Merge v3-alpha into master#5272
Conversation
- Add global defaults config stored in ~/.config/wails/defaults.yaml - Add light/dark mode toggle with theme persistence - Add PKGBUILD support to Linux build formats display - Add macOS signing clarification (public identifiers vs Keychain storage) - Fix spinner animation using CSS animate-spin - Add signing defaults for macOS and Windows code signing - Compact defaults page layout with 2-column design - Add Wails logo with proper light/dark theme variants 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove the paths filter that was causing v3 build and test jobs to be skipped when PRs targeting v3-alpha didn't contain changes in the v3/ directory. This ensures all PRs to v3-alpha are properly tested. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add [warn] prefix to generator warnings to prevent the Go problem matcher from interpreting them as errors. The matcher regex matches file.go:line:col: patterns, causing CI failures on valid warning output. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update test to prefix warnings with [warn] when writing to warnings.log, and update all fixture files accordingly. This prevents the Go problem matcher from treating diff output as errors during CI. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use NullLogger instead of DefaultPtermLogger during tests to prevent console output. Warnings are still written to warnings.log for comparison. This prevents GitHub Actions Go problem matcher from treating any warning-like output as errors. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update tests to match the new wrapTask behavior introduced in the cross-platform build system: - Task names are now prefixed with platform (e.g., linux:build) - ARCH argument is automatically added based on GOARCH - GOOS/GOARCH args are filtered from remaining args - Environment variables are respected with arg overrides Also adds test for the new SignWrapper command. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* custom transport initial * transport codecs * runtime set transport * events transport * clauded example * bundled runtime * wip: transport * rework transports * rework dialog responses * cleanup * cleanup * improve error handling in HTTPTransport * cleanup * cleanup * cleanup * cleanup * review changes * review changes * review changes * review changes * review changes * review changes * review changes * move documentation to website docs * update doc * update changelog * introduce JSClient method for transport for embedding JS part in transport --------- Co-authored-by: Atterpac <Capretta.Michael@gmail.com> Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
- Add RawMessageHandler section to Application API reference - Add System.invoke() to Frontend Runtime reference - Create comprehensive Raw Messages guide 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Rename `HandleCustomProtocol` to `HandleOpenURL` and add universal link support on macOS. * Update changelog. * add docs * add docs --------- Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
* Add support for origin tracking in raw message handling - Implemented origin and top origin tracking for web messages from JavaScript. - Updated `RawMessageHandler` to include `originInfo`. - Added cross-platform support for retrieving the origin of messages in macOS, Windows, and Linux. * fix build * fix build * fix build * fix build * fix build * Fix nil checks and string handling for message origins across platforms - Ensure proper fallback to empty strings for `origin` and `topOrigin` when errors or nil values are encountered. - Normalize handling of `message.body` to account for non-NSString values in macOS. * add docs * Remove unused doc * update changelog * fix build --------- Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
…entation (#4758) * Update `RawMessageHandler` to include `originInfo` parameter in documentation - Expanded examples and handler signature to reflect the additional `originInfo` parameter. - Detailed `OriginInfo` structure and its platform-specific behaviors added. * Expand `raw-messages` documentation to include origin validation guidance
Replace <Aside type="caution"> JSX with :::caution markdown syntax to fix the docs build error. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…4687) * Add window name header when making webview requests * Add changelog item * Update PR no in changelog entry --------- Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
