[1.6.0] - 2026-03-14

Added (1.6.0)

• Component: Added bool() for boolean attribute interpolation in html / safeHtml templates, making component markup more ergonomic for disabled, checked, and similar flags.
• Component: Added typed state-aware component definitions and element helpers so component() / defineComponent() preserve explicit state generics in render(), lifecycle hooks, getState(), and setState().
• Component: Added explicit signals support for component renders plus exported ComponentSignalLike / ComponentSignals types for strongly typed external reactive inputs.
• Component: Added AttributeChange metadata for updated() hooks and previous props for beforeUpdate(newProps, oldProps).
• Security: Added trusted() fragment composition for safely splicing previously sanitized markup into safeHtml templates without double-escaping.
• Storybook: Added the @bquery/bquery/storybook entry point with storyHtml() and when() helpers for authoring web-component stories with sanitization and boolean-attribute shorthand.

Changed (1.6.0)

• Docs: Expanded the README and VitePress guides to document boolean template attributes, typed component state, trusted fragment composition, explicit component signals, and Storybook story helpers.
• Bundle exports: The package metadata, agent reference files, and public entry-point documentation now reflect the new storybook export and the expanded component/security surface.

Fixed (1.6.0)

• Component: Components now reuse their Shadow DOM style element across re-renders instead of recreating styles on every update.
• Component: Default input and textarea components preserve stable native controls during value updates while still re-rendering correctly for structural prop changes.
• Component: Declared signal subscriptions are now restored correctly across disconnect/reconnect cycles and ignore undeclared reactive reads during render.

Security (1.6.0)

• Component / Storybook: Story-authored and component-authored markup is sanitized while preserving explicitly authored custom-element tags and opted-in attributes, improving secure composition for design-system stories.

What's Changed

• Version 1.6.0 by @JosunLP in #64

Full Changelog: v1.5.0...v1.6.0

[1.5.0] - 2026-03-12

Added (1.5.0)

• Reactive: Added async composables useAsyncData(), useFetch(), and createUseFetch() for signal-driven request lifecycles with data, error, status, pending, refresh(), clear(), and dispose().
• Reactive: Exported async helper types from @bquery/bquery/reactive, including AsyncDataState, AsyncDataStatus, AsyncWatchSource, FetchInput, UseAsyncDataOptions, and UseFetchOptions.
• Platform: Added global configuration helpers defineBqueryConfig() and getBqueryConfig() for fetch, cookies, announcers, page meta, transitions, and default component-library settings.
• Platform: Added useCookie() for reactive cookie state with typed serialization/deserialization, default config inheritance, and automatic persistence.
• Platform: Added definePageMeta() for document title, meta/link tags, and temporary html / body attribute management with cleanup support.
• Platform: Added useAnnouncer() for accessible ARIA live-region announcements with configurable politeness, timing, and teardown.
• Component: Added registerDefaultComponents() plus typed DefaultComponentLibraryOptions / RegisteredDefaultComponents exports to register a default native component library (button, card, input, textarea, checkbox) with configurable prefixes.
• Motion: Expanded transition() to support richer TransitionOptions, including root classes, transition types, reduced-motion skipping, and onReady / onFinish callbacks.

Changed (1.5.0)

• Tooling: Replaced the legacy playground workflow with Storybook-based component development, preview styling, and first-party stories for the default component library.
• Platform / Motion / Component: Global defaults can now be shared across modules via defineBqueryConfig(), allowing centralized configuration for transitions, fetch requests, cookies, announcers, page metadata, and default component prefixes.
• Bundle exports: The full bundle and module entry points now expose the new reactive composables, platform helpers, default component library registration, and their associated public types.

