v1.0.761

Description

Adding a column for trash view called "Original location" where we display the parent folder name to give the user more context.

Related Issues

Related Pull Requests

Checklist

• Changes have been tested locally.
• Unit tests have been written or updated as necessary.
• The code adheres to the repository's coding standards.
• Relevant documentation has been added or updated.
• No new warnings or errors have been introduced.
• SonarCloud issues have been reviewed and addressed.
• QA Passed

Testing Process

Additional Notes

v1.0.760

Description

This PR aims to fix an issue where coupon-only sales were failing to attribute on Impact.

Changes included:

• Added a fallback uuidV4 for anonymousId: Ensures that conversions without a prior affiliate tracking cookie (impactAnonymousId) provide a valid tracking identifier to our analytics integration, preventing silent payload drops.

Related Issues

Related Pull Requests

Checklist

• Changes have been tested locally.
• Unit tests have been written or updated as necessary.
• The code adheres to the repository's coding standards.
• Relevant documentation has been added or updated.
• No new warnings or errors have been introduced.
• SonarCloud issues have been reviewed and addressed.
• QA Passed

Testing Process

Additional Notes

v1.0.759

Description

Reverts #1918 due to mobile login

Checklist

• Changes have been tested locally.
• Unit tests have been written or updated as necessary.
• The code adheres to the repository's coding standards.
• Relevant documentation has been added or updated.
• No new warnings or errors have been introduced.
• SonarCloud issues have been reviewed and addressed.
• QA Passed

Testing Process

v1.0.758

Description

This PR removes deprecated old token

Checklist

• Changes have been tested locally.
• Unit tests have been written or updated as necessary.
• The code adheres to the repository's coding standards.
• Relevant documentation has been added or updated.
• No new warnings or errors have been introduced.
• SonarCloud issues have been reviewed and addressed.
• QA Passed

Testing Process

unit tests

v1.0.757

Description

Cleaning up payments-related code as B2B plans will no longer be supported in the integrated checkout.

This PR removes:

• Unused functions
• Unused components
• Unused B2B-related styles
• B2B subscription handling logic

Related Issues

Related Pull Requests

Checklist

• Changes have been tested locally.
• Unit tests have been written or updated as necessary.
• The code adheres to the repository's coding standards.
• Relevant documentation has been added or updated.
• No new warnings or errors have been introduced.
• SonarCloud issues have been reviewed and addressed.
• QA Passed

Testing Process

Additional Notes

v1.0.756

Description

The behavior of the backup keys dialog reminder has been updated. Now, it will be displayed every 30 days, starting the user is authenticated. It will not be displayed after the authentication.

Related Issues

Related Pull Requests

Checklist

• Changes have been tested locally.
• Unit tests have been written or updated as necessary.
• The code adheres to the repository's coding standards.
• Relevant documentation has been added or updated.
• No new warnings or errors have been introduced.
• SonarCloud issues have been reviewed and addressed.
• QA Passed

Testing Process

Additional Notes

v1.0.755

Description

After login or registration, a modal will appear reminding the user to download their backup key. The behavior is:

• If the user has never seen the dialog, it opens automatically.
• The user can download the backup key at any time using the download button.
• Clicking "Remind me later" dismisses the dialog and will not show it again for 14 days or he is authenticated again.
• Once the user downloads the key and clicks "I've saved my key", the dialog will never be shown again.
• If the user logs in with a different account, the dialog will appear again for that account (state is stored per user).
• The dialog will not appear again after logout and login (with the same account) if the user already acknowledged it.
• While the dialog is open, promotional banners should be hidden.

Related Issues

Related Pull Requests

Checklist

• Changes have been tested locally.
• Unit tests have been written or updated as necessary.
• The code adheres to the repository's coding standards.
• Relevant documentation has been added or updated.
• No new warnings or errors have been introduced.
• SonarCloud issues have been reviewed and addressed.
• QA Passed

Testing Process

Additional Notes

v1.0.754

Description

Refactored the Realtime service (socket connection) by simplifying its initialization: it is now set up when the app mounts and continuously listens for events.

Additionally, a temporary polling mechanism (every 5 secs during 30 secs) has been introduced after a user purchases a plan to ensure their storage is updated correctly.

Related Issues

Related Pull Requests

Checklist

• Changes have been tested locally.
• Unit tests have been written or updated as necessary.
• The code adheres to the repository's coding standards.
• Relevant documentation has been added or updated.
• No new warnings or errors have been introduced.
• SonarCloud issues have been reviewed and addressed.
• QA Passed

Testing Process

Additional Notes

v1.0.753

Description

This PR adds support for sending public keys during account recovery. When users export their backup file, it now includes both private and public keys. During account recovery, these public keys are extracted from the backup file and forwarded to the backend, which validates that they match the account being recovered.

Related Issues

Related Pull Requests

Checklist

• Changes have been tested locally.
• Unit tests have been written or updated as necessary.
• The code adheres to the repository's coding standards.
• Relevant documentation has been added or updated.
• No new warnings or errors have been introduced.
• SonarCloud issues have been reviewed and addressed.
• QA Passed

Testing Process

Additional Notes

Updated @internxt/sdk from v1.11.17 to v1.12.0. This version includes a breaking change in changePasswordWithLinkV2 the keys parameter changed from PrivateKeys to RecoveryKeys ({ private?, public? }), which allows sending public keys alongside private keys during recovery.

v1.0.752

Bumps axios from 1.15.0 to 1.15.2.

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md