Commit Graph

905 Commits

Author SHA1 Message Date
renovate[bot] dc85d2e3cb chore(deps): update dev-dependencies 2026-05-26 18:36:03 +00:00
kolaente 46dbeb5784 feat(editor): preserve comment-id on blockquotes
Extend the default Blockquote with a `commentId` attribute that
round-trips through HTML as `data-comment-id`. This single attribute
is the canonical record of a reply: it survives TipTap serialize /
parse so the backend listener and the in-app renderer can both find
the parent comment without a separate schema field.
2026-05-20 21:02:14 +00:00
kolaente 1fd1427fed
fix(deps): bump postcss to >=8.5.10 to fix XSS via unescaped </style>
Adds a pnpm override to force postcss to a patched version (>=8.5.10),
removing the vulnerable postcss@7.0.39 pulled in transitively by
postcss-easing-gradients. Resolves GHSA / Dependabot alert #197.
2026-05-19 16:58:25 +02:00
kolaente a5dc85b5d3
fix(deps): bump ip-address to 10.2.0
Adds a pnpm override to pull ip-address >=10.1.1, resolving the XSS
vulnerability in Address6 HTML-emitting methods (GHSA, dev-only
transitive dependency via puppeteer/socks).
2026-05-19 16:56:07 +02:00
kolaente 25e1c93a23
fix(deps): bump fast-uri to 3.1.2
Resolves GHSA path traversal via percent-encoded dot segments and host
confusion via percent-encoded authority delimiters (Dependabot alerts
227 and 228). fast-uri is a transitive dev-only dependency via
stylelint -> table -> ajv.
2026-05-19 16:54:27 +02:00
kolaente 5fda2182c7
fix(deps): bump @babel/plugin-transform-modules-systemjs to 7.29.4
Resolves GHSA high-severity advisory where versions <= 7.29.3 can
generate arbitrary code when compiling malicious input.
2026-05-19 16:53:16 +02:00
renovate[bot] faeeebe661 chore(deps): update dev-dependencies to v8.59.4 2026-05-18 19:01:32 +00:00
renovate[bot] ad457488fd chore(deps): update dependency vue-tsc to v3.3.0 2026-05-18 18:13:13 +00:00
dependabot[bot] f349b6360e chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 in /frontend
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 5.0.5 to 5.0.6.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/v5.0.5...v5.0.6)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 5.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-18 18:12:58 +00:00
renovate[bot] d4e186a024 chore(deps): update dependency caniuse-lite to v1.0.30001793 2026-05-17 14:51:39 +00:00
renovate[bot] c371ca7196 chore(deps): update dev-dependencies 2026-05-15 13:57:32 +00:00
renovate[bot] 7caaa9a16a chore(deps): update dev-dependencies 2026-05-15 10:28:16 +00:00
renovate[bot] 57a0b8fee4 chore(deps): update dev-dependencies to v4.3.0 2026-05-11 21:21:39 +00:00
renovate[bot] 572edd431d chore(deps): update dev-dependencies 2026-05-11 06:05:06 +00:00
renovate[bot] 812fa11b9b chore(deps): update dependency vite to v7.3.3 2026-05-07 07:38:48 +00:00
dependabot[bot] fc9a9a6c71 chore(deps): bump axios from 1.15.0 to 1.15.2 in /frontend
Bumps [axios](https://github.com/axios/axios) from 1.15.0 to 1.15.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.15.0...v1.15.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-06 12:37:48 +00:00
renovate[bot] 4754230ef0 chore(deps): update dev-dependencies 2026-05-06 12:37:26 +00:00
kolaente 926e163089 chore(deps): bump workbox-precaching to 7.4.1 to match workbox-cli 2026-05-05 08:31:42 +00:00
renovate[bot] 7ed0e3ecd6 chore(deps): update dev-dependencies 2026-05-05 08:31:42 +00:00
renovate[bot] 55e96018f3 chore(deps): update dev-dependencies 2026-05-04 10:55:46 +00:00
renovate[bot] 0f1bf6fab2 chore(deps): update dev-dependencies 2026-05-04 10:21:25 +00:00
kolaente 9852aff4ee fix(frontend): add postcss-html as explicit devDependency
Stylelint 17.9.0 resolves customSyntax modules relative to the
stylelint package, so the transitive postcss-html pulled in via
stylelint-config-recommended-vue is no longer reachable and lint
fails with "Could not find postcss-html".
