Merge branch 'develop'

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/check.yml

@@ -4,14 +4,24 @@ on:
   push:
     branches:
       - develop
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+
+permissions:
+  contents: read
 
 jobs:
   build:
     name: Check code quality.
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
       - name: Clone the repository.
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Get packages for the Flutter project.
         run: scripts/pub_get_all.sh

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

.github/workflows/release.yml

@@ -10,13 +10,18 @@ jobs:
     name: Build and release artifacts.
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-java@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # v4.2.2
         with:
           distribution: 'zulu'
           java-version: '17'
 
       - name: Clone the repository.
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Get packages for the Flutter project.
         run: scripts/pub_get_all.sh
@@ -66,14 +71,14 @@ jobs:
           AVES_GOOGLE_API_KEY: ${{ secrets.AVES_GOOGLE_API_KEY }}
 
       - name: Create a release with the APK and App Bundle.
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           artifacts: "outputs/*"
           body: "[Changelog](https://github.com/${{ github.repository }}/blob/develop/CHANGELOG.md#${{ github.ref_name }})"
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload app bundle
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: appbundle
           path: outputs/app-play-release.aab
@@ -83,15 +88,20 @@ jobs:
     needs: [ build ]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Get appbundle from artifacts.
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: appbundle
 
       - name: Release app to beta channel.
-        uses: r0adkll/upload-google-play@v1.1.3
+        uses: r0adkll/upload-google-play@935ef9c68bb393a8e6116b1575626a7f5be3a7fb # v1.1.3
         with:
           serviceAccountJsonPlainText: ${{ secrets.PLAYSTORE_ACCOUNT_KEY }}
           packageName: deckers.thibault.aves

.github/workflows/scorecards.yml

@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: ["develop"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        with:
+          sarif_file: results.sarif

.pre-commit-config.yaml

@@ -0,0 +1,18 @@
+repos:
+- repo: https://github.com/gherynos/pre-commit-java
+  rev: v0.2.4
+  hooks:
+  - id: Checkstyle
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+  rev: 3.0.0
+  hooks:
+  - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace

CHANGELOG.md

@@ -4,6 +4,21 @@ All notable changes to this project will be documented in this file.
 
 ## <a id="unreleased"></a>[Unreleased]
 
+## <a id="v1.11.10"></a>[v1.11.10] - 2024-09-01
+
+### Added
+
+- Swedish translation (thanks Shift18, Andreas Håll)
+
+### Changed
+
+- request notification permission when launching scanning service
+- upgraded Flutter to stable v3.24.1
+
+### Fixed
+
+- duplicates from new item loading/refreshing
+
 ## <a id="v1.11.9"></a>[v1.11.9] - 2024-08-07
 
 ### Added

android/app/src/main/AndroidManifest.xml

@@ -76,7 +76,7 @@
     -->
     <uses-sdk tools:overrideLibrary="com.arthenica.ffmpegkit.flutter" />
 
-    <!-- from Android 11, we should define <queries> to make other apps visible to this app -->
+    <!-- from Android 11 (API 30), we should define <queries> to make other apps visible to this app -->
     <queries>
         <intent>
             <action android:name="android.intent.action.MAIN" />
@@ -92,7 +92,7 @@
             <data android:mimeType="video/*" />
         </intent>
         <!--
-        from Android 11, `url_launcher` method `canLaunchUrl()` will return false,
+        from Android 11 (API 30), `url_launcher` method `canLaunchUrl()` will return false,
         if appropriate intents are not declared, cf https://pub.dev/packages/url_launcher#configuration=
         -->
         <!-- to open https URLs -->

android/app/src/main/kotlin/deckers/thibault/aves/utils/PermissionManager.kt

@@ -96,7 +96,7 @@ object PermissionManager {
                 segments.volumePath?.let { volumePath ->
                     val dirSet = dirsPerVolume[volumePath] ?: HashSet()
                     if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
-                        // request primary directory on volume from Android 11
+                        // request primary directory on volume from Android 11 (API 30)
                         val relativeDir = segments.relativeDir
                         if (relativeDir != null) {
                             val dirSegments = relativeDir.split(File.separator).takeWhile { it.isNotEmpty() }
@@ -172,7 +172,6 @@ object PermissionManager {
         val accessibleDirs = HashSet(getGrantedDirs(context))
         accessibleDirs.addAll(context.getExternalFilesDirs(null).filterNotNull().map { it.path })
 
-        // from API 19 / Android 4.4 / KitKat, removable storage requires access permission, at the file level
         // from API 21 / Android 5.0 / Lollipop, removable storage requires access permission, but directory access grant is possible
         // from API 30 / Android 11 / R, any storage requires access permission
         if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.Q) {

android/app/src/main/kotlin/deckers/thibault/aves/utils/StorageUtils.kt

@@ -565,7 +565,7 @@ object StorageUtils {
         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q && isMediaStoreContentUri(uri)) {
             val path = uri.path
             path ?: return uri
-            // from Android 11, accessing the original URI for a `file` or `downloads` media content yields a `SecurityException`
+            // from Android 11 (API 30), accessing the original URI for a `file` or `downloads` media content yields a `SecurityException`
             if (path.startsWith(IMAGE_PATH_ROOT) || path.startsWith(VIDEO_PATH_ROOT)) {
                 // "Caller must hold ACCESS_MEDIA_LOCATION permission to access original"
                 if (context.checkSelfPermission(Manifest.permission.ACCESS_MEDIA_LOCATION) == PackageManager.PERMISSION_GRANTED) {

android/app/src/main/res/values-sv/strings.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <resources>
     <string name="app_name">Aves</string>
-    <string name="app_widget_label">Foto Ram</string>
+    <string name="app_widget_label">Fotoram</string>
     <string name="wallpaper">Bakgrund</string>
     <string name="safe_mode_shortcut_short_label">Felsäkert läge</string>
     <string name="videos_shortcut_short_label">Videor</string>

android/exifinterface/src/main/java/androidx/exifinterface/media/ExifInterfaceFork.java

@@ -6808,6 +6808,11 @@ private void parseTiffHeaders(ByteOrderedDataInputStream dataInputStream) throws
         }
         firstIfdOffset -= 8;
         if (firstIfdOffset > 0) {
+            // TLAD start
+            if (firstIfdOffset > ATTRIBUTE_SIZE_DANGER_THRESHOLD) {
+                throw new IOException("dangerous IFD offset=" + firstIfdOffset);
+            }
+            // TLAD end
             dataInputStream.skipFully(firstIfdOffset);
         }
     }

fastlane/metadata/android/en-US/changelogs/129.txt

@@ -0,0 +1,3 @@
+In v1.11.10:
+- enjoy the app in Swedish
+Full changelog available on GitHub

fastlane/metadata/android/en-US/changelogs/12901.txt

@@ -0,0 +1,3 @@
+In v1.11.10:
+- enjoy the app in Swedish
+Full changelog available on GitHub

fastlane/metadata/android/sv/full_description.txt

@@ -1,5 +1,5 @@
-<i>Aves</i> kan hantera alla typer av bilder och videor, inklusive vanliga JPEG- och MP4-filer, men även mer exotiska filer som <b>flersidiga TIFF-filer, SVG-filer, gamla AVI-filer och mycket mer</b>! Den skannar din mediasamling för att identifiera <b>rörelsefoton</b>, <b>panoramor</b> (även kallade fotosfärer), <b>360° videor</b>, samnt <b>GeoTIFF</b> filer.
+<i>Aves</i> kan hantera alla typer av bilder och videor, inklusive dina vanliga JPEG- och MP4-filer, men även mer exotiska filer som <b>flersidiga TIFF-filer, SVG-filer, gamla AVI-filer och mycket mer</b>! Den skannar din mediasamling för att identifiera <b>rörelsefoton</b>, <b>panoramabilder</b> (även kallade fotosfärer), <b>360° videor</b>, samt <b>GeoTIFF</b> filer.
 
