chore: release 1.4.1

[github-actions]

Shipped changes on main since the last tag. For a fuller, narrative history (motivation and context), see CHANGELOG.md in the repo.

---

---

1.5.0 (2026-05-14)

Features

• ai: tighter product prompt + loading spinner on AI buttons (02744b4)
• collaborative group gift contributors with invite flow (#115) (ad321e4)
• in-app accept/decline for invited users + register flow for new users (#125) (d104d85)
• per-email-type from addresses with shared fallback (#121) (dde12a8)
• phase 8 — group gifts (#111) (1247ec3)
• phase 8 — group gifts + bundled enhancements (#108 #109 #110 #112) (#113) (a72d112)
• Phase 8 group gifts (#130) (dde9a44)

Bug Fixes

• address Codacy security findings and esbuild advisory (bf475e4)
• address CodeRabbit comprehensive feedback (1865c61)
• address final PR #130 review comments (Round 2) (a56c581)
• address PR #130 review comments from Codacy and CodeRabbit (5c5fc36)
• bump drizzle-orm to 0.45.2 (SQL injection security fix) (#61) (05d1db5)
• bump trivy-action to v0.36.0 — 0.31.0 tag does not exist (#86) (#87) (aa583f9)
• docker: drive drizzle-kit through an expect script (e1d2272)
• docker: give drizzle-kit a pseudo-TTY so piped newlines reach prompts (23feb35)
• docker: unblock migrator when drizzle-kit prompts despite --force (0604b68)
• docker: unblock migrator when drizzle-kit prompts despite --force (560ec6f)
• duplicate authorization header with create-pull-request (c665869)
• generate inviteToken in app code to guarantee invite emails are sent (#117) (8646566)
• harden gift-group contributor email edits (b887bc6)
• harden register, occasions, and gift-group review findings (ed64dec)
• include wishlist items in reminder email shortlist (#129) (bb33681), closes #128
• log email errors in gift group actions (#119) (609608e)
• re-apply: restore security fixes (c5b0fa3)
• remove from sync-gemini to unblock Actions on main (#70) (e7ed402), closes #69
• remove from sync-gemini to unblock Actions on main (#71) (818904c)
• resolve npm security vulnerabilities (Next.js CVEs + PostCSS XSS) (#102) (d83a9e9)
• resolve package-lock.json conflict markers and sync version to 1.3.5 (64320c5)
• restore missing occasionKind enum in schema (0e563c2)
• revert erroneous commits and restore stable 1865c61 (a6e7fda)
• revert server action arrow wrappers causing serialization crash (849cc8e)
• satisfy Codacy object-injection rule in parsePence (2840025)
• sender display name and digest promotional classification (#127) (aa87df1)
• strip esbuild binaries from runner image (CVE-2024-24790, CVE-2025-68121) (#91) (a8ec880)
• ui: move iCal URL onFocus handler into a client component (7489701)
• upgrade Next.js, next-auth, drizzle-kit to resolve CVEs (#93) (690833a)
• use PRs for bot branch updates and setup-node v6 (3dd9657)
• wrap useSearchParams in Suspense boundary on /login/register (27e919d)

Performance

• DB indexes, connection pool, request caching, SQL reminders filter (e05f11d)

Miscellaneous

• add app health check endpoint and Docker healthcheck (#89) (cf413ed)
• add CODEOWNERS, Dependabot, CodeQL, SECURITY.md, CONTRIBUTING.md (f726f11)
• add concurrency groups to pr-checks and docker-publish (#95) (90b34b7)
• add Dependabot auto-merge for patch and minor updates (#81) (1f451dd)
• add Docker memory limits and wire Sentry env vars (#85) (19b5719)
• add husky + lint-staged + commitlint pre-commit enforcement (#77) (26ff8d3)
• add PR auto-labeller (area from file paths, type from title prefix) (a639a36)
• add release helper workflow (#97) (ffadf14)
• add Release Please and Codecov automation (#105) (063d7a3)
• add Sentry error tracking (#79) (8660a23)
• add Trivy container image vulnerability scan (#83) (04a6508)
• add Vitest unit tests (repo advisory item 1) (#75) (a62dca4)
• allow Release Please to use optional PAT for PR creation (6ca0401)
• archive old CHANGELOG entries [changelog-archive] (#132) (99d856c)
• bump version to 1.3.2 for CI and Docker registry fixes (5b9cb0c)
• bump version to 1.3.2 for CI and Docker registry fixes (#72) (9418805)
• bump version to 1.3.3 (a088869)
• bump version to 1.3.4 and compact CHANGELOG (ebc1629)
• bump version to 1.3.5 (85aee71)
• Compact CHANGELOG.MD to legacy file (#139) (85fdef9)
• Development → main (v1.3.3) (#73) (b984d14)
• Development → main (v1.3.4) (#98) (15149f8)
• Development → main (v1.3.5) (#103) (1a04ec6)
• disable auto-delete branches; clean up dependabot branches on merge (94e0c38)
• migrate Docker registry to GHCR with docs-only skip (#63) (ffe52f5), closes #62
• migrate Docker registry to GHCR with docs-only skip (#65) (27b19b9)
• phase 8 docs and changelog archive workflow (d965bd7)
• release 1.4.0 (#131) (f983acc)
• replace Closes with Related to in PR template to prevent auto-close (e148ae5)
• revert all PR review fixes to restore stable 4bcb6fc (87b9c46)
• sync Development → main (v1.3.5) (#106) (b3ba051)
• sync GEMINI.md from CLAUDE.md (abbc322)
• sync GEMINI.md from CLAUDE.md (95b2a74)
• sync GEMINI.md from CLAUDE.md [gemini-sync] (#135) (747e958)
• tune Release Please (skip root changelog, sync Dev, docs) (e2c5f0d)
• wire Release Please manifest config in workflow (47e19ec)

