chore(deps): bump the minor-and-patch group across 1 directory with 12 updates

[dependabot]

Bumps the minor-and-patch group with 12 updates in the / directory:

Package	From	To
@ownclouders/eslint-config	12.3.2	12.4.1
@playwright/test	1.60.0	1.61.0
@vue/test-utils	2.4.10	2.4.11
happy-dom	20.9.0	20.10.6
prettier	3.8.3	3.8.4
vue-tsc	3.3.2	3.3.5
@ownclouders/web-client	12.3.2	12.4.1
@ownclouders/web-pkg	12.3.2	12.4.1
@ownclouders/extension-sdk	12.3.2	12.4.1
@ownclouders/web-test-helpers	12.3.2	12.4.1
vue	3.5.35	3.5.38
uuid	14.0.0	14.0.1

Updates @ownclouders/eslint-config from 12.3.2 to 12.4.1

Release notes

Sourced from @​ownclouders/eslint-config's releases.

12.4.1

Changelog for ownCloud Web 12.4.1 (2026-06-18)

Summary

• Security - Validate postMessage origin in embed mode modals: #13844
• Bugfix - Add explicit size to space header image: #13822
• Bugfix - Apply vault theme after OIDC callback: #13826
• Bugfix - Gate MFA expiry dialog on vault capability: #13827
• Bugfix - Logo not rendering in Firefox: #13834
• Bugfix - Fix theme switching issues: #13843
• Bugfix - Pass vault parameter to capabilities endpoint: #13867
• Bugfix - Filter notifications by vault mode: #13877

Details

• Security - Validate postMessage origin in embed mode modals: #13844

  We've fixed a cross-site request forgery (CSRF) vulnerability where the embed mode modals (Save As, Export As PDF and the file picker) processed incoming postMessage events without verifying the sender's origin. A malicious page holding a reference to an authenticated ownCloud window could forge owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel messages and trigger authenticated file writes in the victim's space. Incoming messages are now validated against an allowlist consisting of the application's own origin and the optionally configured embed.messagesOrigin.

  owncloud/web#13844

• Bugfix - Add explicit size to space header image: #13822

  The space header image did not have explicit width and height causing the image to overflow its container. Adding explicit width and height with values of 100% makes sure that the image stays within the boundaries of the container.

  owncloud/web#13822 owncloud/web#13835

• Bugfix - Apply vault theme after OIDC callback: #13826

  When opening the vault for the first time, the user is redirected to an external IdP for 2FA. Upon returning, the OIDC callback URL contains no vault context, causing the regular theme to be applied instead of the vault theme. We now also check the stored post-login redirect URL during the OIDC callback to correctly detect vault mode.

  owncloud/web#13826

... (truncated)

Changelog

Sourced from @​ownclouders/eslint-config's changelog.

Changelog for ownCloud Web unreleased (UNRELEASED)

The following sections list the changes in ownCloud web unreleased relevant to ownCloud admins and users.

Summary

• Security - Validate postMessage origin in embed mode modals: #13844
• Bugfix - Add open button to PDF viewer on iOS/iPadOS: #13797
• Bugfix - Add explicit size to space header image: #13822
• Bugfix - Apply vault theme after OIDC callback: #13826
• Bugfix - Gate MFA expiry dialog on vault capability: #13827
• Bugfix - Logo not rendering in Firefox: #13834
• Bugfix - Fix theme switching issues: #13843
• Bugfix - Pass vault parameter to capabilities endpoint: #13867

Details

• Security - Validate postMessage origin in embed mode modals: #13844

  We've fixed a cross-site request forgery (CSRF) vulnerability where the embed mode modals (Save As, Export As PDF and the file picker) processed incoming postMessage events without verifying the sender's origin. A malicious page holding a reference to an authenticated ownCloud window could forge owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel messages and trigger authenticated file writes in the victim's space. Incoming messages are now validated against an allowlist consisting of the application's own origin and the optionally configured embed.messagesOrigin.

  owncloud/web#13844

• Bugfix - Add open button to PDF viewer on iOS/iPadOS: #13797

  On iOS/iPadOS, we now display a button to open the PDF file in the browser instead of the native PDF viewer. This is a workaround to avoid issues with the native PDF viewer on iOS/iPadOS.

  owncloud/web#13797 owncloud/web#13816

• Bugfix - Add explicit size to space header image: #13822

  The space header image did not have explicit width and height causing the image to overflow its container. Adding explicit width and height with values of 100% makes sure that the image stays within the boundaries of the container.

... (truncated)

Commits

• acd69c0 chore: bump version to v12.4.1
• 07cdf1b chore: bump version to 12.4.0
• 0215824 chore: sync 12.3 branch changelog and version (#13729)
• ba19f2d fix(deps): update linters
• 6e4fcf5 Revert "Merge pull request #13521 from owncloud/chore/revert-changes-to-master"
• 69b4edc Revert "Merge pull request #13519 from owncloud/stable-12.3"
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ownclouders/eslint-config since your current version.

Updates @playwright/test from 1.60.0 to 1.61.0

Release notes

Sourced from @​playwright/test's releases.

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
id: credentialId,
userHandle,
privateKey,
publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

• apiResponse.securityDetails() and apiResponse.serverAddr() mirror the browser-side response.securityDetails() and response.serverAddr().

Browser and Screencast

• New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
• New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
• The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.

Test runner

• The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
• Supported expect.soft.poll(...).
• New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
• New fullConfig.failOnFlakyTests mirrors the config option, so reporters can explain why a flaky run failed.
• testInfo.errors now lists each sub-error of an AggregateError as a separate entry.

... (truncated)

Commits

• 1cc5a90 cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...
• a6772bd cherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...
• 8133dcf cherry-pick(#41283): docs: add Ubuntu 26.04 and Node.js 26.x to system requir...
• 812432e chore: mark v1.61.0 (#41277)
• ac05145 fix(fetch): report serverAddr and securityDetails for reused sockets (#41267)
• 056efc9 fix(trace-viewer): add keyboard navigation to NetworkFilters component (#41...
• 41f7b9a chore: fixes uncovered by the .NET 1.61 roll (#41266)
• ba50778 fix(mcp): assign caps as array for legacy --vision flag (#41253)
• b8ee5ae docs: release notes for v1.61 (#41261)
• 49c1f69 fix(trace viewer): load trace from a local file (#41263)
• Additional commits viewable in compare view

Updates @vue/test-utils from 2.4.10 to 2.4.11

Release notes

Sourced from @​vue/test-utils's releases.

v2.4.11

compare changes

🩹 Fixes

• Drop legacy Mutation Event listener entries (#2844)
• Handle setData() correctly for components using both setup() and data() (#2846)
• Export GlobalMountOptions type (#2851)
• Set spec-compliant event.code on keydown/keyup (#2850)

❤️ Contributors

• Cédric Exbrayat (@​cexbrayat)
• Renato de Leão (@​renatodeleao)
• Matt Van Horn (@​mvanhorn)
• Carsten Brachem (@​cbrachem)
• Ahmad Hanan (@​AhmadHannan037)
• Paul Cochrane (@​paultcochrane)
• Arpit Jain (@​arpitjain099)

Commits

• 5e48e1e v2.4.11
• b73ee1d chore(deps): update dependency oxfmt to v0.53.0
• 39e32ec chore(deps): update all non-major dependencies to v17.0.7 (#2881)
• 0621772 chore(deps): update actions/checkout digest to df4cb1c (#2880)
• 81fde07 chore(deps): update all non-major dependencies (#2879)
• 4ad4255 chore(deps): update dependency oxfmt to v0.52.0 (#2878)
• 8d3d26e chore(deps): update pnpm to v11.3.0 (#2877)
• bc79eff chore(deps): update all non-major dependencies (#2876)
• 58db8f7 chore(deps): update all non-major dependencies (#2874)
• 9ad31cb chore: enable renovate minimum release age for npm
• Additional commits viewable in compare view

Updates happy-dom from 20.9.0 to 20.10.6

Release notes

Sourced from happy-dom's releases.

v20.10.6

👷‍♂️ Patch fixes

• Await NodeJS internal ReadableStream promise during teardown - By @​capricorn86 in task #2217

v20.10.5

👷‍♂️ Patch fixes

• Adds cache to query selector parser - By @​capricorn86 in task #2142
  • The selector parser degraded in performance in v20.6.3 to solve more complex selectors
  • Parsing is still a bit slower, but the cache will hopefully mitigate most of the problem

v20.10.4

👷‍♂️ Patch fixes

• Coerce null qualifiedName to empty string in createDocument - By @​Firer in task #2206

v20.10.3

👷‍♂️ Patch fixes

• Fix "~=" attribute selector matching hyphenated substrings in CSS selectors - By @​mixelburg in task #2194

v20.10.2

👷‍♂️ Patch fixes

• Updates external dependencies - By @​capricorn86 in task #2163

v20.10.0

🎨 Features

• Adds support for setting a canvas adapter for handling the canvas rendering using the browser setting canvasAdapter - By @​RAprogramm and @​capricorn86 in task #241
• Adds new package @​happy-dom/node-canvas-adapter - By @​RAprogramm and @​capricorn86 in task #241
  • @​happy-dom/node-canvas-adapter is a pluggable canvas adapter for Happy DOM using node-canvas.
• Adds support for loading image files when enabling the browser setting enableImageFileLoading - By @​capricorn86 in task #241
• Adds support for loading image data URLs - By @​capricorn86 in task #241
• Adds support for ImageData - By @​capricorn86 in task #241
• Adds support for ImageBitmap - By @​capricorn86 in task #241
• Adds support for Window.createImageBitmap() - By @​capricorn86 in task #241

Commits

• fed1de2 fix: #2217 Await NodeJS internal ReadableStream promise during teardown (#2...
• 6a9adb5 fix: #2142 Adds cache to query selector parser (#2214)
• 4440f5f fix: #2206 Coerce null qualifiedName to empty string in createDocument (#2207)
• 05e5465 chore: #2208 Updates contribution guidelines (#2211)
• 7103b05 chore: #2208 Updates contribution guidelines (#2210)
• 4c292ef chore: #2208 Updates contribution guidelines (#2209)
• 7e25c97 fix: #2194 Fix ~= attribute selector matching hyphenated substrings (#2205)
• b334a12 fix: #2163 Updates external dependencies (#2188)
• 20f89aa fix: #2180 Try to fix publish workflow (#2181)
• f08c3fa chore: #2177 Update happy-conventional-commit (#2179)
• Additional commits viewable in compare view

Updates prettier from 3.8.3 to 3.8.4

Release notes

Sourced from prettier's releases.

3.8.4

• Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (prettier/prettier#17746 by @​byplayer)

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.4

diff

Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#17746 by @​byplayer)

Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.

<!-- Input -->
- a


b


c

d



<!-- Prettier 3.8.3 -->

a

b


c

d



<!-- Prettier 3.8.4 -->


a

b



c

d

Commits

• 1c6ba55 Release 3.8.4
• 4a673dc Fix blank lines between list items and nested sub-lists being removed in Mark...
• 074aaed Replace main branch in changelog link with tags (#19054)
• c22a003 Bump Prettier dependency to 3.8.3
• 07bad1f Clean changelog_unreleased
• See full diff in compare view

Updates vue-tsc from 3.3.2 to 3.3.5

Release notes

Sourced from vue-tsc's releases.

v3.3.5

language-core

• fix: include event modifiers in duplicate listener checks (#6097) - Thanks to @​KazariEX!

Our Sponsors ❤️

... (truncated)

Changelog

Sourced from vue-tsc's changelog.

3.3.5 (2026-06-13)

language-core

• fix: include event modifiers in duplicate listener checks (#6097) - Thanks to @​KazariEX!

