@nativewindow/webview 1.0.1 → 1.0.2

package/dist/index.js

@@ -1,406 +1,392 @@
-import { NativeWindow as NativeWindow$1, init, pumpEvents } from "../native-window.js";
-import { checkRuntime, ensureRuntime, loadHtmlOrigin } from "../native-window.js";
-let _pump = null;
-let _windowCount = 0;
+import { NativeWindow as NativeWindow$1, checkRuntime, ensureRuntime, init, loadHtmlOrigin, pumpEvents } from "../native-window.js";
+//#region index.ts
+var _pump = null;
+var _windowCount = 0;
 function ensureInit() {
-  if (_pump) return;
-  init();
-  _pump = setInterval(() => {
-    try {
-      pumpEvents();
-    } catch (e) {
-      console.error("[native-window] pumpEvents() error:", e);
-    }
-  }, 16);
+	if (_pump) return;
+	init();
+	_pump = setInterval(() => {
+		try {
+			pumpEvents();
+		} catch (e) {
+			console.error("[native-window] pumpEvents() error:", e);
+		}
+	}, 16);
 }
 function stopPump() {
-  if (_pump) {
-    clearInterval(_pump);
-    _pump = null;
-  }
-}
-class NativeWindow {
-  /** @internal */
-  _native;
-  /** @internal */
-  _closed = false;
-  /** @internal */
-  _unsafe;
-  /** @internal */
-  _devtools;
-  constructor(options) {
-    ensureInit();
-    _windowCount++;
-    this._native = new NativeWindow$1(options);
-    this._native.onClose(() => this._handleClose());
-  }
-  /** @internal */
-  _handleClose() {
-    if (this._closed) return;
-    this._closed = true;
-    _windowCount--;
-    this._userCloseCallback?.();
-    if (_windowCount <= 0) {
-      _windowCount = 0;
-      setTimeout(() => stopPump(), 200);
-    }
-  }
-  /**
-   * Throws if the window has been closed.
-   * @internal
-   */
-  _ensureOpen() {
-    if (this._closed) {
-      throw new Error("Window is closed");
-    }
-  }
-  // ---- onClose with user callback support ----
-  _userCloseCallback;
-  /**
-   * Register a handler for the window close event.
-   * The pump is automatically stopped when all windows are closed.
-   *
-   * Calling this multiple times replaces the previous handler.
-   */
-  onClose(callback) {
-    if (this._userCloseCallback) {
-      console.warn(
-        "NativeWindow: onClose() called multiple times. The previous handler will be replaced."
-      );
-    }
-    this._userCloseCallback = callback;
-  }
-  // ---- Getters ----
-  /** Unique window ID */
-  get id() {
-    return this._native.id;
-  }
-  // ---- Content loading ----
-  loadUrl(url) {
-    this._ensureOpen();
-    this._native.loadUrl(url);
-  }
-  /**
-   * Load raw HTML content into the webview.
-   *
-   * @security **Injection risk.** Never interpolate unsanitized user input
-   * into HTML strings. Use a dedicated sanitization library such as
-   * [DOMPurify](https://github.com/cure53/DOMPurify) or
-   * [sanitize-html](https://github.com/apostrophecms/sanitize-html) to
-   * sanitize untrusted content before embedding it.
-   */
-  loadHtml(html) {
-    this._ensureOpen();
-    this._native.loadHtml(html);
-  }
-  postMessage(message) {
-    this._ensureOpen();
-    this._native.postMessage(message);
-  }
-  // ---- Unsafe operations ----
-  /**
-   * Namespace for operations that require extra care to avoid injection risks.
-   * Methods under `unsafe` execute arbitrary code in the webview context.
-   *
-   * @security Never pass unsanitized user input to these methods.
-   * Use {@link sanitizeForJs} to escape strings before embedding them in
-   * script code.
-   */
-  get unsafe() {
-    this._ensureOpen();
-    if (!this._unsafe) {
-      this._unsafe = {
-        evaluateJs: (script) => {
-          this._ensureOpen();
-          this._native.evaluateJs(script);
-        }
-      };
-    }
-    return this._unsafe;
-  }
-  // ---- Devtools ----
-  /**
-   * Namespace for controlling the browser devtools panel.
-   * Requires `devtools: true` in {@link WindowOptions} at window creation.
-   *
-   * @example
-   * ```ts
-   * const win = new NativeWindow({ devtools: true });
-   * win.devtools.open();
-   * console.log(win.devtools.isOpen()); // true
-   * win.devtools.close();
-   * ```
-   */
-  get devtools() {
-    this._ensureOpen();
-    if (!this._devtools) {
-      this._devtools = {
-        open: () => {
-          this._ensureOpen();
-          this._native.openDevtools();
-        },
-        close: () => {
-          this._ensureOpen();
-          this._native.closeDevtools();
-        },
-        isOpen: () => {
-          this._ensureOpen();
-          return this._native.isDevtoolsOpen();
-        }
-      };
-    }
-    return this._devtools;
-  }
-  // ---- Window control ----
-  setTitle(title) {
-    this._ensureOpen();
-    this._native.setTitle(title);
-  }
-  setSize(width, height) {
-    this._ensureOpen();
-    this._native.setSize(width, height);
-  }
-  setMinSize(width, height) {
-    this._ensureOpen();
-    this._native.setMinSize(width, height);
-  }
-  setMaxSize(width, height) {
-    this._ensureOpen();
-    this._native.setMaxSize(width, height);
-  }
-  setPosition(x, y) {
-    this._ensureOpen();
-    this._native.setPosition(x, y);
-  }
-  setResizable(resizable) {
-    this._ensureOpen();
-    this._native.setResizable(resizable);
-  }
-  setDecorations(decorations) {
-    this._ensureOpen();
-    this._native.setDecorations(decorations);
-  }
-  setAlwaysOnTop(alwaysOnTop) {
-    this._ensureOpen();
-    this._native.setAlwaysOnTop(alwaysOnTop);
-  }
-  /**
-   * Set the window icon from a PNG or ICO file path.
-   * On macOS this is silently ignored (macOS doesn't support per-window icons).
-   * Relative paths resolve from the working directory.
-   */
-  setIcon(path) {
-    this._ensureOpen();
-    this._native.setIcon(path);
-  }
-  // ---- Window state ----
-  show() {
-    this._ensureOpen();
-    this._native.show();
-  }
-  hide() {
-    this._ensureOpen();
-    this._native.hide();
-  }
-  close() {
-    this._ensureOpen();
-    this._native.close();
-  }
-  focus() {
-    this._ensureOpen();
-    this._native.focus();
-  }
-  maximize() {
-    this._ensureOpen();
-    this._native.maximize();
-  }
-  minimize() {
-    this._ensureOpen();
-    this._native.minimize();
-  }
-  unmaximize() {
-    this._ensureOpen();
-    this._native.unmaximize();
-  }
-  reload() {
-    this._ensureOpen();
-    this._native.reload();
-  }
-  // ---- Event handlers ----
-  /**
-   * Register a handler for messages from the webview.
-   *
-   * @security **No origin filtering.** The raw `onMessage` API does not
-   * enforce origin restrictions. If your webview navigates to untrusted
-   * URLs, validate the `sourceUrl` parameter before processing messages.
-   * For automatic origin filtering, use `createChannel()` with the
-   * `trustedOrigins` option from `native-window-ipc`.
-   *
-   * @security **No rate limiting.** Messages from the webview are delivered
-   * without throttling. A malicious page can flood the host with messages.
-   * Consider implementing application-level rate limiting if loading
-   * untrusted content.
