From fbd743ce0eac785801f465746993efbc4fdb8af5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 01:23:00 +0000 Subject: [PATCH 01/29] chore(deps): bump geoip-lite from 2.0.1 to 2.0.2 Bumps [geoip-lite](https://github.com/geoip-lite/node-geoip) from 2.0.1 to 2.0.2. - [Release notes](https://github.com/geoip-lite/node-geoip/releases) - [Commits](https://github.com/geoip-lite/node-geoip/compare/v2.0.1...v2.0.2) --- updated-dependencies: - dependency-name: geoip-lite dependency-version: 2.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package-lock.json | 36 +++++------------------------------- package.json | 2 +- 2 files changed, 6 insertions(+), 32 deletions(-) diff --git a/package-lock.json b/package-lock.json index 5e3e4551141..11fc8ac2240 100644 --- a/package-lock.json +++ b/package-lock.json @@ -33,7 +33,7 @@ "form-data": "^4.0.0", "formidable": "2.1.3", "fs-extra": "11.3.5", - "geoip-lite": "2.0.1", + "geoip-lite": "2.0.2", "get-random-values": "^4.0.0", "grunt": "1.6.2", "grunt-cli": "1.5.0", @@ -6034,14 +6034,14 @@ } }, "node_modules/geoip-lite": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/geoip-lite/-/geoip-lite-2.0.1.tgz", - "integrity": "sha512-cR9E28nu1a6dsvzB1tANhdmCyXWV1L4AiSCT9alHLIUl06599EGu33mqY99ieU0twQob0kfcDQ/sAUBvHb7swA==", + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/geoip-lite/-/geoip-lite-2.0.2.tgz", + "integrity": "sha512-C90u7hFgIrDTboiqJm+pc23buM5TykTJq11sCsRItKr6a4IHIHJvZPjq+pY96+Q15saWAMzs3ILzqyEVF0v2gA==", "license": "Apache-2.0", "dependencies": { "chalk": "4.1 - 4.1.2", "iconv-lite": "0.4.13 - 0.6.3", - "ip-address": "5.8.9 - 5.9.4", + "ip-address": "^10.2.0", "lazy": "1.0.11", "yauzl": "^3.2.1" }, 
@@ -6061,26 +6061,6 @@ "node": ">=0.10.0" } }, - "node_modules/geoip-lite/node_modules/ip-address": { - "version": "5.9.4", - "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-5.9.4.tgz", - "integrity": "sha512-dHkI3/YNJq4b/qQaz+c8LuarD3pY24JqZWfjB8aZx1gtpc2MDILu9L9jpZe1sHpzo/yWFweQVn+U//FhazUxmw==", - "license": "MIT", - "dependencies": { - "jsbn": "1.1.0", - "lodash": "^4.17.15", - "sprintf-js": "1.1.2" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/geoip-lite/node_modules/sprintf-js": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.1.2.tgz", - "integrity": "sha512-VE0SOVEHCk7Qc8ulkWw3ntAzXuqf7S2lvwQaDLRnUeIEaKNQJzV6BwmLKhOqT61aGhfUMrXeaBk+oDGCzvhcug==", - "license": "BSD-3-Clause" - }, "node_modules/get-caller-file": { "version": "2.0.5", "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", @@ -7937,12 +7917,6 @@ "js-yaml": "bin/js-yaml.js" } }, - "node_modules/jsbn": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz", - "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==", - "license": "MIT" - }, "node_modules/jsesc": { "version": "3.1.0", "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz", diff --git a/package.json b/package.json index 7abe71d3ac7..975947ed6b0 100644 --- a/package.json +++ b/package.json @@ -65,7 +65,7 @@ "form-data": "^4.0.0", "formidable": "2.1.3", "fs-extra": "11.3.5", - "geoip-lite": "2.0.1", + "geoip-lite": "2.0.2", "get-random-values": "^4.0.0", "grunt": "1.6.2", "grunt-cli": "1.5.0", From 0a2d2b7bf09271aaa38817b0c28764c64edf7a35 Mon Sep 17 00:00:00 2001 
From: Davide Cavaliere Date: Fri, 8 May 2026 16:36:58 +0200 Subject: [PATCH 02/29] =?UTF-8?q?docs(changelog):=20=F0=9F=93=9A=20add=20u?= =?UTF-8?q?ser=20profile=20dot=20encoding=20fix=20to=20changelog?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49f40e4f229..9ab7fb1415b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ Enterprise Fixes: - [drill] Resolve device IDs to user profiles via server-side redirect endpoint - [drill] Open crash group and user profile links in new tab - [drill] Show user-friendly error message when saving a query fails +- [users] Fix MongoDB dot encoding (.) leaking into user profile UI filters, breakdown dropdown, and URLs ## Version 25.03.43 From 823723c67fd038af9873c5bb52c6a2d91f6b3dbb Mon Sep 17 00:00:00 2001 
From: Arturs Sosins Date: Thu, 7 May 2026 19:09:46 +0300 Subject: [PATCH 03/29] [security] Fix Fortify-flagged path traversal, XSS, and info-leak issues Addresses real findings from a customer Fortify scan: - frontend/express/app.js: theme image handler built sendFile path from cookie + URL with only a prefix check, allowing `..` traversal outside /public/themes. Now resolved through common.resolvePathInBase. - plugins/two-factor-auth setup2fa.html / enter2fa_login.html: hidden username/password inputs used unescaped EJS (`<%-`), enabling reflected XSS via crafted credentials. Switched to escaped `<%=`. - api/utils/common.js: returnMessage / returnOutput logged the entire params object on the "output already closed" branch, which can include req.body/req.headers (passwords, session cookies). Replaced with a small non-sensitive summary. - plugins/sdk/api/api.js: SDK config endpoints echoed raw `'Error: ' + err` to clients, leaking internal details. Now log details server-side and return a generic message. Co-Authored-By: Claude Opus 4.7 (1M context) --- api/utils/common.js | 8 ++++++-- frontend/express/app.js | 13 +++++++++++-- plugins/sdk/api/api.js | 6 ++++-- .../frontend/public/templates/enter2fa_login.html | 4 ++-- .../frontend/public/templates/setup2fa.html | 4 ++-- 5 files changed, 25 insertions(+), 10 deletions(-) diff --git a/api/utils/common.js b/api/utils/common.js index 4402b843310..1d9d46d706b 100644 --- a/api/utils/common.js +++ b/api/utils/common.js @@ -1403,7 +1403,9 @@ common.returnMessage = function(params, returnCode, message, heads, noResult = f else { console.error("Output already closed, can't write more"); console.trace(); - console.log(params); + // Don't dump the full params object — req.body/req.headers can + // contain credentials, session cookies, or other secrets. + console.log({url: params.req && params.req.url, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)}); } } }; 
@@ -1485,7 +1487,9 @@ common.returnOutput = function(params, output, noescape, heads) {
 else {
 console.error("Output already closed, can't write more");
 console.trace();
- console.log(params);
+ // Don't dump the full params object — req.body/req.headers can
+ // contain credentials, session cookies, or other secrets.
+ console.log({url: params.req && params.req.url, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)});
 }
 }
 };
diff --git a/frontend/express/app.js b/frontend/express/app.js
index ab7a1c5b0a6..caadd8b6f1e 100644
--- a/frontend/express/app.js
+++ b/frontend/express/app.js
@@ -482,9 +482,18 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
 var urlPath = req.url.replace(countlyConfig.path, "");
 var theme = req.cookies.theme || curTheme;
 if (theme && theme.length && (req.url.indexOf(countlyConfig.path + '/images/') === 0 || req.url.indexOf(countlyConfig.path + '/geodata/') === 0)) {
- fs.exists(__dirname + '/public/themes/' + theme + urlPath, function(exists) {
+ // Both `theme` (cookie) and `urlPath` (URL) are user-controlled.
+ // Resolve under the themes base and reject paths that escape it,
+ // otherwise `..` segments could read files outside /public/themes.
+ var themesBase = path.resolve(__dirname, 'public/themes');
+ var themedFile = common.resolvePathInBase(themesBase, theme + urlPath);
+ if (!themedFile) {
+ next();
+ return;
+ }
+ fs.exists(themedFile, function(exists) {
 if (exists) {
- res.sendFile(__dirname + '/public/themes/' + theme + urlPath);
+ res.sendFile(themedFile);
 }
 else {
 next();
diff --git a/plugins/sdk/api/api.js b/plugins/sdk/api/api.js
index bf3a3a0c17c..dec9512e3f5 100644
--- a/plugins/sdk/api/api.js
+++ b/plugins/sdk/api/api.js
@@ -27,7 +27,8 @@ plugins.register("/permissions/features", function(ob) { common.returnOutput(params, config); }) .catch(function(err) { - common.returnMessage(params, 400, 'Error: ' + err); + console.error("Error retrieving SDK config", err); + common.returnMessage(params, 400, 'Error retrieving SDK config'); }) .finally(function() { resolve(); @@ -72,7 +73,8 @@ plugins.register("/permissions/features", function(ob) { common.returnOutput(params, res.config || {}); }) .catch(function(err) { - common.returnMessage(params, 400, 'Error: ' + err); + console.error("Error retrieving SDK config", err); + common.returnMessage(params, 400, 'Error retrieving SDK config'); }); }); diff --git a/plugins/two-factor-auth/frontend/public/templates/enter2fa_login.html b/plugins/two-factor-auth/frontend/public/templates/enter2fa_login.html index 06e5feddfe9..1d2c334d0c5 100644 --- a/plugins/two-factor-auth/frontend/public/templates/enter2fa_login.html +++ b/plugins/two-factor-auth/frontend/public/templates/enter2fa_login.html @@ -88,8 +88,8 @@ <%- inject_template.form %> <% } %>
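Review bot: Both `.catch` handlers still reply with HTTP 400, which labels a rejected config lookup — most likely a server-side failure, as far as this hunk shows — as a client error, so SDKs and monitoring will treat an outage as bad input rather than retry or alert. Unless these rejections are known to be validation errors, `common.returnMessage(params, 500, 'Error retrieving SDK config');` is the accurate status; the generic message is right either way. The two handlers are identical, so a shared `function onConfigError(params, err)` doing the `console.error` and the reply would keep them from drifting apart. Both enclosing request handlers start and end outside the hunk.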
- - + + diff --git a/plugins/two-factor-auth/frontend/public/templates/setup2fa.html b/plugins/two-factor-auth/frontend/public/templates/setup2fa.html index 54e107e7355..1c05bf28e2e 100644 --- a/plugins/two-factor-auth/frontend/public/templates/setup2fa.html +++ b/plugins/two-factor-auth/frontend/public/templates/setup2fa.html @@ -81,8 +81,8 @@ <% } %>
- - + +
From 12a2681e26faa55ef8445968a6ff6805e40b7055 Mon Sep 17 00:00:00 2001 From: Arturs Sosins Date: Thu, 7 May 2026 19:23:31 +0300 Subject: [PATCH 04/29] [security] Address PR review comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - frontend/express/app.js: replace explicit resolvePathInBase + fs.exists + sendFile with res.sendFile's `root` option. Express normalizes the path and rejects `..` traversal natively (recognized by CodeQL as a sanitizer, addresses alerts 1329 and 1330). Switched req.url to req.path so query strings don't bleed into filesystem lookups. - api/utils/common.js: log params.urlParts.pathname instead of req.url in the "output already closed" branch — req.url can carry api_key / auth_token in the query string. Co-Authored-By: Claude Opus 4.7 (1M context) --- api/utils/common.js | 10 ++++++---- frontend/express/app.js | 23 ++++++++--------------- 2 files changed, 14 insertions(+), 19 deletions(-) diff --git a/api/utils/common.js b/api/utils/common.js index 1d9d46d706b..be62bfcd055 100644 --- a/api/utils/common.js +++ b/api/utils/common.js @@ -1404,8 +1404,9 @@ common.returnMessage = function(params, returnCode, message, heads, noResult = f console.error("Output already closed, can't write more"); console.trace(); // Don't dump the full params object — req.body/req.headers can - // contain credentials, session cookies, or other secrets. - console.log({url: params.req && params.req.url, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)}); + // contain credentials, session cookies, or other secrets. Log + // only the pathname (query string can carry api_key/auth_token). + console.log({pathname: params.urlParts && params.urlParts.pathname, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)}); } } }; 
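Review bot: The allow-listed summary object is now written out by hand here and again in the `returnOutput` hunk below, so the two copies will drift the first time someone adds a field to one of them — and a field added carelessly (say `params.qstring` itself) re-opens the leak this change closes. A small helper, `function closedOutputSummary(params) { return {pathname: params.urlParts && params.urlParts.pathname, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)}; }`, called from both branches keeps the allow-list in one place, with a comment above it stating that nothing from `req.body`, `req.headers` or query-string values may be added. The query-string keys are request-supplied strings too, so whatever consumes this log line should treat it as untrusted input. The `returnMessage` body begins before this hunk.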
@@ -1488,8 +1489,9 @@ common.returnOutput = function(params, output, noescape, heads) {
 console.error("Output already closed, can't write more");
 console.trace();
 // Don't dump the full params object — req.body/req.headers can
- // contain credentials, session cookies, or other secrets.
- console.log({url: params.req && params.req.url, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)});
+ // contain credentials, session cookies, or other secrets. Log
+ // only the pathname (query string can carry api_key/auth_token).
+ console.log({pathname: params.urlParts && params.urlParts.pathname, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)});
 }
 }
 };
diff --git a/frontend/express/app.js b/frontend/express/app.js
index caadd8b6f1e..47799765af3 100644
--- a/frontend/express/app.js
+++ b/frontend/express/app.js
@@ -479,23 +479,16 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
 app.use(cookieParser());
 //server theme images
 app.use(function(req, res, next) {
- var urlPath = req.url.replace(countlyConfig.path, "");
+ var urlPath = req.path.replace(countlyConfig.path, "");
 var theme = req.cookies.theme || curTheme;
- if (theme && theme.length && (req.url.indexOf(countlyConfig.path + '/images/') === 0 || req.url.indexOf(countlyConfig.path + '/geodata/') === 0)) {
+ if (theme && theme.length && (req.path.indexOf(countlyConfig.path + '/images/') === 0 || req.path.indexOf(countlyConfig.path + '/geodata/') === 0)) {
 // Both `theme` (cookie) and `urlPath` (URL) are user-controlled.
- // Resolve under the themes base and reject paths that escape it,
- // otherwise `..` segments could read files outside /public/themes.
- var themesBase = path.resolve(__dirname, 'public/themes');
- var themedFile = common.resolvePathInBase(themesBase, theme + urlPath);
- if (!themedFile) {
- next();
- return;
- }
- fs.exists(themedFile, function(exists) {
- if (exists) {
- res.sendFile(themedFile);
- }
- else {
+ // Hand the relative path to res.sendFile with `root` set to
+ // /public/themes — express normalizes the path and rejects any
+ // `..` traversal before touching the filesystem. Missing files
+ // surface via the error callback and fall through to next().
+ res.sendFile(theme + urlPath, {root: path.resolve(__dirname, 'public/themes')}, function(err) {
+ if (err) {
 next();
 }
 });
From 72791670ea2d601c718d780e8263e020ef1a0513 Mon Sep 17 00:00:00 2001
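Review bot: The `function(err)` callback passed to `res.sendFile` calls `next()` for every error, so a failure after the response has started streaming (client abort, read error mid-file) hands a half-written response to the next middleware, and a `..` rejection — which `send` reports as a 403, as I read it — is quietly downgraded to a fall-through instead of being surfaced. I would only fall through on a genuine miss and propagate everything else: `if (!err) { return; }`, `if (err.status === 404) { return next(); }`, `next(err);` — express's default error handler then answers 403/500 and knows not to write over a response whose headers are already sent. The cookie value in `theme` is still used verbatim as a directory name; `root` stops traversal but not probing for arbitrary directories under `public/themes`, so checking it against the set of installed themes (which `curTheme` presumably comes from) would be tighter. The enclosing `if (theme ...)` block and the `app.use` callback close outside the hunk.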
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 01:30:39 +0000 Subject: [PATCH 05/29] chore(deps): bump slackapi/slack-github-action in the actions group Bumps the actions group with 1 update: [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action). Updates `slackapi/slack-github-action` from 3.0.2 to 3.0.3 - [Release notes](https://github.com/slackapi/slack-github-action/releases) - [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/slackapi/slack-github-action/compare/v3.0.2...v3.0.3) --- updated-dependencies: - dependency-name: slackapi/slack-github-action dependency-version: 3.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] --- .github/workflows/release_notice.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release_notice.yml b/.github/workflows/release_notice.yml index 8a7a8431ee0..abe4dfd2eba 100644 --- a/.github/workflows/release_notice.yml +++ b/.github/workflows/release_notice.yml @@ -14,7 +14,7 @@ jobs: run: echo "$GITHUB_CONTEXT" - name: Send custom JSON data to Slack workflow id: slack - uses: slackapi/slack-github-action@v3.0.2 + uses: slackapi/slack-github-action@v3.0.3 with: # This data can be any valid JSON from a previous step in the GitHub Action webhook: ${{ secrets.SLACK_RELEASE }} From 4a40314bc4121e9786d8c6b5dfa5603224738d14 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 01:28:05 +0000 Subject: [PATCH 06/29] chore(deps-dev): bump lint-staged from 17.0.2 to 17.0.4 Bumps [lint-staged](https://github.com/lint-staged/lint-staged) from 17.0.2 to 17.0.4. - [Release notes](https://github.com/lint-staged/lint-staged/releases) - [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md) - [Commits](https://github.com/lint-staged/lint-staged/compare/v17.0.2...v17.0.4) --- updated-dependencies: - dependency-name: lint-staged dependency-version: 17.0.4 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 11fc8ac2240..d533237edec 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8177,9 +8177,9 @@ "license": "MIT" }, "node_modules/lint-staged": { - "version": "17.0.2", - "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-17.0.2.tgz", - "integrity": "sha512-Rbr6rdmbCn1fIDHBZpn0madg0hEkdlh+QwajnL3Qq0ZUq/icAJfLGj9BVBajAXi7657ZzKQ7kobGP9S5XOHYRw==", + "version": "17.0.4", + "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-17.0.4.tgz", + "integrity": "sha512-+rU9lSUyVOZ/hDUmRLVGzyS2v73cDdQjX+XQz1AaOdIE4RysLq0HoPW2HrrgeNCLklkhi904VBU1bmgWLHVnkA==", "dev": true, "license": "MIT", "dependencies": { From 9c2b30cf78f5f3a4a3913f48fadb14f123781d5d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 01:27:51 +0000 Subject: [PATCH 07/29] chore(deps): bump semver from 7.7.4 to 7.8.0 Bumps [semver](https://github.com/npm/node-semver) from 7.7.4 to 7.8.0. - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.7.4...v7.8.0) --- updated-dependencies: - dependency-name: semver dependency-version: 7.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index d533237edec..c77dc762d07 100644 --- a/package-lock.json +++ b/package-lock.json @@ -11450,9 +11450,9 @@ } }, "node_modules/semver": { - "version": "7.7.4", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz", - "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==", + "version": "7.8.0", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz", + "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==", "license": "ISC", "bin": { "semver": "bin/semver.js" From 0ff42b5f9074d140bc26e337f6ef2301d39d4c53 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 16:28:43 +0000 Subject: [PATCH 08/29] chore(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 in /plugins/push Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) from 1.1.5 to 1.2.0. - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-builder/compare/v1.1.5...v1.2.0) --- updated-dependencies: - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- plugins/push/package-lock.json | 39 +++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 8 deletions(-) diff --git a/plugins/push/package-lock.json b/plugins/push/package-lock.json index f1fd02d7445..ec2b744b280 100644 --- a/plugins/push/package-lock.json +++ b/plugins/push/package-lock.json @@ -833,9 +833,9 @@ "optional": true }, "node_modules/fast-xml-builder": { - "version": "1.1.5", - "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz", - "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz", + "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==", "funding": [ { "type": "github", @@ -844,7 +844,8 @@ ], "optional": true, "dependencies": { - "path-expression-matcher": "^1.1.3" + "path-expression-matcher": "^1.5.0", + "xml-naming": "^0.1.0" } }, "node_modules/fast-xml-parser": { 
@@ -2027,6 +2028,21 @@ "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" }, + "node_modules/xml-naming": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz", + "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/NaturalIntelligence" + } + ], + "optional": true, + "engines": { + "node": ">=16.0.0" + } + }, "node_modules/y18n": { "version": "5.0.8", "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", @@ -2751,12 +2767,13 @@ "optional": true }, "fast-xml-builder": { - "version": "1.1.5", - "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz", - "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz", + "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==", "optional": true, "requires": { - "path-expression-matcher": "^1.1.3" + "path-expression-matcher": "^1.5.0", + "xml-naming": "^0.1.0" } }, "fast-xml-parser": { @@ -3637,6 +3654,12 @@ "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" }, + "xml-naming": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz", + "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==", + "optional": true + }, "y18n": { "version": "5.0.8", "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", 
From 2d328056387c07d83b1f314fbd48aac8263d95cd Mon Sep 17 00:00:00 2001 From: Anna Sosina Date: Mon, 11 May 2026 15:51:52 +0300 Subject: [PATCH 09/29] Update CHANGELOG for version 25.03.X fixes --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49f40e4f229..0214b1bce91 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ## Version 25.03.X Enterprise Fixes: +- [active_users] Fixed logic to prevent triggering active users calculation if it is already running. - [drill] Add query hint based on default indexes - [drill] Add contextual links in drill table for user IDs and crash groups - [drill] Resolve device IDs to user profiles via server-side redirect endpoint From be6b5efca3a4d443b9a694bf451a13c93bd779b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 May 2026 06:43:17 +0000 Subject: [PATCH 10/29] chore(deps): bump countly-sdk-nodejs from 24.10.3 to 24.10.4 Bumps [countly-sdk-nodejs](https://github.com/Countly/countly-sdk-nodejs) from 24.10.3 to 24.10.4. - [Release notes](https://github.com/Countly/countly-sdk-nodejs/releases) - [Changelog](https://github.com/Countly/countly-sdk-nodejs/blob/master/CHANGELOG.md) - [Commits](https://github.com/Countly/countly-sdk-nodejs/compare/24.10.3...24.10.4) --- updated-dependencies: - dependency-name: countly-sdk-nodejs dependency-version: 24.10.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index c77dc762d07..5bd59be747a 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -4160,9 +4160,9 @@ "link": true }, "node_modules/countly-sdk-nodejs": { - "version": "24.10.3", - "resolved": "https://registry.npmjs.org/countly-sdk-nodejs/-/countly-sdk-nodejs-24.10.3.tgz", - "integrity": "sha512-Xf5P6AuyGR63s91ZHAPZbz5vq6xnP0hSUq4tA5qVvZcGJMhzzeOtG1sadY5oXYFfbvKolhrzcL3QlstkUfqz0A==", + "version": "24.10.4", + "resolved": "https://registry.npmjs.org/countly-sdk-nodejs/-/countly-sdk-nodejs-24.10.4.tgz", + "integrity": "sha512-0AglC6fywBSiahPLBr/BpyWYfOLAUY2ubzI+/7xdxdkT24ZIJRdMRoZUAI/g0ITyTdv6h+rEZ4baUeTP2MGChQ==", "license": "MIT" }, "node_modules/countly-sdk-web": { From cf285e4a1c7574626717c471fa72aa14c724b4aa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 May 2026 06:42:54 +0000 Subject: [PATCH 11/29] chore(deps): bump puppeteer from 24.43.0 to 24.43.1 Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 24.43.0 to 24.43.1. - [Release notes](https://github.com/puppeteer/puppeteer/releases) - [Changelog](https://github.com/puppeteer/puppeteer/blob/main/CHANGELOG.md) - [Commits](https://github.com/puppeteer/puppeteer/compare/puppeteer-v24.43.0...puppeteer-v24.43.1) --- updated-dependencies: - dependency-name: puppeteer dependency-version: 24.43.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package-lock.json | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/package-lock.json b/package-lock.json index 5bd59be747a..f3cccaa62f0 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -2187,9 +2187,9 @@ } }, "node_modules/@puppeteer/browsers": { - "version": "2.13.1", - "resolved": "https://registry.npmjs.org/@puppeteer/browsers/-/browsers-2.13.1.tgz", - "integrity": "sha512-zmS4RTK9fbrc++WlAJhxYbfz3IjDeOmkK/CwwbLmk7ydfS9e2CiEeRJHEPvjDVElO/bwXbidwGA37Bsm6LzCnQ==", + "version": "2.13.2", + "resolved": "https://registry.npmjs.org/@puppeteer/browsers/-/browsers-2.13.2.tgz", + "integrity": "sha512-5EUZSUIc37H6aIXyWO0Z4y8NlF8NnjgmqeQgOGiswAU7pY0HOo16ho4+alIWmSfdZnjqBRawMsP3I5YqLSn6kw==", "license": "Apache-2.0", "dependencies": { "debug": "^4.4.3", @@ -10939,17 +10939,17 @@ } }, "node_modules/puppeteer": { - "version": "24.43.0", - "resolved": "https://registry.npmjs.org/puppeteer/-/puppeteer-24.43.0.tgz", - "integrity": "sha512-DRnMFz+J3s4lFUQcjqKl0/7h0jzlCZuUFU9lNjtKrnMl5WI1RwCaIItpHVu9empuPyUreYueN0sUW3/pnfdqsg==", + "version": "24.43.1", + "resolved": "https://registry.npmjs.org/puppeteer/-/puppeteer-24.43.1.tgz", + "integrity": "sha512-/FSOViCrqRdb1HDocpsM9Z1giA71gTQPUt3SpHGVRALKAy/rJr1fLFYZW9F23qPxqVxTHQnbh/5B5opJST3kAw==", "hasInstallScript": true, "license": "Apache-2.0", "dependencies": { - "@puppeteer/browsers": "2.13.1", + "@puppeteer/browsers": "2.13.2", "chromium-bidi": "14.0.0", "cosmiconfig": "^9.0.0", "devtools-protocol": "0.0.1608973", - "puppeteer-core": "24.43.0", + "puppeteer-core": "24.43.1", "typed-query-selector": "^2.12.2" }, "bin": { 
@@ -10960,12 +10960,12 @@ } }, "node_modules/puppeteer-core": { - "version": "24.43.0", - "resolved": "https://registry.npmjs.org/puppeteer-core/-/puppeteer-core-24.43.0.tgz", - "integrity": "sha512-cCRNXsUlhyPoKDz6+TiSpfZpRS3mD6Y1YFKhkdr6ik6TMfuJb7fAtXq9ThUFc4sphxObDk3BuAvdxc1Y6YOnqQ==", + "version": "24.43.1", + "resolved": "https://registry.npmjs.org/puppeteer-core/-/puppeteer-core-24.43.1.tgz", + "integrity": "sha512-T5ScUMAsmhdNbgDR41AGESYeS6V9MSgetkSnVhhW+gXvzC42VesKCn5ld87gAZDJ6vLHL9GkRvY9WtQWSnwFbw==", "license": "Apache-2.0", "dependencies": { - "@puppeteer/browsers": "2.13.1", + "@puppeteer/browsers": "2.13.2", "chromium-bidi": "14.0.0", "debug": "^4.4.3", "devtools-protocol": "0.0.1608973", From a33ef24f92281121b3f3423e43e37227d80ed61d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 May 2026 18:38:23 +0000 Subject: [PATCH 12/29] chore(deps): bump @protobufjs/utf8 from 1.1.0 to 1.1.1 in /plugins/push Bumps [@protobufjs/utf8](https://github.com/dcodeIO/protobuf.js) from 1.1.0 to 1.1.1. - [Release notes](https://github.com/dcodeIO/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md) - [Commits](https://github.com/dcodeIO/protobuf.js/compare/protobufjs-cli-v1.1.0...protobufjs-cli-v1.1.1) --- updated-dependencies: - dependency-name: "@protobufjs/utf8" dependency-version: 1.1.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- plugins/push/package-lock.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/push/package-lock.json b/plugins/push/package-lock.json index ec2b744b280..34d3f1afcf0 100644 --- a/plugins/push/package-lock.json +++ b/plugins/push/package-lock.json 
@@ -290,9 +290,9 @@ "optional": true }, "node_modules/@protobufjs/utf8": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz", - "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.1.tgz", + "integrity": "sha512-oOAWABowe8EAbMyWKM0tYDKi8Yaox52D+HWZhAIJqQXbqe0xI/GV7FhLWqlEKreMkfDjshR5FKgi3mnle0h6Eg==", "optional": true }, "node_modules/@tootallnate/once": { @@ -2337,9 +2337,9 @@ "optional": true }, "@protobufjs/utf8": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz", - "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.1.tgz", + "integrity": "sha512-oOAWABowe8EAbMyWKM0tYDKi8Yaox52D+HWZhAIJqQXbqe0xI/GV7FhLWqlEKreMkfDjshR5FKgi3mnle0h6Eg==", "optional": true }, "@tootallnate/once": { From 96c52df73752ecc9924d7710afe2251d3468e579 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 02:12:30 +0000 Subject: [PATCH 13/29] chore(deps-dev): bump cypress from 15.14.2 to 15.15.0 in /ui-tests Bumps [cypress](https://github.com/cypress-io/cypress) from 15.14.2 to 15.15.0. - [Release notes](https://github.com/cypress-io/cypress/releases) - [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md) - [Commits](https://github.com/cypress-io/cypress/compare/v15.14.2...v15.15.0) --- updated-dependencies: - dependency-name: cypress dependency-version: 15.15.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- ui-tests/package-lock.json | 42 +++++++++++++++----------------------- 1 file changed, 16 insertions(+), 26 deletions(-) 
diff --git a/ui-tests/package-lock.json b/ui-tests/package-lock.json index 46f1a96c74b..2b81270aca3 100644 --- a/ui-tests/package-lock.json +++ b/ui-tests/package-lock.json @@ -24,9 +24,9 @@ } }, "node_modules/@cypress/request": { - "version": "3.0.10", - "resolved": "https://registry.npmjs.org/@cypress/request/-/request-3.0.10.tgz", - "integrity": "sha512-hauBrOdvu08vOsagkZ/Aju5XuiZx6ldsLfByg1htFeldhex+PeMrYauANzFsMJeAA0+dyPLbDoX2OYuvVoLDkQ==", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/@cypress/request/-/request-4.0.0.tgz", + "integrity": "sha512-wGTQfwDMMMiz/muFw4YbCLwTh0uZsXKK+6zWBzftADpitSi6iM62C8GzEhNcng2srUiGPksOriQkA8zakW2R0g==", "license": "Apache-2.0", "dependencies": { "aws-sign2": "~0.7.0", @@ -45,11 +45,10 @@ "qs": "~6.14.1", "safe-buffer": "^5.1.2", "tough-cookie": "^5.0.0", - "tunnel-agent": "^0.6.0", - "uuid": "^8.3.2" + "tunnel-agent": "^0.6.0" }, "engines": { - "node": ">= 6" + "node": ">= 14.17.0" } }, "node_modules/@cypress/xvfb": { @@ -1345,13 +1344,13 @@ } }, "node_modules/cypress": { - "version": "15.14.2", - "resolved": "https://registry.npmjs.org/cypress/-/cypress-15.14.2.tgz", - "integrity": "sha512-xMWg/iEImeIThRQZdnf3BFJT1a84apM/R91Feoa4vVWGuYWDphMT5jLhRVTBVlCgi+6axegF1zqhNyjhug2SsQ==", + "version": "15.15.0", + "resolved": "https://registry.npmjs.org/cypress/-/cypress-15.15.0.tgz", + "integrity": "sha512-N8qBv3AUYn6xfIG73O5O58kTClUBSZ7a3C08IQFkSGTUdEauJ3BqwTFb/f9KPZgadftoZjllC0XSwD7xNNolbA==", "hasInstallScript": true, "license": "MIT", "dependencies": { - "@cypress/request": "^3.0.10", + "@cypress/request": "^4.0.0", "@cypress/xvfb": "^1.2.4", "@types/sinonjs__fake-timers": "8.1.1", "@types/sizzle": "^2.3.2", 
@@ -1866,9 +1865,9 @@ } }, "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz", + "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==", "license": "MIT", "dependencies": { "function-bind": "^1.1.2" @@ -2620,13 +2619,13 @@ } }, "node_modules/side-channel-list": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz", - "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz", + "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==", "license": "MIT", "dependencies": { "es-errors": "^1.3.0", - "object-inspect": "^1.13.3" + "object-inspect": "^1.13.4" }, "engines": { "node": ">= 0.4" @@ -2939,15 +2938,6 @@ "node": ">=8" } }, - "node_modules/uuid": { - "version": "8.3.2", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", - "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", - "license": "MIT", - "bin": { - "uuid": "dist/bin/uuid" - } - }, "node_modules/verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", From b327bf08f8691592a3f5b6df55c213867549ee68 Mon Sep 17 00:00:00 2001 
From: Arturs Sosins Date: Tue, 12 May 2026 18:06:14 +0300 Subject: [PATCH 14/29] Update CHANGELOG.md for version 25.03.X fixes Added security fixes and enterprise fixes to the changelog for version 25.03.X. --- CHANGELOG.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0214b1bce91..60a7ee68cac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,42 @@ ## Version 25.03.X +Security fixes: +- [alerts] Validate alertConfig.selectedApps against caller's permissions (cross-app metric exfiltration) +- [app_users / logger / compliance-hub] Strip dangerous Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries +- [app_users] Sanitize user.picture filename before deletion (path traversal) +- [app_users] Scope export download/delete to caller's app_id; reject path-traversal in filenames +- [apps] Replace updateApp/createApp mass-assignment with explicit field allowlist +- [auth] Generate new-member invite prid with crypto.randomBytes (replace predictable HMAC) +- [auth] Handle req.session.regenerate error in token login +- [auth] Replace OTP-equality recaptcha bypass with twoFactorPassed session flag +- [auth] Restrict /login/token/:token to login-purpose tokens; regenerate session id on token login to close fixation +- [cms / system / systemlogs] /i/cms/save_entries, /o/system/plugins, /i/systemlogs restricted to global admins +- [core] Add common.resolvePathInBase helper for safe path containment checks +- [crashes] Add error handlers to crash report streamed responses +- [dashboards] Constrain public screenshot route paths and stream error handling +- [dashboards] Identical response for missing/inaccessible dashboard (no enumeration) +- [dashboards] Require auth + per-widget app permission on /o/dashboards/test; remove the unused endpoint +- [data_migration] Constrain export/import paths to allowed directories; reject path-traversal in target_path, multipart filenames, and exportid (backport of #7491) +- [data] Escape regex metacharacters in sSearch parameters (ReDoS) +- [data] Return 404 (not 500) when event_groups lookup misses +- [dbvieweer] ($graphLookup) and M-11 (dbviewer non-admin filter scope) +- [dbviewer] Block $graphLookup aggregation stage (cross-collection data exfiltration) +- [errorlogs] Reject path-traversal in admin log file paths +- [event_groups] Whitelist 
updatable fields on create/update; scope reads by app_id +- [exports] Add stream error handlers to export download +- [exports] Authorize /o/export/download by task ownership / app_id +- [notes] Bind notes to permission-checked app_id; check edit permissions against the note's stored app_id +- [notes] Enforce saveNote schema validation +- [output] Remove noescape query-string bypass on returnOutput (reflected-XSS via parameter) +- [push] Bind message create/test/update/one/remove/toggle to query-string app_id (cross-app push injection) +- [redirect] Apply SSRF protection (api/utils/ssrf-protection.js) to app.redirect_url outbound requests +- [render] (--disable-web-security) removed from puppetteer +- [reports] Add stream error handlers +- [star-rating] Close stored XSS in feedback widget logo upload/preview; restrict uploads to image MIME types and validate magic bytes (backport of #7532) +- [star-rating] Defense-in-depth on image upload/serve routes +- [system-utility] Harden streamed responses with error handlers +- [tasks] Authorize /i/tasks/{update,delete,name,edit} per task ownership / app admin / global admin +- [users] /users/check/username now requires global admin (parity with email check) + Enterprise Fixes: - [active_users] Fixed logic to prevent triggering active users calculation if it is already running. - [drill] Add query hint based on default indexes From 1ce62aab6b06692e37993bce9bad359869e594e7 Mon Sep 17 00:00:00 2001 
From: Arturs Sosins Date: Tue, 12 May 2026 20:29:50 +0300 Subject: [PATCH 15/29] docs: fix changelog typos and complete dbviewer M-11 entry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses Copilot review comments on #7559: - Drop the half-written "[dbvieweer] ($graphLookup) and M-11 ..." line (the $graphLookup half is already on the line below). - Add a proper, descriptive entry for the M-11 fix (eaaa23a8ccf): wrap the non-admin scope as a top-level $and so a user-supplied $or/$nor can't OR around the per-tenant filter. - Fix puppetteer → puppeteer. Co-Authored-By: Claude Opus 4.7 (1M context) --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 60a7ee68cac..f7b5e46a0f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,8 +18,8 @@ Security fixes: - [data_migration] Constrain export/import paths to allowed directories; reject path-traversal in target_path, multipart filenames, and exportid (backport of #7491) - [data] Escape regex metacharacters in sSearch parameters (ReDoS) - [data] Return 404 (not 500) when event_groups lookup misses -- [dbvieweer] ($graphLookup) and M-11 (dbviewer non-admin filter scope) - [dbviewer] Block $graphLookup aggregation stage (cross-collection data exfiltration) +- [dbviewer] Wrap non-admin scope as top-level $and so user-supplied $or/$nor cannot bypass per-tenant filter (cross-tenant data exfiltration) - [errorlogs] Reject path-traversal in admin log file paths - [event_groups] Whitelist updatable fields on create/update; scope reads by app_id - [exports] Add stream error handlers to export download 
@@ -29,7 +29,7 @@ Security fixes: - [output] Remove noescape query-string bypass on returnOutput (reflected-XSS via parameter) - [push] Bind message create/test/update/one/remove/toggle to query-string app_id (cross-app push injection) - [redirect] Apply SSRF protection (api/utils/ssrf-protection.js) to app.redirect_url outbound requests -- [render] (--disable-web-security) removed from puppetteer +- [render] (--disable-web-security) removed from puppeteer - [reports] Add stream error handlers - [star-rating] Close stored XSS in feedback widget logo upload/preview; restrict uploads to image MIME types and validate magic bytes (backport of #7532) - [star-rating] Defense-in-depth on image upload/serve routes From 4c4196b379fa4dd022faecb298ff98766769d357 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 02:11:57 +0000 Subject: [PATCH 16/29] chore(deps): bump xlsx-write-stream from 1.0.3 to 1.0.4 Bumps [xlsx-write-stream](https://github.com/apify/xlsx-stream) from 1.0.3 to 1.0.4. - [Release notes](https://github.com/apify/xlsx-stream/releases) - [Changelog](https://github.com/apify/xlsx-stream/blob/master/CHANGELOG.md) - [Commits](https://github.com/apify/xlsx-stream/compare/v1.0.3...v1.0.4) --- updated-dependencies: - dependency-name: xlsx-write-stream dependency-version: 1.0.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index f3cccaa62f0..4864963b633 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -13419,9 +13419,9 @@ } }, "node_modules/xlsx-write-stream": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/xlsx-write-stream/-/xlsx-write-stream-1.0.3.tgz", - "integrity": "sha512-HyAJ0oXfyBt/DZ+CJfSZvkxQNgqaSOFv9UPR5wosz1G9LW450KTPrj9lc1WKrwzVM2ItrdhhsSN88ARwYggAhQ==", + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/xlsx-write-stream/-/xlsx-write-stream-1.0.4.tgz", + "integrity": "sha512-ZHpLtZzezUHTx/BI61lrv2dHXHn2YTu1EhmhijLYgEWvu5dweWNQKsXjE5slkkC8bXjVPmN3e6WQ36IpMt0C1w==", "license": "Apache-2.0", "dependencies": { "archiver": "^5.3.0", From 5a34a0049d6b2eb72ad30c6a6e888a103d97ec83 Mon Sep 17 00:00:00 2001 From: coskunaydinoglu Date: Thu, 14 May 2026 11:00:06 +0300 Subject: [PATCH 17/29] cooldown badge changes --- .../javascripts/countly/vue/components/content.js | 5 +++++ .../vue/templates/content/content-header.html | 12 ++++++++++++ 2 files changed, 17 insertions(+) diff --git a/frontend/express/public/javascripts/countly/vue/components/content.js b/frontend/express/public/javascripts/countly/vue/components/content.js index 6a35382158a..e4e84018130 100644 --- a/frontend/express/public/javascripts/countly/vue/components/content.js +++ b/frontend/express/public/javascripts/countly/vue/components/content.js @@ -71,6 +71,11 @@ type: String }, + cooldownBadge: { + default: () => ({ show: false }), + type: Object + }, + status: { default: () => ({ label: 'Status', diff --git a/frontend/express/public/javascripts/countly/vue/templates/content/content-header.html b/frontend/express/public/javascripts/countly/vue/templates/content/content-header.html index e5f12fa4359..41f9f909e73 100644 --- a/frontend/express/public/javascripts/countly/vue/templates/content/content-header.html +++ b/frontend/express/public/javascripts/countly/vue/templates/content/content-header.html @@ -55,6 +55,18 @@ :tabs="tabs" />
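Review bot: The new `cooldownBadge` prop in content.js is declared as `type: Object` with a default of `{ show: false }` but nothing documents which other keys the header template reads, so the contract lives only in content-header.html, whose added markup is not legible in this patch. A one-line comment above the prop would pin it down, e.g. `// Cooldown badge config consumed by content-header.html: { show: boolean, ...further keys the template reads }`, and if the shape is fixed a Vue `validator: (v) => typeof v.show === 'boolean'` would reject malformed input at the prop boundary instead of at render time. The enclosing object, presumably the component's `props`, starts and ends outside this hunk.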
+
+ +
Date: Thu, 14 May 2026 11:02:26 +0300 Subject: [PATCH 18/29] Update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f7b5e46a0f3..15583e8c05d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,6 +45,8 @@ Enterprise Fixes: - [drill] Open crash group and user profile links in new tab - [drill] Show user-friendly error message when saving a query fails +Enterprise Features: +- [journey_engine] Engagement cooldown information added to journey builder and user profiles ## Version 25.03.43 Enterprise Fixes: From ee06c3d93e3bbf2ec64949a04bb02c86cca02099 Mon Sep 17 00:00:00 2001 From: coskunaydinoglu Date: Thu, 14 May 2026 11:26:51 +0300 Subject: [PATCH 19/29] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ea3114e263..7f667996cfc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -208,6 +208,7 @@ Fixes: - [star-rating] Fix consent fields in drawer Enterprise Fixes: +- [cognito] Fix crash on GET /clogin/:code when body-parser 2.x leaves req.body undefined on requests with no body - [cohorts] Correctly regenerate cohorts having $or rule on custom properties - [journey-engine] Update asset file naming to include version from package.json From 771e257720709e6c016a394819dff85454196ea8 Mon Sep 17 00:00:00 2001 From: coskunaydinoglu Date: Thu, 14 May 2026 11:43:53 +0300 Subject: [PATCH 20/29] Update CHANGELOG.md --- CHANGELOG.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f667996cfc..4a754b2ab6b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -37,8 +37,12 @@ Security fixes: - [tasks] Authorize /i/tasks/{update,delete,name,edit} per task ownership / app admin / global admin - [users] /users/check/username now requires global admin (parity with email check) +Enterprise Features: +- [journey_engine] Maker checker approver + Enterprise Fixes: -- [active_users] Fixed logic to prevent triggering active users calculation if it is already running. +- [active_users] Fixed logic to prevent triggering active users calculation if it +- [cognito] Fix crash on GET /clogin/:code when body-parser 2.x leaves req.body undefined on requests with no bodyis already running. - [drill] Add query hint based on default indexes - [drill] Add contextual links in drill table for user IDs and crash groups - [drill] Resolve device IDs to user profiles via server-side redirect endpoint @@ -50,7 +54,6 @@ Enterprise Fixes: ## Version 25.03.43 Enterprise Fixes: - [flow] Optimize timeline period query -- [journey_engine] Maker checker approver Dependencies: - Bump follow-redirects from 1.15.11 to 1.16.0 @@ -208,7 +211,6 @@ Fixes: - [star-rating] Fix consent fields in drawer Enterprise Fixes: -- [cognito] Fix crash on GET /clogin/:code when body-parser 2.x leaves req.body undefined on requests with no body - [cohorts] Correctly regenerate cohorts having $or rule on custom properties - [journey-engine] Update asset file naming to include version from package.json From 73c1f933bac5f0742502179986cab05c3b30f77a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 22:55:00 +0000 Subject: [PATCH 21/29] chore(deps): bump systeminformation from 5.31.1 to 5.31.6 in /ui-tests Bumps [systeminformation](https://github.com/sebhildebrandt/systeminformation) from 5.31.1 to 5.31.6. - [Release notes](https://github.com/sebhildebrandt/systeminformation/releases) - [Changelog](https://github.com/sebhildebrandt/systeminformation/blob/master/CHANGELOG.md) - [Commits](https://github.com/sebhildebrandt/systeminformation/compare/v5.31.1...v5.31.6) --- updated-dependencies: - dependency-name: systeminformation dependency-version: 5.31.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- ui-tests/package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ui-tests/package-lock.json b/ui-tests/package-lock.json index 2b81270aca3..5117679a160 100644 --- a/ui-tests/package-lock.json +++ b/ui-tests/package-lock.json @@ -2796,9 +2796,9 @@ } }, "node_modules/systeminformation": { - "version": "5.31.1", - "resolved": "https://registry.npmjs.org/systeminformation/-/systeminformation-5.31.1.tgz", - "integrity": "sha512-6pRwxoGeV/roJYpsfcP6tN9mep6pPeCtXbUOCdVa0nme05Brwcwdge/fVNhIZn2wuUitAKZm4IYa7QjnRIa9zA==", + "version": "5.31.6", + "resolved": "https://registry.npmjs.org/systeminformation/-/systeminformation-5.31.6.tgz", + "integrity": "sha512-Uv2b2uGGM6ns+26czgW2cYRabYdnswM0ddSOOlryHOaelzsmDSet1iM/NT7VOYxW8x/BW+HkY+b1Ve2pLTSGSA==", "license": "MIT", "os": [ "darwin", From 76a825da3154f42c0d6ea0081475f066849142a6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 09:36:00 +0000 Subject: [PATCH 22/29] chore(deps): bump protobufjs from 7.5.5 to 7.5.8 in /plugins/push Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.5.5 to 7.5.8. - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.5.8/CHANGELOG.md) - [Commits](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.5...protobufjs-v7.5.8) --- updated-dependencies: - dependency-name: protobufjs dependency-version: 7.5.8 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- plugins/push/package-lock.json | 48 +++++++++++++++++----------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/plugins/push/package-lock.json b/plugins/push/package-lock.json index 34d3f1afcf0..e61d1cee6d8 100644 --- a/plugins/push/package-lock.json +++ b/plugins/push/package-lock.json @@ -244,9 +244,9 @@ "optional": true }, "node_modules/@protobufjs/codegen": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz", - "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==", + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.5.tgz", + "integrity": "sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==", "optional": true }, "node_modules/@protobufjs/eventemitter": { 
@@ -272,9 +272,9 @@ "optional": true }, "node_modules/@protobufjs/inquire": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz", - "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.1.tgz", + "integrity": "sha512-mnzgDV26ueAvk7rsbt9L7bE0SuAoqyuys/sMMrmVcN5x9VsxpcG3rqAUSgDyLp0UZlmNfIbQ4fHfCtreVBk8Ew==", "optional": true }, "node_modules/@protobufjs/path": { @@ -1611,22 +1611,22 @@ } }, "node_modules/protobufjs": { - "version": "7.5.5", - "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.5.tgz", - "integrity": "sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==", + "version": "7.5.8", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.8.tgz", + "integrity": "sha512-dvpCIeLPbXZS/Ete7yLaO7RenOdken2NHKykBXbsaGxZT0UTltcarBciw+A78SRQs9iMAAVpsYA+l8b1hTePIA==", "hasInstallScript": true, "optional": true, "dependencies": { "@protobufjs/aspromise": "^1.1.2", "@protobufjs/base64": "^1.1.2", - "@protobufjs/codegen": "^2.0.4", + "@protobufjs/codegen": "^2.0.5", "@protobufjs/eventemitter": "^1.1.0", "@protobufjs/fetch": "^1.1.0", "@protobufjs/float": "^1.0.2", - "@protobufjs/inquire": "^1.1.0", + "@protobufjs/inquire": "^1.1.1", "@protobufjs/path": "^1.1.2", "@protobufjs/pool": "^1.1.0", - "@protobufjs/utf8": "^1.1.0", + "@protobufjs/utf8": "^1.1.1", "@types/node": ">=13.7.0", "long": "^5.0.0" }, 
@@ -2291,9 +2291,9 @@ "optional": true }, "@protobufjs/codegen": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz", - "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==", + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.5.tgz", + "integrity": "sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==", "optional": true }, "@protobufjs/eventemitter": { @@ -2319,9 +2319,9 @@ "optional": true }, "@protobufjs/inquire": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz", - "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.1.tgz", + "integrity": "sha512-mnzgDV26ueAvk7rsbt9L7bE0SuAoqyuys/sMMrmVcN5x9VsxpcG3rqAUSgDyLp0UZlmNfIbQ4fHfCtreVBk8Ew==", "optional": true }, "@protobufjs/path": { 
@@ -3351,21 +3351,21 @@ } }, "protobufjs": { - "version": "7.5.5", - "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.5.tgz", - "integrity": "sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==", + "version": "7.5.8", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.8.tgz", + "integrity": "sha512-dvpCIeLPbXZS/Ete7yLaO7RenOdken2NHKykBXbsaGxZT0UTltcarBciw+A78SRQs9iMAAVpsYA+l8b1hTePIA==", "optional": true, "requires": { "@protobufjs/aspromise": "^1.1.2", "@protobufjs/base64": "^1.1.2", - "@protobufjs/codegen": "^2.0.4", + "@protobufjs/codegen": "^2.0.5", "@protobufjs/eventemitter": "^1.1.0", "@protobufjs/fetch": "^1.1.0", "@protobufjs/float": "^1.0.2", - "@protobufjs/inquire": "^1.1.0", + "@protobufjs/inquire": "^1.1.1", "@protobufjs/path": "^1.1.2", "@protobufjs/pool": "^1.1.0", - "@protobufjs/utf8": "^1.1.0", + "@protobufjs/utf8": "^1.1.1", "@types/node": ">=13.7.0", "long": "^5.0.0" } From 7d5cb5c867fd587d05e1cbb4d41fe0e9177c7780 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 May 2026 01:22:58 +0000 Subject: [PATCH 23/29] chore(deps): bump express-rate-limit from 8.5.1 to 8.5.2 Bumps [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) from 8.5.1 to 8.5.2. - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](https://github.com/express-rate-limit/express-rate-limit/compare/v8.5.1...v8.5.2) --- updated-dependencies: - dependency-name: express-rate-limit dependency-version: 8.5.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 4864963b633..b5928a3463a 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -28,7 +28,7 @@ "ejs": "5.0.2", "errorhandler": "1.5.2", "express": "4.22.1", - "express-rate-limit": "8.5.1", + "express-rate-limit": "8.5.2", "express-session": "1.19.0", "form-data": "^4.0.0", "formidable": "2.1.3", @@ -5224,9 +5224,9 @@ } }, "node_modules/express-rate-limit": { - "version": "8.5.1", - "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.5.1.tgz", - "integrity": "sha512-5O6KYmyJEpuPJV5hNTXKbAHWRqrzyu+OI3vUnSd2kXFubIVpG7ezpgxQy76Zo5GQZtrQBg86hF+CM/NX+cioiQ==", + "version": "8.5.2", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.5.2.tgz", + "integrity": "sha512-5Kb34ipNX694DH48vN9irak1Qx30nb0PLYHXfJgw4YEjiC3ZEmZJhwOp+VfiCYwFzvFTdB9QkArYS5kXa2cx2A==", "license": "MIT", "dependencies": { "ip-address": "^10.2.0" diff --git a/package.json b/package.json index 975947ed6b0..e7450c4ea19 100644 --- a/package.json +++ b/package.json @@ -60,7 +60,7 @@ "ejs": "5.0.2", "errorhandler": "1.5.2", "express": "4.22.1", - "express-rate-limit": "8.5.1", + "express-rate-limit": "8.5.2", "express-session": "1.19.0", "form-data": "^4.0.0", "formidable": "2.1.3", From e73d24127a09e24b9b207cd1e4c47b0c1c50e4cf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 May 2026 01:45:46 +0000 Subject: [PATCH 24/29] chore(deps-dev): bump lint-staged from 17.0.4 to 17.0.5 Bumps [lint-staged](https://github.com/lint-staged/lint-staged) from 17.0.4 to 17.0.5. - [Release notes](https://github.com/lint-staged/lint-staged/releases) - [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md) - [Commits](https://github.com/lint-staged/lint-staged/compare/v17.0.4...v17.0.5) --- updated-dependencies: - dependency-name: lint-staged dependency-version: 17.0.5 dependency-type: direct:development update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index b5928a3463a..9f0717149eb 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8177,9 +8177,9 @@ "license": "MIT" }, "node_modules/lint-staged": { - "version": "17.0.4", - "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-17.0.4.tgz", - "integrity": "sha512-+rU9lSUyVOZ/hDUmRLVGzyS2v73cDdQjX+XQz1AaOdIE4RysLq0HoPW2HrrgeNCLklkhi904VBU1bmgWLHVnkA==", + "version": "17.0.5", + "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-17.0.5.tgz", + "integrity": "sha512-d12yC+/e8RhBjZtaxZn71FyrgU/P5e+uAPifhCLwdosQZP/zamSdKRWDC30ocVIbzDKiFG1McHc/LUgB92GIPw==", "dev": true, "license": "MIT", "dependencies": { From dc5439b3ffaef3dc083c80c807404ba3630d280c Mon Sep 17 00:00:00 2001 From: Anna Sosina Date: Tue, 19 May 2026 10:16:22 +0300 Subject: [PATCH 25/29] Update CHANGELOG for version 25.03.44 Updated version number to 25.03.44 and added security fixes, enterprise features, and bug fixes. --- CHANGELOG.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69340d877bd..b8eb178dfa2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -## Version 25.03.X +## Version 25.03.44 Security fixes: - [alerts] Validate alertConfig.selectedApps against caller's permissions (cross-app metric exfiltration) - [app_users / logger / compliance-hub] Strip dangerous Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries @@ -39,6 +39,7 @@ Security fixes: Enterprise Features: - [journey_engine] Maker checker approver +- [journey_engine] Engagement cooldown information added to journey builder and user profiles Enterprise Fixes: - [active_users] Fixed logic to prevent triggering active users calculation if it 
@@ -50,9 +51,6 @@ Enterprise Fixes: - [drill] Show user-friendly error message when saving a query fails - [users] Fix MongoDB dot encoding (.) leaking into user profile UI filters, breakdown dropdown, and URLs -Enterprise Features: -- [journey_engine] Engagement cooldown information added to journey builder and user profiles - ## Version 25.03.43 Enterprise Fixes: - [flow] Optimize timeline period query From b3f9d0f6fe8dcf20af5557f9f04e1bfb2692662b Mon Sep 17 00:00:00 2001 From: Davide Cavaliere Date: Tue, 19 May 2026 18:12:38 +0200 Subject: [PATCH 26/29] fix(notes): accept numeric color in saveNote schema saveNote schema declared color as String but the dashboard (countly.common.notes.js COLOR_TAGS) sends a numeric index 1..5. Validation stayed dormant until H-5 started enforcing validateArgs, after which every create/edit failed with 'Invalid type for color'. Switched color to IntegerString so both Number (JSON body) and numeric string (URL query) are accepted. Slack context: https://countly.slack.com/archives/CV9KV4UQ1/p1779195915103949 Ports: Countly/countly-platform#280 Co-Authored-By: Claude Opus 4.7 (1M context) --- CHANGELOG.md | 3 +++ api/parts/mgmt/users.js | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49f40e4f229..7bbb8a83685 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,7 @@ ## Version 25.03.X +Fixes: +- [core] Accept numeric color in saveNote schema so graph note create/edit no longer fails validation + Enterprise Fixes: - [drill] Add query hint based on default indexes - [drill] Add contextual links in drill table for user IDs and crash groups diff --git a/api/parts/mgmt/users.js b/api/parts/mgmt/users.js index 75348a28703..cfe1c605cb2 100644 --- a/api/parts/mgmt/users.js +++ b/api/parts/mgmt/users.js 
@@ -911,8 +911,11 @@ usersApi.saveNote = async function(params) {
 'type': 'String',
 },
 'color': {
+ // Frontend (countly.common.notes.js COLOR_TAGS) sends a numeric
+ // index 1..5. URL query callers may send "5" as a string.
+ // Mirror the ts handling — IntegerString accepts both.
 'required': true,
- 'type': 'String'
+ 'type': 'IntegerString'
 },
 'category': {
 'required': false,
From 0b6cea6cd756e446315fc11052d80d1aabba3ef4 Mon Sep 17 00:00:00 2001 From: Anna Sosina Date: Tue, 19 May 2026 19:57:34 +0300 Subject: [PATCH 27/29] Change 'ts' type from empty to 'IntegerString' --- api/parts/mgmt/users.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/api/parts/mgmt/users.js b/api/parts/mgmt/users.js
index cfe1c605cb2..9560efa9d0b 100644
--- a/api/parts/mgmt/users.js
+++ b/api/parts/mgmt/users.js
@@ -904,7 +904,7 @@ usersApi.saveNote = async function(params) {
 },
 'ts': {
 'required': true,
- 'type': ''
+ 'type': 'IntegerString'
 },
 'noteType': {
 'required': true,
@@ -1190,4 +1190,4 @@ usersApi.ackNotification = function(params) {
 });
 };
 
-module.exports = usersApi;
\ No newline at end of file
+module.exports = usersApi;
From 4f3bcf8939914b94d9a8ea2ef1abee15e602c150 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 May 2026 13:46:40 +0000 Subject: [PATCH 28/29] chore(deps): bump get-random-values from 4.1.2 to 5.0.0 Bumps [get-random-values](https://github.com/kenany/get-random-values) from 4.1.2 to 5.0.0. - [Release notes](https://github.com/kenany/get-random-values/releases) - [Commits](https://github.com/kenany/get-random-values/compare/4.1.2...5.0.0) --- updated-dependencies: - dependency-name: get-random-values dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- package-lock.json | 10 +++++----- package.json | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-)
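Review bot: Switching `color` to `IntegerString` fixes the type mismatch but enforces only integer-ness; the 1..5 range the new comment describes is not checked anywhere in this hunk, so a negative index or one far beyond the palette passes validation and is stored on the note. If `validateArgs` supports a range constraint for this type, add it on the `color` property; otherwise reject out-of-range values in `saveNote` before the write and state in the comment whether the range is enforced. The phrase `Mirror the ts handling` was written while `ts` still had `'type': ''` — the following commit's hunk in the same file is what changes it to `IntegerString` — so the comment reads as forward-looking rather than descriptive of the code at that point. `saveNote` begins before this hunk and continues after it.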
diff --git a/package-lock.json b/package-lock.json index 9f0717149eb..4d7dba2568b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -34,7 +34,7 @@ "formidable": "2.1.3", "fs-extra": "11.3.5", "geoip-lite": "2.0.2", - "get-random-values": "^4.0.0", + "get-random-values": "^5.0.0", "grunt": "1.6.2", "grunt-cli": "1.5.0", "grunt-contrib-concat": "2.1.0", @@ -6131,15 +6131,15 @@ } }, "node_modules/get-random-values": { - "version": "4.1.2", - "resolved": "https://registry.npmjs.org/get-random-values/-/get-random-values-4.1.2.tgz", - "integrity": "sha512-wSryUwTGxprpTZqyA2BLt3s/nnk49aeUiaVcoGeZckvu1NpC8nueUO6D74VfXy/BEpRNL7DAD/dgPVot5chruw==", + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/get-random-values/-/get-random-values-5.0.0.tgz", + "integrity": "sha512-K4SoyabzMZ+stdDY4atTAml/UztnBFBu1Hk3vC4paSKHl/Cecxfe07SQhevII4/mnwGBa/q9pfaZo2lS9G4Pvg==", "license": "MIT", "dependencies": { "window-or-global": "^1.0.1" }, "engines": { - "node": "20 || 22 || >=24" + "node": "22 || >=24" } }, "node_modules/get-stream": { diff --git a/package.json b/package.json index e7450c4ea19..3144b4a3830 100644 --- a/package.json +++ b/package.json @@ -66,7 +66,7 @@ "formidable": "2.1.3", "fs-extra": "11.3.5", "geoip-lite": "2.0.2", - "get-random-values": "^4.0.0", + "get-random-values": "^5.0.0", "grunt": "1.6.2", "grunt-cli": "1.5.0", "grunt-contrib-concat": "2.1.0", From 08f1972eb21fd3b92da9e1507e21bb1abfe3a020 Mon Sep 17 00:00:00 2001 
From: Davide Cavaliere Date: Thu, 21 May 2026 09:24:32 +0200 Subject: [PATCH 29/29] docs(changelog): note groups findGroups legacy group_id fix under 25.03.X Pairs with the actual fix in countly-enterprise-plugins PR #3179 (mirror of countly-platform #295). Read-path coercion in plugins/groups/api/services/dbService.js so pre-2021 members docs with group_id stored as a string no longer trip MongoDB Location40081 on the new $in-based $lookup pipeline. Co-Authored-By: Claude Opus 4.7 (1M context) --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f5836d30b8..ffa81cec811 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Version 25.03.X Fixes: - [core] Accept numeric color in saveNote schema so graph note create/edit no longer fails validation +- [groups] Tolerate legacy string `group_id` on members in findGroups aggregation so the groups listing, User Management, Alerts and Preset Management pages no longer 400 with MongoDB Location40081 on tenants with pre-2021 data ## Version 25.03.44 Security fixes: