release: update version to 0.14.2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix git reset --end-of-options error on file upload and edit (#8184 )
2026-02-28 09:10:57 +01:00 · 2026-02-18 19:23:48 -05:00 · 2026-02-18 19:13:57 -05:00 · 2026-02-18 19:12:35 -05:00 · 2026-02-18 19:12:23 -05:00 · 2026-02-18 19:11:55 -05:00
50 changed files with 493 additions and 536 deletions
--- a/.claude/commands/ghsa.md
+++ b/.claude/commands/ghsa.md
@@ -0,0 +1,13 @@
+Analyze and help fix the GitHub Security Advisory (GHSA) at: $ARGUMENTS
+
+Steps:
+1. Fetch the GHSA page using `gh api repos/gogs/gogs/security-advisories` and understand the vulnerability details (description, severity, affected versions, CWE).
+2. Verify the reported vulnerability actually exists, and why.
+3. Identify the affected code in this repository.
+4. Propose a fix with a clear explanation of the root cause and how the fix addresses it. Check for prior art in the codebase to stay consistent with existing patterns.
+5. Implement the fix. Only add tests when there is something meaningful to test at our layer.
+6. Run all the usual build and test commands.
+7. If a changelog entry is warranted (user will specify), add it to CHANGELOG.md with a placeholder for the PR link.
+8. Create a branch named after the GHSA ID, commit, and push.
+9. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
+10. If a changelog entry was added, update it with the PR link, then commit and push again.
--- a/.github/ISSUE_TEMPLATE/dev_release_minor_version.md
+++ b/.github/ISSUE_TEMPLATE/dev_release_minor_version.md
@@ -22,14 +22,16 @@ On the `main` branch:

 On the release branch:

- [ ] [Update the hard-coded version](https://github.com/gogs/gogs/commit/f0e3cd90f8d7695960eeef2e4e54b2e717302f6c) to the current release, e.g. `0.14.0+dev` -> `0.14.0`.
+- [ ] [Update the hard-coded version](https://github.com/gogs/gogs/commit/f17e7d5a2c36c52a1121d2315f3d75dcd8053b89) to the current release, e.g. `0.14.0+dev` -> `0.14.0`.
 - [ ] Wait for GitHub Actions to complete and no failed jobs.
- [ ] Publish new RC releases (e.g. `v0.14.0-rc.1`, `v0.14.0-rc.2`) ⚠️ **on the release branch** ⚠️ and ensure Docker and release workflows both succeed.
+- [ ] Publish new RC releases (e.g. `v0.14.0-rc.1`, `v0.14.0-rc.2`) to ensure Docker and release workflows both succeed.
+	- ⚠️ **Make sure the tag is created on the release branch**.
 	- [ ] Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
 	- [ ] Download one of the release archives and run through application setup to make sure nothing blows up.
- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) ⚠️ **on the release branch** ⚠️ with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current minor release.
- [ ] [Wait for new image tags for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
-	- Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
+- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current minor release.
+	- ⚠️ **Make sure the tag is created on the release branch**.
+- [ ] [Wait for a new image tag for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
+- [ ] [Push a new Docker image tag](https://github.com/gogs/gogs/blob/main/docs/dev/release/release_new_version.md#update-docker-image-tag) as `<MAJOR>.<MINOR>` to both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs), e.g.:
 - [ ] Download all release archives and [generate SHA256 checksum](https://github.com/gogs/gogs/blob/main/docs/dev/release/sha256.sh) for all binaries to the file `checksum_sha256.txt`.
 - [ ] Upload all archives and `checksum_sha256.txt` to https://dl.gogs.io.

@@ -37,6 +39,7 @@ On the release branch:

 On the `main` branch:

+- [ ] Publish [GitHub security advisories](https://github.com/gogs/gogs/security) for security patches included in the release.
 - [ ] Update the repository mirror on [Gitee](https://gitee.com/unknwon/gogs).
 - [ ] Create a new release announcement in [Discussions](https://github.com/gogs/gogs/discussions/categories/announcements).
 - [ ] Send a tweet on the [official Twitter account](https://twitter.com/GogsHQ) for the minor release.
--- a/.github/ISSUE_TEMPLATE/dev_release_patch_version.md
+++ b/.github/ISSUE_TEMPLATE/dev_release_patch_version.md
@@ -22,16 +22,19 @@ On the release branch:

 - [ ] [Update the hard-coded version](https://github.com/gogs/gogs/commit/f0e3cd90f8d7695960eeef2e4e54b2e717302f6c) to the current release, e.g. `0.12.0` -> `0.12.1`.
 - [ ] Wait for GitHub Actions to complete and no failed jobs.
- [ ] Publish new RC releases in [GitHub release](https://github.com/gogs/gogs/releases) (e.g. `v0.12.0-rc.1`, `v0.12.0-rc.2`) ⚠️ **on the release branch** ⚠️ and ensure Docker workflow succeeds.
-	- [ ] Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
+- [ ] Publish new RC releases in [GitHub release](https://github.com/gogs/gogs/releases) (e.g. `v0.12.0-rc.1`, `v0.12.0-rc.2`) to ensure Docker workflow succeeds.
+	- ⚠️ **Make sure the tag is created on the release branch**.
+	- Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
 	- [ ] Download one of the release archives and run through application setup to make sure nothing blows up.
- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) ⚠️ **on the release branch** ⚠️ with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current patch release and all previous releases with same minor version.
+- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current patch release and all previous releases with same minor version.
+	- ⚠️ **Make sure the tag is created on the release branch**.
 - [ ] Update all previous GitHub releases with same minor version with the warning:
 	```
 	**ℹ️ Heads up! There is a new patch release [0.12.1](https://github.com/gogs/gogs/releases/tag/v0.12.1) available, we recommend directly installing or upgrading to that version.**
 	```
- [ ] [Wait for new image tags for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
+- [ ] [Wait for a new image tag for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
 	- Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
+- [ ] [Update Docker image tag](https://www.notion.so/jcunknwon/Cheatsheet-and-playbooks-c3b053da42114411bd27285cd065b2a6?source=copy_link#1654f105c63f80958d96cd72e2f5df69) for the minor release `<MAJOR>.<MINOR>` on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
 - [ ] Download all release archives and [generate SHA256 checksum](https://github.com/gogs/gogs/blob/main/docs/dev/release/sha256.sh) for all binaries to the file `checksum_sha256.txt`.
 - [ ] Upload all archives and `checksum_sha256.txt` to https://dl.gogs.io.

--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -72,10 +72,12 @@ jobs:
        with:
          go-version: ${{ matrix.go-version }}
      - name: Run tests with coverage
-        run: |
-          go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic -json ./... > test-report.json
-          go install github.com/mfridman/tparse@latest
-          tparse -all -file=test-report.json
+        run: go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic ./...
+      - name: Upload coverage report to Codecov
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        with:
+          file: ./coverage
+          flags: unittests
      - name: Send email on failure
        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
        if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
@@ -101,6 +103,11 @@ jobs:
          go-version: ${{ matrix.go-version }}
      - name: Run tests with coverage
        run: go test -shuffle=on -v -coverprofile=coverage -covermode=atomic ./...
+      - name: Upload coverage report to Codecov
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        with:
+          file: ./coverage
+          flags: unittests
      - name: Send email on failure
        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
        if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
@@ -135,10 +142,7 @@ jobs:
        with:
          go-version: ${{ matrix.go-version }}
      - name: Run tests with coverage
-        run: |
-          go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic -json ./internal/database/... > test-report.json
-          go install github.com/mfridman/tparse@latest
-          tparse -all -file=test-report.json
+        run: go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic ./internal/database/...
        env:
          GOGS_DATABASE_TYPE: postgres
          PGPORT: 5432
@@ -164,10 +168,7 @@ jobs:
        with:
          go-version: ${{ matrix.go-version }}
      - name: Run tests with coverage
-        run: |
-          go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic -json ./internal/database/... > test-report.json
-          go install github.com/mfridman/tparse@latest
-          tparse -all -file=test-report.json
+        run: go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic ./internal/database/...
        env:
          GOGS_DATABASE_TYPE: mysql
          MYSQL_USER: root
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -50,7 +50,7 @@ jobs:
        id: version
        run: |
          if [ "${{ github.event_name }}" = "release" ]; then
-            echo "version=${{ github.event.release.tag_name }}" | sed 's/version=v/version=/' >> "$GITHUB_OUTPUT"
+            echo "version=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
            echo "release_tag=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
          elif [ "${{ github.event_name }}" = "push" ] && [ "${{ github.ref }}" = "refs/heads/main" ]; then
            echo "version=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
@@ -81,7 +81,7 @@ jobs:
              -X \"gogs.io/gogs/internal/conf.BuildCommit=$(git rev-parse HEAD)\"
            " \
            $TAGS_FLAG \
-            -trimpath -o "$BINARY_NAME" ./cmd/gogs
+            -trimpath -o "$BINARY_NAME"
      - name: Prepare archive contents
        run: |
          mkdir -p dist/gogs
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,19 @@ All notable changes to Gogs are documented in this file.

 ## 0.15.0+dev (`main`)

-## 0.14.1
+### Fixed
+
+- _Security:_ Cross-repository LFS object overwrite via missing content hash verification. [#8166](https://github.com/gogs/gogs/pull/8166) - [GHSA-gmf8-978x-2fg2](https://github.com/gogs/gogs/security/advisories/GHSA-gmf8-978x-2fg2)
+- _Security:_ DOM-based XSS via issue meta selection on the issue page. [#8178](https://github.com/gogs/gogs/pull/8178) - [GHSA-vgjm-2cpf-4g7c](https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c)
+- Unable to update files via web editor and API. [#8184](https://github.com/gogs/gogs/pull/8184)
+
+### Removed
+
+- Support for passing API access tokens via URL query parameters (`token`, `access_token`). Use the `Authorization` header instead. [#8177](https://github.com/gogs/gogs/pull/8177) - [GHSA-x9p5-w45c-7ffc](https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc)
+
+- Git clone via the built-in SSH server hangs. [#8132](https://github.com/gogs/gogs/issues/8132)
+
+## 0.14.0

 ### Added

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,9 +2,9 @@

 ## Supported versions

-Only the latest minor version releases are supported (e.g., 0.14) for patching vulnerabilities. You can find the latest minor version in the [GitHub releases](https://github.com/gogs/gogs/releases) page. 
+Only the latest minor version releases are supported (>= 0.13) for accepting vulnerability reports and patching fixes.

-Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). Not all accepted GHSA are published.
+Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).

 ## Vulnerability lifecycle

--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -24,7 +24,7 @@ tasks:
          -X "{{.PKG_PATH}}.BuildCommit={{.BUILD_COMMIT}}"
        '
        -tags '{{.TAGS}}'
-        -trimpath -o .bin/gogs{{.BINARY_EXT}} ./cmd/gogs
+        -trimpath -o .bin/gogs{{.BINARY_EXT}}
    vars:
      PKG_PATH: gogs.io/gogs/internal/conf
      BUILD_TIME:
@@ -33,7 +33,7 @@ tasks:
        sh: git rev-parse HEAD
    sources:
      - go.mod
-      - cmd/gogs/*.go
+      - gogs.go
      - internal/**/*.go
      - conf/**/*
      - public/**/*
--- a/codecov.yml
+++ b/codecov.yml
@@ -0,0 +1,16 @@
+coverage:
+  range: "60...95"
+  status:
+    project:
+      default:
+        threshold: 1%
+        informational: true
+    patch:
+      default:
+        only_pulls: true
+        informational: true
+
+comment:
+  layout: 'diff'
+
+github_checks: false
--- a/conf/app.ini
+++ b/conf/app.ini
@@ -279,6 +279,8 @@ ACCESS_CONTROL_ALLOW_ORIGIN =
 STORAGE = local
 ; The root path to store LFS objects on local file system.
 OBJECTS_PATH = data/lfs-objects
+; The path to temporarily store LFS objects during upload verification.
+OBJECTS_TEMP_PATH = data/tmp/lfs-objects

 [attachment]
 ; Whether to enabled upload attachments in general.
--- a/docs-old/dev/database_schema.md
+++ b/docs-old/dev/database_schema.md
@@ -1,131 +0,0 @@
-# Table "access"
-
-```
- Field  | Column  |   PostgreSQL    |         MySQL         |        SQLite3        
--------+---------+-----------------+-----------------------+-----------------------
- ID     | id      | BIGSERIAL       | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT 
- UserID | user_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
- RepoID | repo_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
- Mode   | mode    | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
-
-Primary keys: id
-Indexes: 
-	"access_user_repo_unique" UNIQUE (user_id, repo_id)
-```
-
-# Table "access_token"
-
-```
-    Field    |    Column    |         PostgreSQL          |            MySQL            |           SQLite3           
-------------+--------------+-----------------------------+-----------------------------+-----------------------------
- ID          | id           | BIGSERIAL                   | BIGINT AUTO_INCREMENT       | INTEGER AUTOINCREMENT       
- UserID      | uid          | BIGINT                      | BIGINT                      | INTEGER                     
- Name        | name         | TEXT                        | LONGTEXT                    | TEXT                        
- Sha1        | sha1         | VARCHAR(40) UNIQUE          | VARCHAR(40) UNIQUE          | VARCHAR(40) UNIQUE          
- SHA256      | sha256       | VARCHAR(64) NOT NULL UNIQUE | VARCHAR(64) NOT NULL UNIQUE | VARCHAR(64) NOT NULL UNIQUE 
- CreatedUnix | created_unix | BIGINT                      | BIGINT                      | INTEGER                     
- UpdatedUnix | updated_unix | BIGINT                      | BIGINT                      | INTEGER                     
-
-Primary keys: id
-Indexes: 
-	"idx_access_token_user_id" (uid)
-```
-
-# Table "action"
-
-```
-    Field     |     Column     |           PostgreSQL           |             MySQL              |            SQLite3             
--------------+----------------+--------------------------------+--------------------------------+--------------------------------
- ID           | id             | BIGSERIAL                      | BIGINT AUTO_INCREMENT          | INTEGER AUTOINCREMENT          
- UserID       | user_id        | BIGINT                         | BIGINT                         | INTEGER                        
- OpType       | op_type        | BIGINT                         | BIGINT                         | INTEGER                        
- ActUserID    | act_user_id    | BIGINT                         | BIGINT                         | INTEGER                        
- ActUserName  | act_user_name  | TEXT                           | LONGTEXT                       | TEXT                           
- RepoID       | repo_id        | BIGINT                         | BIGINT                         | INTEGER                        
- RepoUserName | repo_user_name | TEXT                           | LONGTEXT                       | TEXT                           
- RepoName     | repo_name      | TEXT                           | LONGTEXT                       | TEXT                           
- RefName      | ref_name       | TEXT                           | LONGTEXT                       | TEXT                           
- IsPrivate    | is_private     | BOOLEAN NOT NULL DEFAULT FALSE | BOOLEAN NOT NULL DEFAULT FALSE | NUMERIC NOT NULL DEFAULT FALSE 
- Content      | content        | TEXT                           | LONGTEXT                       | TEXT                           
- CreatedUnix  | created_unix   | BIGINT                         | BIGINT                         | INTEGER                        
-
-Primary keys: id
-Indexes: 
-	"idx_action_repo_id" (repo_id)
-	"idx_action_user_id" (user_id)
-```
-
-# Table "email_address"
-
-```
-    Field    |    Column    |           PostgreSQL           |             MySQL              |            SQLite3             
-------------+--------------+--------------------------------+--------------------------------+--------------------------------
- ID          | id           | BIGSERIAL                      | BIGINT AUTO_INCREMENT          | INTEGER AUTOINCREMENT          
- UserID      | uid          | BIGINT NOT NULL                | BIGINT NOT NULL                | INTEGER NOT NULL               
- Email       | email        | VARCHAR(254) NOT NULL          | VARCHAR(254) NOT NULL          | TEXT NOT NULL                  
- IsActivated | is_activated | BOOLEAN NOT NULL DEFAULT FALSE | BOOLEAN NOT NULL DEFAULT FALSE | NUMERIC NOT NULL DEFAULT FALSE 
-
-Primary keys: id
-Indexes: 
-	"email_address_user_email_unique" UNIQUE (uid, email)
-	"idx_email_address_user_id" (uid)
-```
-
-# Table "follow"
-
-```
-  Field   |  Column   |   PostgreSQL    |         MySQL         |        SQLite3        
----------+-----------+-----------------+-----------------------+-----------------------
- ID       | id        | BIGSERIAL       | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT 
- UserID   | user_id   | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
- FollowID | follow_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL      
-
-Primary keys: id
-Indexes: 
-	"follow_user_follow_unique" UNIQUE (user_id, follow_id)
-```
-
-# Table "lfs_object"
-
-```
-   Field   |   Column   |      PostgreSQL      |        MySQL         |      SQLite3      
-----------+------------+----------------------+----------------------+-------------------
- RepoID    | repo_id    | BIGINT               | BIGINT               | INTEGER           
- OID       | oid        | TEXT                 | VARCHAR(191)         | TEXT              
- Size      | size       | BIGINT NOT NULL      | BIGINT NOT NULL      | INTEGER NOT NULL  
- Storage   | storage    | TEXT NOT NULL        | LONGTEXT NOT NULL    | TEXT NOT NULL     
- CreatedAt | created_at | TIMESTAMPTZ NOT NULL | DATETIME(3) NOT NULL | DATETIME NOT NULL 
-
-Primary keys: repo_id, oid
-```
-
-# Table "login_source"
-
-```
-    Field    |    Column    |    PostgreSQL    |         MySQL         |        SQLite3        
-------------+--------------+------------------+-----------------------+-----------------------
- ID          | id           | BIGSERIAL        | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT 
- Type        | type         | BIGINT           | BIGINT                | INTEGER               
- Name        | name         | TEXT UNIQUE      | VARCHAR(191) UNIQUE   | TEXT UNIQUE           
- IsActived   | is_actived   | BOOLEAN NOT NULL | BOOLEAN NOT NULL      | NUMERIC NOT NULL      
- IsDefault   | is_default   | BOOLEAN          | BOOLEAN               | NUMERIC               
- Config      | cfg          | TEXT             | TEXT                  | TEXT                  
- CreatedUnix | created_unix | BIGINT           | BIGINT                | INTEGER               
- UpdatedUnix | updated_unix | BIGINT           | BIGINT                | INTEGER               
-
-Primary keys: id
-```
-
-# Table "notice"
-
-```
-    Field    |    Column    | PostgreSQL |         MySQL         |        SQLite3        
-------------+--------------+------------+-----------------------+-----------------------
- ID          | id           | BIGSERIAL  | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT 
- Type        | type         | BIGINT     | BIGINT                | INTEGER               
- Description | description  | TEXT       | TEXT                  | TEXT                  
- CreatedUnix | created_unix | BIGINT     | BIGINT                | INTEGER               
-
-Primary keys: id
-```
-
--- a/docs-old/admin/lfs.md
+++ b/docs-old/admin/lfs.md
--- a/docs-old/admin/release_strategy.md
+++ b/docs-old/admin/release_strategy.md
--- a/docs/dev/database_schema.md
+++ b/docs/dev/database_schema.md
@@ -0,0 +1,131 @@
+# Table "access"
+
+```
+  FIELD  | COLUMN  |   POSTGRESQL    |         MYSQL         |        SQLITE3         
+---------+---------+-----------------+-----------------------+------------------------
+  ID     | id      | BIGSERIAL       | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT  
+  UserID | user_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL       
+  RepoID | repo_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL       
+  Mode   | mode    | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL       
+
+Primary keys: id
+Indexes: 
+	"access_user_repo_unique" UNIQUE (user_id, repo_id)
+```
+
+# Table "access_token"
+
+```
+     FIELD    |    COLUMN    |         POSTGRESQL          |            MYSQL            |           SQLITE3            
+--------------+--------------+-----------------------------+-----------------------------+------------------------------
+  ID          | id           | BIGSERIAL                   | BIGINT AUTO_INCREMENT       | INTEGER AUTOINCREMENT        
+  UserID      | uid          | BIGINT                      | BIGINT                      | INTEGER                      
+  Name        | name         | TEXT                        | LONGTEXT                    | TEXT                         
+  Sha1        | sha1         | VARCHAR(40) UNIQUE          | VARCHAR(40) UNIQUE          | VARCHAR(40) UNIQUE           
+  SHA256      | sha256       | VARCHAR(64) NOT NULL UNIQUE | VARCHAR(64) NOT NULL UNIQUE | VARCHAR(64) NOT NULL UNIQUE  
+  CreatedUnix | created_unix | BIGINT                      | BIGINT                      | INTEGER                      
+  UpdatedUnix | updated_unix | BIGINT                      | BIGINT                      | INTEGER                      
+
+Primary keys: id
+Indexes: 
+	"idx_access_token_user_id" (uid)
+```
+
+# Table "action"
+
+```
+     FIELD     |     COLUMN     |           POSTGRESQL           |             MYSQL              |            SQLITE3              
+---------------+----------------+--------------------------------+--------------------------------+---------------------------------
+  ID           | id             | BIGSERIAL                      | BIGINT AUTO_INCREMENT          | INTEGER AUTOINCREMENT           
+  UserID       | user_id        | BIGINT                         | BIGINT                         | INTEGER                         
+  OpType       | op_type        | BIGINT                         | BIGINT                         | INTEGER                         
+  ActUserID    | act_user_id    | BIGINT                         | BIGINT                         | INTEGER                         
+  ActUserName  | act_user_name  | TEXT                           | LONGTEXT                       | TEXT                            
+  RepoID       | repo_id        | BIGINT                         | BIGINT                         | INTEGER                         
+  RepoUserName | repo_user_name | TEXT                           | LONGTEXT                       | TEXT                            
+  RepoName     | repo_name      | TEXT                           | LONGTEXT                       | TEXT                            
+  RefName      | ref_name       | TEXT                           | LONGTEXT                       | TEXT                            
+  IsPrivate    | is_private     | BOOLEAN NOT NULL DEFAULT FALSE | BOOLEAN NOT NULL DEFAULT FALSE | NUMERIC NOT NULL DEFAULT FALSE  
+  Content      | content        | TEXT                           | LONGTEXT                       | TEXT                            
+  CreatedUnix  | created_unix   | BIGINT                         | BIGINT                         | INTEGER                         
+
+Primary keys: id
+Indexes: 
+	"idx_action_repo_id" (repo_id)
+	"idx_action_user_id" (user_id)
+```
+
+# Table "email_address"
+
+```
+     FIELD    |    COLUMN    |           POSTGRESQL           |             MYSQL              |            SQLITE3              
+--------------+--------------+--------------------------------+--------------------------------+---------------------------------
+  ID          | id           | BIGSERIAL                      | BIGINT AUTO_INCREMENT          | INTEGER AUTOINCREMENT           
+  UserID      | uid          | BIGINT NOT NULL                | BIGINT NOT NULL                | INTEGER NOT NULL                
+  Email       | email        | VARCHAR(254) NOT NULL          | VARCHAR(254) NOT NULL          | TEXT NOT NULL                   
+  IsActivated | is_activated | BOOLEAN NOT NULL DEFAULT FALSE | BOOLEAN NOT NULL DEFAULT FALSE | NUMERIC NOT NULL DEFAULT FALSE  
+
+Primary keys: id
+Indexes: 
+	"email_address_user_email_unique" UNIQUE (uid, email)
+	"idx_email_address_user_id" (uid)
+```
+
+# Table "follow"
+
+```
+   FIELD   |  COLUMN   |   POSTGRESQL    |         MYSQL         |        SQLITE3         
+-----------+-----------+-----------------+-----------------------+------------------------
+  ID       | id        | BIGSERIAL       | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT  
+  UserID   | user_id   | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL       
+  FollowID | follow_id | BIGINT NOT NULL | BIGINT NOT NULL       | INTEGER NOT NULL       
+
+Primary keys: id
+Indexes: 
+	"follow_user_follow_unique" UNIQUE (user_id, follow_id)
+```
+
+# Table "lfs_object"
+
+```
+    FIELD   |   COLUMN   |      POSTGRESQL      |        MYSQL         |      SQLITE3       
+------------+------------+----------------------+----------------------+--------------------
+  RepoID    | repo_id    | BIGINT               | BIGINT               | INTEGER            
+  OID       | oid        | TEXT                 | VARCHAR(191)         | TEXT               
+  Size      | size       | BIGINT NOT NULL      | BIGINT NOT NULL      | INTEGER NOT NULL   
+  Storage   | storage    | TEXT NOT NULL        | LONGTEXT NOT NULL    | TEXT NOT NULL      
+  CreatedAt | created_at | TIMESTAMPTZ NOT NULL | DATETIME(3) NOT NULL | DATETIME NOT NULL  
+
+Primary keys: repo_id, oid
+```
+
+# Table "login_source"
+
+```
+     FIELD    |    COLUMN    |    POSTGRESQL    |         MYSQL         |        SQLITE3         
+--------------+--------------+------------------+-----------------------+------------------------
+  ID          | id           | BIGSERIAL        | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT  
+  Type        | type         | BIGINT           | BIGINT                | INTEGER                
+  Name        | name         | TEXT UNIQUE      | VARCHAR(191) UNIQUE   | TEXT UNIQUE            
+  IsActived   | is_actived   | BOOLEAN NOT NULL | BOOLEAN NOT NULL      | NUMERIC NOT NULL       
+  IsDefault   | is_default   | BOOLEAN          | BOOLEAN               | NUMERIC                
+  Config      | cfg          | TEXT             | TEXT                  | TEXT                   
+  CreatedUnix | created_unix | BIGINT           | BIGINT                | INTEGER                
+  UpdatedUnix | updated_unix | BIGINT           | BIGINT                | INTEGER                
+
+Primary keys: id
+```
+
+# Table "notice"
+
+```
+     FIELD    |    COLUMN    | POSTGRESQL |         MYSQL         |        SQLITE3         
+--------------+--------------+------------+-----------------------+------------------------
+  ID          | id           | BIGSERIAL  | BIGINT AUTO_INCREMENT | INTEGER AUTOINCREMENT  
+  Type        | type         | BIGINT     | BIGINT                | INTEGER                
+  Description | description  | TEXT       | TEXT                  | TEXT                   
+  CreatedUnix | created_unix | BIGINT     | BIGINT                | INTEGER                
+
+Primary keys: id
+```
+
--- a/docs-old/dev/import_locale.md
+++ b/docs-old/dev/import_locale.md
@@ -6,7 +6,7 @@
 1. Run the `import` subcommand:

