Conversation
This should solve the problem #3785.
Hello and thank you for wanting to contribute to the MagicMirror² project! **Please make sure that you have followed these 4 rules before submitting your Pull Request:** > 1. Base your pull requests against the `develop` branch. > 2. Include these infos in the description: implement short syntax for clock week > > - Does the pull request solve a **related** issue? n/a > - If so, can you reference the issue like this `Fixes #<issue_number>`? > - What does the pull request accomplish? Use a list if needed. > - If it includes major visual changes please add screenshots. > > 3. Please run `npm run lint:prettier` before submitting so that > style issues are fixed. > 4. Don't forget to add an entry about your changes to > the CHANGELOG.md file.   **Note**: Sometimes the development moves very fast. It is highly recommended that you update your branch of `develop` before creating a pull request to send us your changes. This makes everyone's lives easier (including yours) and helps us out on the development team. Thanks again and have a nice day! --------- Co-authored-by: BugHaver <43462320+lsaadeh@users.noreply.github.com>
node v24 was released today and v23 will have reached EOL with our next release.
`fs.F_OK` and `fs.R_OK` are [deprecated since a while node 20.8.0](https://nodejs.org/api/deprecations.html#DEP0176). Node 24 now complains about them when running server mode (`node --run server`): ```bash [2025-05-23 23:11:44.932] [ERROR] (node:37733) [DEP0176] DeprecationWarning: fs.F_OK is deprecated, use fs.constants.F_OK instead (Use `node --trace-deprecation ...` to show where the warning was created) ``` The replacements have been in place for a while, and this change should work without any issues.
…3793) > What does the pull request accomplish? One external dependency less.
I was always unhappy when maintaining dependency updates to have 3 `package.json` files. This PR moves all deps into the main `package.json` and removes the folders `fonts` and `vendor`. If accepted I will update the docs too. --------- Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com>
and add now required "type" to `package.json`
**Short description**: I completed the translations with the help of
translation tools.
**Long description**: I'm currently looking at the translation-tests and
I noticed the e2e-test `${language} should contain all base keys, ()`.
It is supposed to check whether all keys are present in each translation
file, but it doesn't actually work that way. When I fix it, a lot of
missing translations are reported. I have completed these translations
with the help of translation tools and packed them into this PR. I have
left out the modified test so that we can focus on the question if we
accept such amount of automatic translations or not.
rejas has already expressed in another PR
(#3775 (comment))
that he prefers human translators. I basically do too, but I don't see
how we can manage to have all translations completed by humans. And even
if a few translations are not correct, hopefully a user will get in
touch.
If we decide against the translations, we should at least remove the
test. If we go for the tranlsations, I'll add the test.
What do you think?
---------
Co-authored-by: Magnus <34011212+MagMar94@users.noreply.github.com>
) see discussions [here](#3795 (comment)). The used command should work under windows too. I'm open to better solutions. Co-authored-by: Veeck <github@veeck.de>
…elated issues and make debugging way easier (#3806) Refactored calendarfetcherutils to remove as many of the date conversions as possible and use moment tz when calculating recurring events, this will make debugging a lot easier and fixes problems from the past with offsets and DST not being handled properly. Also added some tests to test the behavior of the refactored methodes to make sure the correct event dates are returned. Refactored calendar.js aswell to make sure the unix UTC start and end date of events are properly converted to a local timezone and displayed correctly for the user. This PR relates to: #3797 --------- Co-authored-by: Koen Konst <c.h.konst@avisi.nl> Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com>
…s" (#3809) While working on the translations (in #3792 and #3794) I realised that the e2e "Same keys" tests were not working entirely. There was also a TODO entry for this in the test, as well as a try-catch-block workaround. I therefore fixed and refactored it. I also sorted the translations in `translations/translations.js`, so that the test outputs are alphabetically.
In PR #3806 I noticed that ESLint did not complain about the use of `console`. Then I realised that the rule `no-console` was not activated. I have now changed this and replaced a few places where `console` was used. We can't apply the rule to all .js files because not all of them use our logger. Therefore I had to add an extra config block for it.
