createTransport()/sendMail() callback API unchanged between majors - smoke
tested the transport directly (confirmed correct error type, not an API
shape error) since the test suite doesn't exercise the email-sending path
(EMAIL_VERIFICATION off in tests). Full build + 179-test suite still pass.
3 unique vulnerable packages remain (aws-sdk's own advisory + its nested
uuid, vite/esbuild dev-server issue needing a major v5->v8 bump) - left
deliberately, all lower practical risk or need a dedicated upgrade pass.
- Removed @types/request (unused devDependency, no "request" import anywhere
in the codebase) - it was the actual source of the critical form-data
vulnerability via its own outdated nested dependency.
- Bumped uuid v3 -> v11 (patched version) across all 8 call sites, migrating
from the old default-import "uuid.v4()"/"uuid()" style to the named-export
"v4 as uuidv4" style the new major requires. Tried v14 first - it broke the
Jest test suite entirely (ships ESM-only, Node's CJS require() choked on
it) - v11 is the oldest patched version that still works under Jest/CJS.
Removed 2 more unused "import uuid" lines with no actual usage.
- Picked up brace-expansion via a follow-up non-breaking npm audit fix.
Verified full build (frontend+backend) and full test suite (179 tests)
after each step. 45 -> 4 unique vulnerable packages remaining: aws-sdk
(its own advisory, "fix" would downgrade it - not worth it), aws-sdk's
own nested uuid (same reason), esbuild/vite (major version bump to vite 8,
needs its own dedicated upgrade pass), and nodemailer (breaking API change,
only exercised when EMAIL_VERIFICATION is enabled) - all left for a
deliberate separate decision rather than forced through here.
Dark mode: CSS custom properties + .dark class toggled via Redux/localStorage,
with a theme toggle in the Header and Settings page. Foundation didn't exist
yet despite prior assumption, so it was built from scratch.
SQLite: new DB_ENGINE=mongo|sqlite env var selects the metadata backend at
runtime (Mongo stays default, no behavior change unless opted in). File/thumbnail
bytes continue to use the existing fs/S3 storage path. Implemented via a shared
DB interface (dbTypes.ts) with parallel mongoDB/ and sqliteDB/ implementations,
selected through dbFactory.ts, with JWT/encryption logic extracted into
userCrypto.ts so both engines share it.
* feat(docker): add MongoDB and improve setup instructions
* fix: reduce docker image size and other minor improvements
* fix: reduce docker image size and other minor improvements
* docs: update README for correct env file naming
* feat(docker): add environment variables and enhance Docker instructions
* docs: update README structure and enhance installation instructions
* docs: update README to clarify requirements for Docker and non-Docker setups
* docs: update README to improve Docker instructions and formatting
* docs: update code blocks in README to use shell syntax highlighting
* docs: refine installation steps and environment variable instructions
* docs: enhance README formatting for Docker instructions
* docs: correct formatting for environment variable examples in README
* docs: enhance README with badges and improved formatting
* docs: improve Docker instructions and formatting in README
* docs: update README to use figure elements for image captions
* docs: update README to replace figure elements with markdown images
* docs: update README to use shell syntax highlighting for code blocks
* docs: fix typo in README for environment file renaming step