Reporting the DeprecationWarning once should be sufficient when running tests.

… a set

17e9fcd - 2025-07-29 - musabustun <musabustun@noreply.codeberg.org>
90b302e - 2025-07-29 - return42 <return42@noreply.codeberg.org>
023a222 - 2025-07-29 - return42 <return42@noreply.codeberg.org>
17d37ed - 2025-07-30 - gkalathas <gkalathas@noreply.codeberg.org>
3c64c16 - 2025-07-29 - return42 <return42@noreply.codeberg.org>
d8f65cd - 2025-07-26 - IcewindX <icewindx@noreply.codeberg.org>

* [upd] pypi: Bump the minor group with 2 updates

Bumps the minor group with 2 updates: [granian[reload]](https://github.com/emmett-framework/granian) and [granian](https://github.com/emmett-framework/granian).


Updates `granian[reload]` from 2.4.2 to 2.5.0
- [Release notes](https://github.com/emmett-framework/granian/releases)
- [Commits](emmett-framework/granian@v2.4.2...v2.5.0)

Updates `granian` from 2.4.2 to 2.5.0
- [Release notes](https://github.com/emmett-framework/granian/releases)
- [Commits](emmett-framework/granian@v2.4.2...v2.5.0)

---
updated-dependencies:
- dependency-name: granian[reload]
  dependency-version: 2.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: granian
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* [enh] py: use humanized duration

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ivan Gabaldon <igabaldon@inetol.net>

* [fix] CI task "update_engine_traits.py" fails

To catch all problems with an HTTP request, the more general class
``httpx.HTTPError`` must be caught, for your test use::

    $ ./manage dev.env
    $ python ./searxng_extra/update/update_engine_traits.py

Closes: #5068

* [data] update searx.data - update_engine_traits.py

With this change, the "latest" tag will be visually higher (on registry tag list). Right now, it appears under the "DOCKER_TAG" manifest tag, which can be confusing.

The app and website were taken offline in December 2024, with the latter
pointing to KitchenAid's US website. [1]

[1] https://en.wikipedia.org/wiki/Yummly

Closes: #5079

- not 100% sure about the condition code mapping, there are no real matches for most of the codes from Apple WeatherKit to the weather codes we have in SearXNG
- related: #4885

Building the container currently does not work properly.
When rebuilding several times with `make container`, `version_frozen.py`
is recreated, which wouldn't be an issue if the file’s timestamp was constant.
Now, when creating `version_frozen.py`, it will have the same timestamp as the
commit when it was created. (`version_frozen.py` is moved to a dedicated layer).

Reusing "builder" cache when building "dist" could be slow
(CD reports 2 seconds, but locally I've seen it take up to 10 seconds),
so the Dockerfile is now split and we save a couple steps
by importing the "builder" image directly.

The last changes made it possible to remove the layer cache in "builder",
since the overhead is now greater than building the layers from scratch.

Until now, all "dist" layers were squashed into a single layer,
which in most cases is a good idea
(except for storage/delivery pricing/overhead), but in our case,
since we manage the entire pipeline, we can ignore this
and share layers between builds.
This means (for example) that if we change files unrelated to the container
in several consecutive commits (documentation changes), we don't have to push
the entire image to registry, but only the different layers
(`version_frozen.py` in this example).
The same applies when pulling, as only the layers that have changed
compared to the local layers will be downloaded (that's the theory,
we'll see if this works as expected or if we need to tweak something else).

Due to current limitations of `actions/cache`, the cache cannot be overwritten.
In our case, we need to accumulate cached wheels from different architectures.
To solve this, we simply delete the key before storing the cache again.

WhiteNoise requires all headers to be strings, however it's common to use
other primitive types (e.g. numbers) in the header, e.g. `X-XSS-Protection: 0`.
Thus, we must convert all types of values (i.e. numbers) to strings.

- closes #5091

Sometimes, there's only an `adaptivestreaming` field in `streams`, which
is usually an m3u8 file. That's however not supported by the video player
of any browser, so we can't use and must build a different url instead.

#5097)

Bumps the minor group with 1 update: [certifi](https://github.com/certifi/python-certifi).


Updates `certifi` from 2025.7.14 to 2025.8.3
- [Commits](certifi/python-certifi@2025.07.14...2025.08.03)

---
updated-dependencies:
- dependency-name: certifi
  dependency-version: 2025.8.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

We always use the latest versions of our base images, so this dependabot task
is unneeded.

All actions are pulled using the version hash, versions are handled by
dependabot, and we'll have control over which actions get updated.

Replaces Trivy scanner with Docker Scout, we have recently begun analyzing the
images there, and the action will keep us in sync about the problems on GHCS
dashboard.

The `publishedDate` has always been `None` before that change, which
causes that there are no `publishedDate`s visible for any result.

0fbf5aa - 2025-08-07 - alexgabi <alexgabi@noreply.codeberg.org>
d18d3ed - 2025-08-07 - return42 <return42@noreply.codeberg.org>
7927a63 - 2025-08-06 - pikzim <pikzim@noreply.codeberg.org>
27c8b40 - 2025-08-05 - nhthinh <nhthinh@noreply.codeberg.org>
83262e7 - 2025-08-04 - IcewindX <icewindx@noreply.codeberg.org>

To get an API key follow instructions at [1].

[1] https://about.marginalia-search.com/article/api/

Related (historical ordered):
- #1620
- #1673
- #1627
- #2489

Closes:
- #3034

Co-authored-by: Markus Heiser <markus.heiser@darmarit.de>

Related:

- #5037 (comment)

…ION (#5101)

Replaces `x_for` functionality with `trusted_proxies`. This allows defining
which IP / ranges to trust extracting the client IP address from X-Forwarded-For
and X-Real-IP headers.

We don't know if the proxy chain will give us the proper client
address (REMOTE_ADDR in the WSGI environment), so we rely on reading the headers
of the proxy before SearXNG (if there is one, in that case it must be added to
trusted_proxies) hoping it has done the proper checks. In case a proxy in the
chain does not check the client address correctly, integrity is compromised and
this should be fixed by whoever manages the proxy, not us.

Closes:

- #4940
- #4939
- #4907
- #3632
- #3191
- #1237

Related:

- searxng/searxng-docker#386
- inetol-infrastructure/searxng-container#81

The HTTP X-Forwarded-Proto (XFP) request header is a de-facto standard header
for identifying the protocol (HTTP or HTTPS) that a client used to connect to a
proxy or load balancer.[1]

In our documentation[2] we recommend to set the `X-Scheme` header. This header
is not required if the `server.base_url` is set correctly.[3]

If none of these URL scheme details exist, then the header X-Forwarded-Proto is
evaluated as a third alternative.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Proto
[2] https://docs.searxng.org/admin/installation-apache.html#apache-s-searxng-site
[3] https://docs.searxng.org/admin/settings/settings_server.html

Closes: #5105

The HTTP X-Forwarded-Proto (XFP) request header is a *de-facto* standard header
for identifying the protocol (HTTP or HTTPS) that a client used to connect to a
proxy or load balancer.[1]

The ``X-Scheme`` header was added 10 years ago, why ``X-Scheme`` was used back
then and not ``X-Forwarded-Proto``, nobody knows today / possibly because
``X-Forwarded-Proto`` wasn't a *de-facto* standard back then.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Proto
[2] searx/searx@6ef7c3276

Add Baidu Captcha detection to reduce `JSONDecodeError` error

Baidu will redirect to `wappass.baidu.com` and return a captcha challenge.
Current behavior will get the data from `wappass.baidu.com` then return a
`json.decoder.JSONDecodeError` error.

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>

The User-Agent header recently become required to fetch blacklist from URL

  https://ahmia.fi/blacklist/

[1] https://github.com/searxng/searxng/actions/runs/18892940199/job/53924400294

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>

To complete a SearXNG developer environment, nvm needs to be
installed (ensured).  Without this patch::

    $ LANG=C ./manage dev.env
    ...
    ./utils/lib_nvm.sh: line 27: .nvm/nvm.sh: No such file or directory
    ./utils/lib_nvm.sh: line 28: .nvm/bash_completion: No such file or directory
    ...
    (dev.env)$

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>

0bdbdde - 2025-10-26 - 0ko <0ko@noreply.codeberg.org>
7b0abb9 - 2025-10-27 - artens <artens@noreply.codeberg.org>
882a289 - 2025-10-27 - langckx <langckx@noreply.codeberg.org>
c2d0255 - 2025-10-25 - Flyingfufu <flyingfufu@noreply.codeberg.org>

…#5403)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.30.9 to 4.31.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@16140ae...0499de3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the minor group with 3 updates: [granian](https://github.com/emmett-framework/granian), [selenium](https://github.com/SeleniumHQ/Selenium) and [granian[reload]](https://github.com/emmett-framework/granian).


Updates `granian` from 2.5.5 to 2.5.6
- [Release notes](https://github.com/emmett-framework/granian/releases)
- [Commits](emmett-framework/granian@v2.5.5...v2.5.6)

Updates `selenium` from 4.37.0 to 4.38.0
- [Release notes](https://github.com/SeleniumHQ/Selenium/releases)
- [Commits](SeleniumHQ/selenium@selenium-4.37.0...selenium-4.38.0)

Updates `granian[reload]` from 2.5.5 to 2.5.6
- [Release notes](https://github.com/emmett-framework/granian/releases)
- [Commits](emmett-framework/granian@v2.5.5...v2.5.6)

---
updated-dependencies:
- dependency-name: granian
  dependency-version: 2.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor
- dependency-name: selenium
  dependency-version: 4.38.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: granian[reload]
  dependency-version: 2.5.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor

Bumps the minor group in /client/simple with 2 updates: [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) and [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node).

Updates `@biomejs/biome` from 2.2.7 to 2.3.2
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.3.2/packages/@biomejs/biome)

Updates `@types/node` from 24.9.1 to 24.9.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.3.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: "@types/node"
  dependency-version: 24.9.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor

Reported in [1], HOTFIX in [2], this patch here is now the final solution.

Note that if using PEP 563 postponed evaluation of annotations" (e.g. ``from
__future__ import annotations``) only the following spellings will work:

    ClassVar or ClassVar[<type>]
    typing.ClassVar or typing.ClassVar[<type>]

Importing ClassVar or typing under an aliased name (e.g. ``import typing as t``)
will not be properly detected. [3]

[1] #5304 (comment)
[2] #5309
[3] https://jcristharif.com/msgspec/structs.html#class-variables

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>

This reverts HOTFIX from commit fc7d8b8 [1]

[1] #5309

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>

…5410)

…nt including version (#5414)

SourceHut uses a foss bot protection tool called `go-away` (which I can
recommend BTW).  It blocks common crawler user agents, such as the standard
Firefox user agent.  Hence, we're now using our custom SearXNG user agent to
clarify we're not a crawler.

Closes: #5270
Co-authored-by: Markus Heiser <markus.heiser@darmarit.de>

…5417)

Yandex engine will return parsing error instead of informing that a CAPTCHA was found. It is confusing for the admin and the users (#5415).


This patch fixes an issue where the CAPTCHA response from Yandex wouldn't be detected, resulting in `ParserError` when trying to parse the response to DOM.

In this fix, I replaced the url condition and instead is checking if the `x-yandex-captcha` header is set, and is equal to `captcha`.

Alternatively, maybe something like `resp.headers.get('Location', '').startswith("https://yandex.com/showcaptcha")` could be done instead. Lastly, setting `params['allow_redirects'] = True` can also work, but this will waste an extra request. Just let me know.

Closes: #5415

The difference between decompression with brotli or gzip in HTML files is
negligible for 3 MB of compiled binary package.

Introduced in eaa694f

Closes https://github.com/searxng/searxng/security/code-scanning/276
Closes https://github.com/searxng/searxng/security/dependabot/37

….0 (#5424)

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@2910929...c7c5346)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [JamesIves/github-pages-deploy-action](https://github.com/jamesives/github-pages-deploy-action) from 4.7.3 to 4.7.4.
- [Release notes](https://github.com/jamesives/github-pages-deploy-action/releases)
- [Commits](JamesIves/github-pages-deploy-action@6c2d9db...4a3abc7)

---
updated-dependencies:
- dependency-name: JamesIves/github-pages-deploy-action
  dependency-version: 4.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the minor group with 3 updates: [granian](https://github.com/emmett-framework/granian), [granian[pname]](https://github.com/emmett-framework/granian) and [granian[reload]](https://github.com/emmett-framework/granian).


Updates `granian` from 2.5.6 to 2.5.7
- [Release notes](https://github.com/emmett-framework/granian/releases)
- [Commits](emmett-framework/granian@v2.5.6...v2.5.7)

Updates `granian[pname]` from 2.5.6 to 2.5.7
- [Release notes](https://github.com/emmett-framework/granian/releases)
- [Commits](emmett-framework/granian@v2.5.6...v2.5.7)

Updates `granian[reload]` from 2.5.6 to 2.5.7
- [Release notes](https://github.com/emmett-framework/granian/releases)
- [Commits](emmett-framework/granian@v2.5.6...v2.5.7)

---
updated-dependencies:
- dependency-name: granian
  dependency-version: 2.5.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor
- dependency-name: granian[pname]
  dependency-version: 2.5.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor
- dependency-name: granian[reload]
  dependency-version: 2.5.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…h 4 updates (#5423)

* [upd] web-client (simple): Bump the minor group

Bumps the minor group in /client/simple with 4 updates: [ol](https://github.com/openlayers/openlayers), [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [sharp](https://github.com/lovell/sharp).

Updates `ol` from 10.6.1 to 10.7.0
- [Release notes](https://github.com/openlayers/openlayers/releases)
- [Commits](openlayers/openlayers@v10.6.1...v10.7.0)

Updates `@biomejs/biome` from 2.3.2 to 2.3.4
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.3.4/packages/@biomejs/biome)

Updates `@types/node` from 24.9.2 to 24.10.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `sharp` from 0.34.4 to 0.34.5
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.34.4...v0.34.5)

---
updated-dependencies:
- dependency-name: ol
  dependency-version: 10.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: "@biomejs/biome"
  dependency-version: 2.3.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor
- dependency-name: "@types/node"
  dependency-version: 24.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: sharp
  dependency-version: 0.34.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* [upd] web-client (simple): rebuild static

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ivan Gabaldon <igabaldon@inetol.net>

…#5445)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.2 to 4.31.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@0499de3...014f16e)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

- official website: https://devicon.dev/
- the engine contains a lot of icons of popular software frameworks (e.g. pytest),
so they could for example be useful for visualizing a diagram of the tech stack used in an app

Bumps the minor group in /client/simple with 3 updates: [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [browserslist](https://github.com/browserslist/browserslist).

Updates `@biomejs/biome` from 2.3.4 to 2.3.5
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.3.5/packages/@biomejs/biome)

Updates `@types/node` from 24.10.0 to 24.10.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `browserslist` from 4.27.0 to 4.28.0
- [Release notes](https://github.com/browserslist/browserslist/releases)
- [Changelog](https://github.com/browserslist/browserslist/blob/main/CHANGELOG.md)
- [Commits](browserslist/browserslist@4.27.0...4.28.0)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.3.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor
- dependency-name: "@types/node"
  dependency-version: 24.10.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor
- dependency-name: browserslist
  dependency-version: 4.28.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the minor group with 3 updates: [certifi](https://github.com/certifi/python-certifi), [pylint](https://github.com/pylint-dev/pylint) and [basedpyright](https://github.com/detachhead/basedpyright).


Updates `certifi` from 2025.10.5 to 2025.11.12
- [Commits](certifi/python-certifi@2025.10.05...2025.11.12)

Updates `pylint` from 4.0.2 to 4.0.3
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](pylint-dev/pylint@v4.0.2...v4.0.3)

Updates `basedpyright` from 1.32.1 to 1.33.0
- [Release notes](https://github.com/detachhead/basedpyright/releases)
- [Commits](DetachHead/basedpyright@v1.32.1...v1.33.0)