- update to 9.0.2:
* it was possible to use a token sent via email for secondary email validation
to reset the password instead. In other words, a token sent for a given
action (registration, password reset or secondary email validation) could
be used to perform a different action.
* a fork of a public repository would show in the list of forks, even if its
owner was not a public user or organization.
* the members of an organization team with read access to a repository (e.g.
to read issues) but no read access to the code could read the RSS or atom
feeds which include the commit activity. Reading the RSS or atom feeds is
now denied unless the team has read permissions on the code.
* the tokens used when replying by email to issues or pull requests were
weaker than the rfc2104 recommendations.
* a registered user could modify the update frequency of any push mirror.
* it was possible to use basic authorization (i.e. user:password) for requests
to the API even when security keys were enrolled for a user.
* some markup sanitation rules were not as strong as they could be.
* when Forgejo is configured to enable instance wide search (e.g. with bleve),
results found in the repositories of private or limited users were displayed
to anonymous visitors.
* fix: handle renamed dependency for cargo registry.
* support www.github.com for migrations.
* move forgot_password-link to fix login tab order.
* code owners will not be mentioned when a pull request comes from a forked
repository.
* labels are missing in the pull request payload removing a label.
* in a Forgejo Actions workflow, the unlabeled event type for pull requests
was incorrectly mapped to the labeled event type.
* when a Forgejo Actions issue or pull request workflow is triggered by an
labeled or unlabeled event type, it misses information about the label added (forwarded request 1224536 from rrahl0)