@techiev2/vajra 1.4.2 → 1.4.3

package/README

@@ -22,7 +22,13 @@ Like the Vajra, this server delivers maximum power in minimal form.
 
 ## Changelog
 
-### 1.4.1 (Current)
+### 1.4.3 (2026-01-02)
+- Adds guardrails for unsafe operations with template paths.
+
+### 1.4.2 (2026-01-02)
+- Fixes bug in parsing params that dropped file extensions.
+
+### 1.4.1 (2026-01-01)
 - Added support to handle drift in system time after signing
 
 ### 1.4.0 (2025-12-31)

package/README.md

@@ -22,7 +22,13 @@ Like the Vajra, this server delivers maximum power in minimal form.
 
 ## Changelog
 
-### 1.4.1 (Current)
+### 1.4.3 (2026-01-02)
+- Adds guardrails for unsafe operations with template paths.
+
+### 1.4.2 (2026-01-02)
+- Fixes bug in parsing params that dropped file extensions.
+
+### 1.4.1 (2026-01-01)
 - Added support to handle drift in system time after signing
 
 ### 1.4.0 (2025-12-31)

package/_

@@ -0,0 +1,5 @@
+const MIMES={html: 'text/html',js: 'application/javascript',css: 'text/css',json: 'application/json',png: 'image/png',jpg: 'image/jpeg',jpeg: 'image/jpeg',gif: 'image/gif',svg: 'image/svg+xml'}
+
+res.sendFile = (filePath) => new Promise((resolve) => {
+createReadStream(filePath).on('open', () => { res.setHeader('Content-Type', MIMES[filePath.split('.').pop()?.toLowerCase()] || 'application/octet-stream'); !res.getHeader('Accept-Ranges') && res.setHeader('Accept-Ranges', 'bytes'); }).on('error', (err) => { (err.code === 'ENOENT' ? default_404(req, res, `${filePath.split('/').slice(-1)} not found.`) : default_500(req, res)); resolve() }).pipe(res).on('finish', resolve).on('error', resolve);
+});

