Skip to content

Sidecar 1.4.0

Latest

Choose a tag to compare

@dmnyc dmnyc released this 14 Jul 03:07
c0533a2

Same build submitted to the Chrome Web Store. For most people the Chrome Web Store listing is the right way to install β€” it updates automatically. This release is for advanced users who want to load the packaged build manually (see the README's manual install instructions).

Added

  • Expandable signing preview β€” the approval prompt now shows event content in a compact, expandable pane with Formatted / Raw / JSON views and a Show more / less toggle in every view. "Formatted" renders a note the way a client would (mentions as @-names, media, and note/nevent/naddr embeds), so long content β€” like a repost whose content is an embedded event β€” no longer pushes the "Signing as" account card off-screen.
  • Wider event-kind recognition β€” the signing prompt now labels roughly 40 more event kinds (Blossom upload authorization, polls, user status, zap goals, labels, communities, wiki articles, starter packs, voice messages, and many NIP-51 lists and sets), so routine actions no longer show the "unrecognized kind" caution. A request to vanish (kind 62) now carries a delete-style heads-up.
  • "Save your PIN" reminder β€” right after creating a PIN, a one-time modal prompts you to write it down or store it in a password manager before moving on. There's no recovery if it's forgotten, so this is the one moment to make sure it's actually captured somewhere durable.
  • In-app release notes β€” the help guide's new "What's new" section summarizes each release's highlights, linked from the help nav and from a new "What's new in this version" link in Settings β†’ Updates.

Changed

  • nostr-tools updated to 2.23.11 (from 2.16.2) β€” roughly a year of upstream fixes; the vendored bundle remains the byte-exact official npm artifact, and the app's relay-subscription call sites were adapted to the newer single-filter API. Cross-version interop (NIP-04/NIP-44 ciphertexts, event signatures) verified.
  • QR codes are now rendered by qrcode-generator (MIT) with a small first-party canvas adapter, replacing the GPL-3.0-licensed QRious library and resolving a license conflict with the project's MIT terms. Every QR type the app shows (keys, ncryptsec, Lightning addresses, invoices, wallet strings) verified end-to-end: encoded, then scanned back with the same decoder the app uses.
  • The standalone popup and the in-panel approval now share the same event-kind labels, so kinds β€” including the NIP-17 DM setup events β€” are recognized consistently in both places.
  • Readable identities β€” approval prompts show the encrypt/decrypt counterparty by name with its npub kept beneath as a verifiable key (a display name alone is spoofable). Click the npub to reveal the full, untruncated key; the raw hex is on hover. Other pubkey fallbacks now use npubs, not hex.
  • Reject Primal's NWC string β€” Primal's wallet is Spark-based and only works inside Primal's own apps, so its Nostr Wallet Connect string can't drive an external wallet. Sidecar now detects it and explains why, instead of hanging on connect.

Security

  • Auto-lock now defaults to 15 minutes of inactivity, instead of never. It only counts down when nothing has been signed, paid, or unlocked in that window, so active use is unaffected β€” this only shrinks the window a decrypted keystore is left exposed on an unattended browser. Still adjustable (including back to Never) in Settings, and anyone who's already chosen a value there keeps it. Existing users who'd never chosen a value get a one-time notice that auto-lock is now on β€” with a reminder that the unlock PIN is unrecoverable β€” the first time the panel opens unlocked.
  • Auto-lock changes apply immediately. Changing the timer in Settings now re-arms (or clears) the countdown on the spot; previously the new value only took effect after the next sign, payment, or unlock β€” so enabling auto-lock and walking away would never actually lock.
  • Web pages can no longer read Sidecar's full settings. The settings read available to visited pages is now clamped to the pay-card toggle, matching the existing clamp on writes β€” a page could previously see the auto-lock timing, budget, and auto-zap configuration.
  • Vendored-bundle provenance (addresses the community audit in #106) β€” VENDOR.md now records the exact npm package, version, license, and SHA-256 of every bundled third-party file; scripts/update-vendor.sh regenerates all of them from official registry artifacts, including a byte-reproducible nip49.js build; and CI verifies the hashes on every push and pull request, so tampering with vendored code is mechanically detectable. Also fixes the version drift between manifest.json and package.json and removes the misleading devDependencies entry.

Fixed

  • The PIN/confirm fields on the "create a keystore" screen no longer show a stale green checkmark next to an empty box after a reset (erase-everything, or the 21-failed-unlock auto-wipe) β€” the validity indicators now recompute when the fields are cleared, instead of only on typing.
  • Turning the on-page "Pay with Sidecar" card off now sticks across page loads β€” the content script was reading the saved setting from the wrong spot in the reply, so only the live toggle push ever applied.
  • Resuming a saved composer draft that contains a mention now correctly re-renders it as the resolved @name β€” the Write tab and the "Resume your draft?" preview previously showed the raw nostr:npub… string instead.

Full changelog: CHANGELOG.md at v1.4.0