installation: bump dependencies and release v22.0.0

[slint]

📁 invenio-accounts (6.2.1 -> 6.2.2 🐛)

📦 release: v6.2.2

📁 invenio-administration (4.3.1 -> 4.3.2 🐛)

📦 release: v4.3.2
webpack: respect `COLLECT_STATIC_ROOT` when copying tinymce
fix: typo in search empty resources message

📁 invenio-app-rdm (14.0.0b1.dev10 -> 14.0.0b3.dev4 🚀)

📦 release: v14.0.0b1.dev10
fix(deposit-ui): add explicit `data-label` for files section

* This is a fix for allowing for the `FormFeedbackSummary` to be able to
  pick-up the correct "Files" label when reporting the error summary.
  Getting the text from the original `label` attribute didn't work
  because it has more than a single element/node, which caused the
  section to show up as `[object Object]` on the error banner.
fix(tombstone): use consistent casing for labels
release: v14.0.0b3.dev4
fix: ensure that pages render if accessed via secret link
UI: change button icon and text

* smaller action buttons
* match record request link to the one in modal
* increase size of community icon
fix: restrict to only community sub/inc reqs

also
* correct URL error which silently redirected correctly
* sort requests so that newest is linked
frontend: add direct link to request if user has access
feat(css): styles for quote replies

* Remove padding from popup to make the button more sleek

* Reduce the default margin/padding on blockquotes to make nested quotes
look neater.

* Change text color within blockquotes to be a muted gray.
fix(requests_ui): Inject lock_request and create_comment permissions
fix: correct types

- url is used in `fetch(url)` and fetch only takes a path
- recordCommunitySearchConfig is a config, so is an object
fix(deposit-ui): better display of expired file modification period
📦 release: v14.0.0b1.dev9
release: v14.0.0b3.dev3
feat(css): request comment deep links

* Add styles to show a request event as being selected when navigated to
via a deep link
details: fix: do not sanitize additional description in template
admin: requests details view improvements

- Replace `Record deletion` by `Deletion request for "Record name"`
- Link showing all requests for a given user
📦 release: v14.0.0b1.dev8
📦 release: v14.0.0b3.dev2
fix: revert mapping.js symlink
UI: add info message about remaining days to publish changes
request: add file mod request template
fix: set files_locked to .locked rather than permission

* currently the permission is whether you can unlock the files
* but the files are only unlocked when you create the draft
* as such as an admin when you edit a published draft, if it was
  created by a user it will look like the files are unlocked but
  this is false

this PR correctly sets files_locked to whether the files are locked
feat: pass file modification eval to deposit form
fix: align selector with semantic-ui
📦 release: v14.0.0b3.dev1
UI: add info message about remaining days to publish changes
request: add file mod request template
fix: set files_locked to .locked rather than permission

* currently the permission is whether you can unlock the files
* but the files are only unlocked when you create the draft
* as such as an admin when you edit a published draft, if it was
  created by a user it will look like the files are unlocked but
  this is false

this PR correctly sets files_locked to whether the files are locked
feat: pass file modification eval to deposit form
fix: align selector with semantic-ui
fix(views): pass API record to evaluate record deletion
details: fix: do not sanitize additional description in template
admin: requests details view improvements

- Replace `Record deletion` by `Deletion request for "Record name"`
- Link showing all requests for a given user
📦 release: v14.0.0b1.dev7
fix(views): pass API record to evaluate record deletion
📦 release: v14.0.0b1.dev6
tombstone: add deletion policy
fix(deletion-request): never disable the existing deletion request link
fix(deletion-request): fetch existing request only for valid users
fix(deletion-request): removal reasons in landing page data attribute
vocab: add deletion_request prefix to removal_reasons vocabulary
ui: added related identifiers to vocabulary
views: remove unused data attributes from recordManagementMobile
requests: ui: only show justification if present
tombstone: add deletion policy
Update release date for version v14.0.0b3.dev0
release: v14.0.0b3.dev0
setup: bump oauthclient major version

* Bumping the major version of invenio-oauthclient to 6.0.0

* This includes which is not necessarily breaking but requires a manual DB migration for very
large instances, as documented in the module's upgrade guide.

