v2.0.0-rc.3

This is a release candidate for GitProxy v2 which includes a addresses a diverse set of security, functionality, stability and performance issues/enhancement requests including:

• optimize pullRemote for large repos #985
• [Feature]: Create admin protected endpoint for creating users #40 & Feature Request: User Creation Endpoint and CLI Command #980
• [Refactor]: Improve configuration loading #32
• (bug) scanDiff fails on force pushes #1008
• chore: add /healthcheck endpoint to the proxy #1197
• Incorrect error message on cloning unauthorized repo #1181
• Investigate duplication of process steps in push approval flow #1196
• Z_DATA_ERROR during push parsing #1040
• Log out with AD auth fails in production #1201

A number of improvements to Git Proxy tests and dependency updates are also included in this release.

What's Changed

• chore(deps): update dependency cross-env to v10 - license-inventory - experimental/license-inventory/package.json by @renovate[bot] in #1173
• fix: prevent DOS when checking an unknown repo by @andypols in #1095
• feat: Create admin protected endpoint for creating users by @dcoric in #981
• chore: add testing documentation and coverage checks by @jescalada in #1147
• chore(deps): update github-actions - workflows - .github/workflows/dependency-review.yml by @renovate[bot] in #1170
• chore(deps): update dependency @types/node to ^22.18.1 - li-cli - experimental/li-cli/package.json by @renovate[bot] in #1190
• fix(deps): update npm - website - website/package.json by @renovate[bot] in #1131
• test: improve repo DB tests and CheckRepoInAuthList tests by @andypols in #1109
• refactor: migrate configuration system from JSON Schema to QuickType by @fabiovincenzi in #1140
• chore(deps): update dependency cypress to v15 - - package.json by @renovate[bot] in #1192
• fix: allowing empty diffs in scanDiff by @fabiovincenzi in #1182
• chore: add /healthcheck endpoint to the proxy by @andypols in #1197
• chore(deps): update github-actions - workflows - .github/workflows/scorecard.yml by @renovate[bot] in #1198
• feat: push speed optimizations by @jescalada in #1189
• fix(deps): update dependency axios to ^1.12.2 - git-proxy-cli - packages/git-proxy-cli/package.json by @renovate[bot] in #1205
• fix: incorrect error message on cloning unauthorized repos by @fabiovincenzi in #1204
• fix: Logout calls localhost in prod; standardise API base resolution by @andypols in #1201
• chore: update to eslint v9 by @06kellyjac in #955
• chore(deps): update dependency lint-staged to v16 - - package.json by @renovate[bot] in #1195
• fix(deps): update npm - li-cli - experimental/li-cli/package.json by @renovate[bot] in #1203
• fix(deps): update npm - - package.json by @renovate[bot] in #1183
• fix(deps): update npm - website - website/package.json by @renovate[bot] in #1208
• chore(deps): update github-actions to v5 - workflows - .github/workflows/unused-dependencies.yml (major) by @renovate[bot] in #1214
• fix(deps): update dependency dotenv to v17 - license-inventory - experimental/license-inventory/package.json by @renovate[bot] in #1215
• fix(deps): update dependency express to v5 - license-inventory - experimental/license-inventory/package.json by @renovate[bot] in #1219
• fix(deps): update dependency express to v5 - git-proxy-plugin-samples - plugins/git-proxy-plugin-samples/package.json by @renovate[bot] in #1217
• fix(deps): update dependency express-rate-limit to v8 - - package.json by @renovate[bot] in #1220
• refactor: eliminate duplicate executeChain calls in push approval flow by @fabiovincenzi in #1209
• fix: reimplement push parsing to prevent Z_DATA_ERROR by @kriswest in #1187
• fix(deps): update dependency express-rate-limit to v8 - license-inventory - experimental/license-inventory/package.json by @renovate[bot] in #1221
• fix: linter warnings and CI failure by @jescalada in #1218
• fix(deps): update dependency env-paths to v3 - - package.json by @renovate[bot] in #1216
• fix: "MongoServerError: The _id cannot be changed" when updating users by @andypols in #1230
• fix: bug in using API_BASE with URL by @andypols in #1228

Full Changelog: v2.0.0-rc2...v2.0.0-rc.3

v2.0.0-rc2

This is a release candidate for GitProxy v2 which adds support for SCM providers other than GitHub, (including Gitlab and basic git servers) and prevents proxying for requests for unknown git repositories.

Breaking changes are included in #1043 ( feat(key on repo url): support git hosts other than GitHub + multiple forks) and (also in v2.0.0-rc2) in #973 (associate commits by email).

