Skip to content

Fix Announcement Banner Dismissed & Add secrets in gitignore#3

Merged
florianjs merged 2 commits into
florianjs:mainfrom
IkiaeM:fix
Jan 5, 2026
Merged

Fix Announcement Banner Dismissed & Add secrets in gitignore#3
florianjs merged 2 commits into
florianjs:mainfrom
IkiaeM:fix

Conversation

@IkiaeM

@IkiaeM IkiaeM commented Jan 5, 2026

Copy link
Copy Markdown
Contributor
  • Generates a unique key with a hash of the announcement content so that if the announcement is modified, it reappears.
  • Fixes an issue when loading the page when the ad is “Dismissed” to prevent it from appearing and disappearing immediately.
  • Adds secret files and other sensitive items to gitignore after installation.

Before:
before

After:
after

IkiaeM added 2 commits January 5, 2026 11:05
…istence

- Wrap announcement banner in ClientOnly to prevent SSR/client hydration mismatch
- Add hash-based dismissal tracking to persist state per unique announcement message
- Add announcementReady flag with nextTick to ensure proper transition rendering
- Replace simple boolean dismissal key with message-specific hash key in sessionStorage
Comment thread .gitignore
Comment thread .gitignore
@florianjs florianjs merged commit 6d03208 into florianjs:main Jan 5, 2026
Dim145 added a commit to Dim145/opentracker that referenced this pull request May 10, 2026
Six open Dependabot alerts, all transitive — five in
doc/package-lock.json (florianjs#1florianjs#5) and one in pnpm-lock.yaml (florianjs#6). Patched
in two manifests:

doc/ (vitepress / vite-based docs site):
- Bump direct deps to latest minor: @tailwindcss/vite + tailwindcss
  4.0 → 4.3.0, vitepress 1.5 → 1.6.4, vue 3.5 → 3.5.34.
- Pin npm `overrides`:
    "esbuild": "^0.25.0"   # CVE: dev-server CORS leak  (florianjs#1, florianjs#6)
    "vite":    "^7.3.3"    # CVE: optimized-deps path traversal  (florianjs#4)
  Vite 8 was tested but removes `transformWithEsbuild` which
  VitePress 1.x still imports — sticking on 7.3.x until the
  upstream migration to oxc lands.
- The bump also pulls patched versions of preact (florianjs#2, JSON VNode
  injection), rollup (florianjs#3, arbitrary file write), and postcss (florianjs#5,
  XSS via stringify) transitively — all four cleared by the rebuild.

Workspace root (pnpm):
- Add `esbuild: "^0.25.0"` to `pnpm.overrides`. The vulnerable
  esbuild@0.18.20 was pinned by `@esbuild-kit/core-utils`, the
  legacy ESM loader pulled in by drizzle-kit; the override
  collapses every chain (drizzle-kit, vite, nitropack, tsx,
  vitest) onto esbuild@0.25.12 and drops 0.18.x from the lockfile
  entirely (florianjs#6).

Verified:
- `cd doc && npm audit` → "found 0 vulnerabilities"
- `cd doc && npm run build` → builds in ~3s, all routes render
- `docker build -f doc/Dockerfile doc` → image rebuilds clean
- API rebuild + boot → drizzle-kit schema push still works
  (it was the heaviest user of @esbuild-kit/* on the workspace)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants