Vulnerability: GO-2025-3533
Improper Handling of Highly Compressed Data (Data Amplification) in
github.com/getkin/kin-openapi/openapi3filter
More info: https://pkg.go.dev/vuln/GO-2025-3533
Module: github.com/getkin/kin-openapi
Found in: github.com/getkin/kin-openapi@v0.88.0
Fixed in: github.com/getkin/kin-openapi@v0.131.0
Example traces found:
#1: cmd/flamenco-manager/webservice.go:193:17: flamenco.runWebService calls echo.Echo.Start, which eventually calls openapi3filter.ValidateRequest
Add a script `debug-worker-add.sh` which allows additions of mock
workers to Flamenco. It is useful for testing the UI for larger lists of
worker items.
It assists the development of multi-selection for workers #104395
Reviewed-on: https://projects.blender.org/studio/flamenco/pulls/104394
Small documentation issue I ran into while writing a custom job type
The exec command takes an `exe` parameter, similar to other commands,
but the documentation wrongly indicates the parameter should be `exec`.
Reviewed-on: https://projects.blender.org/studio/flamenco/pulls/104396
Add the following features:
- `Ctrl + Click` / `Cmd + Click` to toggle selection of additional
tasks.
- `Shift + Click` to select a range of additional tasks.
- Ability to perform `Cancel` and `Requeue` actions on multiple tasks
concurrently.
- Notifications on how many tasks successfully/failed to have an
action performed.
Tabulator has selectable rows built-in and provides a function that
can return an array of all selected rows. However, tabulator's default
behavior for multi-selection does not reset to a single task after
each regular click. Therefore, I built a custom multi-select using the
tabulator API, introducing `Shift + click` and `Ctrl + click` and
matching their behaviors as they work in most file explorers,
including Blender's.
In addition to manipulating the Tabulator's row selection, the state
of selected Tasks is also needs to be copied to Pinia stores. This
stores will allow us to access selected Tasks from any component and
make API calls on them.
Ref: #99396
Reviewed-on: https://projects.blender.org/studio/flamenco/pulls/104386
Reviewed-by: Sybren A. Stüvel <sybren@blender.org>
Updates Tabulator package from 5.4 to 6.3
The relevant breaking change is the change of the `selectable` variable to `selectableRows`
Reviewed-on: https://projects.blender.org/studio/flamenco/pulls/104390
Reviewed-by: Sybren A. Stüvel <sybren@blender.org>
When a Worker is soft-deleted, references to it are not cleaned up by
the database (that only happens when it is really deleted). As a result,
the "last-assigned worker of a task" field is still set, but the worker
itself cannot be fetched any more.
This is just a quick fix to avoid an error. It's probably better to
remove the soft-deletion of Workers, as the feature is not really used
anyway. Or to implement it properly, so that the info is used.
Add a utility command `cmd/task-poker` that takes a job ID and changes the
status of a random task every second.
This is a development utility, to help work on the Manager's web interface
and deal with constantly-updating tasks.
Add `/devstart` as an alias to `/development/getting-started/` page. This
is to be able to use a shorter link in the documentation I'm writing for
my hands-on class at SIGGRAPH 2025.
Adjust the padding for the task name column, by setting a minimum
width.
This makes the task name column wide enough to go into the 10k-99k
frame numbers.
Reviewed-on: https://projects.blender.org/studio/flamenco/pulls/104379
Reviewed-by: Sybren A. Stüvel <sybren@blender.org>
Allow CORS requests from `http://localhost:<port>`. Some webbrowsers
(like Safari) are picky about hostname vs. IP addresses, and this
makes them work well with the webapp development server.
Reviewed-on: https://projects.blender.org/studio/flamenco/pulls/104385
Reviewed-by: Sybren A. Stüvel <sybren@blender.org>
Remove the `linkTitle: GSoC` from the GSoC page front matter. It is not
used for the links in the navigation tree, which is why I put it there
to begin with.
Instead of just showing "macOS", now show the name as declared by the
OS itself, the version, and the kernel/build version.
Reviewed-on: https://projects.blender.org/studio/flamenco/pulls/104361
Reviewed-by: Sybren A. Stüvel <sybren@blender.org>
Add two new mage commands:
- `mage format`: run `gofmt` on all the Go sources.
- `mage formatCheck`: run the formatter to check formatting issues. This
will output the diff to make the code format-compliant.
These commands are also available via `make format` resp. `make
format-check`.
The `else` block does contain a comment to explain what situation we're
in when the `if` condition is false. I like that construct, but
golangci-lint did not.
No functional changes.
Explicitly ignore an error when requesting the Manager to shut down.
This was already ignored implicitly, but now it's explicit to make
linters happy.
No functional changes.
Log an error when a database transaction rollback fails. I wouldn't know
how to test, because usually stuff Just Works, but it's good to have
this logged anyway.
When the `blender` variable has no value, Flamenco will not be able to
run Blender, which is worth emitting a warning about early on.
This required a bit of a reshuffle of the configuration loading logic, to
avoid loading things twice (and thus warning twice).
Fixes part of #104366
When a Worker would sign off while working on a task, and that task's
job would be in `pause-requested` state, it would always re-queue the
task. This in turn would not get detected, which caused the job to get
stuck.
Now tasks correctly go to `paused` when a Worker signs off, and
subsequently the job will be re-checked and go to `paused` when possible
as well.
Note that this does not handle already-stuck jobs. That'll be for the
following commit.
Fix a `nil` dereference caused by an extra check on `err`.
Co-authored-by: Nitin Rawat <shvmnrwt@gmail.com>
Reviewed-on: https://projects.blender.org/studio/flamenco/pulls/104353
Reviewed-by: Sybren A. Stüvel <sybren@blender.org>
