946 Commits

Author SHA1 Message Date
Zachariah K. Sharma 8b3656a846 Add Vynte scheduler app shell 2026-06-14 11:53:18 -06:00
Bandhan Majumder 717fed8f86 fix(vitest): update to patched version (#29496)
* fix(vitest): update to patched version

* fix(vitest): coverage-v8 and ui dep update to patched version
2026-06-02 17:57:17 +05:30
Pankaj e64de009ec fix(docs): resolve documentation search in documentation header (#29245)
* fix(docs): resolve documentation search in documentation header

* fix: move pagefind from devDependencies to dependencies

* fix(docs): inline pagefind in build script for reliable CI execution

Merge postbuild script into build command to ensure pagefind runs
in all CI environments (Vercel, Turbo, yarn workspace).

---------

Co-authored-by: Romit <romitgabani1.work@gmail.com>
2026-05-03 09:15:08 +00:00
Sahitya Chandra 4313bd2dc5 fix(security): upgrade protobufjs to 7.5.5 to fix critical CVE (#28941)
Pins protobufjs to 7.5.5 via resolutions to patch GHSA-xq3m-2v4x-88gg
(arbitrary code execution, <7.5.5). The vulnerable 7.4.0 was pulled in
transitively through @opentelemetry/otlp-transformer, causing the
Security Audit CI job to fail on all PRs.
2026-04-20 21:52:52 +05:30
Pedro Castro 363c9d6331 chore: upgrade follow-redirects to 1.16.0 (#28894)
Co-authored-by: Keith Williams <keithwillcode@gmail.com>
2026-04-15 11:24:06 -03:00
Benny Joo 43ed117fe2 fix yarnlock (#28907) 2026-04-15 13:49:28 +00:00
Pedro Castro a17f28e9ab chore: bump lodash and markdown-it, dedupe minimatch (#28893)
* chore(deps): bump lodash and markdown-it, dedupe minimatch

* chore(deps): bump lodash and lodash-es to 4.18.1
2026-04-14 18:12:16 -03:00
Pedro Castro fa77692886 chore: bump dependency resolutions (#28889)
* chore(deps): bump dependency resolutions

* chore(deps): dedupe minimatch in yarn.lock

---------

Co-authored-by: Benny Joo <sldisek783@gmail.com>
2026-04-14 19:43:37 +00:00
Benny Joo c28d647a0d docs: improve self-hosting contents (#28888) 2026-04-15 01:18:24 +09:00
Sahitya Chandra 2911168e4e fix(security): upgrade axios to 1.15.0 to fix critical CVEs (#28850)
Upgrades axios from 1.13.5 to 1.15.0 in apps/api/v2 and the root
resolutions field to resolve two critical vulnerabilities:

- GHSA-3p68-rc4w-qgx5: NO_PROXY hostname normalization bypass leading to SSRF
- GHSA-fvcv-3m26-pcqx: Unrestricted cloud metadata exfiltration via header injection

Both CVEs are fixed in axios >=1.15.0.
2026-04-12 15:15:42 -03:00
BEK Service GmbH 78ddc1b2ae feat: add Famulor app integration to app store (#25857)
* Add Famulor app integration to app store

Introduces the Famulor app as a new automation integration in the app store, including configuration, API handler, assets, and documentation. Updates redirectApps utility to include 'famulor' for redirection support.

* fixed - famulor

* Update packages/app-store/famulor/api/add.ts

Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* Update packages/app-store/famulor/config.json

Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* yarn app-store:build

---------

Co-authored-by: Sahitya Chandra <sahityajb@gmail.com>
Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Dhairyashil Shinde <93669429+dhairyashiil@users.noreply.github.com>
2026-03-31 06:54:09 -03:00
Romit 0936fdafaf fix: upgrade handlebars to 4.7.9 to resolve critical vulnerability (#28625)
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-03-28 17:01:18 +09:00
Henry Kwon 7c8f17ccc7 feat: Lyra App (#27370)
* feat: lyra conference app

* fix: lyra -> lyra meeting

* api url in env example

* feat: lyra oauth

* remove setup page

* fix: revision on feb 25 review

* production api url

* fix: final suggestions implementation

* yarn.lock revert
2026-03-12 07:10:22 +00:00
Alex van Andel 1b21ead011 fix: admin wizard crash and prisma enum generator path resolution (#28244)
* fix: admin wizard crash and prisma enum generator path resolution

1. Fix TypeError in WizardForm when license step is skipped:
   - defaultStep was set to 3 (APPS) but only 2 steps existed when
     hasValidLicense=true, causing steps[2] to be undefined
   - Removed redundant double onNext() call in AdminUser onSuccess
   - Extracted hasLicenseStep variable for clarity

2. Fix prisma enum generator not being directory-safe:
   - Created run-enum-generator.js wrapper resolved by Prisma relative
     to schema directory, so npx prisma commands work from any directory

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* fix: use bin entry for prisma enum generator path resolution

Changed provider from './run-enum-generator.js' (which Prisma doesn't
resolve relative to schema dir) to 'prisma-enum-generator' bin registered
in package.json. This ensures the generator is found via PATH regardless
of CWD.

