2026.04.02

This week's push hero is @eviljeff

Previous Release: 2026.03.19-1

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

Addons Server Changelog:

What's Changed

Notable things shipping

• Fix softening of blocks on unban by @diox in #24620
• AMOENG-2377 - Introduce an email lookup API endpoint by @bakulf in #24591
• Add a service_account (UserProfile) FK to ScannerWebhook by @willdurand in #24621
• Remove ohfp from headers that trigger session anomalies, it creates too much noise by @diox in #24624
• Remove obsolete CSS that affect fonts by @diox in #24625
• upgrade django to 5.2 by @eviljeff in #24614
• Wrap long JSON scanner results in the admin by @willdurand in #24622
• Denying an appeal on Listing Content Rejection should drop requested by @eviljeff in #24632
• Introduce a new API endpoint to let scanners push their results by @willdurand in #24601
• Font in developer/reviewer replies in devhub shouldn't be monospace by @diox in #24643
• Move upload source step after details in submission flow by @willdurand in #24589
• Hide API key secret after generation by @diox in #24641
• add tasks that submit new addons and changes for content review to cinder by @eviljeff in #24642
• Update and restyle how we expose listing content rejection in devhub by @diox in #24647
• Expose number of matched add-ons on scanner results (and query results) page by @diox in #24652
• Fix clipboard interaction in manage API key page by @diox in #24654
• Update the style of the scanner details in the reviewer tools by @willdurand in #24633
• Simplify DiscoveryAddon admin filtering by promoted group by @diox in #24655
• Tweak css to better display the narc results in the reviewer tools by @willdurand in #24663
• Additional confusable characters by @diox in #24665
• AMOENG-2407 - Introduce a new serializer for the lookup API endpoint and account retrieval with the Users:Lookup permission by @bakulf in #24653
• Add triggers for new addons and metadata change to submit to Cinder by @eviljeff in #24662
• AMOENG-2401 - support form in devhub by @bakulf in #24646
• Don't consider i18n placeholders as regexp syntax by @diox in #24678
• Add is_active field to ScannerWebhookEvent to prevent data loss when updating events bound to a webhook scanner by @willdurand in #24664

