npm - @openparachute/hub - Versions diffs - 0.5.13-rc.35 → 0.5.13-rc.37 - Mend

@openparachute/hub 0.5.13-rc.35 → 0.5.13-rc.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/src/__tests__/hub.test.ts +19 -0
package/src/hub.ts +5 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.13-rc.35",
+  "version": "0.5.13-rc.37",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/hub.test.ts CHANGED Viewed

@@ -13,6 +13,25 @@ describe("renderHub", () => {
     expect(html).toContain("<script>");
   });
+  test("inline <script> body parses as valid JS (regression: hub#366)", () => {
+    // The script lives inside HTML_TEMPLATE — a backtick template literal.
+    // Backslash escapes inside the template silently mangle regex literals:
+    // `/\/+$/` written in the source becomes `//+$/` in the served HTML,
+    // which JS parses as the start of a line comment, killing the entire
+    // IIFE. Every section that renders inside that IIFE (Get started,
+    // Services, Admin) then never paints.
+    //
+    // Content assertions don't catch this — they pass on the broken
+    // string. A parse-check via `new Function(body)` does: it parses
+    // (no execution, no DOM needed) and throws SyntaxError on the bad
+    // regex. Wrap in a try/catch so future template-escaping regressions
+    // surface here with a clear message rather than as a runtime mystery.
+    const m = html.match(/<script>([\s\S]*?)<\/script>/);
+    const scriptBody = m?.[1];
+    expect(scriptBody).toBeDefined();
+    expect(() => new Function(scriptBody as string)).not.toThrow();
+  });
   test("fetches /.well-known/parachute.json for the Use section", () => {
     expect(html).toContain("/.well-known/parachute.json");
     expect(html).toContain("doc.services");

package/src/hub.ts CHANGED Viewed

@@ -496,7 +496,11 @@ const HTML_TEMPLATE = `<!doctype html>
       // firstVaultName() shape.
       let vaultName = 'default';
       if (typeof vault.path === 'string' && vault.path.startsWith('/vault/')) {
-        const tail = vault.path.slice('/vault/'.length).replace(/\/+$/, '');
+        // Character class for the slash so the template literal can't eat
+        // the backslash-escape — \/ collapses to / inside backticks, and
+        // /\/+$/ degenerates to a // line comment that breaks the whole
+        // IIFE. [/]+$ keeps the same semantics with no escape needed.
+        const tail = vault.path.slice('/vault/'.length).replace(/[/]+$/, '');
         if (tail.length > 0) vaultName = tail;
       }
       tiles.push({