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* chore: Also add new bin to the lockfile

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-03-03 07:37:22 -03:00
devin-ai-integration[bot] 5b88eefed4 fix: bump libphonenumber-js from 1.11.18 to 1.12.38 for updated phone metadata (#28204)
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: susan <susan@cal.com>
Co-authored-by: Eunjae Lee <hey@eunjae.dev>
2026-03-03 11:01:26 +01:00
Romit ec7f8dd58e fix: resolve fast-xml-parser security audit failure (#28227) 2026-03-02 06:56:59 -03:00
Benny Joo 648ad72a54 refactor: extract dedicated @calcom/i18n package (#28141) 2026-02-23 13:30:12 +00:00
Romit f1ae5f727a fix: update fast-xml-parser and ignore audit 1113407 (#28117) 2026-02-21 12:22:57 +00:00
Pedro Castro f07bed1a2a chore(deps): bump axios to 1.13.5 (#27864)
* chore: bump axios to 1.13.5

* chore: bump axios in apps/api/v2

* chore: dedupe follow-redirects to 1.15.11
2026-02-13 22:08:49 +09:00
Pedro Castro 0d55939d13 chore(deps): resolve fast-xml-parser to 5.3.4 for @lingo.dev/_compiler (#27887) 2026-02-12 01:26:59 +00:00
Pedro Castro 83c42cfb2b chore: resolve @modelcontextprotocol/sdk to 1.26.0 (#27640) 2026-02-10 22:28:21 +09:00
emrysal b1b73f7fcc chore: release v6.1.13 2026-02-09 11:56:07 +00:00
Pedro Castro cb36fc201f fix: add URL validation to webhook endpoints (#26593)
Validates webhook URLs on create and update:
- HTTPS required (HTTP allowed for self-hosted and E2E)
- Blocks private IP ranges and localhost
- Blocks cloud metadata endpoints

Existing webhooks are preserved: validation only applies when URL is created or changed.

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-02-05 16:18:10 -03:00
Eunjae Lee 2364cff54d feat: custom feedback dialog for feature opt-in (#27578)
* feat: add delayed formbricks tracking for feature opt-in

Adds delayed Formbricks survey tracking for feature opt-in. When a user
opts into a feature, this allows triggering a Formbricks action after a
configurable delay (e.g., 24 hours later) to collect feedback once
they've had time to use the feature.

Key changes:
- Added `formbricks` config option to `OptInFeatureConfig` interface
  with `actionName` and `delayMs` properties
- Created `useFormbricksOptInTracking` hook that handles the delayed
  tracking logic
- Added `isFeatureTracked` / `setFeatureTracked` storage helpers to
  prevent duplicate tracking
- Integrated the tracking hook into `useFeatureOptInBanner`

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* upgrade formbricks

* feat: replace formbricks popup with custom feedback dialog

Instead of using Formbricks' built-in popup, we now show a custom
Cal.com-styled feedback dialog that submits responses directly to
Formbricks API via tRPC mutation.

- Add FeedbackDialog component with emoji rating selector
- Add feedback tRPC router for server-side Formbricks submission
- Update useFormbricksOptInTracking to return dialog state
- Add survey config fields (surveyId, questions) to config

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: position feedback dialog at bottom-right corner

- Use base-ui Dialog primitives for custom positioning
- Position dialog at bottom-right to avoid Intercom overlap
- Use z-index 10000 (below Intercom's high z-index)
- Keep blocking backdrop for modal behavior
- Use i18n keys for title/description
- Add survey IDs for bookings-v3 feedback

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: add i18n keys for feedback dialog title/description

Allow each feature to specify custom i18n keys for the feedback dialog
title and description via the formbricks config.

- Add titleKey/descriptionKey to formbricks config interface
- Pass i18n keys through feedbackDialogProps
- Add bookings_v3_feedback_title/description translation keys

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: move FeedbackDialog into FeatureOptInBannerWrapper

Better encapsulation - consumers of the feature opt-in banner
no longer need to handle the feedback dialog separately.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: add 5 second delay before showing feedback dialog

Ensures the page has time to finish loading before showing
the feedback dialog, avoiding showing it while skeletons
are still visible.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: simplify feedback dialog UI

- Remove redundant question labels
- Add "(optional)" to comment placeholder

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: remove emoji button borders and add footer gap