- animateCSS_spec test did throw errors at least with newest dependencies (running locally or on gitlab) - dependency updates: New jest v30 breaks our tests so we have to stay with v29 until fixed (will take a look)
Styling code of `logger.js`: Just use `switch/case` instead of `if/else if` --------- Co-authored-by: Veeck <github@veeck.de>
I have refactored the translations tests, they should now be clearer and easier to understand. There should be no functional impact. I have discarded the original approach of also replacing `XMLHttpRequest` with `fetch` in the file `js/translator.js`. I had managed to get it to work functionally, but I couldn't get the tests to work.
e2e: - needed window.close(), otherwise the objects are not destroyed - add missing `await` in clock test - set maxListeners for all tests remaining todo (comes with another PR if I find the problem): - calendar e2e is now the only test which still needs `--forceExit`
- fix newsfeed and calendar e2e tests so they don't need `--forceExit` anymore - `--forceExit` should stay in test runs to avoid running until test limit in case of errors - remove mocking console, not needed anymore - configFactory-stuff should not run in browser (otherwise we get errors `[ReferenceError: exports is not defined]`)
…formation (#3816) 1. Base your pull requests against the `develop` branch. Done 2. Include these infos in the description: - Does the pull request solve a **related** issue? No - If so, can you reference the issue like this `Fixes #<issue_number>`? N/A - What does the pull request accomplish? Use a list if needed. With some combinations of sunrise and sunset times (usually when the time till rise/set is >9:59), the information will break across multiple lines. This prevents that by adding CSS. - If it includes major visual changes please add screenshots. I don't consider it major. 3. Please run `npm run lint:prettier` before submitting so that style issues are fixed. Done 4. Don't forget to add an entry about your changes to the CHANGELOG.md file. Done --------- Co-authored-by: veeck <gitkraken@veeck.de>
…rly recurring events test (#3833)
Fixes #3818 --------- Co-authored-by: veeck <gitkraken@veeck.de>
…l env and RAM details (#3839) When we introduced the system information, I selected `###` as the prefix for each line. While this doesn't cause any problems in the terminal, when someone copies the output to an issue or the forum, every line is formatted as a heading, which is not ideal. That's why I made some rework and suggest these changes. In addition to the formatting changes, I added some env and RAM details plus the uptime. These are just suggestions – if you don't think they're worth adding, I'm happy to remove them. We wanted to keep this block compact. @sdetweil, since you are often on the front line with the error messages from users: Is there any information missing in the system block that you often have to request additionally? Feel free to request changes! ----- ## in the terminal ### before ``` [2025-07-09 21:58:36.943] [INFO] System information: ### SYSTEM: manufacturer: Notebook; model: N650DU; virtual: false ### OS: platform: linux; distro: Debian GNU/Linux; release: 12; arch: x64; kernel: 5.10.0-20-amd64 ### VERSIONS: electron: 36.3.2; used node: 24.2.0; installed node: 24.2.0; npm: 10.9.0; pm2: 6.0.6 ### OTHER: timeZone: Europe/Berlin; ELECTRON_ENABLE_GPU: undefined ``` ----- ### after ``` [2025-07-09 21:57:47.604] [INFO] ##### System Information ##### - SYSTEM: manufacturer: Notebook; model: N650DU; virtual: false; timeZone: Europe/Berlin - OS: platform: linux; distro: Debian GNU/Linux; release: 12; arch: x64; kernel: 5.10.0-20-amd64 - VERSIONS: electron: 36.3.2; used node: 24.2.0; installed node: 24.2.0; npm: 10.9.0; pm2: 6.0.6 - ENV: XDG_SESSION_TYPE: wayland; MM_CONFIG_FILE: undefined; WAYLAND_DISPLAY: wayland-0; DISPLAY: :0; ELECTRON_ENABLE_GPU: undefined - RAM: total: 15925.45 MB; free: 967.75 MB; used: 14957.70 MB - UPTIME: 172 minutes ``` ----- ## as markdown (in an issue or the forum) ### before [2025-07-09 21:58:36.943] [INFO] System information: ### SYSTEM: manufacturer: Notebook; model: N650DU; virtual: false ### OS: platform: linux; distro: Debian GNU/Linux; release: 12; arch: x64; kernel: 5.10.0-20-amd64 ### VERSIONS: electron: 36.3.2; used node: 24.2.0; installed node: 24.2.0; npm: 10.9.0; pm2: 6.0.6 ### OTHER: timeZone: Europe/Berlin; ELECTRON_ENABLE_GPU: undefined ----- ### after [2025-07-09 21:57:47.604] [INFO] ##### System Information ##### - SYSTEM: manufacturer: Notebook; model: N650DU; virtual: false; timeZone: Europe/Berlin - OS: platform: linux; distro: Debian GNU/Linux; release: 12; arch: x64; kernel: 5.10.0-20-amd64 - VERSIONS: electron: 36.3.2; used node: 24.2.0; installed node: 24.2.0; npm: 10.9.0; pm2: 6.0.6 - ENV: XDG_SESSION_TYPE: wayland; MM_CONFIG_FILE: undefined; WAYLAND_DISPLAY: wayland-0; DISPLAY: :0; ELECTRON_ENABLE_GPU: undefined - RAM: total: 15925.45 MB; free: 967.75 MB; used: 14957.70 MB - UPTIME: 172 minutes
see #3819 --------- Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com> Co-authored-by: Veeck <github@veeck.de>
This was introduced when running systeminformation in an own thread. If the main thread ends before (e.g. when config has errors) the systeminformation thread never ends. As this can have side effects under pm2 or docker (because the app never exits) this PR restores the old behavior.
