Releases: mozilla/addons-server
Releases Β· mozilla/addons-server
2026.04.16-1
Cherry-pick for fdd0330 on top of 2026.04.16
2026.04.16
This week's push hero is @diox
Previous Release: 2026.04.02-1
Blockers:
Cherry-picks:
Before we push:
Before we start:
Before we promote:
After we're done:
Addons-Frontend Changelog:
mozilla/addons-frontend@2026.04.02...2026.04.16
Addons Server Changelog:
What's Changed
Notable things shipping
- Switch to forked yara-x by @willdurand in #24677
- Process decisions from Cinder without a known job by @eviljeff in #24679
- Update dependabot.yml by @eviljeff in #24688
- Allow accessing promoted add-on admin page by Add-on GUID or slug by @diox in #24690
- Optimize generate_lowercase_homoglyphs_variants_for_string() by @diox in #24706
- add docker hub token for auth'd requested; add cooldown back into dependabot.yml by @eviljeff in #24703
- switch elasticsearch to use official docker image by @eviljeff in #24714
- Obey relevant max_length when importing strings from the XPI by @diox in #24713
- Add github registry auth to dependabot config by @eviljeff in #24715
- Create a content review cinderjob on created webhook payload by @eviljeff in #24711
- Revert "Add github registry auth to dependabot config" by @diox in #24716
- Check dependabot daily for all ecosystems now that there is cooldown by @diox in #24720
- Add github registry auth to dependabot config by @diox in #24722
- Ask dependabot to ignore elasticsearch 9.x in docker_compose by @diox in #24724
- set override_of on new decision by @eviljeff in #24721
- Don't allow developers to download attachments on private comments by @diox in #24729
- Move yara-x to its own requirements.txt file by @willdurand in #24733
- AMOENG-2436 - Contact Support form UI improvements by @bakulf in #24723
- Add option to scan add-on summaries with NARC by @diox in #24731
- Allow multiple BlocklistSubmission in parallel for the same version by @diox in #24728
- Omit match field in narc results by @willdurand in #24730
Dependendabots
- Bump mozilla/autograph from 7.5.5 to 7.7.4 by @dependabot[bot] in #24696
- Bump mozilla/addons-frontend from 2025.11.27 to 2026.04.02 by @dependabot[bot] in #24695
- Bump actions/deploy-pages from 4 to 5 by @dependabot[bot] in #24691
- Bump elasticsearch/elasticsearch from 8.19.8 to 8.19.13 by @dependabot[bot] in #24692
- Bump rhysd/actionlint from 1.7.9 to 1.7.12 by @dependabot[bot] in #24697
- Bump actions/configure-pages from 5 to 6 by @dependabot[bot] in #24693
- Bump stylelint from 17.5.0 to 17.6.0 by @dependabot[bot] in #24698
- Bump vitest from 4.1.1 to 4.1.2 by @dependabot[bot] in #24705
- Bump @rollup/plugin-babel from 6.1.0 to 7.0.0 by @dependabot[bot] in #24592
- Bump lodash from 4.17.23 to 4.18.1 by @dependabot[bot] in #24707
- Bump vite from 7.3.1 to 7.3.2 by @dependabot[bot] in #24709
- Bump ruff from 0.15.7 to 0.15.8 in /requirements by @dependabot[bot] in #24704
- Bump django-debug-toolbar from 6.2.0 to 6.3.0 in /requirements by @dependabot[bot] in #24725
- Bump ruff from 0.15.8 to 0.15.9 in /requirements by @dependabot[bot] in #24726
- Bump zizmorcore/zizmor from 1.18.0 to 1.23.1 by @dependabot[bot] in #24694
- Bump django from 5.2.12 to 5.2.13 in /requirements by @dependabot[bot] in #24739
- Bump cryptography from 46.0.6 to 46.0.7 in /requirements by @dependabot[bot] in #24740
- Bump pillow from 12.1.1 to 12.2.0 in /requirements by @dependabot[bot] in #24741