Dependendabots

• Bump less from 4.5.1 to 4.6.2 by @dependabot[bot] in #24619
• Bump less from 4.6.2 to 4.6.3 by @dependabot[bot] in #24623
• Bump flatted from 3.4.1 to 3.4.2 by @dependabot[bot] in #24626
• Bump @vitest/eslint-plugin from 1.6.10 to 1.6.11 by @dependabot[bot] in #24630
• Bump ruff from 0.15.5 to 0.15.6 in /requirements by @dependabot[bot] in #24627
• Bump @vitest/eslint-plugin from 1.6.11 to 1.6.12 by @dependabot[bot] in #24636
• Bump picomatch by @dependabot[bot] in #24656
• Bump knip from 5.86.0 to 5.88.0 by @dependabot[bot] in #24648
• Bump sentry-sdk from 2.54.0 to 2.55.0 in /requirements by @dependabot[bot] in #24651
• Bump addons-linter from 10.1.0 to 10.2.0 by @dependabot[bot] in #24649
• Bump @babel/preset-env from 7.29.0 to 7.29.2 by @dependabot[bot] in #24644
• Bump vitest from 4.0.18 to 4.1.0 by @dependabot[bot] in #24628
• Bump pyjwt from 2.12.0 to 2.12.1 in /requirements by @dependabot[bot] in #24640
• Bump charset-normalizer from 3.4.5 to 3.4.6 in /requirements by @dependabot[bot] in #24639
• Bump requests from 2.32.5 to 2.33.0 in /requirements by @dependabot[bot] in #24657
• Bump imagesize from 1.4.1 to 2.0.0 in /requirements by @dependabot[bot] in #24585
• Bump pytz from 2025.2 to 2026.1.post1 in /requirements by @dependabot[bot] in #24581
• Bump pyuwsgi from 2.0.30 to 2.0.30.post1 in /requirements by @dependabot[bot] in #24559
• Bump dockerflow from 2026.1.26 to 2026.3.4 in /requirements by @dependabot[bot] in #24583
• Bump ruff from 0.15.6 to 0.15.7 in /requirements by @dependabot[bot] in #24667
• Bump stylelint from 17.4.0 to 17.5.0 by @dependabot[bot] in #24666
• Bump the google group across 1 directory with 4 updates by @dependabot[bot] in #24650
• Bump django-model-info from 2024.11.5 to 2026.3.1 in /requirements by @dependabot[bot] in #24637
• Bump protobuf from 6.33.5 to 6.33.6 in /requirements by @dependabot[bot] in #24658
• Bump googleapis-common-protos from 1.72.0 to 1.73.0 in /requirements by @dependabot[bot] in #24611
• Bump actions/checkout from 5 to 6 by @dependabot[bot] in #24179
• Bump brace-expansion by @dependabot[bot] in #24671
• Bump cryptography from 46.0.5 to 46.0.6 in /requirements by @dependabot[bot] in #24672
• Bump @vitest/eslint-plugin from 1.6.12 to 1.6.13 by @dependabot[bot] in #24675
• Bump eslint from 10.0.3 to 10.1.0 by @dependabot[bot] in #24674
• Bump less from 4.6.3 to 4.6.4 by @dependabot[bot] in #24635
• Bump djangorestframework from 3.16.1 to 3.17.0 in /requirements by @dependabot[bot] in #24661
• Bump pygments from 2.19.2 to 2.20.0 in /requirements by @dependabot[bot] in #24680
• Bump addons-linter from 10.2.0 to 10.3.0 by @dependabot[bot] in #24686
• Bump sentry-sdk from 2.55.0 to 2.56.0 in /requirements by @dependabot[bot] in #24685
• Bump stylelint-config-standard-less from 4.0.1 to 4.1.0 by @dependabot[bot] in #24684
• Bump vitest from 4.1.0 to 4.1.1 by @dependabot[bot] in #24683
• Bump google-cloud-storage from 3.10.0 to 3.10.1 in /requirements in the google group across 1 directory by @dependabot[bot] in #24673

Full Changelog: 2026.03.19...2026.04.02

2026.03.19-1

Cherry-pick for df47da3 on top of 2026.03.19

2026.03.19

This week's push hero is @diox

Previous Release: 2026.03.05-2

Before publishing this release:

• Switch addons-customs-scanner deploy job for stage & prod to use Node 22
• Make a new version of addons-customs-scanner, let it be deployed to stage

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

• Deploy addons-customs-scanner to prod. Verify that it's running Node 22.

Addons-Frontend Changelog:

mozilla/addons-frontend@2026.03.05...2025.03.19

Addons Server Changelog:

What's Changed

Notable things shipping

• Fix intermittent test failure by @willdurand in #24556
• Add a migration to remove the ScannerResult.state field entirely by @willdurand in #24555
• docs: remove scanner API docs in v4 by @willdurand in #24557
• Make ScannerResult.result field nullable by @willdurand in #24553
• Remove the ScannerResult.model_version field by @willdurand in #24564
• Handle 204 responses when calling webhooks by @willdurand in #24554
• Add a migration to remove the ScannerResult.model_version colum by @willdurand in #24562
• add allow_reasons for reject_listing_content action by @eviljeff in #24563
• Fix file permissions by @willdurand in #24561
• Update scanner pipeline docs by @willdurand in #24566
• Fix mass-block of add-ons with at least one version already blocked by @diox in #24569
• Add a new AutoApprovalSummary check to wait on scanners by @willdurand in #24533
• Add git, make, and jq to setup_and_configuration docs by @eviljeff in #24573
• Bump Node.js to 22.x by @diox in #24577
• docs: mark during_validation as deprecated by @willdurand in #24578
• Add explicit support for scanner annotations by @willdurand in #24572
• docs: move annotations section under webhook scanners by @willdurand in #24582
• Remove old IE CSS directives by @willdurand in #24590
• Add a new permission to download files by @willdurand in #24587
• Record which blocks were performed on ban for each user, revert them on unban by @diox in #24570
• rm unneeded django-dbbackup setting by @eviljeff in #24594
• Bump MySQL client (and server for local environments) to 8.4 by @diox in #24586
• django52 fixes by @eviljeff in #24588
• Additional confusables characters + deduping existing by @diox in #24612
• docs: update scanner example by @willdurand in #24615
• Get rid of pattern and span meta fields in narc scanner results by @willdurand in #24613
• List the permissions of a user in the scanner webhook and user admin pages by @willdurand in #24600
• correct email for cases when add-on will not be public despite approval by @eviljeff in #24606
• replace datetime.utcnow by @eviljeff in #24618