    ```
-    $ ./.bin/gogs import locale --source <path to the unzipped directory> --target ./conf/locale
+    $ ./gogs import locale --source <path to the unzipped directory> --target ./conf/locale
    Locale files has been successfully imported!
    ```

--- a/docs-old/dev/local_development.md
+++ b/docs-old/dev/local_development.md
--- a/docs-old/user/lfs.md
+++ b/docs-old/user/lfs.md
--- a/go.mod
+++ b/go.mod
@@ -6,11 +6,10 @@ require (
 	github.com/Masterminds/semver/v3 v3.4.0
 	github.com/cockroachdb/errors v1.12.0
 	github.com/derision-test/go-mockgen/v2 v2.1.1
-	github.com/editorconfig/editorconfig-core-go/v2 v2.6.4
-	github.com/fergusstrange/embedded-postgres v1.33.0
+	github.com/editorconfig/editorconfig-core-go/v2 v2.6.3
 	github.com/glebarez/go-sqlite v1.21.2
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/go-ldap/ldap/v3 v3.4.11
 	github.com/go-macaron/binding v1.2.0
 	github.com/go-macaron/cache v0.0.0-20190810181446-10f7c57e2196
 	github.com/go-macaron/captcha v0.2.0
@@ -21,19 +20,19 @@ require (
 	github.com/go-macaron/toolbox v0.0.0-20190813233741-94defb8383c6
 	github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561
 	github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14
-	github.com/gogs/git-module v1.8.6
+	github.com/gogs/git-module v1.8.7
 	github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4
 	github.com/gogs/go-libravatar v0.0.0-20191106065024-33a75213d0a0
 	github.com/gogs/minwinsvc v0.0.0-20170301035411-95be6356811a
 	github.com/google/go-github v17.0.0+incompatible
-	github.com/inbucket/html2text v1.0.0
 	github.com/issue9/identicon v1.2.1
+	github.com/jaytaylor/html2text v0.0.0-20190408195923-01ec452cbe43
 	github.com/json-iterator/go v1.1.12
 	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/msteinert/pam v1.2.0
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646
 	github.com/niklasfasching/go-org v1.9.1
-	github.com/olekukonko/tablewriter v1.1.3
+	github.com/olekukonko/tablewriter v0.0.5
 	github.com/pquerna/otp v1.5.0
 	github.com/prometheus/client_golang v1.23.0
 	github.com/russross/blackfriday v1.6.0
@@ -46,9 +45,9 @@ require (
 	github.com/unknwon/i18n v0.0.0-20190805065654-5c6446a380b6
 	github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e
 	github.com/urfave/cli v1.22.17
-	golang.org/x/crypto v0.47.0
-	golang.org/x/net v0.48.0
-	golang.org/x/text v0.33.0
+	golang.org/x/crypto v0.45.0
+	golang.org/x/net v0.47.0
+	golang.org/x/text v0.31.0
 	gopkg.in/DATA-DOG/go-sqlmock.v2 v2.0.0-20180914054222-c19298f520d0
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/ini.v1 v1.67.0
@@ -71,9 +70,6 @@ require (
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20190329173943-551aad21a668 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/clipperhouse/displaywidth v0.6.2 // indirect
-	github.com/clipperhouse/stringish v0.1.1 // indirect
-	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 	github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect
 	github.com/cockroachdb/redact v1.1.5 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
@@ -83,7 +79,7 @@ require (
 	github.com/djherbis/buffer v1.2.0 // indirect
 	github.com/djherbis/nio/v3 v3.0.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/color v1.13.0 // indirect
 	github.com/getsentry/sentry-go v0.27.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
@@ -108,10 +104,10 @@ require (
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/lib/pq v1.10.9 // indirect
-	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/lib/pq v1.10.2 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 // indirect
 	github.com/microsoft/go-mssqldb v0.17.0 // indirect
@@ -119,27 +115,24 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
-	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
-	github.com/olekukonko/errors v1.1.0 // indirect
-	github.com/olekukonko/ll v0.1.4-0.20260115111900-9e59c2286df0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.65.0 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
-	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	go.bobheadxi.dev/streamline v1.2.1 // indirect
 	go.opentelemetry.io/otel v1.11.0 // indirect
 	go.opentelemetry.io/otel/trace v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
-	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/bufio.v1 v1.0.0-20140618132640-567b2bfa514e // indirect
@@ -152,4 +145,4 @@ require (
 )

