Beautiful Website for Your Projects

[email protected] — 2026-06-19

Client-side search (⌘K), SSRF hardening, SEA binary fixes, and a dependency refresh.

Features

• add built-in client-side search (⌘K) to the modern template (a3d3c1c, #445)

  ```jsonc
  // docula.config.json — search is on by default for the modern template;
  // build emits search-index.json and renders the ⌘K / Ctrl-K modal.
  { "enableSearch": true } // set to false to disable
  ```

Bug Fixes

• search: robust HTML stripping and Enter-key race in client search (5d4392c, #445)
• search: match lenient script/style end tags; enable search for changelog-only sites (d6ac6e9, #445)
• api: mitigate SSRF in remote OpenAPI spec fetch (1ca11c5, #431)
• safe-fetch: handle both lookup signatures; destroy dispatcher inline on redirect (396618c, #431)
• binary: support docula.config.json; SEA mode loads JSON only (083ed53, #428)
• binary: load .mjs configs without dynamic import() in SEA mode (6fcecc5, #428)
• binary: use createRequire instead of new Function; preserve aliases and scope (10edf8b, #428)
• binary: dedupe require() calls and verify multi-line import handling (1d2e758, #428)
• binary: build SEA as ESM to enable dynamic import of file URLs (eef80ee, #426)
• binary: drop githubPath from smoke fixture to skip GH API call (eabbada, #429)
• binary: skip site config loading for version command (077f4cd, #425)
• release: grant id-token: write for npm OIDC trusted publishing (7ae3269, #424)

Documentation

• security: add Aikido badge and expand SECURITY.md (6352d7e, #432)
• security: qualify PR scan coverage to main branch (7b55ddd, #432)
• readme: move Aikido badge into dedicated Security section (c2eabf7, #433)
• security: switch vulnerability reports to private email only (4690e60, #433)
• readme: drop vulnerability reporting line from summary (4cb858f, #433)
• add Binary Download page documenting JSON-only SEA config (985cc1f, #428)
• add rel="noopener noreferrer" to Aikido badge link (1f6d5a6, #427)
• add Aikido security audit report badge to README (b5d2d2d, #427)
• re-add Aikido Security Audit badge (1d96c29, #435)

Internal

• upgrade hashery to 3 — no public API change; Node ≥22.18 already satisfied (dfd72a1, #443)
• upgrade undici to 8; bump engines.node to ^22.19.0 (0f38083, #442)
• upgrade ipaddr.js (1721a15, #441)
• upgrade ecto (5eae9fd, #440)
• upgrade @cacheable/net (9e0e5b0, #439)
• upgrade AI SDK dependencies (211bb19, #438)
• upgrade GitHub Actions — checkout v7, codecov v7 (e8e0d3b, #437)
• upgrade TypeScript and build tooling (b9cc26d, #436)
• upgrade code quality dependencies — biome, vitest (5880166, #435)
• test: rebuild test harness for isolation, determinism, and 100% coverage (bcd6d9c, #444)
• test: harden harness per review — no failure-hiding, no env leaks, safer cloneSite (4f72069, #444)
• test: address Codex review findings on the migrated tests (b78007a, #444)
• ci(binary): drop macOS x64 build, keep only macos-latest arm64 (33619a6, #430)
• ci(binary): replace deprecated macos-13 runner with macos-15-intel (c8308d2, #430)
• ci(release): drop NPM_TOKEN fallback now that OIDC publishes (21607ac, #424)

Contributors

• @jaredwray (21)

Full List of Changes

• fix(release): grant id-token: write so pnpm OIDC publish succeeds by @jaredwray in #424
• fix(binary): skip site config loading for `version` command by @jaredwray in #425
• fix(binary): build SEA as ESM to enable dynamic import of file URLs by @jaredwray in #426
• docs: add Aikido security audit report badge to README by @jaredwray in #427
• fix(binary): load .mjs configs without dynamic import() in SEA mode by @jaredwray in #428
• fix(binary): drop githubPath from smoke fixture to skip GH API call by @jaredwray in #429
• ci(binary): drop macOS x64 build, keep only macos-latest (arm64) by @jaredwray in #430
• fix(api): mitigate SSRF in remote OpenAPI spec fetch by @jaredwray in #431
• docs(security): add Aikido badge and expand SECURITY.md by @jaredwray in #432
• docs(readme): move Aikido badge into dedicated Security section by @jaredwray in #433
• root - chore: upgrade code quality dependencies by @jaredwray in #435
• root - chore: upgrade TypeScript and build tooling by @jaredwray in #436
• root - chore: upgrade GitHub Actions (breaking) by @jaredwray in #437
• root - chore: upgrade AI SDK dependencies by @jaredwray in #438
• root - chore: upgrade @cacheable/net by @jaredwray in #439
• root - chore: upgrade ecto by @jaredwray in #440
• root - chore: upgrade ipaddr.js by @jaredwray in #441
• root - chore: upgrade undici to 8 (breaking) by @jaredwray in #442
• root - chore: upgrade hashery to 3 (breaking) by @jaredwray in #443
• test: rebuild test harness for isolation, determinism, and 100% coverage by @jaredwray in #444
• feat: built-in client-side search (⌘K) for the modern template by @jaredwray in #445

Full diff: https://github.com/jaredwray/docula/compare/v2.0.0...v2.1.0

[email protected] — 2026-05-19

Node 20 → 22 minimum, pnpm 11 supply-chain hardening, AI SDK + tooling refresh, and favicon auto-generation.

