npm - @pyreon/runtime-server - Versions diffs - 0.24.4 → 0.24.6 - Mend

@pyreon/runtime-server 0.24.4 → 0.24.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/package.json +3 -5
package/src/index.ts +0 -885
package/src/manifest.ts +0 -126
package/src/tests/for-key-marker.test.ts +0 -86
package/src/tests/integration.test.ts +0 -310
package/src/tests/manifest-snapshot.test.ts +0 -39
package/src/tests/reactive-props.test.ts +0 -95
package/src/tests/ssr.test.ts +0 -1365
package/src/tests/suspense-stream-error.test.ts +0 -83
package/src/tests/unsafe-tag-warning.test.ts +0 -55
package/src/tests/xss-attribute-escape.test.ts +0 -40

package/src/tests/suspense-stream-error.test.ts DELETED Viewed

@@ -1,83 +0,0 @@
-import { h, Suspense } from '@pyreon/core'
-import type { ComponentFn } from '@pyreon/core'
-import { renderToStream } from '../index'
-async function collectStream(stream: ReadableStream<string>): Promise<string> {
-  const reader = stream.getReader()
-  let out = ''
-  while (true) {
-    const { value, done } = await reader.read()
-    if (done) break
-    out += value
-  }
-  return out
-}
-// PR #233 follow-up: when an async child inside a Suspense boundary
-// rejects mid-stream, what happens? The fallback should stay visible,
-// the swap must NOT be emitted, and the stream must close (not hang
-// waiting for a resolution that will never come).
-describe('renderToStream — Suspense boundary rejection', () => {
-  test('keeps fallback visible and closes stream when async child rejects', async () => {
-    async function Rejects(): Promise<ReturnType<typeof h>> {
-      await new Promise<void>((r) => setTimeout(r, 5))
-      throw new Error('deliberate test failure')
-    }
-    const vnode = h(Suspense, {
-      fallback: h('p', { id: 'fallback' }, 'loading...'),
-      children: h(Rejects as unknown as ComponentFn, null),
-    })
-    // If the stream hangs, this test will time out. Passing means it
-    // closed cleanly via controller.close().
-    const html = await collectStream(renderToStream(vnode))
-    // Fallback placeholder + content are present
-    expect(html).toContain('id="pyreon-s-0"')
-    expect(html).toContain('loading...')
-    // NO swap template or __NS invocation for this boundary — those only
-    // emit on successful resolution. The __NS helper FUNCTION is always
-    // inlined once per stream; distinguish definition vs call.
-    expect(html).not.toContain('id="pyreon-t-0"')
-    expect(html).not.toContain('__NS("pyreon-s-0"')
-  })
-  test('one rejecting boundary does not abort siblings — other content still streams', async () => {
-    async function Rejects(): Promise<ReturnType<typeof h>> {
-      await new Promise<void>((r) => setTimeout(r, 5))
-      throw new Error('sibling rejection')
-    }
-    async function Resolves(): Promise<ReturnType<typeof h>> {
-      await new Promise<void>((r) => setTimeout(r, 10))
-      return h('span', { id: 'ok' }, 'ok')
-    }
-    const vnode = h(
-      'div',
-      null,
-      h(Suspense, {
-        fallback: h('span', { id: 'fb-a' }, 'fb-a'),
-        children: h(Rejects as unknown as ComponentFn, null),
-      }),
-      h(Suspense, {
-        fallback: h('span', { id: 'fb-b' }, 'fb-b'),
-        children: h(Resolves as unknown as ComponentFn, null),
-      }),
-    )
-    const html = await collectStream(renderToStream(vnode))
-    // Both fallbacks shipped
-    expect(html).toContain('id="fb-a"')
-    expect(html).toContain('id="fb-b"')
-    // The resolving sibling's swap still went through. The rejecting
-    // sibling (boundary id 0) must NOT swap; the resolving one (id 1)
-    // must. Assert the specific invocations.
-    expect(html).toContain('id="ok"')
-    expect(html).not.toContain('__NS("pyreon-s-0"')
-    expect(html).toContain('__NS("pyreon-s-1"')
-  })
-})

package/src/tests/unsafe-tag-warning.test.ts DELETED Viewed

@@ -1,55 +0,0 @@
-import { h } from '@pyreon/core'
-import { renderToString } from '../index'
-// Security sweep follow-up to #233/#235. `vnode.type` is interpolated
-// into `<TAG>` and `</TAG>` unescaped (matching React/Vue/Solid — the
-// framework trusts callers not to feed user-controlled strings as tag
-// names). Defense-in-depth: dev-mode warning when the tag contains
-// characters that would break HTML structure, so the mistake surfaces
-// before it ships.
-describe('SSR — dev warning for unsafe tag names', () => {
-  let originalNodeEnv: string | undefined
-  let warnSpy: ReturnType<typeof vi.spyOn>
-  beforeEach(() => {
-    originalNodeEnv = process.env.NODE_ENV
-    // Ensure __DEV__ is true for the duration of these tests
-    process.env.NODE_ENV = 'development'
-    warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
-  })
-  afterEach(() => {
-    if (originalNodeEnv === undefined) delete process.env.NODE_ENV
-    else process.env.NODE_ENV = originalNodeEnv
-    warnSpy.mockRestore()
-  })
-  it('does not warn for a normal HTML tag', async () => {
-    await renderToString(h('div', null, 'ok'))
-    expect(warnSpy).not.toHaveBeenCalled()
-  })
-  it('does not warn for custom elements with hyphens', async () => {
-    await renderToString(h('my-element', null, 'ok'))
-    expect(warnSpy).not.toHaveBeenCalled()
-  })
-  it('warns when the tag contains > (HTML breakout attempt)', async () => {
-    await renderToString(h('div><script>alert(1)</script><div', null, 'x'))
-    expect(warnSpy).toHaveBeenCalled()
-    const msg = warnSpy.mock.calls[0]?.[0] as string
-    expect(msg).toContain('[Pyreon SSR]')
-    expect(msg).toContain('break HTML structure')
-  })
-  it('warns when the tag contains a space (attribute-smuggling attempt)', async () => {
-    await renderToString(h('div onerror=alert(1)', null, 'x'))
-    expect(warnSpy).toHaveBeenCalled()
-  })
-  it('warns when the tag starts with a non-letter', async () => {
-    await renderToString(h('123-bad', null, 'x'))
-    expect(warnSpy).toHaveBeenCalled()
-  })
-})

package/src/tests/xss-attribute-escape.test.ts DELETED Viewed

@@ -1,40 +0,0 @@
-import { h } from '@pyreon/core'
-import { renderToString } from '../index'
-// Lock-in regression suite for attribute-value escaping. Flagged as
-// PR #233 follow-up: would a user-supplied string with embedded
-// HTML-significant characters break out of an attribute value and
-// inject arbitrary markup? Verified: escapeHtml covers all five
-// critical characters (& < > " '); this suite locks the invariant.
-describe('renderToString — attribute value escaping', () => {
-  it('escapes double quotes in attribute values (breakout prevention)', async () => {
-    const html = await renderToString(h('div', { 'data-x': 'he said "hi"' }))
-    expect(html).toContain('data-x="he said &quot;hi&quot;"')
-  })
-  it('escapes single quotes in attribute values', async () => {
-    const html = await renderToString(h('div', { 'data-x': "it's fine" }))
-    expect(html).toContain('data-x="it&#39;s fine"')
-  })
-  it('escapes ampersands (prevent entity confusion)', async () => {
-    const html = await renderToString(h('a', { href: 'https://x.test?a=1&b=2' }))
-    expect(html).toContain('href="https://x.test?a=1&amp;b=2"')
-  })
-  it('escapes < and > (prevent tag injection via attribute)', async () => {
-    const html = await renderToString(h('div', { 'data-x': '<script>bad</script>' }))
-    expect(html).toContain('data-x="&lt;script&gt;bad&lt;/script&gt;"')
-  })
-  it('escapes all five critical characters in a single value', async () => {
-    const html = await renderToString(h('div', { title: `&<>"'` }))
-    expect(html).toContain('title="&amp;&lt;&gt;&quot;&#39;"')
-  })
-  it('escapes text children containing HTML-significant chars', async () => {
-    const html = await renderToString(h('p', null, 'a & b < c > "d"'))
-    expect(html).toContain('a &amp; b &lt; c &gt; &quot;d&quot;')
-  })
-})