@networkpro/web

Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies

<!--
=====================================================================
CHANGELOG.md
Copyright © 2025-2026 Network Pro Strategies (Network Pro™)
SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
This file is part of Network Pro.
======================================================================
-->

# Changelog

<!-- markdownlint-disable MD024 -->
<!-- Use sections: Added, Changed, Deprecated, Removed, Fixed, Security -->

All notable changes to this project will be documented in this file.

This project follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). Version numbers use a **SemVer-inspired** `MAJOR.MINOR.PATCH` format, with version increments reflecting both user-visible and operational impact.

---

## [Unreleased]

---

## [1.28.4] - 2026-05-27

### Changed

- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.61.1**.
- Updated all GitHub Actions workflows to utilize **npm** `11.16.0`.
- Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.16.0`.
- Bumped project version to `1.28.4`.
- Updated dependencies:
  - `@vitest/coverage-v8` `4.1.6` → `4.1.7`
  - `dompurify` `^3.4.3` → `^3.4.7`
  - `postcss` `^8.5.14` → `^8.5.15`
  - `semver` `^7.8.0` → `^7.8.1`
  - `svelte` `5.55.7` → `5.55.10`
  - `vite` `^8.0.13` → `^8.0.14`
  - `vitest` `4.1.6` → `4.1.7`
  - `@sveltejs/kit` `2.60.1` → `2.61.1`
  - `eslint-plugin-svelte` `^3.17.1` → `^3.18.0`
  - `stylelint` `^17.11.1` → `^17.12.0`
  - `eslint-plugin-jsdoc` `^62.9.0` → `^63.0.0`
  - `prettier-plugin-svelte` `^3.5.2` → `^4.0.1`

### Security

- Converted `static/.well-known/security.txt` to an inline PGP clear-signed file and removed the retired detached `security.txt.asc` signature.
- Updated transitive dependency override for `tmp` to `^0.2.7` to mitigate CVE-2026-44705.
- Added npm `allowScripts` approvals for `esbuild@0.25.12` and `simple-git-hooks@2.13.1` so install-time scripts remain explicit under the current npm guidance.

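
This release, and many of the older ones below, mitigate CVEs in transitive packages (`tmp` here; `tar`, `basic-ftp`, `minimatch`, `picomatch` and others further down) by adding or tightening an npm `overrides` entry. An override only closes the hole if the lockfile actually resolves every installed copy of the package, nested copies included, to a version inside the overridden range, so the check worth running after `npm install` is to compare the `overrides` in `package.json` against the versions recorded in `package-lock.json`. The script below is an added example, not part of the project's repository. It uses constructed `package.json` and lockfile objects (the ranges are the ones this changelog lists; the resolved versions are invented to show one healthy copy and one stale nested copy) and inlines a minimal matcher for exact, `>=` and caret ranges instead of the `semver` package the project depends on, so it runs with no installs.

```javascript
// Added example: verify that npm `overrides` in package.json are reflected in
// the resolved versions recorded in package-lock.json (lockfileVersion 2/3
// `packages` map). Not the project's own tooling. A real script would read
// both files with fs and use the `semver` package; here a minimal matcher for
// exact, `>=` and caret ranges is inlined so the example runs offline.

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside `range`. Caret semantics follow npm: the
// leftmost non-zero component is fixed, everything to its right may move up.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r.startsWith('>=')) return compareVersions(v, parseVersion(r.slice(2))) >= 0;
  if (r.startsWith('^')) {
    const base = parseVersion(r.slice(1));
    if (compareVersions(v, base) < 0) return false;
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  return compareVersions(v, parseVersion(r)) === 0;
}

// Every installed copy of `name`, including nested ones such as
// "node_modules/a/node_modules/minimatch": the name is whatever follows the
// last "node_modules/" in the lockfile key.
function installedCopies(lock, name) {
  const copies = [];
  for (const [key, entry] of Object.entries(lock.packages ?? {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx !== -1 && key.slice(idx + 'node_modules/'.length) === name) {
      copies.push({ path: key, version: entry.version });
    }
  }
  return copies;
}

// Returns one finding per installed copy that escapes its override. Nested
// override objects (`{ ".": "...", dep: "..." }`) are skipped for brevity.
function checkOverrides(pkg, lock) {
  const findings = [];
  for (const [name, range] of Object.entries(pkg.overrides ?? {})) {
    if (typeof range !== 'string') continue;
    for (const copy of installedCopies(lock, name)) {
      if (!satisfies(copy.version, range)) {
        findings.push(`${copy.path}: ${copy.version} is outside override ${range}`);
      }
    }
  }
  return findings;
}

// Constructed sample data. The override ranges are taken from this changelog;
// the resolved versions are invented to show one healthy and one stale copy.
const SAMPLE_PKG = {
  overrides: { tar: '^7.5.11', 'basic-ftp': '^5.3.0', minimatch: '>=10.2.1', tmp: '^0.2.7' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/tar': { version: '7.5.11' },
    'node_modules/basic-ftp': { version: '5.2.1' },
    'node_modules/minimatch': { version: '10.2.1' },
    'node_modules/some-tool/node_modules/minimatch': { version: '9.0.5' },
  },
};

const findings = checkOverrides(SAMPLE_PKG, SAMPLE_LOCK);
console.log(findings.length ? findings.join('\n') : 'all overrides satisfied');
```

On the sample data the script reports the stale `basic-ftp` copy and the nested `minimatch` copy and stays silent about `tmp`, which is not installed at all (an override for an absent package is dormant, not wrong). Running a check like this in CI after each lockfile regeneration catches the case the 1.28.1 entry hints at: an override edited in `package.json` that never made it into `package-lock.json`.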
---

## [1.28.3] - 2026-05-16

### Changed

- Updated GitHub Actions npm bootstrap steps from `npm@11.13.0` to `npm@11.14.1`.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.60.1**.
- Bumped project version to `v1.28.3`.
- Updated dependencies:
  - `@vitest/coverage-v8` `4.1.5` → `4.1.6`
  - `dompurify` `^3.4.2` → `^3.4.3`
  - `prettier-plugin-svelte` `^3.5.1` → `^3.5.2`
  - `stylelint` `^17.11.0` → `^17.11.1`
  - `svelte` `5.55.5` → `5.55.7`
  - `vite` `^8.0.11` → `^8.0.13`
  - `vitest` `4.1.5` → `4.1.6`
  - `@playwright/test` `^1.59.1` → `^1.60.0`
  - `@sveltejs/kit` `2.59.1` → `2.60.1`
  - `eslint` `10.3.0` → `10.4.0`
  - `playwright` `^1.59.1` → `^1.60.0`

---

## [1.28.2] - 2026-05-08

### Changed

- Bumped project version to `v1.28.2`.
- Changed SvelteKit CSP generation from hash mode to `auto` mode so dynamic responses can use nonce-based CSP while prerendered output continues to use hashes.
- Removed the unused `svelte-preprocess` dev dependency because the project uses `vitePreprocess` from `@sveltejs/vite-plugin-svelte`.
- Removed the `typescript` npm-check-updates reject entry after clearing the stale `svelte-preprocess` peer constraint.
- Updated dependencies:
  - `@sveltejs/vite-plugin-svelte` `^7.1.1` → `^7.1.2`
  - `vite` `^8.0.10` → `^8.0.11`
  - `@eslint/compat` `^2.0.5` → `^2.1.0`
  - `semver` `^7.7.4` → `^7.8.0`
  - `typescript` `5.9.3` → `6.0.3`

---

## [1.28.1] - 2026-05-06

### Changed

- Bumped project version to `v1.28.1`.

### Fixed

- Regenerated `package-lock.json` by using the `npm install` command.

---

## [1.28.0] - 2026-05-06

### Added

- Added consent-gated Matomo analytics behind the existing `$lib/stores/posthog` compatibility helper, preserving current app call sites while enabling pageview and limited event capture.
- Added production CSP allowances for `https://analytics.netwk.pro` so Matomo can load and send tracking requests without inline scripts.

### Changed

- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.59.1**.
- Bumped project version to `v1.28.0`.
- Updated analytics privacy documentation and dashboard copy to describe Matomo pageview/event analytics, browser privacy signal handling, opt-out behavior, and disabled user identification.
- Updated repo guidance to reflect the Matomo-backed compatibility helper and the current production CSP trade-off.
- Updated dependencies:
  - `@sveltejs/kit` `2.59.0` → `2.59.1`
  - `postcss` `^8.5.13` → `^8.5.14`
  - `svelte-check` `^4.4.7` → `^4.4.8`
  - `svelte-eslint-parser` `^1.6.0` → `^1.6.1`
  - `@sveltejs/vite-plugin-svelte` `^7.0.0` → `^7.1.1`
  - `stylelint` `^17.9.1` → `^17.11.0`

### Fixed

- Switched SvelteKit CSP generation from `auto` to hash mode so prerendered/static pages are not served with mismatched nonce-based CSP headers that block framework-generated inline bootstrap scripts.
- Changed service-worker navigation handling to fetch HTML from the network before falling back to cached core pages (`/`, `/about`, `/contact`) or the offline page, balancing CSP freshness with limited offline navigation.
- Updated the `?nosw` diagnostic script to unregister service workers and clear caches before app bootstrapping completes.

### Removed

- Removed the `posthog-js` runtime dependency and related PostHog transitive packages from the lockfile.
- Removed PostHog initialization, capture calls, environment keys, relay rewrites, relay route handling, CSP allowances, and service-worker analytics-host exclusions while preserving the existing analytics helper API.

### Security

- Updated the transitive `basic-ftp` override to `^5.3.0` to mitigate CVE-2026-44240.
- Added a transitive `ip-address` override at `^10.1.0` to mitigate CVE-2026-42338.
- Kept audit-mode CSP hardened with no analytics egress while production analytics are limited to the Matomo origin.

---

## [1.27.3] - 2026-05-02

### Changed

- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.59.0**.
- Bumped project version to `v1.27.3`.
- Upgraded dependencies:
  - `dompurify` `^3.4.1` → `^3.4.2`
  - `postcss` `^8.5.10` → `^8.5.13`
  - `posthog-js` `^1.372.1` → `^1.372.6`
  - `stylelint` `^17.9.0` → `^17.9.1`
  - `svelte-check` `^4.4.6` → `^4.4.7`
  - `@sveltejs/kit` `2.58.0` → `2.59.0`
  - `eslint` `10.2.1` → `10.3.0`
  - `globals` `^17.5.0` → `^17.6.0`
  - `jsdom` `29.0.2` → `29.1.1`

---

## [1.27.2] - 2026-04-25

### Added

- Added a site-wide W3C Do Not Track tracking status resource at `/.well-known/dnt`.
- Added the DNT tracking status resource to `sitemap.xml`.

### Changed

- Bumped project version to `v1.27.2`.
- Updated `npm run dev` and `npm run preview` so they start local servers without automatically opening a browser.
- Refreshed sitemap metadata for updated public pages and privacy well-known resources.
- Updated the HeliBoard FOSS Spotlight GitHub link to the current `HeliBorg/HeliBoard` repository.
- Excluded the human-readable DNT policy text file from Prettier formatting.

### Removed

- Removed stale commented debug logging from shared layout, metadata, legal, FOSS, PGP, services, terms, and home page components.
- Removed `/CNAME` from the service worker ignored-path list.

---

## [1.27.1] - 2026-04-25

### Changed

- Bumped project version to `v1.27.1`.

### Fixed

- Replaced the third-party Keep Android Open banner script with a first-party Svelte banner component to avoid unstable inline-script CSP violations.
- Removed Keep Android Open script host and inline helper hash allowances from CSP.
- Restored temporary production `script-src 'unsafe-inline'` compatibility while PostHog remains in use.
- Updated README and agent guidance to reflect that CSP policy selection now lives in SvelteKit `kit.csp` instead of `src/hooks.server.js`.

---

## [1.27.0] - 2026-04-24

### Changed

- Bumped project version to `v1.27.0`.
- Moved Content Security Policy selection into SvelteKit `kit.csp`, keyed from `PUBLIC_ENV_MODE`/Vite mode so SvelteKit can manage CSP hashes and nonces.
- Kept `src/hooks.server.js` focused on request-time security headers, production `Report-To` metadata, Probely diagnostics, and audit-hostname mismatch warnings.
- Restored CSP selection diagnostics after moving CSP construction to SvelteKit configuration.
- Updated audit CSP behavior to remain enforced without analytics or external CSP reporting allowances.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.58.0**.
- Updated local Node version files from `24.14.1` to `24.15.0`.
- Updated GitHub Actions npm bootstrap steps from `npm@11.12.1` to `npm@11.13.0`.
- Updated dependencies:
  - `@vitest/coverage-v8` `4.1.4` → `4.1.5`
  - `@sveltejs/kit` `2.57.1` → `2.58.0`
  - `dompurify` `^3.4.0` → `^3.4.1`
  - `eslint-plugin-svelte` `^3.17.0` → `^3.17.1`
  - `markdownlint-cli2` `0.22.0` → `0.22.1`
  - `posthog-js` `^1.369.3` → `^1.372.1`
  - `stylelint` `^17.8.0` → `^17.9.0`
  - `svelte` `5.55.4` → `5.55.5`
  - `vite` `^8.0.8` → `^8.0.10`
  - `vitest` `4.1.4` → `4.1.5`

### Fixed

- Corrected the Playwright mobile Chrome device-profile comment to match the current `Pixel 7` profile.
- Restored dev/test `Content-Security-Policy-Report-Only` behavior by preserving development mode fallback and local CSP reporting.
- Corrected audit hostname diagnostics to avoid implying that hostname detection overrides `PUBLIC_ENV_MODE`.
- Limited Probely scanner diagnostics to audit mode and removed the misleading bypass log label.
- Added `Prerendered` to the cspell dictionary for the new SvelteKit CSP comments.

### Security

- Added a transitive dependency override for `uuid` at `^14.0.0` to mitigate known vulnerabilities.

---

## [1.26.22] - 2026-04-19

### Added

- Added project Svelte MCP configuration via `.mcp.json`.
- Added Svelte MCP usage guidance to `AGENTS.md` and `CLAUDE.md`, including documentation lookup, autofix, and playground-link expectations.
- Added project-local Claude Code Svelte skills under `.claude/skills/` for reproducible Svelte 5 code-writing and best-practice guidance.
- Added `.markdownlint-cli2.mjs` to centralize Markdown lint globs and ignore patterns.
- Added `Mcpjson` to the cspell project dictionary.
- Added README documentation noting that WebKit/Safari E2E coverage is not part of the default Playwright matrix.
- Added unit test coverage for `ENV_MODE` alias normalization in `scripts/checkEnv.js`.

### Changed

- Bumped project version to `v1.26.22`.
- Updated README technology-stack wording to explicitly reference Svelte 5, SvelteKit, Vercel, and the separate Netlify audit environment.
- Simplified `npm run lint:md` to rely on the centralized `markdownlint-cli2` configuration.
- Updated Playwright mobile Chrome coverage from the `Galaxy S9+` profile to the `Pixel 7` profile.
- Updated `.env.codex` comments to document production-like Codex builds and corrected the analytics stub to `PUBLIC_POSTHOG_PROJECT_KEY`.
- Updated `scripts/checkEnv.js` to normalize `development` to `dev` and `production` to `prod`.
- Clarified the intentional use of Vite `envPrefix` for `import.meta.env.PUBLIC_*` access.
- Updated `.gitattributes` to normalize text files to LF line endings by default.
- Refreshed `package-lock.json` for the `v1.26.22` version bump and dependency metadata changes.

### Removed

- Removed the direct `markdownlint` dev dependency, since `markdownlint-cli2` already provides the required linting engine.
- Removed disabled WebKit and Mobile Safari Playwright project blocks from the default E2E configuration.

---

## [1.26.21] - 2026-04-18

### Changed

- Bumped project version to `v1.26.21`.
- Updated `npm run dev` and `npm run preview` to open the local browser automatically.
- Updated dependencies:
  - `eslint` `10.2.0` → `10.2.1`
  - `postcss` `^8.5.9` → `^8.5.10`
  - `prettier` `3.8.2` → `3.8.3`
  - `svelte` `5.55.3` → `5.55.4`
  - `autoprefixer` `^10.4.27` → `^10.5.0`
  - `dompurify` `^3.3.3` → `^3.4.0`
  - `globals` `^17.4.0` → `^17.5.0`
  - `posthog-js` `^1.367.0` → `^1.369.3`
  - `stylelint` `^17.6.0` → `^17.8.0`
- Normalized transitive dependency override ranges for `minimatch`, `picomatch`, and `smol-toml` to caret ranges.

### Fixed

- Kept `typescript` pinned to `5.9.3` and retained it in the `npm-check-updates` reject list because `svelte-preprocess` does not yet accept TypeScript 6.

### Security

- Added transitive dependency override for `protobufjs` `v7.5.5` in order to mitigate CVE-2026-41242.

---

## [1.26.20] - 2026-04-10

### Changed

- Bumped project version to `v1.26.20`.
- Updated dependencies:
  - `prettier` `3.8.1` → `3.8.2`
  - `svelte` `5.55.2` → `5.55.3`

### Fixed

- Removed an unused `window` mock from the UTM unit test to better reflect the current `appendUTM` implementation.
- Stabilized SPA navigation E2E helpers by relying on Playwright click actionability instead of a separate `scrollIntoViewIfNeeded()` call, with a single retry for transient no-op clicks.
- Updated the navigation link assertion to compare the resolved `pathname` instead of the raw `href` attribute for better cross-browser consistency.

---

## [1.26.19] - 2026-04-09

### Changed

- Bumped project version to `v1.25.19`.
- Modified Node.js version to `24` in `.github/workflows/playwright.yml`.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.57.1**.
- Updated dependencies:
  - `@eslint/compat` `^2.0.3` → `^2.0.5`
  - `@vitest/coverage-v8` `4.1.2` → `4.1.4`
  - `browserslist` `^4.28.1` → `^4.28.2`
  - `jsdom` `29.0.1` → `29.0.2`
  - `postcss` `^8.5.8` → `^8.5.9`
  - `svelte` `5.55.1` → `5.55.2`
  - `vite` `^8.0.3` → `^8.0.8`
  - `vitest` `4.1.2` → `4.1.4`
  - `@playwright/test` `^1.58.2` → `^1.59.1`
  - `@sveltejs/kit` `2.55.0` → `2.57.1`
  - `eslint` `10.1.0` → `10.2.0`
  - `eslint-plugin-jsdoc` `^62.8.1` → `^62.9.0`
  - `eslint-plugin-svelte` `^3.16.0` → `^3.17.0`
  - `playwright` `^1.58.2` → `^1.59.1`
  - `posthog-js` `^1.364.2` → `^1.367.0`

### Security

- Added transitive dependency override for `lodash-es` `v4.18.1` in order to mitigate CVE-2026-4800 and CVE-2026-2950.
- Updated transitive dependency override for `basic-ftp` to `v5.2.1` in order to mitigate CVE-2026-39983.

---

## [1.26.18] - 2026-03-30

### Changed

- Bumped project version to `v1.26.18`.
- Updated dependencies:
  - `svelte-check` `^4.4.5` → `^4.4.6`

### Fixed

- Removed `typescript` from the list of updated dependencies in release `v1.26.17`, as it was not updated due to a lack of SvelteKit support.

---

## [1.26.17] - 2026-03-30

### Changed

- Added `typescript` to the `npm-check-updates` reject list in `.ncurc.cjs` to prevent automatic upgrades to TypeScript 6 until SvelteKit supports it.
- Updated all **GitHub Actions** workflows to utilize **npm** `11.12.1`.
- Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.14.1`.
- Bumped project version to `v1.26.17`.
- Re-added `vite-plugin-devtools-json` to `devDependencies`.
- Added `vite-plugin-devtools-json` override section to allow the plugin to operate properly with **Vite 8**.
- Restored pre-existing `vite-plugin-devtools-json` configuration in `vite.config.js`.
- Updated dependencies:
  - `@vitest/coverage-v8` `4.1.0` → `4.1.2`
  - `eslint-plugin-jsdoc` `^62.8.0` → `^62.8.1`
  - `vite` `^8.0.1` → `^8.0.3`
  - `vitest` `4.1.0` → `4.1.2`
  - `eslint-plugin-svelte` `^3.15.2` → `^3.16.0`
  - `globby` `^16.1.1` → `^16.2.0`
  - `posthog-js` `^1.363.1` → `^1.364.2`
  - `stylelint` `^17.5.0` → `^17.6.0`
  - `svelte` `5.54.0` → `5.55.1`
  - `markdownlint-cli2` `0.21.0` → `0.22.0`

### Fixed

- Resolved an `npm audit` warning caused by the transitive `smol-toml` dependency used by `markdownlint-cli2` by adding an npm override to require `smol-toml >=1.6.1`.
- Fixed an `npm install` dependency resolution failure by pinning `typescript` to `5.9.3`, which is compatible with `@sveltejs/kit@2.55.0`.

### Security

- Pinned transitive dependency `picomatch` to `>=4.0.4` to mitigate CVE-2026-33672.

---

## [1.26.16] - 2026-03-20

### Changed

- Updated size of **[Keep Android Open](https://keepandroidopen.org/)** banner in `src/app.html`.
- Updated `svelte.config.js` to utilize the `nodejs24.x` runtime for `@sveltejs/adapter-vercel`.
- Updated all **GitHub Actions** workflows to utilize **npm** `11.12.0`.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.55.0**.
- Bumped project version to `v1.26.16`.
- Updated dependencies:
  - `vite` `^8.0.0` → `^8.0.1`
  - `@sveltejs/kit` `2.54.0` → `2.55.0`
  - `eslint` `10.0.3` → `10.1.0`
  - `posthog-js` `^1.360.1` → `^1.363.1`
  - `stylelint` `^17.4.0` → `^17.5.0`
  - `stylelint-order` `^8.0.0` → `^8.1.1`
  - `svelte` `5.53.11` → `5.54.0`
  - `jsdom` `28.1.0` → `29.0.1`

---

## [1.26.15] - 2026-03-12

### Changed

- Updated `vite.config.js` to resolve tsconfig paths.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.54.0**.
- Updated all GitHub Actions workflows to utilize **npm** `11.11.1`.
- Removed `@eslint/js` and `eslint` from `.ncurc.cjs` "reject" list.
- Modified `vite.config.js` to comment out `vite-plugin-devtools-json` related entries until package is updated.
- Updated `scripts/checkEnv.js` to satisfy newer ESLint rules by removing an unnecessary placeholder assignment and preserving existing validation behavior.
- Updated `src/service-worker.js` to satisfy newer ESLint rules by preserving caught error context during precache failures and removing an unnecessary reassignment in the install handler.
- Bumped project version to `v1.26.15`.
- Updated dependencies:
  - `dompurify` `^3.3.2` → `^3.3.3`
  - `eslint-plugin-svelte` `^3.15.0` → `^3.15.2`
  - `svelte` `5.53.7` → `5.53.11`
  - `@sveltejs/kit` `2.53.4` → `2.54.0`
  - `@vitest/coverage-v8` `4.0.18` → `4.1.0`
  - `eslint-plugin-jsdoc` `^62.7.1` → `^62.8.0`
  - `lightningcss` `^1.31.1` → `^1.32.0`
  - `posthog-js` `^1.359.1` → `^1.360.1`
  - `vitest` `4.0.18` → `4.1.0`
  - `@sveltejs/vite-plugin-svelte` `^6.2.4` → `^7.0.0`
  - `stylelint-order` `^7.0.1` → `^8.0.0`
  - `vite` `^7.3.1` → `^8.0.0`
  - `@eslint/js` `9.32.2` → `10.0.1`
  - `eslint` `9.39.2` → `10.0.3`

### Removed

- Removed `vite-plugin-devtools-json`, as it is not compatible with Vite 8.
- Removed `vite-tsconfig-paths`, as it is now included natively in Vite.

### Security

- Pinned transitive dependency `tar` to `^7.5.11` to mitigate CVE-2026-31802.

---

## [1.26.14] - 2026-03-07

### Changed

- Bumped project version to `v1.26.14`.
- Added deferred script to `src/app.html` to display the Keep Android Open banner.
- Allowed `https://keepandroidopen.org` in `Content-Security-Policy` `script-src` across production, audit, and dev/test modes to support the Keep Android Open banner script.

---

## [1.26.13] - 2026-03-07

### Changed

- Bumped project version to `v1.26.13`.
- Updated dependencies:
  - `@eslint/compat` `^2.0.2` → `^2.0.3`
  - `dompurify` `^3.3.1` → `^3.3.2`
  - `svelte-check` `^4.4.4` → `^4.4.5`
  - `posthog-js` `^1.358.1` → `^1.359.1`
  - `svelte-eslint-parser` `^1.5.1` → `^1.6.0`

### Security

- Updated `dompurify` to `^3.3.2` to mitigate CVE-2026-0540.

---

## [1.26.12] - 2026-03-04

### Changed

- Bumped project version to `v1.26.12`.
- Updated dependencies:
  - `postcss` `^8.5.6` → `^8.5.8`
  - `prettier-plugin-svelte` `^3.5.0` → `^3.5.1`
  - `svelte` `5.53.6` → `5.53.7`
  - `globals` `^17.3.0` → `^17.4.0`
  - `posthog-js` `^1.356.1` → `^1.358.1`

---

## [1.26.11] - 2026-02-28

### Changed

- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.53.4**.
- Updated all GitHub Actions workflows to utilize **npm 11.11.0**.
- Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.14.0`.
- Bumped project version to `v1.26.11`.
- Updated dependencies:
  - `@sveltejs/adapter-netlify` `^6.0.3` → `^6.0.4`
  - `@sveltejs/adapter-vercel` `^6.3.2` → `^6.3.3`
  - `@sveltejs/kit` `2.53.0` → `2.53.4`
  - `autoprefixer` `^10.4.24` → `^10.4.27`
  - `eslint-plugin-jsdoc` `^62.7.0` → `^62.7.1`
  - `svelte` `5.53.2` → `5.53.6`
  - `svelte-check` `^4.4.3` → `^4.4.4`
  - `posthog-js` `^1.352.0` → `^1.356.1`
  - `stylelint` `^17.3.0` → `^17.4.0`
  - `svelte-eslint-parser` `^1.4.1` → `^1.5.1`

### Security

- Pinned transitive dependency `basic-ftp` to `^5.2.0` to mitigate CVE-2026-27699.

---

## [1.26.10] - 2026-02-21

### Changed

- Refactored PostHog store to centralize environment gating across `initPostHog()`, `capture()`, and `identify()` via a shared `shouldSkipAnalytics()` helper.
- Cached environment detection results to avoid repeated evaluation and ensure consistent behavior across analytics APIs.
- Reintroduced hostname-based audit detection (`audit.netwk.pro`) as a defense-in-depth fallback alongside environment-mode audit detection.
- Removed unnecessary comments from `src/lib/stores/posthog.js` and `src/lib/pages/LicenseContent.svelte`.
- Corrected `tests/unit/client/lib/utils/utm.test.js` to import `vi` variable before first use.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.53.0**.
- Bumped project version to `v1.26.10`.
- Updated dependencies:
  - `@sveltejs/adapter-netlify` `^6.0.0` → `^6.0.3`
  - `@sveltejs/adapter-vercel` `^6.3.1` → `^6.3.2`
  - `globby` `^16.1.0` → `^16.1.1`
  - `@sveltejs/kit` `2.51.0` → `2.53.0`
  - `eslint-plugin-jsdoc` `^62.5.4` → `^62.7.0`
  - `jsdom` `28.0.0` → `28.1.0`
  - `posthog-js` `^1.347.0` → `^1.352.0`
  - `prettier-plugin-svelte` `^3.4.1` → `^3.5.0`
  - `stylelint` `^17.2.0` → `^17.3.0`
  - `svelte` `5.50.3` → `5.53.2`
  - `svelte-check` `^4.3.6` → `^4.4.3`
  - `markdownlint-cli2` `0.20.0` → `0.21.0`

### Fixed

- Prevented analytics gating logic from executing during SSR by adding an explicit `typeof window === 'undefined'` guard.
- Improved test isolation by updating `_resetPostHog()` to reset cached environment state and tracking-related stores.

### Security

- Pinned the `tar` package to `^7.5.9` in transitive dependencies, in order to address CVE-2026-26960.
- Pinned transitive `minimatch` to `>=10.2.1` to address an `npm audit`-reported high-severity ReDoS/DoS issue in older minimatch versions.

---

## [1.26.9] - 2026-02-12

### Changed

- Updated all GitHub Actions workflows to utilize **npm 11.10.0**.
- Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.13.1`.
- Bumped project version to `v1.26.9`.
- Updated dependencies:
  - `eslint-plugin-jsdoc` `^62.5.3` → `^62.5.4`
  - `svelte` `5.50.0` → `5.50.3`
  - `@sveltejs/kit` `2.50.2` → `2.51.0`
  - `eslint-plugin-svelte` `^3.14.0` → `^3.15.0`
  - `posthog-js` `^1.342.1` → `^1.347.0`
  - `stylelint` `^17.1.1` → `^17.2.0`
  - `vite-tsconfig-paths` `^6.0.5` → `^6.1.1`
  - `@sveltejs/adapter-netlify` `^5.2.4` → `^6.0.0`

---

## [1.26.8] - 2026-02-07

### Changed

- Refreshed timestamp for main route in `static/sitemap.xml`.
- Updated all GitHub Actions workflows to utilize **npm 11.9.0**.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.50.2**.
- Added `eslint` and `@eslint/js` to `.ncurc.js` **reject** list, pinned `v9.39.2` in `package.json`.
- Bumped project version to `v1.26.8`.
- Updated dependencies:
  - `posthog-js` `^1.336.4` → `^1.342.1`
  - `semver` `^7.7.3` → `^7.7.4`
  - `svelte` `5.49.1` → `5.50.0`
  - `@playwright/test` `^1.58.1` → `^1.58.2`
  - `@sveltejs/kit` `2.50.1` → `2.50.2`
  - `eslint-plugin-jsdoc` `^62.5.0` → `^62.5.3`
  - `jsdom` `27.4.0` → `28.0.0`
  - `playwright` `^1.58.1` → `^1.58.2`
  - `stylelint` `^17.1.0` → `^17.1.1`

---

## [1.26.7] - 2026-02-01

### Changed

- Refreshed timestamp for `/legal` route in `static/sitemap.xml`.
- Added standardized header to `AGENTS.md`, `CLAUDE.md`, `VERSIONING.md`, and `.github/COMMIT_GUIDE.md`, as well as all issue templates.
- Updated footer of `LICENSE.md` and `README.md` to reflect the company's full legal name.
- Refreshed **Effective Date** for Legal, Copyright, and Licensing route (`/legal`).
- Updated `src/lib/pages/LicenseContent.svelte` to include our trade name.
- Bumped project version to `v1.26.7`.
- Updated dependencies:
  - `@eslint/compat` `^2.0.1` → `^2.0.2`
  - `@playwright/test` `^1.58.0` → `^1.58.1`
  - `autoprefixer` `^10.4.23` → `^10.4.24`
  - `playwright` `^1.58.0` → `^1.58.1`
  - `posthog-js` `^1.336.2` → `^1.336.4`
  - `svelte` `5.49.0` → `5.49.1`
  - `svelte-check` `^4.3.5` → `^4.3.6`
  - `eslint-plugin-jsdoc` `^62.4.1` → `^62.5.0`
  - `globals` `^17.2.0` → `^17.3.0`
  - `stylelint` `^17.0.0` → `^17.1.0`

---

## [1.26.6] - 2026-01-29

### Changed

- Added Prettier to the `npm-check-updates` ignore list (`.ncurc.cjs`) for deterministic formatting changes.
- Updated the company name in `src/lib/pages/AboutContent.svelte` to the full, legal name.
- Updated the copyright statement in `src/lib/pages/LicenseContent.svelte` to use the full, legal company name.
- Updated the footer to display the full, legal company name.
- Bumped project version to `v1.26.6`.
- Updated dependencies:
  - `globals` `^17.1.0` → `^17.2.0`
  - `posthog-js` `^1.335.2` → `^1.336.2`
  - `svelte` `5.48.2` → `5.49.0`

### Security

- Pinned the `tar` package to `^7.5.7` in transitive dependencies, in order to address CVE-2026-24842.

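
The CSP entries in 1.27.0 through 1.28.2 above describe the policy split that now lives in SvelteKit's `kit.csp`, selected from `PUBLIC_ENV_MODE`: an enforced production policy whose only third-party allowance is the Matomo origin, an enforced audit policy with no analytics egress and no external CSP reporting, a report-only policy for dev/test with local reporting, and `auto` mode so prerendered pages get hashes while dynamic responses get nonces. The function below is an added example, not the project's `svelte.config.js`. The `mode`/`directives`/`reportOnly` shape is SvelteKit's real `kit.csp` configuration and the mode aliases follow the 1.26.22 entry; the directive lists, the `/csp-report` path and the decision to fail closed on an unknown mode are this example's assumptions.

```javascript
// Added example (not the project's svelte.config.js): derive SvelteKit's
// `kit.csp` object from PUBLIC_ENV_MODE, following the split this changelog
// describes. `mode`, `directives` and `reportOnly` are SvelteKit's real
// kit.csp keys; the directive values and the report path are assumptions.

const ANALYTICS_ORIGIN = 'https://analytics.netwk.pro'; // Matomo origin from the 1.28.0 entry
const LOCAL_REPORT_PATH = '/csp-report'; // assumed local report-uri for dev/test

// Aliases from the 1.26.22 entry. An unknown value throws rather than silently
// picking a weaker policy, so a misconfigured build fails at config time.
const MODE_ALIASES = {
  dev: 'dev', development: 'dev', test: 'dev',
  prod: 'prod', production: 'prod',
  audit: 'audit',
};

function normalizeMode(raw) {
  const mode = MODE_ALIASES[String(raw ?? '').trim().toLowerCase()];
  if (!mode) throw new Error(`PUBLIC_ENV_MODE must be dev/test, prod or audit, got "${raw}"`);
  return mode;
}

// Baseline directives shared by every mode: same-origin only, no
// 'unsafe-inline'. SvelteKit adds the hash or nonce for its own inline
// bootstrap script, which is why the policy can omit it.
function baselineDirectives() {
  return {
    'default-src': ['self'],
    'script-src': ['self'],
    'style-src': ['self'],
    'img-src': ['self', 'data:'],
    'connect-src': ['self'],
    'font-src': ['self'],
    'object-src': ['none'],
    'base-uri': ['self'],
    'frame-ancestors': ['none'],
  };
}

function buildCspConfig(rawMode) {
  const mode = normalizeMode(rawMode);
  const directives = baselineDirectives();

  if (mode === 'prod') {
    // Production: enforced; the analytics origin is the only third-party
    // script and connection allowance, so no inline loader is needed.
    directives['script-src'].push(ANALYTICS_ORIGIN);
    directives['connect-src'].push(ANALYTICS_ORIGIN);
    return { mode: 'auto', directives };
  }
  if (mode === 'audit') {
    // Audit: enforced, no analytics egress, no external CSP reporting.
    return { mode: 'auto', directives };
  }
  // dev/test: Content-Security-Policy-Report-Only with a local report-uri,
  // so violations surface in the console without breaking local work.
  return { mode: 'auto', reportOnly: { ...directives, 'report-uri': [LOCAL_REPORT_PATH] } };
}

// Render a directive map as a header value, quoting CSP keywords the way the
// browser expects ('self', 'none', ...) and leaving host and scheme sources bare.
const CSP_KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'report-sample', 'unsafe-hashes']);

function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.map((s) => (CSP_KEYWORDS.has(s) ? `'${s}'` : s)).join(' ')}`)
    .join('; ');
}

// svelte.config.js would export roughly:
//   kit: { csp: buildCspConfig(process.env.PUBLIC_ENV_MODE) }
for (const m of ['production', 'audit', 'development']) {
  const cfg = buildCspConfig(m);
  console.log(`${m} (${cfg.reportOnly ? 'report-only' : 'enforced'}): ${serializeCsp(cfg.reportOnly ?? cfg.directives)}`);
}
```

Two design points carry the security weight. First, the audit and production policies share the same base and differ only in the analytics allowance, so a scanner run against `audit.netwk.pro` exercises the real policy minus egress rather than a looser copy. Second, dev/test gets `reportOnly` with a `report-uri`, which is what makes the `Content-Security-Policy-Report-Only` behavior the 1.27.0 entry restores observable locally without ever serving an unenforced policy to production.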
---

## [1.26.5] - 2026-01-24

### Added

- `scripts/hooks/pre-push.sh`: `simple-git-hooks` pre-push guard to prevent accidental pushes directly to `master`/`main` while preserving the existing `npm run checkout` pre-push behavior.

### Changed

- `.github/workflows/deploy-audit-netlify.yml`: Added `workflow_dispatch` so the audit Netlify deployment can be triggered manually (e.g., when `audit-netlify` is already in sync and no new push occurs).
- `package.json`: Updated `simple-git-hooks` configuration to run `bash scripts/hooks/pre-push.sh` on `pre-push` (alongside the existing `pre-commit` hook).
- Bumped project version to `v1.26.5`.

---

## [1.26.4] - 2026-01-24

### Added

- Added `AGENTS.md` to provide operational, tool-neutral guidance for automated agents.

### Changed

- **Workflow tooling updates** to keep CI aligned with upstream releases:
  - `npm` upgraded to `11.8.0` across build/test/publish workflows.
  - `actions/checkout` `v5` → `v6`, `actions/upload-artifact` `v4` → `v6`, and `actions/github-script` `v7` → `v8`.
  - Restored Node.js/npm version logging in `publish-test` workflow jobs.
- **Documentation note added** in `CLAUDE.md` to point automation tools to `AGENTS.md`.
- **Playwright E2E stabilization** (Firefox + SvelteKit SPA navigation):
  - Updated the shared navigation helper (`tests/e2e/shared/helpers.js`) to prefer SPA-safe URL-change waiting (polling assertions) over navigation lifecycle events, improving Firefox stability.
  - Strengthened the desktop “About link” test (`tests/e2e/app.spec.js`) with a stable `/about` page marker assertion (`"Security, with Intent"`) to reduce intermittent flakes.
- Refreshed timestamp for root route in `static/sitemap.xml`.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.50.1**.
- **Project version bumped** to `v1.26.4`.
- Updated dependencies:
  - `@sveltejs/adapter-vercel` `^6.3.0` → `^6.3.1`
  - `@sveltejs/kit` `2.50.0` → `2.50.1`
  - `@vitest/coverage-v8` `4.0.17` → `4.0.18`
  - `svelte` `5.48.0` → `5.48.2`
  - `vite-tsconfig-paths` `^6.0.4` → `^6.0.5`
  - `vitest` `4.0.17` → `4.0.18`
  - `@playwright/test` `^1.57.0` → `^1.58.0`
  - `eslint-plugin-jsdoc` `^62.3.0` → `^62.4.1`
  - `globals` `^17.0.0` → `^17.1.0`
  - `playwright` `^1.57.0` → `^1.58.0`
  - `posthog-js` `^1.334.0` → `^1.335.2`

---

## [1.26.3] - 2026-01-21

### Added

- **Codex-aware analytics guard** in `src/lib/stores/posthog.js` to explicitly skip PostHog initialization when the application is executed by automation or AI-assisted tooling. This prevents analytics side effects during non-interactive builds, cloud executions, and AI-driven analysis while preserving normal production behavior.
- **`.env.codex` environment configuration** to support Codex and similar automation tools. This file defines a controlled, non-interactive execution context that mirrors production build semantics without enabling analytics or requiring secrets, enabling safe use of cloud-based AI and CI-style tooling.
- **`CLAUDE.md` project guidance file** to provide persistent, repository-level instructions for Claude Code and other AI-assisted development tools. The file establishes clear expectations and constraints for AI usage, including:
  - **AI guardrails** that prohibit changes to security posture, environment detection logic, deployment assumptions, or analytics behavior without explicit human approval.
  - An explicit **Allowed AI Uses** section defining safe, permitted activities such as code comprehension, incremental feature development, bug fixing, testing, and documentation updates.

### Changed

- **Project version bumped** to `v1.26.3`.
- **Dependency updates** to incorporate upstream fixes, improvements, and compatibility updates:
  - `prettier` `3.8.0` → `3.8.1`
  - `eslint-plugin-jsdoc` `^62.0.1` → `^62.3.0`
  - `lightningcss` `^1.30.2` → `^1.31.1`
  - `posthog-js` `^1.327.0` → `^1.334.0`
  - `svelte` `5.46.4` → `5.48.0`

### Security

- **Updated transitive dependency override** to remediate a reported vulnerability:
  - `tar` `7.5.3` → `7.5.6` _(addresses CVE-2026-23950)_
- **Added transitive dependency override** to mitigate a reported vulnerability:
  - `lodash` pinned to `4.17.23` _(addresses CVE-2025-13465)_

---

## [1.26.2] - 2026-01-17

### Changed

- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.50.0**.
- Updated `.nvmrc` and `.node-version` to utilize **Node.js** `v24.13.0`.
- Bumped project version to `v1.26.2`.
- Updated dependencies:
  - `@sveltejs/kit` `2.49.5` → `2.50.0`
  - `posthog-js` `^1.323.0` → `^1.327.0`
  - `eslint-plugin-jsdoc` `^62.0.0` → `^62.0.1`

### Security

- Updated transitive dependency override to address reported vulnerabilities:
  - `tar@7.5.2` → `tar@7.5.3` (addresses CVE-2026-23745).

---

## [1.26.1] - 2026-01-15

### Changed

- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.49.5**.
- Updated `static/manifest.json` to better reflect the company's current mission, focus, and messaging.
- Updated timestamps in `sitemap.xml`.
- Minor edits made to `PrivacyContent.svelte` and `TermsUseContent.svelte` for clarity and accuracy.
- Bumped project version to `v1.26.1`.
- Updated dependencies:
  - `@sveltejs/kit` `2.49.4` → `2.49.5`
  - `@vitest/coverage-v8` `4.0.16` → `4.0.17`
  - `svelte` `5.46.1` → `5.46.4`
  - `vitest` `4.0.16` → `4.0.17`
  - `posthog-js` `^1.318.1` → `^1.323.0`
  - `prettier` `3.7.4` → `3.8.0`
  - `stylelint` `^16.26.1` → `^17.0.0`
  - `stylelint-config-recommended` `^17.0.0` → `^18.0.0`

### Security

- Updated `@sveltejs/kit` to `2.49.5`, in order to address CVE-2026-22803.

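
The 1.26.10 and 1.26.3 entries above describe the gate that every analytics entry point (`initPostHog()`, `capture()`, `identify()`) shares: a `shouldSkipAnalytics()` helper that caches environment detection, treats the `audit.netwk.pro` hostname as a defense-in-depth fallback to `PUBLIC_ENV_MODE`, skips automation contexts, and short-circuits during SSR with a `typeof window === 'undefined'` guard; 1.28.0 later keeps that API for Matomo, adds consent gating and browser privacy-signal handling, and disables user identification. The factory below is an added example, not the project's `$lib/stores/posthog` module. Its inputs (`env`, `win`, `consent`, `transport`) are injected so it runs outside a browser; `PUBLIC_ANALYTICS_AUTOMATION` is an assumed name standing in for whatever `.env.codex` sets, since the page does not name the variable; and only the environment decision is cached, because consent and privacy signals can change while the page is open.

```javascript
// Added example (not the project's `$lib/stores/posthog` helper): a single
// gate shared by init/capture/identify, in the shape the 1.26.10, 1.26.3 and
// 1.28.0 entries describe. Dependencies are injected for testability:
//   env       - stands in for import.meta.env (PUBLIC_ENV_MODE, ...)
//   win       - the global window, or undefined during SSR
//   consent   - () => boolean, the user's current consent
//   transport - { init(), send(event) }, the real analytics client
// PUBLIC_ANALYTICS_AUTOMATION is an assumed name for the .env.codex switch.

const AUDIT_HOSTNAME = 'audit.netwk.pro';

function createAnalyticsGate({ env, win, consent, transport }) {
  let cachedEnvSkip; // environment decision, computed once per module instance

  function shouldSkipAnalytics() {
    // SSR guard first: no window means no browser and nothing to cache.
    if (typeof win === 'undefined') return true;

    if (cachedEnvSkip === undefined) {
      cachedEnvSkip =
        env.PUBLIC_ENV_MODE !== 'prod' ||              // dev/test/audit modes
        win.location?.hostname === AUDIT_HOSTNAME ||   // hostname fallback, defense in depth
        env.PUBLIC_ANALYTICS_AUTOMATION === '1';       // Codex/CI-style execution
    }
    if (cachedEnvSkip) return true;

    // Deliberately not cached: the user can flip these while the page is open.
    const nav = win.navigator ?? {};
    if (nav.doNotTrack === '1' || nav.globalPrivacyControl === true) return true;
    return !consent();
  }

  return {
    shouldSkipAnalytics,
    init() {
      if (shouldSkipAnalytics()) return false;
      transport.init();
      return true;
    },
    capture(event, properties = {}) {
      if (shouldSkipAnalytics()) return false;
      transport.send({ event, properties });
      return true;
    },
    // User identification is disabled outright; kept so call sites still compile.
    identify() {
      return false;
    },
    // Test hook in the spirit of the `_resetPostHog()` entry: clears cached state.
    _reset() {
      cachedEnvSkip = undefined;
    },
  };
}

// Constructed demo: a production browser on the public host, consent given.
const demoHits = [];
const demoGate = createAnalyticsGate({
  env: { PUBLIC_ENV_MODE: 'prod' },
  win: { location: { hostname: 'netwk.pro' }, navigator: { doNotTrack: '0' } },
  consent: () => true,
  transport: { init() {}, send: (e) => demoHits.push(e) },
});
demoGate.init();
demoGate.capture('pageview', { path: '/' });
console.log(demoHits); // one pageview event
```

Keeping the SSR check ahead of the cache matters: a server render that computed and stored an environment decision would share it across requests, whereas returning early keeps server code free of tracking side effects entirely. The split between cached environment facts and per-call consent is also what makes a `_reset()` hook necessary for unit tests, as the 1.26.10 fix notes.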
---

## [1.26.0] - 2026-01-10

### Changed

- Updated home page content to emphasize a focus on both security and privacy.
- Refined header navigation styling to improve external link icon alignment and spacing consistency across layouts.
- Updated `CONSTANTS.COMPANY_INFO.YEAR` in `src/lib/index.js` to reflect `2025, 2026`.
- Updated copyright headers across all tracked source files to reflect effective copyright years.
- Clarified repository distribution intent and reuse expectations in `README.md`, including documentation of copyright header conventions for this template project.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.49.4**.
- Bumped project version to `v1.26.0`.
- Updated test tooling to support Vitest 4.x:
  - Removed Vitest-related version constraints from update tooling.
  - Updated Vitest configuration for compatibility with `vitest` and `@vitest/coverage-v8` v4.
- Updated dependencies:
  - `@eslint/compat` `^2.0.0` → `^2.0.1`
  - `@sveltejs/kit` `2.49.3` → `2.49.4`
  - `@sveltejs/vite-plugin-svelte` `^6.2.3` → `^6.2.4`
  - `@vitest/coverage-v8` `3.2.4` → `4.0.16`
  - `posthog-js` `^1.315.1` → `^1.318.1`
  - `eslint-plugin-jsdoc` `^61.5.0` → `^62.0.0`
  - `vite-tsconfig-paths` `^6.0.3` → `^6.0.4`
  - `vitest` `3.2.4` → `4.0.16`

---

## [1.25.24] - 2026-01-07

### Changed

- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.49.3**.
- Bumped project version to `v1.25.24`.
- Updated dependencies:
  - `@sveltejs/kit` `2.49.2` → `2.49.3`
  - `@sveltejs/vite-plugin-svelte` `^6.2.1` → `^6.2.3`
  - `vite` `^7.3.0` → `^7.3.1`
  - `@sveltejs/adapter-vercel` `^6.2.0` → `^6.3.0`
  - `eslint-plugin-svelte` `^3.13.1` → `^3.14.0`
  - `posthog-js` `^1.313.0` → `^1.315.1`

---

## [1.25.23] - 2026-01-04

### Changed

- Updated `README.md` to accurately reflect hosting.
- Updated timestamp in `static/.well-known/security.txt` and created a new detached signature.
- Bumped project version to `v1.25.23`.
---

## [1.25.22] - 2026-01-01

### Added

- Conditional guards to ensure artifacts, issues, and external notifications are only created when workflows run in a trusted context (non-PR runs or PRs originating from the same repository).
- Redacted, public-safe Gitleaks scan summaries in GitHub Actions step output to prevent accidental exposure of sensitive file paths or values.
- Optional installation of `jq` gated to trusted execution contexts to support future structured output (e.g., SARIF) while preserving fork safety.

### Changed

- Updated the Gitleaks secret scanning workflow to explicitly exclude Dependabot pull requests, avoiding failures caused by unavailable organization secrets in bot-triggered PRs.
- Refined workflow trust boundaries to distinguish between forked pull requests and trusted repository contexts.
- Updated `.gitignore` to stop tracking generated `.svelte-kit` files.
- Bumped project version to `v1.25.22`.
- Updated dependencies:
  - `stylelint-order` `^7.0.0` → `^7.0.1`
  - `posthog-js` `^1.310.1` → `^1.313.0`
  - `globals` `^16.5.0` → `^17.0.0`

### Removed

- Removed Mastodon verification in `src/routes/posts/+page.svelte`, as it was not functioning properly. This route will remain unverified.

### Security

- Hardened secret-handling logic in CI by preventing the use of organization-level secrets, write permissions, and external notifications in untrusted pull request contexts.
- Ensured Gitleaks license usage is restricted to safe execution paths, eliminating false-negative or false-positive failures caused by GitHub Actions secret scoping rules.
- Added transitive dependency override for `qs` to `^6.14.1`, in order to address CVE-2025-15284.

---

## [1.25.21] - 2025-12-27

### Added

- Added Mastodon verification to `src/routes/posts/+page.svelte` via `<svelte:head>`.

### Changed

- Updated intro paragraph of `README.md` to better reflect the company's current mission, focus, and messaging.
- Bumped project version to `v1.25.21`.
- Updated dependencies:
  - `@testing-library/svelte` `^5.3.0` → `^5.3.1`
  - `jsdom` `27.3.0` → `27.4.0`

---

## [1.25.20] - 2025-12-24

### Added

- Added `VERSIONING.md` to document the project’s versioning strategy.

### Changed

- Updated `.lighthouse.cjs` to utilize `https://netwk.pro` as the target.
- Removed **Services** route from `sitemap.xml` and refreshed last modified timestamps.
- Updated `README.md` to clarify the project's versioning strategy and changelog format.
- Updated `src/routes/+page.svelte` to apply `containerClass="readable"` to `<FullWidthSection>` for improved readability.
- Revised homepage and About page content (`HomeContent.svelte` and `AboutContent.svelte`) to better reflect the company’s current mission, focus, and messaging.
- Bumped project version to `v1.25.20`.

### Removed

- Removed **Services** from primary navigation (`HeaderDefault.svelte` and `HeaderHome.svelte`).
- Removed references to home implementation services from `AboutContent.svelte`.
- This change reflects a clarified focus on internal research, education, advocacy, and selectively aligned consulting, rather than broad outward-facing service offerings.

---

## [1.25.19] - 2025-12-24

### Changed

- Updated GitHub workflows to utilize `actions/checkout@v6`, `actions/upload-artifact@v6`, and `actions/download-artifact@v7`:
  - `.github/workflows/templates/publish.template.yml`
  - `.github/workflows/backup-branch.yml`
  - `.github/workflows/build-and-publish.yml`
  - `.github/workflows/dependency-review.yml`
  - `.github/workflows/lighthouse.yml`
  - `.github/workflows/meta-check.yml`
  - `.github/workflows/playwright.yml`
  - `.github/workflows/probely-scan.yml`
  - `.github/workflows/publish-test.yml`
  - `.github/workflows/secret-scan.yml`
- Corrected `README.md` to properly state that subsites are hosted on Vercel and Netlify.
- Updated `.node-version` and `.nvmrc` to utilize **Node.js** `v24.12.0`.
- Bumped project version to `v1.25.19`.
- Updated dependencies:
  - `@eslint/js` `^9.39.1` → `^9.39.2`
  - `@testing-library/svelte` `^5.2.9` → `^5.3.0`
  - `autoprefixer` `^10.4.22` → `^10.4.23`
  - `eslint` `^9.39.1` → `^9.39.2`
  - `prettier-plugin-svelte` `^3.4.0` → `^3.4.1`
  - `svelte-check` `^4.3.4` → `^4.3.5`
  - `globby` `^16.0.0` → `^16.1.0`
  - `posthog-js` `^1.305.0` → `^1.310.1`
  - `svelte` `5.45.9` → `5.46.1`
  - `vite` `^7.2.7` → `^7.3.0`
  - `vite-tsconfig-paths` `^5.1.4` → `^6.0.3`

### Removed

- Removed `/* eslint-env vitest */` comment from `vitest-setup-client.js`, as it was causing an ESLint warning.

---

## [1.25.18] - 2025-12-11

### Changed

- Refreshed timestamp for root route in `sitemap.xml`.
- Reformatted the following files with Prettier:
  - `src/lib/README.md`
  - `src/lib/pages/LicenseContent.svelte`
  - `src/lib/pages/PrivacyContent.svelte`
  - `src/lib/pages/TermsUseContent.svelte`
- Bumped project version to `v1.25.18`.
- Updated dependencies:
  - `prettier` `3.6.2` → `3.7.4`

---

## [1.25.17] - 2025-12-11

### Added

- Added SSR boundary protection test (`tests/unit/server/internal/ssrBoundary.test.js`):
  - Detects Node-only imports (`jsdom`, `fs`, `path`, etc.) in client-visible modules.
  - Ensures imports are properly gated behind `import.meta.env.SSR`.
  - Prevents accidental SSR/client boundary violations in future code changes.
- Added support for detecting SSR-safe code paths by allowing SSR-gated dynamic imports in shared modules.

### Changed

- Refactored `src/service-worker.js` for improved consistency, clarity, and lint compatibility:
  - Removed unused function parameters (`_err`) and adjusted callback signatures to align with ESLint expectations.
  - Replaced anonymous no-op parameters with explicitly ignored placeholders using the `_` naming convention.
  - Improved async iteration patterns in asset caching logic for better readability and maintainability.
  - Updated JSDoc annotations for accuracy and improved editor support.
  - Ensured all cache operations conform to structured error-handling patterns consistent with the rest of the codebase.
- Updated `src/lib/utils/purify.js`:
  - Replaced `typeof window !== 'undefined'` guard with compile-time `import.meta.env.SSR`.
  - Ensures Vite tree-shakes `jsdom` imports from client bundles.
  - Fixed build failures caused by jsdom/cssstyle when bundled on the client.
  - Preserves existing DOMPurify caching and SSR behavior.
- Enhanced ESLint `no-unused-vars` rule in `eslint.config.mjs`:
  - Added support for ignoring unused catch parameters via `caughtErrors` and `caughtErrorsIgnorePattern`.
  - Prevented false positives on intentionally unused error variables (e.g., `_err`).
  - Expanded ignore patterns to match project coding conventions.
- Replaced `src/lib/img/qr/vcard.png` and `src/lib/img/qr/vcard.webp` with revised versions.
- Updated GitHub workflows to utilize **npm** `11.7.0`.
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.49.2**.
- Updated `src/lib/README.md` to reflect the newly updated app constant.
- Updated contact information in `static/bin/contact.vcf`.
- Updated `CONTACT.PHONE` app constant to reflect our new phone number, (602) 428-5300.
- Removed `jsdom` from `.ncurc.cjs` `reject` list.
- Bumped project version to `v1.25.17`.
- Updated dependencies:
  - `dompurify` `^3.3.0` → `^3.3.1`
  - `posthog-js` `^1.295.0` → `^1.305.0`
  - `svelte` `5.43.12` → `5.45.9`
  - `@playwright/test` `^1.56.1` → `^1.57.0`
  - `@sveltejs/adapter-vercel` `^6.1.1` → `^6.2.0`
  - `@sveltejs/kit` `2.48.5` → `2.49.2`
  - `browserslist` `^4.28.0` → `^4.28.1`
  - `eslint-plugin-jsdoc` `^61.2.1` → `^61.5.0`
  - `eslint-plugin-svelte` `^3.13.0` → `^3.13.1`
  - `markdownlint` `^0.39.0` → `^0.40.0`
  - `markdownlint-cli2` `0.19.0` → `0.20.0`
  - `playwright` `^1.56.1` → `^1.57.0`
  - `stylelint` `^16.25.0` → `^16.26.1`
  - `svelte-eslint-parser` `^1.4.0` → `^1.4.1`
  - `vite` `^7.2.2` → `^7.2.7`
  - `jsdom` `26.1.0` → `27.3.0`

### Fixed

- Resolved client-side build failures caused by dynamic jsdom imports leaking into the Vite dependency graph.
- Resolved false positive ESLint errors for unused catch bindings in JS modules.

---

## [1.25.16] - 2025-11-18

### Changed

- Removed `vercel-insights.com` from the `disallowedHosts` list in `service-worker.js`.

### Removed

- Removed `https://vercel-insights.com` from `script-src` and `connect-src` in `hooks.server.js`.

### Notes

- **Analytics:** Reverted Vercel Analytics integration due to inline script injection requirement. Continuing with PostHog Cloud until migration to CSP-compliant Matomo is feasible.

---

## [1.25.15] - 2025-11-18

### Added

- Added `https://vercel-insights.com` to `script-src` and `connect-src` in `hooks.server.js` to allow for Vercel Analytics.

### Changed

- Added `vercel-insights.com` to the `disallowedHosts` list in `service-worker.js`, in order to prevent SW caching.
- Bumped project version to `v1.25.15`.
- Updated dependencies:
  - `svelte` `5.43.10` → `5.43.12`

---

## [1.25.14] - 2025-11-18

### Changed

- Bumped project version to `v1.25.14`.
- Updated dependencies:
  - `svelte` `5.43.7` → `5.43.10`
  - `posthog-js` `^1.293.0` → `^1.295.0`

### Security

- Added transitive dependency override for `glob` to `^11.1.0`, in order to address CVE-2025-64756.
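The SSR boundary test added in 1.25.17 above checks that Node-only modules such as `jsdom` reach client-visible code only through dynamic imports gated behind `import.meta.env.SSR`. The following is an added illustration of one heuristic way to run that check, not the project's own `ssrBoundary.test.js`; the sample modules it scans are constructed here, and the `hit`, `isSsrGated`, `findSsrBoundaryViolations` and `scanSources` names are this example's.

```javascript
// Added example, not the project's ssrBoundary.test.js: a heuristic scanner
// that flags Node-only modules imported from a client-visible module, unless
// the import is a dynamic import() inside a block opened by an
// `import.meta.env.SSR` condition (the purify.js pattern from the changelog).
const NODE_ONLY = new Set(['jsdom', 'fs', 'path', 'node:fs', 'node:path']);
// Static imports are hoisted ahead of any runtime guard, so they are always
// flagged; dynamic imports are flagged only when no enclosing block is gated.
const STATIC_IMPORT = /\bimport\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g;
const DYNAMIC_IMPORT = /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g;

// True if `offset` sits inside a `{ ... }` whose opening line contains
// import.meta.env.SSR. Braces in strings are not excluded: a lint heuristic.
function isSsrGated(source, offset) {
  const open = []; // offsets of unmatched '{' before offset
  for (let i = 0; i < offset; i++) {
    if (source[i] === '{') open.push(i);
    else if (source[i] === '}') open.pop();
  }
  return open.some((brace) => {
    const lineStart = source.lastIndexOf('\n', brace) + 1;
    return source.slice(lineStart, brace).includes('import.meta.env.SSR');
  });
}

// Build a violation record with a 1-based line number from a regex match.
const hit = (source, m, kind) =>
  ({ line: source.slice(0, m.index).split('\n').length, module: m[1], kind });

// Returns [{ line, module, kind }] for every boundary violation in `source`.
function findSsrBoundaryViolations(source) {
  const violations = [];
  for (const m of source.matchAll(STATIC_IMPORT)) {
    if (NODE_ONLY.has(m[1])) violations.push(hit(source, m, 'static'));
  }
  for (const m of source.matchAll(DYNAMIC_IMPORT)) {
    if (NODE_ONLY.has(m[1]) && !isSsrGated(source, m.index)) {
      violations.push(hit(source, m, 'dynamic-ungated'));
    }
  }
  return violations;
}

// Constructed sample modules: an ungated static import, a correctly gated
// dynamic import (the purify.js shape), and an ungated dynamic import.
const SAMPLE_SOURCES = {
  'bad-static.js': "import { JSDOM } from 'jsdom';\nexport const dom = new JSDOM('');\n",
  'good-gated.js':
    "import DOMPurify from 'dompurify';\n" +
    'export async function getPurifier() {\n' +
    '  if (import.meta.env.SSR) {\n' +
    "    const { JSDOM } = await import('jsdom');\n" +
    "    return DOMPurify(new JSDOM('').window);\n" +
    '  }\n  return DOMPurify;\n}\n',
  'bad-dynamic.js':
    'export async function readConfig(p) {\n' +
    "  const fs = await import('node:fs');\n  return fs.readFileSync(p, 'utf8');\n}\n",
};

// Scan a map of { file: source } and report only the files with violations.
function scanSources(sources = SAMPLE_SOURCES) {
  const report = {};
  for (const [file, source] of Object.entries(sources)) {
    const found = findSsrBoundaryViolations(source);
    if (found.length) report[file] = found;
  }
  return report;
}
```

In a real test, `sources` would be read from the client-visible module paths under `src/lib`, and the suite fails when `scanSources()` returns a non-empty report.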
---

## [1.25.13] - 2025-11-16

### Changed

- Updated `.markdownlint.mjs` to ignore rule `MD060`, which is overly strict and unnecessary.
- Bumped project version to `v1.25.13`.
- Updated dependencies:
  - `svelte` `5.43.6` → `5.43.7`
  - `posthog-js` `^1.292.0` → `^1.293.0`
  - `@eslint/compat` `^1.4.1` → `^2.0.0`
  - `markdownlint-cli2` `0.18.1` → `0.19.0`

### Fixed

- Resolved prototype pollution vulnerability in transitive `js-yaml` dependency via `overrides`, due to outdated `@lhci/cli` dependency on `@lhci/utils`.

---

## [1.25.12] - 2025-11-14

### Added

- Added revised **QR code** image assets for **vCard** information:
  - `src/lib/img/qr/vcard.png`
  - `src/lib/img/qr/vcard.webp`

### Changed

- Modified `.node-version` and `.nvmrc` to utilize **Node.js** `24.11.1` (LTS).
- Updated `.ncurc.cjs` to reject updates to `markdownlint-cli2`, due to discrepancies between in-editor and CLI linting errors.
- Updated environment template (`.env.template`) to include `PUBLIC_ENV_MODE`, which is now required to build the proper environment (e.g., `dev`, `audit`, `production`).
- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.48.5**.
- Bumped project version to `v1.25.12`.
- Updated dependencies:
  - `@sveltejs/kit` `2.48.4` → `2.48.5`
  - `eslint-plugin-jsdoc` `^61.2.0` → `^61.2.1`

---

## [1.25.11] - 2025-11-12

### Added

- `gotoDesktop(page, path)` and `gotoMobile(page, path)` helper functions to streamline viewport + navigation setup.
- `clickAndWaitForNavigation(page, locator, options)` utility for safe SPA or full-page navigation detection with optional URL pattern matching.
- `DEBUG_LOGS` flag in `helpers.js` to allow toggling of console logs for test diagnostics.
- Navigation debug logs to `getVisibleNav()` to indicate which navigation region was detected (when debugging is enabled).

### Changed

- Refactored all E2E tests to use `gotoDesktop()` and `gotoMobile()` for consistency and DRY principles.
- Replaced brittle direct `waitForNavigation()` usages with `clickAndWaitForNavigation()` helper.
- Updated mobile and desktop tests to improve consistency across specs and improve visibility assertions.

### Removed

- Legacy direct `setViewportSize()` and `page.goto()` calls from individual test blocks (now handled via `goto*()` helpers).

---

## [1.25.10] - 2025-11-12

### Changed

- Updated GitHub workflows to specify `ENV: ci` where appropriate:
  - `templates/check-codeql.template.yml`
  - `templates/publish.template.yml`
  - `auto-assign.yml`
  - `branch-backup.yml`
  - `check-security-txt-expiry.yml`
  - `dependency-review.yml`
  - `meta-check.yml`
  - `prevent-audit-merges.yml`
  - `secret-scan.yml`
- Added `@sveltejs/adapter-netlify` devDependency for smoother toggling between production and audit modes.
  - Production uses `@sveltejs/adapter-vercel` only. `@sveltejs/adapter-netlify` exists solely to support the audit environment.
- Bumped project version to `v1.25.10`.
- Updated dependencies:
  - `@testing-library/svelte` `^5.2.8` → `^5.2.9`
  - `eslint-plugin-jsdoc` `^61.1.12` → `^61.2.0`
  - `posthog-js` `^1.290.0` → `^1.292.0`

### Removed

- Removed unneeded comments in `build-and-publish.yml` workflow.

---

## [1.25.9] - 2025-11-11

### Changed

- Updated the support email address to `support@netwk.pro` in the following files:
  - `README.md`
  - `check-codeql.template.yml`
  - `publish.template.yml`
  - `contact.vcf`
- Modified `eslint.config.mjs` to include `.cjs` files when linting JavaScript.
- Bumped project version to `v1.25.9`.

### Fixed

- Modified `.github/workflows/probely-scan.yml` to accept either a 200 or 201 response.
  - The workflow was correctly triggering the scan, but then failed because it received a 200 response rather than the expected 201.
---

## [1.25.8] - 2025-11-11

### Added

- 🔐 **Branch protection rules** on `master`:
  - Enforced pull requests for all changes
  - Blocked force pushes
  - Linear history requirement
- 🚫 **CI workflow to prevent merges from `audit-netlify` to `master`**:
  - PRs originating from `audit-netlify` targeting `master` are automatically rejected
  - Triggered on `pull_request` events
  - Uses `github.event.pull_request.head.ref` for precise branch detection
- 🚀 **Netlify CI deployment** for audit-only branch:
  - Workflow `.github/workflows/deploy-audit-netlify.yml` added
  - Deploys `audit-netlify` to a separate Netlify site
  - Uses environment variables to trigger `vite build --mode audit`
- 🌐 **`hooks.server.js` CSP hardening** for audit deployments:
  - Probely scanner detection based on UA/IP added via `isProbelyScanner()`
  - Audit-specific CSP disables analytics and CSP reporting endpoints
  - Logs detailed CSP info when in `isAudit` or `isDebug` modes
- 🛡️ Middleware improvements:
  - User-agent/IP fingerprinting for Probely DAST
  - Added logging for audit-mode scanner matches
- 🧪 Support for per-environment `.env` files (e.g. `.env.audit`)
- 🔄 Git helper scripts:
  - Added bash script to sync `audit-netlify` with latest `master`
  - Supports merge conflict resolution via VS Code diff viewer

### Changed

- Updated `.stylelintignore` to exclude `.netlify` directory
- Updated `lint:md` script to exclude the `build/` and `.netlify/` directories
- Refined `svelte.config.js` to support alternate build targets (Vercel → Netlify via adapter switch)
- Audit builds now use isolated `.env` config and a separate Netlify site token
- Bumped project version to `v1.25.8`

---

## [1.25.7] - 2025-11-11

### Added

- Introduced `src/lib/security/probely.js` helper module to detect Probely vulnerability scanner requests via normalized IP and User-Agent matching.
  - Supports case-insensitive substring matching for known Probely UA fragments (`ProbelySPDR/`, etc.).
  - IP allowlisting based on published ranges: <https://help.probely.com/en/articles/5112461/>
- Added unit test suite `tests/unit/server/lib/security/probely.test.js` to verify robustness of `isProbelyScanner()` logic against UA/IP variations and edge cases.

### Changed

- Updated `hooks.server.js` to integrate `isProbelyScanner()` as a drop-in replacement for inline Probely detection logic, improving clarity and testability.
- Contact details and motto updated in `static/.well-known/humans.txt`.
- Refreshed last modified dates in `static/sitemap.xml`.
- Minor cosmetic changes to `static/robots.txt`.
- Corrected fallback metadata in `+layout.svelte`.
- Removed inline styles from `src/lib/components/PWAInstallButton.svelte` and `src/lib/components/foss/FossFeatures.svelte`.
  - Moved styles to `src/lib/styles/css/default.css`.
  - Regenerated `global.min.css` bundle with LightningCSS.
- Minor optimizations and cleanup to several files:
  - `src/lib/components/RedirectPage.svelte`
  - `src/lib/components/layout/Footer.svelte`
  - `src/lib/pages/AboutContent.svelte`
  - `src/lib/pages/TermsConditionsContent.svelte`
  - `src/lib/pages/TermsUseContent.svelte`
  - `src/routes/contact/+page.svelte`
  - `src/routes/posts/+page.svelte`
  - `src/routes/privacy-rights/+page.svelte`
- Bumped project version to `v1.25.7`.
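The `isProbelyScanner()` helper introduced in 1.25.7 above combines a normalized, case-insensitive User-Agent fragment match with an IP allowlist built from Probely's published ranges. The following is an added illustration of that approach, not the project's `src/lib/security/probely.js`: the CIDR entries are constructed placeholders (the real list is at the Probely link above), the `parseIp` and `ipInCidr` helpers are this example's, and the decision to require both the UA and the IP signal is a choice made here, since the changelog does not state how the project combines them.

```javascript
// Added example, not the project's src/lib/security/probely.js: scanner
// detection from a normalized User-Agent substring plus an IP allowlist.
// The CIDRs below are constructed placeholders (TEST-NET-3 and a documentation
// IPv6 prefix), NOT Probely's published ranges; load the real list from
// https://help.probely.com/en/articles/5112461/ before relying on this.
const UA_FRAGMENTS = ['probelyspdr/']; // compared after lower-casing the UA
const ALLOWED_CIDRS = ['203.0.113.0/24', '2001:db8:ab::/48']; // placeholders

// Parse an IPv4 or IPv6 address into { bits, value: BigInt }. Brackets, zone
// ids and IPv4-mapped IPv6 (::ffff:a.b.c.d) are normalized away; malformed
// input yields null so it can never match an allowlist entry.
function parseIp(raw) {
  let s = String(raw ?? '').trim().toLowerCase().replace(/^\[|\]$/g, '').split('%')[0];
  if (s.startsWith('::ffff:') && s.includes('.')) s = s.slice(7);
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(s)) {
    const octets = s.split('.').map(Number);
    if (octets.some((o) => o > 255)) return null;
    return { bits: 32, value: octets.reduce((acc, o) => (acc << 8n) | BigInt(o), 0n) };
  }
  if (!/^[0-9a-f:]+$/.test(s)) return null;
  const halves = s.split('::');
  if (halves.length > 2) return null; // at most one "::" is allowed
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0) return null;
  const groups = [...head, ...Array(fill).fill('0'), ...tail];
  if (groups.length !== 8 || groups.some((g) => g.length === 0 || g.length > 4)) return null;
  return { bits: 128, value: groups.reduce((acc, g) => (acc << 16n) | BigInt(parseInt(g, 16)), 0n) };
}

// True when `ip` falls inside `cidr`; address families must match.
function ipInCidr(ip, cidr) {
  const [net, prefixStr] = cidr.split('/');
  const a = parseIp(ip);
  const n = parseIp(net);
  const prefix = Number(prefixStr);
  if (!a || !n || a.bits !== n.bits) return false;
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > a.bits) return false;
  const shift = BigInt(a.bits - prefix);
  return (a.value >> shift) === (n.value >> shift);
}

// Scanner check. `ip` should be the platform-resolved client address (in
// SvelteKit, event.getClientAddress()), never a client-controlled header.
// Both signals are required here: the UA is trivially spoofable, so it must
// not unlock the relaxed audit CSP on its own.
function isProbelyScanner({ userAgent, ip }) {
  const ua = String(userAgent ?? '').toLowerCase();
  const uaMatch = UA_FRAGMENTS.some((fragment) => ua.includes(fragment));
  const ipMatch = ALLOWED_CIDRS.some((cidr) => ipInCidr(ip, cidr));
  return uaMatch && ipMatch;
}
```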
- Updated dependencies:
  - `autoprefixer` `^10.4.21` → `^10.4.22`
  - `browserslist` `^4.27.0` → `^4.28.0`
  - `svelte` `5.43.3` → `5.43.6`
  - `svelte-check` `^4.3.3` → `^4.3.4`
  - `posthog-js` `^1.285.1` → `^1.290.0`
  - `vite` `^7.1.12` → `^7.2.2`

---

## [1.25.6] - 2025-11-04

### Security

- Hardened `Content-Security-Policy (CSP)` in `hooks.server.js`:
  - Environment-specific policies for `production`, `audit`, `dev`, and `test`
  - Added real CSP reporting endpoint (`csp.netwk.pro`) in production
  - Report-only mode enabled in non-prod for safer diagnostics
- Added `/api/mock-csp` endpoint to capture and log CSP violation reports in non-prod environments

### Changed

- Updated `README.md` with detailed explanation of the CSP enforcement strategy and future nonce-based roadmap
- Moved