3.3.4 (2026-06-08)

language-core

• fix: only exclude already-set props from inherited attrs when checkRequiredFallthroughAttributes is enabled (#6088) - Thanks to @​KazariEX!
• fix: camelize slot props regardless of htmlAttributes option (#6089) - Thanks to @​KazariEX!
• fix: detect duplicate event listeners across name formats (#6094) - Thanks to @​whysopaul!

language-service

• fix: respect var hoisting for destructured props hints (#6092) - Thanks to @​KazariEX!

typescript-plugin

• fix: do not treat class and style as a boolean property (#6081) - Thanks to @​KazariEX!

3.3.3 (2026-05-30)

vscode

• fix: prevent grammar scopes leakage in capitalized tags (#6073) - Thanks to @​KazariEX!
• fix: preserve TS auto imports behavior in Vue files (#6072) - Thanks to @​KazariEX!

workspace

• fix: read PR title from env in auto-version workflow to prevent injection (#6074) - Thanks to @​arpitjain099!

Commits

• 2fe255c v3.3.5 (#6102)
• 043a77b v3.3.4 (#6095)
• 5c41b5f v3.3.3 (#6079)
• See full diff in compare view

Updates @ownclouders/web-client from 12.3.2 to 12.4.1

Release notes

Sourced from @​ownclouders/web-client's releases.

12.4.1

Changelog for ownCloud Web 12.4.1 (2026-06-18)

Summary

• Security - Validate postMessage origin in embed mode modals: #13844
• Bugfix - Add explicit size to space header image: #13822
• Bugfix - Apply vault theme after OIDC callback: #13826
• Bugfix - Gate MFA expiry dialog on vault capability: #13827
• Bugfix - Logo not rendering in Firefox: #13834
• Bugfix - Fix theme switching issues: #13843
• Bugfix - Pass vault parameter to capabilities endpoint: #13867
• Bugfix - Filter notifications by vault mode: #13877

Details

• Security - Validate postMessage origin in embed mode modals: #13844

  We've fixed a cross-site request forgery (CSRF) vulnerability where the embed mode modals (Save As, Export As PDF and the file picker) processed incoming postMessage events without verifying the sender's origin. A malicious page holding a reference to an authenticated ownCloud window could forge owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel messages and trigger authenticated file writes in the victim's space. Incoming messages are now validated against an allowlist consisting of the application's own origin and the optionally configured embed.messagesOrigin.

  owncloud/web#13844

• Bugfix - Add explicit size to space header image: #13822

  The space header image did not have explicit width and height causing the image to overflow its container. Adding explicit width and height with values of 100% makes sure that the image stays within the boundaries of the container.

  owncloud/web#13822 owncloud/web#13835

• Bugfix - Apply vault theme after OIDC callback: #13826

  When opening the vault for the first time, the user is redirected to an external IdP for 2FA. Upon returning, the OIDC callback URL contains no vault context, causing the regular theme to be applied instead of the vault theme. We now also check the stored post-login redirect URL during the OIDC callback to correctly detect vault mode.

  owncloud/web#13826

... (truncated)

Changelog

Sourced from @​ownclouders/web-client's changelog.

Changelog for ownCloud Web unreleased (UNRELEASED)

The following sections list the changes in ownCloud web unreleased relevant to ownCloud admins and users.

Summary

• Security - Validate postMessage origin in embed mode modals: #13844
• Bugfix - Add open button to PDF viewer on iOS/iPadOS: #13797
• Bugfix - Add explicit size to space header image: #13822
• Bugfix - Apply vault theme after OIDC callback: #13826
• Bugfix - Gate MFA expiry dialog on vault capability: #13827
• Bugfix - Logo not rendering in Firefox: #13834
• Bugfix - Fix theme switching issues: #13843
• Bugfix - Pass vault parameter to capabilities endpoint: #13867

