Skip to content

Merge v3-alpha into master#5272

Merged
leaanthony merged 1911 commits into
masterfrom
merge/v3-alpha
Apr 29, 2026
Merged

Merge v3-alpha into master#5272
leaanthony merged 1911 commits into
masterfrom
merge/v3-alpha

Conversation

@leaanthony

Copy link
Copy Markdown
Member

⚠️ Heads up

This PR is massive (3,402 files / +333k / -313). The github.com diff browser will likely struggle. Review locally with:

git fetch origin merge/v3-alpha
git checkout merge/v3-alpha

# Focus the review on the high-risk subsets:
git diff master..HEAD -- '.github/'           # all CI/automation changes
git diff master..HEAD -- '.github/workflows/' # workflows only
git diff master..HEAD -- '.github/pull_request_template.md'
git diff master..HEAD -- 'v2/' 'website/'     # v2 territory (should be tiny)

What this PR does

Brings the v3 codebase onto master so v2 (in v2/) and v3 (in v3/) live side-by-side on a single branch, with a single docs source on Cloudflare Pages and one set of CI pipelines.

Conflict resolution (11 files)

File Resolution
v2/examples/customlayout/go.{mod,sum} Kept master (v2 territory)
v2/internal/staticanalysis/test/standard/go.{mod,sum} Kept master
v3/scripts/validate-changelog.go Kept v3-alpha (v3 territory)
.github/workflows/build-and-test.yml Kept master (v2 tests, current Go 1.22)
.github/workflows/build-and-test-v3.yml Kept v3-alpha + retargeted trigger from v3-alpha to master
.github/workflows/build-cross-image.yml Kept v3-alpha
.github/workflows/pr-master.yml Kept master
.github/workflows/pr.yml Accepted master's deletion (v3-alpha had renamed it; master's deletion stands)
.github/pull_request_template.md Hand-merged: kept v3 alpha source-install warning; simplified the changelog checklist (v3 changelog entries are added automatically)
website/src/pages/changelog.mdx Kept master (v2 changelog)

Workflow retargeting (v3-alphamaster)

All functional v3-alpha references switched to master:

  • auto-changelog-v3.yml — branches trigger, ref, push target
  • automated-releases.yml — refs, push origin, --target
  • build-and-test-v3.yml — branches trigger + base_ref guards
  • build-cross-image.yml — branches trigger + workflow_dispatch default
  • changelog-v3.yml — branches trigger; fetch / checkout / push
  • cross-compile-test-v3.yml — branches trigger
  • nightly-release-v3.yml — ref
  • publish-npm.yml — branches trigger + ref
  • semgrep.yml — removed v3-alpha from push branches list
  • unreleased-changelog-trigger.yml — branches trigger + refs

Cosmetic v3-alpha references (job names, log strings, comments, the v3-alpha issue label in stale-issues.yml) are unchanged and will be cleaned up in a Phase D doc-sweep PR.

Pre-merge sanity checks already done

Post-merge actions

After this lands:

  1. Delete v3-alpha via the GitHub web UI (the "Delete branch" button on this merged PR's page). This auto-retargets all 60 open PRs that have base: v3-alpha to base: master. Do NOT use git push --delete or the mobile app — those have known bugs that close PRs instead of retargeting.
  2. Cloudflare Pages: change the wails-v3-site project's production branch from v3-alpha to master in the CF dashboard.
  3. Branch protection: add the v3 test jobs (Run Go Tests v3 (macos / ubuntu / windows)) to master's required status checks so v3-touching PRs are properly gated.
  4. Phase D doc sweep: open a small follow-up PR replacing the cosmetic v3-alpha references in workflow log strings, the Astro editLink in docs/astro.config.mjs, and any v3 docs that hardcode v3-alpha.

Test plan

  • CI green (Run Go Tests v2 + v3, semgrep, etc.)
  • Merge commit has two parents: f0083552d (master) and 4282febab (v3-alpha) — verify with git show --stat <merge-sha>.
  • After merge: trivial PR touching v2/ triggers required v2 checks; trivial PR touching v3/ triggers v3 checks.

🤖 Generated with Claude Code

leaanthony and others added 30 commits December 7, 2025 17:40
- Add global defaults config stored in ~/.config/wails/defaults.yaml
- Add light/dark mode toggle with theme persistence
- Add PKGBUILD support to Linux build formats display
- Add macOS signing clarification (public identifiers vs Keychain storage)
- Fix spinner animation using CSS animate-spin
- Add signing defaults for macOS and Windows code signing
- Compact defaults page layout with 2-column design
- Add Wails logo with proper light/dark theme variants

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove the paths filter that was causing v3 build and test jobs to be
skipped when PRs targeting v3-alpha didn't contain changes in the v3/
directory. This ensures all PRs to v3-alpha are properly tested.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add [warn] prefix to generator warnings to prevent the Go problem
matcher from interpreting them as errors. The matcher regex matches
file.go:line:col: patterns, causing CI failures on valid warning output.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update test to prefix warnings with [warn] when writing to warnings.log,
and update all fixture files accordingly. This prevents the Go problem
matcher from treating diff output as errors during CI.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use NullLogger instead of DefaultPtermLogger during tests to prevent
console output. Warnings are still written to warnings.log for
comparison. This prevents GitHub Actions Go problem matcher from
treating any warning-like output as errors.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update tests to match the new wrapTask behavior introduced in the
cross-platform build system:
- Task names are now prefixed with platform (e.g., linux:build)
- ARCH argument is automatically added based on GOARCH
- GOOS/GOARCH args are filtered from remaining args
- Environment variables are respected with arg overrides

Also adds test for the new SignWrapper command.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* custom transport initial

* transport codecs

* runtime set transport

* events transport

* clauded example

* bundled runtime

* wip: transport

* rework transports

* rework dialog responses

* cleanup

* cleanup

* improve error handling in HTTPTransport

* cleanup

* cleanup

* cleanup

* cleanup

* review changes

* review changes

* review changes

* review changes

* review changes

* review changes

* review changes

* move documentation to website docs

* update doc

* update changelog

* introduce JSClient method for transport for embedding JS part in transport

---------

Co-authored-by: Atterpac <Capretta.Michael@gmail.com>
Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
- Add RawMessageHandler section to Application API reference
- Add System.invoke() to Frontend Runtime reference
- Create comprehensive Raw Messages guide

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Rename `HandleCustomProtocol` to `HandleOpenURL` and add universal link support on macOS.

* Update changelog.

* add docs

* add docs

---------

Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
* Add support for origin tracking in raw message handling

- Implemented origin and top origin tracking for web messages from JavaScript.
- Updated `RawMessageHandler` to include `originInfo`.
- Added cross-platform support for retrieving the origin of messages in macOS, Windows, and Linux.

* fix build

* fix build

* fix build

* fix build

* fix build

* Fix nil checks and string handling for message origins across platforms

- Ensure proper fallback to empty strings for `origin` and `topOrigin` when errors or nil values are encountered.
- Normalize handling of `message.body` to account for non-NSString values in macOS.

* add docs

* Remove unused doc

* update changelog

* fix build

---------

Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
…entation (#4758)

* Update `RawMessageHandler` to include `originInfo` parameter in documentation

- Expanded examples and handler signature to reflect the additional `originInfo` parameter.
- Detailed `OriginInfo` structure and its platform-specific behaviors added.

* Expand `raw-messages` documentation to include origin validation guidance
Replace <Aside type="caution"> JSX with :::caution markdown syntax
to fix the docs build error.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…4687)

* Add window name header when making webview requests

* Add changelog item

* Update PR no in changelog entry

---------

Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
* fix(v3): fixed update plist, close #4636

* chore: update changelog

* feat: add recursive merge support for nested plist dictionaries

Previously, the plist merge was shallow - nested dictionaries were
completely replaced rather than recursively merged. This caused custom
nested configurations to be lost during build asset updates.

Now nested dictionaries are recursively merged, preserving custom keys
at all levels while still allowing new keys to be added and existing
keys to be updated.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: replace temp directory with backup-based plist merge

Instead of extracting to a temp directory and copying files over,
we now:
1. Rename existing plists to .plist.bak
2. Extract new assets directly to target
3. Merge backup content into newly extracted plists
4. Clean up backup files

This is simpler, more crash-safe (backups remain if process crashes),
and avoids the overhead of a temp directory and file copying.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* Add aria-label to elements in the helloworld app templates so they can be directly tested by Appium based E2E test clients

* changelog updated

* fix: restore UNRELEASED_CHANGELOG.md to correct state

Remove accidentally merged changelog entries from other PRs and
restore the base entries from v3-alpha with only this PR's changelog entry.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Lea Anthony <lea.anthony@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
This commit integrates iOS platform support for Wails v3, adapting the
iOS-specific code to work with the new transport layer architecture.

Key changes:
- Add iOS-specific application, webview, and runtime files
- Add iOS event types and processing
- Add iOS examples and templates
- Update messageprocessor to handle iOS requests
- Move badge_ios.go to dock package

Note: The iOS branch was based on an older v3-alpha and required
significant conflict resolution due to the transport layer refactor
(PR #4702). Some iOS-specific code may need further adaptation:
- processIOSMethod needs to be implemented with new RuntimeRequest signature
- iOS event generation in tasks/events/generate.go needs updating

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit integrates Android platform support for Wails v3.

Key changes:
- Add Android-specific application, webview, and runtime files
- Add Android event types
- Add Android examples and build system (Gradle)
- Add JNI bridge for Go <-> Java communication
- Update application options for Android configuration
- Add Android include to common Taskfile template

Note: The Android branch was more recent than the iOS branch
and had fewer conflicts with the transport layer refactor.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix merge conflict marker in application_options.go
- Add AGENTS.md with beads workflow documentation for AI agents

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…sport

Transport layer refactor adaptations for mobile platforms:

- Refactor processIOSMethod to use RuntimeRequest signature
- Refactor processAndroidMethod to use RuntimeRequest signature
- Add androidRequest constant (12) and handler to messageprocessor.go
- Update messageprocessor_mobile_stub.go for non-mobile builds
- Fix undefined windowID variable (use req.WebviewWindowID)
- Add iOS event generation to tasks/events/generate.go
- Add InvalidIOSCallError and InvalidAndroidCallError to errs package
- Update iOS delegate and webview files with generated event handlers

iOS methods refactored: Haptics.Impact, Device.Info, Scroll settings,
Navigation gestures, Link previews, Debug inspector, UserAgent

Android methods refactored: Haptics.Vibrate, Device.Info, Toast.Show

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…skfile

- Remove duplicate iOS subcommand registration in main.go (merge artifact)
- Make SDK_PATH a task-level variable in iOS Taskfile to avoid eager
  evaluation that fails on non-macOS systems when running Android builds

This fixes Android builds failing with "xcrun: command not found" on
Linux systems where Xcode tools are unavailable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The iOS branch modified events.go with debug println statements and
changed the EventProcessor.Emit signature from returning error to void.
This broke compatibility with event_manager.go and messageprocessor_events.go.

Restored the v3-alpha version which:
- Uses atomic.Bool for cancelled flags (thread-safe)
- Has EventProcessor.Emit return error for validation
- Includes decodeEventData and validateCustomEvent functions
- Removes debug println statements

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
⚠️ EXPERIMENTAL: This feature is under active development and may change.

This merge adds initial support for building Wails applications for iOS
and Android platforms. Desktop builds are completely unaffected as mobile
code uses platform-specific build tags.

