Changelog

Follow the evolution of VitaPulse — new features, improvements and fixes.

v2.23.32026-03-22

Fixed **package.json** — suppression de la virgule traînante après le script `scan` (causait un `EJSONPARSE` au `npm ci`)

v2.23.22026-03-22

Changed **Sitemap dynamique** — suppression du cron quotidien `generateSitemap.js` et du fichier statique `public/sitemap.xml`. Le sitemap est désormais servi dynamiquement via une route Express `/sitemap.xml` avec cache in-memory (TTL 1h)

v2.23.12026-03-17

Fixed **Emails discussions** — correction de l'URL de fallback dans les templates email de discussion : `vitapulse.io` → `vitapulse.e-xode.net` (5 langues)
Changed **Lighthouse 12 → 13** — mise à jour majeure du moteur d'audit. 27 audits individuels supprimés (consolidés dans les 17 insights). Diagnostics réduits de 33 à 13 IDs. Fallback CLS elements vers `cls-culprits-insight`. `uses-http2` retiré des `skipAudits`. Scores a11y/SEO/BP ajustés (poids modifiés). Rétrocompatibilité totale avec les anciens scans
Changed **Vite 7 → 8** — migration vers Rolldown (bundler Rust). Option `api: 'modern-compiler'` retirée des options SCSS (seul mode supporté). Builds ~2x plus rapides
Changed **Vue Router 4 → 5** — mise à jour majeure sans breaking changes (merge de unplugin-vue-router dans le core)
Changed **@vitejs/plugin-vue 5 → 6** — alignement sur Vite 8
Changed **Dépendances mises à jour** — vue 3.5.18→3.5.30, vuetify 4.0.0→4.0.2, vue-i18n 11.1.11→11.3.0, pinia 3.0.3→3.0.4, dompurify 3.2.6→3.3.3, express 5.1.0→5.2.1, express-rate-limit 8.2.1→8.3.1, stripe 20.4.0→20.4.1, nodemailer 8.0.1→8.0.2, multer 2.0.3→2.1.1, sass-embedded 1.87.0→1.98.0
Changed **TipTap épinglé à 3.20.0** — overrides npm pour contourner le publish cassé de 3.20.3 (dist/ manquant)
Changed **Performance Insights — extraction enrichie** — `extractPerformanceInsights()` capture désormais la structure complète des insights Lighthouse : `headings`, `metricSavings`, `overallSavingsMs/Bytes`, `scoreDisplayMode`, `debugData`, `sortedBy`, `isEntityGrouped`, `subItems` imbriqués, et items sans troncature abusive (50 max pour tables, 30 pour listes)
Changed **Performance Insights — UI refondée** — `ScanInsightsSection.vue` remplacé par une interface riche avec recherche, filtre par métrique impactée (LCP/CLS/INP/TBT/FCP), tri par score ou par gains, chips metricSavings, badges overallSavings, et rendu adaptatif selon le type de données (table/list/checklist)
Changed **Performance Insights — PDF enrichi** — le PDF affiche désormais les metricSavings, warnings, et les tables de détails des insights (même rendu que les opportunités et diagnostics)
Changed **AuditDetailTable — subItems et nouveaux valueTypes** — support des sous-éléments expandables (clic pour déplier), et des types `source-location`, `code`, `numeric`
Changed **Lighthouse — capture `runtimeError`** — vérification de `lhr.runtimeError` après chaque appel à `lighthouse()` pour détecter les erreurs fatales (page non chargée, crash GPU, timeout DNS) et éviter les scans silencieusement marqués "completed" avec des scores null
Changed **Lighthouse — `effort` calculé depuis `guidanceLevel`** — le champ `effort` des opportunités est maintenant calculé depuis `audit.guidanceLevel` (1→high, 2→medium, 3→low) au lieu d'être hardcodé à `'medium'`
Changed **Lighthouse — `language` default cohérent** — le fallback de langue passe de `'fr'` hardcodé à `DEFAULT_LOCALE` (`'en'`) pour respecter la convention du projet
Changed **Lighthouse — desktop timeouts configurables** — `maxWaitForFcp` (15s) et `maxWaitForLoad` (35s) desktop sont maintenant dans `LIGHTHOUSE_CONFIG.timing` au lieu d'être hardcodés
Added **InsightChecklist** — nouveau composant pour afficher les insights de type checklist (document-latency, lcp-discovery) avec icônes de validation
Added **InsightListRenderer** — nouveau composant pour afficher les insights de type list (cls-culprits, forced-reflow, breakdowns, network-tree) avec rendu récursif
Added **Lighthouse — `audit.explanation`** — extraction et affichage du champ `explanation` de Lighthouse dans les opportunités, diagnostics, issues (a11y/SEO/BP/security), insights et le PDF de résultats. Ce champ fournit un texte contextuel expliquant pourquoi l'audit a échoué pour la page spécifique testée

v2.22.12026-03-14

Changed **GitHub Actions** — build workflow déclenché sur push/PR vers `main` (remplace `npm run lint`/`test:run` inexistants par `npm run build`), Docker build déclenché uniquement sur les tags de release (`v*`), CodeQL aligné sur la branche `main`

v2.22.02026-03-12

Security **Google reCAPTCHA v3** — intégration CAPTCHA invisible sur les 3 endpoints publics (signup, quick audit, contact). Vérification serveur du token avec score minimum 0.5. Désactivé en développement. Composable Vue `useCaptcha` partagé, helper serveur `verifyCaptcha` factorisé

v2.21.02026-03-12

Added **Statut de vérification utilisateur** — l'administration affiche si un utilisateur a validé son compte (code de sécurité vérifié au moins une fois) : chip vert/gris dans la liste et dans le détail utilisateur
Added **Suppression de compte utilisateur** — les administrateurs peuvent supprimer un compte utilisateur avec cascade complète (projets, scans, stats, discussions, messages, audits, associés, logs, sessions, avatar). Les comptes admin sont protégés contre la suppression
Security **Validation serveur signup** — ajout de la validation email (EMAIL_REGEX), password (≥ 8 caractères), et name (≥ 2 caractères) côté serveur dans l'endpoint d'inscription. Normalisation de l'email en lowercase et trim du name
Security **Validation serveur signin** — ajout de la validation email côté serveur dans l'endpoint de connexion
Security **Rate limit signup renforcé** — réduction du rate limit signup de 10 à 5 requêtes par 15 minutes
Security **Traduction des erreurs serveur** — les erreurs renvoyées par le serveur (signup, signin, forgot, reset) sont désormais traduites via i18n au lieu d'afficher les clés brutes