- Remove borders from rating emoji buttons
- Add proper gap between textarea and footer (pb-4)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: delayMs is opt-in waiting period, not setTimeout delay

delayMs represents the minimum time that must pass since opt-in
before showing the feedback form (e.g., 3 days). If not enough
time has passed, we skip showing the form entirely instead of
setting a long setTimeout.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: custom feedback dialog for feature opt-in

- Replace Formbricks popup with Cal.com-styled dialog
- Add configurable delay (waitAfterDays) before showing feedback
- Position dialog at bottom-right, non-blocking
- Add localStorage tracking to prevent duplicate feedback
- Add device targeting (showOn: desktop/mobile/all)
- Create tRPC endpoint for Formbricks API submission
- Use proper logger for error handling

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: rename tracking terminology to feedback

- Rename useFormbricksOptInTracking → useOptInFeedback
- Rename FormbricksOptInTrackingResult → OptInFeedbackState
- Rename formbricksTracking property → feedback
- Rename FormbricksTrackingState → FeedbackState

We no longer "track" events to Formbricks. Instead, we show
our custom feedback dialog when conditions are met.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: set waitAfterDays to 3 for production feedback delay

Co-Authored-By: unknown <>

* fix: update formbricks JS SDK usage for v3.0.0

The @formbricks/js SDK v3.0.0 changed its API:
- setup() no longer accepts debug, userId, or attributes
- Use setUserId() and setAttributes() after setup instead
- track() now expects { hiddenFields: ... } or undefined

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-02-05 11:01:14 +00:00
Pedro Castro b21719b995 chore(deps): resolve @isaacs/brace-expansion to 5.0.1 (#27596)
* chore(deps): resolve @isaacs/brace-expansion to 5.0.1

* fix: pin brace-expansion version
2026-02-03 21:00:30 +00:00
Pedro Castro 629346060e chore(deps): bump tar resolution to 7.5.7 (#27538) 2026-02-03 10:53:17 -03:00
Volnei Munhoz 61dd7eb64c chore: Upgrade Next & React (#27332)
* upgrade next and react versions

* upgrade next and react versions

* upgrade next and react versions
2026-01-28 10:47:04 -03:00
Pedro Castro 2542e1e5c4 chore: pin tar to 7.5.4 (#27161) 2026-01-22 16:01:03 -03:00
Pedro Castro a0ff6b15f8 chore: update lodash to 4.17.23 (#27157)
Fixes prototype pollution in _.unset and _.omit
2026-01-22 17:58:26 +00:00
Eunjae Lee adc198b37b feat: add feature opt-in banner system (#26625)
* docs: add feature opt-in banner system plan

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* docs: iterate on feature opt-in banner plan based on feedback

- Use config.ts for feature metadata instead of TRPC response
- Consolidate localStorage dismissal into single key to avoid bloat
- Replace separate success dialog with in-dialog success state for smoother UX

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* feat: implement feature opt-in banner system

- Add checkFeatureOptInEligibility TRPC procedure to check if user can opt-in
- Create useFeatureOptInBanner hook with localStorage dismissal state
- Create FeatureOptInBanner floating component for bottom-right display
- Create FeatureOptInConfirmDialog with role-based options and success state
- Integrate banner into bookings-view.tsx as example usage

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* feat: add i18n translation keys for feature opt-in banner

* refactor: create FeatureOptInBannerWrapper for simpler consumer integration

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: use @calcom/lib/webstorage and add Zod schema for localStorage

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: address PR review comments - use PBAC, move logic to service, improve typing

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

# Conflicts:
#	packages/features/feature-opt-in/services/FeatureOptInService.ts

* test: add comprehensive tests for checkFeatureOptInEligibility method

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: correct import and Checkbox type errors

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* update message

* invalidate after dialog dismiss

* feat: simulate user opt-in to determine banner eligibility

When a feature has a strict policy and org/team hasn't explicitly
enabled it, user opt-in alone won't enable the feature. This change
simulates what would happen if the user opts in and only shows the
banner if opting in would actually enable the feature.

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: add early return for missing featureConfig and clarify simulation comment

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix repository usage

* refactor: simplify FeatureOptInConfirmDialog UI and remove unused translation

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: replace radio buttons with multi-select dropdown in FeatureOptInConfirmDialog

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* resize banner

* refactor: use AnimatedPopover pattern for team selection and rename titleI18nKey to nameI18nKey

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: change 'Just for me' to 'For me', fix width clipping, remove divider

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* update style

* feat: make 'Just for me' mutually exclusive with teams/org and store opt-ins in localStorage

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: remove barrel imports and update to direct imports

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: add modal prop to AnimatedPopover to fix scroll lock conflict in dialogs

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: wrap Popover.Content with Portal to prevent layout interference in dialogs

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: use flexbox gap instead of space-y to prevent popover wrapper from affecting layout

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* Revert "fix: use flexbox gap instead of space-y to prevent popover wrapper from affecting layout"

This reverts commit 8385adafa890c2f2674aa3ae3b10ca6e0c55ba5c.

