Commit Graph

2863 Commits

Author SHA1 Message Date
Tiago Farto 039de42345 chore: update sso deletion backport 2026-05-15 11:55:14 +00:00
Tiago Farto 0834f0a849 chore: polish SSO confirmation terminology 2026-05-14 13:53:18 +00:00
Tiago Farto 0cb2d2b3d2 chore: backport SSO confirmation env rename 2026-05-14 13:50:17 +00:00
Tiago Farto 98abc421e4 chore: backport SSO deletion simplification 2026-05-14 13:47:15 +00:00
Dhruwang 613c91a719 Merge branch 'release/4.9' of https://github.com/formbricks/formbricks into backport/7930-sso-account-deletion
# Conflicts:
#	pnpm-lock.yaml
2026-05-13 10:44:58 +05:30
Matti Nannt 80e1cc2411 fix: patch transitive and direct dependency security vulnerabilities for 4.9
Updates direct dependencies with known CVEs and adds/tightens pnpm overrides
for transitive dependencies that cannot be updated directly.

Direct updates:
- next: 16.1.7 → 16.2.6 (middleware bypass, SSRF, DoS, XSS CVEs)
- lodash: 4.17.23 → 4.18.1 (code injection via template CVE-2025-62616)
- nodemailer: 8.0.2 → 8.0.7 (SMTP injection CVEs)
- uuid: 13.0.0 → 13.0.2 (buffer bounds check CVE)
- postcss: 8.5.8 → 8.5.14 (XSS via unescaped </style> CVE-2025-62695)
- @opentelemetry suite: 0.213.0 → 0.217.0 / 2.6.0 → 2.7.1

Override additions/updates:
- protobufjs@7: 7.5.8, protobufjs@8: 8.2.0 (GHSA-xq3m-2v4x-88gg arbitrary code execution)
- @protobufjs/utf8: 1.1.1 (overlong UTF-8 CVE)
- vite@7: 7.3.3, vite@8: 8.0.12 (GHSA-v2wj-q39q-566r fs.deny bypass, GHSA-p9ff-h696-f583 file read)
- node-forge: 1.4.0 (multiple signature forgery / DoS CVEs)
- defu: 6.1.7 (prototype pollution CVE-2025-62629)
- brace-expansion@1/2/5: patched (ReDoS CVE-2025-67313)
- picomatch@2/4: patched (ReDoS CVE-2025-60538/63394)
- dompurify: 3.4.2 (XSS CVE-2025-26791)
- ip-address: 10.1.1 (ReDoS CVE-2025-62629)
- fast-uri: 3.1.2 (CVE-2025-48944/48945)
- fast-xml-parser: 5.7.0 (multiple CVEs)
- yaml: 2.8.3 (CVE-2025-63675)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-12 21:33:15 +02:00
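The commit above fixes transitive dependencies through `pnpm.overrides` rather than direct updates. An override in package.json only takes effect once `pnpm install` has regenerated pnpm-lock.yaml, so the check a reviewer wants on such a backport is that every resolved lockfile entry covered by an override is at or above the pinned version. The script below is an added example, not Formbricks code: it takes an overrides map (constructed here from a few entries in the commit message) and a constructed list of `name@version` package keys in the style of a pnpm v9 lockfile, and reports entries the override should have replaced but that still resolve older. Selector syntax such as `protobufjs@7` is treated as "applies to major 7 only", which is the assumption this example makes about how such keys are scoped.

```javascript
// Added example (not part of the Formbricks repository): verify that
// pnpm.overrides are reflected in the resolved lockfile entries.

// Constructed sample of pnpm.overrides, modelled on the commit message.
const overrides = {
  "protobufjs@7": "7.5.8",
  "protobufjs@8": "8.2.0",
  "@protobufjs/utf8": "1.1.1",
  "node-forge": "1.4.0",
  "dompurify": "3.4.2",
};

// Constructed sample of package keys as found under `packages:` in a
// pnpm v9 lockfile (name@version; scoped names keep their leading "@").
const lockfilePackageKeys = [
  "protobufjs@7.5.8",
  "protobufjs@8.1.0",        // below the protobufjs@8 override
  "@protobufjs/utf8@1.1.0",  // below the @protobufjs/utf8 override
  "node-forge@1.4.0",
  "dompurify@3.4.2",
  "lodash@4.18.1",           // no override, ignored
];

// Split "name@version" or "@scope/name@version" at the last "@".
function splitKey(key) {
  const at = key.lastIndexOf("@");
  if (at <= 0) throw new Error(`bad package key: ${key}`);
  return { name: key.slice(0, at), version: key.slice(at + 1) };
}

// Override keys may carry a major-version selector ("protobufjs@7").
// Assumption for this example: the selector is a bare major number.
function parseOverrideKey(key) {
  const at = key.lastIndexOf("@");
  if (at <= 0) return { name: key, major: null };
  return { name: key.slice(0, at), major: Number(key.slice(at + 1)) };
}

// Numeric comparison of dotted versions (no prerelease handling).
// Returns <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns the lockfile entries an override should have replaced but
// that still resolve to a version below the pinned one.
function findStaleResolutions(overridesMap, packageKeys) {
  const stale = [];
  for (const [overrideKey, minVersion] of Object.entries(overridesMap)) {
    const { name, major } = parseOverrideKey(overrideKey);
    for (const pkey of packageKeys) {
      const { name: pname, version } = splitKey(pkey);
      if (pname !== name) continue;
      if (major !== null && Number(version.split(".")[0]) !== major) continue;
      if (compareVersions(version, minVersion) < 0) {
        stale.push({ override: overrideKey, resolved: pkey, expected: minVersion });
      }
    }
  }
  return stale;
}

const report = findStaleResolutions(overrides, lockfilePackageKeys);
console.log(report.length === 0 ? "all overrides applied" : report);
```

On the constructed input the report lists `protobufjs@8.1.0` and `@protobufjs/utf8@1.1.0`; an empty report is the condition to require before merging a dependency-patch backport, since a lockfile conflict resolved by hand (as in the merge commit above) is exactly where a stale resolution slips through.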
Dhruwang fef959e9aa test: strip backport-only test additions
Backport PRs should not introduce new test files or test cases beyond
what already exists on the release branch — even when those tests live
on main. Coverage for the underlying functionality remains on main via
the original PR (#7930); duplicating it here only inflates the backport
diff.

Removes 7 added test files and 3 test cases that were added to
jwt.test.ts (account deletion SSO reauthentication intents). Existing
test file updates (user.test.ts cleanup, providers.test.ts and
keys.test.ts trivial adjustments) are kept. No production code touched.
2026-05-12 18:59:07 +05:30
Tiago Farto 240ce70feb test: restore sso reauth coverage 2026-05-12 12:21:58 +00:00
Tiago Farto c16a77fd66 test: restore scoped sso deletion coverage 2026-05-12 12:10:35 +00:00
Tiago Farto f33cfcd11f test: fix sso backport expectations 2026-05-12 11:46:17 +00:00
Tiago Farto a164fb213f test: cover sso account deletion backport 2026-05-12 10:57:40 +00:00
Tiago Farto d3cf3f05f2 chore: trim release backport scope 2026-05-12 10:42:35 +00:00
Tiago Farto 261d2050fc test: isolate authenticated api client 2026-05-11 15:05:34 +00:00
Tiago 5b26354f48 fix: sso account deletion password check (#7930)
(cherry picked from commit 69ead97965)
2026-05-11 14:52:01 +00:00
Tiago Farto 9b4be60dd9 fix: backport account deletion authorization (#7901) 2026-04-28 12:52:06 +00:00
Dhruwang Jariwala bad3b7a771 fix: (backport) prevent SSRF via redirect following in webhook delivery (#7877) (#7892) 2026-04-27 15:32:12 +05:30
Anshuman Pandey 9178558ba1 fix: prevent SSRF via redirect following in webhook delivery (#7877) 2026-04-27 15:08:17 +05:30
Dhruwang Jariwala a65e6d9093 fix: prevent Airtable integration crash when token expires (#7811)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 11:02:04 +05:30
Tiago Farto e1a44817f2 fix: password hash visibility improvement
(cherry picked from commit 73ad130ece)
2026-04-24 13:10:40 +00:00
Dhruwang 60e7c7e8ee fix(surveys): prevent split offline responses on restore (backport #7767)
Backport of #7767 to release/4.9. Anchors displayId and responseId back
into saved survey progress as soon as they are created, recovers a
missing responseId from displayId on restore, and falls back to a
bootstrap create path that uses the full accumulated response state.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-20 11:43:46 +05:30
Bhagya Amarasinghe 8204a5c652 fix: restore legacy SSO auto-linking hotfix (#7728) 2026-04-13 20:42:33 +05:30
Anshuman Pandey e823e10f9a fix: backports missing posthog events fix (#7723) 2026-04-13 17:36:39 +05:30
Dhruwang Jariwala 2d66fc6987 fix: prevent TTC overcount for multi-question blocks (backport #7713) (#7719) 2026-04-13 14:40:35 +05:30
Dhruwang Jariwala 652970003d fix: validate "Other" option text on required questions and remove duplicate response entry (backport #7716) (#7717) 2026-04-13 12:27:08 +04:00
Dhruwang Jariwala 322f0be197 fix: improve restricted ID validation toast with i18n support (#7703)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Johannes <johannes@formbricks.com>
2026-04-12 06:18:13 +00:00
Manuel Delgado 1a02f91afd fix(api): return 409 Conflict instead of 500 when creating user with duplicate email (#7675)
Co-authored-by: Tiago Farto <tiago@formbricks.com>
2026-04-10 14:28:17 +00:00
Tiago cc22ccb22d chore: Harden SSO account linking for existing email-based accounts (#7702) 2026-04-10 14:19:21 +00:00
Tiago 12763f0ef6 fix: Dutch translations for link survey footer (Privacy Policy, Imprint, Report Survey) (#7707) 2026-04-10 13:42:15 +00:00
Dhruwang Jariwala d39e3ee638 feat: offline support for link surveys (#7694)
Co-authored-by: Matti Nannt <mail@matthiasnannt.com>
Co-authored-by: Anshuman Pandey <54475686+pandeymangg@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: pandeymangg <anshuman.pandey9999@gmail.com>
Co-authored-by: Johannes <johannes@formbricks.com>
2026-04-10 11:27:48 +00:00
dingdyan d85242a86b fix: handle internal server error toast behavior in create organization (#7662)
Co-authored-by: Dhruwang <dhruwangjariwala18@gmail.com>
2026-04-10 11:13:10 +00:00
Dhruwang Jariwala 805c1c6874 fix: (duplicate) server error toast handling (#7701) 2026-04-10 09:22:16 +00:00
Niels Kaspers 01687e8907 fix: add TERMS_URL support to survey link footers (#7670) 2026-04-10 09:21:11 +00:00
Johannes 31d455002d feat: unify nav auth behaviour (#7635)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Johannes <jobenjada@users.noreply.github.com>
2026-04-09 14:26:14 +00:00
Johannes d96304d86d fix: make navigation more user-friendly (#7599)
Co-authored-by: Tiago Farto <tiago@formbricks.com>
2026-04-09 08:03:24 +00:00
Anshuman Pandey 3d16e859c6 feat: custom posthog events (#7647) 2026-04-09 05:34:01 +00:00
Tiago 87bcad2b20 feat: Supporting different AI providers within Formbricks (#7611)
Co-authored-by: Dhruwang <dhruwangjariwala18@gmail.com>
2026-04-06 05:45:12 +00:00
Anshuman Pandey b5eaa4c7fd fix: merge epic/improve-telemetry into main (#7666) 2026-04-03 10:12:51 +00:00
Tiago 995c03bc01 chore: Revoke all active sessions after password reset (#7628) 2026-04-03 06:10:28 +00:00
Johannes b4395a48c5 fix: multi-lang toggle covering arabic text (#7657)
Co-authored-by: Dhruwang <dhruwangjariwala18@gmail.com>
2026-04-02 13:09:16 +00:00
Johannes 461e3893fe fix: 7549 multilang button overflow (#7656)
Co-authored-by: Niels Kaspers <kaspersniels@gmail.com>
2026-04-02 12:53:57 +00:00
Tiago 735a9f84ec fix: harden api error reporting for v2/v1 Sentry observability (#7633) 2026-04-02 12:08:44 +00:00
Tiago b975e7fa2e feat: Make password reset links single-use and revocable (#7627) 2026-04-01 07:12:37 +00:00
Johannes 6c3052f9e4 fix: correct CSAT template option order for question 2 (#7636)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Johannes <jobenjada@users.noreply.github.com>
2026-04-01 07:11:27 +00:00
Dhruwang Jariwala 5bb8119ebf feat: split AI toggle into smart tools and data analysis settings (#7563) 2026-03-31 11:23:51 +00:00
Johannes 02411277d4 revert: remove fake-door workflows experiment (#7392) (#7631)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Johannes <jobenjada@users.noreply.github.com>
2026-03-31 10:47:33 +00:00
Dhruwang Jariwala 4cfb8c6d7b fix: resolve language code case mismatch in link survey rendering (#7624)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-30 11:34:20 +00:00
Anshuman Pandey e74a51a5ff fix: sync segment state after auto-save to prevent stale reference on publish (#7619) 2026-03-30 06:51:44 +00:00
Dhruwang Jariwala 29cc6a10fe fix: prevent auto-save from overwriting survey status during publish (#7618) 2026-03-30 06:34:20 +00:00
Bhagya Amarasinghe 01f765e969 fix: migrate auth sessions to database-backed storage (#7594) 2026-03-27 07:15:06 +00:00
Anshuman Pandey 9366960f18 feat: adds support for internal webhook urls (#7577) 2026-03-27 07:04:14 +00:00