npm - @normed/bundle - Versions diffs - 4.8.3 → 4.8.6 - Mend

@normed/bundle 4.8.3 → 4.8.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +8 -0
package/bundles/bin/cli.js +128 -42
package/bundles/bin/cli.js.map +3 -3
package/bundles/esbuild-plugins/load_pug.d.ts +11 -0
package/bundles/index.js +128 -42
package/bundles/index.js.map +3 -3
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -6,6 +6,14 @@ Given a version number MAJOR.MINOR.PATCH, increment the:
 2. MINOR version when you add functionality in a backwards compatible manner, and
 3. PATCH version when you make backwards compatible bug fixes.
+# 4.8.6
+* PATCH: Fix pug-to-pug auto-discovery failing for `<a href="...pug">` links (and other elements) because the AST-based asset collector only checked a hardcoded element whitelist. Linking attributes (`src`, `srcset`, `href`) are now matched universally on all elements, with element-specific extras (`video[poster]`, `form[action]`, `object[data]`).
+# 4.8.5
+* PATCH: Fix asset attribute regex in pug plugin incorrectly matching strings inside inline `<script>` blocks. Asset references are now resolved exclusively from the pug AST (via `createAssetCollectorPlugin`), which is element-aware and only matches attributes on actual asset-bearing elements.
 # 4.8.3
 * PATCH: Add `--short` CLI flag and automatic coding agent detection (`CLAUDECODE`, `CURSOR_AGENT`, `AGENT` env vars) for condensed build output — prints file counts instead of file lists. Respects the `NO_COLOR` convention. Internal warnings in the pug plugin now go through the logger instead of `console.warn`.

package/bundles/bin/cli.js CHANGED Viewed

@@ -68797,19 +68797,17 @@ function computeContentHash(content) {
   const num = hash.readUInt32BE(0);
   return num.toString(36).toUpperCase().padStart(8, "0").slice(0, 8);
 }
-var ASSET_ATTRIBUTES = {
-  img: ["src", "srcset"],
-  video: ["src", "poster"],
-  audio: ["src"],
-  source: ["src", "srcset"],
-  link: ["href"],
-  script: ["src"],
+var UNIVERSAL_LINKING_ATTRS = ["src", "srcset", "href"];
+var ELEMENT_SPECIFIC_LINKING_ATTRS = {
+  form: ["action"],
   object: ["data"],
-  embed: ["src"],
-  track: ["src"],
-  input: ["src"]
-  // for type="image"
+  video: ["poster"]
 };
+function getLinkingAttrs(elementName) {
+  if (!elementName) return void 0;
+  const extra = ELEMENT_SPECIFIC_LINKING_ATTRS[elementName];
+  return extra ? [...UNIVERSAL_LINKING_ATTRS, ...extra] : UNIVERSAL_LINKING_ATTRS;
+}
 function isRelativeAssetPath(assetPath) {
   if (!assetPath) return false;
   if (assetPath.startsWith("#")) return false;
@@ -68878,6 +68876,42 @@ function resolvePackagePath(packageSpecifier, fromFile) {
     return null;
   }
 }
+var packageRootCache = /* @__PURE__ */ new Map();
+function findPackageRoot(filePath) {
+  let dir = path5.dirname(path5.resolve(filePath));
+  const cacheKey = dir;
+  if (packageRootCache.has(cacheKey)) return packageRootCache.get(cacheKey);
+  while (true) {
+    if (fs6.existsSync(path5.join(dir, "package.json"))) {
+      packageRootCache.set(cacheKey, dir);
+      return dir;
+    }
+    const parent = path5.dirname(dir);
+    if (parent === dir) {
+      packageRootCache.set(cacheKey, null);
+      return null;
+    }
+    dir = parent;
+  }
+}
+function resolveAssetPath(assetPath, pugDir, srcWebRoot) {
+  if (assetPath.startsWith("/")) {
+    return path5.resolve(srcWebRoot, assetPath.slice(1));
+  }
+  return path5.resolve(pugDir, assetPath);
+}
+function assertWithinAllowedRoots(absolutePath, allowedRoots, originalValue, pugFilePath) {
+  const normalizedPath = path5.resolve(absolutePath);
+  const withinARoot = allowedRoots.some((root) => {
+    const normalizedRoot = path5.resolve(root);
+    return normalizedPath === normalizedRoot || normalizedPath.startsWith(normalizedRoot + path5.sep);
+  });
+  if (!withinARoot) {
+    throw new Error(
+      `Security: asset path "${originalValue}" resolves to "${normalizedPath}" which is outside the allowed source directories [${allowedRoots.join(", ")}]. Referenced in ${pugFilePath}. Use the copy: or build: prefix to resolve via Node module resolution.`
+    );
+  }
+}
 var discoveredPugReferences = /* @__PURE__ */ new Map();
 var discoveredLessReferences = /* @__PURE__ */ new Map();
 var discoveredScriptReferences = /* @__PURE__ */ new Map();
@@ -68912,7 +68946,7 @@ function computeHtmlAssetPath(opts) {
   }
   return path5.relative(opts.htmlOutputDir, opts.absoluteOutput);
 }