⚠ BREAKING CHANGES

• Drop Node 20 support; minimum engines are now `^22.18.0 || >=24.0.0` (3420df2, #416)
  Migration: upgrade to Node 22 LTS or Node 24+. pnpm is now managed via corepack; run `corepack enable` and pnpm 11.1.3 is pinned via `packageManager`.

Features

• auto-generate favicon from logo when `favicon.ico` is missing (ba2f40c, #414)

  ```text
  site/
  favicon.ico ← used as-is if present
  logo.svg ← else used as favicon
  logo.png ← else used as favicon
  ← else no emitted
  ```

Bug Fixes

• skip lightbox and zoom-in cursor for images wrapped in links (84667c3, #411)
• simplify sidebar — all sections open by default, user preference still persisted in localStorage (25f86e8, #412)
• ai: fall back to env vars and handle empty model strings (6630c35, #413)
• ai: use valid OpenAI model name `gpt-4o-mini` (drop `-latest` suffix) (fc74979, #413)

Internal

• upgrade to pnpm 11 with defense-in-depth supply chain controls — 7-day minimumReleaseAge, strict mode, blockExoticSubdeps, allowBuilds allow-list (3420df2, 8af7fe0, #416)
• migrate binary build from hand-rolled SEA pipeline to tsdown's `exe` option; switch SEA detection to `node:sea.isSea()` (45b48c5, #423)
• upgrade GitHub Actions to latest majors — checkout v6, setup-node v6, upload-artifact v7, codecov v6, codeql v4, wrangler v4 (81dd0d1, #419)
• upgrade Vercel AI SDK dependencies — `ai` 6.0.178; anthropic, google, openai providers (e89fbf4, 670e0d7, #420)
• upgrade code quality dependencies — biome 2.4.15, vitest 4.1.6, playwright 1.60.0 (99d436e, #417)
• upgrade TypeScript 6.0.3 and tsdown 0.22.0; align `@types/node` with `.nvmrc` (42afae6, 27eedd9, #418)
• upgrade ecto 4.8.5 (dedupes writr in tree) (d209639, #421)
• upgrade jiti 2.7.0 (b50bfe3, #422)
• refactor builder: use `path.join` for favicon and logo.png paths (cec4bcc, #414)

Contributors

• @jaredwray (12)

Full List of Changes

• fix: zoom-in cursor for images inside links by @jaredwray in #411
• fix: simplify sidebar section default open state logic by @jaredwray in #412
• Auto-generate favicon from logo when favicon.ico is missing by @jaredwray in #414
• Update default OpenAI model from gpt-4o-mini-latest to gpt-4o-mini by @jaredwray in #413
• chore: upgrade to pnpm 11 with defense-in-depth supply chain controls by @jaredwray in #416
• root - chore: upgrade code quality dependencies by @jaredwray in #417
• root - chore: upgrade TypeScript and build tooling by @jaredwray in #418
• root - chore: upgrade GitHub Actions (breaking) by @jaredwray in #419
• root - chore: upgrade Vercel AI SDK dependencies by @jaredwray in #420
• root - chore: upgrade ecto by @jaredwray in #421
• root - chore: upgrade jiti by @jaredwray in #422
• build: migrate binary build to tsdown exe option by @jaredwray in #423

Full diff: https://github.com/jaredwray/docula/compare/v1.14.0...v2.0.0

What's Changed

• feat: add onAutoReadme hook to transform resolved README content by @jaredwray in https://github.com/jaredwray/docula/pull/402
• chore: upgrading biome, playwright, types, and vitest by @jaredwray in https://github.com/jaredwray/docula/pull/403
• chore: upgrading ai and the ai-sdk providers by @jaredwray in https://github.com/jaredwray/docula/pull/404
• chore: upgrading writr, ecto, and @cacheable/net to latest by @jaredwray in https://github.com/jaredwray/docula/pull/405
• chore: upgrading dotenv to 17.4.2 by @jaredwray in https://github.com/jaredwray/docula/pull/406
• chore: upgrading tsdown to 0.21.9 by @jaredwray in https://github.com/jaredwray/docula/pull/407
• chore: upgrading hashery to 2.0.0 by @jaredwray in https://github.com/jaredwray/docula/pull/408
• chore: upgrading to typescript 6.0.2 by @jaredwray in https://github.com/jaredwray/docula/pull/409
• feat: api reference and documentation nav cleanup by @jaredwray in https://github.com/jaredwray/docula/pull/410

Full Changelog: https://github.com/jaredwray/docula/compare/v1.13.0...v1.14.0