Commit graph

10548 commits

Author SHA1 Message Date
Prakash
f28afb9eea
Merge branch 'main' into restore/pr-6314 2026-06-28 08:53:15 +05:30
Mikael Finstad
cd34c9cf4f
upgrade @types/cors and @types/morgan (#6360)
see #6297

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-06-28 01:39:06 +02:00
prakash
4c30023e35
yarn check 2026-06-25 20:35:45 +05:30
prakash
a05035f70f
remove stale config and fix failing test 2026-06-25 20:34:11 +05:30
prakash
500e848eb8
#6287 fix squash all commits 2026-06-25 19:59:31 +05:30
Arvind
32b9f06a22
@uppy/locales: update Norwegian Bokmål (nb_NO) (#6346)
The Norwegian Bokmål (`nb_NO`) locale had fallen behind `en_US` by ~55
strings. This brings it up to date.

**Added** translations for the missing keys, including: AI image
generation (`generateImage`, `generating1`–`5`), audio recording
(`allowAudioAccess*`, `noAudio*`, `startAudioRecording`,
`stopAudioRecording`), required meta fields
(`missingRequiredMetaField*`), session recovery (`recoveredAllFiles`,
`recoveredXFiles`, `sessionRestored`), plugin names (`pluginName*`),
image compression (`compressedX`, `compressingImages`), and various UI
strings (`error`, `search`, `pleaseWait`, `unnamed`, `uploadStalled`,
etc.).

**Removed** keys no longer present in `en_US` (`backToSearch`,
`fileSource`, `selectFileNamed`, `timedOut`, `unselectFileNamed`).

**Fixed** `exceedsSize` to include the `%{file}` placeholder, and
aligned key order with `en_US`.

I'm a native Norwegian speaker and reviewed every string. Translation
was done with AI assistance (Claude) and checked by me.

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-06-23 22:37:53 +02:00
Kevin van Zonneveld
52cc4b3e5e
Pin third-party GitHub Actions to SHAs (#6327) 2026-06-08 19:51:10 +00:00
Prakash
981fcedd71
@uppy/upgrade devdeps v3 (#6319)
AI disclaimer: AI used
  
  ## Changes
  - **vite 7 → 8** 
- **@vitejs/plugin-react 4 → 6** (peer-requires vite ^8; drops Babel for
oxc)
- **@tailwindcss/vite 4.1 → 4.3** (first 4.x with a vite ^8 peer range)
- `examples/react/vitest.config.ts`: add `resolve.dedupe: ['react',
'react-dom']` : reason explained in comments
2026-06-03 15:39:24 +05:30
Prakash
675b48fa14
@uppy/upgrade devdeps v2 (#6318)
AI disclaimer : AI used

## Changes
- **jsdom 26 → 29** across all packages' devDependencies —
**except`@uppy/aws-s3`** (left at 26; that plugin is being rewritten and
its deps are handled on the rewrite branch).
- **`@uppy/xhr-upload` unit tests migrated from nock to MSW**, and
`nock` dropped from its devDependencies.
  ## Why the test migration was needed
jsdom **28** overhauled resource loading so `XMLHttpRequest` now goes
through jsdom's internal (undici-based) fetch instead of Node's `http`
module ([jsdom 28 release
notes](https://github.com/jsdom/jsdom/releases/tag/28.0.0)).
nock intercepts at the Node `http` / `http.ClientRequest` layer ([nock
README](https://github.com/nock/nock)), so it can no longer see uppy's
upload requests — the mocked responses never arrive and the tests time
out. (This is the long-standing nock + jsdom XHR incompatibility:
[nock#518](https://github.com/nock/nock/issues/518).)

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-03 15:30:55 +05:30
Prakash
1427add64a
@uppy/upgrade-devdeps-v1 (#6317)
Part of the dev-dependency major-version upgrades. These required code
changes so they're split out from the no-code-change batch (#6315).

**AI Disclaimer** : AI Used

- **glob 8 → 13** — `@uppy/locales` scripts: the callback API was
removed, so `getPaths()` uses the promise form and `test.mjs` uses the
named `globSync`.
- **npm-packlist 5 → 11** — `upload-to-cdn.js`: v7+ takes an
`@npmcli/arborist` tree instead of `{ path }`; loads the tree and passes
it to `packlist()`. Adds `@npmcli/arborist` as a devDependency.
- **nock 13 → 14** (`@uppy/companion`) — the v14 @mswjs/interceptors
rewrite crashed the SSRF tests in `http-agent.test.ts`; nock
interception is now kept off by default and only activated for the one
test that mocks a host.
- **@types/use-sync-external-store 0 → 1** — `@uppy/react`: v1's exports
map only exposes extensionless subpaths, so imports use
`use-sync-external-store/shim` and `/with-selector` (runtime supports
both).
2026-06-03 14:38:14 +05:30
Prakash
d7aaab7ad1
@uppy: upgrade dev deps (#6315)
addresses #6297