* Revert "fix: wrap Popover.Content with Portal to prevent layout interference in dialogs"

This reverts commit e84301a35a99b3559d47c2d37316af290834ca2d.

* Revert "fix: add modal prop to AnimatedPopover to fix scroll lock conflict in dialogs"

This reverts commit b015af2f1cf31ef7087c02cb8535d96cc4a34125.

* feat: replace Radix Dialog and AnimatedPopover with coss-ui components

This migration uses @coss/ui Dialog and Popover components which are built on
Base UI instead of Radix. Base UI handles scroll locking and positioning
differently, which should fix the gap issue when opening the popover inside
the dialog.

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: replace remaining @calcom/ui components with coss-ui

- Replace Divider with Separator from @coss/ui
- Replace Label with Label from @coss/ui
- Replace CheckboxField with Checkbox + Label from @coss/ui
- Replace Icon with direct lucide-react icons (UserIcon, BuildingIcon, UsersIcon, CheckIcon)
- Replace showToast with toastManager.add() from @coss/ui

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: replace Popover with Menu component from coss-ui

- Replace Popover + FilterCheckboxField with Menu + MenuCheckboxItem
- MenuCheckboxItem provides built-in checkbox indicator and styling
- MenuSeparator provides proper menu separators
- Cleaner API with onCheckedChange callback
- Better keyboard navigation support

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: align icon and text on same line in MenuCheckboxItem, widen dialog

- Wrap icon and text in flex container with items-center gap-2
- Change dialog width from sm:max-w-md to sm:max-w-lg to prevent text wrapping

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* use dimmed bg for coss dialog title

* refactor: change nameI18nKey/descriptionI18nKey to nested i18n object

- Change OptInFeatureConfig interface to use i18n: { name, description }
- Update all component usages to use featureConfig.i18n.name and featureConfig.i18n.description
- Update test mocks to use new structure

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* feat: add i18n.title to OptInFeatureConfig type definition

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* update texts

* use title instead of name

* update banner style

* refactor: split FeatureOptInConfirmDialog into separate success and confirmation dialogs

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: don't record dismissed info in local storage after successful opt-in

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: add checkFeatureOptInEligibility to IFeatureOptInService interface

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* update common.json

* refactor: move tRPC usage from features package to apps/web/modules

Addresses Cubic AI review feedback (confidence 9/10):
- Remove @calcom/trpc import from FeatureOptInConfirmDialog.tsx
- Add FeatureOptInMutations type for passing mutation functions via props
- Move tRPC hooks to useFeatureOptInBanner hook in apps/web/modules
- Pass mutations through FeatureOptInBannerWrapper to dialog component

This maintains the architectural constraint that packages/features
should not import from @calcom/trpc to prevent circular dependencies.

Co-Authored-By: unknown <>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-19 18:48:26 +00:00
Morgan 62216f2db6 feat: add CalendarsTasker with sync and trigger.dev versions (#26854)
* feat: add CalendarsTasker with sync and trigger.dev versions

This PR implements a CalendarsTasker following the same pattern as
PlatformOrganizationBillingTasker to replace the logic in
apps/api/v2/src/ee/calendars/processors/calendars.processor.ts

New files created:
- CalendarsTasker main orchestrator extending Tasker base class
- CalendarsSyncTasker for sync execution
- CalendarsTriggerTasker for async execution via trigger.dev
- CalendarsTaskService with business logic for ensuring default calendars
- trigger.dev task with queue config and retry settings
- DI modules using @evyweb/ioctopus
- NestJS DI modules for API v2

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: import and deasync

* style: format trigger.config.ts dirs array

Co-Authored-By: unknown <>

* refactor: move prisma query to UserRepository and set onboarding to true

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* refactor: remove credential.key from UserRepository method

Co-Authored-By: morgan@cal.com <morgan@cal.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-19 16:20:05 +02:00
Alex van Andel 9690a0111d fix: Outdated lockfile 2026-01-19 13:53:58 +00:00
Morgan 1d5382bed4 chore: trigger.dev cli version for ci (#26834) 2026-01-14 14:32:14 +00:00
Volnei Munhoz cfbcd0f95b chore: upgrade sentry and start using metrics for Calendar Cache (#26827)
* upgrade sentry and start using metrics

* format changes

* format changes

* format changes

* type error

* type error

* format changes

* format changes

* fix: add updateSyncStatus call on API error and mock Sentry metrics in tests

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-14 12:29:09 +00:00
Morgan 9ad8aa981a chore: deploy api v2 on vercel (#26735)
* chore: deploy api v2 on vercel

* fix: replace console.log with logger.log in Vercel handler

Address Cubic AI review feedback to use the logging framework
consistently instead of console.log in the serverless handler.

