github backnotprop/plannotator v0.17.10
on GitHub

2 days ago

Follow @plannotator on X for updates

Missed recent releases?
Release Highlights
v0.17.9 Hotfix: pin Bun to 1.3.11 for macOS binary codesign regression
v0.17.8 Configurable default diff type, close button for sessions, annotate data loss fix, markdown rendering polish
v0.17.7 Fix "fetch did not return a Response" error in OpenCode web/serve modes
v0.17.6 Bun.serve error handlers for diagnostic 500 responses, install.cmd cache fix
v0.17.5 Fix VCS detection crash when p4 not installed, install script cache path fix
v0.17.4 Vault browser merged into Files tab, Kanagawa themes, Pi idle session tool fix
v0.17.3 Sticky lane repo/branch badge overflow fix
v0.17.2 Supply-chain hardening, sticky toolstrip and badges, overlay scrollbars, external annotation highlighting, Conventional Comments
v0.17.1 Pi PR review parity, parseRemoteUrl rewrite, cross-repo clone fixes, diff viewer flash fix
v0.17.0 AI code review agents, token-level annotation, merge-base diffs
v0.16.7 Gemini CLI plan review, install script skills directory fix
v0.16.6 Perforce support, Pi shared event API, suggested code prefill, file tree expand fix

What's New in v0.17.10

v0.17.10 adds HTML and URL annotation, binds local servers to loopback for security, fixes two UI bugs in the review and plan editors, and hardens the release pipeline with supply chain age gating and binary smoke tests. 7 PRs, 1 from a first-time external contributor.

Annotate HTML Files and URLs

plannotator annotate now accepts HTML files and URLs in addition to markdown. Running plannotator annotate page.html converts the file to markdown via Turndown and opens the standard annotation UI. Running plannotator annotate https://example.com/docs fetches the page content through Jina Reader (which handles JavaScript-rendered pages), falls back to plain fetch with Turndown conversion, and opens it for annotation.

Local and private URLs skip Jina automatically and use direct fetch. A --no-jina flag, PLANNOTATOR_JINA environment variable, and config.json setting are available to disable Jina Reader entirely. For authenticated use with higher rate limits, set JINA_API_KEY.

Folder mode now shows .html and .htm files alongside markdown, with on-demand conversion when you click one. A subtle source badge in the UI shows the URL hostname or original filename so you always know where the content came from.

Dangerous link protocols (javascript:, data:, vbscript:) are blocked in the markdown renderer. Local HTML files are capped at 10MB and restricted to the project root.

Pi extension parity is included: file browser, HTML conversion, URL/Jina support, and the source badge all work identically in the Node.js server.

Local Servers Bind to Loopback by Default

Local plan, review, and annotate servers now bind to 127.0.0.1 instead of 0.0.0.0. Previously, running plannotator review on a laptop exposed the review API (including the agent job launcher) to every device on the local network. Remote sessions (SSH, Docker, devcontainers) continue to bind to 0.0.0.0 so port forwarding still works.

Both the Bun and Pi server implementations were updated with regression tests verifying hostname selection in local vs. remote sessions.

Safari Scroll Position Fix in Code Review

Safari users experienced the diff view snapping back to the top after momentum scrolling. The root cause was a WebKit compositor bug: Safari loses track of scroll position when a web component shadow DOM (<diffs-container> from @pierre/diffs) is a child of a scroll container. The reset bypasses all JavaScript APIs, so intercepting scrollTo and the scrollTop setter caught nothing.

The fix adds a WebKit-only scroll event listener that detects bogus resets (scrollTop jumping from over 200px to 0 in a single event) and synchronously restores the last known position. It is never attached on Chrome, Firefox, or Edge.

Triple-Click Paragraph Selection Restored

Triple-clicking a paragraph to select the full line stopped producing the annotation toolbar. The bug was a timing interaction between the dismiss-on-outside-click handler (added in #182) and browser click counting. The third pointerdown fired the dismiss hook, which removed the <mark> element and normalized text nodes. This DOM mutation changed the element under the cursor, resetting the browser's click count so the third click registered as detail=1 instead of detail=3.

The fix guards the dismiss handler: multi-click pointerdowns (event.detail >= 2) are skipped because they are part of an active selection gesture.

Additional Changes

  • 7-day minimum release age for dependencies — Renovate and bunfig.toml now enforce a 7-day hold on new dependency versions. This prevents repeat incidents like the Bun 1.3.12 codesign regression (#541), where a 2-day-old release was picked up by CI before the defect surfaced. Automerge is also disabled. #550 by @backnotprop
  • Smoke tests for compiled binaries — The release pipeline now tests the linux-x64 binary after compilation: --help for basic loading, review and annotate for full server startup with HTTP binding. If any test fails, artifacts are never uploaded. #555 by @backnotprop
  • Annotate documentation and blog post — Docs for all four annotate input types (markdown, HTML, URLs, folders), environment variable references for PLANNOTATOR_JINA and JINA_API_KEY, and a blog post with demo video. #553 by @backnotprop

Install / Update

macOS / Linux: 

curl -fsSL https://plannotator.ai/install.sh | bash

Windows PowerShell: 

irm https://plannotator.ai/install.ps1 | iex

Pin a specific version: 

curl -fsSL https://plannotator.ai/install.sh | bash -s -- --version v0.17.10

Claude Code Plugin: Run /plugin in Claude Code, find plannotator, and click "Update now".

Copilot CLI: 

/plugin marketplace add backnotprop/plannotator
/plugin install plannotator-copilot@plannotator

Gemini CLI: The install script auto-detects ~/.gemini and configures hooks, policy, and slash commands.

OpenCode: Clear cache and restart: 

rm -rf ~/.cache/opencode/packages/@plannotator ~/.bun/install/cache/@plannotator

Then in opencode.json: 

{
  "plugin": ["@plannotator/opencode@latest"]
}

Pi: Install or update the extension: 

pi install npm:@plannotator/pi-extension

VS Code Extension: Install from the VS Code Marketplace.

What's Changed

  • feat(annotate): support HTML files and URL annotation by @backnotprop in #545
  • fix(ui): restore triple-click paragraph selection by @backnotprop in #546
  • fix(review): work around Safari scroll-reset bug with shadow DOM diffs by @backnotprop in #547
  • chore: enforce 7-day minimum release age for supply chain hardening by @backnotprop in #550
  • docs(annotate): URL/HTML annotation docs, blog post, and promo video by @backnotprop in #553
  • Bind local Plannotator servers to loopback by default by @Aeg1sx in #533
  • ci: smoke-test compiled binaries before release by @backnotprop in #555

New Contributors

Contributors

@Aeg1sx identified that local Plannotator servers were listening on all interfaces and contributed the loopback binding fix with regression tests for both the Bun and Pi servers.

@maxim reported the Safari scroll-reset bug in #540 with clear reproduction steps and the key observation that Firefox was unaffected, which narrowed the investigation to a WebKit-specific issue.

@dezren39 reported the triple-click selection bug in #544. This was their second issue on the tracker (they previously reported #408).

@aviadshiber's codesign report in #541 from v0.17.9 directly motivated the supply chain hardening in this release. The 7-day age gate and disabled automerge prevent the same class of incident from recurring.

Full Changelog: v0.17.9...v0.17.10

Check out latest releases or
releases around backnotprop/plannotator v0.17.10

Don't miss a new plannotator release

NewReleases is sending notifications on new releases.

Get notifications