BugPin 1.0.7

Features

• Update notification banner
  • Show a dismissible banner in the Admin Console when a newer BugPin release is available on GitHub, with a link out to the release notes
  • Add a daily update-check service that polls the GitHub Releases API (24-hour TTL, 1-hour cooldown on failure) and caches the result in the settings store
  • Add an admin-only /api/version endpoint that exposes the current/latest version, release URL, last-checked timestamp, and effective check status
  • Add a System Settings toggle to enable or disable update checks

Security

• Resolve all 67 npm vulnerabilities reported by bun audit (2 critical, 28 high, 34 moderate, 3 low)
• Bump direct dependencies within compatible ranges across the server, Admin Console, and widget workspaces, including Hono (4.11 → 4.12), @aws-sdk/client-s3, axios, jspdf, react-router-dom, fabric, preact, nodemailer, and zod
• Add root package.json overrides to pull patched versions of vulnerable transitive packages: fast-xml-parser, tar, dompurify, smol-toml, brace-expansion, follow-redirects, markdown-it, postcss, rollup, minimatch, and picomatch
• Refresh the Alpine base image in both Docker build stages with apk upgrade so libssl3, libcrypto3, musl, musl-utils, and zlib pick up the latest security patches (e.g. libssl3 3.5.5 → 3.5.6, musl 1.2.5-r10 → 1.2.5-r12, zlib 1.3.1 → 1.3.2)

Fix

• Fix the widget screenshot crash on Firefox pages with locally injected @font-face rules (e.g. Vite-served apps) by detecting browser-exposed empty fontFamily on CSSFontFaceRule and skipping font embedding for that capture, falling back to system fonts in the screenshot
• Update Hono server middleware (auth, validate, rate-limit, https-enforcement) to use the typed MiddlewareHandler signature so route-level path parameter type inference is preserved through the middleware chain after the Hono 4.12 upgrade
• Stop label click-through for Switch controls in the Admin Console: clicking the descriptive text next to a Switch no longer toggles it; only the Switch handle (mouse) and keyboard activation (Space/Enter when focused) toggle the state, while screen-reader label association is preserved
• Tighten secondary helper text size in Screenshot settings for visual consistency with other settings sections
• Widen the global settings tab content area from max-w-3xl to max-w-4xl so wider forms and tables render without horizontal scroll
• Reduce Admin Console polling noise: Dashboard stats and recent reports now refresh every 10 seconds (was 1 second), and the Reports list every 2 seconds (was 1 second)
• Fix the broken LICENCE link in the README so it resolves to the actual LICENSE file

Docs

• Add a "Create a Project" step to the README Quick Start so the origin of the widget API key is no longer skipped
• Add a Widget showcase block with the widget dialog screenshot and a short list of widget capabilities: script-tag embed, Shadow DOM isolation, offline cache, annotation tools
• Add an npm package install option (@arantic/bugpin-widget) alongside the <script> tag method in the Widget Integration section
• Replace the single AGPL license badge with separate Admin Console (AGPL-3.0) and Widget (MIT) badges, each linking to the correct LICENSE file
• Restructure the Admin Console and Widget showcase blocks for symmetric layout, with stacked light and dark mode dashboard screenshots

---

Compare: v1.0.6...v1.0.7

BugPin 1.0.6

Features

• User assignment to bug reports

  • Add user assignment to bug reports, including single and bulk assignment from the reports list
  • Show assignee details, including avatars, in report detail and reports list views
  • Add assignable-user validation and admin/editor assignable-user lookup support on the server
  • Add project-level default assignees so new reports can be assigned automatically
  • Add user-level default project mapping so a user can be selected as the default assignee for multiple projects
  • Add reporter assignment notification support for assignment and reassignment events

• Manual creation of reports

  • Let admins and editors create reports from the reports list when feedback did not come through the widget, including optional files, reporter details, URL, and intake channel
  • Add a dedicated authenticated manual report creation flow on the server with support for optional attachments
  • Record whether each report came from the widget or was created manually, and add source-aware filtering in the reports list
  • Keep manually created reports in the reports list after creation instead of opening the new report automatically

Fix

• Fix the root bun run test workflow by correcting the server test script
• Fix database initialization for older installations by adding the new report source column before creating indexes that depend on it
• Fix the widget annotation canvas save flow when the Fabric canvas has not initialized yet
• Upgrade Vite to 6.4.2 in affected workspaces to address optimized dependency path traversal advisories
• Fix two Dependabot-reported Vite vulnerabilities related to optimized dependency path traversal handling
• Align the Reports page header action with the Projects page layout
• Remove manual/widget source badges from the report list and report title header to reduce visual noise

---

Compare: v1.0.5...v1.0.6

BugPin 1.0.5

Features

• Email notifications for report submitters
  • Confirmation email sent to reporter when a bug report is submitted
  • Status change email sent to reporter when report status is updated (includes old/new status)
  • Ad-hoc messaging: admins can send direct messages to reporters from the report detail page
  • Optional message attachment when resolving a report (included in status change email)
  • Reporter message history displayed as a timeline in the Admin Console
  • CC sender option when composing reporter messages
  • Three new customizable email templates: reporter confirmation, status change, and direct message
  • Per-project notifyReporter setting to control automatic reporter emails (default: enabled)

