# Changelog

## 1.5.1 - 2025-12-29

### Features

- Added HOST environment variable support for configuring server host binding

### Security

- Fixed unhandled error in HTTP response writing (G104)
- Fixed file write permissions to use more restrictive 0600 instead of 0644 (G306)
- Fixed potential file inclusion vulnerability by adding path validation in file operations (G304)

### Docker

- Added HOST environment variable to Dockerfile (defaults to 0.0.0.0, make sure to set it properly in production)

## 1.5.0 - 2025-12-29

### Features

- Move to IndexedDB for saving graph data (from localStorage)
- Add multiple links support between nodes.
- Increase undo/redo history to 100 steps.
- Move undo/redo operations to IndexedDB instead of memory.
- Mass selection improvements (moving and linking multiple nodes at once).
- Codebase refactor to use Svelte 5 Runes.
- Mobile improvements
- Added SBOM generation, see `/sbom/` for the generated SBOMs.

### Dependency Updates

- `@sveltejs/kit`: ^2.49.1 -> ^2.49.2
- `@typescript-eslint/eslint-plugin`: ^8.50.1 -> ^8.51.0
- `@typescript-eslint/parser`: ^8.50.1 -> ^8.51.0
- `svelte`: ^5.45.6 -> ^5.46.1
- `svelte-check`: ^4.3.4 -> ^4.3.5
- `vite`: ^7.2.6 -> ^7.3.0
- Added `eslint-plugin-security`: ^3.0.1


### Major Codebase Changes

- Moved from `npm` to `pnpm`
- Updated license from `MIT` to `BSD-3-Clause`
- Moved from `Makefile` to `Taskfile`
- Codebase organization and structure changes

### CI/CD Updates

- Updated CI workflows to use `task` commands instead of bash scripts
- Added gosec security scanning to backend build pipeline

### Security

- Overrode `cookie` package to latest version (1.1.1) due to low severity vulnerability in default version.