restore #6314 to d30c93df37
- merged `main` to it
- resolved confilicts
- squashed all commits into a single commit and sign it ( I had to do
this as signing the past unsigned commits was difficult it was messing
up the history everytime I tried )
The Norwegian Bokmål (`nb_NO`) locale had fallen behind `en_US` by ~55
strings. This brings it up to date.
**Added** translations for the missing keys, including: AI image
generation (`generateImage`, `generating1`–`5`), audio recording
(`allowAudioAccess*`, `noAudio*`, `startAudioRecording`,
`stopAudioRecording`), required meta fields
(`missingRequiredMetaField*`), session recovery (`recoveredAllFiles`,
`recoveredXFiles`, `sessionRestored`), plugin names (`pluginName*`),
image compression (`compressedX`, `compressingImages`), and various UI
strings (`error`, `search`, `pleaseWait`, `unnamed`, `uploadStalled`,
etc.).
**Removed** keys no longer present in `en_US` (`backToSearch`,
`fileSource`, `selectFileNamed`, `timedOut`, `unselectFileNamed`).
**Fixed** `exceedsSize` to include the `%{file}` placeholder, and
aligned key order with `en_US`.
I'm a native Norwegian speaker and reviewed every string. Translation
was done with AI assistance (Claude) and checked by me.
---------
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
AI disclaimer : AI used
## Changes
- **jsdom 26 → 29** across all packages' devDependencies —
**except`@uppy/aws-s3`** (left at 26; that plugin is being rewritten and
its deps are handled on the rewrite branch).
- **`@uppy/xhr-upload` unit tests migrated from nock to MSW**, and
`nock` dropped from its devDependencies.
## Why the test migration was needed
jsdom **28** overhauled resource loading so `XMLHttpRequest` now goes
through jsdom's internal (undici-based) fetch instead of Node's `http`
module ([jsdom 28 release
notes](https://github.com/jsdom/jsdom/releases/tag/28.0.0)).
nock intercepts at the Node `http` / `http.ClientRequest` layer ([nock
README](https://github.com/nock/nock)), so it can no longer see uppy's
upload requests — the mocked responses never arrive and the tests time
out. (This is the long-standing nock + jsdom XHR incompatibility:
[nock#518](https://github.com/nock/nock/issues/518).)
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Part of the dev-dependency major-version upgrades. These required code
changes so they're split out from the no-code-change batch (#6315).
**AI Disclaimer** : AI Used
- **glob 8 → 13** — `@uppy/locales` scripts: the callback API was
removed, so `getPaths()` uses the promise form and `test.mjs` uses the
named `globSync`.
- **npm-packlist 5 → 11** — `upload-to-cdn.js`: v7+ takes an
`@npmcli/arborist` tree instead of `{ path }`; loads the tree and passes
it to `packlist()`. Adds `@npmcli/arborist` as a devDependency.
- **nock 13 → 14** (`@uppy/companion`) — the v14 @mswjs/interceptors
rewrite crashed the SSRF tests in `http-agent.test.ts`; nock
interception is now kept off by default and only activated for the one
test that mocks a host.
- **@types/use-sync-external-store 0 → 1** — `@uppy/react`: v1's exports
map only exposes extensionless subpaths, so imports use
`use-sync-external-store/shim` and `/with-selector` (runtime supports
both).
will do a separte PR for changes which would require code changes so
it's easier to review , didn't upgrade any deps for `@uppy/aws-s3` since
we'll merge the rewrite so I think we should do that upgrade in the
rewrite branch before merging.
update : Dependency upgrades which required code changes were raised
separately
- #6309
- #6310
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
this fixes#6287 , another similar attempted fix which didn't got merged
: #5683
in #5683 we discussed a more longer term solution but IMO that would be
a breaking change as it would change the event contract
AI Disclaimer : AI Used
This fix is Manually Tested across **Chrome and Firefox**
all the dev deps upgraded excepts for these :
- `@types/cors: 2.8.6`
- `@types/jsonwebtoken: 8.3.7`
- `@types/morgan: 1.7.37`
- `@types/node: ^20.19.0`
- `nock: ^13.1.3`
upgrading these to their latest major either breaks the test suite or
requires us to do code changes on our end.
