This repository was archived by the owner on Jun 7, 2026. It is now read-only.
Conversation
also bundles the windows extended-length path prefix strip (history.rs helper + src/lib/path.ts mirror + HistoryPanel wiring) that was already in the working tree.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
JLab Desktop 0.5.5
Patch release. Security hardening, one display fix, and an internal endpoint swap. No new features, no breaking changes.
Changed
/api/statsto the new/api/public/heartbeatendpoint. The 60s liveness poll no longer pulls the heavy stats aggregation just to read the deploy version. No UI change. After this, the app talks only to/api/public/*(static-scan, threat-intel, heartbeat).Fixed
\\?\C:\...) now render the way a user types them (C:\..., and\\?\UNC\server\sharebecomes\\server\share). Display only; stored values and scan logic are unchanged.CHANGELOG.mdline matching the old fixed delimiter can no longer inject into the step output. CI-only.Security
.ssh,.gnupg,.aws,.docker,.kube,.config/git,.config/gh) and the user's home directory itself. Stops secret-laden paths from landing indebug.log.open_urlnow restricts GitHub URLs to the repo root and source-only sub-paths (releases,tree,blob,tag,commits). Issue, wiki, discussion, pulls, and security paths are rejected. Shrinks the open-redirect blast radius.coalesce_window_ms) is no longer read from or written towatcher-settings.json, so a hand-edited settings file can no longer delay the next "threat found" toast.core:webview:allow-internal-toggle-devtoolscapability from the Tauri capability set.SECURITY.md's permission list is synced tocapabilities/default.json.Audit
tsc,cargo fmt --check,cargo clippy -D warnings, andcargo test(132 passed) all green on dev.README.md,SECURITY.md, andCHANGELOG.mdreviewed and updated. Stale changelog link refs (0.5.3 / 0.5.4) restored.package.json,package-lock.json,tauri.conf.json,Cargo.toml,Cargo.lock.Merging to
maintriggers the release workflow, which builds the bundles, attaches them to a GitHub Release, and tagsv0.5.5.