html-minifier-next 6.1.1 → 6.1.3

package/README.md

@@ -1,6 +1,6 @@
 # HTML Minifier Next
 
-[![npm version](https://img.shields.io/npm/v/html-minifier-next.svg)](https://www.npmjs.com/package/html-minifier-next) [![Build status](https://github.com/j9t/html-minifier-next/workflows/Tests/badge.svg)](https://github.com/j9t/html-minifier-next/actions) [![Socket](https://badge.socket.dev/npm/package/html-minifier-next)](https://socket.dev/npm/package/html-minifier-next)
+[![npm version](https://img.shields.io/npm/v/html-minifier-next.svg)](https://www.npmjs.com/package/html-minifier-next) [![Build status](https://github.com/j9t/html-minifier-next/workflows/Tests/badge.svg)](https://github.com/j9t/html-minifier-next/actions) [![Socket](https://badge.socket.dev/npm/package/html-minifier-next)](https://socket.dev/npm/package/html-minifier-next) [![GitHub Sponsors](https://badgen.net/static/Support/Open%20Source/cyan)](https://github.com/j9t/html-minifier-next?sponsor=1)
 
 Your web page optimization precision tool: HTML Minifier Next (HMN) is a **super-configurable, well-tested, JavaScript-based HTML minifier** able to also handle in-document CSS, JavaScript, and SVG minification.
 
@@ -603,4 +603,12 @@ Parameters:
 
 ## Acknowledgements
 
-With many thanks to all the previous authors of HTML Minifier, especially [Juriy “kangax” Zaytsev](https://github.com/kangax), and to everyone who helped make this new edition better, particularly [Daniel Ruf](https://github.com/DanielRuf) and [Jonas Geiler](https://github.com/jonasgeiler).
+With many thanks to all the previous authors of HTML Minifier, especially [Juriy “kangax” Zaytsev](https://github.com/kangax), and to everyone who helped make this new edition better, particularly [Daniel Ruf](https://github.com/DanielRuf) and [Jonas Geiler](https://github.com/jonasgeiler).
+
+***
+
+You might like some of my other work:
+
+* Optimization tools: HTML Minifier Next · [ObsoHTML](https://github.com/j9t/obsohtml) · [Image Guard](https://github.com/j9t/image-guard) · [Compressor.js Next](https://github.com/j9t/compressorjs-next) · [.htaccess Punk](https://github.com/j9t/htaccess-punk)
+* Defense tools: [IA Defensa](https://iadefensa.com/solutions/)
+* Resources for quality web development: [Articles](https://meiert.com/topics/development/) · [Books](https://meiert.com/topics/books/) (including [_On Web Development_](https://meiert.com/blog/on-web-development-2/)) · [News](https://frontenddogma.com/) · [Terminology](https://webglossary.info/)

package/cli.js

@@ -173,32 +173,48 @@ function readFile(file) {
 }
 
 /**
- * Load config from a file path, trying JSON, CJS, then ESM
+ * Load config from a file path—for unambiguous extensions (.json, .cjs, .mjs) only the
+ * matching format is attempted and its error shown on failure; for .js or unknown extensions
+ * all formats are tried and the most relevant error is reported
  * @param {string} configPath - Path to config file
  * @returns {Promise<object>} Loaded config object
  */
 async function loadConfigFromPath(configPath) {
-  const data = readFile(configPath);
+  const abs = path.resolve(configPath);
+  const ext = path.extname(configPath).toLowerCase();
 
-  // Try JSON first
-  try {
-    return JSON.parse(data);
-  } catch (jsonErr) {
-    const abs = path.resolve(configPath);
+  if (ext === '.json') {
+    try { return JSON.parse(readFile(abs).replace(/^\uFEFF/, '')); }
+    catch (err) { fatal(`Cannot parse config file as JSON: ${err.message}`); }
+  }
 
-    // Try CJS require
+  if (ext === '.cjs') {
     try {
       const result = require(abs);
-      // Handle ESM interop: If `require()` loads an ESM file, it may return `{__esModule: true, default: …}`
-      return (result && result.__esModule && result.default) ? result.default : result;
-    } catch (cjsErr) {
-      // Try ESM import
-      try {
-        const mod = await import(pathToFileURL(abs).href);
-        return mod.default || mod;
-      } catch (esmErr) {
-        fatal('Cannot read the specified config file.\nAs JSON: ' + jsonErr.message + '\nAs CJS: ' + cjsErr.message + '\nAs ESM: ' + esmErr.message);
-      }
+      return (result && typeof result === 'object' && result.__esModule === true) ? result.default : result;
+    } catch (err) { fatal(`Cannot load config file: ${err.message}`); }
+  }
+
+  if (ext === '.mjs') {
+    try { const mod = await import(pathToFileURL(abs).href); return 'default' in mod ? mod.default : mod; }
+    catch (err) { fatal(`Cannot load config file: ${err.message}`); }
+  }
+
+  // For .js or extension-less files, try JSON first, then CJS, then ESM
+  let jsonErr;
+  try { return JSON.parse(readFile(abs).replace(/^\uFEFF/, '')); }
+  catch (err) { jsonErr = err; }
+
+  try {
+    const result = require(abs);
+    // Handle ESM interop: If `require()` loads an ESM file, it may return `{__esModule: true, default: …}`
+    return (result && typeof result === 'object' && result.__esModule === true) ? result.default : result;
+  } catch (cjsErr) {
+    try { const mod = await import(pathToFileURL(abs).href); return 'default' in mod ? mod.default : mod; }
+    catch (esmErr) {
+      fatal(ext === '.js'
+        ? `Cannot load config file: ${cjsErr.message}\nAs module: ${esmErr.message}`
+        : `Cannot read the specified config file.\nAs JSON: ${jsonErr.message}\nAs CJS: ${cjsErr.message}\nAs module: ${esmErr.message}`);
     }
   }
 }

package/dist/htmlminifier.cjs

@@ -135,9 +135,14 @@ const singleAttrValues = [
   /"([^"]*)"+/.source,
   // Attr value, single quotes
   /'([^']*)'+/.source,
-  // Attr value, no quotes
+  // Attr value, no quotes (strict: excludes `=` per HTML spec)
   /([^ \t\n\f\r"'`=<>]+)/.source
 ];
+// Lenient unquoted value pattern for `continueOnParseError`:
+// allows `=` and `` ` `` per spec error-recovery rules
+// (both are parse errors in unquoted-attribute-value state but appended to the value)
+// `"` and `'` remain excluded—permitting them requires broader test coverage
+const singleAttrValueLenientUnquoted = /([^ \t\n\f\r"'<>]+)/.source;
 // https://www.w3.org/TR/1999/REC-xml-names-19990114/#NT-QName
 const qnameCapture = (function () {
   // https://www.npmjs.com/package/ncname
@@ -203,9 +208,11 @@ function stripDelimited(str, open, close) {
 }
 
 function buildAttrRegex(handler) {
+  const unquotedValue = handler.continueOnParseError ? singleAttrValueLenientUnquoted : singleAttrValues[2];
+  const attrValues = [singleAttrValues[0], singleAttrValues[1], unquotedValue];
   let pattern = singleAttrIdentifier.source +
     '(?:\\s*(' + joinSingleAttrAssigns(handler) + ')' +
-    '[ \\t\\n\\f\\r]*(?:' + singleAttrValues.join('|') + '))?';
+    '[ \\t\\n\\f\\r]*(?:' + attrValues.join('|') + '))?';
   if (handler.customAttrSurround) {
     const attrClauses = [];
     for (let i = handler.customAttrSurround.length - 1; i >= 0; i--) {
@@ -607,7 +614,7 @@ class HTMLParser {
                   // Note: Unquoted attribute values are intentionally not handled here.
                   // Per HTML spec, unquoted values cannot contain spaces or special chars,
                   // making a 20 KB+ unquoted value practically impossible. If encountered,
-                  // it's malformed HTML and using the truncated regex match is acceptable.
+                  // it’s malformed HTML and using the truncated regex match is acceptable.
                 }
               }
             }
@@ -2632,7 +2639,7 @@ function buildAttr(normalized, hasUnarySlash, options, isLast, uidAttr) {
         attrValue = attrValue.replace(/'/g, '&#39;');
       }
     } else {
-      // `preventAttributesEscaping` mode: Choose safe quotes but don't escape
+      // `preventAttributesEscaping` mode: Choose safe quotes but don’t escape
       // except when both quote types are present—then escape to prevent invalid HTML
       const hasDoubleQuote = attrValue.indexOf('"') !== -1;
       const hasSingleQuote = attrValue.indexOf("'") !== -1;
@@ -3002,6 +3009,8 @@ let svgMinifyCache = null;
 