Dependendabots

• Bump @eslint/js from 9.39.2 to 10.0.1 by @dependabot[bot] in #24464
• Bump django from 4.2.28 to 4.2.29 in /requirements by @dependabot[bot] in #24565
• Bump stylelint from 17.3.0 to 17.4.0 by @dependabot[bot] in #24568
• Bump addons-linter from 9.9.1 to 10.0.0 by @dependabot[bot] in #24584
• Bump yara-x from 1.13.0 to 1.14.0 in /requirements by @dependabot[bot] in #24598
• Bump undici from 7.22.0 to 7.24.1 by @dependabot[bot] in #24603
• Bump yauzl and addons-linter by @dependabot[bot] in #24602
• Bump pyjwt from 2.11.0 to 2.12.0 in /requirements by @dependabot[bot] in #24604
• Bump flatted from 3.3.3 to 3.4.1 by @dependabot[bot] in #24605
• Bump knip from 5.85.0 to 5.86.0 by @dependabot[bot] in #24610
• Bump ruff from 0.15.2 to 0.15.5 in /requirements by @dependabot[bot] in #24595
• Bump drf-spectacular-sidecar from 2026.1.1 to 2026.3.1 in /requirements by @dependabot[bot] in #24574
• Bump @eslint/compat from 2.0.2 to 2.0.3 by @dependabot[bot] in #24608
• Bump wrapt from 2.1.1 to 2.1.2 in /requirements by @dependabot[bot] in #24596
• Bump globals from 17.3.0 to 17.4.0 by @dependabot[bot] in #24575
• Bump eslint from 10.0.2 to 10.0.3 by @dependabot[bot] in #24607
• Bump regex from 2026.2.19 to 2026.2.28 in /requirements by @dependabot[bot] in #24576
• Bump sentry-sdk from 2.53.0 to 2.54.0 in /requirements by @dependabot[bot] in #24579
• Bump drf-yasg from 1.21.14 to 1.21.15 in /requirements by @dependabot[bot] in #24558
• Bump certifi from 2026.1.4 to 2026.2.25 in /requirements by @dependabot[bot] in #24560
• Bump charset-normalizer from 3.4.4 to 3.4.5 in /requirements by @dependabot[bot] in #24597
• Bump mmh3 from 5.2.0 to 5.2.1 in /requirements by @dependabot[bot] in #24599
• Bump @vitest/eslint-plugin from 1.6.9 to 1.6.10 by @dependabot[bot] in #24616
• Bump wcwidth from 0.5.3 to 0.6.0 in /requirements by @dependabot[bot] in #24467
• Bump ipython from 9.10.0 to 9.11.0 in /requirements by @dependabot[bot] in #24593

Full Changelog: 2026.03.05...2026.03.19

2026.03.05-2

Cherry-pick of 5f4a0f2 on top of 2026.03.05-1

2026.03.05-1

Cherry-picked the following commits on top of https://github.com/mozilla/addons-server/releases/tag/2026.03.05:

• 12dd190

2026.03.05

This week's push hero is @eviljeff

Previous Release: 2026.02.19-2

Blockers:

Cherry-picks:

Before we push:

• Deploy customs 5.10.0 to prod

Before we start:

Before we promote:

After we're done:

• Deploy mozilla/webservices-infra#9901 to prod

Addons-Frontend Changelog:

mozilla/addons-frontend@2026.02.19...2026.03.05

Addons Server Changelog:

What's Changed

Notable things shipping

• Fix scanner name in reviewer tools by @willdurand in #24479
• Fix scanMap logic for webhook-based scanners by @willdurand in #24480
• Extract matched rules information in scanner results used by webhooks by @willdurand in #24482
• Make sure 0069_add_service_accounts_to_group migration uses the primary DB by @willdurand in #24483
• Add more info to reviewer tools developer profile and optimize queries by @diox in #24476
• Allow users that can edit scanner webhooks to edit scanner webhook events by @diox in #24487
• Also display authors links for existing blocklistsubmissions, not jus… by @diox in #24481
• Run test_main* tests in CI with a minimal environment by @diox in #24496
• When installing deps, don't clean existing dir if only installing dev deps by @diox in #24505
• Remove the SOURCE_BUILDER_VIEWER_URL setting and related code by @willdurand in #24494
• Avoid database access in tests where that's easy to do to speed them up by @diox in #24495
• Fix sort by addon guid in reviewer tools developer profile by @diox in #24512
• Mark the customs scanner as legacy/deprecated by @willdurand in #24510
• Use yara_x in clean_yara() method when swich is enabled by @willdurand in #24511
• Remove legacy customs in the django admin by @willdurand in #24514
• Record an ActivityLog when session anomalies are detected for a user by @diox in #24486
• Remove the file_hash argument on process_validation() because it is not used by @willdurand in #24517
• Add details to activity log admin change page by @diox in #24522
• Remove run_customs() and the 'enable-customs' waffle switch by @willdurand in #24516
• Add a migration to remove the enable-source-builder waffle switch by @willdurand in #24523
• docs: update private docs by @willdurand in #24524
• Add statsd pings for webhooks by @willdurand in #24525
• Remove the use of the _CUSTOMS constant in test files by @willdurand in #24526
• Store IP on session anomaly activity for future investigation by @diox in #24527
• Pass the event name to the webhook scanners by @willdurand in #24534
• Expose content changes to content review by @diox in #24498
• Additional confusable characters by @diox in #24541
• Optionally link ScannerResult to ActivityLog by @willdurand in #24530
• Declare the scanner field as read-only in the admin when the scanner rule has been created by @willdurand in #24532
• Add new webhook event: on_version_created by @willdurand in #24545
• Remove GET /scanner/results/ endpoint by @willdurand in #24543
• Fix event name/id in call_webhooks by @willdurand in #24549
• Remove ScannerResult.state and related code by @willdurand in #24546
• Add the add-on type to the webhook event payloads by @willdurand in #24551
• Appeals on listing content rejections set REQUESTED, rather than creating NHR by @eviljeff in #24544
• Inherit from the addon/version serializers for the webhook event payloads by @willdurand in #24550

