Alf Eaton
979f065581
Upgrade to MathJax v4 (#15030)
...
GitOrigin-RevId: d1536bce67286da23e15aa18eb525dd83859978b
2026-06-03 08:05:55 +00:00
Copilot
a9a9f6ee6b
Migrate history-v1 recover_zip scripts from archiver to zip-stream (#32813)
...
* migrate recover_zip_from_backup from archiver to zip-stream
Replace the `archiver` package with `zip-stream` (the lower-level library
that `archiver` wraps) in the `recover_zip_from_backup.mjs` script and
`backupArchiver.mjs` library. The `archiver` package has known issues with
hanging when creating large zip files and is no longer actively maintained.
Changes:
- Add `zip-stream@^7.0.2` as a direct dependency
- Update `backupArchiver.mjs` to use promisified `ZipStream.entry()`
instead of `Archiver.append()`
- Rewrite `recover_zip_from_backup.mjs` to use `ZipStream` with
`stream/promises.pipeline` for cleaner async flow
- Keep `archiver` dependency for `project_archive.js` (separate code path)
Agent-Logs-Url: https://github.com/overleaf/internal/sessions/0df27a8b-97f1-43cc-ac26-f5247a84313f
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>
* extract finalize timeout to named constant
Agent-Logs-Url: https://github.com/overleaf/internal/sessions/0df27a8b-97f1-43cc-ac26-f5247a84313f
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>
* convert recover_zip.js to zip-stream, remove finalize timeout, add verbose logging
Agent-Logs-Url: https://github.com/overleaf/internal/sessions/9380d08a-d813-4e9f-a2ac-4891122c163b
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>
* add acceptance tests for recover_zip_from_backup in raw and latest modes
Agent-Logs-Url: https://github.com/overleaf/internal/sessions/9380d08a-d813-4e9f-a2ac-4891122c163b
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>
* fix comment formatting in recover_zip_from_backup.mjs
Agent-Logs-Url: https://github.com/overleaf/internal/sessions/9380d08a-d813-4e9f-a2ac-4891122c163b
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>
* restore EventEmitter.defaultMaxListeners in recover_zip.js, add acceptance test
Agent-Logs-Url: https://github.com/overleaf/internal/sessions/e7443126-22d5-4d0e-a176-a7a5dba49ffd
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>
* fix formatting
* refactor: simplify stream handling by using named imports for pipeline
* fix blob hash verification in backup acceptance tests
* fix recover_zip script and tests
* fix: exit with non-zero status on error in recover_zip.js
Agent-Logs-Url: https://github.com/overleaf/internal/sessions/ef3f109b-488f-47c9-84a5-b5269387166a
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>
* migrate from npm to yarn
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>
Co-authored-by: Brian Gough <briangough@users.noreply.github.com>
GitOrigin-RevId: 6255f9610f3c846790e2ed8b1979ac08b7effece
2026-06-02 08:08:18 +00:00
Brian Gough
b8067723b6
Merge pull request #33628 from overleaf/lg-otel-security-upgrade
...
Bump @opentelemetry/sdk-node and auto-instrumentations-node (GHSA-q7rr-3cgh-j5r3)
GitOrigin-RevId: 2d5bac25735e9ef8a462423505f142f49ef73d8b
2026-06-02 08:06:52 +00:00
Miguel Serrano
63852c5934
[web] bump js-yaml in reference-parser (#33953)
...
* [web] bump `js-yaml` in `reference-parser`
`.yarn/patches/referer-parser-npm-0.0.3.patch` bumps the `js-yaml` dependency,
but yarn patches don't take the patched package.json into account for dependency resolution.
* Add RequestHelper test
GitOrigin-RevId: 8246f8ab54956897cc361d7c02b65e5363ad43ec
2026-05-29 08:06:27 +00:00
Lucie Germain
5e47353ad4
[Security upgrade] Pin @babel/plugin-transform-modules-systemjs to 7.29.4 via resolutions (GHSA-fv7c-fp4j-7gwp) (#33650)
...
