Skip to content

Releases: CaspianTools/caspian-notes

v1.3.6

Choose a tag to compare

@github-actions github-actions released this 07 May 03:41

Changed

  • Maintenance release — no functional changes. Repackaged the VSIX from a freshly installed dependency tree to refresh the published artifact. Source, configuration, and bundled assets are identical to 1.3.5.

v1.3.5

Choose a tag to compare

@github-actions github-actions released this 25 Apr 15:21

Added

  • Hero screenshot in README. Replaced the placeholder Screenshots section with media/screenshots/main_screenshot.jpg — a single composite shot of the activity-bar tree alongside the masonry grid with example prompt notes. Marketplace listings render the README from inside the VSIX, and the screenshot is bundled (no .vscodeignore exclusion of media/).

v1.3.4 — security hardening (XSS invariants + dep audit)

Choose a tag to compare

@CaspianTools CaspianTools released this 25 Apr 14:51

Security

  • Restored the textContent-only invariant documented in THREAT_MODEL.md §C. Two webview callsites that were using static-string innerHTML (the empty-state heading at media/main.js:186 and the pin-button SVG at media/main.js:236) now build their DOM via createElement/createElementNS. Neither was an exploitable XSS — both strings were literals — but the invariant matters for static analysis and future-proofing.
  • Documented the markdown-preview rendering surface as new THREAT_MODEL.md §F. The preview pane introduced in 1.3.0 sends marked.parse(body) into innerHTML, which is safe under the existing CSP (script-src 'nonce-X' webview.cspSource; default-src 'none'; img-src webview.cspSource data:) — that CSP blocks every JavaScript sink raw markdown HTML could expose (inline <script>, on* handlers, javascript: URIs, remote <img>, <iframe>). Added an inline comment at media/main.js:478 so future contributors don't add a sanitizer reflexively or weaken the CSP without re-evaluating §F.
  • Bumped @typescript-eslint/eslint-plugin and @typescript-eslint/parser from ^6.0.0 to ^8.0.0. Resolves all 6 high-severity npm audit findings (transitive on @typescript-eslint/typescript-estree). v8 requires ESLint ≥8.57 and Node ≥18.18, both satisfied.
  • Hardened .gitignore with patterns for .env, .env.*, credentials.json, serviceAccountKey*.json, *.pem, *.key. The extension stores no credentials, so this is purely defense-in-depth against accidental check-ins of unrelated files in dev workspaces.

Notes (not changed)

The remaining 5 moderate npm audit findings (@vscode/vsce@azure/identity@azure/msal-nodeuuid, plus ovsx) are dev-only and never ship in the VSIX. npm audit fix --force would downgrade ovsx from 0.10.11 to 0.9.4, losing features. Accepted risk.

v1.3.3 — editor modal fills full webview height

Choose a tag to compare

@CaspianTools CaspianTools released this 25 Apr 14:31

Fixed

  • Editor modal now fills the full webview height. Previously the New / Edit note dialog was vertically centered inside the backdrop and capped at max-height: 92vh, which made it look like a half-height popup when the library was opened in a narrow panel (e.g. the secondary sidebar). Backdrop now uses align-items: stretch, the modal takes height: 100% of the available area, and the body textarea / Markdown preview flex-grow to fill remaining space inside the modal. Min-heights for textarea and preview reduced from 220 px to 120 px so the modal still renders correctly in very short panels.

v1.3.2 — pin LF line endings

Choose a tag to compare

@CaspianTools CaspianTools released this 25 Apr 14:14

Changed

  • Pinned all text files to LF line endings via new .gitattributes. Neutralizes Git's core.autocrlf=true default on Windows machines so contributors no longer see noisy LF↔CRLF diffs on files they didn't touch. Binary assets (*.png, *.jpg, *.jpeg, *.gif, *.ico, *.svg, *.woff, *.woff2, *.vsix) are explicitly marked binary so Git never normalizes them.

Notes

  • This release also lands the full extension source tree (src/, media/, scripts/, docs, CI workflows) that had been worked on locally but not yet committed since the initial README-only commit.