Fixed (1.5.0)

• Reactive: useAsyncData() now handles watcher-triggered refreshes, disposal, and concurrent execution races more safely so stale executions do not overwrite newer state.
• Reactive / Platform: useFetch() now preserves Request inputs and headers more reliably, merges configured/default headers safely, keeps factory typing intact in createUseFetch(), and rejects bodies on GET / HEAD requests.
• Platform: useCookie() now only auto-parses likely JSON values, avoids write-on-initialization side effects, and automatically enforces Secure when SameSite=None is used.
• Platform: useAnnouncer() now guards teardown and timer cleanup more defensively in edge cases and non-DOM environments.
• Component: Default form controls avoid duplicate custom events and unnecessary full Shadow DOM re-renders while users type into input and textarea controls.
• Motion: Transition class/type tokens are now sanitized before being applied, preventing empty or whitespace-only tokens from leaking into the document root or View Transitions API.

Security (1.5.0)

• Component: Shadow DOM sanitization now preserves standard form-related attributes required by the default input, textarea, and checkbox components while still enforcing security-by-default rendering.

What's Changed

• Fix PR review issues: duplicate keys, cleanup leaks, export conflicts, and SSR safety by @Copilot in #17
• Fix security, type safety, and API surface issues from PR #16 review by @Copilot in #18
• Fix router cancellation, component example, and ref directive expression handling by @Copilot in #19
• Fix router compatibility, isDev default, style cleanup, and changelog format by @Copilot in #20
• Fix hash routing bugs and add comprehensive test coverage by @Copilot in #21
• Fix router base path handling, bq-if DOM stability, and CHANGELOG consistency by @Copilot in #22
• Add JsDelivr badge to README by @JosunLP in #23
• Fix defineComponent tests, store reactivity leak, view directive signal handling, and hash-routing interception by @Copilot in #24
• Fix async handling, type safety, environment guards, and add test coverage from PR #16 review by @Copilot in #25
• Fix DOM order reversal, stale dependency tracking, localStorage SafariError, and reactive bq-for updates by @Copilot in #26
• Fix view template root validation, store optimizations, and utils API cleanup by @Copilot in #27
• Fix bq-show display restoration and timeline.seek() time calculation by @Copilot in #28
• Fix router base path duplication and add SSR guards for Element checks by @Copilot in #29
• Fix interceptLinks() browser behavior and createTemplate() validation by @Copilot in #30
• Fix bq-class bracket detection, once() failure caching, mount bq-for validation, and component pre-mount renders by @Copilot in #31
• Fix bq-style whitespace handling and spring variable frame rate by @Copilot in #32
• Fix bq-on method reference context loss and remove style attribute from security defaults by @Copilot in #33
• Fix persistedSignal localStorage test key collision by @Copilot in #34
• Fix bq-class directive stale class cleanup for object syntax by @Copilot in #35
• Fix timeline() to account for animation iterations in duration calculations by @Copilot in #36
• fix: Reactive robustness, security hardening, storage compat, expression parsing by @Copilot in #37
• Fix css() getter, add Signal.dispose(), debounce/throttle cancel, collection.find(), element.is() by @Copilot in #39
• Add ESLint workflow for code analysis by @JosunLP in #42
• labeler by @JosunLP in #45
• Add native data/page composables, richer view transitions, a default component library, and Storybook-based component development by @Copilot in #44
• Exclude Storybook static output from published package by @Copilot in #54
• Version 1.5.0 by @JosunLP in #53

Full Changelog: v1.4.0...v1.5.0

What's Changed

• Version Release 1.4.0 by @JosunLP in #40

Full Changelog: v1.3.0...v1.4.0

Added (1.4.0)

• Core: css() on BQueryElement and BQueryCollection now acts as a getter when called with a single property name, returning the computed style value via getComputedStyle(). TypeScript overload signatures distinguish getter (string) from setter (this).
• Core: is(selector) method on BQueryElement as a jQuery-style alias for matches().
• Core: find(selector) method on BQueryCollection to query descendant elements matching a CSS selector across all elements, with automatic deduplication via Set.
• Core: debounce() and throttle() now return enhanced functions with a .cancel() method — debounce.cancel() clears the pending timeout, throttle.cancel() resets the throttle timer allowing immediate re-execution.
• Core: Exported DebouncedFn<TArgs> and ThrottledFn<TArgs> interfaces from @bquery/bquery/core for typed usage of cancellable debounced/throttled functions.
• Reactive: Signal.dispose() method to remove all subscribers from a signal, preventing memory leaks when a signal is no longer needed. Also cleans up observer dependency references bidirectionally.