-async function processHtmlAssets(html, pugFilePath, options2, webRoot) {
+async function processHtmlAssets(html, pugFilePath, options2, webRoot, collectedReferences = []) {
   const assets = [];
   const pugReferences = [];
   const lessReferences = [];
@@ -68923,30 +68957,24 @@ async function processHtmlAssets(html, pugFilePath, options2, webRoot) {
   const outbase = options2.outbase || path5.dirname(pugFilePath);
   const pugDir = path5.dirname(pugFilePath);
   const publicPath = options2.publicPath || "";
-  const processedAssets = /* @__PURE__ */ new Map();
-  const allAttrs = [...new Set(Object.values(ASSET_ATTRIBUTES).flat())].join(
-    "|"
+  const srcWebRoot = webRoot ? path5.join(outbase, webRoot) : outbase;
+  const normalizedOutbase = path5.resolve(outbase);
+  const normalizedPug = path5.resolve(pugFilePath);
+  const pugWithinOutbase = normalizedPug === normalizedOutbase || normalizedPug.startsWith(normalizedOutbase + path5.sep);
+  const packageRoot = pugWithinOutbase ? null : findPackageRoot(pugFilePath);
+  const allowedRoots = [outbase, packageRoot].filter(
+    (r) => r != null
   );
-  const attrRegex = new RegExp(`(${allAttrs})\\s*=\\s*["']([^"']+)["']`, "gi");
+  const processedAssets = /* @__PURE__ */ new Map();
   let modifiedHtml = html;
-  const matches = [];
-  let match;
-  while ((match = attrRegex.exec(html)) !== null) {
-    const attr = match[1];
-    const value = match[2];
-    if (attr && value) {
-      matches.push({
-        fullMatch: match[0],
-        attr: attr.toLowerCase(),
-        value
-      });
-    }
-  }
+  const matches = collectedReferences.map(
+    (ref) => ({ attr: ref.attr, value: ref.value })
+  );
   const discoveredPugPaths = /* @__PURE__ */ new Set();
   const discoveredLessPaths = /* @__PURE__ */ new Set();
   const discoveredScriptPaths = /* @__PURE__ */ new Set();
   const discoveredPackageCssPaths = /* @__PURE__ */ new Set();
-  for (const { fullMatch, attr, value } of matches) {
+  for (const { attr, value } of matches) {
     let newValue = value;
     if (attr === "srcset") {
       const srcsetParts = value.split(",");
@@ -68959,7 +68987,13 @@ async function processHtmlAssets(html, pugFilePath, options2, webRoot) {
             [getVerbatimPath(assetPath), ...descriptors].filter(Boolean).join(" ")
           );
         } else if (assetPath && isPugReference(assetPath)) {
-          const absolutePath = path5.resolve(pugDir, assetPath);
+          const absolutePath = resolveAssetPath(assetPath, pugDir, srcWebRoot);
+          assertWithinAllowedRoots(
+            absolutePath,
+            allowedRoots,
+            assetPath,
+            pugFilePath
+          );
           if (!discoveredPugPaths.has(absolutePath)) {
             discoveredPugPaths.add(absolutePath);
             pugReferences.push({ originalHref: assetPath, absolutePath });
@@ -68976,6 +69010,8 @@ async function processHtmlAssets(html, pugFilePath, options2, webRoot) {
             publicPath,
             assets,
             processedAssets,
+            srcWebRoot,
+            allowedRoots,
             webRoot
           );
           if (hashedPath) {
@@ -68993,19 +69029,22 @@ async function processHtmlAssets(html, pugFilePath, options2, webRoot) {
     } else if (isVerbatimReference(value)) {
       newValue = getVerbatimPath(value);
     } else if (isPugReference(value)) {
-      const absolutePath = path5.resolve(pugDir, value);
+      const absolutePath = resolveAssetPath(value, pugDir, srcWebRoot);
+      assertWithinAllowedRoots(absolutePath, allowedRoots, value, pugFilePath);
       if (!discoveredPugPaths.has(absolutePath)) {
         discoveredPugPaths.add(absolutePath);
         pugReferences.push({ originalHref: value, absolutePath });
       }
     } else if (isLessReference(value)) {
-      const absolutePath = path5.resolve(pugDir, value);
+      const absolutePath = resolveAssetPath(value, pugDir, srcWebRoot);
+      assertWithinAllowedRoots(absolutePath, allowedRoots, value, pugFilePath);
       if (!discoveredLessPaths.has(absolutePath)) {
         discoveredLessPaths.add(absolutePath);
         lessReferences.push({ originalHref: value, absolutePath });
       }
     } else if (isScriptReference(value)) {
-      const absolutePath = path5.resolve(pugDir, value);
+      const absolutePath = resolveAssetPath(value, pugDir, srcWebRoot);
+      assertWithinAllowedRoots(absolutePath, allowedRoots, value, pugFilePath);
       if (!discoveredScriptPaths.has(absolutePath)) {
         discoveredScriptPaths.add(absolutePath);
         scriptReferences.push({ originalHref: value, absolutePath });
@@ -69137,6 +69176,8 @@ async function processHtmlAssets(html, pugFilePath, options2, webRoot) {
         publicPath,
         assets,
         processedAssets,
+        srcWebRoot,
+        allowedRoots,
         webRoot
       );
       if (hashedPath) {
@@ -69144,8 +69185,9 @@ async function processHtmlAssets(html, pugFilePath, options2, webRoot) {
       }
     }
     if (newValue !== value) {
-      const newFullMatch = fullMatch.replace(value, newValue);
-      modifiedHtml = modifiedHtml.replace(fullMatch, newFullMatch);
+      const escapedValue = value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const valueRegex = new RegExp(`(["'])${escapedValue}\\1`);
+      modifiedHtml = modifiedHtml.replace(valueRegex, `$1${newValue}$1`);
     }
   }
   return {
@@ -69157,8 +69199,14 @@ async function processHtmlAssets(html, pugFilePath, options2, webRoot) {
     packageCssReferences
   };
 }
-async function processAsset(assetPath, pugDir, pugFilePath, outdir, outbase, assetNames, publicPath, assets, processedAssets, webRoot) {
-  const absoluteSource = path5.resolve(pugDir, assetPath);
+async function processAsset(assetPath, pugDir, pugFilePath, outdir, outbase, assetNames, publicPath, assets, processedAssets, srcWebRoot, allowedRoots, webRoot) {
+  const absoluteSource = resolveAssetPath(assetPath, pugDir, srcWebRoot);
+  assertWithinAllowedRoots(
+    absoluteSource,
+    allowedRoots,
+    assetPath,
+    pugFilePath
+  );
   if (processedAssets.has(absoluteSource)) {
     return processedAssets.get(absoluteSource);
   }
@@ -69312,11 +69360,11 @@ function createRebaseAssetsPlugin(entryFilePath) {
         if (node.nodes) {
           pending.push(...node.nodes);
         }
-        const assetAttrs = ASSET_ATTRIBUTES[node.name];
-        if (!assetAttrs) continue;
+        const linkingAttrs = getLinkingAttrs(node.name);
+        if (!linkingAttrs) continue;
         if (!node.attrs) continue;
         for (const attr of node.attrs) {
-          if (!assetAttrs.includes(attr.name)) continue;
+          if (!linkingAttrs.includes(attr.name)) continue;
           const sourceFile = attr.filename || node.filename;
           if (!sourceFile) continue;
           const sourceDir = path5.dirname(sourceFile);
@@ -69353,6 +69401,36 @@ function createRebaseAssetsPlugin(entryFilePath) {
     }
   };
 }
+function createAssetCollectorPlugin(collectedReferences) {
+  return {
+    preCodeGen(ast) {
+      const pending = [...ast?.nodes || []];
+      while (pending.length > 0) {
+        const node = pending.shift();
+        if (!node) continue;
+        if (node.block?.nodes) {
+          pending.push(...node.block.nodes);
+        }
+        if (node.nodes) {
+          pending.push(...node.nodes);
+        }
+        const linkingAttrs = getLinkingAttrs(node.name);
+        if (!linkingAttrs) continue;
+        if (!node.attrs) continue;
+        for (const attr of node.attrs) {
+          if (!linkingAttrs.includes(attr.name)) continue;
+          const extracted = extractStaticString(attr.val);
+          if (!extracted) continue;
+          collectedReferences.push({
+            attr: attr.name,
+            value: extracted.value
+          });
+        }
+      }
+      return ast;
+    }
+  };
+}
 async function loadAsText2(_filepath) {
   return {
     loader: "text"
@@ -69394,12 +69472,14 @@ async function loadAsHtml(filepath, options2) {
 }
 async function loadAsEntrypoint(filepath, options2, webRoot) {
   const fileData = await fs6.promises.readFile(filepath, "utf8");
+  const collectedReferences = [];
   let contents = import_pug.default.render(fileData, {
     filename: filepath,
     basedir: options2.outbase,
     name: "render",
     plugins: [
       createRebaseAssetsPlugin(filepath),
+      createAssetCollectorPlugin(collectedReferences),
       pugTransformer(isScriptNodeWithSrcAttr, (nodes) => {
         nodes;
       })
@@ -69413,7 +69493,13 @@ async function loadAsEntrypoint(filepath, options2, webRoot) {
     lessReferences,
     scriptReferences,
     packageCssReferences
-  } = await processHtmlAssets(contents, filepath, options2, webRoot);
+  } = await processHtmlAssets(
+    contents,
+    filepath,
+    options2,
+    webRoot,
+    collectedReferences
+  );
   contents = processedHtml;
   if (pugReferences.length > 0) {
     discoveredPugReferences.set(filepath, pugReferences);