forgejo/release-notes-published/9.0.1.md

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5719) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5724)): <!--number 5724 --><!--line 0 --><!--description Rm9yZ2VqbyBnZW5lcmF0ZXMgYSB0b2tlbiB3aGljaCBpcyB1c2VkIHRvIGF1dGhlbnRpY2F0ZSB3ZWIgZW5kcG9pbnRzIHRoYXQgYXJlIG9ubHkgbWVhbnQgdG8gYmUgdXNlZCBpbnRlcm5hbGx5LCBmb3IgaW5zdGFuY2Ugd2hlbiB0aGUgU1NIIGRhZW1vbiBpcyB1c2VkIHRvIHB1c2ggYSBjb21taXQgd2l0aCBHaXQuIFRoZSB2ZXJpZmljYXRpb24gb2YgdGhpcyB0b2tlbiB3YXMgbm90IGRvbmUgaW4gY29uc3RhbnQgdGltZSBhbmQgd2FzIHN1c2NlcHRpYmxlIHRvIFt0aW1pbmcgYXR0YWNrc10oaHR0cHM6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvVGltaW5nX2F0dGFjaykuIEEgcHJlLWNvbmRpdGlvbiBmb3Igc3VjaCBhbiBhdHRhY2sgaXMgdGhlIHByZWNpc2UgbWVhc3VyZW1lbnRzIG9mIHRoZSB0aW1lIGZvciBlYWNoIG9wZXJhdGlvbi4gU2luY2UgaXQgcmVxdWlyZXMgb2JzZXJ2aW5nIHRoZSB0aW1pbmcgb2YgbmV0d29yayBvcGVyYXRpb25zLCB0aGUgaXNzdWUgaXMgbWl0aWdhdGVkIHdoZW4gYSBGb3JnZWpvIGluc3RhbmNlIGlzIGFjY2Vzc2VkIG92ZXIgdGhlIGludGVybmV0IGJlY2F1c2UgdGhlIElTUCBpbnRyb2R1Y2UgdW5wcmVkaWN0YWJsZSByYW5kb20gZGVsYXlzLg==-->Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5718) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5721)): <!--number 5721 --><!--line 0 --><!--description QmVjYXVzZSBvZiBhIG1pc3NpbmcgcGVybWlzc2lvbiBjaGVjaywgdGhlIGJyYW5jaCB1c2VkIHRvIHByb3Bvc2UgYSBwdWxsIHJlcXVlc3QgdG8gYSByZXBvc2l0b3J5IGNhbiBhbHdheXMgYmUgZGVsZXRlZCBieSB0aGUgdXNlciBwZXJmb3JtaW5nIHRoZSBtZXJnZS4gSXQgd2FzIGZpeGVkIHNvIHRoYXQgc3VjaCBhIGRlbGV0aW9uIGlzIG9ubHkgYWxsb3dlZCBpZiB0aGUgdXNlciBwZXJmb3JtaW5nIHRoZSBtZXJnZSBoYXMgd3JpdGUgcGVybWlzc2lvbiB0byB0aGUgcmVwb3NpdG9yeSBmcm9tIHdoaWNoIHRoZSBwdWxsIHJlcXVlc3Qgd2FzIG1hZGUu-->Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.<!--description-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5439) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5708)): <!--number 5708 --><!--line 0 --><!--description Rml4IGJvb2xlYW4gaW5wdXRzIGluIHdvcmtmbG93X2Rpc3BhdGNo-->Fix boolean inputs in workflow_dispatch<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5634) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5636)): <!--number 5636 --><!--line 0 --><!--description cGFja2FnZSBhcmNoICBkYXRhYmFzZSBub3QgdXBkYXRpbmcgd2hlbiB1cGxvYWRpbmcgImFueSIgYXJjaGl0ZWN0dXJl-->package arch  database not updating when uploading "any" architecture<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5627) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5631)): <!--number 5631 --><!--line 0 --><!--description Y29ycmVjdCBTUUwgcXVlcnkgZm9yIGFjdGl2ZSBpc3N1ZXM=-->correct SQL query for active issues<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5626) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5629)): <!--number 5629 --><!--line 0 --><!--description c3BlY2lmeSBkZWZhdWx0IHZhbHVlIGZvciBgRVhQTE9SRV9ERUZBVUxUX1NPUlRgLg==-->specify default value for `EXPLORE_DEFAULT_SORT`.<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5613) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5624)): <!--number 5624 --><!--line 0 --><!--description Zml4OiBBZGQgYHJlY2VudHVwZGF0ZWRgIGFzIHJlY29nbml6ZWQgc29ydCBvcHRpb24=-->fix: Add `recentupdated` as recognized sort option<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5616): <!--number 5616 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWVybWFpZCB0byB2MTEuMy4wICh2OS4wL2Zvcmdlam8p-->Update dependency mermaid to v11.3.0 (v9.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5587) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5588)): <!--number 5588 --><!--line 0 --><!--description RG9ja2VyZmlsZTogdXNlIGFscGluZTozLjIwIGluc3RlYWQgb2YgZ29sYW5nOjEuMjMtYWxwaW5lMy4yMA==-->Dockerfile: use alpine:3.20 instead of golang:1.23-alpine3.20<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5585) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5586)): <!--number 5586 --><!--line 0 --><!--description RG9ja2VyZmlsZTogdW5uZWNlc3NhcnkgY29udGFpbmVyIGltYWdlIGxheWVyIGR1cGxpY2F0aW9u-->Dockerfile: unnecessary container image layer duplication<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5647): <!--number 5647 --><!--line 0 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC8xOTEzMzk5ZDgxNzY5NDRmMTcwZDRmMWMwMzJkYzM3MDAzYWFhZmMwKSBBbHdheXMgdXBkYXRlIGV4cGlyYXRpb24gdGltZSB3aGVuIGNyZWF0aW5nIGFuIGFydGlmYWN0-->[commit](https://codeberg.org/forgejo/forgejo/commit/1913399d8176944f170d4f1c032dc37003aaafc0) Always update expiration time when creating an artifact<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5647): <!