package/_README.md

@@ -0,0 +1,226 @@
+# Vajra ⚡
+
+![Vajra Thunderbolt](assets/vajra.jpg)  <!-- or use one of the above hosted URLs if you like -->
+
+
+**Ultra-minimal, zero-dependency Node.js HTTP server**  
+Routing · Middleware · Multipart parsing · HTML templating  
+All in **111 lines** of pure JavaScript
+
+## Name Origin
+
+Vajra draws from the Rigvedic thunderbolt weapon of Indra — crafted from the bones of Sage Dadhichi, symbolizing unbreakable strength through selfless sacrifice.
+
+Like the Vajra, this server delivers maximum power in minimal form.
+
+
+[![npm version](https://img.shields.io/npm/v/@techiev2/vajra.svg?style=flat-square)](https://www.npmjs.com/package/@techiev2/vajra)
+[![npm downloads](https://img.shields.io/npm/dm/vajra.svg?style=flat-square)](https://www.npmjs.com/package/@techiev2/vajra)
+[![Node.js version](https://img.shields.io/node/v/@techiev2/vajra.svg?style=flat-square)](https://nodejs.org)
+[![License](https://img.shields.io/npm/l/@techiev2/vajra.svg?style=flat-square)](LICENSE)
+
+
+## Changelog
+
+### 1.4.3 (2026-01-02)
+- Adds guardrails for unsafe operations with template paths.
+
+### 1.4.2 (2026-01-02)
+- Fixes bug in parsing params that dropped file extensions.
+
+### 1.4.1 (2026-01-01)
+- Added support to handle drift in system time after signing
+
+### 1.4.0 (2025-12-31)
+- Added full HS256 JWT support (`@techiev2/vajra/libs/auth/jwt.js`)
+  - Ultra-minimal, zero-dependency implementation
+  - Key and header caching for maximum performance
+  - Robust base64url handling
+  - Numeric exp validation and expiration checks
+
+### 1.3.0 (2025-12-30)
+- Performance improvements to routing in bare routes
+
+### 1.2.0 (2025-12-30)
+- Adds cookie support
+
+### 1.0.0 (2025-12-25)
+- Initial release
+
+## Features
+
+- Zero external dependencies
+- Built-in routing with named parameters (`:id`)
+- Asynchronous batched logging for performance
+- Global middleware support with `next()` chaining
+- JSON, urlencoded, and **multipart/form-data** body parsing
+- Fast HTML templating with loops, nested objects, and simple array headers
+- Helper methods: `res.json()`, `res.html()`, `res.status()`, `res.writeMessage()`
+- Payload size limiting with 413 responses
+- Sensible defaults for 404/405/500
+
+## Performance (Apple M4, Node 20+)
+
+| Test Case                                      | Vajra          | Express + Multer | Notes                     |
+|------------------------------------------------|----------------|------------------|---------------------------|
+| 1MB Multipart Upload (wrk -t16 -c600)          | **~94–98k req/s** | ~72k req/s      | +30% faster               |
+| Idle RSS                                       | ~52–53 MB      | ~44 MB           | Zero deps vs extra packages |
+| Peak RSS under load                            | ~228 MB        | ~209 MB          | Full buffering trade-off  |
+| Code size (source)                             | **111 lines**  | ~2k+ lines       | Hand-crafted minimalism   |
+
+## Performance Benchmarks (wrk)
+
+![wrk multipart benchmarks on M4 and VPS](assets/wrk-benchmarks.png)
+
+## Installation
+
+```bash
+npm install vajra
+```
+
+
+## Quick Start
+```JavaScript
+import Vajra from '../index.js';
+import { encode } from 'node:querystring';
+
+async function getUsers(query = {}) {
+  return (await fetch(`https://jsonplaceholder.typicode.com/users?${encode(query)}`)).json()
+}
+
+const { get, post, use, start, setProperty, log } = Vajra.create();
+
+setProperty({ viewsRoot: `${import.meta.url}/views` })
+// Or as a key-value pair
+// setProperty('viewsRoot', `${import.meta.url}/views`)
+
+use((req, res, next) => {
+  // Vajra provides an async batched logger to provide a balance between 100% log coverage and performance.
+  // If you prefer blocking immediate logs, you can switch to console.log
+  // or any other library of your choice.
+  log(`${req.method} ${req.url}`);
+  next();
+});
+
+get('/', (req, res) => {
+  res.writeMessage('Hello from Vajra ⚡');
+});
+
+post('/upload', (req, res) => {
+  res.json({ received: true, filesCount: req.files.length, files: req.files, body: req.body });
+});
+
+start({ port: 4002 }, () => {
+  console.log('Ready at http://localhost:4002');
+});
+
+get('/api/users', async ({ query }, res) => {
+  const users = await getUsers(query)
+  return res.json({ users })
+})
+
+get('/web/users', async ({ query }, res) => {
+  const users = await getUsers(query)
+  const headers = Object.keys(users[0])
+  return res.html(`users.html`, { users, headers })
+})
+```
+
+## HTML Templating
+```JavaScript
+import Vajra from '../index.js';
+const { get, post, use, start, setProperty } = Vajra.create();
+
+get('/users', (req, res) => {
+  const data = {
+    users: [
+      { id: 1, name: 'Alice' },
+      { id: 2, name: 'Bob' }
+    ],
+    headers: ['ID', 'Name']
+  };
+
+  // If no view root is set, .html() expects the absolute path.
+  res.html('views/users.html', data);
+});
+```
+
+#### views/users.html
+```html
+<table>
+  <thead>
+    {{# headers }}
+      <th>{{ header@ }}</th>
+    {{/ headers }}
+  </thead>
+  <tbody>
+    {{# users }}
+      <tr>
+        <td>{{ id }}</td>
+        <td>{{ name }}</td>
+      </tr>
+    {{/ users }}
+  </tbody>
+</table>
+```
+
+Supports:
+
+- Loops ({{# array }} ... {{/ array }})
+- Dot notation ({{ user.name }})
+- Special header shorthand ({{ header@ }} for simple arrays)
+
+
+## Configuration
+```JavaScript
+const app = vajra.create({
+  maxFileSize: 10 // in MB (default: 2)
+});
+
+// Set view root path
+app.setProperty('viewRoot', './views');
+```
+
+
+## API
+
+- `get/post/put/patch/delete/head/options(path, handler)`
+- `use(middleware)`
+- `start({ port, host }, callback?)`
+- `setProperty(key, value)` or `setProperty({ key: value })`
+- `log(message)`
+
+
+#### Response helpers:
+
+`res.status(code)`
+`res.json(data)`
+`res.writeMessage(text)`
+`res.html(pathOrString, data)`
+
+
+## Philosophy
+
+Vajra is built on the principle that minimalism can maximise outcomes.
+
+Everything you need for real internal tools, admin panels, APIs, and prototypes — without the bloat.
+
+No dependencies.
+No build step.
+Just copy `index.js` and go.
+
+
+## Benchmarks & Memory
+Run under extreme multipart load (wrk -t16 -c600 -d30s 1MB payloads):
+
+Throughput: ~95k req/s
+Idle RSS: ~52 MB
+Peak under load: ~228 MB (drops back on idle)
+
+## License
+MIT
+
+## Credits
+Hand-crafted by [[Sriram Velamur](https://linkedin.com/in/techiev2)/[@techiev2](https://x.com/techiev2)]
+
+Inspired by the desire for a truly tiny, powerful, and dependency-free Node server.

