passbolt-browser-extension 5.10.3 → 5.11.1

package/.gitlab-ci/jobs/publish.yml

@@ -39,7 +39,17 @@ publish-edge:
 
 publish-to-npmjs:
   stage: publish
-  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/node:22
+  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/node:24
+  id_tokens:
+    NPM_ID_TOKEN:
+      aud: "npm:registry.npmjs.org"
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
+  when: manual
+  resource_group: publish/npm
+  environment:
+    name: publish/npm
+    url: https://www.npmjs.com/package/passbolt-browser-extension
   rules:
     - if: "$CI_COMMIT_TAG"
   script:

package/.gitlab-ci/scripts/bin/publish_npm.sh

@@ -9,10 +9,6 @@ CI_SCRIPTS_DIR=$(dirname "$0")/..
 # shellcheck source=.gitlab-ci/scripts/lib/version-check.sh
 source "$CI_SCRIPTS_DIR"/lib/version-check.sh
 
-echo //registry.npmjs.org/:_authToken="$NPM_PUBLISH_TOKEN" > .npmrc
-echo email="$NPM_PUBLISH_EMAIL" >> .npmrc
-echo always-auth=true >> .npmrc
-
 if is_release_candidate "$CI_COMMIT_TAG"; then
   npm publish --tag next
 elif is_release_alpha "$CI_COMMIT_TAG"; then
@@ -23,4 +19,4 @@ elif is_stable "$CI_COMMIT_TAG"; then
   npm publish
 else
    echo "The tag format is not supported"
-fi
+fi

package/.pre-commit-config.yaml

@@ -0,0 +1,5 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.30.0  # v8.30.0
+    hooks:
+      - id: gitleaks

package/CHANGELOG.md

@@ -4,6 +4,55 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [5.11.0] - 2026-04-07
+### Added
+- PB-49733 SMTP-OAUTH - WP2.1 Update SmtpSettingsService to SmtpSettingsApiService
+- PB-49734 SMTP-OAUTH - WP1.1 Create the SmtpSettingsEntity
+- PB-49737 SMTP-OAUTH - WP2.2 Update SmtpTestSettingsService to SmtpTestSettingsApiService
+- PB-49738 SMTP-OAUTH - WP2.3 Split SmtpSettingsModel to new architecture pattern
+- PB-49739 SMTP-OAUTH - WP2.4 Split SmtpTestSettingsModel to new architecture pattern
+- PB-49740 SMTP-OAUTH - WP3.1 Adapt context with the new SMTP entities
+- PB-49741 SMTP-OAUTH - WP3.2 Adapt ManageSmtpAdministationSettings to handle the new OAUTH fields
+- PB-50058 OAuth SMTP: add the new styleguide to backend
+- PB-50135 SSO with PingOne
+- PB-50157 Enable avatar upload for Safari
+- PB-50254 SCIM-WP1.2 Adapt form to handle the new date field and display warning message when expired
+- PB-50263 Add a username selector compatible with ProxMox
+
+### Fixed
+- PB-46678 Fix quickaccess closing issue on Safari
+- PB-49237 DisplayUserBadgeMenu attention required should be displayed on Administration page served by API
+- PB-49287 When deleting a user, the URL must changed not to reference the deleted user id
+- PB-49476 Fix autofill for websites using identifier as name for username field
+- PB-49619 Fix username input field selector for OVH
+- PB-49849 Sync generator password policy with the administration after save
+- PB-49866 Fix the expiry column in the resource workspace grid is not present anymore
+- PB-49882 Fix username input field selector for Supermicro IPMI WebUI
+- PB-50023 Fix multifield OTP selector matching hidden inputs
+- PB-50077 Fix React router issue that reloads the page unexpectedly
+- PB-50177 Fix autofill issues for two websites
+
+### Maintenance
+- PB-49129 Delegate tab opening to service worker in order to send all cookie via Safari
+- PB-49459 Timeouts not cleared properly when filtering resources/users grids by keywords
+- PB-49705 Add missing TOTP unit tests
+- PB-49730 Setup an environment for publishing to npmjs registry
+- PB-49998 Add required `data_collection_permissions` for Firefox and set it to `none`
+- PB-50013 Make Safari download custom avatars
+- PB-50118 Major upgrade for locutus (Critical) - passbolt-browser-extension
+- PB-50158 Add Safari enablement through a feature flag
+- PB-50200 Move the logic of passbolt.groups.create to GroupCreateController
+- PB-50201 Update group create call in groupApiService to contain "my_group_user" as urlOptions
+- PB-50202 Add supported formats documentation link in export dialog
+- PB-50225 Create a CreateGroupService.js file and move the create call to api service inside it
+- PB-50338 - Fix phantom @babel/preset-react
+
+### Security
+- PB-49608 Fix ReDoS vulnerability in PGP armor regex validation
+- PB-50271 Fix GHSA-25h7-pfq9-p65f - HIGH CVSS3.1
+- PB-50272 Fix brace-expansion vulnerabilities
+
+
 ## [5.9.0] - 2026-01-21
 ### Fixed
 - PB-43511 Display the "Migrate metadata" admin home page card icon with a 2px stroke width

package/RELEASE_NOTES.md

@@ -1,123 +1,97 @@
-Passbolt 5.10.0 is the first version of Passbolt that officially supports Safari. Also, this version comes with tags in the grid and security improvements regarding CSV exports.
+Passbolt 5.11.0 introduces improvements to enterprise authentication and integration capabilities, alongside continued security hardening.
 
-# Safari is now supported
+This release adds support for OAuth-based SMTP authentication for Microsoft Exchange Online and expands SSO coverage with PingOne. It also includes the finalisation of SCIM following external audit fixes.
 
-Passbolt 5.10.0 adds Safari as a supported browser. Safari has its own specificities and limitations, therefore features like avatars are disabled.
+## SMTP OAuth support for Microsoft Exchange Online 
 
-# TOTP Autofill
+Passbolt 5.11 introduces OAuth 2.0 support for SMTP with Microsoft Exchange Online, replacing legacy username/password authentication.
 
-Passbolt 5.10.0 now automatically fills the one-time password directly into login forms, just like it does with usernames and passwords. This seamless integration simplifies your multi-factor authentication by eliminating manual copying.
+Administrators can configure the OAuth (Client Credentials) method by registering an application in Microsoft Entra ID and providing the required tenant ID, client ID, client secret, and service account email.
 
-# Tags are visible in the grid
+At runtime, Passbolt retrieves short-lived access tokens to authenticate SMTP connections without user interaction, improving security and aligning with modern authentication standards.
 
-This version also releases modernization of the tag codebase. This allows us to present these tags in the grid but also paves the way for further improvement of this feature.
 
-# CSV export security update
+## PingOne SSO support (Passbolt Pro)
 
-CSV export has been updated to reinforce Passbolt's security postures. Some spreadsheet software that supports CSV also executes formulas when opening these files. It's a security issue that has been tackled in this version in 2 ways:
-the CSV exports are disabled by default (import is still working) and can be reenabled via a server configuration
-When CSV exports are enabled, a confirmation checkbox is displayed to ensure the users know what are the risks of this kind of export. Exported values are not modified to keep data integrity
+Passbolt 5.11 adds support for PingOne as a new SSO provider, enabling organisations to authenticate users via their existing Ping Identity infrastructure.
 
-# React 18 migration
+The integration is based on OpenID Connect (OIDC) using the Authorization Code flow, with Passbolt delegating authentication to PingOne and receiving a verified user identity via ID tokens.
 
-The migration to React 18 is a significant step toward modernizing the application's entire codebase. This update improves the code and brings performance optimizations for our users.
+Administrators can configure PingOne from the SSO settings using the required environment ID, client ID, client secret, and base URL, with a dry-run option available to validate the setup before activation. Once enabled, users are redirected to PingOne for authentication and seamlessly logged into Passbolt, including during account recovery.
 
