Epic: MokoGitea vNext — rebase to Gitea 1.26.4 (security backports) + feature roadmap #762
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Big-picture planning issue for the next MokoGitea version. Two pillars: (1) close the upstream security gap by rebasing onto Gitea 1.26.4, and (2) land the next wave of Moko features. Work happens on the dependent feature branch
feat/vnext(offdev), which depends on the current release (#733, live).Fork is currently based on Gitea 1.26.1 (
1.26.1+moko..., prodstable-289).🔴 Pillar 1 — Upstream security backports (Gitea 1.26.1 -> 1.26.4)
The fork is missing all 1.26.2-1.26.4 security fixes (9 CVEs). Target: rebase/merge upstream Gitea 1.26.4 (1.26.3 shipped a repo-code-pages regression, so 1.26.4 is the floor).
X-WEBAUTH-USERheader + wildcardREVERSE_PROXY_TRUSTED_PROXIESimpersonates any user (incl. admin)⚠️ CVE-2026-20896 likely can NOT wait for vNext — 9.8 + actively exploited, and the fork's base (1.26.1) predates the fix. Immediate action: check prod
[security] ENABLE_REVERSE_PROXY_AUTHENTICATION+REVERSE_PROXY_TRUSTED_PROXIESin app.ini; if reverse-proxy auth is on with a wildcard/loose trusted-proxy list, hotfix (tighten config and/or cherry-pick the fix) ahead of the full rebase.Rebase approach: merge
go-gitea/giteav1.26.4 into the fork; resolve conflicts against Moko customizations (org governance #727, licensing, folder wikis, manifest/metadata, org branch-protection layering, RE2/jsonv2 boot fixes); replay the migration chain (fork at migration 368); full dev->rc->main validation before the stable cut.🟢 Pillar 2 — Feature roadmap (candidate scope from open issues; maintainer confirms cut line)
Access & security: #761 granular (resource-scoped) tokens · #747 dedicated
mokogitea-apibot · #746 auto-add actions bot to CI/CD team · #745 org default teams (Protected + bot naming) · #725 dot-prefixed repos always privatePlatform / governance: #738 expand OpenAPI + MCP for org-governance · #744 issue templates set first-class fields · #753 platform detection (nodejs->go)
Wiki: #665 CodeMirror editor · #550 full-text wiki search · #549 bulk-migrate flat wikis
UX / product: #719 mobile responsiveness · #723 issue/PR voting · #563/#564 custom-domain + white-label per org · #553 hosted MCP SSE endpoint
Metadata hygiene (parallel track): #759 / #760 client-repo metadata audits
Deliverables
feat/vnextSources: Gitea 1.26.3/1.26.4 security releases; CVE-2026-20896 active-exploitation reports.