## What's Included

### iOS Support
- Native iOS app structure with WKWebView
- iOS-specific runtime methods (haptics, device info, scroll settings, etc.)
- Xcode project generation (`wails3 ios xcode:gen`)
- iOS Simulator deployment via Taskfile
- Native UITabBar support
- iOS application lifecycle events

### Android Support
- Android app structure with WebView
- Android-specific runtime methods (haptics, device info, toast)
- Gradle-based build system
- APK generation and emulator deployment
- Android NDK cross-compilation support

### Transport Layer
- iOS and Android message processors adapted to new RuntimeRequest pattern
- Mobile-specific error types (InvalidIOSCallError, InvalidAndroidCallError)
- Platform stubs for non-mobile builds

### Build System
- New Taskfile includes for ios: and android: tasks
- Lazy SDK_PATH evaluation (iOS builds don't break Android on Linux)
- Project templates include mobile build configurations

## Requirements
- iOS: macOS with Xcode 15+
- Android: Android Studio with NDK r26d

## Known Limitations
- Some mobile APIs are stubbed pending full implementation
- Mobile builds require platform-specific toolchains
- Not yet tested in production environments

Report issues: https://github.com/wailsapp/wails/issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove local database files that shouldn't be tracked in version control.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…ations

The iOS service stubs were importing a non-existent package
`github.com/wailsapp/wails/v3/pkg/services` and using an incompatible
interface pattern.

This fix rewrites both files to follow the same pattern as other platforms
(Linux, Windows, Darwin):
- Implement the internal platformDock/platformNotifier interfaces
- Provide New() functions returning *DockService/*NotificationService
- Stub all required interface methods

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
leaanthony and others added 7 commits April 29, 2026 21:21
- Remove the GitHub Pages deploy workflow; the v3 site now builds and
  publishes via the new Cloudflare Pages project `wails-v3-site`,
  which deploys on every push to v3-alpha that touches docs/*.
- Drop the root CNAME file; CF Pages manages the v3.wails.io custom
  domain in its own dashboard.

The previous v3alpha.wails.io URL is preserved as a 301 redirect to
v3.wails.io via a CF zone redirect rule, so existing inbound links
keep working.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore: remove orphaned root-level debris

Drops files that accumulated at the repo root and aren't referenced
anywhere:

- pr_4570.diff (orphaned patch artifact from PR #4570)
- test-changelog-extraction.sh, test-ios-compile.sh,
  test-version-logic.sh (one-off helper scripts; logic that is still
  needed lives under v3/scripts/ instead)
- test-workflow.md (notes file, no longer current)

Reduces noise at the repo root and trims surface area before the
v3-alpha → master merge.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: remove abandoned mkdocs-website experiment

Deletes the entire `mkdocs-website/` directory. It was an
alternative MkDocs-based docs setup, not deployed anywhere
(the v3 docs ship from `docs/` via Cloudflare Pages and
the v2 docs ship from `website/`), and has been confirmed
abandoned.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(workflows): drop auto-label-issues workflow

Companion deletion to the master-side PR; retiring the auto-labeller
rather than keeping it across both versions. Removing here so the
v3-alpha → master merge has no conflict on this file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(workflows): drop test-nightly-releases and issue-triage-automation

Companion deletion to the master-side PR; retiring both ahead of the
v3-alpha → master merge so neither file appears in the conflict set.
Issue triage is moving to a real agent-driven workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…5270)

* chore(workflows): pre-merge auto-label and changelog-trigger from master

Adopts two changes that already exist on master so the eventual
v3-alpha → master merge has fewer conflicts to hand-resolve:

- auto-label-issues.yml: switch the PR trigger from `pull_request` to
  `pull_request_target` so the workflow can label PRs from forks
  (security hardening already in place on master).
- unreleased-changelog-trigger.yml: add the `actions: write` permission
  needed by the trigger step (already in place on master).

No behaviour change for v3-alpha-only paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(workflows): keep v3-alpha's pull_request_target on auto-label-issues

I had the direction backwards in the previous commit on this branch.
v3-alpha already uses pull_request_target (the security-hardened
trigger that lets the workflow label PRs from forks); master is the
one still on the older pull_request. The fix to auto-label-issues
belongs on master, not on v3-alpha. Reverting that part of this PR
so v3-alpha keeps its current behaviour. The unreleased-changelog
permission update remains.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…-merge changelog-trigger permission from master
Brings the v3 codebase onto master so v2 (in v2/) and v3 (in v3/)
live side-by-side on a single branch, with a single docs source on
Cloudflare Pages and one set of CI pipelines.

Conflict resolution:
- v2/examples/customlayout/go.{mod,sum}: kept master (v2 territory).
- v2/internal/staticanalysis/test/standard/go.{mod,sum}: kept master.
- v3/scripts/validate-changelog.go: kept v3-alpha.
- .github/workflows/build-and-test.yml: kept master (v2 tests).
- .github/workflows/build-and-test-v3.yml: kept v3-alpha + retargeted
  the trigger from v3-alpha to master.
- .github/workflows/build-cross-image.yml: kept v3-alpha.
- .github/workflows/pr-master.yml: kept master.
- .github/workflows/pr.yml: accepted master's deletion (v3-alpha had
  renamed it to pr-master.yml; master's deletion stands).
- .github/pull_request_template.md: hand-merged — kept v3 alpha
  source-install warning, simplified the changelog checklist (v3
  changelog entries are added automatically).
- website/src/pages/changelog.mdx: kept master (v2 changelog).

Workflow retargeting (v3-alpha branch references → master):
- auto-changelog-v3.yml: branches trigger, ref, push target.
- automated-releases.yml: ref, push origin, --target.
- build-and-test-v3.yml: branches trigger + base_ref guards.
- build-cross-image.yml: branches trigger + workflow_dispatch default.
- changelog-v3.yml: branches trigger, fetch/checkout/push.
- cross-compile-test-v3.yml: branches trigger.
- nightly-release-v3.yml: ref.
- publish-npm.yml: branches trigger + ref.
- semgrep.yml: removed v3-alpha from push branches.
- unreleased-changelog-trigger.yml: branches trigger + refs.

Cosmetic v3-alpha references (job names, log strings, comments,
the v3-alpha issue label) are unchanged and will be cleaned up in
the Phase D documentation sweep.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 29, 2026 12:16

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

@coderabbitai

coderabbitai Bot commented Apr 29, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Too many files!

This PR contains 268 files, which is 118 over the limit of 150.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bde429f1-09bd-4861-aa2f-9ab23c85564b

📥 Commits

Reviewing files that changed from the base of the PR and between f008355 and 5d3144a.

