Skip to content

v1.3.1: scorecard polish + hide PNG link for SVG-only diagram types#30

Merged
gregzuro merged 1 commit into
masterfrom
scorecard-v1.3.1
May 14, 2026
Merged

v1.3.1: scorecard polish + hide PNG link for SVG-only diagram types#30
gregzuro merged 1 commit into
masterfrom
scorecard-v1.3.1

Conversation

@gregzuro
Copy link
Copy Markdown
Owner

@gregzuro gregzuro commented May 14, 2026

Clears the items flagged on community.obsidian.md/plugins/obsidian-kroki and fixes the broken PNG action link for diagram types whose Kroki server doesn't generate PNG.

Source

  • main.ts: documentactiveDocument in the renderer and settings link helper (popout-window compatibility).
  • main.ts: drop the General settings heading per Obsidian's style guide.
  • main.ts: settings-textarea handler no longer hands addEventListener a Promise<void>.
  • styles.css: #fff#ffffff.
  • manifest.json: trailing period on the description.

PNG action link

The PNG action link is now hidden for diagram types whose Kroki /png/ endpoint isn't implemented: bpmn, bytefield, d2, dbml, excalidraw, nomnoml, pikchr, svgbob, symbolator, wavedrom. Verified against kroki.io's support matrix and by probing each endpoint live (SVG=200, PNG=400/404).

The Edit link now uses the SVG URL — niolesk just decodes the source out of the encoded fragment, so format doesn't matter to it, and SVG is valid for every diagram type.

README and RELEASE_NOTES.md call this out.

Build / supply chain

  • esbuild.config.mjs uses node:module's builtinModules instead of the builtin-modules dep, which is dropped from package.json.
  • pako pinned to 2.1.0 (was ^2.1.0).
  • package-lock.json is now committed; both workflows switched npm installnpm ci.
  • publish.yml gained id-token: write + attestations: write permissions and an actions/attest-build-provenance@v2 step covering main.js, manifest.json, styles.css. Release body comes from RELEASE_NOTES.md.

Hygiene

  • New CONTRIBUTING.md covering dev setup (nix develop or npm install), test-vault flow, and the release path.

Version

Bumped to 1.3.1 across manifest.json, package.json, versions.json.

Verification

  • npm run lint and npm run build both clean. grep -c builtin-modules main.js → 0.
  • Smoke-tested in a vault: settings tab no longer shows General, edits to per-type headers still persist, popout-window render path works.
  • PNG link only appears for types where it actually downloads (e.g. PlantUML, GraphViz, Mermaid) and is absent for the 10 SVG-only types listed above.

Out of scope

  • The three "scan not available" disclosures (malware, vulnerable deps, obfuscation) — should populate automatically on next release once the lockfile + attestation are in place.
  • The atob/btoa and vault.read disclosures — intentional (Kroki URL encoding and @from_file: include).

@gregzuro
v1.3.1: scorecard polish + hide PNG link for SVG-only diagram types
3b00e03 
Addresses the issues flagged on community.obsidian.md/plugins/obsidian-kroki:

Source
- main.ts: document → activeDocument for popout-window compatibility
  (renderer + settings linkFragment).
- main.ts: drop the 'General' settings heading per Obsidian style guide.
- main.ts: wrap async settings-textarea handler so addEventListener gets
  a void-returning callback.
- styles.css: #fff → #ffffff (6-digit hex).
- manifest.json: trailing period on description.

PNG action link
- main.ts: omit the PNG link for diagram types whose Kroki /png/ endpoint
  is unsupported (bpmn, bytefield, d2, dbml, excalidraw, nomnoml, pikchr,
  svgbob, symbolator, wavedrom — verified against kroki.io support
  matrix and probed live). Edit link now uses svgUrl, which is valid for
  every type. README and RELEASE_NOTES note this.

Build / supply chain
- esbuild.config.mjs: switch builtin-modules dep to node:module's
  builtinModules; drop the dep from package.json.
- package.json: pin pako 2.1.0 (was ^2.1.0).
- .gitignore: stop ignoring package-lock.json; commit the lockfile.
- .github/workflows/main.yml and publish.yml: npm install → npm ci.
- publish.yml: add id-token/attestations permissions and an
  actions/attest-build-provenance@v2 step for main.js, manifest.json,
  styles.css. Release notes pulled from RELEASE_NOTES.md.

Hygiene
- New CONTRIBUTING.md.

Version bump: 1.3.0 → 1.3.1 (manifest.json, package.json, versions.json).
@gregzuro gregzuro merged commit 23a9119 into master May 14, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gregzuro