Audit/full audit #34

Merged
hexplus merged 38 commits into main from audit/full-audit
Jun 12, 2026
hexplus (Owner) commented Jun 12, 2026

Description

Full audit-and-improve cycle for the SibuJS core framework, covering integrity, performance, security, documentation, and test coverage.

Correctness & security fixes

  • Fixed CSS-selector injection (CWE-74) in preloadModule; routed resource-hint hrefs (preloadModule/preloadResource/prefetch) through sanitizeUrl; hardened testing-helper selectors with quote/backslash escaping.
  • watch / store.subscribe / store.subscribeKey callbacks now run untracked (no dependency leaks); reactive srcset consolidated to a single shared sanitization policy (static + reactive paths can no longer drift).

Performance

  • sanitizeCSSValue fast-path (7.4×), tagFactory blocked-tag precompute (4.2×), and removal of per-notification closure allocations in watch/store.

Cleanup & docs

  • Deleted dead deprecation stubs and cleaned the coverage config; fixed the bench.mjs list-render callback.
  • Documented the LIFO effect-firing order and the when/match eager-branch-read gotcha (code JSDoc + AGENTS.md "Common mistakes").
  • sibujs-web AGENTS.md: added the required sibujs-ui/themes/base.css import instruction and corrected the available-themes list.

Test coverage: 92.41% → 98.70%

  • core, reactivity, browser, utils now at 100%; every feature dir at 96–99%.
  • Added a production-mode coverage harness, barrel-export tests, an OWASP regression suite, and ~150 new test cases (3,945 passing).
  • IMPROVEMENTS.md tracks remaining work (router concurrency/abort internals, async-cache races) where literal 100% would trade flakiness for marginal gain.

Related Issue

Closes #

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Checklist

  • I have read CONTRIBUTING.md
  • My code builds without errors
  • I have tested my changes
  • I have updated documentation if needed

hexplus added 30 commits March 28, 2026 15:11
hexplus merged commit c3c5f70 into main Jun 12, 2026
1 check passed
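
The selector-injection class named in the description (CWE-74, with quote/backslash escaping as the stated hardening for the testing helpers), as an added example that is not code from this PR or from SibuJS. It assumes an href is interpolated into a `link[rel="modulepreload"]` attribute selector; all function names and sample values are hypothetical and constructed.

```javascript
// Added example; every function name here is hypothetical, not a SibuJS API.

// Escape a value for a double-quoted CSS attribute-selector string:
// backslash and quote get a backslash, control characters a hex escape.
function escapeAttrValue(value) {
  return String(value)
    .replace(/[\\"]/g, "\\$&")
    .replace(/[\u0000-\u001f\u007f]/g, (c) => "\\" + c.charCodeAt(0).toString(16) + " ");
}

// "Before" shape: caller-controlled href interpolated as-is.
const naiveSelector = (href) => `link[rel="modulepreload"][href="${href}"]`;
// Hardened shape: the value cannot leave the quoted string.
const safeSelector = (href) => `link[rel="modulepreload"][href="${escapeAttrValue(href)}"]`;

// Minimal CSS string reader: decodes the href value the way a selector
// parser would and returns whatever follows its closing quote.
function readHrefString(selector) {
  let i = selector.indexOf('[href="') + 7;
  let value = "";
  // A closing quote or a raw newline ends the string.
  while (i < selector.length && selector[i] !== '"' && selector[i] !== "\n") {
    if (selector[i] === "\\") {
      const hex = /^[0-9a-fA-F]{1,6}/.exec(selector.slice(i + 1));
      if (hex) {
        const cp = parseInt(hex[0], 16);
        value += cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
        i += 1 + hex[0].length;
        if (selector[i] === " ") i++; // one space terminates a hex escape
        continue;
      }
      i++; // backslash before a non-hex character: take it literally
    }
    value += selector[i++];
  }
  return { value, rest: selector.slice(i + 1) };
}

// Intact: the parser sees exactly the caller's value, then only "]".
function isIntact(selector, href) {
  const { value, rest } = readHrefString(selector);
  return value === href && rest === "]";
}

// Constructed inputs: plain path, quote breakout, backslash, raw newline.
const samples = ["/mod/app.js", 'a.js"], script[src="b.js', "C:\\a.js", "a\nb"];
for (const s of samples) {
  console.log(JSON.stringify(s), "naive:", isIntact(naiveSelector(s), s), "safe:", isIntact(safeSelector(s), s));
}
```

The same round-trip check works as a regression test: any value for which `isIntact` is false has changed the selector's structure or its matched value.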