Commit graph

1056 commits

Author SHA1 Message Date
Johannes Millan
007c7024c7 chore(deps): bump @fastify/static to 9.1.1 in super-sync-server
Patches CVE-2026-6410 and CVE-2026-6414. Regenerates the root
package-lock.json so workspace resolution matches the bumped range.
2026-04-20 15:48:40 +02:00
Johannes Millan
e113cd8d21 18.2.4 2026-04-19 19:21:50 +02:00
Johannes Millan
404c68127a 18.2.3 2026-04-18 23:24:19 +02:00
Johannes Millan
a1e3d9cc55 fix(build): pin app-builder-lib minimatch back to 10.1.1 2026-04-18 23:24:19 +02:00
dependabot[bot]
4b9bd23e56
chore(deps): bump the npm_and_yarn group across 1 directory with 9 updates (#7259)
Bumps the npm_and_yarn group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [fastify](https://github.com/fastify/fastify) | `5.8.4` | `5.8.5` |
| [nodemailer](https://github.com/nodemailer/nodemailer) | `8.0.4` | `8.0.5` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `6.4.1` | `6.4.2` |
| [@hono/node-server](https://github.com/honojs/node-server) | `1.19.11` | `1.19.14` |
| [axios](https://github.com/axios/axios) | `1.13.6` | `1.15.0` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.0` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.11` | `1.16.0` |
| [hono](https://github.com/honojs/hono) | `4.12.9` | `4.12.14` |
| [lodash-es](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |



Updates `fastify` from 5.8.4 to 5.8.5
- [Release notes](https://github.com/fastify/fastify/releases)
- [Commits](https://github.com/fastify/fastify/compare/v5.8.4...v5.8.5)

Updates `nodemailer` from 8.0.4 to 8.0.5
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodemailer/nodemailer/compare/v8.0.4...v8.0.5)

Updates `vite` from 6.4.1 to 6.4.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite)

Updates `@hono/node-server` from 1.19.11 to 1.19.14
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](https://github.com/honojs/node-server/compare/v1.19.11...v1.19.14)

Updates `axios` from 1.13.6 to 1.15.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.13.6...v1.15.0)

Updates `dompurify` from 3.3.3 to 3.4.0
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](https://github.com/cure53/DOMPurify/compare/3.3.3...3.4.0)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0)

Updates `hono` from 4.12.9 to 4.12.14
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](https://github.com/honojs/hono/compare/v4.12.9...v4.12.14)

Updates `lodash-es` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: fastify
  dependency-version: 5.8.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: nodemailer
  dependency-version: 8.0.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 6.4.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-18 20:35:50 +02:00
Johannes Millan
47c52dfa87 18.2.2 2026-04-17 22:51:53 +02:00
Johannes Millan
b9d6dc6d86
test(e2e): update Show/hide task panel button label (#7260)
* test(e2e): update Show/hide task panel button label

The TOGGLE_DETAIL_PANEL translation was renamed from "Show/Hide
additional info" to "Show/hide task panel" in dd789d2, but e2e
selectors still referenced the old string, causing every test that
opens the task detail panel to time out.

https://claude.ai/code/session_011mX4Pr24S42svmA5j7fRux

* 18.2.1

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-17 22:19:22 +02:00
Johannes Millan
9b7d34100e 18.2.0 2026-04-17 19:48:55 +02:00
Leandro Marques
179700ccda
chore: update electron to v41.x (#7097)
* chore: update electron to v41.1.1

* feat(start-app): clear GPU cache on Electron version change for Linux

* fix(window-decorators): disable custom window title bar for GNOME

This fixes some issues when moving and resizing the window

* refactor: Migrate url.format() (DEP0116) to file:// path approach

* refactor(start-app): remove deprecated protocol.registerFileProtocol in start-app.ts

* feat(electron-builder): update gnome content snap to gnome-42-2204 for improved compatibility and update flatpak permissions

* fix(window-decorators): improve handling of custom window title bar for GNOME

* feat(start-app): implement fallback to X11 in Snap if gnome-42-2204 runtime is unavailable

* chore: update electron to v41.1.1

* chore(package-lock): remove unused dependencies from package-lock.json

* fix(electron): move snap ozone-platform switch before app ready event

app.commandLine.appendSwitch() must be called before Chromium
initializes — after the ready event fires the GPU backend is already
running and the switch is a no-op. Move the Snap X11 fallback (defense-
in-depth for missing gnome-42-2204 runtime) to run synchronously at
startup, alongside the existing gtk-version and speech-dispatcher
switches.