⛔ Files ignored due to path filters (32)
  • docs/package-lock.json is excluded by !**/package-lock.json
  • docs/public/d2/docs/DEVELOPER_GUIDE-0.svg is excluded by !**/*.svg
  • docs/public/d2/docs/DEVELOPER_GUIDE-1.svg is excluded by !**/*.svg
  • docs/public/favicon.svg is excluded by !**/*.svg
  • docs/public/missing.png is excluded by !**/*.png
  • docs/public/sponsors/sponsors.svg is excluded by !**/*.svg
  • docs/public/sponsors/zsa.png is excluded by !**/*.png
  • docs/src/assets/blog-images/devtools.png is excluded by !**/*.png
  • docs/src/assets/blog-images/montage.png is excluded by !**/*.png
  • docs/src/assets/menus/context-menu.png is excluded by !**/*.png
  • docs/src/assets/notes-app.png is excluded by !**/*.png
  • docs/src/assets/qr1.png is excluded by !**/*.png
  • docs/src/assets/qr2.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/clave.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/esp-studio.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/mac-app.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/mchat.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/restic-browser-2.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/snippetexpandergui-add-snippet.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/snippetexpandergui-search-and-paste.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/snippetexpandergui-select-snippet.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/surge.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/warmine1.png is excluded by !**/*.png
  • docs/src/assets/showcase-images/warmine2.png is excluded by !**/*.png
  • docs/src/assets/todo-app.png is excluded by !**/*.png
  • docs/src/assets/wails-logo-dark.svg is excluded by !**/*.svg
  • docs/src/assets/wails-logo-horizontal-dark.svg is excluded by !**/*.svg
  • docs/src/assets/wails-logo-horizontal-light.svg is excluded by !**/*.svg
  • docs/src/assets/wails-logo-light.svg is excluded by !**/*.svg
  • docs/src/assets/wails_build.mp4 is excluded by !**/*.mp4
  • docs/src/assets/wails_dev.mp4 is excluded by !**/*.mp4
  • docs/src/assets/wails_init.mp4 is excluded by !**/*.mp4
📒 Files selected for processing (268)
  • .all-contributorsrc
  • .beads/issues.jsonl
  • .coderabbit.yaml
  • .gitattributes
  • .github/ISSUE_TEMPLATE/bug_report.yml
  • .github/pull_request_template.md
  • .github/workflows/auto-changelog-v3.yml
  • .github/workflows/automated-releases.yml
  • .github/workflows/build-and-test-v3.yml
  • .github/workflows/build-and-test.yml
  • .github/workflows/build-cross-image.yml
  • .github/workflows/changelog-v3.yml
  • .github/workflows/cross-compile-test-v3.yml
  • .github/workflows/nightly-release-v3.yml
  • .github/workflows/pr-master.yml
  • .github/workflows/publish-npm.yml
  • .github/workflows/semgrep.yml
  • .github/workflows/test-simple.yml
  • .github/workflows/unreleased-changelog-trigger.yml
  • .github/workflows/weekly-release-v2.yml
  • .gitignore
  • .prettierrc.yml
  • AGENTS.md
  • IMPLEMENTATION.md
  • IOS_ARCHITECTURE.md
  • Taskfile.yaml
  • docs/.gitignore
  • docs/.npmrc
  • docs/.vscode/extensions.json
  • docs/.vscode/launch.json
  • docs/CNAME
  • docs/README.md
  • docs/Taskfile.yml
  • docs/astro.config.mjs
  • docs/package.json
  • docs/public/showcase-images/bboard.webp
  • docs/public/showcase-images/cfntracker.webp
  • docs/public/showcase-images/edex-ui.webp
  • docs/public/showcase-images/emailit.webp
  • docs/public/showcase-images/encrypteasy.webp
  • docs/public/showcase-images/filehound.webp
  • docs/public/showcase-images/gamestacker.webp
  • docs/public/showcase-images/hiposter.webp
  • docs/public/showcase-images/mchat.webp
  • docs/public/showcase-images/minecraft-mod-updater.webp
  • docs/public/showcase-images/minesweeper-xp.webp
  • docs/public/showcase-images/modalfilemanager.webp
  • docs/public/showcase-images/mollywallet.webp
  • docs/public/showcase-images/october.webp
  • docs/public/showcase-images/optimus.webp
  • docs/public/showcase-images/portfall.webp
  • docs/public/showcase-images/resizem.webp
  • docs/public/showcase-images/riftshare-main.webp
  • docs/public/showcase-images/scriptbar.webp
  • docs/public/showcase-images/tiny-rdm1.webp
  • docs/public/showcase-images/tiny-rdm2.webp
  • docs/public/showcase-images/varly2.webp
  • docs/public/showcase-images/wailsterm.webp
  • docs/public/showcase-images/wally.webp
  • docs/public/showcase-images/wombat.webp
  • docs/public/showcase-images/ytd.webp
  • docs/public/sponsors/jetbrains-grayscale.webp
  • docs/src/assets/blog-images/browser.webp
  • docs/src/assets/blog-images/build-cross-windows.webp
  • docs/src/assets/blog-images/build-darwin-amd.webp
  • docs/src/assets/blog-images/build-darwin-arm.webp
  • docs/src/assets/blog-images/build-darwin-universal.webp
  • docs/src/assets/blog-images/linux-build-cross-windows.webp
  • docs/src/assets/blog-images/multiwindow.webp
  • docs/src/assets/blog-images/remote-linux.webp
  • docs/src/assets/blog-images/remote-mac.webp
  • docs/src/assets/blog-images/remote.webp