2026-04-27 09:22:01 +00:00
renovate[bot] 519b65b96e chore(deps): update dev-dependencies 2026-04-27 09:22:01 +00:00
renovate[bot] 71c2e01366 chore(deps): update dependency caniuse-lite to v1.0.30001790 2026-04-22 10:18:08 +00:00
renovate[bot] 49ac0348e4 chore(deps): update dev-dependencies 2026-04-22 06:31:37 +00:00
renovate[bot] 0b2b5b580d chore(deps): update dev-dependencies 2026-04-21 18:38:21 +00:00
renovate[bot] 9d25864b25 chore(deps): pin dependency otplib to 12.0.1 2026-04-21 11:14:41 +00:00
kolaente 3b7c098c84 test(e2e): add otplib dev dep for TOTP tests 2026-04-21 10:50:09 +00:00
renovate[bot] 73a597345a chore(deps): update dev-dependencies to v4.2.3 2026-04-21 07:41:56 +00:00
renovate[bot] 5a1db90103 chore(deps): update dev-dependencies to v8.59.0 2026-04-20 19:28:55 +00:00
renovate[bot] 326874d94c chore(deps): update dev-dependencies 2026-04-20 06:18:12 +00:00
dependabot[bot] 10ec3b55b0 chore(deps): bump dompurify from 3.3.2 to 3.4.0 in /frontend
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.3.2 to 3.4.0.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](https://github.com/cure53/DOMPurify/compare/3.3.2...3.4.0)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-16 13:01:57 +00:00
renovate[bot] 2ae194e943 chore(deps): update dependency postcss to v8.5.10 2026-04-15 16:25:26 +00:00
renovate[bot] 85dbef8330 chore(deps): update dependency stylelint to v17.8.0 2026-04-15 15:49:30 +00:00
kolaente a1fbc277be
fix(deps): patch follow-redirects and basic-ftp security vulnerabilities
Update follow-redirects to 1.16.0 (fixes auth header leak on cross-domain
redirects) and basic-ftp to 5.2.2 (fixes CRLF injection in FTP commands).
2026-04-14 20:49:42 +02:00
renovate[bot] c68649faf4 chore(deps): update dev-dependencies 2026-04-14 10:51:01 +00:00
renovate[bot] a3ac01346a chore(deps): update dev-dependencies 2026-04-13 10:14:34 +00:00
renovate[bot] 160495b84e chore(deps): update dependency stylelint to v17.7.0 2026-04-12 14:42:19 +00:00
renovate[bot] df7a5c645c chore(deps): update dependency wait-on to v9.0.5 2026-04-10 22:57:21 +00:00
dependabot[bot] e8c20b1244 chore(deps): bump axios from 1.13.5 to 1.15.0 in /frontend
Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.13.5...v1.15.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-10 09:58:30 +00:00
kolaente 27a88dd17a
fix(deps): bump basic-ftp override to 5.2.1 to patch CRLF injection
Resolves Dependabot alert #183 (high severity): basic-ftp 5.2.0 is
vulnerable to FTP command injection via CRLF. The package is pulled in
as a dev-only transitive dependency by @histoire/plugin-screenshot.
2026-04-09 15:34:00 +02:00
renovate[bot] 4415485675 chore(deps): update dependency vitest to v4.1.4 2026-04-09 08:59:51 +00:00
renovate[bot] e898c01e3d chore(deps): update dev-dependencies 2026-04-08 08:03:18 +00:00
kolaente 8a8d187065 chore(frontend): deduplicate pnpm dependencies 2026-04-07 14:22:04 +00:00
renovate[bot] 11299d773f chore(deps): update dependency vitest to v4.1.3 2026-04-07 13:43:01 +00:00
kolaente b20df2ef63
fix(deps): update brace-expansion to 5.0.5
Fixes zero-step sequence causing process hang and memory
exhaustion (Dependabot #168).
2026-04-07 15:39:33 +02:00
kolaente efc9b41349
fix(deps): update lodash to 4.18.1
Fixes code injection via _.template (Dependabot #176, #178) and
prototype pollution via _.unset/_.omit (Dependabot #175, #177).
2026-04-07 15:38:52 +02:00
kolaente f40eddd4e3
fix(deps): update defu to 6.1.7
Fixes prototype pollution via __proto__ key (Dependabot #180).
2026-04-07 15:38:17 +02:00
renovate[bot] 33886d2e3c chore(deps): update dev-dependencies 2026-04-06 16:23:31 +00:00
kolaente 0834d19f9c
feat: remove flexsearch dependency and replace with simple string filtering (#2542) 2026-04-04 21:41:25 +02:00