v3.0.2 (#576)

* feat(course-card): add success toasts for course enable/disable

Show a sonner success toast immediately after the user confirms:
  - Disable: "CS101 disabled" with the selected reason as description.
  - Enable:  "CS101 enabled".

Fires optimistically on confirm-click (the mutation uses optimistic
updates so the UI reflects the change instantly). Failure is already
covered by the generic "Failed to save settings" error toast in the
user-settings provider's onError handler.

* fix(course-card): show light red header when course is disabled in light mode

Override statusColorClasses.headerBg/headerBorder with red-500 tints on
the CardHeader when the course is disabled. Dark mode retains the neutral
muted tint. tailwind-merge resolves the conflicting bg/border classes in
favour of the later (disabled) override.

* chore: update version to 3.0.2

* feat: add invert option to toast notifications for improved visibility

chore(tests): update tests

* refactor(toasts): centralize invert:true on Toaster; fix(tests): stable CardHeader selector (#577)

* Initial plan

* fix(tests): use stable data-slot selector; feat(toasts): apply invert:true to all toasts

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* refactor(toasts): move invert:true to global Toaster toastOptions

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* feat(toaster): enhance Toaster component with theme support and remove redundant styles

fix(addrecord): Fix occupied sessions

* fix(tests): add coverage for Toaster theme integration and AddAttendanceDialog session index+1 fallback (#578)

* Initial plan

* fix(tests): add coverage for Toaster theme integration and AddAttendanceDialog session index+1 fallback

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* Update src/components/__tests__/toaster.test.tsx

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Devanarayanan <fusion@devakesu.com>

---------

Signed-off-by: Devanarayanan <fusion@devakesu.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>
Co-authored-by: Devanarayanan <fusion@devakesu.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: remove unnecessary type cast in Toaster and freeze time in AddAttendanceDialog tests (#580)

* Initial plan

* fix: remove unnecessary ToasterProps cast and freeze time in AddAttendanceDialog tests

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* chore(deps): bump scalar, patch tar vuln, remove redocly

- Bump @scalar/nextjs-api-reference from ^0.9.24 to ^0.10.0
- Fix high-severity tar path traversal (GHSA-qffp-2rhf-9h96) by
  tightening override from ^7.5.6 to ^7.5.10
- Remove @redocly/cli devDependency and docs:validate script to
  eliminate remaining moderate dompurify XSS advisory chain
- Remove now-redundant @redocly/* ajv overrides

* chore: update dependencies and improve layout styles

- Added @opentelemetry/context-async-hooks as a dev dependency.
- Changed max-w-[100vw] to max-w-screen in the RootLayout component for better responsiveness.
- Updated test cases in AddAttendanceDialog.test.tsx to use vi.useFakeTimers with specific options for better time manipulation.

* chore(deps): update package-lock.json to include new dependencies and clean up module paths

* chore: upgrade minimum Node.js requirement to 22.12.0

Drop Node 20 support in favour of Node 22 LTS to resolve
@scalar/nextjs-api-reference >=0.10.0 engine requirement.

- package.json: engines.node → >=22.12.0
- package-lock.json: sync engines field
- Dockerfile: node:20.19.2-alpine3.20 → node:22.14.0-alpine3.20 (SHA pinned)
- CI workflows: node-version 20 → 22 across test, pipeline,
  auto-version-bump, and deploy-egress-proxies
- README.md, docs/CONTRIBUTING.md, docs/DEVELOPER_GUIDE.md,
  .github/copilot-instructions.md: update Node prereq references

* chore: update Node.js version to 22.12.0 and remove Redocly validation from documentation

* Update .github/workflows/deploy-egress-proxies.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Devanarayanan <fusion@devakesu.com>

* Update .github/workflows/deploy-egress-proxies.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Devanarayanan <fusion@devakesu.com>

* Update .github/workflows/auto-version-bump.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Devanarayanan <fusion@devakesu.com>

* chore: update README and SECURITY.md for dependency changes and vulnerability updates

---------

Signed-off-by: Devanarayanan <fusion@devakesu.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.example.env

@@ -43,7 +43,7 @@ NEXT_PUBLIC_APP_NAME=GhostClass
 # (calculate-version job). A GitHub Secret here would always be stale after
 # an auto-version bump. Keep in sync with package.json for local dev only.
 # 🔨 Build-time (auto-derived from git tag by pipeline — not a GitHub Secret)
-NEXT_PUBLIC_APP_VERSION=3.0.1
+NEXT_PUBLIC_APP_VERSION=3.0.2
 
