Commit Graph

14068 Commits

Author SHA1 Message Date
Frederick [Bot] 4a21b2a998 chore(i18n): update translations via Crowdin 2026-05-22 02:28:38 +00:00
Tink bot 20e04f4fcb feat(logging): include user agent in HTTP access log 2026-05-21 13:42:03 +00:00
kolaente 102db344b3
fix(comments): even padding around comment message 2026-05-21 09:53:35 +02:00
Frederick [Bot] 9dfa6fbf89 chore(i18n): update translations via Crowdin 2026-05-21 02:14:41 +00:00
kolaente f05ef2df94
feat(sharing): sort team members by display name in UI and by ID in API (#2784) 2026-05-20 23:32:47 +02:00
kolaente d417a30802 test(e2e): cover comment replies end-to-end
Drives the reply flow through the browser: existing comment is
quoted via the Reply action, the prefilled blockquote round-trips
to the saved reply, the chevron jumps back to the original and
applies the brief highlight.
2026-05-20 21:02:14 +00:00
kolaente 82975f9bd2 feat(comments): reply action with prefilled quote and jump-to-original chevron
Each rendered comment gets a "Reply" action (shown whenever the
viewer has write access, regardless of authorship). Clicking it
prefills the comment editor with a <blockquote data-comment-id="X">
wrapping the parent body so the canonical reply marker is the
blockquote itself.

A Vue NodeView on the blockquote extension renders an author
header + chevron when an injected commentReplyContext can resolve
the parent. The chevron scrolls to and briefly highlights the
original. Quotes whose parent isn't in the in-memory list (deleted,
on another page) render a degraded header with the chevron hidden.
2026-05-20 21:02:14 +00:00
kolaente 46dbeb5784 feat(editor): preserve comment-id on blockquotes
Extend the default Blockquote with a `commentId` attribute that
round-trips through HTML as `data-comment-id`. This single attribute
is the canonical record of a reply: it survives TipTap serialize /
parse so the backend listener and the in-app renderer can both find
the parent comment without a separate schema field.
2026-05-20 21:02:14 +00:00
kolaente 6fc36cb700 feat(comments): treat quoted comment authors as implicit mentions
A comment whose body contains <blockquote data-comment-id="…"> nodes
now triggers the same task-comment mention notification for the
quoted comments' authors, respecting CanRead, subscription, and
existing dedup. Self-quotes, wrong-task quotes, and malformed ids
are silently skipped.
2026-05-20 21:02:14 +00:00
Tink bot a1f81524ab feat(i18n): make Greek available in the language selector
el-GR translations are around 36% complete but were not yet listed in the
UI. Add it to the supported locales list (frontend and backend) and wire
up the dayjs locale mapping.
2026-05-20 20:25:17 +00:00
kolaente 4351ebf411
fix(print): hide reaction create button 2026-05-20 17:58:58 +02:00
kolaente 995aad3d53
fix(print): hide description editor when no description is present 2026-05-20 17:58:13 +02:00
kolaente bc7c2059aa
fix(print): hide bucket select icon 2026-05-20 17:54:15 +02:00
kolaente 612628a657
fix(modal): print full content of modal dialogs
A <dialog> opened via showModal() lives in the browser's top layer, which
renders only on the first page during print — top-layer elements are
viewport-anchored and don't paginate. CSS overrides like position: static
have no effect since top-layer membership is browser-managed.

