Releases: SysAdminDoc/ScriptVault
Release list
v3.21.0 — Security, disclosure, and reliability hardening
Highlights
- Safer script updates — every queued update is re-scanned by the AST risk analyzer and diffed against the installed version; updates that introduce new high-risk behavior are flagged and routed to manual review instead of auto-applying, closing the same-source account-takeover propagation gap.
- Locked-down permissions & disclosure — the manifest permission surface is pinned by a build-time drift gate (a release can never silently widen it), a coordinated
SECURITY.mddisclosure policy ships with private vulnerability reporting enabled, and dependency install scripts are disabled to block npm supply-chain worms. - Smoother, cleaner editing — fixed a console error on editor open (schedule-icon injection) and stopped UserCSS live previews from lingering after the dashboard closes or the target tab changes.
Other improvements
- Page-controlled tab titles can no longer inject extra metadata lines when creating a script from the current page.
- Raised the
esbuildbuild-tool floor to clear GHSA-g7r4-m6w7-qqqr (Windows dev-server path traversal). - Guarded PRIVACY.md data-flow disclosures against drift ahead of CWS Limited Use enforcement.
- Documented the UserStyles engine wiring status (preview-only surface) to prevent confusion with persistent install.
The attached ScriptVault-v3.21.0.zip is an unsigned Chrome Web Store package. Install via "Load unpacked" (unzip first) or upload to the Web Store.
ScriptVault v3.19.2
Restore broad install-time host access
v3.18.x/3.19.0–3.19.1 scoped the Chromium build to optional_host_permissions and enabled a scopedHostPermissions gate by default. Together these stranded userscripts behind a "Site Access Needed" prompt and refused to register broad all-site scripts (Broad host access requires explicit per-script opt-in before registration). Firefox was never affected.
Fixed
- Userscripts run on install again (Chromium). Reverted the Chrome/Edge manifest from
optional_host_permissionsback tohost_permissions: ["<all_urls>"], so the extension is granted full site access at install instead of surfacing "Site Access Needed" per origin. - Scoped host permissions are now opt-in. The
scopedHostPermissionssetting (and its internal registration gate) defaults tofalse. The per-site model is preserved — enable "Use scoped host permissions" in Settings — but it no longer blocks broad all-site scripts from registering by default. - Broad-match scripts (
@match *://*/*,@match <all_urls>) that were being unregistered until manually approved per script now register normally. - One-time upgrade migration clears a persisted
scopedHostPermissions: trueso existing installs pick up the new default automatically.
Upgrading (unpacked/dev installs)
Reload the extension at chrome://extensions, accept the re-prompt for full site access, and reopen the service worker so the migration runs.
SHA256 (Chrome ZIP): fa872774b4a30e86cde52e89ece25d2bd1b1662542875a79dda4ff13c58ab7de
ScriptVault v3.19.1
Premium workbench parity release: canonical navigation, deeper dashboard destinations, reliable settings autosave, recoverable editor fallback, polished compact surfaces, four-theme rendered evidence, and verified Chrome, Firefox, and Edge packages.
ScriptVault v3.19.0
Professional workbench redesign with a premium graphite-and-emerald dashboard, live vault metrics, contextual script inspection, unified popup/side-panel/install/DevTools surfaces, and browser-rendered visual regression coverage for all four themes.
v3.17.0
Trust enforcement, sync data-safety, and backup slimming.
Security
- Subresource Integrity "Require" mode is now enforced — refuses to run any @require/@resource without a verifiable SRI hash; the install review flags every un-pinned dependency as "unverified remote code".
- Scam / crypto-drain detector — flags wallet seed/private-key access, drainer keywords, and wallet transaction requests, with a high-severity "possible credential/wallet exfiltration" finding when a script harvests secrets and sends data off-page. Benign wallet-adjacent scripts aren't flagged.
Data safety
- Cloud backup no longer clobbers the sync envelope (distinct object per provider) and encrypts under E2EE.
- Easy Cloud sync received the merge fixes: restored-from-trash scripts survive, clean 3-way merges aren't discarded, correct 3-way base.
- SettingsManager write-race fix — concurrent settings writes no longer drop a freshly refreshed OAuth token.
UX & storage
- "Only on This Site" one-click scope in the popup + @match validation in the dashboard editor.
- Backup blobs are gzip-compressed in IndexedDB (transparent, backward-compatible).
Full detail in CHANGELOG.md. Remaining roadmap items (on-device AI, optional host permissions, GM.fetch streaming, per-script cookie jars, git/local-folder sync) are larger bets deferred to dedicated sessions.
v3.16.0
Deep engineering + product-quality audit pass.
Security
- GM networking bound to the authenticated caller. GM_xmlhttpRequest / GM_webSocket / GM_download, GM_getResourceText/URL, GM_loadScript, and menu register/unregister used the caller-supplied script id, letting one userscript borrow another's @connect allowlist or read its @resource bodies. All now use Chrome's unspoofable sender.userScriptId.
- Attribute-injection XSS in the dependency graph and other panels (quote-unescaping escapers) fixed.
