The previous override ^11.0.0 allowed the vulnerable range 11.0.0 - 11.1.0.
npm resolved on 11.1.0, leaving the buffer-bounds-check CVE active in
v3/v5/v6 with buf arg. Bumping to ^11.1.1 stays in the 11.x major (CJS
compat preserved per past revert at 800f777) and fixes the advisory.
npm audit: 0 vulnerabilities. smoke tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Plain-node script invoked via `npm test`. Catches the buffer-bounds
regression area from GHSA-w5hq-g745-h8pq (uuid v3/v5 with buffer arg)
and validates package.json structure. No jest/Expo runtime needed —
runs in seconds, suitable for the defenseur-auto chain to gate auto-PRs.
Security release: 5 CVE resolved in build-time dep chain via overrides
(@xmldom/xmldom, uuid, postcss). 4 HIGH + 1 MEDIUM cleared.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolves GHSA-qx2v-qp2m-jg93 (PostCSS XSS via Unescaped </style> in CSS
Stringify Output) in the @expo/metro-config + tailwindcss build chain.
Build-time only, not runtime-exploitable in RN, but cleared for audit hygiene.
Defenseur scan post-override: 13/13 passed, 0 findings (the residual uuid
cascade is suppressed via defenseurs allowlist for GHSA-w5hq-g745-h8pq).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolves GHSA-w5hq-g745-h8pq in the transitive chain (xcode + @expo/ngrok).
Per spec decision D3, we pin ^11.0.0 (not ^14.0.0) to avoid ESM-only breaking
CJS consumers. Actual vulnerable code paths (v3/v5/v6 with buf param) are not
used by xcode or @expo/ngrok — they only call uuid.v4() — so the override is
safe in practice even though npm advisory range is <14.0.0.
Refs #75
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolves 4 HIGH CVE in the xmldom transitive dep chain (Expo CLI + xcode/plist).
Not runtime-exploitable in APK (build-time deps only) but cleaned for audit hygiene.
- GHSA-2v35-w6hq-6mfw (DoS — uncontrolled recursion in XML serialization)
- GHSA-f6ww-3ggp-fr8h (XML injection via DOCTYPE serialization)
- GHSA-x6wf-f3px-wcqx (XML injection via processing instruction serialization)
- GHSA-j759-j44w-7fr8 (XML injection via comment serialization)
Refs #74
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The (app)/layout.tsx was calling cookieStore.set() which is forbidden in
Server Components under Next.js 16 (only allowed in Server Actions and
Route Handlers). This caused a 500 error immediately after Logto login.
Also includes: mobile sync client improvements, i18n updates, web API
rate limiting, Bearer token support for mobile clients, and Dockerfile
optimizations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The transitive dependency chain drizzle-kit -> @esbuild-kit/esm-loader ->
@esbuild-kit/core-utils pulled in esbuild@0.18.20 which is vulnerable to
GHSA-67mh-4wv8-2f99. Adding an npm override forces all nested esbuild
instances to use ^0.25.0, resolving all 4 moderate audit findings.
Ref: simpl-liste#16
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Buttons (X, back, save, delete, export) had ~28px hit areas,
causing missed taps. Increased padding to p-2.5 + hitSlop for
~44px touch targets. Bump version to 1.2.4.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace manual keyboard listeners and RN KeyboardAvoidingView with
react-native-keyboard-controller which handles edge-to-edge correctly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
KeyboardAvoidingView does not work with edgeToEdgeEnabled on Android.
New approach: listen to Keyboard events, dynamically set spacer height
to actual keyboard height, and scrollToEnd when subtask input is focused.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Widget adapts to app theme (light/dark/system) via AsyncStorage
- Add "Check for updates" button querying Forgejo releases API
- Add "Contact us or report a bug" mailto link in settings
- Bump version to 1.0.1
Closes#1, closes#2, closes#3
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds home screen widgets (Small 2×2, Medium 4×2, Large 4×4) using
react-native-android-widget. Widgets display upcoming tasks sorted by
urgency, support tap-to-complete and deep linking into the app, and
refresh on every task mutation + every 30 minutes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace static delete buttons with swipe gestures (left to delete, right
to complete) and add drag-to-reorder support using react-native-draggable-flatlist.
Inbox is pinned at top of lists tab with a GripVertical drag handle for
custom lists. Polling is paused during drag operations to prevent state conflicts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Scheduled task reminders via expo-notifications with configurable
offset (at time, 1h, 3h, 1 day before)
- Optional calendar sync via expo-calendar (creates/updates/removes
events in a dedicated Simpl-Liste calendar)
- ICS export with RRULE support for inbox, lists, and individual tasks
- New migration adding calendar_event_id to tasks table
- Settings UI for notifications toggle, reminder offset, and calendar sync
- Export buttons in inbox toolbar, list header, and task detail
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Clicking a list now shows its tasks instead of opening new task form
- Add list/[id] detail screen
- Replace crypto.randomUUID() with expo-crypto (Hermes compatibility)
- Add SQL transformer for Drizzle migration files
- Improve priority color visibility in dark mode (lighter variants)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