I'll raise another PR which would include deps which require code
changes
2026-06-02 10:48:58 +08:00
Prakash
7ea7530997
upgrade playwright (#6316)
fixes the timeout which we're facing in "CI / Test" in the past few days
which gets stuck at "Install Playwright Browsers"


https://github.com/transloadit/uppy/actions/runs/26646754991/job/78534314307?pr=6315

tested on my local fork
2026-06-01 18:08:22 +05:30
Prakash
c3c7cef4ed
@uppy: upgrade deps (#6307)
will do a separte PR for changes which would require code changes so
it's easier to review , didn't upgrade any deps for `@uppy/aws-s3` since
we'll merge the rewrite so I think we should do that upgrade in the
rewrite branch before merging.

update : Dependency upgrades which required code changes were raised
separately

- #6309 
- #6310

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-05-29 18:58:42 +05:30
Prakash
ef370da2b3
Revert "@uppy/tus: don't abort errored request" (#6313)
Reverts transloadit/uppy#6312
2026-05-29 18:48:40 +05:30
Prakash
51acfe9e6c
@uppy/tus: don't abort errored request (#6312)
this fixes #6287 , another similar attempted fix which didn't got merged
: #5683

in #5683 we discussed a more longer term solution but IMO that would be
a breaking change as it would change the event contract

AI Disclaimer : AI Used 

This fix is Manually Tested across **Chrome and Firefox**
2026-05-29 18:42:58 +05:30
Prakash
5519b84409
@uppy: upgrade biome and more improvements (#6244)
- This PR upgrades `biome` from `2.0.5` -> `2.1.2` and adds two new
rules
-
[noUnusedImports](https://biomejs.dev/linter/rules/no-unused-private-class-members)
( we already had suppressions for this rule in code, but the rule itself
was never enabled in the config )
-
[noUnusedPrivateClassMembers](https://biomejs.dev/linter/rules/no-unused-private-class-members/)
- remove stale suppressions. 
- remove stale code.

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-21 12:28:03 +08:00
Prakash
9143d41bc2
@uppy/companion: upgrade dev deps (#6300)
all the dev deps upgraded excepts for these : 

  - `@types/cors: 2.8.6`
  - `@types/jsonwebtoken: 8.3.7`
  - `@types/morgan: 1.7.37`
  - `@types/node: ^20.19.0`
  - `nock: ^13.1.3`
  
upgrading these to their latest major either breaks the test suite or
requires us to do code changes on our end.
  
  #6297

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-21 12:26:42 +08:00
Mikael Finstad
3c537e2780
Companion upgrade deps (#6305)
recreates #6296

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-05-21 12:07:05 +08:00
Prakash
d9d44ce5e5
upgrade to express v5 (#6304)
exact copy of #6175 

- I will point the uppy deps upgrade pr to this PR's branch
- no other changes needed in this branch as #6175 was reviewed and all
the comments were resolved

this should be the order of merge : 

1. #6300
2. uppy deps upgrade ( yet to be raised ) 
3. merge this to main
4. merge biome changes #6244 

@mifi let me know if you think otherwise.

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-21 11:14:23 +08:00
Prakash
d9742ba4e4
Revert "Upgrade to express 5" (#6303)
Reverts transloadit/uppy#6175
2026-05-21 02:36:00 +05:30
Mikael Finstad
489d76717c
Upgrade to express 5 (#6175)
closes #6157

https://expressjs.com/en/guide/migrating-5.html

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-05-20 21:06:46 +05:30
Prakash
ca916f6580
@uppy/transloadit: fix stale assemblyStatus in 'transloadit:assembly-cancelled' event (#6294)
@mifi this is small change which we missed , based on our discussion in
uppy call.

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-20 13:03:47 +08:00
Prakash
622daa498c
@uppy/examples: update examples after recent breaking changes (#6299) 2026-05-18 21:03:42 +05:30
Mikael Finstad
5efc32a2e7
remove angular eslint (#6164)
closes #6161

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-05-18 20:35:10 +08:00
Prakash
12de077e6d
remove @uppy/instagram (#6257)
closes #5455 , this PR removes all Instagram support from both the
client and Companion server.

Removed:
- Instagram from @uppy/remote-sources (src, package.json, keywords)
- Instagram export from uppy bundle (bundle.ts, index.ts, package.json)
- Companion Instagram OAuth provider (provider/index.js, grant.js)
- Companion standalone helper Instagram env vars (helper.js,
env_example)
- All Companion Instagram tests (providers.test.js,
provider-manager.test.js, fixtures/index.js, mockserver.js)
2026-05-13 14:42:10 +05:30
Prakash
57f8daf55d
@uppy/transloadit: add AssemblyStatus to plugin state (#6267)
- fixes content repo testing area bug
https://github.com/transloadit/content/issues/4943 (tested locally in
content repo)
- Simplifies the testing area code — no need to manually construct the
assembly object and listen for multiple events; just subscribe to state
using `useUppyState` and that's it (tested locally in content repo)
- Addresses
https://transloadit.slack.com/archives/C0AFZGN6W2F/p1775580430051829?thread_ts=1775555821.837409&cid=C0AFZGN6W2F
(one of our customers wanted to create a custom UI around assembly
execution); this would become much easier now (need to verify)
- Addresses
9474e8d8e7/_console/js/features/templates/components/TestingArea/uppy.tsx (L131-L147)
- Partially addresses #6264
2026-05-13 02:52:53 +05:30
Kevin van Zonneveld
0e09bd2096
Harden dependency installs (#6291)
## Why
Recent npm supply-chain compromises showed that dependency installs and
shared CI caches can execute or preserve newly published malicious
packages before advisories catch up. This PR reduces that exposure for
this repo.

## What changed
- Made eligible Yarn installs immutable and removed shared dependency
caching from the manual CDN upload path; existing minimal age gate
remains unchanged.

## Validation
- Ran `git diff --check` across the prepared worktree.
- Audited this PR set for `pull_request_target` and release/deploy/CDN
cache reuse; patched actionable hits.
- Did not run the full test suite; this is a workflow/config-only
change.
2026-05-12 14:14:10 +02:00
Copilot
b32781e280
ci: remove qemu from companion edge deploy workflow (#6282)
## Summary
- replace QEMU-based multi-platform build in
`.github/workflows/companion-deploy.yml` with native runner matrix
builds
- build amd64 on `ubuntu-24.04` and arm64 on `ubuntu-24.04-arm`
- push architecture-specific tags (`edge-amd64`, `edge-arm64`) and
publish `transloadit/companion:edge` as a manifest that references both
- add explicit workflow permissions (`contents: read`) and keep workflow
expression formatting consistent
- remove conflicting `DOCKER_BUILDKIT`/`COMPOSE_DOCKER_CLI_BUILD` env
overrides from the docker job

## Validation
- `corepack yarn check:ci` 
- baseline full run before edits: `corepack yarn check:ci && corepack
yarn build && corepack yarn test` (test step had pre-existing failures
in `@uppy/utils` due `Promise.withResolvers` in this environment)
- parallel validation (Code Review + CodeQL) 

## TODO
- [ ] do the same for release?
https://github.com/transloadit/uppy/blob/main/.github/workflows/release.yml

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mifi <402547+mifi@users.noreply.github.com>
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-10 13:00:03 +08:00
Mikael Finstad
ad4050b51e
Send token using websocket (#6248)
instead of window.opener - it is more robust

inspired by #4110
closes #6246
closes #4107

Biggest caveat: In cases where window.opener is null (Dropbox), the auth
window will not be auto closed (I don't know how to fix that). It will
show the user a message "Authentication successful. You may now close
this page."
https://github.com/transloadit/uppy/pull/6248/changes#diff-ef5b69c4ab5b83168eaba6f57047bb07c53e3a426f375b42fcb32d79c746872cR22

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Prakash <qxprakash@gmail.com>
2026-05-09 15:03:04 +08:00
Kevin van Zonneveld
f1de25fd6e
Add Yarn npm package age gate (#6281)
## Summary
- add Yarn's native `npmMinimalAgeGate` with a 2 day / 2880 minute
cooldown to help protect against supply chain attacks
- rely on the existing Yarn 4.12.0 install path instead of a custom
package-age script

Closes #5974.

## Verification
- `corepack yarn config get npmMinimalAgeGate` -> `2880`
- `corepack yarn install --immutable`
- `corepack yarn check`
2026-05-07 15:36:44 +02:00
Kevin van Zonneveld
e99a17f1fe
companion: port to TypeScript (#6179)
Supersedes #6178.

This branch keeps the exact same final content as #6178, but splits
history for reviewability:

1. `chore(companion): rename source and test files from .js to .ts`
(pure `git mv`, no content changes)
2. `feat(companion): port Companion to TypeScript` (actual
content/type/schema/build updates)

Validation note:
- Final tree is byte-for-byte identical to `ts-companion`
(`7b5b16a298690b0492de4cc4fab744f998b45570`).

