cc25be4e14
The web UI rendered a blank screen for every user. Root cause: the page
loaded @babel/standalone from unpkg with no version pin, so the CDN silently
served Babel 8.0.0. Babel 8 defaults @babel/preset-react to the automatic JSX
runtime, which prepends `import {jsx} from "react/jsx-runtime"` to the compiled
output. An ESM import is illegal in this classic (non-module) inline <script>,
so the browser rejected the whole bundle and React never mounted — hence the
blank screen. The prior "verified live" checks were server-up/curl, which can't
catch a browser-render failure.
- Pin @babel/standalone@7.29.7 (its preset-react defaults to the classic
React.createElement runtime). Verified via headless render: app mounts, login
screen renders, no console error. Follow-up: vendor + SRI-pin the CDN libs so
a third party can't swap our front-end deps in production again.
- Close three server-side admin gaps surfaced by a permissions audit — endpoints
that were UI-hidden from members but not API-enforced: GET /api/users,
/api/email/status, /api/email/accounts now require_admin. Removed the now-dead
non-admin mailbox-row filter. 21/21 backend tests green; py_compile clean.
26 lines
1.4 KiB
TypeScript
import { VersionInfo } from '@start9labs/start-sdk'

// HOTFIX — restore the web UI (every user was getting a blank screen) + close three
// server-side admin gaps. Code-only, no schema change (migrations are no-ops):
// * Pin @babel/standalone to 7.29.7. The page loaded Babel from unpkg with no version
//   pin, so unpkg silently served Babel 8.0.0. Babel 8 defaults @babel/preset-react to
//   the automatic JSX runtime, which prepends `import {jsx} from "react/jsx-runtime"`
//   to the compiled output — an ESM import is illegal in this classic (non-module)
//   inline <script>, so the browser rejected the whole bundle and React never mounted.
//   The 7.x line defaults preset-react to the classic runtime (React.createElement),
//   which restores the prior, working behavior. (Follow-up: vendor + SRI-pin the CDN
//   libs so a third party can't swap our front-end deps in production again.)
// * Enforce admin server-side on three GET endpoints that were UI-hidden but not
//   API-enforced: /api/users, /api/email/status, /api/email/accounts.
export const v_0_1_0_79 = VersionInfo.of({
  version: '0.1.0:79',
  releaseNotes: {
    en_US: [
      'Fixes a blank screen on load caused by an upstream Babel CDN upgrade; the web app',
      'now loads reliably. Also tightens admin-only access controls on a few internal',
      'endpoints. No data changes.',
    ].join(' '),
  },
  migrations: { up: async () => {}, down: async () => {} },
})
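
The follow-up named in the commit message (vendor + SRI-pin the CDN libs) can be backed by a build-time check that flags any unpkg script tag lacking an exact version or an integrity attribute. This is an added example, not code from this repository: `auditScriptTags`, the host list and the sample HTML are constructed for illustration, and the integrity value is a placeholder rather than a real digest.

```javascript
// Added example: lint HTML for CDN <script> tags that are not exactly pinned or lack SRI.
// CDN_HOSTS and SAMPLE_HTML are constructed; they are not taken from the project.
const CDN_HOSTS = new Set(['unpkg.com']);
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
// unpkg-style path: /[@scope/]name[@version]/file
const PKG_SPEC = /^\/((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?(?:\/|$)/;

function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(tag);
  return m ? m[1] : null;
}

function auditScriptTags(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, 'src');
    if (!src) continue; // inline script, nothing fetched
    let url;
    try { url = new URL(src); } catch { continue; } // relative URL: same-origin or vendored
    if (!CDN_HOSTS.has(url.hostname)) continue;
    const spec = PKG_SPEC.exec(url.pathname);
    const pkg = spec ? spec[1] : url.pathname;
    const version = spec ? spec[2] : undefined;
    const problems = [];
    // No version means "latest": the failure mode described in the commit message.
    if (!version) problems.push('no-version');
    // A range or tag (e.g. "18") still lets the CDN pick the concrete release.
    else if (!EXACT_VERSION.test(version)) problems.push('version-range');
    const integrity = attr(tag, 'integrity');
    if (!integrity || !/^sha(256|384|512)-/.test(integrity)) problems.push('no-sri');
    // Browsers only enforce SRI on cross-origin scripts fetched in CORS mode.
    else if (!/\scrossorigin\b/i.test(tag)) problems.push('no-crossorigin');
    if (problems.length) findings.push({ pkg, problems });
  }
  return findings;
}

// Constructed sample page covering the unpinned, range-pinned, pinned and SRI-pinned cases.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@babel/standalone/babel.min.js"></script>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
<script src="https://unpkg.com/@babel/standalone@7.29.7/babel.min.js"></script>
<script src="https://unpkg.com/@babel/standalone@7.29.7/babel.min.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script src="/vendor/app.js"></script>
<script type="text/babel">/* inline JSX */</script>`;

console.log(JSON.stringify(auditScriptTags(SAMPLE_HTML), null, 2));
```

A version pin alone stops silent major-version drift; the integrity attribute is what makes the browser refuse a file whose bytes differ from the reviewed ones.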