 // Pre-compiled patterns for script merging (avoid repeated allocation in hot path)
 const RE_SCRIPT_ATTRS = /([^\s=]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
+const RE_SCRIPT_OPEN = /<script(?=[\s>])/gi; // Finds tag start; use `findTagEnd()` for the actual closing `>`
+const RE_SCRIPT_CLOSE = /<\/script\s*>/gi;
 const SCRIPT_BOOL_ATTRS = new Set(['async', 'defer', 'nomodule']);
 const DEFAULT_JS_TYPES = new Set(['', 'text/javascript', 'application/javascript']);
 
@@ -3014,6 +3023,28 @@ const RE_HTML_ENCODING = /^(text\/html|application\/xhtml\+xml)$/i;
 
 // Script merging
 
+/**
+ * Find the index of the `>` that closes an opening tag, correctly skipping
+ * over quoted attribute values (which may contain `>`).
+ * @param {string} html
+ * @param {number} pos - Start position (just after the tag name)
+ * @returns {number} Index of the closing `>`, or -1 if not found
+ */
+function findTagEnd(html, pos) {
+  let i = pos;
+  while (i < html.length) {
+    const ch = html[i];
+    if (ch === '>') return i;
+    if (ch === '"' || ch === "'") {
+      const q = ch;
+      i++;
+      while (i < html.length && html[i] !== q) i++;
+    }
+    i++;
+  }
+  return -1;
+}
+
 /**
  * Merge consecutive inline script tags into one (`mergeConsecutiveScripts`).
  * Only merges scripts that are compatible:
@@ -3021,79 +3052,104 @@ const RE_HTML_ENCODING = /^(text\/html|application\/xhtml\+xml)$/i;
  * - Same `type` (or both default JavaScript)
  * - No conflicting attributes (`async`, `defer`, `nomodule`, different `nonce`)
  *
- * Limitation: This function uses regex-based matching (`pattern` variable below),
- * which can produce incorrect results if a script’s content contains a literal
- * `</script>` string (e.g., `document.write('<script>…</script>')`). In valid
- * HTML, such strings should be escaped as `<\/script>` or split like
- * `'</scr' + 'ipt>'`, so this limitation rarely affects real-world code. The
- * earlier `minifyJS` step (if enabled) typically handles this escaping already.
+ * Uses a scanner rather than a regex to locate script boundaries, so literal
+ * `</script>` strings inside script content are handled correctly per the HTML
+ * spec (raw text ends at the first `</script>`).
  *
  * @param {string} html - The HTML string to process
  * @returns {string} HTML with consecutive scripts merged
  */
 function mergeConsecutiveScripts(html) {
-  // `pattern`: Regex to match consecutive `</script>` followed by `<script…>`.
-  // See function JSDoc above for known limitations with literal `</script>` in content.
-  // Captures:
-  // 1. first script attrs
-  // 2. first script content
-  // 3. whitespace between
-  // 4. second script attrs
-  // 5. second script content
-  const pattern = /<script([^>]*)>([\s\S]*?)<\/script>([\s]*)<script([^>]*)>([\s\S]*?)<\/script>/gi;
-
-  let result = html;
+  // Parse an attribute string into a name→value map
+  const parseAttrs = (attrStr) => {
+    const attrs = {};
+    RE_SCRIPT_ATTRS.lastIndex = 0;
+    let m;
+    while ((m = RE_SCRIPT_ATTRS.exec(attrStr)) !== null) {
+      const name = m[1].toLowerCase();
+      const value = m[2] ?? m[3] ?? m[4] ?? '';
+      attrs[name] = value;
+    }
+    return attrs;
+  };
+
   let changed = true;
 