The restart approach I introduced in #4156 still crashes under Electron: ``` TypeError: Cannot read properties of undefined (reading 'disableHardwareAcceleration') at electron.js:18 ``` `nodeRestart()` hardcodes `node` as the interpreter, but under Electron `process.argv[0]` is the Electron binary. Spawning `node js/electron.js` causes `require("electron")` to return a string instead of the API, so `electron.app` is `undefined`. This uses `process.argv[0]` as the binary directly, which works for both Electron and plain Node. I introduced more variables for more clarity. Fixes #4154.
This updates the dependencies and implements a workaround for the failing ci tests on node 26.1.0 (#4150). I'm not sure myself whether we should go with this workaround or wait for an upstream fix.
This adds the weather provider Buienradar for the Netherlands and Belgium without requiring an API key. In MagicMirrorOrg/MagicMirror-Documentation#380 @plebcity shared his implementation for the old browser-side architecture. I used it as a reference to build this server-side implementation. ### Example screenshot <img width="969" height="578" alt="Ekrankopio de 2026-05-20 20-38-36" src="https://github.com/user-attachments/assets/56623ad8-7439-4047-abad-452ba2ebdcb2" /> ### Example config ```js { module: "weather", position: "top_left", header: "Buienradar - Current", config: { weatherProvider: "buienradar", type: "current", locationId: 2747891 } }, { module: "weather", position: "top_right", header: "Buienradar - Forecast", config: { weatherProvider: "buienradar", type: "forecast", locationId: 2747891 } }, { module: "weather", position: "bottom_left", header: "Buienradar - Hourly", config: { weatherProvider: "buienradar", type: "hourly", locationId: 2747891 } }, ``` ---- When this is accepted and merged I'll update the weather docs.
Previously, `electronSwitches` only accepted strings. This PR adds
support for object entries, allowing switches with values:
```js
electronSwitches: [
"no-sandbox",
{ "js-flags": "--max-old-space-size=8192" }
]
```
I decided to put the logic into a helper file so it can be unit-tested
independently, since electron.js itself requires a live Electron
environment and cannot be tested in isolation.
Fixes #4159
…er PM2 (#4166) Previously, `nodeRestart()` would spawn a detached child and exit. Under PM2 that's a problem: PM2 also respawns on exit, so both race to bind the same port. The fix: When `process.env.pm_id` is set, just exit and let PM2 handle the restart. The spawn logic is moved into its own method so it can be tested cleanly. Partially fixes #4165
…og (#4167) I suggest to add the commit hash and branch to the system information. This should help trouble shooting issues from developers. Like in #4165. ### before ``` #### System Information #### - SYSTEM: manufacturer: Micro-Star International Co., Ltd.; model: MS-7D75; virtual: false; MM: v2.37.0-develop - OS: ... ... ``` ### after ``` #### System Information #### - MM: version: v2.37.0-develop; git: 03e4eef; branch: develop - SYSTEM: manufacturer: Micro-Star International Co., Ltd.; model: MS-7D75; virtual: false - OS: ... ... ```
ipWhitelist was only applied to HTTP routes, so Socket.IO module namespaces could still be reached from disallowed clients. This adds the same whitelist check to Socket.IO handshakes (allowRequest), and reuses the same client IP resolution for both HTTP and Socket.IO (forwarded IP is only trusted for loopback peers). Also adds tests for handshake allow/deny and forwarded-header behavior. Fixes: GHSA-w26r-fwg8-rcp3
The electron install problem is still not fixed upstream so I added
```json
"overrides": {
"yauzl": "^3.3.1"
},
```
to `package.json`. This should be reverted when fixed upstream.