Swap to a non-modal dialog on beforeprint (removes it from the top layer
so content flows in normal document order) and back to modal on
afterprint. The accompanying @media print rules reset the dialog's fixed
positioning and overflow so the non-modal dialog can paginate freely.
2026-05-20 17:53:01 +02:00
kolaente 44db02ab56
fix(task): print styles 2026-05-20 17:39:11 +02:00
Frederick [Bot] 3d6e5b5f6b chore(i18n): update translations via Crowdin 2026-05-20 02:15:16 +00:00
kolaente 553613163f
fix(deps): bump @xmldom/xmldom to 0.8.13 2026-05-19 17:12:18 +02:00
kolaente 1fd1427fed
fix(deps): bump postcss to >=8.5.10 to fix XSS via unescaped </style>
Adds a pnpm override to force postcss to a patched version (>=8.5.10),
removing the vulnerable postcss@7.0.39 pulled in transitively by
postcss-easing-gradients. Resolves GHSA / Dependabot alert #197.
2026-05-19 16:58:25 +02:00
kolaente a5dc85b5d3
fix(deps): bump ip-address to 10.2.0
Adds a pnpm override to pull ip-address >=10.1.1, resolving the XSS
vulnerability in Address6 HTML-emitting methods (GHSA, dev-only
transitive dependency via puppeteer/socks).
2026-05-19 16:56:07 +02:00
kolaente 25e1c93a23
fix(deps): bump fast-uri to 3.1.2
Resolves GHSA path traversal via percent-encoded dot segments and host
confusion via percent-encoded authority delimiters (Dependabot alerts
227 and 228). fast-uri is a transitive dev-only dependency via
stylelint -> table -> ajv.
2026-05-19 16:54:27 +02:00
kolaente 5fda2182c7
fix(deps): bump @babel/plugin-transform-modules-systemjs to 7.29.4
Resolves GHSA high-severity advisory where versions <= 7.29.3 can
generate arbitrary code when compiling malicious input.
2026-05-19 16:53:16 +02:00
Frederick [Bot] 2fca6a46e5 [skip ci] Updated swagger docs 2026-05-19 09:43:17 +00:00
Tink bot fa6e1f8e49 fix(migration): reuse existing labels on re-import
Seed the dedup map at the start of insertFromStructure with the importing
user's existing labels, keyed by title + normalized hex color. Previously
the map was empty on each run, so importing the same CSV (or any other
migration format) twice would create a second copy of every label.

Scoped to the user's own labels so imports don't silently link to other
users' labels visible via shared projects.

Fixes #2742
2026-05-19 09:09:59 +00:00
Tink bot 3c048223c3 feat(filters): add Tomorrow option to date range dropdown
Closes #2734
2026-05-19 09:01:46 +00:00
Tink bot 15badb382a test(api): cover positive project-identifier resolution
Adds back the by-identifier and case-insensitive-input cases now that
project identifiers are stored uppercase across the codebase.
2026-05-19 08:53:25 +00:00
Tink bot c6fa7991d6 fix(api): uppercase project identifier before by-index lookup
Switches the input normalisation from lower- to uppercase so identifiers
canonicalise the same way GitHub-style refs do (e.g. "PROJ-42"). The
positive identifier tests are dropped for now because the existing
fixtures store identifiers as lowercase ("test1") and the SQL comparison
remains case-sensitive — once the column-side case-insensitive match
lands, full coverage can be reinstated.
2026-05-19 08:53:25 +00:00
Tink bot 04148e14db feat(api): lowercase project identifier before by-index lookup
Normalises the input side so GitHub-style references like "TEST1-42" and
"test1-42" resolve to the same project. The SQL comparison itself remains
case-sensitive for now; case-insensitive matching on the column will be
addressed separately.
2026-05-19 08:53:25 +00:00
Tink bot 466d39e6de feat(api): accept project identifier in by-index task route
Allows GET /projects/{project}/tasks/by-index/{index} to resolve {project}
as either a numeric id or a project identifier (e.g. "PROJ"), so callers
can build GitHub-style task references like "PROJ-42" without first
looking up the project's numeric id. Pure-digit values remain interpreted
as ids, which makes identifiers consisting solely of digits unreachable
via this route.
2026-05-19 08:53:25 +00:00
kolaente 21ce33f8fd
feat(projects): always store identifiers as uppercase (#2775) 2026-05-19 10:35:43 +02:00
Frederick [Bot] c761ab9761 chore(i18n): update translations via Crowdin 2026-05-19 02:26:35 +00:00
Tink bot a79517a79a fix(frontend): prevent avatar layout shift while loading
The .avatar img in User.vue relied solely on the width/height HTML
attributes for sizing. Those are presentational hints with zero CSS
specificity, so Bulma's global reset (img { height: auto; max-width: 100% })
overrode them. While avatarSrc was still resolving (initial src=""),
the browser had no intrinsic dimensions to compute the auto height from
and fell back to the broken-image box (~96px in Chrome), then snapped
to the real size once the blob URL loaded.

