Andrey Antukh
1b6b367951
✨ Add diagnostic keys to SSRF validation exceptions
...
Add :uri and :scheme/:host keys to exceptions raised by
`validate-uri` for better error diagnostics. Also fix a bug
where (str url) was used instead of (str uri) in the
host-missing exception path.
Update the existing blocked-target test to verify the new :uri
key, and add three new tests covering scheme rejection, missing
host, and DNS failure error paths. All 27 tests pass with 60
assertions and 0 failures.
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
2026-05-18 15:57:55 +00:00
Belén Albeza
5c423c3678
🐛 Fix measurement guides not showing up in wasm when user has viewer role
2026-05-18 17:17:18 +02:00
Eva Marco
53530e958a
🐛 Fix incorrect warning when token applied (#9708)
...
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
Co-authored-by: Andrey Antukh <niwi@niwi.nz>
2026-05-18 16:26:28 +02:00
Andrey Antukh
4d9c6eba38
📎 Add missing bugfix entries to changelog
2026-05-18 16:20:27 +02:00
Andrey Antukh
208182cab1
Merge remote-tracking branch 'origin/main' into staging
2026-05-18 15:23:46 +02:00
Andrey Antukh
f5acea7cd7
📎 Update opencode 'update-changelog' skill
2026-05-18 15:22:32 +02:00
Andrey Antukh
7e522ae777
📎 Fix inconsistencies on CHANGES.md
2026-05-18 15:11:11 +02:00
Andrés Moya
82169bc0a3
🐛 Fix loss of swap slot in some cases of variant switch (#9147)
...
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
Co-authored-by: Andrey Antukh <niwi@niwi.nz>
2026-05-18 14:25:32 +02:00
Andrey Antukh
725a0c966c
📎 Fix incorrect entries on changelog
2026-05-18 14:23:18 +02:00
Andrés Moya
ab284febf7
🐛 Fix token application to grid padding (#9630)
2026-05-18 13:32:28 +02:00
Andrey Antukh
9de25c5404
🐛 Fix incorrect content-type on doc endpoint response (#9681)
...
The /api/main/doc endpoint was returning HTML content with a
text/plain content-type header instead of text/html. This caused
browsers to render the response as plain text.
Added content-type: text/html; charset=utf-8 header to the
response in the doc handler and added a regression test to
verify the fix.
Closes #9680
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
2.15.4-RC1
2026-05-18 12:54:16 +02:00
Alonso Torres
9928249d4f
⬆️ Downgrade archive dependency (#9704)
2026-05-18 12:47:41 +02:00
Alejandro Alonso
0956becd12
🎉 Reduce heap allocations
2026-05-18 12:35:16 +02:00
Andrés Moya
25ee8dee78
🐛 Fix editing a text element detaches applied tokens (#9525)
2026-05-18 12:28:48 +02:00
Alejandro Alonso
1ac503f6bc
Merge pull request #9510 from penpot/alotor-fix-viewer-texts
...
🐛 Fix problem with viewer texts
2026-05-18 11:24:02 +02:00
alonso.torres
b2bfd627ae
🐛 Fix problem with viewer texts
2026-05-18 11:00:45 +02:00
andrés gonzález
24fe5559c5
📚 Update 2.16 changelog (#9689)
...
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-18 10:31:24 +02:00
Belén Albeza
0300058605
🐛 Fix delete page icon being clipped (#9685)
2026-05-15 13:41:38 +02:00
Andrey Antukh
ff23f786b4
🐛 Fix broken authentication on /assets handlers
...
- Add ::setup/props and ::db/pool to :app.http.assets/routes config
so session renewal works correctly for asset requests.
- Add actoken/authz middleware to the assets middleware chain so
access tokens are properly recognized.
- Add authenticated? helper that checks both ::session/profile-id
and ::actoken/profile-id, fixing 401 errors when accessing
protected assets with a valid access token.
- Add comprehensive test suite for assets auth scenarios.
Closes #9677
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
2026-05-15 12:05:02 +02:00
Belén Albeza
fc36fb0959
🐛 Fix text editor being hidden to Playwright when empty text (#9682)
2026-05-15 12:04:51 +02:00
Andrey Antukh
6ac8012258
Merge remote-tracking branch 'origin/main' into staging
2026-05-15 11:57:16 +02:00
Andrey Antukh
6cc36e4fcc
📎 Backport more changes for opencode
2026-05-15 11:56:30 +02:00
Andrey Antukh
fe76567180
📎 Backport opencode skills from staging
2026-05-15 11:51:49 +02:00
Andrey Antukh
3db0e5ee0d
📎 Update changelog
2026-05-15 11:31:58 +02:00
Andrey Antukh
1f8ab6fed2
📎 Update the 'update-changelog' skill
...
