This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal. Global search now includes contacts, shopping, and calendar results with direct deep-linking into each module. Three core modules (`calendar.js`, `contacts.js`, `shopping.js`) replaced their `innerHTML` assignments with `replaceChildren()` and `insertAdjacentHTML` to reduce XSS exposure.
Why it matters: the XSS mitigation (severity 80) across calendar, contacts and shopping reduces the injection surface, but only partly by construction. `replaceChildren()` given element or text nodes cannot introduce markup, whereas `insertAdjacentHTML` parses its string exactly as `innerHTML` does, so any call site that still interpolates user-controlled fields (contact names, emails, item names, event titles) into that string needs escaping or a sanitizer to be safe. The new deep-link parameters (`?open=<id>`, `?list=<id>&highlight=<id>`) are also attacker-reachable input via a crafted link and should resolve only to records that actually exist before anything is opened or highlighted. Search expansion improves navigation efficiency. Before production: exercise every deep-linking scenario, and verify the XSS fixes in dev by seeding a contact, a shopping item and a calendar event whose name contains HTML markup and confirming it renders as literal text both in search results and in the modals they open.
Summary
AI summary: Global search now includes contacts, shopping items, and calendar events; clicking a result navigates directly to the respective module.
Changes in this release
| Type | Severity | Summary | CVE | Source (confidence) |
|---|---|---|---|---|
| Security | High | Replaced all `innerHTML` assignments with `replaceChildren()` and `insertAdjacentHTML` in `calendar.js`, `contacts.js`, and `shopping.js` to comply with XSS policy. | — | granite4.1:30b@2026-05-21-audit (low) |
| Security | Medium | Replaced `innerHTML` with `replaceChildren()` and `insertAdjacentHTML` to prevent XSS. | — | granite4.1:8b-q6_K@2026-05-21 (low) |
| Feature | Medium | Global search includes contacts and shopping items, deep-linking results to respective modules. | — | granite4.1:8b-q6_K@2026-05-21 (high) |
| Feature | Medium | Contacts search results deep-link via `?open=<id>` and open edit modal on load. | — | granite4.1:8b-q6_K@2026-05-21 (high) |
| Feature | Medium | Shopping search results deep-link via `?list=<id>&highlight=<id>` to correct list tab and highlight item. | — | granite4.1:8b-q6_K@2026-05-21 (high) |
| Bugfix | Medium | Calendar search now carries event id and opens edit modal directly. | — | granite4.1:8b-q6_K@2026-05-21 (high) |
Full changelog
Added
- Global search now includes contacts (matched by name, phone, email) and shopping items (matched by name); clicking a result navigates directly to the respective module
- Contacts search results deep-link via `?open=<id>` and open the edit modal immediately on page load
- Shopping search results deep-link via `?list=<id>&highlight=<id>`: the correct list tab is activated and the matched item is scrolled into view
- Calendar search results deep-link via `?open=<id>` and open the event edit modal immediately on page load
Fixed
- Calendar search results previously navigated to `/calendar` without identifying the specific event; results now carry the event id and open the edit modal directly
- Replaced all `innerHTML` assignments in `calendar.js`, `contacts.js`, and `shopping.js` with `replaceChildren()` and `insertAdjacentHTML` to comply with the project XSS policy
Full Changelog: https://github.com/ulsklyc/oikos/blob/main/CHANGELOG.md
Security Fixes
- Replaced all `innerHTML` assignments in `calendar.js`, `contacts.js`, and `shopping.js` with `replaceChildren()` and `insertAdjacentHTML` to comply with XSS policy
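The following is an added example, not code from the oikos project or from this release. It demonstrates the two surfaces the release touches as a reviewer would want to see them: resolving the new deep-link parameters (`?open=<id>`, `?list=<id>&highlight=<id>`) as untrusted URL input that must match a known record before anything is opened, and rendering a search result without `innerHTML`, contrasting `replaceChildren()` with real nodes (no markup parsing) against the string an `insertAdjacentHTML` call would parse (safe only once escaped). The function names, record fields, sample records and the stub document are all assumptions made for this example.

```javascript
// Added example, not code from the oikos project. Function names, record
// fields and sample records are assumptions made for illustration.

// Constructed sample records; the second contact's name carries markup on purpose.
const sampleContacts = [
  { id: "c-17", name: "Ada Lovelace", phone: "555-0100", email: "ada@example.org" },
  { id: "c-42", name: '<img src=x onerror="alert(1)">', phone: "", email: "" },
];
const sampleItems = [
  { id: "i-3", listId: "l-1", name: "Milk" },
  { id: "i-9", listId: "l-2", name: "Batteries" },
];

// 1. Resolve a deep link to an action. The parameters come from the URL, so a
//    crafted link controls them; unknown ids, or an item that does not belong to
//    the list named in the URL, yield no action rather than being used as-is.
function parseDeepLink(search, records) {
  const params = new URLSearchParams(search);   // decodes once; no manual splitting
  const byId = new Map(records.map((r) => [r.id, r]));
  const open = params.get("open");
  if (open !== null) {
    return byId.has(open) ? { action: "edit", id: open } : { action: "none" };
  }
  const list = params.get("list");
  const highlight = params.get("highlight");
  if (list !== null && highlight !== null) {
    const item = byId.get(highlight);
    return item && item.listId === list
      ? { action: "highlight", listId: list, id: highlight }
      : { action: "none" };
  }
  return { action: "none" };
}

// 2a. The string an insertAdjacentHTML() (or innerHTML) call would parse.
//     With escape=false the contact name is injected as live markup: the same
//     bug innerHTML had, just through a different method.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

function resultMarkup(contact, { escape }) {
  const name = escape ? escapeHtml(contact.name) : contact.name;
  return `<li data-id="${escapeHtml(contact.id)}">${name}</li>`;
}

// 2b. The node-building path. textContent assigns text, never markup, so no
//     escaping is needed. The document is injected so the function runs
//     unchanged in a browser or against the minimal stub below.
function renderResults(doc, container, contacts) {
  const items = contacts.map((c) => {
    const li = doc.createElement("li");
    li.setAttribute("data-id", c.id);
    li.textContent = c.name;
    return li;
  });
  container.replaceChildren(...items);   // atomic replacement, no string parsing
  return container;
}

// Minimal stand-in for the DOM methods used above, so the example runs in Node.
function stubDocument() {
  const makeNode = (tagName) => ({
    tagName,
    textContent: "",
    childNodes: [],
    attrs: {},
    setAttribute(k, v) { this.attrs[k] = String(v); },
    replaceChildren(...nodes) { this.childNodes = nodes; },
  });
  return { createElement: makeNode };
}

// Stand-alone demo: uses the real DOM in a browser, the stub elsewhere.
const doc = typeof document !== "undefined" ? document : stubDocument();
const rendered = renderResults(doc, doc.createElement("ul"), sampleContacts);
console.log(parseDeepLink("?open=c-17", sampleContacts));         // edit action for a known id
console.log(parseDeepLink("?open=c-999", sampleContacts));        // no action for an unknown id
console.log(resultMarkup(sampleContacts[1], { escape: false }));  // live <img> tag: XSS
console.log(resultMarkup(sampleContacts[1], { escape: true }));   // entity-escaped, inert text
console.log(rendered.childNodes[1].textContent);                  // the raw name, held as text
```

When reviewing the actual call sites, the check is mechanical: every `insertAdjacentHTML` argument that contains a record field must pass through an escaper like `escapeHtml` (or be built from a trusted template with the fields set via `textContent` afterwards), and every `?open=`/`?highlight=` value must be looked up before it reaches a selector, a URL, or a modal.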