* fix(v3): fixed update plist, close #4636 * chore: update changelog * feat: add recursive merge support for nested plist dictionaries Previously, the plist merge was shallow - nested dictionaries were completely replaced rather than recursively merged. This caused custom nested configurations to be lost during build asset updates. Now nested dictionaries are recursively merged, preserving custom keys at all levels while still allowing new keys to be added and existing keys to be updated. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: replace temp directory with backup-based plist merge Instead of extracting to a temp directory and copying files over, we now: 1. Rename existing plists to .plist.bak 2. Extract new assets directly to target 3. Merge backup content into newly extracted plists 4. Clean up backup files This is simpler, more crash-safe (backups remain if process crashes), and avoids the overhead of a temp directory and file copying. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Lea Anthony <lea.anthony@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* Add aria-label to elements in the helloworld app templates so they can be directly tested by Appium based E2E test clients * changelog updated * fix: restore UNRELEASED_CHANGELOG.md to correct state Remove accidentally merged changelog entries from other PRs and restore the base entries from v3-alpha with only this PR's changelog entry. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Lea Anthony <lea.anthony@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
This commit integrates iOS platform support for Wails v3, adapting the iOS-specific code to work with the new transport layer architecture. Key changes: - Add iOS-specific application, webview, and runtime files - Add iOS event types and processing - Add iOS examples and templates - Update messageprocessor to handle iOS requests - Move badge_ios.go to dock package Note: The iOS branch was based on an older v3-alpha and required significant conflict resolution due to the transport layer refactor (PR #4702). Some iOS-specific code may need further adaptation: - processIOSMethod needs to be implemented with new RuntimeRequest signature - iOS event generation in tasks/events/generate.go needs updating 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit integrates Android platform support for Wails v3. Key changes: - Add Android-specific application, webview, and runtime files - Add Android event types - Add Android examples and build system (Gradle) - Add JNI bridge for Go <-> Java communication - Update application options for Android configuration - Add Android include to common Taskfile template Note: The Android branch was more recent than the iOS branch and had fewer conflicts with the transport layer refactor. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix merge conflict marker in application_options.go - Add AGENTS.md with beads workflow documentation for AI agents 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…sport Transport layer refactor adaptations for mobile platforms: - Refactor processIOSMethod to use RuntimeRequest signature - Refactor processAndroidMethod to use RuntimeRequest signature - Add androidRequest constant (12) and handler to messageprocessor.go - Update messageprocessor_mobile_stub.go for non-mobile builds - Fix undefined windowID variable (use req.WebviewWindowID) - Add iOS event generation to tasks/events/generate.go - Add InvalidIOSCallError and InvalidAndroidCallError to errs package - Update iOS delegate and webview files with generated event handlers iOS methods refactored: Haptics.Impact, Device.Info, Scroll settings, Navigation gestures, Link previews, Debug inspector, UserAgent Android methods refactored: Haptics.Vibrate, Device.Info, Toast.Show 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…skfile - Remove duplicate iOS subcommand registration in main.go (merge artifact) - Make SDK_PATH a task-level variable in iOS Taskfile to avoid eager evaluation that fails on non-macOS systems when running Android builds This fixes Android builds failing with "xcrun: command not found" on Linux systems where Xcode tools are unavailable. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The iOS branch modified events.go with debug println statements and changed the EventProcessor.Emit signature from returning error to void. This broke compatibility with event_manager.go and messageprocessor_events.go. Restored the v3-alpha version which: - Uses atomic.Bool for cancelled flags (thread-safe) - Has EventProcessor.Emit return error for validation - Includes decodeEventData and validateCustomEvent functions - Removes debug println statements 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
⚠️ EXPERIMENTAL: This feature is under active development and may change. This merge adds initial support for building Wails applications for iOS and Android platforms. Desktop builds are completely unaffected as mobile code uses platform-specific build tags. ## What's Included ### iOS Support - Native iOS app structure with WKWebView - iOS-specific runtime methods (haptics, device info, scroll settings, etc.) - Xcode project generation (`wails3 ios xcode:gen`) - iOS Simulator deployment via Taskfile - Native UITabBar support - iOS application lifecycle events ### Android Support - Android app structure with WebView - Android-specific runtime methods (haptics, device info, toast) - Gradle-based build system - APK generation and emulator deployment - Android NDK cross-compilation support ### Transport Layer - iOS and Android message processors adapted to new RuntimeRequest pattern - Mobile-specific error types (InvalidIOSCallError, InvalidAndroidCallError) - Platform stubs for non-mobile builds ### Build System - New Taskfile includes for ios: and android: tasks - Lazy SDK_PATH evaluation (iOS builds don't break Android on Linux) - Project templates include mobile build configurations ## Requirements - iOS: macOS with Xcode 15+ - Android: Android Studio with NDK r26d ## Known Limitations - Some mobile APIs are stubbed pending full implementation - Mobile builds require platform-specific toolchains - Not yet tested in production environments Report issues: https://github.com/wailsapp/wails/issues 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove local database files that shouldn't be tracked in version control. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…ations The iOS service stubs were importing a non-existent package `github.com/wailsapp/wails/v3/pkg/services` and using an incompatible interface pattern. This fix rewrites both files to follow the same pattern as other platforms (Linux, Windows, Darwin): - Implement the internal platformDock/platformNotifier interfaces - Provide New() functions returning *DockService/*NotificationService - Stub all required interface methods 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Remove the GitHub Pages deploy workflow; the v3 site now builds and publishes via the new Cloudflare Pages project `wails-v3-site`, which deploys on every push to v3-alpha that touches docs/*. - Drop the root CNAME file; CF Pages manages the v3.wails.io custom domain in its own dashboard. The previous v3alpha.wails.io URL is preserved as a 301 redirect to v3.wails.io via a CF zone redirect rule, so existing inbound links keep working. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ite over to Cloudflare Pages
* chore: remove orphaned root-level debris Drops files that accumulated at the repo root and aren't referenced anywhere: - pr_4570.diff (orphaned patch artifact from PR #4570) - test-changelog-extraction.sh, test-ios-compile.sh, test-version-logic.sh (one-off helper scripts; logic that is still needed lives under v3/scripts/ instead) - test-workflow.md (notes file, no longer current) Reduces noise at the repo root and trims surface area before the v3-alpha → master merge. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: remove abandoned mkdocs-website experiment Deletes the entire `mkdocs-website/` directory. It was an alternative MkDocs-based docs setup, not deployed anywhere (the v3 docs ship from `docs/` via Cloudflare Pages and the v2 docs ship from `website/`), and has been confirmed abandoned. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(workflows): drop auto-label-issues workflow Companion deletion to the master-side PR; retiring the auto-labeller rather than keeping it across both versions. Removing here so the v3-alpha → master merge has no conflict on this file. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(workflows): drop test-nightly-releases and issue-triage-automation Companion deletion to the master-side PR; retiring both ahead of the v3-alpha → master merge so neither file appears in the conflict set. Issue triage is moving to a real agent-driven workflow. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…d root-level debris
…5270) * chore(workflows): pre-merge auto-label and changelog-trigger from master Adopts two changes that already exist on master so the eventual v3-alpha → master merge has fewer conflicts to hand-resolve: - auto-label-issues.yml: switch the PR trigger from `pull_request` to `pull_request_target` so the workflow can label PRs from forks (security hardening already in place on master). - unreleased-changelog-trigger.yml: add the `actions: write` permission needed by the trigger step (already in place on master). No behaviour change for v3-alpha-only paths. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(workflows): keep v3-alpha's pull_request_target on auto-label-issues I had the direction backwards in the previous commit on this branch. v3-alpha already uses pull_request_target (the security-hardened trigger that lets the workflow label PRs from forks); master is the one still on the older pull_request. The fix to auto-label-issues belongs on master, not on v3-alpha. Reverting that part of this PR so v3-alpha keeps its current behaviour. The unreleased-changelog permission update remains. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…-merge changelog-trigger permission from master
Brings the v3 codebase onto master so v2 (in v2/) and v3 (in v3/)
live side-by-side on a single branch, with a single docs source on
Cloudflare Pages and one set of CI pipelines.
Conflict resolution:
- v2/examples/customlayout/go.{mod,sum}: kept master (v2 territory).
- v2/internal/staticanalysis/test/standard/go.{mod,sum}: kept master.
- v3/scripts/validate-changelog.go: kept v3-alpha.
- .github/workflows/build-and-test.yml: kept master (v2 tests).
- .github/workflows/build-and-test-v3.yml: kept v3-alpha + retargeted
the trigger from v3-alpha to master.
- .github/workflows/build-cross-image.yml: kept v3-alpha.
- .github/workflows/pr-master.yml: kept master.
- .github/workflows/pr.yml: accepted master's deletion (v3-alpha had
renamed it to pr-master.yml; master's deletion stands).
