BradGroux/veritas-kanban v4.0.1

v4.0.1 — Popout UI + Webhook Security

on GitHub

Fixed

• Restored task detail side-popout spacing after the shadcn/ui v4 sheet padding change.
• Prevented task detail tabs from being squeezed in code-task popouts by allowing horizontal tab overflow.

Security

• Required N8N_WEBHOOK_SECRET for unauthenticated n8n webhook requests.
• Hardened n8n webhook secret comparison, attachment type checks, filename sanitization, and path containment.
• Patched high and moderate dependency advisories for @xmldom/xmldom, hono, postcss, and sanitize-html.

Validation

• pnpm --filter @veritas-kanban/shared build
• pnpm --filter @veritas-kanban/web typecheck
• pnpm --filter @veritas-kanban/server typecheck
• pnpm --filter @veritas-kanban/server test -- src/__tests__/routes/webhook-n8n.test.ts
• pnpm --filter @veritas-kanban/web build
• pnpm --filter @veritas-kanban/server build

Known Remaining Audit Item

• pnpm audit --prod still reports one moderate transitive advisory: exceljs@4.4.0 -> uuid@8.3.2. This needs an upstream-compatible ExcelJS dependency update rather than a simple major-version override.

Additional Updates

• Aligned GitHub Actions CI with the documented Node.js 22 runtime.
• Added tracked first-run example tasks under tasks/examples/ and updated ignore rules so user task data remains local while seed data ships with fresh clones.
• Updated README metadata and safety wording for TypeScript 6.0, built-in API rate limiting, and Docker-not-required local setup.
• Refreshed the bug report template with current Node.js and Veritas Kanban version examples.
• Removed the tracked .safety backup bundle from the repository and ignored future local safety artifacts.

Additional Validation

• pnpm build
• pnpm lint (passes with the existing warning backlog)
• pnpm test:unit
• Validated all tracked tasks/examples/*.md files parse as task markdown.