Dependendabots

• Bump stylelint from 17.1.1 to 17.2.0 by @dependabot[bot] in #24469
• Bump glob from 13.0.1 to 13.0.2 by @dependabot[bot] in #24477
• Bump glob from 13.0.2 to 13.0.3 by @dependabot[bot] in #24492
• Bump dotenv from 17.2.3 to 17.3.1 by @dependabot[bot] in #24491
• Bump @vitest/eslint-plugin from 1.6.6 to 1.6.7 by @dependabot[bot] in #24473
• Bump stylelint from 17.2.0 to 17.3.0 by @dependabot[bot] in #24489
• Bump ajv from 6.12.6 to 6.14.0 by @dependabot[bot] in #24497
• Bump pytest-django from 4.11.1 to 4.12.0 in /requirements by @dependabot[bot] in #24503
• Bump @vitest/eslint-plugin from 1.6.7 to 1.6.9 by @dependabot[bot] in #24502
• Bump django-environ from 0.12.0 to 0.12.1 in /requirements by @dependabot[bot] in #24499
• Bump mysql from 8.0 to 8.0 by @dependabot[bot] in #24485
• Bump sentry-sdk from 2.52.0 to 2.53.0 in /requirements by @dependabot[bot] in #24501
• Bump addons-linter from 9.8.0 to 9.9.1 by @dependabot[bot] in #24506
• Bump glob from 13.0.3 to 13.0.4 by @dependabot[bot] in #24507
• Bump mysqlclient from 2.2.7 to 2.2.8 in /requirements by @dependabot[bot] in #24474
• Bump jsdom from 27.4.0 to 28.1.0 by @dependabot[bot] in #24500
• Bump homoglyphs-fork from 2.1.1 to 2.1.2 in /requirements by @dependabot[bot] in #24509
• Bump minimatch by @dependabot[bot] in #24515
• Bump knip from 5.83.1 to 5.84.0 by @dependabot[bot] in #24520
• Bump django-environ from 0.12.1 to 0.13.0 in /requirements by @dependabot[bot] in #24521
• Bump glob from 13.0.4 to 13.0.5 by @dependabot[bot] in #24519
• Bump knip from 5.84.0 to 5.84.1 by @dependabot[bot] in #24528
• Bump rollup from 4.55.1 to 4.59.0 by @dependabot[bot] in #24531
• Bump underscore from 1.13.7 to 1.13.8 by @dependabot[bot] in #24535
• Bump glob from 13.0.5 to 13.0.6 by @dependabot[bot] in #24536
• Bump rich from 14.3.2 to 14.3.3 in /requirements by @dependabot[bot] in #24538
• Bump responses from 0.25.8 to 0.26.0 in /requirements by @dependabot[bot] in #24539
• Bump minimatch by @dependabot[bot] in #24542
• Bump knip from 5.84.1 to 5.85.0 by @dependabot[bot] in #24547
• Bump django-dbbackup from 5.0.0 to 5.2.0 in /requirements by @dependabot[bot] in #24478
• Bump eslint from 9.39.2 to 10.0.2 by @dependabot[bot] in #24552
• Bump regex from 2026.1.15 to 2026.2.19 in /requirements by @dependabot[bot] in #24540
• Bump ruff from 0.14.14 to 0.15.2 in /requirements by @dependabot[bot] in #24537
• Bump django-debug-toolbar from 6.1.0 to 6.2.0 in /requirements by @dependabot[bot] in #24376

Full Changelog: 2026.02.19...2026.03.05

2026.02.19-2

Cherry-picked the following commits on top of https://github.com/mozilla/addons-server/releases/tag/2026.02.19-1:

• 098636e

2026.02.19-1

Cherry-picked the following commits on top of https://github.com/mozilla/addons-server/releases/tag/2026.02.19:

• f32b1a1
• 92f1384
• 1599c35
• 7c6dfdf

---

Full Changelog: 2026.02.19...2026.02.19-1

2026.02.19

This week's push hero is @diox

Previous Release: 2026.02.05-1

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

mozilla/addons-frontend@2026.02.05...2026.02.19

Addons Server Changelog:

What's Changed

Notable things shipping

• reviewer tools listing content approval and rejection by @eviljeff in #24386
• Display metadata and link to detail page in scanner admin query results by @diox in #24387
• Fix fake FxA user auth for local environments by @diox in #24419
• Remove broken urlconf_decorator - it hasn't worked in 10 years by @diox in #24421
• Update elasticsearch client libraries to 8.x by @diox in #24370
• Fix CSP in admin to allow django's jsi18n admin view as a script by @diox in #24422
• Increase uwsgi buffer-size in local environments to match prod by @diox in #24438
• Replace last_content_review_pass with content_review_status by @eviljeff in #24437
• Fix admin CSP: need to use SITE_URL, not INTERNAL_SITE_URL in admin CSP by @diox in #24446
• Add links to user admin page in reviewer tools review & developer profile pages by @diox in #24425
• Add actions to block add-ons / view authors in scanner results admin by @diox in #24424
• Allow developer requests for new content review by @eviljeff in #24420
• Add yara-x behind a waffle switch by @willdurand in #24439
• Developer can request a new listing content review via the API by @eviljeff in #24454
• Add links to authors of add-ons in blocklist submission page by @diox in #24459
• Add a new group for the service accounts created for the scanners by @willdurand in #24462
• Additional confusable characters by @diox in #24468
• Allow scanners to run asynchronously and send their results later by @willdurand in #24447

