Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: v2 release #6903

Open
wants to merge 786 commits into
base: main
Choose a base branch
from
Open

refactor: v2 release #6903

wants to merge 786 commits into from

Conversation

wmertens
Copy link
Member

@wmertens wmertens commented Sep 22, 2024
edited
Loading

This PR is for showing progress on v2, and having installable npm packages.

DO NOT MERGE

The changes are meant to be readable and maintainable, so if things are unclear please let us know.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 22, 2024
edited
Loading

🦋 Changeset detected

Latest commit: a6ea466

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
@qwik.dev/core Patch
eslint-plugin-qwik Patch
@qwik.dev/react Patch
@qwik.dev/router Patch
create-qwik Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Sep 23, 2024
edited
Loading

Open in Stackblitz

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/core@6903

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/router@6903

npm i https://pkg.pr.new/QwikDev/qwik/eslint-plugin-qwik@6903

npm i https://pkg.pr.new/QwikDev/qwik/create-qwik@6903

commit: a6ea466

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 23, 2024
edited
Loading

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name Status Preview Last Commit
qwik-docs ✅ Ready (View Log) Visit Preview a6ea466

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 26, 2024
View reviewed changes
packages/qwik/src/core/client/dom-container.ts
}
errorDiv.setAttribute('q:key', '_error_');
const journal: VNodeJournal = [];
vnode_getDOMChildNodes(journal, vHost).forEach((child) => errorDiv.appendChild(child));

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
packages/qwik/src/core/client/vnode.ts
} else if (key === 'value' && key in element) {
(element as any).value = escapeHTML(String(value));
} else if (key === dangerouslySetInnerHTML) {
(element as any).innerHTML = value!;

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI 4 days ago

To fix the problem, we need to ensure that any HTML content assigned to innerHTML is properly sanitized to prevent XSS attacks. This can be achieved by using a library like DOMPurify to sanitize the HTML content before assigning it to innerHTML.

  • Import the DOMPurify library.
  • Use DOMPurify.sanitize to sanitize the value before assigning it to innerHTML.
  • Ensure that the DOMPurify library is included in the project dependencies.
Suggested changeset 2
packages/qwik/src/core/client/vnode.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/qwik/src/core/client/vnode.ts b/packages/qwik/src/core/client/vnode.ts
--- a/packages/qwik/src/core/client/vnode.ts
+++ b/packages/qwik/src/core/client/vnode.ts
@@ -1,4 +1,4 @@
+import DOMPurify from 'dompurify';
 /**
  * @file
- *
  *   VNode is a DOM like API for walking the DOM but it:
@@ -895,3 +895,3 @@
         } else if (key === dangerouslySetInnerHTML) {
-          (element as any).innerHTML = value!;
+          (element as any).innerHTML = DOMPurify.sanitize(value!);
         } else {
EOF
@@ -1,4 +1,4 @@
import DOMPurify from 'dompurify';
/**
* @file
*
* VNode is a DOM like API for walking the DOM but it:
@@ -895,3 +895,3 @@
} else if (key === dangerouslySetInnerHTML) {
(element as any).innerHTML = value!;
(element as any).innerHTML = DOMPurify.sanitize(value!);
} else {
packages/qwik/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/qwik/package.json b/packages/qwik/package.json
--- a/packages/qwik/package.json
+++ b/packages/qwik/package.json
@@ -10,3 +10,4 @@
   "dependencies": {
-    "csstype": "^3.1"
+    "csstype": "^3.1",
+    "dompurify": "^3.2.4"
   },
EOF
@@ -10,3 +10,4 @@
"dependencies": {
"csstype": "^3.1"
"csstype": "^3.1",
"dompurify": "^3.2.4"
},
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.4 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
packages/qwik/src/core/client/vnode.ts
const insertBefore = journal[idx++] as Element | Text | null;
let newChild: any;
while (idx < length && typeof (newChild = journal[idx]) !== 'number') {
insertParent.insertBefore(newChild, insertBefore);

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
@wmertens wmertens changed the title refactor: v2 framework rewrite refactor: v2 release Oct 8, 2024
@wmertens wmertens marked this pull request as ready for review October 17, 2024 21:25
@wmertens wmertens requested review from a team as code owners October 17, 2024 21:25
This was referenced Oct 29, 2024
Closed
Closed
wmertens and others added 17 commits November 13, 2024 23:44
@wmertens
chore: move internals out of JSXNode type
49b02b3 
`flags`, `varProps` and `constProps`

This assures compatibility with v1 types
@wmertens
fix(core): correct serializeAttribute type
0b22123
@Varixo @wmertens
fix build
60d6583
@wmertens
fix imports qwik/testing
70bcc0f
@wmertens
chore: remove html types
d00396e 
they are not necessary and they make the API harder to grasp
@wmertens
chore: manually select TS exports
d609244
@wmertens
fix(eslint): ignore temporary vite config
dd15da7
@wmertens
fix(repl): handle moved types files
edaa75e
@wmertens
fix(repl): don't crash from extension messages
84cdc36
@wmertens
Merge pull request #7045 from QwikDev/v2-jsxnode
ddd293b 
chore: make v2 types v1 compatible
@Varixo
Merge pull request #7061 from QwikDev/fix-component-as-func-case-2
d533e19 
fix: component as function call
@Varixo
fix component type
a2eb7ec
@wmertens
Merge pull request #7063 from QwikDev/v2-fix-component-type
0309a11 
fix(v2): fix component type
@github-actions
Version Packages (alpha)
fb8e170
@shairez
Merge pull request #7018 from QwikDev/changeset-release/build/v2
3624e5d 
V2 Version Packages (alpha)
@shairez
added publishconfig to package.json files
dd93926
@Varixo
fix function serialization
4411d4a
wmertens and others added 30 commits February 6, 2025 12:26
@wmertens
chore(optimizer): remove _hW export
2e162a5 
get it from a different qrl instead
@wmertens
refactor(core): schedule tasks via core qrl
3571f3b
@wmertens
chore(core): remove unused qrl refSymbol
9648e55
@wmertens
fix(core): schedule qrls instead of direct call
de11be6
@wmertens
fix(scheduler+ssr): correct order and draining
33afdb3
@Varixo @wmertens
refactor(scheduler): remove COMPONENT_SSR type
df1a502
@Varixo @wmertens
fix(scheduler): dont await for RUN_QRL chore
f0db311
@Varixo @wmertens
fix(scheduler): scheduling wait for all on server
1f193d5
@wmertens
fix(core): canSerialize self-references
91f8308
@wmertens
fix: await all run qrls in wait_for_all
22446c9 
also refactor
@Varixo @wmertens
fix: RUN_QRL host object
59df27d
@Varixo @wmertens
don't await for qrls
9857941
@Varixo @wmertens
fix adding event attribute name for csr
b6b5018
@Varixo @wmertens
fix spa init script
e064f19
@Varixo @wmertens
feat: schedule resource task
385e0a5
@Varixo @wmertens
remove q:nbs attribute handling from link component
2d8dc0b
@wmertens
Merge pull request #7269 from QwikDev/remove-hW
7c21496 
refactor(core): schedule QRLs instead of direct execution
@JerryWu1234
fix: export SVG type (#7222)
60c8202 
Co-authored-by: wuls <[email protected]>
@sreeisalso
Updated ComponentStylesPrefixContent from ⭐ to ⚡ (#7304)
cb8013c 
this provides a better hint it's done by Qwik ⚡
@Varixo
fix: build and codeql
5f88797
@wmertens
Merge pull request #7322 from QwikDev/v2-fix-build-2
9982b1d 
fix: build and codeql
@Varixo
fix: create svg nested children with correct namespace (#7323)
2739ddc
@Varixo
fix(perf): use sets instead of arrays for effects
269bd8d
@wmertens
fix(repl): properly resolve handlers.mjs
16803c9
@wmertens
Merge pull request #7328 from QwikDev/v2-fix-repl
b2b8bd0 
fix(repl): properly resolve handlers.mjs
@JerryWu1234
fix: optimizer is now better at recognizing constProp (#7316)
ef18cce 
Co-authored-by: wuls <[email protected]>
@Varixo @wmertens
feat: global map of all effect subscriptions
36e22f8 
Co-authored-by: Wout Mertens <[email protected]>
@Varixo
feat: emit qrender event
b904b9d
@Varixo
fix e2e tests
afa1089
@wmertens
Merge pull request #7327 from QwikDev/v2-use-set-for-effects
a6ea466 
fix(perf): use sets instead of arrays for effects
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
VERSION: upcoming major
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@wmertens @Varixo @shairez @gimonaa @gioboa @JerryWu1234 @damianpumar @GrandSchtroumpf @sreeisalso