Merge branch 'main' into dependabot/github_actions/codecov/codecov-action-6

Author: ilayda-cp

.github/workflows/coverage.yml

@@ -52,7 +52,7 @@ jobs:
 
       - name: Upload coverage report
         if: always()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: snapcraftio-coverage
           path: coverage

package.json

@@ -26,9 +26,9 @@
     "@babel/preset-react": "7.28.5",
     "@babel/preset-typescript": "7.28.5",
     "@canonical/analytics-events": "1.0.5",
-    "@canonical/cookie-policy": "3.8.4",
+    "@canonical/cookie-policy": "3.10.0",
     "@canonical/global-nav": "3.8.0",
-    "@canonical/react-components": "3.12.1",
+    "@canonical/react-components": "4.5.1",
     "@canonical/store-components": "0.55.0",
     "@dnd-kit/core": "6.3.1",
     "@dnd-kit/sortable": "10.0.0",
@@ -63,7 +63,7 @@
     "jotai": "2.17.1",
     "jotai-family": "1.0.1",
     "nanoid": "5.1.6",
-    "postcss": "8.5.6",
+    "postcss": "8.5.10",
     "postcss-cli": "11.0.1",
     "prettier": "3.8.1",
     "prop-types": "15.8.1",
@@ -86,21 +86,21 @@
     "tinyglobby": "0.2.15",
     "topojson-client": "3.1.0",
     "typescript": "5.9.3",
-    "uuid": "13.0.0",
-    "vanilla-framework": "4.44.0",
-    "vite": "7.3.1"
+    "uuid": "14.0.0",
+    "vanilla-framework": "4.50.0",
+    "vite": "7.3.2"
   },
   "devDependencies": {
     "@babel/eslint-parser": "7.28.6",
-    "@percy/cli": "1.31.8",
+    "@percy/cli": "1.31.10",
     "@types/cypress": "1.1.6",
     "@types/d3": "7.4.3",
     "@types/redux-mock-store": "^1.5.0",
     "@types/uuid": "11.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.19.1",
-    "@typescript-eslint/parser": "^8.19.1",
-    "@vitest/coverage-v8": "4.0.18",
-    "@vitest/ui": "4.0.18",
+    "@typescript-eslint/eslint-plugin": "^8.58.0",
+    "@typescript-eslint/parser": "^8.58.0",
+    "@vitest/coverage-v8": "4.1.3",
+    "@vitest/ui": "4.1.3",
     "concurrently": "9.2.1",
     "cypress": "15.10.0",
     "eslint": "9.39.2",
@@ -109,13 +109,17 @@
     "eslint-plugin-prettier": "5.5.5",
     "eslint-plugin-react": "7.37.5",
     "msw": "2.12.8",
-    "stylelint": "17.1.1",
+    "stylelint": "17.6.0",
     "stylelint-config-standard-scss": "17.0.0",
     "stylelint-order": "7.0.1",
-    "vitest": "^4.0.0"
+    "vitest": "4.1.3"
   },
   "resolutions": {
     "vitest/**/glob": "13.0.1",
-    "lodash": "4.17.23"
+    "vitest/vite": "7.3.2",
+    "lodash": "4.18.1",
+    "picomatch": ">=2.3.2",
+    "brace-expansion": ">=2.0.2",
+    "@tootallnate/once": "3.0.1"
   }
 }

redirects.yaml

@@ -146,74 +146,74 @@ docs/gnome-3-34-extension/?: https://forum.snapcraft.io/t/the-gnome-3-34-extensi
 docs/snapcraft-interfaces/?: https://forum.snapcraft.io/t/supported-interfaces/7744
 