Fixed (1.4.0)

• Reactive: effect() now catches errors thrown inside the effect body and logs them via console.error instead of crashing the reactive system. Subsequent signal updates continue to trigger the effect.
• Reactive: Effect cleanup functions are now wrapped in try/catch — errors during cleanup are caught and logged rather than propagating and breaking the reactive graph.
• Reactive: Batch flush (flushObservers()) now catches errors thrown by individual observers and continues executing remaining pending observers, preventing a single failing observer from blocking others.
• Reactive: endBatch() now guards against underflow — calling endBatch() without a matching beginBatch() is a safe no-op instead of decrementing batchDepth below zero.
• Platform: WebStorageAdapter.keys() now uses the spec-compliant Storage.key(index) iteration API instead of Object.keys(), which is more reliable across environments (e.g., happy-dom, Safari).
• View: parseObjectExpression() now correctly handles escaped backslashes before quotes by counting consecutive backslashes — a double backslash (\\) before a quote no longer incorrectly treats the quote as escaped, fixing edge cases in bq-class and bq-style object expressions.

Security (1.4.0)

• srcset attributes are now validated per-URL rather than as a single URL string, correctly catching javascript: URLs embedded in responsive image descriptors. If any entry is unsafe, the entire srcset attribute is removed (e.g., "safe.jpg 1x, javascript:alert(1) 2x" → attribute removed).
• action attribute on <form> elements is now validated as a URL attribute (like href/src), preventing javascript: protocol URLs in form actions.

What's Changed

• Version 1.3.0 by @JosunLP in #16

Added (1.3.0)

• Core: Added attribute helpers removeAttr() and toggleAttr(), plus collection DOM helpers append(), prepend(), before(), after(), wrap(), unwrap(), and replaceWith().
• Core: Expanded utilities with new array, function, number, and string helpers (e.g. ensureArray(), unique(), chunk(), compact(), flatten(), once(), noop(), inRange(), toNumber(), truncate(), slugify(), escapeRegExp(), hasOwn(), isDate(), isPromise(), isObject()).
• Motion: Modularized motion utilities with new single-purpose helpers and presets.
  • New helpers: animate, sequence, timeline, scrollAnimate, stagger, flipElements.
  • New presets: easingPresets, keyframePresets, plus individual easing exports.
  • Improved reduced-motion support via prefersReducedMotion().
• Component: defineComponent() factory for manual class creation and custom registration.
• Reactive: linkedSignal() helper for writable computed values that bridge getters and setters.
• Store: New helpers defineStore(), mapGetters(), and watchStore() for ergonomic factories, getter mapping, and targeted subscriptions.

Changed (1.3.0)

• Core: Internal DOM helpers extracted into focused utilities to improve core modularity (no breaking API changes).
• Core: Utilities modularized into focused helper modules and re-exported as named exports from @bquery/bquery/core (the utils namespace remains for compatibility).
• Security: Internals modularized (sanitize core, Trusted Types, CSP helpers, constants/types) with no API changes.
• Router: Internals modularized into focused submodules with no public API changes.
• Component: Internals modularized into focused submodules with no public API changes.
• Reactive: Internals modularized into focused submodules with no public API changes.
• Store: Internals modularized into focused submodules (types, registry, plugins, helpers) with no public API breaks.
• View: Internals modularized into focused submodules with no public API changes.

