v0.7.0

@SisyphusZheng SisyphusZheng released this 07 May 14:55
· 610 commits to main since this release

LessJS v0.7.0 — Stable Baseline (P0 Audit Fixes)

Release Date: 2026-05-07

v0.7.0 is a stability release that addresses all P0 findings from the four-dimensional audit (2026-05-07). The focus is on eliminating untrustworthy behavior and establishing engineering discipline. This release contains breaking changes (XSS fix, catch behavior change), hence the MINOR bump per SemVer 0.x conventions.

What Changed

Testing (73 new tests)

| Module | Tests | Lines Covered |
|---|---|---|
| render-dsd.ts | 44 | 770 (was 0) |
| island.ts | 29 | 321 (was 0) |

render-dsd.ts — Covers escapeHtml, escapeAttr, escapeAttrValue, serializeAttributes, renderDSD (all paths), L2 Nested DSD, XSS safety, DSD options (delegatesFocus/serializable/slotAssignment/customElementRegistry), pure-island layer, adapter protocol, and edge cases.

island.ts — Covers tag name validation, metadata markers (__island/__tagName/__layer), DSD opt-out, four upgrade strategies (eager/lazy/idle/visible), idempotent registration, connectedCallback wrapping, getSSRProps, and lessBind.

Bug Fixes

  • runtime-shim consistency: serializeAttributes() in runtime-shim.ts now uses escapeAttrValue() instead of escapeAttr, matching render-dsd.ts. Previously, null/undefined values were not handled consistently.
  • headExtras/headFragments XSS warnings: Added @security/@dangerous JSDoc annotations. Runtime console.warn is emitted when injected content contains <script> tags.
  • Silent catch elimination: 6 remaining silent catch blocks replaced with console.debug/console.warn, making errors observable. Affected files: island.ts, render-dsd.ts, cli/build-ssg.ts, cli/build-client.ts.

Infrastructure

  • Pre-commit hooks: .githooks/pre-commit runs deno fmt --check + deno lint + deno check. Enable with deno task hooks:install.
  • CI adapter-lit tests: New test-adapter-lit job in test.yml.
  • CI publish gate: publish.yml now requires needs: [test] — no publish without passing tests.
  • Cloudflare Pages migration: Migrated from GitHub Pages to Cloudflare Pages (Connect GitHub mode). main → Production (lessjs.com), dev → Preview (auto-assigned URL per push).

Breaking Changes

  • runtime-shim serializeAttributes: Now handles null/undefined via escapeAttrValue instead of passing through escapeAttr. If you were relying on the old behavior of stringifying null, this will now output an empty string.
  • Silent catch → observable errors: Code that previously swallowed errors silently will now log console.warn or console.debug with [LessJS] prefix. If your error monitoring treats these as noise, adjust your log filters.
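
To see which attributes are affected by the serializeAttributes change before upgrading, the following added example (not LessJS source code) models the old and new null/undefined handling side by side. The names escapeAttr and escapeAttrValue come from these notes; their bodies, the helpers serializeLegacy, serializeCurrent and changedAttrs, the sample props, and the assumption that a nullish value renders as name="" are all hypothetical.

```typescript
// Added illustration; NOT LessJS source. Function names escapeAttr and
// escapeAttrValue come from the release notes; their bodies are assumptions
// that model the documented behaviour.
type Attrs = Record<string, unknown>;

// Assumed escaping for a double-quoted HTML attribute value.
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Assumed v0.7.0 behaviour: null/undefined become "", anything else is
// stringified and escaped.
function escapeAttrValue(value: unknown): string {
  return value === null || value === undefined ? "" : escapeAttr(String(value));
}

// Hypothetical model of the pre-0.7.0 runtime-shim path: nullish values were
// stringified ("null" / "undefined") before escaping.
function serializeLegacy(attrs: Attrs): string {
  return Object.keys(attrs)
    .map((k) => `${k}="${escapeAttr(String(attrs[k]))}"`)
    .join(" ");
}

// Hypothetical model of the v0.7.0 path, consistent with render-dsd.ts.
function serializeCurrent(attrs: Attrs): string {
  return Object.keys(attrs)
    .map((k) => `${k}="${escapeAttrValue(attrs[k])}"`)
    .join(" ");
}

// Upgrade audit: names of attributes whose serialized output changes in v0.7.0.
function changedAttrs(attrs: Attrs): string[] {
  return Object.keys(attrs).filter(
    (k) => serializeLegacy({ [k]: attrs[k] }) !== serializeCurrent({ [k]: attrs[k] })
  );
}

// Constructed sample props, including a value that tries to close the attribute.
const sample: Attrs = {
  id: "card-1",
  title: null,
  "data-user": undefined,
  label: '"><b>bold</b>',
  count: 0,
};
```

Running changedAttrs over the props your islands pass shows which CSS selectors or client code that matched the literal strings "null" or "undefined" need updating.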

Full Test Suite

354 passed, 0 failed

Version Strategy

See ADR 0006: Version Strategy for the full roadmap from v0.7 → v2.0.

Next: v0.8.0 — P1 feature improvements + Island Manifest + Blog development kickoff.

Upgrade

# Update your project's dependency
deno run -A jsr:@lessjs/create

# Install pre-commit hooks (recommended)
deno task hooks:install

Full Changelog: v0.6.1...v0.7.0