Skip to content

Release 2.37.0#4194

Merged
rejas merged 474 commits into
masterfrom
develop
Jul 1, 2026
Merged

Release 2.37.0#4194
rejas merged 474 commits into
masterfrom
develop

Conversation

@rejas

@rejas rejas commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Release Notes

Thanks to: @angeldeejay, @egeekial, @khassel, @KristjanESPERANTO, @MikeBishop, @rejas

⚠️ This release needs nodejs version >=22.21.1 <23 || >=24 (no change to previous release)

Compare to previous Release v2.36.0

[core]

[dependencies]

[modules/alert]

[modules/calendar]

[modules/newsfeed]

[modules/updatenotification]

[modules/weather]

[testing]

KristjanESPERANTO and others added 30 commits May 15, 2025 00:15
Hello and thank you for wanting to contribute to the MagicMirror²
project!

**Please make sure that you have followed these 4 rules before
submitting your Pull Request:**

> 1. Base your pull requests against the `develop` branch.
> 2. Include these infos in the description: implement short syntax for
clock week
>
> - Does the pull request solve a **related** issue? n/a
> - If so, can you reference the issue like this `Fixes
#<issue_number>`?
> - What does the pull request accomplish? Use a list if needed.
> - If it includes major visual changes please add screenshots.
>
> 3. Please run `npm run lint:prettier` before submitting so that
>    style issues are fixed.
> 4. Don't forget to add an entry about your changes to
>    the CHANGELOG.md file.


![image](https://github.com/user-attachments/assets/e6c16981-de0a-45be-b553-7a7a67977d55)


![image](https://github.com/user-attachments/assets/ebae32e7-e6fb-41aa-971a-908880acc7b9)


**Note**: Sometimes the development moves very fast. It is highly
recommended that you update your branch of `develop` before creating a
pull request to send us your changes. This makes everyone's lives
easier (including yours) and helps us out on the development team.

Thanks again and have a nice day!

---------

Co-authored-by: BugHaver <43462320+lsaadeh@users.noreply.github.com>
node v24 was released today and v23 will have reached EOL with our next
release.
`fs.F_OK` and `fs.R_OK` are [deprecated since a while node
20.8.0](https://nodejs.org/api/deprecations.html#DEP0176).

Node 24 now complains about them when running server mode (`node --run
server`):

```bash
[2025-05-23 23:11:44.932] [ERROR] (node:37733) [DEP0176] DeprecationWarning: fs.F_OK is deprecated, use fs.constants.F_OK instead
(Use `node --trace-deprecation ...` to show where the warning was created) 
```

The replacements have been in place for a while, and this change should
work without any issues.
…3793)

> What does the pull request accomplish?

One external dependency less.
I was always unhappy when maintaining dependency updates to have 3
`package.json` files.

This PR moves all deps into the main `package.json` and removes the
folders `fonts` and `vendor`.

If accepted I will update the docs too.

---------

Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com>
and add now required "type" to `package.json`
**Short description**: I completed the translations with the help of
translation tools.

**Long description**: I'm currently looking at the translation-tests and
I noticed the e2e-test `${language} should contain all base keys, ()`.
It is supposed to check whether all keys are present in each translation
file, but it doesn't actually work that way. When I fix it, a lot of
missing translations are reported. I have completed these translations
with the help of translation tools and packed them into this PR. I have
left out the modified test so that we can focus on the question if we
accept such amount of automatic translations or not.

rejas has already expressed in another PR
(#3775 (comment))
that he prefers human translators. I basically do too, but I don't see
how we can manage to have all translations completed by humans. And even
if a few translations are not correct, hopefully a user will get in
touch.

If we decide against the translations, we should at least remove the
test. If we go for the tranlsations, I'll add the test.

What do you think?

---------

Co-authored-by: Magnus <34011212+MagMar94@users.noreply.github.com>
)

see discussions
[here](#3795 (comment)).

The used command should work under windows too. I'm open to better
solutions.

Co-authored-by: Veeck <github@veeck.de>
…elated issues and make debugging way easier (#3806)

Refactored calendarfetcherutils to remove as many of the date
conversions as possible and use moment tz when calculating recurring
events, this will make debugging a lot easier and fixes problems from
the past with offsets and DST not being handled properly. Also added
some tests to test the behavior of the refactored methodes to make sure
the correct event dates are returned.

Refactored calendar.js aswell to make sure the unix UTC start and end
date of events are properly converted to a local timezone and displayed
correctly for the user.