 # ⚠️ Your production domain WITHOUT https://
 # All URL-based variables are derived from this.

.github/copilot-instructions.md

@@ -48,14 +48,13 @@ Key config files at root: `next.config.ts`, `vitest.config.ts`, `vitest.setup.ts
 ## Development Commands
 
 ```bash
-npm install          # Install dependencies (requires Node 20.19+ or 22.12+)
+npm install          # Install dependencies (requires Node 22.12+)
 npm run dev          # Development server on http://localhost:3000 (uses --webpack for Serwist)
 npm run build        # Production build
 npm run lint         # ESLint
 npm run test         # Vitest unit/component tests (watch mode by default)
 npm run test:coverage # Coverage report (lcov, html, json)
 npm run test:e2e     # Playwright E2E tests (all configured projects; CI uses --project=chromium)
-npm run docs:validate # Validate OpenAPI spec with Redocly
 ```
 
 ### Environment Setup

.github/workflows/auto-version-bump.yml

@@ -108,7 +108,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '20'
+          node-version: '22.12.0'
 
       - name: Check if version needs bump
         id: check

.github/workflows/deploy-egress-proxies.yml

@@ -25,7 +25,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '20'
+          node-version: '22.12.0'
 
       - name: Validate Cloudflare deploy secrets
         id: validate
@@ -172,7 +172,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '20'
+          node-version: '22.12.0'
 
       - name: Validate Cloudflare deploy secrets
         id: validate

.github/workflows/pipeline.yml

@@ -50,7 +50,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '20'
+          node-version: '22.12.0'
 
       - name: Create and push signed tag
         env:

.github/workflows/release.yml

@@ -207,7 +207,7 @@ jobs:
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to GHCR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/test.yml

@@ -18,7 +18,7 @@ jobs:
 
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '20.19.0'
+          node-version: '22.12.0'
           cache: 'npm'
 
       - name: Install dependencies
@@ -64,7 +64,7 @@ jobs:
 
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '20.19.0'
+          node-version: '22.12.0'
           cache: 'npm'
 
       - name: Install dependencies

Dockerfile

@@ -1,7 +1,7 @@
 # ===============================
 # 0. Global deterministic settings
 # ===============================
-ARG NODE_IMAGE=node:20.19.2-alpine3.20@sha256:6e0e1a13235997255e6f36fd3da4169d99b5e87c0de01dc08300359d23224c33
+ARG NODE_IMAGE=node:22.14.0-alpine3.20@sha256:40be979442621049f40b1d51a26b55e281246b5de4e5f51a18da7beb6e17e3f9
 ARG SOURCE_DATE_EPOCH=1767225600
 
 # ===============================

README.md

@@ -14,7 +14,7 @@
 [![React](https://img.shields.io/badge/React-19.2.4-61DAFB?logo=react&logoColor=white)](https://react.dev)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.9.3-3178C6?logo=typescript&logoColor=white)](https://www.typescriptlang.org)
 [![Tailwind CSS](https://img.shields.io/badge/Tailwind-4-38B2AC?logo=tailwind-css&logoColor=white)](https://tailwindcss.com)
-[![Node.js](https://img.shields.io/badge/Node.js-20.19.0%2B%20%7C%2022.12.0%2B-339933?logo=node.js&logoColor=white)](https://nodejs.org)
+[![Node.js](https://img.shields.io/badge/Node.js-22.12.0%2B-339933?logo=node.js&logoColor=white)](https://nodejs.org)
 [![Tests](https://img.shields.io/badge/Tests-Vitest%20%2B%20Playwright-green)](https://vitest.dev/)
 
 ## Overview
@@ -43,7 +43,7 @@ GhostClass is the ultimate academic survival tool for students who want to manag
 
 - **Next.js 16.1.6** - React 19 with App Router
 - **TypeScript 5.9.3** - Strict mode for type safety
-- **Node.js** - v20.19.2+ or v22.12.0+
+- **Node.js** - v22.12.0+
 
 ### Styling & UI
 
@@ -63,7 +63,6 @@ GhostClass is the ultimate academic survival tool for students who want to manag
 
 - **OpenAPI 3.1** - API specification standard
 - **Scalar** - Interactive API documentation viewer
-- **Redocly CLI** - OpenAPI validation and linting
 
 ### Backend & Database
 
@@ -405,7 +404,7 @@ Courses can be disabled on a per-semester basis so they no longer affect aggrega
 
