
fix: PR #194 review findings + CI fixes#198

Merged
github-actions[bot] merged 177 commits into main from develop
Apr 23, 2026

Conversation

@tomymaritano
Owner

Summary

Post-merge fixes addressing all review findings from PR #194, plus CI failures and additional improvements.

Security

  • Fix YAML frontmatter escaping (backslashes, control chars) — CodeQL critical
  • Validate plugin IDs with regex + path traversal check
  • Fix PowerShell path interpolation (separate args)
  • Add 50MB size limit + tmpDir cleanup in finally for plugin install
  • HTML-escape table cell content in clipboard export
  • Validate installFromUrl slug matches manifest.id
  • HTTPS-only validation in preload for plugin URLs
  • Enforce minimum 100k PBKDF2 iterations in encryption service

CI Fixes

  • Fix mcp-server TS2532 from noUncheckedIndexedAccess
  • Restructure ESLint: type-aware rules only for src/ files in tsconfig projects (0 errors)
  • ci.yml: add contents:read permission to label job

Accessibility

  • aria-pressed on filter pills, useId() for modal, conditional toast role
  • Auto-focus primary button in welcome dialog

UX

  • Save indicator no longer flashes on note switch
  • UpdateBanner shows error messages with retry
  • SidebarFooter "Synced Xm ago" display
  • Error toasts on failed plugin install/uninstall
  • Marketplace API response validation

Code Quality

  • Async clipboard handlers, Unicode-safe filenames
  • CSS camelCase consistency, danger hover tokens via color-mix
  • Stricter semver regex, .env.example formatting

Test plan

  • pnpm typecheck — 17/17 pass
  • pnpm test — 16/16 pass
  • pnpm lint — 0 errors

🤖 Generated with Claude Code
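The Security bullets above describe a set of input-hardening checks (YAML frontmatter escaping, plugin ID validation with a path traversal check, slug/manifest.id agreement, HTTPS-only plugin URLs, HTML-escaping of exported table cells, a PBKDF2 iteration floor). The following TypeScript is an added illustration of what such checks look like in isolation; it is example code written for this page, not the project's own code from PR #194 or #198. The function names, the `PLUGIN_ID_RE` pattern, the `pluginsRoot` parameter, and the PBKDF2 digest and key length are assumptions; the 100k iteration minimum is the figure the PR description states.

```typescript
import * as path from "node:path";
import { pbkdf2Sync } from "node:crypto";

// Hypothetical plugin ID policy (an assumption, not the project's regex):
// lowercase letters, digits and hyphens, starting with a letter, 2..64 chars.
const PLUGIN_ID_RE = /^[a-z][a-z0-9-]{1,63}$/;

// Returns the plugin's install directory under pluginsRoot, or throws if the ID
// is malformed or the resolved path would escape pluginsRoot (traversal check).
// The regex already rejects "." and "/", so the containment check is defence in depth.
export function resolvePluginDir(pluginsRoot: string, pluginId: string): string {
  if (!PLUGIN_ID_RE.test(pluginId)) {
    throw new Error(`invalid plugin id: ${JSON.stringify(pluginId)}`);
  }
  const root = path.resolve(pluginsRoot);
  const target = path.resolve(root, pluginId);
  if (!target.startsWith(root + path.sep)) {
    throw new Error(`plugin path escapes plugins root: ${target}`);
  }
  return target;
}

// installFromUrl-style check: the slug the caller asked for must equal the
// manifest's own id, so a downloaded manifest cannot install under another name.
export function assertSlugMatchesManifest(slug: string, manifest: { id: string }): void {
  if (slug !== manifest.id) {
    throw new Error(`slug ${slug} does not match manifest.id ${manifest.id}`);
  }
}

// HTTPS-only gate for plugin download URLs (what a preload-side check would do).
// Embedded credentials are rejected as well.
export function isAllowedPluginUrl(raw: string): boolean {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return false;
  }
  return url.protocol === "https:" && url.username === "" && url.password === "";
}

// Escape a table cell before it is placed in an HTML clipboard payload.
export function escapeHtml(cell: string): string {
  return cell
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Serialize a string as a double-quoted YAML scalar. Backslashes, quotes and
// control characters are escaped so a note title cannot break out of the
// frontmatter block or inject extra keys.
export function yamlQuote(value: string): string {
  let out = '"';
  for (const ch of value) {
    const code = ch.codePointAt(0)!;
    if (ch === "\\") out += "\\\\";
    else if (ch === '"') out += '\\"';
    else if (ch === "\n") out += "\\n";
    else if (ch === "\r") out += "\\r";
    else if (ch === "\t") out += "\\t";
    else if (code < 0x20 || code === 0x7f) out += "\\x" + code.toString(16).padStart(2, "0");
    else out += ch;
  }
  return out + '"';
}

// PBKDF2 with an enforced iteration floor: a caller (or a stored config) that
// asks for fewer iterations is refused rather than silently honoured.
export const MIN_PBKDF2_ITERATIONS = 100_000;

export function deriveKey(password: string, salt: string | Uint8Array, iterations: number): Buffer {
  if (!Number.isInteger(iterations) || iterations < MIN_PBKDF2_ITERATIONS) {
    throw new Error(`PBKDF2 iterations must be >= ${MIN_PBKDF2_ITERATIONS}, got ${iterations}`);
  }
  // Digest and key length are assumptions for this example (sha256, 32 bytes).
  return pbkdf2Sync(password, salt, iterations, 32, "sha256");
}
```

The plugin directory check validates the ID syntactically first and only then resolves the path; keeping both guards means a later relaxation of the regex (for instance to allow dots in IDs) does not reopen the traversal case. The YAML quoting writes control characters as `\xNN` rather than dropping them, so the round-trip stays lossless while the frontmatter remains a single scalar.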

tomymaritano and others added 30 commits March 11, 2026 01:41
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Notebooks now sync before notes in syncNow() to ensure note-notebook
dependencies are satisfied. Adds pullNotebooks/pushNotebooks methods
and applyRemoteNotebookChange for bidirectional notebook sync.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move validateNotebookTree from inline test definition to a shared module
so it can be reused by the API route and other consumers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add conflict state to SyncStatusIndicator with amber warning icon
and count. Conflicts now take priority over idle state so users
discover them without navigating to Settings.

Also export ConflictResolver from sync components barrel.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
DatabaseConnection.transaction() already calls the inner fn — no need
for extra () at call site.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix pullNotebooks() to only advance cursor to last successfully
  applied change (prevents skipping failed changes on retry)
- Fix tree validation snapshot to properly exclude deleted notebooks
  (prevents ghost parent references in validation)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
feat: add bidirectional notebook sync
test: add sync-core unit tests (62 tests)
feat: surface sync conflicts in status indicator
# Conflicts:
#	apps/desktop/src/main/services/apiClient.ts
#	apps/desktop/src/main/services/syncService.ts
#	packages/api/src/db/schema.ts
#	packages/api/src/routes/sync.ts
#	packages/storage-sqlite/src/migrations/index.ts
Configure automated code review with path-specific instructions
for core, storage, desktop, and API packages.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ration

Add optional metadata (name, version, priority) to registerRemarkPlugin
and registerRehypePlugin signatures for debugging and execution ordering.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
tomymaritano and others added 17 commits March 29, 2026 18:09
The requestSingleInstanceLock logic was inverted: startup URL parsing
and the second-instance listener were inside if (!gotTheLock), which
only runs in the secondary process that immediately quits. This meant
the primary instance never registered deep-link forwarding, so
readied://auth/verify links were dropped on both cold start and when
the app was already running on Windows/Linux.

Moved both handlers into the else block (primary instance).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4
to 5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pnpm/action-setup/releases">pnpm/action-setup's
releases</a>.</em></p>
<blockquote>
<h2>v5.0.0</h2>
<p>Updated the action to use Node.js 24.</p>
<h2>v4.4.0</h2>
<p>Updated the action to use Node.js 24.</p>
<h2>v4.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>docs: fix the run_install example in the Readme by <a
href="https://github.com/dreyks"><code>@​dreyks</code></a> in <a
href="https://redirect.github.com/pnpm/action-setup/pull/175">pnpm/action-setup#175</a></li>
<li>chore: remove unused <code>@types/node-fetch</code> dependency by <a
href="https://github.com/silverwind"><code>@​silverwind</code></a> in <a
href="https://redirect.github.com/pnpm/action-setup/pull/186">pnpm/action-setup#186</a></li>
<li>Clarify that package_json_file is relative to GITHUB_WORKSPACE by <a
href="https://github.com/chris-martin"><code>@​chris-martin</code></a>
in <a
href="https://redirect.github.com/pnpm/action-setup/pull/184">pnpm/action-setup#184</a></li>
<li>feat: store caching by <a
href="https://github.com/jrmajor"><code>@​jrmajor</code></a> in <a
href="https://redirect.github.com/pnpm/action-setup/pull/188">pnpm/action-setup#188</a></li>
<li>refactor: remove star imports by <a
href="https://github.com/KSXGitHub"><code>@​KSXGitHub</code></a> in <a
href="https://redirect.github.com/pnpm/action-setup/pull/196">pnpm/action-setup#196</a></li>
<li>fix(ci): exclude macos by <a
href="https://github.com/KSXGitHub"><code>@​KSXGitHub</code></a> in <a
href="https://redirect.github.com/pnpm/action-setup/pull/197">pnpm/action-setup#197</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/dreyks"><code>@​dreyks</code></a> made
their first contribution in <a
href="https://redirect.github.com/pnpm/action-setup/pull/175">pnpm/action-setup#175</a></li>
<li><a
href="https://github.com/silverwind"><code>@​silverwind</code></a> made
their first contribution in <a
href="https://redirect.github.com/pnpm/action-setup/pull/186">pnpm/action-setup#186</a></li>
<li><a
href="https://github.com/chris-martin"><code>@​chris-martin</code></a>
made their first contribution in <a
href="https://redirect.github.com/pnpm/action-setup/pull/184">pnpm/action-setup#184</a></li>
<li><a href="https://github.com/jrmajor"><code>@​jrmajor</code></a> made
their first contribution in <a
href="https://redirect.github.com/pnpm/action-setup/pull/188">pnpm/action-setup#188</a></li>
<li><a
href="https://github.com/Boosted-Bonobo"><code>@​Boosted-Bonobo</code></a>
made their first contribution in <a
href="https://redirect.github.com/pnpm/action-setup/pull/199">pnpm/action-setup#199</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pnpm/action-setup/compare/v4.2.0...v4.3.0">https://github.com/pnpm/action-setup/compare/v4.2.0...v4.3.0</a></p>
<h2>v4.2.0</h2>
<p>When there's a <code>.npmrc</code> file at the root of the
repository, pnpm will be fetched from the registry that is specified in
that <code>.npmrc</code> file <a
href="https://redirect.github.com/pnpm/action-setup/pull/179">#179</a></p>
<h2>v4.1.0</h2>
<p>Add support for <code>package.yaml</code> <a
href="https://redirect.github.com/pnpm/action-setup/pull/156">#156</a>.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pnpm/action-setup/commit/fc06bc1257f339d1d5d8b3a19a8cae5388b55320"><code>fc06bc1</code></a>
feat!: run the action on Node.js 24 (<a
href="https://redirect.github.com/pnpm/action-setup/issues/205">#205</a>)</li>
<li>See full diff in <a
href="https://github.com/pnpm/action-setup/compare/v4...v5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pnpm/action-setup&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/labeler](https://github.com/actions/labeler) from 5 to 6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/labeler/releases">actions/labeler's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add workflow file for publishing releases to immutable action
package by <a
href="https://github.com/jcambass"><code>@​jcambass</code></a> in <a
href="https://redirect.github.com/actions/labeler/pull/802">actions/labeler#802</a></li>
</ul>
<h3>Breaking Changes</h3>
<ul>
<li>Upgrade Node.js version to 24 in action and dependencies <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/labeler/pull/891">actions/labeler#891</a>
Make sure your runner is on version v2.327.1 or later to ensure
compatibility with this release. <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Release
Notes</a></li>
</ul>
<h3>Dependency Upgrades</h3>
<ul>
<li>Upgrade eslint-config-prettier from 9.0.0 to 9.1.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/711">actions/labeler#711</a></li>
<li>Upgrade eslint from 8.52.0 to 8.55.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/720">actions/labeler#720</a></li>
<li>Upgrade <code>@​types/jest</code> from 29.5.6 to 29.5.11 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/719">actions/labeler#719</a></li>
<li>Upgrade <code>@​types/js-yaml</code> from 4.0.8 to 4.0.9 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/718">actions/labeler#718</a></li>
<li>Upgrade <code>@​typescript-eslint/parser</code> from 6.9.0 to 6.14.0
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/717">actions/labeler#717</a></li>
<li>Upgrade prettier from 3.0.3 to 3.1.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/726">actions/labeler#726</a></li>
<li>Upgrade eslint from 8.55.0 to 8.56.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/725">actions/labeler#725</a></li>
<li>Upgrade <code>@​typescript-eslint/parser</code> from 6.14.0 to
6.19.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/745">actions/labeler#745</a></li>
<li>Upgrade eslint-plugin-jest from 27.4.3 to 27.6.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/744">actions/labeler#744</a></li>
<li>Upgrade <code>@​typescript-eslint/eslint-plugin</code> from 6.9.0 to
6.20.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/750">actions/labeler#750</a></li>
<li>Upgrade prettier from 3.1.1 to 3.2.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/752">actions/labeler#752</a></li>
<li>Upgrade undici from 5.26.5 to 5.28.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/757">actions/labeler#757</a></li>
<li>Upgrade braces from 3.0.2 to 3.0.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/789">actions/labeler#789</a></li>
<li>Upgrade minimatch from 9.0.3 to 10.0.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/805">actions/labeler#805</a></li>
<li>Upgrade <code>@​actions/core</code> from 1.10.1 to 1.11.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/811">actions/labeler#811</a></li>
<li>Upgrade typescript from 5.4.3 to 5.7.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/819">actions/labeler#819</a></li>
<li>Upgrade <code>@​typescript-eslint/parser</code> from 7.3.1 to 8.17.0
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/824">actions/labeler#824</a></li>
<li>Upgrade prettier from 3.2.5 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/825">actions/labeler#825</a></li>
<li>Upgrade <code>@​types/jest</code> from 29.5.12 to 29.5.14 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/827">actions/labeler#827</a></li>
<li>Upgrade eslint-plugin-jest from 27.9.0 to 28.9.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/832">actions/labeler#832</a></li>
<li>Upgrade ts-jest from 29.1.2 to 29.2.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/831">actions/labeler#831</a></li>
<li>Upgrade <code>@​vercel/ncc</code> from 0.38.1 to 0.38.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/830">actions/labeler#830</a></li>
<li>Upgrade typescript from 5.7.2 to 5.7.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/835">actions/labeler#835</a></li>
<li>Upgrade eslint-plugin-jest from 28.9.0 to 28.11.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/839">actions/labeler#839</a></li>
<li>Upgrade undici from 5.28.4 to 5.28.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/842">actions/labeler#842</a></li>
<li>Upgrade <code>@​octokit/request-error</code> from 5.0.1 to 5.1.1 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/labeler/pull/846">actions/labeler#846</a></li>
</ul>
<h3>Documentation changes</h3>
<ul>
<li>Add note regarding <code>pull_request_target</code> to README.md by
<a href="https://github.com/silverwind"><code>@​silverwind</code></a> in
<a
href="https://redirect.github.com/actions/labeler/pull/669">actions/labeler#669</a></li>
<li>Update readme with additional examples and important note about
<code>pull_request_target</code> event by <a
href="https://github.com/IvanZosimov"><code>@​IvanZosimov</code></a> in
<a
href="https://redirect.github.com/actions/labeler/pull/721">actions/labeler#721</a></li>
<li>Document update - permission section by <a
href="https://github.com/harithavattikuti"><code>@​harithavattikuti</code></a>
in <a
href="https://redirect.github.com/actions/labeler/pull/840">actions/labeler#840</a></li>
<li>Improvement in documentation for pull_request_target event usage in
README by <a
href="https://github.com/suyashgaonkar"><code>@​suyashgaonkar</code></a>
in <a
href="https://redirect.github.com/actions/labeler/pull/871">actions/labeler#871</a></li>
<li>Fix broken links in documentation by <a
href="https://github.com/suyashgaonkar"><code>@​suyashgaonkar</code></a>
in <a
href="https://redirect.github.com/actions/labeler/pull/822">actions/labeler#822</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/silverwind"><code>@​silverwind</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/labeler/pull/669">actions/labeler#669</a></li>
<li><a href="https://github.com/Jcambass"><code>@​Jcambass</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/labeler/pull/802">actions/labeler#802</a></li>
<li><a
href="https://github.com/suyashgaonkar"><code>@​suyashgaonkar</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/labeler/pull/822">actions/labeler#822</a></li>
<li><a
href="https://github.com/HarithaVattikuti"><code>@​HarithaVattikuti</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/labeler/pull/840">actions/labeler#840</a></li>
<li><a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/labeler/pull/891">actions/labeler#891</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/labeler/commit/634933edcd8ababfe52f92936142cc22ac488b1b"><code>634933e</code></a>
publish-action upgrade to 0.4.0 from 0.2.2 (<a
href="https://redirect.github.com/actions/labeler/issues/901">#901</a>)</li>
<li><a
href="https://github.com/actions/labeler/commit/f1a63e87db0c6baf19c5713083f8d00d789ca184"><code>f1a63e8</code></a>
Update Node.js version to 24 in action and dependencies (<a
href="https://redirect.github.com/actions/labeler/issues/891">#891</a>)</li>
<li><a
href="https://github.com/actions/labeler/commit/b0a1180683c9f17424de4d71c044bea4c7b9bc7c"><code>b0a1180</code></a>
Bump <code>@​octokit/request-error</code> from 5.0.1 to 5.1.1 (<a
href="https://redirect.github.com/actions/labeler/issues/846">#846</a>)</li>
<li><a
href="https://github.com/actions/labeler/commit/110d44140c9195b853f2f24044bbfed8f4968efb"><code>110d441</code></a>
Update README.md (<a
href="https://redirect.github.com/actions/labeler/issues/871">#871</a>)</li>
<li><a
href="https://github.com/actions/labeler/commit/bee50fefe18762fad67754b2f3bfff2c8082ebb8"><code>bee50fe</code></a>
Bump undici from 5.28.4 to 5.28.5 (<a
href="https://redirect.github.com/actions/labeler/issues/842">#842</a>)</li>
<li><a
href="https://github.com/actions/labeler/commit/6463cdb00ee92c05bec55dffc4e1fce250301945"><code>6463cdb</code></a>
Bump eslint-plugin-jest from 28.9.0 to 28.11.0 (<a
href="https://redirect.github.com/actions/labeler/issues/839">#839</a>)</li>
<li><a
href="https://github.com/actions/labeler/commit/c209686724ee12fcc5e6294d1d569b91f86fa691"><code>c209686</code></a>
Bump typescript from 5.7.2 to 5.7.3 (<a
href="https://redirect.github.com/actions/labeler/issues/835">#835</a>)</li>
<li><a
href="https://github.com/actions/labeler/commit/5184940b544b0096088a7b42d1b8a551003d9eb1"><code>5184940</code></a>
Bump <code>@​vercel/ncc</code> from 0.38.1 to 0.38.3 (<a
href="https://redirect.github.com/actions/labeler/issues/830">#830</a>)</li>
<li><a
href="https://github.com/actions/labeler/commit/3629d5568b59204f18786372f6d740d649719488"><code>3629d55</code></a>
Document update - permission section (<a
href="https://redirect.github.com/actions/labeler/issues/840">#840</a>)</li>
<li><a
href="https://github.com/actions/labeler/commit/d24f7f3731b2a06433c0bccc364d560c5329c48f"><code>d24f7f3</code></a>
Bump ts-jest from 29.1.2 to 29.2.5 (<a
href="https://redirect.github.com/actions/labeler/issues/831">#831</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/labeler/compare/v5...v6">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3 to 4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.35.1</h2>
<ul>
<li>Fix incorrect minimum required Git version for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3781">#3781</a></li>
</ul>
<h2>v3.35.0</h2>
<ul>
<li>Reduced the minimum Git version required for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> from 2.38.0 to 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1">2.25.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3773">#3773</a></li>
</ul>
<h2>v3.34.1</h2>
<ul>
<li>Downgrade default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>
due to issues with a small percentage of Actions and JavaScript
analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li>
</ul>
<h2>v3.34.0</h2>
<ul>
<li>Added an experimental change which disables TRAP caching when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> is enabled, since improved incremental analysis
supersedes TRAP caching. This will improve performance and reduce
Actions cache usage. We expect to roll this change out to everyone in
March. <a
href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li>
<li>We are rolling out improved incremental analysis to C/C++ analyses
that use build mode <code>none</code>. We expect this rollout to be
complete by the end of April 2026. <a
href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li>
</ul>
<h2>v3.33.0</h2>
<ul>
<li>Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change. <a
href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a>
To opt out of this change:
<ul>
<li><strong>Repositories owned by an organization:</strong> Create a
custom repository property with the name
<code>github-codeql-file-coverage-on-prs</code> and the type
&quot;True/false&quot;, then set this property to <code>true</code> in
the repository's settings. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>.
Alternatively, if you are using an advanced setup workflow, you can set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using default setup:</strong> Switch
to an advanced setup workflow and set the
<code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to
<code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using advanced setup:</strong> Set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
</ul>
</li>
<li>Fixed <a
href="https://redirect.github.com/github/codeql-action/issues/3555">a
bug</a> which caused the CodeQL Action to fail loading repository
properties if a &quot;Multi select&quot; repository property was
configured for the repository. <a
href="https://redirect.github.com/github/codeql-action/pull/3557">#3557</a></li>
<li>The CodeQL Action now loads <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">custom
repository properties</a> on GitHub Enterprise Server, enabling the
customization of features such as
<code>github-codeql-disable-overlay</code> that was previously only
available on GitHub.com. <a
href="https://redirect.github.com/github/codeql-action/pull/3559">#3559</a></li>
<li>Once <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries</a> can be configured with OIDC-based authentication
for organizations, the CodeQL Action will now be able to accept such
configurations. <a
href="https://redirect.github.com/github/codeql-action/pull/3563">#3563</a></li>
<li>Fixed the retry mechanism for database uploads. Previously this
would fail with the error &quot;Response body object should not be
disturbed or locked&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/3564">#3564</a></li>
<li>A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3570">#3570</a></li>
</ul>
<h2>v3.32.6</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3548">#3548</a></li>
</ul>
<h2>v3.32.5</h2>
<ul>
<li>Repositories owned by an organization can now set up the
<code>github-codeql-disable-overlay</code> custom repository property to
disable <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis for CodeQL</a>. First, create a custom repository
property with the name <code>github-codeql-disable-overlay</code> and
the type &quot;True/false&quot; in the organization's settings. Then in
the repository's settings, set this property to <code>true</code> to
disable improved incremental analysis. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>. This
feature is not yet available on GitHub Enterprise Server. <a
href="https://redirect.github.com/github/codeql-action/pull/3507">#3507</a></li>
<li>Added an experimental change so that when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> fails on a runner — potentially due to
insufficient disk space — the failure is recorded in the Actions cache
so that subsequent runs will automatically skip improved incremental
analysis until something changes (e.g. a larger runner is provisioned or
a new CodeQL version is released). We expect to roll this change out to
everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3487">#3487</a></li>
<li>The minimum memory check for improved incremental analysis is now
skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage.
<a
href="https://redirect.github.com/github/codeql-action/pull/3515">#3515</a></li>
<li>Reduced log levels for best-effort private package registry
connection check failures to reduce noise from workflow annotations. <a
href="https://redirect.github.com/github/codeql-action/pull/3516">#3516</a></li>
<li>Added an experimental change which lowers the minimum disk space
requirement for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>, enabling it to run on standard GitHub Actions
runners. We expect to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3498">#3498</a></li>
<li>Added an experimental change which allows the
<code>start-proxy</code> action to resolve the CodeQL CLI version from
feature flags instead of using the linked CLI bundle version. We expect
to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3512">#3512</a></li>
<li>The previously experimental changes from versions 4.32.3, 4.32.4,
3.32.3 and 3.32.4 are now enabled by default. <a
href="https://redirect.github.com/github/codeql-action/pull/3503">#3503</a>,
<a
href="https://redirect.github.com/github/codeql-action/pull/3504">#3504</a></li>
</ul>
<h2>v3.32.4</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li>
<li>Added an experimental change which improves how certificates are
generated for the authentication proxy that is used by the CodeQL Action
in Default Setup when <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries are configured</a>. This is expected to generate more
widely compatible certificates and should have no impact on analyses
which are working correctly already. We expect to roll this change out
to everyone in February. <a
href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li>
<li>When the CodeQL Action is run <a
href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with
debugging enabled in Default Setup</a> and <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries are configured</a>, the &quot;Setup proxy for
registries&quot; step will output additional diagnostic information that
can be used for troubleshooting. <a
href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li>
<li>Added a setting which allows the CodeQL Action to enable network
debugging for Java programs. This will help GitHub staff support
customers with troubleshooting issues in GitHub-managed CodeQL
workflows, such as Default Setup. This setting can only be enabled by
GitHub staff. <a
href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li>
<li>Added a setting which enables GitHub-managed workflows, such as
Default Setup, to use a <a
href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly
CodeQL CLI release</a> instead of the latest, stable release that is
used by default. This will help GitHub staff support customers whose
analyses for a given repository or organization require early access to
a change in an upcoming CodeQL CLI release. This setting can only be
enabled by GitHub staff. <a
href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li>
</ul>
<h2>v3.32.3</h2>
<ul>
<li>Added experimental support for testing connections to <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries</a>. This feature is not currently enabled for any
analysis. In the future, it may be enabled by default for Default Setup.
<a
href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li>
</ul>
<h2>v3.32.2</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h2>4.32.3 - 13 Feb 2026</h2>
<ul>
<li>Added experimental support for testing connections to <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries</a>. This feature is not currently enabled for any
analysis. In the future, it may be enabled by default for Default Setup.
<a
href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li>
</ul>
<h2>4.32.2 - 05 Feb 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li>
</ul>
<h2>4.32.1 - 02 Feb 2026</h2>
<ul>
<li>A warning is now shown in Default Setup workflow logs if a <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registry is configured</a> using a GitHub Personal Access Token
(PAT), but no username is configured. <a
href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li>
<li>Fixed a bug which caused the CodeQL Action to fail when repository
properties cannot successfully be retrieved. <a
href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li>
</ul>
<h2>4.32.0 - 26 Jan 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li>
</ul>
<h2>4.31.11 - 23 Jan 2026</h2>
<ul>
<li>When running a Default Setup workflow with <a
href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions
debugging enabled</a>, the CodeQL Action will now use more unique names
when uploading logs from the Dependabot authentication proxy as workflow
artifacts. This ensures that the artifact names do not clash between
multiple jobs in a build matrix. <a
href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li>
<li>Improved error handling throughout the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li>
<li>Added experimental support for automatically excluding <a
href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated
files</a> from the analysis. This feature is not currently enabled for
any analysis. In the future, it may be enabled by default for some
GitHub-managed analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li>
<li>The changelog extracts that are included with releases of the CodeQL
Action are now shorter to avoid duplicated information from appearing in
Dependabot PRs. <a
href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li>
</ul>
<h2>4.31.10 - 12 Jan 2026</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.9. <a
href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li>
</ul>
<h2>4.31.9 - 16 Dec 2025</h2>
<p>No user facing changes.</p>
<h2>4.31.8 - 11 Dec 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.8. <a
href="https://redirect.github.com/github/codeql-action/pull/3354">#3354</a></li>
</ul>
<h2>4.31.7 - 05 Dec 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.7. <a
href="https://redirect.github.com/github/codeql-action/pull/3343">#3343</a></li>
</ul>
<h2>4.31.6 - 01 Dec 2025</h2>
<p>No user facing changes.</p>
<h2>4.31.5 - 24 Nov 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.6. <a
href="https://redirect.github.com/github/codeql-action/pull/3321">#3321</a></li>
</ul>
<h2>4.31.4 - 18 Nov 2025</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/5cc552f43e3a9ff0174c3f5ff48a65f65932165c"><code>5cc552f</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3768">#3768</a>
from github/dependabot/npm_and_yarn/npm-minor-3536e7...</li>
<li><a
href="https://github.com/github/codeql-action/commit/6b1a9f21316cab28a783572d1a21f9c64440e119"><code>6b1a9f2</code></a>
Merge branch 'main' into
dependabot/npm_and_yarn/npm-minor-3536e7c6f0</li>
<li><a
href="https://github.com/github/codeql-action/commit/9d3ec5727af849d875626d89231bc989ed1aa11d"><code>9d3ec57</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3770">#3770</a>
from github/dependabot/github_actions/dot-github/wor...</li>
<li><a
href="https://github.com/github/codeql-action/commit/3ff82aacd04bbf827a9ebbbe4084ad623a5dd7ee"><code>3ff82aa</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3575">#3575</a>
from github/mbg/ts/sync-checks</li>
<li><a
href="https://github.com/github/codeql-action/commit/4bdd4e7526a4cfd5a91592c3b8429e517975e99f"><code>4bdd4e7</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3554">#3554</a>
from github/sam-robson/overlay-include-diff</li>
<li><a
href="https://github.com/github/codeql-action/commit/23a0098b57aa5903397f33daf70c093ec77d2d1c"><code>23a0098</code></a>
fix: improve error handling and logging for diff range path
resolution</li>
<li><a
href="https://github.com/github/codeql-action/commit/ea7b090925e11be0e9d47ec732e8b7265b86ff57"><code>ea7b090</code></a>
Rebuild</li>
<li><a
href="https://github.com/github/codeql-action/commit/a663d0174ae6d4729785acc36e8967971de379e4"><code>a663d01</code></a>
Bump ruby/setup-ruby</li>
<li><a
href="https://github.com/github/codeql-action/commit/b659882aae80c1450f0b84dc23c4ad35812f6621"><code>b659882</code></a>
Bump the npm-minor group with 5 updates</li>
<li><a
href="https://github.com/github/codeql-action/commit/d5bb39fa0b22a80973c7598d7b60a9bec2778bef"><code>d5bb39f</code></a>
refactor: single source of truth for getDiffRangesJsonFilePath and
simplified...</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/v3...v4">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Remove redundant auto-tag.yml (semantic-release handles tags)
- Unify GH_TOKEN across all CI workflows, fix GH Actions injection patterns
- Fix command injection in plugin install (exec → execFile)
- Fix race condition and missing .catch() in useEmbedResolver
- Standardize all 16 tsconfigs to extend base (strict mode everywhere)
- Fix 12 type errors from noUncheckedIndexedAccess in API routes
- Enable no-floating-promises ESLint rule with typed linting
- Fix 12 floating promises in main process with void operator
- Upgrade fumadocs 15→16 with import migration for Next.js 16 compat
- Sync lucide-react to ^0.562.0, TypeScript to ^5.7.2 across monorepo
- Remove stale @types/react global override (was breaking web app React 19)
- Add exports field to mcp-server and plugin-cli packages
- Remove stale site/* from pnpm-workspace.yaml
- Add version validation and error handling to bump-version.js
- Add settings broadcast guard in preload
- Remove hardcoded version from Hero.tsx
- Add .env.example for developer onboarding
- Optimize pre-push hook (typecheck only, tests in CI)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix all 72 floating promise warnings with void operators (30 files)
- Upgrade Electron 29→35 (Chromium 134, Node.js 22, security patches)
- Update electron-updater to ^6.8.3
- Add renderer store tests: editorBufferStore, editorPreferencesStore,
  performanceStore (26 new tests, 51 total desktop tests)
- Enable no-floating-promises as error (was warn, now 0 violations)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…improvements

Design System:
- Add Button primitive (primary/secondary/danger/ghost variants, loading state)
- Add Toast notification system (success/error/info/warning, auto-dismiss)
- Add Modal pattern (glass effect, portal, escape/overlay close)
- Add typography tokens (font-weight, line-height, letter-spacing)

UX Improvements:
- Add save indicator in editor ("Saving..." → "Saved")
- Flush pending saves on window close (prevent data loss)
- Show toast notifications for plugin install/uninstall/toggle
- Humanize AI error messages (raw codes → actionable user guidance)
- Add settings "Reset to Defaults" button in sidebar
- Add update notification banner at top of app window

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Design System:
- Replace ~60 hardcoded spacing values with --space-* tokens across 14 CSS modules
- Consolidate 30+ ad-hoc button styles to Button primitive in all settings sections
- Migrate AiSection inline styles to CSS module classes

UX Features:
- Add welcome screen for first-run onboarding with feature highlights
- Add sync progress indicator in sidebar footer (pending count, status, retry)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Search:
- Add collapsible filter bar with status pills (All/Active/On Hold/Completed/Dropped)
- Add tag filter dropdown populated from existing tags
- Add sort controls (by title/created/updated, asc/desc)
- Filter toggle button with active count badge

Plugin Marketplace:
- Wire BrowseTab to fetch plugins from API (https://api.readied.app/plugins)
- Graceful offline fallback to static built-in list with notice
- Add plugins:installFromUrl IPC handler (download + extract + validate)
- Install button with loading state, toast feedback
- Cross-reference installed plugins to show "Installed" badge
- Auto-refresh installed tab after marketplace install

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tables:
- Add comprehensive table CSS (tables.css) for editor/preview parity
- Style WYSIWYG editor tables identical to preview (tokens, stripes, hover)
- Style insert-table modal with glass effect and accent grid selection
- Style sortable table headers with sort indicators
- Add overflow-x:auto for wide tables, row hover effects
- Remove hardcoded text-align so GFM alignment markers work

Export:
- Add YAML frontmatter to exported markdown (title, dates, tags, id)
- Add per-note file export command (Cmd+Shift+E → save dialog)
- Improve HTML clipboard conversion: tables, blockquotes, ordered
  lists, images, horizontal rules
- Add data:exportNote IPC handler with save dialog

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Conflicts:
#	apps/desktop/package.json
#	pnpm-lock.yaml
Security:
- Fix YAML frontmatter backslash escaping (CodeQL critical)
- Validate plugin IDs with regex + path traversal check (P1)
- Fix PowerShell path interpolation to use separate args
- Add 50MB size limit and try/finally cleanup to installFromUrl
- Fix semver regex to accept build metadata

Accessibility:
- Welcome screen: role=dialog, aria-modal, aria-labelledby, Escape handler
- Modal: aria-labelledby, focus on open, tabIndex
- Toast: aria-live=assertive for errors, polite for others
- Welcome Skip button uses Button primitive

UX fixes:
- Save indicator no longer flashes on note switch (track noteId)
- UpdateBanner handles download errors with retry
- UpdatesSection installNow wrapped in try/catch
- Welcome copy updated: "Local-First" instead of "Offline Forever"
- Hero play overlay hidden when no video URL

Code quality:
- CSS keyframes renamed to kebab-case (Stylelint)
- MagicLinkFlow border-radius uses --radius-xl not --space-4
- Button.module.css currentcolor lowercase
- Toast word-break → overflow-wrap
- .env.example with parser-safe placeholders
- NoteListFilterBar unmount guard + error handling
- SidebarFooter prevStatusRef always updated
- PluginsSection slug/id matching improved
- Stripe timestamp NaN guard
- source.ts import order fixed
- Test improvements (consistent patterns, comments)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…oad)

Security hardening:
- encryptionService: enforce minimum 100k PBKDF2 iterations
- encryptionService: validate hex strings before Buffer.from()
- preload: validate HTTPS-only URLs for plugin install
- preload: guard log:write against non-string payloads

Sync/encryption:
- syncService: emit status event when encryption not ready (UI visibility)
- apiClient: add explicit type generics to all E2EE request calls

CI:
- ci.yml: add contents:read permission to label job

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix mcp-server TS2532 errors from noUncheckedIndexedAccess (optional chaining on regex matches)
- Restructure ESLint config: type-aware rules only for src/ files in tsconfig projects
- Ignore incomplete ai-assistant package
- Result: 0 lint errors, 32 warnings (all non-blocking)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Main process:
- exportNote: async writeFile, Unicode-safe filename sanitizer
- plugins:install: tmpDir cleanup via finally block
- plugins:installFromUrl: slug validation, URL parsing, JSON guard

Renderer:
- NoteListFilterBar: aria-pressed on pills, error logging in tags fetch
- NoteEditor: guard saved flash against note switch (trackedNoteIdRef)
- Welcome: auto-focus primary button on mount
- UpdateBanner: include error message in UI, check startDownload result
- SidebarFooter: "Synced Xm ago" display, subscribe to lastSyncAt
- Modal: useId() for unique aria-labelledby
- Toast: conditional role (alert vs status)

Plugins & export:
- PluginsSection: error toast on failed install/uninstall, validate API response
- Section.module.css: rename plugin-spinner to pluginSpinner (camelCase)
- exportMarkdown: escapeHtml in tables, escapeYamlScalar in frontmatter,
  async clipboard handlers
- Button.module.css: danger hover uses color-mix tokens
- Hero.tsx: non-interactive wrapper when no video URL

Other:
- .env.example: inline comments moved to own lines
- bump-version.js: stricter semver regex

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Conflicts:
#	.env.example
#	apps/desktop/src/main/index.ts
#	apps/desktop/src/renderer/components/NoteEditor.tsx
#	apps/desktop/src/renderer/components/NoteListFilterBar.tsx
#	apps/desktop/src/renderer/components/UpdateBanner.tsx
#	apps/desktop/src/renderer/components/Welcome.tsx
#	apps/desktop/src/renderer/components/sidebar/SidebarFooter.tsx
#	apps/desktop/src/renderer/pages/settings/sections/PluginsSection.tsx
#	apps/desktop/src/renderer/pages/settings/sections/Section.module.css
#	apps/desktop/src/renderer/plugins/exportMarkdown.ts
#	apps/desktop/src/renderer/ui/patterns/Modal.tsx
#	apps/desktop/src/renderer/ui/primitives/Button.module.css
#	apps/desktop/src/renderer/ui/primitives/Toast.tsx
#	apps/web/components/landing/Hero.tsx
#	pnpm-lock.yaml
#	scripts/bump-version.js
@vercel
vercel Bot commented Apr 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project   Deployment   Actions   Updated (UTC)
readide   Error        Error     Apr 23, 2026 4:00pm


@coderabbitai

coderabbitai Bot commented Apr 23, 2026

Warning

Rate limit exceeded

@tomymaritano has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 7 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 10 minutes and 7 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: fa27c301-43a3-430b-852b-79e33401da6b

📥 Commits

Reviewing files that changed from the base of the PR and between 3484982 and 549339d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (19)
  • .claude/settings.local.json
  • .env.example
  • apps/desktop/package.json
  • apps/desktop/src/main/index.ts
  • apps/desktop/src/renderer/components/NoteEditor.tsx
  • apps/desktop/src/renderer/components/NoteListFilterBar.tsx
  • apps/desktop/src/renderer/components/UpdateBanner.tsx
  • apps/desktop/src/renderer/components/Welcome.tsx
  • apps/desktop/src/renderer/components/sidebar/SidebarFooter.tsx
  • apps/desktop/src/renderer/pages/settings/sections/PluginsSection.tsx
  • apps/desktop/src/renderer/pages/settings/sections/Section.module.css
  • apps/desktop/src/renderer/plugins/exportMarkdown.ts
  • apps/desktop/src/renderer/ui/patterns/Modal.tsx
  • apps/desktop/src/renderer/ui/primitives/Button.module.css
  • apps/desktop/src/renderer/ui/primitives/Toast.tsx
  • apps/web/components/landing/Hero.tsx
  • apps/web/next-env.d.ts
  • apps/web/tsconfig.json
  • scripts/bump-version.js

@github-actions github-actions Bot merged commit b5b4749 into main Apr 23, 2026
16 of 18 checks passed
@github-actions github-actions Bot added dependencies Pull requests that update a dependency file app:web app:desktop size/L labels Apr 23, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 549339d469


Comment on lines 57 to +60
if (!open) return null;

const titleId = title != null ? 'modal-title' : undefined;
const generatedId = useId();
const titleId = title != null ? generatedId : undefined;
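Review bot: `useId()` is invoked after `if (!open) return null;`, which makes a hook call conditional on `open` and breaks the rules of hooks; hoist `const generatedId = useId();` above the early return so it runs on every render of this component. Separately, this rendered view shows both `const titleId = title != null ? 'modal-title' : undefined;` and its `generatedId` replacement without add/remove markers; only the `generatedId` line should remain in the file, otherwise `titleId` is declared twice in the same scope.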

P1: Move useId above early return

useId() is invoked only after if (!open) return null, which makes hook execution conditional on open. When the same Modal instance rerenders from closed to open, React can throw a hook order error ("Rendered more hooks than during the previous render"), so toggling visibility via the open prop can break at runtime.


}

// Validate manifest.id matches the expected pluginSlug if provided
if (pluginSlug && pluginSlug.length > 0 && manifest.id !== pluginSlug) {
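Review bot: `pluginSlug && pluginSlug.length > 0` is just a truthiness check on a string (the empty string is already falsy), so `if (pluginSlug && manifest.id !== pluginSlug)` says the same thing more plainly. More importantly, the comment makes the slug optional ("if provided"), so this equality check cannot be the gate that keeps the install on the filesystem safe; make sure `manifest.id` has already passed the plugin ID regex and path-traversal validation introduced in this PR before this branch, whether or not a slug was supplied.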

P2: Remove strict slug/id equality check in plugin install

This rejects downloads whenever manifest.id !== pluginSlug, but marketplace slug and plugin manifest id are not guaranteed to be the same identifier in this codebase (the UI already has slug/id reconciliation logic). As a result, valid marketplace bundles can be blocked from installation even though the existing id format and path traversal validations already protect filesystem safety.


github-actions Bot pushed a commit that referenced this pull request Apr 23, 2026
## Summary
Fixes two review findings from PR #198:

- **P1**: Move `useId()` above early return in Modal to prevent React
hook order violation
- **P2**: Remove strict slug/id equality check in
`plugins:installFromUrl` — marketplace slug and manifest id are
independent identifiers

## Test plan
- [x] `pnpm typecheck` — 17/17 pass
- [x] `pnpm test` — 16/16 pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tomymaritano added a commit that referenced this pull request Apr 23, 2026
#208)

## Release Summary

Major release with all review findings resolved and conflicts synced.

### Highlights
- Design system primitives (Button, Toast, Modal)
- Advanced search filters + functional plugin marketplace
- High-quality table rendering (editor = preview parity)
- Document export with YAML frontmatter + per-note export
- Welcome screen, save indicator, update banner, sync progress
- Security hardening (plugin install, encryption, YAML/HTML escaping)
- A11y improvements (aria-pressed, focus management, live regions)
- ESLint typed linting (0 errors), TypeScript strict across all 16
packages
- All review findings from PRs #194, #198, #200, #202 addressed

## Test plan
- [x] `pnpm typecheck` — 17/17 pass
- [x] `pnpm test` — 16/16 pass
- [x] `pnpm lint` — 0 errors
- [x] Conflicts with main resolved in merge commit

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>