-# Conclusion
-3 long awaited features are finally out: Safari, TOTP autofill and tags in the grid.
+This addition expands Passbolt’s SSO coverage for enterprise environments and removes a key adoption blocker for organisations standardised on Ping Identity.
+
+## SCIM: audit fixes and general availability (Passbolt Pro)
+
+Following the external security audit conducted by Cure53, this release includes fixes addressing the identified findings in the SCIM provisioning implementation.
+
+With these changes, SCIM is now considered stable and exits beta.
+
+The audit-driven improvements strengthen validation, error handling, and overall robustness of the provisioning flow. SCIM is now ready for production use in environments requiring automated user lifecycle management.
+
+## Security improvements
+
+This release continues the ongoing security hardening effort across the platform.
+
+In addition to the SCIM audit fixes, improvements have been made to align with external audit recommendations and reduce potential attack surface in authentication and integration layers.
+
+## Maintenance & performance
+
+This release includes general performance improvements, particularly around background job processing and email delivery workflows.
+
+Email-related operations are now more efficient and better distributed, reducing bottlenecks in high-load environments.
+
+As usual, additional optimisations are already in progress for upcoming releases.
+
+## Conclusion
+
+As usual, the release is also packed with additional improvements and fixes. Check out the changelog to learn more.
+
+Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!
 