* Further changes are yet come in v6 before RDM v14.
fix(deletion-request): never disable the existing deletion request link
fix(deletion-request): fetch existing request only for valid users
fix(deletion-request): removal reasons in landing page data attribute
vocab: add deletion_request prefix to removal_reasons vocabulary
views: remove unused data attributes from recordManagementMobile
requests: ui: only show justification if present
fix(upgrade_scripts): Migrate deleted records as well
📦 release: v14.0.0b2.dev4
refactor(config): Update DataCite serializer for schema v4.5
release: v14.0.0b2.dev3
feat(shareBtn): handle optional required expiration

* the new configuration variable RDM_RECORDS_REQUIRE_SECRET_LINKS_EXPIRATION adds the option to make the expiration date required
* added error messages improve the user experience.
feat(form): rename creators to authors and help text

* rename the Creators field to Authors/Creators
* add help text under Authors and Contributors to
  explain the difference
📦 release: v14.0.0b2.dev2
upgrade_scripts: v14: optimize scan to avoid scroll context overhead
upgrade_scripts: v14: update related_identifers field
📦 release: v14.0.0b2.dev1
deposit-form: updated related works options vocab
📦 release: v14.0.0b2.dev0
installation: bump invenio-rdm-records
upgrade_scripts: v14: Update draft.fork_revision_id to match with record.revision_id
upgrade_scripts: v14: use low-level API for records with draft
upgrade_scripts: Add v13 to v14 migration script
ui: added related identifiers to vocabulary
ui: format numbers in CompactStats

* Adds locale-based formatting for large numbers using the HTML API
`Intl.NumberFormat`

* The locale is taken from `i18next.language`. The view count and the
download count are both formatted.

fix(macros): Fix custom fields vocabularies links on landing page
fix(admin): use configured base template instead of hard-coded value

📁 invenio-assets (4.2.0 -> 4.2.1 🐛)

release: v4.2.1
setup: pin rspack

* rspack >=1.7.0 introduced that 'this' in a closure will compile to an
  undefined value. so code which uses a callback and uses something like
  'this.props' in the function body will stop working.

* the code should work as the javascript specs and tests show that the
  code should be correct so rspack introduced a bug with 1.7.0.

* until now pinning to <1.7.0 is the fasted way to fix it.

📁 invenio-banners (5.2.0 -> 5.2.1 🐛)

📦 release: v5.2.1
fix: partially initialized module

* since strtobool has been added to utils it created a partially
  initialized module problem. this is solved with this commit
compatibility(312): distutils removed

* distuils has been removed with python3.12. strtobool is the only
  function with a relatively clear specification. therefore
  reimplemented

📁 invenio-base (2.3.2 -> 2.4.0 🌈)

:package: release: v2.4.0
feat: add support for anchor in invenio_url_for

📁 invenio-collections (2.0.0 -> 2.1.0 🌈)

📦 release: v2.1.0
installation: bump invenio-rdm-records

📁 invenio-communities (21.1.1 -> 21.2.0 🌈)

release: v21.2.0
fix(tests): add lock/unlock links and remove reviewers field when disabled
fix: add timeline_focused to tests
feat: add link to submission request from communities modal
UI: change community display for request link

📁 invenio-drafts-resources (7.3.0 -> 7.3.1 🐛)

📦 release: v7.3.1

📁 invenio-github (3.0.2 -> 4.0.0 ⚠️)

📦 release: v3.0.2
api: optimize sync process with batch task execution

* prevent GitHub page timeout with 504 after sync
* optimize sync process with batch task execution
* add tests for sync() and sync_repo_hooks() methods

release: v4.0.0
setup: bump oauthclient major version

* Bumping the major version of invenio-oauthclient to 6.0.0

* This includes which is not necessarily breaking but requires a manual DB migration for very
large instances, as documented in the module's upgrade guide.

* Further changes are yet come in v6 before RDM v14.
api: optimize sync process with batch task execution

* prevent GitHub page timeout with 504 after sync
* optimize sync process with batch task execution
* add tests for sync() and sync_repo_hooks() methods

📁 invenio-notifications (1.2.2 -> 1.2.3 🐛)

📦 release: v1.2.3

📁 invenio-oaiserver (3.7.3 -> 3.7.4 🐛)

📦 release: v3.7.4

📁 invenio-oauth2server (3.3.1 -> 3.3.2 🐛)

📦 release: v3.3.2

📁 invenio-oauthclient (5.3.1 -> 6.1.1 ⚠️)

📦 release: v6.1.1
fix(refresh): allow non-compliant access token response type

* GitHub and a small number of other implementations violate the RFC
6749 5.1 by returning a default response type of
`application/x-www-form-urlencoded` for the access token request,
despite `application/json` being mandatory. During the response parsing
in flask-oauthlib we therefore cannot identify the correct datatypes of
the response params, as they're all string.

* With the normal JSON type we can easily identify `expires_in` as an
int. To continue this behaviour, I added a simple check to convert a
string `expires_in` to an int. Without this, an error would be thrown
during authentication with these implementations.
release: v6.1.0
feat(oauth2): support for refresh tokens

* Added support for refresh tokens (RFC 6749 Section 6)

* Created two new columns in the oauthclient_remotetoken to store the
encrypted refresh token and the expiration date of the latest stored
access token.

* Extended the authorized handler to store the refresh token and
expiration date when received from the server.

* Added methods to the RemoteToken to check whether the token is
expired, and to refresh the token.

* Added unit tests to cover new functionality.

feat: link-only remotes

* Added support for remote apps that can be set to "link only": i.e.
they can be connected to existing Invenio accounts but cannot be used to
create new accounts or log in to existing ones. As such, they are only
usable for third-party integrations rather than as identity providers.

* The `link_only` option is a key on the remote app config dictionary.
It does not affect remote accounts stored in the DB in any way, and can
be enabled or disabled at any time. By default it is false, so current
functionality is unaffected and these changes are fully
backward-compatible. When enabled, the remote is hidden on the login
page and signing in with it is prohibited on the backend with a
user-facing flash error message.

* If local accounts are disabled, users can disconnect all link-only
accounts freely but cannot disconnect the last non-link-only account.
release: v6.0.0
perf(models): change `extra_data` to `JSONB`

* `JSONB` is a newer and more efficient format for storing JSON in
PostgreSQL. Compared to `JSON`, it offers significantly faster querying
and indexing support (but is very slightly slower to input). The JSON is
decomposed into a binary format rather than being stored in plaintext.

* From a high-level perspective, the access of the data is unchanged in
Python so this is not a breaking change. However, the new column type
supports more querying operations which could be used in the future.

* Migrating the column type is quite easy for small tables but can cause
performance and stability issues for larger ones. Therefore, a default
Alembic migration has been included for the vast majority of use cases,
as well as a step-by-step alternative guide for larger instances.
Instances with more than ~50k rows in `oauthclient_remoteaccount` are
advised not to use the Alembic migration and to instead follow the
upgrade guide.

📁 invenio-rdm-records (21.4.1 -> 22.7.0 ⚠️)

📦 release: v21.4.1
fix(deposit-ui): support `data-label` for specifying section label
release: v22.7.0
fix(access_requests_ui): Fix permissions for commenting with guest token
fix(permissions): Fix can_create_comment to use parent attibute
release: v22.6.0
fix(requests): don't hard-code /me for record review request
refactor(requests): move _update_link_config to new BaseRequest

* The /me/requests/... route works for all requests in InvenioRDM and is
a sensible choice for the `self_html` link of the `Request` and
`RequestEvent` records. The `_update_link_config` method can be used to
set additional variables such as the `ui` prefix.

* Set the `ReviewRequest` class to inherit from a new `BaseRequest`
class that sets `/me/requests/...` as the prefix. Also set the
`RecordDeletion` class to inherit directly from `BaseRequest`.
📦 release: v21.4.0
feat: enable admins to edit files by default

* enable feature by default
* add admin policy and replace grace period policy
* change UI so that you can only see the accordion if you are allowed to
  modify the files
* change default time period to 30+15
fix: save draft before reloading page after unlocking bucket
fix: check if feat enabled correctly
UI: add info about remaining days to publish changes
fix: hide file modification if feature disabled
components: files: check bucket unlocked outside modification period
fix: add out of policy message
backend: add file mod request and API
feat: add file editing policy and evaluator
feat: add edit files modal
feat: add edit files accordion
📦 release: v22.5.0
feat: enable admins to edit files by default

* enable feature by default
* add admin policy and replace grace period policy
* change UI so that you can only see the accordion if you are allowed to
  modify the files
* change default time period to 30+15
fix: save draft before reloading page after unlocking bucket
fix: check if feat enabled correctly
UI: add info about remaining days to publish changes
fix: hide file modification if feature disabled
components: files: check bucket unlocked outside modification period
fix: add out of policy message
backend: add file mod request and API
feat: add file editing policy and evaluator
feat: add edit files modal
feat: add edit files accordion
📦 release: v21.3.2
record_deletion: fix tests
tombstone: remove removal note when with policy