Details

• Security - Validate postMessage origin in embed mode modals: #13844

  We've fixed a cross-site request forgery (CSRF) vulnerability where the embed mode modals (Save As, Export As PDF and the file picker) processed incoming postMessage events without verifying the sender's origin. A malicious page holding a reference to an authenticated ownCloud window could forge owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel messages and trigger authenticated file writes in the victim's space. Incoming messages are now validated against an allowlist consisting of the application's own origin and the optionally configured embed.messagesOrigin.

  owncloud/web#13844

• Bugfix - Add open button to PDF viewer on iOS/iPadOS: #13797

  On iOS/iPadOS, we now display a button to open the PDF file in the browser instead of the native PDF viewer. This is a workaround to avoid issues with the native PDF viewer on iOS/iPadOS.

  owncloud/web#13797 owncloud/web#13816

• Bugfix - Add explicit size to space header image: #13822

  The space header image did not have explicit width and height causing the image to overflow its container. Adding explicit width and height with values of 100% makes sure that the image stays within the boundaries of the container.

... (truncated)

Commits

• 2b4c666 chore: sync translations
• acd69c0 chore: bump version to v12.4.1
• a43605d fix(notifications): [OCISDEV-967] filter notifications by vault mode (#13877)...
• 07cdf1b chore: bump version to 12.4.0
• d4c2b7e chore: check if vault capability is enabled
• f065999 feat: add new theme colors
• 99d516e feat(web-runtime): [OCISDEV-534] add MFA session expiry warning
• c4492b0 feat: [OCISDEV-527] check vault permission (#13802)
• 406d400 refactor: remove protected-project and protected-personal as per backend change
• 263e778 feat: fetch and show vault spaces
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ownclouders/web-client since your current version.

Updates @ownclouders/web-pkg from 12.3.2 to 12.4.1

Release notes

Sourced from @​ownclouders/web-pkg's releases.

12.4.1

Changelog for ownCloud Web 12.4.1 (2026-06-18)

Summary

• Security - Validate postMessage origin in embed mode modals: #13844
• Bugfix - Add explicit size to space header image: #13822
• Bugfix - Apply vault theme after OIDC callback: #13826
• Bugfix - Gate MFA expiry dialog on vault capability: #13827
• Bugfix - Logo not rendering in Firefox: #13834
• Bugfix - Fix theme switching issues: #13843
• Bugfix - Pass vault parameter to capabilities endpoint: #13867
• Bugfix - Filter notifications by vault mode: #13877

Details

• Security - Validate postMessage origin in embed mode modals: #13844

  We've fixed a cross-site request forgery (CSRF) vulnerability where the embed mode modals (Save As, Export As PDF and the file picker) processed incoming postMessage events without verifying the sender's origin. A malicious page holding a reference to an authenticated ownCloud window could forge owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel messages and trigger authenticated file writes in the victim's space. Incoming messages are now validated against an allowlist consisting of the application's own origin and the optionally configured embed.messagesOrigin.

  owncloud/web#13844

• Bugfix - Add explicit size to space header image: #13822

  The space header image did not have explicit width and height causing the image to overflow its container. Adding explicit width and height with values of 100% makes sure that the image stays within the boundaries of the container.

  owncloud/web#13822 owncloud/web#13835

• Bugfix - Apply vault theme after OIDC callback: #13826

  When opening the vault for the first time, the user is redirected to an external IdP for 2FA. Upon returning, the OIDC callback URL contains no vault context, causing the regular theme to be applied instead of the vault theme. We now also check the stored post-login redirect URL during the OIDC callback to correctly detect vault mode.

  owncloud/web#13826

... (truncated)

Changelog

Sourced from @​ownclouders/web-pkg's changelog.

Changelog for ownCloud Web unreleased (UNRELEASED)

The following sections list the changes in ownCloud web unreleased relevant to ownCloud admins and users.