* fix(electron): align IS_GNOME_DESKTOP detection with preload.ts logic

The original implementation only matched Ubuntu's GNOME session
(XDG_CURRENT_DESKTOP contains both 'gnome' AND 'ubuntu'), missing plain
GNOME on Fedora, Arch, etc. The preload.ts isGnomeDesktop() already
used the correct approach: check four environment variables with OR
logic. Align common.const.ts to match, preventing a split-brain where
the main process and renderer disagree on whether the user is on GNOME
— which would produce no title bar at all on non-Ubuntu GNOME desktops.

* fix(electron): restore v41 bump lost in merge and gate title-bar toggle

- Re-apply electron 41.2.0 + minimatch 10.2.5 override (master's 0e9218bd
  reverted the dependabot bump back to 37.10.3 while this branch's
  merge-base still contained 41.2.0, so the pre-merge diff was empty).
- Regenerate root package-lock.json accordingly.
- Drop unrelated esbuild additions from plugin-dev sub-lockfiles.
- misc-settings-form: gate isUseCustomWindowTitleBar on IS_ELECTRON &&
  !IS_GNOME_DESKTOP so the toggle does not appear in the web/PWA build.

---------

Co-authored-by: Johannes Millan <johannes.millan@gmail.com>
2026-04-17 18:12:43 +02:00
dependabot[bot]
fdf20d8953
chore(deps): bump lodash in the npm_and_yarn group across 1 directory (#7218)
Bumps the npm_and_yarn group with 1 update in the / directory: [lodash](https://github.com/lodash/lodash).


Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-16 19:15:53 +02:00
Johannes Millan
0e9218bd68 fix(sync): handle data validation errors and improve client ID management
- Separate JsonParseError and SyncDataCorruptedError handlers in sync wrapper
- Handle corrupted remote data gracefully instead of throwing
- Add getOrGenerateClientId() as unified entry point, eliminating dual injection
  of ClientIdService + CLIENT_ID_PROVIDER in snapshot-upload, file-based-encryption,
  and sync-hydration services
- Use crypto.getRandomValues() instead of Math.random() for client ID generation
- Warn user when stored client ID is invalid and must be regenerated
- Fix flaky e2e supersync tests (premature waitForURL match on daily-summary URL)
2026-04-16 17:41:39 +02:00
Johannes Millan
c47ab48eb7
chore(deps): bump lodash from 4.17.23 to 4.18.1 (#7225)
* chore(deps): bump lodash from 4.17.23 to 4.18.1

Cherry-pick from Dependabot PR #7218. Fixes prototype pollution via
constructor/prototype path traversal in _.unset/_.omit (GHSA-f23m-r3pf-42rh)
and code injection via _.template imports keys (GHSA-r5fr-rjxr-66jc).

https://claude.ai/code/session_01NbP8MQuSHm7p4Z4uUCRqeg

* chore(deps): fix security vulnerabilities via npm audit fix

Updates transitive dependencies to resolve security advisories:
- follow-redirects 1.15.11 -> 1.16.0 (GHSA-r4q5-vmmm-2653)
- path-to-regexp 8.3.0 -> 8.4.2 and 0.1.12 -> 0.1.13 (ReDoS fixes)
- picomatch: updated nested copies to 4.0.4 (GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj)
- minimatch: updated app-builder-lib override from vulnerable 10.1.1 to 10.2.5

Remaining items blocked on upstream releases:
- picomatch 4.0.3 (top-level, needs @angular-devkit update)
- undici 7.22.0 (needs @angular/build update)
- vite 7.3.1 (needs @angular/build update)
- minimatch 10.1.1 in glob (needs glob update)

All vulnerabilities are in dev/build tooling only — none affect production.

https://claude.ai/code/session_01NbP8MQuSHm7p4Z4uUCRqeg

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-14 15:32:05 +02:00
dependabot[bot]
ad38eeb2ea
chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates (#7178)
Bumps the npm_and_yarn group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [electron](https://github.com/electron/electron) | `37.10.3` | `41.2.0` |
| [nodemailer](https://github.com/nodemailer/nodemailer) | `8.0.4` | `8.0.5` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `6.4.1` | `6.4.2` |
| [@hono/node-server](https://github.com/honojs/node-server) | `1.19.11` | `1.19.13` |
| [axios](https://github.com/axios/axios) | `1.13.6` | `1.15.0` |
| [hono](https://github.com/honojs/hono) | `4.12.9` | `4.12.12` |
| [lodash-es](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |



Updates `electron` from 37.10.3 to 41.2.0
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](https://github.com/electron/electron/compare/v37.10.3...v41.2.0)

Updates `nodemailer` from 8.0.4 to 8.0.5
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodemailer/nodemailer/compare/v8.0.4...v8.0.5)

Updates `vite` from 6.4.1 to 6.4.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite)

Updates `@hono/node-server` from 1.19.11 to 1.19.13
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](https://github.com/honojs/node-server/compare/v1.19.11...v1.19.13)

Updates `axios` from 1.13.6 to 1.15.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.13.6...v1.15.0)

Updates `hono` from 4.12.9 to 4.12.12
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](https://github.com/honojs/hono/compare/v4.12.9...v4.12.12)

Updates `lodash-es` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: electron
  dependency-version: 41.2.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: nodemailer
  dependency-version: 8.0.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 6.4.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 16:40:36 +02:00
Johannes Millan
3861fa01b8 chore: regenerate package-lock.json to fix docker build
Lock file was out of sync with npm 11.11.0 (node:24-alpine) used in
Docker, causing npm ci to fail with minimatch version conflicts.
2026-04-13 16:21:17 +02:00
Johannes Millan
947ee4b3ef
fix(sync): flush pending writes before conflict detection to prevent archive bypass (#7179)
* fix(sync): flush pending writes before conflict detection to prevent archive bypass

When a user action (e.g., rename) is dispatched right before a sync cycle,
the NgRx effect may not have written the operation to IndexedDB yet. The
conflict detection in processRemoteOps only reads from IndexedDB via
getUnsyncedByEntity(), so it misses the pending operation. This causes
remote ops (e.g., moveToArchive) to be applied as non-conflicting,
bypassing the archive-wins logic.

The local operation is then written after the archive is applied and gets
uploaded on the next sync cycle. The server rejects it as concurrent, and
the superseded operation resolver may create an LWW Update that resurrects
the archived task (Bug B).

Fix: call flushPendingWrites() before conflict detection to ensure all
dispatched actions have been written to IndexedDB. This mirrors the
existing flush in uploadPendingOps().

https://claude.ai/code/session_012Tssj1CJAC8tPSTTapE3jU

* chore: update package-lock.json

https://claude.ai/code/session_012Tssj1CJAC8tPSTTapE3jU

* chore: revert accidental package-lock.json churn and clarify skipConflictDetection

- Restore package-lock.json to master state: the fix adds no new npm
  dependencies, so the lock file changes (minimatch downgrades, vitest
  peer subtree) were accidental artifacts from running npm install with
  a different npm version.
- Add comment explaining why flushPendingWrites() is also skipped when
  skipConflictDetection=true: SYNC_IMPORT semantics drop all local ops
  concurrent with or older than the import, so pending writes will be
  filtered by SyncImportFilterService on the next sync cycle.

* docs(sync): fix inaccurate comment about skipConflictDetection flush skip

The previous comment cited SyncImportFilterService as the mechanism that
would filter pending writes after forceDownloadRemoteState. That service
filters INCOMING remote ops, not outgoing ones. The actual mechanism is
server-side rejection: stale pending writes have pre-force-download vector
clocks and the server drops them as concurrent with/older than the
SYNC_IMPORT that seeded the remote state.

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-13 16:14:40 +02:00
Johannes Millan
70414145a3
fix(sync): prevent magic link prefetch failures and improve auth resilience (#7175)
* fix(sync): prevent magic link prefetch failures and improve auth resilience

- Make /magic-login prefetch-immune: GET now renders a confirmation page
  instead of consuming the single-use token. A "Log In" button triggers
  POST /api/login/magic-link/verify which does the actual verification.
  This prevents email client link prefetchers (Outlook SafeLinks, Gmail)
  from consuming magic link tokens before users click them.

- Increase rate limits on auth endpoints for shared-IP scenarios (e.g.
  university NAT). Global: 100→500, register: 10→50, login: 5→30,
  verify: 10→50, magic-login page: 10→50.

- Add trustProxy to Fastify so req.ip uses X-Forwarded-For behind
  reverse proxies instead of collapsing all clients to one rate bucket.

- Clear stale SuperSync auth tokens after 3 consecutive AuthFailSPErrors
  instead of never clearing them. Prevents persistent failure loops where
  an invalid token keeps retrying indefinitely until app reinstall.

- Improve registration-to-login UX messaging to emphasize email
  verification is required before login links will work.

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* chore: update package-lock.json from npm install

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* fix(sync): address review feedback for auth resilience

- Remove conflicting style.css link from magic-login page
- Change trustProxy from true to 1 (trust single hop only)
- Increase /login/magic-link rate limit from 30 to 50 per 15min
- Delete dead magic-login-redirect.js (replaced by magic-login-confirm.js)
- Reset auth failure counter on non-auth errors (truly consecutive)
- Add test for counter reset on non-auth error between auth errors

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* fix(sync): increase passkey rate limits and fix CSP inline script violations

- Increase passkey endpoint rate limits to match magic-link equivalents (50/15min)
- Extract inline scripts from /reset-password and /recover-passkey pages
  into external JS files to comply with CSP scriptSrc: ["'self'"]
- Remove dead safeJsonForScript helper (no longer needed)
- Increase /recover-passkey page rate limit to 50/15min for consistency

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* fix(sync): update security tests for escapeHtml and fix recover/passkey rate limit

- Update server-security.spec.ts: tests now check for escapeHtml output
  (&lt;, &quot;) instead of safeJsonForScript output (\u003c), matching
  the new data-token attribute approach
- Increase /recover/passkey rate limit from 30 to 50 per 15min to match
  /login/magic-link (both send email with a secret link)

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

* fix(sync): reset auth failure counter after successful download

Move the counter reset from the final InSync return to right after
downloadRemoteOps() succeeds. This ensures early returns (cancelled,
LWW pending, payload rejected) also break the consecutive-failure
chain, since a successful download confirms auth is working.

https://claude.ai/code/session_01WkbLzvhguQwRDtk7ht38aY

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-10 14:46:57 +02:00
dependabot[bot]
8cd945a22d
chore(deps): bump lodash in the npm_and_yarn group across 1 directory (#7107)
Bumps the npm_and_yarn group with 1 update in the / directory: [lodash](https://github.com/lodash/lodash).


Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-09 20:34:52 +02:00
Johannes Millan
1f22fe685d 18.1.3 2026-04-01 21:27:44 +02:00
Johannes Millan
3a216b88e1 18.1.2 2026-04-01 21:25:48 +02:00
Johannes Millan
3e0f26aa5d 18.1.1 2026-04-01 21:17:20 +02:00
Johannes Millan
2e68c77086 build: package-lock 2026-04-01 15:43:38 +02:00
Johannes Millan
d32f7037a3 fix(sync): preserve own vector clock counter across full-state op resets
When a full-state op (SYNC_IMPORT/BACKUP_IMPORT) arrived from another
client, mergeRemoteOpClocks reset the local clock to a "minimal" form
but only preserved the current client's counter from the incoming op's
clock. If the current client had issued ops (e.g. GLOBAL_CONFIG) not
reflected in the incoming full-state op's clock, its counter was dropped,
causing subsequent ops to reuse the same counter value. Downstream clients
then saw these ops as EQUAL (duplicate) and skipped them silently.

Fix: take max(mergedClock[clientId], currentClock[clientId]) when
rebuilding the clock after a full-state op reset.

Also add __SP_E2E_BLOCK_WS_DOWNLOAD flag to WsTriggeredDownloadService
to allow E2E tests to block automatic WS-triggered downloads during
concurrent conflict scenarios.

Fix archive conflict test by blocking WS downloads on Client A during
the concurrent edit phase so it doesn't auto-receive B's rename via
WebSocket before archiving (restoring the intended conflict scenario).