  • docs/src/assets/blog-images/vscode.webp
  • docs/src/assets/blog-images/wails-linux.webp
  • docs/src/assets/blog-images/wails-mac.webp
  • docs/src/assets/blog-images/wails-menus-linux.webp
  • docs/src/assets/blog-images/wails-menus-mac.webp
  • docs/src/assets/blog-images/wails-menus.webp
  • docs/src/assets/blog-images/wails.webp
  • docs/src/assets/contributors.html
  • docs/src/assets/showcase-images/bboard.webp
  • docs/src/assets/showcase-images/cfntracker.webp
  • docs/src/assets/showcase-images/emailit.webp
  • docs/src/assets/showcase-images/encrypteasy.webp
  • docs/src/assets/showcase-images/filehound.webp
  • docs/src/assets/showcase-images/hiposter.webp
  • docs/src/assets/showcase-images/minecraft-mod-updater.webp
  • docs/src/assets/showcase-images/minesweeper-xp.webp
  • docs/src/assets/showcase-images/modalfilemanager.webp
  • docs/src/assets/showcase-images/mollywallet.webp
  • docs/src/assets/showcase-images/october.webp
  • docs/src/assets/showcase-images/optimus.webp
  • docs/src/assets/showcase-images/portfall.webp
  • docs/src/assets/showcase-images/resizem.webp
  • docs/src/assets/showcase-images/riftshare-main.webp
  • docs/src/assets/showcase-images/scriptbar.webp
  • docs/src/assets/showcase-images/tiny-rdm1.webp
  • docs/src/assets/showcase-images/tiny-rdm2.webp
  • docs/src/assets/showcase-images/varly2.webp
  • docs/src/assets/showcase-images/wailsterm.webp
  • docs/src/assets/showcase-images/wally.webp
  • docs/src/assets/showcase-images/wombat.webp
  • docs/src/assets/showcase-images/ytd.webp
  • docs/src/components/CardAnimation.astro
  • docs/src/content/authors.ts
  • docs/src/content/config.ts
  • docs/src/content/docs/blog/2021-09-27-v2-beta1-release-notes.md
  • docs/src/content/docs/blog/2021-11-08-v2-beta2-release-notes.md
  • docs/src/content/docs/blog/2022-02-22-v2-beta3-release-notes.md
  • docs/src/content/docs/blog/2022-09-22-v2-release-notes.md
  • docs/src/content/docs/blog/2023-01-17-v3-roadmap.md
  • docs/src/content/docs/blog/2024-12-03-alpha10-and-new-release-strategy.md
  • docs/src/content/docs/changelog.mdx
  • docs/src/content/docs/community/links.md
  • docs/src/content/docs/community/showcase/_template.md
  • docs/src/content/docs/community/showcase/bulletinboard.md
  • docs/src/content/docs/community/showcase/cfntracker.md
  • docs/src/content/docs/community/showcase/clave.md
  • docs/src/content/docs/community/showcase/emailit.md
  • docs/src/content/docs/community/showcase/encrypteasy.md
  • docs/src/content/docs/community/showcase/espstudio.md
  • docs/src/content/docs/community/showcase/filehound.md
  • docs/src/content/docs/community/showcase/hiposter.md
  • docs/src/content/docs/community/showcase/index.mdx
  • docs/src/content/docs/community/showcase/mchat.md
  • docs/src/content/docs/community/showcase/minecraftupdater.md
  • docs/src/content/docs/community/showcase/minesweeper-xp.md
  • docs/src/content/docs/community/showcase/modalfilemanager.md
  • docs/src/content/docs/community/showcase/mollywallet.md
  • docs/src/content/docs/community/showcase/october.md
  • docs/src/content/docs/community/showcase/optimus.md
  • docs/src/content/docs/community/showcase/portfall.md
  • docs/src/content/docs/community/showcase/resizem.md
  • docs/src/content/docs/community/showcase/restic-browser.md
  • docs/src/content/docs/community/showcase/riftshare.md
  • docs/src/content/docs/community/showcase/scriptbar.md
  • docs/src/content/docs/community/showcase/snippetexpander.md
  • docs/src/content/docs/community/showcase/surge.md
  • docs/src/content/docs/community/showcase/tinyrdm.md
  • docs/src/content/docs/community/showcase/wailsterm.md
  • docs/src/content/docs/community/showcase/wally.md
  • docs/src/content/docs/community/showcase/warmine.md
  • docs/src/content/docs/community/showcase/wombat.md
  • docs/src/content/docs/community/showcase/ytd.md
  • docs/src/content/docs/community/templates.md
  • docs/src/content/docs/concepts/architecture.mdx
  • docs/src/content/docs/concepts/bridge.mdx
  • docs/src/content/docs/concepts/build-system.mdx
  • docs/src/content/docs/concepts/lifecycle.mdx
  • docs/src/content/docs/concepts/manager-api.mdx
  • docs/src/content/docs/contributing.mdx
  • docs/src/content/docs/contributing/_category_.json
  • docs/src/content/docs/contributing/architecture.mdx
  • docs/src/content/docs/contributing/architecture/bindings.mdx
  • docs/src/content/docs/contributing/asset-server.mdx
  • docs/src/content/docs/contributing/binding-system.mdx
  • docs/src/content/docs/contributing/build-packaging.mdx
  • docs/src/content/docs/contributing/codebase-layout.mdx
  • docs/src/content/docs/contributing/extending-wails.mdx
  • docs/src/content/docs/contributing/getting-started.mdx
  • docs/src/content/docs/contributing/index.mdx
  • docs/src/content/docs/contributing/runtime-internals.mdx
  • docs/src/content/docs/contributing/setup.mdx
  • docs/src/content/docs/contributing/standards.mdx
  • docs/src/content/docs/contributing/template-system.mdx
  • docs/src/content/docs/contributing/testing-ci.mdx
