installation: bump dependencies and release v22.0.0

📁 invenio-accounts (6.2.1 -> 6.2.2 🐛)

    📦 release: v6.2.2

📁 invenio-administration (4.3.1 -> 4.3.2 🐛)

    📦 release: v4.3.2
    webpack: respect `COLLECT_STATIC_ROOT` when copying tinymce
    fix: typo in search empty resources message

📁 invenio-app-rdm (14.0.0b1.dev10 -> 14.0.0b3.dev4 🚀)

    📦 release: v14.0.0b1.dev10
    fix(deposit-ui): add explicit `data-label` for files section

    * This is a fix for allowing for the `FormFeedbackSummary` to be able to
      pick-up the correct "Files" label when reporting the error summary.
      Getting the text from the original `label` attribute didn't work
      because it has more than a single element/node, which caused the
      section to show up as `[object Object]` on the error banner.
    fix(tombstone): use consistent casing for labels
    release: v14.0.0b3.dev4
    fix: ensure that pages render if accessed via secret link
    UI: change button icon and text

    * smaller action buttons
    * match record request link to the one in modal
    * increase size of community icon
    fix: restrict to only community sub/inc reqs

    also
    * correct URL error which silently redirected correctly
    * sort requests so that newest is linked
    frontend: add direct link to request if user has access
    feat(css): styles for quote replies

    * Remove padding from popup to make the button more sleek

    * Reduce the default margin/padding on blockquotes to make nested quotes
    look neater.

    * Change text color within blockquotes to be a muted gray.
    fix(requests_ui): Inject lock_request and create_comment permissions
    fix: correct types

    - url is used in `fetch(url)` and fetch only takes a path
    - recordCommunitySearchConfig is a config, so is an object
    fix(deposit-ui): better display of expired file modification period
    📦 release: v14.0.0b1.dev9
    release: v14.0.0b3.dev3
    feat(css): request comment deep links

    * Add styles to show a request event as being selected when navigated to
    via a deep link
    details: fix: do not sanitize additional description in template
    admin: requests details view improvements

    - Replace `Record deletion` by `Deletion request for "Record name"`
    - Link showing all requests for a given user
    📦 release: v14.0.0b1.dev8
    📦 release: v14.0.0b3.dev2
    fix: revert mapping.js symlink
    UI: add info message about remaining days to publish changes
    request: add file mod request template
    fix: set files_locked to .locked rather than permission

    * currently the permission is whether you can unlock the files
    * but the files are only unlocked when you create the draft
    * as such as an admin when you edit a published draft, if it was
      created by a user it will look like the files are unlocked but
      this is false

    this PR correctly sets files_locked to whether the files are locked
    feat: pass file modification eval to deposit form
    fix: align selector with semantic-ui
    📦 release: v14.0.0b3.dev1
    UI: add info message about remaining days to publish changes
    request: add file mod request template
    fix: set files_locked to .locked rather than permission

    * currently the permission is whether you can unlock the files
    * but the files are only unlocked when you create the draft
    * as such as an admin when you edit a published draft, if it was
      created by a user it will look like the files are unlocked but
      this is false

    this PR correctly sets files_locked to whether the files are locked
    feat: pass file modification eval to deposit form
    fix: align selector with semantic-ui
    fix(views): pass API record to evaluate record deletion
    details: fix: do not sanitize additional description in template
    admin: requests details view improvements

    - Replace `Record deletion` by `Deletion request for "Record name"`
    - Link showing all requests for a given user
    📦 release: v14.0.0b1.dev7
    fix(views): pass API record to evaluate record deletion
    📦 release: v14.0.0b1.dev6
    tombstone: add deletion policy
    fix(deletion-request): never disable the existing deletion request link
    fix(deletion-request): fetch existing request only for valid users
    fix(deletion-request): removal reasons in landing page data attribute
    vocab: add deletion_request prefix to removal_reasons vocabulary
    ui: added related identifiers to vocabulary
    views: remove unused data attributes from recordManagementMobile
    requests: ui: only show justification if present
    tombstone: add deletion policy
    Update release date for version v14.0.0b3.dev0
    release: v14.0.0b3.dev0
    setup: bump oauthclient major version

    * Bumping the major version of invenio-oauthclient to 6.0.0

    * This includes which is not necessarily breaking but requires a manual DB migration for very
    large instances, as documented in the module's upgrade guide.

