Comparing changes

base repository: RocketChat/Rocket.Chat.Electron
base: 4.14.0-alpha.1
head repository: RocketChat/Rocket.Chat.Electron
compare: 4.14.0-alpha.2
  • 6 commits
  • 14 files changed
  • 1 contributor

Commits on Apr 1, 2026

  1. feat: load OS CA certificates at startup for corporate environments (#3283)

    * docs: add admin guide for allowInsecureOutlookConnections setting
    
    Document the overridden-settings.json configuration for bypassing
    SSL certificate validation in Outlook calendar sync, covering
    file paths per platform, default behavior, and usage scenarios.
    
    * feat: load OS CA certificates at startup for corporate environments
    
    Use Node.js 24's native tls.setDefaultCACertificates() to combine
    system-trusted and bundled Mozilla CAs at boot time. This allows
    all Node.js HTTPS connections (Outlook sync, version checks, etc.)
    to trust certificates from the OS trust store without disabling
    TLS verification.
    
    Enabled by default, configurable via useSystemCertificates in
    overridden-settings.json. The existing allowInsecureOutlookConnections
    remains as a last-resort fallback.
    
    * docs: consolidate certificate docs into single admin guide
    
    Merge the separate outlook-calendar-insecure-connections.md and
    system-ca-certificates.md into a unified corporate-certificate-configuration.md
    covering both approaches (system CAs and insecure bypass) in one place.
    
    * fix: address CodeRabbit review feedback
    
    - Align settings precedence: read both override files and let appAsar
      win, matching the merge order in data.ts
    - Use getCACertificates() (no arg) to preserve NODE_EXTRA_CA_CERTS
      alongside system and bundled CAs
    - Clarify doc wording for app ASAR override location
    jeanfbrito authored Apr 1, 2026
    358c057
  2. fix: update axios to 1.13.6 (CVE-2026-25639, MAL-2026-2306) (#3286)

    Addresses CVE-2026-25639 (prototype pollution DoS in mergeConfig) and
    MAL-2026-2306. Adds a resolutions entry to force axios 1.13.6 across
    all transitive consumers (e.g. @ewsjs/xhr), eliminating the duplicate
    1.13.4 copy from the lockfile.
    jeanfbrito authored Apr 1, 2026
    c656fe5
  3. chore: update Electron from 40.0.0 to 40.8.5 (#3285)

    Picks up Chromium 144.0.7559.236 and Node.js 24.14.0 with numerous
    bug fixes including clipboard crash, Windows notification icons,
    macOS safeStorage keychain migration, and desktopCapturer CoreAudio
    Tap API support. No breaking changes within the 40.x series.
    jeanfbrito authored Apr 1, 2026
    b3e7144
  4. fix: workspace tags in log viewer filter (#3284)

    * fix: use hostname-based server tags in logging and log viewer filter
    
    The log viewer server filter showed no results because the server-N IDs
    in log entries (assigned from a webContents pool) didn't match the IDs
    in the filter dropdown (derived from Redux array index).
    
    Replace the anonymous pool-based server-N system with hostname-based
    tags. Log entries now use the server hostname directly (e.g.,
    [open.rocket.chat] instead of [server-2]), and the filter dropdown
    uses the same hostname as key. This makes the mapping deterministic
    and stable across app reloads.
    
    * fix: use URL.host instead of hostname to avoid port collisions
    
    Servers on the same hostname but different ports (e.g., :3000 vs :4000)
    would collide when using hostname alone. URL.host includes the port
    when non-default, making each server key unique.
    
    * fix: dismiss path-based server matching review comment
    
    Rocket.Chat servers are always identified by host, not subpaths.
    Revert to origin-based matching and keep getHost for the server tag.
    
    * fix: address code review feedback
    
    - Rename webContentsToHostname → webContentsToHost to match URL.host usage
    - Use token-based removal in LogEntry to avoid partial substring matches
    
    * fix: use hostname-based server tags and fallback matching in log viewer
    
    Three issues with the server filter:
    - get-server-tag IPC returned index-based tags (server-1) instead of
      hostnames, causing a mismatch with the filter dropdown which uses
      hostnames from getHost()
    - registerWebContentsServer was not called during dom-ready, so logs
      from webContents whose console injection failed had no server tag
    - Filter only checked context tags, missing logs that mention the
      server URL in the message body
    
    Now uses getHost() for server tags, registers server context early in
    dom-ready, and falls back to matching against the full raw log line.
    jeanfbrito authored Apr 1, 2026
    abb4376
  5. chore: consolidate AGENTS.md into CLAUDE.md and clean up gitignore

    Merge all project-specific guidelines from AGENTS.md into CLAUDE.md,
    keeping universally-useful rules (build, patches, signing, testing,
    git safety, code style) accessible to all contributors. Remove
    AGENTS.md to avoid split documentation. Add temp/cache directories
    to .gitignore.
    jeanfbrito committed Apr 1, 2026
    b13bd7e
  6. Version 4.14.0-alpha.2

    jeanfbrito committed Apr 1, 2026
    f556580
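
Commit 1 (#3283) describes extending Node's default trust list with the OS store instead of turning TLS verification off. The sketch below is an added example, not code from the Rocket.Chat.Electron repository: `loadSystemCAs` and `dedupePem` are hypothetical names, and only the `useSystemCertificates` key and the two `tls` calls come from the commit message.

```javascript
// Added example (not Rocket.Chat.Electron source). loadSystemCAs and
// dedupePem are hypothetical helpers; the settings object is constructed.
const tls = require('node:tls');

// Drop duplicate PEM blocks so a CA present in both stores is listed once.
function dedupePem(certs) {
  const seen = new Set();
  return certs.filter((pem) => {
    const key = pem.replace(/\s+/g, '');
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// Extend the process-wide default CA list with the OS trust store.
// Returns a small status object the caller can log at startup.
function loadSystemCAs(settings = {}) {
  // The commit message says the setting is enabled by default.
  if (settings.useSystemCertificates === false) {
    return { applied: false, reason: 'disabled' };
  }
  if (typeof tls.getCACertificates !== 'function' ||
      typeof tls.setDefaultCACertificates !== 'function') {
    return { applied: false, reason: 'unsupported-runtime' };
  }
  try {
    // No argument: the current defaults, which include the bundled Mozilla
    // CAs and anything loaded through NODE_EXTRA_CA_CERTS.
    const current = tls.getCACertificates();
    const system = tls.getCACertificates('system');
    const merged = dedupePem([...current, ...system]);
    tls.setDefaultCACertificates(merged);
    return { applied: true, total: merged.length, fromSystem: system.length };
  } catch (err) {
    // On failure the previous defaults stay in place; verification stays on.
    return { applied: false, reason: err.message };
  }
}
```

Every failure path leaves certificate verification enabled with the previous CA list, which is the property that separates this approach from the `allowInsecureOutlookConnections` fallback.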
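
Commit 4 (#3284) moves log tags from pool-assigned `server-N` IDs to `URL.host`, matches tags as whole tokens, and falls back to the raw log line. The following is an added example, not the project's code: `getHost` is named in the commit message, but its body here and the other helpers are assumptions, and the URLs and log lines are constructed.

```javascript
// Added example, not Rocket.Chat.Electron source. Function bodies are
// assumptions; the server URLs and log lines below are constructed.
function getHost(serverUrl) {
  try {
    return new URL(serverUrl).host; // keeps a non-default port, omits the default one
  } catch {
    return null;
  }
}

// Collect the leading "[tag]" tokens of a line: "[main] [host:3000] text".
function contextTags(line) {
  const tags = [];
  const re = /^\s*\[([^\]]+)\]/;
  let rest = line;
  for (let m = re.exec(rest); m; m = re.exec(rest)) {
    tags.push(m[1]);
    rest = rest.slice(m[0].length);
  }
  return tags;
}

// True when `origin` occurs in the raw line and is not a prefix of a longer
// host or port (":3000" must not match ":30001").
function mentionsOrigin(line, origin) {
  for (let i = line.indexOf(origin); i !== -1; i = line.indexOf(origin, i + 1)) {
    const next = line[i + origin.length];
    if (next === undefined || !/[\w.:-]/.test(next)) return true;
  }
  return false;
}

function matchesServer(line, serverUrl) {
  const host = getHost(serverUrl);
  if (!host) return false;
  if (contextTags(line).includes(host)) return true; // whole-token match
  return mentionsOrigin(line, new URL(serverUrl).origin); // raw-line fallback
}

const SAMPLE_LOGS = [ // constructed
  '[renderer] [chat.example.test:3000] socket connected',
  '[renderer] [chat.example.test:4000] socket connected',
  '[main] GET https://chat.example.test:3000/api/info failed',
  '[main] GET https://chat.example.test:30001/api/info failed',
];

function filterLogs(lines, serverUrl) {
  return lines.filter((line) => matchesServer(line, serverUrl));
}
```

Filtering `SAMPLE_LOGS` for `https://chat.example.test:3000` keeps the first and third lines only; a plain substring test on the host would also have pulled in the `:30001` entry and attributed it to the wrong workspace.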