Merge branch '6.x' into localizable-asset-meta-data

Author: jackmcdade

.claude/skills/changelog/SKILL.md

@@ -15,7 +15,7 @@ Run `git --no-pager log $(git describe --tags --abbrev=0)..HEAD --oneline --no-d
 For each commit:
 - Extract the PR number from the commit message (e.g., `(#13331)`)
 - Remove the commit SHA and `[6.x]` prefix from the message
-- Fetch the PR author from GitHub using `gh pr view <number> --json author --jq '.author.login'` for all PRs in a single command.
+- Fetch the PR author from GitHub using a sequential loop — do NOT use parallel background jobs (`&`) as they interleave stdout unpredictably. Use: `for pr in <numbers>; do echo -n "PR $pr: "; gh pr view $pr --json author --jq '.author.login'; done`
 
 ## 3. Skip certain commits
 

.github/workflows/tests.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       matrix:
         php: [8.3, 8.4, 8.5]
-        laravel: [12.*]
+        laravel: [12.*, 13.*]
         stability: [prefer-lowest, prefer-stable]
         os: [ubuntu-latest]
         include:

.storybook/preview.ts

@@ -8,12 +8,14 @@ import './theme.css';
 import {translate} from '@/translations/translator';
 import registerUiComponents from '@/bootstrap/ui';
 import DateFormatter from '@/components/DateFormatter';
+import NumberFormatter from '@/components/NumberFormatter';
 import cleanCodeSnippet from './clean-code-snippet';
 import PortalVue from 'portal-vue';
 import FullscreenHeader from '@/components/publish/FullscreenHeader.vue';
 import Portal from '@/components/portals/Portal.vue';
 import PortalTargets from '@/components/portals/PortalTargets.vue';
 import {keys, portals, slug, stacks} from '@api';
+import useGlobalEventBus from '@/composables/global-event-bus';
 
 // Intercept Inertia navigation and log to Actions tab.
 router.on('before', (event) => {
@@ -36,6 +38,9 @@ setup(async (app) => {
                       lang: 'en',
                   }],
                   selectedSite: 'default',
+                  lang: 'en',
+                  asciiReplaceExtraSymbols: false,
+                  charmap: { currency: {}, currency_short: {} },
               };
 
               return config[key] ?? null;
@@ -46,15 +51,20 @@ setup(async (app) => {
               //
           }
       },
+      $events: useGlobalEventBus(),
       $progress: {
           loading(name, loading) {
               //
-          }
+          },
+          complete(name) {
+              //
+          },
       }
   };
 
   app.config.globalProperties.__ = translate;
   app.config.globalProperties.$date = new DateFormatter;
+  app.config.globalProperties.$number = new NumberFormatter;
   app.config.globalProperties.cp_url = (url) => url;
   app.config.globalProperties.$portals = portals;
   app.config.globalProperties.$stacks = stacks;

CHANGELOG.md

@@ -1,12 +1,16 @@
-If you discover a security vulnerability in Statamic, please review the following guidelines before submitting a report. We take security very seriously, and we do our best to resolve security issues as quickly as possible.
+If you discover a security vulnerability in Statamic, please review the following guidelines before submitting a report. We take security seriously and do our best to resolve security issues as quickly as possible.
 
 ## Guidelines
 While working to identify potential security vulnerabilities in Statamic, we ask that you:
 
 - **Privately** share any issues that you discover with us via support@statamic.com as soon as possible.
-- Give us a reasonable amount of time to address any reported issues before publicizing them.
-- Only report issues that are in scope.
-- Provide a quality report with precise explanations and concrete attack scenarios.
+- Give us a **reasonable amount of time** to address any reported issues before publicizing them.
+- **Only** report issues that are in scope.
+- Provide a **quality report** with precise explanations and concrete attack scenarios.
+- Do not submit reports generated by automated tools, AI/LLM assistants, or vulnerability scanners without **independent verification**. Reports showing signs of automated generation may be closed without review.
+- **Submit one report at a time.** Multiple simultaneous reports from the same person may be treated as spam and closed.
+- **We do not operate a paid bug bounty program.** We do not offer monetary compensation for cold vulnerability reports without a prior engagement agreement.
+- Abuse of the security advisory system, including bulk or automated submissions, may be reported to GitHub and result in account suspension.
 