Fix LWW singleton test to assert convergence rather than specific winner.
Fix renameTask helper to avoid Playwright/Angular re-render races.
Fix shepherd.js import paths that broke the Angular dev server build.
2026-04-01 15:41:13 +02:00
dependabot[bot]
567b335974
chore(deps): bump eslint-plugin-jsdoc from 61.4.1 to 62.8.1 (#7086)
Bumps [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc) from 61.4.1 to 62.8.1.
- [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases)
- [Commits](https://github.com/gajus/eslint-plugin-jsdoc/compare/v61.4.1...v62.8.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-jsdoc
  dependency-version: 62.8.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-01 13:01:17 +02:00
dependabot[bot]
8c29c0224c
chore(deps): bump @typescript-eslint/types from 8.57.2 to 8.58.0 (#7085)
Bumps [@typescript-eslint/types](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/types) from 8.57.2 to 8.58.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/types/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.58.0/packages/types)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/types"
  dependency-version: 8.58.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-01 13:00:57 +02:00
dependabot[bot]
b30bf4add8
chore(deps): bump chai from 5.3.3 to 6.2.2 (#7084)
Bumps [chai](https://github.com/chaijs/chai) from 5.3.3 to 6.2.2.
- [Release notes](https://github.com/chaijs/chai/releases)
- [Changelog](https://github.com/chaijs/chai/blob/main/History.md)
- [Commits](https://github.com/chaijs/chai/compare/v5.3.3...v6.2.2)

---
updated-dependencies:
- dependency-name: chai
  dependency-version: 6.2.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-01 13:00:44 +02:00
dependabot[bot]
0ff1f0dec2
chore(deps): bump karma-jasmine-html-reporter from 1.7.0 to 2.2.0 (#7083)
Bumps [karma-jasmine-html-reporter](https://github.com/dfederm/karma-jasmine-html-reporter) from 1.7.0 to 2.2.0.
- [Release notes](https://github.com/dfederm/karma-jasmine-html-reporter/releases)
- [Commits](https://github.com/dfederm/karma-jasmine-html-reporter/compare/v1.7.0...v2.2.0)

---
updated-dependencies:
- dependency-name: karma-jasmine-html-reporter
  dependency-version: 2.2.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-01 13:00:28 +02:00
dependabot[bot]
2dd2b9105b
chore(deps): bump @xmldom/xmldom (#7075)
Bumps the npm_and_yarn group with 1 update in the / directory: [@xmldom/xmldom](https://github.com/xmldom/xmldom).


Updates `@xmldom/xmldom` from 0.8.11 to 0.8.12
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](https://github.com/xmldom/xmldom/compare/0.8.11...0.8.12)

---
updated-dependencies:
- dependency-name: "@xmldom/xmldom"
  dependency-version: 0.8.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-01 12:52:50 +02:00
Johannes Millan
db3eaa6f81 18.1.2 2026-03-31 22:31:59 +02:00
Johannes Millan
49f63e8174 18.1.1 2026-03-31 22:31:40 +02:00
Johannes Millan
34089fb04a chore(deps): override picomatch to 4.0.4 to fix high severity vulnerability 2026-03-31 20:05:03 +02:00
Johannes Millan
821a87ba71 chore(deps): upgrade prisma from 5.22.0 to 7.6.0
Migrate super-sync-server to Prisma v7:
- Switch generator from prisma-client-js to prisma-client with local output
- Add prisma.config.ts for datasource URL configuration
- Use PrismaPg driver adapter instead of built-in Rust engine
- Add @prisma/adapter-pg and pg dependencies
- Update all imports from @prisma/client to generated client path
- Fix Buffer→Uint8Array for Bytes fields (Prisma v6 breaking change)
- Update Dockerfile: prisma CLI version, copy prisma.config.ts
- Add DATABASE_URL validation in db.ts
- Add src/generated/ to .gitignore
2026-03-31 20:05:03 +02:00
Johannes Millan
92e342af68 chore(deps): upgrade electron-dl from v3 to v4 (pure ESM)
electron-dl v4 is a pure ESM package. Since the Electron main process
is compiled with TypeScript "module": "commonjs", static import() gets
transformed to require() which cannot load ESM. Use Function() to
preserve a real dynamic import() at runtime.
2026-03-31 19:40:38 +02:00
Johannes Millan
8e71b5a6e9 chore(deps): pin shepherd.js to ~13.0.3 (last MIT-licensed version)
shepherd.js switched from MIT to AGPL-3.0 in v14. Pin to the last
MIT-compatible version and update imports to use named exports from
the main module instead of deep internal paths.
2026-03-31 19:40:38 +02:00
Johannes Millan
375274e3ea fix(deps): update vulnerable transitive dependencies
Update path-to-regexp, serialize-javascript, brace-expansion, and
nodemailer to patched versions to resolve 30 Dependabot security alerts.
2026-03-31 19:40:37 +02:00
dependabot[bot]
e943b3c780
chore(deps): bump @angular/material from 21.2.3 to 21.2.4 (#7039)
Bumps [@angular/material](https://github.com/angular/components) from 21.2.3 to 21.2.4.
- [Release notes](https://github.com/angular/components/releases)
- [Changelog](https://github.com/angular/components/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/components/compare/v21.2.3...v21.2.4)