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-04 20:50:43 +08:00
Prakash
7ac262374f
@uppy/companion-client: fix stale websocket connection (#6269)
fixes #6181

`uploadRemoteFile()` now treats one remote upload attempt as a single
queue-owned unit. Instead of queueing “request token” and “open
websocket / wait for upload” as two separate jobs, it now:

  - acquires one queue slot
  - reuses serverToken if resuming, otherwise requests a new
    token
  - immediately proceeds to the websocket/upload phase within
    that same admitted attempt

That removes the stale-token race where Companion starts its 60s
socket-wait timer before the client’s websocket phase has actually been
admitted by the queue. Retries still reacquire the queue per attempt,
and existing abort/cancel behavior is
preserved.

refer
https://github.com/transloadit/uppy/issues/6181#issuecomment-4295036192
for more context about the bug
2026-04-30 01:54:15 +05:30
Prakash
588e1c0f88
@uppy/core: fix stale comments (#6272)
reported in https://github.com/transloadit/uppy/issues/6270
2026-04-24 17:00:50 +05:30
Enver
b9253f797a
@uppy/dashboard: My Device button respects fileManagerSelectionType (#6258)
Fixes #6256

## Problem

When `fileManagerSelectionType` is set to `'folders'`, clicking the **My
Device** tab/button
still opens the file picker instead of the folder picker.

The inline "browse" link in the tagline correctly respects the setting,
but
`renderMyDeviceAcquirer` in `AddFiles.tsx` always called
`triggerFileInputClick`
regardless of the `fileManagerSelectionType` prop.

## Solution

`renderMyDeviceAcquirer` now reads `fileManagerSelectionType` and calls
`triggerFolderInputClick` when set to `'folders'`, or
`triggerFileInputClick`
for `'files'` and `'both'`.

For `'both'` mode, the button defaults to file selection because a
single
HTML `<input>` cannot handle both files and folders simultaneously
(`webkitdirectory` is all-or-nothing). The folder picker remains
accessible
via the tagline's "browse folders" link.

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-04-24 16:00:02 +05:30
Prakash
71a34b9b37
remove stale heroku job (#6254)
context :
https://transloadit.slack.com/archives/C0FMW9PSB/p1774888069486179
2026-04-08 14:05:59 +02:00
github-actions[bot]
dabd878b87
[ci] release (#6170)
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## @uppy/utils@7.2.0

### Minor Changes

- 6b1abaa: Introduce modern, minimal TaskQueue to replace
RateLimitedQueue

## @uppy/xhr-upload@5.2.0

### Minor Changes

- 6b1abaa: Introduce modern, minimal TaskQueue to replace
RateLimitedQueue

### Patch Changes

-   Updated dependencies [6b1abaa]
    -   @uppy/utils@7.2.0

## @uppy/companion@6.2.2

### Patch Changes

-   49db42d: Fix bug with 429 not returning JSON response with message
-   4652dc6: upgrade @aws-sdk/ deps in @uppy/companion

## @uppy/transloadit@5.5.1

### Patch Changes

-   4787960: Add type re-export for `AssemblyInstructionsInput`
- 2f6849d: Fix allowMultipleUploadBatches to prevent adding/removing
files while an upload is in progress (#6156)
-   29d2772: remove monkey patch from uppy bundle package
-   Updated dependencies [6b1abaa]
    -   @uppy/utils@7.2.0

## uppy@5.2.4

### Patch Changes

-   29d2772: remove monkey patch from uppy bundle package
-   a86c624: upgrade esbuild in uppy to "^0.27.0"
-   Updated dependencies [6b1abaa]
-   Updated dependencies [4787960]
-   Updated dependencies [2f6849d]
-   Updated dependencies [29d2772]
    -   @uppy/xhr-upload@5.2.0
    -   @uppy/transloadit@5.5.1

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-03-25 20:59:50 +05:30
Prakash
2f6849d4da
add missing changeset for #6156 (#6242)
context :
https://transloadit.slack.com/archives/C0FMW9PSB/p1774438325564219

is this the right way to add missing changeset ?
2026-03-25 20:18:18 +05:30
Prakash
1b4c246034
@uppy/examples: update transloadit example (#6238)
discovered while testing the `@uppy/transloadit` plugin 
ideally these examples should have been updated in
c4455ebba
2026-03-21 11:45:17 +05:30
Prakash
a86c6240f4
@uppy: upgrade esbuild from "^0.25.0" -> "^0.27.0" (#6235)
this should fix CI error in bundlers workflow , more context :
https://transloadit.slack.com/archives/C0FMW9PSB/p1773989607853769?thread_ts=1773336079.954969&cid=C0FMW9PSB
2026-03-20 18:09:06 +05:30
Prakash
ddae349193
@uppy/examples: mock tus endpoint for react, vue and svelte tests (#6215)
this fixes #6176

