Releases · mozilla/addons-server

Fix scanner name in reviewer tools by @willdurand in #24479
Fix scanMap logic for webhook-based scanners by @willdurand in #24480
Extract matched rules information in scanner results used by webhooks by @willdurand in #24482
Make sure 0069_add_service_accounts_to_group migration uses the primary DB by @willdurand in #24483
Add more info to reviewer tools developer profile and optimize queries by @diox in #24476
Allow users that can edit scanner webhooks to edit scanner webhook events by @diox in #24487
Also display authors links for existing blocklistsubmissions, not jus… by @diox in #24481
Run test_main* tests in CI with a minimal environment by @diox in #24496
When installing deps, don't clean existing dir if only installing dev deps by @diox in #24505
Remove the SOURCE_BUILDER_VIEWER_URL setting and related code by @willdurand in #24494
Avoid database access in tests where that's easy to do to speed them up by @diox in #24495
Fix sort by addon guid in reviewer tools developer profile by @diox in #24512
Mark the customs scanner as legacy/deprecated by @willdurand in #24510
Use yara_x in clean_yara() method when swich is enabled by @willdurand in #24511
Remove legacy customs in the django admin by @willdurand in #24514
Record an ActivityLog when session anomalies are detected for a user by @diox in #24486
Remove the file_hash argument on process_validation() because it is not used by @willdurand in #24517
Add details to activity log admin change page by @diox in #24522
Remove run_customs() and the 'enable-customs' waffle switch by @willdurand in #24516
Add a migration to remove the enable-source-builder waffle switch by @willdurand in #24523
docs: update private docs by @willdurand in #24524
Add statsd pings for webhooks by @willdurand in #24525
Remove the use of the _CUSTOMS constant in test files by @willdurand in #24526
Store IP on session anomaly activity for future investigation by @diox in #24527
Pass the event name to the webhook scanners by @willdurand in #24534
Expose content changes to content review by @diox in #24498
Additional confusable characters by @diox in #24541
Optionally link ScannerResult to ActivityLog by @willdurand in #24530
Declare the scanner field as read-only in the admin when the scanner rule has been created by @willdurand in #24532
Add new webhook event: on_version_created by @willdurand in #24545
Remove GET /scanner/results/ endpoint by @willdurand in #24543
Fix event name/id in call_webhooks by @willdurand in #24549
Remove ScannerResult.state and related code by @willdurand in #24546
Add the add-on type to the webhook event payloads by @willdurand in #24551
Appeals on listing content rejections set REQUESTED, rather than creating NHR by @eviljeff in #24544
Inherit from the addon/version serializers for the webhook event payloads by @willdurand in #24550

Dependendabots

Bump stylelint from 17.1.1 to 17.2.0 by @dependabot[bot] in #24469
Bump glob from 13.0.1 to 13.0.2 by @dependabot[bot] in #24477
Bump glob from 13.0.2 to 13.0.3 by @dependabot[bot] in #24492
Bump dotenv from 17.2.3 to 17.3.1 by @dependabot[bot] in #24491
Bump @vitest/eslint-plugin from 1.6.6 to 1.6.7 by @dependabot[bot] in #24473
Bump stylelint from 17.2.0 to 17.3.0 by @dependabot[bot] in #24489
Bump ajv from 6.12.6 to 6.14.0 by @dependabot[bot] in #24497
Bump pytest-django from 4.11.1 to 4.12.0 in /requirements by @dependabot[bot] in #24503
Bump @vitest/eslint-plugin from 1.6.7 to 1.6.9 by @dependabot[bot] in #24502
Bump django-environ from 0.12.0 to 0.12.1 in /requirements by @dependabot[bot] in #24499
Bump mysql from 8.0 to 8.0 by @dependabot[bot] in #24485
Bump sentry-sdk from 2.52.0 to 2.53.0 in /requirements by @dependabot[bot] in #24501
Bump addons-linter from 9.8.0 to 9.9.1 by @dependabot[bot] in #24506
Bump glob from 13.0.3 to 13.0.4 by @dependabot[bot] in #24507
Bump mysqlclient from 2.2.7 to 2.2.8 in /requirements by @dependabot[bot] in #24474
Bump jsdom from 27.4.0 to 28.1.0 by @dependabot[bot] in #24500
Bump homoglyphs-fork from 2.1.1 to 2.1.2 in /requirements by @dependabot[bot] in #24509
Bump minimatch by @dependabot[bot] in #24515
Bump knip from 5.83.1 to 5.84.0 by @dependabot[bot] in #24520
Bump django-environ from 0.12.1 to 0.13.0 in /requirements by @dependabot[bot] in #24521
Bump glob from 13.0.4 to 13.0.5 by @dependabot[bot] in #24519
Bump knip from 5.84.0 to 5.84.1 by @dependabot[bot] in #24528
Bump rollup from 4.55.1 to 4.59.0 by @dependabot[bot] in #24531
Bump underscore from 1.13.7 to 1.13.8 by @dependabot[bot] in #24535
Bump glob from 13.0.5 to 13.0.6 by @dependabot[bot] in #24536
Bump rich from 14.3.2 to 14.3.3 in /requirements by @dependabot[bot] in #24538
Bump responses from 0.25.8 to 0.26.0 in /requirements by @dependabot[bot] in #24539
Bump minimatch by @dependabot[bot] in #24542
Bump knip from 5.84.1 to 5.85.0 by @dependabot[bot] in #24547
Bump django-dbbackup from 5.0.0 to 5.2.0 in /requirements by @dependabot[bot] in #24478
Bump eslint from 9.39.2 to 10.0.2 by @dependabot[bot] in #24552
Bump regex from 2026.1.15 to 2026.2.19 in /requirements by @dependabot[bot] in #24540
Bump ruff from 0.14.14 to 0.15.2 in /requirements by @dependabot[bot] in #24537
Bump django-debug-toolbar from 6.1.0 to 6.2.0 in /requirements by @dependabot[bot] in #24376

Full Changelog: 2026.02.19...2026.03.05

Contributors

diox, willdurand, and 2 other contributors

Assets 2

20 Feb 10:23

diox

2026.02.19-2

22c7ade

2026.02.19-2

Cherry-picked the following commits on top of https://github.com/mozilla/addons-server/releases/tag/2026.02.19-1:

098636e

Assets 2

19 Feb 10:49

willdurand

2026.02.19-1

ae28def

2026.02.19-1

Cherry-picked the following commits on top of https://github.com/mozilla/addons-server/releases/tag/2026.02.19:

Full Changelog: 2026.02.19...2026.02.19-1

Assets 2

17 Feb 16:55

github-actions

2026.02.19

dbc6bf3

2026.02.19

This week's push hero is @diox

Previous Release: 2026.02.05-1

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

mozilla/addons-frontend@2026.02.05...2026.02.19

Addons Server Changelog:

What's Changed

Notable things shipping

reviewer tools listing content approval and rejection by @eviljeff in #24386
Display metadata and link to detail page in scanner admin query results by @diox in #24387
Fix fake FxA user auth for local environments by @diox in #24419
Remove broken urlconf_decorator - it hasn't worked in 10 years by @diox in #24421
Update elasticsearch client libraries to 8.x by @diox in #24370
Fix CSP in admin to allow django's jsi18n admin view as a script by @diox in #24422
Increase uwsgi buffer-size in local environments to match prod by @diox in #24438
Replace last_content_review_pass with content_review_status by @eviljeff in #24437
Fix admin CSP: need to use SITE_URL, not INTERNAL_SITE_URL in admin CSP by @diox in #24446
Add links to user admin page in reviewer tools review & developer profile pages by @diox in #24425
Add actions to block add-ons / view authors in scanner results admin by @diox in #24424
Allow developer requests for new content review by @eviljeff in #24420
Add yara-x behind a waffle switch by @willdurand in #24439
Developer can request a new listing content review via the API by @eviljeff in #24454
Add links to authors of add-ons in blocklist submission page by @diox in #24459
Add a new group for the service accounts created for the scanners by @willdurand in #24462
Additional confusable characters by @diox in #24468
Allow scanners to run asynchronously and send their results later by @willdurand in #24447

Dependendabots

Bump django from 4.2.27 to 4.2.28 in /requirements by @dependabot[bot] in #24412
Bump protobuf from 6.33.4 to 6.33.5 in /requirements by @dependabot[bot] in #24404
Bump sentry-sdk from 2.50.0 to 2.51.0 in /requirements by @dependabot[bot] in #24415
Bump cssselect from 1.3.0 to 1.4.0 in /requirements by @dependabot[bot] in #24417
Bump globals from 17.1.0 to 17.2.0 by @dependabot[bot] in #24413
Bump wcwidth from 0.5.0 to 0.5.2 in /requirements by @dependabot[bot] in #24423
Bump zod from 3.24.2 to 4.3.6 by @dependabot[bot] in #24391
Bump myst-parser from 4.0.1 to 5.0.0 in /requirements by @dependabot[bot] in #24352
Bump cryptography from 46.0.3 to 46.0.4 in /requirements by @dependabot[bot] in #24416
Bump knip from 5.82.1 to 5.83.0 by @dependabot[bot] in #24443
Bump addons-linter from 9.6.0 to 9.7.0 by @dependabot[bot] in #24440
Bump globals from 17.2.0 to 17.3.0 by @dependabot[bot] in #24434
Bump stylelint from 17.0.0 to 17.1.0 by @dependabot[bot] in #24430
Bump @eslint/compat from 2.0.1 to 2.0.2 by @dependabot[bot] in #24427
Bump babel from 2.17.0 to 2.18.0 in /requirements by @dependabot[bot] in #24428
Bump cryptography from 46.0.4 to 46.0.5 in /requirements by @dependabot[bot] in #24448
Bump @babel/preset-env from 7.28.6 to 7.29.0 by @dependabot[bot] in #24426
Bump proto-plus from 1.27.0 to 1.27.1 in /requirements by @dependabot[bot] in #24445
Bump pytest-split from 0.10.0 to 0.11.0 in /requirements by @dependabot[bot] in #24444
Bump wrapt from 2.0.1 to 2.1.1 in /requirements by @dependabot[bot] in #24442
Bump pyjwt from 2.10.1 to 2.11.0 in /requirements by @dependabot[bot] in #24436
Bump jquery-ui from 1.14.1 to 1.14.2 by @dependabot[bot] in #24418
Bump rich from 14.3.1 to 14.3.2 in /requirements by @dependabot[bot] in #24435
Bump wcwidth from 0.5.2 to 0.5.3 in /requirements by @dependabot[bot] in #24431
Bump dennis from 1.1.0 to 1.2.0 in /requirements by @dependabot[bot] in #24453
Bump glob from 13.0.0 to 13.0.1 by @dependabot[bot] in #24452
Bump asgiref from 3.11.0 to 3.11.1 in /requirements by @dependabot[bot] in #24451
Bump stylelint from 17.1.0 to 17.1.1 by @dependabot[bot] in #24450
Bump ipython from 9.9.0 to 9.10.0 in /requirements by @dependabot[bot] in #24429
Bump pillow from 12.1.0 to 12.1.1 in /requirements by @dependabot[bot] in #24455
Bump setuptools from 80.9.0 to 80.10.2 in /requirements by @dependabot[bot] in #24398
Bump pip from 26.0 to 26.0.1 in /requirements by @dependabot[bot] in #24457
Bump knip from 5.83.0 to 5.83.1 by @dependabot[bot] in #24465
Bump grpcio from 1.76.0 to 1.78.0 in /requirements by @dependabot[bot] in #24461
Bump sentry-sdk from 2.51.0 to 2.52.0 in /requirements by @dependabot[bot] in #24456
Bump mysql from 8.0 to 8.0 by @dependabot[bot] in #24287
Bump pycparser from 2.23 to 3.0 in /requirements by @dependabot[bot] in #24383
Bump markdown from 3.10.1 to 3.10.2 in /requirements by @dependabot[bot] in #24475
Bump dockerflow from 2024.4.2 to 2026.1.26 in /requirements by @dependabot[bot] in #24405
Bump addons-linter from 9.7.0 to 9.8.0 by @dependabot[bot] in #24470
Bump parso from 0.8.5 to 0.8.6 in /requirements by @dependabot[bot] in #24472

