Releases: mozilla/addons-server
Releases Β· mozilla/addons-server
2026.02.05-1
2026.02.05
This week's push hero is @diox
Previous Release: 2026.01.22-2
Blockers:
Cherry-picks:
Before we push:
Before we start:
Before we promote:
After we're done:
- Apply webservices-infra plan from PR
Addons-Frontend Changelog:
mozilla/addons-frontend@2026.01.22...2026.02.05
Addons Server Changelog:
What's Changed
Notable things shipping
- Generate service accounts when registering scanner webhooks by @willdurand in #24325
- Prefer fxa_id over email when logging in, while allowing multiple accounts to have the same email by @diox in #24326
- docs: update private docs to run customs as a scanner by @willdurand in #24318
- Fix formatted scanner column in django admin by @willdurand in #24351
- Alter field api_key on scannerwebhook to have a max length of 255 chars by @willdurand in #24357
- Fix user admin page slowness for users with lots of activities by @diox in #24349
- Treat 201 and 202 responses as successful when calling webhooks by @willdurand in #24359
- docs: describe how to write new Node.js based scanners by @willdurand in #24358
- Use HMAC-SHA256 auth scheme when calling webhooks by @willdurand in #24342
- Improve NARC homoglyph handling and use faster/more powerful regex module by @diox in #24369
- Replace django-extended-choices with python/django Enum classes by @eviljeff in #24360
- Prevent listed versions submissions while the listing is rejected by @diox in #24367
- add support for Approve marking listing content as approved by @eviljeff in #24366
- Clean narc rules using regex module now that what's the task is using by @diox in #24380
- Automatically hard-block add-ons an user is an author of when banning them by @diox in #24356
- Add filter by webhook scanners in the scanner results Django admin by @willdurand in #24374
- Stop requiring wheel anymore by @diox in #24395
- Add a migration to duplicate the customs scanner rules for webhook by @willdurand in #24373
- move addon_important_change to a property of the activity _LOG class by @eviljeff in #24396
- Remove unused cachetools dependency by @diox in #24409
- Make NARC rules configurable by @diox in #24388
Dependendabots
- Bump vitest from 4.0.16 to 4.0.17 by @dependabot[bot] in #24339
- Bump eslint-plugin-prettier from 5.5.4 to 5.5.5 by @dependabot[bot] in #24348
- Bump knip from 5.80.2 to 5.81.0 by @dependabot[bot] in #24347
- Bump google-cloud-storage from 3.7.0 to 3.8.0 in /requirements in the google group by @dependabot[bot] in #24346
- Bump lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in #24350
- Bump drf-yasg from 1.21.11 to 1.21.12 in /requirements by @dependabot[bot] in #24355
- Bump prettier from 3.7.4 to 3.8.0 by @dependabot[bot] in #24353
- Bump elasticsearch from 7.17.12 to 7.17.13 in /requirements by @dependabot[bot] in #24345
- Bump tomli from 2.3.0 to 2.4.0 in /requirements by @dependabot[bot] in #24340
- Bump sphinx-rtd-theme from 3.0.2 to 3.1.0 in /requirements by @dependabot[bot] in #24343
- Bump wheel from 0.45.1 to 0.46.2 in /requirements by @dependabot[bot] in #24361
- Bump ruff from 0.14.11 to 0.14.13 in /requirements by @dependabot[bot] in #24365
- Bump addons-linter from 9.4.0 to 9.5.0 by @dependabot[bot] in #24364
