[pull] main from calendso:main#313

Open
pull[bot] wants to merge 10000 commits into AppInitio:main from calcom:main

@pull pull bot commented Dec 8, 2021

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

ThyMinimalDev and others added 21 commits February 2, 2026 11:49
…27494)

* fix: add guest limits and rate limiting to booking-guests endpoint

- Add ArrayMaxSize(10) validation to limit guests per request to 10
- Add aggressive rate limiting (5 requests/minute) via @Throttle decorator
- Add total guest limit check (max 30 guests per booking) to prevent abuse
- Update API documentation to reflect new limits

This prevents scammers from using the endpoint to send spam emails
to hundreds of guests through our system.

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* docs: update openapi.json with guest limits and rate limiting info

Co-Authored-By: morgan@cal.com <morgan@cal.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Anik Dhabal Babu <81948346+anikdhabal@users.noreply.github.com>
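
The three limits named in the commit message above (10 guests per request, 30 guests per booking, 5 requests per minute), as an added example that is not the Cal.com code. The function names, the in-memory sliding-window limiter and the case-insensitive de-duplication are assumptions of this sketch; the project itself uses `ArrayMaxSize` and `@Throttle`.

```javascript
// Added example: limits come from the commit message, everything else is hypothetical.
const MAX_GUESTS_PER_REQUEST = 10;
const MAX_GUESTS_PER_BOOKING = 30;
const RATE_LIMIT = 5;
const RATE_WINDOW_MS = 60_000;

// Sliding-window limiter: remembers the timestamps of accepted calls per key.
function createRateLimiter(limit, windowMs) {
  const hits = new Map();
  return function allow(key, nowMs) {
    const recent = (hits.get(key) || []).filter((t) => nowMs - t < windowMs);
    const ok = recent.length < limit;
    if (ok) recent.push(nowMs);
    hits.set(key, recent);
    return ok;
  };
}

// Validates one request against the per-request and per-booking caps.
function checkAddGuests(existingGuests, newGuests) {
  if (!Array.isArray(newGuests) || newGuests.length === 0) {
    return { ok: false, reason: "guests must be a non-empty array" };
  }
  // Cap the raw request size first, before doing any per-item work.
  if (newGuests.length > MAX_GUESTS_PER_REQUEST) {
    return { ok: false, reason: `at most ${MAX_GUESTS_PER_REQUEST} guests per request` };
  }
  // Assumption: addresses already on the booking are not added (or mailed) again.
  const seen = new Set(existingGuests.map((e) => String(e).trim().toLowerCase()));
  const added = [];
  for (const guest of newGuests) {
    const email = String(guest).trim().toLowerCase();
    if (!seen.has(email)) {
      seen.add(email);
      added.push(email);
    }
  }
  // The total cap is what stops many small requests from adding up.
  if (seen.size > MAX_GUESTS_PER_BOOKING) {
    return { ok: false, reason: `at most ${MAX_GUESTS_PER_BOOKING} guests per booking` };
  }
  return { ok: true, added };
}

// Rate limit first, so rejected payloads still count against the caller.
function handleAddGuests(allow, callerId, existingGuests, newGuests, nowMs) {
  if (!allow(callerId, nowMs)) return { status: 429, error: "too many requests" };
  const result = checkAddGuests(existingGuests, newGuests);
  if (!result.ok) return { status: 400, error: result.reason };
  return { status: 200, added: result.added };
}
```
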
…e next month date (#27501)

The incrementDate function was using .day() incorrectly, which sets the day
of the week for the CURRENT week rather than finding the same weekday in
the next month. This caused the function to return dates in the previous
month when the target date fell early in the week.

For example, when incrementing March 2, 2026 (Monday) by a month:
- Old behavior: April 2 (Thursday) + .day(1) = March 30 (wrong month!)
- New behavior: First Monday in April = April 6 (correct)

This bug caused flaky E2E test failures in booking-limits and duration-limits
tests because the 'year limit with multiple limits set' test would try to
book on a date that was still in the same month, which was blocked by the
month limit (3 bookings already existed in that month).

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
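
The date arithmetic described in the commit message above, as an added example that is not the project's `incrementDate`. It uses native UTC `Date` objects in place of dayjs; `setWeekdayInCurrentWeek` is a hypothetical stand-in for `.day(n)` with a Sunday-start week.

```javascript
// Added example: reproduces the old and new behaviour with plain UTC dates.
const DAY_MS = 86_400_000;
const utc = (y, m, d) => new Date(Date.UTC(y, m - 1, d));
const iso = (date) => date.toISOString().slice(0, 10);

// Stand-in for dayjs .day(n): moves to weekday n of the week the date is
// already in (Sunday = 0), so it can step backwards across a month boundary.
function setWeekdayInCurrentWeek(date, weekday) {
  return new Date(date.getTime() + (weekday - date.getUTCDay()) * DAY_MS);
}

// Adds one calendar month, clamping the day to the target month's length.
function addOneMonth(date) {
  const y = date.getUTCFullYear();
  const m = date.getUTCMonth();
  const lastDay = new Date(Date.UTC(y, m + 2, 0)).getUTCDate();
  return new Date(Date.UTC(y, m + 1, Math.min(date.getUTCDate(), lastDay)));
}

// Old behaviour: add a month, then snap to the original weekday within that week.
function incrementMonthOld(date) {
  return setWeekdayInCurrentWeek(addOneMonth(date), date.getUTCDay());
}

// New behaviour: first occurrence of the original weekday in the next month.
function incrementMonthNew(date) {
  const first = new Date(Date.UTC(date.getUTCFullYear(), date.getUTCMonth() + 1, 1));
  const offset = (date.getUTCDay() - first.getUTCDay() + 7) % 7;
  return new Date(first.getTime() + offset * DAY_MS);
}

// True when result falls in the calendar month directly after start.
function isInFollowingMonth(start, result) {
  const index = (d) => d.getUTCFullYear() * 12 + d.getUTCMonth();
  return index(result) - index(start) === 1;
}

// Start dates in a year for which the given increment leaves the next month.
function datesLeavingNextMonth(year, increment) {
  const bad = [];
  for (let d = utc(year, 1, 1); d.getUTCFullYear() === year; d = new Date(d.getTime() + DAY_MS)) {
    if (!isInFollowingMonth(d, increment(d))) bad.push(iso(d));
  }
  return bad;
}
```
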
…#27504)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…ign-in users (#27495)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: CarinaWolli <wollencarina@gmail.com>
* fix: handle email invites in team event-type assignment by preventing NaN userId.

* fix(i18n): improve French translation for login and identifier

Updating 'Connexion' to 'Se connecter' for consistency with Google/SAML login buttons and improving the identifier label.

* Update apps/web/public/static/locales/fr/common.json

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* revert: remove team assignment logic fix to focus on translations.

---------

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Sahitya Chandra <sahityajb@gmail.com>
…27490)

* refactor: move shared components from apps/web to packages/features

Move components that don't require dependency injection:
- DisconnectIntegrationModal
- Booking components (Header, Section, TimeFormatToggle, PayIcon, Price)
- useInitializeWeekStart hook
- TeamEventTypeForm
- Event type components (AssignAllTeamMembers, BulkEditDefaultForEventsModal, etc.)
- Event type dialogs (HostEditDialogs, ManagedEventDialog)
- Location components (LocationInput, types)
- Tab components (EventLimitsTab, EventRecurringTab, etc.)

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* refactor: update import paths to use @calcom/features

Update imports in apps/web and packages/platform/atoms to reference
the moved components from @calcom/features instead of @calcom/web.

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* refactor: delete original files from apps/web/modules

Complete the file move by deleting the original files that were
copied to packages/features. This makes it a proper move instead
of a copy, reducing the PR size significantly.

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: update import paths to use @calcom/features for moved files

Update import paths in apps/web files that reference components
that were moved from apps/web/modules to packages/features:
- LearnMoreLink
- ChildrenEventTypeSelect
- AssignAllTeamMembers
- WeightDescription
- LocationCustomClassNames (types)

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: update additional import paths for moved components

Update import paths in apps/web files that reference components
moved from apps/web/modules to packages/features:
- AppList.tsx: BulkEditDefaultForEventsModal
- schedule-view.tsx: BulkUpdatParams type
- AddMembersWithSwitch.tsx: AssignAllTeamMembers, CheckedTeamSelect
- EventTypeWebWrapper.tsx: ChildrenEventType, ManagedEventDialog
- DefaultLocationSettings.tsx: LocationCustomClassNames, LocationInput
- Locations.tsx: LocationCustomClassNames, LocationInput

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* fix: resolve circular dependency by adding isPlatform prop to Header

This fixes the circular dependency where @calcom/atoms (CalendarViewComponent)
was importing Header from @calcom/features, but Header was importing
useIsPlatform from @calcom/atoms.

The fix adds an isPlatform prop to the Header component so it no longer
needs to import useIsPlatform from @calcom/atoms. Callers now pass the
isPlatform value directly:
- atoms components pass isPlatform={true}
- web components pass the isPlatform prop they receive

Fix confidence: 9/10 (Cubic AI)

Co-Authored-By: unknown <>

* fix

* fix

* fix

* fix

* fix

* fix

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* refactor: split flag repositories into Prisma and Cached layers

- Rename FeatureRepository to PrismaFeatureRepository (raw DB access)
- Rename TeamFeatureRepository to PrismaTeamFeatureRepository (raw DB access)
- Rename UserFeatureRepository to PrismaUserFeatureRepository (raw DB access)
- Create CachedFeatureRepository with @memoize wrapping PrismaFeatureRepository
- Create CachedTeamFeatureRepository with @Memoize/@Unmemoize wrapping PrismaTeamFeatureRepository
- Create CachedUserFeatureRepository with @Memoize/@Unmemoize wrapping PrismaUserFeatureRepository
- Update DI tokens, modules, and containers for all 6 repositories
- Update imports in FeatureOptInService and related modules
- Update tests to use new repository structure

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: simplify @memoize key patterns and delegate batch methods to Prisma

- Use direct function references for @memoize key (e.g., KEY.all instead of () => KEY.all())
- Simplify batch methods in Cached repositories to delegate to Prisma repository
- Update tests to reflect the new delegation pattern

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: add orderBy to TeamRepository.findAllByParentId for deterministic results

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* test: update TeamRepository test to expect orderBy in findAllByParentId

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: cleanup features repository and add specialized repository methods (#27195)

* refactor: cleanup features repository and add findBySlug, update methods

- Remove unused methods from FeaturesRepository (keep getTeamsWithFeatureEnabled)
- Add findAll(), findBySlug(), update() to IFeatureRepository interface
- Add findAll() with caching to CachedFeatureRepository
- Add findBySlug() with caching to CachedFeatureRepository
- Add update() with Unmemoize to CachedFeatureRepository
- Add checkIfFeatureIsEnabledGlobally() to CachedFeatureRepository
- Update toggleFeatureFlag.handler.ts to use repository instead of raw Prisma
- Add comprehensive unit tests for all new methods

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: update updatedAt timestamp in feature update method

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: move feature check methods to specialized repositories

- Replace getUserFeaturesStatus with two checkIfUserHasFeature calls in bookings page
- Move checkIfTeamHasFeature to PrismaTeamFeatureRepository with pass-through in CachedTeamFeatureRepository
- Move checkIfUserHasFeature and checkIfUserHasFeatureNonHierarchical to PrismaUserFeatureRepository with pass-throughs in CachedUserFeatureRepository
- Add getEnabledFeatures to PrismaTeamFeatureRepository with caching in CachedTeamFeatureRepository
- Keep FeaturesRepository methods as pass-throughs for backward compatibility
- Update test to expect updatedAt in feature update

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: remove getUserFeaturesStatus and unused methods from FeaturesRepository

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* restore comment

* fix: invalidate all-features cache on update and enabledFeatures cache on upsert/delete

- CachedFeatureRepository: Add KEY.all() to @Unmemoize keys in update() to prevent stale findAll() results
- CachedTeamFeatureRepository: Add KEY.enabledFeatures(teamId) to @Unmemoize keys in upsert() and delete() to prevent stale getEnabledFeatures() results

Co-Authored-By: unknown <>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* test: add CachedUserFeatureRepository tests

Add comprehensive tests for CachedUserFeatureRepository covering:
- findByUserIdAndFeatureId (cache hit, cache miss, not found)
- findByUserIdAndFeatureIds (empty input, multiple features)
- upsert (with cache invalidation)
- delete (with cache invalidation)
- findAutoOptInByUserId (cache hit, cache miss, not found)
- setAutoOptIn (with cache invalidation)

Co-Authored-By: unknown <>

* test: remove tests for methods removed from FeaturesRepository

Remove integration tests for methods that were intentionally removed:
- getUserFeatureStates
- getTeamsFeatureStates
- getUserAutoOptIn
- getTeamsAutoOptIn
- setUserAutoOptIn
- setTeamAutoOptIn

Co-Authored-By: unknown <>

* avoid N+1 query

* refactor: add select clauses to PrismaFeatureRepository queries

- Add explicit select clauses to findAll, findBySlug, and update methods
- Only fetch fields needed for FeatureDto (slug, enabled, description, type, stale, lastUsedAt, createdAt, updatedAt, updatedBy)
- Update tests to expect select clauses
- Fix UserFeatureRepository test to use findMany mock

Co-Authored-By: unknown <>

* fix bad conflict resolved

* use userId

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…27419)

* Reset queue correctly all places

* test: verify UI config persists on second modal open (#27422)

* test: verify UI config persists on second modal open

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* fix: update iframe selection logic in getEmbedIframe function

Refactor the getEmbedIframe function to improve iframe selection by using a more specific selector and ensuring the last iframe is targeted in cases of repeated modal openings. This change enhances reliability in iframe handling during tests.

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* fix test

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
When the routing form redirects to an event type, it now passes
cal.crmLookupDone=true to indicate that the CRM contact owner lookup
was already performed. The event type SSR checks for this flag and
skips the duplicate CRM lookup, improving performance.

This fixes the scenario where no CRM contact owner exists - previously
the lookup would be performed twice (once in the router, once in SSR),
but now it's only performed once.

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Add updateCurrentTimeOnFocus prop to Calendar component that enables
the current time indicator to update when the page is refocused.
This helps users see the accurate current time after switching tabs.

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Peer Richelsen <peeroke@gmail.com>
…27520)

* seated event

* Reorder imports in attendee-scheduled-email.ts
* update mintlify

* remove mint.json
* fix(analytics): add input validation to analytics app schemas

Add strict input validation for tracking IDs and URLs in analytics
app integrations to ensure data conforms to expected formats

* fix: remove optional/default to fix type inference

Remove .optional() and .default("") from schemas with transform/refine
chains to preserve correct TypeScript type inference

* fix: restore .optional() for type compatibility

* fix(e2e): use valid GTM container ID format in analytics test

Co-Authored-By: pedro@cal.com <pedro.castro@ideware.com.br>

* fix(analytics): address Cubic AI review feedback

- Tighten Meta Pixel ID regex from {1,20} to {15,16} digits (confidence 9.5/10)
- Fix PostHog error message to mention underscores are allowed (confidence 9/10)

Co-Authored-By: unknown <>

* fix(analytics): enforce domain label boundaries and prevent consecutive dots

Co-Authored-By: pedro@cal.com <pedro.castro@ideware.com.br>

* refactor: extract shared validation schemas

- Create analytics-schemas.ts with reusable safeUrlSchema, alphanumericIdSchema, and numericIdSchema
- Update databuddy, insihts, matomo, plausible, posthog, and umami to use shared schemas
- Keep app-specific schemas local (domain validation, UUID patterns, etc.)

* fix(analytics): enforce exactly 10 characters for GA4 Measurement ID

Tighten GA4 regex from {1,20} to {10} to match the documented format
G-XXXXXXXXXX. This addresses Cubic AI review feedback (confidence 9/10)
that the regex was too permissive compared to the error message.

Co-Authored-By: unknown <>

* refactor: add createPrefixedIdSchema factory for GTM/GA4/Fathom

- Add factory function to handle prefixed IDs with configurable options
(prefix, addPrefixIfMissing, allowEmpty)
- Consolidate GTM, GA4, and Fathom schemas using the shared factory
- Standardize imports to use @calcom/app-store alias

* fix: reject prefix-only IDs like "G-" or "GTM-" without content

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
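
The validation rules listed in the commit message above, as an added example that is not the project's zod schemas. The function names, the uppercase-alphanumeric character class, the letters-only top-level domain and the reading of "safe URL" as http/https only are assumptions of this sketch; the lengths ({10} for GA4, {15,16} for Meta Pixel) and the options `prefix`, `addPrefixIfMissing` and `allowEmpty` come from the message.

```javascript
// Added example: plain-JS validators mirroring the rules named in the commit message.

// Factory for prefixed IDs such as GA4 "G-XXXXXXXXXX".
function createPrefixedIdValidator({ prefix, bodyPattern, addPrefixIfMissing = false, allowEmpty = false }) {
  // Anchored at both ends: the whole remainder must match, not a substring.
  const body = new RegExp(`^${bodyPattern}$`);
  return function validate(input) {
    const value = String(input ?? "").trim();
    if (value === "") {
      return allowEmpty ? { ok: true, value: "" } : { ok: false, error: "ID is required" };
    }
    let rest;
    if (value.startsWith(prefix)) {
      rest = value.slice(prefix.length); // "G-" alone leaves "" and fails below
    } else if (addPrefixIfMissing) {
      rest = value;
    } else {
      return { ok: false, error: `ID must start with ${prefix}` };
    }
    if (!body.test(rest)) {
      return { ok: false, error: `ID must look like ${prefix} followed by ${bodyPattern}` };
    }
    return { ok: true, value: prefix + rest };
  };
}

// GA4 Measurement ID: prefix plus exactly 10 characters (character class assumed).
const validateGa4Id = createPrefixedIdValidator({
  prefix: "G-",
  bodyPattern: "[A-Z0-9]{10}",
  addPrefixIfMissing: true,
});

// Meta Pixel ID: 15 or 16 digits.
function isMetaPixelId(input) {
  return /^\d{15,16}$/.test(String(input));
}

// Domain: labels start and end with a letter or digit, so no leading or
// trailing hyphen and no empty label (which is what ".." would produce).
const DOMAIN_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
function isDomain(input) {
  return DOMAIN_RE.test(String(input));
}

// URL: must parse and use http or https (assumed meaning of "safe").
function isSafeUrl(input) {
  try {
    const url = new URL(String(input));
    return url.protocol === "https:" || url.protocol === "http:";
  } catch {
    return false;
  }
}
```
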
emrysal and others added 30 commits February 12, 2026 23:14
* feat: add signup watchlist review feature flag and handler logic

- Add 'signup-watchlist-review' global feature flag
- Add SIGNUP to WatchlistSource enum in Prisma schema
- When flag enabled, lock new signups and add email to watchlist
- Show 'account under review' message on signup page
- Add i18n strings for review UI
- Create seed migration for the feature flag

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* test: add isAccountUnderReview tests to fetchSignup test suite

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* fix: address Cubic AI review feedback (confidence >= 9/10)

- Remove 'import process from node:process' in signup-view.tsx (P0 bug in 'use client' component)
- Move watchlist review check before checkoutSessionId early return in calcomSignupHandler (P1 premium bypass)
- Revert selfHostedHandler to original state (out of scope per user request)
- Add test mocks for FeaturesRepository and GlobalWatchlistRepository

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* fix: remove node:process import from useFlags.ts (client-side file)

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* fix: remove !token condition from watchlist review check

Token is present in normal email-verified signups, so the !token
condition was incorrectly skipping watchlist review for verified users.

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* Apply suggestion from @cubic-dev-ai[bot]

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* refactor: move user lock to UserRepository.lockByEmail

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* refactor: use cached getFeatureRepository() instead of deprecated FeaturesRepository

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* refactor: remove user locking, keep only watchlist addition on signup review

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

* feat: lock user on signup review, remove watchlist entry on unlock

Co-Authored-By: alex@cal.com <me@alexvanandel.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* fix: exclude test files from CODEOWNERS foundation approval

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* fix: add *.test.* to CODEOWNERS test file exclusions

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* fix: add *.integration-test.* to CODEOWNERS test file exclusions

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* fix(app-store): preserve existing enabled state during seed

* Update seed-app-store.ts

---------

Co-authored-by: Sahitya Chandra <sahityajb@gmail.com>
…nique constraint flake (#27916)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Anik Dhabal Babu <81948346+anikdhabal@users.noreply.github.com>
* add e2e-spec pattern to CODEOWNERS

* Add pattern for test-suite files in CODEOWNERS
… button alignment (#27924)

* fix: resolve insights page UI regressions for plus button size and download alignment

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* fix: default icon size to 16px in createIcon wrapper

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
… entry removal (#27923)

* fix: resolve signup watchlist review issues with deleteEntry, email verification ordering, and unlock flow

Co-Authored-By: ali@cal.com <alishahbaz7@gmail.com>

* fix: scope sendEmailVerification to non-invite signups only

Co-Authored-By: ali@cal.com <alishahbaz7@gmail.com>

* feat: auto-unlock users when SIGNUP-source watchlist entries are removed

Co-Authored-By: ali@cal.com <alishahbaz7@gmail.com>

* fix: remove PII from error logging in unlockSignupUser

Co-Authored-By: ali@cal.com <alishahbaz7@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…eet (#27909)

* fix: display phone numbers and localized timezone in BookingDetailsSheet

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* refactor: replace selectAll with explicit column selects for Attendee query

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>

* Update apps/web/modules/bookings/components/BookingDetailsSheet.tsx

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* Add tests: packages/lib/dayjs/formatToLocalizedTimezone.test.ts

Generated by Paragon from proposal for PR #27909

* Revert "refactor: replace selectAll with explicit column selects for Attendee query"

This reverts commit f810ba8.

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* feat: enable onboarding-v3 globally and update e2e tests

- Add migration to set onboarding-v3 feature flag enabled=true
- Rewrite onboarding.e2e.ts for v3 flow (Plan Selection → Personal Settings → Calendar)
- Update URL assertions in signup, team-invitation, org-invitation, ab-tests-redirect, and auth tests to accept both old and new onboarding paths

Co-Authored-By: sean@cal.com <Sean@brydon.io>

* fix: use pathname-only matching in waitForURL to prevent false matches on callbackUrl query param

Co-Authored-By: sean@cal.com <Sean@brydon.io>

* use test IDs

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Anik Dhabal Babu <81948346+anikdhabal@users.noreply.github.com>
…#27880)

* refactor: apply biome formatting to small packages + packages/lib

Format packages/sms, packages/prisma, packages/platform/libraries,
packages/platform/examples, packages/platform/types, packages/emails,
and packages/lib.

Excludes packages/platform/examples/base/src/pages/[bookingUid].tsx
due to pre-existing lint errors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* revert: remove packages/platform formatting changes

Revert biome formatting for packages/platform as requested.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…x Vitest RPC errors (#27931)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* chore: bump axios to 1.13.5

* chore: bump axios in apps/api/v2

* chore: dedupe follow-redirects to 1.15.11
* feat(companion): add configurable landing page feature

- Add useUserPreferences hook for persistent storage of landing page preference
- Add LandingPagePicker component for both iOS and Android/web platforms
- Update tabs index to redirect based on user preference
- Update bookings index to accept initial filter from URL params
- Add App Settings section in More screen with landing page selector
- Clear user preferences on logout for fresh state

* fix(companion): remove try-finally for React Compiler compatibility

* fix(companion): use router.replace for dynamic landing page redirect

Replace Redirect component with router.replace() to fix TypeScript
strict typing issue with expo-router's Href type for dynamic routes.

* fix(companion): use literal route strings for TypeScript strict typing

Use switch statement with literal route strings instead of dynamic
string variable to satisfy expo-router's strict Href type checking.

* working fix

* better css
…#27946)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…alue (#27961)

Signed-off-by: Aritra Dey <adey01027@gmail.com>
Co-authored-by: Romit <85230081+romitg2@users.noreply.github.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…function (#27972)

* refactor: move cancel booking logic into handleCancel function

* chore: remove unused comments per review feedback

---------

Co-authored-by: Deepanshu Verma <deepanshuverma186@email.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
)

* fix: revert assignmentReason breaking change in webhook payloads

Remove the new { category, details } format from EventPayloadType to
maintain backward compatibility for webhook consumers. The new format
is stripped at all webhook payload construction sites by destructuring
assignmentReason out of CalendarEvent before spreading into the payload.

A sanitizeAssignmentReasonForWebhook function provides an additional
safety net in sendPayload itself. Emails and booking single view
continue to use the new format via CalendarEvent.

Co-Authored-By: ali@cal.com <alishahbaz7@gmail.com>

* fix: strip assignmentReason from handlePaymentSuccess webhook payload

Co-Authored-By: ali@cal.com <alishahbaz7@gmail.com>

* fix: strip assignmentReason from triggerWebhooks and handleSeats webhook payloads

Co-Authored-By: ali@cal.com <alishahbaz7@gmail.com>

* refactor: use zod safeParse instead of type assertion in sanitizeAssignmentReasonForWebhook

Co-Authored-By: ali@cal.com <alishahbaz7@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>