@blamejs/blamejs-shop 0.0.106 → 0.0.107
- package/CHANGELOG.md +2 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.0.x
|
|
10
10
|
|
|
11
|
+
- v0.0.107 (2026-05-23) — **`X-Robots-Tag: noindex, nofollow` on `/cart` — crawlers stop indexing the session-bound empty-state.** The guest `/cart` route ships an empty-cart render at the edge for visitors without a session cookie. Crawlers reaching the page were indexing it as if it were content; the empty-state snippet ("Your cart is empty") was appearing in SERPs as a stale search result for unrelated queries. The handler now sets `X-Robots-Tag: noindex, nofollow` on the response so well-behaved crawlers skip indexing. `robots.txt` already `Disallow`s the route — the response header is belt-and-suspenders. **Changed:** *`_edgeCartEmpty` sets `X-Robots-Tag: noindex, nofollow`* — The handler now builds its own Response (instead of routing through `_html`) so the response carries the X-Robots-Tag header alongside the full security-header set + Link preload + minification. Per-route headers compose cleanly without changing `_html`'s signature for one outlier.
|
|
12
|
+
|
|
11
13
|
- v0.0.106 (2026-05-23) — **RFC 9116 `/.well-known/security.txt` served from the edge.** Vulnerability researchers, automated scanners, and bug-bounty platforms look for `/.well-known/security.txt` (RFC 9116) before opening an unsolicited email to a generic address. The Worker now serves the canonical text with `Contact`, `Expires`, `Encryption`, `Policy`, and `Preferred-Languages` fields. Contact points at `security@blamejs.shop` and the GitHub Security Advisories private-disclosure URL; Policy points at the repo's `SECURITY.md`. Cached `public, max-age=3600, s-maxage=86400`. **Added:** *`/.well-known/security.txt` — RFC 9116 vulnerability-disclosure metadata* — The Worker emits the canonical text with five fields. `Contact: mailto:security@blamejs.shop` + `Contact: https://github.com/blamejs/blamejs.shop/security/advisories/new` (private-disclosure path through GitHub Security Advisories — researchers don't have to email to start a disclosure). `Expires:` is set to one year from response time so crawlers don't refetch constantly. `Policy: https://github.com/blamejs/blamejs.shop/blob/main/SECURITY.md` points at the in-repo disclosure policy. `Preferred-Languages: en`. Every line ends `\r\n` per the RFC. Carries the full security-header set + 1h browser / 24h edge cache.
|
|
12
14
|
|
|
13
15
|
- v0.0.105 (2026-05-23) — **Per-route Link preloads — PDP carries its hero image in the HTTP/103 Early Hints frame.** `_html(body, method, env, preloads)` now accepts an extra `preloads` array of `{ href, as }` entries — Worker render handlers can append per-route preload hints alongside the always-present theme-stylesheet preload introduced in v0.0.103. `_edgeProduct` uses the new shape to pass the first media row's image URL as `rel=preload; as=image`, so Cloudflare's HTTP/103 Early Hints frame on a PDP carries both the stylesheet AND the hero image. The browser starts both fetches before the HTML body finishes streaming — cuts product-page LCP by another ~100-200ms on a typical render with a large hero. **Added:** *`_html` accepts per-route preloads via a 4th `preloads` array argument* — `_earlyHintsLink(env, extras)` merges the always-on theme-stylesheet preload with any caller-supplied `{ href, as }` entries into a single comma-separated Link header. Cloudflare's edge promotes the full header to multiple HTTP/103 Early Hints frame entries. Per-route preloads cost zero render time (already part of the response headers); the browser-side fetch starts during the round-trip the HTML body is using. · *`_edgeProduct` preloads the first media row's hero image* — The PDP's LCP element is almost always the hero image. The handler now appends `{ href: "/assets/<r2_key>", as: "image" }` to the `_html` preloads when the product has media; products without media render the placeholder letter-mark without a network fetch (no preload needed). Combined with the v0.0.103 theme-stylesheet preload, the HTTP/103 frame on a PDP carries both critical-path assets.
|
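Review bot: In the added v0.0.107 entry, the closing claim that `robots.txt` already `Disallow`s the route and "the response header is belt-and-suspenders" misstates how the two controls combine. A crawler that honors the `Disallow` never requests `/cart`, so it never receives `X-Robots-Tag: noindex, nofollow`; the header only reaches crawlers that fetch the page anyway. The entry itself says the "Your cart is empty" snippet was appearing in results, which means the page was being fetched, so the entry should say which of the two mechanisms is expected to take `/cart` out of the index rather than describing them as layered. Separately, the **Changed** note says `_edgeCartEmpty` now builds its own Response instead of routing through `_html`. The file list shows only `CHANGELOG.md` and `package.json` changing, so that handler is not visible in this diff. The entry should state how the "full security-header set" on this outlier route is kept in step with `_html` when that set changes.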
package/package.json
CHANGED