--number 5647 --><!--line 1 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC80ZmUzMTFlN2MwMjkyZTNhYzc5ZjhiYzA2M2YxYmNhY2VmNDQ5NGYwKSBVcGRhdGUgc2NoZWR1bGVkIHRhc2tzIGV2ZW4gaWYgY2hhbmdlcyBhcmUgcHVzaGVkIGJ5ICJBY3Rpb25zVXNlciI=-->[commit](https://codeberg.org/forgejo/forgejo/commit/4fe311e7c0292e3ac79f8bc063f1bcacef4494f0) Update scheduled tasks even if changes are pushed by "ActionsUser"<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5715): <!--number 5715 --><!--line 0 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC83Njg0MDJjODg0MWRiNWU4YWNjOTc5MTkxNDliYTMyOWQ1MTI0ZTE3KSBGaXggZGlzYWJsZSAyZmEgYnVn-->[commit](https://codeberg.org/forgejo/forgejo/commit/768402c8841db5e8acc97919149ba329d5124e17) Fix disable 2fa bug<!--description-->
- Localization
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5583) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5680)): <!--number 5680 --><!--line 0 --><!--description aTE4bjogdXBkYXRlIG9mIHRyYW5zbGF0aW9ucyBmcm9tIENvZGViZXJnIFRyYW5zbGF0ZQ==-->i18n: update of translations from Codeberg Translate<!--description-->
- Included for completeness but not worth a release note
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5702) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5710)): <!--number 5710 --><!--line 0 --><!--description Zml4OiB1c2UgYnVmZmVyZWQgaXRlcmF0ZSBmb3IgZGViaWFuIHNlYXJjaHBhY2thZ2Vz-->fix: use buffered iterate for debian searchpackages<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5688) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5691)): <!--number 5691 --><!--line 0 --><!--description Zml4OiBtYWtlIGJyYW5jaCBwcm90ZWN0aW9uIHdvcmsgZm9yIG5ldyBicmFuY2hlcw==-->fix: make branch protection work for new branches<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5651) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5656)): <!--number 5656 --><!--line 0 --><!--description bGluayB0byBzZWN1cml0eSBwb2xpY3kgaW4gc2VjdXJpdHkudHh0-->link to security policy in security.txt<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5653) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5655)): <!--number 5655 --><!--line 0 --><!--description Zml4OiBkb24ndCBzaG93IHRydW5jYXRlZCBjb21tZW50cyBpbiBSU1MvQXRvbSBmZWVkcw==-->fix: don't show truncated comments in RSS/Atom feeds<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5652) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5654)): <!--number 5654 --><!--line 0 --><!--description Zml4OiB0eXBvIG9uIHJlbGVhc2VzIGZvciBzb3VyY2UgY29kZSBkb3dubG9hZHM=-->fix: typo on releases for source code downloads<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5640) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5645)): <!--number 5645 --><!--line 0 --><!--description UmV2ZXJ0ICJhZGQgZ2FwIGJldHdlZW4gYnJhbmNoIGRyb3Bkb3duIGFuZCBQUiBidXR0b24i-->Revert "add gap between branch dropdown and PR button"<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5615) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5618)): <!--number 5618 --><!--line 0 --><!--description Zml4OiBEb24ndCBkb3VibGUgZXNjYXBlIGRlbGV0ZSBicmFuY2ggdGV4dA==-->fix: Don't double escape delete branch text<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5595) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5596)): <!--number 5596 --><!--line 0 --><!--description Zml4OiBBZGQgc2VydmVyIGxvZ2dpbmcgZm9yIE9BdXRoIHNlcnZlciBlcnJvcnM=-->fix: Add server logging for OAuth server errors<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5592) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5594)): <!--number 5594 --><!--line 0 --><!--description Zm9yZ2Vqby1jbGkgaXMgbm93IGEgc3ltbGluayBhbmQgY2Fubm90IGJlIHVzZWQgZm9yIHNhbml0eSBjaGVja3M=-->forgejo-cli is now a symlink and cannot be used for sanity checks<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5491) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5575)): <!--number 5575 --><!--line 0 --><!--description Zml4OiBjb3JyZWN0IGRvY3VtZW50YXRpb24gZm9yIG5vbiAyMDAgcmVzcG9uc2VzIGluIHN3YWdnZXI=-->fix: correct documentation for non 200 responses in swagger<!--description-->
<!--end release-notes-assistant-->