Add defaults for config options that are already supported in core, so behavior is easier to understand and config stays consistent. This does not change runtime behavior. Refs #4159
When a server responds with 304 (nothing changed since last fetch), the response has no body. Several modules were trying to parse that empty body anyway - which either cleared their cached data or threw an exception. The result: a blank calendar, empty newsfeed, or missing weather data after the next refresh cycle. This was reported in the forum: https://forum.magicmirror.builders/topic/20250/calendar-events-broadcasting-nothing-showing The bug was "introduced" by #4120, which correctly started forwarding 304s to consumers - but not all were ready for it. ### Fix Skip parsing on 304 and keep the existing data as-is: - **calendar** - re-broadcasts cached events - **newsfeed** - re-broadcasts cached items - **buienradar, openmeteo, weatherflow, weathergov** - return early before calling `response.json()`
This keeps the same behavior, but makes the function easier to read. - moved to async/await with early returns - kept only one small Promise wrapper around the _hideModule callback - removed a duplicate speed check - cleaned up JSDoc so timing/return details are clearer No runtime change intended; hide/show sequencing stays the same.
**Please make sure that you have followed these 3 rules before submitting your Pull Request:** > 1. Base your pull requests against the `develop` branch. Done. > 2. Include these infos in the description: > > - Does the pull request solve a **related** issue? No > - If so, can you reference the issue like this `Fixes #<issue_number>`? > - What does the pull request accomplish? Use a list if needed. > - If it includes major visual changes please add screenshots. > Render a strict allowlist of basic formatting tags (b, strong, i, em, u) in news titles and descriptions, while neutralizing all other HTML. Feeds such as The Atlantic encode emphasis as entities (<em>), which html-to-text decoded to a literal <em> string that the template then auto-escaped, so the raw tag was shown on screen. The new opt-in allowBasicHtmlTags option (default false) sanitizes both fields by escaping everything and restoring only the exact, attribute-free allowlisted tags, so the result is safe to render and arbitrary HTML/script injection is impossible. Adds unit tests for the sanitizer and an e2e test covering rendering and an injection attempt. Before screenshot: <img width="980" height="2726" alt="before" src="https://github.com/user-attachments/assets/d1c871e1-21c5-44f9-ae40-da65c2c56f68" /> After screenshot: <img width="980" height="2726" alt="after" src="https://github.com/user-attachments/assets/22d9e86b-221c-408e-a29b-718b0e98f236" /> > 3. Please run `node --run lint:prettier` before submitting so that > style issues are fixed. Done **Note**: Sometimes the development moves very fast. It is highly recommended that you update your branch of `develop` before creating a pull request to send us your changes. This makes everyone's lives easier (including yours) and helps us out on the development team. Thanks again and have a nice day! --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
…ds (#4184) This PR attempts to fix the unauthorized secret expansion vulnerability reported in [GHSA-q4gh-4ffp-5cg8](GHSA-q4gh-4ffp-5cg8). Previously, if a module sent a payload through the socket containing any `**SECRET_FOO**` placeholder, the server would unconditionally expand it with the real environment variable. This meant a manipulated module could theoretically extract secrets that belonged to other modules. To prevent this, the expansion logic is now much stricter and scoped to the individual module: * In `app.js`, we now store a copy of the redacted config (`global.configRedacted`) to keep track of which module uses which secrets. * In `node_helper.js`, before handling a socket notification, we build a specific "allow-list" (`Set`) of secrets that are actually present in the calling module's config. * `replaceSecretPlaceholder` in `server_functions.js` was updated to accept this `Set` and will now only expand placeholders that the module is explicitly authorized to know. Unlisted placeholders are safely ignored. I also updated the unit tests to cover the new allow-list behavior. Since this security stuff is tricky and gives me headaches all the time, I've added more comments than usual. I've tried several ways to make it a little simpler, but unfortunately, I couldn't come up with anything easier than that. I'd appreciate it if someone could take a critical look at the logic to make sure I didn't miss anything!
`_updateDom` was wrapping its entire body in a `new Promise(resolve =>
{...})` constructor just to chain `getDom()` and
`updateDomWithContent()` together. Since `updateDomWithContent` was
already converted to async in #4182, we can now just `await` it directly
- the manual wrapper, the explicit `Promise.resolve()` normalization,
and the nested `.then().catch()` chain all become unnecessary, making
the control flow easier to follow.
Also added `.catch(Log.error)` at both call sites, since async functions
reject on error instead of swallowing it silently.
