Commit graph

52 commits

Author SHA1 Message Date
Michael Mayer
a22c99dd12 Frontend: Upgrade Vitest, Vite, browserslist & Vue language server
- @vitest/coverage-v8 ^4.1.9 => ^4.1.10
- @vue/language-server ^3.3.5 => ^3.3.6
- browserslist ^4.28.4 => ^4.28.5
- vite ^8.1.0 => ^8.1.3
- vitest ^4.1.9 => ^4.1.10

Dev dependencies only; NOTICE (prod-only) unchanged.
2026-07-08 00:04:29 +00:00
Michael Mayer
9f3d958b02 Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-06-30 01:55:38 +02:00
Michael Mayer
b1318d57fa Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-06-27 13:38:53 +02:00
Michael Mayer
d13b9e50ca Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-06-25 20:46:45 +02:00
Cathie Integra
16eb3fb708 Frontend: Revert dep bump that broke options.js in prod bundle
Reverts 0182c46bb. The webpack 5.107.2->5.108.0 bump changed prod-bundle
scope-hoisting so option-builders in src/options/options.js (Languages,
TimeZones, StartPages, MapsAnimate) threw "Cannot read properties of
undefined", breaking the login and Settings pages on all editions.
Re-apply the photo-sphere-viewer/tar patch bumps separately.
2026-06-25 20:11:57 +02:00
Michael Mayer
7654e676b7 Frontend: Remove unused babel-plugin-istanbul and dead Karma config #5659
The babel-plugin-istanbul coverage plugin was only wired into the retired karma.conf.js; Vitest measures coverage via @vitest/coverage-v8 (.babelrc has no plugins). Dropping it removes the orphaned @istanbuljs/load-nyc-config -> js-yaml@3 subtree and clears the GHSA-h67p-54hq-rp68 DoS advisory; npm audit now reports 0 vulnerabilities.
2026-06-25 16:29:40 +00:00
Michael Mayer
0182c46bbb Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-06-25 18:18:08 +02:00
Michael Mayer
e1c9eafe88 Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-06-24 10:45:53 +02:00
Michael Mayer
83e6796e40 Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-06-22 21:46:50 +02:00
Michael Mayer
6006e08a38 Frontend: Update deps in package.json and package-lock.json #352 #4718 #5623 2026-06-17 03:29:55 +02:00
Ömer Duran
3ea547a564
Lightbox: Add support for 360° photos and videos #352 #4718 #5623
* Lightbox: Add 360° photo and video sphere viewer support

Wires Photo Sphere Viewer v5 into the lightbox for equirectangular
media. Backend detects UsePanoramaViewer and IsPhotosphere markers
alongside ProjectionType, and exposes Panorama + Projection in the
viewer / search result DTOs so the frontend can dispatch on the
projection type. The renderer (ThreeJS + PSV core + video plugin +
equirectangular video adapter) is lazy-loaded into a dedicated
webpack chunk so the base bundle is unchanged for users with no
360° media. PhotoPrism's existing lightbox controls drive the
underlying HTMLVideoElement that the PSV adapter creates for 360°
videos. Includes Vitest coverage for the sphere helper and the
lightbox dispatch, plus a TestCafe smoke spec and three new
ExifTool metadata fixtures.

* Lightbox: Fix 360° controls leak, hide zoom button, add sidebar icon

* Lightbox: Fix 360° touch panning and navigation arrows

* Lightbox: Fix fast swipe switching photos on 360° slides

Suppress PhotoSwipe swipe/drag navigation at its source via the dispatched pointer hook while a sphere slide is active, since the per-element gesture trap is outrun by a fast swipe whose pointer leaves the sphere container (touch-capable Windows). UI controls stay excluded so buttons and arrows still navigate.

* Lightbox: Route only equirectangular media to the 360° viewer

Routing was based on the loose photo_panorama flag for videos, which is also
true for cubemap and merely-wide (aspect > 1.9) videos, so non-equirectangular
media wrongly opened, distorted, in the sphere viewer. Route strictly on the
equirectangular projection for both photos and videos. Surface the video file's
projection in the viewer DTO via Photo.MediaProjection() (the primary search row
is a poster JPEG with no projection). Add an MP4 metadata-detection test.

