Merged
38 commits
95db6ce
Updated CHANGELOG and package.json
hexplus Mar 28, 2026
56080d8
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 28, 2026
7eeec49
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 28, 2026
14a9cd4
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
9487727
ci: use npm install instead of npm ci
hexplus Mar 29, 2026
6b4bd83
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
0b9a0cc
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
0777184
trusted-publisher
hexplus Mar 29, 2026
4d46e82
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
bea9788
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
825a8dc
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
55c4436
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
0d2c7e0
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
8da81e8
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
325ce5d
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Mar 29, 2026
0cad329
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 1, 2026
aea6787
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 4, 2026
00e5e88
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 7, 2026
b10a2c5
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 7, 2026
639eae0
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 9, 2026
405e4fe
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 11, 2026
ee7cf48
Updated main
hexplus Apr 11, 2026
8c77fca
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 11, 2026
da6d752
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 11, 2026
c047837
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 12, 2026
a52fffc
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 12, 2026
43b5675
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 14, 2026
44df880
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 18, 2026
aba311a
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 19, 2026
4bf3286
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Apr 19, 2026
a086428
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus May 29, 2026
e316ae0
Missing update package.json
hexplus May 29, 2026
278bfc6
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus May 29, 2026
08bc9b8
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Jun 1, 2026
7b5557d
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Jun 5, 2026
226ae51
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Jun 5, 2026
0d5c8de
Merge branch 'main' of https://github.com/hexplus/SibuJS
hexplus Jun 12, 2026
d03b37a
Updating versioning
hexplus Jun 12, 2026
27 changes: 27 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,33 @@ This project follows [Semantic Versioning](https://semver.org/).

---

## [3.3.0] — 2026-06-11

A security-hardening, correctness, and performance release. No breaking changes.

### Security

- **Resource-hint URLs are sanitized** — `preloadModule`, `preloadResource`, and `prefetch` now run their `href` through the protocol allowlist and refuse dangerous schemes (`javascript:`/`data:`/`blob:`), consistent with the rest of the framework.
- **CSS-selector injection fixed in `preloadModule` (CWE-74)** — the dedup lookup interpolated the raw URL into a `querySelector` string; a URL containing `"`/`]` could throw or match the wrong element. The value is now escaped (matching the guard already used by the critical-resource preloader).
- **Testing-helper selectors hardened** — the query helpers in `testing/adapters` and `testing/a11y` escape interpolated values so labels/ids/roles with special characters can no longer break (or inject into) the selector.

### Fixed

- **`watch` / `store.subscribe` / `store.subscribeKey` callbacks run untracked** — signals read inside these callbacks are no longer recorded as dependencies, so a callback reading unrelated state can't cause spurious re-fires.
- **Reactive `srcset` uses per-candidate validation** — a reactively-bound `srcset` is now split and each candidate URL validated (matching the static path) instead of being passed through a single-URL sanitizer; the static and reactive write paths share one policy and can no longer drift.

### Performance

- **`sanitizeCSSValue` fast-path** — values containing none of the characters that gate a dangerous construct return immediately, skipping the decode + scan (~7× faster on common style values like `red`/`14px`/`#fff`). Affects every static and reactive style write.
- **`tagFactory` blocked-tag check precomputed** — the security blocklist is resolved once per tag factory instead of per element creation (~4× faster check, one fewer string allocation per element).
- **No per-notification closures** — `watch` and `store` subscriptions no longer allocate a closure on every notification.

### Removed

- Deleted empty deprecation stubs (`memo`, `memoFn`, and the `createSignal`/`createMemo`/`createEffect` pattern aliases) that had been no-ops since 1.4.0. Use `derived` / the canonical primitives directly.

---

## [3.2.2] — 2026-06-05
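
Review bot: the summary line "No breaking changes" under `## [3.3.0]` conflicts with the `### Removed` section of the same entry, which deletes the `memo`, `memoFn` and `createSignal`/`createMemo`/`createEffect` aliases. Any code that still imports those names will fail after upgrading, and the file header says the project follows Semantic Versioning, so either reword the summary to name the removal explicitly or keep the stubs until the next major. The resource-hint Security entry also says "protocol allowlist" but lists only the refused schemes (`javascript:`/`data:`/`blob:`); listing the schemes that are allowed would make the policy checkable from the changelog. The CWE-74 entry should say which released versions shipped the unescaped `querySelector` lookup, so users can tell whether they need to upgrade.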


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "sibujs",
"version": "3.2.2",
"version": "3.3.0",
"description": "A lightweight, function-based frontend framework that combines the best of React, Svelte, and Vue — with zero VDOM and maximum simplicity. Designed for developers who want fine-grained reactivity and full control without compilation or magic.",
"keywords": [
"frontend",
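
Review bot: the `"version": "3.3.0"` bump is the only change to package.json, and the diff shown touches no lockfile. If the repository commits a `package-lock.json`, update its top-level version in the same change. The commit list shows CI was switched from `npm ci` to `npm install`, which will rewrite a stale lockfile during the build instead of failing on it, so the published artifact may not match what was reviewed. Consider restoring `npm ci` for the release job once the lockfile is in sync.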