Skip to content
Back to home

Changelog

What's new in Shipnative

All notable changes to Shipnative are documented here. We follow Semantic Versioning.

v1.0.0-rc14LATEST
May 6, 2026

Web Scroll Fix on Home & Profile

fixed
  • `HomeScreen` and `ProfileScreen` weren't scrollable on web — content past the first viewport was unreachable. Both screens wrapped their `ScrollView` in a `LinearGradient` with `flex:1 + minHeight:100vh`, and stacking two `100vh`-floor layers above the `ScrollView` left it unable to constrain its own height on web. The other tab screens (Components, Paywall) used the shared `<Container>` helper and weren't affected. Moved the gradient to an absolute-positioned background so the `ScrollView` is a direct child of the screen container, matching the pattern the rest of the app already uses.
  • Updated the screen template in `vibe/DESIGN_SYSTEM.md` with the corrected pattern and a note about the web-scroll gotcha, so it doesn't propagate to new screens.
v1.0.0-rc13
May 5, 2026

Code-Quality Pass

changed
  • OAuth redirect allow-list in `convex/auth.ts` falls back to the `shipnative://` default for any URL outside the dev-scheme allow-list and the `SITE_URL` env var.
  • OAuth CSRF state validation unified across both Convex and Supabase callbacks via a shared `consumeOAuthState` prologue. Convex social-auth hook now creates and clears state to match the Supabase path.
  • Private user preferences (`dark_mode_enabled`, `notifications_enabled`, push/email toggles, onboarding completion) moved off the world-readable `profiles` table onto the RLS-locked `user_preferences` table — new migration with backfill, plus `services/preferencesSync.ts` and both `auth/authHelpers.ts` variants updated.
  • Convex `widgets.getData` argument tightened — `table` is a `v.union(v.literal(...))` instead of a free-form string, with an exhaustive `never`-checked default. Unused `filters: v.any()` removed.
  • `deleteAccount` cascades through `posts`, `comments`, `notifications`, `files`, `presence`, `pushTokens`, and `profiles` (each via `withIndex`, in parallel) before deleting the user.
  • Rate limiter keys signin attempts on `installId:email` instead of just `email`, sourced from `expo-application` with an MMKV-cached fallback.
  • `filterByOwner` helper in `convex/lib/security.ts` now takes an index name and uses `withIndex` instead of a full-table `.filter()` scan.
  • OAuth callback `console.log` calls and the root `/` debug route in Convex are dev-only.
added
  • `convex/posts.ts` — first-class `list`/`create`/`remove` mutations and queries used by the demo screen, mirroring the security patterns from `convex/users.ts` (`requireAuth`, `withIndex`, `requireOwnership`).
  • `syncGoalPreference` helper in `services/preferencesSync.ts` for the new onboarding goal capture.
  • MMKV storage hook split into `utils/storage/index.native.ts` and `utils/storage/index.web.ts` so platform resolution is automatic — no more conditional hooks or `eslint-disable`.
  • `destroySupabaseAuthAutoRefresh()` export on `services/supabase.ts` for tests / env-switch flows.
fixed
  • Both `DataDemoScreen` variants compile cleanly without `as any` escape hatches and are fully translatable. Supabase variant types its client via the generated `Database` type; Convex variant imports `api.posts.*` directly. Convex variant memoizes its row component to match the Supabase sibling.
  • `OnboardingScreen` goal step now captures the user's selection. Three goal rows toggle a `selectedGoal` state instead of all firing `handleNext`; a single Continue button persists the choice via `syncGoalPreference` before advancing. Selected row gets a primary border + check icon.
  • `HomeScreen` notification toggle now persists across devices — `togglePush()` reads the active `userId` from the auth store itself, so callers don't need to thread it through.
  • `HomeScreen` stat cards show real values from existing stores — unread count, total notifications, plus Pro/Free plan — instead of placeholder numbers.
  • `Progress` indeterminate animation rewritten to `withRepeat(withTiming(...), -1, false)` with a `cancelAnimation` cleanup, replacing the JS `setInterval` that re-issued `withTiming` every cycle.
  • `useEmailVerificationPolling` no longer tears down and recreates its interval on every successful poll — effect deps trimmed to `[isEmailConfirmed, user?.id]`, with `initialize` captured via a stable ref.
  • `EmailVerificationScreen` `handleBackToLogin` awaits `signOut()` before navigating, so AppNavigator can't re-route the user back mid-flight.
  • `subscriptionStore` circular-import workaround replaced with a direct ES import. `revenueCat` is now explicitly typed as `SubscriptionService` at its export site.
  • `services/supabase.ts` AppState listener is tracked in a module variable and removed before re-registering — mirrors the pattern from `services/backend/supabase/client.ts`.
  • Theme tokens replace hardcoded numerics on `HomeScreen` and `EmailVerificationScreen`.
  • `setup.ts` exits non-zero on prerequisite failure in non-interactive mode, so CI runs that should hard-fail no longer succeed silently.
v1.0.0-rc12
May 4, 2026

