Commit graph

5540 commits

Author SHA1 Message Date
Jack
39d62abde0
Merge pull request #1 from chen86860/vercel/react-flight-rce-vulnerability-czx44h
Fix React Server Components RCE vulnerability
2025-12-08 01:27:13 +08:00
Vercel
1ac2f6bb03 Update React Flight RCE vulnerability patches
React Flight / Next.js RCE Advisory - Vulnerability Fix and Update Report

## Summary
The umami repository was affected by the React Flight / Next.js RCE advisory. The repository had Next.js 15.5.3, which is vulnerable. This has been updated to the patched version 15.5.7.

## Affected Package Detection
Inspected all package.json files in the repository:
- Root package.json: ./package.json
- Monorepo: Not a monorepo (pnpm workspace configured but only root package.json with meaningful dependencies)

## Changes Applied

### Next.js Vulnerability Fix
**PATCHED** - Updated next from 15.5.3 to 15.5.7
- Previous version: next@15.5.3 (vulnerable)
- Updated version: next@15.5.7 (patched)
- This is the correct patch version for the 15.5.x line per the advisory
- Addresses the React Flight RCE vulnerability (CVE impact on Next.js)

### React Flight Packages Status
**NOT AFFECTED** - Project does not use React Flight packages
- Project does NOT use react-server-dom-webpack
- Project does NOT use react-server-dom-parcel
- Project does NOT use react-server-dom-turbopack
- No React Flight specific patches required

### React & React-DOM Status
**NO MANUAL CHANGES NEEDED** - Project uses React 19.2.0 and React-DOM 19.2.0
- These versions remain unchanged (correctly per the advisory)
- react and react-dom themselves are not vulnerable
- Next.js 15.5.7 provides the necessary security patches
- Per the advisory: "For Next.js projects, do not manually upgrade react or react-dom"

## Files Modified
1. **package.json**
   - Changed: `"next": "15.5.3"` → `"next": "15.5.7"`

2. **pnpm-lock.yaml**
   - Updated dependency locks to reflect Next.js 15.5.7
   - Cleaned up unused transitive dependencies (previous versions of sharp and emnapi)

## Verification Performed
**Build Verification**: Next.js build completed successfully with `npm run build-app`
   - Output shows all pages compiled correctly
   - No build errors introduced by the package update

**Lockfile Verification**: pnpm-lock.yaml correctly resolves to:
   - next@15.5.7 (with expected dependencies)
   - react@19.2.0 (unchanged as recommended)
   - react-dom@19.2.0 (unchanged as recommended)

## Conclusion
The vulnerability has been successfully patched. The repository now uses the secure version of Next.js (15.5.7) that addresses the React Flight RCE advisory. The build completes successfully, confirming compatibility with the patched version.

No other changes were required as the project does not use any React Flight packages.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
2025-12-07 17:26:20 +00:00
chen86860
069ee2a01b Remove unused migration files and clean up the Prisma migrations directory. 2025-11-26 14:55:33 +08:00
chen86860
c89e4781a8 Remove migration SQL file and associated indexes from the Prisma migrations directory. 2025-11-26 14:51:06 +08:00
chen86860
b19cebcd3e Remove all migration files and the migration lock file from the Prisma migrations directory. 2025-11-26 14:50:05 +08:00
Mike Cao
aaa1f9dc58 Merge branch 'dev'
2025-11-18 10:27:02 -08:00
Mike Cao
abc1b50ad0 Reordered IP headers.
2025-11-18 10:25:08 -08:00
Mike Cao
24b017cad8
Merge pull request #3765 from umami-software/dev
v3.0.1
2025-11-17 22:39:48 -08:00
Mike Cao
ef3f7274e3 Remember last team.
2025-11-17 19:12:25 -08:00
Mike Cao
1852acc333 Merge remote-tracking branch 'origin/dev' into dev
2025-11-14 15:46:59 -08:00
Mike Cao
cb63e49a9b Fixed triggered event lookup. Closes #3742. 2025-11-14 15:42:23 -08:00
Mike Cao
d382ad2975
Merge pull request #3682 from rkoh-rq/patch-1
fix: quote "event" reserved keyword in journey queries
2025-11-14 11:44:31 -08:00
Mike Cao
b1dc690e2f
Merge branch 'dev' into patch-1 2025-11-14 11:44:20 -08:00
Francis Cao
cc8254985b Increase resetWebsite timeout. fix retention bug returning decimal day_number in CH.
Closes #3698
2025-11-14 09:11:26 -08:00
Francis Cao
a3f32b036d revert getDateStringSQL for CH 2025-11-14 08:10:13 -08:00
Mike Cao
5ded9abbfe Added data-fetch-credentials attribute. Closes #3644
2025-11-13 19:42:04 -08:00
Francis Cao
6751bf88bb fix chart and timezone issues, pass consistent dates to DB.
Closes #3700
2025-11-13 15:52:24 -08:00
Mike Cao
81bedec6d5
Merge pull request #3749 from Maxime-J/os-formatting
Restore OS formatting in tables
2025-11-13 13:06:39 -08:00
Maxime-J
4531538ad3 Restore OS formatting in tables 2025-11-13 15:46:05 +01:00
Mike Cao
9fbcec46af
Merge pull request #3737 from prince0xdev/fix/login-autocomplete-username
fix: correct autocomplete attributes to enable password manager autofill
2025-11-12 21:38:12 -08:00
Mike Cao
d98cc35208
Merge pull request #3743 from Mintimate/master
feat(geo): add redirect support for direct .mmdb downloads
2025-11-12 21:33:19 -08:00
Mike Cao
97ebdc1bab Merge remote-tracking branch 'origin/dev' into dev
2025-11-12 16:40:50 -08:00
Mike Cao
8a66603d32 Responsive fixes. 2025-11-12 16:39:58 -08:00
Mintimate
e13362bfec feat(geo): add redirect support for direct .mmdb downloads 2025-11-12 19:18:44 +08:00
Mintimate
371ff47325 feat(geo): add support for direct .mmdb URL and custom GEO_DATABASE_URL
- Support GEO_DATABASE_URL environment variable for custom database URL

- Auto-detect .mmdb files and skip decompression

- Maintain backward compatibility with tar.gz archives
2025-11-12 17:51:19 +08:00
Francis Cao
3aa09572f5 Merge branch 'master' of https://github.com/umami-software/umami into dev
2025-11-11 21:40:28 -08:00
Prince EKPINSE
a56746ce6d fix: enable password manager autofill on login form (#3735) 2025-11-12 00:15:05 +01:00
Prince EKPINSE
678a2ccdf3 fix: correct autocomplete attributes to enable password manager autofill 2025-11-12 00:08:36 +01:00
Francis Cao
bf498d9239 add RealtimeData to types
2025-11-11 13:45:41 -08:00
Francis Cao
30781430c5 remove timezone from realtime. Closes #3700 2025-11-11 13:13:25 -08:00
Francis Cao
14f5babea7
Merge pull request #3731 from Maxime-J/unique-constraint
Prevent duplicate key db errors on session creation
2025-11-11 11:13:14 -08:00
Maxime-J
14f3db550b Use raw query with on conflict in createSession 2025-11-11 10:32:31 +01:00
Mike Cao
3d8402d2f1 Merge branch 'master' into dev 2025-11-10 22:44:36 -08:00
Mike Cao
7ac5913c86
Merge pull request #3704 from prince0xdev/fix/disable-download-when-no-data
Fix: Disable download button when no data available
2025-11-10 22:43:42 -08:00
Mike Cao
a6e130ab2e
Fix DownloadButton to avoid duplicate downloadCsv call
Removed redundant downloadCsv call from handleClick.
2025-11-10 22:43:22 -08:00
Mike Cao
4fe4bb99b7
Apply suggestion from @greptile-apps[bot]
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2025-11-10 22:42:20 -08:00
Mike Cao
592f7c0ae7 Added check for REDIS_URL. Closes #3677.
2025-11-10 21:08:55 -08:00
Francis Cao
8787764e0e Merge branch 'analytics' of https://github.com/umami-software/umami into dev
2025-11-10 17:32:18 -08:00
Francis Cao
839bf3898f add canonicalizeTimezone conversions
Co-authored-by: Om Mishra <contact@om-mishra.com>
2025-11-10 17:27:45 -08:00
Francis Cao
13ab84d50e Revert "add canonicalizeTimezone conversions"
This reverts commit a1d6204373.
2025-11-10 17:26:06 -08:00
Francis Cao
a1d6204373 add canonicalizeTimezone conversions
Co-authored-by: Om Mishra <contact@om-mishra.com>
2025-11-10 17:24:51 -08:00
Francis Cao
49e1582c28 implement generateTimeSeries for eventsChart 2025-11-10 15:36:43 -08:00
Francis Cao
64a6379c3c fix realtime logs for mobile
2025-11-10 01:07:11 -08:00
Francis Cao
f3e246c64b fix hasdata queries, add hasData to website events, fix sessionactivity truncation, 2025-11-09 23:58:20 -08:00
Francis Cao
9230f3cb7b manually include basePath 2025-11-09 22:03:06 -08:00
Francis Cao
f30724629c Fix null and string return types from getWebsiteStats 2025-11-09 21:37:35 -08:00
Francis Cao
c44f6f8c9c Merge branch 'dev' of https://github.com/umami-software/umami into dev 2025-11-09 21:19:46 -08:00
Francis Cao
bf548c5aca Fix revenue bigInt bug and case insensitive currency 2025-11-09 21:19:38 -08:00
Prince EKPINSE
b9e90268d1 chore [#3699] : fix .gitignore syntax and untrack package-lock.json 2025-11-08 22:33:22 +01:00
Mike Cao
227201a73c
Merge pull request #3706 from metaloozee/3703
fix: Redirect loop on auth failure
2025-11-08 11:32:02 -08:00