package/_index.js

@@ -0,0 +1,110 @@
+import { createServer } from 'node:http'
+import { readFile, access } from 'node:fs/promises'
+import { resolve, isAbsolute } from 'path'
+
+const BLOCK_MATCHER=/{{\s*#\s*(?<grpStart>\w+)\s*}}\s*(?<block>.*?)\s*{{\s*\/\s*(?<grpEnd>\w+)\s*}}/gmsi; const INNER_BLOCK_MATCHER = /{\s*(.*?)\s*}/gmsi
+const LOOP_MATCHER=/({\s*\w+@\s*})/gmis; const ESCAPE = { regex: /[&<>"']/g, map: { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }}
+
+function default_404({ url, method, isPossibleJSON }, res) {
+  const message = `Route ${url} not found for method ${method}.`
+  res.status(404); return isPossibleJSON ? res.json({ message }) : res.writeMessage(message)
+}
+function default_405({ url, method, isPossibleJSON }, res) {
+  const message = `Method ${method} not allowed by route ${url}.`
+  res.status(405); return isPossibleJSON ? res.json({ message }) : res.writeMessage(message)
+}
+function default_500({ url, method }, res, error) {
+  process.env.DEBUG && console.log({ error })
+  res.status(500).writeMessage(process.env.DEBUG ? `${error.stack}` : `Server error.\nRoute: ${url}\nMethod: ${method}\nTimestamp: ${new Date().getTime()}\n`)
+}
+function default_413(res) {
+  res.status(413).writeMessage('Payload Too Large')
+}
+
+const MAX_MB = 2; const MAX_FILE_SIZE = MAX_MB * 1024 * 1024
+
+export default class Vajra {
+  static #app; static #routes = {}; static #middlewares = []; static #straightRoutes = {}; static #MAX_FILE_SIZE; static #onCreate; static #props = {}
+  static create({ maxFileSize } = { maxFileSize: 2 }) {
+    Vajra.#app = createServer()
+    const _queue = []; const LOG_QUEUE_SIZE = 100; const logOut = () => { if (_queue.length) { process.stdout.write(`${_queue.join('').trim()}\n`) }; _queue.length = 0 };
+    const flushAndShutDown = () => { logOut(); Vajra.#app.close(() => { process.exit(0); }); }; 'SIGINT_SIGTERM_SIGABRT'.split('_').map((evt) => process.on(evt, flushAndShutDown));
+    process.on('exit', logOut); function log(message) { _queue.push(`${message}\n`); if (_queue.length >= LOG_QUEUE_SIZE) { logOut(); _queue.length = 0; } }
+    Vajra.#MAX_FILE_SIZE = !+MAX_FILE_SIZE ? +maxFileSize * 1024 * 1024 : MAX_FILE_SIZE
+    Vajra.#app.on('request', async (req, res) => {
+      if (+(req.headers['Content-Length'] || req.headers['content-length']) > Vajra.#MAX_FILE_SIZE) { return default_413(res) }
+      res.sent = false; res.status = (/**@type{code} Number*/ code) => { if (!+code || +code < 100 || +code > 599) { throw new Error(`Invalid status code ${code}`) }; res.statusCode = code; res.statusSet = true; return res }
+      res.json = data => {
+        if (res.sent) return res; if (!res.statusSet) res.statusCode = 200
+        const response = JSON.stringify(data); res.sent = true; res.setHeader('Content-Type', 'application/json'); res.setHeader('Content-Length', Buffer.from(response).byteLength); res.write(response); res.end(); return res
+      }
+      res.writeMessage = (message = '') => {
+        if (res.sent) { return res };  if (!message) { res.status(500); message = 'Server error'; }
+        res.sent = true; res.setHeader('Content-Type', 'text/plain'); res.setHeader('Content-Length', Buffer.from(message).byteLength); res.write(message); res.end()
+        return res
+      }
+      function sanitize(value) { if (value == null) return ''; return String(value).replace(ESCAPE.regex, m => ESCAPE.map[m]); }
+      res.html = async (templatePath, data = {}) => {
+        templatePath = resolve(templatePath); const appRoot = resolve(process.cwd()); const root = this.#props.viewRoot ? resolve(this.#props.viewRoot) : appRoot;
+        const _templatePath = resolve(`${root}/${templatePath}`)
+        if (templatePath.includes('..') || !_templatePath.startsWith(appRoot) || !root.startsWith(appRoot)) { return default_500(req, res, new Error("Invalid template path")) }