   // Keep merging until no more changes (handles chains of 3+ scripts)
   while (changed) {
     changed = false;
-    result = result.replace(pattern, (match, attrs1, content1, whitespace, attrs2, content2) => {
-      // Parse attributes from both script tags (uses pre-compiled RE_SCRIPT_ATTRS)
-      const parseAttrs = (attrStr) => {
-        const attrs = {};
-        RE_SCRIPT_ATTRS.lastIndex = 0; // Reset for reuse
-        let m;
-        while ((m = RE_SCRIPT_ATTRS.exec(attrStr)) !== null) {
-          const name = m[1].toLowerCase();
-          const value = m[2] ?? m[3] ?? m[4] ?? '';
-          attrs[name] = value;
-        }
-        return attrs;
-      };
+    RE_SCRIPT_OPEN.lastIndex = 0;
+    let m1;
+
+    while ((m1 = RE_SCRIPT_OPEN.exec(html)) !== null) {
+      // Use findTagEnd() to get the real closing '>', skipping quoted attribute values
+      const tagEnd1 = findTagEnd(html, m1.index + 7);
+      if (tagEnd1 === -1) break;
+
+      const attrs1Str = html.slice(m1.index + 7, tagEnd1);
+      const contentStart1 = tagEnd1 + 1;
+
+      // Find end of this script’s content (first `</script>`—per HTML spec, raw text ends here)
+      RE_SCRIPT_CLOSE.lastIndex = contentStart1;
+      const close1 = RE_SCRIPT_CLOSE.exec(html);
+      if (!close1) break;
+
+      const content1 = html.slice(contentStart1, close1.index);
+      const afterClose1 = close1.index + close1[0].length;
+
+      // Skip optional whitespace and check for a consecutive <script> tag
+      let i = afterClose1;
+      while (i < html.length && (html[i] === ' ' || html[i] === '\t' || html[i] === '\n' || html[i] === '\r' || html[i] === '\f')) i++;
+      if (html.slice(i, i + 7).toLowerCase() !== '<script' || (html[i + 7] !== '>' && !/\s/.test(html[i + 7]))) {
+        RE_SCRIPT_OPEN.lastIndex = afterClose1;
+        continue;
+      }
+
+      const tagStart2 = i;
+      const tagEnd2 = findTagEnd(html, tagStart2 + 7);
+      if (tagEnd2 === -1) break;
+
+      const attrs2Str = html.slice(tagStart2 + 7, tagEnd2);
+      const contentStart2 = tagEnd2 + 1;
 
-      const a1 = parseAttrs(attrs1);
-      const a2 = parseAttrs(attrs2);
+      // Find end of second script’s content
+      RE_SCRIPT_CLOSE.lastIndex = contentStart2;
+      const close2 = RE_SCRIPT_CLOSE.exec(html);
+      if (!close2) break;
+
+      const content2 = html.slice(contentStart2, close2.index);
+      const afterClose2 = close2.index + close2[0].length;
+
+      const a1 = parseAttrs(attrs1Str);
+      const a2 = parseAttrs(attrs2Str);
 
       // Check for `src`—cannot merge external scripts
       if ('src' in a1 || 'src' in a2) {
-        return match;
+        RE_SCRIPT_OPEN.lastIndex = afterClose1;
+        continue;
       }
 
       // Check `type` compatibility (both must be default JS)
+      // Non-JS types (modules, JSON, etc.) must not be merged:
+      // Module scripts have per-script lexical scope, and non-JS content (e.g., JSON)
+      // is not concatenable; even identical non-JS types are incompatible
       const type1 = (a1.type || '').toLowerCase();
       const type2 = (a2.type || '').toLowerCase();
-
-      if (DEFAULT_JS_TYPES.has(type1) && DEFAULT_JS_TYPES.has(type2)) ; else {
-        // Non-JS types (modules, JSON, etc.) must not be merged:
-        // Module scripts have per-script lexical scope, and non-JS content (e.g., JSON)
-        // is not concatenable. Even identical non-JS types are incompatible.
-        return match;
+      if (!DEFAULT_JS_TYPES.has(type1) || !DEFAULT_JS_TYPES.has(type2)) {
+        RE_SCRIPT_OPEN.lastIndex = afterClose1;
+        continue;
       }
 
