# Changelog All notable changes to this project will be documented in this file. This project follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). Version numbers use a **SemVer-inspired** `MAJOR.MINOR.PATCH` format, with version increments reflecting both user-visible and operational impact. --- ## [Unreleased] --- ## [1.28.4] - 2026-05-27 ### Changed - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.61.1**. - Updated all GitHub Actions workflows to utilize **npm** `11.16.0`. - Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.16.0`. - Bumped project version to `1.28.4`. - Updated dependencies: - `@vitest/coverage-v8` `4.1.6` → `4.1.7` - `dompurify` `^3.4.3` → `^3.4.7` - `postcss` `^8.5.14` → `^8.5.15` - `semver` `^7.8.0` → `^7.8.1` - `svelte` `5.55.7` → `5.55.10` - `vite` `^8.0.13`→`^8.0.14` - `vitest` `4.1.6` → `4.1.7` - `@sveltejs/kit` `2.60.1` → `2.61.1` - `eslint-plugin-svelte` `^3.17.1` → `^3.18.0` - `stylelint` `^17.11.1` → `^17.12.0` - `eslint-plugin-jsdoc` `^62.9.0` → `^63.0.0` - `prettier-plugin-svelte` `^3.5.2` → `^4.0.1` ### Security - Converted `static/.well-known/security.txt` to an inline PGP clear-signed file and removed the retired detached `security.txt.asc` signature. - Updated transitive dependency override for `tmp` to `^0.2.7` to mitigate CVE-2026-44705. - Added npm `allowScripts` approvals for `esbuild@0.25.12` and `simple-git-hooks@2.13.1` so install-time scripts remain explicit under the current npm guidance. --- ## [1.28.3] - 2026-05-16 ### Changed - Updated GitHub Actions npm bootstrap steps from `npm@11.13.0` to `npm@11.14.1`. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.60.1**. - Bumped project version to `v1.28.3`. - Updated dependencies: - `@vitest/coverage-v8` `4.1.5` → `4.1.6` - `dompurify` `^3.4.2` → `^3.4.3` - `prettier-plugin-svelte` `^3.5.1` → `^3.5.2` - `stylelint` `^17.11.0` → `^17.11.1` - `svelte` `5.55.5` → `5.55.7` - `vite` `^8.0.11` → `^8.0.13` - `vitest` `4.1.5` → `4.1.6` - `@playwright/test` `^1.59.1` → `^1.60.0` - `@sveltejs/kit` `2.59.1` → `2.60.1` - `eslint` `10.3.0` → `10.4.0` - `playwright` `^1.59.1` → `^1.60.0` --- ## [1.28.2] - 2026-05-08 ### Changed - Bumped project version to `v1.28.2`. - Changed SvelteKit CSP generation from hash mode to `auto` mode so dynamic responses can use nonce-based CSP while prerendered output continues to use hashes. - Removed the unused `svelte-preprocess` dev dependency because the project uses `vitePreprocess` from `@sveltejs/vite-plugin-svelte`. - Removed the `typescript` npm-check-updates reject entry after clearing the stale `svelte-preprocess` peer constraint. - Updated dependencies: - `@sveltejs/vite-plugin-svelte` `^7.1.1` → `^7.1.2` - `vite` `^8.0.10` → `^8.0.11` - `@eslint/compat` `^2.0.5` → `^2.1.0` - `semver` `^7.7.4` → `^7.8.0` - `typescript` `5.9.3` → `6.0.3` --- ## [1.28.1] - 2026-05-06 ### Changed - Bumped project version to `v1.28.1`. ### Fixed - Regenerated `package-lock.json` by using the `npm install` command. --- ## [1.28.0] - 2026-05-06 ### Added - Added consent-gated Matomo analytics behind the existing `$lib/stores/posthog` compatibility helper, preserving current app call sites while enabling pageview and limited event capture. - Added production CSP allowances for `https://analytics.netwk.pro` so Matomo can load and send tracking requests without inline scripts. ### Changed - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.59.1**. - Bumped project version to `v1.28.0`. - Updated analytics privacy documentation and dashboard copy to describe Matomo pageview/event analytics, browser privacy signal handling, opt-out behavior, and disabled user identification. - Updated repo guidance to reflect the Matomo-backed compatibility helper and the current production CSP trade-off. - Updated dependencies: - `@sveltejs/kit` `2.59.0` → `2.59.1` - `postcss` `^8.5.13` → `^8.5.14` - `svelte-check` `^4.4.7` → `^4.4.8` - `svelte-eslint-parser` `^1.6.0` → `^1.6.1` - `@sveltejs/vite-plugin-svelte` `^7.0.0` → `^7.1.1` - `stylelint` `^17.9.1` → `^17.11.0` ### Fixed - Switched SvelteKit CSP generation from `auto` to hash mode so prerendered/static pages are not served with mismatched nonce-based CSP headers that block framework-generated inline bootstrap scripts. - Changed service-worker navigation handling to fetch HTML from the network before falling back to cached core pages (`/`, `/about`, `/contact`) or the offline page, balancing CSP freshness with limited offline navigation. - Updated the `?nosw` diagnostic script to unregister service workers and clear caches before app bootstrapping completes. ### Removed - Removed the `posthog-js` runtime dependency and related PostHog transitive packages from the lockfile. - Removed PostHog initialization, capture calls, environment keys, relay rewrites, relay route handling, CSP allowances, and service-worker analytics-host exclusions while preserving the existing analytics helper API. ### Security - Updated the transitive `basic-ftp` override to `^5.3.0` to mitigate CVE-2026-44240. - Added a transitive `ip-address` override at `^10.1.0` to mitigate CVE-2026-42338. - Kept audit-mode CSP hardened with no analytics egress while production analytics are limited to the Matomo origin. --- ## [1.27.3] - 2026-05-02 ### Changed - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.59.0**. - Bumped project version to `v1.27.3`. - Upgraded dependencies: - `dompurify` `^3.4.1` → `^3.4.2` - `postcss` `^8.5.10` → `^8.5.13` - `posthog-js` `^1.372.1` → `^1.372.6` - `stylelint` `^17.9.0` → `^17.9.1` - `svelte-check` `^4.4.6` → `^4.4.7` - `@sveltejs/kit` `2.58.0` → `2.59.0` - `eslint` `10.2.1` → `10.3.0` - `globals` `^17.5.0` → `^17.6.0` - `jsdom` `29.0.2` → `29.1.1` --- ## [1.27.2] - 2026-04-25 ### Added - Added a site-wide W3C Do Not Track tracking status resource at `/.well-known/dnt`. - Added the DNT tracking status resource to `sitemap.xml`. ### Changed - Bumped project version to `v1.27.2`. - Updated `npm run dev` and `npm run preview` so they start local servers without automatically opening a browser. - Refreshed sitemap metadata for updated public pages and privacy well-known resources. - Updated the HeliBoard FOSS Spotlight GitHub link to the current `HeliBorg/HeliBoard` repository. - Excluded the human-readable DNT policy text file from Prettier formatting. ### Removed - Removed stale commented debug logging from shared layout, metadata, legal, FOSS, PGP, services, terms, and home page components. - Removed `/CNAME` from the service worker ignored-path list. --- ## [1.27.1] - 2026-04-25 ### Changed - Bumped project version to `v1.27.1`. ### Fixed - Replaced the third-party Keep Android Open banner script with a first-party Svelte banner component to avoid unstable inline-script CSP violations. - Removed Keep Android Open script host and inline helper hash allowances from CSP. - Restored temporary production `script-src 'unsafe-inline'` compatibility while PostHog remains in use. - Updated README and agent guidance to reflect that CSP policy selection now lives in SvelteKit `kit.csp` instead of `src/hooks.server.js`. --- ## [1.27.0] - 2026-04-24 ### Changed - Bumped project version to `v1.27.0`. - Moved Content Security Policy selection into SvelteKit `kit.csp`, keyed from `PUBLIC_ENV_MODE`/Vite mode so SvelteKit can manage CSP hashes and nonces. - Kept `src/hooks.server.js` focused on request-time security headers, production `Report-To` metadata, Probely diagnostics, and audit-hostname mismatch warnings. - Restored CSP selection diagnostics after moving CSP construction to SvelteKit configuration. - Updated audit CSP behavior to remain enforced without analytics or external CSP reporting allowances. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.58.0**. - Updated local Node version files from `24.14.1` to `24.15.0`. - Updated GitHub Actions npm bootstrap steps from `npm@11.12.1` to `npm@11.13.0`. - Updated dependencies: - `@vitest/coverage-v8` `4.1.4` → `4.1.5` - `@sveltejs/kit` `2.57.1` → `2.58.0` - `dompurify` `^3.4.0` → `^3.4.1` - `eslint-plugin-svelte` `^3.17.0` → `^3.17.1` - `markdownlint-cli2` `0.22.0` → `0.22.1` - `posthog-js` `^1.369.3` → `^1.372.1` - `stylelint` `^17.8.0` → `^17.9.0` - `svelte` `5.55.4` → `5.55.5` - `vite` `^8.0.8` → `^8.0.10` - `vitest` `4.1.4` → `4.1.5` ### Fixed - Corrected the Playwright mobile Chrome device-profile comment to match the current `Pixel 7` profile. - Restored dev/test `Content-Security-Policy-Report-Only` behavior by preserving development mode fallback and local CSP reporting. - Corrected audit hostname diagnostics to avoid implying that hostname detection overrides `PUBLIC_ENV_MODE`. - Limited Probely scanner diagnostics to audit mode and removed the misleading bypass log label. - Added `Prerendered` to the cspell dictionary for the new SvelteKit CSP comments. ### Security - Added a transitive dependency override for `uuid` at `^14.0.0` to mitigate known vulnerabilities. --- ## [1.26.22] - 2026-04-19 ### Added - Added project Svelte MCP configuration via `.mcp.json`. - Added Svelte MCP usage guidance to `AGENTS.md` and `CLAUDE.md`, including documentation lookup, autofix, and playground-link expectations. - Added project-local Claude Code Svelte skills under `.claude/skills/` for reproducible Svelte 5 code-writing and best-practice guidance. - Added `.markdownlint-cli2.mjs` to centralize Markdown lint globs and ignore patterns. - Added `Mcpjson` to the cspell project dictionary. - Added README documentation noting that WebKit/Safari E2E coverage is not part of the default Playwright matrix. - Added unit test coverage for `ENV_MODE` alias normalization in `scripts/checkEnv.js`. ### Changed - Bumped project version to `v1.26.22`. - Updated README technology-stack wording to explicitly reference Svelte 5, SvelteKit, Vercel, and the separate Netlify audit environment. - Simplified `npm run lint:md` to rely on the centralized `markdownlint-cli2` configuration. - Updated Playwright mobile Chrome coverage from the `Galaxy S9+` profile to the `Pixel 7` profile. - Updated `.env.codex` comments to document production-like Codex builds and corrected the analytics stub to `PUBLIC_POSTHOG_PROJECT_KEY`. - Updated `scripts/checkEnv.js` to normalize `development` to `dev` and `production` to `prod`. - Clarified the intentional use of Vite `envPrefix` for `import.meta.env.PUBLIC_*` access. - Updated `.gitattributes` to normalize text files to LF line endings by default. - Refreshed `package-lock.json` for the `v1.26.22` version bump and dependency metadata changes. ### Removed - Removed the direct `markdownlint` dev dependency, since `markdownlint-cli2` already provides the required linting engine. - Removed disabled WebKit and Mobile Safari Playwright project blocks from the default E2E configuration. --- ## [1.26.21] - 2026-04-18 ### Changed - Bumped project version to `v1.26.21`. - Updated `npm run dev` and `npm run preview` to open the local browser automatically. - Updated dependencies: - `eslint` `10.2.0` → `10.2.1` - `postcss` `^8.5.9` → `^8.5.10` - `prettier` `3.8.2` → `3.8.3` - `svelte` `5.55.3` → `5.55.4` - `autoprefixer` `^10.4.27` → `^10.5.0` - `dompurify` `^3.3.3` → `^3.4.0` - `globals` `^17.4.0` → `^17.5.0` - `posthog-js` `^1.367.0` → `^1.369.3` - `stylelint` `^17.6.0` → `^17.8.0` - Normalized transitive dependency override ranges for `minimatch`, `picomatch`, and `smol-toml` to caret ranges. ### Fixed - Kept `typescript` pinned to `5.9.3` and retained it in the `npm-check-updates` reject list because `svelte-preprocess` does not yet accept TypeScript 6. ### Security - Added transitive dependency override for `protobufjs` `v7.5.5` in order to mitigate CVE-2026-41242. --- ## [1.26.20] - 2026-04-10 ### Changed - Bumped project version to `v1.26.20`. - Updated dependencies: - `prettier` `3.8.1` → `3.8.2` - `svelte` `5.55.2` → `5.55.3` ### Fixed - Removed an unused `window` mock from the UTM unit test to better reflect the current `appendUTM` implementation. - Stabilized SPA navigation E2E helpers by relying on Playwright click actionability instead of a separate `scrollIntoViewIfNeeded()` call, with a single retry for transient no-op clicks. - Updated the navigation link assertion to compare the resolved `pathname` instead of the raw `href` attribute for better cross-browser consistency. --- ## [1.26.19] - 2026-04-09 ### Changed - Bumped project version to `v1.25.19`. - Modified Node.js version to `24` in `.github/workflows/playwright.yml`. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.57.1**. - Updated dependencies: - `@eslint/compat` `^2.0.3` → `^2.0.5` - `@vitest/coverage-v8` `4.1.2` → `4.1.4` - `browserslist` `^4.28.1` → `^4.28.2` - `jsdom` `29.0.1` → `29.0.2` - `postcss` `^8.5.8` → `^8.5.9` - `svelte` `5.55.1` → `5.55.2` - `vite` `^8.0.3` → `^8.0.8` - `vitest` `4.1.2` → `4.1.4` - `@playwright/test` `^1.58.2` → `^1.59.1` - `@sveltejs/kit` `2.55.0` → `2.57.1` - `eslint` `10.1.0` → `10.2.0` - `eslint-plugin-jsdoc` `^62.8.1` → `^62.9.0` - `eslint-plugin-svelte` `^3.16.0` → `^3.17.0` - `playwright` `^1.58.2` → `^1.59.1` - `posthog-js` `^1.364.2` → `^1.367.0` ### Security - Added transitive dependency override for `lodash-es` `v4.18.1` in order to mitigate CVE-2026-4800 and CVE-2026-2950. - Updated transitive dependency override for `basic-ftp` to `v5.2.1` in order to mitigate CVE-2026-39983. --- ## [1.26.18] - 2026-03-30 ### Changed - Bumped project version to `v1.26.18`. - Updated dependencies: - `svelte-check` `^4.4.5` → `^4.4.6` ### Fixed - Removed `typescript` from the list of updated dependencies in release `v1.26.17`, as it was not updated due to a lack of SvelteKit support. --- ## [1.26.17] - 2026-03-30 ### Changed - Added `typescript` to the `npm-check-updates` reject list in `.ncurc.cjs` to prevent automatic upgrades to TypeScript 6 until SvelteKit supports it. - Updated all **GitHub Actions** workflows to utilize **npm** `11.12.1`. - Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.14.1`. - Bumped project version to `v1.26.17`. - Re-added `vite-plugin-devtools-json` to `devDependencies`. - Added `vite-plugin-devtools-json` override section to allow the plugin to operate properly with **Vite 8**. - Restored pre-existing `vite-plugin-devtools-json` configuration in `vite.config.js`. - Updated dependencies: - `@vitest/coverage-v8` `4.1.0` → `4.1.2` - `eslint-plugin-jsdoc` `^62.8.0` → `^62.8.1` - `vite` `^8.0.1` → `^8.0.3` - `vitest` `4.1.0` → `4.1.2` - `eslint-plugin-svelte` `^3.15.2` → `^3.16.0` - `globby` `^16.1.1` → `^16.2.0` - `posthog-js` `^1.363.1` → `^1.364.2` - `stylelint` `^17.5.0` → `^17.6.0` - `svelte` `5.54.0` → `5.55.1` - `markdownlint-cli2` `0.21.0` → `0.22.0` ### Fixed - Resolved an `npm audit` warning caused by the transitive `smol-toml` dependency used by `markdownlint-cli2` by adding an npm override to require `smol-toml >=1.6.1`. - Fixed an `npm install` dependency resolution failure by pinning `typescript` to `5.9.3`, which is compatible with `@sveltejs/kit@2.55.0`. ### Security - Pinned transitive dependency `picomatch` to `>=4.0.4` to mitigate CVE-2026-33672. --- ## [1.26.16] - 2026-03-20 ### Changed - Updated size of **[Keep Android Open](https://keepandroidopen.org/)** banner in `src/app.html`. - Updated `svelte.config.js` to utilize the `nodejs24.x` runtime for `@sveltejs/adapter-vercel`. - Updated all **GitHub Actions** workflows to utilize **npm** `11.12.0`. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.55.0**. - Bumped project version to `v1.26.16`. - Updated dependencies: - `vite` `^8.0.0` → `^8.0.1` - `@sveltejs/kit` `2.54.0` → `2.55.0` - `eslint` `10.0.3` → `10.1.0` - `posthog-js` `^1.360.1` → `^1.363.1` - `stylelint` `^17.4.0` → `^17.5.0` - `stylelint-order` `^8.0.0` → `^8.1.1` - `svelte` `5.53.11` → `5.54.0` - `jsdom` `28.1.0` → `29.0.1` --- ## [1.26.15] - 2026-03-12 ### Changed - Updated `vite.config.js` to resolve tsconfig paths. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.54.0**. - Updated all GitHub Actions workflows to utilize **npm** `11.11.1`. - Removed `@eslint/js` and `eslint` from `.ncurc.cjs` "reject" list. - Modified `vite.config.js` to comment out `vite-plugin-devtools-json` related entries until package is updated. - Updated `scripts/checkEnv.js` to satisfy newer ESLint rules by removing an unnecessary placeholder assignment and preserving existing validation behavior. - Updated `src/service-worker.js` to satisfy newer ESLint rules by preserving caught error context during precache failures and removing an unnecessary reassignment in the install handler. - Bumped project version to `v1.26.15`. - Updated dependencies: - `dompurify` `^3.3.2` → `^3.3.3` - `eslint-plugin-svelte` `^3.15.0` → `^3.15.2` - `svelte` `5.53.7` → `5.53.11` - `@sveltejs/kit` `2.53.4` → `2.54.0` - `@vitest/coverage-v8` `4.0.18` → `4.1.0` - `eslint-plugin-jsdoc` `^62.7.1` → `^62.8.0` - `lightningcss` `^1.31.1` → `^1.32.0` - `posthog-js` `^1.359.1` → `^1.360.1` - `vitest` `4.0.18` → `4.1.0` - `@sveltejs/vite-plugin-svelte` `^6.2.4` → `^7.0.0` - `stylelint-order` `^7.0.1` → `^8.0.0` - `vite` `^7.3.1` → `^8.0.0` - `@eslint/js` `9.32.2` → `10.0.1` - `eslint` `9.39.2` → `10.0.3` ### Removed - Removed `vite-plugin-devtools-json`, as it is not compatible with Vite 8. - Removed `vite-tsconfig-paths`, as it is now included natively in Vite. ### Security - Pinned transitive dependency `tar` to `^7.5.11` to mitigate CVE-2026-31802. --- ## [1.26.14] - 2026-03-07 ### Changed - Bumped project version to `v1.26.14`. - Added deferred script to `src/app.html` to display the Keep Android Open banner. - Allowed `https://keepandroidopen.org` in `Content-Security-Policy` `script-src` across production, audit, and dev/test modes to support the Keep Android Open banner script. --- ## [1.26.13] - 2026-03-07 ### Changed - Bumped project version to `v1.26.13`. - Updated dependencies: - `@eslint/compat` `^2.0.2` → `^2.0.3` - `dompurify` `^3.3.1` → `^3.3.2` - `svelte-check` `^4.4.4` → `^4.4.5` - `posthog-js` `^1.358.1` → `^1.359.1` - `svelte-eslint-parser` `^1.5.1` → `^1.6.0` ### Security - Updated `dompurify` to `^3.3.2` to mitigate CVE-2026-0540. --- ## [1.26.12] - 2026-03-04 ### Changed - Bumped project version to `v1.26.12`. - Updated dependencies: - `postcss` `^8.5.6` → `^8.5.8` - `prettier-plugin-svelte` `^3.5.0` → `^3.5.1` - `svelte` `5.53.6` → `5.53.7` - `globals` `^17.3.0` → `^17.4.0` - `posthog-js` `^1.356.1` → `^1.358.1` --- ## [1.26.11] - 2026-02-28 ### Changed - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.53.4**. - Updated all GitHub Actions workflows to utilize **npm 11.11.0**. - Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.14.0`. - Bumped project version to `v1.26.11`. - Updated dependencies: - `@sveltejs/adapter-netlify` `^6.0.3` → `^6.0.4` - `@sveltejs/adapter-vercel` `^6.3.2` → `^6.3.3` - `@sveltejs/kit` `2.53.0` → `2.53.4` - `autoprefixer` `^10.4.24` → `^10.4.27` - `eslint-plugin-jsdoc` `^62.7.0` → `^62.7.1` - `svelte` `5.53.2` → `5.53.6` - `svelte-check` `^4.4.3` → `^4.4.4` - `posthog-js` `^1.352.0` → `^1.356.1` - `stylelint` `^17.3.0` → `^17.4.0` - `svelte-eslint-parser` `^1.4.1` → `^1.5.1` ### Security - Pinned transitive dependency `basic-ftp` to `^5.2.0` to mitigate CVE-2026-27699. --- ## [1.26.10] - 2026-02-21 ### Changed - Refactored PostHog store to centralize environment gating across `initPostHog()`, `capture()`, and `identify()` via a shared `shouldSkipAnalytics()` helper. - Cached environment detection results to avoid repeated evaluation and ensure consistent behavior across analytics APIs. - Reintroduced hostname-based audit detection (`audit.netwk.pro`) as a defense-in-depth fallback alongside environment-mode audit detection. - Removed unnecessary comments from `src/lib/stores/posthog.js` and `src/lib/pages/LicenseContent.svelte`. - Corrected `tests/unit/client/lib/utils/utm.test.js` to import `vi` variable before first use. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.53.0**. - Bumped project version to `v1.26.10`. - Updated dependencies: - `@sveltejs/adapter-netlify` `^6.0.0` → `^6.0.3` - `@sveltejs/adapter-vercel` `^6.3.1` → `^6.3.2` - `globby` `^16.1.0` → `^16.1.1` - `@sveltejs/kit` `2.51.0` → `2.53.0` - `eslint-plugin-jsdoc` `^62.5.4` → `^62.7.0` - `jsdom` `28.0.0` → `28.1.0` - `posthog-js` `^1.347.0` → `^1.352.0` - `prettier-plugin-svelte` `^3.4.1` → `^3.5.0` - `stylelint` `^17.2.0` → `^17.3.0` - `svelte` `5.50.3` → `5.53.2` - `svelte-check` `^4.3.6` → `^4.4.3` - `markdownlint-cli2` `0.20.0` → `0.21.0` ### Fixed - Prevented analytics gating logic from executing during SSR by adding an explicit `typeof window === 'undefined'` guard. - Improved test isolation by updating `\_resetPostHog()` to reset cached environment state and tracking-related stores. ### Security - Pinned the `tar` package to `^7.5.9` in transitive dependencies, in order to address CVE-2026-26960. - Pinned transitive `minimatch` to `>=10.2.1` to address an `npm audit`-reported high-severity ReDoS/DoS issue in older minimatch versions. --- ## [1.26.9] - 2026-02-12 ### Changed - Updated all GitHub Actions workflows to utilize **npm 11.10.0**. - Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.13.1`. - Bumped project version to `v1.26.9`. - Updated dependencies: - `eslint-plugin-jsdoc` `^62.5.3` → `^62.5.4` - `svelte` `5.50.0` → `5.50.3` - `@sveltejs/kit` `2.50.2` → `2.51.0` - `eslint-plugin-svelte` `^3.14.0` → `^3.15.0` - `posthog-js` `^1.342.1` → `^1.347.0` - `stylelint` `^17.1.1` → `^17.2.0` - `vite-tsconfig-paths` `^6.0.5` → `^6.1.1` - `@sveltejs/adapter-netlify` `^5.2.4` → `^6.0.0` --- ## [1.26.8] - 2026-02-07 ### Changed - Refreshed timestamp for main route in `static/sitemap.xml`. - Updated all GitHub Actions workflows to utilize **npm 11.9.0**. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.50.2**. - Added `eslint` and `@eslint/js` to `.ncurc.js` **reject** list, pinned `v9.39.2` in `package.json`. - Bumped project version to `v1.26.8`. - Updated dependencies: - `posthog-js` `^1.336.4` → `^1.342.1` - `semver` `^7.7.3` → `^7.7.4` - `svelte` `5.49.1` → `5.50.0` - `@playwright/test` `^1.58.1` → `^1.58.2` - `@sveltejs/kit` `2.50.1` → `2.50.2` - `eslint-plugin-jsdoc` `^62.5.0` → `^62.5.3` - `jsdom` `27.4.0` → `28.0.0` - `playwright` `^1.58.1` → `^1.58.2` - `stylelint` `^17.1.0` → `^17.1.1` --- ## [1.26.7] - 2026-02-01 ### Changed - Refreshed timestamp for `/legal` route in `static/sitemap.xml`. - Added standardized header to `AGENTS.md`, `CLAUDE.md`, `VERSIONING.md`, and `.github/COMMIT_GUIDE.md`, as well as all issue templates. - Updated footer of `LICENSE.md` and `README.md` to reflect the company's full legal name. - Refreshed **Effective Date** for Legal, Copyright, and Licensing route (`/legal`). - Updated `src/lib/pages/LicenseContent.svelte` to include our trade name. - Bumped project version to `v1.26.7`. - Updated dependencies: - `@eslint/compat` `^2.0.1` → `^2.0.2` - `@playwright/test` `^1.58.0` → `^1.58.1` - `autoprefixer` `^10.4.23` → `^10.4.24` - `playwright` `^1.58.0` → `^1.58.1` - `posthog-js` `^1.336.2` → `^1.336.4` - `svelte` `5.49.0` → `5.49.1` - `svelte-check` `^4.3.5` → `^4.3.6` - `eslint-plugin-jsdoc` `^62.4.1` → `^62.5.0` - `globals` `^17.2.0` → `^17.3.0` - `stylelint` `^17.0.0` → `^17.1.0` --- ## [1.26.6] - 2026-01-29 ### Changed - Added Prettier to the `npm-check-updates` ignore list (`.ncurc.cjs`) for deterministic formatting changes. - Updated the company name in `src/lib/pages/AboutContent.svelte` to the full, legal name. - Updated the copyright statement in `src/lib/pages/LicenseContent.svelte` to use the full, legal company name. - Updated the footer to display the full, legal company name. - Bumped project version to `v1.26.6`. - Updated dependencies: - `globals` `^17.1.0` → `^17.2.0` - `posthog-js` `^1.335.2` → `^1.336.2` - `svelte` `5.48.2` → `5.49.0` ### Security - Pinned the `tar` package to `^7.5.7` in transitive dependencies, in order to address CVE-2026-24842. --- ## [1.26.5] - 2026-01-24 ### Added - `scripts/hooks/pre-push.sh`: `simple-git-hooks` pre-push guard to prevent accidental pushes directly to `master`/`main` while preserving the existing `npm run checkout` pre-push behavior. ### Changed - `.github/workflows/deploy-audit-netlify.yml`: Added `workflow_dispatch` so the audit Netlify deployment can be triggered manually (e.g., when `audit-netlify` is already in sync and no new push occurs). - `package.json`: Updated `simple-git-hooks` configuration to run `bash scripts/hooks/pre-push.sh` on `pre-push` (alongside the existing `pre-commit` hook). - Bumped project version to `v1.26.5`. --- ## [1.26.4] - 2026-01-24 ### Added - Added `AGENTS.md` to provide operational, tool-neutral guidance for automated agents. ### Changed - **Workflow tooling updates** to keep CI aligned with upstream releases: - `npm` upgraded to `11.8.0` across build/test/publish workflows. - `actions/checkout` `v5` → `v6`, `actions/upload-artifact` `v4` → `v6`, and `actions/github-script` `v7` → `v8`. - Restored Node.js/npm version logging in `publish-test` workflow jobs. - **Documentation note added** in `CLAUDE.md` to point automation tools to `AGENTS.md`. - **Playwright E2E stabilization** (Firefox + SvelteKit SPA navigation): - Updated the shared navigation helper (`tests/e2e/shared/helpers.js`) to prefer SPA-safe URL-change waiting (polling assertions) over navigation lifecycle events, improving Firefox stability. - Strengthened the desktop “About link” test (`tests/e2e/app.spec.js`) with a stable `/about` page marker assertion (`"Security, with Intent"`) to reduce intermittent flakes. - Refreshed timestamp for root route in `static/sitemap.xml`. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.50.1**. - **Project version bumped** to `v1.26.4`. - Updated dependencies: - `@sveltejs/adapter-vercel` `^6.3.0` → `^6.3.1` - `@sveltejs/kit` `2.50.0` → `2.50.1` - `@vitest/coverage-v8` `4.0.17` → `4.0.18` - `svelte` `5.48.0` → `5.48.2` - `vite-tsconfig-paths` `^6.0.4` → `^6.0.5` - `vitest` `4.0.17` → `4.0.18` - `@playwright/test` `^1.57.0` → `^1.58.0` - `eslint-plugin-jsdoc` `^62.3.0` → `^62.4.1` - `globals` `^17.0.0` → `^17.1.0` - `playwright` `^1.57.0` → `^1.58.0` - `posthog-js` `^1.334.0` → `^1.335.2` --- ## [1.26.3] - 2026-01-21 ### Added - **Codex-aware analytics guard** in `src/lib/stores/posthog.js` to explicitly skip PostHog initialization when the application is executed by automation or AI-assisted tooling. This prevents analytics side effects during non-interactive builds, cloud executions, and AI-driven analysis while preserving normal production behavior. - **`.env.codex` environment configuration** to support Codex and similar automation tools. This file defines a controlled, non-interactive execution context that mirrors production build semantics without enabling analytics or requiring secrets, enabling safe use of cloud-based AI and CI-style tooling. - **`CLAUDE.md` project guidance file** to provide persistent, repository-level instructions for Claude Code and other AI-assisted development tools. The file establishes clear expectations and constraints for AI usage, including: - **AI guardrails** that prohibit changes to security posture, environment detection logic, deployment assumptions, or analytics behavior without explicit human approval. - An explicit **Allowed AI Uses** section defining safe, permitted activities such as code comprehension, incremental feature development, bug fixing, testing, and documentation updates. ### Changed - **Project version bumped** to `v1.26.3`. - **Dependency updates** to incorporate upstream fixes, improvements, and compatibility updates: - `prettier` `3.8.0` → `3.8.1` - `eslint-plugin-jsdoc` `^62.0.1` → `^62.3.0` - `lightningcss` `^1.30.2` → `^1.31.1` - `posthog-js` `^1.327.0` → `^1.334.0` - `svelte` `5.46.4` → `5.48.0` ### Security - **Updated transitive dependency override** to remediate a reported vulnerability: - `tar` `7.5.3` → `7.5.6` _(addresses CVE-2026-23950)_ - **Added transitive dependency override** to mitigate a reported vulnerability: - `lodash` pinned to `4.17.23` _(addresses CVE-2025-13465)_ --- ## [1.26.2] - 2026-01-17 ### Changed - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.50.0**. - Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.13.0`. - Bumped project version to `v1.26.2`. - Updated dependencies: - `@sveltejs/kit` `2.49.5` → `2.50.0` - `posthog-js` `^1.323.0` → `^1.327.0` - `eslint-plugin-jsdoc` `^62.0.0` → `^62.0.1` ### Security - Updated transitive dependency override to address reported vulnerabilities: - `tar@7.5.2` → `tar@7.5.3` (addresses CVE-2026-23745). --- ## [1.26.1] - 2026-01-15 ### Changed - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.49.5**. - Updated `static/manifest.json` to better reflect the company's current mission, focus, and messaging. - Updated timestamps in `sitemap.xml`. - Minor edits made to `PrivacyContent.svelte` and `TermsUseContent.svelte` for clarity and accuracy. - Bumped project version to `v1.26.1`. - Updated dependencies: - `@sveltejs/kit` `2.49.4` → `2.49.5` - `@vitest/coverage-v8` `4.0.16` → `4.0.17` - `svelte` `5.46.1` → `5.46.4` - `vitest` `4.0.16` → `4.0.17` - `posthog-js` `^1.318.1` → `^1.323.0` - `prettier` `3.7.4` → `3.8.0` - `stylelint` `^16.26.1` → `^17.0.0` - `stylelint-config-recommended` `^17.0.0` → `^18.0.0` ### Security - Updated `@sveltejs/kit` to `2.49.5`, in order to address CVE-2026-22803. --- ## [1.26.0] - 2026-01-10 ### Changed - Updated home page content to emphasize a focus on both security and privacy. - Refined header navigation styling to improve external link icon alignment and spacing consistency across layouts. - Updated `CONSTANTS.COMPANY_INFO.YEAR` in `src/lib/index.js` to reflect `2025, 2026`. - Updated copyright headers across all tracked source files to reflect effective copyright years. - Clarified repository distribution intent and reuse expectations in `README.md`, including documentation of copyright header conventions for this template project. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.49.4**. - Bumped project version to `v1.26.0`. - Updated test tooling to support Vitest 4.x: - Removed Vitest-related version constraints from update tooling. - Updated Vitest configuration for compatibility with `vitest` and `@vitest/coverage-v8` v4. - Updated dependencies: - `@eslint/compat` `^2.0.0` → `^2.0.1` - `@sveltejs/kit` `2.49.3` → `2.49.4` - `@sveltejs/vite-plugin-svelte` `^6.2.3` → `^6.2.4` - `@vitest/coverage-v8` `3.2.4` → `4.0.16` - `posthog-js` `^1.315.1` → `^1.318.1` - `eslint-plugin-jsdoc` `^61.5.0` → `^62.0.0` - `vite-tsconfig-paths` `^6.0.3` → `^6.0.4` - `vitest` `3.2.4` → `4.0.16` --- ## [1.25.24] - 2026-01-07 ### Changed - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.49.3**. - Bumped project version to `v1.25.24`. - Updated dependencies: - `@sveltejs/kit` `2.49.2` → `2.49.3` - `@sveltejs/vite-plugin-svelte` `^6.2.1` → `^6.2.3` - `vite` `^7.3.0` → `^7.3.1` - `@sveltejs/adapter-vercel` `^6.2.0` → `^6.3.0` - `eslint-plugin-svelte` `^3.13.1` → `^3.14.0` - `posthog-js` `^1.313.0` → `^1.315.1` --- ## [1.25.23] - 2026-01-04 ### Changed - Updated `README.md` to accurately reflect hosting. - Updated timestamp in `static/.well-known/security.txt` and created a new detached signature. - Bumped project version to `v1.25.23`. --- ## [1.25.22] - 2026-01-01 ### Added - Conditional guards to ensure artifacts, issues, and external notifications are only created when workflows run in a trusted context (non-PR runs or PRs originating from the same repository). - Redacted, public-safe Gitleaks scan summaries in GitHub Actions step output to prevent accidental exposure of sensitive file paths or values. - Optional installation of `jq` gated to trusted execution contexts to support future structured output (e.g., SARIF) while preserving fork safety. ### Changed - Updated the Gitleaks secret scanning workflow to explicitly exclude Dependabot pull requests, avoiding failures caused by unavailable organization secrets in bot-triggered PRs. - Refined workflow trust boundaries to distinguish between forked pull requests and trusted repository contexts. - Updated `.gitignore` to stop tracking generated `.svelte-kit` files. - Bumped project version to `v1.25.22`. - Updated dependencies: - `stylelint-order` `^7.0.0` → `^7.0.1` - `posthog-js` `^1.310.1` → `^1.313.0` - `globals` `^16.5.0` → `^17.0.0` ### Removed - Removed Mastodon verification in `src/routes/posts/+page.svelte`, as it was not functioning properly. This route will remain unverified. ### Security - Hardened secret-handling logic in CI by preventing the use of organization-level secrets, write permissions, and external notifications in untrusted pull request contexts. - Ensured Gitleaks license usage is restricted to safe execution paths, eliminating false-negative or false-positive failures caused by GitHub Actions secret scoping rules. - Added transitive dependency override for `qs` to `^6.14.1`, in order to address CVE-2025-15284. --- ## [1.25.21] - 2025-12-27 ### Added - Added Mastodon verification to `src/routes/posts/+page.svelte` via ``. ### Changed - Updated intro paragraph of `README.md` to better reflect the company's current mission, focus, and messaging. - Bumped project version to `v1.25.21`. - Updated dependencies: - `@testing-library/svelte` `^5.3.0` → `^5.3.1` - `jsdom` `27.3.0` → `27.4.0` --- ## [1.25.20] - 2025-12-24 ### Added - Added `VERSIONING.md` to document the project’s versioning strategy. ### Changed - Updated `.lighthouse.cjs` to utilize `https://netwk.pro` as the target. - Removed **Services** route from `sitemap.xml` and refreshed last modified timestamps. - Updated `README.md` to clarify the project's versioning strategy and changelog format. - Updated `src/routes/+page.svelte` to apply `containerClass="readable"` to `` for improved readability. - Revised homepage and About page content (`HomeContent.svelte` and `AboutContent.svelte`) to better reflect the company’s current mission, focus, and messaging. - Bumped project version to `v1.25.20`. ### Removed - Removed **Services** from primary navigation (`HeaderDefault.svelte` and `HeaderHome.svelte`). - Removed references to home implementation services from `AboutContent.svelte`. - This change reflects a clarified focus on internal research, education, advocacy, and selectively aligned consulting, rather than broad outward-facing service offerings. --- ## [1.25.19] - 2025-12-24 ### Changed - Updated GitHub workflows to utilize `actions/checkout@v6`, `actions/upload-artifact@v6`, and `actions/download-artifact@v7`: - `.github/workflows/templates/publish.template.yml` - `.github/workflows/backup-branch.yml` - `.github/workflows/build-and-publish.yml` - `.github/workflows/dependency-review.yml` - `.github/workflows/lighthouse.yml` - `.github/workflows/meta-check.yml` - `.github/workflows/playwright.yml` - `.github/workflows/probely-scan.yml` - `.github/workflows/publish-test.yml` - `.github/workflows/secret-scan.yml` - Corrected `README.md` to properly state that subsites are hosted on Vercel and Netlify. - Updated `.node-version` and `.nvmrc` to utilize **Node.js** `v24.12.0`. - Bumped project version to `v1.25.19`. - Updated dependencies: - `@eslint/js` `^9.39.1` → `^9.39.2` - `@testing-library/svelte` `^5.2.9` → `^5.3.0` - `autoprefixer` `^10.4.22` → `^10.4.23` - `eslint` `^9.39.1` → `^9.39.2` - `prettier-plugin-svelte` `^3.4.0` → `^3.4.1` - `svelte-check` `^4.3.4` → `^4.3.5` - `globby` `^16.0.0` → `^16.1.0` - `posthog-js` `^1.305.0` → `^1.310.1` - `svelte` `5.45.9` → `5.46.1` - `vite` `^7.2.7` → `^7.3.0` - `vite-tsconfig-paths` `^5.1.4` → `^6.0.3` ## Removed - Removed `/* eslint-env vitest */` comment from `vitest-setup-client.js`, as it was causing an ESLint warning. --- ## [1.25.18] - 2025-12-11 ### Changed - Refreshed timestamp for root route in `sitemap.xml`. - Reformatted the following files with Prettier: - `src/lib/README.md` - `src/lib/pages/LicenseContent.svelte` - `src/lib/pages/PrivacyContent.svelte` - `src/lib/pages/TermsUseContent.svelte` - Bumped project version to `v1.25.18`. - Updated dependencies: - `prettier` `3.6.2` → `3.7.4` --- ## [1.25.17] - 2025-12-11 ### Added - Added SSR boundary protection test (`tests/unit/server/internal/ssrBoundary.test.js`): - Detects Node-only imports (`jsdom`, `fs`, `path`, etc.) in client-visible modules. - Ensures imports are properly gated behind `import.meta.env.SSR`. - Prevents accidental SSR/client boundary violations in future code changes. - Added support for detecting SSR-safe code paths by allowing SSR-gated dynamic imports in shared modules. ### Changed - Refactored `src/service-worker.js` for improved consistency, clarity, and lint compatibility: - Removed unused function parameters (`_err`) and adjusted callback signatures to align with ESLint expectations. - Replaced anonymous no-op parameters with explicitly ignored placeholders using the `_` naming convention. - Improved async iteration patterns in asset caching logic for better readability and maintainability. - Updated JSDoc annotations for accuracy and improved editor support. - Ensured all cache operations conform to structured error-handling patterns consistent with the rest of the codebase. - Updated `src/lib/utils/purify.js`: - Replaced `typeof window !== 'undefined'` guard with compile-time `import.meta.env.SSR`. - Ensures Vite tree-shakes `jsdom` imports from client bundles. - Fixed build failures caused by jsdom/cssstyle when bundled on the client. - Preserves existing DOMPurify caching and SSR behavior. - Enhanced ESLint `no-unused-vars` rule in `eslint.config.mjs`: - Added support for ignoring unused catch parameters via `caughtErrors` and `caughtErrorsIgnorePattern`. - Prevented false positives on intentionally unused error variables (e.g., `_err`). - Expanded ignore patterns to match project coding conventions. - Replaced `src/lib/img/qr/vcard.png` and `src/lib/img/qr/vcard.webp` with revised versions. - Updated GitHub workflows to utilize **npm** `11.7.0`. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.49.2**. - Updated `src/lib/README.md` to reflect the newly updated app constant. - Updated contact information in `static/bin/contact.vcf`. - Updated `CONTACT.PHONE` app constant to reflect our new phone number, (602) 428-5300. - Removed `jsdom` from `.ncurc.cjs` `reject` list. - Bumped project version to `v1.25.17`. - Updated dependencies: - `dompurify` `^3.3.0` → `^3.3.1` - `posthog-js` `^1.295.0` → `^1.305.0` - `svelte` `5.43.12` → `5.45.9` - `@playwright/test` `^1.56.1` → `^1.57.0` - `@sveltejs/adapter-vercel` `^6.1.1` → `^6.2.0` - `@sveltejs/kit` `2.48.5` → `2.49.2` - `browserslist` `^4.28.0` → `^4.28.1` - `eslint-plugin-jsdoc` `^61.2.1` → `^61.5.0` - `eslint-plugin-svelte` `^3.13.0` → `^3.13.1` - `markdownlint` `^0.39.0` → `^0.40.0` - `markdownlint-cli2` `0.19.0` → `0.20.0` - `playwright` `^1.56.1` → `^1.57.0` - `stylelint` `^16.25.0` → `^16.26.1` - `svelte-eslint-parser` `^1.4.0` → `^1.4.1` - `vite` `^7.2.2` → `^7.2.7` - `jsdom` `26.1.0` → `27.3.0` ### Fixed - Resolved client-side build failures caused by dynamic jsdom imports leaking into the Vite dependency graph. - Resolved false positive ESLint errors for unused catch bindings in JS modules. --- ## [1.25.16] - 2025-11-18 ### Changed - Removed `vercel-insights.com` from the `disallowedHosts` list in `service-worker.js`. ### Removed - Removed `https://vercel-insights.com` from `script-src` and `connect-src` in `hooks.server.js`. ### Notes - **Analytics:** Reverted Vercel Analytics integration due to inline script injection requirement. Continuing with PostHog Cloud until migration to CSP-compliant Matomo is feasible. --- ## [1.25.15] - 2025-11-18 ### Added - Added `https://vercel-insights.com` to `script-src` and `connect-src` in `hooks.server.js` to allow for Vercel Analytics. ### Changed - Added `vercel-insights.com` to the `disallowedHosts` list in `service-worker.js`, in order to prevent SW caching. - Bumped project version to `v1.25.15`. - Updated dependencies: - `svelte` `5.43.10` → `5.43.12` --- ## [1.25.14] - 2025-11-18 ### Changed - Bumped project version to `v1.25.14`. - Updated dependencies: - `svelte` `5.43.7` → `5.43.10` - `posthog-js` `^1.293.0` → `^1.295.0` ### Security - Added transitive dependency override for `glob` to `^11.1.0`, in order to address CVE-2025-64756. --- ## [1.25.13] - 2025-11-16 ### Changed - Updated `.markdownlint.mjs` to ignore rule `MD060`, which is overly strict and unnecessary. - Bumped project version to `v1.25.13`. - Updated dependencies: - `svelte` `5.43.6` → `5.43.7` - `posthog-js` `^1.292.0` → `^1.293.0` - `@eslint/compat` `^1.4.1` → `^2.0.0` - `markdownlint-cli2` `0.18.1` → `0.19.0` ### Fixed - Resolved prototype pollution vulnerability in transitive `js-yaml` dependency via `overrides`, due to outdated `@lhci/cli` dependency on `@lhci/utils`. --- ## [1.25.12] - 2025-11-14 ### Added - Added revised **QR code** image assets for **Vcard** information: - `src/lib/img/qr/vcard.png` - `src/lib/img/qr/vcard.webp` ### Changed - Modified `.node-version` and `.nvmrc` to utilize **Node.js** `24.11.1` (LTS). - Updated `.ncurc.cjs` to reject updates to `markdownlint-cli2`, due to discrepancies between in-editor and CLI linting errors. - Updated environment template (`.env.template`) to include `PUBLIC_ENV_MODE`, which is now required to build the proper environment (e.g., `dev`, `audit`, `production`). - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.48.5**. - Bumped project version to `v1.25.12`. - Updated dependencies: - `@sveltejs/kit` `2.48.4` → `2.48.5` - `eslint-plugin-jsdoc` `^61.2.0` → `^61.2.1` --- ## [1.25.11] - 2025-11-12 ### Added - `gotoDesktop(page, path)` and `gotoMobile(page, path)` helper functions to streamline viewport + navigation setup. - `clickAndWaitForNavigation(page, locator, options)` utility for safe SPA or full-page navigation detection with optional URL pattern matching. - `DEBUG_LOGS` flag in `helpers.js` to allow toggling of console logs for test diagnostics. - Navigation debug logs to `getVisibleNav()` to indicate which navigation region was detected (when debugging is enabled). ### Changed - Refactored all E2E tests to use `gotoDesktop()` and `gotoMobile()` for consistency and DRY principles. - Replaced brittle direct `waitForNavigation()` usages with `clickAndWaitForNavigation()` helper. - Updated mobile and desktop tests to improve consistency across specs and improve visibility assertions. ### Removed - Legacy direct `setViewportSize()` and `page.goto()` calls from individual test blocks (now handled via `goto*()` helpers). --- ## [1.25.10] - 2025-11-12 ### Changed - Updated GitHub workflows to specify `ENV: ci` where appropriate: - `templates/check-codeql.template.yml` - `templates/publish.template.yml` - `auto-assign.yml` - `branch-backup.yml` - `check-security-txt-expiry.yml` - `dependency-review.yml` - `meta-check.yml` - `prevent-audit-merges.yml` - `secret-scan.yml` - Added `@sveltejs/adapter-netlify` devDependency for smoother toggling between production and audit modes. - Production uses `@sveltejs/adapter-vercel` only. `@sveltejs/adapter-netlify` exists solely to support the audit environment. - Bumped project version to `v1.25.10`. - Updated dependencies: - `@testing-library/svelte` `^5.2.8` → `^5.2.9` - `eslint-plugin-jsdoc` `^61.1.12` → `^61.2.0` - `posthog-js` `^1.290.0` → `^1.292.0` ## Removed - Removed unneeded comments in `build-and-publish.yml` workflow. --- ## [1.25.9] - 2025-11-11 ### Changed - Updated the support email address to `support@netwk.pro` in the following files: - `README.md` - `check-codeql.template.yml` - `publish.template.yml` - `contact.vcf` - Modified `eslint.config.mjs` to include `.cjs` files when linting JavaScript. - Bumped project version to `v1.25.9`. ## Fixed - Modified `.github/workflows/probely-scan.yml` to accept either a 200 or 201 response. - Workflow was correctly triggering scan, but then failed due to receiving a 200 response rather than the 201 that was expected. --- ## [1.25.8] - 2025-11-11 ### Added - 🔐 **Branch protection rules** on `master`: - Enforced pull requests for all changes - Blocked force pushes - Linear history requirement - 🚫 **CI workflow to prevent merges from `audit-netlify` to `master`**: - PRs originating from `audit-netlify` targeting `master` are automatically rejected - Triggered on `pull_request` events - Uses `github.event.pull_request.head.ref` for precise branch detection - 🚀 **Netlify CI deployment** for audit-only branch: - Workflow `.github/workflows/deploy-audit-netlify.yml` added - Deploys `audit-netlify` to a separate Netlify site - Uses environmental variables to trigger `vite build --mode audit` - 🌐 **`hooks.server.js` CSP hardening** for audit deployments: - Probely scanner detection based on UA/IP added via `isProbelyScanner()` - Audit-specific CSP disables analytics and CSP reporting endpoints - Logs detailed CSP info when in `isAudit` or `isDebug` modes - 🛡️ Middleware improvements: - User-agent/IP fingerprinting for Probely DAST - Added logging for audit-mode scanner matches - 🧪 Support for per-environment `.env` files (e.g. `.env.audit`) - 🔄 Git helper scripts: - Added bash script to sync `audit-netlify` with latest `master` - Supports merge conflict resolution via VS Code diff viewer ### Changed - Updated `.stylelintignore` to exclude `.netlify` directory - Updated `lint:md` script to exclude the `build/` and `.netlify/` directories - Refined `svelte.config.js` to support alternate build targets (Vercel → Netlify via adapter switch) - Audit builds now use isolated `.env` config and a separate Netlify site token - Bumped project version to `v1.25.8` --- ## [1.25.7] - 2025-11-11 ### Added - Introduced `src/lib/security/probely.js` helper module to detect Probely vulnerability scanner requests via normalized IP and User-Agent matching. - Supports case-insensitive substring matching for known Probely UA fragments (`ProbelySPDR/`, etc.). - IP allowlisting based on published ranges: - Added unit test suite `tests/unit/server/lib/security/probely.test.js` to verify robustness of `isProbelyScanner()` logic against UA/IP variations and edge cases. ### Changed - Updated `hooks.server.js` to integrate `isProbelyScanner()` as a drop-in replacement for inline Probely detection logic, improving clarity and testability. - Contact details and motto updated in `static/.well-known/humans.txt`. - Refreshed last modified dates in `static/sitemap.xml`. - Minor cosmetic changes to `static/robots.txt`. - Corrected fallback metadata in `+layout.svelte`. - Removed inline styles from `src/lib/components/PWAInstallButton.svelte` and `src/lib/components/foss/FossFeatures.svelte`. - Moved styles to `src/lib/styles/css/default.css`. - Regenerated `global.min.css` bundle with LightningCSS. - Minor optimizations and cleanup to several files: - `src/lib/components/RedirectPage.svelte` - `src/lib/components/layout/Footer.svelte` - `src/lib/pages/AboutContent.svelte` - `src/lib/pages/TermsConditionsContent.svelte` - `src/lib/pages/TermsUseContent.svelte` - `src/routes/contact/+page.svelte` - `src/routes/posts/+page.svelte` - `src/routes/privacy-rights/+page.svelte` - Bumped project version to `v1.25.7`. - Updated dependencies: - `autoprefixer` `^10.4.21` → `^10.4.22` - `browserslist` `^4.27.0` → `^4.28.0` - `svelte` `5.43.3` → `5.43.6` - `svelte-check` `^4.3.3` → `^4.3.4` - `posthog-js` `^1.285.1` → `^1.290.0` - `vite` `^7.1.12` → `^7.2.2` --- ## [1.25.6] - 2025-11-04 ### Security - Hardened `Content-Security-Policy (CSP)` in `hooks.server.js`: - Environment-specific policies for `production`, `audit`, `dev`, and `test` - Added real CSP reporting endpoint (`csp.netwk.pro`) in production - Report-only mode enabled in non-prod for safer diagnostics - Added `/api/mock-csp` endpoint to capture and log CSP violation reports in non-prod environments ### Changed - Updated `README.md` with detailed explanation of the CSP enforcement strategy and future nonce-based roadmap - Moved inline styles from `Badges.svelte` and `Logo.svelte` to external stylesheet (`default.css`) - Regenerated `global.min.css` using