+        if (res.sent) { return res }; let content; templatePath = `${root}/${_templatePath}`
+        try { await access(templatePath); content = (await readFile(templatePath)).toString() } catch (_) { content = templatePath }
+        content.matchAll(BLOCK_MATCHER).forEach((match) => { if (!match?.groups || (match.groups.grpStart !== match.groups.grpEnd)) { return }; const data_ = (data[match.groups.grpStart] || []); if (match.groups.block.indexOf('@') !== -1) { content = content.replace(match[2], data_.map((key) => match.groups.block.replace(LOOP_MATCHER, sanitize(key))).join('')); return }
+          if (!data_.length) { content = content.replace(match.groups.block, '') } else { data_.forEach((dataItem) => { match.groups.block.matchAll(INNER_BLOCK_MATCHER).forEach((_match) => { const parts = _match[1].split('.').slice(1); let value = dataItem; parts.forEach((part) => (value = value ? value[part] : value)); content = content.replace(_match[0], sanitize(value)) }) }) }
+        }); content = content.replace(/{{\s*# .*?\s*}}/gmsi, '').replace(/{{\s*\/.*?}}/gmsi, '')
+        if (!res.statusSet) res.statusCode = 200; res.sent = true; res.setHeader('Content-Type', 'text/html'); res.setHeader('Content-Length', Buffer.from(content).byteLength); res.write(content); res.end(); return res
+      }
+      req._headers = { ...req.headers }; req.headers = Object.fromEntries(req.rawHeaders.map((e, i) => i % 2 ? false : [e, req.rawHeaders[i + 1]]).filter(Boolean)); req.isPossibleJSON = req._headers['content-type'] === 'application/json'; req.params = {}
+      res.cookie = (k, v, options) => {
+        let { expires, path, maxAge, domain, secure, httpOnly, sameSite } = typeof options === 'object' ? options : typeof v === 'object' ? v : {}; const cookieOpts = [];!isNaN(+maxAge) && cookieOpts.push(`Max-Age=${Math.floor(maxAge)}`); !isNaN(+expires) && cookieOpts.push(`Expires=${new Date(expires).toUTCString()}`); expires instanceof Date && cookieOpts.push(`Expires=${expires.toUTCString()}`)
+        path && cookieOpts.push(`Path=${path}`); domain && cookieOpts.push(`Domain=${domain}`); !!secure && cookieOpts.push(`Secure`); !!httpOnly && cookieOpts.push(`HttpOnly`); sameSite = sameSite && (sameSite === true ? 'Strict' : typeof sameSite === 'string' ? sameSite.charAt(0).toUpperCase() + sameSite.slice(1).toLowerCase() : ''); !['Strict', 'Lax', 'None'].includes(sameSite) ? sameSite = 'Strict' : sameSite = sameSite; cookieOpts.push(`SameSite=${sameSite}`)
+        res.setHeader('Set-Cookie', (typeof k === 'object') ? Object.entries(k).map(([k_, v_]) => `${k_}=${encodeURIComponent(v_)}${cookieOpts.length ? `; ${cookieOpts.join('; ')}` : ''}`) : [...(res.getHeader('Set-Cookie') || []).filter(Boolean), `${k}=${encodeURIComponent(v)}${cookieOpts.length ? `; ${cookieOpts.join('; ')}` : ''}`])
+      }
+      let url = `http://${req.headers.host || req.headers.host}/${req.url}`; req.query = Object.fromEntries(new URL(url).searchParams)
+      if (req.method === 'GET' || req.method === 'HEAD') { return runMiddlwares() }
+      async function runMiddlwares() { let idx = 0; const next = async () => { if (idx >= Vajra.#middlewares.length) { return setImmediate(handleRoute) } const fn = Vajra.#middlewares[idx]; idx++; try { await fn(req, res, next); } catch (err) { return default_500({ url: req.url, method: req.method }, res, err); } }; await next(); }
+      setImmediate(() => {
+        req.body = {}; req.rawData = ''; req.formData = {}; let dataSize = 0
+        req.on('data', (chunk) => { dataSize += chunk.length; if (dataSize > Vajra.#MAX_FILE_SIZE) { return default_413(res) }; req.rawData+=chunk })
+        const formDataMatcher = /Content-Disposition: form-data; name=['"](?<name>[^"']+)['"]\s+(?<value>.*?)$/smi;
+        let boundaryMatch = (req.headers['Content-Type'] || '').match(/boundary=(.*)/); const boundary = boundaryMatch ? '--' + boundaryMatch[1] : null; const fileDataMatcher = /^Content-Disposition:.*?name=["'](?<field>[^"']+)["'].*?filename=["'](?<fileName>[^"']+)["'].*?Content-Type:\s*(?<contentType>[^\r\n]*)\r?\n\r?\n(?<content>[\s\S]*)$/ims
+        req.on('end', async () => {
+          req.files = []; if (boundary) { req.rawData.split(boundary).filter(Boolean).map((line) => {
+              let key, value; if (line.includes('filename')) { req.files.push(fileDataMatcher.exec(line)?.groups || {}); return }
+              [key, value] = Object.values(line.match(formDataMatcher)?.groups || {}); (key && value) && Object.assign(req.formData, { [key]: value });  return
+            })
+          }
+          if (Object.keys(req.formData).length) { req.body = req.formData } else {
+            try { req.body = JSON.parse(req.rawData); req.isPossibleJSON = true } catch (_) { req.body = Object.fromEntries(req.rawData.split('&').map((pair) => pair.split('='))) }
+          }; setImmediate(runMiddlwares)
+        })
+        req.cookies = Object.fromEntries((req.headers.Cookie || req.headers.cookie || '').split(/;\s*/).map((k) => k.split('=')).map(([k, v]) => [k.trim(), decodeURIComponent(v).trim()]))
+      })
+      async function handleRoute() {
+        let _url = req.url.split('?')[0]; if (_url.endsWith('/')) _url = _url.split('/').slice(0, -1).join('/')
+        let match_; const directHandler = (Vajra.#straightRoutes[_url] || Vajra.#straightRoutes[`${_url}/`] || {})[req.method.toLowerCase()]
+        if (directHandler) { try { await directHandler(req, res); if (!res.sent && !res.writableEnded) res.end() } catch (error) { return default_500(req, res, error) }; return }
+        Object.entries(Vajra.#routes).map(([route, handler]) => {
+          if (match_) { return }; const match = new RegExp(route).exec(req.url); if (!!match && handler[req.method.toLowerCase()]) { match_ = handler; Object.assign(req.params, match.groups); return }
+        })
+        if (!match_) { return default_404(req, res) }
+        if (!match_[req.method.toLowerCase()]) { return default_405(req, res) }
+        try { await match_[req.method.toLowerCase()](req, res); if (!res.sent && !res.writableEnded) res.end() } catch (error) { return default_500(req, res, error) }
+      }
+    })
+    function setProperty(k, v) { Object.assign(Vajra.#props, typeof k == 'object' ? k: { k: v }); return defaults }
+    function start({ port, host = '127.0.0.1' }, cb) { Vajra.#app.listen(port, () => { console.log(`App listening at http://${host}:${port}`); if (typeof cb === 'function') { cb() } }); return defaults }
+    function register(method, path, handler) {
+      const paramMatcher = /.*?(?<param>\:[a-zA-Z]{1,})/g; let pathMatcherStr = path
+      path.matchAll(paramMatcher).forEach(match => pathMatcherStr = pathMatcherStr.replace(match.groups.param, `{0,1}(?<${match.groups.param.slice(1)}>[\\w|\.]+)`))
+      if (path !== '/' && pathMatcherStr.endsWith('/')) { pathMatcherStr = pathMatcherStr.replace(/(\/)$/, '/?') }
+      if (!paramMatcher.exec(path)?.groups) { Vajra.#straightRoutes[pathMatcherStr] = Object.assign(Vajra.#straightRoutes[pathMatcherStr] || {}, { [method]: handler }); return }
+      Vajra.#routes[pathMatcherStr] = Object.assign(Vajra.#routes[pathMatcherStr] || {}, {[method]: handler}); return defaults
+    }
+    function use(fn) {
+      if (typeof fn !== "function") { throw new Error(`${fn} is not a function. Can't use as middleware`) }; Vajra.#middlewares.push(fn);  return defaults
+    }
+    const defaults = Object.freeze(Object.assign({}, { use, setProperty, start, log }, Object.fromEntries('get__post__put__patch__delete__head__options'.split('__').map((method) => [method, (...args) => register(method, ...args)])))); return Object.assign({}, { start }, defaults)
+  }
+}

