Skip to content

Releases: SysAdminDoc/ScriptVault

ScriptVault v3.19.1

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 10 Jul 04:15

Premium workbench parity release: canonical navigation, deeper dashboard destinations, reliable settings autosave, recoverable editor fallback, polished compact surfaces, four-theme rendered evidence, and verified Chrome, Firefox, and Edge packages.

ScriptVault v3.19.0

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 09 Jul 21:56

Professional workbench redesign with a premium graphite-and-emerald dashboard, live vault metrics, contextual script inspection, unified popup/side-panel/install/DevTools surfaces, and browser-rendered visual regression coverage for all four themes.

v3.17.0

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 03 Jul 00:16

Trust enforcement, sync data-safety, and backup slimming.

Security

  • Subresource Integrity "Require" mode is now enforced — refuses to run any @require/@resource without a verifiable SRI hash; the install review flags every un-pinned dependency as "unverified remote code".
  • Scam / crypto-drain detector — flags wallet seed/private-key access, drainer keywords, and wallet transaction requests, with a high-severity "possible credential/wallet exfiltration" finding when a script harvests secrets and sends data off-page. Benign wallet-adjacent scripts aren't flagged.

Data safety

  • Cloud backup no longer clobbers the sync envelope (distinct object per provider) and encrypts under E2EE.
  • Easy Cloud sync received the merge fixes: restored-from-trash scripts survive, clean 3-way merges aren't discarded, correct 3-way base.
  • SettingsManager write-race fix — concurrent settings writes no longer drop a freshly refreshed OAuth token.

UX & storage

  • "Only on This Site" one-click scope in the popup + @match validation in the dashboard editor.
  • Backup blobs are gzip-compressed in IndexedDB (transparent, backward-compatible).

Full detail in CHANGELOG.md. Remaining roadmap items (on-device AI, optional host permissions, GM.fetch streaming, per-script cookie jars, git/local-folder sync) are larger bets deferred to dedicated sessions.

v3.16.0

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 02 Jul 22:57

Deep engineering + product-quality audit pass.

Security

  • GM networking bound to the authenticated caller. GM_xmlhttpRequest / GM_webSocket / GM_download, GM_getResourceText/URL, GM_loadScript, and menu register/unregister used the caller-supplied script id, letting one userscript borrow another's @connect allowlist or read its @resource bodies. All now use Chrome's unspoofable sender.userScriptId.
  • Attribute-injection XSS in the dependency graph and other panels (quote-unescaping escapers) fixed.

Data safety

  • Cloud sync no longer permanently re-deletes restored-from-trash scripts (the tombstone-resurrection guard was dead code).
  • Trash restore persists the script before emptying the trash entry (no loss on a service-worker crash).
  • Backup restore no longer wipes per-script settings (match rules, notes, tags, pin) of installed scripts.

Correctness

  • Chrome no longer misdetected as Firefox — restores per-script world isolation on Chrome 133+ and the correct setup instructions.
  • Editor no longer swallows the first keystroke after a tab switch; cursor Ln/Col updates instead of freezing.
  • New Script / Duplicate / New Folder report failures instead of silently doing nothing.
  • Storage meter measures real usage; Find Scripts pagination works again.

Full detail in CHANGELOG.md; ~13 additional verified findings are tracked in ROADMAP.md.

v3.15.1

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 02 Jul 21:52

Fixed

  • Editor screen was unusable in v3.15.0. The full-screen editor overlay stacked below the sticky dashboard header, which painted over the Save/Close row and panel tabs — nothing in the top band was visible or clickable. The overlay now stacks above all page chrome (and below modals).
  • Hidden editor buttons actually hide. Preview CSS no longer shows for JS scripts; file-binding buttons only appear when relevant.

Changed

  • Editor nav redesigned into one band: panel tabs (Code/Settings/Externals/Storage/Info) on the left, icon-only tools with tooltips on the right. Editor chrome is two slim rows; the code pane takes ~91% of the viewport at 1440x900.
  • Save button is accented and fills while there are unsaved changes.

Internal

  • New npm run smoke:editor harness drives the real editor in headless Chromium and hit-tests every control, so layering regressions fail loudly.

v3.15.0

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 02 Jul 21:33

Removed

  • Script Store tab removed entirely. The eagerly-loaded multi-source discovery tab (~2,100 lines) is gone; script discovery lives in the lighter Find Scripts dialog (toolbar, popup, side panel), Collections, and Gist import.

Changed

  • Full-screen script editor. The editor now covers the entire viewport with a slim single-row header and tightened tab/toolbar rows — the code pane gains roughly 150-200px of vertical space.
  • New Script opens the editor directly. The template-picker modal is removed; starters remain in the editor template manager.

Fixed

  • Storage quota bar uses the real quota (unlimitedStorage-aware via navigator.storage.estimate) — no more false "Storage at 100% capacity" warnings.
  • Doubled navigation labels ("SettingsSettings", "Installed UserscriptsInstalled Userscripts") from a duplicate i18n pass.
  • Theme switches no longer show a success toast.
  • Stray empty pill in the header when no script editors are open.
  • RTL direction bootstrap actually runs — the inline script MV3 CSP always blocked is now an external file; extension pages load console-clean.

ScriptVault v3.11.0

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 24 May 13:06

ScriptVault v3.11.0

Chrome MV3 release for the Phase 38 parity wave and storage/persistence rollback hardening.