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-03-11 14:05:24 +08:00
Prakash
29d27726c8
remove monkey patch in bundle.ts (#6207)
full context here :
https://transloadit.slack.com/archives/C0FMW9PSB/p1771342759948189

I tested the local bundle it works as expected with the same API and 15%
reduced bundle size.
2026-03-09 00:07:53 +05:30
Copilot
47879609c7
Export AssemblyInstructionsInput type from @uppy/transloadit (#6184)
The `AssemblyInstructionsInput` type from `@transloadit/types` is now
publicly exported from `@uppy/transloadit`, allowing consumers to type
their assembly parameters without importing from the external package.

## Changes

- Re-exported `AssemblyInstructionsInput` type in
`packages/@uppy/transloadit/src/index.ts`

## Usage

```typescript
import type { AssemblyInstructionsInput } from '@uppy/transloadit'

const params: AssemblyInstructionsInput = {
  steps: {
    encode: {
      robot: '/video/encode',
      use: ':original',
      preset: 'mp4',
    },
  },
}
```

The type was already imported internally and aliased as
`AssemblyParameters`. This change makes it available to plugin
consumers.

<!-- START COPILOT ORIGINAL PROMPT -->



<details>

<summary>Original prompt</summary>

> Make the AssemblyInstructionsInput type available from the
@uppy/transloadit package by re-exporting it from
packages/@uppy/transloadit/src/index.ts.
> 
> Background
> - The Transloadit plugin imports the type AssemblyInstructionsInput
from the external package @transloadit/types and aliases it as
AssemblyParameters in packages/@uppy/transloadit/src/index.ts.
> - Consumers of the @uppy/transloadit package need direct access to the
AssemblyInstructionsInput type but it is not currently exported from the
plugin package.
> 
> Change requested
> - Add a type re-export so that consumers can import
AssemblyInstructionsInput from the transloadit plugin package, e.g.
>   import type { AssemblyInstructionsInput } from '@uppy/transloadit'
> 
> Files to change
> - packages/@uppy/transloadit/src/index.ts
> - Add the following export alongside the other package exports (near
the end of the module where other exports live):
> 
> ```typescript name=packages/@uppy/transloadit/src/index.ts
url=https://github.com/transloadit/uppy/blob/main/packages/@uppy/transloadit/src/index.ts
> -export { COMPANION_URL, COMPANION_ALLOWED_HOSTS }
> +export { COMPANION_URL, COMPANION_ALLOWED_HOSTS }
> +
> +// Re-export type from @transloadit/types so callers can import it
from the plugin package.
> +export type { AssemblyInstructionsInput } from '@transloadit/types'
> ```
> 
> Notes
> - This is a purely type-only export and should be erased at compile
time; it does not add runtime code.
> - No other behavior or API surface should change.
> 
> Please create a branch, apply the change, and open a pull request with
a descriptive title and a short description of the change. Run
TypeScript build checks if available.
> 


</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mifi <402547+mifi@users.noreply.github.com>
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-03-02 10:38:57 +08:00
Merlijn Vos
23cbd4a05a
@uppy/xhr-upload: add browser tests (#6169)
Good to have actual browser tests for this uploader.
2026-02-19 15:10:17 +01:00
dependabot[bot]
53f5b44f4b
build(deps): bump docker/build-push-action from 6.15.0 to 6.19.2 (#6183)
Bumps
[docker/build-push-action](https://github.com/docker/build-push-action)
from 6.15.0 to 6.19.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/build-push-action/releases">docker/build-push-action's
releases</a>.</em></p>
<blockquote>
<h2>v6.19.2</h2>
<ul>
<li>Preserve port in <code>GIT_AUTH_TOKEN</code> host by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1458">docker/build-push-action#1458</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.19.1...v6.19.2">https://github.com/docker/build-push-action/compare/v6.19.1...v6.19.2</a></p>
<h2>v6.19.1</h2>
<ul>
<li>Derive <code>GIT_AUTH_TOKEN</code> host from GitHub server URL by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1456">docker/build-push-action#1456</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.19.0...v6.19.1">https://github.com/docker/build-push-action/compare/v6.19.0...v6.19.1</a></p>
<h2>v6.19.0</h2>
<ul>
<li>Scope default git auth token to <code>github.com</code> by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1451">docker/build-push-action#1451</a></li>
<li>Bump brace-expansion from 1.1.11 to 1.1.12 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1396">docker/build-push-action#1396</a></li>
<li>Bump form-data from 2.5.1 to 2.5.5 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1391">docker/build-push-action#1391</a></li>
<li>Bump js-yaml from 3.14.1 to 3.14.2 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1429">docker/build-push-action#1429</a></li>
<li>Bump lodash from 4.17.21 to 4.17.23 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1446">docker/build-push-action#1446</a></li>
<li>Bump tmp from 0.2.3 to 0.2.4 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1398">docker/build-push-action#1398</a></li>
<li>Bump undici from 5.28.4 to 5.29.0 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1397">docker/build-push-action#1397</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.18.0...v6.19.0">https://github.com/docker/build-push-action/compare/v6.18.0...v6.19.0</a></p>
<h2>v6.18.0</h2>
<ul>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.61.0 to 0.62.1 in
<a
href="https://redirect.github.com/docker/build-push-action/pull/1381">docker/build-push-action#1381</a></li>
</ul>
<blockquote>
<p>[!NOTE]
<a
href="https://docs.docker.com/build/ci/github-actions/build-summary/">Build
summary</a> is now supported with <a
href="https://docs.docker.com/build-cloud/">Docker Build Cloud</a>.</p>
</blockquote>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.17.0...v6.18.0">https://github.com/docker/build-push-action/compare/v6.17.0...v6.18.0</a></p>
<h2>v6.17.0</h2>
<ul>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.59.0 to 0.61.0 by
<a href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in
<a
href="https://redirect.github.com/docker/build-push-action/pull/1364">docker/build-push-action#1364</a></li>
</ul>
<blockquote>
<p>[!NOTE]
Build record is now exported using the <a
href="https://docs.docker.com/reference/cli/docker/buildx/history/export/"><code>buildx
history export</code></a> command instead of the legacy export-build
tool.</p>
</blockquote>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.16.0...v6.17.0">https://github.com/docker/build-push-action/compare/v6.16.0...v6.17.0</a></p>
<h2>v6.16.0</h2>
<ul>
<li>Handle no default attestations env var by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1343">docker/build-push-action#1343</a></li>
<li>Only print secret keys in build summary output by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1353">docker/build-push-action#1353</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.56.0 to 0.59.0 in
<a
href="https://redirect.github.com/docker/build-push-action/pull/1352">docker/build-push-action#1352</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.15.0...v6.16.0">https://github.com/docker/build-push-action/compare/v6.15.0...v6.16.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="10e90e3645"><code>10e90e3</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1458">#1458</a>
from crazy-max/git-auth-port</li>
<li><a
href="5262538458"><code>5262538</code></a>
chore: update generated content</li>
<li><a
href="cd130e45cb"><code>cd130e4</code></a>
preserve port in GIT_AUTH_TOKEN host</li>
<li><a
href="806c75105a"><code>806c751</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1452">#1452</a>
from crazy-max/update-yarn</li>
<li><a
href="601a80b39c"><code>601a80b</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1456">#1456</a>
from crazy-max/auth-token-dyn-host</li>
<li><a
href="8f7fd7c8c7"><code>8f7fd7c</code></a>
chore: update generated content</li>
<li><a
href="710e335474"><code>710e335</code></a>
derive GIT_AUTH_TOKEN host from GitHub server URL</li>
<li><a
href="c4ca8486a6"><code>c4ca848</code></a>
update yarn to 4.9.2</li>
<li><a
href="ee4ca427a2"><code>ee4ca42</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1398">#1398</a>
from docker/dependabot/npm_and_yarn/tmp-0.2.4</li>
<li><a
href="f1b3bb51af"><code>f1b3bb5</code></a>
chore: update generated content</li>
<li>Additional commits viewable in <a
href="471d1dc4e0...10e90e3645">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=docker/build-push-action&package-manager=github_actions&previous-version=6.15.0&new-version=6.19.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-19 10:02:54 +01:00
dependabot[bot]
63c56c9d1d
build(deps-dev): bump tar from 7.5.7 to 7.5.8 (#6185)
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.7 to 7.5.8.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6b8eba0ef3"><code>6b8eba0</code></a>
7.5.8</li>
<li><a
href="2cb1120bce"><code>2cb1120</code></a>
fix(unpack): improve UnpackSync symlink error &quot;into&quot; path
accuracy</li>
<li><a
href="d18e4e1f84"><code>d18e4e1</code></a>
fix: do not write linkpaths through symlinks</li>
<li>See full diff in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.7...v7.5.8">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for tar
since your current version.</p>
</details>
<details>
<summary>Install script changes</summary>
<p>This version adds <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tar&package-manager=npm_and_yarn&previous-version=7.5.7&new-version=7.5.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-19 10:02:39 +01:00
Prakash
4652dc6a4a
upgrade aws-sdk in @uppy/companion (#6180)
this fixes  #6167 

AI summary :

**The Bug: S3 Multipart Upload Fails with InvalidPart**

**What happened**
When uploading large files (200MB+) from Google Drive → Companion → S3
using multipart upload, the upload would reach ~96-100% and then fail
with S3's `InvalidPart` error on `CompleteMultipartUpload`.

