@rhinostone/swig 2.5.3 → 2.7.0

package/HISTORY.md

@@ -1,3 +1,17 @@
+[2.7.0](https://github.com/gina-io/swig/tree/v2.7.0) / 2026-06-07
+-----------------------------------------------------------------
+
+* **Added** `@rhinostone/swig-django` is a new Django Template Language frontend for the `@rhinostone/swig-core` engine — the fourth flavor in the multi-flavor family alongside the native, Twig, and Jinja2 frontends. It renders real Django templates: the full built-in tag set (`for`/`empty` with `forloop`, `if`/`elif`/`else`, `block`/`extends`/`include`, `with`, `autoescape`, `spaceless`, `comment`, `verbatim`, `cycle`, `firstof`), ~42 built-in filters with colon-argument syntax such as `{{ value|date:"Y-m-d" }}`, a Django-faithful variable resolver (auto-calls callable attributes while honoring `alters_data`/`do_not_call_in_templates`, numeric indexing like `{{ list.0 }}`, and `.keys`/`.values`/`.items` dict iteration), and async loader support via `renderFile(path, locals, cb)`. Installs as `npm install @rhinostone/swig-django`.
+
+* **Fixed** De-linked the dead `paularmstrong/swig` issue and pull-request references in `HISTORY.md` and the matching `.changes/v*.md` fragments (2026-06-01 link-health scan, gina-io/gina#33). The upstream repository remains but its issue tracker is disabled, so the inline `[gh-N](...)` links are now plain `gh-N` text — every reference is preserved for historical traceability, and the fragments are edited in lockstep with `HISTORY.md` to keep `changie merge` idempotent. Documentation / changelog only; no runtime or API change.
+
+[2.6.0](https://github.com/gina-io/swig/tree/v2.6.0) / 2026-06-03
+-----------------------------------------------------------------
+
+* **Changed** The native `json` / `json_encode` filters now HTML-escape their output (`<`, `>`, `&`, `'`) and are marked safe, so `{{ data|json }}` renders valid JSON that is safe to embed directly inside a `<script>` block instead of `&quot;`-escaped text. `url_encode` is now marked safe as well — its output never contains HTML-significant characters. `url_decode` is unchanged — its output remains autoescaped, since decoded content can contain HTML.
+
+* **Changed** Replaced the `expect.js` test-assertion dev dependency with a small in-repo shim (`tests/lib/expect.js`) that reproduces the subset of its API the suite uses, with verified behavioral parity. Dev-only — the published packages are unaffected (their only runtime dependency remains `@rhinostone/swig-core`), and the full test suite plus the CVE-2023-25345 regressions pass unchanged. `npm audit` was already clean (`expect.js` is zero-dependency and advisory-free), so this is dependency-hygiene polish, not a security fix.
+
 [2.5.3](https://github.com/gina-io/swig/tree/v2.5.3) / 2026-06-02
 -----------------------------------------------------------------
 
@@ -320,29 +334,29 @@ Migrating from v0.x.x? The upstream wiki has since been deleted; see the individ
 [1.0.0-pre3](https://github.com/paularmstrong/swig/tree/v1.0.0-pre3) / 2013-08-20
 ---------------------------------------------------------------------------------
 
-* **Changed** Allow tags at block-level if specified. [gh-289](https://github.com/paularmstrong/swig/issues/289)
-* **Fixed** `swig.compileFile` runs callback template is found in cache. [gh-291](https://github.com/paularmstrong/swig/issues/291)
-* **Fixed** Accidental modification of Swig Options Object. [gh-287](https://github.com/paularmstrong/swig/issues/287)
-* **Fixed** Preserve forward-slashes in text chunks. [gh-285](https://github.com/paularmstrong/swig/issues/285)
+* **Changed** Allow tags at block-level if specified. gh-289
+* **Fixed** `swig.compileFile` runs callback template is found in cache. gh-291
+* **Fixed** Accidental modification of Swig Options Object. gh-287
+* **Fixed** Preserve forward-slashes in text chunks. gh-285
 
 [1.0.0-pre2](https://github.com/paularmstrong/swig/tree/v1.0.0-pre2) / 2013-08-18
 ---------------------------------------------------------------------------------
 
 * **Changed** Binary: Allow --method-name to be a shortcut for --wrap-start var setting.
 * **Changed** Make reverse filter an alias for `sort(true)`.
-* **Added** Allow asyncronous `compileFile` and `renderFile` operations. [gh-283](https://github.com/paularmstrong/swig/issues/283)
+* **Added** Allow asyncronous `compileFile` and `renderFile` operations. gh-283
 * **Added** Filter: `sort`.
-* **Added** Allow {% end[tag] tokens... %}. [gh-278](https://github.com/paularmstrong/swig/issues/278)
+* **Added** Allow {% end[tag] tokens... %}. gh-278
 * **Added** Built source map for minified browser source.
-* **Added** Contextual support for object method calls. [gh-275](https://github.com/paularmstrong/swig/issues/275)
-* **Added** `parser.on('start'|'end'...` options. [gh-274](https://github.com/paularmstrong/swig/issues/274)
-* **Added** Allow object prototypal inheritance. [gh-273](https://github.com/paularmstrong/swig/issues/273)
-* **Fixed** Prevent circular extends. [gh-282](https://github.com/paularmstrong/swig/issues/282)
-* **Fixed** Throw an error if reserved word is used as var. [gh-276](https://github.com/paularmstrong/swig/issues/276)
-* **Fixed** Add filename to errors if possible. [gh-280](https://github.com/paularmstrong/swig/issues/280)
-* **Fixed** Filters work over arrays/objects if possible. [gh-259](https://github.com/paularmstrong/swig/issues/259)
-* **Fixed** Allow {% parent %} to work in middle parent templates. [gh-277](https://github.com/paularmstrong/swig/issues/277)
-* **Fixed** Allow newlines in tags/vars/comments. [gh-272](https://github.com/paularmstrong/swig/issues/272)
+* **Added** Contextual support for object method calls. gh-275
+* **Added** `parser.on('start'|'end'...` options. gh-274
+* **Added** Allow object prototypal inheritance. gh-273
+* **Fixed** Prevent circular extends. gh-282
+* **Fixed** Throw an error if reserved word is used as var. gh-276
+* **Fixed** Add filename to errors if possible. gh-280
+* **Fixed** Filters work over arrays/objects if possible. gh-259
+* **Fixed** Allow {% parent %} to work in middle parent templates. gh-277
+* **Fixed** Allow newlines in tags/vars/comments. gh-272
 
 [1.0.0-pre1](https://github.com/paularmstrong/swig/tree/v1.0.0-pre1) / 2013-08-14
 ---------------------------------------------------------------------------------
@@ -363,57 +377,57 @@ Migrating from v0.x.x? The upstream wiki has since been deleted; see the individ
 * **Changed** allow `_`, `$` to start var names in templates.
 * **Changed** Documentation is auto-generated from jsdoc comments in-files.
 * **Added** Ability to set custom var/tag/comment controls (`{{`, `}}`, etc, can be customized).
-* **Added** Variable/string concatenation [gh-135](https://github.com/paularmstrong/swig/issues/135).
+* **Added** Variable/string concatenation gh-135.
 * **Added** Binary application for `compile`, `run`, and `render` (Lets you pre-compile templates into JS functions for client-side delivery).
 * **Fixed** Lots.
 
 [0.14.0](https://github.com/paularmstrong/swig/tree/v0.14.0) / 2013-06-08
 -------------------------------------------------------------------------
 
-* **Added** Allow executing functions from within templates [gh-182](https://github.com/paularmstrong/swig/pull/182)
-* **Added** New `spaceless` tag [gh-193](https://github.com/paularmstrong/swig/pull/193)
-* **Fixed** bug when attempting to loop over nested vars with `for`. [gh-232](https://github.com/paularmstrong/swig/pull/232)
+* **Added** Allow executing functions from within templates gh-182
+* **Added** New `spaceless` tag gh-193
+* **Fixed** bug when attempting to loop over nested vars with `for`. gh-232
 
 [0.13.5](https://github.com/paularmstrong/swig/tree/v0.13.5) / 2013-01-29
 -------------------------------------------------------------------------
 
-* **Fixed** date filter output for 'O' when time-zone offset is negative [gh-185](https://github.com/paularmstrong/swig/pull/185)
+* **Fixed** date filter output for 'O' when time-zone offset is negative gh-185
 
 [0.13.4](https://github.com/paularmstrong/swig/tree/v0.13.4) / 2012-12-19
 -------------------------------------------------------------------------
 
-* **Fixed** Runaway loop on missing template [gh-162](https://github.com/paularmstrong/swig/pull/162) [gh-165](https://github.com/paularmstrong/swig/pull/165)
-* **Fixed** Allow variables in if tag conditionals to have filters with arguments [gh-167](https://github.com/paularmstrong/swig/pull/167)
+* **Fixed** Runaway loop on missing template gh-162 gh-165
+* **Fixed** Allow variables in if tag conditionals to have filters with arguments gh-167
 
 [0.13.3](https://github.com/paularmstrong/swig/tree/v0.13.3) / 2012-12-07
 -------------------------------------------------------------------------
 
-* **Added** Support % (modulus) in if tags [gh-155](https://github.com/paularmstrong/swig/pull/155)
-* **Added** Support multi-root via array [gh-143](https://github.com/paularmstrong/swig/pull/143)
+* **Added** Support % (modulus) in if tags gh-155
+* **Added** Support multi-root via array gh-143
 
 [0.13.2](https://github.com/paularmstrong/swig/tree/v0.13.2) / 2012-10-28
 -------------------------------------------------------------------------
 
-* **Changed** Allow variables, filters, arguments to span lines [gh-122](https://github.com/paularmstrong/swig/issues/122)
-* **Changed** Throw Errors when using undefined filters [gh-115](https://github.com/paularmstrong/swig/issues/115)
-* **Fixed** compiling files from absolute paths [gh-103](https://github.com/paularmstrong/swig/issues/103)
-* **Fixed** Prevent global variables from being used before context variables [gh-117](https://github.com/paularmstrong/swig/issues/117)
+* **Changed** Allow variables, filters, arguments to span lines gh-122
+* **Changed** Throw Errors when using undefined filters gh-115
+* **Fixed** compiling files from absolute paths gh-103
+* **Fixed** Prevent global variables from being used before context variables gh-117
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.13.2/docs)
 
 [0.13.1](https://github.com/paularmstrong/swig/tree/v0.13.1) / 2012-10-28
 -------------------------------------------------------------------------
 