  • docs/src/content/docs/credits.mdx
  • docs/src/content/docs/faq.mdx
  • docs/src/content/docs/features/bindings/advanced.mdx
  • docs/src/content/docs/features/bindings/best-practices.mdx
  • docs/src/content/docs/features/bindings/enums.mdx
  • docs/src/content/docs/features/bindings/methods.mdx
  • docs/src/content/docs/features/bindings/models.mdx
  • docs/src/content/docs/features/bindings/services.mdx
  • docs/src/content/docs/features/browser/integration.mdx
  • docs/src/content/docs/features/clipboard/basics.mdx
  • docs/src/content/docs/features/dialogs/custom.mdx
  • docs/src/content/docs/features/dialogs/file.mdx
  • docs/src/content/docs/features/dialogs/message.mdx
  • docs/src/content/docs/features/dialogs/overview.mdx
  • docs/src/content/docs/features/drag-and-drop/files.mdx
  • docs/src/content/docs/features/drag-and-drop/html.mdx
  • docs/src/content/docs/features/environment/info.mdx
  • docs/src/content/docs/features/events/system.mdx
  • docs/src/content/docs/features/keyboard/shortcuts.mdx
  • docs/src/content/docs/features/menus/application.mdx
  • docs/src/content/docs/features/menus/context.mdx
  • docs/src/content/docs/features/menus/reference.mdx
  • docs/src/content/docs/features/menus/systray.mdx
  • docs/src/content/docs/features/notifications/overview.mdx
  • docs/src/content/docs/features/platform/dock.mdx
  • docs/src/content/docs/features/screens/info.mdx
  • docs/src/content/docs/features/windows/basics.mdx
  • docs/src/content/docs/features/windows/events.mdx
  • docs/src/content/docs/features/windows/frameless.mdx
  • docs/src/content/docs/features/windows/multiple.mdx
  • docs/src/content/docs/features/windows/options.mdx
  • docs/src/content/docs/feedback.mdx
  • docs/src/content/docs/getting-started/installation.mdx
  • docs/src/content/docs/getting-started/your-first-app.mdx
  • docs/src/content/docs/guides/_category_.json
  • docs/src/content/docs/guides/architecture.mdx
  • docs/src/content/docs/guides/build/building.mdx
  • docs/src/content/docs/guides/build/cross-platform.mdx
  • docs/src/content/docs/guides/build/customization.mdx
  • docs/src/content/docs/guides/build/linux.mdx
  • docs/src/content/docs/guides/build/macos.mdx
  • docs/src/content/docs/guides/build/signing.mdx
  • docs/src/content/docs/guides/build/windows.mdx
  • docs/src/content/docs/guides/cli.mdx
  • docs/src/content/docs/guides/custom-templates.mdx
  • docs/src/content/docs/guides/custom-transport.mdx
  • docs/src/content/docs/guides/customising-windows.mdx
  • docs/src/content/docs/guides/distribution/auto-updates.mdx
  • docs/src/content/docs/guides/distribution/custom-protocols.mdx
  • docs/src/content/docs/guides/e2e-testing.mdx
  • docs/src/content/docs/guides/events-reference.mdx
  • docs/src/content/docs/guides/file-associations.mdx
  • docs/src/content/docs/guides/gin-routing.mdx
  • docs/src/content/docs/guides/gin-services.mdx
  • docs/src/content/docs/guides/installers.mdx
  • docs/src/content/docs/guides/menus.mdx
  • docs/src/content/docs/guides/panic-handling.mdx
  • docs/src/content/docs/guides/performance.mdx
  • docs/src/content/docs/guides/raw-messages.mdx
  • docs/src/content/docs/guides/routing.mdx
  • docs/src/content/docs/guides/security.mdx
  • docs/src/content/docs/guides/server-build.mdx
  • docs/src/content/docs/guides/single-instance.mdx
  • docs/src/content/docs/guides/testing.mdx
  • docs/src/content/docs/guides/windows-uac.mdx
  • docs/src/content/docs/index.mdx
  • docs/src/content/docs/migration/v2-to-v3.mdx
  • docs/src/content/docs/quick-start/first-app.mdx
  • docs/src/content/docs/quick-start/installation.mdx
  • docs/src/content/docs/quick-start/next-steps.mdx
  • docs/src/content/docs/quick-start/why-wails.mdx
  • docs/src/content/docs/reference/application.mdx
  • docs/src/content/docs/reference/cli.mdx
  • docs/src/content/docs/reference/dialogs.mdx
  • docs/src/content/docs/reference/events.mdx
  • docs/src/content/docs/reference/frontend-runtime.mdx
  • docs/src/content/docs/reference/menu.mdx
  • docs/src/content/docs/reference/overview.mdx
  • docs/src/content/docs/reference/updater.mdx
  • docs/src/content/docs/reference/window.mdx
  • docs/src/content/docs/status.mdx
  • docs/src/content/docs/troubleshooting/mac-syso.mdx
  • docs/src/content/docs/tutorials/01-creating-a-service.mdx
  • docs/src/content/docs/tutorials/02-todo-vanilla.mdx
  • docs/src/content/docs/tutorials/03-notes-vanilla.mdx
  • docs/src/content/docs/tutorials/overview.mdx
  • docs/src/content/docs/whats-new.md
  • docs/src/env.d.ts
  • docs/src/stylesheets/extra.css
  • docs/tsconfig.json
  • qodana.yaml
  • v2/cmd/wails/build.go
  • v2/cmd/wails/doctor.go
  • v2/cmd/wails/internal/dev/dev.go
  • v2/cmd/wails/internal/dev/stdout_scanner.go
  • v2/go.mod
  • v2/internal/app/app_devtools.go
  • v2/internal/binding/binding.go
  • v2/internal/frontend/desktop/darwin/WailsMenu.m
  • v2/internal/frontend/desktop/darwin/browser.go
  • v2/internal/frontend/desktop/darwin/frontend.go
  • v2/internal/frontend/desktop/linux/browser.go

