* SECURITY
  * Sanitize uploaded file names (#5571) (#5573)
  * HTMLEncode user added text (#5570) (#5575)
* BUGFIXES
  * Fix indexer reindex bug when gitea restart (#5563) (#5564)
  * Remove a double slash in the HTTPS redirect with Let's Encrypt (#5537) (#5539)
  * Fix bug when a read perm user to edit his issue (#5516) (#5534)
  * Detect force push failure on deletion of protected branches (#5522) (#5531)
  * Let's Encrypt handler listens on correct port for certificate validation (#5525) (#5527)
  * Fix forgot deletion of notification when delete repository (#5506) (#5514)
  * Fix undeleted content when deleting user (#5429) (#5509)
  * Fix empty wiki (#5504) (#5508)

* BUGFIXES
  * Fix dependent issue searching when gitea is run in subpath (#5392) (#5400)
  * API: '/orgs/:org/repos': return private repos with read access (#5393)
  * Fix repository deletion when there is large number of issues in it (#5426) (#5434)
  * Word-break the WebHook url to prevent a ui-break (#5445)
  * Admin should be able to delete repos via the API even if they are not a member of the organization (#5443) (#5447)
  * Ensure that the `closed_at` is set for closed (#5450)
  * Fix topic name length on database (#5493) (#5495)

* BREAKING
  * Respect email privacy option in user search via API (#4512)
  * Simply remove tidb and deps (#3993)
  * Swagger.v1.json template (#3572)
* SECURITY
  * Add CSRF checking to reqToken and add reqToken to admin API routes (#5272) (#5250)
  * Improve URL validation for external wiki  and external issues (#4710)
  * Make cookies HttpOnly and obey COOKIE_SECURE flag (#4706)
  * Don't disclose emails of all users when sending out emails (#4664)
  * Check that repositories can only be migrated to own user or organizations (#4366)
* FEATURE
  * Add comment replies (#5147) (#5104)
  * Pull request review/approval and comment on code (#3748)
  * Added dependencies for issues (#2196) (#2531)
  * Add the ability to have built in themes in Gitea and provide dark theme arc-green (#4198)
  * Add sudo functionality to the API (#4809)
  * Add oauth providers via cli (#4591)
  * Disable merging a WIP Pull request (#4529)
  * Force user to change password (#4489)
  * Add letsencrypt to Gitea (#4189)
  * Add push webhook support for mirrored repositories (#4127)
  * Add csv file render support defaultly (#4105)
  * Add Recaptcha functionality to Gitea (#4044)
* ENHANCEMENT
  * Fix milestones sorted wrongly (#4987)
  * Allow api to create tags for releases if they don't exist (#4890)
  * Fix #4877 to follow the OpenID Connect Audiences spec (#4878)
  * Enforce token on api routes [fixed critical security issue #4357] (#4840)
  * Update legacy branch and tag URLs in dashboard to new format (#4812)
  * Slack webhook channel name cannot be empty or just contain an hashtag (#4786)
  * Add whitespace handling to PR-comparsion (#4683)
  * Make reverse proxy auth optional (#4643)
  * MySQL TLS (#4642)
  * Make sure to set PR split view when creating/previewing a pull request  (#4617)
  * Log user in after a successful sign up (#4615)
  * Fix typo IsPullReuqestBroken -> IsPullRequestBroken (#4578)
  * Allow admin toggle forcing a password change for newly created users (#4563)
  * Update jQuery to v1.12.4 (#4551)
  * Env var GITEA_PUSHER_EMAIL (#4516)
  * Feat(repo): support search repository by topic name (#4505)
  * Small improvements to dependency UI (#4503)
  * Make max commits in graph configurable (#4498)
  * Add valid for lfs oid (#4461)
  * Add shortcut to save wiki page (#4452)
  * Allow administrator to create repository for any organization (#4368)
  * Fix repository last updated time update when delete a user who watched the repo (#4363)
  * Switch plaintext scratch tokens to use hash instead (#4331)
  * Increase default TOTP secret size to 320 bits (#4287)
  * Keep preseeded database password (#4284)
  * Implemented hover text showing user FullName (#4261)
  * Add ability to delete a token (#4235)
  * Fix typos in i18n variable names. (#4080)
  * Api: repos/search: add parameters to control the sort order (#3964)
  * Add missing path in the Docker app.ini template (#2181)
  * Add file name and branch to page title (#4902)
  * Offline use of google fonts (#4872)
  * Add missing History link to directory listings v2 (#4829)
  * Locale for Edit and Remove due date issue (#4802)
  * Disable 'May Import Local Repository' when is disabled by setting (Is… (#4780)
  * API /admin/users/{username} missing parameter (#4775)
  * Display error when adding a user to a team twice (#4746)
  * Remove UsePrivilegeSeparation from the Docker sshd_config, see #2876 (#4722)
  * Focus title input when clicking helper link (#4696)
  * Add vendor to user reserved words and format words list according alphabet (#4685)
  * Add gitea/issues link to 500 page (#4654)
  * Hide home button when landing page is not set to home (#4651)
  * Remove link to GitHub issues in 404 template (#4639)
