Resolve conflict in webdav-sync-expansion.spec.ts:
- Use simplified sync verification without reload (sync updates NgRx directly)
- Test: B marks task done -> sync -> verify A sees task as done
- CVE-2025-66035: XSRF token leakage via protocol-relative URLs
- CVE-2025-66412: Stored XSS via SVG animation and MathML attributes
- CVE-2025-66414: DNS rebinding in @modelcontextprotocol/sdk
Updated @angular/* packages to 20.3.15 and @angular/cli to 20.3.13.
* master: (41 commits)
16.7.2
16.7.1
16.7.0
fix(focus-mode): show start button when break time is up in banner mode
fix(focus-mode): hide dismiss button in banner-only mode (#5737)
fix(focus-mode): add start button in banner after session completes (#5737)
refactor(focus-mode): remove isAlwaysUseFocusMode setting (#5737)
feat(focus-mode): add task existence check before resuming tracking (#5737)
feat(focus-mode): add icon buttons for banner and sync session with tracking (#5753)
fix(repeat): schedule tasks for correct day and remove from Today when needed (#5594)
feat(focus-mode): sync duration when Pomodoro settings change (#5753)
feat(focus-mode): add new settings and fix pomodoro dialog (#5753)
fix(focus-mode): fix pomodoro long break timing and add ticking sound option (#5753)
feat(android): add better notifications and permanent notification for focus mode
feat(android): add background time tracking via foreground service
build(ci): add i18n JSON validation step to lint-and-test workflow
docs: add archived tasks viewer to community plugins
fix(android): make schedule dialog scrollable on small screens (#5741)
fix(focus-mode): preserve existing notes when opening notes panel (#5752)
fix(sync): show user-friendly error for Flatpak/Snap permission issues
...
# Conflicts:
# src/app/features/android/store/android.effects.ts
# src/app/features/focus-mode/store/focus-mode.effects.ts
# src/app/features/issue/dialog-edit-issue-provider/dialog-edit-issue-provider.component.ts
# src/app/features/reminder/reminder.module.ts
# src/app/features/task-repeat-cfg/store/task-repeat-cfg.effects.ts
Add local-rules/require-hydration-guard ESLint rule that warns when
selector-based NgRx effects lack hydration guards (skipDuringSync() or
isApplyingRemoteOps()).
The rule correctly identifies:
- Effects that START with this.store.select() as primary source
- Does NOT flag selectors in withLatestFrom (secondary sources)
- Does NOT flag selectors inside operator callbacks (already guarded)
This prevents duplicate operations during sync replay where selector-based
effects would fire on intermediate states.
Install eslint-plugin-local-rules to enable the rule.
Previously, flushYoungToOld was dispatched as an action and handled by
an NgRx effect. This caused a race condition during finish day:
1. Action dispatched, effect queued
2. Method returned, sync started, DB locked
3. Effect ran, tried to write, blocked by DB lock
Fix follows the same pattern as moveToArchive:
- Perform the flush synchronously in ArchiveService before dispatching
- Dispatch action for op-log capture only (syncs to other clients)
- Handler skips local operations (only runs for remote)
Also adds comprehensive unit tests and e2e test for this scenario.
The server migration check was incorrectly creating a SYNC_IMPORT when
a fresh client (with local data but no sync history) synced to an empty
server. This caused operations from other clients to be filtered out as
"invalidated by SYNC_IMPORT" because they were CONCURRENT with it.
Now _checkAndHandleServerMigration() checks for previously synced ops
before triggering migration, correctly distinguishing between:
- Fresh client (only local ops) → uploads ops normally
- Server migration (has sync history) → creates SYNC_IMPORT
Also adds npm scripts for debugging supersync E2E tests.
* master:
fix(electron): use includes() instead of in operator for hostname check
fix(docker): use Debian-based nginx for ARM64 QEMU compatibility
16.6.1
build: add resolved URL and integrity for ical.js version 2.1.0
fix(ui): align time tracking button overlay (#5720)
fix(calendar): handle Office 365 updateTimezones crash (#5722)
fix(repeat): use fallback for undefined startDate (#5724)
build(welcome): update wording for issue claiming instructions
fix(docker): drop arm/v7 platform to fix QEMU build failure
Replace custom UUID v7 implementations with the standard uuidv7 library.
The custom implementation had a bug with JavaScript bitwise operators
not handling 48-bit timestamps correctly.
- Override @conventional-changelog/git-client to ^2.5.1 to fix CVE-2025-59433
- Update glob (via nested deps) to ^11.1.0 to fix CVE-2025-64756
- Update node-forge to ^1.3.3 to fix CVE-2025-12816 & CVE-2025-66030
Upgrade Electron from 37.7.0 to 39.2.5. Since Electron 38+ defaults to
Wayland via --ozone-platform=auto, force X11 on Linux to ensure reliable
idle detection (#1443) and global shortcuts. Users can opt-in to Wayland
with --ozone-platform=wayland or --force-wayland flags.
- Add 'pree2e' script to build plugins before tests
- Add explicit checks for plugin management initialization
- Improve stability in issue-provider-panel tests
- Ensure baseURL is passed to test context
- Update plugin lockfiles