-* **Fixed** Macros should be preserved when using inheritence [gh-132](https://github.com/paularmstrong/swig/issues/132) ([nsaun](https://github.com/nsaun))
-* **Fixed** bug in parent tag logic [gh-130](https://github.com/paularmstrong/swig/issues/130)
-* **Fixed** Error messaging when parent block failed compilation [gh-129](https://github.com/paularmstrong/swig/issues/129) ([nsaun](https://github.com/nsaun))
+* **Fixed** Macros should be preserved when using inheritence gh-132 ([nsaun](https://github.com/nsaun))
+* **Fixed** bug in parent tag logic gh-130
+* **Fixed** Error messaging when parent block failed compilation gh-129 ([nsaun](https://github.com/nsaun))
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.13.1/docs)
 
 [0.13.0](https://github.com/paularmstrong/swig/tree/v0.13.0) / 2012-10-20
 -------------------------------------------------------------------------
 
-* **Added** Support for nested blocks! [gh-64](https://github.com/paularmstrong/swig/issues/64) [gh-129](https://github.com/paularmstrong/swig/issues/129) ([nsaun](https://github.com/nsaun))
+* **Added** Support for nested blocks! gh-64 gh-129 ([nsaun](https://github.com/nsaun))
 * **Changed** Removed the `parentBlock` argument from tags.
 * **Fixed** Object keys may now contain dots
 
@@ -442,28 +456,28 @@ Migrating from v0.x.x? The upstream wiki has since been deleted; see the individ
 [0.11.2](https://github.com/paularmstrong/swig/tree/v0.11.2) / 2012-04-10
 -------------------------------------------------------------------------
 
-* **Fixed** Update support for underscore@1.3.3 [gh-70](https://github.com/paularmstrong/swig/issues/70) [gh-71](https://github.com/paularmstrong/swig/issues/71)
+* **Fixed** Update support for underscore@1.3.3 gh-70 gh-71
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.11.2/docs)
 
 [0.11.1](https://github.com/paularmstrong/swig/tree/v0.11.1) / 2012-04-01
 -------------------------------------------------------------------------
 
-* **Fixed** Duplicate (string) tokens were being removed when extending a base template. [gh-67](https://github.com/paularmstrong/swig/issues/67)
+* **Fixed** Duplicate (string) tokens were being removed when extending a base template. gh-67
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.11.1/docs)
 
 [0.11.0](https://github.com/paularmstrong/swig/tree/v0.11.0) / 2012-02-27
 -------------------------------------------------------------------------
 
-* **Added** Support for Windows style paths [gh-57](https://github.com/paularmstrong/swig/issues/57)
+* **Added** Support for Windows style paths gh-57
 * **Added** `ignore missing` tokens to include tag
 * **Changed** include tag `with context` to only work if `context` is an object
 * **Changed** `autoescape` tag controls no longer 'yes' or 'no'. Use `true` and `false`
 * **Changed** parser is now passed into tags as an argument
 * **Changed** don't require passing context object when rendering template
-* **Fixed** dateformats `N` and `w` [gh-59](https://github.com/paularmstrong/swig/issues/59)
-* **Fixed** number changing to string after add filter or set from variable [gh-53](https://github.com/paularmstrong/swig/issues/53) [gh-58](https://github.com/paularmstrong/swig/issues/58)
+* **Fixed** dateformats `N` and `w` gh-59
+* **Fixed** number changing to string after add filter or set from variable gh-53 gh-58
 * **Fixed** speed decrease caused by loop.cycle fixed
 * **Fixed** Ensure set tag bubbles through extends and blocks
 
@@ -472,22 +486,22 @@ Migrating from v0.x.x? The upstream wiki has since been deleted; see the individ
 [0.10.0](https://github.com/paularmstrong/swig/tree/v0.10.0) / 2012-02-13
 -------------------------------------------------------------------------
 
-* **Added** loop.index0, loop.revindex, loop.revindex0, and loop.cycle [gh-48](https://github.com/paularmstrong/swig/issues/48)
-* **Added** init config `extensions` for 3rd party extension access in custom tags [gh-44](https://github.com/paularmstrong/swig/issues/44)
-* **Added** Whitespace Control [gh-46](https://github.com/paularmstrong/swig/issues/46)
-* **Changed** The `empty` tag in `for` loops is now `else` [gh-49](https://github.com/paularmstrong/swig/issues/49)
-* **Changed** `forloop` vars to `loop` closes [gh-47](https://github.com/paularmstrong/swig/issues/47)
-* **Fixed** `include` tag's `with` and `only` args documentation [gh-50](https://github.com/paularmstrong/swig/issues/50)
+* **Added** loop.index0, loop.revindex, loop.revindex0, and loop.cycle gh-48
+* **Added** init config `extensions` for 3rd party extension access in custom tags gh-44
+* **Added** Whitespace Control gh-46
+* **Changed** The `empty` tag in `for` loops is now `else` gh-49
+* **Changed** `forloop` vars to `loop` closes gh-47
+* **Fixed** `include` tag's `with` and `only` args documentation gh-50
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.10.0/docs)
 
 [0.9.4](https://github.com/paularmstrong/swig/tree/v0.9.4) / 2012-02-07
 -----------------------------------------------------------------------
 
-* **Fixed** `parent` tag would not render when called within tags [gh-41](https://github.com/paularmstrong/swig/issues/41)
-* **Fixed** Documentation for forloop.index & forloop.key [gh-42](https://github.com/paularmstrong/swig/issues/42)
-* **Fixed** Errors when using `include` inside base template `block` tags [gh-43](https://github.com/paularmstrong/swig/issues/43)
-* **Fixed** Allow `set` tag to set values to numbers [gh-45](https://github.com/paularmstrong/swig/issues/45)
+* **Fixed** `parent` tag would not render when called within tags gh-41
+* **Fixed** Documentation for forloop.index & forloop.key gh-42
+* **Fixed** Errors when using `include` inside base template `block` tags gh-43
+* **Fixed** Allow `set` tag to set values to numbers gh-45
 * **Fixed** `set` tag for booleans using too many checks
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.9.4/docs)
@@ -495,21 +509,21 @@ Migrating from v0.x.x? The upstream wiki has since been deleted; see the individ
 [0.9.3](https://github.com/paularmstrong/swig/tree/v0.9.3) / 2012-01-28
 -----------------------------------------------------------------------
 
-* **Fixed** Allow object and array values to be accessed via context variables [gh-40](https://github.com/paularmstrong/swig/issues/40)
+* **Fixed** Allow object and array values to be accessed via context variables gh-40
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.9.3/docs)
 
 [0.9.2](https://github.com/paularmstrong/swig/tree/v0.9.2) / 2012-01-23
 -----------------------------------------------------------------------
 
-* **Fixed** Correctly reset autoescape after closing an autoescape tag. [gh-39](https://github.com/paularmstrong/swig/issues/39)
+* **Fixed** Correctly reset autoescape after closing an autoescape tag. gh-39
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.9.2/docs)
 
 [0.9.1](https://github.com/paularmstrong/swig/tree/v0.9.1) / 2012-01-18
 -----------------------------------------------------------------------
 
-* **Fixed** Allow multi-line tags and comments. [gh-30](https://github.com/paularmstrong/swig/issues/30)
+* **Fixed** Allow multi-line tags and comments. gh-30
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.9.1/docs)
 
@@ -517,7 +531,7 @@ Migrating from v0.x.x? The upstream wiki has since been deleted; see the individ
 -----------------------------------------------------------------------
 
 * **Added** DateZ license to browser header, use link to underscore license.
-* **Added** Timezone support in `date` filter [gh-27](https://github.com/paularmstrong/swig/issues/27).
+* **Added** Timezone support in `date` filter gh-27.
 * **Added** New `raw` tag.
 * **Changed** Swig is no longer node 0.4 compatible.
 * **Fixed** Filter `date('f')` for 10am times.
@@ -539,18 +553,18 @@ Migrating from v0.x.x? The upstream wiki has since been deleted; see the individ
 * **Changed** `swig.init()` will clear template cache.
 * **Changed** `swig.init()` is now optional for browser mode with no custom settings.
 * **Changed** Development dependencies are be more lenient.
-* **Fixed** Parser will properly preserver '\' escaping. [gh-24](https://github.com/paularmstrong/swig/issues/24)
+* **Fixed** Parser will properly preserver '\' escaping. gh-24
 * **Fixed** Rewrote tag argument parsing for proper space handling.
-* **Fixed** Rewrote filter argument parsing. [gh-23](https://github.com/paularmstrong/swig/issues/23)
-* **Fixed** Allow pipe `|` characters in filter arguments. [gh-22](https://github.com/paularmstrong/swig/issues/22)
+* **Fixed** Rewrote filter argument parsing. gh-23
+* **Fixed** Allow pipe `|` characters in filter arguments. gh-22
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.8.0/docs)
 
 [0.7.0](https://github.com/paularmstrong/swig/tree/v0.7.0) / 2011-10-05
 -----------------------------------------------------------------------
 
-* **Added** `make browser` will build Swig for use in major browsers. [gh-3](https://github.com/paularmstrong/swig/issues/3)
-* **Changed** Allow overriding `escape` filters. [gh-19](https://github.com/paularmstrong/swig/issues/19)
+* **Added** `make browser` will build Swig for use in major browsers. gh-3
+* **Changed** Allow overriding `escape` filters. gh-19
 
 [Documentation](https://github.com/paularmstrong/swig/tree/v0.7.0/docs)
 

package/README.md

@@ -1,9 +1,9 @@
 Swig
 ====
 
-[![CI](https://github.com/gina-io/swig/actions/workflows/ci.yml/badge.svg?branch=develop)](https://github.com/gina-io/swig/actions/workflows/ci.yml) [![NPM version](http://img.shields.io/npm/v/@rhinostone/swig.svg?style=flat)](https://www.npmjs.com/package/@rhinostone/swig) [![NPM Downloads](http://img.shields.io/npm/dm/@rhinostone/swig.svg?style=flat)](https://www.npmjs.com/package/@rhinostone/swig) [![Socket Badge](https://socket.dev/api/badge/npm/package/@rhinostone/swig)](https://socket.dev/npm/package/@rhinostone/swig)
+[![CI](https://github.com/gina-io/swig/actions/workflows/ci.yml/badge.svg?branch=develop)](https://github.com/gina-io/swig/actions/workflows/ci.yml) [![NPM version](https://img.shields.io/npm/v/@rhinostone/swig.svg?style=flat)](https://www.npmjs.com/package/@rhinostone/swig) [![NPM Downloads](https://img.shields.io/npm/dm/@rhinostone/swig.svg?style=flat)](https://www.npmjs.com/package/@rhinostone/swig) [![Socket Badge](https://socket.dev/api/badge/npm/package/@rhinostone/swig)](https://socket.dev/npm/package/@rhinostone/swig)
 