This adds a pre-filter that drops out-of-window non-recurring events from the raw ICS data before `node-ical` parses it. Recurring events and anything we cannot classify cheaply are kept - the existing logic handles those as before. Some calendars accumulate years of old events. Pre-filtering them reduces the amount of work `node-ical` has to do and keeps event loop lag lower. My benchmarks on a fast machine showed a small but measurable speedup (roughly 10-20% with generated test data); on a Raspberry Pi it should be significantly more noticeable. For the implementation I ended up using [`ics-filter`](https://github.com/runely/ics-filter), suggested by @rejas. I had a custom version first, but ICS date string parsing has enough complexity that it makes sense to delegate it to a package built specifically for this. I also contributed a couple of fixes to `ics-filter` along the way, and the maintainer was responsive and open to improvements, so it seems like a good fit. Solves #4103.
Follow-up to #4185. This PR replaces `.then()`/`.catch()` chains in the DOM update flow with `async/await`, making the code easier to read and reason about. **What changed:** - `createDomObjects` and `MM.updateDom` are now `async`, the nested `.then()` callbacks are gone - Extracted a small `createModuleDom()` helper to keep the loop in `createDomObjects` readable - Errors in `createDomObjects` are caught in a single `try/catch` - before, a failing module could cause an unhandled Promise rejection - `updateDomWithContent` now properly awaits the full show animation before resolving. The old code called `resolve()` while the animation was still running, which was technically wrong - Fixed `@param {Promise} callback` in JSDoc - it's not a Promise, it's a plain `() => void` function
With SunCalc v2 we have to point the browser vendor mapping to the new CJS bundle.
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>What's Changed</h2> <ul> <li>block checking out fork pr for pull_request_target and workflow_run by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li> <li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li> <li>Bump flatted from 3.3.1 to 3.4.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li> <li>Bump js-yaml from 4.1.0 to 4.2.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li> <li>Bump <code>@actions/core</code> and <code>@actions/tool-cache</code> and Remove uuid by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li> <li>upgrade module to esm and update dependencies by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li> <li>Bump the minor-npm-dependencies group across 1 directory with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li> <li>getting ready for checkout v7 release by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2464">actions/checkout#2464</a></li> <li>update error wording by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2467">actions/checkout#2467</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6.0.3...v7.0.0">https://github.com/actions/checkout/compare/v6.0.3...v7.0.0</a></p> <h2>v6.0.3</h2> <h2>What's Changed</h2> <ul> <li>Update changelog by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2357">actions/checkout#2357</a></li> <li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li> <li>Fix checkout init for SHA-256 repositories by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li> <li>Update changelog for v6.0.3 by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2446">actions/checkout#2446</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/yaananth"><code>@yaananth</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6...v6.0.3">https://github.com/actions/checkout/compare/v6...v6.0.3</a></p> <h2>v6.0.2</h2> <h2>What's Changed</h2> <ul> <li>Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by <a href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2355">actions/checkout#2355</a></li> <li>Fix tag handling: preserve annotations and explicit fetch-tags by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6.0.1...v6.0.2">https://github.com/actions/checkout/compare/v6.0.1...v6.0.2</a></p> <h2>v6.0.1</h2> <h2>What's Changed</h2> <ul> <li>Update all references from v5 and v4 to v6 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2314">actions/checkout#2314</a></li> <li>Add worktree support for persist-credentials includeIf by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li> <li>Clarify v6 README by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2328">actions/checkout#2328</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6...v6.0.1">https://github.com/actions/checkout/compare/v6...v6.0.1</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>v7.0.0</h2> <ul> <li>Block checking out fork PR for pull_request_target and workflow_run by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li> <li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li> <li>Bump flatted from 3.3.1 to 3.4.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li> <li>Bump js-yaml from 4.1.0 to 4.2.