npm - @blamejs/blamejs-shop - Versions diffs - 0.0.105 → 0.0.106 - Mend

@blamejs/blamejs-shop 0.0.105 → 0.0.106

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/CHANGELOG.md +2 -0
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 ## v0.0.x
+- v0.0.106 (2026-05-23) — **RFC 9116 `/.well-known/security.txt` served from the edge.** Vulnerability researchers, automated scanners, and bug-bounty platforms look for `/.well-known/security.txt` (RFC 9116) before opening an unsolicited email to a generic address. The Worker now serves the canonical text with `Contact`, `Expires`, `Encryption`, `Policy`, and `Preferred-Languages` fields. Contact points at `security@blamejs.shop` and the GitHub Security Advisories private-disclosure URL; Policy points at the repo's `SECURITY.md`. Cached `public, max-age=3600, s-maxage=86400`. **Added:** *`/.well-known/security.txt` — RFC 9116 vulnerability-disclosure metadata* — The Worker emits the canonical text with five fields. `Contact: mailto:security@blamejs.shop` + `Contact: https://github.com/blamejs/blamejs.shop/security/advisories/new` (private-disclosure path through GitHub Security Advisories — researchers don't have to email to start a disclosure). `Expires:` is set to one year from response time so crawlers don't refetch constantly. `Policy: https://github.com/blamejs/blamejs.shop/blob/main/SECURITY.md` points at the in-repo disclosure policy. `Preferred-Languages: en`. Every line ends `\r\n` per the RFC. Carries the full security-header set + 1h browser / 24h edge cache.
 - v0.0.105 (2026-05-23) — **Per-route Link preloads — PDP carries its hero image in the HTTP/103 Early Hints frame.** `_html(body, method, env, preloads)` now accepts an extra `preloads` array of `{ href, as }` entries — Worker render handlers can append per-route preload hints alongside the always-present theme-stylesheet preload introduced in v0.0.103. `_edgeProduct` uses the new shape to pass the first media row's image URL as `rel=preload; as=image`, so Cloudflare's HTTP/103 Early Hints frame on a PDP carries both the stylesheet AND the hero image. The browser starts both fetches before the HTML body finishes streaming — cuts product-page LCP by another ~100-200ms on a typical render with a large hero. **Added:** *`_html` accepts per-route preloads via a 4th `preloads` array argument* — `_earlyHintsLink(env, extras)` merges the always-on theme-stylesheet preload with any caller-supplied `{ href, as }` entries into a single comma-separated Link header. Cloudflare's edge promotes the full header to multiple HTTP/103 Early Hints frame entries. Per-route preloads cost zero render time (already part of the response headers); the browser-side fetch starts during the round-trip the HTML body is using. · *`_edgeProduct` preloads the first media row's hero image* — The PDP's LCP element is almost always the hero image. The handler now appends `{ href: "/assets/<r2_key>", as: "image" }` to the `_html` preloads when the product has media; products without media render the placeholder letter-mark without a network fetch (no preload needed). Combined with the v0.0.103 theme-stylesheet preload, the HTTP/103 frame on a PDP carries both critical-path assets.
 - v0.0.104 (2026-05-23) — **Organization + WebSite + BreadcrumbList Schema.org JSON-LD — three more rich-result types covered.** Home page now emits Organization (Google knowledge-panel + logo + social link) and WebSite (sitelinks search box pointing at `/search?q=`) JSON-LD blocks. Product detail page gains a BreadcrumbList block matching the on-page `<nav class="breadcrumb">` markup. All three compose through the existing `jsonLdScript` helper from `worker/render/_lib.js`. Combined with the Product + Article blocks from v0.0.94, the storefront now ships five distinct Schema.org graph types — Product / Article / Organization / WebSite / BreadcrumbList — across the routes Google's rich-result tester maps. **Added:** *Organization + WebSite JSON-LD on `/`* — `worker/render/home.js#renderHome` appends two `<script type="application/ld+json">` blocks to the body. Organization: `name` + `url` + `logo` + `sameAs` (GitHub mirror) — surfaces in Google's knowledge-panel result. WebSite: `potentialAction` with a `SearchAction` template at `/search?q={search_term_string}` so Google's sitelinks search box hands queries directly to the storefront's search route. · *BreadcrumbList JSON-LD on `/products/:slug`* — `worker/render/product.js#renderProduct` appends a BreadcrumbList block alongside the existing Product block. Two positions: `Shop` (`/`) → `<product title>` (`/products/<slug>`) — matches the on-page breadcrumb nav. Google's product-rich-result panel renders this above the title.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.105",
+  "version": "0.0.106",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {