dotenv v17: Added quiet option to suppress new default logging.
p-limit v7 and p-queue v9: No code changes needed (only dropped older Node).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
cron v4: No code changes needed (positional constructor args still supported).
ical-generator v10: Removed `new` keyword (now a factory function) and
switched from `attachments` property to `createAttachment()` method.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jsonpath v1.2.1 (published Feb 2025) fixed the security vulnerability
that prompted the switch to jsonpath-plus. Reverting to the original
package simplifies the code by removing the jsonpathQuery/jsonpathApply
wrapper functions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace JS config (tailwind.config.js) with CSS @theme block in base.css
- Switch from PostCSS to @tailwindcss/vite plugin
- Convert all bg-opacity-*/border-opacity-* to slash syntax (e.g. bg-zinc-900/70)
- Add @custom-variant for mobile and ss variants
- Add @reference to Vue scoped styles using @apply
- Rename v3 utilities: rounded→rounded-sm, backdrop-blur-sm→backdrop-blur-xs,
drop-shadow→drop-shadow-sm, rotate-[25deg]→rotate-25
- Delete obsolete tailwind.config.js and postcss.config.js
- Rename vite.config.js to .mjs for ESM compatibility
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Added mkdirp() helper to app/common/fs.mjs that wraps
fs.mkdir(dir, { recursive: true }). Updated all call sites to use it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
vue-i18n: 9.10.2 → 11.2.8
Resolves XSS and prototype pollution vulnerabilities in vue-i18n v9.
Total vulnerabilities now down to 1 (axios in threads-api transitive
dependency).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- vite: 3.2.8 → 6.4.1
- @vitejs/plugin-vue: 3.2.0 → 5.2.4
- Replaced @intlify/vite-plugin-vue-i18n with @intlify/unplugin-vue-i18n
- Narrowed i18n include pattern to *.json to avoid parsing .mjs files
This resolves the esbuild moderate severity vulnerability that was
present in Vite <=6.1.6.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- @atproto/api (Bluesky): 0.11.2 → 0.18.21
- masto (Mastodon): 6.7.0 → 7.10.1
- twitter-api-v2: 1.18.1 → 1.29.0
threads-api left at 1.6.3 (no newer version available; vulnerable
axios dependency is a transitive issue in that package).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sentry/node: 7.107.0 → 10.38.0
The project uses only Sentry.init() and Sentry.captureException(),
which are compatible across versions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Node 20 LTS reaches end-of-life April 2026. Updated all references:
- Dockerfile base image to node:22
- All GitHub Actions workflows to Node 22
- Bumped actions/checkout and actions/setup-node to v4 where outdated
- Added .nvmrc file for local development
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Updated transitive dependencies to resolve 31 security vulnerabilities
including critical, high, and moderate severity issues. Remaining 9
vulnerabilities require breaking major version updates (vue-i18n, vite,
threads-api) which will be addressed separately. Also updated the
browserslist database.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace silent error handling with descriptive messages: log
HTTP status in i18n locale loading, log response details in
data store fetch, and warn on unexpected localization file
read errors.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Deduplicate identical _calculateCacheExpiry methods from
SplatNet3Client and NsoClient into a shared calculateCacheExpiry
function in util.mjs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove permanently disabled v-if="false" Order button block and
its unused SquidTape import from GearCard. Remove unnecessary
try-catch around mobile browser detection in App.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use strict equality in TricolorBox, add async keyword to
CoopUpdater/GearUpdater getData() for consistency, and add
missing HMR accept for useCoopGearStore.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Wrap send() methods in try-catch with descriptive error messages
and add early return when media is missing.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Guard against accessing undefined media arrays in FileWriter,
ImageWriter, and protect against findIndex returning -1 in
SplatfestResultsBox.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add a guard variable to prevent accumulating storage event listeners
during HMR module reloads.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