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li> <li>Bump <code>@actions/core</code> and <code>@actions/tool-cache</code> and Remove uuid by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li> <li>upgrade module to esm and update dependencies by <a href="https://github.com/aiqiaoy"><code>@aiqiaoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li> <li>Bump the minor-npm-dependencies group across 1 directory with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li> </ul> <h2>v6.0.3</h2> <ul> <li>Fix checkout init for SHA-256 repositories by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li> <li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a href="https://github.com/yaananth"><code>@yaananth</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li> </ul> <h2>v6.0.2</h2> <ul> <li>Fix tag handling: preserve annotations and explicit fetch-tags by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li> </ul> <h2>v6.0.1</h2> <ul> <li>Add worktree support for persist-credentials includeIf by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li> </ul> <h2>v6.0.0</h2> <ul> <li>Persist creds to a separate file by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li> <li>Update README to include Node.js 24 support details and requirements by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li> </ul> <h2>v5.0.1</h2> <ul> <li>Port v6 cleanup to v5 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li> </ul> <h2>v5.0.0</h2> <ul> <li>Update actions checkout to use node 24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li> </ul> <h2>v4.3.1</h2> <ul> <li>Port v6 cleanup to v4 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li> </ul> <h2>v4.3.0</h2> <ul> <li>docs: update README.md by <a href="https://github.com/motss"><code>@motss</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li> <li>Add internal repos for checking out multiple repositories by <a href="https://github.com/mouismail"><code>@mouismail</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li> <li>Documentation update - add recommended permissions to Readme by <a href="https://github.com/benwells"><code>@benwells</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li> <li>Adjust positioning of user email note and permissions heading by <a href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li> <li>Update CODEOWNERS for actions by <a href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li> <li>Update package dependencies by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li> </ul> <h2>v4.2.2</h2> <ul> <li><code>url-helper.ts</code> now leverages well-known environment variables by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li> <li>Expand unit test coverage for <code>isGhes</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li> </ul> <h2>v4.2.1</h2> <ul> <li>Check out other refs/* by commit if provided, fall back to ref by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0"><code>9c091bb</code></a> update error wording (<a href="https://redirect.github.com/actions/checkout/issues/2467">#2467</a>)</li> <li><a href="https://github.com/actions/checkout/commit/1044a6dea927916f2c38ba5aeffbc0a847b1221a"><code>1044a6d</code></a> getting ready for checkout v7 release (<a href="https://redirect.github.com/actions/checkout/issues/2464">#2464</a>)</li> <li><a href="https://github.com/actions/checkout/commit/f0282184c7ce73ab54c7e4ab5a617122602e575f"><code>f028218</code></a> Bump the minor-npm-dependencies group across 1 directory with 3 updates (<a href="https://redirect.github.com/actions/checkout/issues/2462">#2462</a>)</li> <li><a href="https://github.com/actions/checkout/commit/d914b262ffc244530a203ab40decab34c3abf34d"><code>d914b26</code></a> upgrade module to esm and update dependencies (<a href="https://redirect.github.com/actions/checkout/issues/2463">#2463</a>)</li> <li><a href="https://github.com/actions/checkout/commit/537c7ef99cef6e5ddb5e7ff5d16d14510503801d"><code>537c7ef</code></a> Bump <code>@actions/core</code> and <code>@actions/tool-cache</code> and Remove uuid (<a href="https://redirect.github.com/actions/checkout/issues/2459">#2459</a>)</li> <li><a href="https://github.com/actions/checkout/commit/130a169078a413d3a5246a393625e8e742f387f6"><code>130a169</code></a> Bump js-yaml from 4.1.0 to 4.2.0 (<a href="https://redirect.github.com/actions/checkout/issues/2461">#2461</a>)</li> <li><a href="https://github.com/actions/checkout/commit/7d09575332117a40b46e5e020664df234cd416f3"><code>7d09575</code></a> Bump flatted from 3.3.1 to 3.4.2 (<a href="https://redirect.github.com/actions/checkout/issues/2460">#2460</a>)</li> <li><a href="https://github.com/actions/checkout/commit/0f9f3aa320cb53abeb534aeb54048075d9697a0e"><code>0f9f3aa</code></a> Bump actions/publish-immutable-action (<a href="https://redirect.github.com/actions/checkout/issues/2458">#2458</a>)</li> <li><a href="https://github.com/actions/checkout/commit/f9e715a95fcd1f9253f77dd28f11e88d2d6460c7"><code>f9e715a</code></a> block checking out fork pr for pull_request_target and workflow_run (<a href="https://redirect.github.com/actions/checkout/issues/2454">#2454</a>)</li> <li>See full diff in <a href="https://github.com/actions/checkout/compare/v6...v7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: veeck <gitkraken@veeck.de>
KristjanESPERANTO
approved these changes
Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release Notes
Thanks to: @angeldeejay, @egeekial, @khassel, @KristjanESPERANTO, @MikeBishop, @rejas
Compare to previous Release v2.36.0
[core]
[dependencies]
[modules/alert]
[modules/calendar]
[modules/newsfeed]
[modules/updatenotification]
[modules/weather]
[testing]