-      // Check for conflicting boolean attributes (uses pre-compiled SCRIPT_BOOL_ATTRS)
+      // Check for conflicting boolean attributes
+      let boolConflict = false;
       for (const attr of SCRIPT_BOOL_ATTRS) {
-        const has1 = attr in a1;
-        const has2 = attr in a2;
-        if (has1 !== has2) {
-          // One has it, one doesn't - incompatible
-          return match;
-        }
+        if ((attr in a1) !== (attr in a2)) { boolConflict = true; break; }
       }
 
       // Check `nonce`—must be same or both absent
-      if (a1.nonce !== a2.nonce) {
-        return match;
+      if (boolConflict || a1.nonce !== a2.nonce) {
+        RE_SCRIPT_OPEN.lastIndex = afterClose1;
+        continue;
       }
 
       // Scripts are compatible—merge them
@@ -3114,11 +3170,12 @@ function mergeConsecutiveScripts(html) {
       }
 
       // Use first script’s attributes (they should be compatible)
-      return `<script${attrs1}>${mergedContent}</script>`;
-    });
+      html = html.slice(0, m1.index) + `<script${attrs1Str}>${mergedContent}</script>` + html.slice(afterClose2);
+      break; // Restart scanning (outer while loop)
+    }
   }
 
-  return result;
+  return html;
 }
 
 // Type definitions
@@ -3344,7 +3401,7 @@ function mergeConsecutiveScripts(html) {
  *  event handler attributes. If an object is provided, it can include:
  *  - `engine`: The minifier to use (`terser` or `swc`). Default: `terser`.
  *    Note: Inline event handlers (e.g., `onclick="…"`) always use Terser
- *    regardless of engine setting, as swc doesn’t support bare return statements.
+ *    regardless of engine setting, as SWC doesn’t support bare return statements.
  *  - Engine-specific options (e.g., Terser options if `engine: 'terser'`,
  *    SWC options if `engine: 'swc'`).
  *  If a function is provided, it will be used to perform
@@ -4564,7 +4621,7 @@ function joinResultSegments(results, options, restoreCustom, restoreIgnore) {
  * - Cache sizes are locked after first initialization—subsequent calls use the same caches
  *   even if different `cacheCSS`/`cacheJS`/`cacheSVG` options are provided
  * - The first call’s options determine the cache sizes for subsequent calls
- * - Explicit `0` values are coerced to `1` (minimum functional cache size)
+ * - Invalid values (NaN, Infinity) fall back to the default size (500); values below `1` are clamped to `1`
  */
 function initCaches(options) {
   // Only create caches once (on first call)—sizes are locked after this
@@ -4581,6 +4638,9 @@ function initCaches(options) {
       return parsed;
     };
 
+    // Sanitize a cache size: Non-finite/NaN falls back to `defaultSize`; otherwise clamped to min 1 and floored
+    const sanitizeSize = (size) => Number.isFinite(size) ? Math.max(1, Math.floor(size)) : defaultSize;
+
     // Get cache sizes with precedence: Options > env > default
     const cssSize = options.cacheCSS !== undefined ? options.cacheCSS
                  : (parseEnvCacheSize(process.env.HMN_CACHE_CSS) ?? defaultSize);
@@ -4589,10 +4649,9 @@ function initCaches(options) {
     const svgSize = options.cacheSVG !== undefined ? options.cacheSVG
                  : (parseEnvCacheSize(process.env.HMN_CACHE_SVG) ?? defaultSize);
 
-    // Coerce `0` to `1` (minimum functional cache size) to avoid immediate eviction
-    const cssFinalSize = cssSize === 0 ? 1 : cssSize;
-    const jsFinalSize = jsSize === 0 ? 1 : jsSize;
-    const svgFinalSize = svgSize === 0 ? 1 : svgSize;
+    const cssFinalSize = sanitizeSize(cssSize);
+    const jsFinalSize = sanitizeSize(jsSize);
+    const svgFinalSize = sanitizeSize(svgSize);
 
     cssMinifyCache = new LRU(cssFinalSize);
     jsMinifyCache = new LRU(jsFinalSize);

package/dist/types/htmlminifier.d.ts

@@ -254,7 +254,7 @@ export type MinifierOptions = {
      * event handler attributes. If an object is provided, it can include:
      * - `engine`: The minifier to use (`terser` or `swc`). Default: `terser`.
      * Note: Inline event handlers (e.g., `onclick="…"`) always use Terser
-     * regardless of engine setting, as swc doesn’t support bare return statements.
+     * regardless of engine setting, as SWC doesn’t support bare return statements.
      * - Engine-specific options (e.g., Terser options if `engine: 'terser'`,
      * SWC options if `engine: 'swc'`).
      * If a function is provided, it will be used to perform