CI Lint Fixes

fixed
  • Resolved 11 ESLint errors blocking `lint:check` in CI — `import/order` violations in `app.tsx`, `hooks/useAuth.ts`, and `services/preferencesSync.ts`, plus `prettier/prettier` formatting in `useRealtimeMessages.ts`, `AuthCallbackScreen.tsx`, and `PaywallScreen.tsx`.
v1.0.0-rc11
April 28, 2026

Auth Reliability, Backend Cleanup & DX Fixes

fixed
  • Convex magic-link auth now works end-to-end in the shared passwordless screens, including send, resend, and OTP verification.
  • Supabase mobile OAuth callbacks and deep links now use the configured app scheme instead of assuming `shipnative`.
  • Autoconfirmed signups no longer get pushed into Email Verification because of stale pre-submit auth state.
  • Non-English locale files now inherit missing keys from English, restoring out-of-the-box typecheck health.
  • The default `yarn dev` flow no longer depends on a machine-specific iOS simulator UUID.
  • `clearPendingSyncs()` runs on logout, so MMKV preference writes from one session can't leak into the next user's session.
changed
  • `backend.db` is Supabase-only on the Convex provider - it now throws a clear error pointing customers at `useQuery` from `convex/_generated/api`.
  • Realtime hooks (`useRealtimeMessages`, `useRealtimePresence`, `useRealtimeSubscription`) are no-ops on Convex - `useQuery` is already reactive, so there's nothing to bridge.
  • Passwordless auth screens delegate provider-specific behavior through the shared auth hook for Supabase and Convex.
  • Runtime app-scheme resolution is centralized so setup-time scheme changes stay aligned across OAuth and deep linking.
added
  • `requireAdmin(ctx)` helper in `convex/lib/security.ts` for role-changing or destructive mutations. `setUserRole` is the canonical example, including a last-admin lockout guard.
  • Subscription trust boundary documented: `isPro` is a UX cache, server functions should verify entitlement against RevenueCat or a webhook-synced server table. See `vibe/MONETIZATION.md` → Trust Boundary.
  • `private_profiles` example migration showing the canonical owner-only sibling table pattern for storing PII away from the public `profiles` table.
  • `vibe/ERROR_HANDLING.md` - explains what `ErrorBoundary` catches (render errors only) and points at Sentry for async / event-handler coverage.
  • `patches/README.md` - documents `@bittingz+expo-widgets+3.0.2.patch` and how to add or remove patches.
  • Shared `appScheme` utility for building runtime-safe mobile auth redirects.
v1.0.0-rc10
March 2026

Security, Performance & Reliability Audit

fixed
  • OAuth CSRF bypass: callback now requires a valid state parameter - omitting it no longer skips verification.
  • Memory leak in realtime messages: typing timeout cleanup no longer holds stale references across re-renders.
  • Rules of Hooks violation in onboarding: `useMemo` moved out of a conditional block to prevent runtime crashes.
  • Translation keys for login and error screens were inside a demo-removal block - moved to production scope.
  • Sentry now initializes before app startup so early initialization errors are actually captured and reported.
  • iOS password autofill: confirm password field no longer triggers a second strong-password suggestion.
  • Environment variable reading uses nullish coalescing (`??`) so falsy values like `"0"` are no longer silently dropped.
  • Convex auth sync no longer creates a fake user with id `"pending"` - it stays in loading state until the real user document exists.
  • Fire-and-forget preference syncs now report failures to Sentry instead of silently swallowing errors.
  • Duplicate i18n initialization removed - single synchronous init at module load.
changed
  • Root-level `ErrorBoundary` added - unhandled errors now show a recovery screen instead of a white page.
  • Zustand auth selectors converted to proper selector functions for correct memoization.
  • Realtime presence hook stabilized - `customData` changes are now compared by value, not reference.
  • Rate limiter fails open on internal errors (client-side defense-in-depth) with full error logging.
  • Certificate pinning misconfiguration now throws in production instead of logging silently.
  • OAuth state consumption is now atomic - read-and-clear in a single call to prevent race conditions.
  • API timeout is now configurable via `EXPO_PUBLIC_API_TIMEOUT`.
  • All screens are fully internationalized - `WelcomeScreen`, `LoginScreen`, and `PaywallScreen` hardcoded strings were replaced with translation keys.
added
  • AuthErrorCode type and `createAuthError` helper for typed error handling across auth flows.
  • `Logger.trace()` for granular debug output below the debug level.
v1.0.0-rc9
February 17, 2026