- Bump proto-plus from 1.27.1 to 1.27.2 in /requirements by @dependabot[bot] in #24760
- Bump djangorestframework from 3.17.0 to 3.17.1 in /requirements by @dependabot[bot] in #24752
- Bump ipython from 9.11.0 to 9.12.0 in /requirements by @dependabot[bot] in #24755
- Bump pytest from 9.0.2 to 9.0.3 in /requirements by @dependabot[bot] in #24742
- Bump googleapis-common-protos from 1.73.0 to 1.74.0 in /requirements by @dependabot[bot] in #24754
- Bump charset-normalizer from 3.4.6 to 3.4.7 in /requirements by @dependabot[bot] in #24756
- Bump requests from 2.33.0 to 2.33.1 in /requirements by @dependabot[bot] in #24751
- Bump eslint from 10.1.0 to 10.2.0 by @dependabot[bot] in #24737
- Bump @vitest/eslint-plugin from 1.6.13 to 1.6.14 by @dependabot[bot] in #24712
Full Changelog: 2026.04.02...2026.04.16
Contributors
diox, willdurand, and 3 other contributors
Assets 2
2026.04.02-1
Cherry-pick for dbbf0ca on top of 2026.04.02
2026.04.02
This week's push hero is @eviljeff
Previous Release: 2026.03.19-1
Blockers:
Cherry-picks:
Before we push:
Before we start:
Before we promote:
After we're done:
Addons-Frontend Changelog:
Addons Server Changelog:
What's Changed
Notable things shipping
- Fix softening of blocks on unban by @diox in #24620
- AMOENG-2377 - Introduce an email lookup API endpoint by @bakulf in #24591
- Add a service_account (UserProfile) FK to ScannerWebhook by @willdurand in #24621
- Remove ohfp from headers that trigger session anomalies, it creates too much noise by @diox in #24624
- Remove obsolete CSS that affect fonts by @diox in #24625
- upgrade django to 5.2 by @eviljeff in #24614
- Wrap long JSON scanner results in the admin by @willdurand in #24622
- Denying an appeal on Listing Content Rejection should drop requested by @eviljeff in #24632
- Introduce a new API endpoint to let scanners push their results by @willdurand in #24601
- Font in developer/reviewer replies in devhub shouldn't be monospace by @diox in #24643
- Move upload source step after details in submission flow by @willdurand in #24589
- Hide API key secret after generation by @diox in #24641
- add tasks that submit new addons and changes for content review to cinder by @eviljeff in #24642
- Update and restyle how we expose listing content rejection in devhub by @diox in #24647
- Expose number of matched add-ons on scanner results (and query results) page by @diox in #24652
- Fix clipboard interaction in manage API key page by @diox in #24654
- Update the style of the scanner details in the reviewer tools by @willdurand in #24633
- Simplify DiscoveryAddon admin filtering by promoted group by @diox in #24655
- Tweak css to better display the narc results in the reviewer tools by @willdurand in #24663
- Additional confusable characters by @diox in #24665
- AMOENG-2407 - Introduce a new serializer for the lookup API endpoint and account retrieval with the Users:Lookup permission by @bakulf in #24653
- Add triggers for new addons and metadata change to submit to Cinder by @eviljeff in #24662
- AMOENG-2401 - support form in devhub by @bakulf in #24646
- Don't consider i18n placeholders as regexp syntax by @diox in #24678
- Add
is_activefield toScannerWebhookEventto prevent data loss when updating events bound to a webhook scanner by @willdurand in #24664
Dependendabots
- Bump less from 4.5.1 to 4.6.2 by @dependabot[bot] in #24619
- Bump less from 4.6.2 to 4.6.3 by @dependabot[bot] in #24623
- Bump flatted from 3.4.1 to 3.4.2 by @dependabot[bot] in #24626
- Bump @vitest/eslint-plugin from 1.6.10 to 1.6.11 by @dependabot[bot] in #24630
- Bump ruff from 0.15.5 to 0.15.6 in /requirements by @dependabot[bot] in #24627
- Bump @vitest/eslint-plugin from 1.6.11 to 1.6.12 by @dependabot[bot] in #24636
- Bump picomatch by @dependabot[bot] in #24656
- Bump knip from 5.86.0 to 5.88.0 by @dependabot[bot] in #24648
- Bump sentry-sdk from 2.54.0 to 2.55.0 in /requirements by @dependabot[bot] in #24651
- Bump addons-linter from 10.1.0 to 10.2.0 by @dependabot[bot] in #24649
- Bump @babel/preset-env from 7.29.0 to 7.29.2 by @dependabot[bot] in #24644
- Bump vitest from 4.0.18 to 4.1.0 by @dependabot[bot] in #24628
- Bump pyjwt from 2.12.0 to 2.12.1 in /requirements by @dependabot[bot] in #24640
- Bump charset-normalizer from 3.4.5 to 3.4.6 in /requirements by @dependabot[bot] in #24639
- Bump requests from 2.32.5 to 2.33.0 in /requirements by @dependabot[bot] in #24657
- Bump imagesize from 1.4.1 to 2.0.0 in /requirements by @dependabot[bot] in #24585
- Bump pytz from 2025.2 to 2026.1.post1 in /requirements by @dependabot[bot] in #24581
- Bump pyuwsgi from 2.0.30 to 2.0.30.post1 in /requirements by @dependabot[bot] in #24559
- Bump dockerflow from 2026.1.26 to 2026.3.4 in /requirements by @dependabot[bot] in #24583
- Bump ruff from 0.15.6 to 0.15.7 in /requirements by @dependabot[bot] in #24667
- Bump stylelint from 17.4.0 to 17.5.0 by @dependabot[bot] in #24666
- Bump the google group across 1 directory with 4 updates by @dependabot[bot] in #24650
- Bump django-model-info from 2024.11.5 to 2026.3.1 in /requirements by @dependabot[bot] in #24637
- Bump protobuf from 6.33.5 to 6.33.6 in /requirements by @dependabot[bot] in #24658
- Bump googleapis-common-protos from 1.72.0 to 1.73.0 in /requirements by @dependabot[bot] in #24611
- Bump actions/checkout from 5 to 6 by @dependabot[bot] in #24179
- Bump brace-expansion by @dependabot[bot] in #24671
- Bump cryptography from 46.0.5 to 46.0.6 in /requirements by @dependabot[bot] in #24672
- Bump @vitest/eslint-plugin from 1.6.12 to 1.6.13 by @dependabot[bot] in #24675
- Bump eslint from 10.0.3 to 10.1.0 by @dependabot[bot] in #24674
- Bump less from 4.6.3 to 4.6.4 by @dependabot[bot] in #24635
- Bump djangorestframework from 3.16.1 to 3.17.0 in /requirements by @dependabot[bot] in #24661
- Bump pygments from 2.19.2 to 2.20.0 in /requirements by @dependabot[bot] in #24680
- Bump addons-linter from 10.2.0 to 10.3.0 by @dependabot[bot] in #24686
- Bump sentry-sdk from 2.55.0 to 2.56.0 in /requirements by @dependabot[bot] in #24685
- Bump stylelint-config-standard-less from 4.0.1 to 4.1.0 by @dependabot[bot] in #24684
- Bump vitest from 4.1.0 to 4.1.1 by @dependabot[bot] in #24683
- Bump google-cloud-storage from 3.10.0 to 3.10.1 in /requirements in the google group across 1 directory by @dependabot[bot] in #24673
Full Changelog: 2026.03.19...2026.04.02
Contributors
diox, willdurand, and 3 other contributors
Assets 2
2026.03.19-1
Cherry-pick for df47da3 on top of 2026.03.19
2026.03.19
This week's push hero is @diox
Previous Release: 2026.03.05-2
Before publishing this release:
- Switch addons-customs-scanner deploy job for stage & prod to use Node 22
- Make a new version of
addons-customs-scanner, let it be deployed to stage
Blockers:
Cherry-picks:
Before we push:
Before we start:
Before we promote:
After we're done:
- Deploy
addons-customs-scannerto prod. Verify that it's running Node 22.
