v2.0.1

2.0.1 (2026-04-16)

Security

• dompurify CVE fix: Bump dompurify to fix CVE GHSA-39q2-94rc-95cp (ADD_TAGS bypasses FORBID_TAGS)
• CSP hardening: Replace script-src 'unsafe-inline' with SvelteKit CSP nonces via kit.csp (per-request nonce generation)
• Auth logging: Gate auth logs to debug() level to prevent user-login leaks to stdout in production
• Remove hardcoded secret fallback: Require SESSION_SECRET via fail-fast validation
• CI audit gate: Upgrade from 'high' to 'moderate' level, remove continue-on-error
• Document ALLOWED_GITHUB_USERS: Promote as critical security setting for self-hosted deployments

Bug Fixes

• Critical: Node 25 SSR localStorage bug: Fix hard 500s on every page load
  • Node 25+ exposes a broken localStorage stub without --localstorage-file
  • Replace typeof localStorage === 'undefined' guards with window.localStorage?.getItem feature checks
  • Applied to: settings.svelte.ts, ws.svelte.ts, test-setup.ts polyfill
• resolve Svelte warning and optimize Docker layer caching (7a21ec0)
• suppress npm install warnings in Docker build (d570304)

Internal

• Remove duplicated auth-cookie restore from server.js
• Centralize TOKEN_MAX_AGE_MS via config.ts
• Remove auth-aware '/' from service worker precache
• Make logger build-time-safe (read NODE_ENV directly)
• Fix 7 pre-existing settings.test.ts failures (localStorage.clear stub + stale v2 voice fields)
• Verify cookie ^0.7.0 override still needed (kit requires ^0.6.0 which is vulnerable)

Testing

• All 409/409 unit tests pass (up from 402)
• npm audit clean (0 moderate+ vulnerabilities)
• Production verified: HTTP 200, CSP nonce per-request, zero per-request log noise

v2.0.0

What's Changed

• fix: add aria-label to collapsed sidebar icon-only buttons by @Copilot in #129
• fix: replace 💭 emoji with Lucide Brain icon in ReasoningBlock by @Copilot in #130
• feat: UI Modernization — Typography, Icons, Desktop Layout, Overlays by @devartifex in #128
• feat: add image paste, drag-and-drop, and fix upload CSRF/size issues by @dmbutko in #141
• feat: upgrade to Copilot SDK v0.2.2 — Release 2.0 by @devartifex in #147
• fix: use platform path separator in attachment validation by @dmbutko in #149
• fix: reliable auto-scroll with scroll-to-bottom button by @dmbutko in #150
• chore(deps): bump actions/github-script from 8 to 9 by @dependabot[bot] in #151
• chore(deps): bump vite from 8.0.7 to 8.0.8 by @dependabot[bot] in #154
• chore(deps): bump marked from 17.0.6 to 18.0.0 by @dependabot[bot] in #153
• chore(deps-dev): bump the dev-deps group across 1 directory with 5 updates by @dependabot[bot] in #156
• chore(deps): bump the svelte group across 1 directory with 2 updates by @dependabot[bot] in #152
• feat: voice input (STT) and text-to-speech (TTS) via Web Speech API by @devartifex in #159

New Contributors

• @dmbutko made their first contribution in #141

Full Changelog: v1.0.0...v2.0.0

v1.0.0 — Initial Public Release

Copilot Unleashed v1.0.0

Self-hosted multi-model AI chat platform powered by the official @github/copilot-sdk.

Highlights

• 20+ AI models — GPT-4.1, Claude, Gemini, o-series through a single interface
• SvelteKit 5 — Full-stack with runes, WebSocket streaming, and adapter-node
• GitHub Device Flow — Authenticate with your GitHub account (no client secret needed)
• PWA — Installable with push notifications and offline support
• Docker + Azure — Single-command deployment via docker compose up or azd up

Tech Stack

• Runtime: Node.js 24 + TypeScript 5.7 (strict mode)
• Framework: SvelteKit 5 with Svelte 5 runes
• AI: @github/copilot-sdk with per-user session lifecycle
• Real-time: WebSocket with reconnection and message buffering
• Testing: Vitest (386 unit tests) + Playwright E2E

Getting Started

# Docker (recommended)
docker compose up --build

# Local development
npm install && npm run build && npm start

See README.md for full documentation.