Component Stability, Performance & DX Fixes

fixed
  • FilePicker document filtering now uses correct extension-to-MIME mapping for common formats like PDF, DOCX, and XLSX.
  • TextField clear behavior now works correctly in both controlled and uncontrolled usage.
  • DatePicker iOS datetime flow now honors cancel/confirm semantics so canceled edits are not committed.
  • OTPInput auto-focus behavior no longer re-schedules focus repeatedly during rerenders.
  • Toast lifecycle now uses effect-based timer cleanup to prevent stale animations and unexpected dismiss behavior.
  • Vertical Divider rendering now consistently displays as a line instead of a square.
changed
  • Chart components (Line, Bar, Pie) now gracefully handle empty, single-point, and zero-total datasets.
  • Avatar shimmer animation lifecycle moved out of the render path for cleaner performance behavior.
  • Button now wires through `accessibilityLabel` for improved accessibility and API consistency.
v1.0.0-rc8
February 17, 2026

Logic and Performance Hardening

fixed
  • Subscription lifecycle reliability: subscription listeners now clean up correctly and no longer duplicate on repeated initialization.
  • Sentry side effects: SDK is now lazy-loaded during init to avoid module-load timers and open-handle test noise.
  • Screen auto preset stability: removed render-phase state updates in auto-scroll logic.
  • Auth and paywall UX stability: transient timers now clean up on unmount in paywall and email/OTP verification flows.
  • Loading screen cleanup: animation loops and delayed dot animations now stop cleanly on unmount.
  • Testing reliability: fixed async `act` usage in subscription integration tests.
changed
  • Zustand subscription performance: switched key screens/hooks to selector-based subscriptions to prevent broad rerenders.
  • App cleanup path: subscription store now has explicit cleanup lifecycle handling alongside notification cleanup.
v1.0.0-rc7
January 2026

Convex Backend Support & UI Refinements

added
  • Convex backend support as an alternative to Supabase with auth, realtime, and data storage.
  • Backend provider abstraction: switch between Supabase and Convex via `EXPO_PUBLIC_BACKEND_PROVIDER`.
  • Convex auth support for Google and Apple native mobile OAuth flows.
  • Provider-specific data fetching examples in `DataDemoScreen`.
  • Setup wizard option to remove unused backend code after selecting a provider.
  • New `vibe/BACKEND_PATTERNS.md` guide for unified vs native APIs.
changed
  • Unified `useAuth()` now works identically across Supabase and Convex backends.
  • Badge component refreshed with subtle borders and pill styling.
  • Card component updated with larger radius, more padding, and tighter typography.
  • iOS widgets received an aurora-themed visual refresh.
  • Account deletion is now backend-agnostic.
  • Preferences sync works with both backends.
fixed
  • Convex auth provider ResendOTP configuration.
  • TypeScript issues in realtime presence and broadcast hooks.
  • Missing Convex package dependencies in both the root and app workspace.
v1.0.0-rc6
January 2026

Realtime Features, CI/CD & UI Components

added
  • Supabase realtime hooks: `useRealtimeMessages`, `useRealtimePresence`, and `useRealtimeSubscription`.
  • GitHub Actions CI/CD with deploy and preview workflows.
  • Toast provider with variants, actions, and animations.
  • Reusable modal component plus `AlertModal` helper.
  • Native iOS and Android widgets with real Supabase HTTP calls.
  • Profile-level widget toggle via feature flag.
changed
  • Enhanced components including `TextField`, `Skeleton`, `Progress`, `Button`, and `Avatar`.
  • Screen polish for `ProfileScreen` and `HomeScreen`.
  • Expanded documentation for realtime hooks and CI/CD.
  • Updated `AGENTS.md` directory map with hooks, types, and workflow references.
notes
  • Realtime hooks work in mock mode without Supabase credentials.
  • CI/CD workflows support Vercel, EAS Build, and manual artifact uploads.
  • All styling uses theme tokens and remains fully typed with dark mode support.
v1.0.0-rc5
January 4, 2026