LightningCSS to reflect updated external styles - Bumped project version to `v1.25.6` - Updated dependencies: - `@eslint/js` `^9.39.0` → `^9.39.1` - `eslint` `^9.39.0` → `^9.39.1` - `eslint-plugin-jsdoc` `^61.1.11` → `^61.1.12` - `svelte` `5.43.2` → `5.43.3` - `posthog-js` `^1.284.0` → `^1.285.1` ### Fixed - Updated `probely-scan.yml` GitHub workflow to utilize the correct API endpoint and cURL requests. --- ## [1.25.5] - 2025-11-03 ### Added - Introduced `static/b173de6c44c144c1b186841b88d51c67.txt` for use with [IndexNow](https://www.indexnow.org) and Bing Webmaster Tools. ### Changed - Bumped project version to `v1.25.5`. ### Fixed - Corrected the URLs for the HTML versions of the licenses in `static/sitemap.xml`. --- ## [1.25.4] - 2025-11-03 ### Added - `detectEnvironment()` now returns: - `isDebug` boolean (true if `isDev` or `isTest`) - `isLocalhost` (optional, in browser contexts) - Support for `PUBLIC_POSTHOG_PROJECT_KEY` using `import.meta.env` - Dynamic PostHog initialization (`initPostHog`) now uses env-based key injection - vite.config.js: - `envPrefix: ['PUBLIC_']` added to expose public vars to client - Console banner for `ENV_MODE`, `PUBLIC_ENV_MODE`, and audit-mode warning - CSP debug logs gated behind `isDebug` and server-only context - `.env.production` support via `--mode=production` guidance - Conditional `minify` flag for `lightningcssPlugin` based on `mode` (`production` or `audit`) ### Changed - Environment detection (`env.js`) now respects hostname overrides and normalizes fallback logic for SSR/client consistency - Logs in `hooks.server.js` and PostHog analytics client are now gated by `isDebug` to avoid unnecessary noise in production - Better logging structure for PostHog initialization, including full `import.meta.env` dump in debug mode - Bumped project version to `v1.25.4` ### Fixed - Broken or undefined env var behavior due to missing `envPrefix` in `vite.config.js` - Client-only `import.meta.env.PUBLIC_*` variables incorrectly resolving as `undefined` in production builds - CSP not reflecting audit context due to host-based detection mismatch ### Developer Notes - `.env.production` is **now required** for full environment variable injection during `npm run build --mode=production` or Vercel deployments. - Without it, `PUBLIC_` variables (e.g. `PUBLIC_POSTHOG_PROJECT_KEY`) may resolve as undefined in the client bundle. - Local builds can still fall back to `.env` or `.env.development` by default. --- ## [1.25.3] - 2025-11-03 ### Changed - Updated `posthog.js` to display environmental context logs only in development and testing environments. - Bumped project version to `v1.25.3`. ### Removed - Removed **Branch Guard** workflow (`.github/workflows/branch-guard.yml`), as it was resulting in mostly false positives. --- ## [1.25.2] - 2025-11-03 ### Changed - **Unified Environment Detection (`env.js`)** - Added support for server-side hostname injection via optional `hostOverride` parameter. - Enables accurate audit environment detection on both server (`hooks.server.js`) and client. - Logs the resolved environment and host when executed on the server. - Maintains safe fallback behavior for client-only usage. - **CSP Handling (`hooks.server.js`)** - Replaced reliance on `window.location` (unavailable on server) with `event.url.hostname` for host detection. - Now correctly applies hardened audit-mode CSP in deployments matching `*.audit.netwk.pro`. - Improved logging for audit/test/prod environment resolution during server request lifecycle. - **Build Diagnostics (`vite.config.js`)** - Added `stderr` output for `audit` mode builds to ensure visibility in CI logs. - Displays a prominent `🔒 Audit Mode Detected` tag during Vercel and local builds. - Continues to log `ENV_MODE`, `PUBLIC_ENV_MODE`, and `NODE_ENV` for build-time inspection. - Bumped project version to `v1.25.2`. --- ## [1.25.1] - 2025-11-02 ### Added - Introduced new **environment diagnostics endpoint** at `src/routes/api/env-check/+server.js`. - Returns resolved build and runtime environment data for verification. - Useful for confirming `ENV_MODE` / `PUBLIC_ENV_MODE` propagation on Vercel builds. - Helps troubleshoot environment mismatches between build-time and client-side contexts. ### Changed - **vite.config.js** - Enhanced configuration to log build mode and environment variables during bundling. - Prints `mode`, `ENV_MODE`, `PUBLIC_ENV_MODE`, and `NODE_ENV` to aid CI/CD debugging. - Uses color-coded console output for clear visibility in build logs. - **env.js** - Simplified and stabilized environment detection logic for better cross-environment consistency. - Removed redundant imports and corrected handling of static vs dynamic `BUILD_ENV_MODE`. - Improved comments and type annotations for maintainability and IDE autocompletion. - Bumped project version to `v1.25.1`. ### Developer Experience - Build logs now clearly display environment information before bundling. - `env-check` API endpoint provides real-time environment inspection without rebuilding. --- ## [1.25.0] - 2025-11-02 ### Added - Introduced unified environment detection utility (`src/lib/utils/env.js`) with full **JSDoc typing**. - Normalizes `process.env` and `import.meta.env` usage across SSR (Node) and client contexts. - Safely handles browser environments where `process` is undefined. - Provides standardized flags for: - `isDev`, `isProd`, `isAudit`, `isCI`, and `isTest` - Enables consistent environment checks across analytics, CSP, and runtime logic. - Added hybrid **environment + host-based analytics guard** in `src/lib/stores/posthog.js`. - Automatically disables PostHog tracking in `audit` mode or when hostname matches `*.audit.netwk.pro`. - Prevents analytics initialization during development and test contexts. - Uses the shared `detectEnvironment()` utility for centralized logic. - Improves runtime logging for environment-specific behavior. ### Changed - Updated `hooks.server.js` to include a dedicated **audit environment block** for Content Security Policy (CSP). - Hardened audit CSP by removing all analytics-related sources (`posthog.com`, `posthog-assets.com`). - Redirects CSP violation reporting to the mock endpoint (`/api/mock-csp`) in audit mode. - Preserves full HSTS and other production security headers for audit deployments. - Added clear separation between `test`, `audit`, and `prod` security policies. - Improved console debugging for environment detection (`NODE_ENV`, `ENV_MODE`). - Refactored **environment detection logic** for improved reliability across client and server contexts. - Added unified environment resolver at `src/lib/utils/env.js` to standardize detection for `dev`, `prod`, `audit`, `ci`, and `test` modes. - Ensures consistent handling of both `process.env.*` (Node/SSR) and `import.meta.env.*` (Vite/client) variables. - Prevents mismatched behavior between browser-side analytics (`posthog.js`) and server-side policies (`hooks.server.js`). - Automatically falls back to `'unknown'` if no explicit mode is set, avoiding build-time exceptions. - Refactored **Branch Guard** workflow (`.github/workflows/branch-guard.yml`) for improved accuracy and reduced noise. - Adjusted detection logic to **ignore merge commits**, Dependabot updates, and automated actions. - Ensures workflow warnings are shown **only for true direct commits** to protected branches (`master`, `main`). - Simplified step output and summary formatting for clearer reporting in the Actions log and job summary. - Maintains lightweight permissions (`contents: read`) and executes entirely without repository writes. - Improves reliability of branch protection monitoring without affecting CI or merge operations. - Bumped project version to `v1.25.0`. ### Fixed - Resolved client-side crash in browser environments caused by `process.env` being undefined. - Implemented defensive checks in `env.js` for `process` availability. - Eliminated reference errors during client-side initialization of analytics. ### Developer Experience - Simplified future configuration by consolidating environment checks into a single typed utility. - Improved maintainability and Vercel compatibility by ensuring `.env.audit` and `PUBLIC_ENV_MODE` variables propagate correctly to both client and server environments. ### Developer Notes - When deploying audit builds, ensure Vercel environment variables include: ```bash ENV_MODE=audit PUBLIC_ENV_MODE=audit ``` This enables analytics filtering and CSP hardening for the audit environment. - Audit deployments retain full HTTPS and security headers but omit telemetry and external CSP reporting. --- ## [1.24.5] ### Added - Introduced **Branch Guard workflow** (`.github/workflows/branch-guard.yml`) to automatically enforce branch protection policies. - Ensures consistent branch naming conventions. - Blocks direct pushes to protected branches (e.g., `master`, `main`, and `release/*`). - Provides early validation for pull requests and feature branches to maintain repository integrity. - Introduced comprehensive pre-push checks for code consistency and style compliance. - Added optional `simple-git-hooks` configuration to automate local linting before commits or pushes. - Implemented `lint:all` script using `npm-run-all` for efficient, parallel execution of linters. - Ensures **ESLint**, **Stylelint**, **Markdownlint**, and **Prettier** all run before code is committed, improving codebase hygiene and preventing formatting drift. - Designed for **developer-side speed and reliability**, running linters in parallel while deferring `format` (Prettier) until after lint checks complete for safety. - Added **hybrid linting configuration**: - Parallel execution for static lint tasks (`eslint`, `stylelint`, `markdownlint`). - Sequential Prettier formatting step for deterministic, race-free execution. ### Changed - Reorganized local linting commands for clarity and consistency, consolidating redundant sequential scripts into the `lint:all` aggregator. - Improved developer experience with faster pre-push validations and clearer script naming conventions. - Bumped project version to `v1.24.5`. ### Developer Experience - Enhanced local development workflow by introducing **fast, parallel linting** and **optional pre-commit hooks**, reducing turnaround time for style and quality checks. - Simplified npm scripts for readability and maintainability by adopting `npm-run-all` as the central task runner. ### Notes - For instructions on installing and configuring the new dependencies, please see the **[Editor Configuration](https://github.com/netwk-pro/netwk-pro.github.io/wiki/Editor-Configuration#automation)** section of the [Wiki](https://github.com/netwk-pro/netwk-pro.github.io/wiki). > **Note:** Version `1.24.4` was merged but not tagged or released. > Subsequent updates are reflected in `v1.24.5` and later. --- ## [1.24.4] ### Documentation - Added a **Continuous Security & Dependency Checks** section to `README.md`, outlining the automated vulnerability and dependency analysis integrated into CI/CD workflows. ### Added - Introduced **non-blocking** `npm audit` **step** in the `build-and-publish.yml` workflow to automatically detect known vulnerabilities during dependency installation. - Introduced **[Probely](https://probely.com/) Dynamic Application Security Testing (DAST)** integration via a new GitHub Actions workflow at `.github/workflows/probely-scan.yml`. - Executes **weekly automated scans** of the `audit.netwk.pro` environment every Tuesday at 09:00 UTC. - Authenticates securely using a scoped **API key** stored in GitHub Secrets (`PROBELY_API_KEY`). - Polls the Probely API for scan completion and retrieves the full **HTML vulnerability report**. - Uploads reports as workflow **artifacts** for maintainers to review. - Includes a 60-minute timeout and supports manual triggering via `workflow_dispatch`. - Configured for **read-only testing** against non-production environments to safely identify potential web and API vulnerabilities. - Future updates will introduce automated issue creation and alerting for high-severity findings. ### Changed - Updated `static/robots.txt` to exclude redirect routes and sensitive/internal endpoints (e.g., `/api`, `/relay-*`, `/consultation`, `/contact`, `/status`, etc.) from automated crawlers and vulnerability scanners. - Bumped project version to `v1.24.4`. ### Security - Enhanced continuous security coverage through the addition of **Probely DAST** for dynamic web and API vulnerability testing. - Maintained and improved **GitLeaks** secret scanning across pull requests and scheduled full-history scans. - Together, these workflows now provide full-spectrum coverage across **SAST** (static analysis) and **DAST** (dynamic analysis) layers within the CI/CD pipeline. --- ## [1.24.3] ### Changed - Bumped project version to `v1.24.3`. - Updated `.github/workflows/secret-scan.yml` to utilize a unique `CODEQL_ACTION_ANALYSIS_KEY` to avoid conflicts with CodeQL. - Updated `static/robots.txt` to disallow crawling of the `/api` route. ### Fixed - Corrected naming of `static/7cbb39ce-750b-43da-83b8-8980e5554d4d.txt`. --- ## [1.24.2] ### Added - Introduced new text file to prove ownership of the domain for **[Probely](https://probely.com/) DAST scans** in `static/`. ### Changed - Bumped project version to `v1.24.2`. - Updated `author.url` in `package.json` to reflect updated bio site, now located at [bio.netwk.pro](https://bio.netwk.pro). --- ## [1.24.1] ### Changed - Bumped project version to `v1.24.1`. - Updated **GitLeaks workflow** (`.github/workflows/secret-scan.yml`): - Reworked Gitleaks step to use official environment variables (`GITLEAKS_REPORT_PATH`, `GITLEAKS_LICENSE`) for compatibility with `gitleaks/gitleaks-action@v2`. - Added explicit handling for runs with no detected secrets (skips JSON parsing when no report is generated). - Improved summary step output with clear “No leaks detected” message and reduced false warnings. - Ensured consistent artifact uploads and safer fork-handling conditions. - Lighthouse now points to the new audit version of the site at [audit.netwk.pro](https://audit.netwk.pro). --- ## [1.24.0] ### Added - Introduced [GitLeaks](https://github.com/gitleaks/gitleaks-action) secret scan CI action as `.github/workflows/secret-scan.yml`. - Introduced two-phase scan strategy: - **Pull Request scans** to detect secrets before merge. - **Nightly scheduled scans** (`cron: "0 4 * * *"`) for full-history coverage. - Added **artifact upload** for the `gitleaks-report.json` file, allowing maintainers to download complete results from the Actions UI. - Implemented **public-safe summary output** in `$GITHUB_STEP_SUMMARY`: - Displays secret descriptions only. - Redacts file paths and other sensitive details. - Provides a concise, readable summary of findings. - Added **GitHub Issue creation step** to automatically open a security issue when leaks are detected. - Integrated optional **ntfy.sh notifications** for real-time alerting on secret leaks. - Implemented **fork-safety guards** to prevent workflows triggered from untrusted forks from: - Accessing organization secrets (license keys, ntfy topic). - Uploading artifacts or creating issues. - Added descriptive comments and logical layer separation: - **Layer 1 – Output Redaction** - **Layer 2 – Secret / Fork Handling** ### Changed - Bumped project version to `v1.23.1`. - Updated `.node-version` and `.nvmrc` to utilize **Node.js** `24.11.0` (LTS). - Updated CI workflows to utilize `node-version: 24`: - `build-and-publish.yml` - `lighthouse.yml` - `meta-check.yml` - `playwright.yml` - `publish-test.yml` - `templates/publish.template.yml` - Updated dependencies: - `@eslint/js` `^9.38.0` → `^9.39.0` - `eslint` `^9.38.0` → `^9.39.0` - `globals` `^16.4.0` → `^16.5.0` - `posthog-js` `^1.282.0` → `^1.284.0` ### Security - Added **automated SAST scanning** via GitLeaks to prevent secrets and credentials from being committed. - Implemented **security event reporting** via GitHub’s Code Scanning interface (SARIF upload supported). - Configured **automated notifications** for detected leaks via GitHub Issues and optional ntfy alerts. --- ## [1.23.0] - 2025-10-30 ### Documentation - Updated `src/lib/README.md` to reflect newly added app constants. ### Changed - Refactored all route files to use named imports from `$lib/components` and `$lib/pages` barrel modules, replacing individual `.svelte` imports for improved consistency and maintainability. - Changed `COMPANY_INFO.APP_NAME` constant to `Network Pro™` in `src/lib/index.js`. - Removed unnecessary `™` symbol from files that utilize the app constant. - Changed `/license` and `/foss-spotlight` routes to `/legal` and `/foss`, respectively, for more intuitive navigation. - Updated all references to the new routes, `/legal` and `/foss`. - Updated `vercel.json` to redirect `/license` to `/legal`, and `/foss-spotlight` to `/foss`. - Refactored Playwright helper utilities to modern standards: - Replaced deprecated `page.waitForNavigation()` with `waitForURL()` and `waitForLoadState()` in `clickAndWaitForNavigation()` for improved SPA and full-page navigation reliability. - Simplified logic and removed unsupported `lastResponse()` usage. - Improved test stability for mobile navigation (especially in CI environments). - Modified `tests/unit/server/meta.test.js` to match on `Locking Down Networks`, rather than `Network Pro`, which is now dynamically attached. - Refreshed **Last Modified** timestamps in `static/sitemap.xml`. - Updated `.node-version` and `.nvmrc` to utilize **Node.js** `22.21.1` (LTS). - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.48.4**. - Bumped project version to `v1.23.0`. - Updated dependencies: - `@sveltejs/kit` `2.48.3` → `2.48.4` - `svelte` `5.43.0` → `5.43.2` - `eslint-plugin-svelte` `^3.12.5` → `^3.13.0` - Refactored metadata and SEO handling for consistency and maintainability: - Centralized all `` and `` management in `src/lib/components/MetaTags.svelte`. - Removed redundant per-page `<svelte:head>` entries and `MetaTags` imports in individual `+page.svelte` files. - Added dynamic canonical URL generation using route `pathname` from `+layout.js`. - Implemented automatic title and description suffixing: - Titles now end with `— Network Pro™`. - Descriptions now end with `| Security, Networking, Privacy — Network Pro Strategies`. - Cleaned up fallback values (`defaultTitle`, `defaultDescription`, `defaultMeta`) to prevent redundant branding text. - Adjusted layout structure to ensure correct canonical and OpenGraph metadata per route. - Updated `src/app.html`: - Removed duplicate document sections and placeholder meta tags. - Verified correct `%sveltekit.head%` placement for dynamic head injection. - Moved static PWA-related metadata (e.g., `<meta name="theme-color">`) into `app.html`. - Retained dynamic icons and preload links for cache-busted assets via `+layout.svelte`. ### Security - Added transitive dependency overrides to address reported vulnerabilities: - `tar@7.5.1` → `tar@7.5.2` (fixes CVE-2025-64118: race condition/uninitialized memory exposure). - Confirmed overrides applied correctly via `npm ls` and `npm explain`. --- ## [1.22.2] - 2025-10-29 ### Documentation - Rewrote `CONTRIBUTING.md` to accurately describe the modern SvelteKit contribution workflow. - Updated guidelines for branch naming, code style, and pull request submission. - Removed outdated references to Webpack and `build/` artifacts. - Moved `CONTRIBUTING.md` and `CODE_OF_CONDUCT.md` to the organization’s `.github` repository to centralize contribution and conduct policies across all projects. ### Added - Introduced `vite-plugin-devtools-json` as a new `devDependency` to improve DevTools and JSON inspection support. - Added plugin configuration in `vite.config.js`. - Added `.ncurc.json` configuration to define rules for `npm-check-updates`, preventing automatic upgrades of version-linked packages such as `vitest` and `@vitest/coverage-v8`. - Added the term `ncurc` to `cspell.json` to prevent false-positive spell-check warnings. ### Changed - Updated GitHub workflows to utilize `actions/upload-artifact@v5` and `actions/setup-node@v6`: - `templates/publish.template.yml` - `build-and-publish.yml` - `lighthouse.yml` - `meta-check.yml` - `playwright.yml` - `publish-test.yml` - Improved **Svelte 5** / Rune compatibility in `vitest.config.client.js`: - Added `optimizeDeps.include` configuration to ensure `.svelte` files are properly transformed during testing, and to align with **Vitest 4.x** and future **Vite 6** compatibility. - Prevents `rune_outside_svelte` errors and prepares for future **Vitest 4.x** updates. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.48.3**. - Modified `.node-version` and `.nvmrc` to reflect **Node.js** version `22.21.0` (LTS). - Bumped project version to `v1.22.2`. - Updated dependencies: - `@eslint/compat` `^1.4.0` → `^1.4.1` - `@sveltejs/adapter-vercel` `^6.0.0` → `^6.1.1` - `@sveltejs/kit` `2.47.2` → `2.48.3` - `browserslist` `^4.26.3` → `^4.27.0` - `eslint-plugin-jsdoc` `^61.1.5` → `^61.1.11` - `posthog-js` `^1.278.0` → `^1.282.0` - `svelte` `5.41.1` → `5.43.0` - `vite` `^7.1.11` → `^7.1.12` --- ## [1.22.1] - 2025-10-21 ### Documentation - Updated directory structure and **static/pgp** section of `README.md`. ### Changed - Bumped project version to `v1.22.1`. - Updated the text and layout of `AboutContent.svelte`. - Added a link to the privacy email address in `PrivacyContent.svelte` and `PrivacyDashboard.svelte` for easier access. - Updated the text of `ServicesContent.svelte`. - Increased default Playwright test timeouts for navigation-sensitive suites (Desktop and Mobile) to improve stability under CI latency conditions. - Implemented `Promise.all()` pattern for combined click and navigation waits, reducing flakiness in route transition tests. - Updated the `about` link navigation tests in both Desktop and Mobile scenarios to include: - Explicit `page.waitForLoadState('domcontentloaded')` calls before assertions. - Extended per-suite timeouts (`90s`) using `test.setTimeout(90000)` for reliability on slower environments. - Added fallback `waitForURL('\*\*/about', { timeout: 60000 })` to ensure deterministic routing checks. - Adjusted test structure for consistency across device profiles and browsers. - Verified local runs remain performant while increasing tolerance for **CI network latency**. ### Fixed - Corrected `TermsUseContent.svelte` to reflect hosting by Vercel, not Netlify. - Corrected license identifier syntax on the following pages: - `AboutContent.svelte` - `FossContent.svelte` - `LicenseContent.svelte` - `PrivacyContent.svelte` - `PrivacyDashboard.svelte` - `ServicesContent.svelte` - `TermsConditionsContent.svelte` - `TermsUseContent.svelte` --- ## [1.22.0] - 2025-10-20 ### Added - Introduced **dynamic QR code image imports** using `import.meta.glob` in `src/lib/images.js`. - Implemented new `getQR()` helper function for streamlined QR lookups. - Added `QR_IMAGES` registry for centralized QR asset management. - Created dedicated PGP key data module (`src/lib/data/pgpKeys.js`) with dynamic QR bindings. - Added new app constants (`EMAIL_LINK`, `SECURE_LINK`, `PRIVACY_LINK`) to: - `src/lib/index.js` - `src/lib/types/appConstants.js` - Re-exported `src/lib/data/pgpKeys.js` from `src/lib/index.js`. - Added favicon and manifest entry for `icon-about.png`. - Introduced updated **contact assets block** in `AboutContent.svelte` with enhanced typing. - Exported `src/lib/img/powered-by-proton.svg` from `src/lib/images.js`. - Added missing JSDoc annotation to `src/lib/data/fossData.js`. - Added updated PGP key for `support@netwk.pro` (previously `support@neteng.pro`). ### Changed - Bumped project version to `v1.22.0`. - Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.47.2**. - Refactored **PGPContent.svelte** to use the `getQR()` helper and dynamic QR registry. - Refactored **AboutContent.svelte** to use the centralized `PGP_KEYS` dataset and app constants. - Split PGP key fingerprints into two lines for improved readability. - Enhanced **images.js** with support for eager QR image imports. - Replaced static PGP imports with automated dynamic resolution. - Updated **manifest.json** to reference the new app icon. - Revised layout and text consistency for PGP and contact sections in **AboutContent.svelte**. - Updated type definitions in `src/lib/types/appConstants.js` for `CONTACT` constants. - Cleaned up unused imports and improved inline JSDoc typings throughout the app. - Updated asset references in `IGNORE_PATHS` and `REQUIRED_ASSETS` in `src/service-worker.js`. - Added spacing adjustments to the tagline in **Logo.svelte**. - Updated **HeaderDefault.svelte** to reference the global constant for the **Blog** link. - Revised text and app constant usage in **HomeContent.svelte**. - Updated the contact section and **Effective Date** in **ServicesContent.svelte**. - Rebuilt `src/lib/styles/global.min.css` using **LightningCSS**. - Refreshed `_Last Modified_` timestamps in `static/sitemap.xml`. ### Fixed - Fixed SSR error caused by missing `getQR` reference during page load. - Corrected destructuring of `CONTACT` constants during SSR initialization. - Fixed fingerprint rendering fallback when fingerprint type was non-array. - Adjusted QR image alignment and eager/lazy decoding behavior. ### Removed - Deleted outdated static assets from `static/pgp`, replaced with dynamically loaded QR images. - Removed redundant manual image imports from legacy sections of `images.js`. - Removed unnecessary comment block from the `<head>` section of `src/app.html`. - Removed `font-weight: bold` property from the `.fingerprint` CSS class in `src/lib/styles/css/default.css`. ### 🧩 Technical Notes - Updated `vite` from `v7.1.10` → `v7.1.11` to address **CVE-2025-62522**. - Updated dependencies for SvelteKit `2.47.2` compatibility: - `@sveltejs/kit`, `svelte`, `vite`, and `eslint`-related plugins. - Cleaned up build cache and service worker registration logic in `src/service-worker.js`. --- ## [1.21.1] - 2025-10-17 ### Added - Introduced universal relay mock handler at `src/routes/relay-[slug]/[...catchall]/+server.js` to consolidate test-only endpoints such as `flags`, `config`, and `config.js`. - Added fallback support for `GET`, `HEAD`, and `OPTIONS` methods within the catchall relay handler. ### Changed - Bumped project version to `v1.21.1`. - Standardized header in various files: - `.editorconfig` - `.env.template` - `.gitattributes` - `.gitignore` - `.prettierignore` - `.stylelintignore` ### Removed - Deleted unneeded comments in `stylelint.config.js` and `.markdownlint.mjs`. --- ## [1.21.0] - 2025-10-17 ### Added - Introduced modular analytics initializer at `src/lib/utils/initAnalytics.js` to handle PostHog tracking, asset preloading, and cleanup logic. ### Changed - Bumped project version to `v1.21.0`. - Added `pageleave` to `cspell.json` to support custom PostHog events. - Expanded `lint` script in `package.json` to include `.cjs` files. - Updated `src/service-worker.js` to correctly exclude `security.txt.sig` from caching. - Refactored `+layout.svelte` to use the new `initAnalytics.js` utility for cleaner side-effect management. - Updated fallback meta description logic in both `+layout.svelte` and `+layout.js`. - Adjusted `"purpose"` value in `static/manifest.json` from `"any maskable"` to `"maskable"` for improved PWA icon support. - Increased spacing before contact info in `src/lib/pages/HomeContent.svelte`. - Enhanced `registerServiceWorker.js` to skip SW registration in Firefox during development, preventing known `/@fs/` path evaluation errors. - Integrated automatic cleanup of existing service workers in `registerServiceWorker.js` when running in Firefox + dev mode. - Improved logging clarity in `registerServiceWorker.js` to better distinguish SW lifecycle behavior by environment. - Updated `unregisterServiceWorker.js` to include scoped SW logging when unregistering. - Refactored `posthog.js` to add conditional guards for suppressing noisy analytics errors in development mode. --- ## [1.20.0] - 2025-10-17 ### Added - Implemented new **Services** route at `/services`: - Created `src/routes/services/+page.server.js` and `src/routes/services/+page.svelte`. - Added full Services content in `src/lib/pages/ServicesContent.svelte`. - Introduced **Services Summary Table** component (`src/lib/components/ServiceSummaryTable.svelte`). - Added corresponding CSS for Services route in `src/lib/styles/css/default.css`. - Added PostHog Cloud proxy rewrites to `vercel.json` for analytics endpoint. - Added new terms to `cspell.json`: `hcaptcha`, `serv`, and `tshoot`. - Updated CI workflows to use **npm v11.6.2** and added `packages: write` permission with `GITHUB_TOKEN` for GPR publishing: - `.github/workflows/build-and-publish.yml` - `.github/workflows/publish-test.yml` - `.github/workflows/templates/publish.template.yml` - Updated `.github/workflows/meta-check.yml` to explicitly use the `ubuntu-24.04` runner. ### Changed - Bumped project version to `v1.20.0`. - Updated generator metadata in `src/app.html` to reflect `SvelteKit 2.47.1`. - Updated `HeaderDefault.svelte` and `HeaderHome.svelte` to include a "Services" section in navigation. - Rebuilt `src/lib/styles/global.min.css` using **LightningCSS**. - Updated content in: - `src/lib/pages/AboutContent.svelte` – added contact info and consultation link. - `src/lib/pages/HomeContent.svelte` – added company contact info. - `src/lib/pages/PrivacyContent.svelte` – added new _Security & Anti-Abuse Measures (hCaptcha)_ section. - `src/lib/pages/LicenseContent.svelte` – relocated internal comment. - Modified import handling for `RedirectPage` in `src/routes/consultation/+page.svelte`. - Updated `src/hooks.server.js`: - Corrected `isTestEnvironment` constant. - Relaxed CSP rules for development mode to support local PostHog proxy. - Updated `static/sitemap.xml` to include the `/services` route and refresh _Last Modified_ timestamps. - Updated author metadata (`@author`) from **SunDevil311** → **Scott Lopez** across all relevant JS files, including scripts, libs, and tests. - Updated dependencies: - `dompurify` `^3.2.7` → `^3.3.0` - `posthog-js` `^1.271.0` → `^1.276.0` - `semver` `^7.7.2` → `^7.7.3` - `svelte` `^5.39.9` → `^5.40.2` - `@eslint/js` `^9.37.0` → `^9.38.0` - `@playwright/test` `^1.55.1` → `^1.56.1` - `@sveltejs/adapter-vercel` `^5.10.3` → `^6.0.0` - `@sveltejs/kit` `2.44.0` → `2.47.1` - `eslint` `^9.37.0` → `^9.38.0` - `eslint-plugin-jsdoc` `^60.8.2` → `^61.1.4` - `markdownlint` `^0.38.0` → `^0.39.0` - `playwright` `^1.55.1` → `^1.56.1` - `svelte-check` `^4.3.2` → `^4.3.3` - `vite` `^7.1.9` → `^7.1.10` ### Removed - Deleted redundant comment from `src/routes/layout.svelte`. ### 🧩 Technical Notes <!-- markdownlint-disable MD036 --> **PostHog Proxy and CSP Adjustments** - Introduced `/relay-MSR0` reverse proxy via **Vercel rewrites** to route PostHog analytics traffic through the site origin, improving privacy compliance and avoiding CORS preflight requests. - Updated `vercel.json` accordingly to map: - `/relay-MSR0/static/(.*)` → `https://us-assets.i.posthog.com/static/$1` - `/relay-MSR0/(.*)` → `https://us.i.posthog.com/$1` - Adjusted Content Security Policy (CSP) in `src/hooks.server.js`: - Removed explicit `/relay-MSR0` source from `connect-src` (invalid in CSP). - `'self'` now implicitly allows `/relay-MSR0` requests on the same origin. - Development CSP remains more permissive (`unsafe-inline`, `unsafe-eval`, `localhost:*`) for compatibility with PostHog local testing. **Miscellaneous** - Confirmed `initPostHog()` dynamic import strategy prevents SSR evaluation errors. - Verified service worker (`service-worker.js`) continues caching non-PostHog requests correctly. - Verified `Strict-Transport-Security` and other headers remain unaffected by proxy rewrite behavior. <!