 ### Added
-- PB-28063 Activate Safari support in the styleguide
-- PB-29275 SAF - WP2.10 Add Safari as supported extension
-- PB-29292 SAF - WP2.11 Fix quickaccess opening on Safari
-- PB-29605 SAF - WP2.7 Fix detached quickaccess not being closed after "use on this page" click
-- PB-36503 Browser extension causes performance degradation on some websites
-- PB-36503 Browser extension causes performance degradation on some websites
-- PB-43353 SAF - WP2.8 Fix file download on Safari
-- PB-43355 SAF - WP2.9 Fix quickaccess animations
-- PB-43997 SAF - WP1 Update the Safari browser extension build
-- PB-44342 SAF - WP2.1 Provide Safari with its own polyfill
-- PB-44343 SAF - WP2.2 Remove unsupported index.js callback
-- PB-44345 SAF - WP2.4 fix the CSS injection in styleguide.js
-- PB-45869 SAF - WP2.13 Implement file download using the native messaging
-- PB-45870 SAF - WP2.14 Implement a custom fetch using the native messaging
-- PB-46265 SAF - WP2.15 Fix authentication with MFA in the quickaccess
-- PB-46679 SAF - Fix bold font rendering
-- PB-47765 Tags modernization
-- PB-47777 Migrate tags logic from components to TagServiceWorkerService
-- PB-47789 REACT18 - Update ReactDom render to createRoot
-- PB-47992 REACT 18 - migration of ResourceWorkspaceContext
-- PB-48158 REACT 18 - Implement the migration of Dialog and Progress Contexts
-- PB-48240 REACT18 - UserWorkspace migration
-- PB-48252 REACT18 - Migrate ExtAppContext
-- PB-48253 SAF - Temporarily remove Avatar download to avoid user being signed out
-- PB-48258 SAF - Temporarily remove "upload avatar" feature
-- PB-48337 REACT18 - Update contexts that should use functional update
-- PB-48338 REACT18 - Update shared components that should use functional update
-- PB-48339 REACT18 - Update quickaccess components that should use functional update
-- PB-48340 REACT18 - Update authentication components that should use functional update
-- PB-48342 REACT18 - Update user setting components that should use functional update
-- PB-48343 REACT18 - Update administration components that should use functional update
-- PB-48360 REACT18 - Update resource components that should use functional update
-- PB-48363 REACT18 - Update user components that should use functional update
-- PB-48366 REACT18 - Remove await set state in contexts
-- PB-48384 REACT18 - Remove await setState in components and apps
-- PB-48404 REACT18 - Object.assign should use functional set state for context
-- PB-48408 CSV - WP1.2 Add a warning message when user is selecting a CSV format on the button
-- PB-48416 CSV - WP2.9 Check if the setting is enabled when displaying the csv format on exportFormats
-- PB-48419 REACT18 - Update the components to use functional setState
-- PB-48425 REACT18 - Form validation should not check errors in the state for component
-- PB-48470 Create ColumnTagsModel component
-- PB-48471 TAGRID-1.2 Create CellTags component and make it resizable
-- PB-48472 TAGRID-1.3 Add ColumnTagsModel and CellTags to DisplayResourcesList
-- PB-48473 TAGRID-1.4 Clicking on a tag should filter the workspace
-- PB-48521 Harmonise tags style
-- PB-48553 SAF - Use webNavigation instead of tab update to improve navigation performances
-- PB-49070 REACT18 - Migrate SSOContext for react-extension
-- PB-49085 REACT18 - Migrate tests to remove legacyRoot true
-- PB-49092 TAGRID-1.6 Hovering the tag on the resource detail should display tooltip
-- PB-49106 CSV - WP2.2 Implement the exportPoliciesSettingsEntity
-- PB-49107 CSV - WP2.3 Implement the exportPoliciesSettingsApiService
-- PB-49108 CSV - WP2.4 Implement the findExportPoliciesSettingsService
-- PB-49109 CSV - WP2.5 Implement findExportPoliciesSettingsController
-- PB-49110 CSV - WP2.7 Implement exportPoliciesSettingsServiceWorkerService
-- PB-49134 REACT18 - Migrate ApiAppContext
-- PB-49137 CSV - WP2.8 Implement the ExportPoliciesContext
-- PB-49138 CSV - WP2.6 Add event to find export policies settings
-- PB-49172 REACT18 - Rename method in DisplaySelfRegistrationAdminstration
-- PB-49248 REACT 18 - Revert functional setstate
-- PB-49262 REACT18 - revert functional setstate in contexts and components
-- PB-49270 SAF - Fix Safari Users settings for Duo MFA configuration
-- PB-49293 TOTP Autofill
-- PB-49294 Send TOTP through port to fill from in-form menu or quickaccess
+- PB-49733 SMTP-OAUTH - WP2.1 Update SmtpSettingsService to SmtpSettingsApiService
+- PB-49734 SMTP-OAUTH - WP1.1 Create the SmtpSettingsEntity
+- PB-49737 SMTP-OAUTH - WP2.2 Update SmtpTestSettingsService to SmtpTestSettingsApiService
+- PB-49738 SMTP-OAUTH - WP2.3 Split SmtpSettingsModel to new architecture pattern
+- PB-49739 SMTP-OAUTH - WP2.4 Split SmtpTestSettingsModel to new architecture pattern
+- PB-49740 SMTP-OAUTH - WP3.1 Adapt context with the new SMTP entities
+- PB-49741 SMTP-OAUTH - WP3.2 Adapt ManageSmtpAdministationSettings to handle the new OAUTH fields
+- PB-50058 OAuth SMTP: add the new styleguide to backend
+- PB-50135 SSO with PingOne
+- PB-50157 Enable avatar upload for Safari
+- PB-50254 SCIM-WP1.2 Adapt form to handle the new date field and display warning message when expired
+- PB-50263 Add a username selector compatible with ProxMox
 
 ### Fixed
-- PB-48468 Fix layout when an announcement is visible
-- PB-49330 Alignment issues in 2FA Yubikey login page
+- PB-46678 Fix quickaccess closing issue on Safari
+- PB-49237 DisplayUserBadgeMenu attention required should be displayed on Administration page served by API
+- PB-49287 When deleting a user, the URL must changed not to reference the deleted user id
+- PB-49476 Fix autofill for websites using identifier as name for username field
+- PB-49619 Fix username input field selector for OVH
+- PB-49849 Sync generator password policy with the administration after save
+- PB-49866 Fix the expiry column in the resource workspace grid is not present anymore
+- PB-49882 Fix username input field selector for Supermicro IPMI WebUI
+- PB-50023 Fix multifield OTP selector matching hidden inputs
+- PB-50077 Fix React router issue that reloads the page unexpectedly
+- PB-50177 Fix autofill issues for two websites
 
 ### Maintenance
-- PB-47191 Review Dependabot alert for useless regular expression escape in browser extension
-- PB-47542 Add unit tests to roleApiService
-- PB-47713 REACT18- 10.2 Implement migration for QuickAccess
-- PB-48088 Remove console errors related to pagemod page detection
-- PB-48242 Remove dev phantom dependencies
-- PB-48375 Add tests to gpg user id parser
-- PB-48467 Add unit test to improve coverage on Allowed Content type page
-- PB-49472 Remove unnecessary permissions from entitlements and project
-- PB-49631 Optimize getFirst function
+- PB-49129 Delegate tab opening to service worker in order to send all cookie via Safari
+- PB-49459 Timeouts not cleared properly when filtering resources/users grids by keywords
+- PB-49705 Add missing TOTP unit tests
+- PB-49730 Setup an environment for publishing to npmjs registry
+- PB-49998 Add required `data_collection_permissions` for Firefox and set it to `none`
+- PB-50013 Make Safari download custom avatars
+- PB-50118 Major upgrade for locutus (Critical) - passbolt-browser-extension
+- PB-50158 Add Safari enablement through a feature flag
+- PB-50200 Move the logic of passbolt.groups.create to GroupCreateController
+- PB-50201 Update group create call in groupApiService to contain "my_group_user" as urlOptions
+- PB-50202 Add supported formats documentation link in export dialog
+- PB-50225 Create a CreateGroupService.js file and move the create call to api service inside it
+- PB-50338 - Fix phantom @babel/preset-react
 
 ### Security
-- PB-48025 Major upgrade for pino (Medium) - passbolt-browser-extension
-- PB-48039 Small upgrade for validator (Medium) - styleguide
-- PB-48256 Small upgrade for lodash-es (Medium) - all-projects
-- PB-48257 Small upgrade for lodash (Medium) - all projects
-- PB-48527 Small upgrade for locutus (Critical) - passbolt-windows
-- PB-48535 NPM - Remove now unnecessary overrides in package.json for styleguide and bext
-- PB-49119 Remove dev phantom dependencies - node-fetch
-- PB-49120 Remove dev phantom dependencies - history
-- PB-49121 Remove dev phantom dependencies - expect
-- PB-49369 Fix GCVE-0-2026-2391 - Medium CVSS4.0
-- PB-49372 Fix GCVE-0-2025-68458 & GCVE-0-2025-68157 - LOW CVSS3.1
-- PB-49373 Fix GCVE-0-2026-25547 - CRITICAL CVSS4.0
-- PB-49432 Fix GCVE-0-2025-69873 - MEDIUM CVSS4.0
-- PB-49452 Fix GHSA-3ppc-4f35-3m26 - HIGH CVSS4.0
-- PB-49454 Update CSPs to allow inline <style> in SVGs
+- PB-49608 Fix ReDoS vulnerability in PGP armor regex validation
+- PB-50271 Fix GHSA-25h7-pfq9-p65f - HIGH CVSS3.1
+- PB-50272 Fix brace-expansion vulnerabilities

package/build-safari-extension/Passbolt-Safari-Extension/Passbolt - password manager Extension/services/fetch/fetchService.swift

@@ -23,6 +23,14 @@
 
 import Foundation
 
+private extension Data {
+    mutating func append(_ string: String) {
+        if let data = string.data(using: .utf8) {
+            append(data)
+        }
+    }
+}
+
 final class FetchService {
 