Highlights:

  • GM_addElement null-on-failure compatibility.
  • Regex dashboard search and update-click confirmation guard.
  • Popup context-menu script launchers and Navigation API window.onurlchange support.
  • GM_info script tag alias and storage rollback regression coverage.
  • minimum_chrome_version raised to Chrome 130.

Firefox remains tracked separately until the Firefox MV3/AMO validation gate is complete.

ScriptVault v2.3.4

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 29 Apr 01:06

ScriptVault v2.3.4

Two CSP-blocked inline <script> blocks were silently breaking the dashboard's view-settings toolbar (zoom + density) and the DevTools panel registration. Also relocates the self-distribution signing keys out of the repo root so Chrome's "Load unpacked" stops warning about bundled key files.

Now live on the Chrome Web Store.

Install (Brave / Chrome / Edge — recommended)

Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. Use Load unpacked instead:

  1. Download ScriptVault-v2.3.4.zip and extract it to a permanent folder (e.g. ~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup.
  2. Open brave://extensions (or chrome://extensions, edge://extensions).
  3. Toggle Developer mode on (top-right).
  4. Click Load unpacked and select the extracted folder.

The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.

Changes

  • Fixed: Two inline <script> blocks violated the extension_pages CSP (script-src 'self'). pages/dashboard.html had a 75-line view-settings controller (zoom + density) and pages/devtools.html had a 9-line panel registration call — both blocked at load time, leaving the dashboard's zoom/density toolbar inert and the DevTools panel un-registered. Extracted to pages/dashboard-viewsettings.js and pages/devtools.js. The remaining inline script in pages/editor-sandbox.html is the Monaco bootstrap and is allowed by the sandbox CSP ('unsafe-inline').
  • Chore: Moved self-distribution signing keys (scriptvault.pem, scriptvault-selfhost.pem) out of the repo root to ~/.scriptvault-keys/. Chrome's "Load unpacked" warned This extension includes the key file ... You probably don't want to do that because anything inside the extension dir gets bundled at build/install time. pack-crx.mjs already takes the key path as a positional CLI arg, so callers just pass ~/.scriptvault-keys/scriptvault-selfhost.pem now. Both keys remain gitignored.

Includes the v2.3.2 service-worker syntax fix and the v2.3.3 self-healing "Allow User Scripts" warning, both of which shipped without GitHub releases.

ScriptVault v2.3.1

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 25 Apr 17:31

ScriptVault v2.3.1

Fixes a broken v2.3.0 — extensions failed to load with Could not load icon 'icons/16.png' specified in 'icons' because the manifest referenced a directory that was deleted during v2.3.0's branding cleanup. Also fixes a separate ZIP-format issue: the v2.3.0 ZIP used Windows-style backslash entry names (images\icon128.png) which Chrome cannot match against manifest paths regardless of file presence.

Install (Brave / Chrome / Edge — recommended)

Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. Use Load unpacked instead:

  1. Download ScriptVault-v2.3.1.zip and extract it to a permanent folder (e.g. ~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup.
  2. Open brave://extensions (or chrome://extensions, edge://extensions).
  3. Toggle Developer mode on (top-right).
  4. Click Load unpacked and select the extracted folder.

The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.

Changes

  • Fixed: manifest.json referenced icons/16.png / icons/32.png / icons/48.png / icons/128.png, but the icons/ directory was deleted in v2.3.0's branding cleanup. Repointed manifest, pages/popup.html, modules/public-api.js, modules/backup-scheduler.js, and the TypeScript mirror at src/modules/public-api.ts to the surviving images/icon{16,32,48,128}.png files. Firefox manifest was already correct.
  • Fixed: build.sh / publish.sh PowerShell Compress-Archive fallback wrote Windows-style backslash entries (images\icon128.png). Switched to bsdtar (C:\Windows\System32\tar.exe), which writes POSIX-style forward-slash entries that Chrome can match.

523/523 tests green.

ScriptVault v2.3.0

Choose a tag to compare

@SysAdminDoc SysAdminDoc released this 25 Apr 16:17

ScriptVault v2.3.0

Install (Brave / Chrome / Edge — recommended)

Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. The CRX in this release will hit CRX_REQUIRED_PROOF_MISSING in Brave and a similar block in Chrome/Edge. Use Load unpacked instead:

  1. Download ScriptVault-v2.3.0.zip and extract it to a permanent folder (e.g. ~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup.
  2. Open brave://extensions (or chrome://extensions, edge://extensions).
  3. Toggle Developer mode on (top-right).
  4. Click Load unpacked and select the extracted folder.

The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.

Highlights

  • Fixed: weekly-digest alarm never dispatched (unknown alarm names now route to NotificationSystem.handleAlarm())
  • Security: ScriptSigning.verifyScript() prototype-pollution guard via Object.hasOwn() — malicious publicKey strings like toString no longer auto-trust
  • Security: GM_addElement attrs path now drops on* event handlers and rejects javascript: / vbscript: URLs (matches the existing innerHTML path)
  • Reliability: ScriptValues set/delete/setAll/deleteMultiple now snapshot prior state and roll back the cache on persist failure
  • Reliability: ScriptStorage.clear() and FolderStorage.update() rollback on save failure
  • Memory: requireCache capped at 500 entries (LRU)
  • Accuracy: QuotaManager.getBreakdown() uses TextEncoder for true UTF-8 byte counts (was string.length)
  • Robustness: pages/install.js renderInstallUI() shows visible error instead of crashing on missing DOM
  • Robustness: pages/sidepanel.js chrome.runtime.sendMessage calls catch SW-wake errors

See CHANGELOG.md for the full list.