-<b>Navigering och sökhantering</b> är än viktigt del av <i>Aves</i>. Målet är att användarna på ett smidigt sätt ska kunna gå från album till foton till taggar till kartor, osv.
+<b>Navigering och sökhantering</b> är än viktigt del av <i>Aves</i>. Målet är att användarna på ett smidigt sätt ska kunna gå från album till foton till etiketter till kartor, osv.
 
 <i>Aves</i> integrerar med Android (från KitKat till Android 14, inklusive Android TV) med funktioner som <b>widgetar</b>, <b>appgenvägar</b>, <b>skärmsläckare</b> och <b>global sökhantering.</b> Den fungerar också som en <b>mediavisare och mediaväljare</b>.

lib/l10n/app_de.arb

@@ -1374,5 +1374,21 @@
   "videoRepeatActionSetEnd": "Ende festlegen",
   "@videoRepeatActionSetEnd": {},
   "chipActionShowCollection": "In Sammlung anzeigen",
-  "@chipActionShowCollection": {}
+  "@chipActionShowCollection": {},
+  "sortByDuration": "Nach Dauer",
+  "@sortByDuration": {},
+  "sortOrderShortestFirst": "Kurze zuerst",
+  "@sortOrderShortestFirst": {},
+  "sortOrderLongestFirst": "Lange zuerst",
+  "@sortOrderLongestFirst": {},
+  "explorerActionSelectStorageVolume": "Speicher auswählen",
+  "@explorerActionSelectStorageVolume": {},
+  "selectStorageVolumeDialogTitle": "Speicher auswählen",
+  "@selectStorageVolumeDialogTitle": {},
+  "setHomeCustom": "Benutzerdefiniert",
+  "@setHomeCustom": {},
+  "chipActionGoToExplorerPage": "Im Explorer anzeigen",
+  "@chipActionGoToExplorerPage": {},
+  "explorerPageTitle": "Explorer",
+  "@explorerPageTitle": {}
 }

lib/l10n/app_hi.arb

@@ -544,5 +544,15 @@
   "authenticateToConfigureVault": "वॉल्ट को कॉन्फ़िगर करने के लिए प्रमाणीकरण करें",
   "@authenticateToConfigureVault": {},
   "renameAlbumDialogLabelAlreadyExistsHelper": "डायरेक्टरी पहले से मौजूद",
-  "@renameAlbumDialogLabelAlreadyExistsHelper": {}
+  "@renameAlbumDialogLabelAlreadyExistsHelper": {},
+  "videoRepeatActionSetEnd": "एण्ड सेट करे",
+  "@videoRepeatActionSetEnd": {},
+  "chipActionShowCountryStates": "राज्यों को दिखाएं",
+  "@chipActionShowCountryStates": {},
+  "chipActionConfigureVault": "वॉल्ट को कॉन्फ़िगर करें",
+  "@chipActionConfigureVault": {},
+  "videoActionABRepeat": "A-B दोहराव",
+  "@videoActionABRepeat": {},
+  "videoRepeatActionSetStart": "स्टार्ट सेट करे",
+  "@videoRepeatActionSetStart": {}
 }

lib/l10n/app_id.arb

@@ -1380,5 +1380,15 @@
   "selectStorageVolumeDialogTitle": "Pilih Penyimpanan",
   "@selectStorageVolumeDialogTitle": {},
   "setHomeCustom": "Kustom",
-  "@setHomeCustom": {}
+  "@setHomeCustom": {},
+  "explorerPageTitle": "Explorer",
+  "@explorerPageTitle": {},
+  "sortOrderLongestFirst": "Yang terpanjang dulu",
+  "@sortOrderLongestFirst": {},
+  "sortByDuration": "Berdasarkan durasi",
+  "@sortByDuration": {},
+  "sortOrderShortestFirst": "Yang terpendek dulu",
+  "@sortOrderShortestFirst": {},
+  "chipActionGoToExplorerPage": "Tampilkan di Explorer",
+  "@chipActionGoToExplorerPage": {}
 }