This commit was created on GitHub.com and signed with GitHub's verified signature.
✨ Improvements
Scrollbar in keyboard shortcuts modal
Skip role & use-case steps for self-hosted instances
🐛 Bug Fixes
Prevent ORM field injection via analytics segment parameter
Security fix (GHSA-93x3-ghh7-72j3). Centralizes analytics field allowlists into VALID_ANALYTICS_FIELDS / VALID_YAXIS and adds defense-in-depth validation in build_graph_plot() and extract_axis() so no caller can pass arbitrary field references to Django F() expressions. Also adds missing segment validation to SavedAnalyticEndpoint.
Enforce workspace membership on V2 asset endpoints
Security fix (GHSA-qw87-v5w3-6vxx). Adds @allow_permission to all WorkspaceFileAssetEndpoint methods and scopes DuplicateAssetEndpoint's source asset lookup to workspaces where the caller is an active member.
Sanitize filenames in upload paths to prevent path traversal
Security fix (GHSA-v57h-5999-w7xp). Server-side filename sanitization across all file upload endpoints; defense-in-depth against S3 key pollution. Handles Windows-style paths and leading-dot/whitespace edge cases.
Replace IS_SELF_MANAGED toggle with WEBHOOK_ALLOWED_IPS allowlist
Webhook SSRF protection: blocks all private/internal IPs by default; only specific networks listed in WEBHOOK_ALLOWED_IPS (comma-separated IPs/CIDRs) are permitted. Re-validates URL at send time to prevent DNS rebinding, sanitizes error messages, and guards mixed IPv4/IPv6 allowlists.
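As an added illustration of the allowlist-plus-revalidation approach described above (this is not code from the release or from the project), the following Python sketch blocks every non-global destination unless a network of the same IP version in WEBHOOK_ALLOWED_IPS contains it, raises only generic errors, and checks again at delivery time; the function names and the injectable `resolve` parameter are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def parse_allowed_networks(raw):
    """Parse a WEBHOOK_ALLOWED_IPS-style value ("10.1.2.3, 192.168.50.0/24")
    into network objects; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in raw.split(",") if item.strip()]

def is_ip_allowed(ip, allowed):
    """Globally routable addresses pass. Loopback, RFC 1918, link-local and
    other non-global ranges pass only when an allowlisted network of the
    SAME IP version contains them (no IPv4 match against a v6 entry)."""
    addr = ipaddress.ip_address(str(ip))
    if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:127.0.0.1 -> 127.0.0.1
        addr = addr.ipv4_mapped
    if addr.is_global:
        return True
    return any(net.version == addr.version and addr in net for net in allowed)

def resolve_host(host):
    """Default resolver: every address the system returns for the host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_webhook_url(url, allowed, resolve=resolve_host):
    """Return the destination addresses if every one of them is allowed.
    Errors carry a generic message so no resolved IP is echoed to the caller."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("Webhook URL must be an absolute http(s) URL")
    try:                                          # literal IP in the URL
        targets = {ipaddress.ip_address(parsed.hostname)}
    except ValueError:                            # hostname: check every answer
        targets = {ipaddress.ip_address(a) for a in resolve(parsed.hostname)}
    if not targets or not all(is_ip_allowed(t, allowed) for t in targets):
        raise ValueError("Webhook destination is not permitted")
    return targets

def deliver(url, allowed, send, resolve=resolve_host):
    """Validate again immediately before sending, not only when the webhook
    was saved, so a DNS answer that changed in between (rebinding) is caught.
    The HTTP client still resolves on its own; pinning the connection to
    `targets` is what closes that last window."""
    targets = validate_webhook_url(url, allowed, resolve)
    return send(url, targets)
```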
Strip whitespace and handle null values in instance configuration
Sanitizes patched instance config values: trims leading/trailing whitespace and converts null to "" instead of the literal string "None".
Update border for project timezone [WEB-6785]
Update Twitter icon and links to X
Optimize sub-issue query performance
Adds optimized annotations and subqueries to the sub-issue listing path.
🔧 Refactor & Chore
Remove Intercom integration and chat support components
Intercom is no longer used. Removes all related frontend components, hooks, custom events, API config, types, and i18n keys.
Add project context to relations API
Suppress CodeQL file coverage deprecation warning
Explicitly opts into the new default behavior where CodeQL skips computing file coverage on PRs for improved analysis performance.
Update CODEOWNERS for apps and deployments
Add Claude Code skills for PR descriptions and release notes