Release History

Changelog

New features, fixes, and improvements — most recent first.

2026-05-04 v1.2.0

Security Hardening & Accessibility

Comprehensive 9-phase security and quality hardening — XSS prevention, event listener cleanup, error handling standardisation, accessibility, proactive token refresh, CSS design tokens, validation UX, and tsconfig modernisation. IP spoofing fix in rate limiter, WCAG 2.1 AA compliance, Azure SWA CI/CD overhaul migrating the API to a standalone bun project, feature-based module reorganisation, and weekly Dependabot review automation.

🔒 Security

IP spoofing fix in rate limiter — api/_shared/utils.js prioritises x-azure-clientip and takes the last IP in X-Forwarded-For to prevent header-spoofing bypass.

XSS prevention across editor.js, utils.js, chip-context-menu.js — innerHTML replaced with DOM API; markdown link parser validates protocols to reject javascript: URIs.

issue-report.js — _parseMarkdown builds anchors via DOM APIs with URL constructor validation before any HTML escaping.

♿ Accessibility

WCAG 2.1 AA compliance — keyboard navigation, focus management, colour contrast, and screen reader support improved throughout.

dialogs.js — focusTrap() utility applied to all custom modals (Help, Issue Report, Startup Welcome).

taskpane.html — ARIA roles (alertdialog, dialog, menu, menuitem) and aria-live="polite" on dynamic regions added.

⚙ Changed

Event listener cleanup — AbortController pattern for modal listeners; listener-registry.js utility for consistent cleanup; duplicate drag/drop listener guard in variables-panel.js.

Centralised error handling — handleError(error, context, level) in utils.js with silent, status (toast), and critical levels.

Proactive token refresh — background timer fires 10 minutes before expiry; concurrent refresh attempts deduplicated.

CSS design token consolidation — 80+ hardcoded colours mapped to CSS custom properties; 24 CSS files updated.

Inline validation UX — validatePage2() in template.js displays inline errors; variable name warnings added to preview.

tsconfig.json modernised — ES5 → ES2022, strict mode enabled, deprecated options removed.

Modules reorganised into feature-based folders — core/, features/, ui/, extensions/, __tests__/.

Migrated from pnpm to bun — all scripts, documentation, and lockfile updated.

🔧 Fixed

express-rate-limit downgraded to 7.5.0 to resolve Azure Functions compatibility.

vi.mock paths corrected in suggestion.test.js after module reorganisation.

Post-commit hook updated to push to both origin and azdevops remotes.

🏗 CI / Infrastructure

Azure SWA — API decoupled as standalone bun project; Oryx build bypassed; .npmrc added; workspaces configuration added.

Weekly Dependabot PR review workflow added.

ajv pinned to ^8 to fix office-addin-manifest validate breakage.

🧪 Tests

Startup welcome UI test suite added.

Rate limiter IP spoofing reproduction and verification test added.

All 744 tests passing across 28 suites.

2026-04-04 v1.1.0

Attachments, Context Menus & Security

Email attachments support, rich image and link context-menu editing in the TipTap editor, Gitleaks secret scanning in CI, tenant ID security hardening in the token exchange API, and a series of bug fixes for email field persistence and issue reporting.

✦ Added

Email attachments — file validation, base64 encoding, attachment UI, size formatting, and attachment state management. Files attach to outgoing Graph API payloads.

Right-click context menus on images and links inside the TipTap editor — edit image URL/alt text or update link text/href without leaving the composer.

Gitleaks secret scanning in CI (.github/workflows/gitleaks.yml) and pre-commit hook integration for local scanning.

🔒 Security

Tenant ID validation in token exchange — JWT tenant extracted and validated against the token exchange URL, preventing cross-tenant token abuse.

🔧 Fixed

Multiple email chips now retained on template reload — emailConfig columns stored as full arrays instead of single values.

Email field saved after column mapping drop — debouncedSaveTemplate called after drop.

Issue report modal — fixed wrong default tab, state not clearing between opens, and incomplete email payload.

Known issues comment fetching CI failure fixed; GitHub issue/comment fetching optimised.

Failed Emails count in send-summary now uses monospace font — 0 visually distinct from O.

⚡ Performance

data-detection.js — regex constants hoisted out of per-row loop, eliminating repeated recompilation at scale.

2026-03-22 v1.0.0

Auto-save, Co-authoring & Issue Reporting

Template auto-save to workbook, co-authoring warning banner, help tab redesign with a new Collaboration section, diagnostic info in issue reports, and a new Known Issues tab to reduce duplicate reporting.

✦ Added

Template auto-save to Office.Settings — subject, body, sender config, and table builder state survive workbook close/reopen. Subtle ✓ Saved indicator fades in after each save.

Co-authoring warning banner — detects SharePoint / OneDrive URLs and shows a dismissible banner explaining Last-Write-Wins behaviour.

Startup welcome modal — shown on first session, dismissible via button, Escape key, or overlay click.

Help tabs redesigned — emoji icon above text label; new Collaboration tab (👥) added.

Issue report — diagnostic info preview before submission, JSON fallback view with copy button on failure, and optional email-for-updates consent.

Issue report — Known Issues tab fetches open issues from the backend API to reduce duplicate submissions. Visual type cards replace radio buttons.

⚙ Changed

Field mapper restore now prefers workbook settings over localStorage — mappings persist when reopening the workbook on any device.

Table switch clears column mappings referencing columns not present in the new table.

template.js — updateLivePreview keeps appState.template.subject in sync on every input event.