- .github/pull_request_template.md: hand-merged — kept v3 alpha
source-install warning, simplified the changelog checklist (v3
changelog entries are added automatically).
- website/src/pages/changelog.mdx: kept master (v2 changelog).
Workflow retargeting (v3-alpha branch references → master):
- auto-changelog-v3.yml: branches trigger, ref, push target.
- automated-releases.yml: ref, push origin, --target.
- build-and-test-v3.yml: branches trigger + base_ref guards.
- build-cross-image.yml: branches trigger + workflow_dispatch default.
- changelog-v3.yml: branches trigger, fetch/checkout/push.
- cross-compile-test-v3.yml: branches trigger.
- nightly-release-v3.yml: ref.
- publish-npm.yml: branches trigger + ref.
- semgrep.yml: removed v3-alpha from push branches.
- unreleased-changelog-trigger.yml: branches trigger + refs.
Cosmetic v3-alpha references (job names, log strings, comments,
the v3-alpha issue label) are unchanged and will be cleaned up in
the Phase D documentation sweep.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Important Review skippedToo many files! This PR contains 268 files, which is 118 over the limit of 150. ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (32)
📒 Files selected for processing (268)
You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| name: Check PR Approval | ||
| runs-on: ubuntu-latest | ||
| if: github.event_name == 'workflow_dispatch' || github.event.review.state == 'approved' | ||
| outputs: | ||
| approved: ${{ steps.check.outputs.approved }} | ||
| steps: | ||
| - name: Check if PR is approved or manual dispatch | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | ||
| echo "Manual dispatch, proceeding with cross-compile tests" | ||
| else | ||
| echo "PR approved, proceeding with cross-compile tests" | ||
| fi | ||
| echo "approved=true" >> $GITHUB_OUTPUT | ||
|
|
||
| cross_compile: |
| name: Cross-Compile (${{ matrix.target_os }}/${{ matrix.target_arch }}) | ||
| needs: check_approval | ||
| runs-on: ${{ matrix.runner }} | ||
| if: needs.check_approval.outputs.approved == 'true' | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - target_os: darwin | ||
| target_arch: arm64 | ||
| runner: ubuntu-latest | ||
| - target_os: darwin | ||
| target_arch: amd64 | ||
| runner: ubuntu-latest | ||
| - target_os: linux | ||
| target_arch: arm64 | ||
| runner: ubuntu-24.04-arm # Native ARM64 runner - much faster than QEMU | ||
| - target_os: linux | ||
| target_arch: amd64 | ||
| runner: ubuntu-latest | ||
| - target_os: windows | ||
| target_arch: arm64 | ||
| runner: ubuntu-latest | ||
| - target_os: windows | ||
| target_arch: amd64 | ||
| runner: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Checkout PR (if specified) | ||
| if: github.event_name == 'workflow_dispatch' && inputs.pr_number != '' | ||
| run: gh pr checkout ${{ inputs.pr_number }} | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Setup Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: '1.25' | ||
| cache: true | ||
| cache-dependency-path: "v3/go.sum" | ||
|
|
||
| - name: Install Task | ||
| uses: arduino/setup-task@v2 | ||
| with: | ||
| version: 3.x | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Install Linux dependencies | ||
| uses: awalsh128/cache-apt-pkgs-action@latest | ||
| with: | ||
| packages: libgtk-3-dev libwebkit2gtk-4.1-dev libwayland-dev build-essential pkg-config | ||
| version: 1.0 | ||
|
|
||
| - name: Install Wails3 CLI | ||
| working-directory: v3 | ||
| run: | | ||
| go install ./cmd/wails3 | ||
| wails3 version | ||
|
|
||
| - name: Create test project | ||
| run: | | ||
| mkdir -p test-cross-compile | ||
| cd test-cross-compile | ||
| wails3 init -n crosstest -t vanilla | ||
|
|
||
| - name: Setup Docker cross-compile image | ||
| working-directory: test-cross-compile/crosstest | ||
| run: task common:setup:docker | ||
|
|
||
| - name: Fix replace directive for Docker build | ||
| working-directory: test-cross-compile/crosstest | ||
| run: | | ||
| # Change the replace directive to use absolute path that matches Docker mount | ||
| go mod edit -dropreplace github.com/wailsapp/wails/v3 | ||
| go mod edit -replace github.com/wailsapp/wails/v3=${{ github.workspace }}/v3 | ||
|
|
||
| - name: Cross-compile for ${{ matrix.target_os }}/${{ matrix.target_arch }} | ||
| working-directory: test-cross-compile/crosstest | ||
| run: | | ||
| echo "Cross-compiling for ${{ matrix.target_os }}/${{ matrix.target_arch }}..." | ||
| task ${{ matrix.target_os }}:build ARCH=${{ matrix.target_arch }} | ||
| echo "Cross-compilation successful!" | ||
| ls -la bin/ | ||
|
|
||
| cross_compile_results: |
| if: ${{ always() }} | ||
| runs-on: ubuntu-latest | ||
| name: Cross-Compile Results | ||
| needs: [cross_compile] | ||
| steps: | ||
| - run: | | ||
| result="${{ needs.cross_compile.result }}" | ||
| echo "Cross-compile result: $result" | ||
| if [[ $result == "success" || $result == "skipped" ]]; then | ||
| echo "Cross-compile tests passed (or were skipped)!" | ||
| exit 0 | ||
| else | ||
| echo "One or more cross-compile tests failed" | ||
| exit 1 | ||
| fi |
| name: Detect committed changes | ||
| if: github.event_name != 'workflow_dispatch' | ||
| outputs: | ||
| changed: ${{ steps.package-json-changes.outputs.any_modified == 'true' || steps.source-changes.outputs.any_modified == 'true' }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.sha }} | ||
| persist-credentials: 'true' | ||
|
|
||
| - name: Detect committed package.json changes | ||
| id: package-json-changes | ||
| uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1 | ||
| with: | ||
| files: | | ||
| v3/internal/runtime/desktop/@wailsio/runtime/package.json | ||
| v3/internal/runtime/desktop/@wailsio/runtime/package-lock.json | ||
|
|
||
| - name: Detect committed source changes | ||
| if: >- | ||
| steps.package-json-changes.outputs.any_modified != 'true' | ||
| id: source-changes | ||
| uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1 | ||
| with: | ||
| files: | | ||
| v3/internal/runtime/Taskfile.yaml | ||
| v3/internal/runtime/desktop/@wailsio/compiled/main.js | ||
| v3/internal/runtime/desktop/@wailsio/runtime/tsconfig.json | ||
| v3/internal/runtime/desktop/@wailsio/runtime/src/** | ||
| v3/pkg/events/events.txt | ||
| v3/tasks/events/** | ||
|
|
||
| rebuild_and_publish: |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Test | ||
| run: echo "Hello World" No newline at end of file |
| entry.innerHTML = ` | ||
| <span class="log-time">${time}</span> | ||
| <span class="log-type">${type}</span> | ||
| <span class="log-message">${message}</span> | ||
| `; |
| return | ||
| } | ||
|
|
||
| cmd := exec.Command(parts[0], parts[1:]...) |
|
|
||
| if _, err := os.Stat(path); err == nil { | ||
| // Serve file from disk to make testing easy | ||
| http.ServeFile(w, r, path) |
| url := r.URL.Path | ||
| path := dir + "/assets" + url | ||
|
|
||
| if _, err := os.Stat(path); err == nil { |
…ntain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ntain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
| "url": "https://github.com/sponsors/SuperchupuDev" | ||
| } | ||
| }, | ||
| "node_modules/vite": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 941 lists a dependency (vite) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of vite are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Missing Authentication for Critical Function. This occurs because the Vite Dev Server WebSocket improperly exposes the fetchModule method, allowing unauthenticated remote attackers to bypass filesystem restrictions and read arbitrary files from the host machine
To resolve this comment:
Check if you enable vite dev server using --host flag and websocket is not disabled.
