flowchart-sequence-designer 1.2.2 → 1.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +39 -0
- package/README.md +31 -2
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,45 @@ Versioning: [Semantic Versioning](https://semver.org/).
|
|
|
6
6
|
|
|
7
7
|
## [Unreleased]
|
|
8
8
|
|
|
9
|
+
## [1.2.2] - 2026-05-18
|
|
10
|
+
|
|
11
|
+
### Fixed
|
|
12
|
+
- Resolved all CodeQL security alerts: incomplete multi-character sanitization
|
|
13
|
+
(while loops), polynomial regex backtracking (bounded quantifiers, negated
|
|
14
|
+
character classes), and unused variable warnings.
|
|
15
|
+
- Fixed ESLint `no-useless-escape` error in mermaid parser EDGE_RE.
|
|
16
|
+
|
|
17
|
+
## [1.2.1] - 2026-05-18
|
|
18
|
+
|
|
19
|
+
### Fixed
|
|
20
|
+
- Bumped Vite in demo from ^5.4.2 to ^6.4.2 to resolve CVE-2026-39365
|
|
21
|
+
(path traversal in optimized deps `.map` handling).
|
|
22
|
+
- Fixed CI publish workflow: added `actions/setup-node` with `registry-url`
|
|
23
|
+
for proper npm authentication, and `contents: write` permission for
|
|
24
|
+
GitHub Release creation.
|
|
25
|
+
|
|
26
|
+
## [1.2.0] - 2026-05-18
|
|
27
|
+
|
|
28
|
+
### Added
|
|
29
|
+
- Input sanitization module (`src/core/sanitize.ts`): `sanitizeLabel()`,
|
|
30
|
+
`sanitizeURL()`, `sanitizeForSVG()` — strips HTML tags, dangerous URI
|
|
31
|
+
schemes, event handlers, and control characters.
|
|
32
|
+
- Resource exhaustion limits: MAX_NODES=500, MAX_EDGES=2000, MAX_ACTORS=100,
|
|
33
|
+
MAX_MESSAGES=2000, MAX_IMPORT_LENGTH=2MB.
|
|
34
|
+
- JSON importer validates schema and strips `__proto__`/`constructor`/`prototype`
|
|
35
|
+
keys to prevent prototype pollution.
|
|
36
|
+
- `SECURITY.md` — vulnerability disclosure policy.
|
|
37
|
+
- ESLint + Prettier dev tooling with flat config.
|
|
38
|
+
- CI pipeline: typecheck, lint, format check, test, build, bundle size gate.
|
|
39
|
+
- CodeQL weekly security scanning + on PRs.
|
|
40
|
+
- Auto-publish to npm on `v*` tag push (with GitHub Release).
|
|
41
|
+
- Dependabot for npm + GitHub Actions dependencies (weekly).
|
|
42
|
+
- `noUncheckedIndexedAccess` in tsconfig for stricter type safety.
|
|
43
|
+
- CSP meta tag in demo site.
|
|
44
|
+
- 28 new security tests (105 total).
|
|
45
|
+
|
|
46
|
+
## [1.1.0] - 2026-05-17
|
|
47
|
+
|
|
9
48
|
### Added
|
|
10
49
|
- Toast notification system (`useToast` hook + `ToastContainer`) for
|
|
11
50
|
import/export success/failure feedback in both editors. Replaces silent
|
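Review bot: the `[Unreleased]` section is left empty and no `## [1.2.3]` heading is added, even though this diff is the 1.2.2 → 1.2.3 release and package.json bumps the version; add a `## [1.2.3] - <date>` entry (even a one-liner such as "Documentation only") so the changelog and the published version never disagree. Two smaller points in the same hunk: the 1.2.1 entry records adding `contents: write` to the publish workflow for GitHub Release creation, and that permission is best granted at the job level on the release job only rather than to the whole workflow that also holds the npm publish credential; and the 1.2.2 entry "incomplete multi-character sanitization (while loops)" would be clearer if it stated that the loops re-run the replacement until the input stops changing, since that is the property the CodeQL alert is about and the property a reader auditing `src/core/sanitize.ts` will want to verify with a test.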
package/README.md
CHANGED
|
@@ -1,5 +1,9 @@
|
|
|
1
1
|
# flowchart-sequence-designer
|
|
2
2
|
|
|
3
|
+
[](https://www.npmjs.com/package/flowchart-sequence-designer)
|
|
4
|
+
[](https://github.com/ag-gr-hub/flowchart-sequence-designer/actions/workflows/test.yml)
|
|
5
|
+
[](https://github.com/ag-gr-hub/flowchart-sequence-designer/actions/workflows/codeql.yml)
|
|
6
|
+
|
|
3
7
|
A TypeScript-first Bun/npm package for building and editing flowchart and sequence diagrams — both programmatically via a fluent API and visually via a React drag-and-drop canvas editor.
|
|
4
8
|
|
|
5
9
|
**🔗 [Live demo & developer docs →](https://ag-gr-hub.github.io/flowchart-sequence-designer/)**
|
|
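Review bot: the three added badge lines have empty link text (`[](https://www.npmjs.com/...)`, `[](.../workflows/test.yml)`, `[](.../workflows/codeql.yml)`), so as written they render as nothing and the README would show three bare links. If the intent is the usual badge form, the image must sit inside the link text, i.e. `[![npm version](<badge image URL>)](https://www.npmjs.com/package/flowchart-sequence-designer)` and likewise for the test and CodeQL workflow badges; if the badge markup was dropped accidentally, restore it before merging so the CodeQL badge actually reflects the scanning the Security section below advertises.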
@@ -520,10 +524,35 @@ The `"."` export gives you the core API; `"./ui"` gives you the React components
|
|
|
520
524
|
|
|
521
525
|
---
|
|
522
526
|
|
|
527
|
+
## Security
|
|
528
|
+
|
|
529
|
+
This package takes security seriously:
|
|
530
|
+
|
|
531
|
+
- **Input sanitization** — All user-provided text is sanitized before rendering
|
|
532
|
+
(HTML tags, `javascript:`/`data:`/`vbscript:` URIs, `on*` event handlers, and
|
|
533
|
+
control characters are stripped). See `src/core/sanitize.ts`.
|
|
534
|
+
- **Resource limits** — Importers enforce hard caps (500 nodes, 2000 edges, 100
|
|
535
|
+
actors, 2000 messages, 2MB input) to prevent resource exhaustion.
|
|
536
|
+
- **Prototype pollution defense** — JSON importer strips `__proto__`,
|
|
537
|
+
`constructor`, and `prototype` keys recursively.
|
|
538
|
+
- **SVG export** — Defence-in-depth: sanitize first, then XML-escape. Safe even
|
|
539
|
+
if consumed by less-strict parsers.
|
|
540
|
+
- **No `eval` / `innerHTML`** — The codebase never uses dynamic code execution
|
|
541
|
+
or raw HTML injection.
|
|
542
|
+
- **CodeQL** — Automated security scanning runs weekly and on every PR.
|
|
543
|
+
- **Dependabot** — Dependency updates monitored weekly.
|
|
544
|
+
|
|
545
|
+
To report a vulnerability, see [SECURITY.md](./SECURITY.md).
|
|
546
|
+
|
|
547
|
+
---
|
|
548
|
+
|
|
523
549
|
## Building from source
|
|
524
550
|
|
|
525
551
|
```bash
|
|
526
552
|
bun install
|
|
527
|
-
bun run build
|
|
528
|
-
bun test
|
|
553
|
+
bun run build # outputs to dist/
|
|
554
|
+
bun test # 105 tests
|
|
555
|
+
bun run typecheck # tsc --noEmit
|
|
556
|
+
bun run lint # eslint
|
|
557
|
+
bun run format:check # prettier --check
|
|
529
558
|
```
|
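Review bot: the SVG export bullet claims the output is "Safe even if consumed by less-strict parsers", which is stronger than the page can back; soften it to what the tests establish (sanitized, then XML-escaped) and point to the specific tests among the 105 that exercise SVG export, since a documented guarantee invites users to skip their own escaping. Related wording in the same hunk: the input-sanitization bullet lists `javascript:`/`data:`/`vbscript:` as stripped URI schemes, which reads as a denylist; if `sanitizeURL()` actually allows only a fixed set of schemes (http, https, mailto, relative paths), say so, because an allowlist is the stronger property and the one readers will rely on, and if it is a denylist the README should not imply completeness. The "No `eval` / `innerHTML`" bullet is a claim that drifts unless enforced: since ESLint is already in the CI pipeline, enabling `no-eval` and `no-implied-eval` would keep it true mechanically. Finally, `bun test # 105 tests` hardcodes a count that will be wrong after the next test is added; drop the number or leave it to the CI badge.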
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "flowchart-sequence-designer",
|
|
3
|
-
"version": "1.2.
|
|
3
|
+
"version": "1.2.3",
|
|
4
4
|
"description": "TypeScript library for building and editing flowcharts and sequence diagrams — programmatic API, React UI, and multi-format export (Mermaid, PlantUML, SVG, PNG, JSON).",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "ag-gr-hub",
|
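Review bot: per the file list at the top of the diff (CHANGELOG.md, README.md, package.json), this `version` bump to 1.2.3 is the only non-documentation change, so no runtime code differs from 1.2.2. That is consistent with the Semantic Versioning policy the changelog cites, but because the changelog entry for 1.2.0 says publishing is triggered automatically by a `v*` tag push, make sure the `v1.2.3` tag is created on this exact commit (not on a later one) so the npm tarball, the GitHub Release and this diff all describe the same tree.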