Rosa Gutierrez
2352f30b61
Adopt a cooldown period for dependency updates
...
As suggested by @flavorjones, and explained in:
https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
This applies:
- 7 days as default: from the article, a 7-day
cooldown would have prevented 8 out of 10 recent
supply chain attacks. It seems reasonably long
but not crazy long.
- 14 days for major versions, to give some time
to the community to find problems.
2025-12-08 20:05:03 +01:00
Mike Dalessio
fee376b12b
Merge pull request #1932 from basecamp/flavorjones-validate-email
...
Validate Identity email address
2025-12-04 14:06:04 -05:00
Jeremy Daer
bc1075f194
GitHub actions: limit GITHUB_TOKEN permissions ( #1933 )
2025-12-04 11:05:50 -08:00
Mike Dalessio
00eee29837
Validate Identity email address
...
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.
The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).
ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00
Jeremy Daer
4e0b83340d
Drop defunct user creation script
2025-12-04 10:42:34 -08:00
Jeremy Daer
53b97c94e0
mise: respect .ruby-version
...
(37signals have this configured globally; setting locally for others)
Closes #1891
2025-12-04 09:59:17 -08:00
Mike Dalessio
03e4f86b7a
Merge pull request #1878 from basecamp/flavorjones/console1984-v2
...
Bump fizzy-saas to enable console auditing
2025-12-04 12:31:34 -05:00
Mike Dalessio
912bb8a8e5
Bump fizzy-saas to enable console auditing
...
ref: https://app.fizzy.do/5986089/cards/2469
ref: https://github.com/basecamp/fizzy-saas/pull/20
2025-12-04 12:25:54 -05:00
Jason Zimdars
d4a50c996a
Merge pull request #1894 from Venkat-RK/main
...
Added 'Back to Home' link on notifications list page
2025-12-04 11:19:55 -06:00
Carmine Paolino
c9eb44119d
Fixed typo in VCR filters ( #1929 )
...
I know it's a small thing, but I just noticed that 🤷
Be careful if you reintroduce your old VCRs as they have OPEN_API_KEY
2025-12-04 08:58:12 -08:00
Andy Smith
78ea18b5da
Merge pull request #1872 from basecamp/filters-no-results
...
Nicer blank slates
2025-12-04 10:52:08 -06:00
vkagithala
a92aab9981
Removed test to verify back button.
2025-12-04 08:44:37 -08:00
Mike Dalessio
373f4d5116
Merge pull request #1924 from basecamp/flavorjones/retry-mail-jobs
...
Retry mailer jobs on common networking and SMTP errors
2025-12-04 10:29:53 -05:00
Mike Dalessio
c4a8996562
Retry mailer jobs on common networking and SMTP errors
...
This concern is lifted nearly verbatim from Basecamp.
ref: https://app.fizzy.do/5986089/cards/3300
2025-12-04 10:26:24 -05:00
Kevin McConnell
dfe7095ee6
Merge pull request #1917 from basecamp/dont-resize-svg-avatars
...
Don't try to resize non-variable avatars
2025-12-04 14:53:00 +00:00
Mike Dalessio
2fcdd921fc
Merge pull request #1922 from basecamp/flavorjones/revert-board-column-restriction
...
Revert "Changing columns requires board admin"
2025-12-04 09:50:59 -05:00
Mike Dalessio
394c5dbf03
Revert "Changing columns requires board admin"
...
This reverts commit cecccadc14 .
2025-12-04 09:46:30 -05:00
Mike Dalessio
916be75bed
Merge pull request #1859 from basecamp/flavorjones/fix-broken-remote-images
...
Gracefully handle ill-formed remote images in rich text
2025-12-04 09:39:26 -05:00
Kevin McConnell
2e47749739
Don't allow SVG avatar uploads in the first place
2025-12-04 14:27:28 +00:00
Mike Dalessio
89940d36f8
Gracefully handle ill-formed remote images in rich text
...
A better fix has been proposed upstream at
https://github.com/rails/rails/pull/56283 but this should be fine in
the meantime.
ref: https://app.fizzy.do/5986089/cards/3188
2025-12-04 09:24:52 -05:00
Kevin McConnell
6475ad3425
Don't try to resize non-variable avatars
2025-12-04 13:36:21 +00:00
Kevin McConnell
069e0ca0b2
Merge pull request #1920 from basecamp/routes-trailing-whitespace
...