Summary

• Security - Validate postMessage origin in embed mode modals: #13844
• Bugfix - Add open button to PDF viewer on iOS/iPadOS: #13797
• Bugfix - Add explicit size to space header image: #13822
• Bugfix - Apply vault theme after OIDC callback: #13826
• Bugfix - Gate MFA expiry dialog on vault capability: #13827
• Bugfix - Logo not rendering in Firefox: #13834
• Bugfix - Fix theme switching issues: #13843
• Bugfix - Pass vault parameter to capabilities endpoint: #13867

Details

• Security - Validate postMessage origin in embed mode modals: #13844

  We've fixed a cross-site request forgery (CSRF) vulnerability where the embed mode modals (Save As, Export As PDF and the file picker) processed incoming postMessage events without verifying the sender's origin. A malicious page holding a reference to an authenticated ownCloud window could forge owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel messages and trigger authenticated file writes in the victim's space. Incoming messages are now validated against an allowlist consisting of the application's own origin and the optionally configured embed.messagesOrigin.

  owncloud/web#13844

• Bugfix - Add open button to PDF viewer on iOS/iPadOS: #13797

  On iOS/iPadOS, we now display a button to open the PDF file in the browser instead of the native PDF viewer. This is a workaround to avoid issues with the native PDF viewer on iOS/iPadOS.

  owncloud/web#13797 owncloud/web#13816

• Bugfix - Add explicit size to space header image: #13822

  The space header image did not have explicit width and height causing the image to overflow its container. Adding explicit width and height with values of 100% makes sure that the image stays within the boundaries of the container.

... (truncated)

Commits

• 2b4c666 chore: sync translations
• acd69c0 chore: bump version to v12.4.1
• a43605d fix(notifications): [OCISDEV-967] filter notifications by vault mode (#13877)...
• 85647f7 Merge pull request #13863 from owncloud/fix/OCISDEV-777/backport-mitigate-ifr...
• 841605b Chore/backport pass vault param to capabilities (#13868)
• a91bbf1 fix: [OCISDEV-916] apply vault theme on oidc callback (#13826) (#13833)
• b5e60a5 fix(web-pkg): [OCISDEV-777] validate postMessage origin in embed mode modals
• 11f68f4 fix(web-app-password-protected-folders): [OCISDEV-917] fix theme switching an...
• b3704b9 fix: gate MFA expiry dialog on vault capability (#13837)
• 07cdf1b chore: bump version to 12.4.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ownclouders/web-pkg since your current version.

Updates @ownclouders/extension-sdk from 12.3.2 to 12.4.1

Release notes

Sourced from @​ownclouders/extension-sdk's releases.

12.4.1

Changelog for ownCloud Web 12.4.1 (2026-06-18)

Summary

• Security - Validate postMessage origin in embed mode modals: #13844
• Bugfix - Add explicit size to space header image: #13822
• Bugfix - Apply vault theme after OIDC callback: #13826
• Bugfix - Gate MFA expiry dialog on vault capability: #13827
• Bugfix - Logo not rendering in Firefox: #13834
• Bugfix - Fix theme switching issues: #13843
• Bugfix - Pass vault parameter to capabilities endpoint: #13867
• Bugfix - Filter notifications by vault mode: #13877

Details

• Security - Validate postMessage origin in embed mode modals: #13844

  We've fixed a cross-site request forgery (CSRF) vulnerability where the embed mode modals (Save As, Export As PDF and the file picker) processed incoming postMessage events without verifying the sender's origin. A malicious page holding a reference to an authenticated ownCloud window could forge owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel messages and trigger authenticated file writes in the victim's space. Incoming messages are now validated against an allowlist consisting of the application's own origin and the optionally configured embed.messagesOrigin.

  owncloud/web#13844

• Bugfix - Add explicit size to space header image: #13822

  The space header image did not have explicit width and height causing the image to overflow its container. Adding explicit width and height with values of 100% makes sure that the image stays within the boundaries of the container.

  owncloud/web#13822 owncloud/web#13835

• Bugfix - Apply vault theme after OIDC callback: #13826

  When opening the vault for the first time, the user is redirected to an external IdP for 2FA. Upon returning, the OIDC callback URL contains no vault context, causing the regular theme to be applied instead of the vault theme. We now also check the stored post-login redirect URL during the OIDC callback to correctly detect vault mode.

  owncloud/web#13826

... (truncated)

Changelog

Sourced from @​ownclouders/extension-sdk's changelog.