 // +heroku goVersion go1.25
-// +heroku install ./cmd/gogs
+// +heroku install ./
--- a/go.sum
+++ b/go.sum
@@ -22,8 +22,8 @@ github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWX
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
-github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
@@ -41,12 +41,6 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/clipperhouse/displaywidth v0.6.2 h1:ZDpTkFfpHOKte4RG5O/BOyf3ysnvFswpyYrV7z2uAKo=
-github.com/clipperhouse/displaywidth v0.6.2/go.mod h1:R+kHuzaYWFkTm7xoMmK1lFydbci4X2CicfbGstSGg0o=
-github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
-github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
-github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4=
-github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
 github.com/cockroachdb/errors v1.12.0 h1:d7oCs6vuIMUQRVbi6jWWWEJZahLCfJpnJSVobd1/sUo=
 github.com/cockroachdb/errors v1.12.0/go.mod h1:SvzfYNNBshAVbZ8wzNc/UPK3w1vf0dKDUP41ucAIf7g=
 github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b h1:r6VH0faHjZeQy818SGhaone5OnYfxFR/+AzdY3sf5aE=
@@ -85,14 +79,12 @@ github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+m
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
-github.com/editorconfig/editorconfig-core-go/v2 v2.6.4 h1:CHwUbBVVyKWRX9kt5A/OtwhYUJB32DrFp9xzmjR6cac=
-github.com/editorconfig/editorconfig-core-go/v2 v2.6.4/go.mod h1:JWRVKHdVW+dkv6F8p+xGCa6a+TyMrqsFbFkSs/aQkrQ=
+github.com/editorconfig/editorconfig-core-go/v2 v2.6.3 h1:XVUp6qW3BIkmM3/1EkrHpa6bL56APOynfXcZEmIgOhs=
+github.com/editorconfig/editorconfig-core-go/v2 v2.6.3/go.mod h1:ThHVc+hqbUsmE1wmK/MASpQEhCleWu1JDJDNhUOMy0c=
 github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/fergusstrange/embedded-postgres v1.33.0 h1:ka8vmRpm4IDsES7NPXQ/NThAp1fc/f+crcXYjCW7wK0=
-github.com/fergusstrange/embedded-postgres v1.33.0/go.mod h1:w0YvnCgf19o6tskInrOOACtnqfVlOvluz3hlNLY7tRk=
+github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
+github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -109,8 +101,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:h
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
-github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
+github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
+github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
@@ -154,8 +146,8 @@ github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561 h1:aBzukfDxQlCTVS0NBU
 github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14 h1:yXtpJr/LV6PFu4nTLgfjQdcMdzjbqqXMEnHfq0Or6p8=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14/go.mod h1:jPoNZLWDAqA5N3G5amEoiNbhVrmM+ZQEcnQvNQ2KaZk=
-github.com/gogs/git-module v1.8.6 h1:4Io9vWZYQyIjdIPxfKgeYZXnDKNgydc6OZTxII5xCH4=
-github.com/gogs/git-module v1.8.6/go.mod h1:IiMSJqi8XH62Kjqjt5Rw8IawSo+DHfM2dDjkSzWLjhs=
+github.com/gogs/git-module v1.8.7 h1:GDyfzB1Z8ytld3LajTfUE4PuIcGcuCHpWB6j8/oD7Tk=
+github.com/gogs/git-module v1.8.7/go.mod h1:IiMSJqi8XH62Kjqjt5Rw8IawSo+DHfM2dDjkSzWLjhs=
 github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4 h1:C7NryI/RQhsIWwC2bHN601P1wJKeuQ6U/UCOYTn3Cic=
 github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4/go.mod h1:fR6z1Ie6rtF7kl/vBYMfgD5/G5B1blui7z426/sj2DU=
 github.com/gogs/go-libravatar v0.0.0-20191106065024-33a75213d0a0 h1:K02vod+sn3M1OOkdqi2tPxN2+xESK4qyITVQ3JkGEv4=
@@ -231,8 +223,6 @@ github.com/hexops/valast v1.4.3 h1:oBoGERMJh6UZdRc6cduE1CTPK+VAdXA59Y1HFgu3sm0=
 github.com/hexops/valast v1.4.3/go.mod h1:Iqx2kLj3Jn47wuXpj3wX40xn6F93QNFBHuiKBerkTGA=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/inbucket/html2text v1.0.0 h1:N5kza++4uBBDJ2Z3KUnTRyPNoBcW+YfOgNiNmNB+sgs=
-github.com/inbucket/html2text v1.0.0/go.mod h1:5TrhXQKGU+LXurODaSm55Y9eXoPBRnYiOz4x2XfUoJU=
 github.com/issue9/assert/v2 v2.0.0 h1:vN7fr70g5ND6zM39tPZk/E4WCyjGMqApmFbujSTmEo0=
 github.com/issue9/assert/v2 v2.0.0/go.mod h1:rKr1eVGzXUhAo2af1thiKAhIA8uiSK9Wyn7mcZ4BzAg=
 github.com/issue9/identicon v1.2.1 h1:9RUq3DcmDJvfXAYZWJDaq/Bi45oS/Fr79W0CazbXNaY=
@@ -249,6 +239,8 @@ github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY=
 github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jaytaylor/html2text v0.0.0-20190408195923-01ec452cbe43 h1:jTkyeF7NZ5oIr0ESmcrpiDgAfoidCBF4F5kJhjtaRwE=
+github.com/jaytaylor/html2text v0.0.0-20190408195923-01ec452cbe43/go.mod h1:CVKlgaMiht+LXvHG173ujK6JUhZXKb2u/BQtjPDIvyk=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -290,19 +282,24 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
-github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8=
+github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lunny/log v0.0.0-20160921050905-7887c61bf0de/go.mod h1:3q8WtuPQsoRbatJuy3nvq/hRSvuBJrHHr+ybPPiNvHQ=
 github.com/lunny/nodb v0.0.0-20160621015157-fc1ef06ad4af/go.mod h1:Cqz6pqow14VObJ7peltM+2n3PWOz7yTrfUuGbVFkzN0=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
-github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
-github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
+github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
@@ -337,14 +334,8 @@ github.com/niklasfasching/go-org v1.9.1/go.mod h1:ZAGFFkWvUQcpazmi/8nHqwvARpr1xp
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 h1:zrbMGy9YXpIeTnGj4EljqMiZsIcE09mmF8XsD5AYOJc=
-github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6/go.mod h1:rEKTHC9roVVicUIfZK7DYrdIoM0EOr8mK1Hj5s3JjH0=
-github.com/olekukonko/errors v1.1.0 h1:RNuGIh15QdDenh+hNvKrJkmxxjV4hcS50Db478Ou5sM=
-github.com/olekukonko/errors v1.1.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
-github.com/olekukonko/ll v0.1.4-0.20260115111900-9e59c2286df0 h1:jrYnow5+hy3WRDCBypUFvVKNSPPCdqgSXIE9eJDD8LM=
-github.com/olekukonko/ll v0.1.4-0.20260115111900-9e59c2286df0/go.mod h1:b52bVQRRPObe+yyBl0TxNfhesL0nedD4Cht0/zx55Ew=
-github.com/olekukonko/tablewriter v1.1.3 h1:VSHhghXxrP0JHl+0NnKid7WoEmd9/urKRJLysb70nnA=
-github.com/olekukonko/tablewriter v1.1.3/go.mod h1:9VU0knjhmMkXjnMKrZ3+L2JhhtsQ/L38BbL3CRNE8tM=
+github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
+github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -397,6 +388,8 @@ github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlT
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
@@ -458,8 +451,6 @@ github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e h1:Qf3QQl/zmEbWD
 github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e/go.mod h1:TBwoao3Q4Eb/cp+dHbXDfRTrZSsj/k7kLr2j1oWRWC0=
 github.com/urfave/cli v1.22.17 h1:SYzXoiPfQjHBbkYxbew5prZHS1TOLT3ierW8SYLqtVQ=
 github.com/urfave/cli v1.22.17/go.mod h1:b0ht0aqgH/6pBYzzxURyrM4xXNgsoT/n2ZzwQiEhNVo=
-github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
-github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/ziutek/mymysql v1.5.4 h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs=
@@ -486,8 +477,8 @@ golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20221005025214-4161e89ecf1b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
@@ -496,8 +487,8 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -518,8 +509,8 @@ golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT
 golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -547,6 +538,8 @@ golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -555,24 +548,26 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220224120231-95c6836cb0e7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -586,8 +581,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/cmd/gogs/main.go
+++ b/cmd/gogs/main.go
@@ -1,3 +1,5 @@
+//go:build go1.18
+
 // Gogs is a painless self-hosted Git Service.
 package main

@@ -7,11 +9,12 @@ import (
 	"github.com/urfave/cli"
 	log "unknwon.dev/clog/v2"

