passbolt-browser-extension 5.11.1 → 5.12.1

package/.devcontainer/Dockerfile

@@ -0,0 +1,15 @@
+FROM mcr.microsoft.com/devcontainers/typescript-node:22
+
+RUN npm install -g @aikidosec/safe-chain \
+ && install -d -o node -g node /home/node/.safe-chain \
+ && su node -c "safe-chain setup-ci"
+COPY --chown=node:node safe-chain-config.json /home/node/.safe-chain/config.json
+COPY safe-chain-shims.sh /etc/profile.d/safe-chain-shims.sh
+RUN chmod 0644 /etc/profile.d/safe-chain-shims.sh \
+ && printf '\n# Force safe-chain shims to front of PATH for non-login shells\n[ -f /etc/profile.d/safe-chain-shims.sh ] && . /etc/profile.d/safe-chain-shims.sh\n' \
+    >> /etc/bash.bashrc
+ENV PATH="/home/node/.safe-chain/shims:${PATH}"
+
+RUN curl -fsSL https://claude.ai/install.sh | bash -s stable \
+    && cp /root/.local/bin/claude /usr/local/bin/claude
+

package/.devcontainer/devcontainer.json

@@ -0,0 +1,31 @@
+// @see: https://containers.dev/implementors/json_reference/#general-properties
+{
+  "name": "[passbolt-browser-extension] Devcontainer",
+  "dockerComposeFile": "docker-compose.yml",
+  "service": "devcontainer",
+  "workspaceFolder": "/workspaces/passbolt-browser-extension",
+  "features": {
+    "ghcr.io/devcontainers/features/git:1": {}
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "Anthropic.claude-code",
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "Orta.vscode-jest"
+      ]
+    },
+    "jetbrains": {
+      "plugins": [
+        "com.anthropic.code.plugin",
+        "com.intellij.reactivestreams",
+        "intellij.prettierJS"
+      ]
+    }
+  },
+  "remoteUser": "node",
+  "initializeCommand": "mkdir -p ${localEnv:HOME}/.claude/managed-settings && cp \"/Library/Application Support/ClaudeCode/managed-settings.json\" ${localEnv:HOME}/.claude/managed-settings/ 2>/dev/null || true",
+  "postCreateCommand": "npm install && echo 'Dev environment is ready!'",
+  "postStartCommand": "chmod +x .devcontainer/post-start.sh && .devcontainer/post-start.sh"
+}

package/.devcontainer/docker-compose.yml

@@ -0,0 +1,11 @@
+services:
+  devcontainer:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: passbolt-browser-extension-devcontainer
+    volumes:
+      - ..:/workspaces/passbolt-browser-extension:cached
+      - ${HOME}/.claude:/home/node/.claude:cached
+      - ${HOME}/.claude/managed-settings:/etc/claude-code:ro
+    command: sleep infinity

package/.devcontainer/post-start.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+echo "==> Checking Claude mounts..."
+ERRORS=0
+
+if [ ! -d "$HOME/.claude" ]; then
+  echo "ERROR: ~/.claude directory is not mounted"
+  ERRORS=$((ERRORS + 1))
+else
+  echo "OK: ~/.claude directory is mounted"
+fi
+
+if [ "$ERRORS" -gt 0 ]; then
+  echo "WARNING: $ERRORS mount(s) missing. Claude Code may not work correctly."
+fi
+
+echo "==> Updating Claude Code..."
+curl -fsSL https://claude.ai/install.sh | bash -s stable
+claude --version

package/.devcontainer/safe-chain-config.json

@@ -0,0 +1,6 @@
+{
+  "minimumPackageAgeHours": 48,
+  "npm": {
+    "minimumPackageAgeExclusions": ["@passbolt/*", "@aikidosec/*"]
+  }
+}

package/.devcontainer/safe-chain-shims.sh

@@ -0,0 +1,10 @@
+# Force the safe-chain shims dir to the FRONT of PATH on every shell start.
+# VS Code's remote terminal layer can re-prepend nvm / npm-global after the
+# Dockerfile's ENV PATH ran, which would otherwise push the shims behind
+# corepack-managed pnpm/yarn under /usr/local/share/npm-global/bin.
+if [ -d "$HOME/.safe-chain/shims" ]; then
+    _sc_shims="$HOME/.safe-chain/shims"
+    PATH=$(printf ':%s:' "$PATH" | sed -e "s|:$_sc_shims:|:|g" -e 's|^:||' -e 's|:$||')
+    export PATH="$_sc_shims:$PATH"
+    unset _sc_shims
+fi

