Releases: CaspianTools/caspian-notes
Releases · CaspianTools/caspian-notes
Release list
v1.3.6
v1.3.5
Added
- Hero screenshot in README. Replaced the placeholder Screenshots section with
media/screenshots/main_screenshot.jpg— a single composite shot of the activity-bar tree alongside the masonry grid with example prompt notes. Marketplace listings render the README from inside the VSIX, and the screenshot is bundled (no.vscodeignoreexclusion ofmedia/).
v1.3.4 — security hardening (XSS invariants + dep audit)
Security
- Restored the
textContent-only invariant documented in THREAT_MODEL.md §C. Two webview callsites that were using static-stringinnerHTML(the empty-state heading atmedia/main.js:186and the pin-button SVG atmedia/main.js:236) now build their DOM viacreateElement/createElementNS. Neither was an exploitable XSS — both strings were literals — but the invariant matters for static analysis and future-proofing. - Documented the markdown-preview rendering surface as new THREAT_MODEL.md §F. The preview pane introduced in 1.3.0 sends
marked.parse(body)intoinnerHTML, which is safe under the existing CSP (script-src 'nonce-X' webview.cspSource;default-src 'none';img-src webview.cspSource data:) — that CSP blocks every JavaScript sink raw markdown HTML could expose (inline<script>,on*handlers,javascript:URIs, remote<img>,<iframe>). Added an inline comment atmedia/main.js:478so future contributors don't add a sanitizer reflexively or weaken the CSP without re-evaluating §F. - Bumped
@typescript-eslint/eslint-pluginand@typescript-eslint/parserfrom ^6.0.0 to ^8.0.0. Resolves all 6 high-severitynpm auditfindings (transitive on@typescript-eslint/typescript-estree). v8 requires ESLint ≥8.57 and Node ≥18.18, both satisfied. - Hardened
.gitignorewith patterns for.env,.env.*,credentials.json,serviceAccountKey*.json,*.pem,*.key. The extension stores no credentials, so this is purely defense-in-depth against accidental check-ins of unrelated files in dev workspaces.
Notes (not changed)
The remaining 5 moderate npm audit findings (@vscode/vsce → @azure/identity → @azure/msal-node → uuid, plus ovsx) are dev-only and never ship in the VSIX. npm audit fix --force would downgrade ovsx from 0.10.11 to 0.9.4, losing features. Accepted risk.
v1.3.3 — editor modal fills full webview height
Fixed
- Editor modal now fills the full webview height. Previously the New / Edit note dialog was vertically centered inside the backdrop and capped at
max-height: 92vh, which made it look like a half-height popup when the library was opened in a narrow panel (e.g. the secondary sidebar). Backdrop now usesalign-items: stretch, the modal takesheight: 100%of the available area, and the body textarea / Markdown preview flex-grow to fill remaining space inside the modal. Min-heights for textarea and preview reduced from 220 px to 120 px so the modal still renders correctly in very short panels.
v1.3.2 — pin LF line endings
Changed
- Pinned all text files to LF line endings via new
.gitattributes. Neutralizes Git'score.autocrlf=truedefault on Windows machines so contributors no longer see noisy LF↔CRLF diffs on files they didn't touch. Binary assets (*.png,*.jpg,*.jpeg,*.gif,*.ico,*.svg,*.woff,*.woff2,*.vsix) are explicitly marked binary so Git never normalizes them.
Notes
- This release also lands the full extension source tree (src/, media/, scripts/, docs, CI workflows) that had been worked on locally but not yet committed since the initial README-only commit.