chore: add undici for oidc proxy support

2026-05-11 00:44:07 +08:00 · 2026-04-24 14:29:57 +01:00
10 changed files with 691 additions and 734 deletions
@@ -1,7 +1,7 @@
 {
  "name": "client",
  "private": true,
-  "version": "0.80.1",
+  "version": "0.80.0",
  "scripts": {
    "dev": "vite",
    "build": "tsc && vite build",
@@ -31,8 +31,8 @@
    "emoji-mart": "^5.6.0",
    "file-saver": "^2.0.5",
    "highlightjs-sap-abap": "^0.3.0",
-    "i18next": "25.10.1",
+    "i18next": "^25.10.1",
-    "i18next-http-backend": "3.0.6",
+    "i18next-http-backend": "^3.0.2",
    "jotai": "^2.18.1",
    "jotai-optics": "^0.4.0",
    "js-cookie": "^3.0.5",
@@ -42,7 +42,7 @@
    "mantine-form-zod-resolver": "^1.3.0",
    "mermaid": "^11.13.0",
    "mitt": "^3.0.1",
-    "posthog-js": "1.372.2",
+    "posthog-js": "1.370.0",
    "react": "^18.3.1",
    "react-arborist": "3.4.0",
    "react-clear-modal": "^2.0.18",
@@ -50,7 +50,7 @@
    "react-drawio": "^1.0.7",
    "react-error-boundary": "^6.1.1",
    "react-helmet-async": "^3.0.0",
-    "react-i18next": "16.5.8",
+    "react-i18next": "^16.5.8",
    "react-router-dom": "^7.13.1",
    "semver": "^7.7.4",
    "socket.io-client": "^4.8.3",
@@ -74,7 +74,7 @@
    "eslint-plugin-react-refresh": "^0.5.2",
    "globals": "^15.13.0",
    "optics-ts": "^2.4.1",
-    "postcss": "^8.5.12",
+    "postcss": "^8.5.8",
    "postcss-preset-mantine": "^1.18.0",
    "postcss-simple-vars": "^7.0.1",
    "prettier": "^3.8.1",
@@ -1,6 +1,6 @@
 {
  "name": "server",
-  "version": "0.80.1",
+  "version": "0.80.0",
  "description": "",
  "author": "",
  "private": true,
@@ -33,9 +33,9 @@
    "@ai-sdk/google": "^3.0.52",
    "@ai-sdk/openai": "^3.0.47",
    "@ai-sdk/openai-compatible": "^2.0.37",
-    "@aws-sdk/client-s3": "3.1037.0",
+    "@aws-sdk/client-s3": "3.1014.0",
-    "@aws-sdk/lib-storage": "3.1037.0",
+    "@aws-sdk/lib-storage": "3.1014.0",
-    "@aws-sdk/s3-request-presigner": "3.1037.0",
+    "@aws-sdk/s3-request-presigner": "3.1014.0",
    "@clickhouse/client": "^1.18.2",
    "@fastify/cookie": "^11.0.2",
    "@fastify/multipart": "^10.0.0",
@@ -110,7 +110,7 @@
    "react": "^18.3.1",
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2",
-    "sanitize-filename": "1.6.3",
+    "sanitize-filename-ts": "1.0.2",
    "socket.io": "^4.8.3",
    "stripe": "^17.7.0",
    "tlds": "^1.261.0",
@@ -166,9 +166,6 @@
    "transform": {
      "^.+\\.(t|j)s$": "ts-jest"
    },
    "transformIgnorePatterns": [
      "/node_modules/(?!(\\.pnpm/)?(nanoid|uuid|image-dimensions|marked)(@|/))"
    ],
    "collectCoverageFrom": [
      "**/*.(t|j)s"
    ],
@@ -1,6 +1,6 @@
 import * as path from 'path';
 import * as bcrypt from 'bcrypt';
-import sanitize = require('sanitize-filename');
+import { sanitize } from 'sanitize-filename-ts';
 import { FastifyRequest } from 'fastify';
 import { Readable, Transform } from 'stream';
@@ -72,33 +72,11 @@ export function extractDateFromUuid7(uuid7: string) {
  return new Date(timestamp);
 }
-export type SanitizeFileNameOptions = {
+export function sanitizeFileName(fileName: string): string {
-  /** Keep spaces and `#` instead of replacing them with `_`. Useful for
+  const sanitizedFilename = sanitize(fileName)
-   * download filenames where readability matters. Defaults to false. */
+    .replace(/ /g, '_')
-  preserveSpaces?: boolean;
+    .replace(/#/g, '_');
-};
+  return sanitizedFilename.slice(0, 255);
 export function sanitizeFileName(
  fileName: string,
  options: SanitizeFileNameOptions = {},
 ): string {
  // Decode percent-encoded sequences so that bypasses like "..%2F" reach
  // sanitize() as literal "../" and get stripped. sanitize-filename only
  // strips literal characters and won't catch encoded path separators
  // on its own.