* Lightbox: Open tagless 2:1 360° videos in the sphere viewer

Many 360° videos carry no projection tag PhotoPrism can read, so strict
equirectangular-projection routing left them in the flat player. Fall back to
equirectangular's defining 2:1 frame for panorama-flagged videos without a
projection, via is360Equirectangular() in common/sphere.js, while cubemap and
ultrawide (~2.35:1) clips stay flat.

* Tests: Make the 360° sphere video test assert instead of skipping
2026-06-17 03:26:25 +02:00
Michael Mayer
1b2ce048b2 Frontend: Update axios, vitest, playwright & coverage-v8
Pin axios 1.18.0 (security-hardening minor: strips sensitive headers on cross-origin redirects, rejects malformed http/https URLs, tightens prototype-pollution defenses; no breaking changes). Bump vitest and coverage-v8 to 4.1.9, playwright to ^1.61.0. OSV-Scanner clean for both ecosystems.
2026-06-15 10:23:12 +00:00
Michael Mayer
b24e84f5f5 Frontend: Upgrade Vitest to v4 and Vite to v8 to drop esbuild #5659 2026-06-14 16:15:51 +00:00
Michael Mayer
9f373a909c Frontend: Update deps in package.json and package-lock.json 2026-06-14 17:43:11 +02:00
Michael Mayer
8c5e29771b Frontend: Upgrade axios from 1.16.1 to 1.17.0
Security-hardening and bug-fix minor release; no breaking changes for
our usage. Keeps the exact pin (no caret) per the high-risk-package
policy. Verified with make audit, OSV-Scanner, build-js, and test-js.
2026-06-10 16:55:39 +00:00
Michael Mayer
f205dd63ca Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-06-10 05:06:34 +02:00
Michael Mayer
6d692cf9dc Frontend: Update vue/compiler-sfc 3.5.35, tar 7.5.16, coverage-v8 3.2.6 2026-06-01 17:46:50 +00:00
Michael Mayer
d5549e792c Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-31 04:23:57 +02:00
Michael Mayer
36da6af565 Frontend: Update deps in package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-29 01:57:17 +02:00
Michael Mayer
f136ae3b21 Frontend: Update deps in package.json and package-lock.json 2026-05-26 16:25:19 +00:00
Michael Mayer
000cbe2a78 Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-24 15:32:24 +02:00
Michael Mayer
5c993ebb6d Frontend: Update deps in go.mod and go.sum
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-20 13:13:28 +02:00
Michael Mayer
7ba4dc1bf6 Frontend: Tune lightbox theme for face markers, retire ESLint-Prettier glue #4966
- Refactor `meta.css` face-marker palette to consume theme tokens (Path A):
  default rect → `on-surface`; named-marker stroke → `primary`; draft →
  `accent`; hover → `primary-darken-1`; handle → `primary-darken-1` fill +
  `primary` stroke; Confirm pill → `primary-darken-2`; Cancel pill →
  `highlight-lighten-1`; Remove pill → `remove`; Back button → `surface`.
- Retune the `lightbox` theme block to support the rebind: `primary
  #F2F3F3 → #9E8FC9` (muted purple), `accent #2D2E2E → #BDAFE4` (lavender),
  `surface #151515 → #181818`, `surface-bright → #1c1c1c`, `button →
  #242424`, `highlight #424041 → #3c3c3c`, `remove → #cd4645`. Effectively
  reverts the `surface-variant ↔ on-surface-variant` swap and re-introduces
  an explicit `.v-tooltip.v-theme--lightbox` override in `lightbox.css`.
- Bump `variations.darken` to 2 so `--v-theme-primary-darken-2` resolves.
- Swap the in-template button order in `markers.vue` to Cancel-left /
  Confirm-right for both the pending-add and remove-confirm popovers.
- Add inline comments to the `default.add` and updated `lightbox`
  entries so each color's purpose stays documented at the source.
- Drop `eslint-plugin-prettier` (its `prettier/prettier` rule was already
  `"off"`, making the plugin inert). Replace `plugin:prettier/recommended`
  with a direct `eslint-config-prettier` extend; keep ESLint's own
  `indent` / `quotes` / `brace-style` rules as the JS formatter.
- Tell ESLint to ignore `*.{css,scss,sass}` so Prettier owns CSS
  unambiguously; wire `npm run fmt-css` / `npm run lint-css` Prettier
  passes into `npm run fmt` / `npm run lint` so `make fmt-js` and
  `make lint-js` cover stylesheets too.
- Drop `eslint-plugin-prettier` from the dev-container global install
  list and the `frontend/tests/README.md` dependency table; regenerate
  `NOTICE` files.
2026-05-19 09:56:09 +00:00
Michael Mayer
7ed0fc44d3 Frontend: Drop unused "escape-string-regexp" dep, refresh tooling
Removes the top-level "escape-string-regexp" dependency, which has no
direct consumer in our source. The v4 line lives on as a transitive
dep of "eslint" and "sanitize-html"; "webpack-bundle-analyzer" keeps
its nested v5 copy. Net dep-tree shape is unchanged.

Also bumps "@vue/language-server" to ^3.3.0, adds "vuln" and "tools"
phony aliases in the Makefile, and aligns the frontend "audit" target
with the root one (--no-fund --no-audit).

Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-19 01:04:49 +00:00
Michael Mayer
c012700f29 Frontend: Update deps in package.json and package-lock.json #4966 #5585
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-18 11:27:36 +02:00
Michael Mayer
29efda150c Frontend: Remove floating-vue and consolidate on Vuetify tooltips #4966 2026-05-17 11:06:28 +00:00
Michael Mayer
ae4e330e2e Frontend: Update deps in package.json and package-lock.json #4966
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-15 08:24:55 +02:00
Michael Mayer
12a5fdd153 Frontend: Update deps in package.json and tests in info.test.js
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-09 17:39:41 +02:00
Michael Mayer
511f0cf793 Frontend: Update deps in package.json and package-lock.json #4966
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-06 10:30:16 +02:00
Michael Mayer
4410269cc2 Frontend: Drop unused @testing-library/react and vite-tsconfig-paths
Both were added during the Vitest framework integration (#4990) but
never referenced in any source file or test config — npm ls confirms
zero transitive consumers. PhotoPrism is Vue, so the React testing
library is not applicable; @testing-library/jest-dom (the actually
used helper) stays. The TS-paths resolver was speculatively added
when the Vite config was first stubbed and was never wired up.

README's "Known Unused" table is replaced with a short "Auditing for
Orphaned Dependencies" section so the sweep pattern (rg + npm ls)
is documented for future cleanups.
2026-05-05 10:07:55 +00:00
Michael Mayer
8339ed1b26 Frontend: Drop orphaned cheerio dependency from package.json
Cheerio was originally pulled in alongside easygettext@2.17.0 in May
2022 (commit d600d5faf), where easygettext declared cheerio@^1.0.0-rc.3
as a runtime dep for HTML parsing in the gettext-extract flow. When
easygettext was replaced by vue3-gettext / vue-gettext-extract in
October 2025 (commit ab9a0a969 / #1152), cheerio was overlooked and
left as a top-level dep with no consumers.

The exact pin to 1.0.0-rc.12 was set in September 2024 (commit
ab9e156c9, bundled into an unrelated UX commit) after an August 2024
bump to ^1.0.0 broke easygettext's ^1.0.0-rc.3 peer constraint. That
rationale evaporated when easygettext was removed; the lockfile
reverse-search confirms zero current consumers.