And add specific tool for extracting info from github
2026-05-15 11:31:58 +02:00
Andrey Antukh
0b65431137
📎 Add taiga skill and script for opencode
...
Allows easy extraction of information from taiga urls
2026-05-15 11:10:02 +02:00
Elena Torró
053d4a23f5
🐛 Fix shape deletion after tiles refactor (#9678)
2026-05-15 11:06:17 +02:00
andrés gonzález
27ac0b7469
🐛 Unify layout creation telemetry for plugins and MCP (#9654)
...
* 🐛 Unify layout creation telemetry for plugins and MCP
* 📚 Update changelog for version 2.15.4
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
---------
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
Co-authored-by: Andrey Antukh <niwi@niwi.nz>
2026-05-15 10:53:43 +02:00
Andrey Antukh
1dea84b7b1
📚 Update mcp readme
2026-05-15 10:19:29 +02:00
Aitor Moreno
58c42df37e
🐛 Fix atlas texture leak
2026-05-14 17:17:06 +02:00
andrés gonzález
310bf6fd6a
💄 Change auth illustration (#9552)
...
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Andrey Antukh <niwi@niwi.nz>
2026-05-14 16:25:53 +02:00
andrés gonzález
7e7bf7c458
✨ Update Open Graph and link preview metadata (#9557)
...
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
Co-authored-by: Andrey Antukh <niwi@niwi.nz>
2026-05-14 16:23:57 +02:00
andrés gonzález
c62ce866a8
📚 Change sentence at MCP docs (#9568)
2026-05-14 16:23:13 +02:00
andrés gonzález
846958d79e
📚 Change slogan at Help Center footer (#9554)
2026-05-14 16:22:19 +02:00
Alonso Torres
dc878572da
🐛 Fix problem with set activation after renaming (#9545)
2026-05-14 16:04:07 +02:00
Pablo Alba
5dafd44966
🐛 Fix library update button freezes and does not apply updates (#9513)
...
Co-authored-by: Andrey Antukh <niwi@niwi.nz>
2026-05-14 16:03:47 +02:00
Xaviju
fb2734cd02
🐛 Save numeric input value on unmount (#9548)
2026-05-14 16:02:34 +02:00
Andrey Antukh
9021544c05
Merge remote-tracking branch 'origin/main' into staging
2026-05-14 15:24:29 +02:00
Andrey Antukh
05d40e3370
📚 Update changelog
2.15.3
2026-05-14 15:19:24 +02:00
Andrey Antukh
237f61fda0
📎 Add update changelog opencode skill
2026-05-14 15:19:03 +02:00
Andrey Antukh
eb1707788b
📎 Add gh-issue-from-pr SKILL for opencode
2026-05-14 15:01:26 +02:00
Alonso Torres
8afe8a5dfa
🐛 Fix plugins schema validation error (#9632)
2026-05-14 15:00:41 +02:00
Andrey Antukh
fd19bf121f
📎 Update changelog
2026-05-14 14:23:59 +02:00
Alejandro Alonso
134391bc3a
Merge pull request #9633 from penpot/elenatorro-fix-auto-width
...
🐛 Fix regression on auto-width
2026-05-14 14:01:19 +02:00
Andrey Antukh
67d9567971
🐛 Prevent CSS injection vulnerability in font family names
...
Add a shared `schema:font-family` whitelist validator in
app.common.types.font that only allows letters, digits, spaces,
hyphens, underscores, and dots in font family names. Apply the schema
to create-font-variant and update-font RPC endpoints on the
backend, and add client-side validation in the dashboard fonts UI.
Include unit tests for the schema and integration tests for the RPC
handlers.
Signed-off-by: Andrey Antukh <niwi@niwi.nz>
2026-05-14 13:46:02 +02:00
Elena Torro
b13aedb231
🐛 Fix regression on auto-width
2026-05-14 13:43:00 +02:00
Alejandro Alonso
009e505ba1
Merge pull request #9570 from penpot/superalex-interactive-drag-crop-atlas-snapshopt
...
🎉 Rebuild drag-crop cache from tile textures with hybrid atlas fill
2026-05-14 13:14:36 +02:00
Alejandro Alonso
575f4b9df0
🎉 Optimize drag-crop cache rebuild path
2026-05-14 13:00:25 +02:00
Alejandro Alonso
d4be6686c7
🎉 Rebuild drag-crop cache from tile textures with hybrid atlas fill
2026-05-14 13:00:25 +02:00
Aitor Moreno
64f73ef23b
♻️ Remove Mutex from mem buffer (#9479)
2026-05-14 12:57:10 +02:00