v1.1.0 - Security Audit & Dependency Updates

What's Changed

Dependency Updates (90+ packages)

• Next.js 16.2.0-canary.69, React 19.3.0-canary, TypeScript 6.0.0-dev.20260301
• Prisma 7.5.0-dev.32, Biome 2.5.0, Turborepo 2.8.12
• Hono 4.12.3, Wrangler 4.68.0, Vitest 4.1.0-beta.5, KaTeX 0.16.33
• Three.js 0.183.2, jose 6.1.3 (new dependency for JWT verification)

Security Hardening

• JWT verification: WebSocket auth now uses jose.jwtVerify() with signature verification (was base64 decode)
• IDOR fixes: Worksheet queries enforce ownership; unshareWorksheet validates shareId
• XSS prevention: Removed dangerouslySetInnerHTML for plain-text content
• Error leak prevention: Worker error responses no longer expose internal err.message
• Atomic counters: Forum post and worksheet view counters use atomic Prisma operations
• Profile fix: Corrected authorId → userId field reference

Math Engine Correctness

• modPow and lucasLehmer rewritten with BigInt (overflow-safe for all inputs)
• RSA key generation fixed for sizes >= 64 bits (randomBigIntBelow() helper)
• Limits: copy-paste bug fix (v1 → v2) and infinite recursion guard

Performance

• Iterative Tarjan SCC (no stack overflow on large graphs)
• O(1) topological sort dequeue (was O(V²) with Array.shift())
• Lazy-loaded Lorenz3DRenderer via next/dynamic
• Stack-safe Math.min/max with .reduce() for large arrays
• Rate limiter skips KV for unlimited tiers

Code Quality

• Number.isFinite()/Number.isNaN() across 12 files
• node: import protocol for Node.js builtins
• Removed redundant Prisma index, exported FavoriteType enum
• Sentry env vars in Turbo build cache keys

Full Changelog: v1.0.0...v1.1.0