chore: update changelog

[owncloud-calens-bot]

Automated changelog update via Calens. This pull request is updated on each push to master — merging it will close it and a fresh one will be opened on the next change.

[update-docs]

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

[DeepDiver1975]

Code Review — chore: update changelog

Automated changelog update from the Calens bot. Adds the #41574 subadmin email fix entry to both the Summary and Details sections of CHANGELOG.md.

Verdict: Ready to merge. Automated changelog PR — no code review required.

[DeepDiver1975]

Code Review — chore: update changelog (updated)

Automated changelog update from the Calens bot. Now includes entries for #41574 (subadmin email fix), #41597 (PHP8 messages), and #41599 (federation subdirectories). Minor: the Details section capitalises "Mydomain.com/cloud" — cosmetic only, not blocking.

Verdict: Ready to merge.

[phil-davis]

Note: when we have more CI workflows running, it might be worth investigating how to skip all the unit and acceptance test workflows for these changelog PRs.

[DeepDiver1975]

Automated changelog update via Calens — adds four new bugfix entries to CHANGELOG.md:

• htaccess RewriteBase fix for API requests blocked by file extension (#41418)
• Subadmin email change updating caller instead of target (#41574)
• PHP 8 deprecation notices in encryption storage and federation (#41597)
• Federation with subdirectory-installed servers (#41599)

All entries follow the existing format and the descriptions are accurate and well-written. No concerns — this is a pure documentation update, safe to merge.

[DeepDiver1975]

Automated Calens changelog update — same four bugfix entries as the previous revision, no new content added. Pure documentation update, safe to merge.

[DeepDiver1975]

Automated Calens changelog update — same four bugfix entries as prior revisions, no new content. Pure documentation update, safe to merge.

[DeepDiver1975]

Automated Calens changelog update — same four bugfix entries as prior revisions, no new content. Pure documentation update, safe to merge.

[DeepDiver1975]

Automated Calens changelog update — same four bugfix entries as prior revisions, no new content. Pure documentation update, safe to merge.

[DeepDiver1975]

Automated Calens changelog update. This revision adds the same four prior bugfix entries plus an expanded PHP dependency update list under "Update PHP dependencies" (#41450 et al.), including new bumps for google/apiclient-services, google/auth, guzzlehttp/guzzle, phpseclib/phpseclib, several symfony packages, and sabre/event/sabre/vobject. All entries follow the established format. Pure documentation update — safe to merge.

[DeepDiver1975]

Code Review

Automated changelog update adding 5 new bugfix entries and additional PHP dependency bumps to the next-release section.

New bugfix entries:

• #41418 — htaccess RewriteBase fix: replaces extension-based URI condition with !-f filesystem check, fixing 405 Method Not Allowed on API calls to paths ending in file extensions (e.g. /api/v1/files/photo.jpg). Well-explained entry.
• #41574 — Subadmin email change: verification token was associated with the caller instead of the target user. Clear description of the bug and fix.
• #41597 — PHP 8 compatibility: array offset on false in encryption wrapper, null to normalizeUrl in federation DbHandler.
• #41599 — Federation subdirectory support: server health checks failed when the federated server was installed at a sub-path.
• #41616 — JS test isolation: Jasmine 5 random ordering exposed shared singleton state leaks in fileactionsmenuSpec, files_sharing/appSpec, and two systemtags specs.

Dependency updates: Additional Symfony packages (console, process, routing, string, translation, translation-contracts), sabre/event, phpseclib (3.0.49 → 3.0.53), guzzle (7.11.0 → 7.11.1), google/apiclient-services (0.441.1 → 0.444.0), google/auth (1.50.1 → 1.51.0). All routine version bumps.

No issues.

[DeepDiver1975]

Code Review

Automated changelog update. Since the previous review, one new bugfix entry has been added:

• #41608 — Remove owncloud.com/federation link from federated cloud settings: explains that the "Add to your website" badge was linking to https://owncloud.com/federation# which no longer resolves after the site restructure, and that the Cloud ID is now shown directly.

The dependency update section is unchanged from the prior iteration. No issues.

[DeepDiver1975]

Code Review

Automated changelog update. Two new entries since the prior review:

• Security #41586 — Prevent user enumeration via differential password reset UI: promoted to a Security entry (previously listed as Bugfix in the last iteration). The description accurately explains the enumeration vector and the fix.
• Bugfix #41364 / #41617 — Add missing space to mail footer signature delimiter: new entry documenting the -- RFC 3676 fix, with both the issue and PR linked.

All previously reviewed entries are unchanged. No issues.

[DeepDiver1975]

Code Review

Automated changelog update. One new entry since the prior review:

• Security #41585 — Sanitize storage connection error messages returned to clients: added alongside the existing #41586 user enumeration entry, correctly categorised as Security. Description accurately describes the SSRF oracle vector and the server-side logging fix.

All previously reviewed entries are unchanged. No issues.

[DeepDiver1975]

Code Review

Overview

Automated changelog update by the calens bot. Adds 9 new entries to the unreleased section of CHANGELOG.md covering two security fixes, seven bugfixes, and expanded PHP dependency update detail.

New entries added

Security:

• #41585 — Sanitize external storage connection error messages (prevents internal network topology leak via Guzzle cURL error details)
• #41586 — Prevent user enumeration via differential password reset UI (LDAP vs non-existent user distinction)

Bugfixes:

• #41364/#41617 — Fix RFC 3676 email signature delimiter (missing trailing space)
• #41418 — Fix htaccess RewriteBase blocking API requests by file extension (RewriteCond %{REQUEST_FILENAME} !-f replacement)
• #41574 — Fix subadmin email change applying to caller instead of target user
• #41597 — PHP 8 deprecation fixes in encryption storage and federation DbHandler
• #41599 — Fix federation with servers installed in subdirectories
• #41608 — Remove defunct owncloud.com/federation link from settings
• #41616 — Fix JS test isolation bugs exposed by Jasmine 5 random ordering

Dependency updates: Expanded the #41450 entry with additional packages (firebase/php-jwt, sabre/event, multiple symfony components) and updated version ranges.

Assessment

Changelog content is accurate and well-written. Descriptions are specific and include the root cause and fix approach for each entry — well above the typical bot-generated minimum. No concerns with the content.

Routine automated PR — safe to merge whenever the release branch is ready.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This is an auto-generated changelog update from calens-bot (CHANGELOG.md only, +143/-5, 1 file). It rolls newly merged entries into the ## Summary and ## Details sections and refreshes the bundled PHP dependency version list. As auto-generated content, this is low-risk and requires no functional review. The notes below are a sanity scan only.

Code quality / style

• Formatting is consistent with the existing changelog conventions: Category - Description: [#NNNNN](link) in Summary, with matching expanded blocks in Details.
• Entries are correctly bucketed (Security / Bugfix / Change) and reference both issue and PR links where applicable (e.g. #41364 → #41617, #41623 → #41624).
• Dependency bump list is well-formed; version ranges read as plausible forward upgrades (e.g. phpseclib 3.0.49 → 3.0.55, symfony/console 7.4.7 → 7.4.13).

Specific suggestions

None — content is machine-generated and follows the established template. No manual edits warranted.

Potential issues / risks

• Nothing anomalous detected. All links point to github.com/owncloud/core; no external/suspicious URLs introduced (the one external reference, owncloud.com/federation, appears only as descriptive text in a bugfix note about removing that defunct link).
• New ## Details entries are ordered ahead of the existing Change - Update M$ Office icons block; this matches the bot's insertion behavior and the Summary ordering, so it is internally consistent.
• Two security entries (#41585 storage error sanitization, #41586 user-enumeration via reset UI) are summarized here only — their actual fixes live in their own PRs and are out of scope for this changelog PR.

Per repo policy this is an ephemeral PR (regenerated on each push to master); safe to merge as-is.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This is an auto-generated changelog update from calens-bot. It touches a single file (CHANGELOG.md, +154/-5), adding new entries to the ## Summary and ## Details sections and refreshing the "Update PHP dependencies" version list. This is low-risk automated content; the underlying changes live in their own referenced PRs. Review kept brief per that nature, with a scan for anomalies.

Code quality / style

• Formatting is consistent with the existing changelog conventions (category prefix, issue/PR link, indented detail blocks).
• Summary and Details entries are in sync — every new Summary line has a matching Details block (Security x2, Bugfix x9), which is the expected calens output.
• Dependency version bumps are appended in the existing bullet style.

Specific suggestions

• None required for the bot. One cosmetic nit (upstream, not blocking): the dependency list ordering is slightly inconsistent — symfony/deprecation-contracts now appears after symfony/translation rather than alphabetically among the other symfony/* entries. This is generated ordering and harmless.

Potential issues / risks

• No code changes; merging only updates documentation. Low risk.
• Sanity-checked the entries against their references: links are well-formed, the two Security entries (#41585 storage error sanitization, #41586 password-reset user enumeration) are described coherently, and the dependency bumps are plausible patch/minor upgrades. Nothing anomalous (no unexpected files, no injected content, no broken markdown).
• Reminder: merging this PR closes it and calens opens a fresh one on the next push to master, as noted in the PR body.