v2.20.02026-03-12

Added **Suivi conversions Google Ads** — événement GA4 `purchase` déclenché après un checkout réussi (Pro/Business) avec valeur de conversion, devise EUR et cycle de facturation. L'événement est automatiquement importé par Google Ads via `ads_conversion_PURCHASE_1`
Added **Validation URL** — vérification du format URL sur la page Quick Audit et la page d'accueil (protocole http/https, hostname valide avec au moins un point). Le bouton est désactivé tant que l'URL est invalide
Added **Validation email** — vérification du format email sur les pages de connexion et d'inscription. Utilise le regex partagé `EMAIL_REGEX` au lieu d'un regex inline moins strict
Fixed **Textes de validation en dur** — remplacement des messages de validation en français hardcodés (signup/signin) par des clés i18n traduites dans les 5 langues

v2.19.02026-03-08

Added **Langue italienne** — ajout de l'italien (it) comme 5ème langue supportée : traductions complètes (interface, vulnérabilités, emails), drapeau, imports dans tous les modules (main, email, googleWebhook, downloadPdf)
Fixed **Traductions allemandes incomplètes** — correction de 697 clés manquantes dans de.json (landing, admin, billing, project, cwv, caseStudies, pdf, et toutes les autres sections). Nettoyage des clés obsolètes et correction des types incompatibles (tableaux FAQ, takeaways, includes)
Fixed **Traductions italiennes incomplètes** — correction de 320 clés manquantes dans it.json. Nettoyage des clés obsolètes pour alignement parfait avec la structure anglaise de référence

v2.18.22026-03-08

Fixed **Appel parasite quick-audit/convert** — nettoyage du localStorage lorsque la conversion échoue, évitant un appel API inutile à chaque connexion

v2.18.12026-03-08

Changed **Limite scans Pro** — réduction de la limite de scans manuels du plan Pro de 50 à 30 par mois. Code et textes mis à jour dans les 4 langues (en/fr/es/de)
Fixed **Limite scans Business** — correction de la limite de scans manuels du plan Business (était `Infinity`, maintenant 100). Seul l'admin est illimité
Fixed **Reset mensuel du compteur de scans** — ajout d'un reset lazy du compteur `scansThisMonth` (le compteur n'était jamais remis à zéro, bloquant les utilisateurs définitivement après X scans)
Fixed **Affichage compteur scans** — le dashboard Billing affiche maintenant les scans du mois en cours (`scansThisMonth`) au lieu du total à vie
Fixed **Alignement textes/code limites scans** — correction des incohérences entre les textes (5/50/200) et les valeurs réelles dans le code (10/30/100) pour les 3 plans dans les 4 langues

v2.18.02026-03-08

Added **Langue allemande (DE)** — support complet de l'allemand comme 4ème langue : traductions UI (de.json), vulnérabilités (vulnerabilities/de.json), templates email (emails/de.js), drapeau SVG, intégration dans les imports (main.js, email.js, googleWebhook.js, downloadPdf.js)
Added **News multilingues dynamiques** — refonte de l'éditeur de news admin : EN toujours obligatoire, ajout de langues supplémentaires via bouton (+), onglets dynamiques par langue. Champ `languages` stocké sur chaque news. Recherche admin étendue à toutes les langues. Chips de langues affichées dans la liste admin
Changed **Rétention plan Free** — passage de 1 mois à 3 mois d'historique de scans (retentionDays 30 → 90). Textes pricing, FAQ et labels mis à jour dans les 4 langues

v2.17.12026-03-08

Changed **Page Free Audit enrichie** — ajout de 3 sections marketing sous le formulaire : highlights des fonctionnalités, aperçu du rapport PDF (screenshots case study), et CTA vers l'inscription

v2.17.02026-03-08

Added **Landing pages campagnes** — 3 pages dédiées pour Google Ads : `/agencies` (agences web, white label), `/developers` (développeurs, régressions), `/core-web-vitals` (métriques Google). Traduites en FR/EN/ES, intégrées au sitemap
Changed **Limites de plans** — rétention réduite : free 1 mois (était 6), pro 6 mois (était 12), business 1 an (était 3 ans). URLs par projet pro : 3 (était 5)
Changed **CheckoutView factorisé** — les features hardcodées en anglais sont remplacées par les traductions i18n de la page pricing

v2.16.22026-03-07

Added **ProjectBanner sur la page scan** — affichage du screenshot et de l'URL du projet dans les résultats de scan, avec lien cliquable vers la page du projet
Security **Codes de sécurité cryptographiques** — remplacement de `Math.random()` par `crypto.randomInt()` pour la génération des codes 2FA
Security **Comparaison timing-safe** — les vérifications de codes de sécurité utilisent désormais `crypto.timingSafeEqual` pour prévenir les attaques par timing
Security **Protection open redirect** — validation du paramètre `redirect` dans les pages d'authentification (signin, signup, verify-code)
Security **Invalidation des sessions** — les autres sessions sont détruites lors d'un changement de mot de passe ou d'email
Security **Fuite de stack trace** — les erreurs 500 n'exposent plus la stack trace en production
Security **Secret de cookie** — le secret de session est désormais obligatoire en production (plus de fallback en dur)
Security **CSP Helmet activé** — Content Security Policy configuré en production (script-src, style-src, frame-src, etc.)
Security **Sanitization v-html** — les descriptions Stack Packs sont désormais sanitizées via DOMPurify
Security **Webhook Stripe** — les messages d'erreur ne divulguent plus les détails Stripe internes
Security **Sanitization HTML durcie** — restriction de l'attribut `style` au tag `span` uniquement, regex de couleur stricte
Security **Rate limiting étendu** — ajout de limites sur change-password, change-email, verify-email-change
Security **Plages IPv6 privées complètes** — ajout des plages `fd00:`, `::ffff:` mapped pour bloquer les scans sur IPs privées
Fixed **Bug associates/invite.js** — correction d'un crash `ReferenceError` quand la variable `project` était utilisée avant sa déclaration