Dependendabots

• Bump django from 4.2.27 to 4.2.28 in /requirements by @dependabot[bot] in #24412
• Bump protobuf from 6.33.4 to 6.33.5 in /requirements by @dependabot[bot] in #24404
• Bump sentry-sdk from 2.50.0 to 2.51.0 in /requirements by @dependabot[bot] in #24415
• Bump cssselect from 1.3.0 to 1.4.0 in /requirements by @dependabot[bot] in #24417
• Bump globals from 17.1.0 to 17.2.0 by @dependabot[bot] in #24413
• Bump wcwidth from 0.5.0 to 0.5.2 in /requirements by @dependabot[bot] in #24423
• Bump zod from 3.24.2 to 4.3.6 by @dependabot[bot] in #24391
• Bump myst-parser from 4.0.1 to 5.0.0 in /requirements by @dependabot[bot] in #24352
• Bump cryptography from 46.0.3 to 46.0.4 in /requirements by @dependabot[bot] in #24416
• Bump knip from 5.82.1 to 5.83.0 by @dependabot[bot] in #24443
• Bump addons-linter from 9.6.0 to 9.7.0 by @dependabot[bot] in #24440
• Bump globals from 17.2.0 to 17.3.0 by @dependabot[bot] in #24434
• Bump stylelint from 17.0.0 to 17.1.0 by @dependabot[bot] in #24430
• Bump @eslint/compat from 2.0.1 to 2.0.2 by @dependabot[bot] in #24427
• Bump babel from 2.17.0 to 2.18.0 in /requirements by @dependabot[bot] in #24428
• Bump cryptography from 46.0.4 to 46.0.5 in /requirements by @dependabot[bot] in #24448
• Bump @babel/preset-env from 7.28.6 to 7.29.0 by @dependabot[bot] in #24426
• Bump proto-plus from 1.27.0 to 1.27.1 in /requirements by @dependabot[bot] in #24445
• Bump pytest-split from 0.10.0 to 0.11.0 in /requirements by @dependabot[bot] in #24444
• Bump wrapt from 2.0.1 to 2.1.1 in /requirements by @dependabot[bot] in #24442
• Bump pyjwt from 2.10.1 to 2.11.0 in /requirements by @dependabot[bot] in #24436
• Bump jquery-ui from 1.14.1 to 1.14.2 by @dependabot[bot] in #24418
• Bump rich from 14.3.1 to 14.3.2 in /requirements by @dependabot[bot] in #24435
• Bump wcwidth from 0.5.2 to 0.5.3 in /requirements by @dependabot[bot] in #24431
• Bump dennis from 1.1.0 to 1.2.0 in /requirements by @dependabot[bot] in #24453
• Bump glob from 13.0.0 to 13.0.1 by @dependabot[bot] in #24452
• Bump asgiref from 3.11.0 to 3.11.1 in /requirements by @dependabot[bot] in #24451
• Bump stylelint from 17.1.0 to 17.1.1 by @dependabot[bot] in #24450
• Bump ipython from 9.9.0 to 9.10.0 in /requirements by @dependabot[bot] in #24429
• Bump pillow from 12.1.0 to 12.1.1 in /requirements by @dependabot[bot] in #24455
• Bump setuptools from 80.9.0 to 80.10.2 in /requirements by @dependabot[bot] in #24398
• Bump pip from 26.0 to 26.0.1 in /requirements by @dependabot[bot] in #24457
• Bump knip from 5.83.0 to 5.83.1 by @dependabot[bot] in #24465
• Bump grpcio from 1.76.0 to 1.78.0 in /requirements by @dependabot[bot] in #24461
• Bump sentry-sdk from 2.51.0 to 2.52.0 in /requirements by @dependabot[bot] in #24456
• Bump mysql from 8.0 to 8.0 by @dependabot[bot] in #24287
• Bump pycparser from 2.23 to 3.0 in /requirements by @dependabot[bot] in #24383
• Bump markdown from 3.10.1 to 3.10.2 in /requirements by @dependabot[bot] in #24475
• Bump dockerflow from 2024.4.2 to 2026.1.26 in /requirements by @dependabot[bot] in #24405
• Bump addons-linter from 9.7.0 to 9.8.0 by @dependabot[bot] in #24470
• Bump parso from 0.8.5 to 0.8.6 in /requirements by @dependabot[bot] in #24472

Full Changelog: 2026.02.05...2026.02.19

2026.02.05-1

• Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=2016866