@shopify/shop-minis-react 0.4.8 → 0.4.10

@@ -1,5 +1,5 @@
1
- var e = { exports: {} };
1
+ var r = {};
2
2
  export {
3
- e as __module
3
+ r as __exports
4
4
  };
5
5
  //# sourceMappingURL=index4.js.map
@@ -1,6 +1,5 @@
1
- import { __require as r } from "../shop-minis-react/node_modules/.pnpm/@xmldom_xmldom@0.8.10/node_modules/@xmldom/xmldom/lib/index.js";
2
- var i = r();
1
+ var e = { exports: {} };
3
2
  export {
4
- i as l
3
+ e as __module
5
4
  };
6
5
  //# sourceMappingURL=index5.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"index5.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;"}
1
+ {"version":3,"file":"index5.js","sources":[],"sourcesContent":[],"names":[],"mappings":";"}
@@ -1,5 +1,6 @@
1
- var r = {};
1
+ import { __require as r } from "../shop-minis-react/node_modules/.pnpm/@xmldom_xmldom@0.8.10/node_modules/@xmldom/xmldom/lib/index.js";
2
+ var i = r();
2
3
  export {
3
- r as __exports
4
+ i as l
4
5
  };
5
6
  //# sourceMappingURL=index6.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"index6.js","sources":[],"sourcesContent":[],"names":[],"mappings":";"}
1
+ {"version":3,"file":"index6.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;"}
@@ -1,4 +1,4 @@
1
- import { __module as q } from "../../../../../../../../_virtual/index4.js";
1
+ import { __module as q } from "../../../../../../../../_virtual/index5.js";
2
2
  import { __require as F } from "../../../../../global@4.4.0/node_modules/global/window.js";
3
3
  import { __require as N } from "../../../../../@babel_runtime@7.27.6/node_modules/@babel/runtime/helpers/extends.js";
4
4
  import { __require as J } from "../../../../../is-function@1.0.2/node_modules/is-function/index.js";
@@ -2,7 +2,7 @@ import L from "../../../../@videojs_vhs-utils@4.1.1/node_modules/@videojs/vhs-ut
2
2
  import T from "../../../../../../../_virtual/window.js";
3
3
  import { forEachMediaGroup as Z } from "../../../../@videojs_vhs-utils@4.1.1/node_modules/@videojs/vhs-utils/es/media-groups.js";
4
4
  import J from "../../../../@videojs_vhs-utils@4.1.1/node_modules/@videojs/vhs-utils/es/decode-b64-to-uint8-array.js";
5
- import { l as Q } from "../../../../../../../_virtual/index5.js";
5
+ import { l as Q } from "../../../../../../../_virtual/index6.js";
6
6
  /*! @name mpd-parser @version 1.3.1 @license Apache-2.0 */
7
7
  const w = (e) => !!e && typeof e == "object", E = (...e) => e.reduce((n, t) => (typeof t != "object" || Object.keys(t).forEach((r) => {
8
8
  Array.isArray(n[r]) && Array.isArray(t[r]) ? n[r] = n[r].concat(t[r]) : w(n[r]) && w(t[r]) ? n[r] = E(n[r], t[r]) : n[r] = t[r];
@@ -1,4 +1,4 @@
1
- import { __exports as i } from "../../../../../../_virtual/index6.js";
1
+ import { __exports as i } from "../../../../../../_virtual/index4.js";
2
2
  var c;
3
3
  function d() {
4
4
  if (c) return i;
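--- a/package/eslint/README.md
+++ b/package/eslint/README.md
@@ -39,6 +39,9 @@ npx eslint . --fix
  ### Security Rules (Using Built-in ESLint Rules)
  - ✅ WebAssembly usage blocked - prevents WASM in Shop Minis environment
  - ✅ Unsafe code execution blocked - prevents `eval()`, Function constructor, and dynamic code execution
+ - ✅ `dangerouslySetInnerHTML` blocked - prevents XSS vulnerabilities
+ - ✅ `window.open` blocked - use SDK navigation instead
+ - ✅ Navigator APIs blocked - `clipboard`, `credentials`, `geolocation`, `share` are not available
 
  ## Rules
 
@@ -234,6 +237,62 @@ window.location = 'https://example.com'
  - `no-implied-eval` - blocks `setTimeout()` / `setInterval()` with string arguments
  - `no-script-url` - blocks `javascript:` URLs
 
+ ### Dangerous HTML Injection
+
+ **Rule:** `react/no-danger`
+
+ ```tsx
+ // ❌ Error
+ <div dangerouslySetInnerHTML={{__html: userInput}} />
+
+ // ✅ Correct
+ <div>{sanitizedContent}</div>
+ ```
+
+ **Why:** Injecting raw HTML can lead to XSS (Cross-Site Scripting) attacks.
+
+ ### Window Open Restriction
+
+ **Rule:** `no-restricted-syntax`
+
+ ```tsx
+ // ❌ Error
+ window.open('https://example.com', '_blank')
+
+ // ✅ Correct
+ // Use SDK navigation methods instead
+ import {useNavigation} from '@shopify/shop-minis-react'
+ const {navigate} = useNavigation()
+ navigate('https://example.com')
+ ```
+
+ **Why:** `window.open` is not allowed in the Shop Minis environment. Use SDK navigation methods instead.
+
+ ### Navigator API Restrictions
+
+ **Rule:** `no-restricted-syntax`
+
+ The following Navigator APIs are not available in the Shop Minis environment:
+
+ ```tsx
+ // ❌ Error - Clipboard API
+ navigator.clipboard.writeText('text')
+ navigator.clipboard.readText()
+
+ // ❌ Error - Credentials API
+ navigator.credentials.get({password: true})
+ navigator.credentials.store(credential)
+
+ // ❌ Error - Geolocation API
+ navigator.geolocation.getCurrentPosition(callback)
+ navigator.geolocation.watchPosition(callback)
+
+ // ❌ Error - Share API
+ navigator.share({title: 'Title', url: 'https://...'})
+ ```
+
+ **Why:** These browser APIs are not supported in the Shop Minis security sandbox. Use the appropriate SDK alternatives when available.
+
  ## Extending Rules
 
  To add more component mappings to `prefer-sdk-components`, edit `eslint/rules/prefer-sdk-components.cjs`: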
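--- a/package/eslint/config.cjs
+++ b/package/eslint/config.cjs
@@ -62,6 +62,7 @@ module.exports = {
  ],
  'no-restricted-syntax': [
  'error',
+ // WebAssembly restrictions
  {
  selector: "MemberExpression[object.name='WebAssembly']",
  message:
@@ -72,6 +73,38 @@ module.exports = {
  message:
  'WebAssembly is not supported in the Shop Minis environment. Consider using alternative JavaScript implementations.',
  },
+ // window.open restriction
+ {
+ selector:
+ "CallExpression[callee.object.name='window'][callee.property.name='open']",
+ message:
+ 'window.open is not allowed in the Shop Minis environment. Use the appropriate SDK navigation methods instead.',
+ },
+ // Navigator API restrictions
+ {
+ selector:
+ "MemberExpression[object.name='navigator'][property.name='clipboard']",
+ message:
+ 'navigator.clipboard is not available in the Shop Minis environment.',
+ },
+ {
+ selector:
+ "MemberExpression[object.name='navigator'][property.name='credentials']",
+ message:
+ 'navigator.credentials is not available in the Shop Minis environment.',
+ },
+ {
+ selector:
+ "MemberExpression[object.name='navigator'][property.name='geolocation']",
+ message:
+ 'navigator.geolocation is not available in the Shop Minis environment.',
+ },
+ {
+ selector:
+ "MemberExpression[object.name='navigator'][property.name='share']",
+ message:
+ 'navigator.share is not available in the Shop Minis environment. Use the SDK share functionality instead.',
+ },
  ],
  'compat/compat': 'error',
  },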
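Review bot: The `no-restricted-syntax` selectors added in the second hunk match only the direct identifier forms, `window.open(...)` and `navigator.<api>` with `navigator` as a bare identifier. The same APIs reached through `window.navigator`, computed property access, or destructuring are not reported. If the rules are meant to cover those spellings, each entry needs a companion selector such as `"MemberExpression[object.property.name='navigator'][property.name='clipboard']"`. Since a syntactic lint cannot see aliasing, a comment above the group would stop a reader taking it for the enforcement boundary, for example `// Lint-time guard only; the host sandbox must still deny these APIs at runtime.` Whether such a runtime denial exists is not visible here, as the `module.exports` object begins and ends outside both hunks.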
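--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
  {
  "name": "@shopify/shop-minis-react",
  "license": "SEE LICENSE IN LICENSE.txt",
- "version": "0.4.8",
+ "version": "0.4.10",
  "sideEffects": false,
  "type": "module",
  "engines": {
@@ -76,7 +76,6 @@
  "react-window": "1.8.11",
  "sonner": "2.0.5",
  "stylelint": "^16.26.1",
- "stylelint-config-standard": "^39.0.1",
  "tailwind-merge": "2.6.0",
  "tailwindcss": "4.1.8",
  "thumbhash": "0.1.1",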
@@ -5,35 +5,8 @@ const __dirname = dirname(fileURLToPath(import.meta.url))
5
5
 
6
6
  /** @type {import('stylelint').Config} */
7
7
  const config = {
8
- extends: ['stylelint-config-standard'],
9
8
  plugins: [join(__dirname, 'plugin-no-font-imports.mjs')],
10
9
  rules: {
11
- // Tailwind CSS v4 at-rules
12
- 'at-rule-no-unknown': [
13
- true,
14
- {
15
- ignoreAtRules: [
16
- 'theme',
17
- 'source',
18
- 'custom-variant',
19
- 'apply',
20
- 'config',
21
- 'plugin',
22
- 'utility',
23
- 'variant',
24
- 'tailwind',
25
- 'reference',
26
- ],
27
- },
28
- ],
29
- // Tailwind theme() function
30
- 'function-no-unknown': [
31
- true,
32
- {
33
- ignoreFunctions: ['theme'],
34
- },
35
- ],
36
- 'import-notation': 'string',
37
10
  'plugin/no-font-imports': true,
38
11
  },
39
12
  }