    * Further changes are yet come in v6 before RDM v14.
    fix(deletion-request): never disable the existing deletion request link
    fix(deletion-request): fetch existing request only for valid users
    fix(deletion-request): removal reasons in landing page data attribute
    vocab: add deletion_request prefix to removal_reasons vocabulary
    views: remove unused data attributes from recordManagementMobile
    requests: ui: only show justification if present
    fix(upgrade_scripts): Migrate deleted records as well
    📦 release: v14.0.0b2.dev4
    refactor(config): Update DataCite serializer for schema v4.5
    release: v14.0.0b2.dev3
    feat(shareBtn): handle optional required expiration

    * the new configuration variable RDM_RECORDS_REQUIRE_SECRET_LINKS_EXPIRATION adds the option to make the expiration date required
    * added error messages improve the user experience.
    feat(form): rename creators to authors and help text

    * rename the Creators field to Authors/Creators
    * add help text under Authors and Contributors to
      explain the difference
    📦 release: v14.0.0b2.dev2
    upgrade_scripts: v14: optimize scan to avoid scroll context overhead
    upgrade_scripts: v14: update related_identifers field
    📦 release: v14.0.0b2.dev1
    deposit-form: updated related works options vocab
    📦 release: v14.0.0b2.dev0
    installation: bump invenio-rdm-records
    upgrade_scripts: v14: Update draft.fork_revision_id to match with record.revision_id
    upgrade_scripts: v14: use low-level API for records with draft
    upgrade_scripts: Add v13 to v14 migration script
    ui: added related identifiers to vocabulary
    ui: format numbers in CompactStats

    * Adds locale-based formatting for large numbers using the HTML API
    `Intl.NumberFormat`

    * The locale is taken from `i18next.language`. The view count and the
    download count are both formatted.

    fix(macros): Fix custom fields vocabularies links on landing page
    fix(admin): use configured base template instead of hard-coded value

📁 invenio-assets (4.2.0 -> 4.2.1 🐛)

    release: v4.2.1
    setup: pin rspack

    * rspack >=1.7.0 introduced that 'this' in a closure will compile to an
      undefined value. so code which uses a callback and uses something like
      'this.props' in the function body will stop working.

    * the code should work as the javascript specs and tests show that the
      code should be correct so rspack introduced a bug with 1.7.0.

    * until now pinning to <1.7.0 is the fasted way to fix it.

📁 invenio-banners (5.2.0 -> 5.2.1 🐛)

    📦 release: v5.2.1
    fix: partially initialized module

    * since strtobool has been added to utils it created a partially
      initialized module problem. this is solved with this commit
    compatibility(312): distutils removed

    * distuils has been removed with python3.12. strtobool is the only
      function with a relatively clear specification. therefore
      reimplemented

📁 invenio-base (2.3.2 -> 2.4.0 🌈)

    📦 release: v2.4.0
    feat: add support for anchor in invenio_url_for

📁 invenio-collections (2.0.0 -> 2.1.0 🌈)

    📦 release: v2.1.0
    installation: bump invenio-rdm-records

📁 invenio-communities (21.1.1 -> 21.2.0 🌈)

    release: v21.2.0
    fix(tests): add lock/unlock links and remove reviewers field when disabled
    fix: add timeline_focused to tests
    feat: add link to submission request from communities modal
    UI: change community display for request link

📁 invenio-drafts-resources (7.3.0 -> 7.3.1 🐛)

    📦 release: v7.3.1

📁 invenio-github (3.0.2 -> 4.0.0 ⚠️)

    📦 release: v3.0.2
    api: optimize sync process with batch task execution

    * prevent GitHub page timeout with 504 after sync
    * optimize sync process with batch task execution
    * add tests for sync() and sync_repo_hooks() methods

    release: v4.0.0
    setup: bump oauthclient major version

    * Bumping the major version of invenio-oauthclient to 6.0.0

    * This includes which is not necessarily breaking but requires a manual DB migration for very
    large instances, as documented in the module's upgrade guide.

    * Further changes are yet come in v6 before RDM v14.
    api: optimize sync process with batch task execution

    * prevent GitHub page timeout with 504 after sync
    * optimize sync process with batch task execution
    * add tests for sync() and sync_repo_hooks() methods

📁 invenio-notifications (1.2.2 -> 1.2.3 🐛)

    📦 release: v1.2.3

📁 invenio-oaiserver (3.7.3 -> 3.7.4 🐛)

    📦 release: v3.7.4

📁 invenio-oauth2server (3.3.1 -> 3.3.2 🐛)

    📦 release: v3.3.2

📁 invenio-oauthclient (5.3.1 -> 6.1.1 ⚠️)

    📦 release: v6.1.1
    fix(refresh): allow non-compliant access token response type

    * GitHub and a small number of other implementations violate the RFC
    6749 5.1 by returning a default response type of
    `application/x-www-form-urlencoded` for the access token request,
    despite `application/json` being mandatory. During the response parsing
    in flask-oauthlib we therefore cannot identify the correct datatypes of
    the response params, as they're all string.

    * With the normal JSON type we can easily identify `expires_in` as an
    int. To continue this behaviour, I added a simple check to convert a
    string `expires_in` to an int. Without this, an error would be thrown
    during authentication with these implementations.
    release: v6.1.0
    feat(oauth2): support for refresh tokens

    * Added support for refresh tokens (RFC 6749 Section 6)

    * Created two new columns in the oauthclient_remotetoken to store the
    encrypted refresh token and the expiration date of the latest stored
    access token.

    * Extended the authorized handler to store the refresh token and
    expiration date when received from the server.

    * Added methods to the RemoteToken to check whether the token is
    expired, and to refresh the token.

    * Added unit tests to cover new functionality.

    feat: link-only remotes

    * Added support for remote apps that can be set to "link only": i.e.
    they can be connected to existing Invenio accounts but cannot be used to
    create new accounts or log in to existing ones. As such, they are only
    usable for third-party integrations rather than as identity providers.

    * The `link_only` option is a key on the remote app config dictionary.
    It does not affect remote accounts stored in the DB in any way, and can
    be enabled or disabled at any time. By default it is false, so current
    functionality is unaffected and these changes are fully
    backward-compatible. When enabled, the remote is hidden on the login
    page and signing in with it is prohibited on the backend with a
    user-facing flash error message.

    * If local accounts are disabled, users can disconnect all link-only
    accounts freely but cannot disconnect the last non-link-only account.
    release: v6.0.0
    perf(models): change `extra_data` to `JSONB`

    * `JSONB` is a newer and more efficient format for storing JSON in
    PostgreSQL. Compared to `JSON`, it offers significantly faster querying
    and indexing support (but is very slightly slower to input). The JSON is
    decomposed into a binary format rather than being stored in plaintext.

    * From a high-level perspective, the access of the data is unchanged in
    Python so this is not a breaking change. However, the new column type
    supports more querying operations which could be used in the future.

    * Migrating the column type is quite easy for small tables but can cause
    performance and stability issues for larger ones. Therefore, a default
    Alembic migration has been included for the vast majority of use cases,
    as well as a step-by-step alternative guide for larger instances.
    Instances with more than ~50k rows in `oauthclient_remoteaccount` are
    advised not to use the Alembic migration and to instead follow the
    upgrade guide.