v2.16.12026-03-07

Fixed **SSR 404 systématique** — toutes les pages retournaient HTTP 404 quand JavaScript est désactivé (le slash initial de l'URL était supprimé avant résolution du routeur Vue)

v2.16.02026-03-07

Added **Page 404** — les URLs inexistantes affichent désormais une page 404 dédiée avec HTTP 404 au lieu de rediriger vers la homepage (amélioration SEO)
Added **Méta dynamiques pour les news** — les pages de détail des articles ont désormais un titre, description et image OG uniques générés côté SSR. Schema JSON-LD `NewsArticle` avec auteur et dates
Added **x-default dans le sitemap** — le générateur de sitemap inclut désormais le hreflang `x-default`
Changed **Optimisation fonts** — suppression du double chargement Google Fonts dans `index.html` (déjà chargé via `style.css`) et de la police IBM Plex Mono inutilisée
Changed **Remplacement de Plotly par Chart.js** — le graphique d'historique CWV utilise désormais Chart.js (tree-shaked) au lieu de `plotly.js-dist-min`, réduisant le bundle de ~4.6 MB à ~50 KB
Fixed **robots.txt** — correction du domaine du sitemap (pointait vers un domaine inexistant)
Fixed **Schema Pricing** — suppression du faux `AggregateRating` (données inventées)
Removed **`useMeta.js`** — composable jamais utilisé, supprimé (dead code)
Removed **`sitemap.xml` du dépôt Git** — fichier régénéré quotidiennement par cron, ne doit pas être versionné

v2.15.02026-03-07

Added **Suppression de projet** — les propriétaires peuvent supprimer un projet depuis la page Paramètres (zone de danger). La suppression cascade sur tous les scans, statistiques, discussions et messages associés. Les associés perdent automatiquement l'accès
Added **Navigation par clic sur les scores** — cliquer sur une carte de score (Performance, Accessibilité, SEO, Best Practices) redirige automatiquement vers l'onglet ou sous-onglet correspondant dans les résultats du scan
Fixed **Badge non lu des news** — les news sans commentaire restaient toujours marquées comme non lues même après consultation, car la discussion nécessaire au suivi de lecture n'était créée qu'au premier commentaire

v2.14.0

Added **Redirection post-auth vers le projet partagé** — lorsqu'un associé clique sur le lien d'un email de partage de projet, il est redirigé automatiquement vers la page du projet après connexion ou inscription (au lieu du dashboard)
Added **Liens documentation dans les résultats de scan** — les éléments de sécurité documentés (headers HTTP, audits Lighthouse, warnings TLS, versions logicielles) affichent une icône "doc" avec tooltip, cliquable pour ouvrir la page de documentation correspondante dans un nouvel onglet
Added **Badge non lu en cyan** — les badges de contenu non lu (news, discussions) utilisent la couleur primaire au lieu du rouge pour éviter la confusion avec les erreurs
Added **Annulation des invitations en attente** — les propriétaires de projet peuvent annuler les invitations en attente d'un associé via un bouton dans la section "Invitations en attente" des paramètres du projet
Added **Bannière projet partagée** — le titre, l'URL et le screenshot du projet sont affichés sur les pages Discussions et Paramètres via un composant `ProjectBanner` réutilisable
Added **Lien résultats complets** — lien "Consulter tous les résultats de l'audit" sous les scores dans la page projet
Changed **Logo email embarqué (CID)** — le logo VitaPulse dans les emails est désormais embarqué en pièce jointe CID au lieu d'être référencé par URL externe, garantissant son affichage dans Gmail, Outlook et tous les clients email
Changed **Avatar email embarqué (CID)** — l'avatar de l'utilisateur dans les emails d'invitation associé est embarqué en pièce jointe CID pour un affichage fiable dans tous les clients email
Changed **Menu header** — l'option "Administration" est déplacée juste avant "Déconnexion" (après le divider) au lieu d'être en première position
Changed **MongoDB connection** — encodage `encodeURIComponent()` du nom d'utilisateur et mot de passe dans l'URI de connexion pour gérer les caractères spéciaux
Changed **Traduction française** — remplacement de tous les termes "scan/scans" par "audit/audits" dans l'interface française
Changed **Harmonisation responsive** — remplacement de tous les breakpoints hardcodés (768px, 960px, 600px) par des mixins SCSS centralisés (`max-md`, `max-sm`, `max-lg`) basés sur les variables du design system. Harmonisation des 4 pages projet (overview, settings, discussions, discussion detail) : même background (`$gradient-light`), même padding, même breakpoint (`max-md`), même variable `$header-height`. Remplacement de `calc(100vh - 72px)` par `$header-height` dans 6 pages app

v2.13.32026-03-06

Fixed **Email partage projet** — l'email envoyé lors du partage d'un projet avec un associé déjà inscrit inclut désormais les scores de performance et les alertes de sécurité (headers manquants), comme c'était déjà le cas pour les invitations de nouveaux utilisateurs
Changed **Factorisation `getProjectScanData()`** — la logique d'extraction des scores et headers de sécurité pour les emails d'invitation est centralisée dans `dbHelpers.js` (utilisée par `invite.js` et `share.js`)

v2.13.22026-03-06

Changed **MongoDB indexes initialization** — `initializeCollections(db)` est désormais appelée au démarrage du serveur, garantissant la création des index sur toutes les collections (users, projects, scans, quickAudits)
Changed **Optimisation N+1 project list** — remplacement de 2N requêtes individuelles (find + count par projet) par 2 aggregations batch (`$group` + `$facet`), réduisant drastiquement la charge MongoDB sur le dashboard
Changed **Aggregation `$facet`** — les endpoints `GET /api/projects/:id/scans` et `GET /api/admin/projects/:id` combinent désormais data + count en une seule requête MongoDB au lieu de deux
Changed **Admin scans pagination** — l'endpoint `GET /api/admin/scans` est désormais paginé (50 résultats/page avec navigation) au lieu de charger 200 résultats d'un coup
Changed **Index compound scans** — ajout de l'index `{ projectId: 1, status: 1, createdAt: -1 }` pour optimiser les requêtes filtrées par statut
Fixed **MongoDB sort memory overflow** — ajout de `allowDiskUse()` sur les requêtes de listing scans pour éviter le crash `QueryExceededMemoryLimitNoDiskUseAllowed` sur les collections volumineuses

