kiso-icons 0.2.0.pre → 0.3.0.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: abdce35f898bcd015e68eb0fd14ec634c00f48b7c439e1937cb57ce36da1b89b
-  data.tar.gz: e848efc526a44648dd41a34adf83ffe7f73666eb2bb38cefd48d188670a517c1
+  metadata.gz: 7b9b6a3f92b9860337d2979537c89195be478360d43370bdda7b7654396d7016
+  data.tar.gz: 3b75e9f062e60b7202499520e1fa2b59dfc849b20dea7837924af9ae94f200b9
 SHA512:
-  metadata.gz: 8ad7085b951095eb5540babda7bf8b0495b2111ee70bacbfdd7f0d63f6c4443427786b11d4e114657112bab9c99750fff4bd010c00e22b72d4bfc6996a5630b9
-  data.tar.gz: 0d528a7c8a0d73f3f7f3a6926a148bce8152738d8c54eaffa280cdf14bd10ef3fd743b8cfb741a1a271c79b846f97dbd74cdcd41118e4e93ac41cf1dd3469812
+  metadata.gz: f078789eaf4fb3e751f50f520ad9a79ad7fb37fffff59036937edc09253be207a2c44d3e776005bf34d7e68e715772a5221f1b58e6cbb7f804920c7e5de5c308
+  data.tar.gz: 208ba1be9bebd42e66090a4419ce95a7a636f99ba991e7acea961266d0ea538c9d7dec5215d8c2c27eeb0a5209314c25a38b372e6d1c9034aab66ca0ab394df2

data/CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.0.pre] - 2026-02-26
+
+### Removed
+
+- API fallback (`fallback_to_api` config option and `ApiClient` class). Icons must now be pinned explicitly with `bin/kiso-icons pin <set>`. The bundled Lucide set still works with no setup.
+
+## [0.2.0.pre] - 2026-02-25
+
+### Fixed
+
+- Sanitize SVG body content to prevent XSS via malicious icon data
+
 ## [0.1.0.pre] - 2026-02-25
 
 ### Added
@@ -22,5 +34,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Rails generator (`kiso_icons:install`) for project setup
 - `pristine` command to re-download all pinned sets
 
-[Unreleased]: https://github.com/steveclarke/kiso-icons/compare/v0.1.0.pre...HEAD
+[Unreleased]: https://github.com/steveclarke/kiso-icons/compare/v0.3.0.pre...HEAD
+[0.3.0.pre]: https://github.com/steveclarke/kiso-icons/releases/tag/v0.3.0.pre
+[0.2.0.pre]: https://github.com/steveclarke/kiso-icons/releases/tag/v0.2.0.pre
 [0.1.0.pre]: https://github.com/steveclarke/kiso-icons/releases/tag/v0.1.0.pre

data/README.md

@@ -2,7 +2,7 @@
 
 Iconify icons for Rails. Use any of [224 icon sets](https://icon-sets.iconify.design/) (299k+ icons) as inline SVG. No JavaScript needed.
 
-Icons live in `vendor/icons/` as JSON files. Commit them to git, just like vendored JavaScript with importmap-rails.
+Icons live in `vendor/icons/` as JSON files. Commit them to git.
 
 Part of the [Kiso 基礎](https://github.com/steveclarke/kiso) family. Works on its own in any Rails 8+ app.
 
@@ -51,7 +51,7 @@ You can pass any HTML attribute. If you add `aria: { label: "..." }`, screen rea
 
 ### Pin icon sets
 
-The `pin` command downloads an Iconify JSON file to `vendor/icons/`. Commit it to git. In production, icons load from these files with no API calls.
+The `pin` command downloads an Iconify JSON file to `vendor/icons/`. Commit it to git.
 
 ```bash
 ./bin/kiso-icons pin lucide             # pin Lucide (replaces the bundled copy)
@@ -70,7 +70,6 @@ Add an initializer to change the defaults:
 Kiso::Icons.configure do |config|
   config.default_set = "lucide"        # icon set used when no prefix is given
   config.vendor_path = "vendor/icons"  # where pinned JSON files are stored
-  config.fallback_to_api = false       # fetch missing icons from the Iconify API
 end
 ```
 
@@ -78,10 +77,6 @@ end
 |--------|---------|-------------|
 | `default_set` | `"lucide"` | Icon set used when you write `kiso_icon_tag("check")` with no prefix. |
 | `vendor_path` | `"vendor/icons"` | Where pinned JSON files are stored. |
-| `fallback_to_api` | `true` in dev, `false` in prod | If `true`, missing icons are fetched from the Iconify API. A log message tells you to pin the set. |
-
-> [!TIP]
-> In production, `fallback_to_api` is off. Pin all the sets you need so icons load from local files.
 
 ## How it works
 
@@ -89,7 +84,6 @@ Icons are found in this order:
 
 1. **Pinned JSON** — your sets in `vendor/icons/`
 2. **Bundled Lucide** — ships with the gem (81 KB gzipped), works with no setup
-3. **Iconify API** — only in dev mode, with a prompt to pin
 
 Each SVG uses `width="1em"`, `height="1em"`, and `currentColor`. It inherits its size from `font-size` and its color from the parent element. No CSS framework needed.
 
@@ -107,9 +101,11 @@ bin/dev      # start demo app at http://localhost:3100
 Run tests:
 
 ```bash
-bundle exec rake test            # unit tests (no Rails)
-bundle exec rake test_integration # integration tests (boots Rails)
-bundle exec rake                  # both
+bin/rake test              # unit tests (no Rails)
+bin/rake test_integration  # integration tests (boots Rails)
+bin/rake                   # both
+bin/standardrb             # lint (StandardRB)
+bin/standardrb --fix       # auto-fix lint
 ```
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) to help out.

data/lib/kiso/icons/configuration.rb

@@ -1,14 +1,20 @@
 # frozen_string_literal: true
 
+require "logger"
+
 module Kiso
   module Icons
     class Configuration
-      attr_accessor :default_set, :vendor_path, :fallback_to_api
+      attr_accessor :default_set, :vendor_path
+      attr_writer :logger
 
       def initialize
         @default_set = "lucide"
         @vendor_path = "vendor/icons"
-        @fallback_to_api = defined?(Rails) ? Rails.env.development? : false
+      end
+
+      def logger
+        @logger ||= Logger.new($stderr, progname: "Kiso::Icons")
       end
     end
   end

data/lib/kiso/icons/railtie.rb

@@ -7,7 +7,7 @@ module Kiso
     class Railtie < ::Rails::Railtie
       initializer "kiso_icons.configure" do |_app|
         Kiso::Icons.configure do |config|
-          config.fallback_to_api = Rails.env.development? || Rails.env.test?
+          config.logger = Rails.logger
         end
       end
 

data/lib/kiso/icons/resolver.rb

@@ -24,9 +24,6 @@ module Kiso
         # 4. Bundled (lucide ships in gem)
         icon_data ||= resolve_from_bundled(set_prefix, icon_name)
 
-        # 5. API fallback (dev only)
-        icon_data ||= resolve_from_api(set_prefix, icon_name)
-
         Kiso::Icons.cache.set(set_prefix, icon_name, icon_data) if icon_data
 
         icon_data
@@ -67,12 +64,6 @@ module Kiso
         @mutex.synchronize { @loaded_sets[set_prefix] = set }
         set.icon(icon_name)
       end
-
-      def resolve_from_api(set_prefix, icon_name)
-        return nil unless Kiso::Icons.configuration.fallback_to_api
-
-        ApiClient.fetch_icon(set_prefix, icon_name)
-      end
     end
   end
 end

data/lib/kiso/icons/version.rb

@@ -2,6 +2,6 @@
 
 module Kiso
   module Icons
-    VERSION = "0.2.0.pre"
+    VERSION = "0.3.0.pre"
   end
 end

data/lib/kiso/icons.rb

@@ -19,6 +19,10 @@ module Kiso
         @resolver ||= Resolver.new
       end
 
+      def logger
+        configuration.logger
+      end
+
       def cache
         @cache ||= Cache.new
       end
@@ -42,5 +46,4 @@ require "kiso/icons/cache"
 require "kiso/icons/set"
 require "kiso/icons/resolver"
 require "kiso/icons/renderer"
-require "kiso/icons/api_client"
 require "kiso/icons/railtie" if defined?(Rails::Railtie)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kiso-icons
 version: !ruby/object:Gem::Version
-  version: 0.2.0.pre
+  version: 0.3.0.pre
 platform: ruby
 authors:
 - Steve Clarke
@@ -68,7 +68,6 @@ files:
 - lib/install/install.rb
 - lib/kiso-icons.rb
 - lib/kiso/icons.rb
-- lib/kiso/icons/api_client.rb
 - lib/kiso/icons/cache.rb
 - lib/kiso/icons/commands.rb
 - lib/kiso/icons/configuration.rb

data/lib/kiso/icons/api_client.rb

@@ -1,79 +0,0 @@
-# frozen_string_literal: true
-
-require "net/http"
-require "uri"
-require "json"
-
-module Kiso
-  module Icons
-    class ApiClient
-      API_BASE = "https://api.iconify.design"
-      TIMEOUT = 5
-
-      class << self
-        def fetch_icon(set_prefix, icon_name)
-          start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
-
-          uri = URI("#{API_BASE}/#{set_prefix}/#{icon_name}.json")
-          response = make_request(uri)
-          return nil unless response
-
-          data = JSON.parse(response.body)
-          return nil unless data["body"]
-
-          elapsed_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time) * 1000).round
-
-          warn_to_pin(set_prefix, icon_name, elapsed_ms)
-
-          {
-            body: data["body"],
-            width: data["width"] || 24,
-            height: data["height"] || 24
-          }
-        rescue JSON::ParserError => e
-          warn "[Kiso::Icons] Failed to parse API response for #{set_prefix}:#{icon_name}: #{e.message}"
-          nil
-        end
-
-        private
-
-        def make_request(uri)
-          http = Net::HTTP.new(uri.host, uri.port)
-          http.use_ssl = true
-          http.open_timeout = TIMEOUT
-          http.read_timeout = TIMEOUT
-
-          request = Net::HTTP::Get.new(uri)
-          request["Accept"] = "application/json"
-
-          response = http.request(request)
-
-          case response
-          when Net::HTTPSuccess then response
-          when Net::HTTPNotFound then nil
-          else
-            warn "[Kiso::Icons] API returned #{response.code} for #{uri}"
-            nil
-          end
-        rescue Net::OpenTimeout, Net::ReadTimeout
-          warn "[Kiso::Icons] API timeout for #{uri} (#{TIMEOUT}s)"
-          nil
-        rescue SocketError, Errno::ECONNREFUSED => e
-          warn "[Kiso::Icons] Network error: #{e.message}"
-          nil
-        end
-
-        def warn_to_pin(set_prefix, icon_name, elapsed_ms)
-          message = "[Kiso::Icons] Fetched #{set_prefix}:#{icon_name} from Iconify API (#{elapsed_ms}ms).\n" \
-            "  Pin this set for offline use: bin/kiso-icons pin #{set_prefix}"
-
-          if defined?(Rails) && defined?(Rails.logger)
-            Rails.logger.debug { message }
-          else
-            warn message
-          end
-        end
-      end
-    end
-  end
-end