Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: v2 release #6903

Open
wants to merge 679 commits into
base: main
Choose a base branch
from
Open

refactor: v2 release #6903

wants to merge 679 commits into from
+113,883 −76,940

Conversation

wmertens
Copy link
Member

@wmertens wmertens commented Sep 22, 2024
edited
Loading

This PR is for showing progress on v2, and having installable npm packages.

DO NOT MERGE

The changes are meant to be readable and maintainable, so if things are unclear please let us know.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 22, 2024
edited
Loading

🦋 Changeset detected

Latest commit: 6ed1284

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
@qwik.dev/core Patch
eslint-plugin-qwik Patch
@qwik.dev/react Patch
@qwik.dev/router Patch
create-qwik Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Sep 23, 2024
edited
Loading

Open in Stackblitz

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/core@6903

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/router@6903

npm i https://pkg.pr.new/QwikDev/qwik/eslint-plugin-qwik@6903

npm i https://pkg.pr.new/QwikDev/qwik/create-qwik@6903

commit: 9b71fc0

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 23, 2024
edited
Loading

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name Status Preview Last Commit
qwik-docs ✅ Ready (View Log) Visit Preview 9b71fc0

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 26, 2024
View reviewed changes
packages/qwik/src/core/client/dom-container.ts
}
errorDiv.setAttribute('q:key', '_error_');
const journal: VNodeJournal = [];
vnode_getDOMChildNodes(journal, vHost).forEach((child) => errorDiv.appendChild(child));

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
packages/qwik/src/core/client/vnode.ts
} else if (key === 'value' && key in element) {
(element as any).value = escapeHTML(String(value));
} else if (key === dangerouslySetInnerHTML) {
(element as any).innerHTML = value!;

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI 2 days ago

To fix the problem, we need to ensure that any content assigned to innerHTML is properly sanitized to prevent XSS attacks. The best way to fix this is to use a library like DOMPurify to sanitize the HTML content before setting it. This approach ensures that any potentially dangerous HTML content is cleaned, removing any malicious scripts or tags.

  1. Import the DOMPurify library.
  2. Use DOMPurify.sanitize to clean the value before assigning it to innerHTML.
Suggested changeset 2
packages/qwik/src/core/client/vnode.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/qwik/src/core/client/vnode.ts b/packages/qwik/src/core/client/vnode.ts
--- a/packages/qwik/src/core/client/vnode.ts
+++ b/packages/qwik/src/core/client/vnode.ts
@@ -1 +1,2 @@
+import DOMPurify from 'dompurify';
 /**
@@ -895,3 +896,3 @@
         } else if (key === dangerouslySetInnerHTML) {
-          (element as any).innerHTML = value!;
+          (element as any).innerHTML = DOMPurify.sanitize(value!);
         } else {
EOF
@@ -1 +1,2 @@
import DOMPurify from 'dompurify';
/**
@@ -895,3 +896,3 @@
} else if (key === dangerouslySetInnerHTML) {
(element as any).innerHTML = value!;
(element as any).innerHTML = DOMPurify.sanitize(value!);
} else {
packages/qwik/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/qwik/package.json b/packages/qwik/package.json
--- a/packages/qwik/package.json
+++ b/packages/qwik/package.json
@@ -10,3 +10,4 @@
   "dependencies": {
-    "csstype": "^3.1"
+    "csstype": "^3.1",
+    "dompurify": "^3.2.3"
   },
EOF
@@ -10,3 +10,4 @@
"dependencies": {
"csstype": "^3.1"
"csstype": "^3.1",
"dompurify": "^3.2.3"
},
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.3 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
packages/qwik/src/core/client/vnode.ts
const insertBefore = journal[idx++] as Element | Text | null;
let newChild: any;
while (idx < length && typeof (newChild = journal[idx]) !== 'number') {
insertParent.insertBefore(newChild, insertBefore);

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
@wmertens wmertens changed the title refactor: v2 framework rewrite refactor: v2 release Oct 8, 2024
@wmertens wmertens marked this pull request as ready for review October 17, 2024 21:25
@wmertens wmertens requested review from a team as code owners October 17, 2024 21:25
shairez and others added 17 commits October 18, 2024 02:53
Varixo and others added 30 commits December 21, 2024 10:05
@Varixo
Merge pull request #7189 from QwikDev/v2-fix-repl-2
6f98088 
fix: repl tabs
@Varixo
add changesets
5408c40
@Varixo
fix: convert destructured string prop to props variable
1413bc0
@wmertens
Merge pull request #7191 from QwikDev/v2-destructuring-colon-prop
7160354 
fix: convert destructured string prop to props variable
@Varixo
fix: destructured props for inline components
48af55c
@Varixo
fix: string prop destructuring
d8a19ca
@Varixo
remove tests duplicates
d266bdd
@Varixo
fix: serialize var prop
6578707
@Varixo
add error location to textarea and ref errors
bfb07d9
@Varixo @steffanek
fix: updating signal-based var props
0166199 
Co-authored-by: Steff <[email protected]>
@Varixo
Merge pull request #7190 from QwikDev/v2-inline-destructured-props
2a60951 
fix: destructured props for inline components
@Varixo
Merge pull request #7193 from QwikDev/v2-fix-serialize-var-prop
d21ff10 
fix: serialize var prop
@Varixo
fix: textarea with null value
ef92d10
@Varixo
Merge pull request #7198 from QwikDev/v2-updating-var-props
cef6a0d 
fix: updating signal-based var props
@Varixo
Merge pull request #7196 from QwikDev/v2-textarea-null-value
c029c32 
fix: textarea with null value
@Varixo
fix: finding context parent and sorting projections in the scheduler
58ba5b4
@Varixo
fix: add and remove var prop attribute
fbbfb21
@Varixo
update qwik-ui
2ff2551
@Varixo
better use-resource comment
81a2f7b
@Varixo
fix: for of handlers as var prop
834a451
@Varixo
add test for moving has_const condition
da226e5
@Varixo
Merge branch 'build/v2' into pr/gimonaa/7085
f346257
@Varixo
fix snapshots and tests after merge
e26a525
@Varixo
fix: moving existing virtual node during vnode diffing
08cb7c4
@wmertens
Merge pull request #7208 from QwikDev/v2-fix-moving-found-vnode
0bc9555 
fix: moving existing virtual node during vnode diffing
@wmertens
Merge pull request #7206 from QwikDev/v2-fix-release-bugs
31cd137 
fix: add and remove var prop attribute
@Varixo
fix: top level inline components props
90a6ede
@Varixo
extend use-lexical-scope test
997b672
@Varixo
Merge pull request #7085 from gimonaa/test-v2-useResource
9b71fc0 
fix: const/var props in loops/functions
@wmertens
Merge pull request #7204 from QwikDev/v2-find-context-error
6ed1284 
fix: finding context parent and sorting projections in the scheduler
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
VERSION: upcoming major
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@wmertens @shairez @Varixo @gimonaa @gioboa