Addons-Frontend Changelog:
mozilla/addons-frontend@2026.03.05...2025.03.19
Addons Server Changelog:
What's Changed
Notable things shipping
- Fix intermittent test failure by @willdurand in #24556
- Add a migration to remove the ScannerResult.state field entirely by @willdurand in #24555
- docs: remove scanner API docs in v4 by @willdurand in #24557
- Make ScannerResult.result field nullable by @willdurand in #24553
- Remove the ScannerResult.model_version field by @willdurand in #24564
- Handle 204 responses when calling webhooks by @willdurand in #24554
- Add a migration to remove the ScannerResult.model_version colum by @willdurand in #24562
- add allow_reasons for reject_listing_content action by @eviljeff in #24563
- Fix file permissions by @willdurand in #24561
- Update scanner pipeline docs by @willdurand in #24566
- Fix mass-block of add-ons with at least one version already blocked by @diox in #24569
- Add a new AutoApprovalSummary check to wait on scanners by @willdurand in #24533
- Add git, make, and jq to setup_and_configuration docs by @eviljeff in #24573
- Bump Node.js to 22.x by @diox in #24577
- docs: mark during_validation as deprecated by @willdurand in #24578
- Add explicit support for scanner annotations by @willdurand in #24572
- docs: move annotations section under webhook scanners by @willdurand in #24582
- Remove old IE CSS directives by @willdurand in #24590
- Add a new permission to download files by @willdurand in #24587
- Record which blocks were performed on ban for each user, revert them on unban by @diox in #24570
- rm unneeded django-dbbackup setting by @eviljeff in #24594
- Bump MySQL client (and server for local environments) to 8.4 by @diox in #24586
- django52 fixes by @eviljeff in #24588
- Additional confusables characters + deduping existing by @diox in #24612
- docs: update scanner example by @willdurand in #24615
- Get rid of pattern and span meta fields in narc scanner results by @willdurand in #24613
- List the permissions of a user in the scanner webhook and user admin pages by @willdurand in #24600
- correct email for cases when add-on will not be public despite approval by @eviljeff in #24606
- replace datetime.utcnow by @eviljeff in #24618
Dependendabots
- Bump @eslint/js from 9.39.2 to 10.0.1 by @dependabot[bot] in #24464
- Bump django from 4.2.28 to 4.2.29 in /requirements by @dependabot[bot] in #24565
- Bump stylelint from 17.3.0 to 17.4.0 by @dependabot[bot] in #24568
- Bump addons-linter from 9.9.1 to 10.0.0 by @dependabot[bot] in #24584
- Bump yara-x from 1.13.0 to 1.14.0 in /requirements by @dependabot[bot] in #24598
- Bump undici from 7.22.0 to 7.24.1 by @dependabot[bot] in #24603
- Bump yauzl and addons-linter by @dependabot[bot] in #24602
- Bump pyjwt from 2.11.0 to 2.12.0 in /requirements by @dependabot[bot] in #24604
- Bump flatted from 3.3.3 to 3.4.1 by @dependabot[bot] in #24605
- Bump knip from 5.85.0 to 5.86.0 by @dependabot[bot] in #24610
- Bump ruff from 0.15.2 to 0.15.5 in /requirements by @dependabot[bot] in #24595
- Bump drf-spectacular-sidecar from 2026.1.1 to 2026.3.1 in /requirements by @dependabot[bot] in #24574
- Bump @eslint/compat from 2.0.2 to 2.0.3 by @dependabot[bot] in #24608
- Bump wrapt from 2.1.1 to 2.1.2 in /requirements by @dependabot[bot] in #24596
- Bump globals from 17.3.0 to 17.4.0 by @dependabot[bot] in #24575
- Bump eslint from 10.0.2 to 10.0.3 by @dependabot[bot] in #24607
- Bump regex from 2026.2.19 to 2026.2.28 in /requirements by @dependabot[bot] in #24576
- Bump sentry-sdk from 2.53.0 to 2.54.0 in /requirements by @dependabot[bot] in #24579
- Bump drf-yasg from 1.21.14 to 1.21.15 in /requirements by @dependabot[bot] in #24558
- Bump certifi from 2026.1.4 to 2026.2.25 in /requirements by @dependabot[bot] in #24560
- Bump charset-normalizer from 3.4.4 to 3.4.5 in /requirements by @dependabot[bot] in #24597
- Bump mmh3 from 5.2.0 to 5.2.1 in /requirements by @dependabot[bot] in #24599
- Bump @vitest/eslint-plugin from 1.6.9 to 1.6.10 by @dependabot[bot] in #24616
- Bump wcwidth from 0.5.3 to 0.6.0 in /requirements by @dependabot[bot] in #24467
- Bump ipython from 9.10.0 to 9.11.0 in /requirements by @dependabot[bot] in #24593
Full Changelog: 2026.03.05...2026.03.19
Contributors
diox, willdurand, and 2 other contributors
Assets 2
2026.03.05-2
Cherry-pick of 5f4a0f2 on top of 2026.03.05-1
2026.03.05-1
e978dbd
This commit was signed with the committerβs verified signature.