+	"gogs.io/gogs/internal/cmd"
 	"gogs.io/gogs/internal/conf"
 )

 func init() {
-	conf.App.Version = "0.15.0+dev"
+	conf.App.Version = "0.14.2"
 }

 func main() {
@@ -20,14 +23,14 @@ func main() {
 	app.Usage = "A painless self-hosted Git service"
 	app.Version = conf.App.Version
 	app.Commands = []cli.Command{
-		webCommand,
-		servCommand,
-		hookCommand,
-		certCommand,
-		adminCommand,
-		importCommand,
-		backupCommand,
-		restoreCommand,
+		cmd.Web,
+		cmd.Serv,
+		cmd.Hook,
+		cmd.Cert,
+		cmd.Admin,
+		cmd.Import,
+		cmd.Backup,
+		cmd.Restore,
 	}
 	if err := app.Run(os.Args); err != nil {
 		log.Fatal("Failed to start application: %v", err)
--- a/internal/cmd/admin.go
+++ b/internal/cmd/admin.go
@@ -1,4 +1,4 @@
-package main
+package cmd

 import (
 	"context"
@@ -14,7 +14,7 @@ import (
 )

 var (
-	adminCommand = cli.Command{
+	Admin = cli.Command{
 		Name:  "admin",
 		Usage: "Perform admin operations on command line",
 		Description: `Allow using internal logic of Gogs without hacking into the source code
--- a/internal/cmd/backup.go
+++ b/internal/cmd/backup.go
@@ -1,4 +1,4 @@
-package main
+package cmd

 import (
 	"context"
@@ -20,7 +20,7 @@ import (
 	"gogs.io/gogs/internal/osutil"
 )

-var backupCommand = cli.Command{
+var Backup = cli.Command{
 	Name:  "backup",
 	Usage: "Backup files and database",
 	Description: `Backup dumps and compresses all related files and database into zip file,
--- a/internal/cmd/cert.go
+++ b/internal/cmd/cert.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package main
+package cmd

 import (
 	"crypto/ecdsa"
@@ -22,7 +22,7 @@ import (
 	"github.com/urfave/cli"
 )

-var certCommand = cli.Command{
+var Cert = cli.Command{
 	Name:  "cert",
 	Usage: "Generate self-signed certificate",
 	Description: `Generate a self-signed X.509 certificate for a TLS server.
--- a/internal/cmd/cmd.go
+++ b/internal/cmd/cmd.go
@@ -1,4 +1,4 @@
-package main
+package cmd

 import (
 	"time"
@@ -21,6 +21,7 @@ func boolFlag(name, usage string) cli.BoolFlag {
 	}
 }

+//nolint:deadcode,unused
 func intFlag(name string, value int, usage string) cli.IntFlag {
 	return cli.IntFlag{
 		Name:  name,
@@ -29,6 +30,7 @@ func intFlag(name string, value int, usage string) cli.IntFlag {
 	}
 }

+//nolint:deadcode,unused
 func durationFlag(name string, value time.Duration, usage string) cli.DurationFlag {
 	return cli.DurationFlag{
 		Name:  name,
--- a/internal/cmd/hook.go
+++ b/internal/cmd/hook.go
@@ -1,4 +1,4 @@
-package main
+package cmd

 import (
 	"bufio"
@@ -24,7 +24,7 @@ import (
 )

 var (
-	hookCommand = cli.Command{
+	Hook = cli.Command{
 		Name:        "hook",
 		Usage:       "Delegate commands to corresponding Git hooks",
 		Description: "All sub-commands should only be called by Git",
--- a/internal/cmd/import.go
+++ b/internal/cmd/import.go
@@ -1,4 +1,4 @@
-package main
+package cmd

 import (
 	"bufio"
@@ -16,7 +16,7 @@ import (
 )

 var (
-	importCommand = cli.Command{
+	Import = cli.Command{
 		Name:  "import",
 		Usage: "Import portable data as local Gogs data",
 		Description: `Allow user import data from other Gogs installations to local instance
--- a/internal/cmd/restore.go
+++ b/internal/cmd/restore.go
@@ -1,4 +1,4 @@
-package main
+package cmd

 import (
 	"context"
@@ -18,7 +18,7 @@ import (
 	"gogs.io/gogs/internal/semverutil"
 )

-var restoreCommand = cli.Command{
+var Restore = cli.Command{
 	Name:  "restore",
 	Usage: "Restore files and database from backup",
 	Description: `Restore imports all related files and database from a backup archive.
--- a/internal/cmd/serv.go
+++ b/internal/cmd/serv.go
@@ -1,4 +1,4 @@
-package main
+package cmd

 import (
 	"context"
@@ -21,7 +21,7 @@ const (
 	accessDeniedMessage = "Repository does not exist or you do not have access"
 )

-var servCommand = cli.Command{
+var Serv = cli.Command{
 	Name:        "serv",
 	Usage:       "This command should only be called by SSH shell",
 	Description: `Serv provide access auth for repositories`,
--- a/internal/cmd/web.go
+++ b/internal/cmd/web.go
@@ -1,4 +1,4 @@
-package main
+package cmd

 import (
 	"crypto/tls"
@@ -30,7 +30,6 @@ import (
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/context"
 	"gogs.io/gogs/internal/database"
-	"gogs.io/gogs/internal/embeddedpg"
 	"gogs.io/gogs/internal/form"
 	"gogs.io/gogs/internal/osutil"
 	"gogs.io/gogs/internal/route"
@@ -46,7 +45,7 @@ import (
 	"gogs.io/gogs/templates"
 )

-var webCommand = cli.Command{
+var Web = cli.Command{
 	Name:  "web",
 	Usage: "Start web server",
 	Description: `Gogs web server is the only thing you need to run,
@@ -55,7 +54,6 @@ and it takes care of all the other things for you`,
 	Flags: []cli.Flag{
 		stringFlag("port, p", "3000", "Temporary port number to prevent conflict"),
 		stringFlag("config, c", "", "Custom configuration file path"),
-		boolFlag("embedded-postgres", "Use embedded PostgreSQL database"),
 	},
 }

@@ -162,29 +160,7 @@ func newMacaron() *macaron.Macaron {
 }

 func runWeb(c *cli.Context) error {
-	// Initialize configuration first to get WorkDir
-	err := conf.Init(c.String("config"))
-	if err != nil {
-		log.Fatal("Failed to initialize configuration: %v", err)
-	}
-	conf.InitLogging(false)
-
-	var localPg *embeddedpg.LocalPostgres
-
-	if c.Bool("embedded-postgres") {
-		localPg = embeddedpg.Initialize(conf.WorkDir())
-		if err := localPg.Launch(); err != nil {
-			log.Fatal("Failed to launch embedded postgres: %v", err)
-		}
-		defer func() {
-			if err := localPg.Shutdown(); err != nil {
-				log.Error("Failed to shutdown embedded postgres: %v", err)
-			}
-		}()
-		localPg.ConfigureGlobalDatabase()
-	}
-
-	err = route.GlobalInit(c.String("config"))
+	err := route.GlobalInit(c.String("config"))
 	if err != nil {
 		log.Fatal("Failed to initialize application: %v", err)
 	}
--- a/internal/conf/conf.go
+++ b/internal/conf/conf.go
@@ -346,6 +346,7 @@ func Init(customConf string) error {
 		return errors.Wrap(err, "mapping [lfs] section")
 	}
 	LFS.ObjectsPath = ensureAbs(LFS.ObjectsPath)
+	LFS.ObjectsTempPath = ensureAbs(LFS.ObjectsTempPath)

 	handleDeprecated()
 	if !HookMode {
--- a/internal/conf/static.go
+++ b/internal/conf/static.go
@@ -231,7 +231,7 @@ var (
 )

 type AppOpts struct {
-	// ⚠️ WARNING: Should only be set by the main package (i.e. "cmd/gogs/main.go").
+	// ⚠️ WARNING: Should only be set by the main package (i.e. "gogs.go").
 	Version string `ini:"-"`

 	BrandName string
@@ -361,8 +361,9 @@ type DatabaseOpts struct {
 var Database DatabaseOpts

 type LFSOpts struct {
-	Storage     string
-	ObjectsPath string
+	Storage         string
+	ObjectsPath     string
+	ObjectsTempPath string
 }

 // LFS settings
@@ -436,6 +437,8 @@ func handleDeprecated() {

 // checkInvalidOptions checks invalid (renamed/deleted) configuration sections
 // and options and returns a list of warnings.
+//
+// LEGACY [0.15]: Delete this function.
 func checkInvalidOptions(config *ini.File) (warnings []string) {
 	renamedSections := map[string]string{
 		"mailer":  "email",
@@ -452,8 +455,18 @@ func checkInvalidOptions(config *ini.File) (warnings []string) {
 		option  string
 	}
 	renamedOptionPaths := map[optionPath]optionPath{
-		// Example:
-		// {"security", "REVERSE_PROXY_AUTHENTICATION_USER"}: {"auth", "REVERSE_PROXY_AUTHENTICATION_HEADER"},
+		{"security", "REVERSE_PROXY_AUTHENTICATION_USER"}: {"auth", "REVERSE_PROXY_AUTHENTICATION_HEADER"},
+		{"auth", "ACTIVE_CODE_LIVE_MINUTES"}:              {"auth", "ACTIVATE_CODE_LIVES"},
+		{"auth", "RESET_PASSWD_CODE_LIVE_MINUTES"}:        {"auth", "RESET_PASSWORD_CODE_LIVES"},
+		{"auth", "ENABLE_CAPTCHA"}:                        {"auth", "ENABLE_REGISTRATION_CAPTCHA"},
+		{"auth", "ENABLE_NOTIFY_MAIL"}:                    {"user", "ENABLE_EMAIL_NOTIFICATION"},
+		{"auth", "REGISTER_EMAIL_CONFIRM"}:                {"auth", "REQUIRE_EMAIL_CONFIRMATION"},
+		{"session", "GC_INTERVAL_TIME"}:                   {"session", "GC_INTERVAL"},
+		{"session", "SESSION_LIFE_TIME"}:                  {"session", "MAX_LIFE_TIME"},
+		{"server", "ROOT_URL"}:                            {"server", "EXTERNAL_URL"},
+		{"server", "LANDING_PAGE"}:                        {"server", "LANDING_URL"},
+		{"database", "DB_TYPE"}:                           {"database", "TYPE"},
+		{"database", "PASSWD"}:                            {"database", "PASSWORD"},
 	}
 	for oldPath, newPath := range renamedOptionPaths {
 		if config.Section(oldPath.section).HasKey(oldPath.option) {
@@ -502,7 +515,7 @@ func checkInvalidOptions(config *ini.File) (warnings []string) {
 // HookMode indicates whether program starts as Git server-side hook callback.
 // All operations should be done synchronously to prevent program exits before finishing.
 //
-// ⚠️ WARNING: Should only be set by "cmd/gogs/serv.go".
+// ⚠️ WARNING: Should only be set by "internal/cmd/serv.go".
 var HookMode bool