Since we show policy description, this no longer required.
feat(record-deletion): show deletion policy on tombstone
serializer: ui: fix removed by to show owner/admin/system
📦 release: v21.3.1
fix(config): reuse community records search params config

* Search params configured by `RDM_SEARCH_ARGS_SCHEMA` were
  not used in the `/api/communities/{id}/records` endpoint.
Update release date for version v22.4.0
release: v22.4.0
setup: bump invenio-github major version

* Bumping the major version of invenio-github to 4.0.0

* This includes a performance improvement to the syncing system, as well
as a new major version of `invenio-oauthclient`. However, there are no
actual breaking changes.

* The new major version is due to new DB migrations in
`invenio-oauthclient`, since `invenio-github` has not had a major bump
since InvenioRDM v13.
record_deletion: fix tests
tombstone: remove removal note when with policy

Since we show policy description, this no longer required.
feat(record-deletion): show deletion policy on tombstone
serializer: ui: fix removed by to show owner/admin/system
fix: showing all available suggestions in lang picker
fix: use proper diacritics since Invenio supports UTF-8
feat: added missing 'translator' role

DataCite 4.6 supports 'Translator' as contributor type https://datacite-metadata-schema.readthedocs.io/en/4.6/properties/contributor/#a-contributortype which was not supported by InvenioRDM
📦 release: v22.3.0
feat(serializers.datacite): Add DataCite schema version 4.5 support
* Add DataCite45JSONSerializer, use new serializer and schema for OAI and DCAT exports
* The main DOI is moved from the identifiers list to it's own key "doi", and the alternate identifier DOIs are now added to the export for v4.5
* Add tests fore the newly added DataCite JSON schema 4.5
fix(services): Make 'notes' parameter optional in _update_quota
release: v22.2.0
feat: Make it configurable whether an expiration date must be set on a share access link or not.
community-records: Adds service component calls to RecordCommunitiesService

* Adds service component calls in the add, remove, set_default, and
  bulk_add methods. The component calls expect component method
  names matching the applicable permissions. The `remove` component call
  is actually made in the `_remove` method so that it can follow
  the permission check there for each individual community.

* The placement of the component calls in each method is intended to allow
  maximum flixibility in modifying the service call's input data before
  performing the action on the records.

* Adds a `components` property in the service config that reads components
  from the RDM_RECORD_COMMUNITIES_SERVICE_COMPONENTS variable if present
  (defaults to [])

* Note that in bulk_add I've wrapped the set_default argument value in a
  dictionary (making it mutable) so that it can be updated inside the
  components.

* Updates from original commit:
    - Added errors to arguments passed into RecordCommunitiesService
      components for remove method
    - using run_components method and set_app_config_fn_scoped test fixture
    - minor shift in position of set_default value setting
release: v22.1.0
feat(form): add help text to creatibutors btn
release: v22.0.1
fix(contrib): change meeting id schemes validator
fix: duplicate uploads from resetting progress

* Fix duplicate uploads from resetting progress.
* Guard duplicate selections by comparing normalized names before upload.
* Reuse existing upload state so failed files stay retryable without
  side effects.
📦 release: v22.0.0
serializers: bibtex: update resourcetype to publication-dissertation
feat(resource_types)!: Remove publication-thesis

BREAKING CHANGE: resource_type with id publication-dissertation will now be used instead as it is correctly mapped to the "Dissertation" type in DataCite

📁 invenio-records-resources (8.6.0 -> 8.7.1 🌈)

📦 release: v8.7.1
release: v8.7.0
feat(records): return page number in RecordList

* Added the current page number as part of the serialized RecordList
result type. This is needed for cases where the page number included in
the request differs from the actual page the view handler decided to
return.
* Specifically right now we need this for where
the JS client requests a page that includes a given record (rather than
a specific numbered page), and then needs to know which page was
actually returned so it can update the local state.
📦 release: v8.6.2
release: v8.6.1
fix(service): track errors on commit for create_update_many
fix(multipart): recompute full file checksum if no parts are set

* in our tests (with local file storage), multipart-uploaded files did
  not have a checksum set at all (it was set to `None`), which caused
  the task `recompute_multipart_checksum_task()` to fail