package/dist/types/htmlminifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"htmlminifier.d.ts","sourceRoot":"","sources":["../../src/htmlminifier.js"],"names":[],"mappings":"AAyrDO,8BAJI,MAAM,YACN,eAAe,GACb,OAAO,CAAC,MAAM,CAAC,CAwB3B;;;;;;;;;;;;UA99CS,MAAM;;;;;;;;;;;;;;;;;;mCAaA,MAAM,SAAS,aAAa,EAAE,yBAAyB,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,KAAK,OAAO;;;;;;;+BAM3F,MAAM,GAAG,IAAI,SAAS,aAAa,EAAE,GAAG,SAAS,qBAAqB,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,KAAK,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qBA6JtG,OAAO,KAAK,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2HA2BiF,MAAM,SAAS,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;;;;;;;;;;;;;;;;iBASxG,QAAQ,GAAG,KAAK;gBAAgC,MAAM,WAAW,OAAO,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;;;;;;;;;;;eAa/H,MAAM;gBAAY,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;;;;;;;;;;;;;;;;;mBAiBzE,MAAM,KAAK,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kDA+DF,MAAM,OAAO,MAAM,KAAK,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sCA2EpC,MAAM,SAAS,aAAa,EAAE,KAAK,IAAI;;;;;;;;;wCAQrC,MAAM,KAAK,MAAM;;;;;;;;;;;;;;;;;wBAjnBK,cAAc;0BAAd,cAAc;+BAAd,cAAc"}
+{"version":3,"file":"htmlminifier.d.ts","sourceRoot":"","sources":["../../src/htmlminifier.js"],"names":[],"mappings":"AA2uDO,8BAJI,MAAM,YACN,eAAe,GACb,OAAO,CAAC,MAAM,CAAC,CAwB3B;;;;;;;;;;;;UAh+CS,MAAM;;;;;;;;;;;;;;;;;;mCAaA,MAAM,SAAS,aAAa,EAAE,yBAAyB,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,KAAK,OAAO;;;;;;;+BAM3F,MAAM,GAAG,IAAI,SAAS,aAAa,EAAE,GAAG,SAAS,qBAAqB,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,KAAK,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qBA6JtG,OAAO,KAAK,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2HA2BiF,MAAM,SAAS,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;;;;;;;;;;;;;;;;iBASxG,QAAQ,GAAG,KAAK;gBAAgC,MAAM,WAAW,OAAO,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;;;;;;;;;;;eAa/H,MAAM;gBAAY,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM;;;;;;;;;;;;;;;;;mBAiBzE,MAAM,KAAK,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kDA+DF,MAAM,OAAO,MAAM,KAAK,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sCA2EpC,MAAM,SAAS,aAAa,EAAE,KAAK,IAAI;;;;;;;;;wCAQrC,MAAM,KAAK,MAAM;;;;;;;;;;;;;;;;;wBAjqBK,cAAc;0BAAd,cAAc;+BAAd,cAAc"}

package/dist/types/htmlparser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"htmlparser.d.ts","sourceRoot":"","sources":["../../src/htmlparser.js"],"names":[],"mappings":"AAgDA,4BAAkE;AAwGlE;IACE,qCAGC;IAFC,UAAgB;IAChB,aAAsB;IAGxB,uBAmmBC;CACF"}
+{"version":3,"file":"htmlparser.d.ts","sourceRoot":"","sources":["../../src/htmlparser.js"],"names":[],"mappings":"AAqDA,4BAAkE;AA0GlE;IACE,qCAGC;IAFC,UAAgB;IAChB,aAAsB;IAGxB,uBAmmBC;CACF"}

package/package.json

@@ -19,11 +19,11 @@
     "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^16.0.3",
     "@swc/core": "^1.15.21",
-    "eslint": "^10.1.0",
+    "eslint": "^10.2.0",
     "rollup": "^4.60.0",
     "rollup-plugin-polyfill-node": "^0.13.0",
     "typescript": "^6.0.2",
-    "vite": "^8.0.5"
+    "vite": "^8.0.8"
   },
   "exports": {
     ".": {
@@ -96,5 +96,5 @@
   },
   "type": "module",
   "types": "./dist/types/htmlminifier.d.ts",
-  "version": "6.1.1"
+  "version": "6.1.3"
 }

package/src/htmlminifier.js

@@ -112,6 +112,8 @@ let svgMinifyCache = null;
 