Remove trailing whitespace
2025-12-04 13:36:02 +00:00
Kevin McConnell
08c380cc71
Remove trailing whitespace
...
Appease the Rubocop
2025-12-04 13:32:47 +00:00
Stanko Krtalić
150e7caf03
Merge pull request #1908 from basecamp/install-runtime-and-ci-dependencies-on-mac
...
Install any runtime or ci dependencies in bin/setup on MacOS
2025-12-04 13:16:46 +01:00
David Heinemeier Hansson
b3481b10a8
Move legacy out of sight
2025-12-04 03:34:30 -08:00
Stanko Krtalić
d466b633fc
Merge pull request #1915 from basecamp/sign-up-new-users-on-sign-in
...
Sign up new users on sign in
2025-12-04 11:32:51 +01:00
Kevin McConnell
9e0b5593ad
Merge pull request #1848 from basecamp/rate-limit-warning
...
Show alert message on login when rate limited
2025-12-04 10:30:37 +00:00
Stanko K.R.
a8f328c921
Sign up new users on sign in
2025-12-04 11:30:21 +01:00
Stanko Krtalić
06478f23d2
Merge pull request #1912 from basecamp/refactor-reaction-permission-check
...
Change reaction admin permission check to be in-line with other controllers
2025-12-04 11:04:12 +01:00
Stanko K.R.
5cfe6930ee
Change reaction admin permission check to be in-line with other controllers
2025-12-04 11:01:23 +01:00
Stanko Krtalić
6050f187ca
Merge pull request #1895 from jbnunn/remove-legacy-join-pattern
...
Removed legacy join link
2025-12-04 09:21:08 +01:00
Stanko K.R.
ea826860e0
Install any runtime or ci dependencies in bin/setup
2025-12-04 09:16:30 +01:00
Jorge Manrubia
af43ef4962
Merge pull request #1897 from Hacksore/fix/board-bell-title
...
Move the title to the button
2025-12-04 09:02:08 +01:00
Jorge Manrubia
a0cb25a951
Merge pull request #1881 from basecamp/card-notification-removal-scope
...
Tighten scope on card notification removals
2025-12-04 08:44:52 +01:00
Jorge Manrubia
457a6d71b7
Merge pull request #1906 from basecamp/column-management-auth
...
Changing columns requires board admin
2025-12-04 08:34:49 +01:00
Jorge Manrubia
40f906f69f
Merge pull request #1896 from umarhadi/main
...
Add Missing Production Databases for Solid Queue and Solid Cache
2025-12-04 08:34:15 +01:00
Jeremy Daer
cecccadc14
Changing columns requires board admin
2025-12-03 23:24:25 -08:00
Jeremy Daer
7af93765a8
Security: close narrow window of exposure to DNS rebinding ( #1903 )
2025-12-03 23:12:17 -08:00
Sean Boult
c1468de3d7
Fix title on bell icon
2025-12-03 21:20:34 -06:00
umarhadi
374fa1b5d0
Add production queue and cache database config
2025-12-04 09:50:45 +07:00
J. Nunn
383033b9d0
Removed legacy join link
2025-12-03 18:06:38 -08:00
vkagithala
8685b62232
Added 'Back to Home' link on notifications list page to improve navigation experience.
2025-12-03 17:21:50 -08:00
Jeremy Daer
cac0ca1656
Scope the single-board case to just the creator's boards ( #1880 )
2025-12-03 15:47:04 -08:00
Jeremy Daer
f440b0243e
Tighten scope on card notification removals
...
* Iterate each association separately to favor db indexing
* Pluck user IDs rather than select to avoid correlated subquery
2025-12-03 15:46:43 -08:00
Jeremy Daer
49139b7a14
SQLite import creates account-scoped tags
...
References #1879
2025-12-03 15:09:22 -08:00
Jorge Manrubia
9cf223aea1
Fix path
2025-12-03 23:53:18 +01:00
Jorge Manrubia
efc809c23e
Script to fix misassigned tags
...
See https://github.com/basecamp/fizzy/pull/1879
2025-12-03 23:46:08 +01:00
Jorge Manrubia
38d86fb17b
Merge pull request #1879 from basecamp/scope-tags
...
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia
4a30663df1
Scope tags by account
...
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia
6847c001ea
Merge pull request #1876 from basecamp/column-reordering-auth
...
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00