
Conversation

@renovate
Contributor

@renovate renovate bot commented Oct 17, 2025

This PR contains the following updates:

Package: mammoth
Change: 1.9.1 -> 1.11.0

GitHub Vulnerability Alerts

CVE-2025-11849

Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (an r:link attribute instead of an embedded r:embed). The library resolves the URI to a file path and, after reading it, encodes the content as base64 and includes it in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed, or cause excessive resource consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.


Release Notes

mwilliamson/mammoth.js (mammoth)

v1.11.0

v1.10.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
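The advisory above describes images referenced through r:link, whose targets live in the docx package's relationship part (word/_rels/document.xml.rels) rather than inside the zip. The following is an added example, not code from this PR or from mammoth: given the contents of that relationship part, it flags image relationships marked TargetMode="External" whose target is not an http(s) URL, so a conversion service can reject such documents before calling the converter. The function names and the sample relationship part are constructed for this example.

```javascript
// Added example (not part of this PR or of mammoth): screen a .docx's relationship
// part for externally linked images before the file is handed to a converter.
// Function names and the sample part below are constructed for this example.

// Node has no built-in XML parser, so <Relationship .../> tags are picked out with
// a regex; attribute order is not assumed. The \b excludes the <Relationships> root.
const RELATIONSHIP_TAG = /<Relationship\b([^>]*)\/?>/g;
const ATTRIBUTE = /(\w+(?::\w+)?)="([^"]*)"/g;
const IMAGE_TYPE =
  'http://schemas.openxmlformats.org/officeDocument/2006/relationships/image';

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTRIBUTE)) attrs[m[1]] = m[2];
  return attrs;
}

// Lists every image relationship whose target lives outside the package
// (TargetMode="External"). Only absolute http(s) URLs are accepted; any
// other target could be resolved by a converter as a local file path.
function scanImageRelationships(relsXml) {
  const findings = [];
  for (const m of relsXml.matchAll(RELATIONSHIP_TAG)) {
    const a = parseAttributes(m[1]);
    if (a.Type !== IMAGE_TYPE || a.TargetMode !== 'External') continue;
    const target = a.Target || '';
    const isHttp = /^https?:\/\//i.test(target);
    findings.push({ id: a.Id, target, flagged: !isHttp });
  }
  return findings;
}

// True when no externally linked image could map to a file on the converting host.
function isSafeToConvert(relsXml) {
  return scanImageRelationships(relsXml).every((f) => !f.flagged);
}

// Constructed sample of word/_rels/document.xml.rels: an embedded image (internal
// target), an external web image, and an external link to a device file.
const SAMPLE_RELS = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="${IMAGE_TYPE}" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="${IMAGE_TYPE}" Target="https://example.com/logo.png" TargetMode="External"/>
  <Relationship Id="rId3" Type="${IMAGE_TYPE}" TargetMode="External" Target="/dev/zero"/>
</Relationships>`;

console.log(scanImageRelationships(SAMPLE_RELS), 'safe:', isSafeToConvert(SAMPLE_RELS));
```

In a real pipeline the relationship part is read from the docx zip before conversion; a flagged result is a reason to reject the upload rather than to convert it.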

@roomote
Contributor

roomote bot commented Oct 17, 2025


Review Update

This PR still mixes the mammoth security update with extensive unrelated feature changes.

Issues Found

  • PR mixes security update with unrelated feature changes (Google Tag Manager migration, IPC messaging enhancements, API provider improvements, UI/UX updates, i18n updates, CHANGELOG entries). Consider separating into distinct PRs for easier review and validation.

Security Update

✅ The mammoth dependency update from 1.9.1 to 1.11.0 correctly addresses CVE-2025-11849 (Directory Traversal vulnerability).

Additional Changes

The PR includes:

  • CHANGELOG entries for versions 3.32.1, 3.32.0, 3.31.3, 3.31.2, 3.31.1
  • Google Analytics to Google Tag Manager migration
  • New IPC SendMessage command
  • API provider enhancements (error logging, null checks, OpenRouter custom URL support)
  • ClineProvider API handler rebuild optimization
  • UI/UX improvements (task header, todo lists, share button, icons)
  • Comprehensive test additions
  • Multiple i18n locale updates
  • New release images

These additions should be reviewed separately from the security fix.


Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Oct 17, 2025
@renovate renovate bot force-pushed the renovate/npm-mammoth-vulnerability branch from 8d46845 to f1d157d Compare October 21, 2025 10:07
mammoth:
specifier: ^1.9.1
version: 1.9.1
version: 1.11.0
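Review bot: the resolved version moves from 1.9.1 to 1.11.0, but the `specifier: ^1.9.1` line above it is unchanged, so the manifest range still admits every release from 1.9.1 upward, including the versions inside the CVE-2025-11849 range; any install that regenerates the lockfile could resolve back to an affected version. Consider raising the specifier to ^1.11.0 together with the lockfile change so the fixed floor is enforced by package.json as well.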
Contributor


This PR is labeled as a security update for the mammoth dependency, but includes substantial unrelated changes (new reviewer page, docs-extractor refactoring, Task.ts behavioral changes, CHANGELOG updates, locale updates). Mixing security updates with feature changes makes it harder to review and validate the security fix. Consider separating these into distinct PRs: one for the security update only, and separate PRs for the feature additions.

Contributor

@roomote roomote bot left a comment


Review complete. This PR mixes security updates with unrelated feature changes, which should be separated for clearer review and validation.

@daniel-lxs daniel-lxs moved this from Triage to PR [Needs Review] in Roo Code Roadmap Oct 29, 2025
@hannesrudolph hannesrudolph added PR - Needs Review and removed Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. labels Oct 29, 2025
@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Nov 6, 2025
@renovate renovate bot force-pushed the renovate/npm-mammoth-vulnerability branch from f1d157d to 3219209 Compare November 6, 2025 21:48
@roomote
Contributor

roomote bot commented Nov 7, 2025


Review complete. This is a clean security update that correctly addresses CVE-2025-11849 by updating mammoth from 1.9.1 to 1.11.0. The PR only contains lockfile changes with no code modifications. No issues found.

Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.

@renovate renovate bot force-pushed the renovate/npm-mammoth-vulnerability branch 2 times, most recently from c6b4f59 to 348dc7f Compare November 11, 2025 01:03
@renovate renovate bot force-pushed the renovate/npm-mammoth-vulnerability branch from 348dc7f to ab9f3bc Compare November 18, 2025 14:46
@renovate renovate bot force-pushed the renovate/npm-mammoth-vulnerability branch from ab9f3bc to ed54000 Compare December 3, 2025 16:00

Labels

PR - Needs Review size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

Status: PR [Needs Review]