  * Cmd/serve: pprof cpu and memory profile dumps to disk (#4560)
  * Add flash message after an account has been successfully activated (#4510)
  * Prevent html entity escaping on delete branch (#4471)
  * Locale for button Edit on protected branch (#4442)
  * Update notification icon (#4343)
  * Added front-end topics validation (#4316)
  * Don't display buttons if there are no system notifications (#4280)
  * Issue due date api (#3890)
* BUGFIXES
  * dont' send assign webhooks when creating issue (#5365)
  * Fix create team, update team missing units (#5188)
  * Fix file edit change preview functionality (#5300)
  * *ix bug when users have serval teams with different units on different repositories (#5307)
  * Fix U2F if gitea is configured in subpath (#5302)
  * Fix markdown image with link (#4675)
  * Remove maxlines option for file logger (#5282)
  * Fix wrong api request url for instances running in subfolders (#5261) (#5247)
  * Accept web-command cli flags if web-command is commited (#5245) (#5200)
  * Reduce join star, repo_topic, topic tables on repo search, to resolve extra columns problem on MSSQL (#5136) (#5229)
  * Fix data race on migrate repository (#5224) (#5230)
  * Add secret to all webhook's payload where it has been missing (#5208) (#5199)
  * Fix sqlite and MSSQL lock (#5210) (#5223) (#5214) (#5218) (#5176) (#5179)
  * Fix race on updatesize (#5190) (#5215)
  * Fix filtering issues by tags on main screen issues (#5219) (#3824)
  * Fix SQL quoting (#5137) (#5117)
  * Fix regex to support optional end line of old section in diff hunk (#5097) (#5096)
  * Fix release creation via API (#5076)
  * Remove links from topics in edit mode  (#5026)
  * Fix missing AppSubUrl in few more templates (fixup) (#5021)
  * Fix missing AppSubUrl in some templates (#5020)
  * Hide outdated comments in file view (#5017)
  * Upgrade gopkg.in/testfixtures.v2 (#4999)
  * Disable debug routes unless PPROF is enabled in configuration (#4995)
  * Fix user menu item styling (#4985)
  * Fix layout of the topics editing form (#4971)
  * Fix null pointer dereference in ParseCommitWithSignature (#4962)
  * Fix url in discord webhook (#4953)
  * Detect charset and convert non UTF-8 files for display (#4950)
  * Make sure to catch the right error so it is displayed on the UI (#4945)
  * Fix(topics): don't redirect to explore page. (#4938)
  * Fix bug forget to remove Stopwatch when remove repository (#4928)
  * Fix bug when repo remained bare if multiple branches pushed in single push (#4923)
  * Fix: Crippled diff (#4726) (#4900)
  * Fix trimming of markup section names (#4863)
  * Issues api allow pulls and fix #4832 (#4852)
  * Do not autocreate directory for new users/orgs (#4828) (#4849)
  * Fix redirect with non-ascii branch names (#4764) (#4810)
  * Fix missing release title in webhook (#4783) (#4796)
  * User shouldn't be able to approve or reject his/her own PR (#4729)
  * Make sure to reset commit count in the cache on mirror syncing (#4720)
  * Fixed bug where team with admin privelege type doesn't get any unit  (#4719)
  * Fix incorrect caption of webhook setting (#4701) (#4717)
  * Allow WIP marker to contains < or > (#4709)
  * Hide org/create menu item in Dashboard if user has no rights (#4678) (#4680)
  * Site admin could create repos even MAX_CREATION_LIMIT=0 (#4645)
  * Fix custom templates being ignored (#4638)
  * Fix starring icon after semantic ui update (#4628)
  * Fix Split-View line adjustment (#4622)
  * Fix integer constant overflows in tests (#4616)
  * Push whitelist now doesn't apply to branch deletion (#4601) (#4607)
  * Fix bugs when too many IN variables (#4594)
  * Fix failure on creating pull request with assignees (#4419) (#4583)
  * Fix panic issue on update avatar email (#4580) (#4581)
  * Fix status code label for a successful webhook (#4540)
  * An inactive user shouldn't be able to be added as a collaborator (#4535)
  * Don't fail silently if trying to add a collaborator twice (#4533)
  * Fix incorrect MergeWhitelistTeamIDs check in CanUserMerge function (#4519) (#4525)
  * Fix out-of-transaction query in removeOrgUser (#4521) (#4522)
  * Fix migration from older releases (#4495)
  * Accept 'Data:' in commit graph (#4487)
  * Update xorm to latest version and fix correct `user` table referencing in sql (#4473)
  * Relative URLs for LibreJS page (#4460)
  * Redirect to correct page after using scratch token (#4458)
  * Fix column droping for MSSQL that need new transaction for that (#4440)
  * Replace src with raw to fix image paths (#4377)
  * Add default merge options when creating new repository (#4369)
  * Fix docker build (#4358)
  * Fixes repo membership check in API (#4341)
  * Dep upgrade mysql lib (#4161)
  * Fix some issues with special chars in branch names (#3767)
  * Responsive design fixes (#4508)
* TRANSLATION
  * Fix punctuation in English translation (#4958)
  * Fix translation (#4355)