Fixed (1.3.0)

• Security: security/sanitize now re-exports generateNonce() and isTrustedTypesSupported() for legacy deep imports.
• Component: Sanitize component render markup before writing to the Shadow DOM (security-by-default consistency).
• Component: attributeChangedCallback now only triggers re-renders after initial mount, preventing double renders.
• Component: Styles are now applied via <style> element with textContent instead of innerHTML to prevent markup injection.
• Core: unwrap() on collections now correctly de-duplicates parents to avoid removing the same parent multiple times.
• Core: insertContent() now maintains correct DOM order when inserting multiple elements for beforebegin, afterbegin, and afterend positions.
• Core: once() utility no longer caches failures; function is retried on subsequent calls after an exception.
• Motion: timeline.seek() now correctly calculates currentTime without double-subtracting delay offset.
• Motion: timeline.duration() now properly accounts for iterations option when calculating total duration.
• Router: interceptLinks() now skips middle-click, Ctrl+click, Cmd+click, Shift+click, Alt+click, and already-prevented events.
• Router: Hash-routing mode now correctly parses query parameters and hash fragments for route matching.
• Router: Navigation guards cancelling popstate now restore the full URL including query and hash.
• Router: Link interception now correctly strips base path and handles hash-routing links (href="#/route").
• Reactive: untrack() now properly suppresses dependency tracking for computed values without breaking internal computed dependencies.
• Reactive: persistedSignal() now gracefully handles Safari private mode and environments without localStorage.
• Store: defineStore() now caches store instances properly and respects destroyStore() invalidation.
• Store: $state snapshot now uses untrack() to prevent accidental reactive dependencies inside effects.
• Store: Actions can now assign non-state properties without throwing TypeError in strict mode.
• View: bq-class now correctly distinguishes bracket property access (obj['key']) from array literals.
• View: bq-style now removes stale style properties when the style object changes.
• View: bq-show now correctly shows elements that start with display: none.
• View: bq-for now warns when duplicate keys are detected and falls back to index-based keying.
• View: bq-ref now correctly handles nested object property access (e.g., refs.inputEl) and cleans up object refs on destroy.
• View: bq-on now supports signal mutations in event expressions (e.g., count.value++).
• View: createTemplate() now rejects templates with multiple root elements or bq-for/bq-if on root.
• View: mount() now rejects mounting on elements with bq-for directive to prevent detached root issues.
• Docs: Corrected the event section heading in the Core API guide for BQueryElement.

Full Changelog: v1.2.0...v1.3.0

What's Changed

• Add tests for router, store, and view modules by @JosunLP in #14
• Version 1.2.0 by @JosunLP in #15

Added

• Router: New SPA client-side routing module with History API support.
  • createRouter() factory with routes, base path, and hash mode options.
  • navigate(), back(), forward() navigation functions.
  • beforeEach / afterEach navigation guards.
  • Route params (:id), query string parsing, and wildcard (*) routes.
  • currentRoute reactive signal for tracking current route state.
  • link() and interceptLinks() helpers for declarative navigation.
  • resolve() for named route URL generation.
  • isActive() and isActiveSignal() for active link styling.
• Store: New Pinia/Vuex-style state management module built on signals.
  • createStore({ id, state, getters, actions }) for defining stores.
  • Reactive getters via computed() and state via signal().
  • Actions with automatic this context binding.
  • $reset(), $patch(), $subscribe(), $state store utilities.
  • createPersistedStore() for localStorage persistence.
  • registerPlugin() for extending store functionality.
  • mapState() and mapActions() composition helpers.
  • getStore(), listStores(), destroyStore() for store registry.
  • Devtools integration via window.__BQUERY_DEVTOOLS__.
• View: New declarative DOM binding module (Vue/Alpine-style directives).
  • bq-text and bq-html for content binding.
  • bq-if and bq-show for conditional rendering.
  • bq-class and bq-style for class/style binding.
  • bq-model for two-way input binding.
  • bq-bind:attr for attribute binding.
  • bq-on:event for event binding.
  • bq-for for list rendering with (item, index) in items syntax.
  • bq-ref for element references.
  • mount() function to bind context to DOM.
  • createTemplate() for reusable template factories.
  • Custom directive prefix support.
  • Automatic HTML sanitization for security.

Full Changelog: v1.1.2...v1.2.0

What's Changed

• test: improve utils test clarity and performance by @Copilot in #11
• Fix import paths and add error handling in agents documentation by @Copilot in #10
• Add rel="noopener noreferrer" to external links for security by @Copilot in #9
• Add explanatory comment for protocol-relative URL check in sanitizer by @Copilot in #13
• Version 1.1.2 by @JosunLP in #12

New Contributors

• @Copilot made their first contribution in #11

Full Changelog: v1.1.1...v1.1.2

What's Changed

• Add stale.yml workflow for managing inactive issues and PRs by @JosunLP in #3
• Add GitHub Actions workflow to summarize new issues by @JosunLP in #4
• Add CodeQL analysis workflow configuration by @JosunLP in #2
• CICD by @JosunLP in #6
• Potential fix for code scanning alert no. 2: Workflow does not contain permissions by @JosunLP in #7
• Version 1.1.1 by @JosunLP in #8

Security and Playground Fixes:

• Replaced direct assignment of HTML via innerHTML with safer DOM manipulation in the logEvent function within playground/src/demos/core.ts to prevent possible HTML injection vulnerabilities.
• Updated collection handling in the same file to use the raw DOM element when re-appending items, improving code clarity and safety.

Workflow and Versioning:

• Added explicit contents: read permissions to both build and build-docs jobs in .github/workflows/npm-publish.yml to comply with GitHub Actions best practices. [1] [2]
• Bumped package version to 1.1.1 in package.json to reflect the new release.
• Added a changelog entry for version 1.1.1 noting the HTML handling fix in CHANGELOG.md.

Full Changelog: v1.1.0...v1.1.1

What's Changed

• Add GitHub Actions workflow for greetings by @JosunLP in #5
• Version 1.1.0 by @JosunLP in #1

Added

• Core: delegate(event, selector, handler) method for event delegation on dynamically added elements.
• Core: wrap(wrapper) method to wrap elements with a new parent container.
• Core: unwrap() method to remove parent element while keeping children.
• Core: replaceWith(content) method to replace an element with new content.
• Core: scrollTo(options?) method for smooth scrolling to elements.
• Core: serialize() method to serialize form data as an object.
• Core: serializeString() method to serialize form data as URL-encoded string.
• Reactive: watch(signal, callback) function to observe signal changes with old/new values.
• Reactive: readonly(signal) function to create immutable signal wrappers.
• Reactive: untrack(fn) function to read signals without creating dependencies.
• Reactive: isSignal(value) type guard to check if a value is a Signal.
• Reactive: isComputed(value) type guard to check if a value is a Computed.
• Reactive: ReadonlySignal<T> type for read-only signal interfaces.
• Component: beforeMount() lifecycle hook that runs before initial render.
• Component: beforeUpdate(props) lifecycle hook that can prevent updates by returning false.
• Component: onError(error) lifecycle hook for error handling in components.
• Component: validator property for prop definitions to validate prop values.
• Security: Extended dangerous tag list including svg, math, template, slot, base, meta.
• Security: DOM clobbering protection with reserved ID/name filtering.
• Security: Zero-width Unicode character stripping in URL normalization.

Changed

• Reactive: Optimized observer stack operations from O(n) array copy to O(1) push/pop (~40% performance improvement).
• Security: Added file: protocol to blocked URL schemes.
• Security: Extended dangerous attribute prefixes with xlink: and xmlns:.

Security

• Fixed prototype pollution vulnerability in utils.merge() by filtering __proto__, constructor, and prototype keys.
• Enhanced HTML sanitizer to block additional XSS vectors through SVG, MathML, and template elements.
• Added protection against DOM clobbering attacks by preventing reserved IDs like document, cookie, location.
• Improved URL sanitization to prevent Unicode bypass attacks using zero-width characters.

Full Changelog: v1.0.2...v1.1.0

Full Changelog: v1.0.1...v1.0.2

Full Changelog: https://github.com/bquery/bQuery/commits/v1.0.1