Documentation

• add bot-comment review step to PR workflow memory (3b43e47)
• add MIT licence (93adf22)
• add version numbers to V2 phase table (f07742b)
• overhaul CLAUDE.md, memory files, CI checks, and GEMINI mirror (a27190d)
• pre-launch repo polish (#150) (428eb12)
• refresh README for public launch (#68) (c1497cb)
• refresh README for public launch with screenshots and badges (#67) (66f2a93)
• releases only required for code changes, not docs-only pushes (9229760)

---

This PR was generated with Release Please. See documentation.

Summary by CodeRabbit

• Chores
  • Version bumped to 1.4.1

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: fb024df6-6890-4c66-9ce9-6d105246c1c7

📥 Commits

Reviewing files that changed from the base of the PR and between c108948 and e0a95ed.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• .github/release-please-manifest.json
• package.json

---

📝 Walkthrough

Walkthrough

Bump package version from 1.4.0 to 1.4.1 in both .github/release-please-manifest.json and package.json; no other code or public API changes.

Changes

Version Bump

Layer / File(s)	Summary
Sync release-please and package.json versions .github/release-please-manifest.json, package.json	Root version fields updated from 1.4.0 → 1.4.1 in the Release Please manifest and npm package manifest.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• dbwg2009/Noted#105: The main PR’s version bump updates package.json and .github/release-please-manifest.json (the Release Please-controlled version), which directly overlaps with the retrieved PR’s addition/seeding of the same Release Please manifest/versioning setup.
• dbwg2009/Noted#151: Both PRs update the same version fields in .github/release-please-manifest.json and package.json (root/package manifest version bump).
• dbwg2009/Noted#106: The main PR’s version bump changes (.github/release-please-manifest.json root version and package.json version) overlap directly with the retrieved PR’s release/version sync edits to the same fields.

Suggested labels

autorelease: pending

Suggested reviewers

• dbwg2009

Poem

🐰 I nudged the numbers, swift and bright,
From one-four-oh to one-four-one tonight.
Manifest and package, in tidy tune,
A tiny hop beneath the moon.
Ready now for the release balloon!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description deviates significantly from the template. It lacks 'What', 'Why', 'Changes', and 'Testing' sections; instead, it provides an autogenerated changelog from Release Please.	Follow the repository's PR template by adding concise 'What', 'Why', 'Changes', and 'Testing' sections. The autogenerated changelog can be included as additional context, but core template sections are required.
Title check	⚠️ Warning	The PR title states 'chore: release 1.4.1' but the actual changes update the version from 1.4.0 to 1.5.0, not 1.4.1. The title is misleading and does not match the changeset.	Update the PR title to 'chore: release 1.5.0' to accurately reflect the version bump in the changeset.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	This is an automated Release Please PR containing only version bumps; no linked issues have coding requirements that apply. The PR objectives reference resolved issues (#128, #69, #62) whose changes were already shipped on main before this release tag.
Out of Scope Changes check	✅ Passed	All changes are in-scope: only version bumps in .github/release-please-manifest.json and package.json, which are standard for Release Please release commits.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch release-please--branches--main--components--noted

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[codacy-production]

Pull Request Overview

The project version is correctly updated to 1.5.0 across package.json, package-lock.json, and the Release Please manifest. Codacy analysis indicates the changes are up to standards with no new issues introduced. The main concern is the absence of a CHANGELOG.md update, which is standard for Release Please workflows to ensure release notes are persisted in the repository. Additionally, an automated consistency check for version strings was not detected.

About this PR

• The PR diff does not contain an update to a CHANGELOG.md file. In a standard Release Please workflow, the changelog is expected to be updated to reflect the features and fixes included in version 1.5.0.

Test suggestions

• Verify version string consistency across package.json, package-lock.json, and the release manifest

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify version string consistency across package.json, package-lock.json, and the release manifest

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

🤖 Created releases:

• v1.4.1

🌻