---
updated-dependencies:
- dependency-name: "@angular/material"
  dependency-version: 21.2.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-31 13:41:49 +02:00
dependabot[bot]
d691883c5a
chore(deps): bump @types/supertest from 6.0.3 to 7.2.0 (#7042)
Bumps [@types/supertest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/supertest) from 6.0.3 to 7.2.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/supertest)

---
updated-dependencies:
- dependency-name: "@types/supertest"
  dependency-version: 7.2.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-31 13:41:28 +02:00
dependabot[bot]
f9ba198302
chore(deps): bump vitest from 3.2.4 to 4.1.2 (#7036)
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 3.2.4 to 4.1.2.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-31 13:39:16 +02:00
Johannes Millan
edb102534e
feat(android): improve task title from share intent using EXTRA_SUBJECT (#7052)
* feat(android): improve task title from share intent using EXTRA_SUBJECT

Browsers and many apps send the page title via Intent.EXTRA_SUBJECT, which
was previously ignored. Now the share handler uses subject > title > content
to build a meaningful task title instead of the generic "Check: Shared Content".
For links without metadata, a readable URL (domain + path) is used instead.

https://claude.ai/code/session_01LzFepWFjLKQSWKZn4iXEpS

* chore: update package-lock.json after npm install

https://claude.ai/code/session_01LzFepWFjLKQSWKZn4iXEpS

* refactor(android): simplify _buildTaskTitle and fix double spaces in URL

Deduplicate the subject/title preference logic and collapse multiple
spaces in _readableUrl output caused by leading slashes in pathnames.

https://claude.ai/code/session_01LzFepWFjLKQSWKZn4iXEpS

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-03-31 13:12:34 +02:00
Thorsten Klein
7fa8f12132
feat(sync): add Helm chart and WebSocket push for SuperSync (#6971)
* feat(sync): add Helm chart for SuperSync Kubernetes deployment

Includes Deployment, StatefulSet (PostgreSQL), Service, Ingress,
ConfigMap, Secret, HPA, PDB, NetworkPolicy, and test templates.
Supports both bundled PostgreSQL and external database configurations.

* feat(sync): add WebSocket push notifications for near-realtime sync

Server: Fastify WebSocket plugin with connection manager, app-level
heartbeat (30s), debounced notifications, and per-user routing.
Client: WebSocket service with exponential backoff reconnection,
WS-triggered download service, and reduced polling when connected.

* fix(sync): improve WebSocket error handling and reactivity

Make syncInterval$ reactive to WS connection state, fix Set/Map
mutation during heartbeat iteration, add error handling to WS route
handler, separate JSON parsing from message handling, detect auth
failures in WS-triggered downloads, and add logging to all empty
catch blocks.

* fix(sync): address PR review findings for WebSocket and Helm

Fix race condition in WS-triggered download pipeline by moving
isSyncInProgress filter after debounce and adding guard in
_downloadOps. Add logging to remaining empty catch blocks, fix
missing $NODE_IP in Helm NOTES.txt, and correct inaccurate
comments in values.yaml and ws-triggered-download.service.ts.

* fix(sync): add rate limiting to WebSocket upgrade endpoint

Limit WS connection attempts to 10 per minute per IP to prevent
connection flooding, matching the rate-limit pattern used by other
sync endpoints.

* fix(sync): extract shared constants, fix debounce correctness, replace deprecated toPromise

Extract CLIENT_ID_REGEX and MAX_CLIENT_ID_LENGTH into sync.const.ts
to prevent drift between sync.routes.ts and websocket.routes.ts.

Fix debounce in notifyNewOps to accumulate excluded client IDs across
rapid calls from different clients, preventing self-notifications.

Replace deprecated toPromise() with firstValueFrom in connectWebSocket
and _sync methods. Add .catch() to reconnect path and logging to
silent early returns in _downloadOps.