-- markdownlint-enable MD036 --> --- ## [1.19.0] - 2025-10-06 ### Added - **`src/lib/components/index.js`**, **`src/lib/components/foss/index.js`**, **`src/lib/components/layout/index.js`** - Introduced explicit component export modules to improve import consistency across the library. - Added wildcard exports in `src/lib/index.js` for these component modules, enabling `$lib/components/...` shorthand imports. - **`tests/unit/client/lib/PWAInstallButton.test.js`** - Added focused unit tests for `PWAInstallButton.svelte` verifying install-event handling and user-prompt logic using `Vitest` and `@testing-library/svelte`. - **`src/lib/README.md`**, **`src/lib/types/README.md`** - Added contextual documentation for the library and type definition directories. - Clarifies module structure, export hierarchy, and intended usage for contributors. ### Changed - Bumped project version to `v1.19.0`. - Updated `src/lib/pages/AboutContent.svelte` with new services - Added DOM and animation mocks (`window.matchMedia`, `Element.prototype.animate`) to `vitest-setup-client.js` to stabilize component transition tests. - Updated `src/lib/index.js` to export all component and utility submodules explicitly, replacing previous implicit import behavior. - Centralized page-level component exports in `src/lib/pages/index.js` for consistent import structure. - Updated `src/routes/+layout.svelte` to import objects from submodules, instead of by their explicit alias - Minor alignment in `src/routes/+page.svelte` and `src/routes/links/+page.svelte` with updated component imports - Moved inline CSS fom `src/lib/components/FullWidthSection.svelte` into `src/lib/styles/css/default.css` - Generated an updated `src/lib/styles/global.min.css` file with LightningCSS - Updated `.gitignore` to remove duplicate `.vercel` entry - Updated last modified dates in `static/sitemap.xml` - Updated dependencies: - `eslint-plugin-jsdoc` `^60.8.1` → `^60.8.2` - `posthog-js` `^1.270.1` → `^1.271.0` - `svelte` `5.39.8` → `5.39.9` --- ## [1.18.5] - 2025-10-05 ### Added - Added Vercel CLI scripts to `package.json`, including `dev:vercel` and `build:vercel`. ### Changed - Bumped project version to `v1.18.5`. - Updated generator metadata in `app.html` to reflect `SvelteKit 2.44.0`. - Added `scripts/testRedirects.js` to `.gitignore`. - Cleaned up header in `jsconfig.template.jsonc`. - Updated **Repository Structure** section in `README.md`. - Restructured `CHANGELOG.md` such that sections are presented in alphabetical order. - Corrected JSDoc annotations in `static/disableSw.js`. - Updated dependencies: - `@sveltejs/kit` `2.43.8` → `2.44.0` - `eslint-plugin-jsdoc` `^60.8.0` → `^60.8.1` ### Documentation - Revised **Repository Structure** to accurately reflect the folders under `/tests`. ### Removed - Removed all references to Netlify and all Netlify-specific scripts from `package.json`. - Removed `test:redirects` script from `package.json`. - The `testRedirects.js` script has been removed from version control, as it is no longer needed to test Netlify redirects. --- ## [1.18.4] - 2025-10-04 ### Changes - Bumped project version to `v1.18.4`. - Updated **npm** to `v11.6.1` in CI workflows: - `.github/workflows/build-and-publish.yml` - `.github/workflows/lighthouse.yml` - `.github/workflows/playwright.yml` - `.github/workflows/publish-test.yml` - `.github/workflows/templates/publish.template.yml` - Updated **Repository Structure** section in `README.md`. - Updated dependencies: - `@eslint/js` `^9.36.0` → `^9.37.0` - `@sveltejs/adapter-vercel` `^5.10.2` → `^5.10.3` - `@sveltejs/kit` `2.43.5` → `2.43.8` - `@testing-library/jest-dom` `^6.8.0` → `^6.9.1` - `browserslist` `^4.26.2` → `^4.26.3` - `eslint` `^9.36.0` → `^9.37.0` - `eslint-plugin-jsdoc` `^60.4.1` → `^60.8.0` - `lightningcss` `^1.30.1` → `^1.30.2` - `posthog-js` `^1.268.6` → `^1.270.1` - `stylelint` `^16.24.0` → `^16.25.0` - `svelte` `5.39.6` → `5.39.8` - `typescript` `^5.9.2` → `^5.9.3` - `vite` `^7.1.7` → `^7.1.9` ### Documentation - Updated **Repository Structure** to reflect current environment and files. --- ## [1.18.3] - 2025-09-27 ### Changed - Bumped version to `v1.18.3`. - Updated `README.md` to reflect hosting by Vercel. - Standardized header in the following files: - `.editorconfig` - `.gitattributes` - `.gitignore` - `.prettierignore` - `.stylelintignore` - `CHANGELOG.template.md` --- ## [1.18.2] - 2025-09-27 ### Changed - Bumped version to `v1.18.2`. - Replaced Netlify badge with Vercel badge in `README.md`. --- ## [1.18.1] - 2025-09-27 ### Changed - Bumped version to `v1.18.1`. - Removed `www` redirect from `vercel.json`. ### Notes - Instead of an app redirect, the `www` subdomain is now set up with a CNAME record --- ## [1.18.0] - 2025-09-27 ### Changed - Bumped version to `v1.18.0`. - Updated Node.js version in `.node-version` and `.nvmrc` to `22.20.0` for compatibility with Vercel. - Updated CI workflows to utilize `node-version: 22`: - `build-and-publish.yml` - `lighthouse.yml` - `meta-check.yml` - `playwright.yml` - `publish-test.yml` - `templates/publish.template.yml` - Migrated hosting and serverless functions from **Netlify** to **Vercel**. - Updated deployment configuration to use `@sveltejs/adapter-vercel` in place of `@sveltejs/adapter-netlify`. - Cleaned up Netlify-specific files and settings: - Removed `netlify.toml` and Netlify plugin configuration. - Removed unused SMTP-related environment variables (`SMTP_*`, `MAIL_ENABLED`, `NOTIFY_EMAIL`). - Replaced `_redirects` with Vercel-managed redirects and rewrites in `vercel.json`. - Updated environment configuration to define `ENV_MODE` within Vercel project settings. - Adjusted `engines.npm` requirement in `package.json` from `>=11.0.0 <12` to `>=10.0.0 <12` for compatibility with Vercel. ### Removed - Deleted `netlify.toml` and `_redirects`. - Removed `vercel.json` from `.gitignore`. --- ## [1.17.2] - 2025-09-27 ### Changed - Bumped version to `v1.17.2`. - Updated generator metadata in `app.html` to reflect `SvelteKit 2.43.5`. - Updated Node.js version in `.node-version` and `.nvmrc` to `24.9.0`. - Updated `actions/checkout`, `actions/setup-node`, and `actions/download-artifact` in the following files in `.github/workflows`: - `templates/publish.template.yml` - `backup-branch.yml` - `build-and-publish.yml` - `check-security-txt-expiry.yml` - `dependency-review.yml` - `lighthouse.yml` - `playwright.yml` - `publish-test.yml` - Updated JSDoc linting step and `sed` syntax in the following workflows: - `templates/publish.template.yml` - `publish-test.yml` - Upgraded dependencies: - `@eslint/compat` `^1.3.2` → `^1.4.0` - `@eslint/js` `^9.35.0` → `^9.36.0` - `@playwright/test` `^1.55.0` → `^1.55.1` - `@sveltejs/kit` `2.42.1` → `2.43.5` - `@sveltejs/vite-plugin-svelte` `^6.2.0` → `^6.2.1` - `eslint` `^9.35.0` → `^9.36.0` - `eslint-plugin-jsdoc` `^58.1.1` → `^60.4.1` - `eslint-plugin-svelte` `^3.12.3` → `^3.12.4` - `playwright` `^1.55.0` → `^1.55.1` - `posthog-js` `^1.266.0` → `^1.268.6` - `svelte` `5.39.1` → `5.39.6` - `svelte-check` `^4.3.1` → `^4.3.2` - `svelte-eslint-parser` `^1.3.2` → `^1.3.3` --- ## [1.17.1] - 2025-09-17 ### Changed - Bumped version to `v1.17.1`. ### Security - Patched transitive vulnerabilities by pinning dependencies via `overrides`: - Forced `tmp` to `>=0.2.4` (resolves CVE-2025-54798 reported via `@lhci/cli`). - Forced `cookie` to `^1.0.0` (used by `@sveltejs/kit` and `@lhci/cli`). --- ## [1.17.0] - 2025-09-17 ### Added - New `meta-check.yml` GitHub Actions workflow to validate `<title>` and `<meta>` descriptions using Vitest. - Runs separately from Playwright to avoid hydration timing issues. - Ensures SEO metadata is tested in CI without blocking other jobs. - New `meta.test.js` file in `tests/unit/meta` for testing in CI. - New `meta.test.js` file in `tests/unit/server` for local testing. ### Changed - Bumped version to `v1.17.0`. - Cleaned up Playwright E2E tests: - Removed brittle `toHaveTitle` assertions causing CI failures. - Standardized footer checks to use helper function. - Improved test readability and consistency in `app.spec.js` and `mobile.spec.js`. - Updated generator metadata in `app.html` to reflect `SvelteKit 2.42.1`. - Updated Node.js version in `.node-version` and `.nvmrc` to `24.8.0`. - Updated CSP endpoint section and footer in `README.md`. - Updated JSDoc linting step and `sed` syntax in `build-and-publish.yml` workflow. - Updated `npm` version to `11.6.0` in GitHub Actions workflow files: - `build-and-publish.yml` - `lighthouse.yml` - `playwright.yml` - `publish-test.yml` - `templates/publish.template.yml` - Upgraded dependencies: - `@eslint/compat` `^1.3.1` → `^1.3.2` - `@eslint/js` `^9.32.0` → `^9.35.0` - `@playwright/test` `^1.54.1` → `^1.55.0` - `@sveltejs/adapter-netlify` `^5.1.0` → `^5.2.3` - `@sveltejs/kit` `2.27.0` → `2.42.1` - `@sveltejs/vite-plugin-svelte` `^6.1.0` → `^6.2.0` - `@testing-library/jest-dom` `^6.6.4` → `^6.8.0` - `browserslist` `^4.25.1` → `^4.26.2` - `dompurify` `^3.2.6` → `^3.2.7` - `eslint` `^9.32.0` → `^9.35.0` - `eslint-plugin-jsdoc` `^52.0.2` → `^58.1.1` - `eslint-plugin-svelte` `^3.11.0` → `^3.12.3` - `globals` `^16.3.0` → `^16.4.0` - `playwright` `^1.54.1` → `^1.55.0` - `posthog-js` `^1.258.4` → `^1.266.0` - `stylelint` `^16.23.0` → `^16.24.0` - `svelte` `5.37.2` → `5.39.1` - `svelte-check` `^4.3.0` → `^4.3.1` - `svelte-eslint-parser` `^1.3.0` → `^1.3.2` - `vite` `^7.0.6` → `^7.1.5` ### Documentation - Clarified CSP reporting setup in `README.md`: - Explained relationship with external CSP reporting endpoint (`csp-endpoint` repo). - Documented use of both `report-uri` (legacy) and `report-to` (modern, recommended). - Added example headers including `Report-To` definition. ### Removed - Deleted `src/routes/example.svx`, which was unused and unneeded. - Removed `mdsvex` from package.json, as it is unlikely to be used. ### Security - Updated dependencies to address known vulnerabilities (notably `@sveltejs/kit`, `vite`, and related plugins). ### Notes - Pinned `jsdom` to `26.1.0` due to build incompatibility in `27.x` (`cssstyle` parsing error with Vite/Rollup). --- ## [1.16.0] - 2025-07-31 ### Added - Added `CODE_OF_CONDUCT.md` and `CONTRIBUTING.md` to project root to provide instructions for contributing. ### Changed - Bumped version to `v1.16.0`. - Updated generator metadata in `app.html` to reflect `SvelteKit 2.27.0`. - Added `vercel.json` to `.gitignore`. - Added additional rule overrides to `stylelint.config.js` to suppress unnecessarily strict linting errors - The errors were corrected and the rule overrides are currently commented out - Updated `npm` to `11.5.2` in the following files in `.github/workflows` - `build-and-publish.yml` - `lighthouse.yml` - `playwright.yml` - `publish-test.ml` - `templates/publish.template.yml` - Upgraded dependencies: - `@eslint/js` `^9.31.0` → `^9.32.0` - `@sveltejs/kit` `2.25.1` → `2.27.0` - `@testing-library/jest-dom` `^6.6.3` → `^6.6.4` - `eslint` `^9.31.0` → `^9.32.0` - `eslint-plugin-jsdoc` `^51.4.1` → `^52.0.2` - `posthog-js` `^1.257.0` → `^1.258.4` - `stylelint` `^16.22.0` → `^16.23.0` - `stylelint-config-recommended` `^16.0.0` → `^17.0.0` - `svelte` `5.36.12` → `5.37.2` - `typescript` `^5.8.3` → `^5.9.2` - `vite` `^7.0.5` → `^7.0.6` ### Fixed - Corrected deprecated CSS usage throughout the project in the following files: - `src/lib/components/Badges.svelte` - `src/lib/components/Logo.svelte` - `src/lib/components/layout/Footer.svelte` - `src/lib/pages/LicenseContent.svelte` - `src/lib/styles/css/default.css` - `src/lib/styles/css/styles.css` - `src/routes/consultation/+page.svelte` - Generated new `global.min.css` stylesheet with LightningCSS. - Resolved `svelte-check` type error in `PGP key download endpoint` by replacing Node.js `Buffer` with a standards-compliant `Uint8Array` in the `Response()` constructor. --- ## [1.15.4] - 2025-07-20 ### Changed - Bumped version to `v1.15.4` - **Updated "Copy SMS Code - OTP Helper" entry** in `src/lib/data/fossData.js` to maintain visual consistency with previous "FOSS Spotlight" entries --- ## [1.15.3] - 2025-07-20 ### Added - New FOSS Spotlight entry: **Copy SMS Code – OTP Helper** - Added `otp-helper.png` and `otp-helper.webp` to `src/img/posts` - Imported image assets via `images.js` as `otphelpPng` and `otphelpWbp` ### Changed - **Bumped version** to `v1.15.3` - **Updated Node.js version** to `v24.4.1` in `.node-version` and `.nvmrc` - **Updated generator metadata** in `app.html` to reflect `SvelteKit 2.25.1` - **Updated "Last Updated"** timestamp on FOSS Spotlight to `2025-07-20` - **Updated `sitemap.xml`** with current post dates - **Upgraded dependencies**: - `@sveltejs/adapter-netlify` from `^5.0.2` to `^5.1.0` - `@sveltejs/kit` from `2.22.5` to `2.25.1` - `@sveltejs/vite-plugin-svelte` from `^6.0.0` to `^6.1.0` - `eslint-config-prettier` from `^10.1.5` to `^10.1.8` - `eslint-plugin-jsdoc` from `^51.3.4` to `^51.4.1` - `eslint-plugin-svelte` from `^3.10.1` to `^3.11.0` - `stylelint` from `^16.21.1` to `^16.22.0` - `svelte` from `5.35.6` to `5.36.12` - `svelte-check` from `^4.2.2` to `^4.3.0` - `svelte-eslint-parser` from `^1.2.0` to `^1.3.0` - `vite` from `^7.0.4` to `^7.0.5` --- ## [1.15.2] - 2025-07-12 ### Added - Added `Disallow` directives to `static/robots.txt` for stub routes: - `/consultation` - `/links` - `/posts` ### Changed - Updated `README.md` to reflect the updated directory structure after removing the `netlify/` directory. --- ## [1.15.1] - 2025-07-12 ### Added - Added `Report-To` header in `src/hooks.server.js` to support modern CSP reporting ### Changed - Bumped project version to `1.15.1` - Updated CSP report URL in `src/hooks.server.js` to use external endpoint - Updated `sitemap.xml` to reflect latest site structure - Updated `.node-version` and `.nvmrc` to `v24.4.0` - Cleaned up `netlify.toml`: - Removed `[[edge_functions]]` block - Confirmed `ENV_MODE` remains for internal tooling - Updated to latest versions: - `@eslint/js` to `^9.31.0` - `@playwright/test` to `^1.54.1` - `@sveltejs/kit` to `2.22.5` - `@sveltejs/vite-plugin-svelte` to `6.0.0` - `eslint` to `^9.31.0` - `eslint-plugin-jsdoc` to `^51.3.4` - `playwright` to `^1.54.1` - `posthog-js` to `^1.257.0` - `stylelint` to `^16.21.1` - `svelte` to `5.35.6` - `vite` to `7.0.4` ### Removed - Deleted `/netlify/edge-functions/` and `csp-report.js` (CSP report handling is now in its own project) - Removed `tests/unit/server/csp-report.test.js` from project, as CSP endpoint has been relocated --- ## [1.15.0] - 2025-07-01 ### Added - `redirect.js` utility to handle browser-aware redirects with fallback logic for Firefox. - Unit test for `redirect.js` under `tests/unit/client/lib/utils/redirect.test.js`. - `/consultation` redirect route to `utm.js` UTM-tracking logic. - Redirect from `/foss` to `/foss-spotlight` in `_redirects`. - `scripts/testRedirect.js` to verify Netlify/SvelteKit trailing slash redirect behavior. - `test:redirects` script in package.json to trigger `scripts/testRedirects.js` - Logic to suppress `rel="noopener noreferrer"` on internal redirects in `HeaderHome.svelte` and `HeaderDefault.svelte` - `redirect` flag to navigation metadata to distinguish internal redirect behavior in `HeaderHome.svelte` and `HeaderDefault.svelte` ### Changed - Bumped version to **v1.15.0** - Restructured unit tests: - Moved `purify.test.js` to `tests/unit/client/lib/utils/` - Moved `utm.test.js` to `tests/unit/client/lib/utils/` - Moved `unregisterServiceWorker.test.js` to `tests/unit/client/lib/utils/` - Moved `page.svelte.test.js` to `tests/unit/client/routes/` - Moved `checkEnv.test.js`, `checkVersions.test.js`, and `csp-report.test.js` to `tests/unit/server/` - Moved `auditCoverage.test.js` to `tests/unit/server/internal/` - Refactored `_redirects` file: - Removed trailing slashes to match SvelteKit/Netlify conventions. - Updated `RedirectPage.svelte` to use `redirectWithBrowserAwareness()` for better cross-browser redirect behavior. - Refactored all relevant `+page.svelte` files to remove local redirect timeouts and centralize logic in `RedirectPage`. - Updated `vitest.config.client.js` and `vitest.config.server.js` to: - Reflect new directory structure - Properly