* SECURITY
  * Add CSRF checking to reqToken and add reqToken to admin API routes (#5272) (#5250)
* FEATURE
  * Add comment replies (#5147) (#5104)
* BUGFIXES
  * Fix wrong api request url for instances running in subfolders (#5261) (#5247)
  * Accept web-command cli flags if web-command is commited (#5245) (#5200)
  * Reduce join star, repo_topic, topic tables on repo search, to resolve extra columns problem on MSSQL (#5136) (#5229)
  * Fix data race on migrate repository (#5224) (#5230)
  * Add secret to all webhook's payload where it has been missing (#5208) (#5199)
  * Fix sqlite and MSSQL lock (#5210) (#5223) (#5214) (#5218) (#5176) (#5179)
  * Fix race on updatesize (#5190) (#5215)
  * Fix filtering issues by tags on main screen issues (#5219) (#3824)
  * Fix SQL quoting (#5137) (#5117)
  * Fix regex to support optional end line of old section in diff hunk (#5097) (#5096)

* SECURITY
  * Fix remote command execution vulnerability in upstream library (#5177) (#5196)

* BREAKING
  * Respect email privacy option in user search via API (#4512)
  * Simply remove tidb and deps (#3993)
  * Swagger.v1.json template (#3572)
* FEATURE
  * Pull request review/approval and comment on code (#3748)
  * Added dependencies for issues (#2196) (#2531)
  * Add the ability to have built in themes in Gitea and provide dark theme arc-green (#4198)
  * Add sudo functionality to the API (#4809)
  * Add oauth providers via cli (#4591)
  * Disable merging a WIP Pull request (#4529)
  * Force user to change password (#4489)
  * Add letsencrypt to Gitea (#4189)
  * Add push webhook support for mirrored repositories (#4127)
  * Add csv file render support defaultly (#4105)
  * Add Recaptcha functionality to Gitea (#4044)
* BUGFIXES
  * Fix release creation via API (#5076)
  * Remove links from topics in edit mode  (#5026)
  * Fix missing AppSubUrl in few more templates (fixup) (#5021)
  * Fix missing AppSubUrl in some templates (#5020)
  * Hide outdated comments in file view (#5017)
  * Upgrade gopkg.in/testfixtures.v2 (#4999)
  * Disable debug routes unless PPROF is enabled in configuration (#4995)
  * Fix user menu item styling (#4985)
  * Fix layout of the topics editing form (#4971)
  * Fix null pointer dereference in ParseCommitWithSignature (#4962)
  * Fix url in discord webhook (#4953)
  * Detect charset and convert non UTF-8 files for display (#4950)
  * Make sure to catch the right error so it is displayed on the UI (#4945)
  * Fix(topics): don't redirect to explore page. (#4938)
  * Fix bug forget to remove Stopwatch when remove repository (#4928)
  * Fix bug when repo remained bare if multiple branches pushed in single push (#4923)
  * Fix: Let's Encrypt configuration settings (#4911)
  * Fix: Crippled diff (#4726) (#4900)
  * Fix trimming of markup section names (#4863)
  * Issues api allow pulls and fix #4832 (#4852)
  * Do not autocreate directory for new users/orgs (#4828) (#4849)
  * Fix redirect with non-ascii branch names (#4764) (#4810)
  * Fix missing release title in webhook (#4783) (#4796)
  * User shouldn't be able to approve or reject his/her own PR (#4729)
  * Make sure to reset commit count in the cache on mirror syncing (#4720)
  * Fixed bug where team with admin privelege type doesn't get any unit  (#4719)
  * Fix incorrect caption of webhook setting (#4701) (#4717)
  * Allow WIP marker to contains < or > (#4709)
  * Hide org/create menu item in Dashboard if user has no rights (#4678) (#4680)
  * Site admin could create repos even MAX_CREATION_LIMIT=0 (#4645)
  * Fix custom templates being ignored (#4638)
  * Fix starring icon after semantic ui update (#4628)
  * Fix Split-View line adjustment (#4622)
  * Fix integer constant overflows in tests (#4616)
  * Push whitelist now doesn't apply to branch deletion (#4601) (#4607)
  * Fix bugs when too many IN variables (#4594)
  * Fix failure on creating pull request with assignees (#4419) (#4583)
  * Fix panic issue on update avatar email (#4580) (#4581)
  * Fix status code label for a successful webhook (#4540)
  * An inactive user shouldn't be able to be added as a collaborator (#4535)
  * Don't fail silently if trying to add a collaborator twice (#4533)
  * Fix incorrect MergeWhitelistTeamIDs check in CanUserMerge function (#4519) (#4525)
  * Fix out-of-transaction query in removeOrgUser (#4521) (#4522)
  * Fix migration from older releases (#4495)
  * Accept 'Data:' in commit graph (#4487)
  * Update xorm to latest version and fix correct `user` table referencing in sql (#4473)
  * Relative URLs for LibreJS page (#4460)
  * Redirect to correct page after using scratch token (#4458)
  * Fix column droping for MSSQL that need new transaction for that (#4440)
  * Replace src with raw to fix image paths (#4377)
  * Add default merge options when creating new repository (#4369)
  * Fix docker build (#4358)
  * Fixes repo membership check in API (#4341)
  * Dep upgrade mysql lib (#4161)
  * Fix some issues with special chars in branch names (#3767)
  * Responsive design fixes (#4508)
* ENHANCEMENT
  * Fix milestones sorted wrongly (#4987)
  * Allow api to create tags for releases if they don't exist (#4890)
  * Fix #4877 to follow the OpenID Connect Audiences spec (#4878)
  * Enforce token on api routes [fixed critical security issue #4357] (#4840)
  * Update legacy branch and tag URLs in dashboard to new format (#4812)
  * Slack webhook channel name cannot be empty or just contain an hashtag (#4786)
  * Add whitespace handling to PR-comparsion (#4683)
  * Make reverse proxy auth optional (#4643)
  * MySQL TLS (#4642)
  * Make sure to set PR split view when creating/previewing a pull request  (#4617)
  * Log user in after a successful sign up (#4615)
  * Fix typo IsPullReuqestBroken -> IsPullRequestBroken (#4578)
  * Allow admin toggle forcing a password change for newly created users (#4563)
  * Update jQuery to v1.12.4 (#4551)
  * Env var GITEA_PUSHER_EMAIL (#4516)
  * Feat(repo): support search repository by topic name (#4505)
  * Small improvements to dependency UI (#4503)
  * Make max commits in graph configurable (#4498)
  * Add valid for lfs oid (#4461)
  * Add shortcut to save wiki page (#4452)
  * Allow administrator to create repository for any organization (#4368)
  * Fix repository last updated time update when delete a user who watched the repo (#4363)
  * Switch plaintext scratch tokens to use hash instead (#4331)
  * Increase default TOTP secret size to 320 bits (#4287)
  * Keep preseeded database password (#4284)
  * Implemented hover text showing user FullName (#4261)
  * Add ability to delete a token (#4235)
  * Fix typos in i18n variable names. (#4080)
  * Api: repos/search: add parameters to control the sort order (#3964)
  * Add missing path in the Docker app.ini template (#2181)
  * Add file name and branch to page title (#4902)
  * Offline use of google fonts (#4872)
  * Add missing History link to directory listings v2 (#4829)
  * Locale for Edit and Remove due date issue (#4802)
  * Disable 'May Import Local Repository' when is disabled by setting (Is… (#4780)
  * API /admin/users/{username} missing parameter (#4775)
  * Display error when adding a user to a team twice (#4746)
  * Remove UsePrivilegeSeparation from the Docker sshd_config, see #2876 (#4722)
  * Focus title input when clicking helper link (#4696)
  * Add vendor to user reserved words and format words list according alphabet (#4685)
  * Add gitea/issues link to 500 page (#4654)
  * Hide home button when landing page is not set to home (#4651)
  * Remove link to GitHub issues in 404 template (#4639)
  * Cmd/serve: pprof cpu and memory profile dumps to disk (#4560)
  * Add flash message after an account has been successfully activated (#4510)
  * Prevent html entity escaping on delete branch (#4471)
  * Locale for button Edit on protected branch (#4442)
  * Update notification icon (#4343)
  * Added front-end topics validation (#4316)
  * Don't display buttons if there are no system notifications (#4280)
  * Issue due date api (#3890)
* SECURITY
  * Improve URL validation for external wiki  and external issues (#4710)
  * Make cookies HttpOnly and obey COOKIE_SECURE flag (#4706)
  * Don't disclose emails of all users when sending out emails (#4664)
  * Check that repositories can only be migrated to own user or organizations (#4366)
* TRANSLATION
  * Fix punctuation in English translation (#4958)
  * Fix translation (#4355)

* BREAKING
  * Respect email privacy option in user search via API (#4512)
  * Simply remove tidb and deps (#3993)
  * Swagger.v1.json template (#3572)
* FEATURE
  * Pull request review/approval and comment on code (#3748)
  * Added dependencies for issues (#2196) (#2531)
  * Add the ability to have built in themes in Gitea and provide dark theme arc-green (#4198)
  * Add sudo functionality to the API (#4809)
  * Add oauth providers via cli (#4591)
  * Disable merging a WIP Pull request (#4529)
  * Force user to change password (#4489)
  * Add letsencrypt to Gitea (#4189)
  * Add push webhook support for mirrored repositories (#4127)
  * Add csv file render support defaultly (#4105)
  * Add Recaptcha functionality to Gitea (#4044)
* BUGFIXES
  * Fix release creation via API (#5076)
  * Remove links from topics in edit mode  (#5026)
  * Fix missing AppSubUrl in few more templates (fixup) (#5021)
  * Fix missing AppSubUrl in some templates (#5020)
  * Hide outdated comments in file view (#5017)
  * Upgrade gopkg.in/testfixtures.v2 (#4999)
  * Disable debug routes unless PPROF is enabled in configuration (#4995)
  * Fix user menu item styling (#4985)
  * Fix layout of the topics editing form (#4971)
  * Fix null pointer dereference in ParseCommitWithSignature (#4962)
  * Fix url in discord webhook (#4953)
  * Detect charset and convert non UTF-8 files for display (#4950)
  * Make sure to catch the right error so it is displayed on the UI (#4945)
  * Fix(topics): don't redirect to explore page. (#4938)
  * Fix bug forget to remove Stopwatch when remove repository (#4928)
  * Fix bug when repo remained bare if multiple branches pushed in single push (#4923)
  * Fix: Let's Encrypt configuration settings (#4911)
  * Fix: Crippled diff (#4726) (#4900)
  * Fix trimming of markup section names (#4863)
  * Issues api allow pulls and fix #4832 (#4852)
  * Do not autocreate directory for new users/orgs (#4828) (#4849)
  * Fix redirect with non-ascii branch names (#4764) (#4810)
  * Fix missing release title in webhook (#4783) (#4796)
  * User shouldn't be able to approve or reject his/her own PR (#4729)
  * Make sure to reset commit count in the cache on mirror syncing (#4720)
  * Fixed bug where team with admin privelege type doesn't get any unit  (#4719)
  * Fix incorrect caption of webhook setting (#4701) (#4717)
  * Allow WIP marker to contains < or > (#4709)
  * Hide org/create menu item in Dashboard if user has no rights (#4678) (#4680)
  * Site admin could create repos even MAX_CREATION_LIMIT=0 (#4645)
  * Fix custom templates being ignored (#4638)
  * Fix starring icon after semantic ui update (#4628)
  * Fix Split-View line adjustment (#4622)
  * Fix integer constant overflows in tests (#4616)
  * Push whitelist now doesn't apply to branch deletion (#4601) (#4607)
  * Fix bugs when too many IN variables (#4594)
  * Fix failure on creating pull request with assignees (#4419) (#4583)
  * Fix panic issue on update avatar email (#4580) (#4581)
  * Fix status code label for a successful webhook (#4540)
  * An inactive user shouldn't be able to be added as a collaborator (#4535)
  * Don't fail silently if trying to add a collaborator twice (#4533)
  * Fix incorrect MergeWhitelistTeamIDs check in CanUserMerge function (#4519) (#4525)
  * Fix out-of-transaction query in removeOrgUser (#4521) (#4522)
  * Fix migration from older releases (#4495)
  * Accept 'Data:' in commit graph (#4487)
  * Update xorm to latest version and fix correct `user` table referencing in sql (#4473)
  * Relative URLs for LibreJS page (#4460)
  * Redirect to correct page after using scratch token (#4458)
  * Fix column droping for MSSQL that need new transaction for that (#4440)
  * Replace src with raw to fix image paths (#4377)
  * Add default merge options when creating new repository (#4369)
  * Fix docker build (#4358)
  * Fixes repo membership check in API (#4341)
  * Dep upgrade mysql lib (#4161)
  * Fix some issues with special chars in branch names (#3767)
  * Responsive design fixes (#4508)
* ENHANCEMENT
  * Fix milestones sorted wrongly (#4987)
  * Allow api to create tags for releases if they don't exist (#4890)
  * Fix #4877 to follow the OpenID Connect Audiences spec (#4878)
  * Enforce token on api routes [fixed critical security issue #4357] (#4840)
  * Update legacy branch and tag URLs in dashboard to new format (#4812)
  * Slack webhook channel name cannot be empty or just contain an hashtag (#4786)
  * Add whitespace handling to PR-comparsion (#4683)
  * Make reverse proxy auth optional (#4643)
  * MySQL TLS (#4642)
  * Make sure to set PR split view when creating/previewing a pull request  (#4617)
  * Log user in after a successful sign up (#4615)
  * Fix typo IsPullReuqestBroken -> IsPullRequestBroken (#4578)
  * Allow admin toggle forcing a password change for newly created users (#4563)
  * Update jQuery to v1.12.4 (#4551)
  * Env var GITEA_PUSHER_EMAIL (#4516)
  * Feat(repo): support search repository by topic name (#4505)
  * Small improvements to dependency UI (#4503)
  * Make max commits in graph configurable (#4498)
  * Add valid for lfs oid (#4461)
  * Add shortcut to save wiki page (#4452)
  * Allow administrator to create repository for any organization (#4368)
  * Fix repository last updated time update when delete a user who watched the repo (#4363)
  * Switch plaintext scratch tokens to use hash instead (#4331)
  * Increase default TOTP secret size to 320 bits (#4287)
  * Keep preseeded database password (#4284)
  * Implemented hover text showing user FullName (#4261)
  * Add ability to delete a token (#4235)
  * Fix typos in i18n variable names. (#4080)
  * Api: repos/search: add parameters to control the sort order (#3964)
  * Add missing path in the Docker app.ini template (#2181)
  * Add file name and branch to page title (#4902)
  * Offline use of google fonts (#4872)
  * Add missing History link to directory listings v2 (#4829)
  * Locale for Edit and Remove due date issue (#4802)
  * Disable 'May Import Local Repository' when is disabled by setting (Is… (#4780)
  * API /admin/users/{username} missing parameter (#4775)
  * Display error when adding a user to a team twice (#4746)
  * Remove UsePrivilegeSeparation from the Docker sshd_config, see #2876 (#4722)
  * Focus title input when clicking helper link (#4696)
  * Add vendor to user reserved words and format words list according alphabet (#4685)
  * Add gitea/issues link to 500 page (#4654)
  * Hide home button when landing page is not set to home (#4651)
  * Remove link to GitHub issues in 404 template (#4639)
  * Cmd/serve: pprof cpu and memory profile dumps to disk (#4560)
  * Add flash message after an account has been successfully activated (#4510)
  * Prevent html entity escaping on delete branch (#4471)
  * Locale for button Edit on protected branch (#4442)
  * Update notification icon (#4343)
  * Added front-end topics validation (#4316)
  * Don't display buttons if there are no system notifications (#4280)
  * Issue due date api (#3890)
* SECURITY
  * Improve URL validation for external wiki  and external issues (#4710)
  * Make cookies HttpOnly and obey COOKIE_SECURE flag (#4706)
  * Don't disclose emails of all users when sending out emails (#4664)
  * Check that repositories can only be migrated to own user or organizations (#4366)
* TRANSLATION
  * Fix punctuation in English translation (#4958)
  * Fix translation (#4355)

* SECURITY
  * Enforce token on api routes (#4840) (#4905)
* BUGFIXES
  * Remove links from topics in edit mode (#5030)
  * Detect charset and convert non UTF-8 files for display (#4950) (#4994)
  * Fix layout of the topics editing form (#4971) (#4993)
  * Fix null pointer dereference in ParseCommitWithSignature (#4964)
  * Fix url in discord webhook (#4951)
  * Fix font-cropping UI bug in diff (#4726) (#4929)
  * Fix bug forget to remove Stopwatch when remove repository (#4933)
  * Fix bug when repo remained bare if multiple branches pushed (#4927)
  * Fix redirect with non-ascii branch names (#4764) (#4887)
  * Fix issues api allow pulls (#4852) (#4862)
  * Fix trimming of markup section names (#4864)

* SECURITY
  * Don't disclose emails of all users when sending out emails (#4784)
  * Improve URL validation for external wiki and external issues (#4710) (#4740)
  * Make cookies HttpOnly and obey COOKIE_SECURE flag (#4706) (#4707)
* BUGFIXES
  * Fix missing release title in webhook (#4783) (#4800)
  * Make sure to reset commit count in the cache on mirror syncing (#4770)
  * Fixed bug where team with admin privelege type doesn't get any unit (#4759)
  * Fix failure on creating pull request with assignees (#4583) (#4727)
  * Hide org/create menu item in Dashboard if user has no rights (#4678) (#4686)
* TRANSLATION
  * Fix incorrect caption of webhook setting (#4701) (#4718)

* SECURITY
  * Check that repositories can only be migrated to own user or organizations (#4366) (#4370)
  * Limit uploaded avatar image-size to 4096px x 3072px by default (#4353)
  * Do not allow to reuse TOTP passcode (#3878)
* BUGFIXES
  * Fix column droping for MSSQL that need new transaction for that (#4440) (#4484)
  * Redirect to correct page after using scratch token (#4458) (#4472)
  * Replace src with raw to fix image paths (#4377) (#4386)
  * Fixes repo membership check in API (#4341) (#4379)
  * Add default merge options when adding new repository (#4369) (#4373)
  * Fix repository last updated time update when delete a user who watched the repo (#4363) (#4371)
  * Fix html entity escaping in branch deletion message (#4471) (#4485)
  * Fix out-of-transaction query in removeOrgUser (#4521) (#4524)
  * Fix incorrect MergeWhitelistTeamIDs check in CanUserMerge function (#4519)
  * Fix panic issue on update avatar email (#4580) (#4590)
  * Fix bugs when too many IN variables (#4594) (#4597)
  * Push whitelist now doesn't apply to branch deletion (#4601) (#4640)
  * Site admin could create repos even MAX_CREATION_LIMIT=0 (#4645) (#4650)
* FEATURE
  * Add cli commands to regen hooks & keys (#3979)
  * Add support for FIDO U2F (#3971)
  * Added user language setting (#3875)
  * LDAP Public SSH Keys synchronization (#1844)
  * Add topic support (#3711)
  * Multiple assignees (#3705)
  * Add protected branch whitelists for merging (#3689)
  * Global code search support (#3664)
  * Add label descriptions (#3662)
  * Add issue search via API (#3612)
  * Add repository setting to enable/disable health checks (#3607)
  * Emoji Autocomplete (#3433)
  * Implements generator cli for secrets (#3531)
* ENHANCEMENT
  * Add more webhooks support and refactor webhook templates directory (#3929)
  * Add new option to allow only OAuth2/OpenID user registration (#3910)
  * Add option to use paged LDAP search when synchronizing users (#3895)
  * Symlink icons (#1416)
  * Improve release page UI (#3693)
  * Add admin dashboard option to run health checks (#3606)
  * Add branch link in branch list (#3576)
  * Reduce sql query times in retrieveFeeds (#3547)
  * Option to enable or disable swagger endpoints (#3502)
  * Add missing licenses (#3497)
  * Reduce repo indexer disk usage (#3452)
  * Enable caching on assets and avatars (#3376)
  * Add repository search ordered by stars/forks. Forks column in admin repo list (#3969)
  * Add Environment Variables to Docker template (#4012)
  * LFS: make HTTP auth period configurable (#4035)
  * Add config path as an optionial flag when changing pass via CLI (#4184)
  * Refactor User Settings sections (#3900)
  * Allow square brackets in external issue patterns (#3408)
  * Add Attachment API (#3478)
  * Add EnableTimetracking option to app settings (#3719)
  * Add config option to enable or disable log executed SQL (#3726)
  * Shows total tracked time in issue and milestone list (#3341)
* TRANSLATION
  * Improve English grammar and consistency (#3614)
* DEPLOYMENT
  * Allow Gitea to run as different USER in Docker (#3961)
  * Provide compressed release binaries (#3991)
  * Sign release binaries (#4188)

* SECURITY
  * Check that repositories can only be migrated to own user or organizations (#4366) (#4370)
* BUGFIXES
  * Fix column droping for MSSQL that need new transaction for that (#4440) (#4484)
  * Redirect to correct page after using scratch token (#4458) (#4472)
  * Replace src with raw to fix image paths (#4377) (#4386)
  * Fixes repo membership check in API (#4341) (#4379)
  * Add default merge options when adding new repository (#4369) (#4373)
  * Fix repository last updated time update when delete a user who watched the repo (#4363) (#4371)
  * Fix html entity escaping in branch deletion message (#4471) (#4485)

* SECURITY
  * Limit uploaded avatar image-size to 4096x3072 by default (#4353)
  * Do not allow to reuse TOTP passcode (#3878)
* FEATURE
  * Add cli commands to regen hooks & keys (#3979)
  * Add support for FIDO U2F (#3971)
  * Added user language setting (#3875)
  * LDAP Public SSH Keys synchronization (#1844)
  * Add topic support (#3711)
  * Multiple assignees (#3705)
  * Add protected branch whitelists for merging (#3689)
  * Global code search support (#3664)
  * Add label descriptions (#3662)
  * Add issue search via API (#3612)
  * Add repository setting to enable/disable health checks (#3607)
  * Emoji Autocomplete (#3433)
  * Implements generator cli for secrets (#3531)
* ENHANCEMENT
  * Add more webhooks support and refactor webhook templates directory (#3929)
  * Add new option to allow only OAuth2/OpenID user registration (#3910)
  * Add option to use paged LDAP search when synchronizing users (#3895)
  * Symlink icons (#1416)
  * Improve release page UI (#3693)
  * Add admin dashboard option to run health checks (#3606)
  * Add branch link in branch list (#3576)
  * Reduce sql query times in retrieveFeeds (#3547)
  * Option to enable or disable swagger endpoints (#3502)
  * Add missing licenses (#3497)
  * Reduce repo indexer disk usage (#3452)
  * Enable caching on assets and avatars (#3376)
  * Add repository search ordered by stars/forks. Forks column in admin repo list (#3969)
  * Add Environment Variables to Docker template (#4012)
  * LFS: make HTTP auth period configurable (#4035)
  * Add config path as an optionial flag when changing pass via CLI (#4184)
  * Refactor User Settings sections (#3900)
  * Allow square brackets in external issue patterns (#3408)
  * Add Attachment API (#3478)
  * Add EnableTimetracking option to app settings (#3719)
  * Add config option to enable or disable log executed SQL (#3726)
  * Shows total tracked time in issue and milestone list (#3341)
* TRANSLATION
  * Improve English grammar and consistency (#3614)
* DEPLOYMENT
  * Allow Gitea to run as different USER in Docker (#3961)
  * Provide compressed release binaries (#3991)
  * Sign release binaries (#4188)

* SECURITY
  * Limit uploaded avatar image-size to 4096x3072 by default (#4353)
  * Do not allow to reuse TOTP passcode (#3878)
* FEATURE
  * Add cli commands to regen hooks & keys (#3979)
  * Add support for FIDO U2F (#3971)
  * Added user language setting (#3875)
  * LDAP Public SSH Keys synchronization (#1844)
  * Add topic support (#3711)
  * Multiple assignees (#3705)
  * Add protected branch whitelists for merging (#3689)
  * Global code search support (#3664)
  * Add label descriptions (#3662)
  * Add issue search via API (#3612)
  * Add repository setting to enable/disable health checks (#3607)
  * Emoji Autocomplete (#3433)
  * Implements generator cli for secrets (#3531)
* ENHANCEMENT
  * Add more webhooks support and refactor webhook templates directory (#3929)
  * Add new option to allow only OAuth2/OpenID user registration (#3910)
  * Add option to use paged LDAP search when synchronizing users (#3895)
  * Symlink icons (#1416)
  * Improve release page UI (#3693)
  * Add admin dashboard option to run health checks (#3606)
  * Add branch link in branch list (#3576)
  * Reduce sql query times in retrieveFeeds (#3547)
  * Option to enable or disable swagger endpoints (#3502)
  * Add missing licenses (#3497)
  * Reduce repo indexer disk usage (#3452)
  * Enable caching on assets and avatars (#3376)
  * Add repository search ordered by stars/forks. Forks column in admin repo list (#3969)
  * Add Environment Variables to Docker template (#4012)
  * LFS: make HTTP auth period configurable (#4035)
  * Add config path as an optionial flag when changing pass via CLI (#4184)
  * Refactor User Settings sections (#3900)
  * Allow square brackets in external issue patterns (#3408)
  * Add Attachment API (#3478)
  * Add EnableTimetracking option to app settings (#3719)
  * Add config option to enable or disable log executed SQL (#3726)
  * Shows total tracked time in issue and milestone list (#3341)
* TRANSLATION
  * Improve English grammar and consistency (#3614)
* DEPLOYMENT
  * Allow Gitea to run as different USER in Docker (#3961)
  * Provide compressed release binaries (#3991)
  * Sign release binaries (#4188)

* SECURITY
  * HTML-escape plain-text READMEs (#4192) (#4214)
  * Fix open redirect vulnerability on login screen (#4312) (#4312)
* BUGFIXES
  * Fix broken monitoring page when running processes are shown (#4203) (#4208)
  * Fix delete comment bug (#4216) (#4228)
  * Delete reactions added to issues and comments when deleting repository (#4232) (#4237)
  * Fix wiki URL encoding bug (#4091) (#4254)
  * Fix code tab link when viewing tags (#3908) (#4263)
  * Fix webhook type conflation (#4285) (#4285)

* BUGFIXES
  * Adjust z-index for floating labels (#3939) (#3950)
  * Add missing token validation on application settings page (#3976) #3978
  * Webhook and hook_task clean up (#4006)
  * Fix webhook bug of response info is not displayed in UI (#4023)
  * Fix writer cannot read bare repo guide (#4033) (#4039)
  * Don't force due date to current time (#3830) (#4057)
  * Fix wiki redirects (#3919) (#4065)
  * Fix attachment ENABLED (#4064) (#4066)
  * Added deletion of an empty line at the end of file (#4054) (#4074)
  * Use ResolveReference instead of path.Join (#4073)
  * Fix #4081 Check for leading / in base before removing it (#4083)
  * Respository's home page not updated after first push (#4075)

* BREAKING
  * Add "error" as reserved username (#3882) (#3886)
* SECURITY
  * Do not allow inactive users to access repositories using private key (#3887) (#3889)
  * Fix path cleanup in file editor, when initilizing new repository and LFS oids  (#3871) (#3873)
  * Remove unnecessary allowed safe HTML (#3778) (#3779)
  * Correctly check http git access rights for reverse proxy authorized users (#3721) (#3743)
* BUGFIXES
  * Fix to use only needed columns from tables to get repository git paths (#3870) (#3883)
  * Fix GPG expire time display when time is zero (#3584) (#3884)
  * Fix to update only issue last update time when adding a comment (#3855) (#3860)
  * Fix repository star count after deleting user (#3781) (#3783)
  * Use the active branch for the code tab (#3720) (#3776)
  * Set default branch name on first push (#3715) (#3723)
  * Show clipboard button if disable HTTP of git protocol (#3773) (#3774)

* BREAKING
  * Drop deprecated GOGS\_WORK\_DIR use (#2946)
  * Fix API status code for hook creation (#2814)
* SECURITY
  * Escape branch name in dropdown menu (#3691) (#3692)
  * Refactor and simplify to correctly validate redirect to URL (#3674) (#3676)
  * Fix escaping changed title in comments (#3530) (#3534)
  * Escape search query (#3486) (#3488)
  * Sanitize logs for mirror sync (#3057)
* FEATURE
  * Serve .patch and .diff for pull requests (#3305, #3293)
  * Add repo-sync-releases admin command (#3254)
  * Support default private when creating or migrating repository (#3239)
  * Writable deploy keys (closes #671) (#3225)
  * Add Pull Request merge options - Ignore white-space for conflict checking, Rebase, Squash merge (#3188)
  * Added progressbar for issues with checkboxes (#1146). (#3171)
  * Mention completion for issue editor. (#3136)
  * Add 'mark all read' option to notifications (#3097)
  * Git LFS lock api (#2938)
  * Add reactions to issues/PR and comments (#2856)
  * Add dingtalk webhook  (#2777)
  * Responsive view (#2750)
* BUGFIXES
  * Fix wiki inter-links with spaces (#3560) (#3632)
  * Fix query protected branch bug (#3563) (#3571)
  * Fix remove team member issue (#3566) (#3570)
  * Fix the protected branch panic issue (#3567) (#3569)
  * If Mirrors repository no content is fetched, updated time should not be changed (#3551) (#3565)
  * Bug fix for mirrored repository releases sorted (#3522) (#3555)
  * Add issue closed time column to fix activity closed issues list (#3537) (#3540)
  * Update markbates/goth library to support OAuth2 with new dropbox API (#3533) (#3539)
  * Fixes missing avatars in offline mode (#3471) (#3477)
  * Fix synchronization bug in repo indexer (#3455) (#3461)
  * Fix rendering of wiki page list if wiki repo contains other files (#3454) (#3463)
  * Fix webhook X-GitHub-* headers casing for better compatibility (#3429)
  * Add content type and doctype to requests made with go-get (#3426, #3423)
  * Fix SQL type error for webhooks (#3424)
  * Fix PR merge error (#3421)
  * Recognize more characters in crossreferenced repo name (#3413)
  * Fix MSSQL bug on org (#3405)
  * HTML escape all lines of the search result (#3402)
  * Change local copy origin url after repository rename (#3399)
  * Force-push to base repo's ref/pull/#/head (#3393)
  * Fix bug when a user delete but assigned on issue (#3318)
  * Use issue number/index instead of id for API URL. Fix #3297 (#3298)
  * Fix repo-transfer-and-team-repo-count bug (#3241)
  * Fix always-on SSL Mode checkbox in admin page (#3208)
  * Fix source download link when no code unit allowed (#3166)
  * Fix org owner cannot be removed if he is not in owner team (#3164)
  * Fix run web with -p push failed (#3154)
  * Fix gpg tmpl (#3153)
  * Fix SSH auth lfs locks (#3152)
  * Improvements for supporting UI Location (#3146)
  * Fix new pull request link (#3133)
  * Fix missing branch in release bug (#3108)
  * Allow adding collaborators with (fullname) (#3103)
  * Fix repo links (#3093)
  * fix lfs url refs + keep path upper/lowercase in db. (#3092)
  * Fix redis session failed (#3086)
  * Fix bugs in issue dashboard stats (#3073)
  * Fix avatar URLs (#3069)
  * Fix ref parsing in commit messages (#3067)
  * Fix issue list branch link broken (#3061)
  * sendmail: correct option to set envelope-sender (#3044)
  * Fix missing password length check when change password (#3039)
  * Fix git lfs path (#3016)
  * Fix API-Endpoint release (#3005) (#3012)
  * Set OpenID support on by default when installing new instance (#3010)
  * Various wiki bug fixes (#2996)
  * Fix go-get, src and raw urls to new scheme (#2978)
  * Fix error when add user has full name to team (#2973)
  * Fix memcache support when value is returned as string always (#2924)
* ENHANCEMENT
  * Use GiteaServer as the user agent for http requests (#3404)
  * Delete indexer DB entries when (re)creating index (#3385)
  * Change how merged PR commit info are prepared (#3368)
  * Asynchronously populate the repo indexer (#3366)
  * Make the default action for the gitea executable that of running the webserver (#3331)
  * Templates for extra links in top navbar and repo tool tabs. (#3308)
  * Fixed asterisk based tasklist items #3295 (#3296)
  * Add more additional template snippets (#3286)
  * Open external tracker in blank window, consistently with wiki (#3227)
  * Fix repo links on user profile (#3197)
  * Enable emoji for wiki view (#3158)
  * Small improve on deleting attachements (#3145)
  * Reduce overhead of upgrades for users with custom stylesheets/JS (#3051)
  * Default log level to Info without hardcoding it in installer (#3041)
  * Memory usage improvements (#3013)
  * Add fingerprint to ssh key endpoints. (#3009)
  * Improve memory usage when reaching diff limits (#2990)
  * Expandable commit bodies (#2980)
  * Update gitgraph.js to fix blurry commit graph on HiDPI screens (#2957)
  * Fix language names (#2955)
  * Remove render issue link (#2954)
  * Page parameter for repo search API (#2915)
  * Apply LANDING\_PAGE config options for logged in users (#2894)
  * Enable admin to search by email (#2888)
  * Hide add key button if SSH is disabled (#2873)
  * Fix comment API paths (#2813)
  * Add an option to allow redirect of http port 80 to https. (#1928)
* MISC
  * Fix organization profile on mobile devices (#3332)
  * Fix guide link for webhooks in repository settings (#3291) (#3292)
  * Enable Libravatar by default in new installations (#3287)
  * Improve suppressed diff boxes (#3193)
  * fix button heights on commits page (#3091)
  * Minor copy changes (#3074)
  * Sort repos in issues dashboard sidebar (#3072)
  * Remove box-shadow from UI, fix dashboard issue (#3065)
  * Adjust branch button size (#3063)
  * Fix misalignment issue in repo header (#3062)
  * Delete a user's public key via admin api (closes #3014) (#3059)
  * Dashboard: Fix line height problem in issue titles (#3054)
  * Remove duplicate "Max Diff Lines" from config view (#2987)
  * Drop unmaintained gogs migration script (#2947)
  * App restarts to quickly if it fails to start. (#2945)
  * Add owner to delete repo message (#2886)

* SECURITY
  * Refactor and simplify to correctly validate redirect to URL (#3674) (#3676)
* BUGFIXES
  * Update markbates/goth library to fix OAuth2 support (#3661) (#3663)
  * Fix column removal in MSSQL (#3638) (#3640)
  * Fix wiki inter-links with spaces (#3560) (#3632)

* SECURITY
  * Fix escaping changed title in comments (#3530) (#3534)
  * Escape search query (#3486) (#3488)
* BUGFIXES
  * Fix query protected branch bug (#3563) (#3571)
  * Fix remove team member issue (#3566) (#3570)
  * Fix the protected branch panic issue (#3567) (#3569)
  * If Mirrors repository no content is fetched, updated time should not be changed (#3551) (#3565)
  * Bug fix for mirrored repository releases sorted (#3522) (#3555)
  * Add issue closed time column to fix activity closed issues list (#3537) (#3540)
  * Update markbates/goth library to support OAuth2 with new dropbox API (#3533) (#3539)
  * Fixes missing avatars in offline mode (#3471) (#3477)
  * Fix synchronization bug in repo indexer (#3455) (#3461)
  * Fix rendering of wiki page list if wiki repo contains other files (#3454) (#3463)

* SECURITY
  * Fix escaping changed title in comments (#3530) (#3535)
  * Escape search query display (#3486) (#3489)
* BUGFIXES
  * Fix repo-transfer-and-team-repo-count bug (#3241) (#3244)
  * Open external tracker in blank window, consistently with wiki (#3227) (#3228)
  * Change SSL Mode from checkbox to string in admin page (#3208) (#3211)