- If you're affected, upgrade this dependency to at least version 6.4.2 at v3/examples/custom-protocol-example/frontend/package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "url": "https://github.com/sponsors/isaacs" | ||
| } | ||
| }, | ||
| "node_modules/happy-dom": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 1581 lists a dependency (happy-dom) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of happy-dom are vulnerable to Improper Control of Generation of Code ('Code Injection'). Happy DOM's ECMAScriptModuleCompiler is vulnerable to code injection because content inside export { } declarations in ES module scripts is extracted via regex and interpolated directly into generated JavaScript as an executable expression without validation. The quote filter strips " and ' but not backticks, so template-literal payloads like export { require(\child_process`).execSync(`id`) }` survive sanitization and execute arbitrary commands when happy-dom evaluates the module. Attackers who can inject or control HTML processed by happy-dom (SSR applications, web scrapers, testing pipelines) can achieve remote code execution on the host.
To resolve this comment:
Check if you process untrusted HTML with JavaScript evaluation enabled (enabled by default in versions before 20.0.0, opt-in afterwards).
- If you're affected, upgrade this dependency to at least version 20.8.8 at v3/internal/runtime/desktop/@wailsio/runtime/package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "node": "^10 || ^12 || >=14" | ||
| } | ||
| }, | ||
| "node_modules/rollup": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 569 lists a dependency (rollup) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of rollup are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
To resolve this comment:
Check if you use Rollup to bundle JavaScript with import.meta.url and the output format is set to cjs, umd, or iife formats, while allowing users to inject scriptless HTML elements with unsanitized name attributes.
- If you're affected, upgrade this dependency to at least version 3.29.5 at v3/examples/dev/frontend/package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
|
Semgrep found 8
Risk: Affected versions of rollup are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Rollup is vulnerable to arbitrary file write via path traversal: chunk/asset names derived from user-controlled inputs (e.g., CLI named inputs, manual chunk aliases, or malicious plugins) are insufficiently sanitized, allowing Manual Review Advice: A vulnerability from this advisory is reachable if you are running Fix: Upgrade this library to at least version 4.59.0 at wails/v3/examples/ios/frontend/package-lock.json:824. Reference(s): GHSA-mw96-cpmx-2vgc, CVE-2026-27606 |
- All workflow go-version pins moved to 1.25 (was a mix of 1.22, 1.23, 1.24): build-and-test.yml, build-and-test-v3.yml, automated-releases, changelog-v3, build-cross-image, pr-master, nightly-release-v3, weekly-release-v2, auto-changelog-v3. - v2/go.mod: go 1.22.0 -> go 1.25.0. v3/go.mod was already 1.25. Go 1.25's vet adds a new "non-constant format string" check; fix the 30 sites it flagged in v2 by passing "%s" as the explicit format argument. Affects: - pkg/runtime/log.go (12 wrapper calls) - internal/frontend/dispatcher/log.go (6 wrapper calls) - cmd/wails/internal/dev/dev.go (5 calls) - pkg/commands/build/nsis_installer.go (2 calls) - cmd/wails/build.go, internal/binding/binding.go, cmd/wails/internal/dev/stdout_scanner.go, internal/frontend/dispatcher/calls.go, internal/frontend/dispatcher/securecalls.go (1 each) Verified locally: `go vet ./...` and `go test -run "^$" ./...` clean on v2; v3 had no format-string issues. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- pkg/assetserver/assethandler.go: re-add the //go:embed defaultindex.html declaration that was removed in a0b2ab7 by mistake while leaving the reference at assetserver.go:175 intact, breaking the package build. defaultindex.html still ships in the package; just the var declaration was the orphaned deletion. Also switch fmt.Errorf(msg) -> errors.New(msg) for the non-format-string variant flagged by Go 1.25 vet. - pkg/clilogger/clilogger.go: 2 more format-string sites that the local pass missed (recursive c.Fatal calls inside Println/Fatalf wrappers). - internal/frontend/desktop/darwin/browser.go, internal/frontend/desktop/darwin/frontend.go: 4 darwin-only format-string sites that don't show in cross-OS vet from a Mac. Switched the fmt.Sprintf(...) wrappers to direct printf-style logger.Error calls. Verified: `go vet ./...` clean on linux and darwin builds. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Same surgical pattern as the darwin fixes — pass an explicit "%s" format constant or switch to errors.New where the call passed a non-constant string as the format argument. Affects: - internal/frontend/desktop/linux/browser.go (1 site) - internal/frontend/desktop/linux/frontend.go (4 sites) - internal/frontend/desktop/windows/browser.go (1 site) - internal/frontend/desktop/windows/frontend.go (10 logger.Error sites + 1 winc.Errorf) - internal/wv2installer/download.go (1 fmt.Errorf -> errors.New) - internal/wv2installer/wv2installer.go (2 fmt.Errorf -> errors.New) - pkg/assetserver/webview/request_windows.go (1 fmt.Errorf -> errors.New, with errors import) Local GOOS=windows vet now clean. Linux files use the same surgical pattern that already worked for darwin so I expect them to pass too. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
After replacing logger.Error(fmt.Sprintf(...)) with the printf-style logger.Error(...), the "fmt" import is no longer used. Go's compiler errors out on unused imports. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- internal/frontend/desktop/windows/frontend.go: 5 more
logger.Error(fmt.Sprintf("...", args...)) sites switched to direct
logger.Error("...", args...) printf-style. These didn't match my
earlier sed because the format strings have multiple args (not just
err.Error()).