assign `jsdom` for client-side tests and `node` for server-side tests - `/consultation`, `/contact`, `/links`, `/posts`, and `/privacy-rights` `+page.svelte` files updated to capture UTM parameters in a privacy-preserving manner. - Moved inline styles from `RedirectPage.svelte` to `src/lib/styles/css/default.css`, including `@keyframes spin` animation used by `.loading-spinner` - Removed unnecessary `rel` attribute from internal links in `AboutContent.svelte`, `LicenseContent.svelte`, and `PrivacyDashboard.svelte` - Updated project README with revised directory structure reflecting separate client/server test folders. - Upgraded dependencies: - `globals` `^16.2.0` → `^16.3.0` ### Fixed - Firefox-specific issue where delayed `window.location.replace()` triggered a new tab instead of redirecting in the same window — now handled by bypassing the delay in Firefox. - Prevented server-context tests from breaking due to `window` usage by scoping them to client-only environments. ## Removed - `head:flatten` and `head:validate` scripts in package.json, as the `_headers` file has been deprecated --- ## [1.14.3] - 2025-06-30 ### Added - Manual event capture for redirect pages using PostHog, with automatic UTM parameter extraction - Utility function `getUTMParams` for parsing UTM query values from URLs - `trackingEnabled` named export from `trackingPreferences.js` for cleaner consumption ### Changed - Bumped version to **v1.14.3** - Refactored redirect logic in multiple pages to integrate UTM-aware analytics - All redirect pages now consistently open in a new browser tab using `<a>` fallback - Enhanced `utm.js` logic to support campaign identification for `/contact`, `/links`, `/posts`, and `/privacy-rights` - Updated `generator` metadata in `app.html` to `SvelteKit 2.22.2` - Modified `HomeContent.svelte` to use app constant for blog link - Removed inline styles from redirect pages and integrated them into the main stylesheet - Renamed "Data Sharing" section in Privacy Policy to "Legal Requests and Data Disclosure" - Expanded the above section to strengthen users' legal rights and privacy protections - Updated Privacy Policy effective date to June 30, 2025 ### Fixed - Reinstated filtering logic in `csp-report.js` to suppress low-value or noisy CSP violations - Resolved `ReferenceError` in `utm.test.js` by reordering mocked imports for `$app/environment` and `$app/stores` to comply with Vitest's hoisting behavior --- ## [1.14.2] - 2025-06-30 ### Added - Added Node.js and npm environment checks to `build-and-publish.yml`. - Added `.github/workflows/templates/publish.template.yml` for reuse in other org repos. - JSDoc linting now outputs violation details for better visibility during CI checks ### Changed - Version bumped to **v1.14.2** - Corrected naming of `check-security-txt-expiry.yml` - Updated Node version reference in `.node-version` and `.nvmrc` to `24.3.0` - Aligned environment context (`ENV_MODE: ci`) in `check-codeql` workflow to match `build-and-publish.yml` standardization - Updated Node to `24` and npm to `11.4.2` across multiple workflows (`build-and-publish.yml`, `lighthouse.yml`, `playwright.yml`, and `publish-test.yml`) for version alignment - Upgraded dependencies: - `@eslint/compat` ^1.3.0 → ^1.3.1 - `@eslint/js` ^9.29.0 → ^9.30.0 - `@lhci/cli` ^0.15.0 → ^0.15.1 - `@playwright/test` ^1.53.0 → ^1.53.2 - `@sveltejs/kit` 2.21.5 → 2.22.2 - `@vitest/coverage-v8` ^3.2.3 → ^3.2.4 - `browserslist` ^4.25.0 → ^4.25.1 - `eslint` ^9.29.0 → ^9.30.0 - `eslint-plugin-jsdoc` ^51.0.1 → ^51.3.1 - `eslint-plugin-svelte` ^3.9.2 → ^3.10.1 - `playwright` ^1.53.0 → ^1.53.2 - `posthog-js` ^1.253.4 → ^1.256.0 - `prettier` ^3.5.3 → ^3.6.2 - `stylelint` ^16.20.0 → ^16.21.0 - `svelte` 5.34.3 → 5.34.9 - `svelte-check` ^4.2.1 → ^4.2.2 - `vitest` ^3.2.3 → ^3.2.4 ### Fixed - Updated `check-security-txt-expiry.yml` to use correct path for `security.txt` (now looks in `static/.well-known/`) --- ## [1.14.1] - 2025-06-16 ### Added - Introduced `.github/workflows/publish-test.yml`, a standalone workflow to safely simulate `npm publish` without publishing. - Added commands to display Node.js and npm versions for visibility and troubleshooting in all relevant jobs. ### Changed - Updated Node.js engine to `24` to match the specified engine constraints in `package.json`. - Reordered `npm ci` step to follow Node.js and npm setup to prevent version mismatches during simulation steps. - Refactored `build-and-publish.yml` to use `git archive` for artifact preparation and aligned it with a tested publishing flow. - Removed `.npmrc` token-based authentication in favor of environment secrets to avoid credential conflicts. --- ## [1.14.0] - 2025-06-16 ### Changed - Commented out registry and auth lines in `.npmrc`, retaining only `engine-strict=true` to streamline CI token handling and prevent conflicts ### Reverted - Temporarily reverted `build-and-publish.yml` to prior, working workflow to confirm publish capability before attempting archive-based improvements --- ## [1.13.8] - 2025-06-16 ### Added - Added `cryptomator.png` and `cryptomator.webp` images for use in the FOSS Spotlight route - Imported assets via image utility (`src/lib/images.js`) as `cryptomPng` and `cryptomWbp` - Introduced `cryptomator` entry to `fossData.js` - Added `COMMIT_GUIDE.md` to help standardize commit message formatting across contributions ### Changed - Updated `build-and-publish.yml` to use an allowlist-based upload approach, explicitly including root-level files and directories (`.github/`, `.vscode/`, `netlify/`, `scripts/`, `src/`, `static/`, and `tests/`) - Updated meta `author` field in `app.html` to `Scott Lopez` - Version bumped to **v1.13.8** - Upgraded dependencies: - `postcss` updated from `^8.5.5` → `^8.5.6` - `posthog-js` updated from `^1.252.1` → `^1.253.4` --- ## [1.13.7] - 2025-06-15 ### Changed - Added pre-publish steps in `build-and-publish.yml` to recursively list all files and top-level directory contents for auditing - Version bumped to **v1.13.7** --- ## [1.13.6] - 2025-06-15 ### Added - Introduced `.github/workflows/check-codeql.yml` reusable workflow to validate successful CodeQL analysis during CI - Added `.github/workflows/templates/check-codeql.template.yml` for documentation and workflow templating purposes ### Changed - Replaced inline `check-codeql` job in `.github/workflows/build-and-publish.yml` with call to reusable workflow - Updated `.node-version` and `.nvmrc` from `24.1.0` → `24.2.0` to reflect upgraded Node.js binary - Replaced `ℹ️` symbol with `🛈` in `bootstrap.local.sh` to improve clarity in terminals - Version bumped to **v1.13.6** - Upgraded dependencies: - `posthog-js` updated from `1.252.0` → `1.252.1` --- ## [1.13.5] - 2025-06-14 ### Added - Introduced `links/` and `posts/` redirect routes for improved navigation and backward compatibility - Added `proton-img` and `qrcode-img` utility classes to global stylesheet to eliminate inline styles in `PGPContent.svelte` - Set `decoding="sync"` and `loading="eager"` on the first QR code image and the Proton Mail badge to improve perceived load performance and visual smoothness - Added `rel="noopener noreferrer"` support to `RedirectPage.svelte`, now used by the new `/links` and `/posts` routes - Revised `obtainium-img` class in stylesheets to improve Obtainium image rendering on mobile and enhance overall clarity - Added a new `scripts/bootstrap.local.sh` script to streamline local development setup, including OS detection and Playwright dependencies - Added a new “Environment Requirements” Wiki page to consolidate Node version constraints, setup instructions, and local dev tooling guidance - Replaced the detailed "Getting Started" section in `README.md` with a concise reference to the Wiki and a minimal quickstart snippet ### Changed - Promoted Node.js and npm version enforcement details from README to the Wiki for centralized documentation - Removed low-priority CSP report filtering in `csp-report.js` to allow all violations to be logged and reviewed - Reordered CSS rules to resolve `no-descending-specificity` warnings triggered by focus selectors - Updated `HeaderHome.svelte` and `HeaderDefault.svelte` to use `PAGE.SELF` and `PAGE.BLANK` constants for target behavior - Updated `AboutContent.svelte` to use application constant instead of hardcoded value - Removed unused `COMPANY_INFO` destructured constant from `PGPContent.svelte` - Upgraded dependencies: - `svelte` updated from `5.34.1` → `5.34.3` - Fixed schema warning in GitHub issue template by replacing `assignees: []` with `assignees: SunDevil311` - Version bumped to **v1.13.5** ### Fixed - Restored consistent `:visited` link color by forcing `color: #cba557 !important` across all visited interaction states - Prevented gold-on-gold text issue when focusing visited links - Rolled back enhanced `:focus-visible` styles to resolve flicker and override conflicts during fast navigation ### Removed - Removed unneeded demo unit test (`demo.test.js`) from `tests/unit` --- ## [1.13.4] - 2025-06-13 ### Changed - Version bumped to **v1.13.4** - Replaced legacy detached signature file `security.txt.asc` with a new `security.txt.sig` format for consistency and clarity --- ## [1.13.3] - 2025-06-13 ### Changed - Upgraded dependencies: - `@eslint/js` updated from `^9.28.0` → `^9.29.0` - `@sveltejs/kit` updated from `2.21.4` → `2.21.5` - `eslint` updated from `^9.28.0` → `^9.29.0` - Updated `generator` meta tag in `app.html` to reflect `SvelteKit 2.21.5` - Added note to `.well-known/security.txt` clarifying detached signature availability - Replaced "Recommended Toolchain," "Tooling Configuration," and "Available Scripts" sections in `README.md` with a new “Development Reference” section linking to the Wiki - Removed `static/styles/` directory, as the stylesheets are now dynamically imported - Removed stylesheets from `static/styles` from the Service Worker cache configuration - Removed `scripts/flattenHeaders.js` and `scripts/validateHeader.js`, which were originally designed for the deprecated `_headers` file - Version bumped to **v1.13.3** --- ## [1.13.2] - 2025-06-12 ### Changed - Version bumped to v1.13.2 - Updated `a:visited` color to `#cba557` for improved contrast and aesthetics - Refined `a:active` color to `#e0b000` for clearer interaction feedback - Confirmed all link colors meet WCAG AA contrast standards against `#191919` background --- ## [1.13.1] - 2025-06-12 ### Added - Modularized `ObtainiumBlock.svelte` component for cleaner integration in `FossItemContent.svelte` - `heliboard.json` Obtainium configuration file for download - Dark mode-compatible styling for Obtainium blocks in the main stylesheet ### Changed - Version bumped to **v1.13.1** - Removed unnecessary PostHog preload script from `app.html` - Removed `script-src-elem 'self' 'unsafe-inline'` from CSP policy - Replaced existing Obtainium images with optimized versions - Revised `<title>` metadata for the root route - Commented out debugging `console.log` statements in the following files: - `Badges.svelte` - `LegalNav.svelte` - `MetaTags.svelte` - `Footer.svelte` - `FossItemContent.svelte` - `FossContent.svelte` - `HomeContent.svelte` - `LicenseContent.svelte` - `TermsConditionsContent.svelte` - Revised type definitions in `src/lib/types/fossTypes.js` - Added optional `obtainium` property to `FossItem` - Removed unused `hideLabels` property - Refactored `FossItemContent.svelte` to better support and display Obtainium download links and metadata - Updated `README.md` to reflect the correct location of the `static/pgp/` directory - Revised the `hooks.server.js` section in `README.md` to improve accuracy and reflect current CSP behavior - Updated `tests/e2e/app.spec.js` to assert the correct title for the root route - Upgraded dependencies: - `posthog-js` `^1.250.2` → `^1.252.0` - `eslint-plugin-jsdoc` `^50.8.0` → `^51.0.1` --- ## [1.13.0] - 2025-06-11 ### Added - Introduced `/pgp` route to publish OpenPGP contact information, download links, and QR codes - Added `.well-known/humans.txt` to document project authorship - Added `.well-known/security.txt` to define the official security contact and vulnerability disclosure policy - Linked OpenPGP keys to external directories for validation (e.g. keys.openpgp.org) - Added new GitHub Actions workflow: `check-security-txt-expiry.yml` to monitor `security.txt` expiration ### Changed - Enforced `"singleQuote": true` in `.prettierrc` and formatted the codebase using Prettier - Updated `src/service-worker.js` to exclude `security.txt.asc` from caching - CSP policy updated to allow `clipboard-write` for improved UX on PGP fingerprint buttons - Clarified that addresses under the `s.neteng.pro` domain are powered by Proton Mail and support native E2EE - Revised `SECURITY.md` and `security.txt` with accurate Proton Mail usage notes and PGP policy references ### Removed - Legacy reference to a "coming soon" PGP section in `SECURITY.md` (now live and linked) --- ## [1.12.9] - 2025-06-11 ### Added - Added `check-security-txt-expiry.yml` workflow to check `.well-known/security.txt` expiration and warn if close to expiring - Added `humans.txt` and `security.txt` to `.well-known/` directory - Added `src/lib/components/CodeBlock.svelte` component for improved inline formatting control - Updated sitemap.xml to include `.well-known/` routes and the `/pgp` route - Added link to OpenPGP results for `security@s.neteng.pro` on the `/pgp` route - Added support for copy-to-clipboard feedback on PGP fingerprint buttons - Added detached signature (`security.txt.asc`) for `.well-known/security.txt`, signed with the `security@s.neteng.pro` PGP key ### Changed - Version bump to `v1.12.9` in `package.json` - Corrected the name of `dnt-policy.txt` from `dnt-policy-1.0.txt` - Updated `src/service-worker.js` to: - Reflect correct `.well-known/dnt-policy.txt` reference - Exclude `.well-known/security.txt.asc` from caching - Applied line breaks to comment header in `jsconfig.template.jsonc` to fix formatting - Minor revision to spreadsheet display and fingerprint formatting for improved mobile responsiveness - Revised `.github/SECURITY.md`: - Removed note about “PGP section coming soon to the wiki” (now live) - Clarified Proton Mail use for `s.neteng.pro` addresses, while preserving support guidance for others - Streamlined vulnerability reporting section for clarity and correctness - Updated Content Security Policy (CSP) header to allow `clipboard-write` permission - Added Proton Mail usage note to `/pgp` route UI for `s.neteng.pro` domain only - Added equivalent Proton Mail usage comment to `.well-known/security.txt` - Upgraded dependencies: - `@eslint/compat` `^1.2.9` → `^1.3.0` - `eslint-plugin-jsdoc` `^50.7.1` → `^50.8.0` - `postcss` `^8.5.4` → `^8.5.5` - `posthog-js` `^1.250.1` → `^1.250.2` - `svelte` `5.33.19` → `5.34.1` --- ## [1.12.8] - 2025-06-11 ### Added - Created `/pgp` route with `+page.svelte`, `+page.server.js`, and supporting structure. - Added `src/lib/pages/PGPContent.svelte` for rendering PGP key information. - Dynamic routing with `src/routes/pgp/[key]/+server.js` for serving `.asc` files with correct MIME type (`application/pgp-keys`). - Support for serving QR code images statically in `/pgp` and dynamically in `/about`. - Added WebP versions of QR code images in `static/pgp/` and `src/lib/img/qr/`. - Set up dynamic import for QR images in `/about` route via `src/lib/images.js`. - Enhanced accessibility styles for focus-visible states on links. - Improved copy-to-clipboard buttons for PGP fingerprints. - Defined `ContactAssets` typedef and expanded `pgpKeys` data structure for strict typing. - README updated with new section: `static/pgp/` Directory Structure. ### Changed - Modified `/about` route to reference `/pgp` and use dynamic WebP images for PGP keys. - Adjusted `src/lib/meta.js` to include metadata for the `/pgp` route. - Canonical links in `static/bin/CC-BY-4.0.html` and `static/bin/COPYING.html` updated to reflect new paths. - Service worker updated to