Changelog for ownCloud Web unreleased (UNRELEASED)

The following sections list the changes in ownCloud web unreleased relevant to ownCloud admins and users.

Summary

• Security - Validate postMessage origin in embed mode modals: #13844
• Bugfix - Add open button to PDF viewer on iOS/iPadOS: #13797
• Bugfix - Add explicit size to space header image: #13822
• Bugfix - Apply vault theme after OIDC callback: #13826
• Bugfix - Gate MFA expiry dialog on vault capability: #13827
• Bugfix - Logo not rendering in Firefox: #13834
• Bugfix - Fix theme switching issues: #13843
• Bugfix - Pass vault parameter to capabilities endpoint: #13867

Details

• Security - Validate postMessage origin in embed mode modals: #13844

  We've fixed a cross-site request forgery (CSRF) vulnerability where the embed mode modals (Save As, Export As PDF and the file picker) processed incoming postMessage events without verifying the sender's origin. A malicious page holding a reference to an authenticated ownCloud window could forge owncloud-embed:select, owncloud-embed:file-pick or owncloud-embed:cancel messages and trigger authenticated file writes in the victim's space. Incoming messages are now validated against an allowlist consisting of the application's own origin and the optionally configured embed.messagesOrigin.

  owncloud/web#13844

• Bugfix - Add open button to PDF viewer on iOS/iPadOS: #13797

  On iOS/iPadOS, we now display a button to open the PDF file in the browser instead of the native PDF viewer. This is a workaround to avoid issues with the native PDF viewer on iOS/iPadOS.

  owncloud/web#13797 owncloud/web#13816

• Bugfix - Add explicit size to space header image: #13822

  The space header image did not have explicit width and height causing the image to overflow its container. Adding explicit width and height with values of 100% makes sure that the image stays within the boundaries of the container.

... (truncated)

Commits

• acd69c0 chore: bump version to v12.4.1
• 07cdf1b chore: bump version to 12.4.0
• 0215824 chore: sync 12.3 branch changelog and version (#13729)
• 02ec681 fix(deps): update dependency @​vitejs/plugin-vue to ^6.0.6 (#13700)
• 06dab4f fix(deps): update dependency @​vitejs/plugin-vue to ^6.0.5
• 6e4fcf5 Revert "Merge pull request #13521 from owncloud/chore/revert-changes-to-master"
• 69b4edc Revert "Merge pull request #13519 from ownc...

  Description has been truncated

[kw-security]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[dj4oC]

The non-@ownclouders bumps here are routine (Playwright 1.61, Vue 3.5.38, prettier 3.8.4, vue-tsc 3.3.5, happy-dom, uuid, @vue/test-utils).

The blocker is the @ownclouders/* group: bumping web-client/web-pkg/extension-sdk/web-test-helpers/eslint-config from 12.3.2 → 12.4.1 breaks the repo-wide check:types — which is why the check job is red here. The 12.4.x Resource interface changed, and web-app-advanced-search's SearchResource no longer satisfies extends Resource (TS2430/TS2322). The alt-text unit fixtures also need a spaceId to match the new Resource shape.

I'm preparing a companion change that updates SearchResource (and the alt-text fixtures) for the 12.4.x Resource interface; once that's in, this bump should go green. Holding merge until then.

[dj4oC]

The blocking part of this bump (the @ownclouders/* 12.3.2 → 12.4.1 move) needs source changes to compile — web-client 12.4.x makes Resource.spaceId required, which breaks check:types in web-app-advanced-search (and an alt-text test fixture). I've put the @ownclouders bump plus those compat fixes in #479 (verified green: check:types / lint / test:unit). Once #479 lands, the remaining routine bumps here (Playwright, Vue, prettier, vue-tsc, happy-dom, uuid, @vue/test-utils) should rebase cleanly.

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.