-> **Multi-flavor template engine** for Node.js and browsers — native Swig syntax (Jinja2/Django-inspired), Twig syntax, and Python Jinja2 syntax via dedicated frontends sharing one IR backend. [gina-io/swig](https://github.com/gina-io/swig) started as a maintained continuation of the abandoned [paularmstrong/swig](https://github.com/paularmstrong/swig) (last released 2014) and is now a standalone project. Security and bug fixes ship here.
+> **Multi-flavor template engine** for Node.js and browsers — native Swig syntax (Jinja2/Django-inspired), Twig syntax, Python Jinja2 syntax, and Django Template Language syntax via dedicated frontends sharing one IR backend. [gina-io/swig](https://github.com/gina-io/swig) started as a maintained continuation of the abandoned [paularmstrong/swig](https://github.com/paularmstrong/swig) (last released 2014) and is now a standalone project. Security and bug fixes ship here.
 
 > **Part of the [Gina](https://github.com/gina-io/gina) ecosystem.** This is the built-in template engine for [Gina](https://gina.io) ([npm](https://www.npmjs.com/package/gina)), a Node.js MVC framework with HTTP/2, multi-bundle architecture, and scope-based data isolation.
 
@@ -13,6 +13,8 @@ Swig is a **Jinja2/Django-inspired** template engine for node.js and browsers. T
 
 > **Coming from Python Jinja2?** Install [@rhinostone/swig-jinja2](https://www.npmjs.com/package/@rhinostone/swig-jinja2) — a dedicated Jinja2-syntax frontend (near-subset) with closer parity than porting to native Swig syntax here.
 
+> **Coming from Django?** Install [@rhinostone/swig-django](https://www.npmjs.com/package/@rhinostone/swig-django) — a dedicated Django Template Language frontend that renders real Django templates, with far closer parity than native Swig syntax here.
+
 Workspace packages
 ------------------
 
@@ -21,6 +23,7 @@ Workspace packages
 | [`@rhinostone/swig`](https://www.npmjs.com/package/@rhinostone/swig) | Native Swig syntax (Jinja2/Django-inspired). Drop-in for `@rhinostone/swig@1.x` consumers. | Upgrading from `@rhinostone/swig@1.x`, or starting fresh with Swig syntax. |
 | [`@rhinostone/swig-twig`](https://www.npmjs.com/package/@rhinostone/swig-twig) | Twig-syntax frontend with closer Twig parity. | Migrating from PHP Twig, or writing new templates in Twig syntax. |
 | [`@rhinostone/swig-jinja2`](https://www.npmjs.com/package/@rhinostone/swig-jinja2) | Python Jinja2-syntax frontend (near-subset). | Migrating from Python Jinja2, or writing new templates in Jinja2 syntax. |
+| [`@rhinostone/swig-django`](https://www.npmjs.com/package/@rhinostone/swig-django) | Django Template Language frontend (real DTL). | Migrating from Django, or writing new templates in Django syntax. |
 | [`@rhinostone/swig-core`](https://www.npmjs.com/package/@rhinostone/swig-core) | Shared IR, backend, and runtime primitives. | Building a custom flavor frontend. Otherwise pulled in transitively. |
 
 Each frontend pins the matching `@rhinostone/swig-core` version exactly (no caret, no tilde) — frontends and the core release in lockstep on every cut.
@@ -68,6 +71,10 @@ For Python Jinja2 syntax:
 
     npm install @rhinostone/swig-jinja2
 
+For Django syntax:
+
+    npm install @rhinostone/swig-django
+
 Documentation
 -------------
 
@@ -116,7 +123,7 @@ Migrating from `@rhinostone/swig@1.x`
 
 `@rhinostone/swig@2.x` is **drop-in for `1.x` consumers** — `swig.compileFile`, `swig.renderFile`, `swig.setFilter`, `swig.setTag`, and the rest of the public API are unchanged. The internal carve into [@rhinostone/swig-core](https://www.npmjs.com/package/@rhinostone/swig-core) is transparent (test gate during the alpha cycle: byte-identical compiled output against the `1.x` test suite).
 
-`2.0.0` also ships [@rhinostone/swig-twig](https://www.npmjs.com/package/@rhinostone/swig-twig), a sibling Twig-syntax frontend, and `2.5.0` adds [@rhinostone/swig-jinja2](https://www.npmjs.com/package/@rhinostone/swig-jinja2) for Python Jinja2 syntax. Switching is opt-in — your existing `@rhinostone/swig` install keeps working.
+`2.0.0` also ships [@rhinostone/swig-twig](https://www.npmjs.com/package/@rhinostone/swig-twig), a sibling Twig-syntax frontend; `2.5.0` adds [@rhinostone/swig-jinja2](https://www.npmjs.com/package/@rhinostone/swig-jinja2) for Python Jinja2 syntax; and `2.7.0` adds [@rhinostone/swig-django](https://www.npmjs.com/package/@rhinostone/swig-django) for Django Template Language syntax. Switching is opt-in — your existing `@rhinostone/swig` install keeps working.
 
 Migrating from Jinja2 or Django
 -------------------------------
@@ -139,7 +146,7 @@ How it works
 
 Swig reads template files and translates them into cached JavaScript functions. The pipeline is: parse → emit IR → lower IR to JS source → `new Function(...)`. At render time, the compiled function runs against a context object to produce the output string.
 
