- ➕ Added `.codegraph/config.json` for file inclusion/exclusion in analytics.
- ⬆️ Bumped versions of `guzzlehttp`, `laravel/framework`, `laravel/horizon`, `shiki`, `nostr-tools`, and other dependencies in `composer.lock` and `yarn.lock`.
- 🖼️ Enhanced file upload validation and preview support by including `.avif` MIME type in `livewire` components and configuration.
- ✅ Added tests to ensure `.avif` is supported across file upload forms.
- Trust the Forge reverse proxy and force https URLs in production so
generated absolute URLs match the actual TLS termination.
- Reject Nostr profile photo URLs that aren't http(s) or that resolve to
loopback / private (RFC1918) addresses to close an SSRF vector in
FetchNostrProfileJob.
- Tighten image upload validation across meetup, course, and lecturer
create/edit components: explicit mimes whitelist (jpeg, png, webp),
max 5 MiB, and dimension cap of 4000x4000.
- Replace the silent "skip if exists" branch in LnurlAuthController with
updateOrCreate so concurrent callers cannot race on the k1 record.
- Validate github_data on Meetup edit, decoding the JSON, and keep only
the whitelisted keys (top, left, state) with strict type coercion to
prevent storing arbitrary attacker-controlled JSON.
- **Removed:** `docker-compose.yml`, Sail-specific Dockerfiles, and related scripts for PHP 8.3 setup.
- **Updated:** Documentation to reflect a shift from Docker to a direct PHP-based local development workflow.
- **Removed:** `laravel/sail` dependency from `composer.lock`.
- **Implemented:** `#[Locked]` Livewire attribute across components for read-only properties.
- **Added:** Feature tests to ensure locked properties cannot be tampered with.
- Added `#[SeoDataAttribute]` annotations to Livewire components for SEO management.
- Extended translations in English, Spanish, and German for better localization support.
HolgerHatGarKeineNode