Skip to content

[pull] main from tw93:main#16

Open
pull[bot] wants to merge 165 commits into
kenzok78:mainfrom
tw93:main
Open

[pull] main from tw93:main#16
pull[bot] wants to merge 165 commits into
kenzok78:mainfrom
tw93:main

Conversation

@pull

@pull pull Bot commented Apr 22, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot locked and limited conversation to collaborators Apr 22, 2026
@pull pull Bot added the ⤵️ pull label Apr 22, 2026
tw93 and others added 13 commits April 27, 2026 20:06
LinkedIn (and any site that opens a popup via window.open or
SOAuthorization) was abort()-ing on macOS 26 with a
WKUserContentController _addScriptMessageHandler: NSException because
NewWindowResponse::Allow let WebKit clone the parent's
WKWebViewConfiguration, which already had Tauri's IPC handlers
registered.

Unify all platforms behind open_requested_window so popups get a fresh
Pake WebviewWindow with a new label, and stop reusing
features.opener().target_configuration on macOS. Reposition/resize
hints from the opener are still honored.

Also tighten panic surfaces along the way:
- show_toast logs eval errors instead of unwrap()
- get_data_dir returns Result and propagates IO errors
- check_file_or_append guards against u32 overflow in the suffix loop
- set_global_shortcut logs plugin / register failures and degrades
- set_window/build_window return Result instead of expect()
- pake.json windows[].first() yields a readable error
- top-level Tauri build failure exits cleanly instead of panicking

Split inject/component.js into inject/toast.js and inject/fullscreen.js
so the polyfill can be opted out per-app later, and update
new-window-macos.test.js to lock in the fix and prevent regressions.

Co-authored-by: Cursor <cursoragent@cursor.com>
A grab-bag of follow-ups from the project audit:

feat(icon): generate full multi-resolution Windows ICO (#1190)

ensureMultiResolutionIco re-renders user-supplied ICOs through sharp so
every Windows standard size (16/24/32/48/64/128/256) is present in the
output, and exact-size PNG frames already in the source are preserved.
Avoids the Windows shell having to downsample 256x256 to 16x16 for the
tray, which produced the blurry tray icons reported in #1190.

refactor(builders): extract env helpers from BaseBuilder

Move package-manager detection, build env, install command, Cargo
mirror toggling, and the linuxdeploy strip-error matcher into a new
bin/builders/env.ts module. BaseBuilder drops from 626 to 481 lines
and becomes pure orchestration. Tests migrate from accessing private
methods on BaseBuilder to calling the module-level functions directly.

refactor(cli): top-level error boundary with PakeError

Wrap program.action in try/catch, route user-facing failures through
a PakeError class for short messages, and only print stack traces in
debug mode. Replace the lingering process.exit(1) inside
options/index.ts with a thrown PakeError so behavior stays consistent
with the rest of the pipeline.

test: snapshot CLI options to window config contract

Extract buildWindowConfigOverrides from mergeConfig as a pure
function and snapshot it across darwin/linux/win32. Catches CLI
option drift early instead of waiting for a real build.

ci: split PR fast lane from full Tauri build

quality-and-test now runs vitest + tests/index.js --no-build on every
PR/push (about 5 minutes per OS) and only runs the full real Tauri
build on push to main or manual dispatch. Replaces the broken
hashFiles('~/.cargo/bin/cargo-hack') cache with
taiki-e/install-action so cargo-hack downloads a precompiled binary.

Plus type-gate hardening (rollup noEmitOnError: production) and Node
version doc alignment in both READMEs (>=22 recommended LTS, >=18
also works), matching package.json engines.

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@tw93 tw93 force-pushed the main branch 2 times, most recently from d9e7cfe to 5e27e5e Compare May 6, 2026 03:01
@pull pull Bot added the merge-conflict Resolve conflicts manually label May 6, 2026
tw93 and others added 30 commits June 27, 2026 15:05
#1249 (high memory) and #1263 (Cloudflare verification loop) are recurring
reports rooted in the system WebView, not Pake: WebKitWebProcess memory is
governed by WebKitGTK, and Cloudflare challenges flag the embedded webview.
Document both as known limits so the boundary is clear without re-explaining
each time.
RPM-based distros funnel through the .deb path and the bundler can abort with
SIGABRT during packaging, taking down the whole build. --no-bundle runs the
Tauri build with no packaging step and surfaces the raw executable
(<name>-binary), reusing the keep-binary location logic. Linux-only; ignored
with a warning on other platforms.