- Bump drf-yasg from 1.21.12 to 1.21.14 in /requirements by @dependabot[bot] in #24363
- Bump stylelint and stylelint-config-standard by @dependabot[bot] in #24362
- Bump knip from 5.81.0 to 5.82.0 by @dependabot[bot] in #24371
- Bump django-csp from 3.8 to 4.0 in /requirements by @dependabot[bot] in #23572
- Bump knip from 5.82.0 to 5.82.1 by @dependabot[bot] in #24375
- Bump certifi from 2025.11.12 to 2026.1.4 in /requirements by @dependabot[bot] in #24314
- Bump prettier from 3.8.0 to 3.8.1 by @dependabot[bot] in #24381
- Bump markdown from 3.10 to 3.10.1 in /requirements by @dependabot[bot] in #24384
- Bump ruff from 0.14.13 to 0.14.14 in /requirements by @dependabot[bot] in #24390
- Bump pyparsing from 3.3.1 to 3.3.2 in /requirements by @dependabot[bot] in #24379
- Bump sentry-sdk from 2.49.0 to 2.50.0 in /requirements by @dependabot[bot] in #24378
- Bump drf-spectacular-sidecar from 2025.12.1 to 2026.1.1 in /requirements by @dependabot[bot] in #24305
- Bump globals from 17.0.0 to 17.1.0 by @dependabot[bot] in #24392
- Bump vitest from 4.0.17 to 4.0.18 by @dependabot[bot] in #24389
- Bump packaging from 25.0 to 26.0 in /requirements by @dependabot[bot] in #24385
- Bump pip from 25.3 to 26.0 in /requirements by @dependabot[bot] in #24401
- Bump protobuf from 4.25.8 to 6.33.4 in /requirements by @dependabot[bot] in #24408
- Bump rich from 14.2.0 to 14.3.1 in /requirements by @dependabot[bot] in #24400
- Bump addons-linter from 9.5.0 to 9.6.0 by @dependabot[bot] in #24402
- Bump wcwidth from 0.2.14 to 0.5.0 in /requirements by @dependabot[bot] in #24406
Full Changelog: 2026.01.22...2026.02.05
Contributors
diox, willdurand, and 2 other contributors
Assets 2
2026.01.22-2
Cherry-picked eb50f7c on top of https://github.com/mozilla/addons-server/releases/tag/2026.01.22-1
2026.01.22-1
e9564e4
This commit was signed with the committerβs verified signature.
willdurand
William Durand
Cherry-picked 0fe6ca0 on top of https://github.com/mozilla/addons-server/releases/tag/2026.01.22
2026.01.22
This week's push hero is @eviljeff
Previous Release: 2026.01.08
Blockers:
Cherry-picks:
Before we push:
Before we start:
Before we promote:
After we're done:
- Deploy mozilla/webservices-infra#9094 to prod (already should have been deployed to dev/stage)
Addons-Frontend Changelog:
Addons Server Changelog:
Contributors
eviljeff
Assets 2
2026.01.08
This week's push hero is @diox
Previous Release: 2025.12.15
Blockers:
Cherry-picks:
Before we push:
Before we start:
Before we promote:
After we're done:
- run a full ES reindex
Addons-Frontend Changelog:
mozilla/addons-frontend@2025.12.11...2026.01.08
Addons Server Changelog:
What's Changed
Notable things shipping
- Upgrade to Python 3.13 by @diox in #24235
- drop logic that routes some abuse reports to reviewers directly by @eviljeff in #24240
- Adjust documentation about JWT reuse by @diox in #24243
- Compute hotness even if previous week is 0 by @diox in #24246
- Remove old Promoted group constants by @eviljeff in #24236
- drop localized strings from reviewer tools by @eviljeff in #24251
- Add command to fake cinder webhook request in local environments by @diox in #24245
Dependendabots
- Bump prettier from 3.7.3 to 3.7.4 by @dependabot[bot] in #24237
