Merge remote-tracking branch 'upstream/pull/7080'

Merge remote-tracking branch 'upstream/pull/7077'

Change banner hide method

chore: updated sotm africa conference banner

Merge remote-tracking branch 'upstream/pull/7074'

Merge pull request #7062 from tyrasd/history-geolink

sync location hash on the "History" link in header navigation

sync location hash on the "History" link in header navigation

fixes https://github.com/openstreetmap/iD/issues/12287

Generalize color scheme evaluating logic

Merge remote-tracking branch 'upstream/pull/7073'

update iD to v2.40.0

Merge remote-tracking branch 'upstream/pull/7071'

Merge remote-tracking branch 'upstream/pull/7072'

Localisation updates from https://translatewiki.net.

Remove pessimistic version constraints

We were ignoring them in dependabot so they aren't really necessary.

We can add constraints when we run into specific problems, but otherwise
we should be optimistic that, for the vast majority of cases, the new version
of a gem will either work fine as-is or will be flagged up by CI.

Remove explicit mini_racer dependency

This was originally added to constrain the transitive dependency (via rtlcss)
but the associated bug is now fixed and the version constraint was automatically
changed by dependabot anyway.

Merge remote-tracking branch 'upstream/pull/7070'

Remove minimum version constraints from Gemfile

It's very unlikely that a `bundle update` will:

* lead a version downgrade
* ... and that version falls below the nominal minimum version
* ... and that version causes a breakage
* ... and that breakage is not picked up by CI

It's therefore better for legibility and clarity of other constraints
if we remove the ones that aren't necessary.

Skip big-pr check for translatewiki

These are often large, for example when we add more strings or when
a new language crosses the inclusion threshold.

Merge remote-tracking branch 'upstream/pull/7069'

Merge remote-tracking branch 'upstream/pull/7068'

Bump aws-sdk-s3 from 1.220.0 to 1.221.0 in the dependencies group

Bumps the dependencies group with 1 update: [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby).

Updates `aws-sdk-s3` from 1.220.0 to 1.221.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

---
updated-dependencies:
- dependency-name: aws-sdk-s3
  dependency-version: 1.221.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump the dependencies group with 2 updates

Bumps the dependencies group with 2 updates: [leaflet.locatecontrol](https://github.com/domoritz/leaflet-locatecontrol) and [tag2link](https://github.com/JOSM/tag2link).

Updates `leaflet.locatecontrol` from 0.89.1 to 0.90.0
- [Changelog](https://github.com/domoritz/leaflet-locatecontrol/blob/gh-pages/CHANGELOG.md)
- [Commits](https://github.com/domoritz/leaflet-locatecontrol/compare/v0.89.1...v0.90.0)

Updates `tag2link` from 2026.3.21 to 2026.5.6
- [Release notes](https://github.com/JOSM/tag2link/releases)
- [Commits](https://github.com/JOSM/tag2link/compare/2026.3.21...2026.5.6)

---
updated-dependencies:
- dependency-name: leaflet.locatecontrol
  dependency-version: 0.90.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: tag2link
  dependency-version: 2026.5.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge remote-tracking branch 'upstream/pull/7066'

Merge remote-tracking branch 'upstream/pull/7065'

Merge remote-tracking branch 'upstream/pull/7064'

Bump the dependencies group with 3 updates

Bumps the dependencies group with 3 updates: [bootsnap](https://github.com/rails/bootsnap), [bootstrap_form](https://github.com/bootstrap-ruby/bootstrap_form) and [minitest](https://github.com/minitest/minitest).

Updates `bootsnap` from 1.24.1 to 1.24.3
- [Release notes](https://github.com/rails/bootsnap/releases)
- [Changelog](https://github.com/rails/bootsnap/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rails/bootsnap/compare/v1.24.1...v1.24.3)

Updates `bootstrap_form` from 5.6.0 to 5.6.1
- [Release notes](https://github.com/bootstrap-ruby/bootstrap_form/releases)
- [Changelog](https://github.com/bootstrap-ruby/bootstrap_form/blob/main/CHANGELOG.md)
- [Commits](https://github.com/bootstrap-ruby/bootstrap_form/compare/v5.6.0...v5.6.1)

Updates `minitest` from 6.0.5 to 6.0.6
- [Changelog](https://github.com/minitest/minitest/blob/master/History.rdoc)
- [Commits](https://github.com/minitest/minitest/compare/v6.0.5...v6.0.6)

---
updated-dependencies:
- dependency-name: bootsnap
  dependency-version: 1.24.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: bootstrap_form
  dependency-version: 5.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: minitest
  dependency-version: 6.0.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump the dependencies group with 3 updates

Bumps the dependencies group with 3 updates: [leaflet.locatecontrol](https://github.com/domoritz/leaflet-locatecontrol), [eslint](https://github.com/eslint/eslint) and [globals](https://github.com/sindresorhus/globals).

Updates `leaflet.locatecontrol` from 0.89.0 to 0.89.1
- [Changelog](https://github.com/domoritz/leaflet-locatecontrol/blob/gh-pages/CHANGELOG.md)
- [Commits](https://github.com/domoritz/leaflet-locatecontrol/compare/v0.89.0...v0.89.1)

Updates `eslint` from 10.2.1 to 10.3.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/compare/v10.2.1...v10.3.0)

Updates `globals` from 17.5.0 to 17.6.0
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](https://github.com/sindresorhus/globals/compare/v17.5.0...v17.6.0)

---
updated-dependencies:
- dependency-name: leaflet.locatecontrol
  dependency-version: 0.89.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: eslint
  dependency-version: 10.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: globals
  dependency-version: 17.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump rubocop-capybara from 2.22.1 to 2.23.0 in the rubocop group

Bumps the rubocop group with 1 update: [rubocop-capybara](https://github.com/rubocop/rubocop-capybara).

Updates `rubocop-capybara` from 2.22.1 to 2.23.0
- [Release notes](https://github.com/rubocop/rubocop-capybara/releases)
- [Changelog](https://github.com/rubocop/rubocop-capybara/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop-capybara/compare/v2.22.1...v2.23.0)

---
updated-dependencies:
- dependency-name: rubocop-capybara
  dependency-version: 2.23.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: rubocop
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge remote-tracking branch 'upstream/pull/7001'

Merge remote-tracking branch 'upstream/pull/7063'

Configure dependabot to respect Gemfile constraints

This allows us to use constraints in the Gemfile, without having to
remember to repeat them in the dependabot configuration.

Actually use notification preferences

Form to manage notification preferences

Ruby API to manage notification preferences

Merge remote-tracking branch 'upstream/pull/7060'

Merge remote-tracking branch 'upstream/pull/7059'

Fix GPX import mailers, which expected different tag objects

Embrace bug, which will be future behaviour

Merge remote-tracking branch 'upstream/pull/7057'

Bump net-imap from 0.6.3 to 0.6.4

Bumps [net-imap](https://github.com/ruby/net-imap) from 0.6.3 to 0.6.4.
- [Release notes](https://github.com/ruby/net-imap/releases)
- [Commits](https://github.com/ruby/net-imap/compare/v0.6.3...v0.6.4)

---
updated-dependencies:
- dependency-name: net-imap
  dependency-version: 0.6.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge remote-tracking branch 'upstream/pull/7053'

Merge remote-tracking branch 'upstream/pull/7056'

Add kw to UI languages

Localisation updates from https://translatewiki.net.

Move hash and title sync logic from iframe to parent

Merge remote-tracking branch 'upstream/pull/6713'

Merge pull request #7055 from lonvia/patch-1

Fix link to FAQ

fix link to FAQ

Cache social link platform and name at save time (#6950)

Cache rendered HTML fragment for social links using Rails.cache.fetch
instead of re-parsing URLs on every page load. This avoids repeated
regex matching and HTTP calls to resolve platform metadata.

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

Merge pull request #7048 from tomhughes/md5-passwords

Drop support for legacy MD5 passwords

Block creation of notes within moderation zones

Add table+model to store geoblock zones

Add PostGIS adapter for ActiveRecord

Enable PostGIS

Drop support for MD5 legacy passwords

Remove support for validating MD5 passwords and migrate any such
passwords in the database to an invalid password.

Reported-by: Jorge Gonzalez Milla <jorge@jmilla.es>

Redirect users with invalid password to the reset flow

Test login error cases for sessions controller

Drop unused require of securerandom

Merge remote-tracking branch 'upstream/pull/7051'

Merge pull request #7052 from openstreetmap/translatewiki

Localisation updates from https://translatewiki.net.

Localisation updates from https://translatewiki.net.

Merge pull request #7049 from openstreetmap/dependabot/github_actions/dependencies-4a0b9de8bd

Bump ruby/setup-ruby from 1.305.0 to 1.306.0 in the dependencies group

Merge pull request #7050 from openstreetmap/dependabot/npm_and_yarn/dependencies-e2ab990367

Bump @herb-tools/linter from 0.9.7 to 0.10.1 in the dependencies group

Bump the dependencies group with 6 updates

Bumps the dependencies group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [bootsnap](https://github.com/rails/bootsnap) | `1.23.0` | `1.24.1` |
| [strong_migrations](https://github.com/ankane/strong_migrations) | `2.6.0` | `2.7.0` |
| [opentelemetry-instrumentation-all](https://github.com/open-telemetry/opentelemetry-ruby-contrib) | `0.92.0` | `0.93.0` |
| [herb](https://github.com/marcoroth/herb) | `0.9.7` | `0.10.1` |
| [puma](https://github.com/puma/puma) | `8.0.0` | `8.0.1` |
| [database_consistency](https://github.com/djezzzl/database_consistency) | `3.0.3` | `3.0.4` |

Updates `bootsnap` from 1.23.0 to 1.24.1
- [Release notes](https://github.com/rails/bootsnap/releases)
- [Changelog](https://github.com/rails/bootsnap/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rails/bootsnap/compare/v1.23.0...v1.24.1)

Updates `strong_migrations` from 2.6.0 to 2.7.0
- [Changelog](https://github.com/ankane/strong_migrations/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ankane/strong_migrations/compare/v2.6.0...v2.7.0)

Updates `opentelemetry-instrumentation-all` from 0.92.0 to 0.93.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases)
- [Commits](https://github.com/open-telemetry/opentelemetry-ruby-contrib/compare/opentelemetry-instrumentation-all/v0.92.0...opentelemetry-instrumentation-all/v0.93.0)

Updates `herb` from 0.9.7 to 0.10.1
- [Release notes](https://github.com/marcoroth/herb/releases)
- [Commits](https://github.com/marcoroth/herb/compare/v0.9.7...v0.10.1)

Updates `puma` from 8.0.0 to 8.0.1
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](https://github.com/puma/puma/compare/v8.0.0...v8.0.1)

Updates `database_consistency` from 3.0.3 to 3.0.4
- [Changelog](https://github.com/djezzzl/database_consistency/blob/master/CHANGELOG.md)
- [Commits](https://github.com/djezzzl/database_consistency/compare/v3.0.3...v3.0.4)

---
updated-dependencies:
- dependency-name: bootsnap
  dependency-version: 1.24.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: strong_migrations
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: opentelemetry-instrumentation-all
  dependency-version: 0.93.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: herb
  dependency-version: 0.10.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: puma
  dependency-version: 8.0.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: database_consistency
  dependency-version: 3.0.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump @herb-tools/linter from 0.9.7 to 0.10.1 in the dependencies group

Bumps the dependencies group with 1 update: [@herb-tools/linter](https://github.com/marcoroth/herb/tree/HEAD/javascript/packages/linter).

Updates `@herb-tools/linter` from 0.9.7 to 0.10.1
- [Release notes](https://github.com/marcoroth/herb/releases)
- [Commits](https://github.com/marcoroth/herb/commits/v0.10.1/javascript/packages/linter)

---
updated-dependencies:
- dependency-name: "@herb-tools/linter"
  dependency-version: 0.10.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump ruby/setup-ruby from 1.305.0 to 1.306.0 in the dependencies group

Bumps the dependencies group with 1 update: [ruby/setup-ruby](https://github.com/ruby/setup-ruby).

Updates `ruby/setup-ruby` from 1.305.0 to 1.306.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](https://github.com/ruby/setup-ruby/compare/0cb964fd540e0a24c900370abf38a33466142735...c4e5b1316158f92e3d49443a9d58b31d25ac0f8f)

---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-version: 1.306.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #7039 from CommanderStorm/coordinate-transfer-system

Refactor more of the internal coordiante usage to `{ lat, lng }`

Merge pull request #7047 from tomhughes/message-rate-limit

Include deleted messages when checking the rate limit

Merge pull request #7046 from tomhughes/object-src

Block object-src in security policy

Merge pull request #7045 from tomhughes/totp-cookie

Set secure and httponly attributes for TOTP cookie

Merge remote-tracking branch 'upstream/pull/7043'

Include deleted messages when checking the rate limit

Reported-by: Jorge Gonzalez Milla <jorge@jmilla.es>

Block object-src in security policy

This is ancient history from when we had a flash based editor
though I'm not sure this rule was really needed even then.

Reported-by: Jorge Gonzalez Milla <jorge@jmilla.es>

Set secure and httponly attributes for TOTP cookie

Reported-by: Jorge Gonzalez Milla <jorge@jmilla.es>

Merge pull request #7036 from tomhughes/bundler4

Update bundler to v4

Reuse 0s and 1s for arm textures

Expand text gradient mask

Merge remote-tracking branch 'upstream/pull/7042'

Merge remote-tracking branch 'upstream/pull/7041'

Fix string that was not translatable

Fix string that was not translatable

Merge pull request #7040 from openstreetmap/translatewiki

Localisation updates from https://translatewiki.net.

Localisation updates from https://translatewiki.net.

Merge remote-tracking branch 'upstream/pull/7033'

Remove dead css

Signed-off-by: Frank Elsinga <frank@elsinga.de>

fix inconsistent method capitalisation

Signed-off-by: Frank Elsinga <frank@elsinga.de>

Migrate to lat, lng coords

Signed-off-by: Frank Elsinga <frank@elsinga.de>

Merge remote-tracking branch 'upstream/pull/7035'

Update bundler to v4

Merge remote-tracking branch 'upstream/pull/7009'

Merge remote-tracking branch 'upstream/pull/7002'

Bump postcss from 8.5.6 to 8.5.10

Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.10.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.10)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge remote-tracking branch 'upstream/pull/7032'

Merge remote-tracking branch 'upstream/pull/7034'

Bump erb from 6.0.2 to 6.0.4

Bumps [erb](https://github.com/ruby/erb) from 6.0.2 to 6.0.4.
- [Release notes](https://github.com/ruby/erb/releases)
- [Changelog](https://github.com/ruby/erb/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/erb/compare/v6.0.2...v6.0.4)

---
updated-dependencies:
- dependency-name: erb
  dependency-version: 6.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #7017 from lonvia/entrances-for-routing

Take entrances into account for routing start and end points

take entrances into account for routing start and end points

Merge pull request #7031 from openstreetmap/dependabot/npm_and_yarn/dependencies-53e8d04f7f

Bump maplibre-gl from 5.23.0 to 5.24.0 in the dependencies group

Bump the dependencies group with 2 updates

Bumps the dependencies group with 2 updates: [dalli](https://github.com/petergoldstein/dalli) and [opentelemetry-instrumentation-all](https://github.com/open-telemetry/opentelemetry-ruby-contrib).

Updates `dalli` from 4.3.3 to 5.0.2
- [Changelog](https://github.com/petergoldstein/dalli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/petergoldstein/dalli/compare/v4.3.3...v5.0.2)

Updates `opentelemetry-instrumentation-all` from 0.91.0 to 0.92.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases)
- [Commits](https://github.com/open-telemetry/opentelemetry-ruby-contrib/compare/opentelemetry-instrumentation-all/v0.91.0...opentelemetry-instrumentation-all/v0.92.0)

---
updated-dependencies:
- dependency-name: dalli
  dependency-version: 5.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: opentelemetry-instrumentation-all
  dependency-version: 0.92.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

Bump maplibre-gl from 5.23.0 to 5.24.0 in the dependencies group

Bumps the dependencies group with 1 update: [maplibre-gl](https://github.com/maplibre/maplibre-gl-js).

Updates `maplibre-gl` from 5.23.0 to 5.24.0
- [Release notes](https://github.com/maplibre/maplibre-gl-js/releases)
- [Changelog](https://github.com/maplibre/maplibre-gl-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/maplibre/maplibre-gl-js/compare/v5.23.0...v5.24.0)

---
updated-dependencies:
- dependency-name: maplibre-gl
  dependency-version: 5.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>