Co-Authored-By: unknown <>

* chore: enable esModuleInterop

* chore: deploy api v2 on vercel

* chore: deploy api v2 on vercel

* Update apps/api/v2/src/bootstrap.ts

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* fixup! Merge branch 'main' into deploy-api-v2-vercel

* Revert "chore: deploy api v2 on vercel"

This reverts commit 45c704a48e8396c46118069e1a25d8d7a5ee84be.

* chore: deploy api v2 on vercel

* fix: address Cubic AI review feedback in main.ts

- Replace console.log with logger.log for consistent logging
- Replace console.error with logger.error for consistent error logging
- Restore comma: true option in qs.parse to support comma-separated arrays

Co-Authored-By: unknown <>

* fix: remove comma: true from qs.parse to maintain backward compatibility

The main branch does not have comma: true in the query parser, so adding
it would be a breaking change for existing API consumers. Removing it to
maintain consistency with the current production behavior.

Co-Authored-By: unknown <>

* chore: deploy api v2 on vercel

* small fixes

* chore: add try catch around bootstrap.ts

* fix: use NestJS Logger and throw error instead of process.exit in bootstrap

- Replace console.error with logger.error for consistent logging
- Replace process.exit(1) with throw error to avoid breaking Vercel serverless instance reuse

Addresses Cubic AI review feedback (confidence 10/10 for both issues)

Co-Authored-By: unknown <>

* chore: try log redis url

* fix: sanitize REDIS_URL logging to avoid exposing credentials

Replace full REDIS_URL logging with a boolean check that only indicates
whether Redis is configured, without exposing the connection string.

Addresses Cubic AI review feedback (confidence 9/10)

Co-Authored-By: unknown <>

* chore: remove unnecessary logs

* fix: prisma adapter

* chore: handle USE_POOL platform libraries

* fix: use JSON.stringify for Vite define value

Wrap usePool with JSON.stringify() to properly serialize the string value.
Without this, Vite injects the raw value as an identifier instead of a
string literal, breaking runtime behavior.

Addresses Cubic AI review feedback (confidence 9/10)

Co-Authored-By: unknown <>

* fix: docker file builds

* fix: correct Dockerfile build order for platform packages

Reorder builds to match the dependency graph from dev:build script:
constants → enums → utils → types → libraries → trpc → api-v2

platform-libraries depends on the other platform packages, so they
must be built first.

Addresses Cubic AI review feedback (confidence 9/10)

Co-Authored-By: unknown <>

* fix: docker file builds

* chore: add docker build

* chore: upgrade nest/bull

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
2026-01-13 11:31:21 -03:00
Bailey Pumfleet 5f21f54bae feat: Add compliance page to settings (#26777)
* Add compliance page to settings

* fix: sanitize error logging in B2 download route

Avoid logging raw error objects which may expose sensitive B2 credentials
or internal information. Use sanitized error message instead.

Co-Authored-By: unknown <>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-12 21:50:09 -03:00
Pedro Castro 3a6ca9ef15 chore: update dependencies (#26710)
* chore: update dependencies

- @modelcontextprotocol/sdk: 1.24.0 → 1.25.2 via resolution
- jose: 4.13.1 → 4.15.9
- serialize-javascript: 6.0.1 → 6.0.2 via resolution

* fix: update jose and webpack versions

* chore: bump transitive dependencies

- webpack 5.94.0
- express 5.2.1
- @adobe/css-tools 4.3.2
- jsondiffpatch 0.7.2

* chore: add min-document resolution

* fix: remove jose from resolutions

Incompatible with openid-client@6.x which requires jose 5.x/6.x exports.
jose is updated directly in apps/web and packages/features/auth

* fix: replace express with body-parser, remove webpack

- body-parser: 2.2.1 (CVE-2025-13466)
- Removed webpack 5.94.0 (causes TS2729)
- Removed express 5.2.1 (causes path-to-regexp errors)

* fix: remove body-parser resolution for Express 4.x compatibility

body-parser 2.x is designed for Express 5.x but NestJS uses Express 4.x,
causing API v2 E2E tests to fail
2026-01-12 21:48:55 -03:00
Volnei Munhoz a5387bbffe update yarn lock (#26596) 2026-01-08 18:59:03 +00:00
Benny Joo f5d345b133 refactor: remove @calcom/web imports from @calcom/features and add @calcom/testing package (#26480)
* fix: remove @calcom/web imports from packages/features to eliminate circular dependency

- Migrate UserTableUser and MemberPermissions types to packages/features/users/types/user-table.ts
- Migrate useGeo hook to packages/features/geo/GeoContext.tsx
- Migrate buildLegacyRequest to packages/lib/buildLegacyCtx.ts
- Migrate Calendar component to packages/features/calendars/weeklyview/components/
- Move test utilities (bookingScenario, fixtures) to packages/features/test/
- Update all imports in packages/features to use new locations
- Add re-exports in apps/web for backward compatibility

