chore(deps): bump @eslint/js from 9.39.1 to 10.0.1 in /frontend #285
Open
dependabot[bot] wants to merge 1030 commits into main from
BREAKING PRIVACY FIX: Previously, matomo.js was loaded unconditionally on every page load, even when users opted out. This violated GDPR/privacy principles and was reported in GitHub issues.

Changes:
1. Deferred initialization - no longer loads matomo.js on app startup
2. Privacy-first defaults - no tracking unless explicitly enabled:
   - Login page (no auth token): NO tracking
   - API fetch errors: NO tracking
   - Network errors: NO tracking
3. Re-check preferences after login (useEffect depends on isAuthenticated)
4. Removed duplicate disableCookies() and setDoNotTrack() calls
5. Only initialize tracking if analytics_enabled=true in user preferences

Privacy guarantees:
- Login page never loads matomo.js or sends tracking events
- If user opts out, NO matomo.js script is loaded on any page
- If user opts out, NO network requests to analytics server
- Script only loads after successful login AND analytics_enabled=true
- trackOptOut() and trackConsentResponse() only work if already initialized

User flow:
1. Login page → No token → userOptedOut=true → NO tracking
2. After login → Fetch preferences from API
3. If analytics_enabled=true → initMatomoIfEnabled() loads matomo.js
4. If analytics_enabled=false → Nothing loads
5. User can toggle preference anytime via Settings → Preferences

Technical details:
- initMatomoScript() made internal, replaced with initMatomoIfEnabled()
- Added matomoInitialized flag to prevent duplicate script loading
- loadUserPreference() defaults to userOptedOut=true on all errors
- useEffect in App.tsx runs on isAuthenticated change, not just mount

Fixes GitHub issue where users saw requests to analytics.nullcodeai.dev even with "Enable analytics" unchecked.

Also fixes Matomo console warning: "The method disableCookies is registered more than once in _paq variable. Only the last call has an effect."

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Major improvements to cron schedule management:

**New Components:**
- CronBuilder: Visual cron expression builder with 6 frequency types (minute, hourly, daily, weekly, monthly, custom)
- CronBuilderDialog: Dialog wrapper with clock icon trigger
- Added comprehensive unit tests for CronBuilder

**Timezone Fixes:**
- Fixed hourly intervals to run at clean local times instead of odd :30 minutes
- Converts hourly intervals (*/8) to specific UTC hours (2,10,18) for proper timezone handling
- Backend runs in UTC, frontend shows local time consistently
- Fixed double-conversion bugs that caused time shifts on edit

**UI Improvements:**
- Removed hardcoded formatCronExpression lookup table (only worked for 10 patterns)
- Removed redundant helper text below cron inputs
- Table now shows raw cron expression in monospace font
- CronBuilder preview shows human-readable description at bottom of dialog

**Tests Added:**
- End-to-end user experience tests verifying what users enter vs when jobs run
- Hourly interval conversion tests (*/8 → specific hours)
- Round-trip conversion tests ensuring edit shows original values
- Day-of-week adjustment tests for timezone boundary crossing

**Files Changed:**
- Removed: CronPickerField.tsx (replaced by CronBuilder)
- Updated: dateUtils.ts with hourly interval timezone logic
- Updated: Schedule.tsx and ScheduledChecksSection.tsx to use new components

Fixes issues where:
- "Every 8 hours at :00" showed runs at 3:30 AM instead of 12 AM, 8 AM, 4 PM
- Editing schedules caused time to shift by timezone offset
- Helper text showed wrong/confusing cron expressions

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…hive paths

- Fix missing Repository import in backup.py
- Add source_ssh_connection_id to repository API responses
- Use relative paths for SSHFS mounts to avoid ugly /tmp/sshfs_mount_xxx/ in archives
- List actual directory contents instead of backing up "." to remove dot entry from archives
- Improve CommandPreview with step-by-step UI showing mount, backup, and cleanup steps
- Fix RepositoryWizard to properly initialize remote data source selection when editing
- Add SSH prefix display (user@host:port:) in old repository form for remote sources
- Fix wizard content height to prevent jumping between steps

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
The LC_ALL=C prefix broke Hetzner Storage Box because their restricted shell doesn't support environment variable assignment.

Now the code:
- Tries with LC_ALL=C first (works for normal Linux systems)
- Falls back to plain df for restricted shells
- Uses smarter header detection by checking if second column is numeric (works for any language: English, German, etc.)

Adds 18 comprehensive tests for _run_df_command and collect_storage_info.

Co-Authored-By: Claude <noreply@anthropic.com>
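
Added example, not code from this repository: a sketch of the fallback and locale-independent header detection that the commit message above describes. The names `parse_df`, `df_with_fallback` and `restricted_shell`, the `df -k` flag and the sample output are assumptions made for illustration; the path is shell-quoted because it ends up in a command line run on a remote host.

```python
import shlex
from typing import Callable, Optional, Tuple

# run(command) -> (exit_code, stdout). Stands in for the SSH exec call (assumption).
Runner = Callable[[str], Tuple[int, str]]

# Constructed sample: df output from a host with a German locale.
SAMPLE_DE = (
    "Dateisystem    1K-Blöcke  Benutzt Verfügbar Verw% Eingehängt auf\n"
    "/dev/sda1       1000000   250000    750000   25% /home\n"
)


def parse_df(output: str) -> Optional[dict]:
    """Return KiB figures from the first data row of `df -k` output.

    A data row has numeric size columns; a header has words there in every
    locale, so no header text needs to be matched.
    """
    for line in output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and all(c.isdigit() for c in cols[1:4]):
            return {"total_kb": int(cols[1]), "used_kb": int(cols[2]),
                    "available_kb": int(cols[3])}
    return None


def df_with_fallback(run: Runner, path: str) -> Tuple[Optional[dict], str]:
    """Try the locale-pinned command, then plain df; return (result, command used)."""
    target = shlex.quote(path)  # the path may come from repository configuration
    for command in (f"LC_ALL=C df -k {target}", f"df -k {target}"):
        code, out = run(command)
        parsed = parse_df(out) if code == 0 else None
        if parsed is not None:
            return parsed, command
    return None, ""


def restricted_shell(command: str) -> Tuple[int, str]:
    """Constructed stand-in for a shell that rejects VAR=value prefixes."""
    if command.startswith("LC_ALL="):
        return 1, ""
    return 0, SAMPLE_DE


if __name__ == "__main__":
    print(df_with_fallback(restricted_shell, "/home"))
```
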
- Refactor RepositoryWizard to use step names instead of indices
- Add required prop to SourceDirectoriesInput for optional source dirs in observe mode
- Add comprehensive test suite (59 tests) covering:
  - Create mode (all 5 steps)
  - Import mode (full repository)
  - Import mode (observability only)
  - Edit mode
  - SSH connection handling
  - Navigation

Co-Authored-By: Claude <noreply@anthropic.com>
- Repository health now based solely on backup status
- Check/compact warnings moved to maintenance alerts (not health indicators)
- Dashboard shows both unhealthy and healthy repos (up to 4 total)
- Unhealthy repos shown first, remaining slots filled with healthy repos
- Fix last_stats_refresh time format using serialize_datetime

Co-Authored-By: Claude <noreply@anthropic.com>
- Add tests for 12 new components (642 total tests)
- Improve branch coverage from 75% to 82%
- Exclude api.ts from coverage (low-value API wrappers)
- New test files: AnalyticsConsentBanner, CheckWarningDialog, CompactWarningDialog, CompressionSettings, CronBuilder, CronBuilderDialog, ExcludePatternInput, LockErrorDialog, PathSelectorField, RemoteMachineCard, RepositoryCell, SourceDirectoriesInput, matomo

Co-Authored-By: Claude <noreply@anthropic.com>
Scripts now receive backup context via environment variables:
- BORG_UI_BACKUP_STATUS: success/failure/warning (post-backup only)
- BORG_UI_REPOSITORY_NAME: Repository name
- BORG_UI_REPOSITORY_PATH: Repository path
- BORG_UI_REPOSITORY_ID: Repository ID
- BORG_UI_HOOK_TYPE: pre-backup or post-backup
- BORG_UI_JOB_ID: Backup job ID

This enables conditional actions in scripts based on backup result.

Co-Authored-By: Claude <noreply@anthropic.com>
Add session-scoped event_loop fixture with proper cleanup to prevent "Event loop is closed" RuntimeError annotations in CI. Also adds warning filters to suppress asyncio subprocess transport warnings during test cleanup - a known Python 3.9+ issue.

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Add BORG_RELOCATED_REPO_ACCESS_IS_OK=yes environment variable to all borg command invocations. This fixes the error when importing a repository that was previously located at a different path.

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
- Add showSshMountPoints prop to FileExplorerDialog to hide SSH mount points
- Add allowedSshConnectionId prop to filter specific SSH connections
- Hide local paths when SSH source is selected and vice versa
- Disable data source cards (Local/Remote) when directories are already selected
- Show SSH prefix indicator for remote source directories immediately
- Add source_connection_id support to old repository form for remote-to-local
- Reset selection state when FileExplorerDialog reopens
- Add comprehensive tests for new functionality

Co-Authored-By: Claude <noreply@anthropic.com>
…nsive tests

- Extract wizard step components into src/components/wizard/:
  - WizardStepLocation: Repository name, location (local/SSH), path selection
  - WizardStepDataSource: Data source selection with remote-to-remote blocking
  - WizardStepSecurity: Encryption, passphrase, keyfile handling
  - WizardStepBackupConfig: Compression, exclude patterns, advanced options
  - WizardStepReview: Configuration summary and command preview
  - WizardStepIndicator: Step navigation with completion state
  - BackupFlowPreview: Visual diagram of backup data flow
- Extract dialogs from Repositories.tsx:
  - PruneRepositoryDialog: Repository pruning with retention policies
  - RepositoryInfoDialog: Repository details and storage statistics
- Add comprehensive test coverage for all new components (831 tests total)
  - Tests for remote-to-remote blocking behavior
  - Tests for local-to-remote and remote-to-local (SSHFS) workflows
  - Tests for SSH connection handling and validation
- Remove beta toggle for new wizard from Settings (now default)
- Significant cleanup of Repositories.tsx

Co-Authored-By: Claude (claude-opus-4-5) <noreply@anthropic.com>
- Add passphrase field to Repository and RepositoryData interfaces
- Allow null for custom_flags field (matches API response)
- Fix ssh_key_id to allow null when not set
- Make Repository extend RepositoryData in Repositories.tsx

Co-Authored-By: Claude (claude-opus-4-5) <noreply@anthropic.com>
…emote-to-remote prevention

Fixes two critical issues in repository editing:

1. Repository type not updating when switching from local to SSH
   - Added missing fields to RepositoryUpdate model (repository_type, host, port, username, ssh_key_id, connection_id)
   - Backend now properly updates repository type and SSH connection details
   - Test: test_update_repository_type_local_to_ssh
2. Source connection not clearing when switching from remote to local
   - Frontend now explicitly sets source_connection_id to null for local sources
   - Backend uses model_dump(exclude_unset=True) to distinguish null from unset
   - WizardStepDataSource clears sourceSshConnectionId when directories are removed
   - Test: test_update_repository_clear_source_connection_id
3. Remote location disabled when data source is remote (prevents remote-to-remote)
   - WizardStepLocation now receives dataSource and sourceSshConnectionId props
   - SSH repository card disabled in edit mode when backing up from remote machine
   - Clear info alert explains why remote-to-remote is not supported
   - Test: enables Borg UI Server when remote directories are deleted

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Adds isAdmin check to break lock feature for improved security:
- BackupJobsTable: Only show Break Lock action button to admin users
- LockErrorDialog: Disable Break Lock button for non-admin users with explanatory tooltip

This prevents non-admin users from breaking repository locks, which could disrupt ongoing backup/restore operations.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.1 to 25.2.3.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.2.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Karan Hudia <karanhudia@gmail.com>
Discord and other chat services auto-detect @username patterns in SSH URLs, causing unintended user mentions. This fix removes usernames from SSH URLs when displaying them in notification Location fields.

Changes:
- Add _sanitize_ssh_url() helper to remove username from SSH URLs
- Apply sanitization to all notification Location displays (12 occurrences)
- Add comprehensive tests for SSH URL sanitization
- Test all notification scenarios (backup start/success/failure, restore success/failure)
- Verify local paths remain unchanged

Example:
Before: ssh://u331525@host.com:23/path → Discord mentions @u331525
After: ssh://host.com:23/path → No mention

Note: JSON data still contains full URL with username for automation tools.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
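
Added example, not the repository's `_sanitize_ssh_url()`: one way to strip the userinfo part from a repository location before it reaches a chat channel, while keeping the raw value in the machine-readable part of the payload as the commit message above describes. It goes beyond the commit's `ssh://` example by also covering scp-style `user@host:path` locations and passwords embedded in the URL; `strip_ssh_userinfo`, `build_notification` and the payload shape are hypothetical names chosen for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# scp-style location: user@host:path (no scheme, no slash before the colon).
SCP_STYLE = re.compile(r"^[^@/:\s]+@(?P<rest>[^@/\s]+:.*)$")


def strip_ssh_userinfo(location: str) -> str:
    """Remove user (and any password) from an SSH location; leave other paths alone."""
    try:
        parts = urlsplit(location)
    except ValueError:
        parts = None  # malformed bracketed host: fall through to the scp-style check
    if parts and parts.scheme in ("ssh", "sftp") and "@" in parts.netloc:
        # rpartition keeps only what follows the LAST "@", so an "@" inside
        # a password cannot leave credential fragments behind.
        host = parts.netloc.rpartition("@")[2]
        return urlunsplit(parts._replace(netloc=host))
    match = SCP_STYLE.match(location)
    if match:
        return match.group("rest")
    return location


def build_notification(event: str, location: str) -> dict:
    """Hypothetical payload: sanitized text for humans, raw location for automation."""
    return {
        "text": f"{event}\nLocation: {strip_ssh_userinfo(location)}",
        "data": {"event": event, "location": location},
    }


if __name__ == "__main__":
    # Constructed sample locations; the first is the one from the commit message.
    for sample in (
        "ssh://u331525@host.com:23/path",
        "ssh://user:p@ss@host.com/./repo",
        "ssh://backup@[2001:db8::1]:22/repo",
        "u331525@host.com:backups/repo",
        "/local/backups/repo",
    ):
        print(f"{sample!r:45} -> {strip_ssh_userinfo(sample)!r}")
```
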
- Fix unused variable warning in LockErrorDialog test
- Fix eslint-disable placement for any type in Repositories.tsx

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changes in this release:
- Admin-only restriction for lock breaking functionality
- Fix Discord @ mentions in SSH repository notifications

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…estore preview paths

- Show original/custom location radio buttons for SSH destinations once a connection is selected (previously only shown for local destinations)
- SSH connection selector now renders before the strategy options so the flow reads top-to-bottom naturally
- Original location description adapts to mention the remote machine for SSH
- Unified path input: custom path field shown for any destination type when custom strategy is selected, removing the separate SSH-only path input
- Simplified canProceed() validation: require customPath only when custom strategy is selected, regardless of destination type
- Fix restore preview in review step: custom strategy now shows the full archive path under the custom destination (e.g. /mnt/disk/home/user/file) instead of only the last path component, matching actual borg extract behaviour
- Remove dead else-if branch in getDestinationPath that was unreachable after the strategy/destination type unification

Co-Authored-By: Claude <noreply@anthropic.com>
- Replace childish intro line with a direct one-liner
- Split Docker Compose section into three explicit options: no Redis, bundled Redis, and external Redis — each a complete copy-paste config so users never need to manually add or remove sections
- Option 3 (external Redis) now includes both the Redis-only compose for the Redis machine and the borg-ui compose that connects to it
- Add upfront explanation of /local (source data) vs backup repositories (configured in the UI) to resolve the most common new-user confusion
- Inline PUID/PGID and TZ hints directly in compose comments so users see them at the point of action, not buried in Customization
- Remove version: '3.8' (deprecated in Compose v2)
- Fix stale /mnt/backup-source reference in Customization section
- Standardise permission instructions on id -u && id -g throughout

Co-Authored-By: Claude <noreply@anthropic.com>
Replace the incorrect "container automatically mounts your host filesystem at /local" claim with an accurate explanation: mounts contain exactly what the user configured in docker-compose volumes, named however they like.

Add a practical multi-drive example showing /photos, /nas, /external with LOCAL_MOUNT_POINTS so the file browser discovers all of them.

Remove the "entire filesystem mounted by default" line and the confusing overlapping /local sub-path example.

Co-Authored-By: Claude <noreply@anthropic.com>
Without this, disableCookies() caused every page load to generate a fresh random visitor ID, making unique-user counts meaningless.

Each browser/installation gets a random UUID on first visit, persisted in localStorage as borg_ui_install_id. The Matomo user ID is then hash(installId + username), which is stable across sessions and unique across separate borg-ui instances — even when all users are named "admin".

No resetUserId on logout: the same deterministic hash is set again on next login, so resetting just creates a pointless anonymous gap.

Co-Authored-By: Claude <noreply@anthropic.com>
…ions/download-artifact-7 ci(deps): bump actions/download-artifact from 4 to 7
…er-evans/dockerhub-description-5 ci(deps): bump peter-evans/dockerhub-description from 4 to 5
chore(deps): bump gunicorn from 23.0.0 to 25.1.0
chore(deps): bump croniter from 1.4.1 to 6.0.0
Bumps [ajv](https://github.com/ajv-validator/ajv) from 6.12.6 to 6.14.0.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.14.0)

---
updated-dependencies:
- dependency-name: ajv
  dependency-version: 6.14.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [psutil](https://github.com/giampaolo/psutil) from 5.9.6 to 7.2.2.
- [Changelog](https://github.com/giampaolo/psutil/blob/master/HISTORY.rst)
- [Commits](giampaolo/psutil@release-5.9.6...release-7.2.2)

---
updated-dependencies:
- dependency-name: psutil
  dependency-version: 7.2.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [bcrypt](https://github.com/pyca/bcrypt) from 4.0.1 to 5.0.0.
- [Changelog](https://github.com/pyca/bcrypt/blob/main/CHANGELOG.rst)
- [Commits](pyca/bcrypt@4.0.1...5.0.0)

---
updated-dependencies:
- dependency-name: bcrypt
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
chore(deps): bump psutil from 5.9.6 to 7.2.2
chore(deps): bump pytest-cov from 4.1.0 to 7.0.0
chore(deps): bump structlog from 23.2.0 to 25.5.0
…end/ajv-6.14.0 chore(deps): bump ajv from 6.12.6 to 6.14.0 in /frontend
chore(deps): bump redis from 5.0.1 to 7.1.1
chore(deps): bump bcrypt from 4.0.1 to 5.0.0
…end/jsdom-28.1.0 chore(deps-dev): bump jsdom from 27.0.1 to 28.1.0 in /frontend
🔒 Security Scan Results
Commit: 5b137d9
📊 See workflow artifacts for detailed reports.
Bumps @eslint/js from 9.39.1 to 10.0.1.
Release notes
Sourced from @eslint/js's releases.
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)