 # Old URL redirects
-docs/build-snaps: /docs/snap-format
-docs/build-snaps/build-for-another-arch: /docs/building-snaps
-docs/build-snaps/build-on-lxd-docker: /docs/build-snaps-on-docker
-docs/build-snaps/builders: /docs/t/building-the-snap/6800
-docs/build-snaps/debugging: /docs/debugging-building-snaps
-docs/build-snaps/electron: /docs/electron-apps
-docs/build-snaps/go: /docs/go-applications
-docs/build-snaps/hooks: /docs/supported-snap-hooks
-docs/build-snaps/java: /docs/java-applications
-docs/build-snaps/languages: /docs/creating-a-snap
-docs/build-snaps/metadata: /docs/snapcraft-app-and-service-metadata
-docs/build-snaps/moos: /docs/moos-applications
-docs/build-snaps/node: /docs/node-apps
-docs/build-snaps/parts: /docs/remote-reusable-parts
-docs/build-snaps/plugins: /docs/snapcraft-plugin-api
-docs/build-snaps/pre-built: /docs/t/pre-built-apps/6739
-docs/build-snaps/publish: /docs/releasing-to-the-snap-store
-docs/build-snaps/register-snap: /docs/registering-your-app-name
-docs/build-snaps/release: /docs/releasing-your-app
-docs/build-snaps/remote-parts: /docs/remote-reusable-parts
-docs/build-snaps/ros: /docs/ros-applications
-docs/build-snaps/ros2: /docs/ros2-applications
-docs/build-snaps/ruby: /docs/ruby-applications
-docs/build-snaps/rust: /docs/rust-applications
-docs/build-snaps/syntax: /docs/snapcraft-yaml-reference
-docs/build-snaps/upload: /docs/releasing-your-app
-docs/build-snaps/your-first-snap: /docs/build-on-lxd
-docs/core: /docs/quickstart-tour
-docs/core/install-arch-linux: /docs/installing-snap-on-arch-linux
-docs/core/install-debian: /docs/installing-snap-on-debian
-docs/core/install-elementary-os: /docs/installing-snap-on-elementary-os
-docs/core/install-fedora: /docs/installing-snap-on-fedora
-docs/core/install-gentoo: /docs/installing-snapd
-docs/core/install-linux-mint: /docs/installing-snap-on-linux-mint
-docs/core/install-manjaro: /docs/installing-snap-on-manjaro-linux
-docs/core/install-oe-yocto: /docs/installing-snapd
-docs/core/install-opensuse: /docs/installing-snapd
-docs/core/install-openwrt: /docs/installing-snapd
-docs/core/install-raspbian: /docs/installing-snap-on-raspbian
-docs/core/install-solus: /docs/installing-snap-on-solus
-docs/core/install-ubuntu: /docs/installing-snap-on-ubuntu
-docs/core/install: /docs/installing-snapd
-docs/core/interfaces: /docs/interface-management
-docs/core/updates: /docs/keeping-snaps-up-to-date
-docs/core/usage: /docs/quickstart-tour
-docs/deprecation-notices/dn1: /docs/t/deprecation-notice-1/8397
-docs/deprecation-notices/dn2: /docs/t/deprecation-notice-2/8398
-docs/deprecation-notices/dn3: /docs/t/deprecation-notice-3/8403
-docs/deprecation-notices/dn4: /docs/t/deprecation-notice-4/8404
-docs/deprecation-notices/dn5: /docs/t/deprecation-notice-5/8405
-docs/deprecation-notices/dn6: /docs/t/deprecation-notice-6/8406
-docs/deprecation-notices/dn7: /docs/t/deprecation-notice-7/8407
-docs/deprecation-notices/dn8: /docs/t/deprecation-notice-8/8408
-docs/deprecation-notices/dn9: /docs/t/deprecation-notice-9/8409
-docs/reference/channels: /docs/channels
-docs/reference/confinement: /docs/snap-confinement
-docs/reference/env: /docs/environment-variables
-docs/reference/interfaces: /docs/interface-management
+docs/build-snaps/?: /docs/snap-format
+docs/build-snaps/build-for-another-arch/?: /docs/building-snaps
+docs/build-snaps/build-on-lxd-docker/?: /docs/build-snaps-on-docker
+docs/build-snaps/builders/?: /docs/t/building-the-snap/6800