     // Runs a fetch on the API with profile isolation.
@@ -35,19 +43,31 @@ final class FetchService {
     //   profileUUID: The Safari profile UUID for session isolation
     static func fetch(url: URL, options: [String: Any], profileUUID: String) async throws -> [String: Any] {
         let method = options["method"] as? String ?? "GET"
-        let body = options["body"] as? String ?? ""
         let headers = options["headers"] as? [String: String] ?? [:]
         let cookies = options["cookies"] as? String
 
         var httpRequest = URLRequest(url: url)
         httpRequest.httpMethod = method
-        httpRequest.httpBody = body.data(using: .utf8)
+
+        // Build the body: structured FormData array (may contain files) or plain string
+        if let formDataArray = options["body"] as? [[String: Any]] {
+            let boundary = UUID().uuidString
+            httpRequest.httpBody = buildMultipartBody(formDataArray: formDataArray, boundary: boundary)
+            httpRequest.setValue("multipart/form-data; boundary=\(boundary)", forHTTPHeaderField: "Content-Type")
+        } else {
+            let body = options["body"] as? String ?? ""
+            httpRequest.httpBody = body.data(using: .utf8)
+        }
 
         // SECURITY: Add cache-control headers to prevent response caching
         httpRequest.setValue("no-cache, no-store, must-revalidate", forHTTPHeaderField: "Cache-Control")
         httpRequest.setValue("no-cache", forHTTPHeaderField: "Pragma")
 
         for header in headers {
+            // Skip Content-Type when we already set it for multipart
+            if header.key.lowercased() == "content-type" && httpRequest.value(forHTTPHeaderField: "Content-Type")?.contains("multipart") == true {
+                continue
+            }
             httpRequest.setValue(String(describing: header.value), forHTTPHeaderField: String(describing: header.key))
         }
 
@@ -59,6 +79,74 @@ final class FetchService {
         return try await doFetch(request: httpRequest, profileUUID: profileUUID)
     }
 
+    /// Build a multipart/form-data body from the structured FormData array sent by JavaScript.
+    /// Each entry has: key, value, type ("SCALAR" or "FILE"), and optionally name (for files).
+    /// File values use the data URL format: "data:<mimeType>;base64,<base64Data>"
+    private static func buildMultipartBody(formDataArray: [[String: Any]], boundary: String) -> Data {
+        var body = Data()
+
+        for entry in formDataArray {
+            guard let key = entry["key"] as? String,
+                  let value = entry["value"] as? String,
+                  let type = entry["type"] as? String else {
+                continue
+            }
+
+            let sanitizedKey = sanitizeHeaderValue(key)
+            body.append("--\(boundary)\r\n")
+
+            if type == "FILE" {
+                let rawFilename = entry["name"] as? String ?? "file"
+                let sanitizedFilename = sanitizeFilename(rawFilename)
+                let (mimeType, fileData) = decodeDataURL(value)
+                let sanitizedMimeType = sanitizeHeaderValue(mimeType)
+
+                body.append("Content-Disposition: form-data; name=\"\(sanitizedKey)\"; filename=\"\(sanitizedFilename)\"\r\n")
+                body.append("Content-Type: \(sanitizedMimeType)\r\n\r\n")
+                body.append(fileData)
+                body.append("\r\n")
+            } else {
+                body.append("Content-Disposition: form-data; name=\"\(sanitizedKey)\"\r\n\r\n")
+                body.append("\(value)\r\n")
+            }
+        }
+
+        body.append("--\(boundary)--\r\n")
+        return body
+    }
+
+    /// Sanitize a filename for use in Content-Disposition headers.
+    /// Strips path traversal components, quotes, and CRLF characters.
+    private static func sanitizeFilename(_ raw: String) -> String {
+        let nameOnly = raw.components(separatedBy: CharacterSet(charactersIn: "/\\")).last ?? "file"
+        return sanitizeHeaderValue(nameOnly)
+    }
+
+    /// Sanitize a value interpolated into an HTTP header by removing quotes and CRLF.
+    private static func sanitizeHeaderValue(_ raw: String) -> String {
+        raw.replacingOccurrences(of: "\"", with: "")
+           .replacingOccurrences(of: "\r", with: "")
+           .replacingOccurrences(of: "\n", with: "")
+    }
+
+    /// Decode a data URL (e.g. "data:image/png;base64,iVBOR...") into its MIME type and binary data.
+    private static func decodeDataURL(_ dataURL: String) -> (mimeType: String, data: Data) {
+        let parts = dataURL.components(separatedBy: ",")
+        guard parts.count == 2,
+              let base64Data = Data(base64Encoded: parts[1]) else {
+            return ("application/octet-stream", Data())
+        }
+
+        // Extract MIME type from "data:image/png;base64"
+        let header = parts[0]
+        let mimeType = header
+            .replacingOccurrences(of: "data:", with: "")
+            .components(separatedBy: ";")
+            .first ?? "application/octet-stream"
+
+        return (mimeType, base64Data)
+    }
+
     // The actual fetch sent to the API using a profile-isolated session
     private static func doFetch(request: URLRequest, profileUUID: String) async throws -> [String: Any] {
         // SECURITY: Use profile-specific session, NEVER URLSession.shared