 // Indicates which database backend is currently being used.
--- a/internal/conf/static_test.go
+++ b/internal/conf/static_test.go
@@ -54,20 +54,20 @@ func TestCheckInvalidOptions(t *testing.T) {
 	_, _ = cfg.Section("server").NewKey("NONEXISTENT_OPTION", "true")

 	wantWarnings := []string{
-		"option [auth] ACTIVE_CODE_LIVE_MINUTES is invalid",
-		"option [auth] ENABLE_CAPTCHA is invalid",
-		"option [auth] ENABLE_NOTIFY_MAIL is invalid",
-		"option [auth] REGISTER_EMAIL_CONFIRM is invalid",
-		"option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is invalid",
-		"option [database] DB_TYPE is invalid",
-		"option [database] PASSWD is invalid",
-		"option [security] REVERSE_PROXY_AUTHENTICATION_USER is invalid",
-		"option [session] GC_INTERVAL_TIME is invalid",
-		"option [session] SESSION_LIFE_TIME is invalid",
+		"option [auth] ACTIVE_CODE_LIVE_MINUTES is invalid, use [auth] ACTIVATE_CODE_LIVES instead",
+		"option [auth] ENABLE_CAPTCHA is invalid, use [auth] ENABLE_REGISTRATION_CAPTCHA instead",
+		"option [auth] ENABLE_NOTIFY_MAIL is invalid, use [user] ENABLE_EMAIL_NOTIFICATION instead",
+		"option [auth] REGISTER_EMAIL_CONFIRM is invalid, use [auth] REQUIRE_EMAIL_CONFIRMATION instead",
+		"option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is invalid, use [auth] RESET_PASSWORD_CODE_LIVES instead",
+		"option [database] DB_TYPE is invalid, use [database] TYPE instead",
+		"option [database] PASSWD is invalid, use [database] PASSWORD instead",
+		"option [security] REVERSE_PROXY_AUTHENTICATION_USER is invalid, use [auth] REVERSE_PROXY_AUTHENTICATION_HEADER instead",
+		"option [session] GC_INTERVAL_TIME is invalid, use [session] GC_INTERVAL instead",
+		"option [session] SESSION_LIFE_TIME is invalid, use [session] MAX_LIFE_TIME instead",
 		"section [mailer] is invalid, use [email] instead",
 		"section [service] is invalid, use [auth] instead",
-		"option [server] ROOT_URL is invalid",
-		"option [server] LANDING_PAGE is invalid",
+		"option [server] ROOT_URL is invalid, use [server] EXTERNAL_URL instead",
+		"option [server] LANDING_PAGE is invalid, use [server] LANDING_URL instead",
 		"option [server] NONEXISTENT_OPTION is invalid",
 	}

--- a/internal/context/auth.go
+++ b/internal/context/auth.go
@@ -146,18 +146,12 @@ func authenticatedUserID(store AuthStore, c *macaron.Context, sess session.Store

 	// Check access token.
 	if isAPIPath(c.Req.URL.Path) {
-		tokenSHA := c.Query("token")
-		if len(tokenSHA) <= 0 {
-			tokenSHA = c.Query("access_token")
-		}
-		if tokenSHA == "" {
-			// Well, check with header again.
-			auHead := c.Req.Header.Get("Authorization")
-			if len(auHead) > 0 {
-				auths := strings.Fields(auHead)
-				if len(auths) == 2 && auths[0] == "token" {
-					tokenSHA = auths[1]
-				}
+		var tokenSHA string
+		auHead := c.Req.Header.Get("Authorization")
+		if auHead != "" {
+			auths := strings.Fields(auHead)
+			if len(auths) == 2 && auths[0] == "token" {
+				tokenSHA = auths[1]
 			}
 		}

--- a/internal/database/release.go
+++ b/internal/database/release.go
@@ -14,7 +14,6 @@ import (
 	api "github.com/gogs/go-gogs-client"

 	"gogs.io/gogs/internal/errutil"
-	"gogs.io/gogs/internal/process"
 )

 // Release represents a release of repository.
@@ -359,11 +358,13 @@ func DeleteReleaseOfRepoByID(repoID, id int64) error {
 		return errors.Newf("GetRepositoryByID: %v", err)
 	}

-	_, stderr, err := process.ExecDir(-1, repo.RepoPath(),
-		fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID),
-		"git", "tag", "-d", rel.TagName)
-	if err != nil && !strings.Contains(stderr, "not found") {
-		return errors.Newf("git tag -d: %v - %s", err, stderr)
+	gitRepo, err := git.Open(repo.RepoPath())
+	if err != nil {
+		return errors.Newf("open repository: %v", err)
+	}
+	err = gitRepo.DeleteTag(rel.TagName)
+	if err != nil && !strings.Contains(err.Error(), "not found") {
+		return errors.Newf("delete tag: %v", err)
 	}

 	if _, err = x.Id(rel.ID).Delete(new(Release)); err != nil {
--- a/internal/database/repo.go
+++ b/internal/database/repo.go
@@ -158,6 +158,7 @@ func NewRepoContext() {
 	}

 	RemoveAllWithNotice("Clean up repository temporary data", filepath.Join(conf.Server.AppDataPath, "tmp"))
+	RemoveAllWithNotice("Clean up LFS temporary data", conf.LFS.ObjectsTempPath)
 }

 // Repository contains information of a repository.
--- a/internal/database/schemadoc/main.go
+++ b/internal/database/schemadoc/main.go
@@ -10,8 +10,6 @@ import (
 	"github.com/cockroachdb/errors"
 	"github.com/glebarez/sqlite"
 	"github.com/olekukonko/tablewriter"
-	"github.com/olekukonko/tablewriter/renderer"
-	"github.com/olekukonko/tablewriter/tw"
 	"gopkg.in/DATA-DOG/go-sqlmock.v2"
 	"gorm.io/driver/mysql"
 	"gorm.io/driver/postgres"
@@ -63,25 +61,20 @@ func main() {

 		_, _ = w.WriteString("```\n")

-		table := tablewriter.NewTable(w,
-			tablewriter.WithRenderer(renderer.NewBlueprint(tw.Rendition{
-				Borders: tw.BorderNone,
-				Symbols: tw.NewSymbols(tw.StyleASCII),
-			})),
-			tablewriter.WithHeaderAutoFormat(tw.Off),
-		)
-		table.Header("Field", "Column", "PostgreSQL", "MySQL", "SQLite3")
+		table := tablewriter.NewWriter(w)
+		table.SetHeader([]string{"Field", "Column", "PostgreSQL", "MySQL", "SQLite3"})
+		table.SetBorder(false)
 		for j, f := range ti.Fields {
 			sqlite3Type := strings.ToUpper(collected[2][i].Fields[j].Type)
 			sqlite3Type = strings.ReplaceAll(sqlite3Type, "PRIMARY KEY ", "")
-			_ = table.Append([]string{
+			table.Append([]string{
 				f.Name, f.Column,
 				strings.ToUpper(f.Type),                         // PostgreSQL
 				strings.ToUpper(collected[1][i].Fields[j].Type), // MySQL
 				sqlite3Type,
 			})
 		}
-		_ = table.Render()
+		table.Render()
 		_, _ = w.WriteString("\n")

 		_, _ = w.WriteString("Primary keys: ")
--- a/internal/email/message.go
+++ b/internal/email/message.go
@@ -10,7 +10,7 @@ import (
 	"time"

 	"github.com/cockroachdb/errors"
-	"github.com/inbucket/html2text"
+	"github.com/jaytaylor/html2text"
 	"gopkg.in/gomail.v2"
 	log "unknwon.dev/clog/v2"

--- a/internal/embeddedpg/embeddedpg.go
+++ b/internal/embeddedpg/embeddedpg.go
@@ -1,92 +0,0 @@
-package embeddedpg
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"time"
-
-	"github.com/cockroachdb/errors"
-	embpg "github.com/fergusstrange/embedded-postgres"
-	log "unknwon.dev/clog/v2"
-
-	"gogs.io/gogs/internal/conf"
-)
-
-// LocalPostgres wraps embedded PostgreSQL server functionality.
-type LocalPostgres struct {
-	srv      *embpg.EmbeddedPostgres
-	baseDir  string
-	tcpPort  uint32
-	database string
-	user     string
-	pass     string
-}
-
-// Initialize creates a LocalPostgres with default settings based on workDir.
-func Initialize(workDir string) *LocalPostgres {
-	storageBase := filepath.Join(workDir, "data", "local-postgres")
-	return &LocalPostgres{
-		baseDir:  storageBase,
-		tcpPort:  15432,
-		database: "gogs",
-		user:     "gogs",
-		pass:     "gogs",
-	}
-}
-
-// Launch starts the embedded PostgreSQL server and blocks until ready.
-func (pg *LocalPostgres) Launch() error {
-	log.Info("Launching local PostgreSQL server...")
-	log.Trace("Base directory: %s", pg.baseDir)
-
-	// Create base directory
-	if err := os.MkdirAll(pg.baseDir, 0o700); err != nil {
-		return errors.Wrap(err, "mkdir local postgres base")
-	}
-
-	opts := embpg.DefaultConfig().
-		Username(pg.user).
-		Password(pg.pass).
-		Database(pg.database).
-		Port(pg.tcpPort).
-		DataPath(pg.baseDir).
-		StartTimeout(45 * time.Second).
-		Logger(os.Stderr)
-
-	pg.srv = embpg.NewDatabase(opts)
-
-	if err := pg.srv.Start(); err != nil {
-		return errors.Wrap(err, "launch embedded pg")
-	}
-
-	log.Info("Local PostgreSQL ready on port %d", pg.tcpPort)
-	return nil
-}
-
-// Shutdown stops the embedded PostgreSQL server gracefully.
-func (pg *LocalPostgres) Shutdown() error {
-	if pg.srv == nil {
-		return nil
-	}
-
-	log.Info("Shutting down local PostgreSQL...")
-	if err := pg.srv.Stop(); err != nil {
-		return errors.Wrap(err, "shutdown embedded pg")
-	}
-
-	log.Info("Local PostgreSQL shutdown complete")
-	return nil
-}
-
-// ConfigureGlobalDatabase modifies global conf.Database to point to this instance.
-func (pg *LocalPostgres) ConfigureGlobalDatabase() {
-	conf.Database.Type = "postgres"
-	conf.Database.Host = fmt.Sprintf("localhost:%d", pg.tcpPort)
-	conf.Database.Name = pg.database
-	conf.Database.User = pg.user
-	conf.Database.Password = pg.pass
-	conf.Database.SSLMode = "disable"
-
-	log.Trace("Global database configured for local PostgreSQL")
-}
--- a/internal/embeddedpg/embeddedpg_test.go
+++ b/internal/embeddedpg/embeddedpg_test.go
@@ -1,28 +0,0 @@
-package embeddedpg
-
-import (
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestInitialize(t *testing.T) {
-	workDir := "/tmp/gogs-test"
-	pg := Initialize(workDir)
-
-	assert.NotNil(t, pg)
-	assert.Equal(t, filepath.Join(workDir, "data", "local-postgres"), pg.baseDir)
-	assert.Equal(t, uint32(15432), pg.tcpPort)
-	assert.Equal(t, "gogs", pg.database)
-	assert.Equal(t, "gogs", pg.user)
-	assert.Equal(t, "gogs", pg.pass)
-}
-
-func TestShutdownWithoutStart(t *testing.T) {
-	pg := Initialize("/tmp/gogs-test")
-
-	// Should not error when stopping a non-started instance
-	err := pg.Shutdown()
-	assert.NoError(t, err)
-}
--- a/internal/lfsutil/storage.go
+++ b/internal/lfsutil/storage.go
@@ -1,6 +1,8 @@
 package lfsutil