* Pin @babel/plugin-transform-modules-systemjs to 7.29.4 via resolutions (GHSA-fv7c-fp4j-7gwp)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Fix missing comma in package.json resolutions
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com>
GitOrigin-RevId: d6f3e72234d64fd0afb8676b8652cc03b0cddbe0
2026-05-28 08:07:54 +00:00
Lucie Germain
a4e7d90cf1
[Security upgrade] pin js-cookie to 3.0.7 (#33960)
...
* pin js-cookie to 3.0.7 in root yarn.lock
* drop unnecessary js-cookie resolution; ^3.0.5 already permits 3.0.7
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
GitOrigin-RevId: e7803a04aa76daea574e6b1e67b3d6c42134945e
2026-05-28 08:07:49 +00:00
Andrew Rumble
9daa56becc
Merge pull request #33079 from overleaf/ar-remove-request-from-clsi
...
[clsi] remove request library
GitOrigin-RevId: 4690c476157fc2829e516d91f688f9424f8c162f
2026-05-28 08:07:11 +00:00
Andrew Rumble
dddefc9e30
Merge pull request #33962 from overleaf/lg-uuid-security-upgrade
...
[Security upgrade] pin uuid to 11.1.1 in root yarn.lock
GitOrigin-RevId: 873da40311c0e67fc3eb7eb0c484475d1e515148
2026-05-28 08:06:59 +00:00
Miguel Serrano
21902e7a55
[CE/SP] Remove non-production dependencies (#33949)
...
Some non-production dependencies were bundled in the CE and SP images:
- `lint` was pulled as production dependency by `eslint-plugin`. Moving to peer-dependency, which is the usual strategy, addresses the issue.
- Yarn cache wasn't purged. By adding `/usr/local/share/.cache/yarn` to the mounts we ensure it's also cleaned.
GitOrigin-RevId: f328592c8f8de7193295839578e239a975fe30aa
2026-05-28 08:06:51 +00:00
Miguel Serrano
14b04ad4b8
[project-history] Removed request dependency (#32686)
...
* [project-history] Removed `request` dependency
GitOrigin-RevId: 086bbbf2efeea6026127653a1f68ca6bf0476de6
2026-05-28 08:06:04 +00:00
Miguel Serrano
8ce9d184cb
[migrations] pin underscore version to 1.13.8 (#33951)
...
`east` is the only workspace pointing to an old version of `underscore`, which is now pinned to `1.13.8` the same way it's done for `argparse`.
GitOrigin-RevId: a938067ba62aca7b73e15f030d9c341f9337c26d
2026-05-28 08:05:30 +00:00
Eric Mc Sween
52a8a447aa
Merge pull request #33909 from overleaf/em-remove-tpdsworker
...
Remove tpdsworker service
GitOrigin-RevId: 9014d7d5bdc4e3cc7a7168d93b90ef8aa72d0c1a
2026-05-27 08:08:00 +00:00
Jakob Ackermann
c7b56ff295
[monorepo] remove contacts service (#33550)
...
GitOrigin-RevId: 15478243e4d6a56b81eee28f76f9ef7dc54a45d7
2026-05-27 08:07:19 +00:00
Lucie Germain
ae00bcbeca
[Security Upgrade]: pin @xmldom/xmldom to 0.8.13 (#33373)
...
Adds a resolution in root package.json to force all consumers to
@xmldom/xmldom@0.8.13, fixing GHSA-wh4c-j3r5-mjhp, GHSA-j759-j44w-7fr8,
GHSA-x6wf-f3px-wcqx, GHSA-f6ww-3ggp-fr8h, and GHSA-2v35-w6hq-6mfw.
The vulnerable 0.7.13 entry in yarn.lock is replaced by 0.8.13
(minimum safe version across all five advisories).
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
GitOrigin-RevId: e1a301e3a1d637894284f35238ca0e8c23534276
2026-05-25 08:05:19 +00:00
Lucie Germain
6fa708982b
Pin argparse/underscore to 1.13.8 via yarn resolution (#33364)
...
Fixes GHSA-cf4h-3jhx-xvhq (critical, arbitrary code execution) and
GHSA-qpx9-hpmf-5gmw (high, DoS via _.flatten/_.isEqual).