 ## Scope
 We are only interested in vulnerabilities that affect Statamic itself, tested against **your own local installation** of the software, running the latest version. You can install a local copy of Statamic by following these [installation instructions](https://statamic.dev/installing). Do not test against any Statamic installation that you don’t own, including [statamic.com](https:/statamic.com), [statamic.dev](https://statamic.dev), and [demo.statamic.com](https://demo.statamic.com).

SECURITY.md

@@ -16,7 +16,7 @@
         "guzzlehttp/guzzle": "^6.3 || ^7.0",
         "inertiajs/inertia-laravel": "^2.0",
         "james-heinrich/getid3": "^1.9.21",
-        "laravel/framework": "^12.40.0",
+        "laravel/framework": "^12.40.0 || ^13.0",
         "laravel/prompts": "^0.3.0",
         "league/commonmark": "^2.2",
         "league/csv": "^9.0",
@@ -25,17 +25,17 @@
         "michelf/php-smartypants": "^1.8.1",
         "nesbot/carbon": "^3.0",
         "pixelfear/composer-dist-plugin": "^0.1.4",
-        "pragmarx/google2fa": "^8.0",
-        "rebing/graphql-laravel": "^9.8",
+        "pragmarx/google2fa": "^8.0 || ^9.0",
+        "rebing/graphql-laravel": "^9.15",
         "rhukster/dom-sanitizer": "^1.0.7",
         "spatie/blink": "^1.3",
         "spatie/error-solutions": "^1.0 || ^2.0",
         "statamic/stringy": "^3.1.2",
-        "stillat/blade-parser": "^2.0",
-        "symfony/http-foundation": "^7.3.7",
-        "symfony/lock": "^7.0.3",
-        "symfony/var-exporter": "^7.0.3",
-        "symfony/yaml": "^7.0.3",
+        "stillat/blade-parser": "^2.1",
+        "symfony/http-foundation": "^7.3.7 || ^8.0",
+        "symfony/lock": "^7.0.3 || ^8.0",
+        "symfony/var-exporter": "^7.0.3 || ^8.0",
+        "symfony/yaml": "^7.0.3 || ^8.0",
         "ueberdosis/tiptap-php": "^2.0",
         "voku/portable-ascii": "^2.0.2",
         "web-auth/webauthn-lib": "~5.2.0",
@@ -48,9 +48,9 @@
         "google/cloud-translate": "^1.6",
         "laravel/pint": "1.16.0",
         "mockery/mockery": "^1.6.10",
-        "orchestra/testbench": "^10.8",
+        "orchestra/testbench": "^10.8 || ^11.0",
         "phpunit/phpunit": "^11.5.3",
-        "spatie/laravel-ray": "^1.42"
+        "spatie/laravel-ray": "^1.43.6"
     },
     "conflict": {
         "algolia/algoliasearch-client-php": "<4.32"
@@ -115,7 +115,10 @@
     "autoload-dev": {
         "psr-4": {
             "Tests\\": "tests",
-            "Foo\\Bar\\": "tests/Fixtures/Addon"
+            "Foo\\Bar\\": "tests/Fixtures/Addon",
+            "App\\": "tests/Fixtures/App/"
         }
-    }
+    },
+    "minimum-stability": "dev",
+    "prefer-stable": true
 }

composer.json

@@ -27,6 +27,18 @@
         'users' => false,
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Authentication
+    |--------------------------------------------------------------------------
+    |
+    | By default, the GraphQL API will be publicly accessible. However, you
+    | may define an API token here which will be used to authenticate requests.
+    |
+    */
+
+    'auth_token' => env('STATAMIC_GRAPHQL_AUTH_TOKEN'),
+
     /*
     |--------------------------------------------------------------------------
     | Queries

config/graphql.php

@@ -181,6 +181,18 @@
 
     'elevated_session_duration' => 15,
 
+    /*
+    |--------------------------------------------------------------------------
+    | Two-Factor Authentication
+    |--------------------------------------------------------------------------
+    |
+    | Here you may disable two-factor authentication entirely. This can be
+    | useful on local or staging environments, or when using OAuth.
+    |
+    */
+
+    'two_factor_enabled' => env('STATAMIC_TWO_FACTOR_ENABLED', true),
+
     /*
     |--------------------------------------------------------------------------
     | Enforce Two-Factor Authentication