Resolves GHSA-qx2v-qp2m-jg93 (PostCSS XSS via Unescaped </style> in CSS
Stringify Output) in the @expo/metro-config + tailwindcss build chain.
Build-time only, not runtime-exploitable in RN, but cleared for audit hygiene.
Defenseur scan post-override: 13/13 passed, 0 findings (the residual uuid
cascade is suppressed via defenseurs allowlist for GHSA-w5hq-g745-h8pq).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Resolves GHSA-w5hq-g745-h8pq in the transitive chain (xcode + @expo/ngrok).
Per spec decision D3, we pin ^11.0.0 (not ^14.0.0) to avoid ESM-only breaking
CJS consumers. Actual vulnerable code paths (v3/v5/v6 with buf param) are not
used by xcode or @expo/ngrok — they only call uuid.v4() — so the override is
safe in practice even though the npm advisory range is <14.0.0.
Refs #75
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Resolves 4 HIGH CVEs in the xmldom transitive dep chain (Expo CLI + xcode/plist).
Not runtime-exploitable in APK (build-time deps only) but cleaned for audit hygiene.
- GHSA-2v35-w6hq-6mfw (DoS — uncontrolled recursion in XML serialization)
- GHSA-f6ww-3ggp-fr8h (XML injection via DOCTYPE serialization)
- GHSA-x6wf-f3px-wcqx (XML injection via processing instruction serialization)
- GHSA-j759-j44w-7fr8 (XML injection via comment serialization)
Refs #74
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The (app)/layout.tsx was calling cookieStore.set() which is forbidden in
Server Components under Next.js 16 (only allowed in Server Actions and
Route Handlers). This caused a 500 error immediately after Logto login.
Also includes: mobile sync client improvements, i18n updates, web API
rate limiting, Bearer token support for mobile clients, and Dockerfile
optimizations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace aggressive >=major overrides (picomatch>=4, brace-expansion>=2, etc.)
with npm audit fix which patches each dependency within its compatible semver
range: picomatch 2.3.2/3.0.2/4.0.4, brace-expansion 1.1.13/2.0.3/5.0.5,
undici 6.24.1, node-forge 1.4.0, tar 7.5.13, yaml 1.10.3/2.8.3.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The transitive dependency chain drizzle-kit -> @esbuild-kit/esm-loader ->
@esbuild-kit/core-utils pulled in esbuild@0.18.20 which is vulnerable to
GHSA-67mh-4wv8-2f99. Adding an npm override forces all nested esbuild
instances to use ^0.25.0, resolving all 4 moderate audit findings.
Ref: simpl-liste#16
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace manual keyboard listeners and RN KeyboardAvoidingView with
react-native-keyboard-controller which handles edge-to-edge correctly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Adds home screen widgets (Small 2×2, Medium 4×2, Large 4×4) using
react-native-android-widget. Widgets display upcoming tasks sorted by
urgency, support tap-to-complete and deep linking into the app, and
refresh on every task mutation + every 30 minutes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace static delete buttons with swipe gestures (left to delete, right
to complete) and add drag-to-reorder support using react-native-draggable-flatlist.
Inbox is pinned at top of lists tab with a GripVertical drag handle for
custom lists. Polling is paused during drag operations to prevent state conflicts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Scheduled task reminders via expo-notifications with configurable
offset (at time, 1h, 3h, 1 day before)
- Optional calendar sync via expo-calendar (creates/updates/removes
events in a dedicated Simpl-Liste calendar)
- ICS export with RRULE support for inbox, lists, and individual tasks
- New migration adding calendar_event_id to tasks table
- Settings UI for notifications toggle, reminder offset, and calendar sync
- Export buttons in inbox toolbar, list header, and task detail
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Clicking a list now shows its tasks instead of opening new task form
- Add list/[id] detail screen
- Replace crypto.randomUUID() with expo-crypto (Hermes compatibility)
- Add SQL transformer for Drizzle migration files
- Improve priority color visibility in dark mode (lighter variants)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>