*Root cause*
_A version mismatch between two AWS SDK packages caused by yarn dedupe._

Commit `3c3034b40` ("Dedupe dependencies #6085") ran `yarn dedupe`.
Companion had `@aws-sdk/client-s3` and `@aws-sdk/lib-storage` both at
`"^3.338.0"`, which previously both resolved to `3.600.0`. But the
`@uppy/transloadit` package elsewhere in the monorepo had
`"@aws-sdk/client-s3": "^3.891.0"`. Dedupe merged the resolutions —
`client-s3` jumped to `3.896.0` while `lib-storage` stayed at `3.600.0`.

*Why the mismatch matters*
AWS SDK `client-s3@3.896.0` introduced a _breaking behavioral change_ in
its checksum middleware:
• *Old (3.600.0):* Default checksum = MD5, no auto-injection.
`UploadPart` requests sent _no checksum header_.
• *New (3.896.0):* Default checksum = CRC32,
`requestChecksumCalculation` defaults to `"WHEN_SUPPORTED"`. The
middleware _auto-injects `x-amz-checksum-crc32`_ on every `UploadPart`
request.

The old `lib-storage@3.600.0` didn't know about this new behavior. It
called `CreateMultipartUpload` _without_ setting `ChecksumAlgorithm`.
Then `client-s3@3.896.0` added CRC32 checksums to each `UploadPart`. S3
saw parts with checksums that weren't declared at creation time →
rejected with `InvalidPart` at `CompleteMultipartUpload`.

*How the fixes work*

_Option A — `requestChecksumCalculation: 'WHEN_REQUIRED'`_ (workaround):
Tells the new `client-s3` to only add checksums when S3 requires them
(which it doesn't for `UploadPart`). This restores the old behavior — no
checksum headers, no mismatch.

_Option B — Upgrade all AWS SDK packages to `^3.986.0`_ (proper fix):
The new `lib-storage@3.986.0` is _aware_ of the CRC32 checksum behavior.
When it detects `requestChecksumCalculation = "WHEN_SUPPORTED"`, it
explicitly sets `ChecksumAlgorithm: "CRC32"` on the
`CreateMultipartUpload` call. Now S3 expects CRC32 checksums on the
parts, the parts have CRC32 checksums → everything is consistent →
upload succeeds.

*TL;DR*
`yarn dedupe` upgraded `client-s3` but not `lib-storage`. The new
`client-s3` started adding CRC32 checksums to parts, but the old
`lib-storage` didn't declare CRC32 at multipart creation time. S3
rejected the mismatch. Fix: upgrade both packages together so they agree
on checksum behavior.
2026-02-13 18:03:55 +05:30
Copilot
f6efd2ebcc
Fix allowMultipleUploadBatches by preventing file operations during upload (#6156)
## Implementation Plan for Transloadit allowMultipleUploadBatches Fix

- [x] Explore the codebase to understand existing structure
  - [x] Review transloadit/src/index.ts
  - [x] Review existing event handlers (#onError, #onCancelAll)
  - [x] Review install() and uninstall() methods
  - [x] Understand test structure
- [x] Implement the proper fix in
packages/@uppy/transloadit/src/index.ts
- [x] Set allowNewUpload: false at start of #prepareUpload
(preprocessor)
- [x] Reset allowNewUpload: true at end of #afterUpload (postprocessor)
  - [x] Reset allowNewUpload: true in #prepareUpload error handler
  - [x] Keep existing resets in #onError and #onCancelAll handlers
  - [x] Removed event listener approach (was causing race conditions)
- [x] Update tests to match implementation
- [x] Test allowNewUpload lifecycle through actual upload flow
(preprocessor/postprocessor)
  - [x] Test allowNewUpload reset on preprocessor error
  - [x] Test allowNewUpload reset on error event
  - [x] Test allowNewUpload reset on cancel-all
  - [x] Remove obsolete event listener tests

