Skip to content

Release v2025.4 #1506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sadiqkhoja merged 17 commits into from
Dec 15, 2025
Merged

Release v2025.4 #1506

sadiqkhoja merged 17 commits into from
Dec 15, 2025

Conversation

@matthew-white
Copy link
Member

@matthew-white matthew-white commented Dec 1, 2025

This PR prepares the release of v2025.4. It should only contain changes from other PRs that have already been approved and merged (and possibly merge commits from the master branch).

alxndrsn and others added 16 commits November 18, 2025 11:04
@alxndrsn
nginx: udpate CSP for frontend maps (#1468)
d833567 
Closes #1403
@alxndrsn
nginx/csp: make blank.html CSP completely restrictive (#1479)
33e4715
@alxndrsn
csp-report: ensure Sentry requests are made with SNI (#1411)
5c129e5
@alxndrsn
csp: allow backend passthrough for /oidc/callback (#1478)
924d320 
Closes #1235
@brontolosone
expose database pool's maximum size, fixes #494
117b5fc
@alxndrsn
nginx/redirector: add warning re editing the file (#1509)
3017cc6
@alxndrsn
ci: run gixy to detect nginx config issues (#1508)
93fda4a 
* `gixy-ng` seems to be a maintained, popular fork of `gixy`
  * `gixy-ng`: https://github.com/dvershinin/gixy/
  * original `gixy` repo: https://github.com/yandex/gixy/
* currently only considering HIGH-level reports
  * there are some HIGH reports that can be fixed without much effort or controversy
  * there are some MEDIUM reports which are more complicated; this commit ignores those
@alxndrsn
CSP: add reporting for blank.html (#1515)
b4252cb 
It was an oversight to omit reporting for blank.html and other "disallow-all" pages.  With a `report-uri` directive, violations will not be known.

Co-authored-by: alxndrsn <alxndrsn>
@alxndrsn
ci: separate gixy step (#1521)
21475da 
Compared to mocha, the gixy step is slow and noisy, and it's helpful locally to be able to set up the docker compose env and then run the mocha tests separately from gixy.
@alxndrsn
CSP: frontend: allow Google Translate images (#1519)
3cab387 
This commit:

* makes the frontend policy consistent with other policies which allow for Google Translate images
* provides a template for addition of other browser-plugin-related policy
* removes enforcement of policy order, although the served policies maintain their current ordering

Closes #1518
@alxndrsn
nginx/csp: switch rules for API and blank.html (#1524)
2ddd987 
* blank.html should allow Google Translate
* API endpoints should allow nothing, as they shouldn't be loaded as browser pages

Closes #1516
Closes #1517
@alxndrsn @lognaturel
nginx/csp: clarify use of 'none' directives (#1529)
76561e5 
Co-authored-by: Hélène Martin <ln@getodk.org>
@alxndrsn @lognaturel
nginx/csp/frontend: fix: OpenLayers (map) worker-src (#1530)
718dd60 
Split from https://github.com/getodk/central/pull/1526/files#r2587794987

The only identifiable Worker in frontend is from OpenLayers for displaying maps, and requires blob:, not data:.

Incorrect map-specific CSP introduced in #1468.

Co-authored-by: Hélène Martin <ln@getodk.org>
Co-authored-by: alxndrsn <alxndrsn>
@alxndrsn
nginx/csp/frontend: block non-https images (#1531)
3846982 
Users can include images in various bits of markdown around odk-central-frontend.  This change blocks non-HTTPS images from being loaded in those markdown snippets.

---------

Co-authored-by: alxndrsn <alxndrsn>
@lognaturel
Add CSP headers specifically for Web Forms (#1526)
d210e58
@sadiqkhoja
V2025.4/update deps (#1546)
3810f54 
* Chores: updated node to 22.21.1

* updated stmp image to 1.1.5

* updated redis to 7.4.7

* Updated npm packages

* Updated postgres to 14.20
@matthew-white matthew-white marked this pull request as ready for review December 15, 2025 18:36
@matthew-white
Copy link
Member Author

matthew-white commented Dec 15, 2025

I've marked this PR as ready for review, since the only thing it needs now is an update to submodules.

sadiqkhoja
sadiqkhoja approved these changes Dec 15, 2025
View reviewed changes
Copy link
Contributor

@sadiqkhoja sadiqkhoja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified that it includes already approved changes only.

@sadiqkhoja sadiqkhoja merged commit f33060e into master Dec 15, 2025
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sadiqkhoja sadiqkhoja sadiqkhoja approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@matthew-white @sadiqkhoja @alxndrsn @brontolosone @lognaturel