fix: 2026.1.32 patch — critical ops + security + reviewed carrier fixes #1128

Merged: danh91 merged 6 commits into main from patch/2026.1.32 on Jun 23, 2026
Conversation

@danh91 danh91 commented Jun 23, 2026

Member

Summary

The 2026.1.32 patch, off main. Bundles the pressing operational/security bugs reported in GitHub Discussions, the reviewed community carrier fixes (refactored to karrio conventions), and the official USPS OpenAPI specs. History is clean — 4 logical commits.

Versioning: fixes only, no version bump (matches the fix-PR convention). Cut the release with ./bin/release 2026.1.32 (VERSION sweep + freeze + CHANGELOG + tag) after merge.

Provenance note: the six community PRs below were briefly merged to main in error, then reverted (main force-pushed back to a pristine 8211f507a). Their work is integrated here instead — each shows "Merged" on GitHub, so contributors keep credit, and the code lands on main only when this PR is merged. A guardrail (commit 4) now prevents writing to main without explicit permission.

Commits

| Commit | Scope |
| --- | --- |
| fix(server): critical ops + security fixes for 2026.1.32 | the 6 critical bugs (4 authored + #1096/#1120) |
| fix(usps): correct v3 API hosts + vendor official OpenAPI specs | #1118 + vendored specs |
| feat(fedex): pickupType option, full customer references, pickup improvements | #1095/#1089/#1114, refactored to conventions |
| chore(rules): require explicit permission before writing to main | guardrail |

Critical ops + security

| Fix | Discussion | Linear | Severity | Source |
| --- | --- | --- | --- | --- |
| Guard migration 0093 against cascade data-loss | #1116 | EBE-113 | 🔴 data-loss | authored |
| Scope MD5 PASSWORD_HASHERS to test runs only | #1094 | EBE-112 | 🔴 security | #1096 (@mgradalska) |
| Batch periodic_data_archiving deletes (OOM) | #1125 | EBE-118 | 🔴 OOM | authored |
| Huey ignores REDIS_HOST under OTEL | #1124 | EBE-119 | 🔴 bg-tasks down | authored |
| Production-safe migration 0078 | #1123 | EBE-120 | 🟠 migration | authored |
| Async DB connection cleanup (tracing leak, phase 1) | #1119 | EBE-121 | 🟠 conn-leak | #1120 (@ChrisNolan) |

Carrier fixes (reviewed + refactored to conventions)

| Fix | Discussion | Linear | Source |
| --- | --- | --- | --- |
| USPS v3 host correction (apis-tem/apis.usps.com) + vendored specs | USPS retirement | EBE-115 | #1118 (@zebradots) |
| FedEx pickupType as an enum-typed shipping option | #1105 | EBE-122 | #1095 (@ChrisNolan) |
| FedEx full customer references (REF field), built inline | #1082 | EBE-114 | #1089 (@ChrisNolan) |
| FedEx pickup: instruction→remarks, enum address-type, package-location map | #1112 | EBE-123 | #1114 (@ChrisNolan) |

Conventions applied on top of the merged contributor work:

  • fedex_pickup_type / fedex_pickup_address_type are now enum-typed OptionEnums (FedExPickupType, FedExPickupAddressType), not str + runtime validators.
  • customerReferences are built inline in the request tree (UPS/FedEx idiom) — the collect_customer_references helper and its mock-based unit tests were removed; fedex_department_number/fedex_po_number/fedex_rma_association are declared options.
  • package_location resolves via the FedExPackageLocation enum (.map().value); the one-off pickup/utils.py was deleted.
  • Deferred: FedEx pickup multi-recipient notification emails → EBE-124 (needs one canonical option name + spec-confirmed cap).

Official USPS Developer Portal v3 specs are vendored under modules/connectors/usps{,_international}/vendor/ (captured 2026-06-23) with provenance READMEs.

Verification

karrio test events.test_archiving / core.test_async_db_cleanup / manager.test_trackers   # OK
karrio migrate --check                                                                    # graph valid (0093→0079)
fedex connector tests          # OK (pickupType, customer-references, pickup)
usps / usps_international       # OK

Not included (deferred)

The 2026.5 platform upgrade (umbrella #1065) + JTL subtree recovery is a separate major-release effort. FedEx pickup multi-email → EBE-124. USPS contract-rates PR #1121 → separate review.
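
The "Scope MD5 PASSWORD_HASHERS to test runs only" fix listed above, as an added example that is not part of this PR or karrio's code: Django stores new passwords with the first entry of PASSWORD_HASHERS, so a fast MD5 hasher that leaks out of the test configuration weakens every new credential. The test-run detection, the "before" list and the `audit` helper are assumptions made for illustration.

```python
"""Added example: keep Django's fast MD5 hasher inside test runs, and audit a list."""

PREFIX = "django.contrib.auth.hashers."
# Real Django hasher classes, referenced as strings so this runs without Django.
STRONG = [PREFIX + "PBKDF2PasswordHasher", PREFIX + "Argon2PasswordHasher"]
WEAK = {PREFIX + "MD5PasswordHasher", PREFIX + "UnsaltedMD5PasswordHasher",
        PREFIX + "SHA1PasswordHasher"}


def is_test_run(argv):
    # Assumption: tests start via a manage.py-style "test" subcommand,
    # as in the `karrio test ...` verification lines.
    return len(argv) > 1 and argv[1] == "test"


def unscoped_hashers():
    # Assumed "before" shape: MD5 is first in every environment, so every
    # new password, production included, is stored with it.
    return [PREFIX + "MD5PasswordHasher"] + STRONG


def scoped_hashers(argv):
    # "After" shape: the speed-up applies to the test runner only.
    if is_test_run(argv):
        return [PREFIX + "MD5PasswordHasher"]
    return list(STRONG)


def audit(hashers, test_run):
    """Return findings for a PASSWORD_HASHERS list used outside test runs."""
    if test_run:
        return []
    findings = []
    if hashers and hashers[0] in WEAK:
        findings.append("preferred hasher is weak: " + hashers[0])
    for name in hashers[1:]:
        # Later entries are only used to verify existing hashes at login.
        if name in WEAK:
            findings.append("weak hasher still accepted for login: " + name)
    return findings


if __name__ == "__main__":
    # Constructed invocations, not taken from the project.
    for argv in (["karrio", "test", "core"], ["karrio", "runserver"]):
        hashers = scoped_hashers(argv)
        print(argv[1], hashers[0], audit(hashers, is_test_run(argv)))
    print("unscoped:", audit(unscoped_hashers(), test_run=False))
```

A check like `audit` fits a deploy-time gate or a Django system check; passwords already stored with the weak hasher stay that way until each user logs in again or resets.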

vercel Bot commented Jun 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
karrio-web Ready Ready Preview, Comment Jun 23, 2026 7:05am

@danh91 danh91 changed the title from "fix: 2026.1.32 critical-ops + security patch (data-loss, MD5, OOM, huey, migrations)" to "fix: 2026.1.32 patch — critical ops + security + reviewed carrier fixes" Jun 23, 2026
@danh91 danh91 force-pushed the patch/2026.1.32 branch from 9369c11 to 8f9871c June 23, 2026 04:36
danh91 added a commit that referenced this pull request Jun 23, 2026
#1096, #1120, #1095, #1089, #1114, #1118 were merged directly to main by
mistake — they belong on the 2026.1.32 release branch (#1128), where the same
changes already live (cherry-picks + conventions cleanups). No work is lost;
this only removes their effect from main. They will reach main via #1128.
danh91 added 4 commits June 23, 2026 01:33
- providers: guard migration 0093 against cascade data-loss (#1116) — depend on
  manager/0079 so carrier FK columns are dropped before the legacy carrier delete.
- manager: make migration 0078 production-safe — chunked iterator + bulk_update,
  idempotent (#1123).
- events: batch periodic_data_archiving deletes to avoid first-run OOM (#1125).
- settings: import workers before apm so huey binds REDIS_HOST under OTEL (#1124).
- settings: scope MD5 PASSWORD_HASHERS to the test runner only (#1096, @mgradalska).
- core: clean up async DB connections to stop the tracing connection leak
  (#1119/#1120 phase 1, @ChrisNolan) + phase-2 PRD.

- usps + usps_international: update server URLs to apis.usps.com / apis-tem.usps.com
  after USPS retired the legacy Web Tools / api-cat hosts (#1118, @zebradots).
- vendor the official USPS Developer Portal v3 specs (captured 2026-06-23) for
  usps and usps_international, each with a provenance README.

…ovements

- pickupType settable via the fedex_pickup_type shipping option, typed with the
  FedExPickupType enum (#1095, @ChrisNolan).
- full multi-type customerReferences (CUSTOMER_REFERENCE/INVOICE_NUMBER/
  DEPARTMENT_NUMBER/P_O_NUMBER/RMA_ASSOCIATION), built inline in the request
  tree; fixes the REF field on labels (#1089, @ChrisNolan; disc #1082).
- pickup: map instruction -> remarks, type fedex_pickup_address_type as an enum
  option, resolve package_location via the FedExPackageLocation enum (#1114,
  @ChrisNolan). Multi-recipient notification emails deferred (EBE-124).

Add a hard guardrail to CLAUDE.md + .claude/rules/git-workflow.md: never
merge/push/force-push/revert main (incl. gh pr merge) without explicit
per-action permission; contributor PRs integrate into the release branch, not
main. Adds the rule that was missing when six PRs were merged to main in error.
danh91 added 2 commits June 23, 2026 03:02
The 2026.1.32 metadata regen renamed the Trackers retrieve/remove path param
idOrTrackingNumber -> identifier and made TrackingEvent.description nullable.
Update consumers: tracker delete/retrieve calls use { identifier }, and
getEventIcon accepts string | null.

Version bump 2026.1.31 -> 2026.1.32 across packages, regenerated API metadata
(REST/GraphQL types, OpenAPI, schemas), CHANGELOG, and frozen requirements.
Removes SPRINT_MCP.md. Bumps community + ee/platform submodules to their
release commits; ee/insiders stays at v2026.1.29 (its main carries #32 /
task_backend, which ship with 2026.5).
@danh91 danh91 force-pushed the patch/2026.1.32 branch from 6322a85 to 4ef0fdb June 23, 2026 07:03
@danh91 danh91 merged commit deea10f into main Jun 23, 2026
14 of 15 checks passed
@danh91 danh91 deleted the patch/2026.1.32 branch June 23, 2026 07:29