* Fix DND/Focus mode not silencing new mail sounds on macOS 12+
Update macos-notification-state from v1.3.6 to v3.0.0 to add proper
support for macOS Focus mode (which replaced Do Not Disturb in macOS 12).
The old version did not detect Focus mode on macOS 12+, causing sounds
to play even when the user had DND/Focus enabled.
The v3.0.0 API change requires async handling since getDoNotDisturb()
now returns a Promise, so update doNotDisturb() and displayNotification()
to be async, along with their callers in the unread-notifications package.
Fixes: https://community.getmailspring.com/t/notifications-do-not-respect-focus-mode-on-macos/9737
* Silence all sounds when macOS Focus/DND mode is enabled
Move the Do Not Disturb check into SoundRegistry.playSound() so that
all sounds are silenced when Focus mode is active, not just the new
mail notification sound. This affects:
- New mail sound
- Send button click sound ('hit-send')
- Mail sent sound ('send')
This is more consistent with user expectations - when DND is enabled,
no sounds should play from the app.
* Patches from local testing
---------
Co-authored-by: Claude <noreply@anthropic.com>
When opening the full message in a new window via the 'Message Clipped -
Show All' link, Chinese and other non-ASCII characters would appear as
garbled text. This was because the HTML file was written without a charset
declaration, causing the browser to guess the encoding incorrectly.
The fix prepends a UTF-8 charset meta tag to the HTML content before
writing it to the temporary file, ensuring the browser correctly
interprets the character encoding.
Fixes: https://community.getmailspring.com/t/message-clipped-show-all-has-a-problem-with-encoding/9532
Co-authored-by: Claude <noreply@anthropic.com>
* Add security vulnerability assessment for quickpreview attachment chain
Document verified vulnerability chain in quick preview feature:
- XSS via unsanitized HTML from Snarkdown/Mammoth (innerHTML injection)
- Exposed privileged IPC (finishWithData/finishCapture) to renderer
- Path validation bypass via directory traversal (missing path.resolve)
- Arbitrary file write leading to persistent RCE
Includes remediation plan with prioritized fixes and testing strategy.
* Fix critical security vulnerability chain in quickpreview attachment handling
This commit addresses a critical vulnerability chain that could lead to
persistent RCE via a single malicious attachment preview.
Security fixes implemented:
1. Path Validation (CVE-like: directory traversal)
   - Use path.resolve() to normalize paths before validation
   - Add path.sep suffix to prevent prefix-matching attacks
   - Return resolved path to prevent double-resolution
2. HTML Sanitization (CVE-like: XSS)
   - Add DOMPurify library with SanitizeTransformer config
   - Sanitize Mammoth, Snarkdown, and XLSX output before innerHTML
   - Prevents script injection via malicious .md/.docx/.xlsx files
3. Opaque Tokens (defense in depth)
   - Replace direct file path exposure with cryptographic tokens
   - Token-to-path mapping stored only in main process
   - Tokens are single-use and deleted after consumption
4. Sender Validation (defense in depth)
   - Validate IPC sender URL matches quickpreview renderer
   - Reject requests from unauthorized senders
5. Content Security Policy (defense in depth)
   - Add CSP headers to preview and capture windows
   - Restrict script-src, object-src, frame-src
   - Allow external images for document preview functionality
Reported-by: Chanho Kim
* Fix memory leak in preview token system
Add cleanupPreviewToken() function and call it when preview times out
or fails. This prevents token accumulation in long-running instances.
On success, the IPC handler already deletes the token. On failure
(timeout, crash, etc.), we now explicitly clean up the unused token.
* Fix token storage in wrong process (renderer vs main)
The previewTokens Map was being stored in the renderer process (where
index.ts runs) but the IPC handlers check for tokens in the main process
(where quickpreview-ipc.ts is registered). This caused "Invalid or expired
preview token" errors for PDF and DOCX previews.
Fix: Generate and cleanup tokens via IPC handlers so they're stored in
the main process where the validation occurs.
