merge: upstream 205 commits #313

Open: github-actions[bot] wants to merge 206 commits into master from merge/upstream

github-actions bot commented May 4, 2026

Upstream Merge

205 new commits from plasmicapp/plasmic master.

Review using the Files Changed tab. The commit list includes upstream history.

Conflicts to resolve

```bash
git fetch origin merge/upstream
git checkout merge/upstream
# Resolve conflicts, then:
git push origin merge/upstream
```

Conflicted files:

plasmicpkgs-dev/package.json
platform/canvas-packages/package.json
platform/canvas-packages/yarn.lock
platform/loader-bundle-env/package.json
platform/loader-bundle-env/yarn.lock
platform/wab/cypress/e2e/signup.spec.ts
platform/wab/package.json
platform/wab/src/wab/client/copilot/tests/bundles/starter-project-desktop-first.json
platform/wab/src/wab/server/AppServer.ts
platform/wab/src/wab/server/auth/routes.spec.ts
platform/wab/src/wab/server/db/op-hooks.ts
platform/wab/src/wab/server/loader/gen-code-bundle.ts
platform/wab/src/wab/server/loader/gen-html-bundle.ts
platform/wab/src/wab/server/routes/data-source.ts
platform/wab/src/wab/server/routes/loader.ts
platform/wab/src/wab/server/test/backend-util.ts
platform/wab/src/wab/server/util/apm-util.ts
platform/wab/src/wab/server/util/s3-util.ts
platform/wab/src/wab/server/workers/prefill-cloudfront.ts
platform/wab/src/wab/shared/urls.ts
platform/wab/yarn.lock
yarn.lock

Before merging

See Upstream Merge Runbook.

  • Conflicts resolved (if any)
  • EP integrity tests pass
  • yarn.lock regenerated for modified package.json
  • CI triggered (close/reopen PR to trigger checks)
  • Merge with "Create a merge commit" — do NOT squash

sampullman and others added 29 commits April 28, 2026 03:06
GitOrigin-RevId: 94e25c0ea7431f3ce71d7fd63e8d42141ae5506e
GitOrigin-RevId: 41fbc3889b46cf8091bfa1fd2f2420128eb69b36
* feat: Highlight advanced props

* refactor / feedback

GitOrigin-RevId: 9edeb0b183b9fd6b373fd34a2e5cc27046d47426
GitOrigin-RevId: 68a5104052a763fd2c26fe4594fcd2e25a3cf54a
GitOrigin-RevId: 2f0f105d5b68cde85f24d6cacd93403dc92ad08f
GitOrigin-RevId: a845a88dda6b07356a3f321bf96d1c957653695f
GitOrigin-RevId: 3a101dcff4b6b5f6ce7db7752de7ac2c9901ab70
GitOrigin-RevId: a28317aef02a2eb91feb92387f2d0399cdbae87e
GitOrigin-RevId: fb745d5933efe7bfbbdb86d5e21383c51efcc73f
GitOrigin-RevId: 17782c920adf9f475363e16224f6f997b0d52154
Upgraded minor and patch versions across all platform workspaces.

Skipped version upgrades will be documented in a separate PR.

GitOrigin-RevId: a209f961d539ef5e67a72607eff1a7f74e038009
GitOrigin-RevId: 3fa1e141dd7097621f0de65f1fc610062248d23b
…(#2713)

@octokit/app bumped 16.1.1 -> 16.1.2 and @octokit/auth-unauthenticated
bumped 7.0.2 -> 7.0.3; rename patch files to silence version mismatch
warnings on yarn install.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
GitOrigin-RevId: 8eb7d2aa0b8aa95e78238e83466edf147bbd6970
@ai-sdk/react bumped from 3.0.80 to 3.0.170 as a transitive dependency of
@ai-sdk/google-vertex v4. In that range, addToolOutput changed its return
type from Promise<void> to void | PromiseLike<void>. Widening spawn's
parameter type accommodates this without forcing every call site to cast.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
GitOrigin-RevId: cebf1df3da538c25819eb5d24c3100927f7de897
GitOrigin-RevId: 0e2dbc3d49d6dd874fa88fedc881de96fc42e8e9
…events (#2712)

BaseAnalytics.track() was not passing this.baseEventProperties to
mergeProperties, so properties like `production` and `host` set via
appendBaseEventProperties were never included in events sent to PostHog
(server-side).

mergeSane (lodash mergeWith) mutates the first argument in place. All
call sites pass class members as the first argument, so each call would
permanently accumulate properties from subsequent calls. Merge into a
fresh {} instead.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
GitOrigin-RevId: 96f0f681abbce3f2f5e9b7079342f9785b84ea5d
Upgrade devDependency ranges across all `packages/` workspaces.

## devDependency ranges narrowed to latest

**packages/cli**
- `@babel/core` ^7.12.3 → ^7.29.0
- `@babel/generator` ^7.12.1 → ^7.29.1
- `@babel/parser` ^7.12.3 → ^7.29.2
- `@babel/preset-typescript` ^7.12.1 → ^7.28.5
- `@babel/traverse` ^7.12.1 → ^7.29.0
- `@babel/types` ^7.23.0 → ^7.29.0
- `@types/babel__core` ^7.20.3 → ^7.20.5
- `@types/babel__generator` ^7.6.6 → ^7.27.0
- `@types/babel__traverse` ^7.20.3 → ^7.28.0
- `@types/cli-progress` ^3.11.0 → ^3.11.6
- `@types/lodash` ^4.14.157 → ^4.17.24
- `@types/semver` ^7.3.1 → ^7.7.1
- `@types/tmp` ^0.2.0 → ^0.2.6
- `esbuild` 0.17.18 → 0.27.7
- `lodash` ^4.17.19 → ^4.18.1
- `prettier` ^3.6.2 → ^3.8.3
- `semver` ^7.3.2 → ^7.7.4
- `socket.io-client` ^4.1.2 → ^4.8.3
- `tmp` ^0.2.1 → ^0.2.5
- `ts-jest` ^29.1.1 → ^29.4.9
- `tsx` ^4.20.6 → ^4.21.0
- `utility-types` ^3.10.0 → ^3.11.0
- `winston` ^3.3.3 → ^3.19.0

**packages/create-plasmic-app**
- `@types/lodash` ^4.14.168 → ^4.17.24
- `@types/semver` ^7.3.5 → ^7.7.1
- `tsx` ^4.20.6 → ^4.21.0

**packages/host**
- `@rollup/plugin-json` ^6.0.0 → ^6.1.0
- `@types/classnames` ^2.3.0 → ^2.3.4
- `rollup-plugin-banner2` ^1.2.2 → ^1.3.1

**packages/loader-react**
- `@types/pascalcase` ^1.0.0 → ^1.0.3

**packages/nextjs-app-router**
- `@types/yargs` ^17.0.32 → ^17.0.35

**packages/react-web**
- `@babel/core` ^7.14.6 → ^7.29.0
- `@babel/preset-env` ^7.22.15 → ^7.29.2
- `@babel/preset-react` ^7.22.15 → ^7.28.5
- `@babel/preset-typescript` ^7.22.15 → ^7.28.5
- `@rollup/plugin-json` ^6.0.0 → ^6.1.0
- `@types/classnames` ^2.3.1 → ^2.3.4
- `@types/clone` ^2.1.1 → ^2.1.4
- `@types/dlv` ^1.1.2 → ^1.1.5

**packages/react-web-runtime**
- `rollup` ^4.1.4 → ^4.60.2

## Lockfile deduplication

- Ran `yarn-deduplicate --strategy fewer` after install — reduced from 729 to 470 duplicate entries vs master
- Manually preserved two lockfile entries that dedup would incorrectly merge:
  - `@types/react@*` kept at 18.x (merging up to 19.x breaks `plasmicpkgs/react-slick` build — TS2786)
  - `@testing-library/user-event@^14.4.0` kept at 14.6.x (merging down to 14.5.2 breaks react-aria storybook focus tests)

## Skipped

- `react-aria` / `@react-aria/*` / `@react-stately/*` / `@react-types/*` — blocked by PLA-12485 (focus regression on overlay dismiss)

GitOrigin-RevId: 34942a8d48b026e372fe772a77752283cef420cf
 - @plasmicapp/cli@0.1.361
 - create-plasmic-app@0.0.142
 - @plasmicapp/data-sources@1.0.3
 - @plasmicapp/host@2.0.2
 - @plasmicapp/loader-gatsby@2.0.3
 - @plasmicapp/loader-nextjs@2.0.3
 - @plasmicapp/loader-react@2.0.3
 - @plasmicapp/nextjs-app-router@1.0.23
 - @plasmicapp/react-web@1.0.3
 - @plasmicapp/react-web-runtime@1.0.3
 - plasmicpkgs-dev@0.0.62
 - @plasmicpkgs/airtable@0.0.259
 - @plasmicpkgs/antd@2.0.167
 - @plasmicpkgs/antd5@0.0.340
 - @plasmicpkgs/plasmic-chakra-ui@0.0.75
 - @plasmicpkgs/cms@0.0.22
 - @plasmicpkgs/commerce@0.0.243
 - @plasmicpkgs/commerce-commercetools@0.0.193
 - @plasmicpkgs/commerce-local@0.0.243
 - @plasmicpkgs/commerce-saleor@0.0.207
 - @plasmicpkgs/commerce-shopify@0.0.251
 - @plasmicpkgs/commerce-swell@0.0.253
 - @plasmicpkgs/contentful@0.0.17
 - @plasmicpkgs/dnd-kit@0.0.22
 - @plasmicpkgs/fetch@0.0.35
 - @plasmicpkgs/framer-motion@0.0.243
 - @plasmicpkgs/plasmic-google-maps@0.0.24
 - @plasmicpkgs/graphql@0.0.29
 - @plasmicpkgs/plasmic-keen-slider@0.0.88
 - @plasmicpkgs/lottie-react@0.0.237
 - @plasmicpkgs/plasmic-mailchimp@0.0.22
 - @plasmicpkgs/plasmic-basic-components@0.0.274
 - @plasmicpkgs/plasmic-calendly@0.0.91
 - @plasmicpkgs/plasmic-cms@0.0.313
 - @plasmicpkgs/plasmic-content-stack@0.0.199
 - @plasmicpkgs/plasmic-contentful@0.0.193
 - @plasmicpkgs/plasmic-embed-css@0.1.229
 - @plasmicpkgs/plasmic-eventbrite@0.0.77
 - @plasmicpkgs/plasmic-giphy@0.0.77
 - @plasmicpkgs/plasmic-graphcms@0.0.216
 - @plasmicpkgs/plasmic-hubspot@0.0.89
 - @plasmicpkgs/plasmic-intercom@0.0.22
 - @plasmicpkgs/plasmic-link-preview@1.0.147
 - @plasmicpkgs/plasmic-nav@0.0.215
 - @plasmicpkgs/plasmic-pigeon-maps@0.0.77
 - @plasmicpkgs/plasmic-query@0.0.264
 - @plasmicpkgs/plasmic-rich-components@1.0.246
 - @plasmicpkgs/plasmic-sanity-io@1.0.224
 - @plasmicpkgs/plasmic-soundcloud@0.0.89
 - @plasmicpkgs/plasmic-strapi@0.1.201
 - @plasmicpkgs/plasmic-tabs@0.0.86
 - @plasmicpkgs/plasmic-typeform@0.0.89
 - @plasmicpkgs/plasmic-wordpress@0.0.171
 - @plasmicpkgs/plasmic-wordpress-graphql@0.0.161
 - @plasmicpkgs/plasmic-yotpo@0.0.88
 - @plasmicpkgs/radix-ui@0.0.103
 - @plasmicpkgs/react-aria@0.0.177
 - @plasmicpkgs/react-audio-player@0.0.72
 - @plasmicpkgs/react-awesome-reveal@3.8.247
 - @plasmicpkgs/react-chartjs-2@1.0.155
 - @plasmicpkgs/react-parallax-tilt@0.0.245
 - @plasmicpkgs/react-quill@1.0.108
 - @plasmicpkgs/react-scroll-parallax@0.0.254
 - @plasmicpkgs/react-slick@0.0.266
 - @plasmicpkgs/react-twitter-widgets@0.0.243
 - @plasmicpkgs/react-youtube@7.13.249
 - @plasmicpkgs/rive@0.0.31
 - @plasmicpkgs/plasmic-spotify@0.0.22
 - @plasmicpkgs/strapi@0.0.20
 - @plasmicpkgs/tiptap@0.0.28
 - @plasmicpkgs/vanilla-cookieconsent@0.0.21
 - @plasmicpkgs/wordpress@0.0.21

GitOrigin-RevId: f110feb3414bdfdcbd84167e91a951f8dcd4dd60
GitOrigin-RevId: be922d505cb61d4f6df699d002b4a3ba7540e0a3
Resolves critical/moderate audit vulnerabilities:
- handlebars: JS injection via AST type confusion (CVE, patch >=4.7.9)
- protobufjs: arbitrary code execution (patch >=7.5.5) - via posthog-js opentelemetry chain

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
GitOrigin-RevId: 29c254c6d581dd53094239218f0356e1a1c1ba2e
* fix: Choice prop codegen when options use object form

* test: wabToTsType

GitOrigin-RevId: 4b7d5bff4f86adc6f3917ecf1cd7a03e0af01a81
GitOrigin-RevId: 7e53e05781d6af6873315d1ad4eb4776e2e00697
GitOrigin-RevId: 13aad22bce0f9357d55549ead01d8b6df8d8733d
 - plasmicpkgs-dev@0.0.63
 - @plasmicpkgs/fetch@0.0.36
 - @plasmicpkgs/graphql@0.0.30

GitOrigin-RevId: a9a1f69ead8f2aebcc4e9b5a63c040c271a92252
GitOrigin-RevId: 643a9d8dfb2d09c8a2c1bd5178ad47683220e0a4
Adds a `loader_bundle_cache_total` Prometheus counter that tracks S3
bundle cache hits and misses, labeled by source ("prefill" vs "live"),
so we can measure how often a live CDN request triggers an esbuild
run vs being served from a prefilled S3 cache.

Adds cache miss log message with the cache key.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
GitOrigin-RevId: 29dd37be14bd3bab0922875ff51bf3f49b95a3b9
GitOrigin-RevId: 26a99ab7a4b47a43145712b8b0e4b68f8d7db9e8
GitOrigin-RevId: 8765cdc08085347514c193d541654af29c24d15a
GitOrigin-RevId: d781fb8e8a177f3cf7c58d0b632642c94c9bdebc
jaslong and others added 28 commits June 3, 2026 06:41
GitOrigin-RevId: b0553d6b35611c38832def6205e4130e373e9a31
GitOrigin-RevId: b77d1d91c93a205fc169174c5c5427443ae7aef2
GitOrigin-RevId: f487bab55cf7d82e6a54ca2bb6893e35bd7f0eb5
* fix: override nextjs globals.css in cpa

* [cpa] run-cpa: neutralize nextjs globals.css

Regenerate the 8 nextjs cpa-out projects with the globals.css override fix.
Strips create-next-app's dark prefers-color-scheme styles (which painted the
Studio /plasmic-host canvas black) from both app/ and styles/ globals.css.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Jason Long <j@jaslong.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
GitOrigin-RevId: f2690ae5a9d286a53e0c086e46fc219be65a5f1a
 - create-plasmic-app@0.0.152

GitOrigin-RevId: c8685b26363d59652d7a8899ddaa38727680c81c
- Add new authedSensitiveRateLimiter keyed by the authenticated actor.
- Apply rate limiter to POST /api/v1/grant-revoke (sendShareEmail) and POST /api/v1/end-user/app/:projectId/access-rules (sendAppEndUserInviteEmail, threaded into addEndUserManagementRoutes).
- Cap grants per request at MAX_GRANTS_PER_REQUEST=5
- Limit MAX_GRANTS_PER_REQUEST on /org-creation UX

GitOrigin-RevId: 63176f0298201024b2635c351db5d99605f314d2
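
The two controls named in the commit message above, a limiter keyed by the authenticated actor and a per-request grant cap, sketched as an added example (not code from this PR or from Plasmic). Only `MAX_GRANTS_PER_REQUEST = 5` comes from the page; the window, the limit, the status codes and all function names are assumptions.

```javascript
// Added example, not the project's code. MAX_GRANTS_PER_REQUEST is from the
// commit message; everything else (names, limit, window) is hypothetical.
const MAX_GRANTS_PER_REQUEST = 5;

// Sliding-window limiter keyed by a string. Keying on the authenticated actor
// id rather than the client IP means changing networks does not reset the budget.
function createActorRateLimiter({ limit, windowMs }) {
  const hits = new Map(); // actor id -> timestamps of accepted calls in window
  return function allow(key, now = Date.now()) {
    const recent = (hits.get(key) || []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) {
      hits.set(key, recent);
      return false;
    }
    recent.push(now);
    hits.set(key, recent);
    return true;
  };
}

// Gate for an e-mail-sending endpoint: validate first, spend budget last, so
// malformed or oversized requests never consume the actor's allowance.
function checkShareRequest(allow, actorId, grants, now) {
  if (!actorId) return { status: 401, error: "unauthenticated" };
  if (!Array.isArray(grants) || grants.length === 0) {
    return { status: 400, error: "no grants" };
  }
  if (grants.length > MAX_GRANTS_PER_REQUEST) {
    return { status: 400, error: "too many grants" };
  }
  if (!allow(actorId, now)) return { status: 429, error: "rate limited" };
  return { status: 200, emails: grants.length };
}

// Upper bound on e-mails one actor can trigger per window with both controls.
function maxEmailsPerWindow(limit) {
  return limit * MAX_GRANTS_PER_REQUEST;
}
```

Together the two checks bound outbound mail per actor: the limiter caps requests per window and the grant cap bounds recipients per request.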
Enforce MAX_PASSWORD_LENGTH = 64. OWASP recommends a maximum password length of 64 or higher. We use bcrypt, which truncates the password to 72 bytes, so 64 UTF-16 characters is a reasonable limit.

GitOrigin-RevId: 9d200ea6535c84bece66d91fa49b793425f12101
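
How a 64-character cap relates to bcrypt's 72-byte input limit, as an added example (not code from this PR or from Plasmic). It assumes the password is encoded as UTF-8 before hashing; `MAX_PASSWORD_LENGTH` is the name from the commit message, while `BCRYPT_MAX_BYTES` and the function names are hypothetical.

```javascript
// Added example, not the project's code. Assumes UTF-8 encoding before bcrypt.
const MAX_PASSWORD_LENGTH = 64; // UTF-16 code units (String.prototype.length)
const BCRYPT_MAX_BYTES = 72;    // bcrypt does not use input past this length

// Size of the password once encoded for hashing.
function utf8ByteLength(s) {
  return new TextEncoder().encode(s).length;
}

// Check both limits. A password can satisfy the character cap and still
// exceed the byte limit when it contains non-ASCII characters.
function checkPassword(password) {
  if (typeof password !== "string" || password.length === 0) {
    return { ok: false, reason: "empty" };
  }
  if (password.length > MAX_PASSWORD_LENGTH) {
    return { ok: false, reason: "too-long" };
  }
  const bytes = utf8ByteLength(password);
  if (bytes > BCRYPT_MAX_BYTES) {
    return { ok: false, reason: "exceeds-bcrypt-bytes", bytes };
  }
  return { ok: true, bytes };
}

// The leading whole code points that fit inside the 72 bytes bcrypt reads.
// Anything after this prefix would not influence the resulting hash.
function effectivePrefix(password) {
  let used = 0;
  let out = "";
  for (const ch of password) { // for...of iterates by code point
    const n = utf8ByteLength(ch);
    if (used + n > BCRYPT_MAX_BYTES) break;
    used += n;
    out += ch;
  }
  return out;
}

// Constructed samples: ASCII, 2-byte, 3-byte and 4-byte characters.
const SAMPLES = ["a".repeat(64), "é".repeat(64), "日".repeat(24), "😀".repeat(32)];
```

For ASCII input the 64-character cap always stays under 72 bytes; for the other samples the byte check or a pre-hash step is what keeps the full password significant.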
Remove all Amplitude analytics integration:
- Delete client/server Amplitude analytics classes and init code
- Drop @amplitude/analytics-{browser,node} npm dependencies
- Strip AMPLITUDE_API_KEY env wiring from rsbuild, env, .env.example, and the CI build workflow
- Remove the cdn.amplitude.com CSP allow-listing from prod and dev load balancer Terragrunt configs
- Delete the re-identify-users custom DB script (Amplitude-only)

GitOrigin-RevId: 08470f3770a5ac494f01484173577855bcc0f08b
- Refactor: Collapsed the three ExpsProvider classes (MixinExpsProvider, RshExpsProvider, SingleRsExpsProvider) into one and replaced the ad-hoc tag/forTheme pair with a single
  typed themeTag: ThemableTag threaded through MixinPopup → SingleRsExpsProvider → RuleSetHelpers.
- Change: Passing the actual tag into the CSS-initial lookup fixes the unset placeholder for ul/ol list-style-type, which now correctly shows none instead of disc.

GitOrigin-RevId: 7bb2921df693fc47b60dafc14342757dc7cbb5b3
* Reapply "[PLA-12977]: Animations do not work in codegen (#2719)"

This reverts commit 2ef3a26f029a7d1ff922fb92d354e2802795ccb0.

* chore: bump cli required version to 0.1.364

GitOrigin-RevId: 6bed17b9f25df32ac38c390d27e3bb10e7862772
 - @plasmicapp/cli@0.1.364
 - create-plasmic-app@0.0.153

GitOrigin-RevId: 8b7eabd6a238363ef53da368b1091fb251b43de4
GitOrigin-RevId: 78608067b660143e03c9b3074acd47639635e9ec
* refactor: refactor copilot internal imports and add lint

* refactor: eslint comment cleanup and simplification

GitOrigin-RevId: 2c984dba86ca549d55233c866fca79feb5074d4c
GitOrigin-RevId: dd33ad9e8f68790f9de930c0bde4b75549764548
This commit allows data sources to be edited/deleted by:
- the data source owner (this already exists)
- a workspace owner (this is new)

GitOrigin-RevId: fbef1d3852eee54f47156f9276f5cbedd8202b33
- Migrated old reference of ProjectPanel to NavigationDropdown
- Deleted some unused projects and files

Revert [PlasmicKit] Dashboard back to 63.0.0

Fix NewComponentItem and re-sync

GitOrigin-RevId: 6c8e7bb4be6d4bdb16a24013cc566cc89914c4ae
GitOrigin-RevId: 7ca6ab2c7b913a6f7ed645ddab61129b17e5a5b9
- Rename PlasmicIcon__Downloadsvg.tsx -> PlasmicIcon__DownloadSvg.tsx to
  match the import casing emitted by the sync. The case-insensitive macOS
  FS left the old filename in git, breaking the build on case-sensitive
  Linux CI (Cannot find module './icons/PlasmicIcon__DownloadSvg').
- Remove now-unused framer-motion and react-hook-form from platform/wab;
  the sync deleted the only consumers (old AuthForm/RestBuilder/
  SimplePathColumn duplicates). Fixes the check-unused (knip) job.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
GitOrigin-RevId: d69b2cab9dcb4bd936873e129ddab61189cc4aed
* feat(copilot-tools): manage animation sequences using AI

* fix(copilot-tools): fixed animation style in changeElement tool

* feat(animations): fix parseCssAnimiation to parse animation var names

* refactor(delete-resource): added reusable operation for deleting resource and its UX behaviour

* chore: move tryGetAnimationSequenceUuidFromCssVar to core styles

* chore(changeElement): add message for successful animations change in change element tool

* fix(html-parser): animation sequences to include direct dep animations

GitOrigin-RevId: 982b4c04ed087ff84a3870b41373c07b92bb351b
* fix: database ci instability

* fix: address review feedback

GitOrigin-RevId: 4f69a99869a249524e125378ee90b44c2f6f9423
The original http/https selector makes you think you can't copy in a full URL. This change simplifies the HostConfig to just have a single URL input. It also automatically adds http/https scheme for you now.

GitOrigin-RevId: 0a36ea0c29377355199bfca059f97944fd3367c1
… (#2852)

* feat(copilot-tools): add support for imported components

* refactor(copilot-tools): project-exporter to now include only its own site animations

* feat(component-exporter): add data-plasmic-project attr for dependency component usages

* chore(component-exporter): change signature of component-utils functions

* chore(html-parser): add data-plasmic-project in html-parser snapshot

* refactor(component-utils): couple data plasmic attrs structure with tpl component serialization

GitOrigin-RevId: 05278660673e3a685e29730f963daa27e9b667ad
* feat(animations): fix parseCssAnimiation to parse animation var names

* chore: move tryGetAnimationSequenceUuidFromCssVar to core styles

* refactor(delete-variant): add reusable delete-variant operation with user confirmation and copilot error behaviour

* refactor(delete-variant-group): add reusable delete-variant-group operation with user confirmation and copilot error behaviour

* chore: minor change to remove unnecessary variable decl

* chore(delete-resources): added tests for delete operations

* fix(delete-resources): add cancelled state in the DeleteResourcesResult

GitOrigin-RevId: 83f7ba7f775f697628532294fe0507c65af623ec
This PR should not have any runtime behavior changes, refactor only.

- Add LocalStorageKey which centralizes local storage key strings to ensure we don't accidentally overlap keys.
- Un-export ReactUtil.updateRef (only used within the module).
- Add ApiSchema.spec.ts asserting @plasmicapp/host StyleSection stays assignable to PublicStyleSection.

Added tiny change to fix broken typecheck in platform/wab/src/wab/client/copilot/enterprise/tools/deleteComponentVariants.ts

GitOrigin-RevId: fdc04f0ff41b721ddb46b5d20e339db20f4ee51e
* fix: deduplicate copilot test bundle and fix import

* fix: error after merge in master

GitOrigin-RevId: a3cae15b37ff5184cc2ad7c6033e12ae5a2c19c3
* fix: implement prop delete for server query params

* refactor: use omit instead of manual object filter

GitOrigin-RevId: 61ca20ccdac684148a0f234729c515753e84b233
GitOrigin-RevId: 11c2d0e5ff0aa9c3fadada0ef45c77318a52f3af
github-actions bot changed the title from "merge: upstream 165 commits" to "merge: upstream 205 commits" on Jun 8, 2026