Commit Graph

225 Commits

Author SHA1 Message Date
renovate[bot]
8b4cda2203 chore(deps): update dev-dependencies 2026-07-11 12:21:26 +00:00
renovate[bot]
b4d2c28624 chore(deps): update dependency undici@6 to v8.7.0 2026-07-09 13:18:22 +02:00
renovate[bot]
f933774195 chore(deps): update dependency undici@7 to v8.7.0 2026-07-08 12:39:43 +00:00
renovate[bot]
10d780f5cd chore(deps): update pnpm to v11.10.0 2026-07-08 07:32:05 +00:00
renovate[bot]
a12cc5f2b9 chore(deps): update dependency electron to v43 2026-07-06 15:43:12 +00:00
renovate[bot]
8aa5f81055 chore(deps): update dependency undici@7 to v8.6.0 2026-07-06 15:40:03 +00:00
renovate[bot]
7f241b6951 chore(deps): lock file maintenance 2026-07-06 14:21:47 +00:00
renovate[bot]
d64b0c7336 chore(deps): update dependency undici@6 to v8.6.0 2026-07-06 14:19:54 +00:00
renovate[bot]
6cd0c264d9 chore(deps): update dev-dependencies 2026-07-05 08:34:23 +00:00
renovate[bot]
9c63d7fc61 chore(deps): update dependency picomatch to v4.0.5 2026-07-03 11:08:06 +00:00
renovate[bot]
1e8f1889ed chore(deps): update dependency js-yaml to v5.2.1 2026-07-03 11:07:04 +00:00
renovate[bot]
80127d9e13 chore(deps): lock file maintenance 2026-07-03 07:48:11 +00:00
kolaente
f4904998ea fix(deps): upgrade to pnpm 11 and migrate config to pnpm-workspace.yaml
pnpm 11 no longer reads the `pnpm` field from package.json, renamed
`onlyBuiltDependencies` to `allowBuilds`, and defaults `strictDepBuilds`
to true. It also reads non-auth/registry settings (like
`public-hoist-pattern`) from pnpm-workspace.yaml rather than .npmrc.

This does what renovate PR #3069 could not: alongside the version bump
it moves the build/override/hoist config for both pnpm projects
(frontend/ and desktop/) into a per-project pnpm-workspace.yaml, so the
settings are actually honored under pnpm 11 instead of being silently
ignored (which made #3069 hard-fail with ERR_PNPM_IGNORED_BUILDS).

- frontend/desktop package.json: drop `pnpm` field, bump packageManager
  to pnpm@11.9.0
- frontend/pnpm-workspace.yaml: allowBuilds + overrides + publicHoistPattern
- desktop/pnpm-workspace.yaml: allowBuilds + overrides
- frontend/.npmrc removed (its only setting moved to publicHoistPattern)
- mise.toml: pnpm 10.34.4 -> 11.9.0

electron-winstaller is a transitive build script that was never in the
old onlyBuiltDependencies, so it was ignored under pnpm 10; it is
explicitly denied (allowBuilds: false) to keep behavior identical while
satisfying strictDepBuilds.

Claude-Session: https://claude.ai/code/session_01AHD9BmNcUfgBZdPveZRa8z
2026-07-03 06:54:50 +00:00
renovate[bot]
82f86ef7d8 chore(deps): update dependency electron to v42 2026-07-03 06:47:34 +00:00
renovate[bot]
2a342356f0 chore(deps): update dependency undici@7 to v8 2026-07-02 06:32:34 +00:00
renovate[bot]
4e0bcb7625 chore(deps): update dependency tar to v7.5.19 2026-07-01 02:11:54 +00:00
renovate[bot]
757296b8cc chore(deps): update dependency undici@6 to v8 2026-06-30 17:41:05 +00:00
renovate[bot]
bb0055293b chore(deps): update pnpm to v10.34.4 2026-06-29 16:14:58 +00:00
renovate[bot]
07d39b4290 chore(deps): pin dependencies 2026-06-27 18:01:23 +00:00
kolaente
96452f0b71 fix(desktop): set the main window icon on Linux
On X11/XWayland (Electron's default on Wayland sessions) the window had no
icon, so KDE Plasma showed the generic placeholder. Point BrowserWindow at
the packaged icon.png so the compositor has an icon to render.
2026-06-27 14:12:10 +00:00
kolaente
3f8ce93636 fix(desktop): show hidden window when relaunched from tray
When the app is hidden in the tray, closing then relaunching it triggered
the single-instance second-instance handler, which only called focus() — a
hidden window stays hidden on focus(), so the app appeared not to start
(notably on KDE Plasma Wayland where the tray icon may also be unreachable).
Call show() to surface it, and recreate the window if it no longer exists.
2026-06-27 14:12:10 +00:00
kolaente
626e1e267e fix(desktop): quit on SIGTERM and SIGINT
The desktop app ignored termination signals because the tray and embedded
express server keep the Electron event loop alive, forcing users to kill -9
on logout/shutdown. Add SIGINT/SIGTERM handlers that set isQuitting before
app.quit() so the hide-to-tray close handler doesn't swallow the quit.
2026-06-27 14:12:10 +00:00
kolaente
18a0df505b fix(deps): bump desktop undici to patched versions
node-gyp's undici 6.26.0 -> 6.27.0 and @electron/get's 7.27.2 -> 7.28.0,
each pinned within its major via overrides so only the security patch is
taken (an open >= range would jump across majors, e.g. to undici 8).

