…notifications, and buckets support
- Added optional `validator` function to prop definitions for value validation.
- Introduced lifecycle hooks: `beforeMount`, `beforeUpdate`, and `onError` for better component management.
- Updated documentation to reflect new prop validation and lifecycle features.

feat: extend reactive module with watch and readonly utilities
- Implemented `watch` function to observe signal changes with access to old values.
- Added `readonly` function to create read-only views of signals.
- Enhanced utility functions with type guards for signals and computed values.

fix: improve security measures in sanitize function
- Added checks to remove dangerous tags even if explicitly allowed.
- Implemented protections against DOM clobbering via reserved IDs and names.
- Enhanced URL normalization to prevent bypass attempts using Unicode characters.

feat: introduce new methods in BQueryElement for DOM manipulation
- Added `wrap`, `unwrap`, `replaceWith`, and `scrollTo` methods for easier element manipulation.
- Implemented `delegate` method for efficient event handling on child elements.

test: add comprehensive tests for new features and security enhancements
- Created tests for new methods in BQueryElement.
- Added tests for `watch` and `readonly` functionalities in the reactive module.
- Implemented tests for security improvements in the sanitize function and prototype pollution prevention in utils.
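The three sanitizer checks named in the commit message above (dangerous tags dropped even when allow-listed, reserved id/name values that would clobber DOM properties, and URL scheme comparison after Unicode normalization), as an added example. This is not the project's `sanitize.ts`; the tag list, the reserved-name list and every function name here are this example's own assumptions, written as plain string functions so the block runs under Node without a DOM.

```javascript
// Added example, not bQuery's own sanitizer. Lists and helper names are assumptions.

// Tags removed even when a caller's allow-list names them explicitly.
const ALWAYS_DROP = new Set([
  'script', 'style', 'iframe', 'object', 'embed', 'base', 'meta', 'link', 'svg', 'math',
]);

// Returns the allow-list a caller asked for, minus the tags that are never permitted.
function effectiveAllowList(requested) {
  const out = new Set();
  for (const tag of requested) {
    const t = String(tag).toLowerCase();
    if (!ALWAYS_DROP.has(t)) out.add(t);
  }
  return out;
}

// id/name values that would shadow document or form properties once the fragment
// is inserted (DOM clobbering): <form id="cookie"> turns document.cookie into an
// element. Stored lowercased and compared case-insensitively (assumed list).
const RESERVED_NAMES = new Set([
  'cookie', 'domain', 'location', 'body', 'head', 'title', 'referrer', 'forms',
  'documentelement', 'createelement', 'getelementbyid', 'queryselector',
  'write', 'writeln', 'open', 'close', 'submit', 'action', 'method', 'elements',
  'nodename', 'parentnode', 'children', 'attributes', 'innerhtml', 'constructor',
]);

function isClobberingName(value) {
  return RESERVED_NAMES.has(String(value).toLowerCase());
}

// Fold the tricks browsers tolerate in a scheme before comparing it: NFKC maps
// full-width letters ("ｊａｖａｓｃｒｉｐｔ:") and long s to ASCII, then control
// characters, zero-width characters and whitespace are stripped and the result
// lowercased. Assumes the value is already entity-decoded, as an attribute read
// from a parsed DOM is. The stripping is broader than what the URL parser does
// (it only drops tab/newline anywhere and C0 at the ends), so it rejects more,
// never less. The normalized string is used for the decision only; the original
// value is what gets kept.
function normalizeUrl(raw) {
  return String(raw)
    .normalize('NFKC')
    .replace(/[\u0000-\u0020\u007f-\u009f\u00ad\u200b-\u200f\u2028\u2029\ufeff]/g, '')
    .toLowerCase();
}

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

function isSafeUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  if (!m) return true; // relative, fragment-only or otherwise scheme-less value
  return SAFE_SCHEMES.has(m[1]);
}

const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Attribute filter combining the checks: drops inline handlers, URL attributes
// with an unsafe scheme, and id/name values that would clobber the DOM.
function filterAttributes(attrs) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    const n = name.toLowerCase();
    if (n.startsWith('on')) continue;
    if (URL_ATTRS.has(n) && !isSafeUrl(value)) continue;
    if ((n === 'id' || n === 'name') && isClobberingName(value)) continue;
    kept[n] = value;
  }
  return kept;
}
```

A real sanitizer applies `filterAttributes` to each element of a parsed fragment (after `effectiveAllowList` has decided which elements survive); the point of normalizing only for the comparison is that a rejected `javascript:` link cannot be smuggled past the scheme check with full-width letters or embedded control characters, while accepted values are stored untouched.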
Pull request overview
This pull request introduces version 1.1.0 of bQuery.js, a minor version update that adds new DOM manipulation methods, enhanced reactive primitives, extended component lifecycle hooks, and significant security improvements. The changes also include comprehensive documentation updates and GitHub Actions workflow enhancements for automated documentation deployment.
Changes:
- Added 7 new DOM manipulation methods (delegate, wrap, unwrap, replaceWith, scrollTo, serialize, serializeString) to core API
- Introduced 5 new reactive primitives (watch, readonly, untrack, isSignal, isComputed) with TypeScript type support
- Extended component system with 3 new lifecycle hooks (beforeMount, beforeUpdate, onError) and prop validation
- Enhanced HTML sanitizer with protection against SVG/MathML XSS, DOM clobbering, and Unicode bypass attacks
- Updated documentation across all modules to reflect new APIs and modular import paths
- Added GitHub Pages deployment workflow and VitePress configuration for dynamic base URLs
Reviewed changes
Copilot reviewed 29 out of 32 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| src/reactive/signal.ts | Implemented watch, readonly, untrack primitives; optimized observer stack to O(1) operations; added type guards |
| src/core/element.ts | Added wrap, unwrap, replaceWith, scrollTo, delegate, serialize, serializeString methods for enhanced DOM manipulation |
| src/core/collection.ts | Added delegate method for event delegation across element collections |
| src/component/index.ts | Added beforeMount, beforeUpdate, onError lifecycle hooks and validator property for prop validation |
| src/security/sanitize.ts | Extended dangerous tags list, added DOM clobbering protection, enhanced URL normalization with Unicode bypass prevention |
| src/core/utils.ts | Added prototype pollution protection to merge() with isPrototypePollutionKey check |
| tests/*.test.ts | Added comprehensive test suites for new security features, reactive primitives, and DOM methods |
| docs/guide/*.md | Updated all documentation to reflect new features, security enhancements, and corrected import paths |
| package.json | Version bump to 1.1.0 and dependency updates for 2026 |
| .github/workflows/npm-publish.yml | Added docs build and GitHub Pages deployment jobs |
| CHANGELOG.md | Documented all new features, changes, and security fixes for 1.1.0 |
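The `src/core/utils.ts` row above describes a prototype pollution guard in `merge()`; the following added example shows the shape of that check next to the unguarded merge it replaces. It is not the project's code: the helper is named after the review table, but its implementation, the `isPlainObject` test and `unsafeMerge` are this example's own.

```javascript
// Added example, not bQuery's utils.merge(). Function bodies are assumptions.

// The three keys through which a merge can reach Object.prototype.
function isPrototypePollutionKey(key) {
  return key === '__proto__' || key === 'constructor' || key === 'prototype';
}

// Only plain objects are merged recursively; class instances, arrays, Dates
// and functions are assigned by reference.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function merge(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    // Object.keys lists own keys only. JSON.parse('{"__proto__":{}}') yields an
    // OWN key named "__proto__", which is exactly the case the guard exists for.
    for (const key of Object.keys(source)) {
      if (isPrototypePollutionKey(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        // Recurse only into an OWN plain object on the target, never into a
        // value reached through the prototype chain.
        const existing =
          Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
            ? target[key]
            : {};
        target[key] = merge(existing, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// The unguarded pattern, kept for comparison. With source = JSON.parse(
// '{"__proto__":{"polluted":true}}'), target["__proto__"] resolves through the
// accessor to Object.prototype, and the recursive call writes into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      target[key] = unsafeMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
```

Skipping the key is only half the guard: recursing into `target[key]` without an own-property check would still walk into `Object.prototype` for a key like `constructor`, so both the key test and the `hasOwnProperty` test are needed.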
This workflow automatically marks stale issues and pull requests based on inactivity, helping to manage repository maintenance.
Add stale.yml workflow for managing inactive issues and PRs
Add GitHub Actions workflow to summarize new issues
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Add CodeQL analysis workflow configuration
- Updated `beforeUpdate` to accept props for better control during updates.
- Added support for `beforeMount` lifecycle hook.
- Implemented prop validation in component definition.
- Introduced delegated event handling in BQueryElement with `delegate` and `undelegate` methods.
- Expanded security measures by adding more dangerous tags and reserved IDs in sanitizer.
- Added tests for lifecycle hooks and prop validation to ensure correct behavior.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 33 out of 37 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
README.md:194
- This `user-card` example interpolates `props.username` directly into an `html` template that will end up in `innerHTML`, but `html` does not escape or sanitize its values. If `username` ever contains attacker-controlled HTML, following this example will render that payload verbatim in the DOM and allow XSS (e.g., `<script>` or event-handler attributes). Consider updating the docs to show the `safeHtml`/`sanitizeHtml` usage for untrusted props (or otherwise emphasize that `html` must not be used with raw user input) so component templates are safe-by-default.
import { component, html } from '@bquery/bquery/component';
component('user-card', {
props: {
username: { type: String, required: true },
age: { type: Number, validator: (v) => v >= 0 && v <= 150 },
},
// Extended lifecycle hooks
beforeMount() {
console.log('About to mount');
},
connected() {
console.log('Mounted');
},
beforeUpdate(props) {
// Return false to prevent update
return props.username !== '';
},
onError(error) {
console.error('Component error:', error);
},
render({ props }) {
return html`<div>Hello ${props.username}</div>`;
},
});
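The risk the review comment above describes, as an added example that is not bQuery's `html` or `safeHtml` (their signatures are not shown on this page): two tagged templates that build an HTML string, one interpolating values raw the way the README snippet does, one entity-escaping them. The names `rawHtml`, `safeHtml`, `trust` and the hostile username are this example's own; the block runs under Node with no DOM.

```javascript
// Added example, not bQuery's template implementation. Names are assumptions.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Raw interpolation: what a template that feeds innerHTML without escaping does.
function rawHtml(strings, ...values) {
  return strings.reduce(
    (out, s, i) => out + s + (i < values.length ? String(values[i]) : ''),
    '',
  );
}

// Marker for markup that has already been escaped (or is trusted by construction).
class TrustedHtml {
  constructor(value) { this.value = value; }
  toString() { return this.value; }
}
function trust(markup) { return new TrustedHtml(markup); }

// Text values are entity-encoded; TrustedHtml passes through; arrays of either
// are concatenated so nested templates compose.
function renderValue(v) {
  if (v instanceof TrustedHtml) return v.value;
  if (Array.isArray(v)) return v.map(renderValue).join('');
  if (v === null || v === undefined) return '';
  return escapeHtml(v);
}

function safeHtml(strings, ...values) {
  let out = '';
  strings.forEach((s, i) => {
    out += s;
    if (i < values.length) out += renderValue(values[i]);
  });
  return new TrustedHtml(out);
}

// Constructed attacker-controlled username, e.g. from a profile API response.
const HOSTILE_USERNAME = '<img src=x onerror="alert(document.cookie)">';

// The README pattern: the payload reaches the DOM verbatim.
function renderUserCardRaw(username) {
  return rawHtml`<div>Hello ${username}</div>`;
}

// The same template with escaping: the payload is rendered as text.
function renderUserCardSafe(username) {
  return renderValue(safeHtml`<div>Hello ${username}</div>`);
}

// Nested templates: inner safeHtml results are TrustedHtml and are not re-escaped.
function renderList(items) {
  return renderValue(safeHtml`<ul>${items.map((item) => safeHtml`<li>${item}</li>`)}</ul>`);
}
```

Entity escaping covers text content and quoted attribute values; a value interpolated into `href`/`src` still needs a scheme check, and `trust()` should only wrap output of the sanitizer or of `safeHtml` itself, never a raw prop.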
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This pull request introduces a minor update to bQuery.js, adding new features, improving security, and updating documentation and workflows to reflect the expanded modular architecture. The most important changes include new core and reactive APIs, enhanced component lifecycle hooks, significant security improvements, and updates to documentation and build/deploy workflows.
Feature Additions and API Changes
- New core API methods `delegate`, `wrap`, `unwrap`, `replaceWith`, `scrollTo`, `serialize`, and `serializeString` for improved DOM manipulation and event handling.
- New reactive primitives `watch`, `readonly`, `untrack`, type guards `isSignal`/`isComputed`, and the `ReadonlySignal<T>` type for more robust reactivity and immutability.
- Extended component lifecycle hooks (`beforeMount`, `beforeUpdate`, `onError`) and prop validation via the `validator` property.
Security Improvements
- Prototype pollution protection in `utils.merge()`.
Documentation and Architecture Updates
- Added `.github/copilot-instructions.md` with a comprehensive project overview, architecture, module structure, conventions, and common pitfalls.
- Updated documentation (`README.md`, `docs/definition.md`, `docs/guide/agents.md`) to reflect new APIs, security practices, and modular import paths (`@bquery/bquery/...`). [1] [2]
Build, Testing, and Deployment
Changelog and Versioning
- Updated `CHANGELOG.md` for version 1.1.0, detailing all new features, changes, and security fixes.