Releases: SysAdminDoc/ScriptVault
Release list
ScriptVault v3.19.1
Premium workbench parity release: canonical navigation, deeper dashboard destinations, reliable settings autosave, recoverable editor fallback, polished compact surfaces, four-theme rendered evidence, and verified Chrome, Firefox, and Edge packages.
ScriptVault v3.19.0
Professional workbench redesign with a premium graphite-and-emerald dashboard, live vault metrics, contextual script inspection, unified popup/side-panel/install/DevTools surfaces, and browser-rendered visual regression coverage for all four themes.
v3.17.0
Trust enforcement, sync data-safety, and backup slimming.
Security
- Subresource Integrity "Require" mode is now enforced — refuses to run any @require/@resource without a verifiable SRI hash; the install review flags every un-pinned dependency as "unverified remote code".
- Scam / crypto-drain detector — flags wallet seed/private-key access, drainer keywords, and wallet transaction requests, with a high-severity "possible credential/wallet exfiltration" finding when a script harvests secrets and sends data off-page. Benign wallet-adjacent scripts aren't flagged.
Data safety
- Cloud backup no longer clobbers the sync envelope (distinct object per provider) and encrypts under E2EE.
- Easy Cloud sync received the merge fixes: restored-from-trash scripts survive, clean 3-way merges aren't discarded, correct 3-way base.
- SettingsManager write-race fix — concurrent settings writes no longer drop a freshly refreshed OAuth token.
UX & storage
- "Only on This Site" one-click scope in the popup + @match validation in the dashboard editor.
- Backup blobs are gzip-compressed in IndexedDB (transparent, backward-compatible).
Full detail in CHANGELOG.md. Remaining roadmap items (on-device AI, optional host permissions, GM.fetch streaming, per-script cookie jars, git/local-folder sync) are larger bets deferred to dedicated sessions.
v3.16.0
Deep engineering + product-quality audit pass.
Security
- GM networking bound to the authenticated caller. GM_xmlhttpRequest / GM_webSocket / GM_download, GM_getResourceText/URL, GM_loadScript, and menu register/unregister used the caller-supplied script id, letting one userscript borrow another's @connect allowlist or read its @resource bodies. All now use Chrome's unspoofable sender.userScriptId.
- Attribute-injection XSS in the dependency graph and other panels (quote-unescaping escapers) fixed.
Data safety
- Cloud sync no longer permanently re-deletes restored-from-trash scripts (the tombstone-resurrection guard was dead code).
- Trash restore persists the script before emptying the trash entry (no loss on a service-worker crash).
- Backup restore no longer wipes per-script settings (match rules, notes, tags, pin) of installed scripts.
Correctness
- Chrome no longer misdetected as Firefox — restores per-script world isolation on Chrome 133+ and the correct setup instructions.
- Editor no longer swallows the first keystroke after a tab switch; cursor Ln/Col updates instead of freezing.
- New Script / Duplicate / New Folder report failures instead of silently doing nothing.
- Storage meter measures real usage; Find Scripts pagination works again.
Full detail in CHANGELOG.md; ~13 additional verified findings are tracked in ROADMAP.md.
v3.15.1
Fixed
- Editor screen was unusable in v3.15.0. The full-screen editor overlay stacked below the sticky dashboard header, which painted over the Save/Close row and panel tabs — nothing in the top band was visible or clickable. The overlay now stacks above all page chrome (and below modals).
- Hidden editor buttons actually hide. Preview CSS no longer shows for JS scripts; file-binding buttons only appear when relevant.
Changed
- Editor nav redesigned into one band: panel tabs (Code/Settings/Externals/Storage/Info) on the left, icon-only tools with tooltips on the right. Editor chrome is two slim rows; the code pane takes ~91% of the viewport at 1440x900.
- Save button is accented and fills while there are unsaved changes.
Internal
- New
npm run smoke:editorharness drives the real editor in headless Chromium and hit-tests every control, so layering regressions fail loudly.
v3.15.0
Removed
- Script Store tab removed entirely. The eagerly-loaded multi-source discovery tab (~2,100 lines) is gone; script discovery lives in the lighter Find Scripts dialog (toolbar, popup, side panel), Collections, and Gist import.
Changed
- Full-screen script editor. The editor now covers the entire viewport with a slim single-row header and tightened tab/toolbar rows — the code pane gains roughly 150-200px of vertical space.
- New Script opens the editor directly. The template-picker modal is removed; starters remain in the editor template manager.
Fixed
- Storage quota bar uses the real quota (unlimitedStorage-aware via navigator.storage.estimate) — no more false "Storage at 100% capacity" warnings.
- Doubled navigation labels ("SettingsSettings", "Installed UserscriptsInstalled Userscripts") from a duplicate i18n pass.
- Theme switches no longer show a success toast.
- Stray empty pill in the header when no script editors are open.
- RTL direction bootstrap actually runs — the inline script MV3 CSP always blocked is now an external file; extension pages load console-clean.
ScriptVault v3.11.0
ScriptVault v3.11.0
Chrome MV3 release for the Phase 38 parity wave and storage/persistence rollback hardening.
Highlights:
- GM_addElement null-on-failure compatibility.
- Regex dashboard search and update-click confirmation guard.
- Popup context-menu script launchers and Navigation API window.onurlchange support.