npm ls cheerio --all returns only the direct top-level entry; no
source files import it. make audit, make build-js, make test-js
(1055 passed / 13 skipped) all stay clean after removal.
2026-05-05 09:59:09 +00:00
Michael Mayer
044af03a6d Frontend: Bump axios from 1.15.2 to 1.16.0 in package.json
The supply-chain compromise that drove the original 1.14.0 quarantine
(malicious 1.14.1/0.30.4 from a hijacked maintainer account) was fully
remediated upstream weeks ago, so 1.16.0 is safe. Keeps the exact-pin
style recommended for high-risk packages.
2026-05-05 09:29:31 +00:00
Michael Mayer
c3fb3d53ca Frontend: Bump routine deps in package.json and package-lock.json
Updates four low-risk packages within their existing major lines:
@vue/compiler-sfc 3.5.18 -> 3.5.33 (track vue runtime), webpack-bundle-analyzer
4.10.2 -> 5.3.0 (CJS-compatible, drops Node <20.9), babel-plugin-polyfill-corejs3
0.13.0 -> 0.14.2, vite-tsconfig-paths 5.1.4 -> 6.1.1.
2026-05-05 09:27:18 +00:00
Michael Mayer
a2dce2b06c Frontend: Drop unused postcss-url and @vitejs/plugin-react
Removes two stale dependencies that have no code references in any
frontend/, plus/frontend/, pro/frontend/, or portal/frontend/ tree.
postcss-url was a 2019 leftover and is the only consumer of the
unpatched minimatch <=3.1.3 ReDoS chain (GHSA-3ppc-4f35-3m26,
GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74); npm audit now reports
zero vulnerabilities.
2026-05-05 09:22:20 +00:00
Michael Mayer
624733778a Frontend: Upgrade "workbox-webpack-plugin" to ^7.4.1 in package.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-05 11:05:22 +02:00
Michael Mayer
81b763798e Frontend: Pin Vuetify to 3.12.2 to fix dropdown flash-close #5538
Vuetify 3.12.3 added an onFocusout handler to VAutocomplete, VSelect,
and VCombobox (commit 3d33e2f, fixing Vuetify upstream #22697) that
flips isFocused=false on any blur whose relatedTarget is outside the
textfield. The handler closes long dropdowns on open because the
virtual scroller unmounts the focused list item during the scroll-to-
selected-index pass that runs right after the menu opens, producing a
transient blur with relatedTarget=null. Pinning Vuetify to 3.12.2 (the
last release without the regression) is the cleanest fix; explored
workarounds (list-props navigation-strategy=track, capture-phase
focusout suppression with activator refocus, menu-props attach=true)
all had unacceptable side effects.

The pin is documented inline in three places that cross-reference each
other: package.json (//vuetify field), frontend/CODEMAP.md (Runtime &
Plugins), and frontend/src/common/view.js (sibling-menu gate comment
block). The original GitHub issue #5538 has been updated with the full
root-cause analysis. A separate follow-up issue #5556 tracks the minor
.v-field--focused linger that 3.12.2 still has (PhotoPrism is currently
unaffected because the relevant inputs aren't on screen together).

Includes incidental cssnano (7.1.8 -> 7.1.9) and postcss (8.5.13 ->
8.5.14) patch bumps from \`make -C frontend update\` after the pin.
2026-05-04 19:18:44 +00:00
Michael Mayer
b78fb89869 Frontend: Update JS deps in package.json and package-lock.json #5538
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-05-04 17:52:16 +02:00
Michael Mayer
3f0725df2d Frontend: Update deps in package.json and package-lock.json #5505
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-04-28 09:01:53 +02:00
Michael Mayer
aaeb5c92b8 Frontend: Bump axios to 1.15.2 and drop legacy supply-chain pins
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-04-27 11:59:52 +02:00
Michael Mayer
c86c0369e9 Frontend: Upgrade JS deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-04-27 11:14:31 +02:00
Michael Mayer
e0333cb43b Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-04-01 15:26:06 +02:00
Michael Mayer
ca4f063052 Frontend: Pin "axios" to v1.14.0 to mitigate supply chain attack
see https://socket.dev/blog/axios-npm-package-compromised

Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-31 08:52:23 +02:00
Michael Mayer
a41ef30237 Frontend: Upgrade dependencies in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-28 09:35:57 +01:00
Ömer Duran
95099a5f78 Frontend: Upgrade Vuetify from ~3.11.9 to ^3.12.0 #5452 2026-03-10 12:31:48 +01:00
Michael Mayer
e052fd3eaf Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-09 11:49:28 +01:00
Michael Mayer
1a110df2e0 Frontend: Update deps in package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-08 15:38:31 +01:00
Michael Mayer
360a25e9c4 Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-07 10:24:35 +01:00
Michael Mayer
0303bc56d9 Frontend: Update deps in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-06 18:49:34 +01:00
Michael Mayer
69dcce1619 Frontend: Update postcss in package.json and package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-03 11:46:35 +01:00
Michael Mayer
9022309706 Frontend: Update deps in package-lock.json
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-02 19:26:13 +01:00