@julio-rocketchat
Member

@julio-rocketchat julio-rocketchat commented Dec 19, 2025

Proposed changes (including videos or screenshots)

This PR solves a NoSQL injection issue in Rocket.Chat.

Issue(s)

VLN-174

Steps to test or reproduce

N/A

Further comments

N/A

Summary by CodeRabbit

@coderabbitai ignore

@julio-rocketchat julio-rocketchat requested a review from a team as a code owner December 19, 2025 10:55
@dionisio-bot
Contributor

dionisio-bot bot commented Dec 19, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot bot commented Dec 19, 2025

🦋 Changeset detected

Latest commit: c7a9fe9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 42 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/freeswitch Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/abac Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch


@RocketChat RocketChat deleted a comment from coderabbitai bot Dec 19, 2025
@RocketChat RocketChat deleted a comment from coderabbitai bot Dec 19, 2025
@coderabbitai
Contributor

coderabbitai bot commented Dec 19, 2025

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
HttpError 404 ("Not Found") on PATCH https://api.github.com/repos/RocketChat/Rocket.Chat/issues/comments/3674606177 (retry count 1; response dated Fri, 19 Dec 2025 11:01:38 GMT). The request body was the auto-generated CodeRabbit summary:

Walkthrough

This PR addresses a blind NoSQL injection vulnerability (VLN-174) in the users.autocomplete endpoint and related APIs by implementing stricter query validation. Changes include reworking operation handling in isValidQuery to restrict dangerous operators, strengthening endpoint validation with dynamic field allowlisting based on user permissions, and exporting utility constants for reuse. A patch changeset is included.

Changes

  • Changeset (.changeset/fast-ligers-unite.md): New changeset documenting patch release for @rocket.chat/meteor with security hotfix note.
  • Core Query Validation (apps/meteor/app/api/server/lib/isValidQuery.ts): Reworked operation handling to check keys directly and use them for allowed operations lookup; expanded support for nested structures and primitive values under operation keys while maintaining existing non-operation attribute validation.
  • User Data Exports (apps/meteor/app/lib/server/functions/getFullUserData.ts): Converted defaultFields and fullFields from private to exported constants for use in query validation logic.
  • Users API Endpoints (apps/meteor/app/api/server/v1/users.ts): Extended imports to include defaultFields and fullFields; added dynamic field allowlisting and stricter operator restrictions (limited to [$and, $ne, $exists] for sensitive queries) across users.list, users.info, and users.autocomplete endpoints; added logic to detect user-provided queries and conditionally allow regex operators.
  • Tests (apps/meteor/tests/unit/app/api/server/v1/lib/isValidQuery.spec.ts): Extended allowed operations in shallow query test from ['$or'] to ['$or', '$regex']; added new test case verifying rejection of nested conditions with disallowed operators.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

  • isValidQuery.ts: Core validation logic changes with modified operation handling and recursive traversal logic; requires careful security review of operation restrictions
  • users.ts: Multiple endpoints modified with similar but contextually distinct field allowlisting patterns; logic density and security sensitivity demand thorough inspection
  • Test coverage gaps: Verify that new validation patterns across three endpoints have adequate test coverage for both allowed and blocked scenarios
  • Operator allowlists: Confirm that restricted operator sets ([$and, $ne, $exists]) appropriately balance security and functionality

Possibly related PRs

  • #37044: Modifies the @rocket.chat/meteor changeset alongside this PR as part of coordinated security patch release work.

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

  • ggazzo
  • KevLehman

Poem

🐰 A query once wild, now tamed with care,
No regex shall slip through our security snare,
Field allowlists guard what the users may see,
Nested structures checked recursively,
Safe from injection, our endpoints now stand free! 🛡️

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

  • Title check: ❓ Inconclusive. The title is vague and generic without describing the actual security fix implemented for the NoSQL injection vulnerability. Resolution: Revise title to be more descriptive, e.g., 'fix: prevent NoSQL injection in users endpoints' to clearly convey the main security objective.

✅ Passed checks (4 passed)

  • Linked Issues check: ✅ Passed. The pull request successfully implements the recommended remediations from VLN-174: operator allowlisting (restricting to safe operators like $and, $ne, $exists), field allowlisting (using defaultFields/fullFields), and enhanced query validation with error handling.
  • Out of Scope Changes check: ✅ Passed. All changes are directly aligned with addressing the NoSQL injection vulnerability. The changeset file documents a security hotfix, query validation logic is hardened, and test coverage is expanded accordingly.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
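
The operator and field allowlisting described in the CodeRabbit summary above, as an added JavaScript example. It is not Rocket.Chat's isValidQuery or any code from this PR; the field lists, function names, depth limit and sample queries are constructed for illustration.

```javascript
'use strict';

// Constructed field lists; these are NOT Rocket.Chat's defaultFields/fullFields.
const DEFAULT_FIELDS = ['name', 'username', 'status'];
const FULL_FIELDS = [...DEFAULT_FIELDS, 'emails.address', 'roles'];
// Operator set the summary names for sensitive, user-supplied queries.
const USER_QUERY_OPERATORS = ['$and', '$ne', '$exists'];
const MAX_DEPTH = 8; // assumption: bound recursion on hostile input

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Walk any value: arrays are searched member by member, objects are validated
// as sub-queries, and primitives cannot carry operators so they pass.
function validateValue(value, fields, operators, depth) {
  if (depth > MAX_DEPTH) return { ok: false, reason: 'query nested too deeply' };
  if (Array.isArray(value)) {
    for (const item of value) {
      const result = validateValue(item, fields, operators, depth + 1);
      if (!result.ok) return result;
    }
    return { ok: true };
  }
  return isPlainObject(value) ? validateQuery(value, fields, operators, depth) : { ok: true };
}

// Every key at every level must be an allowlisted operator ('$...') or an
// allowlisted field. Unknown keys fail closed, including keys of embedded documents.
function validateQuery(query, fields, operators, depth = 0) {
  if (!isPlainObject(query)) return { ok: false, reason: 'query must be an object' };
  for (const [key, value] of Object.entries(query)) {
    if (key.startsWith('$')) {
      if (!operators.includes(key)) return { ok: false, reason: `operator not allowed: ${key}` };
    } else if (!fields.includes(key)) {
      return { ok: false, reason: `field not allowed: ${key}` };
    }
    const result = validateValue(value, fields, operators, depth + 1);
    if (!result.ok) return result;
  }
  return { ok: true };
}

// Entry point for a raw `query` parameter: the field allowlist depends on the
// caller's permission, and unparseable input is rejected rather than ignored.
function checkUserQuery(rawJson, canViewFullData) {
  let query;
  try {
    query = JSON.parse(rawJson);
  } catch {
    return { ok: false, reason: 'query is not valid JSON' };
  }
  const fields = canViewFullData ? FULL_FIELDS : DEFAULT_FIELDS;
  return validateQuery(query, fields, USER_QUERY_OPERATORS);
}

// Constructed sample inputs.
for (const raw of [
  '{"status":{"$ne":"offline"}}',
  '{"username":{"$regex":"^a"}}',
  '{"$and":[{"name":{"$exists":true}},{"$and":[{"username":{"$regex":"^a"}}]}]}',
]) {
  console.log(raw, '->', JSON.stringify(checkUserQuery(raw, false)));
}
```

The third sample is the case the PR's new unit test targets: a disallowed operator nested under an allowed one must still be rejected.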

@github-actions
Contributor

github-actions bot commented Dec 19, 2025

📦 Docker Image Size Report

📈 Changes

Service Current Baseline Change Percent
sum of all images 1.2GiB 1.2GiB +12MiB
rocketchat 358MiB 347MiB +12MiB
omnichannel-transcript-service 132MiB 132MiB -2.3KiB
queue-worker-service 132MiB 132MiB -288B
ddp-streamer-service 126MiB 126MiB +865B
account-service 113MiB 113MiB +843B
authorization-service 111MiB 111MiB -140B
stream-hub-service 110MiB 110MiB +216B
presence-service 110MiB 110MiB +120B

📊 Historical Trend

[Chart: "Image Size Evolution by Service (Last 30 Days + This PR)"; x-axis: build timestamps from 11/15 22:28 to 12/19 12:20 (PR); y-axis: Size (GB), 0 to 0.5; one line per service listed in the table above]

Statistics (last 25 days):

  • 📊 Average: 1.5GiB
  • ⬇️ Minimum: 1.2GiB
  • ⬆️ Maximum: 1.6GiB
  • 🎯 Current PR: 1.2GiB
ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

  • Tag: pr-37874
  • Baseline: develop
  • Timestamp: 2025-12-19 12:20:07 UTC
  • Historical data points: 25

Updated: Fri, 19 Dec 2025 12:20:07 GMT

@codecov

codecov bot commented Dec 19, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.71%. Comparing base (25a10b6) to head (c7a9fe9).
⚠️ Report is 7 commits behind head on develop.

Additional details and impacted files


@@             Coverage Diff             @@
##           develop   #37874      +/-   ##
===========================================
+ Coverage    67.69%   67.71%   +0.01%     
===========================================
  Files         3474     3474              
  Lines       113862   113855       -7     
  Branches     20942    20939       -3     
===========================================
+ Hits         77084    77093       +9     
+ Misses       34598    34578      -20     
- Partials      2180     2184       +4     
Flag Coverage Δ
e2e 57.20% <ø> (+0.01%) ⬆️
e2e-api 44.02% <ø> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.


@julio-rocketchat julio-rocketchat merged commit 56f1239 into develop Dec 19, 2025
50 checks passed
@julio-rocketchat julio-rocketchat deleted the imported-fixes-2025-12-19 branch December 19, 2025 12:43
@julio-rocketchat
Member Author

/patch

dionisio-bot bot pushed a commit that referenced this pull request Dec 19, 2025
Co-authored-by: Ricardo Garim <rswarovsky@gmail.com>
@dionisio-bot
Contributor

dionisio-bot bot commented Dec 19, 2025

Pull request #37876 added to Project: "Patch 7.13.2"

@julio-rocketchat
Member Author

/backport 7.12.3

dionisio-bot bot pushed a commit that referenced this pull request Dec 19, 2025
Co-authored-by: Ricardo Garim <rswarovsky@gmail.com>
@dionisio-bot
Contributor

dionisio-bot bot commented Dec 19, 2025

Pull request #37877 added to Project: "Patch 7.12.3"

@julio-rocketchat
Member Author

/backport 7.11.3

dionisio-bot bot pushed a commit that referenced this pull request Dec 19, 2025
Co-authored-by: Ricardo Garim <rswarovsky@gmail.com>
@dionisio-bot
Contributor

dionisio-bot bot commented Dec 19, 2025

Pull request #37878 added to Project: "Patch 7.11.3"

@julio-rocketchat
Member Author

/backport 7.10.6

dionisio-bot bot pushed a commit that referenced this pull request Dec 19, 2025
Co-authored-by: Ricardo Garim <rswarovsky@gmail.com>
@dionisio-bot
Contributor

dionisio-bot bot commented Dec 19, 2025

Pull request #37879 added to Project: "Patch 7.10.6"

@julio-rocketchat
Member Author

/backport 7.9.7

dionisio-bot bot pushed a commit that referenced this pull request Dec 19, 2025
Co-authored-by: Ricardo Garim <rswarovsky@gmail.com>
@dionisio-bot
Contributor

dionisio-bot bot commented Dec 19, 2025

Pull request #37880 added to Project: "Patch 7.9.7"

@julio-rocketchat
Member Author

/backport 7.8.5

dionisio-bot bot pushed a commit that referenced this pull request Dec 19, 2025
Co-authored-by: Ricardo Garim <rswarovsky@gmail.com>
@dionisio-bot
Contributor

dionisio-bot bot commented Dec 19, 2025

Pull request #37882 added to Project: "Patch 7.8.5"

@coderabbitai coderabbitai bot mentioned this pull request Dec 19, 2025
gaolin1 pushed a commit to gaolin1/medsense.webchat that referenced this pull request Jan 6, 2026
Co-authored-by: Ricardo Garim <rswarovsky@gmail.com>