+docs/build-snaps/debugging/?: /docs/debugging-building-snaps
+docs/build-snaps/electron/?: /docs/electron-apps
+docs/build-snaps/go/?: /docs/go-applications
+docs/build-snaps/hooks/?: /docs/supported-snap-hooks
+docs/build-snaps/java/?: /docs/java-applications
+docs/build-snaps/languages/?: /docs/creating-a-snap
+docs/build-snaps/metadata/?: /docs/snapcraft-app-and-service-metadata
+docs/build-snaps/moos/?: /docs/moos-applications
+docs/build-snaps/node/?: /docs/node-apps
+docs/build-snaps/parts/?: /docs/remote-reusable-parts
+docs/build-snaps/plugins/?: /docs/snapcraft-plugin-api
+docs/build-snaps/pre-built/?: /docs/t/pre-built-apps/6739
+docs/build-snaps/publish/?: /docs/releasing-to-the-snap-store
+docs/build-snaps/register-snap/?: /docs/registering-your-app-name
+docs/build-snaps/release/?: /docs/releasing-your-app
+docs/build-snaps/remote-parts/?: /docs/remote-reusable-parts
+docs/build-snaps/ros/?: /docs/ros-applications
+docs/build-snaps/ros2/?: /docs/ros2-applications
+docs/build-snaps/ruby/?: /docs/ruby-applications
+docs/build-snaps/rust/?: /docs/rust-applications
+docs/build-snaps/syntax/?: /docs/snapcraft-yaml-reference
+docs/build-snaps/upload/?: /docs/releasing-your-app
+docs/build-snaps/your-first-snap/?: /docs/build-on-lxd
+docs/core/?: /docs/quickstart-tour
+docs/core/install-arch-linux/?: /docs/installing-snap-on-arch-linux
+docs/core/install-debian/?: /docs/installing-snap-on-debian
+docs/core/install-elementary-os/?: /docs/installing-snap-on-elementary-os
+docs/core/install-fedora/?: /docs/installing-snap-on-fedora
+docs/core/install-gentoo/?: /docs/installing-snapd
+docs/core/install-linux-mint/?: /docs/installing-snap-on-linux-mint
+docs/core/install-manjaro/?: /docs/installing-snap-on-manjaro-linux
+docs/core/install-oe-yocto/?: /docs/installing-snapd
+docs/core/install-opensuse/?: /docs/installing-snapd
+docs/core/install-openwrt/?: /docs/installing-snapd
+docs/core/install-raspbian/?: /docs/installing-snap-on-raspbian
+docs/core/install-solus/?: /docs/installing-snap-on-solus
+docs/core/install-ubuntu/?: /docs/installing-snap-on-ubuntu
+docs/core/install/?: /docs/installing-snapd
+docs/core/interfaces/?: /docs/interface-management
+docs/core/updates/?: /docs/keeping-snaps-up-to-date
+docs/core/usage/?: /docs/quickstart-tour
+docs/deprecation-notices/dn1/?: /docs/t/deprecation-notice-1/8397
+docs/deprecation-notices/dn2/?: /docs/t/deprecation-notice-2/8398
+docs/deprecation-notices/dn3/?: /docs/t/deprecation-notice-3/8403
+docs/deprecation-notices/dn4/?: /docs/t/deprecation-notice-4/8404
+docs/deprecation-notices/dn5/?: /docs/t/deprecation-notice-5/8405
+docs/deprecation-notices/dn6/?: /docs/t/deprecation-notice-6/8406
+docs/deprecation-notices/dn7/?: /docs/t/deprecation-notice-7/8407
+docs/deprecation-notices/dn8/?: /docs/t/deprecation-notice-8/8408
+docs/deprecation-notices/dn9/?: /docs/t/deprecation-notice-9/8409
+docs/reference/channels/?: /docs/channels
+docs/reference/confinement/?: /docs/snap-confinement
+docs/reference/env/?: /docs/environment-variables
+docs/reference/interfaces/?: /docs/interface-management
 docs/reference/plugins.*: /docs/writing-local-plugins
-docs/snaps: /docs
-docs/snaps/intro: /docs/quickstart-tour
-docs/snaps/metadata: /docs/snap-format
-docs/snaps/structure: /docs/system-snap-directory
+docs/snaps/?: /docs
+docs/snaps/intro/?: /docs/quickstart-tour
+docs/snaps/metadata/?: /docs/snap-format
+docs/snaps/structure/?: /docs/system-snap-directory
 account/details: /admin/account
 