#6297
---------
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
exact copy of #6175
- I will point the uppy deps upgrade pr to this PR's branch
- no other changes needed in this branch as #6175 was reviewed and all
the comments were resolved
this should be the order of merge :
1. #6300
2. uppy deps upgrade ( yet to be raised )
3. merge this to main
4. merge biome changes #6244
@mifi let me know if you think otherwise.
---------
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
## Why
Recent npm supply-chain compromises showed that dependency installs and
shared CI caches can execute or preserve newly published malicious
packages before advisories catch up. This PR reduces that exposure for
this repo.
## What changed
- Made eligible Yarn installs immutable and removed shared dependency
caching from the manual CDN upload path; existing minimal age gate
remains unchanged.
## Validation
- Ran `git diff --check` across the prepared worktree.
- Audited this PR set for `pull_request_target` and release/deploy/CDN
cache reuse; patched actionable hits.
- Did not run the full test suite; this is a workflow/config-only
change.
## Summary
- replace QEMU-based multi-platform build in
`.github/workflows/companion-deploy.yml` with native runner matrix
builds
- build amd64 on `ubuntu-24.04` and arm64 on `ubuntu-24.04-arm`
- push architecture-specific tags (`edge-amd64`, `edge-arm64`) and
publish `transloadit/companion:edge` as a manifest that references both
- add explicit workflow permissions (`contents: read`) and keep workflow
expression formatting consistent
- remove conflicting `DOCKER_BUILDKIT`/`COMPOSE_DOCKER_CLI_BUILD` env
overrides from the docker job
## Validation
- `corepack yarn check:ci` ✅
- baseline full run before edits: `corepack yarn check:ci && corepack
yarn build && corepack yarn test` (test step had pre-existing failures
in `@uppy/utils` due `Promise.withResolvers` in this environment)
- parallel validation (Code Review + CodeQL) ✅
## TODO
- [ ] do the same for release?
https://github.com/transloadit/uppy/blob/main/.github/workflows/release.yml
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mifi <402547+mifi@users.noreply.github.com>
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
Supersedes #6178.
This branch keeps the exact same final content as #6178, but splits
history for reviewability:
1. `chore(companion): rename source and test files from .js to .ts`
(pure `git mv`, no content changes)
2. `feat(companion): port Companion to TypeScript` (actual
content/type/schema/build updates)
Validation note:
- Final tree is byte-for-byte identical to `ts-companion`
(`7b5b16a298690b0492de4cc4fab744f998b45570`).
---------
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
fixes#6181
`uploadRemoteFile()` now treats one remote upload attempt as a single
queue-owned unit. Instead of queueing “request token” and “open
websocket / wait for upload” as two separate jobs, it now:
- acquires one queue slot
- reuses serverToken if resuming, otherwise requests a new
token
- immediately proceeds to the websocket/upload phase within
that same admitted attempt
That removes the stale-token race where Companion starts its 60s
socket-wait timer before the client’s websocket phase has actually been
admitted by the queue. Retries still reacquire the queue per attempt,
and existing abort/cancel behavior is
preserved.
refer
https://github.com/transloadit/uppy/issues/6181#issuecomment-4295036192
for more context about the bug
Fixes#6256
## Problem
When `fileManagerSelectionType` is set to `'folders'`, clicking the **My
Device** tab/button
still opens the file picker instead of the folder picker.
The inline "browse" link in the tagline correctly respects the setting,
but
`renderMyDeviceAcquirer` in `AddFiles.tsx` always called
`triggerFileInputClick`
regardless of the `fileManagerSelectionType` prop.
## Solution
`renderMyDeviceAcquirer` now reads `fileManagerSelectionType` and calls
`triggerFolderInputClick` when set to `'folders'`, or
`triggerFileInputClick`
for `'files'` and `'both'`.
For `'both'` mode, the button defaults to file selection because a
single
HTML `<input>` cannot handle both files and folders simultaneously
(`webkitdirectory` is all-or-nothing). The folder picker remains
accessible
via the tagline's "browse folders" link.
---------
Co-authored-by: Prakash <qxprakash@gmail.com>
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.
# Releases
## @uppy/utils@7.2.0
### Minor Changes
- 6b1abaa: Introduce modern, minimal TaskQueue to replace
RateLimitedQueue
## @uppy/xhr-upload@5.2.0
### Minor Changes
- 6b1abaa: Introduce modern, minimal TaskQueue to replace
RateLimitedQueue
### Patch Changes
- Updated dependencies [6b1abaa]
- @uppy/utils@7.2.0
## @uppy/companion@6.2.2
### Patch Changes
- 49db42d: Fix bug with 429 not returning JSON response with message
- 4652dc6: upgrade @aws-sdk/ deps in @uppy/companion
## @uppy/transloadit@5.5.1
### Patch Changes
- 4787960: Add type re-export for `AssemblyInstructionsInput`
- 2f6849d: Fix allowMultipleUploadBatches to prevent adding/removing
files while an upload is in progress (#6156)
- 29d2772: remove monkey patch from uppy bundle package
- Updated dependencies [6b1abaa]
- @uppy/utils@7.2.0
## uppy@5.2.4
### Patch Changes
- 29d2772: remove monkey patch from uppy bundle package
- a86c624: upgrade esbuild in uppy to "^0.27.0"
- Updated dependencies [6b1abaa]
- Updated dependencies [4787960]
- Updated dependencies [2f6849d]
- Updated dependencies [29d2772]
- @uppy/xhr-upload@5.2.0
- @uppy/transloadit@5.5.1
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
The `AssemblyInstructionsInput` type from `@transloadit/types` is now
publicly exported from `@uppy/transloadit`, allowing consumers to type
their assembly parameters without importing from the external package.
## Changes
- Re-exported `AssemblyInstructionsInput` type in
`packages/@uppy/transloadit/src/index.ts`
## Usage
```typescript
import type { AssemblyInstructionsInput } from '@uppy/transloadit'
const params: AssemblyInstructionsInput = {
steps: {
encode: {
robot: '/video/encode',
use: ':original',
preset: 'mp4',
},
},
}
```
The type was already imported internally and aliased as
`AssemblyParameters`. This change makes it available to plugin
consumers.
<!-- START COPILOT ORIGINAL PROMPT -->
<details>
<summary>Original prompt</summary>
> Make the AssemblyInstructionsInput type available from the
@uppy/transloadit package by re-exporting it from
packages/@uppy/transloadit/src/index.ts.
>
> Background
> - The Transloadit plugin imports the type AssemblyInstructionsInput
from the external package @transloadit/types and aliases it as
AssemblyParameters in packages/@uppy/transloadit/src/index.ts.
> - Consumers of the @uppy/transloadit package need direct access to the
AssemblyInstructionsInput type but it is not currently exported from the
plugin package.
>
> Change requested
> - Add a type re-export so that consumers can import
AssemblyInstructionsInput from the transloadit plugin package, e.g.
> import type { AssemblyInstructionsInput } from '@uppy/transloadit'
>
> Files to change
> - packages/@uppy/transloadit/src/index.ts
> - Add the following export alongside the other package exports (near
the end of the module where other exports live):
>
> ```typescript name=packages/@uppy/transloadit/src/index.ts
url=https://github.com/transloadit/uppy/blob/main/packages/@uppy/transloadit/src/index.ts
> -export { COMPANION_URL, COMPANION_ALLOWED_HOSTS }
> +export { COMPANION_URL, COMPANION_ALLOWED_HOSTS }
> +
> +// Re-export type from @transloadit/types so callers can import it
from the plugin package.
> +export type { AssemblyInstructionsInput } from '@transloadit/types'
> ```
>
> Notes
> - This is a purely type-only export and should be erased at compile
time; it does not add runtime code.
> - No other behavior or API surface should change.
>
> Please create a branch, apply the change, and open a pull request with
a descriptive title and a short description of the change. Run
TypeScript build checks if available.
>
</details>
<!-- START COPILOT CODING AGENT SUFFIX -->
*This pull request was created from Copilot chat.*
>
<!-- START COPILOT CODING AGENT TIPS -->
---
💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mifi <402547+mifi@users.noreply.github.com>
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.7 to 7.5.8.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6b8eba0ef3"><code>6b8eba0</code></a>
7.5.8</li>
<li><a
href="2cb1120bce"><code>2cb1120</code></a>
fix(unpack): improve UnpackSync symlink error "into" path
accuracy</li>
<li><a
href="d18e4e1f84"><code>d18e4e1</code></a>
fix: do not write linkpaths through symlinks</li>
<li>See full diff in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.7...v7.5.8">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for tar
since your current version.</p>
</details>
<details>
<summary>Install script changes</summary>
<p>This version adds <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
this fixes #6167
AI summary :
**The Bug: S3 Multipart Upload Fails with InvalidPart**
**What happened**
When uploading large files (200MB+) from Google Drive → Companion → S3
using multipart upload, the upload would reach ~96-100% and then fail
with S3's `InvalidPart` error on `CompleteMultipartUpload`.
