Commit Graph

2752 Commits

Author SHA1 Message Date
kolaente b3d5eb01dc fix(templates): address review feedback — templates page, proper service, fetch together with archived 2026-05-31 17:44:45 +02:00
kolaente 3de5206dd4 feat(templates): add templates sidebar, template picker, save-as-template action, and i18n keys 2026-05-31 17:44:45 +02:00
kolaente 6b6ca25efa feat(templates): add isTemplate to frontend project model and store 2026-05-31 17:44:45 +02:00
renovate[bot] e0fa2bbed4 chore(deps): update dependency vue-tsc to v3.3.3 2026-05-30 13:17:09 +00:00
dependabot[bot] f7921238e6 chore(deps): bump axios from 1.15.2 to 1.16.0 in /frontend
Bumps [axios](https://github.com/axios/axios) from 1.15.2 to 1.16.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.15.2...v1.16.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-30 08:48:43 +00:00
Frederick [Bot] 50bece8cdb chore(i18n): update translations via Crowdin 2026-05-28 02:06:56 +00:00
renovate[bot] 7d1372ece3 chore(deps): update dev-dependencies 2026-05-27 21:18:08 +00:00
kolaente 7be5026113
fix(deps): bump tmp to >=0.2.6 to fix path traversal vulnerability
Adds a pnpm override for `tmp` in both the `frontend` and `desktop`
workspaces to force the patched version (0.2.6). The previous transitive
resolutions (`tmp@0.0.33` via external-editor in frontend, `tmp@0.2.3`
via tmp-promise in desktop) are vulnerable to a path traversal via
unsanitized prefix/postfix that enables directory escape.

Addresses Dependabot alerts #234 (desktop) and #235 (frontend).
2026-05-27 11:09:20 +02:00
Frederick [Bot] 6abf6c6012 chore(i18n): update translations via Crowdin 2026-05-27 02:31:52 +00:00
dependabot[bot] e0fb3ed732 chore(deps): bump js-cookie from 3.0.5 to 3.0.7 in /frontend
Bumps [js-cookie](https://github.com/js-cookie/js-cookie) from 3.0.5 to 3.0.7.
- [Release notes](https://github.com/js-cookie/js-cookie/releases)
- [Commits](https://github.com/js-cookie/js-cookie/compare/v3.0.5...v3.0.7)

---
updated-dependencies:
- dependency-name: js-cookie
  dependency-version: 3.0.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-26 18:36:29 +00:00
renovate[bot] dc85d2e3cb chore(deps): update dev-dependencies 2026-05-26 18:36:03 +00:00
Frederick [Bot] 56b82b23d8 chore(i18n): update translations via Crowdin 2026-05-24 02:13:34 +00:00
Frederick [Bot] 8a1b2252e2 chore(i18n): update translations via Crowdin 2026-05-23 02:05:00 +00:00
Frederick [Bot] 4a21b2a998 chore(i18n): update translations via Crowdin 2026-05-22 02:28:38 +00:00
kolaente 102db344b3
fix(comments): even padding around comment message 2026-05-21 09:53:35 +02:00
Frederick [Bot] 9dfa6fbf89 chore(i18n): update translations via Crowdin 2026-05-21 02:14:41 +00:00
kolaente f05ef2df94
feat(sharing): sort team members by display name in UI and by ID in API (#2784) 2026-05-20 23:32:47 +02:00
kolaente d417a30802 test(e2e): cover comment replies end-to-end
Drives the reply flow through the browser: existing comment is
quoted via the Reply action, the prefilled blockquote round-trips
to the saved reply, the chevron jumps back to the original and
applies the brief highlight.
2026-05-20 21:02:14 +00:00
kolaente 82975f9bd2 feat(comments): reply action with prefilled quote and jump-to-original chevron
Each rendered comment gets a "Reply" action (shown whenever the
viewer has write access, regardless of authorship). Clicking it
prefills the comment editor with a <blockquote data-comment-id="X">
wrapping the parent body so the canonical reply marker is the
blockquote itself.

A Vue NodeView on the blockquote extension renders an author
header + chevron when an injected commentReplyContext can resolve
the parent. The chevron scrolls to and briefly highlights the
original. Quotes whose parent isn't in the in-memory list (deleted,
on another page) render a degraded header with the chevron hidden.
2026-05-20 21:02:14 +00:00
kolaente 46dbeb5784 feat(editor): preserve comment-id on blockquotes
Extend the default Blockquote with a `commentId` attribute that
round-trips through HTML as `data-comment-id`. This single attribute
is the canonical record of a reply: it survives TipTap serialize /
parse so the backend listener and the in-app renderer can both find
the parent comment without a separate schema field.
2026-05-20 21:02:14 +00:00
Tink bot a1f81524ab feat(i18n): make Greek available in the language selector
el-GR translations are around 36% complete but were not yet listed in the
UI. Add it to the supported locales list (frontend and backend) and wire
up the dayjs locale mapping.
2026-05-20 20:25:17 +00:00
kolaente 4351ebf411
fix(print): hide reaction create button 2026-05-20 17:58:58 +02:00
kolaente 995aad3d53
fix(print): hide description editor when no description is present 2026-05-20 17:58:13 +02:00
kolaente bc7c2059aa
fix(print): hide bucket select icon 2026-05-20 17:54:15 +02:00
kolaente 612628a657
fix(modal): print full content of modal dialogs
A <dialog> opened via showModal() lives in the browser's top layer, which
renders only on the first page during print — top-layer elements are
viewport-anchored and don't paginate. CSS overrides like position: static
have no effect since top-layer membership is browser-managed.

Swap to a non-modal dialog on beforeprint (removes it from the top layer
so content flows in normal document order) and back to modal on
afterprint. The accompanying @media print rules reset the dialog's fixed
positioning and overflow so the non-modal dialog can paginate freely.
2026-05-20 17:53:01 +02:00
kolaente 44db02ab56
fix(task): print styles 2026-05-20 17:39:11 +02:00
Frederick [Bot] 3d6e5b5f6b chore(i18n): update translations via Crowdin 2026-05-20 02:15:16 +00:00
kolaente 1fd1427fed
fix(deps): bump postcss to >=8.5.10 to fix XSS via unescaped </style>
Adds a pnpm override to force postcss to a patched version (>=8.5.10),
removing the vulnerable postcss@7.0.39 pulled in transitively by
postcss-easing-gradients. Resolves GHSA / Dependabot alert #197.
2026-05-19 16:58:25 +02:00
kolaente a5dc85b5d3
fix(deps): bump ip-address to 10.2.0
Adds a pnpm override to pull ip-address >=10.1.1, resolving the XSS
vulnerability in Address6 HTML-emitting methods (GHSA, dev-only
transitive dependency via puppeteer/socks).
2026-05-19 16:56:07 +02:00
kolaente 25e1c93a23
fix(deps): bump fast-uri to 3.1.2
Resolves GHSA path traversal via percent-encoded dot segments and host
confusion via percent-encoded authority delimiters (Dependabot alerts
227 and 228). fast-uri is a transitive dev-only dependency via
stylelint -> table -> ajv.
2026-05-19 16:54:27 +02:00
kolaente 5fda2182c7
fix(deps): bump @babel/plugin-transform-modules-systemjs to 7.29.4
Resolves GHSA high-severity advisory where versions <= 7.29.3 can
generate arbitrary code when compiling malicious input.
2026-05-19 16:53:16 +02:00
Tink bot 3c048223c3 feat(filters): add Tomorrow option to date range dropdown
Closes #2734
2026-05-19 09:01:46 +00:00
Frederick [Bot] c761ab9761 chore(i18n): update translations via Crowdin 2026-05-19 02:26:35 +00:00
Tink bot a79517a79a fix(frontend): prevent avatar layout shift while loading
The .avatar img in User.vue relied solely on the width/height HTML
attributes for sizing. Those are presentational hints with zero CSS
specificity, so Bulma's global reset (img { height: auto; max-width: 100% })
overrode them. While avatarSrc was still resolving (initial src=""),
the browser had no intrinsic dimensions to compute the auto height from
and fell back to the broken-image box (~96px in Chrome), then snapped
to the real size once the blob URL loaded.

Set inline-size/block-size explicitly via a CSS custom property bound
to the avatarSize prop so the rendered size is locked regardless of
load state or the Bulma reset.
2026-05-18 19:13:36 +00:00
renovate[bot] faeeebe661 chore(deps): update dev-dependencies to v8.59.4 2026-05-18 19:01:32 +00:00
renovate[bot] ad457488fd chore(deps): update dependency vue-tsc to v3.3.0 2026-05-18 18:13:13 +00:00
dependabot[bot] f349b6360e chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 in /frontend
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 5.0.5 to 5.0.6.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/v5.0.5...v5.0.6)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 5.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-18 18:12:58 +00:00
Tink bot 941f6bb1be fix(tooltip): show tooltips in top layer when inside modal dialog
Tooltips on relative dates (and other content) were invisible when a task
was opened in the modal. The modal uses <dialog> opened via showModal(),
which places it in the browser's top layer. floating-vue teleports
tooltips to <body> by default, so they were rendered *below* the dialog
backdrop and hidden behind it.

Wrap the v-tooltip directive to detect the nearest <dialog> ancestor of
the target and use it as the tooltip's container, keeping the tooltip in
the same top-layer context as the modal it belongs to. Tooltips outside
any dialog still teleport to <body> as before.
2026-05-18 18:09:38 +00:00
kolaente dbccbd64ef
fix(relations): correctly position quick add magic hint (#2766) 2026-05-18 13:23:43 +02:00
bradmartin333 4a16df8af1 fix(frontend): ensure text color inherits in filter autocomplete component 2026-05-17 15:03:50 +00:00
renovate[bot] d4e186a024 chore(deps): update dependency caniuse-lite to v1.0.30001793 2026-05-17 14:51:39 +00:00
kolaente b9e3bb95fa
feat(frontend): add Atom feed settings page and notifications discovery (#2760) 2026-05-15 19:28:29 +02:00
renovate[bot] c371ca7196 chore(deps): update dev-dependencies 2026-05-15 13:57:32 +00:00
renovate[bot] 7caaa9a16a chore(deps): update dev-dependencies 2026-05-15 10:28:16 +00:00
Tink bot 2ad7efb669 fix(kanban): prevent task taps from leaking through the sticky add-task footer on touch devices
The sticky bucket footer had no z-index, so the absolutely positioned
`.handle` overlays on each task (z-index: 1, used to capture taps on
touch devices) stacked above the Add Task button. Tapping the button
where a task scrolled behind it would open that task instead of opening
the new-task input.
2026-05-15 10:27:38 +00:00
renovate[bot] 57a0b8fee4 chore(deps): update dev-dependencies to v4.3.0 2026-05-11 21:21:39 +00:00
Tink bot f495a792b2 feat(frontend): apply quick add magic when creating related tasks
Route the create flow through taskStore.createNewTask so titles typed
into the related-task input get parsed for labels, priority, assignees,
due dates and cross-project targets - matching the main add-task input.
Also surface the quick-add-magic hint next to the field.
2026-05-11 21:21:11 +00:00
renovate[bot] 572edd431d chore(deps): update dev-dependencies 2026-05-11 06:05:06 +00:00
Frederick [Bot] c19b310b22 chore(i18n): update translations via Crowdin 2026-05-08 02:05:11 +00:00
renovate[bot] 812fa11b9b chore(deps): update dependency vite to v7.3.3 2026-05-07 07:38:48 +00:00