LOW: Auto-generated encryption key stored in same SQLite database as encrypted data
MEDIUM: TrackerPage.jsx is 2386 lines with 44 hooks - maintainability and re-render risks
closed 0.34.3
MEDIUM: 10x .catch(() => {}) silently swallowing errors in client code
MEDIUM: Floating-point REAL type for monetary amounts in SQLite
HIGH: No explicit JSON body size limit on express.json() - default 100KB
Add Bill link should always be visible at top, not only under Tracker tab
HIGH: No process-level unhandledRejection/uncaughtException handler
Overview page — Upcoming bills field hard to read
HIGH: Payment UPDATE/DELETE lack user_id in WHERE clause (defense-in-depth)
HIGH: SQL injection surface in analyticsService.js - string interpolation in WHERE clause
Both patterns are safe and no changes are needed. The report confused "string interpolation of SQL fragments" (safe, it's just building the query structure) with "string interpolation of user…