📁 invenio-rdm-records (21.4.1 -> 22.7.0 ⚠️)

    📦 release: v21.4.1
    fix(deposit-ui): support `data-label` for specifying section label
    release: v22.7.0
    fix(access_requests_ui): Fix permissions for commenting with guest token
    fix(permissions): Fix can_create_comment to use parent attibute
    release: v22.6.0
    fix(requests): don't hard-code /me for record review request
    refactor(requests): move _update_link_config to new BaseRequest

    * The /me/requests/... route works for all requests in InvenioRDM and is
    a sensible choice for the `self_html` link of the `Request` and
    `RequestEvent` records. The `_update_link_config` method can be used to
    set additional variables such as the `ui` prefix.

    * Set the `ReviewRequest` class to inherit from a new `BaseRequest`
    class that sets `/me/requests/...` as the prefix. Also set the
    `RecordDeletion` class to inherit directly from `BaseRequest`.
    📦 release: v21.4.0
    feat: enable admins to edit files by default

    * enable feature by default
    * add admin policy and replace grace period policy
    * change UI so that you can only see the accordion if you are allowed to
      modify the files
    * change default time period to 30+15
    fix: save draft before reloading page after unlocking bucket
    fix: check if feat enabled correctly
    UI: add info about remaining days to publish changes
    fix: hide file modification if feature disabled
    components: files: check bucket unlocked outside modification period
    fix: add out of policy message
    backend: add file mod request and API
    feat: add file editing policy and evaluator
    feat: add edit files modal
    feat: add edit files accordion
    📦 release: v22.5.0
    feat: enable admins to edit files by default

    * enable feature by default
    * add admin policy and replace grace period policy
    * change UI so that you can only see the accordion if you are allowed to
      modify the files
    * change default time period to 30+15
    fix: save draft before reloading page after unlocking bucket
    fix: check if feat enabled correctly
    UI: add info about remaining days to publish changes
    fix: hide file modification if feature disabled
    components: files: check bucket unlocked outside modification period
    fix: add out of policy message
    backend: add file mod request and API
    feat: add file editing policy and evaluator
    feat: add edit files modal
    feat: add edit files accordion
    📦 release: v21.3.2
    record_deletion: fix tests
    tombstone: remove removal note when with policy

    Since we show policy description, this no longer required.
    feat(record-deletion): show deletion policy on tombstone
    serializer: ui: fix removed by to show owner/admin/system
    📦 release: v21.3.1
    fix(config): reuse community records search params config

    * Search params configured by `RDM_SEARCH_ARGS_SCHEMA` were
      not used in the `/api/communities/{id}/records` endpoint.
    Update release date for version v22.4.0
    release: v22.4.0
    setup: bump invenio-github major version

    * Bumping the major version of invenio-github to 4.0.0

    * This includes a performance improvement to the syncing system, as well
    as a new major version of `invenio-oauthclient`. However, there are no
    actual breaking changes.

    * The new major version is due to new DB migrations in
    `invenio-oauthclient`, since `invenio-github` has not had a major bump
    since InvenioRDM v13.
    record_deletion: fix tests
    tombstone: remove removal note when with policy

    Since we show policy description, this no longer required.
    feat(record-deletion): show deletion policy on tombstone
    serializer: ui: fix removed by to show owner/admin/system
    fix: showing all available suggestions in lang picker
    fix: use proper diacritics since Invenio supports UTF-8
    feat: added missing 'translator' role

    DataCite 4.6 supports 'Translator' as contributor type https://datacite-metadata-schema.readthedocs.io/en/4.6/properties/contributor/#a-contributortype which was not supported by InvenioRDM
    📦 release: v22.3.0
    feat(serializers.datacite): Add DataCite schema version 4.5 support
    * Add DataCite45JSONSerializer, use new serializer and schema for OAI and DCAT exports
    * The main DOI is moved from the identifiers list to it's own key "doi", and the alternate identifier DOIs are now added to the export for v4.5
    * Add tests fore the newly added DataCite JSON schema 4.5
    fix(services): Make 'notes' parameter optional in _update_quota
    release: v22.2.0
    feat: Make it configurable whether an expiration date must be set on a share access link or not.
    community-records: Adds service component calls to RecordCommunitiesService

    * Adds service component calls in the add, remove, set_default, and
      bulk_add methods. The component calls expect component method
      names matching the applicable permissions. The `remove` component call
      is actually made in the `_remove` method so that it can follow
      the permission check there for each individual community.