LGTM as automated changelog content.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This is a calens-bot auto-generated changelog update PR. It modifies a single file (CHANGELOG.md, +154/-5) adding Summary and Details entries for upcoming changes, and updating the "Update PHP dependencies" entry with new version bumps. This is low-risk automated content; no source code is touched.

Code quality / style

• Formatting is consistent with the existing changelog conventions (Summary block, Details block, two-space indented dependency bullets, trailing issue/PR links).
• Entry categories (Security, Bugfix, Change) and wording follow the established style.
• New dependency bumps are appended in the expected indented-bullet form, and the corresponding PR links (#41613, #41619, #41626) are added to the dependency entry's link list.

Specific suggestions

• None required. A couple of minor observations only:
  • The dependency list ordering is mostly alphabetical but the newly inserted symfony/deprecation-contracts and symfony/translation-contracts entries land slightly out of strict alpha order relative to the surrounding symfony entries. This is cosmetic and matches calens' merge behavior; no action needed.
  • Some entries reference issue numbers in the Summary heading while linking an additional implementing PR in the Details body (e.g. #41364→#41617, #41623→#41624). This is consistent with prior practice.

Potential issues / risks

• No functional code changes; risk is limited to documentation accuracy.
• Nothing anomalous detected: all links point to github.com/owncloud/core, no unexpected external URLs, no suspicious or unrelated content injected.
• Version bumps in the changelog should match the actual composer.lock changes in the referenced dependency-update PRs; verifying that is outside the scope of this changelog-only diff.

Overall: routine automated changelog update, safe to merge once the underlying referenced PRs are confirmed merged.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This is a Calens-bot auto-generated changelog update (chore: update changelog, head b5651828). It touches a single file (CHANGELOG.md, +154 / -5) and adds Summary + Details entries for several recently merged PRs/issues, plus refreshed dependency version bumps under the existing "Update PHP dependencies" entry. This is low-risk automated content.

Code quality / style

• Only CHANGELOG.md is modified — no source, config, or CI files touched, as expected for a Calens PR.
• Entry formatting follows the established convention: * <Type> - <description>: [#<id>](url) in Summary, mirrored with an indented body in Details, and trailing reference URLs.
• Type prefixes (Security, Bugfix, Change) and link targets (issues vs. pull requests) are consistent and well-formed.
• Dependency bumps are appended/updated cleanly with matching PR references (41613, 41619, 41626).

Specific suggestions

• None required. Content is generated and conforms to the existing changelog structure.

Potential issues / risks

• No anomalies detected: no non-changelog files, no malformed entries, no suspicious links (all point to github.com/owncloud/core).
• Minor note: the Details section lists symfony/deprecation-contracts (v3.6.0 to v3.7.0) out of alphabetical order relative to the other symfony/* entries, but this is purely cosmetic and originates from the generator/diff merge, not a correctness concern.

Overall: safe automated changelog update. No blocking concerns.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This is a Calens-generated changelog update PR. It touches a single file (CHANGELOG.md, +157/-5) and is authored by the owncloud-calens-bot. As auto-generated, append-only changelog content, this is low-risk automated documentation — no source code, build, or CI files are affected. The entries reflect a normal mix of Security, Bugfix, and Change items plus a dependency-bump list.

Code quality / style

• Content is well-formed Markdown consistent with the existing changelog structure (Summary + Details sections, PR/issue links).
• Entry formatting, indentation, and link patterns match the surrounding file.

Specific suggestions

• No action required from a reviewer's standpoint; this PR is regenerated on every push to master and closed on merge.

Potential issues / risks

• Duplicate dependency entry: The "Update PHP dependencies" details list contains guzzlehttp/psr7 twice — once as (2.8.0 to 2.10.4) and again as (2.11.0 to 2.12.0). This looks like overlapping/cumulative bump fragments from multiple dependency PRs being merged into one Calens entry. It is cosmetic (changelog only) but the two version ranges are inconsistent and could confuse readers. Worth a glance at the source changelog fragments if this surfaces again.
• No non-changelog files are touched and no malformed entries were detected beyond the duplicate noted above.

Overall: safe to merge as routine generated changelog content.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This is a calens-bot auto-generated changelog update. It touches a single file (CHANGELOG.md, +157/-7), regenerating the unreleased Summary and Details sections from the changelog source fragments. This is low-risk automated content — no code paths are affected.