-In `2.x`, frontend parsers (native Swig syntax in [@rhinostone/swig](https://www.npmjs.com/package/@rhinostone/swig), Twig syntax in [@rhinostone/swig-twig](https://www.npmjs.com/package/@rhinostone/swig-twig), Python Jinja2 syntax in [@rhinostone/swig-jinja2](https://www.npmjs.com/package/@rhinostone/swig-jinja2)) emit a shared intermediate representation. The backend in [@rhinostone/swig-core](https://www.npmjs.com/package/@rhinostone/swig-core) lowers IR to JS. New flavors plug in at the frontend without touching the runtime.
+In `2.x`, frontend parsers (native Swig syntax in [@rhinostone/swig](https://www.npmjs.com/package/@rhinostone/swig), Twig syntax in [@rhinostone/swig-twig](https://www.npmjs.com/package/@rhinostone/swig-twig), Python Jinja2 syntax in [@rhinostone/swig-jinja2](https://www.npmjs.com/package/@rhinostone/swig-jinja2), Django Template Language syntax in [@rhinostone/swig-django](https://www.npmjs.com/package/@rhinostone/swig-django)) emit a shared intermediate representation. The backend in [@rhinostone/swig-core](https://www.npmjs.com/package/@rhinostone/swig-core) lowers IR to JS. New flavors plug in at the frontend without touching the runtime.
 
 License
 -------

package/ROADMAP.md

@@ -15,13 +15,24 @@ _No near-term scheduled items. See [Future (post-2.0)](#future-post-20) for upco
 | Status | Item |
 | --- | --- |
 | Planned | Async parse path for the remaining dynamic targets — runtime-resolved `{% import %}` / `{% from %}` paths on the async-codegen branch. Static-target async dispatch shipped in 2.2.0; dynamic `{% extends %}` shipped in 2.5.2 (native + Twig + Jinja2) and dynamic `{% include %}` paths already resolve (the include path has always been an expression). Dynamic `import` / `from` are on hold pending consumer demand. |
-| Planned | Ship a Django frontend as an additional `@rhinostone/swig-*` package. On demand — when there's concrete user demand. (The Jinja2 frontend shipped in `2.5.0`.) |
-| Planned | Test framework migration. Replace mocha 1.x + expect.js with `node:test` + `node:assert/strict`, add a modern browser-test harness (the legacy phantomjs runner has been removed), swap blanket for `c8`. (The Node engines bump is upstream-driven by gina and is being treated as done.) |
+| Planned | Modern browser-test harness. The legacy phantomjs runner was removed; a replacement (e.g. Playwright or JSDOM) has not yet landed, so browser parity is verified in the interim via the production build plus a symbol grep. (The `mocha` → `node:test` runner migration, the `expect.js` → in-repo assertion-shim swap, and the `blanket` → `node:test` built-in coverage migration have all shipped.) |
 
 ---
 
 ## Completed
 
+### v2.7.0 (June 2026)
+
+- Added `@rhinostone/swig-django`, a Django Template Language frontend on the shared `@rhinostone/swig-core` engine — the fourth dialect in the multi-flavor family alongside native swig, `@rhinostone/swig-twig`, and `@rhinostone/swig-jinja2`. It renders real Django templates: 15 tags (`if` / `elif` / `else`, `for` / `empty` with `forloop`, `block`, `extends`, `include`, `with`, `autoescape`, `spaceless`, `comment`, `verbatim`, `cycle`, `firstof`), 42 built-in filters with Django's colon-argument syntax (`{{ value|date:"Y-m-d" }}`), and a Django-faithful variable resolver — callable attributes are auto-called (honoring `alters_data` / `do_not_call_in_templates`), numeric indexing works (`{{ list.0 }}`), and dicts iterate via `.keys` / `.values` / `.items`. Async loader support via `renderFileAsync` / `compileFileAsync` and `renderFile(path, locals, cb)` against an async loader. Autoescape and the CVE-2023-25345 guards are inherited from `@rhinostone/swig-core`. Every tag and filter was cross-checked against Django 5.2; the behavioural differences and explicit non-goals (no `{% load %}` / custom tag libraries, no `{% url %}` / `{% static %}` / `{% csrf_token %}` / `{% trans %}` / `{% blocktrans %}` framework infrastructure, no whitespace-control, no `is` tests) are documented in the Django templating guide.
+- All five packages (`@rhinostone/swig`, `@rhinostone/swig-core`, `@rhinostone/swig-twig`, `@rhinostone/swig-jinja2`, `@rhinostone/swig-django`) released in lockstep at `2.7.0`. `@rhinostone/swig-core` gained an additive opt-in loop-context flag and a variable-resolver primitive (`_utils.resolve`) consumed by the Django frontend; native swig, Twig, and Jinja2 are functionally unchanged (proven byte-identical compiled output).
+- Documentation housekeeping: de-linked the dead `paularmstrong/swig` issue and pull-request references in `HISTORY.md` (the upstream issue tracker is disabled), preserving every reference as plain text.
+
+### v2.6.0 (June 2026)
+
+- The native `json` / `json_encode` filters now HTML-escape their output (`<`, `>`, `&`, and `'` are emitted as `\u00XX` escapes) and are marked safe, so `{{ data|json }}` renders valid JSON that can be embedded directly inside a `<script>` block instead of `&quot;`-escaped text. `url_encode` is now marked safe as well — its output never contains HTML-significant characters. `url_decode` is deliberately unchanged: its output stays autoescaped, since decoded content can contain HTML. Only the native `@rhinostone/swig` flavor changes here — `@rhinostone/swig-twig` keeps `json_encode` / `url_encode` unescaped (Twig-faithful), and `@rhinostone/swig-jinja2` keeps its `tojson` (safe) / `urlencode` (not safe) split (Jinja2-faithful).
+- Replaced the `expect.js` test-assertion dev dependency with a small in-repo shim, with verified behavioral parity. Dev-only — the published packages are unaffected (their only runtime dependency remains `@rhinostone/swig-core`), and the full test suite plus the CVE-2023-25345 regressions pass unchanged.
+- All four packages (`@rhinostone/swig`, `@rhinostone/swig-core`, `@rhinostone/swig-twig`, `@rhinostone/swig-jinja2`) released in lockstep at `2.6.0`. The functional change is confined to native `@rhinostone/swig`'s filters; the `@rhinostone/swig-core`, `@rhinostone/swig-twig`, and `@rhinostone/swig-jinja2` runtimes are functionally identical to `2.5.3`.
+
 ### v2.5.3 (June 2026)
 
 - Dynamic `{% extends %}` on the synchronous render path now throws a clear error pointing to the async render path (`renderFile` with `loader.async === true`), instead of a generic "template not found" / "no filename" error. Dynamic extends has always required the async render path; this only improves the diagnostic. Applies to all flavors via the shared engine.

package/dist/swig.js

@@ -1,4 +1,4 @@
-/*! Swig v2.5.3 | https://github.com/gina-io/swig | @license https://github.com/gina-io/swig/blob/master/LICENSE */
+/*! Swig v2.7.0 | https://github.com/gina-io/swig | @license https://github.com/gina-io/swig/blob/master/LICENSE */
 /*! DateZ (c) 2011 Tomo Universalis | @license https://github.com/ocrybit/DateZ/blob/master/LISENCE */
 (() => {
   var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -6,9 +6,17 @@
     return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
   };
 
+  // packages/swig-core/lib/security.js
+  var require_security = __commonJS({
+    "packages/swig-core/lib/security.js"(exports) {
+      exports.dangerousProps = ["__proto__", "constructor", "prototype"];
+    }
+  });
+
   // packages/swig-core/lib/utils.js
   var require_utils = __commonJS({
     "packages/swig-core/lib/utils.js"(exports) {
+      var security = require_security();
       var isArray;
       exports.strip = function(input) {
         return input.replace(/^\s+|\s+$/g, "");
@@ -201,6 +209,40 @@
       exports.coerceOutput = function(v) {
         return v === null || v === void 0 ? "" : v;
       };
+      function resolveSeg(obj, seg) {
+        var val;
+        if (obj === null || obj === void 0) {
+          return void 0;
+        }
+        if (security.dangerousProps.indexOf(seg) !== -1) {
+          return void 0;
+        }
+        val = obj[seg];
+        if (typeof val === "function") {
+          if (val.alters_data === true) {
+            return void 0;
+          }
+          if (val.do_not_call_in_templates === true) {
+            return val;
+          }
+          try {
+            return val.call(obj);
+          } catch (e) {
+            return void 0;
+          }
+        }
+        return val;
+      }
+      exports.resolve = function(obj, path) {
+        var cur = obj, i;
+        for (i = 0; i < path.length; i += 1) {
+          cur = resolveSeg(cur, path[i]);
+          if (cur === null || cur === void 0) {
+            return cur;
+          }
+        }
+        return cur;
+      };
     }
   });
 
@@ -1004,8 +1046,13 @@
         return input;
       };
       exports.json = function(input, indent) {
-        return JSON.stringify(input, null, indent || 0);
+        var json = JSON.stringify(input, null, indent || 0);
+        if (typeof json !== "string") {
+          return json;
+        }
+        return json.replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026").replace(/'/g, "\\u0027");
       };
+      exports.json.safe = true;
       exports.json_encode = exports.json;
       exports.last = function(input) {
         if (typeof input === "object" && !utils.isArray(input)) {
@@ -1115,6 +1162,7 @@
         }
         return encodeURIComponent(input);
       };
+      exports.url_encode.safe = true;
       exports.url_decode = function(input) {
         var out = iterateFilter.apply(exports.url_decode, arguments);
         if (out !== void 0) {
@@ -1223,13 +1271,6 @@
     }
   });
 
-  // packages/swig-core/lib/security.js
-  var require_security = __commonJS({
-    "packages/swig-core/lib/security.js"(exports) {
-      exports.dangerousProps = ["__proto__", "constructor", "prototype"];
-    }
-  });
-
   // lib/tags/for.js
   var require_for = __commonJS({
     "lib/tags/for.js"(exports) {
@@ -1430,7 +1471,7 @@
             return;
           }
           if (node.type === "For") {
-            var forVal = node.value, forKey = node.key, forIterable, forBodyJS = "", ctxloopcache = ("_ctx.__loopcache" + Math.random()).replace(/\./g, ""), ctx = "_ctx.", ctxloop = "_ctx.loop";
+            var forVal = node.value, forKey = node.key, forIterable, forBodyJS = "", ctxloopcache = ("_ctx.__loopcache" + Math.random()).replace(/\./g, ""), ctx = "_ctx.", loopName = node.loopName || "loop", ctxloop = "_ctx." + loopName, loopFields = node.loopFields || {}, fIndex = loopFields.index || "index", fIndex0 = loopFields.index0 || "index0", fRevindex = loopFields.revindex || "revindex", fRevindex0 = loopFields.revindex0 || "revindex0", parentloopJS = node.loopParent ? ", parentloop: " + ctxloopcache + "." + loopName : "";
             if (node.iterable && typeof node.iterable === "object" && typeof node.iterable.type === "string") {
               forIterable = exports.emitExpr(node.iterable);
             } else {
@@ -1461,7 +1502,7 @@
               });
               forEmptyCheck = "  if (!__l || !__len) {\n" + forEmptyJS + "  return;\n  }\n";
             }
-            out += "(function () {\n  var __l = " + forIterable + ', __len = (_utils.isArray(__l) || typeof __l === "string") ? __l.length : _utils.keys(__l).length;\n' + forEmptyCheck + "    var " + ctxloopcache + " = { loop: " + ctxloop + ", " + forVal + ": " + ctx + forVal + ", " + forKey + ": " + ctx + forKey + " };\n    " + ctxloop + " = { first: false, index: 1, index0: 0, revindex: __len, revindex0: __len - 1, length: __len, last: false };\n  _utils.each(__l, function (" + forVal + ", " + forKey + ") {\n    " + ctx + forVal + " = " + forVal + ";\n    " + ctx + forKey + " = " + forKey + ";\n    " + ctxloop + ".key = " + forKey + ";\n    " + ctxloop + ".first = (" + ctxloop + ".index0 === 0);\n    " + ctxloop + ".last = (" + ctxloop + ".revindex0 === 0);\n    " + forBodyJS + "    " + ctxloop + ".index += 1; " + ctxloop + ".index0 += 1; " + ctxloop + ".revindex -= 1; " + ctxloop + ".revindex0 -= 1;\n  });\n  " + ctxloop + " = " + ctxloopcache + ".loop;\n  " + ctx + forVal + " = " + ctxloopcache + "." + forVal + ";\n  " + ctx + forKey + " = " + ctxloopcache + "." + forKey + ";\n  " + ctxloopcache + " = undefined;\n})();\n";
+            out += "(function () {\n  var __l = " + forIterable + ', __len = (_utils.isArray(__l) || typeof __l === "string") ? __l.length : _utils.keys(__l).length;\n' + forEmptyCheck + "    var " + ctxloopcache + " = { " + loopName + ": " + ctxloop + ", " + forVal + ": " + ctx + forVal + ", " + forKey + ": " + ctx + forKey + " };\n    " + ctxloop + " = { first: false, " + fIndex + ": 1, " + fIndex0 + ": 0, " + fRevindex + ": __len, " + fRevindex0 + ": __len - 1, length: __len, last: false" + parentloopJS + " };\n  _utils.each(__l, function (" + forVal + ", " + forKey + ") {\n    " + ctx + forVal + " = " + forVal + ";\n    " + ctx + forKey + " = " + forKey + ";\n    " + ctxloop + ".key = " + forKey + ";\n    " + ctxloop + ".first = (" + ctxloop + "." + fIndex0 + " === 0);\n    " + ctxloop + ".last = (" + ctxloop + "." + fRevindex0 + " === 0);\n    " + forBodyJS + "    " + ctxloop + "." + fIndex + " += 1; " + ctxloop + "." + fIndex0 + " += 1; " + ctxloop + "." + fRevindex + " -= 1; " + ctxloop + "." + fRevindex0 + " -= 1;\n  });\n  " + ctxloop + " = " + ctxloopcache + "." + loopName + ";\n  " + ctx + forVal + " = " + ctxloopcache + "." + forVal + ";\n  " + ctx + forKey + " = " + ctxloopcache + "." + forKey + ";\n  " + ctxloopcache + " = undefined;\n})();\n";
             return;
           }
           if (node.type === "Macro") {
@@ -1829,6 +1870,9 @@
         utils.each(node.path, function(segment) {
           checkDangerousSegment(segment, d, node);
         });
+        if (node.resolve) {
+          return "_utils.resolve(_ctx, " + JSON.stringify(node.path) + ")";
+        }
         return checkMatchExpr(node.path);
       }
       function emitVarRefExists(node, d) {
@@ -4705,7 +4749,7 @@
       var loaders = require_loaders2();
       var preWalker = require_pre_walker();
       var engine = require_engine();
-      exports.version = "2.5.3";
+      exports.version = "2.7.0";
       var defaultOptions = {
         autoescape: true,
         varControls: ["{{", "}}"],
@@ -4925,6 +4969,20 @@
     window.swig = swig;
   }
 })();
+/*!
+ * Resolve a single path segment against a value, Django-style. A plain
+ * property access (`obj[seg]`) covers dictionary, attribute, and array /
+ * string index lookup in one step (JS string-keys an array / string by a
+ * numeric segment, so `["a"][0]` and `["a"]["0"]` both yield the element).
+ * A callable leaf is auto-called with no arguments, bound to its receiver,
+ * honoring Django's opt-outs: `fn.alters_data === true` is not called and
+ * yields `undefined` (Django renders nothing for data-altering callables);
+ * `fn.do_not_call_in_templates === true` is returned uncalled. A call that
+ * throws (e.g. a method that needs arguments) yields `undefined`, mirroring
+ * Django's `string_if_invalid` fallback on a failed auto-call. The
+ * `_dangerousProps` segments are rejected at runtime as defense-in-depth.
+ * @private
+ */
 /*!
  * Attach `loc` to the node if provided, skipping the assignment otherwise
  * so consumers can tell "no source location available" from