Merge branch 'main' into v5

Author: brendan-kellam

.github/workflows/lint.yml

@@ -0,0 +1,29 @@
+name: Lint
+
+on:
+  pull_request:
+    branches: ["main"]
+
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: "true"
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+          cache: 'yarn'
+          cache-dependency-path: '**/yarn.lock'
+
+      - name: Install
+        run: yarn install --frozen-lockfile
+
+      - name: Lint
+        run: yarn lint

AGENTS.md

@@ -1,5 +1,7 @@
 # Agents
 
+See [CLAUDE.md](./CLAUDE.md) for project-wide conventions (code style, file naming, API route handlers, auth, PR workflow, etc.). Follow it as if it were part of this file.
+
 ## Cursor Cloud specific instructions
 
 ### Overview

CHANGELOG.md

@@ -7,12 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Changed
-- Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. [#1097](https://github.com/sourcebot-dev/sourcebot/pull/1097)
-- Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. [#1109](https://github.com/sourcebot-dev/sourcebot/pull/1109)
+### Added
+- Added warning message that fires on startup when host environment contains env vars that simple-git flags as unsafe. [#1193](https://github.com/sourcebot-dev/sourcebot/pull/1193)
+- Added a loading skeleton to the latest commit info bar in the code browser. [#1195](https://github.com/sourcebot-dev/sourcebot/pull/1195)
 
 ### Fixed
 - Add missing schema changes introduced in [#1170](https://github.com/sourcebot-dev/sourcebot/pull/1170). [#1176](https://github.com/sourcebot-dev/sourcebot/pull/1176)
+- Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
+- Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
+- Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
+- Upgraded `ip-address` to `^10.2.0` to address CVE-2026-42338. [#1189](https://github.com/sourcebot-dev/sourcebot/pull/1189)
+- Upgraded `fast-xml-builder` to `^1.2.0` to address CVE-2026-44664, CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
+
+### Changed
+- Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
+- [EE] Switched symbol hover detection to use Lezer highlight tags, broadening identifier coverage. [#1194](https://github.com/sourcebot-dev/sourcebot/pull/1194)
+- Improved git history and blame performance on large repositories. [#1198](https://github.com/sourcebot-dev/sourcebot/pull/1198)
+- Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. [#1097](https://github.com/sourcebot-dev/sourcebot/pull/1097)
+- Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. [#1109](https://github.com/sourcebot-dev/sourcebot/pull/1109)
 
 ## [4.17.1] - 2026-05-04
 

CLAUDE.md

@@ -263,6 +263,89 @@ Images added to `.mdx` files in `docs/` should be wrapped in a `<Frame>` compone
 </Frame>
 ```
 
+## Fixing CVEs
+
+When fixing a CVE in a transitive dependency, prefer a real top-level upgrade over a forced `resolutions` override.
+
+1. **Trace the dependency chain to a package in your own `package.json`.** Run:
+
+   ```bash
+   yarn why <vulnerable-package> --recursive
+   ```
+
+   "Top-level" means a package **literally listed in this repo's root or workspace `package.json`** under `dependencies`, `devDependencies`, or `peerDependencies` — not just any ancestor in the chain. If the chain is `vulnerable-pkg → mid-pkg → top-pkg`, do not stop at `mid-pkg`; keep walking until you reach `top-pkg`.
+
+2. **Check whether the existing ranges already allow a patched version.** Often the lockfile is just stale: every `^x.y.z` range in the chain still admits the patched version, but `yarn.lock` was written before that version existed. In that case, refresh the lockfile entry — no `package.json` change, no `resolutions` override:
+
+   ```bash
+   yarn up <intermediate-or-vulnerable-pkg>
+   # or, to refresh many at once:
+   yarn dedupe
+   ```
+
+   This is the lightest-weight fix: it doesn't force a version, it just bumps the lock to the latest version that satisfies the constraints already in the tree. Verify with `yarn why <vulnerable-package>` afterward — if every instance is now patched, you're done.
+
+3. **If a refresh isn't enough, bump the top-level dependency** to a version whose transitive tree no longer includes the vulnerable version. This is also a real, supported upgrade. Verify the upgrade actually removes the vulnerable version with `yarn why <vulnerable-package>` after running `yarn install`.
+
+4. **Fall back to a `resolutions` override** only if neither a refresh nor a top-level bump resolves it (no compatible version exists in the existing ranges, or a top-level upgrade would require a breaking major). Use the **qualified** form keyed to the existing source range (not a bare key, which overrides every requester unnecessarily), and pin with `^`, not `>=`:
+
+   ```json
+   "resolutions": {
+       "<pkg>@npm:<existing-source-range>": "^<patched>"
+   }
+   ```
+
+   The `<existing-source-range>` is whatever range is currently requesting the vulnerable version (find it in `yarn.lock`, e.g. `^2.8.3`). Avoid the bare-key form `"<pkg>": "^x.y.z"`.
+
+### Branch naming for CVE fixes
+
+Use a **package-keyed** branch name, not a CVE-keyed one:
+
+```
+cursor/cve/<package>
+```
+
+Multiple CVEs against the same package commonly land in one upstream release, so package-keyed branches let sibling work join the same PR (see "Batching CVEs" below). Do not include the CVE ID or a Linear issue ID in the branch name.
+
+### Batching CVEs that share a package
+
+CVEs often arrive in clusters because one package release fixes several at once. Before opening a new PR, check whether a sibling PR is already addressing the same package.
+
+1. **Extract** `<package>` and `<min-patched-version>` from the Linear issue (the Dependabot-sourced body lists both — affected package and fixed version).
+
+2. **Look for a sibling PR**:
+
+   ```bash
+   gh pr list --state open --search '<package> in:title' --json number,title,headRefName
+   ```
+
+3. **Decide based on the result**:
+
+   - **Sibling PR exists and its branch already pins ≥ `<min-patched-version>`**:
+     - `gh pr checkout <number>`
+     - **Edit** the existing CHANGELOG line for this PR — append this CVE ID to the comma-separated list. Do not add a new CHANGELOG line.
+     - `gh pr edit <number>` to append the CVE ID to the title and body, and add a `Fixes <LINEAR-ID>` line to the PR body alongside any existing `Fixes` lines (this auto-links the Linear issue and Linear will mark it Done when the PR merges).
+     - Do not transition the Linear issue manually — leave it for the merge to close.
+     - **Do not open a new PR.**
+
+   - **Sibling PR exists but its pin is too low to cover this CVE**:
+     - Check out the branch.
+     - Bump the resolution / package version higher to cover both.
+     - **Edit** the existing CHANGELOG line — append this CVE and update the version. Update the PR title and body, and add `Fixes <LINEAR-ID>` to the PR body.
+     - Do not transition the Linear issue manually — leave it for the merge to close.
+
+   - **No sibling PR exists**:
+     - Create a new `cursor/cve/<package>` branch and open the PR as usual.
+
+4. **Post-flight (race-window backstop)**: After opening a new PR, re-run step 2. If a competing PR with a *lower* number appeared while you were working, close yours, push your CHANGELOG entry and Linear link onto the older PR.
+
+### CHANGELOG and PR conventions for CVE fixes
+
+- CHANGELOG entry (under `[Unreleased] → Fixed`): `Upgraded \`<pkg>\` to \`^x.y.z\` to address CVE-A, CVE-B, .... [#<PR>]`
+- **One CHANGELOG line per PR**, not per CVE. When the PR addresses multiple CVEs (batched), list all of them comma-separated on a single line.
+- PR title format: `chore: upgrade <pkg> to ^x.y.z to address CVE-A, CVE-B, ...` (list every CVE the PR resolves).
+- Keep entries short. The CVE IDs are enough.
+
 ## Branches and Pull Requests
 
 When creating a branch or opening a PR, ask the user for:

docs/api-reference/sourcebot-public.openapi.json

@@ -599,6 +599,10 @@
                   "type": "string",
                   "description": "The hash of the commit that last modified the lines in this range."
                 },
+                "path": {
+                  "type": "string",
+                  "description": "The file path as it existed at the attributing commit. May differ from the current path due to renames."
+                },
                 "startLine": {
                   "type": "integer",
                   "minimum": 0,
@@ -614,6 +618,7 @@
               },
               "required": [
                 "hash",
+                "path",
                 "startLine",
                 "lineCount"
               ]

docs/docs/configuration/idp.mdx

@@ -69,9 +69,32 @@ in the GitHub identity provider config.
 
             When asked to provide a callback url, provide `<sourcebot_url>/api/auth/callback/github` (ex. https://sourcebot.coolcorp.com/api/auth/callback/github)
 
+            <Frame>
+              <img src="/images/github_app_callback_url.png" alt="GitHub App callback URL configuration" />
+            </Frame>
+
+            Select "Request user authorization (OAuth) during installation"
+
+            <Frame>
+              <img src="/images/github_app_request_user_auth.png" alt="GitHub App request user authorization during installation" />
+            </Frame>
+
             Set the following fine-grained permissions in the GitHub App:
                 - `“Email addresses” account permissions (read)`
-                - `"Metadata" repository permissions (read)` (only needed if using permission syncing)
+
+                  <Frame>
+                    <img src="/images/github_app_perm_email.png" alt="Email addresses account permission set to Read-only" />
+                  </Frame>
+                - `"Metadata" repository permissions (read)` (only needed if using [permission syncing](/docs/features/permission-syncing))
+
+                  <Frame>
+                    <img src="/images/github_app_perm_metadata.png" alt="Metadata repository permission set to Read-only" />
+                  </Frame>
+                - `"Contents" repository permissions (read)` (only needed if using the app to [authenticate a connection](/docs/connections/github#github-app))
+
+                  <Frame>
+                    <img src="/images/github_app_perm_contents.png" alt="Contents repository permission set to Read-only" />
+                  </Frame>
         </Tab>
         <Tab title="GitHub OAuth App">
             Follow [this guide](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app) by GitHub to create an OAuth App.