v2.13.12026-03-06

Changed **Sécurité : hashage des codes de vérification** — remplacement de l'encodage Base64 (réversible) par SHA-256 pour le stockage des codes de sécurité 2FA (`hashCode`/`verifyCode` dans `email.js`)
Changed **Sécurité : projection MongoDB sur `users`** — exclusion systématique des champs sensibles (`password`, `securityCode`, `securityCodeExpires`, `securityCodeAttempts`) via `findUserSafe()` dans 18 fichiers API (billing, projects, associates, scans)
Changed **Sécurité : sanitization formulaire de contact** — les champs `name`, `subject` et `message` sont désormais trimés et sanitizés via `sanitize-html` avant envoi
Changed **Extraction IP centralisée** — remplacement de 9 occurrences de `req.headers['x-forwarded-for']` manuelles par `getClientIp(req)` dans les endpoints commentaires, discussions et admin
Changed **Consolidation `escapeHtml`** — suppression des 2 implémentations dupliquées (entry-server.js, useMeta.js), import unique depuis `shared/utils.js`. Ajout de l'échappement des quotes simples (`'` → `'`)
Changed **Helpers backend factorisés** — `parseObjectId()`, `parsePagination()`, `findUserSafe()` dans `dbHelpers.js` ; pagination utilisée dans 4 endpoints (logs, discussions, news, scans)
Changed **Robustesse logging** — `logEvent()` loggue désormais les erreurs d'écriture MongoDB au lieu de les ignorer silencieusement
Changed **Robustesse router** — le catch vide dans `router.beforeEach` loggue désormais les erreurs de vérification auth

v2.13.02026-03-06

Added **Project discussions** — forum-style discussions for project associates. Owner and associates can create discussions, post messages, and track unread discussions. Accessible from the project overview via a "Discussions" button with unread badge.
Added **Unified discussion system** — news comments and project discussions now share the same data architecture (`discussions`, `discussionMessages`, `discussionReads` collections) and reusable `CommentThread` component
Added **Discussion email notifications** — configurable alerts for new discussions and new messages, with separate toggles in project settings (available for all plans)
Added **Admin discussions page** — manage all discussions (news and projects) from admin panel with filtering by type and deletion capabilities
Added **Rich text messages** — discussion messages and news comments now support rich text editing (TipTap) with full toolbar: bold, italic, underline, colors, headings, lists, blockquotes, code blocks, images, YouTube, links. Images uploaded to dedicated `public/uploads/discussions/` directory
Added **Server-side HTML sanitization** — all user-generated HTML content (discussions and news comments) is sanitized server-side via `sanitize-html` to prevent XSS attacks. Only safe tags, attributes, and YouTube iframes are allowed
Added **Client-side HTML sanitization** — DOMPurify applied to all `v-html` rendering (discussion messages, news article content, news comments)
Added **Source Serif 4 content font** — discussion messages, news articles, and rich text editor now use Source Serif 4 (serif) for content readability, creating a clear visual distinction between app UI (Inter) and user-generated content
Added **Page comments** — users can read and post comments on documentation pages (vulnerability details). Public read, authenticated write, comment count badges and unread indicators on the vulnerability list page. Admin panel updated with "Pages" filter for page-type discussions
Changed **News comments** — migrated from `newsComments`/`newsReads` to unified `discussions`/`discussionMessages`/`discussionReads` collections (breaking: existing news comments are lost, fresh start)
Changed **TiptapEditor** — moved from `components/admin/` to `components/common/` for reuse across discussions and news. Added `showRawMode` prop (raw HTML mode now admin-only)
Changed **Discussion & news UI redesign** — card-based message layout with left accent border, proper page backgrounds (gradient-light), white card containers for articles and comments, improved typography with content font, hover effects on messages, styled empty states and form areas
Fixed **News comment log events** — posting or editing a news comment now logs `news-comment-create` and `news-comment-edit` events (was missing)

v2.12.12026-03-03

Fixed **Associate sharing bug** — re-inviting an accepted associate on a new project incorrectly returned an "already associate" error instead of sharing the project
Fixed **Associate display per project** — associates tab in project settings now correctly filters by current project: shows only associates with access to this project, pending invitations for this project, and other associates without access
Fixed **Project settings centering** — page was not centered due to missing `container-narrow` class
Added **Associate empty states** — each section (project associates, pending invitations, other associates) now shows an explicit message when empty
Added **Signup email pre-fill** — associate invitation emails for new users include the email as query parameter, pre-filling the signup form

v2.12.02026-03-02

Added **User avatar system** — users can upload a profile picture (JPEG/PNG/WebP, 2MB max) from their account page. Avatar displayed in header menu, news comments, associate invite emails, and admin user pages
Added **News author display** — news articles show "Published by {name}" with author avatar below the title. Author is automatically tracked when creating news
Changed **Email templates** — added VitaPulse logo (icon-192.png) in email header above the brand name for better visual identity
Changed **Associate invite emails** — include the inviter's avatar and name in a styled card
Fixed **Security headers detection** — response headers were extracted from redirect responses (301/302) instead of the final response (200), causing security headers like `strict-transport-security` to be incorrectly reported as missing. Now uses `lhr.finalDisplayedUrl` for URL matching and filters only 2xx responses