package/eslint.config.mjs

@@ -1,5 +1,4 @@
 import globals from "globals";
-import babelParser from "@babel/eslint-parser";
 import path from "path";
 import { fileURLToPath } from "url";
 
@@ -32,18 +31,13 @@ export default [
     files: ["**/*.{js,jsx,mjs,cjs}"],
 
     languageOptions: {
-      parser: babelParser,
       ecmaVersion: 2024,
       sourceType: "module",
 
       parserOptions: {
-        requireConfigFile: false,
         ecmaFeatures: {
           jsx: true,
         },
-        babelOptions: {
-          presets: ["@babel/preset-react"],
-        },
       },
 
       globals: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "passbolt-browser-extension",
-  "version": "5.10.3",
+  "version": "5.11.1",
   "license": "AGPL-3.0",
   "copyright": "Copyright 2025 Passbolt SA",
   "description": "Passbolt web extension for the open source password manager for teams",
@@ -19,10 +19,9 @@
     "ip-regex": "^5.0.0",
     "jssha": "~3.3.1",
     "kdbxweb": "2.1.1",
-    "locutus": "~2.0.39",
     "openpgp": "^6.1.1",
     "papaparse": "^5.5.2",
-    "passbolt-styleguide": "5.10.5",
+    "passbolt-styleguide": "^5.11.3",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "secrets-passbolt": "github:passbolt/secrets.js#v2.0.1",
@@ -33,31 +32,30 @@
   },
   "devDependencies": {
     "@babel/core": "^7.23.2",
-    "@babel/eslint-parser": "^7.22.9",
     "@babel/helpers": "^7.26.10",
     "@babel/plugin-transform-runtime": "^7.22.9",
     "@babel/preset-env": "^7.22.9",
-    "@babel/preset-react": "^7.22.5",
+    "@babel/preset-react": "^7.28.5",
     "@babel/runtime": "^7.27.0",
     "@babel/runtime-corejs3": "^7.26.10",
-    "@eslint/js": "^9.37.0",
+    "@eslint/js": "^9.39.4",
     "@svgr/webpack": "^8.1.0",
     "babel-jest": "^29.6.2",
     "babel-loader": "^8.2.3",
     "buffer": "^6.0.3",
     "crx": "^5.0.1",
-    "eslint": "^9.37.0",
+    "eslint": "^9.39.4",
     "eslint-config-prettier": "^10.1.8",
     "eslint-import-resolver-alias": "^1.1.2",
     "eslint-plugin-import": "^2.32.0",
-    "eslint-plugin-jest": "^29.0.1",
-    "eslint-plugin-n": "^17.23.1",
-    "eslint-plugin-no-unsanitized": "^4.1.4",
-    "eslint-plugin-prettier": "^5.5.4",
+    "eslint-plugin-jest": "^29.15.1",
+    "eslint-plugin-n": "^17.24.0",
+    "eslint-plugin-no-unsanitized": "^4.1.5",
+    "eslint-plugin-prettier": "^5.5.5",
     "eslint-plugin-promise": "^7.2.1",
     "eslint-plugin-react": "^7.37.5",
-    "eslint-plugin-regexp": "^2.10.0",
-    "eslint-plugin-security": "^3.0.1",
+    "eslint-plugin-regexp": "^3.1.0",
+    "eslint-plugin-security": "^4.0.0",
     "filereader": "^0.10.3",
     "formdata-node": "^6.0.3",
     "globals": "^16.4.0",