Refs #1262
Popup-mode Sign in with Apple (e.g. Yelp, Upwork) ends on a blank window on
macOS because Pake navigates auth URLs in the current window to avoid a WebKit
crash, which breaks the popup callback to the opener. Document it alongside the
existing embedded-webview sign-in limits and point users to a browser or native
app. Refs #1266
find.js is opt-in via --enable-find and installs a no-op stub when disabled, so
injecting its ~700 lines on every page load wastes parse time in the common
find-off case. Gate the injection on the flag, matching the gating already
applied to the Find menu items. Safe because the menu items (and their
window.pakeFind eval calls) only exist when the flag is on.
Normalize custom Linux PNG icons to 512x512 and use the Tauri main binary name in the generated desktop Icon field.
Only use a safe final filename segment for JS bridge and native downloads, preventing path traversal out of the Downloads directory.
The 'all window options' link in docs/faq.md and docs/faq_CN.md pointed to
cli-usage.md#window-options / cli-usage_CN.md#窗口选项, but neither anchor
exists (there is no 'window-options' heading). Point both at the existing
#width section, which is the relevant window-sizing option for the
'App Window is Too Small/Large' FAQ entry.
In src-tauri/src/inject/style.js the selector `#Main > div.box:nth-child(8)
> div` was missing its trailing comma, so it merged with the next line into
a single descendant selector `#Main > div.box:nth-child(8) > div #Wrapper >
div.sep20`. Since #Main and #Wrapper are sibling containers, that compound
selector matches nothing, leaving both the intended element and the
`#Wrapper > div.sep20` ad separator visible. Restore the comma so each is
hidden independently.
The 'Linux: AppImage Opens but Buttons or Keyboard Do Not Work on Wayland'
section exists in both docs/faq.md and docs/faq_CN.md but was missing from
each file's Build Issues table of contents, so readers scanning the TOC could
not jump to it. Add the entry in both languages with the correct GitHub
heading anchors.
bin/utils/url.ts had no dedicated test file; getDomain, appendProtocol, and
normalizeUrl were untested (only safeDomainsToRegex is covered, via
safe-domains.test.ts). Add tests/unit/url.test.ts characterizing the SLD
extraction (incl. multi-part public suffixes and single-label hosts), the
add-https behavior of appendProtocol (including the WHATWG host:port quirk),
and normalizeUrl, covering its previously-untested throw branch.
The --zoom argParser used Number.isFinite, so a fractional in-range value
like 99.5 passed validation and was forwarded verbatim to pake.json. The
Rust WindowConfig declares zoom as u32, and serde_json refuses to
deserialize a non-integer float into u32, producing a config the packaged
app cannot load. Switch the guard to Number.isInteger (which also rejects
NaN/Infinity) and clarify the error message accordingly.
combineFiles wrapped each injected .js file as
"...=> { " + content + " });" on a single logical line. If the injected
file ends in a line comment (e.g. a //# sourceMappingURL=... pragma) with no
trailing newline, the appended ` });` lands on the commented line and is
swallowed, leaving the arrow function and its call unterminated and breaking
every later injected script. Put the closing `});` on its own line, mirroring
the existing .css branch. Adds tests/unit/combine.test.ts covering the
regression plus CSS/JS wrapping and the return value.
The --camera and --microphone options are fully wired (cli-program.ts,
types.ts, defaults.ts, and merge.ts, which writes the corresponding macOS
entitlements) but were missing from the complete CLI reference in
docs/cli-usage.md and docs/cli-usage_CN.md. AGENTS.md requires every CLI
parameter to be documented there. Add detailed sections for both, mirroring
the existing macOS-only [install] entry.
mergeLinuxConfig validated options.targets by checking whether the whole
comma-separated string was a member of a single-token allow-list. The
distro-aware default is multi-valued ('deb,appimage' on Debian/Ubuntu,
'rpm,appimage' on RPM distros), so it never matched and every default Linux
build printed a misleading "The target must be one of ..., the default 'deb'
will be used" warning while silently leaving bundle.targets at the config
default.

Extract a pure resolveLinuxBundleTargets() helper (mirroring the existing
exported-for-testing pattern), validate the parsed target list via the
already-tested filterLinuxTargets, and only warn when no known target is
present. Actual built formats are still driven by the LinuxBuilder
--bundles loop, so build output is unchanged; the Debian default resolves to
the same ['deb','appimage'] already in tauri.linux.conf.json. Adds unit
tests for the helper.
In getFileName the inner check 'if (this.buildArch === "arm64" && ...)' sat
inside the else of 'if (this.buildArch === "arm64")', so this.buildArch is
provably never 'arm64' at that point and the branch (and its 'aarch64'
assignment) can never run. Remove it and flatten the nested else into an
else-if chain; the arm64 -> aarch64 mapping is already handled by the first
branch, so behavior is unchanged.
Single-page apps such as Plane mark in-app links with target="_blank" and
handle the click themselves in JS (preventDefault plus client-side routing).
The webview opens any unhandled target="_blank" navigation in the system
browser, so the injected link guard tried to compensate by forcing a full
window.location reload and calling stopImmediatePropagation on internal
_blank links.

That stop call defeated the page's own click handler, and the click could
still escape to the native new-window path, so opening a project or a task
peek view in Plane launched the system browser instead of navigating in
place.

For internal target="_blank" links without --new-window, retarget the
anchor to _self and let the event proceed. The webview no longer escalates
the click to a browser window, the page's own handler runs (so the SPA
navigation and peek view work), and links without a handler fall back to a
normal in-app _self navigation. External _blank links, OAuth/SSO, and
--new-window paths are unchanged.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

⤵️ pull merge-conflict Resolve conflicts manually

Projects

None yet

Development

Successfully merging this pull request may close these issues.