This release includes 1 security fix for security teams reviewing exposed deployments.
Topics
+4 more
Affected surfaces
Summary
AI summaryFixed split-guest users on mobile seeing a broken Kitchen button and an empty More sheet, now omitted; upgraded error and toast rendering to DOM API for XSS safety.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium |
Converted renderError and toast icon rendering from innerHTML to DOM API to comply with the project's XSS-safety constraint Converted renderError and toast icon rendering from innerHTML to DOM API to comply with the project's XSS-safety constraint Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Split-guest users on mobile no longer see a broken Kitchen button and an empty More sheet that covered page content; those nav elements are omitted entirely for guest accounts Split-guest users on mobile no longer see a broken Kitchen button and an empty More sheet that covered page content; those nav elements are omitted entirely for guest accounts Source: llm_adapter@2026-05-21 Confidence: high |
— |
Full changelog
Fixed
- Split-guest users on mobile no longer see a broken Kitchen button and an empty More sheet that covered page content; those nav elements are omitted entirely for guest accounts
- Converted renderError and toast icon rendering from innerHTML to DOM API to comply with the project's XSS-safety constraint
Security Fixes
- toast icon rendering upgraded from innerHTML to DOM API, eliminating XSS risk in renderError and toast components
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Beta — feedback welcome: [email protected]