 # Redirects webhook requests using old URL format (i.e. not starting with api/)
 (?P<snap_name>[^/]*)/webhook/notify: /api/{snap_name}/webhook/notify
-(?!api/.*)(?P<github_owner>[^/]*)/(?P<github_repo>[^/]*)/webhook/notify: /api/{github_owner}/{github_repo}/webhook/notify  
+(?!api/.*)(?P<github_owner>[^/]*)/(?P<github_repo>[^/]*)/webhook/notify: /api/{github_owner}/{github_repo}/webhook/notify
 
 # First snap flow pages
 first-snap/python: https://documentation.ubuntu.com/snapcraft/stable/how-to/integrations/craft-a-python-app/

requirements.txt

@@ -1,12 +1,12 @@
 # App dependencies
-canonicalwebteam.flask-base==3.1.1
-canonicalwebteam.flask-vite==0.4.0
+canonicalwebteam.flask-base==3.1.2
+canonicalwebteam.flask-vite==0.5.1
 canonicalwebteam.candid==0.9.0
-canonicalwebteam.discourse==7.1.1
+canonicalwebteam.discourse==7.2.0
 canonicalwebteam.blog==6.8.4
 canonicalwebteam.search==2.1.2
 canonicalwebteam.image-template==1.9.0
-canonicalwebteam.store-api==7.4.10
+canonicalwebteam.store-api==7.8.3
 canonicalwebteam.launchpad==0.9.0
 django-openid-auth==0.17
 Flask-OpenID==1.3.1
@@ -26,7 +26,7 @@ ruamel.yaml==0.18.5
 vcrpy-unittest==0.1.7
 user-agents==2.2.0
 dnspython==2.8.0
-werkzeug==2.3.8
+werkzeug==3.1.6
 sentry-sdk==2.52.0
 
 # Development dependencies

static/js/libs/__tests__/declare.test.ts

@@ -0,0 +1,42 @@
+import declareGlobal from "../declare";
+
+describe("declareGlobal", () => {
+  afterEach(() => {
+    // Clean up any globals we set
+    delete (globalThis as Record<string, unknown>).testApp;
+  });
+
+  test("sets a nested global value", () => {
+    declareGlobal("testApp.foo", { bar: 1 });
+    const g = globalThis as unknown as Record<
+      string,
+      Record<string, Record<string, number>>
+    >;
+    expect(g.testApp.foo.bar).toBe(1);
+  });
+
+  test("merges overlapping paths", () => {
+    declareGlobal("testApp.a", { x: 1 });
+    declareGlobal("testApp.b", { y: 2 });
+    const app = (globalThis as Record<string, unknown>).testApp as Record<
+      string,
+      unknown
+    >;
+    expect(app.a).toEqual({ x: 1 });
+    expect(app.b).toEqual({ y: 2 });
+  });
+
+  test("does not pollute Object.prototype via __proto__", () => {
+    const payload = JSON.parse('{"__proto__": {"polluted": true}}');
+    declareGlobal("testApp.merge", payload);
+    expect(({} as Record<string, unknown>).polluted).toBeUndefined();
+  });
+
+  test("does not pollute Object.prototype via constructor.prototype", () => {
+    const payload = JSON.parse(
+      '{"constructor": {"prototype": {"polluted": true}}}',
+    );
+    declareGlobal("testApp.merge2", payload);
+    expect(({} as Record<string, unknown>).polluted).toBeUndefined();
+  });
+});

static/js/libs/declare.ts

@@ -18,6 +18,15 @@ function buildObjectFromPath(path: string, value: unknown): Mergeable {
 
 function deepMerge(target: Mergeable, source: Mergeable, override: boolean) {
   for (const key of Object.keys(source)) {
+    // Guard against prototype pollution (CodeQL js/prototype-pollution-utility)
+    const isBlockedKey =
+      key === "__proto__" || key === "constructor" || key === "prototype";
+    const isInheritedProperty =
+      !Object.prototype.hasOwnProperty.call(target, key) &&
+      typeof target[key] !== "undefined";
+    if (isBlockedKey || isInheritedProperty) {
+      continue;
+    }
     if (typeof target[key] === "object" && typeof source[key] === "object") {
       target[key] = deepMerge(
         target[key] as Mergeable,

