Compare commits


9 commits

Author SHA1 Message Date
158204b938 Merge pull request 'fix(security): override @expo/cli ws to ^8.20.1 (GHSA-58qx-3vcg-4xpx) (#92)' (#94) from issue-92-ws-override into master 2026-05-31 19:21:22 +00:00
le king fu
483030081c state: sync after #90 + web deploy
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 15:46:07 -04:00
51429045e6 Merge pull request 'chore(web): document set-state-in-effect on ThemeToggle localStorage read (#90)' (#93) from issue-90-themetoggle-lint-disable into master 2026-05-30 19:25:20 +00:00
le king fu
9ee5372404 fix(security): override @expo/cli ws to ^8.20.1 (GHSA-58qx-3vcg-4xpx) (#92)
npm audit flagged ws 8.0.0-8.20.0 (moderate, uninitialized memory
disclosure) pulled in via expo > @expo/cli > ws@8.20.0. Scope the
override to @expo/cli so only the vulnerable 8.x instance is bumped
(resolved to 8.21.0); metro's ws@7.5.10 and react-native's ws@6.2.3
stay on their majors to avoid breaking the Metro dev server.

All ws here is dev/build tooling (Expo CLI, Metro, react-devtools),
absent from the shipped APK, so this was not exploitable in production
- but the override clears npm audit and stops the Defenseur re-flagging.

npm audit: 0 vulnerabilities. Root smoke green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 15:05:10 -04:00
le king fu
e9ddf27eab chore(web): document set-state-in-effect on ThemeToggle localStorage read (#90)
ThemeToggle's mount effect reads localStorage then setTheme, a pattern
react-hooks/set-state-in-effect flags. It is safe here: localStorage is
SSR-unavailable so the read must happen post-mount, and ThemeScript
already applies the dark class before hydration (no page FOUC). Add a
targeted eslint-disable-next-line with justification.

web/ lint is now green (0 errors).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 14:57:44 -04:00
le king fu
7750214c64 state: sync after #70
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 14:53:57 -04:00
97cf9ce0f7 Merge pull request 'chore(web): fix prefer-const and remove unused import' (#91) from chore/web-lint-cleanup into master 2026-05-30 18:52:34 +00:00
7343f993ee Merge pull request 'fix(web): resolve display name from userInfo, not just claims (#70)' (#89) from issue-70-harmonize-display-name into master 2026-05-30 18:52:22 +00:00
le king fu
4086aac50c chore(web): fix prefer-const and remove unused import
Three pre-existing lint issues surfaced during #70's lint check:
- lists/[id]/page.tsx: subtasksMap was `let`, never reassigned -> const
- api/lists/[id]/tasks/route.ts: query was `let`, never reassigned -> const
- Header.tsx: drop unused `Link` import from next/link

Leaves web/ lint at a single remaining error (ThemeToggle
set-state-in-effect), tracked in #90 (needs a design decision:
useSyncExternalStore vs documented eslint-disable).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 14:22:44 -04:00
7 changed files with 25 additions and 11 deletions


@ -1,16 +1,23 @@
# STATE — simpl-liste
> Derniere MAJ : 2026-05-10 (par fix-issue #87)
> Derniere MAJ : 2026-05-30 (deploy web liste.lacompagnie + #90)
## Position actuelle
Version 1.6.1 (versionCode 13). Remediation vulnerabilites du defenseur en cours
Version 1.6.4 (versionCode 16). Remediation vulnerabilites du defenseur en cours
via overrides `@xmldom/xmldom@^0.8.13` et `uuid@^11.0.0` dans `package.json`
(overnight 2026-04-24). 4 CVE HIGH xmldom nettoyees ; 1 advisory uuid residuelle
non-exploitable en pratique (details dans `SECURITY.md`).
Companion web `liste.lacompagniemaximus.com` : deploye **manuellement** (docker-compose
standalone `/data/simpl-liste-web` sur le VPS, build depuis `source/` rsync — PAS une app
Coolify malgre la spec). Procedure en memoire `simpl-liste-web-deploy`.
## Decisions recentes
- 2026-05-30 : #90 merged (PR #93, ThemeToggle eslint-disable) + premier deploy web depuis 7 sem (rsync source/ + docker compose --build sur VPS) — #70 et #90 live sur liste.lacompagniemaximus.com.
- 2026-05-30 : PR #89 merged — display name web resolu via userInfo (ordre fallback de la vitrine), fix #70.
- 2026-05-30 : nettoyage lint web/ (PR #91, 2 prefer-const + import inutilise) ; #90 analyse (ThemeToggle set-state-in-effect, decision : eslint-disable documente).
- 2026-05-10 : Aligne 6 patches Expo SDK 54 via expo install --fix — expo-doctor 17/17 (ref #87)
- 2026-05-08 : Defenseur rerun confirme 0 findings — overrides existants suffisent, pas de PR necessaire (ref #81)
- 2026-04-24 : overrides xmldom + uuid (spec `spec-decisions-vuln-simpl-liste.md`) — PRs #77, #78, #79 (pending-human).
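Review bot: both the `## Position actuelle` paragraph and the `## Decisions recentes` list still record only the `@xmldom/xmldom` and `uuid` overrides, while this same compare merges the `@expo/cli` > `ws` `^8.20.1` override (#92 via PR #94); this hunk comes from the `state: sync after #90` commit, which predates that merge, so STATE needs a follow-up entry for PR #94 and GHSA-58qx-3vcg-4xpx so the "Remediation vulnerabilites du defenseur en cours" line and the override list stay accurate.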

package-lock.json generated

@ -1,12 +1,12 @@
{
"name": "simpl-liste",
"version": "1.6.3",
"version": "1.6.4",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "simpl-liste",
"version": "1.6.3",
"version": "1.6.4",
"dependencies": {
"@expo-google-fonts/inter": "^0.4.2",
"@expo/ngrok": "^4.1.3",
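Review bot: the lockfile's two root `version` fields move from 1.6.3 to 1.6.4, but none of the 7 changed files in this compare touches the `version` field of `package.json` itself (its only hunk is the `overrides` block around line 68); confirm `package.json` already reads 1.6.4, as the STATE hunk states for versionCode 16, otherwise the manifest and lock drift and the next `npm install` rewrites the lock again.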
@ -6464,9 +6464,9 @@
}
},
"node_modules/expo/node_modules/ws": {
"version": "8.20.0",
"resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
"integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
"version": "8.21.0",
"resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
"integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
"license": "MIT",
"engines": {
"node": ">=10.0.0"
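Review bot: the bumped copy lives at `node_modules/expo/node_modules/ws`, hoisted under `expo` rather than under `@expo/cli`, so it is worth confirming with `npm ls ws` that this 8.21.0 instance is the one `@expo/cli` actually resolves and that no other `ws` copy in the 8.0.0 to 8.20.0 range survives elsewhere in the lock; this being the only `ws` hunk is consistent with the commit message's claim that metro's 7.5.10 and react-native's 6.2.3 stay untouched. The resolved 8.21.0 satisfies `^8.20.1` and the `integrity` hash is updated in step, which is what the audit fix needs.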


@ -68,7 +68,10 @@
"esbuild": "^0.25.0",
"@xmldom/xmldom": "^0.8.13",
"uuid": "^11.1.1",
"postcss": "^8.5.10"
"postcss": "^8.5.10",
"@expo/cli": {
"ws": "^8.20.1"
}
},
"private": true
}
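Review bot: the nested override is scoped correctly, but `SECURITY.md`, which the STATE hunk in this compare names as the place where override details live ("details dans `SECURITY.md`"), is not among the 7 changed files; add an entry there for the `@expo/cli` > `ws` `^8.20.1` override and GHSA-58qx-3vcg-4xpx, with the rationale from the commit message (dev/build tooling only, absent from the shipped APK), alongside the existing xmldom and uuid entries so the next Defenseur or `npm audit` run has it on record.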


@ -74,7 +74,7 @@ export default async function ListPage({
// Fetch subtasks for all parent tasks
const parentIds = tasks.map((t) => t.id);
let subtasksMap: Record<string, Task[]> = {};
const subtasksMap: Record<string, Task[]> = {};
if (parentIds.length > 0) {
const allSubtasks = await db


@ -49,7 +49,7 @@ export async function GET(
}
// Build query
let query = db
const query = db
.select()
.from(slTasks)
.where(and(...conditions));


@ -2,7 +2,6 @@
import { ThemeToggle } from "./ThemeToggle";
import { User, LogOut } from "lucide-react";
import Link from "next/link";
import { useState } from "react";
import { useTranslation } from "react-i18next";


@ -12,6 +12,11 @@ export function ThemeToggle() {
useEffect(() => {
const stored = localStorage.getItem("sl-theme") as Theme | null;
// localStorage is unavailable during SSR, so the stored theme can only be
// read post-mount. ThemeScript already applies the `dark` class before
// hydration (no page FOUC); only the toggle icon corrects on mount. The
// rule is a false positive for this hydration-from-localStorage read.
// eslint-disable-next-line react-hooks/set-state-in-effect
if (stored) setTheme(stored);
}, []);
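Review bot: the `eslint-disable-next-line` sits on the right line (immediately before the `setTheme` call), but the `as Theme | null` cast on the `localStorage.getItem("sl-theme")` read trusts whatever string is stored under that key; any script running on the origin can write it, and an unexpected value would be passed straight into component state. Validate instead of casting, for example `if (stored === "light" || stored === "dark") setTheme(stored);` (assuming those are the members of the `Theme` union, which this hunk does not show), which keeps the documented justification for the effect intact.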