Changes:
- Add quickpreview:generateToken and quickpreview:cleanupToken IPC handlers
- Update index.ts to call these via ipcRenderer.invoke instead of
importing functions directly
- Make _generateNextCrossplatformPreview async to await token generation
* Remove unneeded markdown files
---------
Co-authored-by: Claude <noreply@anthropic.com>
* Upgrade node-emoji from v1.2.1 to v2.2.0
Breaking changes addressed:
- Changed import from default to namespace import (v2 uses ESM)
- Replaced `NodeEmoji.emoji` object access with `NodeEmoji.search('')`
since the `emoji` property is no longer exposed in v2
- Added caching for getAllEmojiNames() to maintain performance
- Removed @types/node-emoji as v2 includes built-in TypeScript types
* Fix issue with emoji toolbar popover
---------
Co-authored-by: Claude <noreply@anthropic.com>
- Update uuid from ^3.0.0 to ^13.0.0 in app/package.json
- Remove @types/uuid (types now built-in with v11+)
- Convert CommonJS require() to ESM imports in:
  - app/internal_packages/onboarding/lib/onboarding-constants.ts
  - app/src/flux/stores/draft-factory.ts
Breaking changes addressed:
- v7+: Removed default export, now uses named exports only
- v12+: Dropped CommonJS support (ESM only)
- v11+: Written in TypeScript with built-in types
Co-authored-by: Claude <noreply@anthropic.com>
* Upgrade ical.js and ical-expander to latest versions
- Update ical.js from 1.3.0 to 2.2.1
- Update ical-expander from 2.0.0 to 3.2.0
- Fix TypeScript type imports for ical.js 2.x ES module structure
- Fix getFirstPropertyValue return type handling in event-header.tsx
- Fix occurrence item access pattern in calendar-data-source.ts
The ical.js 2.x release includes ES6 module support, improved TypeScript
definitions, and various bug fixes for recurrence handling and timezone
support.
* Fix issues
---------
Co-authored-by: Claude <noreply@anthropic.com>
* Upgrade juice module from 7.0.0 to 11.0.3
Upgrade the CSS inlining library used for email composition.
No code changes required as the basic juice(html) API remains
compatible across these versions.
* Update package-lock.json for juice upgrade
---------
Co-authored-by: Claude <noreply@anthropic.com>
Node.js 18+ includes native fetch, and Electron 39 uses Node.js 22+.
The node-fetch package is no longer needed.
Co-authored-by: Claude <noreply@anthropic.com>
Update to modern lru-cache API for improved performance:
- Use named import { LRUCache } instead of default import
- Rename del() to delete() method
- Rename reset() to clear() method
v10.4.3 is the latest version compatible with Node ^16.17.
Co-authored-by: Claude <noreply@anthropic.com>
Update the snarkdown Markdown parser dependency to latest version.
v2.0.0 includes bug fixes for link parsing, fenced code blocks,
strikethrough support, TypeScript typings, and code block HTML structure.
The API remains compatible - CommonJS require() returns the function
directly, so no code changes were needed.
Co-authored-by: Claude <noreply@anthropic.com>
* Add Electron upgrade assessment for v37 to v39 migration
Comprehensive analysis of breaking changes, deprecated APIs, and required
code changes for upgrading from Electron 37.2.2 to the latest v39.x.
Key findings:
- macOS 11 support dropped in Electron 38 (min is now macOS 12)
- new-window event deprecated, needs migration to setWindowOpenHandler
- did-get-response-details event removed, needs alternative approach
- @electron/remote still compatible but represents technical debt
* Upgrade better-sqlite3 from 11.7 to 12.5
* Upgrade dependencies, re-test on macOS
---------
Co-authored-by: Claude <noreply@anthropic.com>
* Fix the Hungarian language file of Mailspring
Improve the Hungarian language file of Mailspring.
* I improved it a bit.
I improved it a bit. Now it looks perfect.
* Minor modification
Minor modification