Tags: inventree/InvenTree
Make plugin registry hash independent of plugin discovery order (#12151… …) (#12152)

* Make plugin registry hash independent of plugin discovery order

calculate_plugin_hash() iterates self.plugins.items() in insertion order, which is the plugin discovery order of the local process. Two processes can hold the same registry state (same plugins, versions, active flags) in a different order and compute different hashes, ping-ponging the _PLUGIN_REGISTRY_HASH setting and triggering endless registry reloads in check_reload().

Sort by slug before hashing so the hash represents the registry state rather than the iteration order of any particular process.

Add a regression test that reverses the plugin dict and asserts the hash is unchanged.

* Address review comments: explicit sort key, guard against vacuous test

---------

Co-authored-by: Christopher Johnson <keitonasawa@gmail.com>
Co-authored-by: Nasawa <christopher@anigeek.com>

fix(tasks): bypass Invoke PTY for interactive superuser/flush commands (#12078) (#12106)

* fix(tasks): bypass Invoke PTY for interactive superuser/flush commands

Docker TTY sessions could drop the first keypress and stall at the username prompt when using invoke superuser (and interactive flush). Run these interactive management commands via direct subprocess stdio instead of Invoke PTY mediation.

Refs #11751.

* chore: remove changelog entry per review

(cherry picked from commit 245ead2)

Co-authored-by: getpwnam <cp@evilbit.co.uk>

chore(deps): bump idna from 3.13 to 3.15 in /contrib/dev_reqs (#11970) (#11983)

* chore(deps): bump idna from 3.13 to 3.15 in /contrib/dev_reqs

Bumps [idna](https://github.com/kjd/idna) from 3.13 to 3.15.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.13...v3.15)

---
updated-dependencies:
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix style

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Matthias Mair <code@mjmair.com>

(cherry picked from commit 65d15a5)

# Conflicts:
#	contrib/dev_reqs/requirements.txt
#	docs/requirements.txt
#	src/backend/requirements-3.14.txt
#	src/backend/requirements-dev-3.14.txt
#	src/backend/requirements-dev.txt
#	src/backend/requirements.txt

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Backport (#11686)

* Ensure the MeUserSerializer correctly marks fields as read-only
* fix behaviour
* Add note to plugin docs.
* Adjust logic for PluginListTable
* Add superuser scope to PluginInstall API endpoint
* Update unit test for API endpoint
* Explicitly set PLUGINS_INSTALL_DISABLED if PLUGINS_ENABLED = False
* Check for superuser permission in installer.py
* Additional user checks
* Sanitize package name to protect against OS command injection
* fix(security): use SandboxedEnvironment for PART_NAME_FORMAT rendering

  - Switch jinja2.Environment to jinja2.sandbox.SandboxedEnvironment in part/helpers.py to prevent SSTI via template tags in PART_NAME_FORMAT.
  - Set pk=1 on the dummy Part instance in the validator to ensure conditional expressions like {% if part.pk %} are properly evaluated during validation, closing the sandbox bypass vector.

  Fixes GHSA-84jh-x777-8pqq

* Disable some unit tests for backport
* Fix SSRF in remote image download

  Add IP address validation to prevent Server-Side Request Forgery when downloading images from remote URLs. The resolved IP is now checked against private, loopback, link-local, and reserved ranges before connecting.

  Redirects are followed manually (up to 5 hops) with SSRF validation at each step, preventing redirect-based bypass of URL format checks.

* Style fixes
* fix styles
* fix test
* Reintroduce unit tests

---------

Co-authored-by: Paul <morimori-dev@github.com>
Co-authored-by: tikket1 <chrisveres1@gmail.com>
Co-authored-by: Matthias Mair <code@mjmair.com>

Security backport (#11584)

* Improvements for get_bulk_queryset (#11581)

  * Improvements for get_bulk_queryset
    - Limit scope to base view queryset
    - Remove ability to provide arbitrary filters
    - Remove feedback if zero items are found
  * Adjust unit test
  * Remove filter test
  * Update CHANGELOG.md

* Refactoring for report helper functions (#11579)

  * Refactoring for media file report helper functions
  * Updated unit tests
  * Improved error handling
  * Generic path return for asset
  * Fix return type annotations
  * Fix existing test
  * Tweaked unit test

* Collect static files in CI
* Run static step for all DB tests
* Update action.yaml
* Fix for action.yaml
* Updated unit tests