* fix(build): restore correct package-lock.json and fix upstream lint errors

* revert: restore upstream HTML formatting to match CI prettier config

* fix(sync): use DownloadOutcome discriminated union in WsTriggeredDownloadService

* fix(sync): narrow TokenVerificationResult before accessing userId

* fix(sync): await async getProviderById in connectWebSocket

Missing await caused the Promise object to be cast to
SuperSyncProvider, making getWebSocketParams undefined.

* feat(sync): add SEED_USERS env var to create verified users on startup

For self-hosted single-user setups: set SEED_USERS=email1,email2 to
create verified users on boot and log their access tokens. Skips
existing users. Removes need for SMTP/magic link registration.

Also fix Dockerfile to use npm install instead of npm ci for lockfile
compatibility.

* fix(sync): address PR review feedback for Helm chart and server

Security:
- Remove seed-users.ts (logged full JWT tokens to stdout)
- Add fail assertions for missing jwtSecret and postgresql.password
- Add smtp.user/smtp.password values fields
- Add from: selector to NetworkPolicy ingress
- Add egress rule for external database when postgresql.enabled=false

Correctness:
- Fix PostgreSQL StatefulSet indentation for non-persistent mode
- Fix NOTES.txt panic on empty tls list (use len instead of index)
- Restore npm ci in Dockerfile by using node:24-alpine (ships npm 11)
- Add Recreate deployment strategy when using RWO PVC

Operational:
- Add fail guard preventing HPA maxReplicas > 1 (in-memory WS state)
- Fix PDB to use maxUnavailable instead of minAvailable
- Add WebSocket ingress timeout annotation examples
- Add Prisma db push init container for schema migrations
- Default serviceAccount.automount to false
- Add Chart.yaml maintainers, home, sources metadata

* feat(sync): add ALLOWED_EMAILS env var to restrict registration

Supports fully qualified emails (user@example.com) and domain
wildcards (*@example.com). When unset, all emails are allowed.
Applied to all three registration endpoints (passkey options,
passkey verify, magic link).

* fix(sync): exempt health endpoint from rate limiting

Kubernetes liveness/readiness probes hit /health every 5-15s,
exhausting the global rate limit (100 req/15min) and causing
429 responses that trigger container restarts.

* fix(sync): harden WebSocket, Helm chart, and sync services from multi-agent review

- Pin prisma@5.22.0 in init container and use migrate deploy instead of db push
- Add per-user WebSocket connection limit (max 10) to prevent resource exhaustion
- Add replicaCount > 1 fail guard in deployment template (in-memory WS state)
- Set maxPayload: 1024 on WebSocket plugin (only pong messages expected)
- Remove premature IN_SYNC status from download-only WS-triggered sync
- Fix double removeConnection on error+close events (let close handle cleanup)
- DRY debounce logic in notifyNewOps and store latestSeq on pending entry
- Remove dead fromClientId from NewOpsNotification and WsMessage interfaces
- Add takeUntilDestroyed to _wsProviderCleanup subscription
- Simplify email-allowlist.ts to eager init (eliminate mutable state)
- Guard connectWebSocket at call site for non-SuperSync providers
- Add distinctUntilChanged to syncInterval$ to prevent unnecessary resets
- Add container-level securityContext to PostgreSQL StatefulSet
- Fix HPA maxReplicas default to 1 (matches single-replica constraint)

* fix(sync): restore migration in Dockerfile CMD for non-Helm Docker users

Helm users get migration via init container (runs first, CMD becomes no-op).
Docker-compose/plain Docker users get automatic migration back on startup.

* fix(boards): add missing drag delay for touch and extract shared signal

Add cdkDragStartDelay to board-panel drag items, which was missing
entirely. Extract the repeated `isTouchActive() ? DRAG_DELAY_FOR_TOUCH : 0`
expression into a shared `dragDelayForTouch` computed signal and refactor
all 8 components to use it.

* test(sync): add comprehensive WebSocket test coverage

Add unit tests for the new WebSocket real-time sync notification pipeline:

- WebSocketConnectionService (server): connection lifecycle, max-per-user
  limits, notification debouncing, heartbeat, graceful shutdown (13 tests)
- WebSocket routes validation: token/clientId validation, close codes,
  error handling, validation ordering (18 tests)
- SuperSyncWebSocketService (frontend): reconnection with exponential
  backoff, heartbeat, disconnect cleanup, URL conversion (6 tests)
- WsTriggeredDownloadService: auth error handling, pipeline resilience,
  start() idempotency (3 tests)
- SyncWrapperService: connectWebSocket guards for non-SuperSync, null
  params, and already-connected cases (3 tests)
- E2E realtime push: verifies WS-triggered download between two clients

Quality fixes:
- Replace waitForTimeout with syncAndWait in E2E
- Add explanatory comment for microtask flushing in sync-wrapper spec
- Use getter for isSyncInProgress mock in ws-triggered-download spec

---------

Co-authored-by: Johannes Millan <johannes.millan@gmail.com>
2026-03-30 21:34:30 +02:00
Johannes Millan
85a8426213 18.1.0 2026-03-29 20:31:02 +02:00
Johannes Millan
681a6cd2ee fix(build): remove sharp from deps to fix F-Droid build
sharp is a native C++ module that fails to compile in F-Droid's
build environment. It is only used by manual icon generation scripts,
so auto-install it on demand instead.

Closes #6637
2026-03-29 19:57:10 +02:00
dependabot[bot]
47dd7e3801
chore(deps): bump serialize-javascript (#6991)
Bumps the npm_and_yarn group with 1 update in the / directory: [serialize-javascript](https://github.com/yahoo/serialize-javascript).


Updates `serialize-javascript` from 7.0.4 to 7.0.5
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](https://github.com/yahoo/serialize-javascript/compare/v7.0.4...v7.0.5)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 7.0.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-28 13:13:33 +01:00
Johannes Millan
b948406bc4
fix(issue): guard against undefined issueType in two-way sync effects (#6972) (#6988)
* fix(issue): guard against undefined issueType in two-way sync effects (#6972)

Add defense-in-depth null guards in _pushChanges$ and _deleteRemoteIssue$
to handle cases where issueType/issueProviderId/issueId are missing,
preventing the "Cannot read properties of undefined" crash during rapid
bulk task dispatches at initial load.

https://claude.ai/code/session_014tD3d6KyGZdvEedo7a1qYH

* chore: update package-lock.json after npm install

https://claude.ai/code/session_014tD3d6KyGZdvEedo7a1qYH

* fix(issue): improve error isolation in two-way sync effects (#6972)

Move the issueType/issueId/issueProviderId filter inside the concatMap's
inner observable so it is covered by catchError. Previously, if the
filter threw (e.g. during rapid bulk dispatches at initial load), the
entire effect would die permanently with no recovery.

Also add catchError to deleteIssueOnTaskDelete$ which had no error
recovery, and remove the redundant second filter (the adapter check
is already performed inside _deleteRemoteIssue$).

https://claude.ai/code/session_014tD3d6KyGZdvEedo7a1qYH

* Revert "fix(issue): improve error isolation in two-way sync effects (#6972)"

This reverts commit a4948ebaed.

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-03-28 11:38:37 +01:00
dependabot[bot]
07ab393b25
chore(deps): bump brace-expansion (#6979)
Bumps the npm_and_yarn group with 1 update in the / directory: [brace-expansion](https://github.com/juliangruber/brace-expansion).


Updates `brace-expansion` from 1.1.12 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/v1.1.12...v1.1.13)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-27 15:53:11 +01:00
dependabot[bot]
3423193d82
chore(deps): bump nodemailer (#6974)
Bumps the npm_and_yarn group with 1 update in the / directory: [nodemailer](https://github.com/nodemailer/nodemailer).


Updates `nodemailer` from 7.0.13 to 8.0.4
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodemailer/nodemailer/compare/v7.0.13...v8.0.4)

---
updated-dependencies:
- dependency-name: nodemailer
  dependency-version: 8.0.4
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-27 12:26:07 +01:00
johannesjo
4826bc265c 18.0.2 2026-03-26 21:24:24 +01:00
johannesjo
25e31656d1 18.0.1 2026-03-26 21:09:48 +01:00
johannesjo
926e9d46a8 build: update pdfile and package-lock 2026-03-26 21:06:33 +01:00
Johannes Millan
4eca106653 18.0.0 2026-03-26 19:58:29 +01:00
Johannes Millan
d328e80ab8 fix(build): add dotenv as explicit devDependency for Docker builds
tools/load-env.js requires dotenv directly but it was only available as
a transitive dependency of @dotenv-run/cli. This caused the Docker image
publish to fail when npm ci couldn't resolve it. Also regenerates
package-lock.json to fix stale lock file entries.
2026-03-26 17:43:04 +01:00