Rosa Gutierrez
d88949288c
Check and report on Sec-Fetch-Site header for forgery protection
...
This is a great, solid alternative to CSRF tokens for CSRF protection
when we aren't worried about older browsers or other kind of actors
doing modifying requests in our app, and could be a good test for future
upstreaming to Rails (although there we'd need to continue using CSRF
tokens or at least letting people opt out manually).
Let's start checking the header and reporting on it when CSRF fails or
when it doesn't match the other checks Rails does, and then promote this
to be the only way to defend from CSRF.
2025-11-25 19:19:50 +01:00
Mike Dalessio
51860d6c66
Merge pull request #1719 from basecamp/flavorjones/dep-update-20251125
...
bundle update - 20251125
2025-11-25 10:30:51 -05:00
Mike Dalessio
f0a22ea608
bundle update
2025-11-25 10:28:12 -05:00
Mike Dalessio
9707ed0af9
Merge pull request #1615 from basecamp/dependabot/bundler/bootsnap-1.19.0
...
Bump bootsnap from 1.18.6 to 1.19.0
2025-11-25 10:22:47 -05:00
Mike Dalessio
0b4896654a
Merge pull request #1706 from basecamp/dependabot/bundler/rails-17f6e00
...
Bump rails from `077c3ad` to `17f6e00`
2025-11-25 10:21:38 -05:00
dependabot[bot]
62dbae568b
Bump bootsnap from 1.18.6 to 1.19.0
...
Bumps [bootsnap](https://github.com/rails/bootsnap ) from 1.18.6 to 1.19.0.
- [Changelog](https://github.com/rails/bootsnap/blob/main/CHANGELOG.md )
- [Commits](https://github.com/rails/bootsnap/compare/v1.18.6...v1.19.0 )
---
updated-dependencies:
- dependency-name: bootsnap
dependency-version: 1.19.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-25 15:16:29 +00:00
dependabot[bot]
e2f5eaa93f
Bump rails from 077c3ad to 17f6e00
...
Bumps [rails](https://github.com/rails/rails ) from `077c3ad` to `17f6e00`.
- [Release notes](https://github.com/rails/rails/releases )
- [Commits](https://github.com/rails/rails/compare/077c3ad60db4c43cccb8f4637b53b8d8eb7a3c19...17f6e00bce8c35b6c5355450331da170c768e3e0 )
---
updated-dependencies:
- dependency-name: rails
dependency-version: 17f6e00bce8c35b6c5355450331da170c768e3e0
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-25 15:14:12 +00:00
Mike Dalessio
8ad59e75d4
Merge pull request #1709 from basecamp/dependabot/bundler/aws-sdk-s3-1.205.0
...
Bump aws-sdk-s3 from 1.201.0 to 1.205.0
2025-11-25 10:13:38 -05:00
Mike Dalessio
1059220b2a
Merge pull request #1626 from basecamp/dependabot/bundler/development-dependencies-a98687e030
...
Bump the development-dependencies group across 1 directory with 3 updates
2025-11-25 10:12:22 -05:00
Mike Dalessio
2c838f2aa2
Merge pull request #1707 from basecamp/dependabot/bundler/prometheus-client-mmap-1.3.0
...
Bump prometheus-client-mmap from 1.2.10 to 1.3.0
2025-11-25 10:11:24 -05:00
Mike Dalessio
0ddf356e7d
Merge pull request #1704 from basecamp/dependabot/bundler/yabeda-puma-plugin-0.9.0
...
Bump yabeda-puma-plugin from 0.8.0 to 0.9.0
2025-11-25 10:10:07 -05:00
Mike Dalessio
17011d4047
Merge pull request #1703 from basecamp/dependabot/bundler/solid_cache-1.0.10
...
Bump solid_cache from 1.0.8 to 1.0.10
2025-11-25 10:08:34 -05:00
Mike Dalessio
213f5749bb
Merge pull request #1708 from basecamp/dependabot/bundler/autotuner-1.1.0
...
Bump autotuner from 1.0.2 to 1.1.0
2025-11-25 10:05:53 -05:00
Stanko Krtalić
a165334cbd
Merge pull request #1718 from basecamp/fix-cards-getting-stuck-in-edit-mode
...
Fix cards getting stuck in edit mode
2025-11-25 15:37:44 +01:00
Stanko K.R.
a7df8260c3
Fix cards getting stuck in edit mode
2025-11-25 15:36:13 +01:00
Kevin McConnell
f086981dac
Merge pull request #1717 from basecamp/sentry-ignore-concurrent-migration-exception
...
Don't report `ConcurrentMigrationError` to Sentry
2025-11-25 13:28:42 +00:00
Kevin McConnell
b238a5b45b
Don't report ConcurrentMigrationError to Sentry
2025-11-25 13:24:07 +00:00
Stanko Krtalić
6753860c05
Merge pull request #1716 from basecamp/add-staff-flag-to-identities
...
Determine staff members based on flag
2025-11-25 14:11:38 +01:00
Kevin McConnell
efae77efd6
Merge pull request #1715 from basecamp/mysql-max-execution-time
...
Set MySQL max statement timeout to 5s
2025-11-25 13:10:19 +00:00
Stanko K.R.
f64a49dcc0
Determine staff members based on flag
...
This replaces the old system based on email addresses, the aim is to make it more generic and thus appropriate for OSS/self-hosting
See: https://3.basecamp.com/2914079/buckets/37331921/todos/9302705265#__recording_9320051455
2025-11-25 14:09:31 +01:00
Kevin McConnell
b6e31a234a
Set MySQL max statement timeout to 5s
2025-11-25 12:58:17 +00:00
Stanko Krtalić
aab3a56d31
Merge pull request #1714 from basecamp/allow-long-user-agent-strings
...
Allow long user agent strings
2025-11-25 12:11:50 +01:00
Stanko K.R.
cc49a1b772
Allow long user agent strings
...
Copied this from BC and HEY which also use a string with a 4096 character length
See: https://app.fizzy.do/5986089/cards/3066
2025-11-25 12:09:02 +01:00
Stanko Krtalić
01dc7c1ce0
Merge pull request #1713 from basecamp/put-tags-the-card-is-tagged-with-first
...
Show tags the card is tagged with first
2025-11-25 11:34:04 +01:00
Stanko K.R.
4e52f9b9a9
Show tags the card is tagged with first
2025-11-25 11:24:21 +01:00
Stanko Krtalić
c8169c1972
Merge pull request #1712 from basecamp/fix-background-image-previews
...
Fix background images not showing up after upload
2025-11-25 08:15:20 +01:00
Stanko K.R.
c11a13dc20
Replace the whole card on update
2025-11-25 08:13:18 +01:00
Jason Zimdars
30f50d6715
Merge pull request #1711 from basecamp/jz-11-24-25
...
JZ 11/24/25
2025-11-24 21:31:06 -06:00
Jason Zimdars
3e0d2d8b4d
Include bottom inset on the modal and footer, too
...
Makes sure everything moves together on mobile
2025-11-24 21:28:48 -06:00
Jason Zimdars
5215c5ccb9
Attempt to fix expanded search input
2025-11-24 21:24:09 -06:00
Jason Zimdars
b45554966f
Lose the second close button
2025-11-24 17:48:21 -06:00
Jason Zimdars
0c05694a3c
This seems to have caused the unwanted effect of not focusing the field in Mobile Safari
...
Looks like it regressed in
https://github.com/basecamp/fizzy/commit/250935530f86eb628d6b54ec6b7212dac9e76f8b .
Let's see if we can get focus in Safari without sacrificing select in
other browsers by simply moving the nextFrame() call
2025-11-24 17:48:02 -06:00
Jason Zimdars
74cd88d626
Always display the cancel button, esc isn't obvious
2025-11-24 17:19:01 -06:00
Jason Zimdars
cfc61c318d
Nothing should cover the bar, trays or search results
2025-11-24 17:18:44 -06:00
Jason Zimdars
789c00b87f
Dark theme color isn't black
...
I *think* we don't need the theme color in the manifest since it doesn't
have dark mode support anyway
2025-11-24 16:37:50 -06:00
Jason Zimdars
a1fcabf01e
Add env constaints for mobile layout
...
In theory, this prevents overlapping device elements like the dynamic
island in landscape
2025-11-24 16:33:32 -06:00
Jason Zimdars
b93224b45c
Smaller on mobile
...
It really takes up a lot of space in landscape
2025-11-24 16:22:33 -06:00
Jason Zimdars
4e14c0df27
Reasonalbe max heights
...
Use all the available space above the search/trays footer. On mobile use
the full viewport height
2025-11-24 16:16:09 -06:00
Jason Zimdars
ed19e6d494
Remove top orientation (it doesn't work well), make right and left classes exclusive
...
In certain cases (board picker) both classes would be applied making a
mess
2025-11-24 15:49:42 -06:00
Jason Zimdars
9cc63c6dce
This is too fancy, remove it
2025-11-24 15:48:08 -06:00
Jason Zimdars
2f6f4cd3f5
Set reasonable maxes
2025-11-24 15:47:57 -06:00
Jason Zimdars
3a2b347aba
Restore bubble to Maybe
...
Stalled cards in Maybe are often out of view
2025-11-24 15:17:45 -06:00
Mike Dalessio
dc2d86ca54
Merge pull request #1710 from basecamp/flavorjones/plan-b-cleanup
...
Restore structured logging of `queenbee_id`
2025-11-24 15:59:14 -05:00
Mike Dalessio
9f117159a6
Restore structured logging of queenbee_id
...
and clean up some other small remaining "plan b" to-dos.
2025-11-24 15:50:45 -05:00
dependabot[bot]
143723a384
Bump aws-sdk-s3 from 1.201.0 to 1.205.0
...
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby ) from 1.201.0 to 1.205.0.
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases )
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md )
- [Commits](https://github.com/aws/aws-sdk-ruby/commits )
---
updated-dependencies:
- dependency-name: aws-sdk-s3
dependency-version: 1.205.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-24 20:30:51 +00:00
dependabot[bot]
41a7d55672
Bump autotuner from 1.0.2 to 1.1.0
...
Bumps [autotuner](https://github.com/Shopify/autotuner ) from 1.0.2 to 1.1.0.
- [Release notes](https://github.com/Shopify/autotuner/releases )
- [Commits](https://github.com/Shopify/autotuner/compare/v1.0.2...v1.1.0 )
---
updated-dependencies:
- dependency-name: autotuner
dependency-version: 1.1.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-24 20:30:36 +00:00
dependabot[bot]
50332d0a4f
Bump prometheus-client-mmap from 1.2.10 to 1.3.0
...
Bumps [prometheus-client-mmap](https://gitlab.com/gitlab-org/prometheus-client-mmap ) from 1.2.10 to 1.3.0.
- [Release notes](https://gitlab.com/gitlab-org/prometheus-client-mmap/tags )
- [Changelog](https://gitlab.com/gitlab-org/prometheus-client-mmap/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/gitlab-org/prometheus-client-mmap/compare/1.2.10...1.3.0 )
---
updated-dependencies:
- dependency-name: prometheus-client-mmap
dependency-version: 1.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-24 20:30:23 +00:00
dependabot[bot]
9df6919e9e
Bump the development-dependencies group across 1 directory with 3 updates
...
Bumps the development-dependencies group with 3 updates in the / directory: [brakeman](https://github.com/presidentbeef/brakeman ), [webmock](https://github.com/bblimke/webmock ) and [mocha](https://github.com/freerange/mocha ).
Updates `brakeman` from 7.1.0 to 7.1.1
- [Release notes](https://github.com/presidentbeef/brakeman/releases )
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md )
- [Commits](https://github.com/presidentbeef/brakeman/compare/v7.1.0...v7.1.1 )
Updates `webmock` from 3.26.0 to 3.26.1
- [Release notes](https://github.com/bblimke/webmock/releases )
- [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md )
- [Commits](https://github.com/bblimke/webmock/compare/3.26.0...v3.26.1 )
Updates `mocha` from 2.7.1 to 2.8.2
- [Changelog](https://github.com/freerange/mocha/blob/main/RELEASE.md )
- [Commits](https://github.com/freerange/mocha/compare/v2.7.1...v2.8.2 )
---
updated-dependencies:
- dependency-name: brakeman
dependency-version: 7.1.1
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: development-dependencies
- dependency-name: webmock
dependency-version: 3.26.1
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: development-dependencies
- dependency-name: mocha
dependency-version: 2.8.2
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: development-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-24 20:29:32 +00:00
dependabot[bot]
c4487581bb
Bump yabeda-puma-plugin from 0.8.0 to 0.9.0
...
Bumps [yabeda-puma-plugin](https://github.com/yabeda-rb/yabeda-puma-plugin ) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/yabeda-rb/yabeda-puma-plugin/releases )
- [Changelog](https://github.com/yabeda-rb/yabeda-puma-plugin/blob/master/CHANGELOG.md )
- [Commits](https://github.com/yabeda-rb/yabeda-puma-plugin/compare/v0.8.0...v0.9.0 )
---
updated-dependencies:
- dependency-name: yabeda-puma-plugin
dependency-version: 0.9.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-24 20:29:30 +00:00
dependabot[bot]
9adcd2f02f
Bump solid_cache from 1.0.8 to 1.0.10
...
Bumps [solid_cache](https://github.com/rails/solid_cache ) from 1.0.8 to 1.0.10.
- [Release notes](https://github.com/rails/solid_cache/releases )
- [Commits](https://github.com/rails/solid_cache/compare/v1.0.8...v1.0.10 )
---
updated-dependencies:
- dependency-name: solid_cache
dependency-version: 1.0.10
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2025-11-24 20:29:13 +00:00