package/src/all/background_page/controller/auth/authLogoutController.js

@@ -54,8 +54,17 @@ class AuthLogoutController {
       return;
     }
 
-    const url = this.apiClientOptions.getBaseUrl().toString();
-    await browser.tabs.update(this.worker.tab.id, { url });
+    /*
+     * Use tabs.reload instead of tabs.update to ensure the page is fully
+     * reloaded from the server. A tabs.update navigation may restore the
+     * page from the browser's Back/Forward Cache (BFCache), resulting in
+     * a stale page with a dead extension message port after sign-out.
+     *
+     * See: PB-50644
+     */
+    await browser.tabs.reload(this.worker.tab.id);
+    // const url = this.apiClientOptions.getBaseUrl().toString();
+    // await browser.tabs.update(this.worker.tab.id, { url });
   }
 }
 

package/src/all/background_page/controller/auth/authLogoutController.test.js

@@ -34,7 +34,7 @@ describe("AuthLogoutController", () => {
     });
 
     it("Should sign-out the user and redirect after.", async () => {
-      expect.assertions(3);
+      expect.assertions(2);
       const logoutSpy = jest.spyOn(AuthModel.prototype, "logout").mockImplementation(() => {});
 
       const worker = {
@@ -48,10 +48,19 @@ describe("AuthLogoutController", () => {
       await controller.exec(true);
 
       expect(logoutSpy).toHaveBeenCalledTimes(1);
-      expect(browser.tabs.update).toHaveBeenCalledTimes(1);
-      expect(browser.tabs.update).toHaveBeenCalledWith(worker.tab.id, {
-        url: apiClientOptions.getBaseUrl().toString(),
-      });
+      expect(browser.tabs.reload).toHaveBeenCalledTimes(1);
+      /*
+       * Use tabs.reload instead of tabs.update to ensure the page is fully
+       * reloaded from the server. A tabs.update navigation may restore the
+       * page from the browser's Back/Forward Cache (BFCache), resulting in
+       * a stale page with a dead extension message port after sign-out.
+       *
+       * See: PB-50644
+       */
+      // expect(browser.tabs.update).toHaveBeenCalledTimes(1);
+      // expect(browser.tabs.update).toHaveBeenCalledWith(worker.tab.id, {
+      //   url: apiClientOptions.getBaseUrl().toString(),
+      // });
     });
   });
 });

package/src/all/background_page/controller/group/groupCreateController.js

@@ -0,0 +1,58 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         5.11.0
+ */
+import CreateGroupService from "../../service/group/createGroupService";
+import GroupEntity from "../../model/entity/group/groupEntity";
+
+class GroupCreateController {
+  /**
+   * GroupCreateController constructor
+   *
+   * @param {Worker} worker
+   * @param {string} requestId
+   * @param {ApiClientOptions} apiClientOptions the api client options
+   * @param {AccountEntity} account The account associated to the worker.
+   */
+  constructor(worker, requestId, apiClientOptions, account) {
+    this.worker = worker;
+    this.requestId = requestId;
+    this.createGroupService = new CreateGroupService(apiClientOptions, account);
+  }
+
+  /**
+   * Controller executor.
+   * @param {object} groupDto The group data
+   * @returns {Promise<void>}
+   */
+  async _exec(groupDto) {
+    try {
+      const group = await this.exec(groupDto);
+      this.worker.port.emit(this.requestId, "SUCCESS", group);
+    } catch (error) {
+      console.error(error);
+      this.worker.port.emit(this.requestId, "ERROR", error);
+    }
+  }
+
+  /**
+   * Create a group.
+   * @param {object} groupDto The group data
+   * @returns {Promise<GroupEntity>}
+   */
+  async exec(groupDto) {
+    const groupEntity = new GroupEntity(groupDto);
+    return this.createGroupService.create(groupEntity);
+  }
+}
+
+export default GroupCreateController;