Full Changelog: 2026.02.05...2026.02.19

Contributors

diox, willdurand, and 2 other contributors

Assets 2

16 Feb 14:35

diox

2026.02.05-1

c5be892

2026.02.05-1

Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=2016866

Assets 2

03 Feb 17:33

github-actions

2026.02.05

2d5da98

2026.02.05

This week's push hero is @diox

Previous Release: 2026.01.22-2

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Apply webservices-infra plan from PR

Addons-Frontend Changelog:

mozilla/addons-frontend@2026.01.22...2026.02.05

Addons Server Changelog:

What's Changed

Notable things shipping

Generate service accounts when registering scanner webhooks by @willdurand in #24325
Prefer fxa_id over email when logging in, while allowing multiple accounts to have the same email by @diox in #24326
docs: update private docs to run customs as a scanner by @willdurand in #24318
Fix formatted scanner column in django admin by @willdurand in #24351
Alter field api_key on scannerwebhook to have a max length of 255 chars by @willdurand in #24357
Fix user admin page slowness for users with lots of activities by @diox in #24349
Treat 201 and 202 responses as successful when calling webhooks by @willdurand in #24359
docs: describe how to write new Node.js based scanners by @willdurand in #24358
Use HMAC-SHA256 auth scheme when calling webhooks by @willdurand in #24342
Improve NARC homoglyph handling and use faster/more powerful regex module by @diox in #24369
Replace django-extended-choices with python/django Enum classes by @eviljeff in #24360
Prevent listed versions submissions while the listing is rejected by @diox in #24367
add support for Approve marking listing content as approved by @eviljeff in #24366
Clean narc rules using regex module now that what's the task is using by @diox in #24380
Automatically hard-block add-ons an user is an author of when banning them by @diox in #24356
Add filter by webhook scanners in the scanner results Django admin by @willdurand in #24374
Stop requiring wheel anymore by @diox in #24395
Add a migration to duplicate the customs scanner rules for webhook by @willdurand in #24373
move addon_important_change to a property of the activity _LOG class by @eviljeff in #24396
Remove unused cachetools dependency by @diox in #24409
Make NARC rules configurable by @diox in #24388

