v1.27.2 - 2026-04-25

Added

• Added a site-wide W3C Do Not Track tracking status resource at /.well-known/dnt.
• Added the DNT tracking status resource to sitemap.xml.

Changed

• Bumped project version to v1.27.2.
• Updated npm run dev and npm run preview so they start local servers without automatically opening a browser.
• Refreshed sitemap metadata for updated public pages and privacy well-known resources.
• Updated the HeliBoard FOSS Spotlight GitHub link to the current HeliBorg/HeliBoard repository.
• Excluded the human-readable DNT policy text file from Prettier formatting.

Removed

• Removed stale commented debug logging from shared layout, metadata, legal, FOSS, PGP, services, terms, and home page components.
• Removed /CNAME from the service worker ignored-path list.

---

Full Changelog: v1.27.1...v1.27.2

v1.27.1

Changed

• Bumped project version to v1.27.1.

Fixed

• Replaced the third-party Keep Android Open banner script with a first-party Svelte banner component to avoid unstable inline-script CSP violations.
• Removed Keep Android Open script host and inline helper hash allowances from CSP.
• Restored temporary production script-src 'unsafe-inline' compatibility while PostHog remains in use.
• Updated README and agent guidance to reflect that CSP policy selection now lives in SvelteKit kit.csp instead of src/hooks.server.js.

---

Full Changelog: v1.27.0...v1.27.1

v1.27.0 - 2026-04-24

Changed

• Moved Content Security Policy selection into SvelteKit configuration so SvelteKit can manage CSP hashes and nonces.
• Kept request-time security header handling in src/hooks.server.js, including production reporting metadata, Probely diagnostics, and audit-hostname mismatch warnings.
• Updated audit CSP behavior to remain enforced without analytics or external CSP reporting allowances.
• Updated project metadata, local Node version files, GitHub Actions npm bootstrap version, and application dependencies.

Fixed

• Restored development and test Content-Security-Policy-Report-Only behavior, including local CSP reporting.
• Restored CSP selection diagnostics after moving CSP construction to SvelteKit configuration.
• Corrected audit hostname and Probely scanner diagnostics to avoid misleading log output.
• Updated Playwright and spellcheck comments/dictionary entries for current project terminology.

Security

• Added a transitive uuid override to ^14.0.0 to mitigate known vulnerabilities.

---

Full Changelog: v1.26.22...v1.27.0

v1.26.22 - 2026-04-19

Added

• Added project-level Svelte MCP configuration and local Claude Code Svelte skills for reproducible Svelte 5 workflows.
• Added agent guidance for Svelte MCP usage, including documentation lookup, autofix, and playground-link expectations.
• Added centralized Markdown lint configuration, README notes on default Playwright browser coverage, and unit tests for ENV_MODE alias normalization.

Changed

• Bumped the project version to v1.26.22.
• Updated README, environment comments, and scripts/checkEnv.js to better reflect Svelte 5/Vercel/Netlify usage, production-like Codex builds, analytics configuration, and normalized ENV_MODE aliases.
• Simplified Markdown linting, updated Playwright mobile Chrome coverage to Pixel 7, normalized default line endings to LF, and refreshed package-lock.json.

Removed

• Removed the direct markdownlint dev dependency.
• Removed disabled WebKit and Mobile Safari Playwright projects from the default E2E configuration.

---

Full Changelog: v1.26.21...v1.26.22

v1.26.21 - 2026-04-18

Changed

• Bumped project version to v1.26.21.
• Updated npm run dev and npm run preview to open the local browser automatically.
• Updated dependencies:
  • eslint 10.2.0 → 10.2.1
  • postcss ^8.5.9 → ^8.5.10
  • prettier 3.8.2 → 3.8.3
  • svelte 5.55.3 → 5.55.4
  • autoprefixer ^10.4.27 → ^10.5.0
  • dompurify ^3.3.3 → ^3.4.0
  • globals ^17.4.0 → ^17.5.0
  • posthog-js ^1.367.0 → ^1.369.3
  • stylelint ^17.6.0 → ^17.8.0
• Normalized transitive dependency override ranges for minimatch, picomatch, and smol-toml to caret ranges.

Fixed

• Kept typescript pinned to 5.9.3 and retained it in the npm-check-updates reject list because svelte-preprocess does not yet accept TypeScript 6.

Security

• Added transitive dependency for protobufjs v7.5.5 in order to mitigate CVE-2026-41242.

