Added mkdirp() helper to app/common/fs.mjs that wraps
fs.mkdir(dir, { recursive: true }). Updated all call sites to use it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

vue-i18n: 9.10.2 → 11.2.8
Resolves XSS and prototype pollution vulnerabilities in vue-i18n v9.
Total vulnerabilities now down to 1 (axios in threads-api transitive
dependency).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- vite: 3.2.8 → 6.4.1
- @vitejs/plugin-vue: 3.2.0 → 5.2.4
- Replaced @intlify/vite-plugin-vue-i18n with @intlify/unplugin-vue-i18n
- Narrowed i18n include pattern to *.json to avoid parsing .mjs files
This resolves the esbuild moderate severity vulnerability that was
present in Vite <=6.1.6.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- @atproto/api (Bluesky): 0.11.2 → 0.18.21
- masto (Mastodon): 6.7.0 → 7.10.1
- twitter-api-v2: 1.18.1 → 1.29.0
threads-api left at 1.6.3 (no newer version available; vulnerable
axios dependency is a transitive issue in that package).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@sentry/node: 7.107.0 → 10.38.0
The project uses only Sentry.init() and Sentry.captureException(),
which are compatible across versions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Node 20 LTS reaches end-of-life April 2026. Updated all references:
- Dockerfile base image to node:22
- All GitHub Actions workflows to Node 22
- Bumped actions/checkout and actions/setup-node to v4 where outdated
- Added .nvmrc file for local development
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Updated transitive dependencies to resolve 31 security vulnerabilities
including critical, high, and moderate severity issues. Remaining 9
vulnerabilities require breaking major version updates (vue-i18n, vite,
threads-api) which will be addressed separately. Also updated the
browserslist database.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace silent error handling with descriptive messages: log
HTTP status in i18n locale loading, log response details in
data store fetch, and warn on unexpected localization file
read errors.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Deduplicate identical _calculateCacheExpiry methods from
SplatNet3Client and NsoClient into a shared calculateCacheExpiry
function in util.mjs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Remove permanently disabled v-if="false" Order button block and
its unused SquidTape import from GearCard. Remove unnecessary
try-catch around mobile browser detection in App.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Use strict equality in TricolorBox, add async keyword to
CoopUpdater/GearUpdater getData() for consistency, and add
missing HMR accept for useCoopGearStore.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Wrap send() methods in try-catch with descriptive error messages
and add early return when media is missing.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Guard against accessing undefined media arrays in FileWriter,
ImageWriter, and protect against findIndex returning -1 in
SplatfestResultsBox.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add a guard variable to prevent accumulating storage event listeners
during HMR module reloads.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>