From d6259377420ad17c4d1b51f691305bc6110ec1e7 Mon Sep 17 00:00:00 2001
From: Ahmed Khalid <106074266+ahmed-arb@users.noreply.github.com>
Date: Fri, 23 Jan 2026 13:35:06 +0500
Subject: [PATCH 1/4] chore: set version suffix to main and install plugins from github (#1343)
---
requirements/plugins.txt | 28 ++++++++++++++--------------
tutor/__about__.py | 2 +-
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/requirements/plugins.txt b/requirements/plugins.txt
index 2cf7cc71ed..9a5e86a293 100644
--- a/requirements/plugins.txt
+++ b/requirements/plugins.txt
@@ -1,14 +1,14 @@
-# change version ranges when upgrading from ulmo
-tutor-android>=21.0.0,<22.0.0
-tutor-cairn>=21.0.0,<22.0.0
-tutor-credentials>=21.0.0,<22.0.0
-tutor-discovery>=21.0.0,<22.0.0
-tutor-deck>=21.0.0,<22.0.0
-tutor-forum>=21.0.0,<22.0.0
-tutor-indigo>=21.0.0,<22.0.0
-tutor-jupyter>=21.0.0,<22.0.0
-tutor-livedeps>=21.0.0,<22.0.0
-tutor-mfe>=21.0.0,<22.0.0
-tutor-minio>=21.0.0,<22.0.0
-tutor-notes>=21.0.0,<22.0.0
-tutor-xqueue>=21.0.0,<22.0.0
+# For Tutor Main, we install plugins from their main branches instead of from PyPI
+tutor-android@git+https://github.com/overhangio/tutor-android@main
+tutor-cairn@git+https://github.com/overhangio/tutor-cairn@main
+tutor-credentials@git+https://github.com/overhangio/tutor-credentials@main
+tutor-deck@git+https://github.com/overhangio/tutor-deck@main
+tutor-discovery@git+https://github.com/overhangio/tutor-discovery@main
+tutor-forum@git+https://github.com/overhangio/tutor-forum@main
+tutor-indigo@git+https://github.com/overhangio/tutor-indigo@main
+tutor-jupyter@git+https://github.com/overhangio/tutor-jupyter@main
+tutor-livedeps@git+https://github.com/overhangio/tutor-livedeps@main
+tutor-mfe@git+https://github.com/overhangio/tutor-mfe@main
+tutor-minio@git+https://github.com/overhangio/tutor-minio@main
+tutor-notes@git+https://github.com/overhangio/tutor-notes@main
+tutor-xqueue@git+https://github.com/overhangio/tutor-xqueue@main
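Review bot: Every plugin line in requirements/plugins.txt now resolves to whatever the `main` branch of its repository holds at install time, so two installs from the same Tutor commit can pull different code and nothing records which commit was actually used. That is presumably intended for the development branch, but the header comment should state the constraint, for example `# Main branch only: unpinned git refs, not reproducible. Restore the PyPI version ranges before cutting a release.` Where reproducibility matters (CI images, shared staging), a full commit SHA can replace `@main` on each line, or the resolved commits can be captured with `pip freeze` after install.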
diff --git a/tutor/__about__.py b/tutor/__about__.py index aa0aa8ee4d..a5becddf8f 100644 --- a/tutor/__about__.py +++ b/tutor/__about__.py @@ -10,7 +10,7 @@ # the main branch. # The suffix is cleanly separated from the __version__ in this module to avoid # conflicts when merging branches. -__version_suffix__ = "" +__version_suffix__ = "main" # The app name will be used to define the name of the default tutor root and # plugin directory. To avoid conflicts between multiple locally-installed From ee0800a612ff170318bcdf8413db66def02f3825 Mon Sep 17 00:00:00 2001 From: Feanil Patel Date: Fri, 30 Jan 2026 09:56:59 -0500 Subject: [PATCH 2/4] chore: update pyenv and default python version. (#1335) --- changelog.d/20260121_123520_feanil_patch_2.md | 13 +++++++++++++ tutor/templates/build/openedx/Dockerfile | 4 ++-- 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 changelog.d/20260121_123520_feanil_patch_2.md diff --git a/changelog.d/20260121_123520_feanil_patch_2.md b/changelog.d/20260121_123520_feanil_patch_2.md new file mode 100644 index 0000000000..9a5910fe30 --- /dev/null +++ b/changelog.d/20260121_123520_feanil_patch_2.md @@ -0,0 +1,13 @@ + + + + + +[Improvement] Update to use Python 3.12 for edx-platform diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile index b99473af5e..40f7c230bb 100644 --- a/tutor/templates/build/openedx/Dockerfile +++ b/tutor/templates/build/openedx/Dockerfile @@ -29,9 +29,9 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ # Install pyenv # https://www.python.org/downloads/ # https://github.com/pyenv/pyenv/releases -ARG PYTHON_VERSION=3.11.8 +ARG PYTHON_VERSION=3.12.12 ENV PYENV_ROOT=/opt/pyenv -RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v2.3.36 --depth 1 +RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v2.6.18 --depth 1 # Install Python RUN $PYENV_ROOT/bin/pyenv install $PYTHON_VERSION 
From e72ddf1e9cbaaea6b95818f97cf9f999b88adcb6 Mon Sep 17 00:00:00 2001 From: Kshitij Sobti Date: Wed, 25 Feb 2026 14:56:40 +0530 Subject: [PATCH 3/4] feat: Add ENV_SAVED Action (#1302) Adds an ENV_SAVED Action hook that allows hooking into the save mechanism and running custom code after saving an environemnt. --- .../20251111_011520_kshitij_env_saved_action.md | 2 ++ tutor/env.py | 9 +++++++++ tutor/hooks/catalog.py | 10 ++++++++++ 3 files changed, 21 insertions(+) create mode 100644 changelog.d/20251111_011520_kshitij_env_saved_action.md diff --git a/changelog.d/20251111_011520_kshitij_env_saved_action.md b/changelog.d/20251111_011520_kshitij_env_saved_action.md new file mode 100644 index 0000000000..6359072d86 --- /dev/null +++ b/changelog.d/20251111_011520_kshitij_env_saved_action.md @@ -0,0 +1,2 @@ +- [Feature] Add ENV_SAVED Action that allows hooks to run after a save + operation. (by @xitij2000) diff --git a/tutor/env.py b/tutor/env.py index ecd0f5b83d..ad965345a9 100644 --- a/tutor/env.py +++ b/tutor/env.py @@ -342,6 +342,15 @@ def save(root: str, config: Config) -> None: save_all_from(src, os.path.join(root_env, dst), config) upgrade_obsolete(root) + + config_copy = deepcopy(config) + hooks.Actions.ENV_SAVED.do(root_env, config_copy) + if config_copy != config: + fmt.echo_alert( + "A plugin just modified the config during the ENV_SAVED hook. " + "This could have unintended consequences." + ) + fmt.echo_info(f"Environment generated in {base_dir(root)}") diff --git a/tutor/hooks/catalog.py b/tutor/hooks/catalog.py index cca622c67a..d72f18320b 100644 --- a/tutor/hooks/catalog.py +++ b/tutor/hooks/catalog.py 
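Review bot: `deepcopy` is called in the lines added to `save()` in tutor/env.py, but the diffstat's 9 insertions for that file are all inside this hunk, so the commit adds no import for it. Unless `from copy import deepcopy` already exists at the top of the file (not visible here), every save would fail with a NameError before the hook runs. The alert also does not say which plugin changed the copy or which keys differ, so a one-line comment such as `# Plugins receive a copy; the comparison only detects misuse, it cannot attribute it.` would set expectations. The body of `save()` starts outside the hunk.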
@@ -94,6 +94,16 @@ def run_this_on_start(root, config, name): #: :parameter kwargs: job named arguments. DO_JOB: Action[[str, Any]] = Action() + #: This action is called at the end of the tutor.env.save function after all + #: the changes to the environment have been applied, all obsolete config has + #: been upgraded. + #: Modifying the config object will not trigger changes in the configuration. + #: For all purposes, it should be considered read-only. + #: + #: :parameter str root: project root. + #: :parameter dict config: project configuration. + ENV_SAVED: Action[[str, Config]] = Action() + #: Triggered when a single plugin needs to be loaded. Only plugins that have previously been #: discovered can be loaded (see :py:data:`CORE_READY`). #: From 5f2d0333a3f6a1e70999d74bf57b80daf734cff5 Mon Sep 17 00:00:00 2001 From: Steven Giron Date: Thu, 9 Apr 2026 15:43:48 -0500 Subject: [PATCH 4/4] fix: apply upstream security patch to remove activation_key exposure from account API --- CHANGELOG.md | 5 +++++ tutor/__about__.py | 2 +- tutor/templates/build/openedx/Dockerfile | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fea78eac08..2e62f3bac2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,11 @@ instructions, because git commits are used to generate release notes: + +## v21.0.3 (2026-04-09) + +- [Security] Backport fix to remove `activation_key` exposure from `/api/user/v1/accounts/{username}`, preventing email verification bypass via OAuth2 password grant flow (source: upstream edx-platform commit 21cead238466ca398ba368518f1d3288431d68f4). + ## v21.0.2 (2026-03-13) diff --git a/tutor/__about__.py b/tutor/__about__.py index bc712ee5d9..777327b617 100644 --- a/tutor/__about__.py +++ b/tutor/__about__.py 
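Review bot: The `ENV_SAVED` docs in tutor/hooks/catalog.py describe the first argument as `:parameter str root: project root.`, but the call added in tutor/env.py passes `root_env`, which the surrounding `os.path.join(root_env, dst)` suggests is the rendered environment directory rather than the project root. A plugin written against the docs would build paths from the wrong base. Either pass `root` at the call site or document it as `#: :parameter str root_env: path to the rendered environment directory.` The docs should also say that callbacks receive a deep copy of the config, since that is why modifications have no effect.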
@@ -2,7 +2,7 @@ # Increment this version number to trigger a new release. See # docs/tutor.html#versioning for information on the versioning scheme. -__version__ = "21.0.2" +__version__ = "21.0.3" # The version suffix will be appended to the actual version, separated by a # dash. Use this suffix to differentiate between the actual released version and diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile index 3cd893359a..64f5df9331 100644 --- a/tutor/templates/build/openedx/Dockerfile +++ b/tutor/templates/build/openedx/Dockerfile @@ -64,6 +64,9 @@ RUN git config --global user.email "tutor@overhang.io" \ {# RUN curl -fsSL https://github.com/openedx/edx-platform/commit/.patch | git am #} {# Include a comment on why the patch is neccessary. #} +# SECURITY FIX: remove activation_key exposure from account API +RUN curl -fsSL https://github.com/openedx/openedx-platform/commit/21cead238466ca398ba368518f1d3288431d68f4.patch | git am + {{ patch("openedx-dockerfile-post-git-checkout") }} ##### Empty layer with just the repo at the root.
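Review bot: The new `RUN curl ... | git am` line in the Dockerfile fetches the patch from `openedx/openedx-platform`, while the template comment just above it and the CHANGELOG entry both refer to `edx-platform`. If that is a rename, please say so in the comment so the next backport does not copy the wrong form, and so the build is not silently relying on a redirect. Because the fetch and the apply are joined by a pipe, the step's exit status is `git am`'s alone, so a failed download is only caught if `git am` happens to reject the empty input. Splitting the steps and checking a digest makes this explicit: `RUN curl -fsSL <url> -o /tmp/fix.patch && echo "<EXPECTED_SHA256_PLACEHOLDER>  /tmp/fix.patch" | sha256sum -c - && git am /tmp/fix.patch`. The comment should also name the affected endpoint (`/api/user/v1/accounts/{username}`, per the CHANGELOG) so the patch can be dropped once the base branch contains the fix.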