package/index.js

@@ -1,8 +1,9 @@
 import { createServer } from 'node:http'
 import { readFile, access } from 'node:fs/promises'
+import { resolve, isAbsolute } from 'path'
 
 const BLOCK_MATCHER=/{{\s*#\s*(?<grpStart>\w+)\s*}}\s*(?<block>.*?)\s*{{\s*\/\s*(?<grpEnd>\w+)\s*}}/gmsi; const INNER_BLOCK_MATCHER = /{\s*(.*?)\s*}/gmsi
-const LOOP_MATCHER=/({\s*\w+@\s*})/gmis
+const LOOP_MATCHER=/({\s*\w+@\s*})/gmis; const ESCAPE = { regex: /[&<>"']/g, map: { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }}
 
 function default_404({ url, method, isPossibleJSON }, res) {
   const message = `Route ${url} not found for method ${method}.`
@@ -32,14 +33,9 @@ export default class Vajra {
     Vajra.#MAX_FILE_SIZE = !+MAX_FILE_SIZE ? +maxFileSize * 1024 * 1024 : MAX_FILE_SIZE
     Vajra.#app.on('request', async (req, res) => {
       if (+(req.headers['Content-Length'] || req.headers['content-length']) > Vajra.#MAX_FILE_SIZE) { return default_413(res) }
-      res.sent = false;
-      res.status = (/**@type{code} Number*/ code) => {
-        if (!+code || +code < 100 || +code > 599) { throw new Error(`Invalid status code ${code}`) }
-        res.statusCode = code; res.statusSet = true; return res
-      }
+      res.sent = false; res.status = (/**@type{code} Number*/ code) => { if (!+code || +code < 100 || +code > 599) { throw new Error(`Invalid status code ${code}`) }; res.statusCode = code; res.statusSet = true; return res }
       res.json = data => {
-        if (res.sent) return res
-        if (!res.statusSet) res.statusCode = 200
+        if (res.sent) return res; if (!res.statusSet) res.statusCode = 200
         const response = JSON.stringify(data); res.sent = true; res.setHeader('Content-Type', 'application/json'); res.setHeader('Content-Length', Buffer.from(response).byteLength); res.write(response); res.end(); return res
       }
       res.writeMessage = (message = '') => {
@@ -47,17 +43,17 @@ export default class Vajra {
         res.sent = true; res.setHeader('Content-Type', 'text/plain'); res.setHeader('Content-Length', Buffer.from(message).byteLength); res.write(message); res.end()
         return res
       }
+      function sanitize(value) { if (value == null) return ''; return String(value).replace(ESCAPE.regex, m => ESCAPE.map[m]); }
       res.html = async (templatePath, data = {}) => {
-        if (res.sent) { return res }; let content;
-        if (this.#props.viewRoot) templatePath = `${this.#props.viewRoot}/${templatePath}`
+        templatePath = resolve(templatePath); const appRoot = resolve(process.cwd()); const root = this.#props.viewRoot ? resolve(this.#props.viewRoot) : appRoot;
+        const _templatePath = resolve(`${root}/${templatePath}`)
+        if (templatePath.includes('..') || !_templatePath.startsWith(appRoot) || !root.startsWith(appRoot)) { return default_500(req, res, new Error("Invalid template path")) }
+        if (res.sent) { return res }; let content; templatePath = `${root}/${_templatePath}`
         try { await access(templatePath); content = (await readFile(templatePath)).toString() } catch (_) { content = templatePath }
-        content.matchAll(BLOCK_MATCHER).forEach((match) => {
-          if (!match?.groups || (match.groups.grpStart !== match.groups.grpEnd)) { return }
-          const data_ = (data[match.groups.grpStart] || []); if (match.groups.block.indexOf('@') !== -1) { content = content.replace(match[2], data_.map((key) => match.groups.block.replace(LOOP_MATCHER, key)).join('')); return }
-          data_.forEach((dataItem) => { match.groups.block.matchAll(INNER_BLOCK_MATCHER).forEach((_match) => { const parts = _match[1].split('.').slice(1); let value = dataItem; parts.forEach((part) => (value = value ? value[part] : value)) ; content = content.replace(_match[0], value) }) })
+        content.matchAll(BLOCK_MATCHER).forEach((match) => { if (!match?.groups || (match.groups.grpStart !== match.groups.grpEnd)) { return }; const data_ = (data[match.groups.grpStart] || []); if (match.groups.block.indexOf('@') !== -1) { content = content.replace(match[2], data_.map((key) => match.groups.block.replace(LOOP_MATCHER, sanitize(key))).join('')); return }
+          if (!data_.length) { content = content.replace(match.groups.block, '') } else { data_.forEach((dataItem) => { match.groups.block.matchAll(INNER_BLOCK_MATCHER).forEach((_match) => { const parts = _match[1].split('.').slice(1); let value = dataItem; parts.forEach((part) => (value = value ? value[part] : value)); content = content.replace(_match[0], sanitize(value)) }) }) }
         }); content = content.replace(/{{\s*# .*?\s*}}/gmsi, '').replace(/{{\s*\/.*?}}/gmsi, '')
-        if (!res.statusSet) res.statusCode = 200
-        res.sent = true; res.setHeader('Content-Type', 'text/html'); res.setHeader('Content-Length', Buffer.from(content).byteLength); res.write(content); res.end(); return res
+        if (!res.statusSet) res.statusCode = 200; res.sent = true; res.setHeader('Content-Type', 'text/html'); res.setHeader('Content-Length', Buffer.from(content).byteLength); res.write(content); res.end(); return res
       }
       req._headers = { ...req.headers }; req.headers = Object.fromEntries(req.rawHeaders.map((e, i) => i % 2 ? false : [e, req.rawHeaders[i + 1]]).filter(Boolean)); req.isPossibleJSON = req._headers['content-type'] === 'application/json'; req.params = {}
       res.cookie = (k, v, options) => {
@@ -67,10 +63,7 @@ export default class Vajra {
       }
       let url = `http://${req.headers.host || req.headers.host}/${req.url}`; req.query = Object.fromEntries(new URL(url).searchParams)
       if (req.method === 'GET' || req.method === 'HEAD') { return runMiddlwares() }
-      async function runMiddlwares() {
-        let idx = 0; const next = async () => { if (idx >= Vajra.#middlewares.length) { return setImmediate(handleRoute) } const fn = Vajra.#middlewares[idx]; idx++; try { await fn(req, res, next); } catch (err) { return default_500({ url: req.url, method: req.method }, res, err); } };
-        await next();
-      }
+      async function runMiddlwares() { let idx = 0; const next = async () => { if (idx >= Vajra.#middlewares.length) { return setImmediate(handleRoute) } const fn = Vajra.#middlewares[idx]; idx++; try { await fn(req, res, next); } catch (err) { return default_500({ url: req.url, method: req.method }, res, err); } }; await next(); }
       setImmediate(() => {
         req.body = {}; req.rawData = ''; req.formData = {}; let dataSize = 0
         req.on('data', (chunk) => { dataSize += chunk.length; if (dataSize > Vajra.#MAX_FILE_SIZE) { return default_413(res) }; req.rawData+=chunk })

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@techiev2/vajra",
-  "version": "1.4.2",
+  "version": "1.4.3",
   "description": "Blazing-fast, zero-dependency Node.js server with routing, middleware, multipart uploads, and templating. 111 lines · ~95k req/s · ~52 MB idle.",
   "keywords": [
     "http-server",
@@ -38,6 +38,6 @@
     "test": "tests"
   },
   "scripts": {
-    "test": "node --watch tests/tests.js"
+    "test": "node tests/tests.js"
   }
 }