📁 invenio-records-ui (2.1.1 -> 2.1.2 🐛)

📦 release: v2.1.2

📁 invenio-requests (10.3.1 -> 10.5.0 🌈)

release: v10.5.0
config: Add feature flag for locking and tests
fix: remove record link for draft inclusion

In 4ef6118f9986ba337a1d67ba7f5f7b482f6ebf96 we started showing this link
for all record requests. Draft inclusion requests have a record as a
topic, but there is no associated public record. As such we manually
filter this out.
services: Add translations for lock methods
customizations: Add reviewers to scheme dynamically
services: Better permissions and error handling
services: permissions: Pass request to event result item
fix(permissions): Lock request for all by default
feat(requests): Add conversation locking functionality
assets: invenio_requests: Make lock component overridable
assets: invenio_requests: Make lock button unclickable until page reloaded
assets: invenio_requests: Add help text with lock/unlock button
assets: invenio_requests: Disable text editor on lock
feat(requests): Add UI support for locking requests
feat(events): quote comments in replies

* Added a button in the comment action dropdown to qute that comment's
contents in the new comment. When clicked, it appends the comment's
contents to the RichEditor (inside a blockquote).

* Added a tooltip that renders above any text highlighted within
comments and is dynamically positioned to be in the midpoint of the
selection. The tooltip contains a "Quote" button and a "Copy" button.
When "Quote" is clicked, it performs the same action as above, but just
for the selected portion of text.

* Formatting is only kept in the quote for the first method, due to the
complexities of propagating HTML formatting for partial selections.

* The blockquote currently has no real pointer to the quoted comment,
and is freely editable by the user.
release: v10.4.0
feat(events): deep links

* Added a "Copy link" button to events/comments in the UI, which copies
the current URL with a hash containing the event ID.

* When TimelineFeed is mounted, it sees if there's a relevant hash in
the URL, and requests the server to return the page that contains that
event (instead of just requesting the first page).

* Added an argument to the request event `search` route to return the
page containing a given event instead of a specific numbered page. The
actual page number chosen is returned by the server.
This is calculated by counting the number of records older than the
specified one and dividing by the page size.
📦 release: v10.3.1
📦 release: v10.3.0
📦 release: v10.3.1
📦 release: v10.3.0
feat(editor): auto-save drafts

* Added localStorage hooks to the state actions to save and restore the
draft comment

* When the comment is submitted successfully, we delete the local draft.
We don't delete if there is an error while saving.

📁 invenio-search-ui (4.1.3 -> 4.1.5 🐛)

📦 release: v4.1.5
release: v4.1.4
fix: fixed searchbar crashing
*In case buildUID prop is not passed the
component can crash entire search app

📁 invenio-theme (4.4.3 -> 4.5.0 🌈)

release: v4.5.0
css: reduce margin on blockquotes site-wide

* Blockquotes currently have a large amount of margin, and this looks
especially weird when nesting them.

* They look more normal if they have a bit less margin and none at all
when they are nested. Also, making their text muted-coloured makes it
feel more natural too

📁 invenio-users-resources (9.0.2 -> 9.0.3 🐛)

release: v9.0.3
setup: bump oauthclient major version

* Bumping the major version of invenio-oauthclient to 6.0.0

* This includes
which is
not necessarily breaking but requires a manual DB migration for very
large instances, as documented in the module's upgrade guide.

* Further changes are yet come in v6 before RDM v14.
feat: add user creation endpoint

📁 invenio-vocabularies (9.1.1 -> 9.1.2 🐛)

release: v9.1.2
Updated file pattern in ROR dump

* ROR changed the naming of files inside the dump zip
* changed regexs from _schema_v2.json to -ror-data.json
fix: ChangedInMarshmallow4Warning

* 'Field' should not be instantiated. Use 'fields.Raw' or another field
  subclass instead.

🚨 Major version bumps (potentially breaking changes):
📁 certifi (2025.11.12 -> 2026.1.4 ⚠️)
📁 faker (38.2.0 -> 40.1.0 ⚠️)
📁 ua-parser-builtins (0.18.0.post1 -> 202601 ⚠️)
📁 uritools (5.0.0 -> 6.0.1 ⚠️)
📁 zenodo-rdm-app (21.4.5 -> 22.0.0 ⚠️)