v2.11.02026-03-01

Added **Google Analytics 4 integration** — GA4 tracking with SSR-compatible injection, SPA page view tracking on route changes, and custom events for key user actions (sign_up, login, quick_audit, project_create, scan_start, pdf_download, begin_checkout, contact form, share report). Configurable via `GA_MEASUREMENT_ID` environment variable
Added **Sitemap generator cron** — automated `public/sitemap.xml` generation with all static pages (11 routes × 3 locales with hreflang alternates) and dynamic news pages from database. Run via `npm run sitemap` or scheduled cron
Added **Public news list page** — new paginated `/news` page accessible without authentication, SEO-indexable with cover images, excerpts and pagination. News routes moved from `/app/news/` to `/news/` for better search engine visibility
Added **Dynamic news back link** — back button on news detail page dynamically adapts based on navigation history (returns to news list, dashboard or previous page)
Added **TipTap HTML raw mode** — toggle button in the editor toolbar to switch between WYSIWYG and raw HTML editing, allowing direct HTML paste
Added **Blog link in footer** — added Blog link in the Resources column of the footer
Changed **Optimized robots.txt for SEO** — locale-aware Disallow rules for all private routes (`/*/app/`, `/*/signup`, `/*/signin`, `/*/auth/`, `/*/checkout`, `/*/report/`), allowing proper crawling of public content pages (landing, pricing, docs, news, case studies, etc.)
Changed **Vue Router navigation guard** — migrated from deprecated `next()` callback to return-based API
Fixed **TipTap duplicate extensions warning** — disabled `link` and `underline` in StarterKit config since they are added separately with custom configuration
Fixed **News validation error messages** — admin news creation/update now returns specific missing field names instead of generic `error.validation`
Fixed **NewsDetailView comments crash** — restored missing `comments` ref declaration

v2.10.02026-03-01

Added **Email change with verification** — users can change their email address from the Account page via a secure 6-digit code sent to the new address (10 min expiry, 3 attempts max). Inline UI with two-step flow (enter new email → enter code)
Added **Enriched associate invitation emails** — invitation emails now include latest performance scores (4 categories with color-coded badges) and missing high/medium-severity security headers to incentivize recipients to sign up and view full reports
Added **Security alerts email helper** — new `renderSecurityAlerts()` shared helper in `emailLayout.js` for displaying missing security headers with severity badges
Added **Responsive container widths** — optimized Vuetify container max-widths for all breakpoints (92% at md, 1080px at lg, 1400px at xl, 1800px at xxl) with `.container-narrow` opt-out for form/centered pages
Added **`.form-narrow` utility class** — constrains form widths to 640px max, applied to ProjectSettingsView and ProjectNewView
Changed **Unified email templates** — all 7 email types now share a consistent branded layout via `emailLayout.js` (gradient header with VitaPulse/e-xode branding, navigation footer with links to Pricing, Docs, Contact, Terms, Privacy). Factored shared helpers (score colors, CWV formatting, CTA buttons, code boxes) to eliminate duplication across locale files.
Changed **Upgraded Vuetify from 3.x to 4.0.0** — full Material Design 3 migration
Changed Migrated all typography classes from MD2 to MD3 (text-h1→text-display-large, text-body-2→text-body-medium, text-caption→text-body-small, etc.)
Changed Migrated VRow grid props (`align` → CSS class, `dense` → `density="compact"`)
Changed Updated SCSS breakpoints to MD3 values (md: 840px, lg: 1145px, xl: 1545px, xxl: 2138px)
Changed Added `xxl` breakpoint mixin to SCSS design system
Changed Added CSS reset for headings/paragraphs to replace Vuetify 4's removed global reset
Changed Updated `vue` from 3.5.27 to 3.5.29
Changed Updated `playwright` from 1.58.1 to 1.58.2
Changed Updated `cors` from 2.8.5 to 2.8.6
Changed Updated `vue-router` from 4.6.4 to 5.0.3
Changed Updated `mongodb` from 6.21.0 to 7.1.0
Changed Updated `nodemailer` from 6.10.1 to 8.0.1
Changed Updated `stripe` from 14.25.0 to 20.4.0
Changed Updated `@stripe/stripe-js` from 3.5.0 to 8.8.0
Fixed **Email link colors** — fixed link colors being overridden by email clients (Gmail, Outlook) using `<span>` wrapper technique
Fixed **Pending associates visibility** — associates with pending status now appear in the project settings list instead of being hidden until they accept
Fixed **Node watch paths** — added `src/translate/emails/` to `--watch-path` list for email template hot-reload in development

v2.9.02026-02-28

Added Security vulnerabilities documentation page (`/docs/vulnerabilities`) with detailed guides for HTTP security headers, TLS/SSL, Lighthouse security audits, and software version exposure (26 vulnerabilities total)
Added Separate translation files for vulnerabilities (`src/translate/vulnerabilities/en.json`, `fr.json`)
Added Vulnerability detail view with route `/docs/vulnerabilities/:id` and breadcrumb navigation
Added Vulnerabilities listed in Docs page section #10 with severity chips and direct links
Added 4 vulnerability categories: HTTP Security Headers (10), TLS/SSL Certificate (5), Lighthouse Security Audits (7), Software Version Exposure (4)
Added Spanish language support (es.json, vulnerability translations, email templates, flag icon)
Added Centralized locale configuration (`SUPPORTED_LOCALES`, `LOCALE_CODES`, `getIntlLocale()`, `getOgLocale()` in `shared/const.js`) — adding a new language only requires updating the single source of truth
Added Changelog page now auto-generated from `CHANGELOG.md` — single source of truth, no duplication in translation files
Changed Redesigned header action elements (language switcher, account, sign in) with consistent pill-style buttons using shared SCSS mixin
Changed Language switcher now displays country flag emoji (🇬🇧/🇫🇷) with locale code, clearly interactive at rest
Changed CTA buttons (Dashboard, Start Free) use rounded pill style for visual consistency
Changed Mobile drawer language buttons also show flag emojis

v2.8.32026-02-28

Fixed PDF section order now matches app tab order: Security → Quality → Performance → Resources → Advanced (Global → Framework → Critical Chains → Scripts Treemap → Audit Timing → Passed)
Fixed Moved `runWarnings` from after CWV to Advanced/Global section in PDF
Fixed Moved `console` to first position in Advanced section in PDF
Fixed Added missing translation key `scan.details.showAll` (EN/FR)

v2.8.22026-02-28

Changed Moved Server Response Time block from Advanced > Global to Performance tab (displayed before Opportunities/Diagnostics)
Changed PDF report updated to match new Server Response Time placement

v2.8.12026-02-28

Added Advanced tab split into 6 sub-tabs: Global, Framework, Critical Chains, Scripts Treemap, Audit Timing, Passed
Added New components: `ScanStackPacksSection`, `ScanCriticalChainsSection`, `ScanScriptTreemapSection`, `ScanAuditTimingSection`
Changed Advanced > Global sub-tab: Console section displayed first, then Server Response Time, then remaining technical data
Changed Fixed console section scrollbar overflow (removed unnecessary max-height constraint)
Fixed Console section displaying unwanted horizontal/vertical scrollbars

v2.8.02026-02-28

Added HTTP response headers extraction from Lighthouse artifacts (`NetworkRecords`) during scans
Added Standalone Security tab in scan results with four sub-tabs: "TLS Certificate", "Response Headers", "Software Versions" and "Lighthouse Audits"
Added Security headers analysis: 10 critical headers checked (HSTS, CSP, X-Frame-Options, etc.) with present/missing status and risk severity levels (high/medium/low)
Added Full response headers table in Security > Headers sub-tab
Added TLS certificate analysis: protocol version, cipher suite, signature algorithm, issuer, expiration with warnings for weak/expired certificates
Added Software versions detection from HTTP headers (Server, X-Powered-By), HTML content (CMS, meta generator, frameworks) and TLS protocol
Added PDF report: security section now includes TLS certificate, response headers, software versions and Lighthouse security audits
Added Global CSS gap utilities (`.gap-1` to `.gap-16`) in design system — fixes all `gap-*` classes that were non-functional with Vuetify
Added Lighthouse scores sorted worst-to-best on scan details page and project overview page
Added Core Web Vitals sorted worst-to-best on scan details page and project overview page
Added Quick stats clickable: navigate to corresponding tab and sub-tab with smooth scroll
Added Passed audits click scrolls directly to Passed section anchor within Advanced tab
Changed Scan result tabs reordered: Security → Quality → Performance → Resources → Advanced
Changed Security tab is now the default selected tab on scan results
Changed Security issues moved from Quality tab sub-tab to standalone Security tab
Changed Scan results overview layout reorganized: environment chips before quick-stats, screenshot in 3rd column
Changed Loading timeline moved from overview to Resources tab (after stat-cards, before resources by type)
Changed Quality tab reduced from 4 sub-tabs to 3 (accessibility, SEO, best practices)

v2.7.12026-02-28

Changed Refactored project creation wizard: removed step 4 (scan progress), now redirects to project overview after creation where `ScanProgressCard` handles scan progress display
Changed Project creation wizard reduced from 4 steps to 3 steps (Info → Pages → Alerts → Launch)
Fixed Dashboard news section not displaying: `NewsSection` was reading `data.news` instead of `data.items` from API response
Fixed Scan results: overview section extracted from tabs and displayed permanently between CWV and tab navigation

v2.7.02026-02-28

Added Localized URLs: all routes now prefixed with locale (`/en/*`, `/fr/*`)
Added `useLocalePath` composable for locale-aware navigation
Added Automatic locale detection from browser on first visit
Added SEO: hreflang, canonical, og:locale, and Schema.org inLanguage in SSR
Added Locale switcher updates URL path in real-time
Added News system: CRUD backend with bilingual content (FR/EN), cover image upload, sticky/homepage banner flags
Added News comments with moderation: users can post, edit own comments; admin approval workflow with pending/approved/rejected status
Added Comment rate limiting: configurable max comments per time window via admin settings
Added Admin news management: TipTap WYSIWYG editor, bilingual tabs, publish/draft, sticky and homepage banner controls
Added Admin comments moderation panel: approve, reject, delete comments with filters
Added Dashboard news section: latest 3 articles with unread badge and sticky indicator
Added News detail page with full content rendering and comments section
Added Homepage news banner: dismissible gradient banner for featured articles
Added IP tracking: user login IPs stored with history for security auditing
Added User blocking system: admin can block by account and/or IP addresses
Added Admin user detail: security section with block/unblock UI, IP history table with per-IP status and unblock action
Added Admin bypass: administrators exempt from all plan limits (projects, scans, associates, pages)
Added Favicon: SVG/PNG/ICO with VitaPulse branding (gradient V + pulse line)
Added News publicly accessible: reading news and comments no longer requires authentication
Added Comment posting/editing still requires authentication, with "Sign in to comment" prompt for visitors
Added Centralized event logging system: `logEvent()` helper, `logs` collection, admin logs page with search/filter/delete
Added Event logging instrumented across all endpoints: auth, projects, scans, billing, associates, admin, contact, quick audit, PDF download (40+ events)
Added Admin user detail: recent activity logs section with link to filtered logs page
Added Forgot password flow: email verification code, reset password page
Added Change password: authenticated users can change password from account page
Added Account page: profile editing (name) and password change under `/app/account`
Changed Pricing FAQ completely rewritten with 20 comprehensive questions covering all features, plans, and capabilities
Changed Backend-generated URLs (Stripe checkout, emails, Google Chat webhooks, share links) now include locale prefix
Changed Admin user detail page shows IP history and blocking controls
Changed SCSS design system: all hardcoded hex colors, border-radius, font-size, font-weight replaced with variables across 30+ files
Changed New SCSS mixins: `hover-row`, `hover-lift`, `hover-light-on-dark`, `link-on-dark`, `link-primary` for consistent hover effects
Changed Removed unused SCSS mixins (`status-good/warning/error`, `score-gauge`)
Changed Added `$border-radius-xs`, `$gradient-dark-diagonal` SCSS variables
Changed Favicon and apple-touch-icon now use relative paths (fixes cross-origin issues in dev)
Changed Removed orphan `src/views/auth/` directory (duplicate of `src/views/Auth/`)
Changed Refactored: auth page SCSS extracted to global `.auth-page` class in `_components.scss`
Changed Refactored: `getEventColor`/`getEventCategory`/`formatLogMeta` extracted to `useLogUtils` composable
Changed Refactored: business downgrade logic extracted to `handleBusinessDowngrade()` in `dbHelpers.js`
Changed Refactored: inline URL truncation styles replaced with `.admin-url-truncate` SCSS class
Changed Logger `logEvent()` changed to fire-and-forget with `.catch(() => {})` (no more async/await)
Security ObjectId validation added to all news/comments API endpoints
Security ObjectId.isValid() validation added to all API endpoints accepting ID parameters (17+ routes)
Security Error logging (`console.error`) added to all catch blocks across the entire API (15+ files)
Security Blocked users/IPs rejected at login with appropriate error messages
Security MongoDB projection added to user query in lighthouse.js to exclude password hash
Security Webhook error responses standardized to JSON format
Security setReference race condition fixed with atomic bulkWrite operation
Fixed Hardcoded French progress messages in scan store replaced with i18n keys (`scan.progress.*`)
Fixed Default locale inconsistency: backend now uses `DEFAULT_LOCALE` ('en') everywhere instead of mixed 'fr'/'en'
Fixed Hardcoded French in `useDateFormat.js` replaced with i18n keys (`dashboard.fewSeconds`, `dashboard.days`)
Fixed Default locale for `formatDateShort`/`formatDateFull` changed from `'fr-FR'` to `'en-US'`
Fixed Scan status colors centralized in `SCAN_STATUS_COLORS` constant (removed duplication in 3 admin views)
Fixed ObjectId validation added to `findUserOrSharedProject` helper (prevents crash on invalid IDs)
Fixed Cron notifications now log warnings on failure instead of silently swallowing errors
Fixed Cron scheduled scans now validate `project.url` before launching scan
Fixed TiptapEditor image upload now handles fetch errors and checks `res.ok`
Fixed Unused `shallowRef` import removed from NewsDetailView
Fixed Unused `mdiEyeOff` import removed from AdminNewsEditView

v2.6.12026-02-27

Changed CWV tooltips on scan detail page now show per-metric descriptions matching project overview page
Changed Removed non-functional expandable CWV cards on scan detail page
Changed Added spacing between Mobile/Desktop toggle buttons
Changed Removed share report button from scan detail page

v2.6.02026-02-27

Added Plan upgrade/downgrade with Stripe proration (Pro ↔ Business, monthly ↔ yearly)
Added Upgrade preview dialog showing prorated amount before confirmation
Added Webhook handler for `customer.subscription.updated` as backup sync
Added Checkout guard preventing duplicate subscriptions
Added Project screenshot thumbnail on dashboard cards and project overview header
Added Placeholder image for projects without scans (VitaPulse branded SVG)
Changed Upgrade button in Billing page now opens inline preview dialog instead of redirecting to pricing
Changed Pricing page buttons adapt for existing subscribers (upgrade, downgrade, cycle change)
Changed Downgrade from Business automatically revokes associates
Changed Admin downgrade from Business now properly revokes associates and cleans shared projects

v2.5.12026-02-27

Added Associates can now view project settings in read-only mode
Added Associates can manage their own email notification preferences (scan results and regression alerts) based on their plan
Added Associate notification emails are sent after each scan completion

v2.5.02026-02-27

Changed Case Studies page: fixed all section-to-page mappings to match actual PDF content (16 sections for 28 pages)
Changed Case Studies page: corrected metrics values (mobile 82, desktop 78)
Changed Documentation page: complete rebuild with comprehensive VitaPulse user guide (10 sections: Quick Audit, Projects, Scans, Scores, CWV, Opportunities, Regressions, PDF Reports, Associates, Plans)
Changed Documentation page: added quick start cards, table of contents, and screenshot illustrations
Changed Landing page: enhanced features section with 6 benefit cards and 4 illustrated feature showcases
Changed Changelog page: complete rewrite with full version history (v1.0.0 to v2.4.0)
Changed Security page: updated with VitaPulse-specific security practices and technical details
Changed Terms of Service: comprehensive rewrite with 12 sections covering SaaS-specific terms
Changed Privacy Policy: GDPR-compliant rewrite with detailed data collection, storage, and rights information
Changed Cookie Policy: rewritten to reflect actual minimal cookie usage (single session cookie)
Removed API documentation page and route (no public API)
Removed Blog page link from footer (no blog content)
Removed Status page link from footer

v2.4.12026-02-26

Changed Project settings page: split into tabs (Settings / Associates) for Business plan users
Changed Dashboard: search field and project filter now on the same line
Fixed Associates tab not switching (missing activeTab ref)
Fixed Invite button not vertically centered next to email input

v2.4.02026-02-26

Added Associates system for Business plan users: invite up to 5 associates by email to share project access
Added Associates management section in project settings (invite, share, remove per project)
Added Dashboard filter (All / My projects / Shared with me) with shared badge showing owner name
Added Email invitation templates for associates (existing user + new user) in EN/FR
Added Automatic project linking when invited associate registers a new account
Added Associate access inheritance: associates inherit PDF download and report sharing capabilities from project owner's plan
Added Scan ownership awareness: project owners can manage scans launched by associates
Added Automatic associate revocation on plan downgrade (Business → Pro/Free)

v2.3.22026-02-26

Fixed Global button spacing: adjacent buttons in card actions are no longer visually stuck together
Fixed CWV history chart now auto-rebuilds project stats from existing scans when collection is empty

v2.3.12026-02-22

Fixed Admin scores display not showing due to per-device nested data structure
Fixed Admin CWV table empty due to same nested structure issue
Fixed Scan detail page now shows scores and CWV per device with mobile/desktop toggle

v2.3.02026-02-22

Added Admin user detail page with editable plan, type, name, company
Added User projects list in admin user detail
Added Clickable rows in admin users table
Added Admin project detail page with editable name, URL, scan frequency
Added Project scans list in admin project detail with status, score, device
Added Clickable project rows in admin projects list and user detail
Added Link to project owner from project detail page
Added Admin scan detail page with scores, CWV, regressions display
Added Editable scan status and reference flag from admin
Added Admin scan delete with confirmation dialog
Added Clickable scan rows in admin scans list and project detail
Added Links to owner and project from scan detail page

v2.2.12026-02-22

Fixed Landing page hero section alignment and height

v2.2.02026-02-22

Added User `type` field (`user` default, `admin` manual) for role-based access
Added Admin dashboard with user listing (email, plan, projects, scans, registration date)
Added Admin projects page listing all projects with owner, scan count, latest score
Added Admin scans page listing 200 most recent scans with project, owner, status, score, duration
Added `requireAdmin` middleware for admin-only API endpoints
Added Admin menu in header (crown icon) visible only for admin users
Added Admin route guard (`requiresAdmin`) on frontend router
Changed CWV history chart now uses dedicated `projectStats` collection with incremental aggregation instead of paginated scan data
Changed Stats are pushed to `projectStats` on each scan completion (no cron needed)
Changed New `GET /api/projects/:id/stats` endpoint for lightweight chart data

v2.1.02026-02-21

Added "Set as reference" action on scan details page with `isReference` badge display
Added Network requests table in Resources tab (URL, type, protocol, status, transfer/resource size, priority)
Added Main thread time column in third-party summary table
Added Parse/Compile column in script bootup table
Added Overview stat cards in Resources tab (requests, transferred, third parties count, JS libraries count)
Added Show more/less toggle on script bootup, third-party, and network requests tables
Added Core Web Vitals history chart (Plotly) on project overview page, visible when at least 2 completed scans exist
Changed Merged "Insights" tab into "Performance" tab (opportunities + diagnostics + insights)
Changed Merged "Technical", "Console", and "Passed" tabs into a single "Advanced" tab
Changed Replaced `v-btn-toggle` navigation with `v-tabs` for scan result sections
Changed Redesigned Resources tab with section headers, sorted resource bars, and detailed tables
Changed Third-party section now displays data directly from `thirdPartySummary` with entity name and main thread time
Changed Replaced `networkSummary` (aggregate) with detailed `networkRequests` table
Changed Regression detection now prioritizes scans marked as `isReference` before falling back to latest scan
Changed Synchronized PDF report generation with all scan result display changes (4 stat cards, parseCompile column, network requests table, third-party mainThreadTime, section ordering)

v2.0.02026-02-15

Added Comprehensive PDF report generation matching the full application display with 25+ sections (screenshots, filmstrip, audit detail tables, resource bar charts, critical chains, layout shifts, script treemap, entities, BF cache, user timings, server response time, config settings)
Added Case studies page with real audit data from www.e-xode.net (23-page PDF, per-page screenshots, key metrics, takeaways)
Added Complete i18n localization system with `createT(locale)` server-side translation resolver
Added Shared component library: 13 reusable components extracted (`AlertError`, `ConfirmDialog`, `DataTable`, `EmptyState`, `LoadingSpinner`, `PageHeader`, `ScoreCircle`, `ScanProgressCard`, `SearchInput`, `SectionCard`, `StatCard`, `StatusChip`, `UpgradeCta`)
Added Shared utilities module (`shared/utils.js`) with `escapeHtml`, `formatBytes`, `formatMs`, `getScoreColor`, `getScoreLabel`, `getScoreBg`, `getCwvStatus`, `getCwvColor`, `formatCwvValue`
Added Shared constants module (`shared/const.js`) with `DEVICES`, `CWV_METRICS`, `INSIGHTS_FAILING_THRESHOLD`, `SCAN_DATA_FIELDS`
Added Shared database helpers (`shared/dbHelpers.js`) for MongoDB operations
Added Shared API client (`shared/api.js`) with centralized error handling
Added Rate limiting on all API endpoints with configurable windows
Added Session management with automatic cleanup on dev startup
Added Version number displayed in application footer
Added PDF White Label mode for Business plan users
Added App version exposed via Vite `define` for frontend access
Changed Rewrote `pdfTemplate.js` (~580 lines) with all scan data sections, matching app UX/design (brand gradient, score colors, impact badges, CWV thresholds)
Changed Rewrote `downloadPdf.js` with comprehensive `preparePdfData()` extracting all 35+ scan data fields per device
Changed Refactored all Pinia stores to use shared utilities and constants
Changed Refactored all API endpoints to use shared database helpers and middleware
Changed Updated all Vue components to use shared component library
Changed Migrated all hardcoded strings to i18n translation files (en.json, fr.json)
Changed Updated `entry-server.js` with i18n-aware SSR (`getRouteMeta`, `generateMetaTags`, `getSchemaMarkup`)
Changed Updated `index.html` with `` placeholder for dynamic lang attribute
Changed Rewrote `CaseStudiesView.vue` with real audit content and PDF page screenshots
Changed Improved error handling across all API routes with safe JSON parsing
Fixed Security audit: input validation, authorization checks, rate limiting on all endpoints
Fixed Data parity between scan storage and display fields
Fixed Docker and Playwright configuration for PDF generation
Fixed Session cleanup preventing stale session file accumulation
Fixed Rate limiting configuration for different endpoint categories
Fixed SSR hydration for localized meta tags and schema markup
Fixed Translation key consistency across all components
Security Added `requireAuth` middleware on all protected routes
Security Added input sanitization with `escapeHtml` utility
Security Enforced ownership checks on scan/project access
Security Configured Helmet CSP and CORS policies
Security Added rate limiting per API category (auth, scans, general)

v1.3.02026-02-10

Added Case studies page showcasing VitaPulse audit capabilities
Added GitHub Actions workflow for CI testing
Changed Layout improvements across all views
Changed Translation updates for all supported locales
Changed Major layout and code refactoring

v1.2.02026-02-07

Added Coupon management system for Stripe payments
Added Quick audit rate limiting (max audits per plan)
Added Automated cron jobs for data pruning
Added Email notifications with scoring reports
Added Multi-page scan support
Changed Pricing logic refactored with plan-based feature gating
Changed Header theme improvements
Changed Report results display fixes
Fixed Docker environment variables for Stripe integration
Fixed Translation consistency issues

v1.1.02026-02-06

Added PDF report export with Chromium rendering
Added SEO optimizations (meta tags, schema markup, sitemap)
Added Scan animation and progress indicators
Added CSS design system with variables and mixins
Added Detailed audit results display (8 tabbed sections)
Added New project creation workflow with guided steps
Changed Factorized scan animation components
Changed Server-side rendering fixes for Vue Router
Fixed Translation loading and fallback behavior
Fixed Server rendering hydration issues

v1.0.02026-02-04

Added Initial release of VitaPulse platform
Added Lighthouse 12 audit engine integration
Added Core Web Vitals monitoring (LCP, FCP, CLS, TBT, INP, TTFB, Speed Index, TTI)
Added Mobile and desktop device analysis
Added Performance, Accessibility, Best Practices and SEO scoring
Added Stripe payment integration with Pro and Business plans
Added User authentication with email verification
Added Legal pages (Terms, Privacy, Cookies)
Added CORS and security configuration
Added Docker containerization with docker-compose