fix: 2026.1.32 patch — critical ops + security + reviewed carrier fixes #1128
Merged
danh91 added a commit that referenced this pull request Jun 23, 2026
#1096, #1120, #1095, #1089, #1114, #1118 were merged directly to main by mistake — they belong on the 2026.1.32 release branch (#1128), where the same changes already live (cherry-picks + conventions cleanups). No work is lost; this only removes their effect from main. They will reach main via #1128.
- providers: guard migration 0093 against cascade data-loss (#1116) — depend on manager/0079 so carrier FK columns are dropped before the legacy carrier delete.
- manager: make migration 0078 production-safe — chunked iterator + bulk_update, idempotent (#1123).
- events: batch periodic_data_archiving deletes to avoid first-run OOM (#1125).
- settings: import workers before apm so huey binds REDIS_HOST under OTEL (#1124).
- settings: scope MD5 PASSWORD_HASHERS to the test runner only (#1096, @mgradalska).
- core: clean up async DB connections to stop the tracing connection leak (#1119/#1120 phase 1, @ChrisNolan) + phase-2 PRD.

- usps + usps_international: update server URLs to apis.usps.com / apis-tem.usps.com after USPS retired the legacy Web Tools / api-cat hosts (#1118, @zebradots).
- vendor the official USPS Developer Portal v3 specs (captured 2026-06-23) for usps and usps_international, each with a provenance README.

…ovements
- pickupType settable via the fedex_pickup_type shipping option, typed with the FedExPickupType enum (#1095, @ChrisNolan).
- full multi-type customerReferences (CUSTOMER_REFERENCE/INVOICE_NUMBER/DEPARTMENT_NUMBER/P_O_NUMBER/RMA_ASSOCIATION), built inline in the request tree; fixes the REF field on labels (#1089, @ChrisNolan; disc #1082).
- pickup: map instruction -> remarks, type fedex_pickup_address_type as an enum option, resolve package_location via the FedExPackageLocation enum (#1114, @ChrisNolan). Multi-recipient notification emails deferred (EBE-124).
Add a hard guardrail to CLAUDE.md + .claude/rules/git-workflow.md: never merge/push/force-push/revert main (incl. gh pr merge) without explicit per-action permission; contributor PRs integrate into the release branch, not main. Adds the rule that was missing when six PRs were merged to main in error.
The 2026.1.32 metadata regen renamed the Trackers retrieve/remove path param
idOrTrackingNumber -> identifier and made TrackingEvent.description nullable.
Update consumers: tracker delete/retrieve calls use { identifier }, and
getEventIcon accepts string | null.
Version bump 2026.1.31 -> 2026.1.32 across packages, regenerated API metadata (REST/GraphQL types, OpenAPI, schemas), CHANGELOG, and frozen requirements. Removes SPRINT_MCP.md. Bumps community + ee/platform submodules to their release commits; ee/insiders stays at v2026.1.29 (its main carries #32 / task_backend, which ship with 2026.5).
Summary
The 2026.1.32 patch, off main. Bundles the pressing operational/security bugs reported in GitHub Discussions, the reviewed community carrier fixes (refactored to karrio conventions), and the official USPS OpenAPI specs. History is clean — 4 logical commits.

Commits
- fix(server): critical ops + security fixes for 2026.1.32
- fix(usps): correct v3 API hosts + vendor official OpenAPI specs
- feat(fedex): pickupType option, full customer references, pickup improvements
- chore(rules): require explicit permission before writing to main

Critical ops + security
- PASSWORD_HASHERS to test runs only
- periodic_data_archiving deletes (OOM)
- REDIS_HOST under OTEL
- manager/0079 so the carrier FK columns are dropped before the legacy carrier delete — the delete can no longer cascade into tracking/shipment/pickup history.
- TEST_RUNNER subclass so it never fires in production.
- workers before apm so settings.HUEY exists before djhuey binds.
- bulk_update, idempotent.

Carrier fixes (reviewed + refactored to conventions)
- apis-tem/apis.usps.com) + vendored specs
- pickupType as an enum-typed shipping option

Conventions applied on top of the merged contributor work:
- fedex_pickup_type/fedex_pickup_address_type are now enum-typed OptionEnums (FedExPickupType, FedExPickupAddressType), not str + runtime validators.
- customerReferences are built inline in the request tree (UPS/FedEx idiom) — the collect_customer_references helper and its mock-based unit tests were removed; fedex_department_number/fedex_po_number/fedex_rma_association are declared options.
- package_location resolves via the FedExPackageLocation enum (.map().value); the one-off pickup/utils.py was deleted.

Official USPS Developer Portal v3 specs are vendored under modules/connectors/usps{,_international}/vendor/ (captured 2026-06-23) with provenance READMEs.

Verification
Not included (deferred)
The 2026.5 platform upgrade (umbrella #1065) + JTL subtree recovery is a separate major-release effort. FedEx pickup multi-email → EBE-124. USPS contract-rates PR #1121 → separate review.
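
A deploy-time check for the failure mode behind the PASSWORD_HASHERS item above (an MD5 hasher meant for tests ending up in effective production settings), as an added example that is not code from this pull request or from karrio. It uses only the standard library; the function names and the sample lists are constructed for illustration.

```python
# Added example: audit a Django PASSWORD_HASHERS list before deploy.
# Function names and the sample lists below are constructed for illustration.

PREFIX = "django.contrib.auth.hashers."

# Fast or unsalted hashers that have shipped in django.contrib.auth.hashers.
WEAK_HASHERS = {
    PREFIX + "MD5PasswordHasher",
    PREFIX + "SHA1PasswordHasher",
    PREFIX + "UnsaltedMD5PasswordHasher",
    PREFIX + "UnsaltedSHA1PasswordHasher",
}


def audit_password_hashers(hashers):
    """Return (severity, message) findings for a PASSWORD_HASHERS list."""
    findings = []
    for position, path in enumerate(hashers):
        if path not in WEAK_HASHERS:
            continue
        name = path.rsplit(".", 1)[-1]
        if position == 0:
            # Django hashes new and changed passwords with the first entry.
            findings.append(("error", f"{name} is the primary hasher"))
        else:
            # Later entries only verify (and then upgrade) existing hashes.
            findings.append(("warning", f"{name} is accepted as a fallback"))
    return findings


def is_deployable(hashers):
    """True when no finding is an error, i.e. the primary hasher is not weak."""
    return all(sev != "error" for sev, _ in audit_password_hashers(hashers))


# Constructed samples: test-only settings that leaked, a hardened list,
# and a list that keeps MD5 only to verify legacy hashes.
LEAKED_TEST_HASHERS = [PREFIX + "MD5PasswordHasher"]
HARDENED_HASHERS = [PREFIX + "PBKDF2PasswordHasher", PREFIX + "Argon2PasswordHasher"]
LEGACY_HASHERS = [PREFIX + "PBKDF2PasswordHasher", PREFIX + "MD5PasswordHasher"]

if __name__ == "__main__":
    for label, value in [("leaked", LEAKED_TEST_HASHERS),
                         ("hardened", HARDENED_HASHERS),
                         ("legacy", LEGACY_HASHERS)]:
        print(label, is_deployable(value), audit_password_hashers(value))
```

In a real deployment the list passed in would be the effective `settings.PASSWORD_HASHERS` of the production settings module, checked in CI or at container start.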