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: delete original implementation files and fix type issues

- Delete original calendar component files in apps/web (keep only re-export stubs)
- Migrate OutOfOfficeInSlots to packages/features/bookings/components
- Convert apps/web OutOfOfficeInSlots to re-export stub
- Fix className vs class issue in Calendar.tsx
- Fix @calcom/trpc import violation in user-table.ts by using structural type

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: add missing isGroup and contains fields to UserTableUser attributes type

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: update customRole type to match actual Prisma Role model

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix build

* fix

* fix

* cleanup weeklyview

* fix

* refactor to mv MemberPermissions to types package

* add types dependency to features

* fix

* fix

* fix

* fix

* fix

* fix

* rename

* rename

* migrate

* migrate

* migrate

* fix

* fix

* fix

* refactor: move test utilities from packages/features/test to tests/libs

- Move bookingScenario utilities to tests/libs/bookingScenario
- Move fixtures to tests/libs/fixtures
- Update all imports in packages/features test files to use new location
- Update all imports in apps/web test files to use new location
- Eliminates duplication of test utilities between packages/features and apps/web

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: correct relative import paths for tests/libs in test files

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* refactor: replace test utility implementations with re-exports to tests/libs

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: fix test import paths and move signup handler tests to apps/web

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: move buildLegacyCtx to packages/lib and restore handlers to packages/features

- Move buildLegacyCtx from apps/web/lib to packages/lib to break circular dependency
- Update apps/web/lib/buildLegacyCtx.ts to re-export from @calcom/lib
- Restore signup handlers and tests to packages/features/auth/signup/handlers
- Update handler imports to use @calcom/lib/buildLegacyCtx instead of @calcom/web/lib/buildLegacyCtx

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: update recurring-event.test.ts imports to use tests/libs path

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* refactor: delete test re-export files and update imports to use tests/libs directly

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: update remaining test imports to use tests/libs directly

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: update handleRecurringEventBooking calls to match function signature (1 arg)

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* remove

* migrate tests

* migrate tests

* refactor: update test mock imports by removing  and using async  for mock creators.

* fix type errors

* fix: add type assertion for MockUser in p2002.test-suite.ts

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: restore locale import in compareReminderBodyToTemplate.test.ts using relative path

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* feat: create @calcom/testing package and migrate tests from /tests directory

- Created new @calcom/testing package in /packages/testing
- Moved all files from /tests to /packages/testing
- Updated all imports across the codebase to use @calcom/testing alias
- Removed /tests directory at root level

This allows other packages like @calcom/features and @calcom/web to import
testing utilities using the @calcom/testing alias instead of relative paths.

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix

* fix

* fix: add missing useBookings export to @calcom/atoms package

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: add missing useCalendarsBusyTimes and useConnectedCalendars exports to @calcom/atoms

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* chore: add @calcom/testing as explicit devDependency to packages that use it

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* refactor: move setupVitest.ts into @calcom/testing package

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix

* chore: add biome rules to restrict @calcom/testing imports

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix

* rename libs to lib

* rename libs to lib

* add rule

* add rule

* refactor: remove @calcom/features imports from @calcom/testing

- Move mockPaymentSuccessWebhookFromStripe to fresh-booking.test.ts
- Replace ProfileRepository.generateProfileUid() with uuidv4()
- Clone Tracking type into @calcom/testing/src/lib/types.ts
- Update imports in expects.ts and getMockRequestDataForBooking.ts
- Move source files into src/ folder
- Move CalendarManager mock to @calcom/features

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: add explicit exports for nested paths in @calcom/testing

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* improve

* improve

* fix

* fix

* fix type checks

* fix type checks

* fix type checks

* fix tests

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-08 16:59:11 +09:00
Pedro Castro 2aed9908b7 fix: replace gray-matter with direct yaml.load for js-yaml 4.x compatibility (#26555)
gray-matter uses yaml.safeLoad() which was removed in js-yaml 4.x, causing 500
errors on app store pages after the js-yaml 4.1.1 update (CWE-1321 fix)

- Add parseFrontmatter function using yaml.load with JSON_SCHEMA
- Add type guard for safe type narrowing
- Add unit tests for frontmatter parsing and security
- Remove gray-matter dependency
2026-01-07 15:16:26 -03:00
Pedro Castro 23848e7503 chore(deps): update dependencies and add version constraints (#26390)
- Update sanitize-html to 2.17.0
- Remove unused Storybook dependencies from @calcom/ui
- Add resolutions for consistent dependency versions
- Clean up packageExtensions
2026-01-05 13:00:55 -03:00
Hariom Balhara 9d39590510 feat: create BookingHistoryViewerService to combine audit logs with routing form submissions (#26045)
* feat: create BookingHistoryViewerService to combine audit logs with routing form submissions

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* refactor(booking): rename audit log query and enhance type safety

- Updated the booking logs view to use the new getBookingHistory query instead of getAuditLogs.
- Introduced DisplayBookingAuditLog type for improved clarity in BookingAuditViewerService.
- Refactored BookingHistoryViewerService to utilize the new DisplayBookingAuditLog type and added sorting functionality for history logs.
- Adjusted related types and methods to ensure consistency across services.

* refactor(routing-forms): streamline imports and enhance type definitions

- Consolidated type exports and imports from the features library for better organization.
- Removed redundant type definitions and functions in zod.ts, findFieldValueByIdentifier.ts, getFieldIdentifier.ts, and parseRoutingFormResponse.ts.
- Introduced new utility functions for handling field responses and parsing routing form responses.
- Improved type safety and clarity across routing form response handling.

* fix: remove double prefix from uniqueId in form submission entry

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* 1c97f9cc5d50416788c01876fe539bcc9750e9b2 (#26453)

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-05 11:11:05 +00:00
shashank-100 9c08c5fed1 fix: patch React 19 vulnerabilities by upgrading to 19.2.3 (#26411)
* security: patch React 19 vulnerabilities by upgrading to 19.2.3

* chore: revert lingo.dev upgrade
2026-01-03 14:20:08 +00:00
Pedro Castro 40dd546429 chore(deps): update dependencies and add version constraints (#26328)
* chore(deps): update dependencies and add version constraints

 - Update direct dependencies: body-parser, @nestjs/swagger, react-use, trigger.dev
 - Add resolutions for consistent dependency versions across the monorepo
 - Add packageExtensions to ensure compatible transitive dependency versions

* fix: upgrade rollup resolution from 3.29.5 to 4.22.4

 Rollup 3.x is incompatible with vite 5.x which requires rollup ^4.20.0.
 The previous resolution caused CI failures due to missing ./parseAst
 export

* fix: update axios resolution to 1.13.2

Align resolution with direct dependency in apps/api/v2.
Both versions include the fix, but 1.13.2 is newer and
avoids an unnecessary downgrade
2026-01-01 23:18:53 +00:00
Volnei Munhoz bbf9274d37 chore: upgrade Vitest to 4.0.16 and Vite to 6.4.1 (#26351)
* chore: upgrade Vitest to 4.0.16 and Vite to 6.4.1

- Update vitest from 2.1.9 to 4.0.16
- Update @vitest/ui from 2.1.9 to 4.0.16
- Update vitest-fetch-mock from 0.3.0 to 0.4.5
- Update vitest-mock-extended from 2.0.2 to 3.1.0
- Update vite from 4.5.14/5.4.21 to 6.4.1 across all packages
- Update @vitejs/plugin-react to 5.1.2
- Update @vitejs/plugin-react-swc to 4.2.2
- Update @vitejs/plugin-basic-ssl to 2.1.0
- Update vite-plugin-dts to 4.5.4
- Rename vitest.config.ts to vitest.config.mts for ESM compatibility
- Add globals: true to vitest config

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: address Vitest 4.0 and Vite 6 breaking changes

- Convert arrow function mockImplementation patterns to regular functions
  (Vitest 4.0 breaking change: arrow functions can't be constructor mocks)
- Fix CSS imports with ?inline suffix for Vite 6 compatibility
- Add biome override to disable useArrowFunction rule for test files
- Fix syntax errors in test files introduced by regex replacements

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: fix remaining Vitest 4.0 constructor mock patterns

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: fix more Vitest 4.0 constructor mock patterns and exclude API v2 spec files

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert more arrow function mocks to regular functions for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert more arrow function mocks to regular functions for Vitest 4.0

- Fix CrmService.integration.test.ts jsforce.Connection mock
- Fix RetellSDKClient.test.ts Retell mock
- Fix RetellAIService.test.ts CreditService mocks
- Fix GoogleCalendarSubscriptionAdapter.test.ts CalendarAuth mock

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert Google Calendar and OAuthManager arrow function mocks for Vitest 4.0

- Fix googleapis.ts Calendar, OAuth2Client, and JWT mocks
- Fix utils.ts JWT mock
- Fix OAuthManager.ts defaultMockOAuthManager mock

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: add React plugin, jsdom environment, and fix more constructor mocks for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert HostRepository PrismaClient mock to regular function for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: add useOrgBranding mock to React component tests for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: update TestFunction type for Vitest 4.0 compatibility

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert listBookingReports constructor mocks to regular functions for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert UserRepository constructor mock to regular function for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert OrganizationPaymentService constructor mock to regular function for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert more constructor mocks to regular functions for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: add apps/web path aliases to vitest config

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: fix test issues for Vitest 4.0 compatibility

