@rhinostone/swig 2.4.3 → 2.5.1

package/HISTORY.md

@@ -1,3 +1,25 @@
+[2.5.1](https://github.com/gina-io/swig/tree/v2.5.1) / 2026-05-28
+-----------------------------------------------------------------
+
+* **Fixed** Restored the JSDoc blocks on the top-level Swig public API methods (setFilter, setTag, setExtension, precompile, compile, compileFile, render, renderFile, run, invalidateCache) that were inadvertently stripped from lib/swig.js when the Swig constructor body was carved into @rhinostone/swig-core/lib/engine.js. The documentation comments now sit above the corresponding exports.* re-exports where make build-docs and IDE hover tooling read them. No runtime behavior change — the published lib/ code is byte-identical and only the JSDoc surface is updated.
+
+* **Changed** Rephrased two stale internal-process tracker references in lib/tags/set.js source comments that survived the prior single-line audit sweep because the markers spanned a line wrap. The explanatory content is preserved verbatim; only the dead tracker tokens are dropped, per the in-repo no-internal-markers-in-shipping-source convention. No behavior change.
+
+* **Changed** Migrated the test toolchain from mocha 1.12.0 to the Node.js built-in test runner (node:test) with built-in line coverage, removing the mocha, blanket, and travis-cov dev dependencies. This clears all 6 npm audit advisories (4 high, 2 critical) that were rooted in mocha's transitive dependency tree; the full suite passes unchanged and the 95% coverage gate over lib/ is preserved. The published package is unaffected — its only runtime dependency remains @rhinostone/swig-core.
+
+* **Changed** Removed the unmaintained phantomjs and mocha-phantomjs browser-test toolchain, dropping the vulnerable form-data (CVE-2025-7783) and the rest of the legacy request dependency subtree from the dev dependency tree. Browser parity is verified through the production bundle build, pending a modern browser-test harness.
+
+* **Changed** Upgraded the ESLint dev dependency from 8.57.1 to 9.x and migrated the lint configuration from the deprecated .eslintrc.json (eslintrc format) to the flat-config eslint.config.js, adding the globals dev dependency. The lenient rule set is preserved exactly (no indent enforcement, eqeqeq/no-eval/no-new-func off, semi always, max-len 600, plus an explicit linterOptions.reportUnusedDisableDirectives off to match the eslintrc default). ESLint 9 raises the lint toolchain Node floor to >=18.18, which affects development and CI only; the published package is unaffected and its only runtime dependency remains @rhinostone/swig-core.
+
+* **Changed** Upgraded the example/development express dependency from the abandoned 3.x line to 4.x, dropping the vulnerable transitive morgan (CVE-2019-5413) and the legacy connect subtree from the dev dependency tree. The Express view-engine example runs unchanged. The published package is unaffected; its only runtime dependency remains @rhinostone/swig-core.
+
+* **Changed** Upgraded the development lodash dependency from 1.3.x to 4.x, dropping the prototype-pollution and command-injection advisories (affecting lodash through 4.17.23) from the dev dependency tree. lodash is a test-only utility and the full suite passes unchanged on 4.x. The published package is unaffected; its only runtime dependency remains @rhinostone/swig-core.
+
+[2.5.0](https://github.com/gina-io/swig/tree/v2.5.0) / 2026-05-27
+-----------------------------------------------------------------
+
+* **Added** @rhinostone/swig-jinja2 — a Python Jinja2-syntax frontend on the shared swig-core engine (13 tags, 39 filters, 16 is-tests, async loader support, autoescape and CVE-2023-25345 guards inherited from swig-core). Releases in lockstep with @rhinostone/swig, @rhinostone/swig-core, and @rhinostone/swig-twig.
+
 [2.4.3](https://github.com/gina-io/swig/tree/v2.4.3) / 2026-05-22
 -----------------------------------------------------------------
 