Vulnerable underscore@1.7.0 came from js-yaml@2.1.3 → argparse@0.1.16.
All other instances were already ≥1.13.8.
GitOrigin-RevId: b2ab4bc2682e19709694b7dd686134a439ade90c
2026-05-22 08:06:48 +00:00
Olzhas Askar
bb0dc07d22
Merge pull request #33741 from overleaf/lg-sanitize-html-upgrade
...
[Security upgrade] Upgrade sanitize-html to 2.17.4 (GHSA-rpr9-rxv7-x643)
GitOrigin-RevId: 40a11361eac35d44a6fd7069e0d0d7c02a6628ec
2026-05-21 08:06:33 +00:00
Miguel Serrano
107189cd5f
[web] Clear hardcoded password in external SP auth (#33597)
...
registerExternalAuthAdmin() now generates a random password on admin registration.
A migration clears the password for existing installs only in CE/SP
GitOrigin-RevId: 94a82d35dc8cd46915c31fb24f477c19367025eb
2026-05-21 08:06:07 +00:00
Mathias Jakobsen
5d4f38e57a
Merge pull request #33629 from overleaf/lg-fast-uri-resolution
...
[Security upgrade] Pin fast-uri to 3.1.2 via resolutions (GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc)
GitOrigin-RevId: 154e742e12cb68e8b1c8d5b88e1a188160746784
2026-05-20 08:07:34 +00:00
Eric Mc Sween
2f32b9d61e
Merge pull request #32706 from overleaf/em-dropbox-queue
...
[third-party-datastore] Apply Dropbox→Overleaf updates inline, removing queue hop
GitOrigin-RevId: 1ea17eefe57aaf32634ce3395682f7eac2e53dc5
2026-05-20 08:07:10 +00:00
Lucie Germain
2f08f6f6eb
Bump mongoose to 8.22.1 (GHSA-wpg9-53fq-2r8h) (#33648)
...
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
GitOrigin-RevId: f092e8d914ea5825e285fe4741bb42dd2c5d5fa3
2026-05-20 08:07:05 +00:00
Andrew Rumble
e9aedce4ab
Merge pull request #33625 from overleaf/ar-update-vitest
...
[monorepo] bump vitest to 4.1.5
GitOrigin-RevId: 22ba2249ae384fd59347c9aa45c70f51ccdf8890
2026-05-18 08:06:49 +00:00
Andrew Rumble
19ad00c329
Merge pull request #33743 from overleaf/lg-systeminformation-upgrade
...
[Security Upgrade] Upgrade systeminformation to 5.31.6 (GHSA-hvx9-hwr7-wjj9)
GitOrigin-RevId: bd75d2bc59e183d23972e367f40f753c08ca6967
2026-05-18 08:06:41 +00:00
Andrew Rumble
25dfaab2a1
Merge pull request #33641 from overleaf/lg-fast-xml-builder-resolution
...
[Security upgrade] Pin fast-xml-builder to 1.1.7 via resolutions (GHSA-5wm8-gmm8-39j9, GHSA-45c6-75p6-83cc)
GitOrigin-RevId: ab13841bd8c20da98a136567cf7436ebb9f73722
2026-05-15 08:08:40 +00:00
renovate[bot]
fc66bbfb26
[CoreI] Update dependency axios to v1.15.2 from 1.15.0 [SECURITY] (#33398)
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 567d0e7463084e872187a72085714f68d84dc5b6
2026-05-14 08:06:04 +00:00
Alf Eaton
00ddd8185c
Upgrade webpack and related dependencies (#31638)
...
GitOrigin-RevId: e188a6ab9f7a024c1769a85e1d4e40ccb5d02213
2026-05-14 08:05:51 +00:00
Jakob Ackermann
b62d4814c3
[monorepo] turn throw statements in callback code into callback calls (#33524)
...