What's Changed

• test: Implement fuzz tests for processors by @jescalada in #1115
• chore(deps): update github-actions - workflows - .github/workflows/unused-dependencies.yml by @renovate[bot] in #1156
• chore: update npm release workflow to handle pre-releases by @jescalada in #1159
• feat(key on repo url): support git hosts other than GitHub + multiple forks by @kriswest in #1043
• chore: bump version to rc.2 by @jescalada in #1162
• fix: flaky fuzz test errors by @jescalada in #1158
• feat: JWT apiAuthentication UI integration by @jescalada in #1096
• test: fix Cypress test data dependency by @jescalada in #1154
• feat: implement formatting checks to CI by @fabiovincenzi in #1153
• feat: don't forward requests for unknown repos by @kriswest in #1164
• fix(deps): update npm - li-cli - experimental/li-cli/package.json by @renovate[bot] in #1114
• chore(deps): update amannn/action-semantic-pull-request action to v6 - workflows - .github/workflows/pr-lint.yml by @renovate[bot] in #1157
• fix(deps): update npm - - package.json by @renovate[bot] in #1135
• fix: mongoDB client impl issues by @kriswest in #1167
• fix: return 200 status codes on rejection to ensure error message renders in git client by @kriswest in #1178
• fix: render committer and author email links instead of estimated profile links by @kriswest in #1179
• fix: display errors when adding a new repo by @andypols in #1120

Full Changelog: v2.0.0-rc.1...v2.0.0-rc2

v2.0.0-rc.1

This is a release candidate for GitProxy v2. Breaking changes are included in #973 (associate commits by email).

If you encounter any problems, feel free to open an issue!

What's Changed

• fix(deps): update npm - - package.json by @renovate[bot] in #883
• fix: restore user configs being merged with defaults by @coopernetes in #1129
• chore(deps): update github-actions - workflows - .github/workflows/ci.yml by @renovate[bot] in #1127
• chore(deps): update dependency @finos/git-proxy to ^1.19.2 - git-proxy-plugin-samples - plugins/git-proxy-plugin-samples/package.json by @renovate[bot] in #1128
• fix(deps): update dependency axios to ^1.11.0 - git-proxy-cli - packages/git-proxy-cli/package.json by @renovate[bot] in #1130
• chore: prepare for 2.x release with rc version by @coopernetes in #1137
• refactor: replace getMissingData action with checkEmptyBranch by @jescalada in #1134
• fix: 946 associate commits by email by @kriswest in #973

Full Changelog: v1.19.2...v2.0.0-rc.1

v1.19.2

❗️ Important security updates ❗️

This release contains security fixes for newly discovered high severity issues. These issues were privately reported to the GitProxy & FINOS teams. Special thanks to the following individuals for their contributions:

• @dgl for the initial report, analysis and reproductions
• @jescalada @fabiovincenzi @06kellyjac for implementing & reviewing the various fixes

The following advisories are resolved in this release:

• GHSA-qr93-8wwf-22g4
• GHSA-xxmh-rf63-qwjv
• GHSA-39p2-8hq9-fwj6
• GHSA-v98g-8rqx-g93g

All GitProxy users & implementations are strongly advised to upgrade to this latest version to receive these critical fixes. Additional bug fixes and enhancements are included below.

What's Changed

• fix: additional user api leaks by @andypols in #1098
• fix(deps): update dependency body-parser to v2 - license-inventory - experimental/license-inventory/package.json by @renovate[bot] in #1087
• chore(deps): update github-actions - workflows - .github/workflows/unused-dependencies.yml by @renovate[bot] in #1112
• fix: updated URL for FINOS community slack channel by @sam-holmes2 in #1011
• docs: update SECURITY.md with reporting guidance by @tabathad in #1117
• fix: dependency vulnerability fixes by @jescalada in #1103
• fix: default config validation error and extras by @jescalada in #1124
• fix: parsePush regression on tmp directory by @jescalada in #1118

New Contributors

• @tabathad made their first contribution in #1117

Full Changelog: v1.19.1...v1.19.2

Version 1.19.1

What's Changed

• fix: prevent non-admin users changing another user's gitAccount by @andypols in #1093
• refactor(tsx): Migrate React components to TSX by @fabiovincenzi in #984
• fix: only trim trailing .git not any match by @06kellyjac in #1094
• chore: bump by patch to v1.19.1 by @jescalada in #1102