Code quality / style

• Single file changed (CHANGELOG.md), consistent with an automated changelog regeneration. No source, config, or build files touched.
• Formatting matches the existing calens output (Summary list entries mirrored by expanded Details blocks, two-space indented bullet sub-lists for the dependency update, PR/issue backlinks appended).
• New entries are well-formed: each Summary line has a matching Details block, and the categorization (Security / Bugfix / Change) and ordering are consistent with the file's conventions.

Specific suggestions

None — this is generated content and should be regenerated upstream rather than hand-edited.

Potential issues / risks

• Checked specifically for the previously-reported duplicate guzzlehttp/psr7 entry in the "Update PHP dependencies" block: it now appears exactly once (guzzlehttp/psr7 (2.8.0 to 2.12.0)). No duplicate has reappeared.
• No other malformed or duplicated entries spotted; all Summary entries have a corresponding Details section and vice versa.
• Two new Security entries (#41585 storage error sanitization, #41586 password-reset user enumeration) are referenced — informational only here; the underlying fixes live in their respective PRs.

Low-risk automated changelog content. No concerns blocking merge.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This is an automated changelog update generated by calens-bot (owncloud-calens-bot). It touches a single file (CHANGELOG.md, +169 / -7) and regenerates the unreleased section from the individual changelog/ fragment files. The content is low-risk, machine-generated documentation; no source, configuration, or build files are affected.

Code quality / style

• Entries follow the established calens format consistently: each ## Summary line has a matching ## Details block with the same title and the same PR/issue reference.
• Categories (Security, Bugfix, Change) are correctly grouped and ordered.
• Dependency bumps in the Update PHP dependencies block are alphabetized and internally consistent.

Specific suggestions

None. As a generated artifact, manual edits here would be overwritten on the next master push.

Potential issues / risks

• No non-changelog files are touched — scope is exactly as expected for this bot.
• No malformed or duplicate entries detected; every Summary entry maps 1:1 to a Details entry.
• The version ranges for updated dependencies (e.g. guzzlehttp/psr7 2.8.0 → 2.12.0, symfony/* → v7.4.13, phpseclib 3.0.49 → 3.0.55) are forward bumps with no downgrades.
• Three new Security entries are referenced; the actual fixes live in their respective PRs (#41585, #41586, #41634) and are out of scope for this changelog PR.

Looks good to merge once the underlying PRs/fragments are finalized. Note that merging this will close it and the bot will open a fresh one on the next master change.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Overview

This is an automated changelog-update PR generated by calens-bot. It modifies a single file (CHANGELOG.md, +170/-7) to add new Summary and Details entries for recently merged changes (security fixes, bugfixes, and an expanded dependency-update list). This is low-risk, machine-generated content; no source, config, or build files are touched.

Code quality / style

• Formatting follows the existing calens convention: Summary bullets at top, expanded Details blocks below, consistent two-line spacing and indentation.
• New entries are grouped correctly (Security → Bugfix → existing Change entries) and each links to the corresponding issue/PR.
• The dependency-update section (Update PHP dependencies) is re-rendered with refreshed version ranges and additional packages; entries remain alphabetically ordered.

Specific suggestions

None. The content is generated and matches the established template.

Potential issues / risks

• Scanned for anomalies: no non-changelog files modified, no duplicate bullet entries, no malformed markdown links. The deletions (-7) are the normal in-place update of the dependency block (old version ranges replaced with new ones), not a loss of unrelated content.
• One minor observation (cosmetic only, not introduced by this PR but visible in the diff): the dependency bullets are not strictly alphabetical in a couple of spots (e.g. symfony/deprecation-contracts now appears after symfony/translation). This is purely calens ordering output and has no functional impact.

Low-risk automated content — safe to merge once CI passes.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Scope: Single file, CHANGELOG.md only (+170/-7). No source, code, or config changes — this is a pure calens regeneration aggregating changelog/unreleased/* fragments.

Faithfulness: Looks like a clean calens render. New Summary entries each have a matching Details block with the correct type prefix (Security/Bugfix/Change), description, and issue/PR links. The "Update PHP dependencies" Change block is correctly extended with new bumped versions (firebase/php-jwt, symfony/console, etc.) and additional PR references (41613, 41619, 41626, 41635, 41639) — ordering and formatting are consistent with the existing list. No duplicated, malformed, or orphaned entries spotted.

Checks: Lint/style/JS-unit/CodeQL/changelog-lint/semantic-commits/CLA all green. PHP Unit matrix (8.3 across mariadb/mysql/postgres/sqlite) still pending. mergeStateStatus = BLOCKED (awaiting required checks), mergeable = MERGEABLE (no conflicts).

No concerns with the content. Recommend merging once the PHP Unit checks finish green.