Data safety
- Cloud sync no longer permanently re-deletes restored-from-trash scripts (the tombstone-resurrection guard was dead code).
- Trash restore persists the script before emptying the trash entry (no loss on a service-worker crash).
- Backup restore no longer wipes per-script settings (match rules, notes, tags, pin) of installed scripts.
Correctness
- Chrome no longer misdetected as Firefox — restores per-script world isolation on Chrome 133+ and the correct setup instructions.
- Editor no longer swallows the first keystroke after a tab switch; cursor Ln/Col updates instead of freezing.
- New Script / Duplicate / New Folder report failures instead of silently doing nothing.
- Storage meter measures real usage; Find Scripts pagination works again.
Full detail in CHANGELOG.md; ~13 additional verified findings are tracked in ROADMAP.md.
v3.15.1
Fixed
- Editor screen was unusable in v3.15.0. The full-screen editor overlay stacked below the sticky dashboard header, which painted over the Save/Close row and panel tabs — nothing in the top band was visible or clickable. The overlay now stacks above all page chrome (and below modals).
- Hidden editor buttons actually hide. Preview CSS no longer shows for JS scripts; file-binding buttons only appear when relevant.
Changed
- Editor nav redesigned into one band: panel tabs (Code/Settings/Externals/Storage/Info) on the left, icon-only tools with tooltips on the right. Editor chrome is two slim rows; the code pane takes ~91% of the viewport at 1440x900.
- Save button is accented and fills while there are unsaved changes.
Internal
- New
npm run smoke:editorharness drives the real editor in headless Chromium and hit-tests every control, so layering regressions fail loudly.
v3.15.0
Removed
- Script Store tab removed entirely. The eagerly-loaded multi-source discovery tab (~2,100 lines) is gone; script discovery lives in the lighter Find Scripts dialog (toolbar, popup, side panel), Collections, and Gist import.
Changed
- Full-screen script editor. The editor now covers the entire viewport with a slim single-row header and tightened tab/toolbar rows — the code pane gains roughly 150-200px of vertical space.
- New Script opens the editor directly. The template-picker modal is removed; starters remain in the editor template manager.
Fixed
- Storage quota bar uses the real quota (unlimitedStorage-aware via navigator.storage.estimate) — no more false "Storage at 100% capacity" warnings.
- Doubled navigation labels ("SettingsSettings", "Installed UserscriptsInstalled Userscripts") from a duplicate i18n pass.
- Theme switches no longer show a success toast.
- Stray empty pill in the header when no script editors are open.
- RTL direction bootstrap actually runs — the inline script MV3 CSP always blocked is now an external file; extension pages load console-clean.
ScriptVault v3.11.0
ScriptVault v3.11.0
Chrome MV3 release for the Phase 38 parity wave and storage/persistence rollback hardening.
Highlights:
- GM_addElement null-on-failure compatibility.
- Regex dashboard search and update-click confirmation guard.
- Popup context-menu script launchers and Navigation API window.onurlchange support.
- GM_info script tag alias and storage rollback regression coverage.
- minimum_chrome_version raised to Chrome 130.
Firefox remains tracked separately until the Firefox MV3/AMO validation gate is complete.
ScriptVault v2.3.4
ScriptVault v2.3.4
Two CSP-blocked inline <script> blocks were silently breaking the dashboard's view-settings toolbar (zoom + density) and the DevTools panel registration. Also relocates the self-distribution signing keys out of the repo root so Chrome's "Load unpacked" stops warning about bundled key files.
Now live on the Chrome Web Store.
Install (Brave / Chrome / Edge — recommended)
Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. Use Load unpacked instead:
- Download
ScriptVault-v2.3.4.zipand extract it to a permanent folder (e.g.~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup. - Open
brave://extensions(orchrome://extensions,edge://extensions). - Toggle Developer mode on (top-right).
- Click Load unpacked and select the extracted folder.
The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.
Changes
- Fixed: Two inline
<script>blocks violated theextension_pagesCSP (script-src 'self').pages/dashboard.htmlhad a 75-line view-settings controller (zoom + density) andpages/devtools.htmlhad a 9-line panel registration call — both blocked at load time, leaving the dashboard's zoom/density toolbar inert and the DevTools panel un-registered. Extracted topages/dashboard-viewsettings.jsandpages/devtools.js. The remaining inline script inpages/editor-sandbox.htmlis the Monaco bootstrap and is allowed by the sandbox CSP ('unsafe-inline'). - Chore: Moved self-distribution signing keys (
scriptvault.pem,scriptvault-selfhost.pem) out of the repo root to~/.scriptvault-keys/. Chrome's "Load unpacked" warnedThis extension includes the key file ... You probably don't want to do thatbecause anything inside the extension dir gets bundled at build/install time.pack-crx.mjsalready takes the key path as a positional CLI arg, so callers just pass~/.scriptvault-keys/scriptvault-selfhost.pemnow. Both keys remain gitignored.
Includes the v2.3.2 service-worker syntax fix and the v2.3.3 self-healing "Allow User Scripts" warning, both of which shipped without GitHub releases.