merge: import 11 safe upstream commits #83
Merged
upstream 538f306 — marketing/package.json vulnerability patch
…ion (superset-sh#3121) These per-tool hooks add overhead without providing value for Codex. Only SessionStart, UserPromptSubmit, and Stop are needed.
…ing shell init (superset-sh#3030)" (superset-sh#3127) This reverts commit 3194568.
…rset-sh#3054)

The `emulator.onData` callback only forwarded terminal query responses (DA1, DSR) to the PTY subprocess when `attachedClients.size === 0`. When a renderer client is attached (the normal case when viewing a terminal), the headless emulator's DA1 response was silently dropped. This caused fish shell to wait 10 seconds for a DA1 response that never arrived, then print:

"warning: fish could not read response to Primary Device Attribute query after waiting for 10 seconds"

The previous fix in superset-sh#3030 removed the `shellReadyState === "pending"` guard but left the `attachedClients.size === 0` check intact. The renderer's xterm also generates DA1 responses, but those go through `write()` which drops all escape sequences during shell init — so neither path delivered the response to fish.

Remove the `attachedClients.size === 0` condition so the headless emulator always forwards query responses to the subprocess. This is safe because `sendWriteToSubprocess` writes directly to the PTY via IPC, bypassing the renderer's write path entirely.

Fixes superset-sh#3028

Co-authored-by: zombopanda <1810282+zombopanda@users.noreply.github.com>
Co-authored-by: Kiet Ho <hoakiet98@gmail.com>
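The two delivery paths described in the commit message above, as an added JavaScript model (not code from superset-sh or from this PR). `isQueryResponse`, `rendererWrite`, `emulatorOnData` and `simulateDa1` are hypothetical names, the function bodies are assumptions drawn from the message, and the DA1 reply is a constructed sample.

```javascript
// Added illustration: a simplified model, not the project's source.
// Identifiers echo the commit message; the bodies are assumptions.
const ESC = "\x1b";

// DA1 reply: ESC [ ? Ps ; ... c    DSR replies: ESC [ Ps n  or  ESC [ row ; col R
const QUERY_RESPONSE = /^\x1b\[(?:\?[\d;]*c|\d+n|\d+;\d+R)$/;

function isQueryResponse(data) {
  return QUERY_RESPONSE.test(data);
}

// Renderer path: write() drops all escape sequences during shell init.
function rendererWrite(data, shellReadyState, pty) {
  if (shellReadyState === "pending" && data.includes(ESC)) return;
  pty.push(data);
}

// Headless emulator path: onData forwards query responses to the PTY.
// requireNoClients=true models the pre-fix `attachedClients.size === 0` guard.
function emulatorOnData(data, attachedClients, pty, requireNoClients) {
  if (!isQueryResponse(data)) return;
  if (requireNoClients && attachedClients.size !== 0) return;
  pty.push(data); // stands in for sendWriteToSubprocess
}

// Count how many DA1 replies reach the shell while it is still initialising.
function simulateDa1(attachedCount, requireNoClients) {
  const pty = [];
  const attachedClients = new Set(
    Array.from({ length: attachedCount }, (_, i) => `client-${i}`),
  );
  const da1Reply = `${ESC}[?1;2c`; // constructed sample reply
  emulatorOnData(da1Reply, attachedClients, pty, requireNoClients);
  // An attached renderer's xterm answers too, through the filtered write path.
  if (attachedCount > 0) rendererWrite(da1Reply, "pending", pty);
  return pty.length;
}

console.log("pre-fix, client attached: ", simulateDa1(1, true));
console.log("post-fix, client attached:", simulateDa1(1, false));
console.log("pre-fix, no client:       ", simulateDa1(0, true));
```

With the guard in place and a renderer attached, the shell receives no reply from either path; without the guard the headless emulator's reply arrives even though the renderer's copy is still filtered.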
…n mode (superset-sh#3093) Decouples the reuse-existing-pane lookup from the openInNewTab flag so that an already-open file is always located first. The pane is still only reused in-place when openInNewTab is false, preventing duplicate panes when the user's file-open mode is set to "new-tab".
* Lint
* chore(desktop): bump version to 1.4.7
Patch upgrade to latest 40.x stable to fix 4 Dependabot security alerts: protocol handler injection, second-instance IPC OOB read, use-after-free in fullscreen/download callbacks, and registry key injection.
Remove the PostHog feature flag gate and desktop paywall from the GitHub integration so it is accessible to all plan tiers. Update billing plans to reflect GitHub as a free feature and replace GitHub with Slack in the pro features paywall preview.
…set-sh#3174)

* Reuse dnd backend
* Remove provider from v2 workspace
* Lint
* fix: await async closeTab in bulk close callbacks
* docs(panes): document DndProvider requirement for consumers

…pps (superset-sh#3154)

* fix(desktop): send correct terminal dimensions after attach for TUI apps

When opening a terminal via preset (Ctrl+1), the PTY was spawned with stale dimensions because fitAddon.fit() ran before the container had its final layout. Most CLIs handle the late SIGWINCH from the debounced ResizeObserver, but ink-based TUI apps like Claude Code commit to the initial width during their first render cycle, resulting in a narrow UI.

After a successful createOrAttach, schedule a requestAnimationFrame to re-fit and send corrected dimensions to the PTY. The resize is only sent if dimensions actually changed, making it a no-op when the initial size was already correct.

* refactor(terminal): remove stale dimension handling comments

Removed outdated comments regarding terminal dimension handling after attach, as the logic has been updated to ensure correct dimensions are sent to TUI apps. This cleanup enhances code readability and maintains focus on the current implementation.

* refactor(terminal): streamline terminal dimension handling logic

Reintroduced the requestAnimationFrame logic for updating terminal dimensions after attach, ensuring accurate dimensions are sent to TUI apps. This change enhances the responsiveness of terminal resizing and maintains consistency in the terminal's display behavior.
This was referenced Apr 5, 2026
Summary
Cherry-picked 11 safe commits from upstream (superset-sh/superset).
Definitely safe (5)
* 538f3061 Patch vuln (Upgrade next-mdx-remote for dependabot patch superset-sh/superset#3120) — marketing/package.json vulnerability patch
* 337a9aec Codex hooks removal (fix(desktop): remove PreToolUse/PostToolUse hooks from Codex superset-sh/superset#3121) — removes PreToolUse/PostToolUse
* 88bc7fb3 Revert DA1 (Revert "fix: solve #3028 — forward DA1 query responses during shell init" superset-sh/superset#3127) — terminal-host/session revert
* 92d0ff96 DA1 fix (fix: forward DA1 query responses regardless of attached clients superset-sh/superset#3054) — fixes the fish shell 10-second wait issue
* 10d9a5dd tiptap line-height (fix(desktop): adjust tiptap editor line-height in pane superset-sh/superset#3097) — line-spacing adjustment for the Markdown pane
Probably safe (6)
* c48450e4 file viewer pane fix (fix(desktop): prevent duplicate panes when file-open mode is new-tab superset-sh/superset#3093) — improved file viewer reuse logic
* fffa8db8 version 1.4.7 (chore(desktop): bump version to 1.4.7 superset-sh/superset#3128) — version bump + lint fixes
* ceb8c81f Electron 40.8.5 (chore(desktop): upgrade Electron 40.2.1 → 40.8.5 superset-sh/superset#3150) — 4 security fixes
* c7508e54 GitHub integration made free (Make GitHub integration free for all users superset-sh/superset#3152) — GitHub integration available on all plans
* 4d7c6122 DnD duplicate removal (fix(desktop): remove duplicate HTML5 backend from v2 Workspace superset-sh/superset#3174) — resolves the double DndProvider inside Workspace
* b8b11af7 TUI dimension fix (fix(desktop): send correct terminal dimensions after attach for TUI apps superset-sh/superset#3154) — width fix for TUI apps such as Claude Code
Remaining commits requiring review (to be handled in a separate PR)
Test plan