*Root cause*
_A version mismatch between two AWS SDK packages caused by yarn dedupe._
Commit `3c3034b40` ("Dedupe dependencies #6085") ran `yarn dedupe`.
Companion had `@aws-sdk/client-s3` and `@aws-sdk/lib-storage` both at
`"^3.338.0"`, which previously both resolved to `3.600.0`. But the
`@uppy/transloadit` package elsewhere in the monorepo had
`"@aws-sdk/client-s3": "^3.891.0"`. Dedupe merged the resolutions —
`client-s3` jumped to `3.896.0` while `lib-storage` stayed at `3.600.0`.
*Why the mismatch matters*
AWS SDK `client-s3@3.896.0` introduced a _breaking behavioral change_ in
its checksum middleware:
• *Old (3.600.0):* Default checksum = MD5, no auto-injection.
`UploadPart` requests sent _no checksum header_.
• *New (3.896.0):* Default checksum = CRC32,
`requestChecksumCalculation` defaults to `"WHEN_SUPPORTED"`. The
middleware _auto-injects `x-amz-checksum-crc32`_ on every `UploadPart`
request.
The old `lib-storage@3.600.0` didn't know about this new behavior. It
called `CreateMultipartUpload` _without_ setting `ChecksumAlgorithm`.
Then `client-s3@3.896.0` added CRC32 checksums to each `UploadPart`. S3
saw parts with checksums that weren't declared at creation time →
rejected with `InvalidPart` at `CompleteMultipartUpload`.
*How the fixes work*
_Option A — `requestChecksumCalculation: 'WHEN_REQUIRED'`_ (workaround):
Tells the new `client-s3` to only add checksums when S3 requires them
(which it doesn't for `UploadPart`). This restores the old behavior — no
checksum headers, no mismatch.
_Option B — Upgrade all AWS SDK packages to `^3.986.0`_ (proper fix):
The new `lib-storage@3.986.0` is _aware_ of the CRC32 checksum behavior.
When it detects `requestChecksumCalculation = "WHEN_SUPPORTED"`, it
explicitly sets `ChecksumAlgorithm: "CRC32"` on the
`CreateMultipartUpload` call. Now S3 expects CRC32 checksums on the
parts, the parts have CRC32 checksums → everything is consistent →
upload succeeds.
*TL;DR*
`yarn dedupe` upgraded `client-s3` but not `lib-storage`. The new
`client-s3` started adding CRC32 checksums to parts, but the old
`lib-storage` didn't declare CRC32 at multipart creation time. S3
rejected the mismatch. Fix: upgrade both packages together so they agree
on checksum behavior.
## Implementation Plan for Transloadit allowMultipleUploadBatches Fix
- [x] Explore the codebase to understand existing structure
- [x] Review transloadit/src/index.ts
- [x] Review existing event handlers (#onError, #onCancelAll)
- [x] Review install() and uninstall() methods
- [x] Understand test structure
- [x] Implement the proper fix in
packages/@uppy/transloadit/src/index.ts
- [x] Set allowNewUpload: false at start of #prepareUpload
(preprocessor)
- [x] Reset allowNewUpload: true at end of #afterUpload (postprocessor)
- [x] Reset allowNewUpload: true in #prepareUpload error handler
- [x] Keep existing resets in #onError and #onCancelAll handlers
- [x] Removed event listener approach (was causing race conditions)
- [x] Update tests to match implementation
- [x] Test allowNewUpload lifecycle through actual upload flow
(preprocessor/postprocessor)
- [x] Test allowNewUpload reset on preprocessor error
- [x] Test allowNewUpload reset on error event
- [x] Test allowNewUpload reset on cancel-all
- [x] Remove obsolete event listener tests
<!-- START COPILOT CODING AGENT TIPS -->
---
💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mifi <402547+mifi@users.noreply.github.com>
Co-authored-by: Mikael Finstad <finstaden@gmail.com>