- Bump knip from 5.71.0 to 5.72.0 by @dependabot[bot] in #24249
- Bump pytest from 9.0.1 to 9.0.2 in /requirements by @dependabot[bot] in #24248
- Bump @vitest/eslint-plugin from 1.5.1 to 1.5.2 by @dependabot[bot] in #24247
- Bump knip from 5.72.0 to 5.73.0 by @dependabot[bot] in #24255
- Bump google-cloud-storage from 3.6.0 to 3.7.0 in /requirements in the google group by @dependabot[bot] in #24254
- Bump knip from 5.73.0 to 5.73.3 by @dependabot[bot] in #24257
- Bump knip from 5.73.3 to 5.73.4 by @dependabot[bot] in #24266
- Bump @eslint/js from 9.39.1 to 9.39.2 by @dependabot[bot] in #24263
- Bump less from 4.4.2 to 4.5.1 by @dependabot[bot] in #24262
- Bump django-admin-rangefilter from 0.13.3 to 0.13.5 in /requirements by @dependabot[bot] in #24260
- Bump ruff from 0.14.7 to 0.14.9 in /requirements by @dependabot[bot] in #24258
- Bump sentry-sdk from 2.46.0 to 2.47.0 in /requirements by @dependabot[bot] in #24241
- Bump networkx from 3.6 to 3.6.1 in /requirements by @dependabot[bot] in #24253
- Bump eslint from 9.39.1 to 9.39.2 by @dependabot[bot] in #24259
- Bump jsdom from 27.2.0 to 27.3.0 by @dependabot[bot] in #24252
- Bump mysql from 8.0 to 8.0 by @dependabot[bot] in #24269
Full Changelog: 2025.12.11...2026.01.08
Contributors
diox, eviljeff, and dependabot
Assets 2
2025.12.15
faed3e6
This commit was signed with the committerβs verified signature.
willdurand
William Durand
Full Changelog: 2025.12.11...2025.12.15
2025.12.11
This week's push hero is @eviljeff
Previous Release: 2025.11.27
Blockers:
Cherry-picks:
Before we push:
Before we start:
Before we promote:
After we're done:
Addons-Frontend Changelog:
Addons Server Changelog:
What's Changed
Notable things shipping
- Avoid raising exceptions when parsing invalid manifests by @diox in #24185
- add link to source builder by @eviljeff in #24180
- Call source builder API when source code is provided by @willdurand in #24131
- Fix tests intermittently failing with time-machine by @diox in #24196
- store reason for automatic reject and block action in activity log by @eviljeff in #24189
- Add a way to use the source-builder project locally by @willdurand in #24197
- Add api key to source-builder by @willdurand in #24217
- Do not call the source builder when the version doesn't have a license by @willdurand in #24222
- Fix broken nn-NO locale (dash vs underscore in folder name), and warnings for ko/ja by @diox in #24233
Dependendabots
- Bump knip from 5.69.1 to 5.70.0 by @dependabot[bot] in #24187
- Bump sentry-sdk from 2.44.0 to 2.45.0 in /requirements by @dependabot[bot] in #24186
- Bump google-resumable-media from 2.7.2 to 2.8.0 in /requirements in the google group by @dependabot[bot] in #24182
- Bump drf-spectacular from 0.28.0 to 0.29.0 in /requirements by @dependabot[bot] in #24123
- Bump click from 8.3.0 to 8.3.1 in /requirements by @dependabot[bot] in #24172
- Bump rpds-py from 0.28.0 to 0.29.0 in /requirements by @dependabot[bot] in #24171
- Bump asgiref from 3.10.0 to 3.11.0 in /requirements by @dependabot[bot] in #24195
- Bump knip from 5.70.0 to 5.70.1 by @dependabot[bot] in #24192
- Bump billiard from 4.2.2 to 4.2.3 in /requirements in the celery group by @dependabot[bot] in #24170
- Bump @vitest/eslint-plugin from 1.4.2 to 1.4.3 by @dependabot[bot] in #24178