exclude `.asc` files in `/pgp`, while continuing to cache QR image assets. - Moved license and binary files from `static/assets` to `static/bin`. - File paths updated on the `/license` route to reflect the new `/bin/license` location. - Updated sitemap.xml. - Updated `.prettierignore` to ignore `static/bin/license`. - Updated LinkSheet download in `FossItemContent.svelte` to reference `bin/linksheet.json`. - Added dynamic `lsheetDl` constant in `fossData.js`. - Updated `TermsConditionsContent.svelte` to point to `bin/consulting-terms.pdf`. - Updated `LicenseContent.svelte` to: - View HTML license file. - Use `download` attribute for all other formats. - Updated `generator` meta tag to reflect `SvelteKit 2.21.4` - Upgraded dependencies: - `@playwright/test` updated from `^1.52.0` → `^1.53.0` - `@sveltejs/kit` updated from `2.21.3` → `2.21.4` - `eslint-plugin-svelte` updated from `^3.9.1` → `^3.9.2` - `playwright` updated from `^1.52.0` → `^1.53.0` - `posthog-js` updated from `^1.249.5` → `^1.250.1` - `svelte` updated from `5.33.18` → `5.33.19` ### Fixed - Resolved TypeScript and JSDoc typing errors in `AboutContent.svelte` and `PGPContent.svelte`. - Verified fallback behavior on `/pgp/[key]` for unknown files: - `.asc` files return "File not found". - All others fall through to 404. - Adjusted `function copy(text)` with explicit JSDoc type for parameter. - Removed stale references to deleted assets in service worker config. --- ## [1.12.7] - 2025-06-09 ### Changed - Permissions in `playwright.yml` reduced to `contents: read` to align with least-privilege practices. - Renamed "Upload Playwright Report" step for clarity and naming consistency. - Patch version bumped to **v1.12.7** to reflect post-tag changes. ### Security - Explicit `GITHUB_TOKEN` permissions added to `.github/workflows/build-and-publish.yml` to satisfy GitHub policy while preserving least-privilege. - Reviewed and reduced permissions in `playwright.yml` to `contents: read` as no elevated scopes are currently required. - Confirmed `auto-assign.yml` uses appropriate scopes for issue/PR auto-assignment (`issues: write`, `pull-requests: write`, `contents: read`). - Validated that `dependency-review.yml` and `backup-branch.yml` are properly scoped; no changes required. --- ## [1.12.6] - 2025-06-09 ### Added - Enabled non-blocking Lighthouse CI budget assertions to track performance/resource regressions without blocking the build. - Added GitHub Actions step to annotate PRs with budget-related audit failures and post a markdown summary comment. - Introduced a dedicated `Authenticate GitHub CLI` step in the Lighthouse workflow to ensure proper auth for comment posting. - Added `/legal`, `/legal/`, and `/legal/*` redirects to Netlify `_redirects` file, pointing to `/license`. - Added `/privacy-policy/` and `/privacy-policy/*` redirects to match existing `/privacy-policy` route. - Created `scripts/openReport.js`, a cross-platform Node.js utility for opening HTML coverage reports for client and server test runs. Executed via `coverage:client` and `coverage:server` scripts in `package.json`. - Added `coverage:client`, `coverage:server`, and `coverage:open` scripts to `package.json` to simplify access to generated test coverage reports from the CLI. ### Changed - Bumped patch version to `v1.12.6`. - Updated Lighthouse CI workflow to upload the entire `.lighthouseci/` directory as a single artifact instead of renaming individual files. - Updated ESLint config (`eslint.config.mjs`) to ignore `**/playwright-report/**` and `**/test-results/**`. - Updated `lint:md` script in `package.json` to exclude `playwright-report/` and `test-results/` from markdownlint. - Added `playwright-report/` and `test-results/` to `.stylelintignore` to suppress stylelint noise on generated reports. - Upgraded `@lhci/cli` from `v0.14.0` to `v0.15.0`. - Upgraded `@vitest/coverage-v8` from `v3.2.2` to `v3.2.3`. - Upgraded `posthog-js` from `v1.249.4` to `v1.249.5`. - Upgraded `vitest` from `v3.2.2` to `v3.2.3`. ### Documentation - Updated `README.md` with improved context and phrasing around the CHANGELOG reference. - Added `CHANGELOG.md` to the documented project structure with a descriptive label: ```markdown ├── CHANGELOG.md # Chronological record of notable project changes ``` ### Fixed - Updated Lighthouse CI annotation step to explicitly select only valid Lighthouse report files (e.g., `*.report.json`, `lhr-*.json`) and ignore `assertion-results.json`, which caused `jq` parsing errors during CI runs. - Scoped Lighthouse assertions in `.lighthouserc.cjs` to `resource-summary` only, preventing unwanted failures from default performance audits. - Resolved malformed PR comment formatting in the Lighthouse GitHub Actions workflow by replacing Markdown tables with plain-text bullet lists. ### Notes - Confirmed that `Authenticate GitHub CLI` is not needed in `build-and-publish.yml`, as only the `check-codeql` job uses the GitHub CLI and is already authenticated. - Verified that `scripts/openReport.js` does not require unit testing, as it performs side-effect-only CLI actions. Linting and manual testing are sufficient. --- ## [1.12.5] - 2025-06-08 ### Added - Added `squircle` section to `src/lib/data/fossData.js`. - Added Squircle CE images to `src/lib/img/` and imported them via the image utility (`src/lib/images.js`). ### Changed - Quoted `name` and `steps.name` fields in `auto-assign.yml` and `dependency-review.yml` to prevent potential YAML parsing issues. - Replaced `GITHUB_TOKEN` with `NWPRO_GPR` in the `build-and-publish.yml` workflow. - Upgraded `svelte` to `v5.33.18` and `@sveltejs/kit` to `v2.21.3`. - Updated the `generator` meta tag in `app.html` to reflect the new `@sveltejs/kit` version. - Updated "Last Updated" date in `FossContent.svelte` to reflect the Squircle CE post addition. - Revised page modification dates in `sitemap.xml` for FOSS Spotlight, Privacy Policy, and Legal, Licensing, and Copyright. ### Removed - Removed unused `GITHUB_TOKEN` permissions from `build-and-publish.yml`. - Removed the unnecessary "Authenticate GitHub CLI" step from `build-and-publish.yml`. --- ## [1.12.4] - 2025-06-05 ### Added - Introduced `.md-smart-quotes.js` script for use with markdownlint to flag "smart quotes" in Markdown files. ### Changed - Cleaned up `IGNORE_PATHS` in `src/service-worker.js`: removed the `static/docs/` entry, as the directory no longer exists. - Upgraded development dependencies: - `@vitest/coverage-v8` - `posthog-js` - `vitest` - Corrected the "Effective Date" in `LICENSE.md`. - Refactored `.markdownlint.jsonc` into `.markdownlint.mjs` to support the custom linting script. ### Removed - Removed the entire `static/docs/` directory; its contents have been migrated to the [Wiki](https://github.com/netwk-pro/netwk-pro.github.io/wiki). --- ## [1.12.3] - 2025-06-04 ### Added - `static/docs/pgp.md`, `pgp-win.md`, and `pgp-email.md` added for reference. These files have been temporarily stored until they can be migrated to the wiki. ### Changed - Added the new Markdown files in `static/docs` to the `service-worker.js` cache ignore list. --- ## 1.12.2 – 2025-06-04 ### Changed - `LicenseContent` component updated to reflect the correct "Effective Date." --- ## [1.12.1] – 2025-06-04 ### Added - Standardized issue templates and contact links in `.github/ISSUE_TEMPLATE/config.yml` for consistent triage experience across repositories. - Shared health files (`SUPPORT.md`, `CONTRIBUTING.md`, `SECURITY.md`) retained in `.github` for fallback visibility. - Centralized issue submission and triage via main repository (`netwk-pro.github.io`) for all public projects. ### Changed - Updated `.github` structure to delegate issue creation to the main repository only, simplifying user flow and internal tracking. - Reorganized public repositories to override the default `.github` issue config selectively as needed. ### Removed - Removed unused local issue templates from `.github` to prevent template duplication in dependent repositories. --- ## [1.12.0] – 2025-06-04 ### Added - Initial scaffolding for tracking preferences store using SvelteKit writable stores. - `PrivacyDashboard` and `PrivacyContent` components updated to bind to the reactive tracking store. - Derived store for automatic re-consent prompts (`remindUserToReconsent`). - Consent cookie logic added for first-time and returning users. - First iteration of PostHog integration. - `sr-only` utility class added to `global.min.css` for accessibility improvements. - Support disclaimer added to Legal, Copyright, and Licensing section. - Privacy dashboard UI elements and opt-in interface. ### Changed - Migrated tracking preference logic from `utils/privacy.js` and `utils/trackingCookies.js` to a store-based architecture. - Updated `posthog.js` to consume new `trackingPreferences` store. - Improved inline documentation for Netlify `adapter-edge` settings. ### Removed - Deprecated `shouldTrackUser()` logic and legacy cookie checks. <!-- Link references --> [Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.28.4...HEAD [1.28.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.28.4 [1.28.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.28.3 [1.28.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.28.2 [1.28.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.28.1 [1.28.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.28.0 [1.27.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.27.3 [1.27.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.27.2 [1.27.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.27.1 [1.27.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.27.0 [1.26.22]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.22 [1.26.21]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.21 [1.26.20]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.20 [1.26.19]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.19 [1.26.18]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.18 [1.26.17]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.17 [1.26.16]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.16 [1.26.15]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.15 [1.26.14]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.14 [1.26.13]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.13 [1.26.12]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.12 [1.26.11]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.11 [1.26.10]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.10 [1.26.9]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.9 [1.26.8]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.8 [1.26.7]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.7 [1.26.6]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.6 [1.26.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.5 [1.26.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.4 [1.26.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.3 [1.26.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.2 [1.26.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.1 [1.26.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.0 [1.25.24]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.24 [1.25.23]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.23 [1.25.22]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.22 [1.25.21]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.21 [1.25.20]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.20 [1.25.19]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.19 [1.25.18]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.18 [1.25.17]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.17 [1.25.16]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.16 [1.25.15]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.15 [1.25.14]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.14 [1.25.13]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.13 [1.25.12]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.12 [1.25.11]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.11 [1.25.10]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.10 [1.25.9]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.9 [1.25.8]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.8 [1.25.7]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.7 [1.25.6]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.6 [1.25.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.5 [1.25.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.4 [1.25.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.3 [1.25.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.2 [1.25.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.1 [1.25.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.0 [1.24.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.5 [1.24.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.4 [1.24.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.3 [1.24.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.2 [1.24.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.1 [1.24.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.0 [1.23.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.23.0 [1.22.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.22.2 [1.22.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.22.1 [1.22.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.22.0 [1.21.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.21.1 [1.21.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.21.0 [1.20.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.20.0 [1.19.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.19.0 [1.18.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.18.5 [1.18.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.18.4 [1.18.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.18.3 [1.18.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.18.2 [1.18.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.18.1 [1.18.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.18.0 [1.17.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.17.2 [1.17.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.17.1 [1.17.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.17.0 [1.16.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.16.0 [1.15.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.15.4 [1.15.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.15.3 [1.15.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.15.2 [1.15.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.15.1 [1.15.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.15.0 [1.14.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.14.2 [1.14.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.14.1 [1.14.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.14.0 [1.13.8]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.13.8 [1.13.7]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.13.7 [1.13.6]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.13.6 [1.13.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.13.5 [1.13.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.13.4 [1.13.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.13.3 [1.13.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.13.2 [1.13.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.13.1 [1.13.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.13.0 [1.12.9]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.9 [1.12.8]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.8 [1.12.7]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.7 [1.12.6]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.6 [1.12.5]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.5 [1.12.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.4 [1.12.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.3 [1.12.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.1 [1.12.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.0 <!-- cspell:ignore qrcode cryptom otphelp domcontentloaded heli -->