 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"io"
 	"os"
 	"path/filepath"
@@ -10,7 +12,10 @@ import (
 	"gogs.io/gogs/internal/osutil"
 )

-var ErrObjectNotExist = errors.New("Object does not exist")
+var (
+	ErrObjectNotExist = errors.New("object does not exist")
+	ErrOIDMismatch    = errors.New("content hash does not match OID")
+)

 // Storager is an storage backend for uploading and downloading LFS objects.
 type Storager interface {
@@ -39,6 +44,8 @@ var _ Storager = (*LocalStorage)(nil)
 type LocalStorage struct {
 	// The root path for storing LFS objects.
 	Root string
+	// The path for storing temporary files during upload verification.
+	TempDir string
 }

 func (*LocalStorage) Storage() Storage {
@@ -58,29 +65,50 @@ func (s *LocalStorage) Upload(oid OID, rc io.ReadCloser) (int64, error) {
 		return 0, ErrInvalidOID
 	}

-	var err error
 	fpath := s.storagePath(oid)
-	defer func() {
-		rc.Close()
+	dir := filepath.Dir(fpath)

-		if err != nil {
-			_ = os.Remove(fpath)
-		}
-	}()
+	defer rc.Close()

-	err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm)
-	if err != nil {
+	if err := os.MkdirAll(dir, os.ModePerm); err != nil {
 		return 0, errors.Wrap(err, "create directories")
 	}
-	w, err := os.Create(fpath)
-	if err != nil {
-		return 0, errors.Wrap(err, "create file")
-	}
-	defer w.Close()

-	written, err := io.Copy(w, rc)
+	// If the object file already exists, skip the upload and return the
+	// existing file's size.
+	if fi, err := os.Stat(fpath); err == nil {
+		_, _ = io.Copy(io.Discard, rc)
+		return fi.Size(), nil
+	}
+
+	// Write to a temp file and verify the content hash before publishing.
+	// This ensures the final path always contains a complete, hash-verified
+	// file, even when concurrent uploads of the same OID race.
+	if err := os.MkdirAll(s.TempDir, os.ModePerm); err != nil {
+		return 0, errors.Wrap(err, "create temp directory")
+	}
+	tmp, err := os.CreateTemp(s.TempDir, "upload-*")
 	if err != nil {
-		return 0, errors.Wrap(err, "copy file")
+		return 0, errors.Wrap(err, "create temp file")
+	}
+	tmpPath := tmp.Name()
+	defer os.Remove(tmpPath)
+
+	hash := sha256.New()
+	written, err := io.Copy(tmp, io.TeeReader(rc, hash))
+	if closeErr := tmp.Close(); err == nil && closeErr != nil {
+		err = closeErr
+	}
+	if err != nil {
+		return 0, errors.Wrap(err, "write object file")
+	}
+
+	if computed := hex.EncodeToString(hash.Sum(nil)); computed != string(oid) {
+		return 0, ErrOIDMismatch
+	}
+
+	if err := os.Rename(tmpPath, fpath); err != nil && !os.IsExist(err) {
+		return 0, errors.Wrap(err, "publish object file")
 	}
 	return written, nil
 }
--- a/internal/lfsutil/storage_test.go
+++ b/internal/lfsutil/storage_test.go
@@ -10,6 +10,9 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"gogs.io/gogs/internal/osutil"
 )

 func TestLocalStorage_storagePath(t *testing.T) {
@@ -46,50 +49,54 @@ func TestLocalStorage_storagePath(t *testing.T) {
 }

 func TestLocalStorage_Upload(t *testing.T) {
+	base := t.TempDir()
 	s := &LocalStorage{
-		Root: filepath.Join(os.TempDir(), "lfs-objects"),
+		Root:    filepath.Join(base, "lfs-objects"),
+		TempDir: filepath.Join(base, "tmp", "lfs"),
 	}
-	t.Cleanup(func() {
-		_ = os.RemoveAll(s.Root)
+
+	const helloWorldOID = OID("c0535e4be2b79ffd93291305436bf889314e4a3faec05ecffcbb7df31ad9e51a") // "Hello world!"
+
+	t.Run("invalid OID", func(t *testing.T) {
+		written, err := s.Upload("bad_oid", io.NopCloser(strings.NewReader("")))
+		assert.Equal(t, int64(0), written)
+		assert.Equal(t, ErrInvalidOID, err)
 	})

-	tests := []struct {
-		name       string
-		oid        OID
-		content    string
-		expWritten int64
-		expErr     error
-	}{
-		{
-			name:   "invalid oid",
-			oid:    "bad_oid",
-			expErr: ErrInvalidOID,
-		},
+	t.Run("valid OID", func(t *testing.T) {
+		written, err := s.Upload(helloWorldOID, io.NopCloser(strings.NewReader("Hello world!")))
+		require.NoError(t, err)
+		assert.Equal(t, int64(12), written)
+	})

-		{
-			name:       "valid oid",
-			oid:        "ef797c8118f02dfb649607dd5d3f8c7623048c9c063d532cc95c5ed7a898a64f",
-			content:    "Hello world!",
-			expWritten: 12,
-		},
-	}
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			written, err := s.Upload(test.oid, io.NopCloser(strings.NewReader(test.content)))
-			assert.Equal(t, test.expWritten, written)
-			assert.Equal(t, test.expErr, err)
-		})
-	}
+	t.Run("valid OID but wrong content", func(t *testing.T) {
+		oid := OID("ef797c8118f02dfb649607dd5d3f8c7623048c9c063d532cc95c5ed7a898a64f")
+		written, err := s.Upload(oid, io.NopCloser(strings.NewReader("Hello world!")))
+		assert.Equal(t, int64(0), written)
+		assert.Equal(t, ErrOIDMismatch, err)
+
+		// File should have been cleaned up.
+		assert.False(t, osutil.IsFile(s.storagePath(oid)))
+	})
+
+	t.Run("duplicate upload returns existing size", func(t *testing.T) {
+		written, err := s.Upload(helloWorldOID, io.NopCloser(strings.NewReader("should be ignored")))
+		require.NoError(t, err)
+		assert.Equal(t, int64(12), written)
+
+		// Verify original content is preserved.
+		var buf bytes.Buffer
+		err = s.Download(helloWorldOID, &buf)
+		require.NoError(t, err)
+		assert.Equal(t, "Hello world!", buf.String())
+	})
 }

 func TestLocalStorage_Download(t *testing.T) {
 	oid := OID("ef797c8118f02dfb649607dd5d3f8c7623048c9c063d532cc95c5ed7a898a64f")
 	s := &LocalStorage{
-		Root: filepath.Join(os.TempDir(), "lfs-objects"),
+		Root: filepath.Join(t.TempDir(), "lfs-objects"),
 	}
-	t.Cleanup(func() {
-		_ = os.RemoveAll(s.Root)
-	})

 	fpath := s.storagePath(oid)
 	err := os.MkdirAll(filepath.Dir(fpath), os.ModePerm)
--- a/internal/markup/sanitizer.go
+++ b/internal/markup/sanitizer.go
@@ -1,6 +1,8 @@
 package markup

 import (
+	"net/url"
+	"strings"
 	"sync"

 	"github.com/microcosm-cc/bluemonday"
@@ -32,14 +34,28 @@ func NewSanitizer() {
 		sanitizer.policy.AllowAttrs("type").Matching(lazyregexp.New(`^checkbox$`).Regexp()).OnElements("input")
 		sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input")

-		// Data URLs
-		sanitizer.policy.AllowURLSchemes("data")
+		// Only allow data URIs with safe image MIME types to prevent XSS via
+		// "data:text/html" payloads.
+		sanitizer.policy.AllowURLSchemeWithCustomPolicy("data", isSafeDataURI)

 		// Custom URL-Schemes
 		sanitizer.policy.AllowURLSchemes(conf.Markdown.CustomURLSchemes...)
 	})
 }

+// isSafeDataURI returns whether the given data URI uses a safe image MIME type.
+func isSafeDataURI(u *url.URL) bool {
+	// The opaque data of a data URI has the form "mediatype;base64,data" or
+	// "mediatype,data". We only allow common image MIME types.
+	mediatype, _, _ := strings.Cut(u.Opaque, ";")
+	mediatype, _, _ = strings.Cut(mediatype, ",")
+	switch strings.TrimSpace(strings.ToLower(mediatype)) {
+	case "image/png", "image/jpeg", "image/gif", "image/webp", "image/x-icon":
+		return true
+	}
+	return false
+}
+
 // Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist.
 func Sanitize(s string) string {
 	return sanitizer.policy.Sanitize(s)
--- a/internal/markup/sanitizer_test.go
+++ b/internal/markup/sanitizer_test.go
@@ -26,6 +26,20 @@ func Test_Sanitizer(t *testing.T) {
 		{input: `<input type="hidden">`, expVal: ``},
 		{input: `<input type="checkbox">`, expVal: `<input type="checkbox">`},
 		{input: `<input checked disabled autofocus>`, expVal: `<input checked="" disabled="">`},
+
+		// Data URIs: safe image types should be allowed
+		{input: `<img src="data:image/png;base64,abc">`, expVal: `<img src="data:image/png;base64,abc">`},
+		{input: `<img src="data:image/jpeg;base64,abc">`, expVal: `<img src="data:image/jpeg;base64,abc">`},
+		{input: `<img src="data:image/gif;base64,abc">`, expVal: `<img src="data:image/gif;base64,abc">`},
+		{input: `<img src="data:image/webp;base64,abc">`, expVal: `<img src="data:image/webp;base64,abc">`},
+
+		// Data URIs: text/html must be stripped to prevent XSS (GHSA-xrcr-gmf5-2r8j)
+		{input: `<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click</a>`, expVal: `Click`},
+		{input: `<a href="data:text/html,<script>alert(1)</script>">XSS</a>`, expVal: `XSS`},
+		{input: `<img src="data:text/html;base64,abc">`, expVal: ``},
+
+		// Data URIs: SVG must be stripped (can contain embedded JavaScript)
+		{input: `<img src="data:image/svg+xml;base64,abc">`, expVal: ``},
 	}
 	for _, test := range tests {
 		t.Run(test.input, func(t *testing.T) {
--- a/internal/route/lfs/basic.go
+++ b/internal/route/lfs/basic.go
@@ -91,7 +91,7 @@ func (h *basicHandler) serveUpload(c *macaron.Context, repo *database.Repository
 	s := h.DefaultStorager()
 	written, err := s.Upload(oid, c.Req.Request.Body)
 	if err != nil {
-		if err == lfsutil.ErrInvalidOID {
+		if err == lfsutil.ErrInvalidOID || err == lfsutil.ErrOIDMismatch {
 			responseJSON(c.Resp, http.StatusBadRequest, responseError{
 				Message: err.Error(),
 			})
@@ -105,8 +105,8 @@ func (h *basicHandler) serveUpload(c *macaron.Context, repo *database.Repository
 	err = h.store.CreateLFSObject(c.Req.Context(), repo.ID, oid, written, s.Storage())
 	if err != nil {
 		// NOTE: It is OK to leave the file when the whole operation failed
-		// with a DB error, a retry on client side can safely overwrite the
-		// same file as OID is seen as unique to every file.
+		// with a DB error, a retry on client side will skip the upload as
+		// the file already exists on disk.
 		internalServerError(c.Resp)
 		log.Error("Failed to create object [repo_id: %d, oid: %s]: %v", repo.ID, oid, err)
 		return
--- a/internal/route/lfs/route.go
+++ b/internal/route/lfs/route.go
@@ -30,7 +30,7 @@ func RegisterRoutes(r *macaron.Router) {
 				store:          store,
 				defaultStorage: lfsutil.Storage(conf.LFS.Storage),
 				storagers: map[lfsutil.Storage]lfsutil.Storager{
-					lfsutil.StorageLocal: &lfsutil.LocalStorage{Root: conf.LFS.ObjectsPath},
+					lfsutil.StorageLocal: &lfsutil.LocalStorage{Root: conf.LFS.ObjectsPath, TempDir: conf.LFS.ObjectsTempPath},
 				},
 			}
 			r.Combo("/:oid", verifyOID()).
--- a/internal/route/repo/view.go
+++ b/internal/route/repo/view.go
@@ -181,7 +181,7 @@ func renderFile(c *context.Context, entry *git.TreeEntry, treeLink, rawLink stri

 			output.Reset()
 			for i := 0; i < len(lines); i++ {
-				output.WriteString(fmt.Sprintf(`<span id="L%d">%d</span>`, i+1, i+1))
+				fmt.Fprintf(&output, `<span id="L%d">%d</span>`, i+1, i+1)
 			}
 			c.Data["LineNums"] = gotemplate.HTML(output.String())
 		}
--- a/public/js/gogs.js
+++ b/public/js/gogs.js
@@ -240,29 +240,19 @@ function initCommentForm() {
      }
      switch (input_id) {
        case "#milestone_id":
-          $list
-            .find(".selected")
-            .html(
-              '<a class="item" href=' +
-                $(this).data("href") +
-                ">" +
-                $(this).text() +
-                "</a>"
-            );
+          var $milestoneAnchor = $('<a class="item"></a>');
+          $milestoneAnchor.attr("href", $(this).data("href"));
+          $milestoneAnchor.text($(this).text());
+          $list.find(".selected").empty().append($milestoneAnchor);
          break;
        case "#assignee_id":
-          $list
-            .find(".selected")
-            .html(
-              '<a class="item" href=' +
-                $(this).data("href") +
-                ">" +
-                '<img class="ui avatar image" src=' +
-                $(this).data("avatar") +
-                ">" +
-                $(this).text() +
-                "</a>"
-            );
+          var $assigneeAnchor = $('<a class="item"></a>');
+          $assigneeAnchor.attr("href", $(this).data("href"));
+          $assigneeAnchor.append(
+            $('<img class="ui avatar image">').attr("src", $(this).data("avatar"))
+          );
+          $assigneeAnchor.append($("<span></span>").text($(this).text()));
+          $list.find(".selected").empty().append($assigneeAnchor);
      }
      $(".ui" + select_id + ".list .no-select").addClass("hide");
      $(input_id).val($(this).data("id"));
--- a/templates/repo/branches/all.tmpl
+++ b/templates/repo/branches/all.tmpl
@@ -14,7 +14,7 @@
 					<div class="ui eleven wide column">
 						{{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a>
 						{{$timeSince := TimeSince .Commit.Committer.When $.Lang}}
-						<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span>
+						<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span>
 					</div>
 					<div class="ui four wide column">
 						{{if and (and (eq $.BranchName .Name) $.IsRepositoryAdmin) (not $.Repository.IsMirror)}}
--- a/templates/repo/branches/overview.tmpl
+++ b/templates/repo/branches/overview.tmpl
@@ -13,7 +13,7 @@
 				<div class="ui eleven wide column">
 					{{if .DefaultBranch.IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .DefaultBranch.Name}}"><code>{{.DefaultBranch.Name}}</code></a>
 					{{$timeSince := TimeSince .DefaultBranch.Commit.Committer.When $.Lang}}
-					<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .DefaultBranch.Commit.Committer.Name | Safe}}</span>
+					<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .DefaultBranch.Commit.Committer.Name) | Safe}}</span>
 				</div>
 				{{if and $.IsRepositoryAdmin (not $.Repository.IsMirror)}}
 					<div class="ui four wide column">
@@ -33,7 +33,7 @@
 						<div class="ui eleven wide column">
 							{{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a>
 							{{$timeSince := TimeSince .Commit.Committer.When $.Lang}}
-							<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span>
+							<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span>
 						</div>
 						{{if and $.IsRepositoryWriter $.AllowPullRequest}}
 							<div class="ui four wide column">
@@ -55,7 +55,7 @@
 						<div class="ui eleven wide column">
 							{{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a>
 							{{$timeSince := TimeSince .Commit.Committer.When $.Lang}}
-							<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span>
+							<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span>
 						</div>
 						{{if and $.IsRepositoryWriter $.AllowPullRequest}}
 							<div class="ui four wide column">
--- a/templates/repo/wiki/view.tmpl
+++ b/templates/repo/wiki/view.tmpl
@@ -58,7 +58,7 @@
 			{{end}}
 			<div class="ui sub header">
 				{{$timeSince := TimeSince .Author.When $.Lang}}
-				{{.i18n.Tr "repo.wiki.last_commit_info" .Author.Name $timeSince | Safe}}
+				{{.i18n.Tr "repo.wiki.last_commit_info" (Sanitize .Author.Name) $timeSince | Safe}}
 			</div>
 		</div>
 		<div class="markdown has-emoji">
Author	SHA1	Message	Date
Joe Chen	5dcb6c64bd	release: update version to 0.14.2 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-18 19:23:48 -05:00
JSS	b4bdb270d1	Fix git reset --end-of-options error on file upload and edit (#8184 )	2026-02-18 19:13:57 -05:00
ᴊᴏᴇ ᴄʜᴇɴ	0120bf0c86	js: use safe DOM construction for milestone and assignee selection (#8178 ) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-18 19:12:35 -05:00
ᴊᴏᴇ ᴄʜᴇɴ	094b632182	context: reject access tokens passed via URL query parameters (#8177 )	2026-02-18 19:12:23 -05:00
ᴊᴏᴇ ᴄʜᴇɴ	a5c2cc0c6e	template: escape untrusted names in locale strings piped through Safe (#8176 ) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-02-18 19:11:55 -05:00
ᴊᴏᴇ ᴄʜᴇɴ	41b186cbfd	database: use safe git-module API for tag deletion (#8175 ) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-02-18 19:11:43 -05:00
ᴊᴏᴇ ᴄʜᴇɴ	51cf4cbe7e	markup: restrict data URI scheme to safe image MIME types (#8174 ) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-18 19:10:56 -05:00
ᴊᴏᴇ ᴄʜᴇɴ	5e6014c421	lfs: verify content hash and prevent object overwrite (#8166 ) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>	2026-02-18 19:10:41 -05:00
Joe Chen	f5c8030c1f	Fix up tests	2026-01-31 22:28:11 -05:00
Joe Chen	8c5c0125c4	release: update version to 0.14.1	2026-01-31 22:23:40 -05:00
ᴊᴏᴇ ᴄʜᴇɴ	3f03530042	fix(ssh): git clone via built-in SSH server hangs (#8135 ) Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-31 22:22:03 -05:00
Joe Chen	36c26c4ccc	Update version to 0.14.0	2026-01-31 16:32:58 -05:00