    * The placement of the component calls in each method is intended to allow
      maximum flixibility in modifying the service call's input data before
      performing the action on the records.

    * Adds a `components` property in the service config that reads components
      from the RDM_RECORD_COMMUNITIES_SERVICE_COMPONENTS variable if present
      (defaults to [])

    * Note that in bulk_add I've wrapped the set_default argument value in a
      dictionary (making it mutable) so that it can be updated inside the
      components.

    * Updates from original commit:
        - Added errors to arguments passed into RecordCommunitiesService
          components for remove method
        - using run_components method and set_app_config_fn_scoped test fixture
        - minor shift in position of set_default value setting
    release: v22.1.0
    feat(form): add help text to creatibutors btn
    release: v22.0.1
    fix(contrib): change meeting id schemes validator
    fix: duplicate uploads from resetting progress

    * Fix duplicate uploads from resetting progress.
    * Guard duplicate selections by comparing normalized names before upload.
    * Reuse existing upload state so failed files stay retryable without
      side effects.
    📦 release: v22.0.0
    serializers: bibtex: update resourcetype to publication-dissertation
    feat(resource_types)!: Remove publication-thesis

    BREAKING CHANGE: resource_type with id publication-dissertation will now be used instead as it is correctly mapped to the "Dissertation" type in DataCite

📁 invenio-records-resources (8.6.0 -> 8.7.1 🌈)

    📦 release: v8.7.1
    release: v8.7.0
    feat(records): return page number in RecordList

    * Added the current page number as part of the serialized RecordList
    result type. This is needed for cases where the page number included in
    the request differs from the actual page the view handler decided to
    return.
    * Specifically right now we need this for where
    the JS client requests a page that includes a given record (rather than
    a specific numbered page), and then needs to know which page was
    actually returned so it can update the local state.
    📦 release: v8.6.2
    release: v8.6.1
    fix(service): track errors on commit for create_update_many
    fix(multipart): recompute full file checksum if no parts are set

    * in our tests (with local file storage), multipart-uploaded files did
      not have a checksum set at all (it was set to `None`), which caused
      the task `recompute_multipart_checksum_task()` to fail

📁 invenio-records-ui (2.1.1 -> 2.1.2 🐛)

    📦 release: v2.1.2

📁 invenio-requests (10.3.1 -> 10.5.0 🌈)

    release: v10.5.0
    config: Add feature flag for locking and tests
    fix: remove record link for draft inclusion

    In 4ef6118f9986ba337a1d67ba7f5f7b482f6ebf96 we started showing this link
    for all record requests. Draft inclusion requests have a record as a
    topic, but there is no associated public record. As such we manually
    filter this out.
    services: Add translations for lock methods
    customizations: Add reviewers to scheme dynamically
    services: Better permissions and error handling
    services: permissions: Pass request to event result item
    fix(permissions): Lock request for all by default
    feat(requests): Add conversation locking functionality
    assets: invenio_requests: Make lock component overridable
    assets: invenio_requests: Make lock button unclickable until page reloaded
    assets: invenio_requests: Add help text with lock/unlock button
    assets: invenio_requests: Disable text editor on lock
    feat(requests): Add UI support for locking requests
    feat(events): quote comments in replies

    * Added a button in the comment action dropdown to qute that comment's
    contents in the new comment. When clicked, it appends the comment's
    contents to the RichEditor (inside a blockquote).

    * Added a tooltip that renders above any text highlighted within
    comments and is dynamically positioned to be in the midpoint of the
    selection. The tooltip contains a "Quote" button and a "Copy" button.
    When "Quote" is clicked, it performs the same action as above, but just
    for the selected portion of text.

    * Formatting is only kept in the quote for the first method, due to the
    complexities of propagating HTML formatting for partial selections.

    * The blockquote currently has no real pointer to the quoted comment,
    and is freely editable by the user.
    release: v10.4.0
    feat(events): deep links

    * Added a "Copy link" button to events/comments in the UI, which copies
    the current URL with a hash containing the event ID.

    * When TimelineFeed is mounted, it sees if there's a relevant hash in
    the URL, and requests the server to return the page that contains that
    event (instead of just requesting the first page).

    * Added an argument to the request event `search` route to return the
    page containing a given event instead of a specific numbered page. The
    actual page number chosen is returned by the server.
    This is calculated by counting the number of records older than the
    specified one and dividing by the page size.
    📦 release: v10.3.1
    📦 release: v10.3.0
    📦 release: v10.3.1
    📦 release: v10.3.0
    feat(editor): auto-save drafts

    * Added localStorage hooks to the state actions to save and restore the
    draft comment

    * When the comment is submitted successfully, we delete the local draft.
    We don't delete if there is an error while saving.

📁 invenio-search-ui (4.1.3 -> 4.1.5 🐛)

    📦 release: v4.1.5
    release: v4.1.4
    fix: fixed searchbar crashing
    *In case buildUID prop is not passed the
    component can crash entire search app

📁 invenio-theme (4.4.3 -> 4.5.0 🌈)

    release: v4.5.0
    css: reduce margin on blockquotes site-wide

    * Blockquotes currently have a large amount of margin, and this looks
    especially weird when nesting them.

    * They look more normal if they have a bit less margin and none at all
    when they are nested. Also, making their text muted-coloured makes it
    feel more natural too

📁 invenio-users-resources (9.0.2 -> 9.0.3 🐛)

    release: v9.0.3
    setup: bump oauthclient major version

    * Bumping the major version of invenio-oauthclient to 6.0.0

    * This includes
    which is
    not necessarily breaking but requires a manual DB migration for very
    large instances, as documented in the module's upgrade guide.

    * Further changes are yet come in v6 before RDM v14.
    feat: add user creation endpoint

📁 invenio-vocabularies (9.1.1 -> 9.1.2 🐛)

    release: v9.1.2
    Updated file pattern in ROR dump

    * ROR changed the naming of files inside the dump zip
    * changed regexs from _schema_v2.json to -ror-data.json
    fix: ChangedInMarshmallow4Warning

    * 'Field' should not be instantiated. Use 'fields.Raw' or another field
      subclass instead.

🚨 Major version bumps (potentially breaking changes):
📁 certifi (2025.11.12 -> 2026.1.4 ⚠️)
📁 faker (38.2.0 -> 40.1.0 ⚠️)
📁 ua-parser-builtins (0.18.0.post1 -> 202601 ⚠️)
📁 uritools (5.0.0 -> 6.0.1 ⚠️)
📁 zenodo-rdm-app (21.4.5 -> 22.0.0 ⚠️)

Author: slint

pyproject.toml

@@ -1,13 +1,13 @@
 [project]
 name = "zenodo-rdm-app"
-version = "21.4.5"
+version = "22.0.0"
 authors = [
     { name = "CERN" }
 ]
 license = "GPL-3.0"
 requires-python = ">=3.9"
 dependencies = [
-    "invenio-app-rdm[opensearch2]==14.0.0b1.dev10",
+    "invenio-app-rdm[opensearch2]==14.0.0b3.dev4",
     "zenodo-legacy",
     "zenodo-rdm",
     "github3.py>=3.0.0",
@@ -21,7 +21,6 @@ dependencies = [
     "uwsgitop>=0.11",
     "uwsgi-tools>=1.1.1",
     "invenio-records-resources",
-    "invenio-previewer",
 ]
 
 [tool.uv.sources]