- Bump @eslint/compat from 1.4.1 to 2.0.0 by @dependabot[bot] in #24177
- Bump django-environ from 0.11.2 to 0.12.0 in /requirements by @dependabot[bot] in #22989
- Bump rhysd/actionlint from 1.7.8 to 1.7.9 by @dependabot[bot] in #24174
- Bump mozilla/autograph from 7.5.3 to 7.5.4 by @dependabot[bot] in #24175
- Bump asttokens from 3.0.0 to 3.0.1 in /requirements by @dependabot[bot] in #24173
- Bump mozilla/addons-frontend from 2025.11.13 to 2025.11.27 by @dependabot[bot] in #24200
- Bump mozilla/autograph from 7.5.4 to 7.5.5 by @dependabot[bot] in #24201
- Bump sentry-sdk from 2.45.0 to 2.46.0 in /requirements by @dependabot[bot] in #24204
- Bump ruff from 0.14.5 to 0.14.6 in /requirements by @dependabot[bot] in #24206
- Bump exceptiongroup from 1.3.0 to 1.3.1 in /requirements by @dependabot[bot] in #24207
- Bump @vitest/eslint-plugin from 1.4.3 to 1.5.0 by @dependabot[bot] in #24209
- Bump stylelint from 16.25.0 to 16.26.0 by @dependabot[bot] in #24211
- Bump networkx from 3.5 to 3.6 in /requirements by @dependabot[bot] in #24210
- Bump knip from 5.70.1 to 5.70.2 by @dependabot[bot] in #24213
- Bump addons-linter from 9.2.0 to 9.3.0 by @dependabot[bot] in #24205
- Bump time-machine from 2.19.0 to 3.1.0 in /requirements by @dependabot[bot] in #24212
- Bump django from 4.2.26 to 4.2.27 in /requirements by @dependabot[bot] in #24216
- Bump kombu from 5.6.0 to 5.6.1 in /requirements in the celery group by @dependabot[bot] in #24214
- Bump prettier from 3.6.2 to 3.7.0 by @dependabot[bot] in #24218
- Bump deprecated from 1.2.18 to 1.3.1 in /requirements by @dependabot[bot] in #24108
- Bump sqlparse from 0.5.3 to 0.5.4 in /requirements by @dependabot[bot] in #24221
- Bump prettier from 3.7.0 to 3.7.1 by @dependabot[bot] in #24219
- Bump stylelint from 16.26.0 to 16.26.1 by @dependabot[bot] in #24220
- Bump prettier from 3.7.1 to 3.7.3 by @dependabot[bot] in #24224
- Bump @vitest/eslint-plugin from 1.5.0 to 1.5.1 by @dependabot[bot] in #24227
- Bump knip from 5.70.2 to 5.71.0 by @dependabot[bot] in #24225
- Bump ruff from 0.14.6 to 0.14.7 in /requirements by @dependabot[bot] in #24226
- Bump rpds-py from 0.29.0 to 0.30.0 in /requirements by @dependabot[bot] in #24228
- Bump zizmorcore/zizmor from 1.12.1 to 1.18.0 by @dependabot[bot] in #24202
- Bump drf-spectacular-sidecar from 2025.10.1 to 2025.12.1 in /requirements by @dependabot[bot] in #24232
- Bump elasticsearch/elasticsearch from 8.18.2 to 8.19.8 by @dependabot[bot] in #24231
Full Changelog: 2025.11.27...2025.12.11
Contributors
diox, willdurand, and 2 other contributors
Assets 2
2025.11.27
This week's push hero is @diox
Previous Release: 2025.11.13-1
Blockers:
Cherry-picks:
Before we push:
Before we start:
Before we promote:
After we're done:
Addons-Frontend Changelog:
mozilla/addons-frontend@2025.11.13...2025.11.27
Addons Server Changelog:
What's Changed
Notable things shipping
- Return a 414 if the url we'd redirect to for locale and app is too long by @eviljeff in #24145
- Don't create fake CinderJob for requeues; expose notes in log by @eviljeff in #24155
- Create activitylogs for Collection and UserProfile property changes by @eviljeff in #24151
- add dedicated source permission (& extra django admin view perms) by @eviljeff in #24168