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch merge/v3-alpha

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Comment thread .github/workflows/automated-releases.yml Fixed
Comment thread .github/workflows/automated-releases.yml Fixed
Comment thread .github/workflows/automated-releases.yml Fixed
Comment thread .github/workflows/automated-releases.yml Fixed
Comment thread .github/workflows/automated-releases.yml Fixed
Comment on lines +17 to +33
name: Check PR Approval
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch' || github.event.review.state == 'approved'
outputs:
approved: ${{ steps.check.outputs.approved }}
steps:
- name: Check if PR is approved or manual dispatch
id: check
run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
echo "Manual dispatch, proceeding with cross-compile tests"
else
echo "PR approved, proceeding with cross-compile tests"
fi
echo "approved=true" >> $GITHUB_OUTPUT

cross_compile:
Comment on lines +34 to +120
name: Cross-Compile (${{ matrix.target_os }}/${{ matrix.target_arch }})
needs: check_approval
runs-on: ${{ matrix.runner }}
if: needs.check_approval.outputs.approved == 'true'
strategy:
fail-fast: false
matrix:
include:
- target_os: darwin
target_arch: arm64
runner: ubuntu-latest
- target_os: darwin
target_arch: amd64
runner: ubuntu-latest
- target_os: linux
target_arch: arm64
runner: ubuntu-24.04-arm # Native ARM64 runner - much faster than QEMU
- target_os: linux
target_arch: amd64
runner: ubuntu-latest
- target_os: windows
target_arch: arm64
runner: ubuntu-latest
- target_os: windows
target_arch: amd64
runner: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Checkout PR (if specified)
if: github.event_name == 'workflow_dispatch' && inputs.pr_number != ''
run: gh pr checkout ${{ inputs.pr_number }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: '1.25'
cache: true
cache-dependency-path: "v3/go.sum"

- name: Install Task
uses: arduino/setup-task@v2
with:
version: 3.x
repo-token: ${{ secrets.GITHUB_TOKEN }}

- name: Install Linux dependencies
uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: libgtk-3-dev libwebkit2gtk-4.1-dev libwayland-dev build-essential pkg-config
version: 1.0

- name: Install Wails3 CLI
working-directory: v3
run: |
go install ./cmd/wails3
wails3 version

- name: Create test project
run: |
mkdir -p test-cross-compile
cd test-cross-compile
wails3 init -n crosstest -t vanilla

- name: Setup Docker cross-compile image
working-directory: test-cross-compile/crosstest
run: task common:setup:docker

- name: Fix replace directive for Docker build
working-directory: test-cross-compile/crosstest
run: |
# Change the replace directive to use absolute path that matches Docker mount
go mod edit -dropreplace github.com/wailsapp/wails/v3
go mod edit -replace github.com/wailsapp/wails/v3=${{ github.workspace }}/v3

- name: Cross-compile for ${{ matrix.target_os }}/${{ matrix.target_arch }}
working-directory: test-cross-compile/crosstest
run: |
echo "Cross-compiling for ${{ matrix.target_os }}/${{ matrix.target_arch }}..."
task ${{ matrix.target_os }}:build ARCH=${{ matrix.target_arch }}
echo "Cross-compilation successful!"
ls -la bin/

cross_compile_results:
Comment on lines +121 to +135
if: ${{ always() }}
runs-on: ubuntu-latest
name: Cross-Compile Results
needs: [cross_compile]
steps:
- run: |
result="${{ needs.cross_compile.result }}"
echo "Cross-compile result: $result"
if [[ $result == "success" || $result == "skipped" ]]; then
echo "Cross-compile tests passed (or were skipped)!"
exit 0
else
echo "One or more cross-compile tests failed"
exit 1
fi
Comment on lines +12 to +46
name: Detect committed changes
if: github.event_name != 'workflow_dispatch'
outputs:
changed: ${{ steps.package-json-changes.outputs.any_modified == 'true' || steps.source-changes.outputs.any_modified == 'true' }}
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ github.sha }}
persist-credentials: 'true'

- name: Detect committed package.json changes
id: package-json-changes
uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
with:
files: |
v3/internal/runtime/desktop/@wailsio/runtime/package.json
v3/internal/runtime/desktop/@wailsio/runtime/package-lock.json

- name: Detect committed source changes
if: >-
steps.package-json-changes.outputs.any_modified != 'true'
id: source-changes
uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
with:
files: |
v3/internal/runtime/Taskfile.yaml
v3/internal/runtime/desktop/@wailsio/compiled/main.js
v3/internal/runtime/desktop/@wailsio/runtime/tsconfig.json
v3/internal/runtime/desktop/@wailsio/runtime/src/**
v3/pkg/events/events.txt
v3/tasks/events/**

rebuild_and_publish:
Comment on lines +8 to +11
runs-on: ubuntu-latest
steps:
- name: Test
run: echo "Hello World" No newline at end of file
Comment on lines +267 to +271
entry.innerHTML = `
<span class="log-time">${time}</span>
<span class="log-type">${type}</span>
<span class="log-message">${message}</span>
`;
return
}

cmd := exec.Command(parts[0], parts[1:]...)

if _, err := os.Stat(path); err == nil {
// Serve file from disk to make testing easy
http.ServeFile(w, r, path)
url := r.URL.Path
path := dir + "/assets" + url

if _, err := os.Stat(path); err == nil {
leaanthony and others added 2 commits April 29, 2026 22:21
…ntain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ntain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
"url": "https://github.com/sponsors/SuperchupuDev"
}
},
"node_modules/vite": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability may affect your project—review required:
Line 941 lists a dependency (vite) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of vite are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Missing Authentication for Critical Function. This occurs because the Vite Dev Server WebSocket improperly exposes the fetchModule method, allowing unauthenticated remote attackers to bypass filesystem restrictions and read arbitrary files from the host machine

References: GHSA, CVE

To resolve this comment:
Check if you enable vite dev server using --host flag and websocket is not disabled.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

"url": "https://github.com/sponsors/isaacs"
}
},
"node_modules/happy-dom": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability may affect your project—review required:
Line 1581 lists a dependency (happy-dom) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of happy-dom are vulnerable to Improper Control of Generation of Code ('Code Injection'). Happy DOM's ECMAScriptModuleCompiler is vulnerable to code injection because content inside export { } declarations in ES module scripts is extracted via regex and interpolated directly into generated JavaScript as an executable expression without validation. The quote filter strips " and ' but not backticks, so template-literal payloads like export { require(\child_process`).execSync(`id`) }` survive sanitization and execute arbitrary commands when happy-dom evaluates the module. Attackers who can inject or control HTML processed by happy-dom (SSR applications, web scrapers, testing pipelines) can achieve remote code execution on the host.