 // Pre-compiled patterns for script merging (avoid repeated allocation in hot path)
 const RE_SCRIPT_ATTRS = /([^\s=]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
+const RE_SCRIPT_OPEN = /<script(?=[\s>])/gi; // Finds tag start; use `findTagEnd()` for the actual closing `>`
+const RE_SCRIPT_CLOSE = /<\/script\s*>/gi;
 const SCRIPT_BOOL_ATTRS = new Set(['async', 'defer', 'nomodule']);
 const DEFAULT_JS_TYPES = new Set(['', 'text/javascript', 'application/javascript']);
 
@@ -124,6 +126,28 @@ const RE_HTML_ENCODING = /^(text\/html|application\/xhtml\+xml)$/i;
 
 // Script merging
 
+/**
+ * Find the index of the `>` that closes an opening tag, correctly skipping
+ * over quoted attribute values (which may contain `>`).
+ * @param {string} html
+ * @param {number} pos - Start position (just after the tag name)
+ * @returns {number} Index of the closing `>`, or -1 if not found
+ */
+function findTagEnd(html, pos) {
+  let i = pos;
+  while (i < html.length) {
+    const ch = html[i];
+    if (ch === '>') return i;
+    if (ch === '"' || ch === "'") {
+      const q = ch;
+      i++;
+      while (i < html.length && html[i] !== q) i++;
+    }
+    i++;
+  }
+  return -1;
+}
+
 /**
  * Merge consecutive inline script tags into one (`mergeConsecutiveScripts`).
  * Only merges scripts that are compatible:
@@ -131,81 +155,104 @@ const RE_HTML_ENCODING = /^(text\/html|application\/xhtml\+xml)$/i;
  * - Same `type` (or both default JavaScript)
  * - No conflicting attributes (`async`, `defer`, `nomodule`, different `nonce`)
  *
- * Limitation: This function uses regex-based matching (`pattern` variable below),
- * which can produce incorrect results if a script’s content contains a literal
- * `</script>` string (e.g., `document.write('<script>…</script>')`). In valid
- * HTML, such strings should be escaped as `<\/script>` or split like
- * `'</scr' + 'ipt>'`, so this limitation rarely affects real-world code. The
- * earlier `minifyJS` step (if enabled) typically handles this escaping already.
+ * Uses a scanner rather than a regex to locate script boundaries, so literal
+ * `</script>` strings inside script content are handled correctly per the HTML
+ * spec (raw text ends at the first `</script>`).
  *
  * @param {string} html - The HTML string to process
  * @returns {string} HTML with consecutive scripts merged
  */
 function mergeConsecutiveScripts(html) {
-  // `pattern`: Regex to match consecutive `</script>` followed by `<script…>`.
-  // See function JSDoc above for known limitations with literal `</script>` in content.
-  // Captures:
-  // 1. first script attrs
-  // 2. first script content
-  // 3. whitespace between
-  // 4. second script attrs
-  // 5. second script content
-  const pattern = /<script([^>]*)>([\s\S]*?)<\/script>([\s]*)<script([^>]*)>([\s\S]*?)<\/script>/gi;
-
-  let result = html;
+  // Parse an attribute string into a name→value map
+  const parseAttrs = (attrStr) => {
+    const attrs = {};
+    RE_SCRIPT_ATTRS.lastIndex = 0;
+    let m;
+    while ((m = RE_SCRIPT_ATTRS.exec(attrStr)) !== null) {
+      const name = m[1].toLowerCase();
+      const value = m[2] ?? m[3] ?? m[4] ?? '';
+      attrs[name] = value;
+    }
+    return attrs;
+  };
+
   let changed = true;
 