willdurand
William Durand
Cherry-picked the following commits on top of https://github.com/mozilla/addons-server/releases/tag/2026.03.05:
2026.03.05
This week's push hero is @eviljeff
Previous Release: 2026.02.19-2
Blockers:
Cherry-picks:
Before we push:
- Deploy
customs5.10.0 to prod
Before we start:
Before we promote:
After we're done:
- Deploy mozilla/webservices-infra#9901 to prod
Addons-Frontend Changelog:
mozilla/addons-frontend@2026.02.19...2026.03.05
Addons Server Changelog:
What's Changed
Notable things shipping
- Fix scanner name in reviewer tools by @willdurand in #24479
- Fix scanMap logic for webhook-based scanners by @willdurand in #24480
- Extract matched rules information in scanner results used by webhooks by @willdurand in #24482
- Make sure 0069_add_service_accounts_to_group migration uses the primary DB by @willdurand in #24483
- Add more info to reviewer tools developer profile and optimize queries by @diox in #24476
- Allow users that can edit scanner webhooks to edit scanner webhook events by @diox in #24487
- Also display authors links for existing blocklistsubmissions, not jus⦠by @diox in #24481
- Run test_main* tests in CI with a minimal environment by @diox in #24496
- When installing deps, don't clean existing dir if only installing dev deps by @diox in #24505
- Remove the SOURCE_BUILDER_VIEWER_URL setting and related code by @willdurand in #24494
- Avoid database access in tests where that's easy to do to speed them up by @diox in #24495
- Fix sort by addon guid in reviewer tools developer profile by @diox in #24512
- Mark the customs scanner as legacy/deprecated by @willdurand in #24510
- Use
yara_xinclean_yara()method when swich is enabled by @willdurand in #24511 - Remove legacy customs in the django admin by @willdurand in #24514
- Record an ActivityLog when session anomalies are detected for a user by @diox in #24486
- Remove the file_hash argument on process_validation() because it is not used by @willdurand in #24517
- Add details to activity log admin change page by @diox in #24522
- Remove run_customs() and the 'enable-customs' waffle switch by @willdurand in #24516
- Add a migration to remove the enable-source-builder waffle switch by @willdurand in #24523
- docs: update private docs by @willdurand in #24524
- Add statsd pings for webhooks by @willdurand in #24525
- Remove the use of the _CUSTOMS constant in test files by @willdurand in #24526
- Store IP on session anomaly activity for future investigation by @diox in #24527
- Pass the event name to the webhook scanners by @willdurand in #24534
- Expose content changes to content review by @diox in #24498
- Additional confusable characters by @diox in #24541
- Optionally link ScannerResult to ActivityLog by @willdurand in #24530
- Declare the scanner field as read-only in the admin when the scanner rule has been created by @willdurand in #24532
- Add new webhook event: on_version_created by @willdurand in #24545
- Remove GET /scanner/results/ endpoint by @willdurand in #24543
- Fix event name/id in call_webhooks by @willdurand in #24549
