Upgrade the JavaScript bundles inlined into the offline HTML export:
DOMPurify 3.1.7 -> 3.4.9 (clears 10 OSV advisories), marked 12.0.2 -> 18.0.5,
highlight.js 11.9.0 -> 11.11.1. mermaid 10.9.6 and MathJax 3.2.2 are kept
(no known CVEs) and now guarded rather than chased.
Pin every bundle in assets/web_export/MANIFEST.json (npm name, version, source,
sha256, licence) and add tool/check_bundled_js.dart: it verifies each file
still matches the manifest hash and queries the OSV database for known
vulnerabilities. Wired as `make deps-check`, into `check-full`, and into CI
next to the licence check. THIRD_PARTY_NOTICES.md updated for the now-standalone
DOMPurify bundle.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
New export target: a single offline .html rendered from the deck's Marp
Markdown. Bundles (inlines) marked, highlight.js, MathJax (tex-svg, no font
files) and mermaid, so code highlighting, LaTeX math and mermaid diagrams all
render in any browser with no network access.
- MarpHtmlService splits the deck on `---`, strips front-matter, and inlines
the vendored libraries (assets/web_export/) with a </script> breakout guard.
The asset loader is injectable for testing.
- ExportFormat.html wired through ExportService (no rasterization needed),
the export dialog (new button, skips slide rendering) and app_shell
(passes the generated Markdown). Export dialog is now scrollable.
Note: rendered with marked, not Marp Core, so theme fidelity differs from the
in-app preview / PDF / PPTX; the win is a portable, dependency-free deck.
Tests: slide splitting, library inlining, breakout escaping, and an
end-to-end .html export.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