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mifi <402547+mifi@users.noreply.github.com>
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-02-09 21:42:43 +08:00
Mikael Finstad
49db42d72a
@uppy/companion: fix 429 not returning JSON response with message (#6177)
discovered by llm
2026-02-09 20:41:26 +08:00
Prakash
cb6d42a42f
@uppy/examples/aws-companion fix typo (#6174) 2026-02-09 13:59:31 +05:30
dependabot[bot]
41d7268af8
build(deps): bump next from 15.5.9 to 16.1.5 (#6160)
Bumps [next](https://github.com/vercel/next.js) from 15.5.9 to 16.1.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/next.js/releases">next's
releases</a>.</em></p>
<blockquote>
<h2>v16.1.5</h2>
<p>Please refer the following changelogs for more information about this
security release:</p>
<p><a
href="https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472">https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472</a>
<a
href="https://vercel.com/changelog/summary-of-cve-2026-23864">https://vercel.com/changelog/summary-of-cve-2026-23864</a></p>
<h2>v16.1.4</h2>
<blockquote>
<p>[!NOTE]
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Only filter next config if experimental flag is enabled (<a
href="https://redirect.github.com/vercel/next.js/issues/88733">#88733</a>)</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/mischnic"><code>@​mischnic</code></a> for
helping!</p>
<h2>v16.1.3</h2>
<blockquote>
<p>[!NOTE]
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Fix linked list bug in LRU deleteFromLru (<a
href="https://redirect.github.com/vercel/next.js/issues/88652">#88652</a>)</li>
<li>Fix relative same host redirects in node middleware (<a
href="https://redirect.github.com/vercel/next.js/issues/88253">#88253</a>)</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/acdlite"><code>@​acdlite</code></a> and <a
href="https://github.com/ijjk"><code>@​ijjk</code></a> for helping!</p>
<h2>v16.1.2</h2>
<blockquote>
<p>[!NOTE]
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Turbopack: Update to swc_core v50.2.3 (<a
href="https://redirect.github.com/vercel/next.js/issues/87841">#87841</a>)
(<a
href="https://redirect.github.com/vercel/next.js/issues/88296">#88296</a>)
<ul>
<li>Fixes a crash when processing mdx files with multibyte characters.
(<a
href="https://redirect.github.com/vercel/next.js/issues/87713">#87713</a>)</li>
</ul>
</li>
<li>Turbopack: <a
href="https://microsoft.github.io/mimalloc/">mimalloc</a> upgrade and
enabling it on musl (<a
href="https://redirect.github.com/vercel/next.js/issues/88503">#88503</a>)
(<a
href="https://redirect.github.com/vercel/next.js/issues/87815">#87815</a>)
(<a
href="https://redirect.github.com/vercel/next.js/issues/88426">#88426</a>)
<ul>
<li>Fixes <a
href="https://redirect.github.com/vercel/next.js/pull/88426">a
significant performance issue</a> on musl-based Linux distributions
(e.g. Alpine in Docker) related to musl's allocator.</li>
<li>Other platforms have always used mimalloc, but we previously did not
use mimalloc on musl because of compilation issues that have since been
resolved.</li>
</ul>
</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/mischnic"><code>@​mischnic</code></a> for
helping!</p>
<h2>v16.1.1</h2>
<blockquote>
<p>[!NOTE]
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="acba4a6b9f"><code>acba4a6</code></a>
v16.1.5</li>
<li><a
href="e1d1fc6525"><code>e1d1fc6</code></a>
Add maximum size limit for postponed body parsing (<a
href="https://redirect.github.com/vercel/next.js/issues/88175">#88175</a>)</li>
<li><a
href="500ec83743"><code>500ec83</code></a>
fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (<a
href="https://redirect.github.com/vercel/next.js/issues/88588">#88588</a>)</li>
<li><a
href="1caaca3cdb"><code>1caaca3</code></a>
feat(next/image)!: add <code>images.maximumResponseBody</code> config
(<a
href="https://redirect.github.com/vercel/next.js/issues/88183">#88183</a>)</li>
<li><a
href="522ed840be"><code>522ed84</code></a>
Sync DoS mitigations for React Flight</li>
<li><a
href="8cad197c76"><code>8cad197</code></a>
[backport][cna] Ensure created app is not considered the workspace root
in pn...</li>
<li><a
href="27186615d7"><code>2718661</code></a>
Backport/docs fixes (<a
href="https://redirect.github.com/vercel/next.js/issues/89031">#89031</a>)</li>
<li><a
href="53336250b3"><code>5333625</code></a>
Backport/docs fixes 16.1.5 (<a
href="https://redirect.github.com/vercel/next.js/issues/88916">#88916</a>)</li>
<li><a
href="60de6c2114"><code>60de6c2</code></a>
v16.1.4</li>
<li><a
href="5f75d22b80"><code>5f75d22</code></a>
backport: Only filter next config if experimental flag is enabled (<a
href="https://redirect.github.com/vercel/next.js/issues/88733">#88733</a>)
(#...</li>
<li>Additional commits viewable in <a
href="https://github.com/vercel/next.js/compare/v15.5.9...v16.1.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=next&package-manager=npm_and_yarn&previous-version=15.5.9&new-version=16.1.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-05 15:53:42 +01:00