---

Full Changelog: v1.26.20...v1.26.21

v1.26.20 - 2026-04-10

Changed

• Bumped project version to v1.26.20.
• Updated dependencies:
  • prettier 3.8.1 → 3.8.2
  • svelte 5.55.2 → 5.55.3

Fixed

• Removed an unused window mock from the UTM unit test to better reflect the current appendUTM implementation.
• Stabilized SPA navigation E2E helpers by relying on Playwright click actionability instead of a separate scrollIntoViewIfNeeded() call, with a single retry for transient no-op clicks.
• Updated the navigation link assertion to compare the resolved pathname instead of the raw href attribute for better cross-browser consistency.

---

Full Changelog: v1.26.19...v1.26.20

v1.26.19 - 2026-04-09

Changed

• Bumped project version to v1.26.19.
• Modified Node.js version to 24 in .github/workflows/playwright.yml.
• Updated generator metadata in src/app.html to reflect SvelteKit 2.57.1.
• Updated dependencies:
  • @eslint/compat ^2.0.3 → ^2.0.5
  • @vitest/coverage-v8 4.1.2 → 4.1.4
  • browserslist ^4.28.1 → ^4.28.2
  • jsdom 29.0.1 → 29.0.2
  • postcss ^8.5.8 → ^8.5.9
  • svelte 5.55.1 → 5.55.2
  • vite ^8.0.3 → ^8.0.8
  • vitest 4.1.2 → 4.1.4
  • @playwright/test ^1.58.2 → ^1.59.1
  • @sveltejs/kit 2.55.0 → 2.57.1
  • eslint 10.1.0 → 10.2.0
  • eslint-plugin-jsdoc ^62.8.1 → ^62.9.0
  • eslint-plugin-svelte ^3.16.0 → ^3.17.0
  • playwright ^1.58.2 → ^1.59.1
  • posthog-js ^1.364.2 → ^1.367.0

Security

• Added transitive dependency override for lodash-es v4.18.1 in order to mitigate CVE-2026-4800 and CVE-2026-2950.
• Updated transitive dependency override for basic-ftp to v5.2.1 in order to mitigate CVE-2026-39983.

---

Full Changelog: v1.26.18...v1.26.19

v1.26.18 - 2026-03-30

Changed

• Adjusted engines.node in CHANGELOG.md to allow only >=24.0.0 <25, as Node.js v24 is now the current LTS release.
• Bumped project version to v1.26.18.
• Updated dependencies:
  • svelte-check ^4.4.5 → ^4.4.6

Fixed

• Removed typescript from the list of updated dependencies in release v1.26.17, as it was not updated due to a lack of SvelteKit support.

---

Full Changelog: v1.26.17...v1.26.18

v1.26.17 - 2026-03-30

Changed

• Updated project tooling to use Node.js v24.14.1 and npm 11.12.1.
• Updated GitHub Actions workflows to use npm 11.12.1.
• Re-added vite-plugin-devtools-json, restored its configuration, and added an override so it works with Vite 8.
• Added typescript to the npm-check-updates reject list to prevent automatic upgrades to TypeScript 6 until SvelteKit support is available.
• Updated various dependencies, including Vite, Vitest, Svelte, Stylelint, Globby, PostHog, and markdownlint tooling.
• Bumped project version to v1.26.17.

Fixed

• Resolved an npm audit warning by overriding transitive dependency smol-toml to >=1.6.1.
• Fixed npm install dependency resolution by pinning typescript to 5.9.3, which remains compatible with @sveltejs/kit@2.55.0.

Security

• Pinned transitive dependency picomatch to >=4.0.4 to mitigate CVE-2026-33672.

---

Full Changelog: v1.26.16...v1.26.17

v1.26.16 - 2026-03-20

Changed

• Updated size of Keep Android Open banner in src/app.html.
• Updated svelte.config.js to utilize the nodejs24.x runtime for @sveltejs/adapter-vercel.
• Updated all GitHub Actions workflows to utilize npm 11.12.0.
• Updated generator metadata in src/app.html to reflect SvelteKit 2.55.0.
• Bumped project version to v1.26.16.
• Updated dependencies:
  • vite ^8.0.0 → ^8.0.1
  • @sveltejs/kit 2.54.0 → 2.55.0
  • eslint 10.0.3 → 10.1.0
  • posthog-js ^1.360.1 → ^1.363.1
  • stylelint ^17.4.0 → ^17.5.0
  • stylelint-order ^8.0.0 → ^8.1.1
  • svelte 5.53.11 → 5.54.0
  • jsdom 28.1.0 → 29.0.1

---

Full Changelog: v1.26.15...v1.26.16