Improvements

• Improved responsive layout and readability on small screens (mobile view)
• Extended widget dialog color customization with background, secondary, input, and foreground colors for both light and dark modes
• License Status card in Admin Console now shows customer email and license issue date
• License expiry displays "Never" for non-expiring licenses instead of a far-future date
• License dates use a readable format (e.g. "March 22, 2026")

Fix

• Widget theme (dark/light) now correctly follows the host website or system preference when set to auto.
• User is no longer logged out after changing their password in Profile Settings. The current session is preserved while all other sessions are invalidated.
• Widget launcher button now correctly hides the icon when set to "No Icon" in project-level settings. Nullable fields (icon, text, tooltip) were being overridden by global defaults due to nullish coalescing treating explicit null as unset.
• Enterprise license now correctly unlocks S3 Storage and Email Templates features. Fixed feature name mismatch (email-templates vs custom-templates) and added automatic feature granting for the enterprise plan.
• Enterprise license is now persisted to the database and survives Docker container updates. Previously, the license was only stored in memory and lost on restart.
• Admin Console no longer crashes when duplicating a browser tab after a deployment. Stale chunk imports are caught and the page reloads automatically to fetch the latest assets.
• Fix typed mocks in reporter-email.test.ts (properly typed SendEmailOptions spy)

Security

• Server-side file upload validation: MIME type allowlist, magic bytes verification, and configurable size limits
• Invalid or oversized files are rejected before being saved to disk

Settings

• Separate configurable upload size limits for images and videos (Admin Console > Screenshot Settings)
• New settings: Max Image Upload Size (default 10 MB), Max Video Upload Size (default 50 MB, up to 500 MB)
• Widget dynamically reflects configured size limits in validation messages and helper text
• Default max screenshot capture size changed from 10 MB to 5 MB

Internal

• Add tests/server/tsconfig.json so server test files are covered by TypeScript type checking in the IDE
• Add test suites for reporter email, reporter messages service, reporter notifications, and reporter messages routes
• Version stamping in Docker builds and beta tag support in CI/CD workflows
• Remove unused exports and dead code flagged by knip (12 items across 8 files)
• Delete unused SettingsUpdateInput type and WebhookService interface

---

Compare: v1.0.4...v1.0.5

BugPin 1.0.4

Changelog 1.0.4

Fix

• Upgrade fabric.js to v7.2.0 to resolve stored XSS vulnerability (CVE-2026-27013)
• Persist project custom settings toggles when reopening settings modal

Internal

• Rename "Admin Portal" to "Admin Console" across documentation and codebase
• Update logo and brand images

Features

• Add file transfer mode option for GitHub integrations, allowing users to upload files directly to the repository or use links
• Add a Screen Capture Consent dialog that prepares users for the browser permission prompt, with browser-specific illustrations and a "Don't show this again" option

Compare: v1.0.3...v1.0.4

BugPin 1.0.3

Changelog

Bug Fixes

• Fixed notifications not being sent on report creation and state changes
• Fixed screenshot capture handling for font embedding issues and cross-origin stylesheets
• Fixed login error handling to provide specific feedback for invalid credentials
• Fixed invitation URLs to include admin path

Improvements

• Added notification settings for report deletion
• Added configurable log level to Docker environment (LOG_LEVEL)
• Improved email template styling
• Improved error handling in email service with detailed error messages
• Cleaner API key PDF generation (removed warning box)
• Improved background opacity in AlertDialog and Dialog components

Security

• Compiled EE module to JavaScript for production Docker builds
• Updated jsPDF to 4.1.0, Nodemailer to latest

Internal

• Refactored project API key handling to store full keys in database
• Changed package.json read to synchronous to avoid top-level await issues

Compare: v1.0.2...v1.0.3

BugPin 1.0.2

Changelog

• Add package.json copy to Dockerfile for runtime versioning and simplify Docker publish workflow tag matching
• Update release workflow to streamline changelog and remove deployment instructions
• Enhance Docker publish workflow to differentiate between production and development tags
• Remove main branch trigger from Docker publish workflow
• Integrate dynamic versioning from package.json into AboutDialog and server config

Compare: v1.0.1...v1.0.2

BugPin 1.0.1

What's Changed

• chore: bump version to 1.0.1 (e5f33b4)
• chore: Update ee submodule reference (60ae3c9)
• chore: Update path and imports of server tests (9f05bd0)
• chore: Update submodule URL to use HTTPS and add Enterprise Edition module copy in Dockerfile (b9fe501)

Full Changelog

Full Changelog: ...v1.0.1

BugPin 1.0.0

What's Changed

• fix: Update output delimiters in release workflow for consistency (4e85015)
• chore: Update docker publish workflow conditions to trigger on any push to dev and main branches. (8b800ed)
• Update release workflow to include previous tag in outputs (b2e6ed5)
• Initial commit (d9d173c)

Full Changelog: ...v1.0.0