* [eslint-plugin] add rule for throw inside callback code
* [monorepo] enable our custom eslint plugins globally
* [monorepo] fix running make lint from root
* [monorepo] turn throw statements in callback code into callback calls
* [monorepo] add eslint-plugin libraries to all the Dockerfiles
* [monorepo] install eslint-plugin library at the root level
* [linked-url-proxy] add eslint-plugin library into Dockerfile
* [latexqc] add our eslint-plugin to eslint config
GitOrigin-RevId: b05e3ebbefb62370f2422e83880dd3913815270d
2026-05-14 08:05:47 +00:00
Andrew Rumble
5e3561aedc
Merge pull request #33655 from overleaf/lg-ip-address-resolution
...
Pin ip-address to 10.1.1 via resolutions (GHSA-v2v4-37r5-5v8g)
GitOrigin-RevId: c0233698549fee7f32c8a95a17b793b8535922c1
2026-05-14 08:05:30 +00:00
renovate[bot]
5c5a80923a
[Platform] Update dependency dompurify to v3.4.0 from 3.3.3 [SECURITY] (#33227)
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: da9d98ac0b4d3690bd2db18f7c4f61cf45fb379a
2026-05-12 08:05:58 +00:00
Andrew Rumble
45005d2783
Merge pull request #33483 from overleaf/ar-remove-unused-sandboxed-module-deps
...
[monorepo] remove sandboxed-module from services that don't use it
GitOrigin-RevId: dbb9c3b11f4b5436a447942713ce02ff3efb0b50
2026-05-11 08:06:20 +00:00
Brian Gough
3940f8c2a7
Merge pull request #33504 from overleaf/bg-upgrade-yauzl
...
Upgrade yauzl library in web to version 3.3.0
GitOrigin-RevId: 82b4158db7a432f4257bd48402840f07801c6d07
2026-05-11 08:05:47 +00:00
renovate[bot]
47f80317e4
[CoreI] Update dependency nodemailer to v8.0.5 [SECURITY] (#32703)
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 3ae15cc3adad3d0212c46b5c478210dc9f20ef08
2026-05-08 08:10:18 +00:00
renovate[bot]
de9b07f0b9
[Platform] Update dependency lodash to v4.18.1 from 4.17.23 [SECURITY] (#33229)
...
* Upgrade lodash resolution to 4.18.1
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* update lodash in rest of packages
---------
Co-authored-by: Eric Mc Sween <5454374+emcsween@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Anna Fields <acfields11@gmail.com>
GitOrigin-RevId: 66ce1610993a592899c25155757ca3267ebcd5c1
2026-05-07 08:07:41 +00:00
Alf Eaton
37a68a9c5e
Reapply "Add Vertex as an AI provider (#32450)" (#33339)
...
GitOrigin-RevId: d506c99cf32fae97b6721923256bd980120fbeed
2026-05-06 08:07:19 +00:00
Andrew Rumble
f434b1fc28
Merge pull request #33149 from overleaf/ar-ja-remove-i18next-additional-packages
...
[web] remove i18next additional libraries
GitOrigin-RevId: 98fc17b409090db32b02bb66953f1c2e6efee608
2026-05-06 08:05:41 +00:00
Alf Eaton
e3f88791da
Revert "Add Vertex as an AI provider (#32450)" (#33309)
...
This reverts commit 20d895350ee13a7683f178bc83b87f0e765c7af6.
GitOrigin-RevId: 6be06b0fee0b038c42db45fce2377efd5d5a47dc
2026-05-01 08:06:32 +00:00
Alf Eaton
f00dab5cc0
Add Vertex as an AI provider (#32450)
...
GitOrigin-RevId: 20d895350ee13a7683f178bc83b87f0e765c7af6
2026-05-01 08:06:25 +00:00
Domagoj Kriskovic
9e677a2c1e
Use overleaf CDN for loading pyodide packages
...
GitOrigin-RevId: e17ff3387166421a546a9519786d77ba12cdffc4
2026-04-30 08:05:23 +00:00
Anna Claire Fields
0d64a88a46
Yarn 4 Migration (#32253)
...
Migrates the Overleaf monorepo package manager from npm (v11) to Yarn 4 (v4.9.1) using node-modules linker mode.
GitOrigin-RevId: 50d32ab01955c15e29679eff9e9e9cfb897fab2d
2026-04-28 08:52:37 +00:00