@networkpro/web 1.26.9 → 1.26.10

package/CHANGELOG.md

@@ -1,7 +1,7 @@
  <!-- =====================================================================
 CHANGELOG.md
 
-Copyright © 2025-2026-2026 Network Pro Strategies (Network Pro™)
+Copyright © 2025-2026 Network Pro Strategies (Network Pro™)
 SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
 This file is part of Network Pro.
 ====================================================================== -->
@@ -24,6 +24,43 @@ version increments reflecting both user-visible and operational impact.
 
 ---
 
+## [1.26.10] - 2026-02-21
+
+### Changed
+
+- Refactored PostHog store to centralize environment gating across `initPostHog()`, `capture()`, and `identify()` via a shared `shouldSkipAnalytics()` helper.
+- Cached environment detection results to avoid repeated evaluation and ensure consistent behavior across analytics APIs.
+- Reintroduced hostname-based audit detection (`audit.netwk.pro`) as a defense-in-depth fallback alongside environment-mode audit detection.
+- Removed unnecessary comments from `src/lib/stores/posthog.js` and `src/lib/pages/LicenseContent.svelte`.
+- Corrected `tests/unit/client/lib/utils/utm.test.js` to import `vi` variable before first use.
+- Updated generator metadata in `src/app.html` to reflect **SvelteKit 2.53.0**.
+- Bumped project version to `v1.26.10`.
+- Updated dependencies:
+  - `@sveltejs/adapter-netlify` `^6.0.0` → `^6.0.3`
+  - `@sveltejs/adapter-vercel` `^6.3.1` → `^6.3.2`
+  - `globby` `^16.1.0` → `^16.1.1`
+  - `@sveltejs/kit` `2.51.0` → `2.53.0`
+  - `eslint-plugin-jsdoc` `^62.5.4` → `^62.7.0`
+  - `jsdom` `28.0.0` → `28.1.0`
+  - `posthog-js` `^1.347.0` → `^1.352.0`
+  - `prettier-plugin-svelte` `^3.4.1` → `^3.5.0`
+  - `stylelint` `^17.2.0` → `^17.3.0`
+  - `svelte` `5.50.3` → `5.53.2`
+  - `svelte-check` `^4.3.6` → `^4.4.3`
+  - `markdownlint-cli2` `0.20.0` → `0.21.0`
+
+### Fixed
+
+- Prevented analytics gating logic from executing during SSR by adding an explicit `typeof window === 'undefined'` guard.
+- Improved test isolation by updating `\_resetPostHog()` to reset cached environment state and tracking-related stores.
+
+### Security
+
+- Pinned the `tar` package to `^7.5.9` in transitive dependencies, in order to address CVE-2026-26960.
+- Pinned transitive `minimatch` to `>=10.2.1` to address an `npm audit`-reported high-severity ReDoS/DoS issue in older minimatch versions.
+
+---
+
 ## [1.26.9] - 2026-02-12
 
 ### Changed
@@ -58,7 +95,7 @@ version increments reflecting both user-visible and operational impact.
   - `svelte` `5.49.1` → `5.50.0`
   - `@playwright/test` `^1.58.1` → `^1.58.2`
   - `@sveltejs/kit` `2.50.1` → `2.50.2`
-  - `eslint-plugin-doc` `^62.5.0` → `^62.5.3`
+  - `eslint-plugin-jsdoc` `^62.5.0` → `^62.5.3`
   - `jsdom` `27.4.0` → `28.0.0`
   - `playwright` `^1.58.1` → `^1.58.2`
   - `stylelint` `^17.1.0` → `^17.1.1`
@@ -2410,7 +2447,8 @@ This enables analytics filtering and CSP hardening for the audit environment.
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.26.9...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.26.10...HEAD
+[1.26.10]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.10
 [1.26.9]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.9
 [1.26.8]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.8
 [1.26.7]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.26.7

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.26.9",
+  "version": "1.26.10",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advocacy",
@@ -90,18 +90,18 @@
   },
   "dependencies": {
     "dompurify": "^3.3.1",
-    "posthog-js": "^1.347.0",
+    "posthog-js": "^1.352.0",
     "semver": "^7.7.4",
-    "svelte": "5.50.3"
+    "svelte": "5.53.2"
   },
   "devDependencies": {
     "@eslint/compat": "^2.0.2",
     "@eslint/js": "9.39.2",
     "@lhci/cli": "^0.15.1",
     "@playwright/test": "^1.58.2",
-    "@sveltejs/adapter-netlify": "^6.0.0",
-    "@sveltejs/adapter-vercel": "^6.3.1",
-    "@sveltejs/kit": "2.51.0",
+    "@sveltejs/adapter-netlify": "^6.0.3",
+    "@sveltejs/adapter-vercel": "^6.3.2",
+    "@sveltejs/kit": "2.53.0",
     "@sveltejs/vite-plugin-svelte": "^6.2.4",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/svelte": "^5.3.1",
@@ -110,25 +110,25 @@
     "browserslist": "^4.28.1",
     "eslint": "9.39.2",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-jsdoc": "^62.5.4",
+    "eslint-plugin-jsdoc": "^62.7.0",
     "eslint-plugin-svelte": "^3.15.0",
     "globals": "^17.3.0",
-    "globby": "^16.1.0",
-    "jsdom": "28.0.0",
+    "globby": "^16.1.1",
+    "jsdom": "28.1.0",
     "lightningcss": "^1.31.1",
     "markdownlint": "^0.40.0",
-    "markdownlint-cli2": "0.20.0",
+    "markdownlint-cli2": "0.21.0",
     "npm-run-all": "^4.1.5",
     "playwright": "^1.58.2",
     "postcss": "^8.5.6",
     "prettier": "3.8.1",
-    "prettier-plugin-svelte": "^3.4.1",
+    "prettier-plugin-svelte": "^3.5.0",
     "simple-git-hooks": "^2.13.1",
-    "stylelint": "^17.2.0",
+    "stylelint": "^17.3.0",
     "stylelint-config-html": "^1.1.0",
     "stylelint-config-recommended": "^18.0.0",
     "stylelint-order": "^7.0.1",
-    "svelte-check": "^4.3.6",
+    "svelte-check": "^4.4.3",
     "svelte-eslint-parser": "^1.4.1",
     "svelte-preprocess": "^6.0.3",
     "typescript": "^5.9.3",
@@ -143,8 +143,9 @@
     "glob": "^11.1.0",
     "js-yaml": "^4.1.1",
     "lodash": "^4.17.23",
+    "minimatch": ">=10.2.1",
     "qs": "^6.14.1",
-    "tar": "^7.5.7",
+    "tar": "^7.5.9",
     "tmp": "^0.2.4"
   }
 }

package/src/app.html

@@ -53,7 +53,7 @@
       content="bx4ham0zkpvzztzu213bhpt76m9siq" />
     <!-- cspell:enable -->
 
-    <meta name="generator" content="SvelteKit 2.50.2" />
+    <meta name="generator" content="SvelteKit 2.53.0" />
 
     <script src="/disableSw.js"></script>
 

package/src/lib/pages/LicenseContent.svelte

@@ -11,9 +11,6 @@ This file is part of Network Pro.
   import { ccSvg, bySvg } from '$lib';
   import { CONSTANTS } from '$lib';
 
-  // Log the base path to verify its value
-  //console.log("Base path:", base);
-
   const { COMPANY_INFO, CONTACT, PAGE, LINKS, NAV } = CONSTANTS;
 
   /**

package/src/lib/stores/posthog.js

@@ -9,7 +9,9 @@ This file is part of Network Pro.
 /**
  * @file posthog.js
  * @description Privacy-aware PostHog tracking store with reactive state and safe API surface.
+ * @author Scott Lopez
  * @module src/lib/stores
+ * @updated 2026-02-21
  */
 
 import {
@@ -37,6 +39,60 @@ let initialized = false;
 /** @type {import("posthog-js").PostHog | null} Loaded PostHog instance */
 let ph = null;
 
+/**
+ * Cache environment detection so capture/identify/init share the same policy
+ * without duplicating logic or repeatedly re-evaluating.
+ * @type {ReturnType<typeof detectEnvironment> | null}
+ */
+let _env = null;
+
+/** @type {RegExp} Audit hostname matcher (defense-in-depth) */
+const AUDIT_HOST_RE = /(^|\.)audit\.netwk\.pro$/i;
+
+/**
+ * Returns (and caches) the environment detection result so all callers
+ * share the same policy without recomputing.
+ *
+ * @returns {ReturnType<typeof detectEnvironment>}
+ */
+function getEnv() {
+  if (_env) return _env;
+  _env = detectEnvironment();
+  return _env;
+}
+
+/**
+ * Determines whether this build/runtime is a Codex environment.
+ *
+ * @returns {boolean}
+ */
+function isCodexEnvironment() {
+  return (
+    import.meta.env.PUBLIC_CODEX === 'true' || import.meta.env.CODEX === 'true'
+  );
+}
+
+/**
+ * Central analytics gate:
+ * - Skip entirely in Codex
+ * - Skip in audit context (mode or audit hostname)
+ * - Skip in debug context (dev/test)
+ * - Skip during SSR
+ *
+ * @returns {boolean} True if analytics should be skipped in the current runtime.
+ */
+function shouldSkipAnalytics() {
+  // Explicit SSR guard: never attempt analytics server-side
+  if (typeof window === 'undefined') return true;
+
+  const { isAudit, isDebug } = getEnv();
+  const host = window.location?.hostname || '';
+  const isAuditHost = AUDIT_HOST_RE.test(host);
+  const effectiveAudit = isAudit || isAuditHost;
+
+  return isCodexEnvironment() || effectiveAudit || isDebug;
+}
+
 /**
  * Initializes the PostHog analytics client if tracking is permitted.
  * Uses dynamic import to avoid SSR failures.
@@ -46,21 +102,16 @@ let ph = null;
 export async function initPostHog() {
   if (initialized || typeof window === 'undefined') return;
 