Dependendabots

Bump vitest from 4.0.16 to 4.0.17 by @dependabot[bot] in #24339
Bump eslint-plugin-prettier from 5.5.4 to 5.5.5 by @dependabot[bot] in #24348
Bump knip from 5.80.2 to 5.81.0 by @dependabot[bot] in #24347
Bump google-cloud-storage from 3.7.0 to 3.8.0 in /requirements in the google group by @dependabot[bot] in #24346
Bump lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in #24350
Bump drf-yasg from 1.21.11 to 1.21.12 in /requirements by @dependabot[bot] in #24355
Bump prettier from 3.7.4 to 3.8.0 by @dependabot[bot] in #24353
Bump elasticsearch from 7.17.12 to 7.17.13 in /requirements by @dependabot[bot] in #24345
Bump tomli from 2.3.0 to 2.4.0 in /requirements by @dependabot[bot] in #24340
Bump sphinx-rtd-theme from 3.0.2 to 3.1.0 in /requirements by @dependabot[bot] in #24343
Bump wheel from 0.45.1 to 0.46.2 in /requirements by @dependabot[bot] in #24361
Bump ruff from 0.14.11 to 0.14.13 in /requirements by @dependabot[bot] in #24365
Bump addons-linter from 9.4.0 to 9.5.0 by @dependabot[bot] in #24364
Bump drf-yasg from 1.21.12 to 1.21.14 in /requirements by @dependabot[bot] in #24363
Bump stylelint and stylelint-config-standard by @dependabot[bot] in #24362
Bump knip from 5.81.0 to 5.82.0 by @dependabot[bot] in #24371
Bump django-csp from 3.8 to 4.0 in /requirements by @dependabot[bot] in #23572
Bump knip from 5.82.0 to 5.82.1 by @dependabot[bot] in #24375
Bump certifi from 2025.11.12 to 2026.1.4 in /requirements by @dependabot[bot] in #24314
Bump prettier from 3.8.0 to 3.8.1 by @dependabot[bot] in #24381
Bump markdown from 3.10 to 3.10.1 in /requirements by @dependabot[bot] in #24384
Bump ruff from 0.14.13 to 0.14.14 in /requirements by @dependabot[bot] in #24390
Bump pyparsing from 3.3.1 to 3.3.2 in /requirements by @dependabot[bot] in #24379
Bump sentry-sdk from 2.49.0 to 2.50.0 in /requirements by @dependabot[bot] in #24378
Bump drf-spectacular-sidecar from 2025.12.1 to 2026.1.1 in /requirements by @dependabot[bot] in #24305
Bump globals from 17.0.0 to 17.1.0 by @dependabot[bot] in #24392
Bump vitest from 4.0.17 to 4.0.18 by @dependabot[bot] in #24389
Bump packaging from 25.0 to 26.0 in /requirements by @dependabot[bot] in #24385
Bump pip from 25.3 to 26.0 in /requirements by @dependabot[bot] in #24401
Bump protobuf from 4.25.8 to 6.33.4 in /requirements by @dependabot[bot] in #24408
Bump rich from 14.2.0 to 14.3.1 in /requirements by @dependabot[bot] in #24400
Bump addons-linter from 9.5.0 to 9.6.0 by @dependabot[bot] in #24402
Bump wcwidth from 0.2.14 to 0.5.0 in /requirements by @dependabot[bot] in #24406

Full Changelog: 2026.01.22...2026.02.05

Contributors

diox, willdurand, and 2 other contributors

Assets 2

27 Jan 16:01

diox

2026.01.22-2

a2cebd4

2026.01.22-2

Cherry-picked eb50f7c on top of https://github.com/mozilla/addons-server/releases/tag/2026.01.22-1

Assets 2

22 Jan 11:42

willdurand

2026.01.22-1

e9564e4

2026.01.22-1

Cherry-picked 0fe6ca0 on top of https://github.com/mozilla/addons-server/releases/tag/2026.01.22

Assets 2

20 Jan 15:39

github-actions

2026.01.22

4dea90a

2026.01.22

This week's push hero is @eviljeff

Previous Release: 2026.01.08

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Deploy mozilla/webservices-infra#9094 to prod (already should have been deployed to dev/stage)

Releases: mozilla/addons-server

2026.03.05-1

Uh oh!

2026.03.05

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

Addons Server Changelog:

What's Changed

Notable things shipping

Dependendabots

Contributors

Uh oh!

2026.02.19-2

Uh oh!

2026.02.19-1

Uh oh!

2026.02.19

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

Addons Server Changelog:

What's Changed

Notable things shipping

Dependendabots

Contributors

Uh oh!

2026.02.05-1

Uh oh!

2026.02.05

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

Addons Server Changelog:

What's Changed

Notable things shipping

Dependendabots

Contributors

Uh oh!

2026.01.22-2

Uh oh!

2026.01.22-1

Uh oh!

2026.01.22

Blockers:

Cherry-picks:

Before we push:

Before we start:

Before we promote:

After we're done:

Addons-Frontend Changelog:

Addons Server Changelog:

Contributors

Uh oh!