LunarClient · imconnorngl · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/.github/actions/pnpm-install/action.yml b/.github/actions/pnpm-install/action.yml
@@ -39,9 +39,9 @@ runs:
       uses: actions/checkout@v6
 
     - name: Setup pnpm
-      uses: pnpm/action-setup@v5
+      uses: pnpm/action-setup@v6
       with:
-        version: 10
+        version: 11
         run_install: false
 
     - name: Setup Node.js

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,9 +24,9 @@ jobs:
           fetch-depth: 0
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@v6
         with:
-          version: 10
+          version: 11
           run_install: false
 
       - name: Setup Node.js
@@ -62,9 +62,9 @@ jobs:
           token: ${{ secrets.PAT_TOKEN }}
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@v6
         with:
-          version: 10
+          version: 11
           run_install: false
 
       - name: Setup Node.js
@@ -101,9 +101,9 @@ jobs:
           token: ${{ secrets.PAT_TOKEN }}
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@v6
         with:
-          version: 10
+          version: 11
           run_install: false
 
       - name: Setup Node.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,105 @@
 # Changelog
 
+## 3.6.2
+
+### Patch Changes
+
+- Stop the production container restart loop caused by unhandled promise rejections under Node 24. Two changes: (1) the `/stats/[ign]/[[profile]]/card` endpoint now uses `Promise.allSettled` rather than `Promise.all` for the parallel `getProfileStats` / `getNetworth` / `getCombined` calls — when one rejects first, the losing-side promises no longer become orphaned rejections that crash the process. (2) A `process.on("unhandledRejection")` safety net in `instrumentation.server.ts` logs + reports any future orphans to Sentry instead of exiting, since Node 24's default `--unhandled-rejections=throw` is fatal. Combined this ends the ~2-minute restart cycle visible in production logs. ([#326](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/326))
+
+## 3.6.2-beta.0
+
+### Patch Changes
+
+- Stop the production container restart loop caused by unhandled promise rejections under Node 24. Two changes: (1) the `/stats/[ign]/[[profile]]/card` endpoint now uses `Promise.allSettled` rather than `Promise.all` for the parallel `getProfileStats` / `getNetworth` / `getCombined` calls — when one rejects first, the losing-side promises no longer become orphaned rejections that crash the process. (2) A `process.on("unhandledRejection")` safety net in `instrumentation.server.ts` logs + reports any future orphans to Sentry instead of exiting, since Node 24's default `--unhandled-rejections=throw` is fatal. Combined this ends the ~2-minute restart cycle visible in production logs. ([`9ffadbc`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/9ffadbcf6e4c5730756a06039dc23cf9a56eda98))
+
+## 3.6.1
+
+### Patch Changes
+
+- Render the JSON-LD `<script type="application/ld+json">` block via `<svelte:element>` instead of `{@html}`, dropping the closing-tag-splitting workaround. The XSS-safe `safeJsonLd` escaping (`<` / `>` / `&`) is unchanged and still preserves data fidelity, so crawlers see exactly the same JSON content as before. ([#324](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/324))
+
+- Restore the card background and inline-emoji rendering after upgrading to `takumi-js@1.1.x`. The underlying Rust crate's commit `adc48da` ("Treat absolute/floated children as out-of-flow for inline layout detection") reworked which children participate in inline formatting context, leaving the previous `<img class="absolute inset-0">` background unrendered — which made the white text and emoji appear to vanish too. The persistent image is now applied as `background-image` CSS on the parent `<main>`, matching the pattern shown in the takumi docs. ([#324](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/324))
+
+- Escape JSON-LD payload so user-controlled fields (e.g. the `ign` URL parameter on stats pages) cannot break out of the `<script type="application/ld+json">` tag. `svelte-seo`'s `jsonLd` prop emits `JSON.stringify(data)` raw, and `JSON.stringify` does not escape `<`, `>` or `&` — so visiting `/stats/<script>alert(1)</script>` was enough to inject arbitrary HTML/JS into `<head>`. The new `JsonLd` component escapes those three characters to their unicode escapes (still valid JSON) before emitting the tag. ([#324](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/324))
+
+- Harden security headers against iframe-based phishing. The phishing site `sky.shiiiyu.moe` was embedding the real site in an invisible cross-origin iframe and rewriting `history.pushState` to disguise the URL bar. The fix layers three browser-enforced controls: `Content-Security-Policy: frame-ancestors 'self'` (modern browsers) and `X-Frame-Options: DENY` (older-browser fallback) refuse the iframe outright, and `Cross-Origin-Opener-Policy: same-origin` isolates the top-level browsing context group so a malicious opener cannot reach back via `window.opener`. The `/api/*` surface is unaffected — partner integrations (e.g., Lunar Client) that call the Go backend directly continue to work. ([#324](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/324))
+
+## 3.6.1-beta.2
+
+### Patch Changes
+
+- Harden security headers against iframe-based phishing. The phishing site `sky.shiiiyu.moe` was embedding the real site in an invisible cross-origin iframe and rewriting `history.pushState` to disguise the URL bar. The fix layers three browser-enforced controls: `Content-Security-Policy: frame-ancestors 'self'` (modern browsers) and `X-Frame-Options: DENY` (older-browser fallback) refuse the iframe outright, and `Cross-Origin-Opener-Policy: same-origin` isolates the top-level browsing context group so a malicious opener cannot reach back via `window.opener`. The `/api/*` surface is unaffected — partner integrations (e.g., Lunar Client) that call the Go backend directly continue to work. ([`43736ae`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/43736ae30e223ad18c6281484d728fafa2279365))
+
+## 3.6.1-beta.1
+
+### Patch Changes
+
+- Render the JSON-LD `<script type="application/ld+json">` block via `<svelte:element>` instead of `{@html}`, dropping the closing-tag-splitting workaround. The XSS-safe `safeJsonLd` escaping (`<` / `>` / `&`) is unchanged and still preserves data fidelity, so crawlers see exactly the same JSON content as before. ([`263c4f3`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/263c4f3560c04b0cbbdf288e5c7cfc780050665b))
+
+## 3.6.1-beta.0
+
+### Patch Changes
+
+- Restore the card background and inline-emoji rendering after upgrading to `takumi-js@1.1.x`. The underlying Rust crate's commit `adc48da` ("Treat absolute/floated children as out-of-flow for inline layout detection") reworked which children participate in inline formatting context, leaving the previous `<img class="absolute inset-0">` background unrendered — which made the white text and emoji appear to vanish too. The persistent image is now applied as `background-image` CSS on the parent `<main>`, matching the pattern shown in the takumi docs. ([`176b8c2`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/176b8c2296f3c79a1a217515f30a4d531fef9644))
+
+- Escape JSON-LD payload so user-controlled fields (e.g. the `ign` URL parameter on stats pages) cannot break out of the `<script type="application/ld+json">` tag. `svelte-seo`'s `jsonLd` prop emits `JSON.stringify(data)` raw, and `JSON.stringify` does not escape `<`, `>` or `&` — so visiting `/stats/<script>alert(1)</script>` was enough to inject arbitrary HTML/JS into `<head>`. The new `JsonLd` component escapes those three characters to their unicode escapes (still valid JSON) before emitting the tag. ([`5452ef7`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/5452ef74f36f90789224c53793444dfbc2297a74))
+
+## 3.6.0
+
+### Minor Changes
+
+- Remove the official wiki and use the new independent wiki #317. Thanks @DespicableGoose! ([#318](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/318))
+
+## 3.6.0-beta.0
+
+### Minor Changes
+
+- Remove the official wiki and use the new independent wiki #317. Thanks @DespicableGoose! ([`ac42e56`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/ac42e5654b867a6e91e0310ee02e3f90d89313f7))
+
+## 3.5.2
+
+### Patch Changes
+
+- Fix remaining SvelteKit remote query lifecycle regressions by replacing stored live query instances with plain reactive snapshots in the stats route, combined section loading, inventory, networth, additional stats, and header theme icon flows. This aligns the app more closely with the stricter remote query behavior introduced around sveltejs/kit#15533 and prevents inactive query access during tab and section transitions. ([#315](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/315))
+
+- Improve the mobile stats header and profile action layout by collapsing the search trigger earlier on small screens and keeping the expanded profile actions inline with the always-visible buttons while preserving their staggered animation timing. ([#315](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/315))
+
+## 3.5.2-beta.0
+
+### Patch Changes
+
+- Fix remaining SvelteKit remote query lifecycle regressions by replacing stored live query instances with plain reactive snapshots in the stats route, combined section loading, inventory, networth, additional stats, and header theme icon flows. This aligns the app more closely with the stricter remote query behavior introduced around sveltejs/kit#15533 and prevents inactive query access during tab and section transitions. ([`3dd3f2f`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/3dd3f2fa7d77e2668c90755ec5e18933838c2752))
+
+- Improve the mobile stats header and profile action layout by collapsing the search trigger earlier on small screens and keeping the expanded profile actions inline with the always-visible buttons while preserving their staggered animation timing. ([`c677cbb`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/c677cbb95be31fcb9887beca90cdb607ade05efd))
+
+## 3.5.1
+
+### Patch Changes
+
+- Fix SvelteKit 2.56 remote query lifecycle regressions by keeping the combined profile query local to the consuming components instead of passing a live query instance through context. This aligns the app with the remote function tracking changes from sveltejs/kit#15533 and the related refresh model changes in sveltejs/kit#15562. ([#313](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/313))
+
+- Reduce Svelte 5 `await_reactivity_loss` warnings after the SvelteKit remote function changes by keeping profile, networth, theme icon, and performance-mode reads in non-async reactive paths. This aligns the affected UI with the stricter query lifecycle introduced around sveltejs/kit#15533. ([#313](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/313))
+
+- Fix search flows after the SvelteKit remote query changes in sveltejs/kit#15533 by switching the home page and command palette to imperative `query().run()` calls with client-side navigation. This removes duplicate search requests, avoids redirect errors from reactive query usage, and resets command palette search state correctly. ([#313](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/313))
+
+- Fix the settings drag-and-drop lists after the `@dnd-kit/svelte` 0.4.0 upgrade by restoring stable sortable behavior with the updated plugin configuration and provider lifecycle handling. This keeps whole-row dragging working reliably in the Order and Misc settings tabs. ([#313](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/pull/313))
+
+## 3.5.1-beta.1
+
+### Patch Changes
+
+- Fix the settings drag-and-drop lists after the `@dnd-kit/svelte` 0.4.0 upgrade by restoring stable sortable behavior with the updated plugin configuration and provider lifecycle handling. This keeps whole-row dragging working reliably in the Order and Misc settings tabs. ([`0f2bb4b`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/0f2bb4b7f99c46b6beb969e4ba07ee4b6c5eaee8))
+
+## 3.5.1-beta.0
+
+### Patch Changes
+
+- Fix SvelteKit 2.56 remote query lifecycle regressions by keeping the combined profile query local to the consuming components instead of passing a live query instance through context. This aligns the app with the remote function tracking changes from sveltejs/kit#15533 and the related refresh model changes in sveltejs/kit#15562. ([`b0727e1`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/b0727e181cc07f6dd3f349623c0dbc84a1e45ffc))
+
+- Reduce Svelte 5 `await_reactivity_loss` warnings after the SvelteKit remote function changes by keeping profile, networth, theme icon, and performance-mode reads in non-async reactive paths. This aligns the affected UI with the stricter query lifecycle introduced around sveltejs/kit#15533. ([`eb72f4a`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/eb72f4a9a43a0f342822fc4c7d86254b6a029f41))
+
+- Fix search flows after the SvelteKit remote query changes in sveltejs/kit#15533 by switching the home page and command palette to imperative `query().run()` calls with client-side navigation. This removes duplicate search requests, avoids redirect errors from reactive query usage, and resets command palette search state correctly. ([`b0727e1`](https://github.com/SkyCryptWebsite/SkyCrypt-Frontend/commit/b0727e181cc07f6dd3f349623c0dbc84a1e45ffc))
+
 ## 3.5.0
 
 ### Minor Changes

diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1 @@
+AGENTS.md
diff --git a/Dockerfile b/Dockerfile
@@ -15,6 +15,7 @@ ENV PUBLIC_SERVER_API_URL=$PUBLIC_SERVER_API_URL
 
 COPY package*.json .
 COPY pnpm-lock.yaml .
+COPY pnpm-workspace.yaml .
 
 RUN pnpm fetch
 RUN pnpm install --frozen-lockfile
@@ -30,7 +31,7 @@ FROM node:24-alpine
 
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
-RUN corepack enable pnpm && corepack install -g pnpm@latest-10
+RUN corepack enable pnpm && corepack install -g pnpm@latest-11
 
 WORKDIR /app
 
@@ -42,4 +43,4 @@ COPY pnpm-lock.yaml .
 
 EXPOSE 3000
 ENV NODE_ENV=production
-CMD ["pnpm", "run", "runbuild"]
+CMD ["node", "./build"]
diff --git a/orval.config.ts b/orval.config.ts
@@ -12,8 +12,10 @@ export default defineConfig({
           path: "./src/lib/shared/api/mutator/custom-instance.ts",
           name: "customFetch"
         }
-      },
-      prettier: true
+      }
+    },
+    hooks: {
+      afterAllFilesWrite: "prettier --write ./src/lib/shared/api/orval-generated.ts"
     }
   },
   skycryptZod: {
@@ -22,8 +24,10 @@ export default defineConfig({
       target: "./src/lib/shared/api/orval-generated-zod.ts",
       client: "zod",
       tsconfig: "./tsconfig.json",
-      fileExtension: ".zod.ts",
-      prettier: true
+      fileExtension: ".zod.ts"
+    },
+    hooks: {
+      afterAllFilesWrite: "prettier --write ./src/lib/shared/api/orval-generated-zod.ts"
     }
   }
 });
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "skycrypt-frontend",
-  "version": "3.5.0",
+  "version": "3.6.2",
   "private": true,
   "type": "module",
   "repository": {
@@ -32,89 +32,88 @@
     "test:e2e": "playwright test"
   },
   "devDependencies": {
-    "@changesets/cli": "^2.30.0",
-    "@commitlint/cli": "^20.5.0",
-    "@commitlint/config-conventional": "^20.5.0",
-    "@commitlint/types": "^20.5.0",
+    "@changesets/cli": "^2.31.0",
+    "@commitlint/cli": "^21.0.1",
+    "@commitlint/config-conventional": "^21.0.1",
+    "@commitlint/types": "^21.0.1",
     "@date-fns/tz": "^1.4.1",
-    "@dnd-kit/abstract": "^0.3.2",
-    "@dnd-kit/dom": "^0.3.2",
-    "@dnd-kit/helpers": "^0.3.2",
-    "@dnd-kit/svelte": "^0.3.2",
-    "@eslint/compat": "^2.0.4",
+    "@dnd-kit/abstract": "^0.4.0",
+    "@dnd-kit/dom": "^0.4.0",
+    "@dnd-kit/helpers": "^0.4.0",
+    "@dnd-kit/svelte": "^0.4.0",
+    "@eslint/compat": "^2.1.0",
     "@eslint/js": "^10.0.1",
-    "@lucide/svelte": "^1.7.0",
+    "@lucide/svelte": "^1.16.0",
     "@oslojs/crypto": "^1.0.1",
     "@oslojs/encoding": "^1.1.0",
-    "@playwright/test": "^1.59.1",
+    "@playwright/test": "^1.60.0",
     "@sveltejs/adapter-cloudflare": "^7.2.8",
     "@sveltejs/adapter-node": "^5.5.4",
-    "@sveltejs/kit": "^2.56.1",
-    "@sveltejs/vite-plugin-svelte": "^7.0.0",
+    "@sveltejs/kit": "^2.60.1",
+    "@sveltejs/vite-plugin-svelte": "^7.1.2",
     "@svitejs/changesets-changelog-github-compact": "^1.2.0",
-    "@tailwindcss/vite": "^4.2.2",
+    "@tailwindcss/vite": "^4.3.0",
     "@types/culori": "^4.0.1",
     "@types/eslint": "^9.6.1",
-    "@types/node": "^25.5.2",
+    "@types/node": "^25.8.0",
     "@types/relaxed-json": "^1.0.4",
     "@types/upng-js": "^2.1.5",
-    "@vitest/browser-playwright": "^4.1.2",
-    "@vitest/coverage-v8": "^4.1.2",
-    "@vitest/ui": "^4.1.2",
-    "bits-ui": "^2.17.2",
+    "@vitest/browser-playwright": "^4.1.6",
+    "@vitest/coverage-v8": "^4.1.6",
+    "@vitest/ui": "^4.1.6",
+    "bits-ui": "^2.18.1",
     "clsx": "^2.1.1",
     "date-fns": "^4.1.0",
-    "devalue": "^5.6.4",
+    "devalue": "^5.8.1",
     "dotenv-cli": "^11.0.0",
-    "eslint": "^10.2.0",
+    "eslint": "^10.3.0",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-svelte": "^3.17.0",
+    "eslint-plugin-svelte": "^3.17.1",
     "formsnap": "^2.0.1",
-    "globals": "^17.4.0",
-    "ky": "^2.0.0",
+    "globals": "^17.6.0",
+    "ky": "^2.0.2",
     "numerable": "^0.3.15",
-    "orval": "^8.6.2",
+    "orval": "^8.10.0",
     "paneforge": "^1.0.2",
-    "playwright": "^1.59.1",
-    "prettier": "^3.8.1",
-    "prettier-plugin-svelte": "^3.5.1",
-    "prettier-plugin-tailwindcss": "^0.7.2",
+    "playwright": "^1.60.0",
+    "prettier": "^3.8.3",
+    "prettier-plugin-svelte": "^3.5.2",
+    "prettier-plugin-tailwindcss": "^0.8.0",
     "pretty-ms": "^9.3.0",
     "runed": "^0.37.1",
     "satori-html": "^0.3.2",
-    "skinview3d": "^3.4.1",
-    "super-sitemap": "^1.0.7",
-    "svelte": "^5.55.1",
-    "svelte-check": "^4.4.6",
+    "skinview3d": "^3.4.2",
+    "super-sitemap": "^1.0.12",
+    "svelte": "^5.55.7",
+    "svelte-check": "^4.4.8",
     "svelte-persisted-store": "^0.12.0",
     "svelte-preprocess": "^6.0.3",
     "svelte-seo": "^2.0.0",
-    "svelte-sonner": "^1.1.0",
+    "svelte-sonner": "^1.1.1",
     "svelte-tiny-virtual-list": "4.0.0-rc.2",
     "sveltekit-superforms": "^2.30.1",
-    "tailwind-merge": "^3.5.0",
-    "tailwindcss": "^4.2.2",
+    "tailwind-merge": "^3.6.0",
+    "tailwindcss": "^4.3.0",
     "tailwindcss-motion": "^1.1.1",
     "tslib": "^2.8.1",
-    "typescript": "^6.0.2",
-    "typescript-eslint": "^8.58.0",
+    "typescript": "^6.0.3",
+    "typescript-eslint": "^8.59.3",
     "vaul-svelte": "1.0.0-next.7",
-    "vite": "^8.0.5",
-    "vite-plugin-devtools-json": "^1.0.0",
-    "vitest": "^4.1.2",
-    "vitest-browser-svelte": "^2.1.0",
-    "zod": "^4.3.6"
+    "vite": "^8.0.13",
+    "vitest": "^4.1.6",
+    "vitest-browser-svelte": "^2.1.1",
+    "zod": "^4.4.3"
   },
   "dependencies": {
-    "@sentry/sveltekit": "^10.47.0",
+    "@sentry/sveltekit": "^10.53.1",
     "culori": "^4.0.2",
     "simple-git-hooks": "^2.13.1",
-    "takumi-js": "1.0.0-rc.15",
-    "svelte-interactions": "^0.2.0"
+    "svelte-interactions": "^0.2.0",
+    "takumi-js": "1.1.2"
   },
   "engines": {
     "node": "^24",
-    "pnpm": "^10",
+    "pnpm": "^11",
     "deno": "forbidden, use node instead",
     "npm": "forbidden, use pnpm instead",
     "yarn": "forbidden, use pnpm instead",