@exxatdesignux/ui 0.5.0 → 0.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +40 -0
- package/dist/components/ui/banner.d.ts +2 -2
- package/package.json +1 -1
- package/tokens/hooks-index.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,45 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.5.1
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- [`06bd06a`](https://github.com/ExxatDesign/Exxat-DS-Workspace/commit/06bd06a6ce5ebbe7ee9aba7c16c9329b4f9bdb5f) - **Scaffolded template (`create-exxat-app`) — add `overrides` / `pnpm.overrides` for `postcss` + `ws`**
|
|
8
|
+
|
|
9
|
+
A fresh `pnpm dlx create-exxat-app my-app` (or `npx --package=@exxatdesignux/ui exxat-ui init`) was producing an app that `npm audit` reported as having **4 moderate severity vulnerabilities** on first install:
|
|
10
|
+
|
|
11
|
+
| Advisory | Vulnerable transitive | Pulled in by |
|
|
12
|
+
| ------------------------------------------------------------------- | --------------------- | ------------------------------------------- |
|
|
13
|
+
| GHSA-qx2v-qp2m-jg93 (XSS via unescaped `</style>` in CSS stringify) | `postcss <8.5.10` | `next@16.2.6` (only published 16.x release) |
|
|
14
|
+
| GHSA-58qx-3vcg-4xpx (uninitialized memory disclosure) | `ws@8.0.0 - 8.20.0` | `pm2@^7.0.1` (only published 7.x release) |
|
|
15
|
+
|
|
16
|
+
`npm audit fix --force` would have _downgraded_ `next` to 9.3.3 and `pm2` to 6.0.14 — both major regressions. The actual upstream fixes haven't shipped yet, so the correct mitigation is package-manager overrides that force the resolver to pick a safer version of the transitive dep without touching the parents.
|
|
17
|
+
|
|
18
|
+
Added to `packages/ui/template/package.json`:
|
|
19
|
+
|
|
20
|
+
```json
|
|
21
|
+
"overrides": {
|
|
22
|
+
"postcss": "$postcss",
|
|
23
|
+
"ws": "^8.20.1"
|
|
24
|
+
},
|
|
25
|
+
"pnpm": {
|
|
26
|
+
"overrides": {
|
|
27
|
+
"postcss@<8.5.10": "^8.5.14",
|
|
28
|
+
"ws@<8.20.1": "^8.20.1"
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
The `"postcss": "$postcss"` reference uses npm's special syntax that aliases the override to the direct devDep version (`^8.5.14`, already safe), avoiding the `EOVERRIDE` "conflicts with direct dependency" error. pnpm doesn't support `$name`, so we use its semver-range targeting (`@<8.5.10`) which fires only on the vulnerable subset and keeps newer versions unaffected.
|
|
34
|
+
|
|
35
|
+
After the fix: fresh scaffolds report `npm audit: found 0 vulnerabilities` and install ~4s faster from dedup (951 → 947 packages).
|
|
36
|
+
|
|
37
|
+
Workspace-internal apps (`apps/web`) are unaffected — the workspace root `package.json` already carries `pnpm.overrides` for these CVEs. Only the template was leaking them to consumers because scaffolded apps don't inherit workspace overrides.
|
|
38
|
+
|
|
39
|
+
**Existing consumers (already-scaffolded apps):** apply the same `overrides` + `pnpm.overrides` blocks to their `package.json` and re-run `npm install` / `pnpm install`. The shipped `consumer-upgrade-checklist.md` will mention this on the next sync.
|
|
40
|
+
|
|
41
|
+
**New consumers:** get the fix automatically on the next `create-exxat-app` invocation once `@exxatdesignux/ui@0.5.1` is published.
|
|
42
|
+
|
|
3
43
|
## 0.5.0
|
|
4
44
|
|
|
5
45
|
### Minor Changes
|
|
@@ -4,7 +4,7 @@ import * as React from 'react';
|
|
|
4
4
|
import { VariantProps } from 'class-variance-authority';
|
|
5
5
|
|
|
6
6
|
declare const systemBannerVariants: (props?: ({
|
|
7
|
-
variant?: "
|
|
7
|
+
variant?: "error" | "success" | "warning" | "info" | "promo" | null | undefined;
|
|
8
8
|
emphasis?: "prominent" | "subtle" | null | undefined;
|
|
9
9
|
actionPosition?: "inline" | "bottom" | null | undefined;
|
|
10
10
|
} & class_variance_authority_types.ClassProp) | undefined) => string;
|
|
@@ -32,7 +32,7 @@ interface SystemBannerProps extends React.HTMLAttributes<HTMLDivElement>, Varian
|
|
|
32
32
|
}
|
|
33
33
|
declare function SystemBanner({ children, title, variant, emphasis, dismissible, onDismiss, action, actionPosition, icon, decorativeOverlay, className, style, ...props }: SystemBannerProps): react_jsx_runtime.JSX.Element | null;
|
|
34
34
|
declare const localBannerVariants: (props?: ({
|
|
35
|
-
variant?: "
|
|
35
|
+
variant?: "error" | "success" | "warning" | "info" | "promo" | null | undefined;
|
|
36
36
|
} & class_variance_authority_types.ClassProp) | undefined) => string;
|
|
37
37
|
interface LocalBannerProps extends React.HTMLAttributes<HTMLDivElement>, VariantProps<typeof localBannerVariants> {
|
|
38
38
|
/** Banner title (optional) */
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@exxatdesignux/ui",
|
|
3
|
-
"version": "0.5.
|
|
3
|
+
"version": "0.5.1",
|
|
4
4
|
"description": "Exxat shared design system (components, hooks, tokens). Monorepo setup: clone repo then pnpm bootstrap at workspace root — see github.com/ExxatDesign/Exxat-DS-Workspace README.",
|
|
5
5
|
"license": "UNLICENSED",
|
|
6
6
|
"author": "Exxat Design",
|
package/tokens/hooks-index.json
CHANGED