This PR relates to:
#3797

---------

Co-authored-by: Koen Konst <c.h.konst@avisi.nl>
Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com>
…s" (#3809)

While working on the translations (in #3792 and #3794) I realised that
the e2e "Same keys" tests were not working entirely. There was also a
TODO entry for this in the test, as well as a try-catch-block
workaround. I therefore fixed and refactored it.

I also sorted the translations in `translations/translations.js`, so
that the test outputs are alphabetically.
In PR #3806 I noticed that ESLint did not complain about the use of
`console`. Then I realised that the rule `no-console` was not activated.
I have now changed this and replaced a few places where `console` was
used.

We can't apply the rule to all .js files because not all of them use our
logger. Therefore I had to add an extra config block for it.
- animateCSS_spec test did throw errors at least with newest
dependencies (running locally or on gitlab)
- dependency updates: New jest v30 breaks our tests so we have to stay
with v29 until fixed (will take a look)
related to #3804 

added type to `commonjs` in package.json
Styling code of `logger.js`:

Just use `switch/case` instead of `if/else if`

---------

Co-authored-by: Veeck <github@veeck.de>
I have refactored the translations tests, they should now be clearer and
easier to understand. There should be no functional impact.

I have discarded the original approach of also replacing
`XMLHttpRequest` with `fetch` in the file `js/translator.js`. I had
managed to get it to work functionally, but I couldn't get the tests to
work.
e2e:
- needed window.close(), otherwise the objects are not destroyed
- add missing `await` in clock test
- set maxListeners for all tests

remaining todo (comes with another PR if I find the problem):
- calendar e2e is now the only test which still needs `--forceExit`
- fix newsfeed and calendar e2e tests so they don't need `--forceExit`
anymore
- `--forceExit` should stay in test runs to avoid running until test
limit in case of errors
- remove mocking console, not needed anymore
- configFactory-stuff should not run in browser (otherwise we get errors
`[ReferenceError: exports is not defined]`)
…st (#3831)

- see title and #3820
- remove failing unit calendar test until solved, see
#3830
…formation (#3816)

1. Base your pull requests against the `develop` branch.
Done
2. Include these infos in the description:
- Does the pull request solve a **related** issue?
No
- If so, can you reference the issue like this `Fixes #<issue_number>`?
N/A
- What does the pull request accomplish? Use a list if needed.
With some combinations of sunrise and sunset times (usually when the
time till rise/set is >9:59), the information will break across multiple
lines. This prevents that by adding CSS.
- If it includes major visual changes please add screenshots.
I don't consider it major.
3. Please run `npm run lint:prettier` before submitting so that style
issues are fixed.
Done
4. Don't forget to add an entry about your changes to the CHANGELOG.md
file.
Done

---------

Co-authored-by: veeck <gitkraken@veeck.de>
Fixes #3818

---------

Co-authored-by: veeck <gitkraken@veeck.de>
…l env and RAM details (#3839)

When we introduced the system information, I selected `###` as the
prefix for each line. While this doesn't cause any problems in the
terminal, when someone copies the output to an issue or the forum, every
line is formatted as a heading, which is not ideal. That's why I made
some rework and suggest these changes.

In addition to the formatting changes, I added some env and RAM details
plus the uptime. These are just suggestions – if you don't think they're
worth adding, I'm happy to remove them. We wanted to keep this block
compact.

@sdetweil, since you are often on the front line with the error messages
from users: Is there any information missing in the system block that
you often have to request additionally?

Feel free to request changes!

-----

## in the terminal

### before

```
[2025-07-09 21:58:36.943] [INFO]  System information:
### SYSTEM:   manufacturer: Notebook; model: N650DU; virtual: false
### OS:       platform: linux; distro: Debian GNU/Linux; release: 12; arch: x64; kernel: 5.10.0-20-amd64
### VERSIONS: electron: 36.3.2; used node: 24.2.0; installed node: 24.2.0; npm: 10.9.0; pm2: 6.0.6
### OTHER:    timeZone: Europe/Berlin; ELECTRON_ENABLE_GPU: undefined 
```

-----

### after

```
[2025-07-09 21:57:47.604] [INFO]  
#####  System Information  #####
- SYSTEM:    manufacturer: Notebook; model: N650DU; virtual: false; timeZone: Europe/Berlin
- OS:        platform: linux; distro: Debian GNU/Linux; release: 12; arch: x64; kernel: 5.10.0-20-amd64
- VERSIONS:  electron: 36.3.2; used node: 24.2.0; installed node: 24.2.0; npm: 10.9.0; pm2: 6.0.6
- ENV:       XDG_SESSION_TYPE: wayland; MM_CONFIG_FILE: undefined;
             WAYLAND_DISPLAY:  wayland-0; DISPLAY: :0; ELECTRON_ENABLE_GPU: undefined
- RAM:       total: 15925.45 MB; free: 967.75 MB; used: 14957.70 MB
- UPTIME:    172 minutes 
```

-----

## as markdown (in an issue or the forum)

### before

[2025-07-09 21:58:36.943] [INFO]  System information:
### SYSTEM:   manufacturer: Notebook; model: N650DU; virtual: false
### OS: platform: linux; distro: Debian GNU/Linux; release: 12; arch:
x64; kernel: 5.10.0-20-amd64
### VERSIONS: electron: 36.3.2; used node: 24.2.0; installed node:
24.2.0; npm: 10.9.0; pm2: 6.0.6
### OTHER:    timeZone: Europe/Berlin; ELECTRON_ENABLE_GPU: undefined 

-----

### after

[2025-07-09 21:57:47.604] [INFO]  
#####  System Information  #####
- SYSTEM: manufacturer: Notebook; model: N650DU; virtual: false;
timeZone: Europe/Berlin
- OS: platform: linux; distro: Debian GNU/Linux; release: 12; arch: x64;
kernel: 5.10.0-20-amd64
- VERSIONS: electron: 36.3.2; used node: 24.2.0; installed node: 24.2.0;
npm: 10.9.0; pm2: 6.0.6
- ENV:       XDG_SESSION_TYPE: wayland; MM_CONFIG_FILE: undefined;
WAYLAND_DISPLAY: wayland-0; DISPLAY: :0; ELECTRON_ENABLE_GPU: undefined
- RAM:       total: 15925.45 MB; free: 967.75 MB; used: 14957.70 MB
- UPTIME:    172 minutes
see #3819

---------

Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com>
Co-authored-by: Veeck <github@veeck.de>
khassel and others added 24 commits May 18, 2026 21:02
This was introduced when running systeminformation in an own thread.

If the main thread ends before (e.g. when config has errors) the
systeminformation thread never ends.

As this can have side effects under pm2 or docker (because the app never
exits) this PR restores the old behavior.
The restart approach I introduced in #4156 still crashes under Electron:

```
TypeError: Cannot read properties of undefined (reading 'disableHardwareAcceleration')
    at electron.js:18
```

`nodeRestart()` hardcodes `node` as the interpreter, but under Electron
`process.argv[0]` is the Electron binary. Spawning `node js/electron.js`
causes `require("electron")` to return a string instead of the API, so
`electron.app` is `undefined`.

This uses `process.argv[0]` as the binary directly, which works for both
Electron and plain Node.

I introduced more variables for more clarity.

Fixes #4154.
This updates the dependencies and implements a workaround for the
failing ci tests on node 26.1.0 (#4150).

I'm not sure myself whether we should go with this workaround or wait
for an upstream fix.
This adds the weather provider Buienradar for the Netherlands and
Belgium without requiring an API key.

In MagicMirrorOrg/MagicMirror-Documentation#380 @plebcity shared his
implementation for the old browser-side architecture. I used it as a
reference to build this server-side implementation.

### Example screenshot

<img width="969" height="578" alt="Ekrankopio de 2026-05-20 20-38-36"
src="https://github.com/user-attachments/assets/56623ad8-7439-4047-abad-452ba2ebdcb2"
/>

### Example config

```js
		{
			module: "weather",
			position: "top_left",
			header: "Buienradar - Current",
			config: {
				weatherProvider: "buienradar",
				type: "current",
				locationId: 2747891
			}
		},
		{
			module: "weather",
			position: "top_right",
			header: "Buienradar - Forecast",
			config: {
				weatherProvider: "buienradar",
				type: "forecast",
				locationId: 2747891
			}
		},
		{
			module: "weather",
			position: "bottom_left",
			header: "Buienradar - Hourly",
			config: {
				weatherProvider: "buienradar",
				type: "hourly",
				locationId: 2747891
			}
		},
```

----

When this is accepted and merged I'll update the weather docs.
Previously, `electronSwitches` only accepted strings. This PR adds
support for object entries, allowing switches with values:

```js
electronSwitches: [
  "no-sandbox",
  { "js-flags": "--max-old-space-size=8192" }
]
```

I decided to put the logic into a helper file so it can be unit-tested
independently, since electron.js itself requires a live Electron
environment and cannot be tested in isolation.