- GM_info script tag alias and storage rollback regression coverage.
- minimum_chrome_version raised to Chrome 130.
Firefox remains tracked separately until the Firefox MV3/AMO validation gate is complete.
ScriptVault v2.3.4
ScriptVault v2.3.4
Two CSP-blocked inline <script> blocks were silently breaking the dashboard's view-settings toolbar (zoom + density) and the DevTools panel registration. Also relocates the self-distribution signing keys out of the repo root so Chrome's "Load unpacked" stops warning about bundled key files.
Now live on the Chrome Web Store.
Install (Brave / Chrome / Edge — recommended)
Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. Use Load unpacked instead:
- Download
ScriptVault-v2.3.4.zipand extract it to a permanent folder (e.g.~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup. - Open
brave://extensions(orchrome://extensions,edge://extensions). - Toggle Developer mode on (top-right).
- Click Load unpacked and select the extracted folder.
The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.
Changes
- Fixed: Two inline
<script>blocks violated theextension_pagesCSP (script-src 'self').pages/dashboard.htmlhad a 75-line view-settings controller (zoom + density) andpages/devtools.htmlhad a 9-line panel registration call — both blocked at load time, leaving the dashboard's zoom/density toolbar inert and the DevTools panel un-registered. Extracted topages/dashboard-viewsettings.jsandpages/devtools.js. The remaining inline script inpages/editor-sandbox.htmlis the Monaco bootstrap and is allowed by the sandbox CSP ('unsafe-inline'). - Chore: Moved self-distribution signing keys (
scriptvault.pem,scriptvault-selfhost.pem) out of the repo root to~/.scriptvault-keys/. Chrome's "Load unpacked" warnedThis extension includes the key file ... You probably don't want to do thatbecause anything inside the extension dir gets bundled at build/install time.pack-crx.mjsalready takes the key path as a positional CLI arg, so callers just pass~/.scriptvault-keys/scriptvault-selfhost.pemnow. Both keys remain gitignored.
Includes the v2.3.2 service-worker syntax fix and the v2.3.3 self-healing "Allow User Scripts" warning, both of which shipped without GitHub releases.
ScriptVault v2.3.1
ScriptVault v2.3.1
Fixes a broken v2.3.0 — extensions failed to load with Could not load icon 'icons/16.png' specified in 'icons' because the manifest referenced a directory that was deleted during v2.3.0's branding cleanup. Also fixes a separate ZIP-format issue: the v2.3.0 ZIP used Windows-style backslash entry names (images\icon128.png) which Chrome cannot match against manifest paths regardless of file presence.
Install (Brave / Chrome / Edge — recommended)
Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. Use Load unpacked instead:
- Download
ScriptVault-v2.3.1.zipand extract it to a permanent folder (e.g.~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup. - Open
brave://extensions(orchrome://extensions,edge://extensions). - Toggle Developer mode on (top-right).
- Click Load unpacked and select the extracted folder.
The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.
Changes
- Fixed:
manifest.jsonreferencedicons/16.png/icons/32.png/icons/48.png/icons/128.png, but theicons/directory was deleted in v2.3.0's branding cleanup. Repointed manifest,pages/popup.html,modules/public-api.js,modules/backup-scheduler.js, and the TypeScript mirror atsrc/modules/public-api.tsto the survivingimages/icon{16,32,48,128}.pngfiles. Firefox manifest was already correct. - Fixed:
build.sh/publish.shPowerShellCompress-Archivefallback wrote Windows-style backslash entries (images\icon128.png). Switched tobsdtar(C:\Windows\System32\tar.exe), which writes POSIX-style forward-slash entries that Chrome can match.
523/523 tests green.
ScriptVault v2.3.0
ScriptVault v2.3.0
Install (Brave / Chrome / Edge — recommended)
Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. The CRX in this release will hit CRX_REQUIRED_PROOF_MISSING in Brave and a similar block in Chrome/Edge. Use Load unpacked instead:
- Download
ScriptVault-v2.3.0.zipand extract it to a permanent folder (e.g.~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup. - Open
brave://extensions(orchrome://extensions,edge://extensions). - Toggle Developer mode on (top-right).
- Click Load unpacked and select the extracted folder.
The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.
Highlights
- Fixed: weekly-digest alarm never dispatched (unknown alarm names now route to
NotificationSystem.handleAlarm()) - Security:
ScriptSigning.verifyScript()prototype-pollution guard viaObject.hasOwn()— maliciouspublicKeystrings liketoStringno longer auto-trust - Security:
GM_addElementattrspath now dropson*event handlers and rejectsjavascript:/vbscript:URLs (matches the existinginnerHTMLpath) - Reliability:
ScriptValuesset/delete/setAll/deleteMultiple now snapshot prior state and roll back the cache on persist failure - Reliability:
ScriptStorage.clear()andFolderStorage.update()rollback on save failure - Memory:
requireCachecapped at 500 entries (LRU) - Accuracy:
QuotaManager.getBreakdown()usesTextEncoderfor true UTF-8 byte counts (wasstring.length) - Robustness:
pages/install.jsrenderInstallUI()shows visible error instead of crashing on missing DOM - Robustness:
pages/sidepanel.jschrome.runtime.sendMessagecalls catch SW-wake errors
See CHANGELOG.md for the full list.