-  const { isAudit, isDebug, isDev, isTest, mode, effective } =
-    detectEnvironment();
-
-  const isCodex =
-    import.meta.env.PUBLIC_CODEX === 'true' || import.meta.env.CODEX === 'true';
+  const { isAudit, isDebug, isDev, isTest, mode, effective } = getEnv();
 
   // 🤖 Skip analytics entirely in Codex environments
-  if (isCodex) {
+  if (isCodexEnvironment()) {
     console.info('[PostHog] Skipping analytics (Codex environment).');
     return;
   }
 
-  // 🌐 Hybrid hostname + environment guard
   const host = window.location.hostname;
-  const isAuditHost = /(^|\.)audit\.netwk\.pro$/i.test(host);
+  const isAuditHost = AUDIT_HOST_RE.test(host);
   const effectiveAudit = isAudit || isAuditHost;
 
   // 🧭 Log environment context before any conditional logic
@@ -69,6 +120,8 @@ export async function initPostHog() {
       buildMode: mode,
       effectiveMode: effective,
       host,
+      isAudit,
+      isAuditHost,
       effectiveAudit,
       isDev,
       isTest,
@@ -107,7 +160,6 @@ export async function initPostHog() {
 
     // ✅ Load public key from env
     const key = import.meta.env.PUBLIC_POSTHOG_PROJECT_KEY;
-    //console.log('✅ Key in runtime:', key);
 
     if (!key) {
       console.warn('[PostHog] ⚠️ PUBLIC_POSTHOG_PROJECT_KEY is not set.');
@@ -145,8 +197,7 @@ export async function initPostHog() {
  * @param {Record<string, any>} [properties={}] - Optional event properties
  */
 export function capture(event, properties = {}) {
-  const isDev = import.meta.env.MODE === 'development';
-  if (isDev || ph === null || !get(trackingEnabled)) return;
+  if (shouldSkipAnalytics() || ph === null || !get(trackingEnabled)) return;
 
   try {
     ph.capture(event, properties);
@@ -161,8 +212,7 @@ export function capture(event, properties = {}) {
  * @param {Record<string, any>} [properties={}] - Optional user traits
  */
 export function identify(id, properties = {}) {
-  const isDev = import.meta.env.MODE === 'development';
-  if (isDev || ph === null || !get(trackingEnabled)) return;
+  if (shouldSkipAnalytics() || ph === null || !get(trackingEnabled)) return;
 
   try {
     ph.identify(id, properties);
@@ -184,4 +234,9 @@ export function _resetPostHog() {
 
   initialized = false;
   ph = null;
+  _env = null;
+
+  // Reset stores for clean test isolation
+  trackingEnabled.set(false);
+  showReminder.set(false);
 }

package/tests/unit/client/lib/utils/utm.test.js

@@ -14,16 +14,15 @@ This file is part of Network Pro.
  * @updated 2026-01-15
  */
 
+import { writable } from 'svelte/store';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
 // Mock SvelteKit environment and store
 vi.mock('$app/environment', () => ({ browser: true }));
 
-import { writable } from 'svelte/store';
-
 vi.mock('$app/stores', () => {
   const mockPageStore = writable({
-    url: {
-      pathname: '/contact',
-    },
+    url: { pathname: '/contact' },
   });
 
   return {
@@ -33,16 +32,14 @@ vi.mock('$app/stores', () => {
   };
 });
 
+// Import *after* mocks
 import { appendUTM } from '$lib/utils/utm.js';
-import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
 describe('appendUTM', () => {
   const originalWindow = globalThis.window;
 
   beforeEach(() => {
-    globalThis.window = {
-      location: { search: '' },
-    };
+    globalThis.window = { location: { search: '' } };
   });
 
   afterEach(() => {