Resolves the 9 open desktop undici Dependabot alerts.
2026-06-27 14:34:20 +02:00
renovate[bot]
7a182817ee chore(deps): update dev-dependencies 2026-06-24 17:37:15 +00:00
renovate[bot]
0f3a8a7e39 chore(deps): update dev-dependencies 2026-06-22 12:33:44 +00:00
renovate[bot]
ffcf92936a chore(deps): update dev-dependencies 2026-06-17 12:02:41 +00:00
renovate[bot]
f851e6f959 chore(deps): update dev-dependencies 2026-06-16 11:46:40 +00:00
kolaente
e13d3f537c fix(deps): bump js-yaml to >=4.2.0 where possible
Desktop only has the v4 copy, so a plain override pins it to >=4.2.0
(resolves alert #245). The frontend also pulls js-yaml v3 via
gray-matter (histoire story tooling), which has no v4-compatible
release, so a scoped 'js-yaml@4' override bumps only the v4 copies
(eslint/cosmiconfig) and leaves gray-matter on 3.14.2. Alert #256
stays open for that dev-only, trusted-input path.
2026-06-16 08:33:16 +02:00
kolaente
340be305f8 fix(deps): tighten tar override to >=7.5.16
The ^7.5.11 override resolved to the vulnerable 7.5.15. Pin to
>=7.5.16. Resolves Dependabot alert #246 (desktop).
2026-06-16 08:31:02 +02:00
kolaente
460e8f3ab1 fix(deps): force form-data >=4.0.6 to fix unsafe boundary advisory
Resolves the form-data <4.0.6 advisory (predictable multipart
boundary). Transitive in both workspaces; pinned via pnpm overrides.
Dependabot alerts #247 (desktop) and #258 (frontend).
2026-06-16 08:30:33 +02:00
kolaente
1d6d332c18 fix(deps): bump tmp to >=0.2.7 to fix path traversal advisory
Resolves GHSA-7c78-jf6q-g5cm (type-confusion bypass of _assertPath
allowing path traversal). tmp was pinned to >=0.2.6 via pnpm overrides
in both the frontend and desktop workspaces, which resolved to the
vulnerable 0.2.6. Dependabot alerts #243 (desktop) and #244 (frontend).
2026-06-16 08:17:51 +02:00
renovate[bot]
6d505e360b chore(deps): update dev-dependencies to v40.10.3 2026-06-10 11:47:27 +02:00
renovate[bot]
8ff97a61de chore(deps): update dev-dependencies 2026-06-08 07:23:10 +00:00
renovate[bot]
43d6e14289 chore(deps): update dev-dependencies 2026-06-06 19:05:39 +00:00
renovate[bot]
8e09b69fb3 chore(deps): update dev-dependencies to v26.14.0 2026-06-06 11:18:01 +00:00
kolaente
1af6d7763b fix(desktop): show tray icon in packaged builds
The tray icon was loaded from desktop/build/icon.png, but build/ is
electron-builder's default buildResources directory, whose contents are
not packaged into the app. The icon therefore existed when running from
source but was missing in every released build, leaving an empty tray
icon.

Load the icon from the packaged app root instead and add icon.png there,
rendered from the circular logo.svg so it has transparent corners rather
than the square full-bleed source artwork.

Fixes #2668
2026-05-30 13:30:55 +00:00
renovate[bot]
7d1372ece3 chore(deps): update dev-dependencies 2026-05-27 21:18:08 +00:00
kolaente
d5ab54941f fix(deps): bump ip-address to >=10.1.1 in desktop workspace
Resolves a medium-severity XSS in Address6 HTML-emitting methods
(GHSA / Dependabot alert #224). Vulnerable range: <=10.1.0,
patched in 10.1.1. The package is pulled in transitively through
socks -> socks-proxy-agent in the Electron build chain
(devDependency only), but we add a pnpm override to ensure the
patched version is used everywhere. The frontend workspace already
has the equivalent override.
2026-05-27 11:10:24 +02:00
kolaente
e08f05119d fix(deps): bump qs to 6.15.2 in desktop
Resolves Dependabot alert #233: qs.stringify crashes with TypeError on
null/undefined entries in comma-format arrays when encodeValuesOnly is
set (DoS, medium severity).

Updates transitive dependency via pnpm update from 6.15.0 to 6.15.2.
2026-05-27 11:09:27 +02:00
kolaente
7be5026113 fix(deps): bump tmp to >=0.2.6 to fix path traversal vulnerability
Adds a pnpm override for `tmp` in both the `frontend` and `desktop`
workspaces to force the patched version (0.2.6). The previous transitive
resolutions (`tmp@0.0.33` via external-editor in frontend, `tmp@0.2.3`
via tmp-promise in desktop) are vulnerable to a path traversal via
unsanitized prefix/postfix that enables directory escape.

Addresses Dependabot alerts #234 (desktop) and #235 (frontend).
2026-05-27 11:09:20 +02:00
renovate[bot]
dc85d2e3cb chore(deps): update dev-dependencies 2026-05-26 18:36:03 +00:00
kolaente
553613163f fix(deps): bump @xmldom/xmldom to 0.8.13 2026-05-19 17:12:18 +02:00
renovate[bot]
7caaa9a16a chore(deps): update dev-dependencies 2026-05-15 10:28:16 +00:00
renovate[bot]
0f1bf6fab2 chore(deps): update dev-dependencies 2026-05-04 10:21:25 +00:00
Dávid Takács-Tolnai
5c7d2a5e7a fix(desktop): drop redundant zoom clamp
Chromium already caps zoom levels internally, so the manual [-7, +7]
clamp was redundant. Removes the constants and clamping logic while
keeping the before-input-event approach intact for persistence support.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-22 10:32:53 +00:00
Dávid Takács-Tolnai
82a4f1f0d2 fix(desktop): support Ctrl and mouse-wheel zoom shortcuts
Electron does not register zoom shortcuts by default, so the desktop app
had no way to scale the UI. Register Ctrl+Plus, Ctrl+Minus and Ctrl+0
via webContents.before-input-event, and Ctrl+scroll via the zoom-changed
event.

The zoom level is clamped to [-7, +7] (Chromium's range, roughly 28% to
358%) and persisted to zoom.json in app.getPath('userData'), so the
chosen level survives restarts. Restored zoom is re-applied on every
did-finish-load, since Electron resets zoom across page reloads.

Fixes #2623
2026-04-22 10:32:53 +00:00
renovate[bot]
49ac0348e4 chore(deps): update dev-dependencies 2026-04-22 06:31:37 +00:00
Dávid Takács-Tolnai
e624c8a296 fix(desktop): rebuild tray menu in place instead of recreating the Tray
The old setupTray() called tray.destroy() before creating a new Tray. On
Linux with KDE Plasma 6 Wayland, tray.destroy() does not actually remove
the icon from plasmashell (electron/electron#49517), so the new Tray
registers a fresh dbusmenu while plasmashell keeps talking to the
orphaned one. Menu items still render (cached layout) but every
com.canonical.dbusmenu.Event("clicked", ...) method call from plasmashell
hits the destroyed handler and is dropped, so menu-item click callbacks
stop firing after the frontend triggers a rebuild on login.

Move the one-time Tray construction (icon, tooltip, click handler)
behind a !tray guard and keep setContextMenu in the always-run path. The
desktop:update-quick-entry-shortcut IPC handler keeps calling setupTray()
and the accelerator label updates without touching the native Tray.
2026-04-17 07:49:16 +00:00
renovate[bot]
7abac42daa chore(deps): update dependency electron to v40.9.1 2026-04-16 13:01:42 +00:00
kolaente
efc9b41349 fix(deps): update lodash to 4.18.1
Fixes code injection via _.template (Dependabot #176, #178) and
prototype pollution via _.unset/_.omit (Dependabot #175, #177).
2026-04-07 15:38:52 +02:00