Profile Editing, Auth Stability & Preferences Sync

added
  • Cross-device preferences sync for theme and notification settings.
  • Dark mode sync for the `dark_mode_enabled` preference.
  • Push notification sync for `push_notifications_enabled`.
  • Automatic preference restore on login.
fixed
  • Edit Profile save button hanging due to `Supabase.updateUser` deadlock.
  • Password reset hanging on `updateUser` calls via timeout handling.
  • Auth state deadlocks caused by `USER_UPDATED` events triggering `getUser()`.
changed
  • Optimistic profile updates for instant feedback.
  • Fire-and-forget server updates while the UI responds immediately.
  • Preferences sync centralized in `preferencesSync.ts`.
v1.0.0-rc4
January 4, 2026

Google Sign-In Alignment & GDPR Account Deletion

added
  • Native Google Sign-In via `@react-native-google-signin/google-signin` on iOS and Android.
  • iOS scheme auto-setup generated from `EXPO_PUBLIC_GOOGLE_IOS_CLIENT_ID`.
  • Reliable Supabase auth persistence via SecureStore on iOS and Android.
  • GDPR-compliant account deletion with cryptographic JWT verification.
  • Optional RevenueCat and PostHog deletion integrations.
  • Node 20 tooling via Volta pinning.
  • Patch-package fix for `@bittingz/expo-widgets`.
changed
  • Safer Google auth defaults by moving the client secret into Supabase.
  • Simplified social-login docs aligned to official Supabase guidance.
  • Graceful degradation when third-party deletion services are not configured.
  • Improved invalid refresh-token handling and sign-out behavior.
  • Added an upgrade guide and AI merge prompt for customized apps.
v1.0.0-rc3
December 28, 2025

Documentation Audit & Schema Sync

changed
  • Updated backend docs to reflect `supabase-schema.sql` tables and naming.
  • Added a dedicated Backend & Database guide and fixed broken Mintlify links.
  • Verified the mock Supabase implementation against documented patterns.
fixed
  • Minor landing page layout inconsistencies.
v1.0.0-rc2
December 27, 2025

AGENTS.md Standard Migration

added
  • Full adoption of the AGENTS.md AI context standard.
  • Localized instructions for app, landing page, and docs directories.
  • Native `@AGENTS.md` import support for faster AI context loading.
changed
  • Replaced legacy vibe-folder messaging with AGENTS.md branding.
  • Synchronized global documentation around the same context hierarchy.
v1.0.0-rc1
December 26, 2025

Reliability & Security Update

added
  • PKCE OAuth flow support across all social providers.
  • In-app social login via `expo-web-browser`.
  • Network diagnostics that detect and warn when a Supabase project is paused.
  • Comprehensive neutral/slate design palette.
fixed
  • Subscription store staleness when logging out or switching accounts.
  • Deep linking coverage for all core screens and tab routes.
  • Mock authentication support for code-to-session flows.
v1.0.0-beta
December 1, 2025

Initial Beta Release

added
  • Complete React Native starter kit with Expo SDK 54.
  • AGENTS.md-based AI context management.
  • Mock mode for development without API keys.
  • Supabase authentication with social logins.
  • RevenueCat subscription management for iOS, Android, and Web.
  • PostHog analytics integration.
  • Sentry error tracking.
  • Push notifications support on iOS and Android.
  • Dev Dashboard for component testing.
  • CLI generators for screens and components.
  • Comprehensive documentation site.
  • Unistyles 3.0 styling system.
  • Zustand state management.
  • React Query for data fetching.
  • React Navigation configuration.
  • TypeScript strict mode.
  • Dark mode support.
  • Onboarding, Paywall, Profile, and Settings screens.

Want to see what's next?

Check out our roadmap for upcoming features and improvements.

View Roadmap
Shipping every week

This pace is what you're buying.

Every line above lands in your repo too. One license. No subscriptions, no upgrade fees, no expiry.

  • $99 one-time, lifetime updates
  • Unlimited apps
  • Full source on GitHub
Get every update — $99