Set inline-size/block-size explicitly via a CSS custom property bound
to the avatarSize prop so the rendered size is locked regardless of
load state or the Bulma reset.
2026-05-18 19:13:36 +00:00
Tink bot fee2d2ea58 fix(notifications): skip logo attachment for conversational mails
The conversational mail template does not reference cid:logo.png, but
RenderMail still attached the embedded logo to every outgoing mail.
That left an orphan inline part that some clients render as a stray
attachment. Only embed logo.png when the formal template is in use.
2026-05-18 19:06:49 +00:00
renovate[bot] faeeebe661 chore(deps): update dev-dependencies to v8.59.4 2026-05-18 19:01:32 +00:00
renovate[bot] ad457488fd chore(deps): update dependency vue-tsc to v3.3.0 2026-05-18 18:13:13 +00:00
dependabot[bot] f349b6360e chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 in /frontend
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 5.0.5 to 5.0.6.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/v5.0.5...v5.0.6)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 5.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-18 18:12:58 +00:00
Tink bot 941f6bb1be fix(tooltip): show tooltips in top layer when inside modal dialog
Tooltips on relative dates (and other content) were invisible when a task
was opened in the modal. The modal uses <dialog> opened via showModal(),
which places it in the browser's top layer. floating-vue teleports
tooltips to <body> by default, so they were rendered *below* the dialog
backdrop and hidden behind it.

Wrap the v-tooltip directive to detect the nearest <dialog> ancestor of
the target and use it as the tooltip's container, keeping the tooltip in
the same top-layer context as the modal it belongs to. Tooltips outside
any dialog still teleport to <body> as before.
2026-05-18 18:09:38 +00:00
Tink bot 52f3dd6806 fix(ci): commit newly added Crowdin translation files
The Crowdin sync workflow used `git diff --quiet` and `git commit -am`,
both of which only consider tracked files. New language files downloaded
by Crowdin (e.g. el-GR, th-TH) were therefore left untracked and silently
dropped on each run.

Switch the change check to `git status --porcelain` scoped to the
translation directories and stage them explicitly before committing so
new locales are included.
2026-05-18 17:57:21 +00:00
kolaente dbccbd64ef
fix(relations): correctly position quick add magic hint (#2766) 2026-05-18 13:23:43 +02:00
bradmartin333 4a16df8af1 fix(frontend): ensure text color inherits in filter autocomplete component 2026-05-17 15:03:50 +00:00
renovate[bot] d4e186a024 chore(deps): update dependency caniuse-lite to v1.0.30001793 2026-05-17 14:51:39 +00:00
kolaente b9e3bb95fa
feat(frontend): add Atom feed settings page and notifications discovery (#2760) 2026-05-15 19:28:29 +02:00
Tink bot 6b14307896 test(trello): drop redundant BackgroundImage assignment in getTestBoard 2026-05-15 15:16:11 +00:00
Tink bot fc373ae963 test(trello): serve testimage from local server instead of vikunja.io
Mirrors the Todoist migration test setup so TestConvertTrelloToVikunja
no longer depends on https://vikunja.io/testimage.jpg being reachable.
2026-05-15 15:16:11 +00:00
kolaente 70393f38d2
feat: add Atom feed for user notifications with API token auth (#2758) 2026-05-15 17:25:09 +02:00
renovate[bot] c371ca7196 chore(deps): update dev-dependencies 2026-05-15 13:57:32 +00:00
Brett Randall bc7e41c2b0 chore(deps): group node and pnpm updates across mise and version files
Add packageRules to keep mise.toml in sync with the files it mirrors
when Renovate raises version-bump PRs:

- node: groups mise.toml and frontend/.nvmrc (nvm manager) into one PR
- pnpm: groups mise.toml and frontend/package.json#packageManager
  (npm manager) into one PR

Without these rules Renovate would open separate PRs for each file,
allowing them to drift out of sync.
2026-05-15 10:56:52 +00:00
Brett Randall 2b38c2a196 chore: add mise.toml to pin tool versions
Consolidates tool versions already declared across the project into a
single mise.toml so that `mise install` / `mise exec` activates the
correct runtime in one step.

Without an explicit project-level pin, mise falls back to the global
user config, silently using the wrong version even when .nvmrc is
present (legacy files rank below all mise config files).

Versions mirror existing project pins:
- node 24.13.0  (frontend/.nvmrc)
- pnpm 10.28.1  (frontend/package.json#packageManager)
- go 1.25.7     (go.mod)
2026-05-15 10:56:52 +00:00
renovate[bot] 7caaa9a16a chore(deps): update dev-dependencies 2026-05-15 10:28:16 +00:00
Tink bot 2ad7efb669 fix(kanban): prevent task taps from leaking through the sticky add-task footer on touch devices
The sticky bucket footer had no z-index, so the absolutely positioned
`.handle` overlays on each task (z-index: 1, used to capture taps on
touch devices) stacked above the Add Task button. Tapping the button
where a task scrolled behind it would open that task instead of opening
the new-task input.
2026-05-15 10:27:38 +00:00
renovate[bot] 57a0b8fee4 chore(deps): update dev-dependencies to v4.3.0 2026-05-11 21:21:39 +00:00