@@ -57,7 +79,7 @@
 [2.0.0](https://github.com/gina-io/swig/tree/v2.0.0) / 2026-05-06
 -----------------------------------------------------------------
 
-* **Fixed** Refreshed stale external URL references across documentation surfaces from the 2026-04-13 link-health audit (gina-io/gina#18). `README.md`, `packages/swig-core/README.md`, `packages/swig-twig/README.md` — swapped `www.npmjs.org` for the canonical `www.npmjs.com` in the NPM badges (the old `.org` form now redirects). `README.md` — rewrote the "Swig v0.x → v1.x migration notes" bullet, since the `paularmstrong/swig/wiki/Migrating-from-...` page was deleted upstream (302s to repo root). `HISTORY.md` — dropped the three dead upstream-wiki links around the v1.0.0 / v1.0.0-pre1 entries; the breaking-change prose stays intact. `browser/comments.js` — updated the DateZ `@license` URL from `TomoUniversalis/DateZ` to `ocrybit/DateZ` (the upstream GitHub user was renamed). `packages/swig-core/lib/dateformatter.js` — dropped the dead `http://tomouniversalis.com` parenthetical from the DateZ copyright comment (domain NXDOMAINs). `.changes/v1.0.0.md` and `.changes/v1.0.0-pre1.md` synced to match the rewritten `HISTORY.md` lines so future `changie merge` runs stay idempotent. Documentation and comment-only; no runtime or API change.
+* **Fixed** Refreshed stale external URL references across documentation surfaces from the 2026-04-13 link-health audit (gina-io/gina#18). `README.md`, `packages/swig-core/README.md`, `packages/swig-twig/README.md` — swapped `www.npmjs.org` for the canonical `www.npmjs.com` in the NPM badges (the old `.org` form now redirects). `README.md` — rewrote the "Swig v0.x → v1.x migration notes" bullet, since the `paularmstrong/swig/wiki/Migrating-from-...` page was deleted upstream (302s to repo root). `HISTORY.md` — dropped the three dead upstream-wiki links around the v1.0.0 / v1.0.0-pre1 entries; the breaking-change prose stays intact. `browser/comments.js` — updated the DateZ `@license` URL from `TomoUniversalis/DateZ` to `ocrybit/DateZ` (the upstream GitHub user was renamed). `packages/swig-core/lib/dateformatter.js` — dropped the dead `tomouniversalis.com` parenthetical from the DateZ copyright comment (domain NXDOMAINs). `.changes/v1.0.0.md` and `.changes/v1.0.0-pre1.md` synced to match the rewritten `HISTORY.md` lines so future `changie merge` runs stay idempotent. Documentation and comment-only; no runtime or API change.
 
 * **Changed** `2.0.0` stable. Multi-flavor architecture (introduced across `2.0.0-alpha.1` through `2.0.0-alpha.5`) is the production-ready cut. No functional or API changes since `2.0.0-alpha.5`; the `alpha.6`–`alpha.8` cycle was metadata republishes plus removal of the soft-deprecated `exports.parse` Path B wrapper from `@rhinostone/swig-twig`. IR ABI is stable from this release onward; cross-package dependencies pin exact versions and frontends + core release in lockstep. README messaging refreshed across all three packages to reflect production-ready status; package descriptions cleaned of historical internal-tracking references.
 

package/README.md

@@ -3,7 +3,7 @@ Swig
 
 [![CI](https://github.com/gina-io/swig/actions/workflows/ci.yml/badge.svg?branch=develop)](https://github.com/gina-io/swig/actions/workflows/ci.yml) [![NPM version](http://img.shields.io/npm/v/@rhinostone/swig.svg?style=flat)](https://www.npmjs.com/package/@rhinostone/swig) [![NPM Downloads](http://img.shields.io/npm/dm/@rhinostone/swig.svg?style=flat)](https://www.npmjs.com/package/@rhinostone/swig) [![Socket Badge](https://socket.dev/api/badge/npm/package/@rhinostone/swig)](https://socket.dev/npm/package/@rhinostone/swig)
 
-> **Multi-flavor template engine** for Node.js and browsers — native Swig syntax (Jinja2/Django-inspired) and Twig syntax via dedicated frontends sharing one IR backend. [gina-io/swig](https://github.com/gina-io/swig) started as a maintained continuation of the abandoned [paularmstrong/swig](https://github.com/paularmstrong/swig) (last released 2014) and is now a standalone project. Security and bug fixes ship here.
+> **Multi-flavor template engine** for Node.js and browsers — native Swig syntax (Jinja2/Django-inspired), Twig syntax, and Python Jinja2 syntax via dedicated frontends sharing one IR backend. [gina-io/swig](https://github.com/gina-io/swig) started as a maintained continuation of the abandoned [paularmstrong/swig](https://github.com/paularmstrong/swig) (last released 2014) and is now a standalone project. Security and bug fixes ship here.
 
 > **Part of the [Gina](https://github.com/gina-io/gina) ecosystem.** This is the built-in template engine for [Gina](https://gina.io) ([npm](https://www.npmjs.com/package/gina)), a Node.js MVC framework with HTTP/2, multi-bundle architecture, and scope-based data isolation.
 
@@ -11,6 +11,8 @@ Swig is a **Jinja2/Django-inspired** template engine for node.js and browsers. T
 
 > **Coming from Twig?** Install [@rhinostone/swig-twig](https://www.npmjs.com/package/@rhinostone/swig-twig) instead — a dedicated Twig-syntax frontend with closer parity than working around incompatibilities here.
 
+> **Coming from Python Jinja2?** Install [@rhinostone/swig-jinja2](https://www.npmjs.com/package/@rhinostone/swig-jinja2) — a dedicated Jinja2-syntax frontend (near-subset) with closer parity than porting to native Swig syntax here.
+
 Workspace packages
 ------------------
 
@@ -18,9 +20,10 @@ Workspace packages
 | --- | --- | --- |
 | [`@rhinostone/swig`](https://www.npmjs.com/package/@rhinostone/swig) | Native Swig syntax (Jinja2/Django-inspired). Drop-in for `@rhinostone/swig@1.x` consumers. | Upgrading from `@rhinostone/swig@1.x`, or starting fresh with Swig syntax. |
 | [`@rhinostone/swig-twig`](https://www.npmjs.com/package/@rhinostone/swig-twig) | Twig-syntax frontend with closer Twig parity. | Migrating from PHP Twig, or writing new templates in Twig syntax. |
+| [`@rhinostone/swig-jinja2`](https://www.npmjs.com/package/@rhinostone/swig-jinja2) | Python Jinja2-syntax frontend (near-subset). | Migrating from Python Jinja2, or writing new templates in Jinja2 syntax. |
 | [`@rhinostone/swig-core`](https://www.npmjs.com/package/@rhinostone/swig-core) | Shared IR, backend, and runtime primitives. | Building a custom flavor frontend. Otherwise pulled in transitively. |
 
-Each frontend pins the matching `@rhinostone/swig-core` version exactly during the alpha cycle — the IR is not stable across alpha minors. From `2.0.0` stable onward, frontends and the core release in lockstep.
+Each frontend pins the matching `@rhinostone/swig-core` version exactly (no caret, no tilde) — frontends and the core release in lockstep on every cut.
 
 Features
 --------
@@ -29,7 +32,7 @@ Features
 * [Express](http://expressjs.com/) compatible.
 * Object-Oriented template inheritance.
 * Apply filters and transformations to output in your templates.
-* **Hardened against prototype-pollution** — `__proto__` / `constructor` / `prototype` blocked at parser, tag-side, and IR-emission layers. CVE-2023-25345 fully patched. 9 regression cases under [`tests/regressions.test.js`](./tests/regressions.test.js).
+* **Hardened against prototype-pollution** — `__proto__` / `constructor` / `prototype` blocked at parser, tag-side, and IR-emission layers. CVE-2023-25345 fully patched. 11 CVE regression cases under [`tests/regressions.test.js`](./tests/regressions.test.js).
 * Automatically escapes all variable output (HTML by default; configurable per-call).
 * Lots of iteration and conditionals supported.
 * Robust without the bloat.
@@ -61,10 +64,14 @@ For Twig syntax:
 
     npm install @rhinostone/swig-twig
 
+For Python Jinja2 syntax:
+
+    npm install @rhinostone/swig-jinja2
+
 Documentation
 -------------
 
-User-facing documentation lives in the Gina Docusaurus site under the [Swig Template Engine](https://gina.io/docs/swig) section, maintained in [gina-io/docs](https://github.com/gina-io/docs) at `docs/swig/`. The JSDoc blocks in `lib/swig.js`, `lib/filters.js`, `lib/tags/`, and `lib/loaders/` remain the canonical source-of-truth for the public API and are mirrored into the Docusaurus pages.
+User-facing documentation lives in the Gina Docusaurus site under the [Swig Template Engine](https://gina.io/docs/swig) section, maintained in [gina-io/docs](https://github.com/gina-io/docs) at `docs/templating/swig/`. The JSDoc blocks in `lib/swig.js`, `lib/filters.js`, `lib/tags/`, and `lib/loaders/` remain the canonical source-of-truth for the public API and are mirrored into the Docusaurus pages.
 
 Basic Example
 -------------
@@ -109,7 +116,7 @@ Migrating from `@rhinostone/swig@1.x`
 
 `@rhinostone/swig@2.x` is **drop-in for `1.x` consumers** — `swig.compileFile`, `swig.renderFile`, `swig.setFilter`, `swig.setTag`, and the rest of the public API are unchanged. The internal carve into [@rhinostone/swig-core](https://www.npmjs.com/package/@rhinostone/swig-core) is transparent (test gate during the alpha cycle: byte-identical compiled output against the `1.x` test suite).
 
-`2.0.0` also ships [@rhinostone/swig-twig](https://www.npmjs.com/package/@rhinostone/swig-twig), a sibling Twig-syntax frontend. Switching is opt-in — your existing `@rhinostone/swig` install keeps working.
+`2.0.0` also ships [@rhinostone/swig-twig](https://www.npmjs.com/package/@rhinostone/swig-twig), a sibling Twig-syntax frontend, and `2.5.0` adds [@rhinostone/swig-jinja2](https://www.npmjs.com/package/@rhinostone/swig-jinja2) for Python Jinja2 syntax. Switching is opt-in — your existing `@rhinostone/swig` install keeps working.
 
 Migrating from Jinja2 or Django
 -------------------------------
@@ -132,7 +139,7 @@ How it works
 
 Swig reads template files and translates them into cached JavaScript functions. The pipeline is: parse → emit IR → lower IR to JS source → `new Function(...)`. At render time, the compiled function runs against a context object to produce the output string.
 
-In `2.x`, frontend parsers (native Swig syntax in [@rhinostone/swig](https://www.npmjs.com/package/@rhinostone/swig), Twig syntax in [@rhinostone/swig-twig](https://www.npmjs.com/package/@rhinostone/swig-twig)) emit a shared intermediate representation. The backend in [@rhinostone/swig-core](https://www.npmjs.com/package/@rhinostone/swig-core) lowers IR to JS. New flavors plug in at the frontend without touching the runtime.
+In `2.x`, frontend parsers (native Swig syntax in [@rhinostone/swig](https://www.npmjs.com/package/@rhinostone/swig), Twig syntax in [@rhinostone/swig-twig](https://www.npmjs.com/package/@rhinostone/swig-twig), Python Jinja2 syntax in [@rhinostone/swig-jinja2](https://www.npmjs.com/package/@rhinostone/swig-jinja2)) emit a shared intermediate representation. The backend in [@rhinostone/swig-core](https://www.npmjs.com/package/@rhinostone/swig-core) lowers IR to JS. New flavors plug in at the frontend without touching the runtime.
 
 License
 -------

package/ROADMAP.md

@@ -15,13 +15,25 @@ _No near-term scheduled items. See [Future (post-2.0)](#future-post-20) for upco
 | Status | Item |
 | --- | --- |
 | Planned | Async parse path for dynamic targets — full support for `{% extends parent_var %}`, `{% include user_template %}`, and runtime-resolved `import` / `from` paths on the async-codegen branch. Static-target async dispatch shipped in 2.2.0; dynamic-target support is on hold pending consumer demand. |
-| Planned | Ship Jinja2 and Django frontends as additional `@rhinostone/swig-*` packages. On demand — when there's concrete user demand. |
-| Planned | Test framework migration. Replace mocha 1.x + expect.js with `node:test` + `node:assert/strict`, swap mocha-phantomjs for a modern browser-test harness, swap blanket for `c8`. (The Node engines bump is upstream-driven by gina and is being treated as done.) |
+| Planned | Ship a Django frontend as an additional `@rhinostone/swig-*` package. On demand — when there's concrete user demand. (The Jinja2 frontend shipped in `2.5.0`.) |
+| Planned | Test framework migration. Replace mocha 1.x + expect.js with `node:test` + `node:assert/strict`, add a modern browser-test harness (the legacy phantomjs runner has been removed), swap blanket for `c8`. (The Node engines bump is upstream-driven by gina and is being treated as done.) |
 
 ---
 
 ## Completed
 
+### v2.5.1 (May 2026)
+
+- Restored JSDoc on the top-level `@rhinostone/swig` public API methods (`setFilter`, `setTag`, `setExtension`, `precompile`, `compile`, `compileFile`, `render`, `renderFile`, `run`, `invalidateCache`). The blocks were inadvertently stripped from `lib/swig.js` when the Swig constructor body was carved into `@rhinostone/swig-core` during the `2.0.0-alpha.1` cycle; `make build-docs` and IDE hover tooling read from `lib/swig.js`, so the documented surface for all ten methods had been missing since the carve. Doc-only restoration; `renderFile`'s block also documents the `v2.2.0` async-codegen dispatch (set `loader.async === true` on the loader to opt in).
+- Cleaned two stale internal-process tracker references from `lib/tags/set.js` source comments; the explanatory content is preserved and only the dead reference tokens were dropped.
+- Dev-tooling modernization riding the same release: retired the unmaintained `phantomjs` browser-test toolchain (also dropped the vulnerable `form-data` from the dev tree); bumped the example/development `express` dependency from `~3` to `^4` (also dropped the vulnerable `morgan` and `minimist` from the dev tree); bumped the test-utility `lodash` dependency from `~1.3.1` to `^4` (cleared five `lodash` advisories from the dev tree); migrated the test toolchain from `mocha` 1.12.0 to the Node built-in `node:test` runner with built-in line coverage (cleared the six remaining dev-tree audit findings, taking `npm audit` to zero); migrated the ESLint dev dependency from 8.x to 9.x with the new flat-config (`.eslintrc.json` → `eslint.config.js`), clearing the six "deprecated by maintainer" Socket Low alerts on the repo scan. None of this affects the published runtime — only the dev/CI toolchain.
+- All four packages (`@rhinostone/swig`, `@rhinostone/swig-core`, `@rhinostone/swig-twig`, `@rhinostone/swig-jinja2`) released in lockstep at `2.5.1`. The runtime in `@rhinostone/swig-core` / `@rhinostone/swig-twig` / `@rhinostone/swig-jinja2` is functionally identical to `2.5.0`; only `@rhinostone/swig`'s `lib/swig.js` and `lib/tags/set.js` carry source-comment changes.
+
+### v2.5.0 (May 2026)
+
+- Added `@rhinostone/swig-jinja2`, a Python Jinja2-syntax frontend on the shared `@rhinostone/swig-core` engine — the third dialect in the multi-flavor family alongside native swig and `@rhinostone/swig-twig`. Ships 13 tags (`set`, `if` / `elif` / `else`, `for` with `else`, `block`, `extends`, `include`, `macro`, `import`, `from`, `raw`, `filter`, `with`, `autoescape`), 39 filters, and 16 `is` tests, plus the `**` / `//` / `~` operators, inline-if, Python slicing, and `{{- … -}}` whitespace control. Async loader support via `renderFileAsync` / `compileFileAsync`. Autoescape and the CVE-2023-25345 guards are inherited from `@rhinostone/swig-core`. Every filter and is-test was cross-checked against Python Jinja2 3.x; the behavioural differences (where the JavaScript runtime diverges from CPython) and the explicit non-goals (no sandboxed rendering, `{% call %}` / `{% do %}` / `{% trans %}`, the `map` / `select` filter family, macro kwargs) are documented in the Jinja2 templating guide.
+- All four packages (`@rhinostone/swig`, `@rhinostone/swig-core`, `@rhinostone/swig-twig`, `@rhinostone/swig-jinja2`) released in lockstep at `2.5.0`. `@rhinostone/swig-core` gained additive `slice` and `coerceOutput` runtime helpers consumed by the Jinja2 frontend; native swig and Twig are functionally unchanged.
+
 ### v2.4.3 (May 2026)
 
 - Fixed native `import` leaking an imported file's own import aliases into the importing template's scope. The `{% import %}` carry-through added in `2.4.1` emitted those nested imports bare into the caller's context, where the leaked alias could clobber a same-named caller variable, corrupt a macro when the caller later reassigned that name (macros read the live context at call time), or cascade across import depth. The nested imports are now re-homed under the importing alias and kept local to the file that declares them — matching `@rhinostone/swig-twig`'s scoping and the Jinja2/Twig import contract. Macros still resolve their own file's imports at call time.

package/dist/swig.js

@@ -1,4 +1,4 @@
-/*! Swig v2.4.3 | https://github.com/gina-io/swig | @license https://github.com/gina-io/swig/blob/master/LICENSE */
+/*! Swig v2.5.1 | https://github.com/gina-io/swig | @license https://github.com/gina-io/swig/blob/master/LICENSE */
 /*! DateZ (c) 2011 Tomo Universalis | @license https://github.com/ocrybit/DateZ/blob/master/LISENCE */
 (() => {
   var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -139,6 +139,68 @@
         }
         return out;
       };
+      exports.slice = function(obj, start, stop, step) {
+        var isString = typeof obj === "string", length, lower, upper, s, e, result = [], i;
+        function toInt(n) {
+          n = Number(n);
+          if (isNaN(n)) {
+            return NaN;
+          }
+          return n < 0 ? Math.ceil(n) : Math.floor(n);
+        }
+        function clamp(v, dflt) {
+          if (v === null || v === void 0) {
+            return dflt;
+          }
+          v = toInt(v);
+          if (isNaN(v)) {
+            return dflt;
+          }
+          if (v < 0) {
+            v += length;
+            if (v < lower) {
+              v = lower;
+            }
+          } else if (v > upper) {
+            v = upper;
+          }
+          return v;
+        }
+        if (obj === null || obj === void 0 || typeof obj.length !== "number") {
+          return isString ? "" : [];
+        }
+        length = obj.length;
+        if (step === null || step === void 0) {
+          step = 1;
+        } else {
+          step = toInt(step);
+          if (isNaN(step) || step === 0) {
+            step = 1;
+          }
+        }
+        if (step < 0) {
+          lower = -1;
+          upper = length - 1;
+        } else {
+          lower = 0;
+          upper = length;
+        }
+        s = clamp(start, step < 0 ? upper : lower);
+        e = clamp(stop, step < 0 ? lower : upper);
+        if (step > 0) {
+          for (i = s; i < e; i += step) {
+            result.push(obj[i]);
+          }
+        } else {
+          for (i = s; i > e; i += step) {
+            result.push(obj[i]);
+          }
+        }
+        return isString ? result.join("") : result;
+      };
+      exports.coerceOutput = function(v) {
+        return v === null || v === void 0 ? "" : v;
+      };
     }
   });
 
@@ -1366,7 +1428,22 @@
                 return;
               }
             });
-            out += "(function () {\n  var __l = " + forIterable + ', __len = (_utils.isArray(__l) || typeof __l === "string") ? __l.length : _utils.keys(__l).length;\n  if (!__l) { return; }\n    var ' + ctxloopcache + " = { loop: " + ctxloop + ", " + forVal + ": " + ctx + forVal + ", " + forKey + ": " + ctx + forKey + " };\n    " + ctxloop + " = { first: false, index: 1, index0: 0, revindex: __len, revindex0: __len - 1, length: __len, last: false };\n  _utils.each(__l, function (" + forVal + ", " + forKey + ") {\n    " + ctx + forVal + " = " + forVal + ";\n    " + ctx + forKey + " = " + forKey + ";\n    " + ctxloop + ".key = " + forKey + ";\n    " + ctxloop + ".first = (" + ctxloop + ".index0 === 0);\n    " + ctxloop + ".last = (" + ctxloop + ".revindex0 === 0);\n    " + forBodyJS + "    " + ctxloop + ".index += 1; " + ctxloop + ".index0 += 1; " + ctxloop + ".revindex -= 1; " + ctxloop + ".revindex0 -= 1;\n  });\n  " + ctxloop + " = " + ctxloopcache + ".loop;\n  " + ctx + forVal + " = " + ctxloopcache + "." + forVal + ";\n  " + ctx + forKey + " = " + ctxloopcache + "." + forKey + ";\n  " + ctxloopcache + " = undefined;\n})();\n";
+            var forEmptyCheck = "  if (!__l) { return; }\n";
+            if (node.emptyBody) {
+              var forEmptyJS = "";
+              utils.each(node.emptyBody, function(b) {
+                if (b.type === "LegacyJS") {
+                  forEmptyJS += b.js;
+                  return;
+                }
+                if (b.type === "Text" || b.type === "Raw") {
+                  forEmptyJS += '_output += "' + escapeTextValue(b.value) + '";\n';
+                  return;
+                }
+              });
+              forEmptyCheck = "  if (!__l || !__len) {\n" + forEmptyJS + "  return;\n  }\n";
+            }
+            out += "(function () {\n  var __l = " + forIterable + ', __len = (_utils.isArray(__l) || typeof __l === "string") ? __l.length : _utils.keys(__l).length;\n' + forEmptyCheck + "    var " + ctxloopcache + " = { loop: " + ctxloop + ", " + forVal + ": " + ctx + forVal + ", " + forKey + ": " + ctx + forKey + " };\n    " + ctxloop + " = { first: false, index: 1, index0: 0, revindex: __len, revindex0: __len - 1, length: __len, last: false };\n  _utils.each(__l, function (" + forVal + ", " + forKey + ") {\n    " + ctx + forVal + " = " + forVal + ";\n    " + ctx + forKey + " = " + forKey + ";\n    " + ctxloop + ".key = " + forKey + ";\n    " + ctxloop + ".first = (" + ctxloop + ".index0 === 0);\n    " + ctxloop + ".last = (" + ctxloop + ".revindex0 === 0);\n    " + forBodyJS + "    " + ctxloop + ".index += 1; " + ctxloop + ".index0 += 1; " + ctxloop + ".revindex -= 1; " + ctxloop + ".revindex0 -= 1;\n  });\n  " + ctxloop + " = " + ctxloopcache + ".loop;\n  " + ctx + forVal + " = " + ctxloopcache + "." + forVal + ";\n  " + ctx + forKey + " = " + ctxloopcache + "." + forKey + ";\n  " + ctxloopcache + " = undefined;\n})();\n";
             return;
           }
           if (node.type === "Macro") {
@@ -1381,11 +1458,14 @@
                 return;
               }
             });
-            var macroParams = node.params || [], macroSigJS, macroIndexOfJS;
+            var macroParams = node.params || [], macroSigJS, macroIndexOfJS, macroDefaultsJS = "";
             if (macroParams.length && typeof macroParams[0] === "object" && macroParams[0] !== null && typeof macroParams[0].name === "string") {
               var macroNames = [];
               utils.each(macroParams, function(p) {
                 macroNames.push(p.name);
+                if (p["default"]) {
+                  macroDefaultsJS += "  if (" + p.name + " === undefined) { " + p.name + " = " + exports.emitExpr(p["default"]) + "; }\n";
+                }
               });
               macroSigJS = macroNames.join(", ");
               var macroJsonNames = [];
@@ -1397,7 +1477,7 @@
               macroSigJS = macroParams.join("");
               macroIndexOfJS = '"' + macroParams.join('","') + '"';
             }
-            out += "_ctx." + node.name + " = function (" + macroSigJS + ') {\n  var _output = "",\n    __ctx = _utils.extend({}, _ctx);\n  _utils.each(_ctx, function (v, k) {\n    if ([' + macroIndexOfJS + "].indexOf(k) !== -1) { delete _ctx[k]; }\n  });\n" + macroBodyJS + "\n _ctx = _utils.extend(_ctx, __ctx);\n  return _output;\n};\n_ctx." + node.name + ".safe = true;\n";
+            out += "_ctx." + node.name + " = function (" + macroSigJS + ') {\n  var _output = "",\n    __ctx = _utils.extend({}, _ctx);\n' + macroDefaultsJS + "  _utils.each(_ctx, function (v, k) {\n    if ([" + macroIndexOfJS + "].indexOf(k) !== -1) { delete _ctx[k]; }\n  });\n" + macroBodyJS + "\n _ctx = _utils.extend(_ctx, __ctx);\n  return _output;\n};\n_ctx." + node.name + ".safe = true;\n";
             if (options && options.codegenMode === "async") {
               if (_security.dangerousProps.indexOf(node.name) !== -1) {
                 throw new Error('Macro name "' + node.name + '" is reserved.');
@@ -1625,7 +1705,11 @@
                 outExprJS = '_filters["' + fc.name + '"](' + outExprJS + fcArgsJS + ")";
               });
             }
-            out += "_output += " + outExprJS + ";\n";
+            if (node.coerce) {
+              out += "_output += _utils.coerceOutput(" + outExprJS + ");\n";
+            } else {
+              out += "_output += " + outExprJS + ";\n";
+            }
             return;
           }
           if (node.type === "Filter") {
@@ -2356,9 +2440,9 @@
          * `parseExpr` emits structured IR that {@link backend.emitExpr}
          * later lowers into an equivalent JS-source fragment. `.parse()` is
          * unchanged and remains the production path; `parseExpr` is the
-         * incoming target shape for Phase 2 (#T15), introduced additively in
-         * Session 14b so the IR grammar can be proven against real lexer
-         * output before consumers are flipped in Commits 3-8.
+         * incoming target shape for the IR migration, introduced additively
+         * so the IR grammar can be proven against real lexer output before
+         * consumers are flipped over to it.
          *
          * The CVE-2023-25345 prototype-chain guards (`_dangerousProps` on
          * VAR segments, DOTKEY matches, STRING-inside-BRACKETOPEN values,
@@ -4598,7 +4682,7 @@
       var loaders = require_loaders2();
       var preWalker = require_pre_walker();
       var engine = require_engine();
-      exports.version = "2.4.3";
+      exports.version = "2.5.1";
       var defaultOptions = {
         autoescape: true,
         varControls: ["{{", "}}"],