-   */
-  onMessage(callback) {
-    this._ensureOpen();
-    this._native.onMessage(callback);
-  }
-  onResize(callback) {
-    this._ensureOpen();
-    this._native.onResize(callback);
-  }
-  onMove(callback) {
-    this._ensureOpen();
-    this._native.onMove(callback);
-  }
-  onFocus(callback) {
-    this._ensureOpen();
-    this._native.onFocus(callback);
-  }
-  onBlur(callback) {
-    this._ensureOpen();
-    this._native.onBlur(callback);
-  }
-  onPageLoad(callback) {
-    this._ensureOpen();
-    this._native.onPageLoad(callback);
-  }
-  onTitleChanged(callback) {
-    this._ensureOpen();
-    this._native.onTitleChanged(callback);
-  }
-  onReload(callback) {
-    this._ensureOpen();
-    this._native.onReload(callback);
-  }
-  /**
-   * Register a handler for blocked navigation events.
-   * Fired when a navigation is blocked by the {@link WindowOptions.allowedHosts}
-   * restriction. Receives the URL that was blocked.
-   *
-   * @example
-   * ```ts
-   * win.onNavigationBlocked((url) => {
-   *   console.log("Blocked navigation to:", url);
-   * });
-   * ```
-   */
-  onNavigationBlocked(callback) {
-    this._ensureOpen();
-    this._native.onNavigationBlocked(callback);
-  }
-  // ---- Cookie access ----
-  /**
-   * Validate and parse a raw cookies JSON array from the native layer.
-   * Returns a cleaned {@link CookieInfo} array or `null` if the payload
-   * is malformed.
-   *
-   * @internal
-   */
-  _validateCookies(raw) {
-    let parsed;
-    try {
-      parsed = JSON.parse(raw);
-    } catch {
-      return null;
-    }
-    if (!Array.isArray(parsed)) return null;
-    const cookies = [];
-    for (const item of parsed) {
-      if (typeof item !== "object" || item === null) continue;
-      const obj = item;
-      if (typeof obj.name !== "string" || typeof obj.value !== "string") {
-        continue;
-      }
-      if (typeof obj.domain !== "string" || typeof obj.path !== "string") {
-        continue;
-      }
-      if (typeof obj.httpOnly !== "boolean" || typeof obj.secure !== "boolean") {
-        continue;
-      }
-      if (typeof obj.sameSite !== "string" || typeof obj.expires !== "number") {
-        continue;
-      }
-      cookies.push({
-        name: obj.name,
-        value: obj.value,
-        domain: obj.domain,
-        path: obj.path,
-        httpOnly: obj.httpOnly,
-        secure: obj.secure,
-        sameSite: obj.sameSite,
-        expires: obj.expires
-      });
-    }
-    return cookies;
-  }
-  /**
-   * Query cookies from the native cookie store.
-   *
-   * Returns a Promise that resolves with validated {@link CookieInfo} objects,
-   * including `HttpOnly` cookies that are invisible to `document.cookie`.
-   *
-   * - **macOS**: Uses `WKHTTPCookieStore.getAllCookies` with client-side
-   *   URL filtering (domain + path match).
-   * - **Windows**: Uses `ICoreWebView2CookieManager.GetCookies` which
-   *   filters by URI natively.
-   *
-   * @param url  If provided, only cookies matching this URL are returned.
-   *             If omitted, all cookies in the webview's cookie store are returned.
-   *
-   * @example
-   * ```ts
-   * const cookies = await win.getCookies("https://example.com");
-   * const session = cookies.find((c) => c.name === "session_id");
-   * if (session) console.log("Session:", session.value, "HttpOnly:", session.httpOnly);
-   * ```
-   */
-  getCookies(url) {
-    this._ensureOpen();
-    return new Promise((resolve, reject) => {
-      const timeout = setTimeout(() => {
-        reject(new Error("getCookies() timed out after 10 seconds"));
-      }, 1e4);
-      this._native.onCookies((raw) => {
-        clearTimeout(timeout);
-        const validated = this._validateCookies(raw);
-        if (validated) {
-          resolve(validated);
-        } else {
-          reject(new Error("Failed to parse cookie response"));
-        }
-      });
-      this._native.getCookies(url);
-    });
-  }
-  /**
-   * Clear cookies from the native cookie store.
-   *
-   * - If `host` is provided, only cookies whose domain matches that host
-   *   are deleted (e.g. `"example.com"` deletes `.example.com` cookies).
-   * - If omitted, all cookies in the webview's cookie store are cleared.
-   *
-   * @example
-   * ```ts
-   * // Clear all cookies
-   * win.clearCookies();
-   *
-   * // Clear cookies for a specific host
-   * win.clearCookies("example.com");
-   * ```
-   */
-  clearCookies(host) {
-    this._ensureOpen();
-    this._native.clearCookies(host);
-  }
+	if (_pump) {
+		clearInterval(_pump);
+		_pump = null;
+	}
 }
+/**
+* A native OS window with an embedded webview.
+*
+* Automatically initializes the native subsystem and starts pumping
+* events on first construction. Stops the pump when all windows close.
+*/
+var NativeWindow = class {
+	/** @internal */
+	_native;
+	/** @internal */
+	_closed = false;
+	/** @internal */
+	_unsafe;
+	/** @internal */
+	_devtools;
+	constructor(options) {
+		ensureInit();
+		_windowCount++;
+		this._native = new NativeWindow$1(options);
+		this._native.onClose(() => this._handleClose());
+	}
+	/** @internal */
+	_handleClose() {
+		if (this._closed) return;
+		this._closed = true;
+		_windowCount--;
+		this._userCloseCallback?.();
+		if (_windowCount <= 0) {
+			_windowCount = 0;
+			setTimeout(() => stopPump(), 200);
+		}
+	}
+	/**
+	* Throws if the window has been closed.
+	* @internal
+	*/
+	_ensureOpen() {
+		if (this._closed) throw new Error("Window is closed");
+	}
+	_userCloseCallback;
+	/**
+	* Register a handler for the window close event.
+	* The pump is automatically stopped when all windows are closed.
+	*
+	* Calling this multiple times replaces the previous handler.
+	*/
+	onClose(callback) {
+		if (this._userCloseCallback) console.warn("NativeWindow: onClose() called multiple times. The previous handler will be replaced.");
+		this._userCloseCallback = callback;
+	}
+	/** Unique window ID */
+	get id() {
+		return this._native.id;
+	}
+	loadUrl(url) {
+		this._ensureOpen();
+		this._native.loadUrl(url);
+	}
+	/**
+	* Load raw HTML content into the webview.
+	*
+	* @security **Injection risk.** Never interpolate unsanitized user input
+	* into HTML strings. Use a dedicated sanitization library such as
+	* [DOMPurify](https://github.com/cure53/DOMPurify) or
+	* [sanitize-html](https://github.com/apostrophecms/sanitize-html) to
+	* sanitize untrusted content before embedding it.
+	*/
+	loadHtml(html) {
+		this._ensureOpen();
+		this._native.loadHtml(html);
+	}
+	postMessage(message) {
+		this._ensureOpen();
+		this._native.postMessage(message);
+	}
+	/**
+	* Namespace for operations that require extra care to avoid injection risks.
+	* Methods under `unsafe` execute arbitrary code in the webview context.
+	*
+	* @security Never pass unsanitized user input to these methods.
+	* Use {@link sanitizeForJs} to escape strings before embedding them in
+	* script code.
+	*/
+	get unsafe() {
+		this._ensureOpen();
+		if (!this._unsafe) this._unsafe = { evaluateJs: (script) => {
+			this._ensureOpen();
+			this._native.evaluateJs(script);
+		} };
+		return this._unsafe;
+	}
+	/**
+	* Namespace for controlling the browser devtools panel.
+	* Requires `devtools: true` in {@link WindowOptions} at window creation.
+	*
+	* @example
+	* ```ts
+	* const win = new NativeWindow({ devtools: true });
+	* win.devtools.open();
+	* console.log(win.devtools.isOpen()); // true
+	* win.devtools.close();
+	* ```
+	*/
+	get devtools() {
+		this._ensureOpen();
+		if (!this._devtools) this._devtools = {
+			open: () => {
+				this._ensureOpen();
+				this._native.openDevtools();
+			},
+			close: () => {
+				this._ensureOpen();
+				this._native.closeDevtools();
+			},
+			isOpen: () => {
+				this._ensureOpen();
+				return this._native.isDevtoolsOpen();
+			}
+		};
+		return this._devtools;
+	}
+	setTitle(title) {
+		this._ensureOpen();
+		this._native.setTitle(title);
+	}
+	setSize(width, height) {
+		this._ensureOpen();
+		this._native.setSize(width, height);
+	}
+	setMinSize(width, height) {
+		this._ensureOpen();
+		this._native.setMinSize(width, height);
+	}
+	setMaxSize(width, height) {
+		this._ensureOpen();
+		this._native.setMaxSize(width, height);
+	}
+	setPosition(x, y) {
+		this._ensureOpen();
+		this._native.setPosition(x, y);
+	}
+	setResizable(resizable) {
+		this._ensureOpen();
+		this._native.setResizable(resizable);
+	}
+	setDecorations(decorations) {
+		this._ensureOpen();
+		this._native.setDecorations(decorations);
+	}
+	setAlwaysOnTop(alwaysOnTop) {
+		this._ensureOpen();
+		this._native.setAlwaysOnTop(alwaysOnTop);
+	}
+	/**
+	* Set the window icon from a PNG or ICO file path.
+	* On macOS this is silently ignored (macOS doesn't support per-window icons).
+	* Relative paths resolve from the working directory.
+	*/
+	setIcon(path) {
+		this._ensureOpen();
+		this._native.setIcon(path);
+	}
+	show() {
+		this._ensureOpen();
+		this._native.show();
+	}
+	hide() {
+		this._ensureOpen();
+		this._native.hide();
+	}
+	close() {
+		this._ensureOpen();
+		this._native.close();
+	}
+	focus() {
+		this._ensureOpen();
+		this._native.focus();
+	}
+	maximize() {
+		this._ensureOpen();
+		this._native.maximize();
+	}
+	minimize() {
+		this._ensureOpen();
+		this._native.minimize();
+	}
+	unmaximize() {
+		this._ensureOpen();
+		this._native.unmaximize();
+	}
+	reload() {
+		this._ensureOpen();
+		this._native.reload();
+	}
+	/**
+	* Register a handler for messages from the webview.
+	*
+	* @security **No origin filtering.** The raw `onMessage` API does not
+	* enforce origin restrictions. If your webview navigates to untrusted
+	* URLs, validate the `sourceUrl` parameter before processing messages.
+	* For automatic origin filtering, use `createChannel()` with the
+	* `trustedOrigins` option from `native-window-ipc`.
+	*
+	* @security **No rate limiting.** Messages from the webview are delivered
+	* without throttling. A malicious page can flood the host with messages.
+	* Consider implementing application-level rate limiting if loading
+	* untrusted content.
+	*/
+	onMessage(callback) {
+		this._ensureOpen();
+		this._native.onMessage(callback);
+	}
+	onResize(callback) {
+		this._ensureOpen();
+		this._native.onResize(callback);
+	}
+	onMove(callback) {
+		this._ensureOpen();
+		this._native.onMove(callback);
+	}
+	onFocus(callback) {
+		this._ensureOpen();
+		this._native.onFocus(callback);
+	}
+	onBlur(callback) {
+		this._ensureOpen();
+		this._native.onBlur(callback);
+	}
+	onPageLoad(callback) {
+		this._ensureOpen();
+		this._native.onPageLoad(callback);
+	}
+	onTitleChanged(callback) {
+		this._ensureOpen();
+		this._native.onTitleChanged(callback);
+	}
+	onReload(callback) {
+		this._ensureOpen();
+		this._native.onReload(callback);
+	}
+	/**
+	* Register a handler for blocked navigation events.
+	* Fired when a navigation is blocked by the {@link WindowOptions.allowedHosts}
+	* restriction. Receives the URL that was blocked.
+	*
+	* @example
+	* ```ts
+	* win.onNavigationBlocked((url) => {
+	*   console.log("Blocked navigation to:", url);
+	* });
+	* ```
+	*/
+	onNavigationBlocked(callback) {
+		this._ensureOpen();
+		this._native.onNavigationBlocked(callback);
+	}
+	/**
+	* Validate and parse a raw cookies JSON array from the native layer.
+	* Returns a cleaned {@link CookieInfo} array or `null` if the payload
+	* is malformed.
+	*
+	* @internal
+	*/
+	_validateCookies(raw) {
+		let parsed;
+		try {
+			parsed = JSON.parse(raw);
+		} catch {
+			return null;
+		}
+		if (!Array.isArray(parsed)) return null;
+		const cookies = [];
+		for (const item of parsed) {
+			if (typeof item !== "object" || item === null) continue;
+			const obj = item;
+			if (typeof obj.name !== "string" || typeof obj.value !== "string") continue;
+			if (typeof obj.domain !== "string" || typeof obj.path !== "string") continue;
+			if (typeof obj.httpOnly !== "boolean" || typeof obj.secure !== "boolean") continue;
+			if (typeof obj.sameSite !== "string" || typeof obj.expires !== "number") continue;
+			cookies.push({
+				name: obj.name,
+				value: obj.value,
+				domain: obj.domain,
+				path: obj.path,
+				httpOnly: obj.httpOnly,
+				secure: obj.secure,
+				sameSite: obj.sameSite,
+				expires: obj.expires
+			});
+		}
+		return cookies;
+	}
+	/**
+	* Query cookies from the native cookie store.
+	*
+	* Returns a Promise that resolves with validated {@link CookieInfo} objects,
+	* including `HttpOnly` cookies that are invisible to `document.cookie`.
+	*
+	* - **macOS**: Uses `WKHTTPCookieStore.getAllCookies` with client-side
+	*   URL filtering (domain + path match).
+	* - **Windows**: Uses `ICoreWebView2CookieManager.GetCookies` which
+	*   filters by URI natively.
+	*
+	* @param url  If provided, only cookies matching this URL are returned.
+	*             If omitted, all cookies in the webview's cookie store are returned.
+	*
+	* @example
+	* ```ts
+	* const cookies = await win.getCookies("https://example.com");
+	* const session = cookies.find((c) => c.name === "session_id");
+	* if (session) console.log("Session:", session.value, "HttpOnly:", session.httpOnly);
+	* ```
+	*/
+	getCookies(url) {
+		this._ensureOpen();
+		return new Promise((resolve, reject) => {
+			const timeout = setTimeout(() => {
+				reject(/* @__PURE__ */ new Error("getCookies() timed out after 10 seconds"));
+			}, 1e4);
+			this._native.onCookies((raw) => {
+				clearTimeout(timeout);
+				const validated = this._validateCookies(raw);
+				if (validated) resolve(validated);
+				else reject(/* @__PURE__ */ new Error("Failed to parse cookie response"));
+			});
+			this._native.getCookies(url);
+		});
+	}
+	/**
+	* Clear cookies from the native cookie store.
+	*
+	* - If `host` is provided, only cookies whose domain matches that host
+	*   are deleted (e.g. `"example.com"` deletes `.example.com` cookies).
+	* - If omitted, all cookies in the webview's cookie store are cleared.
+	*
+	* @example
+	* ```ts
+	* // Clear all cookies
+	* win.clearCookies();
+	*
+	* // Clear cookies for a specific host
+	* win.clearCookies("example.com");
+	* ```
+	*/
+	clearCookies(host) {
+		this._ensureOpen();
+		this._native.clearCookies(host);
+	}
+};
+/**
+* Escape a string for safe embedding inside a JavaScript string literal.
+* Handles backslashes, double quotes, newlines, carriage returns, null
+* bytes, closing `<\/script>` tags, Unicode line/paragraph separators
+* (U+2028, U+2029), backticks, and `${` template expressions.
+*
+* Safe for use in double-quoted, single-quoted, and template literal
+* contexts.
+*
+* @example
+* ```ts
+* import { NativeWindow, sanitizeForJs } from "native-window";
+*
+* const userInput = 'He said "hello"\n<script>alert(1)<\/script>';
+* win.unsafe.evaluateJs(`display("${sanitizeForJs(userInput)}")`);
+* ```
+*/
 function sanitizeForJs(input) {
-  return JSON.stringify(input).slice(1, -1).replace(/<\/script>/gi, "<\\/script>").replace(/`/g, "\\`").replace(/\$\{/g, "\\${");
+	return JSON.stringify(input).slice(1, -1).replace(/<\/script>/gi, "<\\/script>").replace(/`/g, "\\`").replace(/\$\{/g, "\\${");
 }
-export {
-  NativeWindow,
-  checkRuntime,
-  ensureRuntime,
-  loadHtmlOrigin,
-  sanitizeForJs
-};
+//#endregion
+export { NativeWindow, checkRuntime, ensureRuntime, loadHtmlOrigin, sanitizeForJs };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nativewindow/webview",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Native OS webview windows for Bun & Node.js (beta)",
   "homepage": "https://nativewindow.fcannizzaro.com",
   "bugs": {
@@ -34,34 +34,40 @@
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "import": "./dist/index.js"
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
     }
   },
   "scripts": {
     "build": "napi build --release --platform && vite build",
     "build:debug": "napi build --platform && vite build",
     "build:ts": "vite build",
-    "version": "napi version"
+    "version": "napi version",
+    "fuzz": "cargo +nightly fuzz list --fuzz-dir fuzz",
+    "fuzz:json-escape": "cargo +nightly fuzz run fuzz_json_escape --fuzz-dir fuzz",
+    "fuzz:extract-origin": "cargo +nightly fuzz run fuzz_extract_origin --fuzz-dir fuzz",
+    "fuzz:host-matching": "cargo +nightly fuzz run fuzz_host_matching --fuzz-dir fuzz",
+    "fuzz:url-scheme": "cargo +nightly fuzz run fuzz_url_scheme --fuzz-dir fuzz"
   },
   "dependencies": {
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@napi-rs/cli": "^3.0.0",
+    "@napi-rs/cli": "^3.6.0",
     "@types/bun": "^1.3.9",
-    "vite": "^7.3.1",
+    "vite": "^8.0.3",
     "vite-plugin-dts": "^4.5.4"
   },
   "peerDependencies": {
-    "typescript": "^5"
+    "typescript": "^6.0.2"
   },
   "optionalDependencies": {
-    "@nativewindow/webview-darwin-arm64": "1.0.1",
-    "@nativewindow/webview-darwin-x64": "1.0.1",
-    "@nativewindow/webview-linux-arm64-gnu": "1.0.1",
-    "@nativewindow/webview-linux-x64-gnu": "1.0.1",
-    "@nativewindow/webview-win32-arm64-msvc": "1.0.1",
-    "@nativewindow/webview-win32-x64-msvc": "1.0.1"
+    "@nativewindow/webview-darwin-arm64": "1.0.2",
+    "@nativewindow/webview-darwin-x64": "1.0.2",
+    "@nativewindow/webview-linux-arm64-gnu": "1.0.2",
+    "@nativewindow/webview-linux-x64-gnu": "1.0.2",
+    "@nativewindow/webview-win32-arm64-msvc": "1.0.2",
+    "@nativewindow/webview-win32-x64-msvc": "1.0.2"
   },
   "napi": {
     "binaryName": "native-window",