Fixes #4159
…er PM2 (#4166)

Previously, `nodeRestart()` would spawn a detached child and exit. Under
PM2 that's a problem: PM2 also respawns on exit, so both race to bind
the same port.

The fix: When `process.env.pm_id` is set, just exit and let PM2 handle
the restart.

The spawn logic is moved into its own method so it can be tested
cleanly.

Partially fixes #4165
…og (#4167)

I suggest to add the commit hash and branch to the system information.
This should help trouble shooting issues from developers. Like in #4165.

### before

```
####  System Information  ####
- SYSTEM:   manufacturer: Micro-Star International Co., Ltd.; model: MS-7D75; virtual: false; MM: v2.37.0-develop
- OS:       ...
...
```

### after

```
####  System Information  ####
- MM:       version: v2.37.0-develop; git: 03e4eef; branch: develop
- SYSTEM:   manufacturer: Micro-Star International Co., Ltd.; model: MS-7D75; virtual: false
- OS:       ...
...
```
ipWhitelist was only applied to HTTP routes, so Socket.IO module
namespaces could still be reached from disallowed clients.

This adds the same whitelist check to Socket.IO handshakes
(allowRequest), and reuses the same client IP resolution for both HTTP
and Socket.IO (forwarded IP is only trusted for loopback peers).

Also adds tests for handshake allow/deny and forwarded-header behavior.

Fixes: GHSA-w26r-fwg8-rcp3
The electron install problem is still not fixed upstream so I added 

```json
	"overrides": {
		"yauzl": "^3.3.1"
	},
```

to `package.json`. This should be reverted when fixed upstream.
Add defaults for config options that are already supported in core, so
behavior is easier to understand and config stays consistent. This does
not change runtime behavior.

Refs #4159
When a server responds with 304 (nothing changed since last fetch), the
response has no body. Several modules were trying to parse that empty
body anyway - which either cleared their cached data or threw an
exception. The result: a blank calendar, empty newsfeed, or missing
weather data after the next refresh cycle.

This was reported in the forum:
https://forum.magicmirror.builders/topic/20250/calendar-events-broadcasting-nothing-showing

The bug was "introduced" by #4120, which correctly started forwarding
304s to consumers - but not all were ready for it.

### Fix

Skip parsing on 304 and keep the existing data as-is:

- **calendar** - re-broadcasts cached events
- **newsfeed** - re-broadcasts cached items
- **buienradar, openmeteo, weatherflow, weathergov** - return early
before calling `response.json()`
This keeps the same behavior, but makes the function easier to read.

- moved to async/await with early returns
- kept only one small Promise wrapper around the _hideModule callback
- removed a duplicate speed check
- cleaned up JSDoc so timing/return details are clearer

No runtime change intended; hide/show sequencing stays the same.
…fix (#4183)

Fixes electron problem from #4150 for electron v42.
**Please make sure that you have followed these 3 rules before
submitting your Pull Request:**

> 1. Base your pull requests against the `develop` branch.
Done.
> 2. Include these infos in the description:
>
> - Does the pull request solve a **related** issue?
No
> - If so, can you reference the issue like this `Fixes
#<issue_number>`?
> - What does the pull request accomplish? Use a list if needed.
> - If it includes major visual changes please add screenshots.
>

Render a strict allowlist of basic formatting tags (b, strong, i, em, u)
in news titles and descriptions, while neutralizing all other HTML.

Feeds such as The Atlantic encode emphasis as entities (&lt;em&gt;),
which html-to-text decoded to a literal <em> string that the template
then auto-escaped, so the raw tag was shown on screen. The new opt-in
allowBasicHtmlTags option (default false) sanitizes both fields by
escaping everything and restoring only the exact, attribute-free
allowlisted tags, so the result is safe to render and arbitrary
HTML/script injection is impossible.

Adds unit tests for the sanitizer and an e2e test covering rendering and
an injection attempt.

Before screenshot: <img width="980" height="2726" alt="before"
src="https://github.com/user-attachments/assets/d1c871e1-21c5-44f9-ae40-da65c2c56f68"
/>
After screenshot: <img width="980" height="2726" alt="after"
src="https://github.com/user-attachments/assets/22d9e86b-221c-408e-a29b-718b0e98f236"
/>
> 3. Please run `node --run lint:prettier` before submitting so that
>    style issues are fixed.
Done

**Note**: Sometimes the development moves very fast. It is highly
recommended that you update your branch of `develop` before creating a
pull request to send us your changes. This makes everyone's lives
easier (including yours) and helps us out on the development team.

Thanks again and have a nice day!

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
…ds (#4184)

This PR attempts to fix the unauthorized secret expansion vulnerability
reported in
[GHSA-q4gh-4ffp-5cg8](GHSA-q4gh-4ffp-5cg8).

Previously, if a module sent a payload through the socket containing any
`**SECRET_FOO**` placeholder, the server would unconditionally expand it
with the real environment variable. This meant a manipulated module
could theoretically extract secrets that belonged to other modules.

To prevent this, the expansion logic is now much stricter and scoped to
the individual module:
* In `app.js`, we now store a copy of the redacted config
(`global.configRedacted`) to keep track of which module uses which
secrets.
* In `node_helper.js`, before handling a socket notification, we build a
specific "allow-list" (`Set`) of secrets that are actually present in
the calling module's config.
* `replaceSecretPlaceholder` in `server_functions.js` was updated to
accept this `Set` and will now only expand placeholders that the module
is explicitly authorized to know. Unlisted placeholders are safely
ignored.

I also updated the unit tests to cover the new allow-list behavior.

Since this security stuff is tricky and gives me headaches all the time,
I've added more comments than usual.

I've tried several ways to make it a little simpler, but unfortunately,
I couldn't come up with anything easier than that. I'd appreciate it if
someone could take a critical look at the logic to make sure I didn't
miss anything!
`_updateDom` was wrapping its entire body in a `new Promise(resolve =>
{...})` constructor just to chain `getDom()` and
`updateDomWithContent()` together. Since `updateDomWithContent` was
already converted to async in #4182, we can now just `await` it directly
- the manual wrapper, the explicit `Promise.resolve()` normalization,
and the nested `.then().catch()` chain all become unnecessary, making
the control flow easier to follow.
Also added `.catch(Log.error)` at both call sites, since async functions
reject on error instead of swallowing it silently.
This adds a pre-filter that drops out-of-window non-recurring events
from the raw ICS data before `node-ical` parses it. Recurring events and
anything we cannot classify cheaply are kept - the existing logic
handles those as before.

Some calendars accumulate years of old events. Pre-filtering them
reduces the amount of work `node-ical` has to do and keeps event loop
lag lower. My benchmarks on a fast machine showed a small but measurable
speedup (roughly 10-20% with generated test data); on a Raspberry Pi it
should be significantly more noticeable.

For the implementation I ended up using
[`ics-filter`](https://github.com/runely/ics-filter), suggested by
@rejas. I had a custom version first, but ICS date string parsing has
enough complexity that it makes sense to delegate it to a package built
specifically for this. I also contributed a couple of fixes to
`ics-filter` along the way, and the maintainer was responsive and open
to improvements, so it seems like a good fit.

Solves #4103.
Follow-up to #4185. This PR replaces `.then()`/`.catch()` chains in the
DOM update flow with `async/await`, making the code easier to read and
reason about.

**What changed:**
- `createDomObjects` and `MM.updateDom` are now `async`, the nested
`.then()` callbacks are gone
- Extracted a small `createModuleDom()` helper to keep the loop in
`createDomObjects` readable
- Errors in `createDomObjects` are caught in a single `try/catch` -
before, a failing module could cause an unhandled Promise rejection
- `updateDomWithContent` now properly awaits the full show animation
before resolving. The old code called `resolve()` while the animation
was still running, which was technically wrong
- Fixed `@param {Promise} callback` in JSDoc - it's not a Promise, it's
a plain `() => void` function
With SunCalc v2 we have to point the browser vendor mapping to the new
CJS bundle.
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to
7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>block checking out fork pr for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
<li>getting ready for checkout v7 release by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2464">actions/checkout#2464</a></li>
<li>update error wording by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2467">actions/checkout#2467</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6.0.3...v7.0.0">https://github.com/actions/checkout/compare/v6.0.3...v7.0.0</a></p>
<h2>v6.0.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Update changelog by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2357">actions/checkout#2357</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>Update changelog for v6.0.3 by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2446">actions/checkout#2446</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/yaananth"><code>@​yaananth</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6...v6.0.3">https://github.com/actions/checkout/compare/v6...v6.0.3</a></p>
<h2>v6.0.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID
is set by <a
href="https://github.com/TingluoHuang"><code>@​TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2355">actions/checkout#2355</a></li>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6.0.1...v6.0.2">https://github.com/actions/checkout/compare/v6.0.1...v6.0.2</a></p>
<h2>v6.0.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Update all references from v5 and v4 to v6 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2314">actions/checkout#2314</a></li>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
<li>Clarify v6 README by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2328">actions/checkout#2328</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6...v6.0.1">https://github.com/actions/checkout/compare/v6...v6.0.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v7.0.0</h2>
<ul>
<li>Block checking out fork PR for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
</ul>
<h2>v6.0.3</h2>
<ul>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<h2>v6.0.2</h2>
<ul>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<h2>v6.0.1</h2>
<ul>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
</ul>
<h2>v6.0.0</h2>
<ul>
<li>Persist creds to a separate file by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li>
<li>Update README to include Node.js 24 support details and requirements
by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li>
</ul>
<h2>v5.0.1</h2>
<ul>
<li>Port v6 cleanup to v5 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li>
</ul>
<h2>v5.0.0</h2>
<ul>
<li>Update actions checkout to use node 24 by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li>
</ul>
<h2>v4.3.1</h2>
<ul>
<li>Port v6 cleanup to v4 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li>
</ul>
<h2>v4.3.0</h2>
<ul>
<li>docs: update README.md by <a
href="https://github.com/motss"><code>@​motss</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li>
<li>Add internal repos for checking out multiple repositories by <a
href="https://github.com/mouismail"><code>@​mouismail</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li>
<li>Documentation update - add recommended permissions to Readme by <a
href="https://github.com/benwells"><code>@​benwells</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li>
<li>Adjust positioning of user email note and permissions heading by <a
href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li>
<li>Update CODEOWNERS for actions by <a
href="https://github.com/TingluoHuang"><code>@​TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li>
<li>Update package dependencies by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li>
</ul>
<h2>v4.2.2</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@​jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<h2>v4.2.1</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0"><code>9c091bb</code></a>
update error wording (<a
href="https://redirect.github.com/actions/checkout/issues/2467">#2467</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/1044a6dea927916f2c38ba5aeffbc0a847b1221a"><code>1044a6d</code></a>
getting ready for checkout v7 release (<a
href="https://redirect.github.com/actions/checkout/issues/2464">#2464</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/f0282184c7ce73ab54c7e4ab5a617122602e575f"><code>f028218</code></a>
Bump the minor-npm-dependencies group across 1 directory with 3 updates
(<a
href="https://redirect.github.com/actions/checkout/issues/2462">#2462</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/d914b262ffc244530a203ab40decab34c3abf34d"><code>d914b26</code></a>
upgrade module to esm and update dependencies (<a
href="https://redirect.github.com/actions/checkout/issues/2463">#2463</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/537c7ef99cef6e5ddb5e7ff5d16d14510503801d"><code>537c7ef</code></a>
Bump <code>@​actions/core</code> and <code>@​actions/tool-cache</code>
and Remove uuid (<a
href="https://redirect.github.com/actions/checkout/issues/2459">#2459</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/130a169078a413d3a5246a393625e8e742f387f6"><code>130a169</code></a>
Bump js-yaml from 4.1.0 to 4.2.0 (<a
href="https://redirect.github.com/actions/checkout/issues/2461">#2461</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/7d09575332117a40b46e5e020664df234cd416f3"><code>7d09575</code></a>
Bump flatted from 3.3.1 to 3.4.2 (<a
href="https://redirect.github.com/actions/checkout/issues/2460">#2460</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/0f9f3aa320cb53abeb534aeb54048075d9697a0e"><code>0f9f3aa</code></a>
Bump actions/publish-immutable-action (<a
href="https://redirect.github.com/actions/checkout/issues/2458">#2458</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/f9e715a95fcd1f9253f77dd28f11e88d2d6460c7"><code>f9e715a</code></a>
block checking out fork pr for pull_request_target and workflow_run (<a
href="https://redirect.github.com/actions/checkout/issues/2454">#2454</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/checkout/compare/v6...v7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=6&new-version=7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: veeck <gitkraken@veeck.de>
Comment thread js/main.js Dismissed
@rejas rejas merged commit 4b4a595 into master Jul 1, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.