@giphy/react-components@10.1.2 imports noUUIDRandom from @giphy/js-util,
which was only added in 5.x. Previously the uuid override forced uuid@14
into js-util@4.4.2 breaking the noUUIDRandom export. Pin js-util@5.2.0
directly and drop the uuid override (moderate severity, not high).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Resolves all TS2345/TS2347/TS7006 type errors introduced by stricter TypeScript 5.x.
Fix Icons.Settings to Icons.Setting, cast account data returns, fix implicit any.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When a new deploy lands while a tab is open, lazy-loaded chunks (like
GifPicker) disappear because their content-hash filename changes. Vite
dispatches a vite:preloadError event in this case. We reload once and
clear the flag on successful load so future deploys can trigger again.
Icons.Settings is undefined in folds v2.6.2; only Icons.Setting exists.
This caused TypeError: i is not a function when rendering m.room.join_rules
or m.room.guest_access state events in the room timeline, crashing DMs with
those events visible in the initial view.
react-router v7's generatePath() now calls encodeURIComponent() on all
path params. pathUtils.ts was also calling encodeURIComponent() before
passing to generatePath, resulting in double-encoding (e.g. '#' became
'%2523' instead of '%23').
This caused spaces/rooms with alias paths to receive double-encoded
room IDs from useParams(), which were then re-encoded by matrix-sdk
when making HTTP requests (400 Bad Request from Synapse).
Remove the manual encodeURIComponent() calls -- generatePath handles it.
- Fix prettier formatting in useCall.ts and initMatrix.ts (unblocks CI)
- Fix viteStaticCopy stripBase so manifest.json and public/locales/ land
at correct output paths (was getting extra 'public/' prefix from v4 path
preservation behavior)
- Silence react-router v7 HydrateFallback warning on root route (SPA has
no SSR hydration, null is intentional)
1.6.0 did not export SearchContextManager/SearchContext/SearchBar,
causing React error #130 (element type undefined) when opening GifPicker.
5.9.4 uses @emotion (not styled-components), supports React 16-18, and
exports all required components. Downgrade @giphy/js-fetch-api to 4.2.2
to match the peer dep range.
When matrix-sdk is briefly upgraded then reverted, the local IndexedDB
schema version is higher than the SDK expects. Detect the VersionError
DOMException and show a clear 'Clear local data and reload' button
instead of a cryptic error message.
@giphy/react-components@10.x calls styled-components internals
(mergeAttributes) that do not exist in styled-components v6 — crashes
on open. Reverted to 1.6.0 until giphy publishes a v6-compatible release.
WelcomePage: remove Sentry test button (verified working), rename
Support -> Lotus Matrix Guide.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All newly flagged high-severity packages (lodash, js-cookie) are either
in dev-only tools (commitizen) or tree-shaken out of the deployed bundle
(react-use/js-cookie is unused). Zero deployed-bundle impact confirmed.
Being 9 major versions behind accumulates migration debt.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
lodash >= 4.18.0 patches prototype-pollution (GHSA-f23m-r3pf-42rh) and
code-injection (GHSA-r5fr-rjxr-66jc) used by slate-dom/slate-react in
the deployed bundle.
Attempted @giphy/react-components@10.1.2 upgrade but it pulled in new
high-severity lodash and js-cookie vulns — net regression, reverted.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- dompurify updated to 3.4.5 to fix 7 XSS/prototype-pollution CVEs
- emojibase-data added to manualChunks: splits 856 kB out of the main
bundle, reducing it from 1.8 MB to 932 kB
- husky prepare script updated from deprecated "husky install" to "husky"
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace broken vite-plugin-static-copy target for pdf.worker with a
custom closeBundle plugin that copies the file directly to dist root.
Also uninstall vite-plugin-top-level-await which was removed from
vite.config.js in the previous commit.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prettier: auto-formatted 103 files to fix baseline. Prettier check in CI
is now a hard gate (removed continue-on-error).
Brotli: installed libnginx-mod-http-brotli-filter/static. Enabled in nginx
with brotli_static on for pre-compressed assets and comp_level 6.
Sentry releases: deploy script now exports VITE_APP_VERSION=<git-short-sha>
before building so each Sentry release maps to an exact commit.
CI also passes github.sha as VITE_APP_VERSION.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Build is the only hard gate. TS/ESLint/Prettier/audit run as informational
checks (continue-on-error) since the codebase has pre-existing issues from
matrix-js-sdk type incompatibilities and upstream formatting.
Bundle size table is written to the job summary after every build so regressions
are visible without digging into logs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Runs npm ci + npm run build on every push to lotus and on PRs.
Marks commit as failed if the build breaks — gives early feedback
before the webhook deploy script also catches it.
Source map upload skipped in CI (deploy script handles that).
npm audit runs informational-only (continue-on-error) since known
vulns require upstream fixes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
RoomSkeleton: shimmer skeleton matching Room header/timeline/input layout,
used as Suspense fallback for all three Room routes (home/direct/space)
Sentry source maps: @sentry/vite-plugin uploads 72 hidden source map files
to Sentry on each build then deletes them from dist — stack traces now show
real file/line numbers instead of minified bundle positions.
Auth token loaded from /etc/lotus-deploy.env (not in git).
Auto-deploy: webhook receiver on port 9001, nginx proxies
/hooks/lotus-deploy, HMAC-SHA256 verified, triggers on lotus branch push.
Deploy script: git reset --hard + npm ci + npm run build + rsync to webroot.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
browserTracingIntegration injects sentry-trace and baggage headers into all
outgoing fetch calls. Synapse does not list these in Access-Control-Allow-Headers,
so every Matrix API call was blocked by the browser CORS preflight check.
Removed browserTracingIntegration, set tracePropagationTargets:[] and
tracesSampleRate:0. Error capture (the useful part) is unaffected.
CSP fix (Sentry ingest domain) is applied via nginx — no code change needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Initialize Sentry SDK in index.tsx when VITE_SENTRY_DSN env var is set
- Wrap entire App with Sentry.ErrorBoundary (replaces the hard crash with a retry UI)
- 5% trace sample rate, sendDefaultPii disabled, strip events containing accessToken
- Add .env.production template with VITE_SENTRY_DSN placeholder
- Get your DSN from sentry.io -> Project Settings -> Client Keys
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add defensive check in folds Icon component so that if src is ever
undefined or non-function (root cause unknown, possibly data-dependent),
the SVG renders empty rather than throwing and crashing the whole app.
Also adds postinstall script to re-apply the patch after npm install.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fixes GHSA-q89c-q3h5-w34g: path traversal & URL injection via unsanitised
lng/ns parameters. Remaining open issues are all in devDependencies
(commitizen/lodash/tmp) or dev-server-only tools (esbuild/vite), with no
runtime impact on the production build.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Lobby, Explore/FeaturedRooms/PublicRooms, Inbox/Notifications/Invites are
now lazy-loaded via React.lazy so they only enter the bundle when navigated
to. Main bundle: 2547 kB → 2472 kB (gzip 637 → 618 kB).
Spoiler aria-pressed was initialised to false (revealed); changed to true
so the spoiler starts hidden, matching CSS logic (aria-pressed=true →
color:transparent).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previously every visible Message subscribed to settingsAtom via useSetting,
creating O(80) active atom subscriptions. Now RoomTimeline reads it once
and passes it down as a prop, reducing subscriptions to 1.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Lotus Bot