- Remove ScannerResult.state and related code by @willdurand in #24546
- Add the add-on type to the webhook event payloads by @willdurand in #24551
- Appeals on listing content rejections set REQUESTED, rather than creating NHR by @eviljeff in #24544
- Inherit from the addon/version serializers for the webhook event payloads by @willdurand in #24550
Dependendabots
- Bump stylelint from 17.1.1 to 17.2.0 by @dependabot[bot] in #24469
- Bump glob from 13.0.1 to 13.0.2 by @dependabot[bot] in #24477
- Bump glob from 13.0.2 to 13.0.3 by @dependabot[bot] in #24492
- Bump dotenv from 17.2.3 to 17.3.1 by @dependabot[bot] in #24491
- Bump @vitest/eslint-plugin from 1.6.6 to 1.6.7 by @dependabot[bot] in #24473
- Bump stylelint from 17.2.0 to 17.3.0 by @dependabot[bot] in #24489
- Bump ajv from 6.12.6 to 6.14.0 by @dependabot[bot] in #24497
- Bump pytest-django from 4.11.1 to 4.12.0 in /requirements by @dependabot[bot] in #24503
- Bump @vitest/eslint-plugin from 1.6.7 to 1.6.9 by @dependabot[bot] in #24502
- Bump django-environ from 0.12.0 to 0.12.1 in /requirements by @dependabot[bot] in #24499
- Bump mysql from 8.0 to 8.0 by @dependabot[bot] in #24485
- Bump sentry-sdk from 2.52.0 to 2.53.0 in /requirements by @dependabot[bot] in #24501
- Bump addons-linter from 9.8.0 to 9.9.1 by @dependabot[bot] in #24506
- Bump glob from 13.0.3 to 13.0.4 by @dependabot[bot] in #24507
- Bump mysqlclient from 2.2.7 to 2.2.8 in /requirements by @dependabot[bot] in #24474
- Bump jsdom from 27.4.0 to 28.1.0 by @dependabot[bot] in #24500
- Bump homoglyphs-fork from 2.1.1 to 2.1.2 in /requirements by @dependabot[bot] in #24509
- Bump minimatch by @dependabot[bot] in #24515
- Bump knip from 5.83.1 to 5.84.0 by @dependabot[bot] in #24520
- Bump django-environ from 0.12.1 to 0.13.0 in /requirements by @dependabot[bot] in #24521
- Bump glob from 13.0.4 to 13.0.5 by @dependabot[bot] in #24519
- Bump knip from 5.84.0 to 5.84.1 by @dependabot[bot] in #24528
- Bump rollup from 4.55.1 to 4.59.0 by @dependabot[bot] in #24531
- Bump underscore from 1.13.7 to 1.13.8 by @dependabot[bot] in #24535
- Bump glob from 13.0.5 to 13.0.6 by @dependabot[bot] in #24536
- Bump rich from 14.3.2 to 14.3.3 in /requirements by @dependabot[bot] in #24538
- Bump responses from 0.25.8 to 0.26.0 in /requirements by @dependabot[bot] in #24539
- Bump minimatch by @dependabot[bot] in #24542
- Bump knip from 5.84.1 to 5.85.0 by @dependabot[bot] in #24547
- Bump django-dbbackup from 5.0.0 to 5.2.0 in /requirements by @dependabot[bot] in #24478
- Bump eslint from 9.39.2 to 10.0.2 by @dependabot[bot] in #24552
- Bump regex from 2026.1.15 to 2026.2.19 in /requirements by @dependabot[bot] in #24540
- Bump ruff from 0.14.14 to 0.15.2 in /requirements by @dependabot[bot] in #24537
- Bump django-debug-toolbar from 6.1.0 to 6.2.0 in /requirements by @dependabot[bot] in #24376
Full Changelog: 2026.02.19...2026.03.05
Contributors
diox, willdurand, and 2 other contributors
Assets 2
2026.02.19-2
Cherry-picked the following commits on top of https://github.com/mozilla/addons-server/releases/tag/2026.02.19-1: