Skip to content

Release v2025.4 #1506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
matthew-white wants to merge 16 commits into
base: master
Choose a base branch
from
Draft

Release v2025.4 #1506

matthew-white wants to merge 16 commits into from

Conversation

@matthew-white
Copy link
Member

@matthew-white matthew-white commented Dec 1, 2025

This PR prepares the release of v2025.4. It should only contain changes from other PRs that have already been approved and merged (and possibly merge commits from the master branch).

alxndrsn and others added 16 commits November 18, 2025 11:04
@alxndrsn
nginx: udpate CSP for frontend maps (#1468)
d833567 
Closes #1403
@alxndrsn
nginx/csp: make blank.html CSP completely restrictive (#1479)
33e4715
@alxndrsn
csp-report: ensure Sentry requests are made with SNI (#1411)
5c129e5
@alxndrsn
csp: allow backend passthrough for /oidc/callback (#1478)
924d320 
Closes #1235
@brontolosone
expose database pool's maximum size, fixes #494
117b5fc
@alxndrsn
nginx/redirector: add warning re editing the file (#1509)
3017cc6
@alxndrsn
ci: run gixy to detect nginx config issues (#1508)
93fda4a 
* `gixy-ng` seems to be a maintained, popular fork of `gixy`
  * `gixy-ng`: https://github.com/dvershinin/gixy/
  * original `gixy` repo: https://github.com/yandex/gixy/
* currently only considering HIGH-level reports
  * there are some HIGH reports that can be fixed without much effort or controversy
  * there are some MEDIUM reports which are more complicated; this commit ignores those
@alxndrsn
CSP: add reporting for blank.html (#1515)
b4252cb 
It was an oversight to omit reporting for blank.html and other "disallow-all" pages.  With a `report-uri` directive, violations will not be known.

Co-authored-by: alxndrsn <alxndrsn>
@alxndrsn
ci: separate gixy step (#1521)
21475da 
Compared to mocha, the gixy step is slow and noisy, and it's helpful locally to be able to set up the docker compose env and then run the mocha tests separately from gixy.
@alxndrsn
CSP: frontend: allow Google Translate images (#1519)
3cab387 
This commit:

* makes the frontend policy consistent with other policies which allow for Google Translate images
* provides a template for addition of other browser-plugin-related policy
* removes enforcement of policy order, although the served policies maintain their current ordering

Closes #1518
@alxndrsn
nginx/csp: switch rules for API and blank.html (#1524)
2ddd987 
* blank.html should allow Google Translate
* API endpoints should allow nothing, as they shouldn't be loaded as browser pages

Closes #1516
Closes #1517
@alxndrsn @lognaturel
nginx/csp: clarify use of 'none' directives (#1529)
76561e5 
Co-authored-by: Hélène Martin <[email protected]>
@alxndrsn @lognaturel
nginx/csp/frontend: fix: OpenLayers (map) worker-src (#1530)
718dd60 
Split from https://github.com/getodk/central/pull/1526/files#r2587794987

The only identifiable Worker in frontend is from OpenLayers for displaying maps, and requires blob:, not data:.

Incorrect map-specific CSP introduced in #1468.

Co-authored-by: Hélène Martin <[email protected]>
Co-authored-by: alxndrsn <alxndrsn>
@alxndrsn
nginx/csp/frontend: block non-https images (#1531)
3846982 
Users can include images in various bits of markdown around odk-central-frontend.  This change blocks non-HTTPS images from being loaded in those markdown snippets.

---------

Co-authored-by: alxndrsn <alxndrsn>
@lognaturel
Add CSP headers specifically for Web Forms (#1526)
d210e58
@sadiqkhoja
V2025.4/update deps (#1546)
3810f54 
* Chores: updated node to 22.21.1

* updated stmp image to 1.1.5

* updated redis to 7.4.7

* Updated npm packages

* Updated postgres to 14.20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@matthew-white @alxndrsn @brontolosone @lognaturel @sadiqkhoja