You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Bug fixes, dependency updates, and Dockerfile improvements
🐛 Bug Fixes
client: Fixed skysend update failing on Windows with "Permission denied" even as Administrator. Windows locks running .exe files, so fs.renameSync always threw EPERM. The fix spawns a detached, hidden cmd.exe batch script that waits 2 seconds (until the current process exits) then moves the downloaded binary into place with move /y.
client: Fixed install.ps1 hanging silently during download. PowerShell's default $ProgressPreference = 'Continue' makes Invoke-WebRequest up to 100x slower and shows no feedback in many terminal environments. The script now sets $ProgressPreference = 'SilentlyContinue' and prints Downloading <file>... done (X.X MB) and Verifying checksum... ok step messages instead.
client: Fixed install.sh showing no output during binary download. curl -fsSL and wget -q were fully silent. The binary download now uses curl --progress-bar (shows a ##### bar on stderr) and wget without -q, so users see download progress.
server: Fixed S3 uploads failing with Cloudflare R2 and other S3-compatible providers with the error [EntityReplacer] Invalid character '#' in entity name: "#xD". The root cause was fast-xml-parser@5.7.1 introducing a regression where numeric character references (e.g. 
) in XML responses could no longer be parsed. Updated fast-xml-parser override to >=5.7.2 which restores correct behavior.
server: Set requestChecksumCalculation and responseChecksumValidation to WHEN_REQUIRED on the S3 client. AWS SDK v3 >=3.679 defaults to WHEN_SUPPORTED, causing proactive CRC checksum headers that can trigger provider-specific XML parsing issues.
🔒 Security
infra: Added pnpm.overrides for postcss (>=8.5.10) to patch a moderate XSS vulnerability (GHSA-qx2v-qp2m-jg93) in transitive dependencies via autoprefixer
🗑️ Removed
server: Removed S3_PUBLIC_URL environment variable. S3 downloads now exclusively use presigned URLs, which enforce expiry and download limits server-side and expire automatically. Public bucket URLs allowed clients to bypass these controls by reusing a captured URL.
📝 Documentation
docs: Removed PBKDF2-SHA256 fallback references from password-protection.md, README.md, and docs/index.md - password protection now exclusively documents Argon2id
🎨 Improvements
server: Updated @hono/node-server from v1 to v2 - same public API, up to 2.3x faster body parsing via optimized direct Node.js IncomingMessage reads, URL construction fast-path, and buildOutgoingHttpHeaders optimization
infra: Updated patch and minor dependencies across all workspace packages - hono, @aws-sdk/client-s3, @aws-sdk/lib-storage, @aws-sdk/s3-request-presigner, better-sqlite3, tailwindcss, @tailwindcss/vite, react-router-dom, i18next, react-i18next, lucide-react, autoprefixer, vite, vue, wrangler, @cloudflare/workers-types, prettier, typescript, eslint-plugin-react-hooks, globals, typescript-eslint
infra: Updated eslint and @eslint/js from v9 to v10, and commander from v13 to v14 - no API changes required, fixed two new eslint:recommended rules (no-useless-assignment in upload chunking code, preserve-caught-error in upload worker)
web: Removed deprecated @types/dompurify - DOMPurify v3+ ships its own TypeScript declarations
infra: Added COPY apps/client/package.json, COPY apps/client/stubs/, and COPY workers/instances/package.json to the Dockerfile build stage so pnpm install --frozen-lockfile can resolve all workspace packages (including the file: stub dependency in @skysend/client) before COPY . .