static/js/public/featured-snaps.ts

@@ -1,4 +1,5 @@
 import declareGlobal from "../libs/declare";
+import { trackFeaturedSnapClicked } from "../store/utils/featuredTracker";
 
 type PackageData = {
   apps: Array<string>;
@@ -31,21 +32,26 @@ async function buildCards(category: string): Promise<void> {
     );
 
     featuredSnapCards.forEach((featuredSnapCard, index) => {
-      buildCard(featuredSnapCard, localData[index]);
+      buildCard(featuredSnapCard, localData[index], category, index);
     });
   } else {
     const response = await fetch(`/store/featured-snaps/${category}`);
     const data: Array<PackageData> = await response.json();
 
     featuredSnapCards.forEach((featuredSnapCard, index) => {
-      buildCard(featuredSnapCard, data[index]);
+      buildCard(featuredSnapCard, data[index], category, index);
     });
 
     window.sessionStorage.setItem(category, JSON.stringify(data));
   }
 }
 
-function buildCard(featuredSnapCard: Element, data: PackageData) {
+function buildCard(
+  featuredSnapCard: Element,
+  data: PackageData,
+  category: string,
+  index: number,
+) {
   const placeholder = featuredSnapCard.querySelector(
     "[data-js='featured-snap-card-placeholder']",
   ) as HTMLElement;
@@ -117,6 +123,12 @@ function buildCard(featuredSnapCard: Element, data: PackageData) {
     }
 
     content.appendChild(clone);
+
+    content.addEventListener("click", () => {
+      if (category === "featured") {
+        trackFeaturedSnapClicked(data.package_name, index + 1, "home");
+      }
+    });
   }
 
   placeholder.classList.add("u-hide");

static/js/public/first-snap-flow.ts

@@ -28,8 +28,7 @@ function install(language: unknown, fsfFlow: string): void {
       ) as HTMLLinkElement;
       if (paginationBtn) {
         paginationBtn.classList.remove("is-disabled");
-        paginationBtn.href =
-          `/${fsfFlow}/${language}/${selectedOs}/package` as string;
+        paginationBtn.href = `/${encodeURIComponent(fsfFlow)}/${encodeURIComponent(String(language))}/${encodeURIComponent(selectedOs)}/package`;
       }
     }
   }
@@ -98,7 +97,7 @@ function install(language: unknown, fsfFlow: string): void {
       `#js-pagination-next`,
     ) as HTMLLinkElement;
     if (paginationBtn) {
-      const paginationBtnLink: string = `/${fsfFlow}/${language}/${type}/package`;
+      const paginationBtnLink: string = `/${encodeURIComponent(fsfFlow)}/${encodeURIComponent(String(language))}/${encodeURIComponent(type)}/package`;
       paginationBtn.classList.remove("is-disabled");
       paginationBtn.href = paginationBtnLink;
     }
@@ -193,7 +192,7 @@ function push(): void {
       ".js-continue",
     ) as HTMLLinkElement;
     if (continueBtn) {
-      continueBtn.href = `/${snapName}/releases`;
+      continueBtn.href = `/${encodeURIComponent(snapName)}/releases`;
       continueBtn.classList.add("p-button--positive");
       continueBtn.classList.remove("p-button");
       continueBtn.classList.remove("is-disabled");
@@ -204,7 +203,7 @@ function push(): void {
       "#js-pagination-next",
     ) as HTMLLinkElement;
     if (paginationBtn) {
-      paginationBtn.href = `/${snapName}/listing?from=first-snap`;
+      paginationBtn.href = `/${encodeURIComponent(snapName)}/listing?from=first-snap`;
       paginationBtn.classList.remove("is-disabled");
     }
   });
@@ -372,7 +371,7 @@ function initRegisterName(
         "#js-pagination-next",
       ) as HTMLLinkElement;
       if (paginationBtn) {
-        paginationBtn.href = `/${snapName}/listing?from=first-snap-unpublished`;
+        paginationBtn.href = `/${encodeURIComponent(snapName)}/listing?from=first-snap-unpublished`;
         paginationBtn.classList.remove("is-disabled");
       }
     };