References: GHSA, CVE

To resolve this comment:
Check if you process untrusted HTML with JavaScript evaluation enabled (enabled by default in versions before 20.0.0, opt-in afterwards).

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

"node": "^10 || ^12 || >=14"
}
},
"node_modules/rollup": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability may affect your project—review required:
Line 569 lists a dependency (rollup) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of rollup are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

References: GHSA, CVE

To resolve this comment:
Check if you use Rollup to bundle JavaScript with import.meta.url and the output format is set to cjs, umd, or iife formats, while allowing users to inject scriptless HTML elements with unsanitized name attributes.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

@semgrep-code-wailsapp

Copy link
Copy Markdown

Semgrep found 8 ssc-6193c409-cebc-449c-8a55-f95fa9d0e4f0 findings:

  • v3/examples/ios/frontend/package-lock.json
  • v3/examples/android/frontend/package-lock.json
  • v3/examples/file-association/frontend/package-lock.json
  • v3/internal/runtime/desktop/@wailsio/runtime/package-lock.json
  • v3/examples/dev/frontend/package-lock.json
  • v3/examples/dock/frontend/package-lock.json
  • v3/examples/custom-protocol-example/frontend/package-lock.json
  • v3/internal/setupwizard/frontend/package-lock.json

Risk: Affected versions of rollup are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Rollup is vulnerable to arbitrary file write via path traversal: chunk/asset names derived from user-controlled inputs (e.g., CLI named inputs, manual chunk aliases, or malicious plugins) are insufficiently sanitized, allowing ../ sequences to survive and be passed into path.resolve when computing output paths. This lets an attacker escape the configured output directory and overwrite arbitrary files on the host filesystem that the build process can write to, potentially leading to persistent RCE by clobbering shell/profile or other executable/config files.

Manual Review Advice: A vulnerability from this advisory is reachable if you are running rollup --input

Fix: Upgrade this library to at least version 4.59.0 at wails/v3/examples/ios/frontend/package-lock.json:824.

Reference(s): GHSA-mw96-cpmx-2vgc, CVE-2026-27606

leaanthony and others added 5 commits April 29, 2026 22:35
- All workflow go-version pins moved to 1.25 (was a mix of 1.22, 1.23,
  1.24): build-and-test.yml, build-and-test-v3.yml, automated-releases,
  changelog-v3, build-cross-image, pr-master, nightly-release-v3,
  weekly-release-v2, auto-changelog-v3.
- v2/go.mod: go 1.22.0 -> go 1.25.0. v3/go.mod was already 1.25.

Go 1.25's vet adds a new "non-constant format string" check; fix the
30 sites it flagged in v2 by passing "%s" as the explicit format
argument. Affects:
- pkg/runtime/log.go (12 wrapper calls)
- internal/frontend/dispatcher/log.go (6 wrapper calls)
- cmd/wails/internal/dev/dev.go (5 calls)
- pkg/commands/build/nsis_installer.go (2 calls)
- cmd/wails/build.go, internal/binding/binding.go,
  cmd/wails/internal/dev/stdout_scanner.go,
  internal/frontend/dispatcher/calls.go,
  internal/frontend/dispatcher/securecalls.go (1 each)

Verified locally: `go vet ./...` and `go test -run "^$" ./...`
clean on v2; v3 had no format-string issues.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- pkg/assetserver/assethandler.go: re-add the //go:embed defaultindex.html
  declaration that was removed in a0b2ab7 by mistake while leaving the
  reference at assetserver.go:175 intact, breaking the package build.
  defaultindex.html still ships in the package; just the var declaration
  was the orphaned deletion. Also switch fmt.Errorf(msg) -> errors.New(msg)
  for the non-format-string variant flagged by Go 1.25 vet.

- pkg/clilogger/clilogger.go: 2 more format-string sites that the local
  pass missed (recursive c.Fatal calls inside Println/Fatalf wrappers).

- internal/frontend/desktop/darwin/browser.go,
  internal/frontend/desktop/darwin/frontend.go: 4 darwin-only format-string
  sites that don't show in cross-OS vet from a Mac. Switched the
  fmt.Sprintf(...) wrappers to direct printf-style logger.Error calls.

Verified: `go vet ./...` clean on linux and darwin builds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Same surgical pattern as the darwin fixes — pass an explicit "%s"
format constant or switch to errors.New where the call passed a
non-constant string as the format argument.

Affects:
- internal/frontend/desktop/linux/browser.go (1 site)
- internal/frontend/desktop/linux/frontend.go (4 sites)
- internal/frontend/desktop/windows/browser.go (1 site)
- internal/frontend/desktop/windows/frontend.go (10 logger.Error sites + 1 winc.Errorf)
- internal/wv2installer/download.go (1 fmt.Errorf -> errors.New)
- internal/wv2installer/wv2installer.go (2 fmt.Errorf -> errors.New)
- pkg/assetserver/webview/request_windows.go (1 fmt.Errorf -> errors.New, with errors import)

Local GOOS=windows vet now clean. Linux files use the same surgical
pattern that already worked for darwin so I expect them to pass too.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
After replacing logger.Error(fmt.Sprintf(...)) with the printf-style
logger.Error(...), the "fmt" import is no longer used. Go's compiler
errors out on unused imports.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- internal/frontend/desktop/windows/frontend.go: 5 more
  logger.Error(fmt.Sprintf("...", args...)) sites switched to direct
  logger.Error("...", args...) printf-style. These didn't match my
  earlier sed because the format strings have multiple args (not just
  err.Error()).
- internal/wv2installer/{download.go,wv2installer.go}: drop the now-
  unused "fmt" import after the previous switch from fmt.Errorf to
  errors.New.

GOOS=windows go vet ./... locally clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@leaanthony leaanthony merged commit 35d801c into master Apr 29, 2026
19 of 21 checks passed
@leaanthony leaanthony deleted the merge/v3-alpha branch April 29, 2026 13:01
pull Bot pushed a commit to c3b2a7/wails that referenced this pull request Apr 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.