From 4313bd2dc5322b22ed222372bb0aa3e2a246d7a4 Mon Sep 17 00:00:00 2001 From: Sahitya Chandra Date: Mon, 20 Apr 2026 21:52:52 +0530 Subject: [PATCH 1/4] fix(security): upgrade protobufjs to 7.5.5 to fix critical CVE (#28941) Pins protobufjs to 7.5.5 via resolutions to patch GHSA-xq3m-2v4x-88gg (arbitrary code execution, <7.5.5). The vulnerable 7.4.0 was pulled in transitively through @opentelemetry/otlp-transformer, causing the Security Audit CI job to fail on all PRs. --- package.json | 1 + yarn.lock | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index 5d4f98066ed5d7..746985df394741 100644 --- a/package.json +++ b/package.json @@ -145,6 +145,7 @@ "form-data": "4.0.4", "axios": "1.15.0", "follow-redirects": "1.16.0", + "protobufjs": "7.5.5", "jws": "4.0.1", "jsonwebtoken": "9.0.0", "sha.js": "2.4.12", diff --git a/yarn.lock b/yarn.lock index 9d74108805fb3f..9e32fd238b1dce 100644 --- a/yarn.lock +++ b/yarn.lock @@ -34681,9 +34681,9 @@ __metadata: languageName: node linkType: hard -"protobufjs@npm:^7.2.5, protobufjs@npm:^7.3.0": - version: 7.4.0 - resolution: "protobufjs@npm:7.4.0" +"protobufjs@npm:7.5.5": + version: 7.5.5 + resolution: "protobufjs@npm:7.5.5" dependencies: "@protobufjs/aspromise": "npm:^1.1.2" "@protobufjs/base64": "npm:^1.1.2" @@ -34697,7 +34697,7 @@ __metadata: "@protobufjs/utf8": "npm:^1.1.0" "@types/node": "npm:>=13.7.0" long: "npm:^5.0.0" - checksum: 10/408423506610f70858d7593632f4a6aa4f05796c90fd632be9b9252457c795acc71aa6d3b54bb7f48a890141728fee4ca3906723ccea6c202ad71f21b3879b8b + checksum: 10/048898023a38d22f5fc9a1bcf0dcce5cfbcd37fb00753bd72283720eee7e2cb6055b23957542e5bcdc136379af66203a2ddb8d8c39d11f73169bacf07885fedd languageName: node linkType: hard From 88859e4e316ea0a1349cc3a1c4f57c6028ab437b Mon Sep 17 00:00:00 2001 
From: Anirban Singha <143536290+SinghaAnirban005@users.noreply.github.com> Date: Mon, 20 Apr 2026 21:57:18 +0530 Subject: [PATCH 2/4] fix: add deterministic tiebreaker to RR host selection algorithm (#28783) * fix: add deterministic tiebreaker to RR host selection algorithm * chore: cleanup comments * Update packages/features/bookings/lib/getLuckyUser.integration-test.ts Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com> --------- Co-authored-by: Sahitya Chandra Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com> --- .../bookings/lib/getLuckyUser.integration-test.ts | 8 +++++--- packages/features/bookings/lib/getLuckyUser.ts | 3 ++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/packages/features/bookings/lib/getLuckyUser.integration-test.ts b/packages/features/bookings/lib/getLuckyUser.integration-test.ts index fcdcb03905837f..3571d0be00b622 100644 --- a/packages/features/bookings/lib/getLuckyUser.integration-test.ts +++ b/packages/features/bookings/lib/getLuckyUser.integration-test.ts @@ -441,7 +441,7 @@ describe("getOrderedListOfLuckyUsers Integration tests", () => { vi.setSystemTime("2024-11-14T00:00:13Z"); }); - it("should sort as per availableUsers if no other criteria like weight/priority/calibration (TODO: make it independent of availableUsers order)", async () => { + it("should sort by user id if no other criteria like weight/priority/calibration", async () => { const [host1, host2, host3] = await Promise.all([ createHostWithBookings({ user: { email: "test-user1@example.com" }, 
@@ -475,7 +475,9 @@ describe("getOrderedListOfLuckyUsers Integration tests", () => { routingFormResponse: null, }); - expectLuckyUsers(luckyUsers, [user2, user1, user3]); + const expectedOrder = [user1, user2, user3].sort((a, b) => a.id - b.id) + + expectLuckyUsers(luckyUsers, expectedOrder); const { users: luckyUsers2 } = await luckyUserService.getOrderedListOfLuckyUsers({ availableUsers: [user3, user1, user2], @@ -487,7 +489,7 @@ describe("getOrderedListOfLuckyUsers Integration tests", () => { allRRHosts: [], routingFormResponse: null, }); - expectLuckyUsers(luckyUsers2, [user3, user1, user2]); + expectLuckyUsers(luckyUsers2, expectedOrder); }); describe("should sort as per weights", () => { diff --git a/packages/features/bookings/lib/getLuckyUser.ts b/packages/features/bookings/lib/getLuckyUser.ts index 93ac0baf6dc310..42e568c852e201 100644 --- a/packages/features/bookings/lib/getLuckyUser.ts +++ b/packages/features/bookings/lib/getLuckyUser.ts @@ -170,6 +170,7 @@ export class LuckyUserService implements ILuckyUserService { availableUsers, bookingsOfAvailableUsers, organizersWithLastCreated, + eventType, }: GetLuckyUserParams & { bookingsOfAvailableUsers: PartialBooking[]; organizersWithLastCreated: { id: number; bookings: { createdAt: Date }[] }[]; @@ -216,7 +217,7 @@ export class LuckyUserService implements ILuckyUserService { const leastRecentlyBookedUser = availableUsers.sort((a, b) => { if (userIdAndAtCreatedPair[a.id] > userIdAndAtCreatedPair[b.id]) return 1; else if (userIdAndAtCreatedPair[a.id] < userIdAndAtCreatedPair[b.id]) return -1; - else return 0; + else return eventType.isRRWeightsEnabled ? 0 : a.id - b.id; })[0]; return leastRecentlyBookedUser; From 810ad0edb8fca43f57a8b2796ed9209c22b9f901 Mon Sep 17 00:00:00 2001 
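Review bot: The added line `const expectedOrder = [user1, user2, user3].sort((a, b) => a.id - b.id)` in the `@@ -475,7 +475,9 @@` hunk has no terminating semicolon, unlike the statements around it. As far as the hunk shows, both assertions cover only the case without weights, so a tie with `isRRWeightsEnabled` set is not pinned by this test, even though the same patch gives that case a different comparator result. A companion case for it would keep the two modes from drifting apart unnoticed. The `it(...)` body starts and ends outside the hunk.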
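Review bot: The new tiebreaker in `getLuckyUser.ts`, `else return eventType.isRRWeightsEnabled ? 0 : a.id - b.id;`, still returns 0 when weights are enabled, so for those event types users with equal timestamps keep whatever order `availableUsers` arrived in, and nothing on the line says why. If that is deliberate, record it next to the ternary, for example `// tie: fall back to user id; with RR weights enabled the incoming order is kept on purpose`. If it is not, returning `a.id - b.id` unconditionally makes the result independent of input order in both modes. Note also that `availableUsers.sort(...)` on the context line sorts the caller's array in place; whether any caller depends on that is not visible here. The enclosing method starts and ends outside the hunk.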
From: Bandhan Majumder <133476557+bandhan-majumder@users.noreply.github.com> Date: Mon, 20 Apr 2026 21:59:41 +0530 Subject: [PATCH 3/4] fix: set event type description correctly in the confirmation mail (#28827) --- packages/trpc/server/routers/viewer/bookings/confirm.handler.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/trpc/server/routers/viewer/bookings/confirm.handler.ts b/packages/trpc/server/routers/viewer/bookings/confirm.handler.ts index b33c42536c0617..32ffc1b6d886ce 100644 --- a/packages/trpc/server/routers/viewer/bookings/confirm.handler.ts +++ b/packages/trpc/server/routers/viewer/bookings/confirm.handler.ts @@ -233,7 +233,7 @@ export const confirmHandler = async ({ ctx, input }: ConfirmOptions) => { const evt: CalendarEvent = { type: booking?.eventType?.slug as string, title: booking.title, - description: booking.description, + description: booking.eventType?.description ?? null, bookerUrl, // TODO: Remove the usage of `bookingFields` in computing responses. We can do that by storing `label` with the response. Also, this would allow us to correctly show the label for a field even after the Event Type has been deleted. ...getCalEventResponses({ From e9c6d0ee462d974740e71f5355cd36b72594352c Mon Sep 17 00:00:00 2001 From: Akash Moradiya <64416825+akash3444@users.noreply.github.com> Date: Mon, 20 Apr 2026 22:17:46 +0530 Subject: [PATCH 4/4] fix: vertically center scroll arrows in All Apps category tab (#28937) Co-authored-by: akash-moradiya Co-authored-by: Romit <85230081+romitg2@users.noreply.github.com> Co-authored-by: Sahitya Chandra --- apps/web/modules/apps/components/AllApps.tsx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/web/modules/apps/components/AllApps.tsx b/apps/web/modules/apps/components/AllApps.tsx index 206805ca478693..298ac443413366 100644 --- a/apps/web/modules/apps/components/AllApps.tsx +++ b/apps/web/modules/apps/components/AllApps.tsx 
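Review bot: With `description: booking.eventType?.description ?? null`, a booking whose `eventType` is absent now produces a null description in the confirmation event, where the removed line still carried a value from the booking itself. The TODO two lines below mentions event types being deleted, so that case looks reachable. If dropping the text in that case is intended, say so on the line, for example `// event-type description; null when the event type no longer exists`. The context line above casts `booking?.eventType?.slug as string`, which hides the same missing-event-type case from the type checker and would be worth guarding in the same place. The body of `confirmHandler` continues outside the hunk.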
@@ -89,10 +89,10 @@ function CategoryTab({ selectedCategory, categories, searchText, onCategoryChang {leftVisible && ( )}
    {rightVisible && (