  const decoded = fileName.replace(/%[0-9a-fA-F]{2}/g, (m) => {
    try {
      return decodeURIComponent(m);
    } catch {
      return m;
    }
  });
  const sanitized = sanitize(decoded);
  if (options.preserveSpaces) {
    return sanitized;
  }
  return sanitized.replace(/ /g, '_').replace(/#/g, '_');
 }
 export function removeAccent(str: string): string {
@@ -53,6 +53,7 @@ import { EnvironmentService } from '../../integrations/environment/environment.s
 import { TokenService } from '../auth/services/token.service';
 import { JwtAttachmentPayload, JwtType } from '../auth/dto/jwt-payload';
 import * as path from 'path';
 import { sanitize } from 'sanitize-filename-ts';
 import { AttachmentInfoDto, RemoveIconDto } from './dto/attachment.dto';
 import { PageAccessService } from '../page/page-access/page-access.service';
 import { AuditEvent, AuditResource } from '../../common/events/audit-events';
@@ -356,19 +357,13 @@ export class AttachmentController {
      throw new BadRequestException('Invalid image attachment type');
    }
-    if (!fileName) {
+    if (!fileName || sanitize(fileName) !== fileName) {
      throw new BadRequestException('Invalid file name');
    }
-    const ext = path.extname(fileName);
+    const filenameWithoutExt = path.basename(fileName, path.extname(fileName));
-    const filenameWithoutExt = path.basename(fileName, ext);
+    if (!isValidUUID(filenameWithoutExt)) {
-
+      throw new BadRequestException('Invalid file id');
    if (
      !ext ||
      !isValidUUID(filenameWithoutExt) ||
      `${filenameWithoutExt}${ext}` !== fileName
    ) {
      throw new BadRequestException('Invalid file name');
    }
    const filePath = `${getAttachmentFolderPath(attachmentType, workspace.id)}/${fileName}`;
@@ -23,12 +23,9 @@ import {
  SpaceCaslSubject,
 } from '../../core/casl/interfaces/space-ability.type';
 import { FastifyReply } from 'fastify';
 import { sanitize } from 'sanitize-filename-ts';
 import { getExportExtension } from './utils';
-import {
+import { getMimeType, getPageTitle } from '../../common/helpers';
  getMimeType,
  getPageTitle,
  sanitizeFileName,
 } from '../../common/helpers';
 import * as path from 'path';
 import { AuditEvent, AuditResource } from '../../common/events/audit-events';
 import {
@@ -88,9 +85,7 @@ export class ExportController {
    if (result.type === 'file') {
      const ext = getExportExtension(dto.format);
-      const fileName =
+      const fileName = sanitize(page.title || 'untitled') + ext;
        sanitizeFileName(page.title || 'untitled', { preserveSpaces: true }) +
        ext;
      const contentType = getMimeType(path.extname(fileName));
      res.headers({
@@ -101,9 +96,7 @@ export class ExportController {
      res.send(result.content);
    } else {
-      const fileName =
+      const fileName = sanitize(page.title || 'untitled') + '.zip';
        sanitizeFileName(page.title || 'untitled', { preserveSpaces: true }) +
        '.zip';
      res.headers({
        'Content-Type': 'application/zip',
@@ -151,9 +144,7 @@ export class ExportController {
      'Content-Type': 'application/zip',
      'Content-Disposition':
        'attachment; filename="' +
-        encodeURIComponent(
+        encodeURIComponent(sanitize(exportFile.fileName)) +
          sanitizeFileName(exportFile.fileName, { preserveSpaces: true }),
        ) +
        '"',
    });
@@ -1,6 +1,7 @@
 import { BadRequestException, Injectable, Logger } from '@nestjs/common';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { MultipartFile } from '@fastify/multipart';
 import { sanitize } from 'sanitize-filename-ts';
 import * as path from 'path';
 import {
  htmlToJson,
@@ -52,8 +53,8 @@ export class ImportService {
    const file = await filePromise;
    const fileBuffer = await file.toBuffer();
    const fileExtension = path.extname(file.filename).toLowerCase();
-    const fileName = sanitizeFileName(
+    const fileName = sanitize(
-      path.basename(file.filename, fileExtension),
+      path.basename(file.filename, fileExtension).slice(0, 255),
    );
    const fileContent = fileBuffer.toString();
@@ -1,7 +1,7 @@
 {
  "name": "docmost",
  "homepage": "https://docmost.com",
-  "version": "0.80.1",
+  "version": "0.80.0",
  "private": true,
  "scripts": {
    "build": "nx run-many -t build",
@@ -72,7 +72,7 @@
    "ms": "3.0.0-canary.1",
    "qrcode": "^1.5.4",
    "rfc6902": "5.2.0",
-    "uuid": "^14.0.0",
+    "uuid": "^13.0.0",
    "y-indexeddb": "^9.0.12",
    "y-prosemirror": "1.3.7",
    "yjs": "^13.6.30"
@@ -128,12 +128,11 @@
      "yaml@>=2.0.0 <2.8.3": "2.8.3",
      "path-to-regexp@^8": "8.4.0",
      "brace-expansion@^5": "5.0.5",
-      "@xmldom/xmldom": "0.8.13",
+      "@xmldom/xmldom": "0.8.12",
      "handlebars": "4.7.9",
      "axios": "1.15.0",
      "langsmith": "0.5.19",
-      "follow-redirects": "1.16.0",
+      "follow-redirects": "1.16.0"
      "protobufjs":  "7.5.5"
    },
    "neverBuiltDependencies": []
  }