 ### Prerequisites
 
-- **Node.js** - v20.19.2+ or v22.12.0+
+- **Node.js** - v22.12.0+
 - **npm** - v11+ (specified in `package.json` engines)
 - **Docker** - For containerized deployment (optional)
 - **Git** - Version control
@@ -679,9 +678,6 @@ npm run test:e2e:ui        # Interactive E2E with Playwright UI
 
 # Run All Tests
 npm run test:all           # Unit + E2E tests
-
-# Validate API Documentation
-npm run docs:validate      # Lint OpenAPI spec
 ```
 
 ### Test Coverage

SECURITY.md

@@ -76,27 +76,33 @@ GhostClass uses npm overrides to enforce minimum secure versions of transitive d
 
 ### Current Overrides (package.json)
 
-#### tar: ^7.5.6
+#### serialize-javascript: ^7.0.4
 
-- **Reason**: Path traversal vulnerabilities in versions <6.1.9
-- **CVEs**: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713
-- **Scope**: Dev-only (used by supabase CLI for unpacking)
+- **Reason**: Cross-site scripting vulnerability in versions <3.1.0
+- **CVEs**: CVE-2020-7660
+- **Scope**: Dev-only (used by Webpack/build toolchain)
 - **Status**: ✅ Patched
 
-#### fast-xml-parser: ^5.3.4
+#### tar: ^7.5.10
 
-- **Reason**: Prototype pollution and XXE (XML External Entity) vulnerabilities in versions <4.2.4
-- **CVEs**: CVE-2023-26920 (prototype pollution), CVE-2022-39353 (XXE)
-- **Scope**: Dev-only (used by @redocly/cli for OpenAPI parsing)
+- **Reason**: Path traversal vulnerabilities in versions ≤7.5.9
+- **CVEs**: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713 / GHSA-qffp-2rhf-9h96
+- **Scope**: Dev-only (used by supabase CLI for unpacking)
 - **Status**: ✅ Patched
 
 #### js-yaml: ^4.1.1
 
 - **Reason**: Code execution via `load()` function in versions <4.0.0
 - **CVEs**: CVE-2021-23343
-- **Scope**: Dev-only (used by ESLint and Redocly CLI)
+- **Scope**: Dev-only (used by ESLint → @eslint/eslintrc)
 - **Status**: ✅ Patched
 
+#### rollup: ^4.52.3
+
+- **Reason**: Security and stability improvements in v4.x
+- **Scope**: Dev-only (used by Vite/Vitest for bundling)
+- **Status**: ✅ Up-to-date
+
 #### glob: ^13.0.6
 
 - **Reason**: Performance improvements and security hardening in v13+
@@ -109,13 +115,12 @@ GhostClass uses npm overrides to enforce minimum secure versions of transitive d
 - **Scope**: Dev-only (used by Vite/Terser for sourcemap generation)
 - **Status**: ✅ Up-to-date
 
-#### @redocly/cli, @redocly/openapi-core, @redocly/respect-core → ajv: ^8.18.0 (selective override)
+#### minimatch: ^10.2.2
 
-- **Reason**: ReDoS vulnerability when using `$data` option in @redocly packages' ajv dependency
-- **CVEs**: CVE-2025-69873 / [GHSA-2g4f-4pwh-qvx6](https://github.com/advisories/GHSA-2g4f-4pwh-qvx6)
-- **Scope**: Dev-only (Redocly CLI for OpenAPI validation)
-- **Status**: ✅ Patched via selective overrides
-- **Note**: ESLint's internal ajv (v6) is no longer flagged by `npm audit` — the advisory was resolved without requiring a global override or ESLint upgrade
+- **Reason**: ReDoS vulnerability in versions <3.0.5
+- **CVEs**: GHSA-3ppc-4f35-3m26
+- **Scope**: Dev-only (used by @sentry/nextjs and other build tools)
+- **Status**: ✅ Patched
 
 ### Maintenance Policy
 
@@ -132,7 +137,7 @@ All previously tracked issues have been resolved:
 
 | Issue | Resolution |
 | --- | --- |
-| `ajv <8.18.0` ReDoS (GHSA-2g4f-4pwh-qvx6) in ESLint | Advisory resolved — no longer flagged by `npm audit`. `@redocly/*` selective overrides remain as defence-in-depth. |
+| `ajv <8.18.0` ReDoS (GHSA-2g4f-4pwh-qvx6) in ESLint | Advisory resolved — no longer flagged by `npm audit`. |
 | `minimatch` ReDoS (GHSA-3ppc-4f35-3m26) in `@sentry/nextjs` | Fixed via `minimatch: ^10.2.2` override in `package.json`. |
 
 See [Dependency Security Overrides](#dependency-security-overrides) for the current override list.