github RayLabsHQ/gitea-mirror v3.13.0


What's Changed

Security Fixes

  • Resolve 27 Docker Scout CVEs — Go stdlib, npm packages (fast-xml-parser, devalue, node-forge, rollup, svgo)
  • Build git-lfs from source with Go 1.25.8 to fix critical CVE-2025-68121 and 5 other Go stdlib/crypto CVEs (no patched git-lfs release exists yet)
  • Strip build-only packages (esbuild, vite, rollup, svgo, tailwindcss) from production Docker image — eliminates CVEs and reduces image size
  • Harden API endpoints:
    • /api/auth/debug — dev-only, requires auth, removed test user creation POST
    • /api/auth/check-users — returns boolean instead of exact user count
    • /api/cleanup/auto — now requires authentication
    • /api/health — removed OS version, memory, and uptime disclosure
    • /api/config — validates Gitea URL protocol
  • BETTER_AUTH_SECRET — logs a security warning when the insecure default value is in use
  • generateRandomString() — replaced Math.random() with crypto.getRandomValues() (was used for OAuth client secret generation)
  • hashValue() — added random salt and timing-safe verification

Upgrades

  • Astro v5 → v6 (Vite 7, Zod 4)
  • Updated @astrojs/node, @astrojs/mdx, @astrojs/react, better-auth, @better-auth/sso
  • npm overrides: fast-xml-parser ≥5.5.5, devalue ≥5.6.4, node-forge ≥1.3.3, svgo ≥4.0.1, rollup ≥4.59.0

Features

  • Import repository topics and descriptions into Gitea (#224)
  • Sort repositories by import date (#226)
  • Startup repair progress logs (#223)

Bug Fixes

  • Gracefully handle SAML-protected orgs during GitHub import (#218)

Full Changelog: v3.12.5...v3.13.0