- Add JA4-based restrictions and display JA4s in user admin by @diox in #24162
- Add additional custom confusable characters to normalization code by @diox in #24181
Dependendabots
- Bump eslint from 9.39.0 to 9.39.1 by @dependabot[bot] in #24126
- Bump markdown from 3.9 to 3.10 in /requirements by @dependabot[bot] in #24128
- Bump the google group in /requirements with 2 updates by @dependabot[bot] in #24133
- Bump @vitest/eslint-plugin from 1.4.0 to 1.4.1 by @dependabot[bot] in #24132
- Bump rabbitmq from 3.12 to 3.13.6 by @dependabot[bot] in #23931
- Bump addons-linter from 8.4.0 to 9.0.0 by @dependabot[bot] in #24138
- Bump googleapis-common-protos from 1.71.0 to 1.72.0 in /requirements by @dependabot[bot] in #24139
- Bump knip from 5.67.1 to 5.68.0 by @dependabot[bot] in #24137
- Bump ruff from 0.14.3 to 0.14.4 in /requirements by @dependabot[bot] in #24141
- Bump jsdom from 26.1.0 to 27.1.0 by @dependabot[bot] in #24115
- Bump rpds-py from 0.19.0 to 0.28.0 in /requirements by @dependabot[bot] in #24086
- Bump jsonschema-specifications from 2025.4.1 to 2025.9.1 in /requirements by @dependabot[bot] in #23884
- Bump js-yaml from 4.1.0 to 4.1.1 by @dependabot[bot] in #24144
- Bump addons-linter from 9.0.0 to 9.1.0 by @dependabot[bot] in #24148
- Bump @vitest/eslint-plugin from 1.4.1 to 1.4.2 by @dependabot[bot] in #24146
- Bump mozilla/addons-frontend from 2025.10.30 to 2025.11.13 by @dependabot[bot] in #24149
- Bump sentry-sdk from 2.43.0 to 2.44.0 in /requirements by @dependabot[bot] in #24153
- Bump knip from 5.68.0 to 5.69.0 by @dependabot[bot] in #24152
- Bump glob from 11.0.3 to 11.1.0 by @dependabot[bot] in #24156
- Bump pillow from 11.3.0 to 12.0.0 in /requirements by @dependabot[bot] in #24055
- Bump pytest from 8.4.2 to 9.0.0 in /requirements by @dependabot[bot] in #24154
- Bump pytest-reportlog from 0.4.0 to 1.0.0 in /requirements by @dependabot[bot] in #24161
- Bump certifi from 2025.10.5 to 2025.11.12 in /requirements by @dependabot[bot] in #24160
- Bump jsdom from 27.1.0 to 27.2.0 by @dependabot[bot] in #24159
- Bump execnet from 2.1.1 to 2.1.2 in /requirements by @dependabot[bot] in #24158
- Bump addons-linter from 9.1.0 to 9.2.0 by @dependabot[bot] in #24157
- Bump pytest from 9.0.0 to 9.0.1 in /requirements by @dependabot[bot] in #24164
- Bump knip from 5.69.0 to 5.69.1 by @dependabot[bot] in #24163
- Bump ruff from 0.14.4 to 0.14.5 in /requirements by @dependabot[bot] in #24167
- Bump actions/setup-node from 4 to 6 by @dependabot[bot] in #24037
- Bump google-cloud-storage from 3.5.0 to 3.6.0 in /requirements in the google group by @dependabot[bot] in #24169
- Bump lxml from 5.4.0 to 6.0.2 in /requirements by @dependabot[bot] in #23960
- Bump cryptography from 45.0.7 to 46.0.3 in /requirements by @dependabot[bot] in #24056
- Bump cffi from 1.17.1 to 2.0.0 in /requirements by @dependabot[bot] in #23895
Full Changelog: 2025.11.13...2025.11.27
Contributors
diox, eviljeff, and dependabot
Assets 2
2025.11.13-1
This week's push hero is @eviljeff
Cherry-pick release
Previous Release: 2025.11.13
Blockers:
Cherry-picks:
Before we push:
Before we start:
Before we promote:
After we're done:
- Deploy customs update to prod
Full Changelog: 2025.11.13...2025.11.13-1
Contributors
eviljeff