- internal/wv2installer/{download.go,wv2installer.go}: drop the now-
unused "fmt" import after the previous switch from fmt.Errorf to
errors.New.
GOOS=windows go vet ./... locally clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This PR is massive (3,402 files / +333k / -313). The github.com diff browser will likely struggle. Review locally with:
What this PR does
Brings the v3 codebase onto
masterso v2 (inv2/) and v3 (inv3/) live side-by-side on a single branch, with a single docs source on Cloudflare Pages and one set of CI pipelines.Conflict resolution (11 files)
v2/examples/customlayout/go.{mod,sum}v2/internal/staticanalysis/test/standard/go.{mod,sum}v3/scripts/validate-changelog.go.github/workflows/build-and-test.yml.github/workflows/build-and-test-v3.ymlv3-alphatomaster.github/workflows/build-cross-image.yml.github/workflows/pr-master.yml.github/workflows/pr.yml.github/pull_request_template.mdwebsite/src/pages/changelog.mdxWorkflow retargeting (
v3-alpha→master)All functional
v3-alphareferences switched tomaster:auto-changelog-v3.yml— branches trigger, ref, push targetautomated-releases.yml— refs, push origin,--targetbuild-and-test-v3.yml— branches trigger +base_refguardsbuild-cross-image.yml— branches trigger + workflow_dispatch defaultchangelog-v3.yml— branches trigger; fetch / checkout / pushcross-compile-test-v3.yml— branches triggernightly-release-v3.yml— refpublish-npm.yml— branches trigger + refsemgrep.yml— removedv3-alphafrom push branches listunreleased-changelog-trigger.yml— branches trigger + refsCosmetic
v3-alphareferences (job names, log strings, comments, thev3-alphaissue label instale-issues.yml) are unchanged and will be cleaned up in a Phase D doc-sweep PR.Pre-merge sanity checks already done
cd v2 && go mod download && go vet ./cmd/...— cleancd v3 && go mod download && go vet ./cmd/...— cleanauto-label-issues.yml,test-nightly-releases.yml,issue-triage-automation.ymlremoved; root debris clearedPost-merge actions
After this lands:
v3-alphavia the GitHub web UI (the "Delete branch" button on this merged PR's page). This auto-retargets all 60 open PRs that havebase: v3-alphatobase: master. Do NOT usegit push --deleteor the mobile app — those have known bugs that close PRs instead of retargeting.wails-v3-siteproject's production branch fromv3-alphatomasterin the CF dashboard.Run Go Tests v3 (macos / ubuntu / windows)) to master's required status checks so v3-touching PRs are properly gated.v3-alphareferences in workflow log strings, the AstroeditLinkindocs/astro.config.mjs, and any v3 docs that hardcodev3-alpha.Test plan
f0083552d(master) and4282febab(v3-alpha) — verify withgit show --stat <merge-sha>.v2/triggers required v2 checks; trivial PR touchingv3/triggers v3 checks.🤖 Generated with Claude Code