- Fix Response constructor 204 status code issue in testUtils.ts
- Fix FeaturesRepository mock persistence in handleNotificationWhenNoSlots.test.ts
- Add @vitest-environment node directive to formSubmissionUtils.test.ts
- Fix document.querySelector mock in embed.test.ts

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: clear EventManager spy between tests for Vitest 4.0 compatibility

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: update TeamRepository mock pattern for Vitest 4.0 compatibility

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert RoutingFormResponseRepository mock to regular function for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: convert more constructor mocks to regular functions for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: fix mock reset and spy clear issues for Vitest 4.0

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: fix remaining test failures for Vitest 4.0 upgrade

- Fix booking-validations.test.ts: convert UserRepository mock to regular function
- Fix route.test.ts: update 500 error test to mock ImageResponse instead of fetch
- Fix users-public-view.test.tsx: add missing mocks for getOrgFullOrigin and useRouterQuery
- Add @calcom/web path alias to vitest config

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: add vitest-mocks for generated files that don't exist in CI

- Add svg-hashes.json mock for route.test.ts
- Add tailwind.generated.css mock for embed.test.ts
- Update vitest config to use mock files

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: update vitest config aliases for CI compatibility

- Use array format for aliases to ensure proper ordering
- Add @calcom/platform-constants alias to resolve from source
- Add @calcom/embed-react alias to resolve from source
- Ensure svg-hashes.json mock alias is matched before @calcom/web

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: add @calcom/embed-snippet alias for CI compatibility

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* Fix wrong test

* fix: migrate from CLI flags to VITEST_MODE env var for Vitest 4.0

Vitest 4.0 no longer allows custom CLI flags like --packaged-embed-tests-only.
This change migrates to using VITEST_MODE environment variable instead:
- VITEST_MODE=packaged-embed for packaged embed tests
- VITEST_MODE=integration for integration tests
- VITEST_MODE=timezone for timezone-dependent tests

Updated vitest.config.mts to handle mode-based include/exclude patterns.
Updated CI workflows and package scripts to use the new env var approach.

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: return default include pattern instead of undefined in vitest config

The getTestInclude() function was returning undefined for the default case,
but Vitest 4.0 expects an array. This caused 'resolved.include is not iterable'
error in CI.

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: always set INTEGRATION_TEST_MODE for jsdom environment

The getBookingFields.ts file checks for INTEGRATION_TEST_MODE to allow
server-side imports in the jsdom environment. Without this, tests fail
with 'getBookingFields must not be imported on the client side' error.

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: support legacy CLI flags for backwards compatibility with main workflow

The CI runs workflows from main branch, which uses the old CLI flag approach
(yarn test -- --integrationTestsOnly). This commit adds backwards compatibility
by checking both VITEST_MODE env var and process.argv for the legacy flags.

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-01 18:16:10 -03:00
Volnei Munhoz ed14219e44 upgrade typescript (#26347) 2025-12-31 13:32:55 -03:00
Volnei Munhoz c52eff65a2 chore: fix biome warnings/errors (#26295)
* Fix icon-names

* make all errors into warns

* Minimal fix to mock
2025-12-30 11:46:26 +00:00
Volnei Munhoz 7c373ddad6 feat: Introduce biome (#25664)
* Configure biome

* Fix companion build

* fix: remove generated files from formatter ignore list to enable proper formatting

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: add explicit stripe dependency to @calcom/features to fix type resolution

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: rename const require to nodeRequire in generate-swagger.ts to avoid TypeScript reserved identifier conflict

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: add guard for document in makeBodyVisible to prevent test environment teardown errors

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: replace ESLint with Biome CLI in embed-code-generator.e2e.ts

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* fix: address cubic review comments

- Fix invalid --reporter-path Biome CLI option by using shell redirection
- Fix packages/lib lint report filename (app-store.json -> lib.json)
- Add typescript-eslint and eslint back to companion for lint:react-compiler
- Add missing restricted import rules to biome.json:
  - packages/lib: add ../trpc/** and @trpc/server restrictions
  - packages/trpc: add ../apps/web/** restriction

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* chore: regenerate companion bun.lock after adding eslint dependencies

Co-Authored-By: Volnei Munhoz <volnei.munhoz@gmail.com>

* Remove remaining eslint things

* add tailwind directives

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2025-12-29 19:41:41 -03:00
Keith Williams 55805f081d fix: add artifact handling for API v2 E2E tests (#26249)
* fix: add artifact handling for API v2 E2E tests

- Add jest-junit reporter to generate JUnit XML test results
- Update workflow to upload from correct path (apps/api/v2/test-results)
- Add if-no-files-found: ignore and retention-days: 30 for consistency

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>

* Apply suggestion from @keithwillcode

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2025-12-29 02:22:38 -03:00
Keith Williams b6e0182002 chore: Fix peer dependencies in yarn.lock (#26250) 2025-12-29 05:05:34 +00:00