Full Changelog: v1.19.0...v1.19.1

Version 1.19.0

What's Changed

• chore(deps): update dependency @types/node to ^22.15.34 - li-cli - experimental/li-cli/package.json by @renovate in #1067
• chore(deps): update dependency @finos/git-proxy to ^1.18.0 - git-proxy-plugin-samples - plugins/git-proxy-plugin-samples/package.json by @renovate in #1073
• chore(deps): update github-actions - workflows - .github/workflows/scorecard.yml by @renovate in #1072
• chore(deps): update dependency @finos/git-proxy to ^1.18.2 - git-proxy-plugin-samples - plugins/git-proxy-plugin-samples/package.json by @renovate in #1074
• fix(deps): update dependency eslint to ^9.30.0 - website - website/package.json by @renovate in #1075
• chore(deps): update dependency lint-staged to v16 - license-inventory - experimental/license-inventory/package.json by @renovate in #1076
• chore(deps): update dependency node to v22 - workflows - .github/workflows/unused-dependencies.yml by @renovate in #1077
• chore(deps): update dependency sinon to v20 - - package.json by @renovate in #1078
• fix(deps): update dependency eslint to ^9.30.1 - website - website/package.json by @renovate in #1079
• fix(deps): update npm - li-cli - experimental/li-cli/package.json by @renovate in #1080
• chore(deps): update dependency sinon to v21 - - package.json by @renovate in #1081
• chore(deps): update grafana/grafana docker tag to v12 - license-inventory - experimental/license-inventory/docker-compose.yaml by @renovate in #1082
• fix(deps): update dependency body-parser to v2 - - package.json by @renovate in #1084
• fix(proxy): preserve original Git pack POST streams before validation by @fabiovincenzi in #1060
• feat: mongo connection string & cookie secret from env vars by @coopernetes in #1086
• fix(deps): update dependency zod to ^3.25.73 - li-cli - experimental/li-cli/package.json by @renovate in #1085
• fix: updated README and documentation site with info on community meeting by @sam-holmes2 in #1026
• chore: add @jescalada as a featured maintainer on docs site and remov… by @JamieSlome in #1097
• fix: use a public user object to prevent passwords and other secrets … by @andypols in #1090
• chore: bump by minor to v1.19.0 by @JamieSlome in #1099

New Contributors

• @sam-holmes2 made their first contribution in #1026
• @andypols made their first contribution in #1090

Full Changelog: v1.18.2...v1.19.0

Version 1.18.2

What's Changed

• fix: correct typing for ConfigLoader env by @06kellyjac in #1070
• chore: bump by patch to v1.18.2 by @JamieSlome in #1071

Full Changelog: v1.18.1...v1.18.2

Version 1.18.1

What's Changed

• test: improve auth test coverage by @jescalada in #1024
• chore(deps): update dependency @jest/globals to v30 - license-inventory - experimental/license-inventory/package.json by @renovate in #1058
• test: improve proxy route test coverage by @jescalada in #1025
• chore: upgrade node in CI to 20.19 by @jescalada in #1059
• fix: allow for auth with activedirectory again by @06kellyjac in #1061
• chore: bump by patch to v1.18.1 by @JamieSlome in #1069

Full Changelog: v1.18.0...v1.18.1

Version 1.18.0

What's Changed

• test: stop the config loader and restore defaults after tests have run by @kriswest in #1050
• chore: apply finos active badge by @TheJuanAndOnly99 in #1052
• feat: support direct querying of AD group membership via LDAP by @kriswest in #972
• fix(deps): update npm - li-cli - experimental/li-cli/package.json by @renovate in #1016
• chore(deps): update dependency @finos/git-proxy to ^1.17.2 - git-proxy-plugin-samples - plugins/git-proxy-plugin-samples/package.json by @renovate in #1054
• chore(deps): update github-actions - workflows - .github/workflows/ci.yml by @renovate in #1055
• fix(deps): update dependency axios to ^1.10.0 - git-proxy-cli - packages/git-proxy-cli/package.json by @renovate in #1056
• feat(experimental): fall back to local spdx data and filter deprecated by @06kellyjac in #1048
• fix(deps): update npm - website - website/package.json by @renovate in #1057
• feat(auth): add role mapping for JWT auth claims by @jescalada in #977
• chore: bump by minor to v1.18.0 by @JamieSlome in #1066

Full Changelog: v1.17.2...v1.18.0

Version 1.17.2

What's Changed

• fix: neDB implementation issues by @kriswest in #979
• test: improve config test coverage by @jescalada in #1032
• test: increase action test coverage by @jescalada in #1038
• fix: correct method for finding ad configuration by @06kellyjac in #1046
• chore: bump by patch to v1.17.2 by @JamieSlome in #1047

Full Changelog: v1.17.1...v1.17.2