package/CHANGELOG.md

@@ -4,6 +4,72 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [5.12.1] - 2026-05-12
+### Fixed
+- PB-51546 On Safari after log out, the login page does not show until the page is refreshed
+- PB-51547 On Safari after log in, some pages take a lot of time to display
+
+## [5.12.0] - 2026-05-12
+### Added
+- PB-51015 Add PIN code resource type in resourceTypeSchemasDefinition
+- PB-51016 Handle PIN code in resourceTypeEntity
+- PB-51017 Handle PIN code in resourceTypesCollection
+- PB-51019 PINCODE - 1.5 Create secretDataV5StandalonePinCodeEntity  and add...
+- PB-51020 PINCODE - 1.6 Add pin code to ResourceEditCreateFormEnumerationTypes
+- PB-51023 Update resourceTypesFormEntity to handle the new pin code resource type
+- PB-51046 PINCODE - 3.2 Adapt ExternalResourceEntity to handle the pin code resource type schema
+- PB-51047 PINCODE - 3.3 Adapt ExportResourcesService to handle the mapping of pin code
+- PB-51048 PINCODE - 3.4 Adapt resourcesKdbxImportParser and to map pin code in case it exist to the correct resource types
+- PB-51049 Add PIN code icon to passboltDefaultResourceTypeIcons.data
+- PB-51050 Update DisplayContentTypesAllowedContentTypesAdministration to handle PIN code
+- PB-51051 Add the pin code resource type to DisplayResourceCreationMenu
+- PB-51052 Add PIN code in SelectResourceForm
+- PB-51053 Create the new pin code resource type form
+- PB-51054 Adapt OrchestrateResourceForm to handle the new AddResourcePinCode
+- PB-51055 Create the new DisplayResourceDetailsPinCode to display the pin code into detail
+- PB-51056 PINCODE - 3.5 Adapt resourcesKdbxExporter and to map pin code in case it exist to the correct resource types
+- PB-51073 PINCODE - 2.8 Add pin code into the grid
+- PB-51201 Fix notes-related issues
+- PB-51246 Add pin code to workspace create menu
+
+### Fixed
+- PB-49888 The contents of Resource Creation Progress Dialog always shows Creating Password
+- PB-50166 Fix break vs continue bug in MoveResourcesService batch permission calculation
+- PB-50535 DisplayuserbadgeMenu should display attention required on page served by API if MFA is required
+- PB-50617 Add PingOne redirect URL field
+- PB-50945 Fix expired session when port is disconnected
+- PB-51012 Hide 'set expired' option for already expired resources
+- PB-51018 Tighten fields selectors to avoid false positives
+- PB-51077 Fix typo "susccessfully" to "successfully"
+
+### Security
+- PB-50623 Fix GHSA-2328-f5f3-gj25 (HIGH)
+- PB-50877 Fix undici GHSA-f269-vfmq-vjvj - MEDIUM CVSS3.1
+- PB-50906 Fix svgo GHSA-xpqw-6gx7-v673 - HIGH CVSS3.1
+- PB-50907 Fix flatted GHSA-rf6f-7fwh-wjgh - HIGH CVSS4.0
+- PB-50908 Fix @xmldom/xmldom GHSA-wh4c-j3r5-mjhp - HIGH CVSS3.1
+- PB-50920 Upgrade webpack-cli
+- PB-50921 Upgrade web-ext
+- PB-51060 Fix protocol-buffers-schema GHSA-j452-xhg8-qg39 - MEDIUM CVSS3.1
+- PB-51151 Fix i18next-http-backend GHSA-r5fr-rjxr-66jc - MEDIUM CVSS3.1
+- PB-51152 Fix uuid GHSA-w5hq-g745-h8pq - MEDIUM CVSS3.1
+- PB-51170 Fix @xmldom/xmldom GHSA-2v35-w6hq-6mfw - HIGH CVSS4.0
+- PB-51179 Investigate and/or enforce package cool down mechanism with safe-chain or npm or both
+
+### Maintenance
+- PB-50224 Add devcontainer to bext
+- PB-50301 removed GitLab CI definition as it's been moved to the ci-definitions repo
+- PB-50340 Small upgrade for picomatch (Medium)
+- PB-51086 keep notify expired session tests skipping
+
+## [5.11.2] - 2026-04-22
+### Fixed
+- PB-51067 - Rework TOTP selectors
+
+## [5.11.1] - 2026-04-09
+### Fixed
+-  PB-50644 - Fix browser extension port messaging failure after logout caused by Chrome 147 BFCache changes
+
 ## [5.11.0] - 2026-04-07
 ### Added
 - PB-49733 SMTP-OAUTH - WP2.1 Update SmtpSettingsService to SmtpSettingsApiService
@@ -2655,10 +2721,22 @@ self registration settings option in the left-side bar
 - AP: User with plugin installed
 - LU: Logged in user
 
-[Unreleased]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.9.0...HEAD
-[5.9.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.8.0...5.9.0
-[5.8.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.7.0...5.8.0
-[5.7.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.6.0...5.7.0
+[Unreleased]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.12.1...HEAD
+[5.12.1]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.12.0...v5.12.1
+[5.12.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.11.3...v5.12.0
+[5.11.3]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.11.2...v5.11.3
+[5.11.2]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.11.1...v5.11.0
+[5.11.1]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.11.0...v5.11.1
+[5.11.1]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.11.0...v5.11.1
+[5.11.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.10.4...v5.11.0
+[5.10.4]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.10.3...v5.10.4
+[5.10.3]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.10.2...v5.10.3
+[5.10.2]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.10.1...v5.10.2
+[5.10.1]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.10.0...v5.10.1
+[5.10.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.9.0...v5.10.0
+[5.9.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.8.0...v5.9.0
+[5.8.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.7.0...v5.8.0
+[5.7.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.6.0...v5.7.0
 [5.6.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.5.1...v5.6.0
 [5.5.1]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.5.0...v5.5.1
 [5.5.0]: https://github.com/passbolt/passbolt_browser_extension/compare/v5.4.1...v5.5.0

package/RELEASE_NOTES.md

@@ -1,97 +1,5 @@
-Passbolt 5.11.0 introduces improvements to enterprise authentication and integration capabilities, alongside continued security hardening.
-
-This release adds support for OAuth-based SMTP authentication for Microsoft Exchange Online and expands SSO coverage with PingOne. It also includes the finalisation of SCIM following external audit fixes.
-
-## SMTP OAuth support for Microsoft Exchange Online 
-
-Passbolt 5.11 introduces OAuth 2.0 support for SMTP with Microsoft Exchange Online, replacing legacy username/password authentication.
-
-Administrators can configure the OAuth (Client Credentials) method by registering an application in Microsoft Entra ID and providing the required tenant ID, client ID, client secret, and service account email.
-
-At runtime, Passbolt retrieves short-lived access tokens to authenticate SMTP connections without user interaction, improving security and aligning with modern authentication standards.
-
-
-## PingOne SSO support (Passbolt Pro)
-
-Passbolt 5.11 adds support for PingOne as a new SSO provider, enabling organisations to authenticate users via their existing Ping Identity infrastructure.
-
-The integration is based on OpenID Connect (OIDC) using the Authorization Code flow, with Passbolt delegating authentication to PingOne and receiving a verified user identity via ID tokens.
-
-Administrators can configure PingOne from the SSO settings using the required environment ID, client ID, client secret, and base URL, with a dry-run option available to validate the setup before activation. Once enabled, users are redirected to PingOne for authentication and seamlessly logged into Passbolt, including during account recovery.
-
-This addition expands Passbolt’s SSO coverage for enterprise environments and removes a key adoption blocker for organisations standardised on Ping Identity.
-
-## SCIM: audit fixes and general availability (Passbolt Pro)
-
-Following the external security audit conducted by Cure53, this release includes fixes addressing the identified findings in the SCIM provisioning implementation.
-
-With these changes, SCIM is now considered stable and exits beta.
-
-The audit-driven improvements strengthen validation, error handling, and overall robustness of the provisioning flow. SCIM is now ready for production use in environments requiring automated user lifecycle management.
-
-## Security improvements
-
-This release continues the ongoing security hardening effort across the platform.
-
-In addition to the SCIM audit fixes, improvements have been made to align with external audit recommendations and reduce potential attack surface in authentication and integration layers.
-
-## Maintenance & performance
-
-This release includes general performance improvements, particularly around background job processing and email delivery workflows.
-
-Email-related operations are now more efficient and better distributed, reducing bottlenecks in high-load environments.
-
-As usual, additional optimisations are already in progress for upcoming releases.
-
-## Conclusion
-
-As usual, the release is also packed with additional improvements and fixes. Check out the changelog to learn more.
-
-Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!
-
-### Added
-- PB-49733 SMTP-OAUTH - WP2.1 Update SmtpSettingsService to SmtpSettingsApiService
-- PB-49734 SMTP-OAUTH - WP1.1 Create the SmtpSettingsEntity
-- PB-49737 SMTP-OAUTH - WP2.2 Update SmtpTestSettingsService to SmtpTestSettingsApiService
-- PB-49738 SMTP-OAUTH - WP2.3 Split SmtpSettingsModel to new architecture pattern
-- PB-49739 SMTP-OAUTH - WP2.4 Split SmtpTestSettingsModel to new architecture pattern
-- PB-49740 SMTP-OAUTH - WP3.1 Adapt context with the new SMTP entities
-- PB-49741 SMTP-OAUTH - WP3.2 Adapt ManageSmtpAdministationSettings to handle the new OAUTH fields
-- PB-50058 OAuth SMTP: add the new styleguide to backend
-- PB-50135 SSO with PingOne
-- PB-50157 Enable avatar upload for Safari
-- PB-50254 SCIM-WP1.2 Adapt form to handle the new date field and display warning message when expired
-- PB-50263 Add a username selector compatible with ProxMox
+Passbolt 5.12.1 fixes some slowlyness issues on Safari during navigation
 
 ### Fixed
-- PB-46678 Fix quickaccess closing issue on Safari
-- PB-49237 DisplayUserBadgeMenu attention required should be displayed on Administration page served by API
-- PB-49287 When deleting a user, the URL must changed not to reference the deleted user id
-- PB-49476 Fix autofill for websites using identifier as name for username field
-- PB-49619 Fix username input field selector for OVH
-- PB-49849 Sync generator password policy with the administration after save
-- PB-49866 Fix the expiry column in the resource workspace grid is not present anymore
-- PB-49882 Fix username input field selector for Supermicro IPMI WebUI
-- PB-50023 Fix multifield OTP selector matching hidden inputs
-- PB-50077 Fix React router issue that reloads the page unexpectedly
-- PB-50177 Fix autofill issues for two websites
-
-### Maintenance
-- PB-49129 Delegate tab opening to service worker in order to send all cookie via Safari
-- PB-49459 Timeouts not cleared properly when filtering resources/users grids by keywords
-- PB-49705 Add missing TOTP unit tests
-- PB-49730 Setup an environment for publishing to npmjs registry
-- PB-49998 Add required `data_collection_permissions` for Firefox and set it to `none`
-- PB-50013 Make Safari download custom avatars
-- PB-50118 Major upgrade for locutus (Critical) - passbolt-browser-extension
-- PB-50158 Add Safari enablement through a feature flag
-- PB-50200 Move the logic of passbolt.groups.create to GroupCreateController
-- PB-50201 Update group create call in groupApiService to contain "my_group_user" as urlOptions
-- PB-50202 Add supported formats documentation link in export dialog
-- PB-50225 Create a CreateGroupService.js file and move the create call to api service inside it
-- PB-50338 - Fix phantom @babel/preset-react
-
-### Security
-- PB-49608 Fix ReDoS vulnerability in PGP armor regex validation
-- PB-50271 Fix GHSA-25h7-pfq9-p65f - HIGH CVSS3.1
-- PB-50272 Fix brace-expansion vulnerabilities
+- PB-51546 On Safari after log out, the login page does not show until the page is refreshed
+- PB-51547 On Safari after log in, some pages take a lot of time to display