* ci(docs): build on PRs and pin Node 22 (Qodo follow-up to #7640)
Qodo flagged two reliability gaps on the oxc-minify fix that landed in
#7640:
1. The Deploy Docs to GitHub Pages workflow only ran on push to
develop, so a PR that broke `pnpm run docs:build` was not caught
until after merge — exactly how the dead-link regression in #7546
escaped. Add a pull_request trigger that runs the same build but
skips the deploy/upload steps via `if: github.event_name ==
'push'`. Also include the workflow file itself in the path filter
so changes to it are exercised on PR.
2. oxc-minify@0.128.0 requires Node ^20.19.0 || >=22.12.0, but the
workflow did not pin Node and the repo declared engines.node
>=22.0.0 with engineStrict: true — a runner image (or local dev)
on Node 22.0–22.11 would refuse to install. Pin Node 22 in the
docs workflow with actions/setup-node@v6 (matching the rest of
CI), and bump engines.node to >=22.12.0 so the project's
engineStrict gate matches the actual minimum.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* ci(docs): split build and deploy so PR runs do not hit pages env protection
The previous attempt put `if: github.event_name == 'push'` on individual
deploy steps but kept the single job's `environment: github-pages`
binding. Environment protection rules reject any non-develop ref
(including `refs/pull/N/merge`), so the runner failed the entire job
at creation time before any step could execute:
Branch "refs/pull/7645/merge" is not allowed to deploy to
github-pages due to environment protection rules.
Split into two jobs: `build` runs on every trigger (PR + push) and
uploads the artifact only on push, `deploy` depends on `build`,
runs only on push, and is the only job bound to the github-pages
environment. Standard GHA pages-deploy pattern; PR builds never
attempt to enter the protected environment.
* docs: align Node minimum references with bumped engines.node (Qodo round 2 on #7645)
Qodo flagged that engines.node moved from >=22.0.0 to >=22.12.0 in
this PR but documentation still claimed the old requirement. Sync the
three places that pinned a specific minimum:
- README.md installation requirements (>= 22 → >= 22.12)
- doc/npm-trusted-publishing.md publish prerequisites
(>=22.0.0 → >=22.12.0, with oxc-minify cited as the driver)
- CHANGELOG.md 2.7.3 breaking-changes entry (22 → 22.12, with the
same oxc-minify justification)
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a pnpm.overrides block to force-upgrade vulnerable transitive
dependencies to their patched versions. All 33 open Dependabot alerts on
ether/etherpad are against pnpm-lock.yaml; none of these packages are
direct dependencies of the workspace.
Bumps (vulnerable range → pinned):
- basic-ftp ≤5.2.2 → ≥5.3.0 (GHSA-5rq4-664w-9x2c,
GHSA-6v7q-wjvx-w8wg,
GHSA-rp42-5vxx-qpwr)
- brace-expansion <2.0.3 → ≥2.0.3 (GHSA-f886-m6hf-6m8v)
- diff <8.0.3 → ≥8.0.3 (GHSA-73rr-hh4g-fpgx)
- flatted <3.4.2 → ≥3.4.2 (GHSA-25h7-pfq9-p65f,
GHSA-rf6f-7fwh-wjgh)
- follow-redirects ≤1.15.11 → ≥1.16.0 (GHSA-r4q5-vmmm-2653)
- glob (10.x CLI) <10.5.0 → ≥10.5.0 (GHSA-5j98-mcp5-4vw2)
- js-yaml <4.1.1 → ≥4.1.1 (GHSA-mh29-5h37-fv8m)
- lodash ≤4.17.23 → ≥4.18.0 (GHSA-f23m-r3pf-42rh,
GHSA-r5fr-rjxr-66jc)
- minimatch (9.x) <9.0.7 → ≥9.0.7 (GHSA-23c5-xmqv-rm74,
GHSA-3ppc-4f35-3m26,
GHSA-7r86-cg39-jmmj)
- path-to-regexp (8.x) <8.4.0 → ≥8.4.0 (GHSA-27v5-c462-wpq7,
GHSA-j3q9-mxjg-w52f)
- picomatch (4.x) <4.0.4 → ≥4.0.4 (GHSA-3v7f-55p6-f55p,
GHSA-c2c7-rcm5-vvqj)
- qs <6.14.2 → ≥6.14.2 (GHSA-6rw7-vpxm-498p,
GHSA-w7fw-mjwx-w883)
- serialize-javascript ≤7.0.2 → ≥7.0.5 (GHSA-5c6j-r48x-rmvq,
GHSA-qj8w-gfj5-8c6v)
- socket.io-parser <4.2.6 → ≥4.2.6 (GHSA-677m-j7p3-52f9)
- tar <7.5.11 → ≥7.5.11 (GHSA-8qq5-rm4j-mr97,
GHSA-34x7-hfp2-rc4v,
GHSA-r6q2-hw4h-h46w,
GHSA-83g3-92jg-28cx,
GHSA-qffp-2rhf-9h96,
GHSA-9ppj-qmqm-q256)
- vite (non-aliased) <7.3.2 → ≥7.3.2 (GHSA-p9ff-h696-f583,
GHSA-v2wj-q39q-566r,
GHSA-4w7w-66w2-5vf9)
Scoped overrides are used where the vulnerable range is a specific major
line — e.g. `minimatch@>=9.0.0 <9.0.7` — so that 3.x/10.x lines resolving
via unrelated dependency chains are not disturbed. Otherwise the override
targets the bare package name.
Note: admin/ui/doc packages alias `vite` to `rolldown-vite@7.2.10`; those
are a separate package on npm and the vite CVEs do not apply to them.
- `pnpm install` succeeds
- `pnpm run ts-check` clean
- No source code changes; `tar` and `glob` are not directly imported by
etherpad-lite sources, so the major-version bumps (tar 6→7, glob 10→13)
affect only transitive consumers that already declare compatibility.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore: Rename some occurences of etherpad-lite to etherpad
* chore: Adjust etherpad git urls
* chore: Rename more occurences from etherpad-lite to etherpad
* chore: Adjust default text
Some pnpm versions don't read onlyBuiltDependencies / ignoredBuiltDependencies
from pnpm-workspace.yaml — leaving CI on plugin repos to fail with
ERR_PNPM_IGNORED_BUILDS even after #7523 added the workspace.yaml entries.
Mirror the same configuration into package.json's "pnpm" field, which is
the older (and more widely supported) location. The two files are kept in
sync; whichever pnpm version reads the values picks them up from one or
the other.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: use gnpm
* chore: fixed pnpm
* chore: fixed gnpm
* chore: fixed jq
* chore: use 0.0.7
* chore: use flag for building
* chore: fixed all backend tests
* chore: continue with porting things
* chore: fixed path
* chore: fixed backend tests
* chore: upgraded all to gnpm
* chore: updated to gnpm 0.0.9
* chore: echo current env with debug logs
* chore: install with frozen lockfile
* chore: use 0.0.10
* chore: use 0.0.11
* chore: use 0.0.12 globally
* chore: reworked handleRelease workflow to be up to date and depend on other workflows
* Add script to trigger test on utils
* Add new function to remove the comments from the settings file.
It reduces the size of the payload when we save on the admin page `.../admin/settings`
* Add font-family: monospace; to the settings
* Upgrade the live-plugin-manager
* Fix migration scripts to skip checking for the system directory of live-plugin-manager
* Updated lockfile
* Improved handling of install.
---------
Co-authored-by: yacchin1205 <968739+yacchin1205@users.noreply.github.com>
Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