   // Keep merging until no more changes (handles chains of 3+ scripts)
   while (changed) {
     changed = false;
-    result = result.replace(pattern, (match, attrs1, content1, whitespace, attrs2, content2) => {
-      // Parse attributes from both script tags (uses pre-compiled RE_SCRIPT_ATTRS)
-      const parseAttrs = (attrStr) => {
-        const attrs = {};
-        RE_SCRIPT_ATTRS.lastIndex = 0; // Reset for reuse
-        let m;
-        while ((m = RE_SCRIPT_ATTRS.exec(attrStr)) !== null) {
-          const name = m[1].toLowerCase();
-          const value = m[2] ?? m[3] ?? m[4] ?? '';
-          attrs[name] = value;
-        }
-        return attrs;
-      };
+    RE_SCRIPT_OPEN.lastIndex = 0;
+    let m1;
+
+    while ((m1 = RE_SCRIPT_OPEN.exec(html)) !== null) {
+      // Use findTagEnd() to get the real closing '>', skipping quoted attribute values
+      const tagEnd1 = findTagEnd(html, m1.index + 7);
+      if (tagEnd1 === -1) break;
+
+      const attrs1Str = html.slice(m1.index + 7, tagEnd1);
+      const contentStart1 = tagEnd1 + 1;
+
+      // Find end of this script’s content (first `</script>`—per HTML spec, raw text ends here)
+      RE_SCRIPT_CLOSE.lastIndex = contentStart1;
+      const close1 = RE_SCRIPT_CLOSE.exec(html);
+      if (!close1) break;
+
+      const content1 = html.slice(contentStart1, close1.index);
+      const afterClose1 = close1.index + close1[0].length;
+
+      // Skip optional whitespace and check for a consecutive <script> tag
+      let i = afterClose1;
+      while (i < html.length && (html[i] === ' ' || html[i] === '\t' || html[i] === '\n' || html[i] === '\r' || html[i] === '\f')) i++;
+      if (html.slice(i, i + 7).toLowerCase() !== '<script' || (html[i + 7] !== '>' && !/\s/.test(html[i + 7]))) {
+        RE_SCRIPT_OPEN.lastIndex = afterClose1;
+        continue;
+      }
+
+      const tagStart2 = i;
+      const tagEnd2 = findTagEnd(html, tagStart2 + 7);
+      if (tagEnd2 === -1) break;
 
-      const a1 = parseAttrs(attrs1);
-      const a2 = parseAttrs(attrs2);
+      const attrs2Str = html.slice(tagStart2 + 7, tagEnd2);
+      const contentStart2 = tagEnd2 + 1;
+
+      // Find end of second script’s content
+      RE_SCRIPT_CLOSE.lastIndex = contentStart2;
+      const close2 = RE_SCRIPT_CLOSE.exec(html);
+      if (!close2) break;
+
+      const content2 = html.slice(contentStart2, close2.index);
+      const afterClose2 = close2.index + close2[0].length;
+
+      const a1 = parseAttrs(attrs1Str);
+      const a2 = parseAttrs(attrs2Str);
 
       // Check for `src`—cannot merge external scripts
       if ('src' in a1 || 'src' in a2) {
-        return match;
+        RE_SCRIPT_OPEN.lastIndex = afterClose1;
+        continue;
       }
 
       // Check `type` compatibility (both must be default JS)
+      // Non-JS types (modules, JSON, etc.) must not be merged:
+      // Module scripts have per-script lexical scope, and non-JS content (e.g., JSON)
+      // is not concatenable; even identical non-JS types are incompatible
       const type1 = (a1.type || '').toLowerCase();
       const type2 = (a2.type || '').toLowerCase();
-
-      if (DEFAULT_JS_TYPES.has(type1) && DEFAULT_JS_TYPES.has(type2)) {
-        // Both are default JavaScript—compatible
-      } else {
-        // Non-JS types (modules, JSON, etc.) must not be merged:
-        // Module scripts have per-script lexical scope, and non-JS content (e.g., JSON)
-        // is not concatenable. Even identical non-JS types are incompatible.
-        return match;
+      if (!DEFAULT_JS_TYPES.has(type1) || !DEFAULT_JS_TYPES.has(type2)) {
+        RE_SCRIPT_OPEN.lastIndex = afterClose1;
+        continue;
       }
 
-      // Check for conflicting boolean attributes (uses pre-compiled SCRIPT_BOOL_ATTRS)
+      // Check for conflicting boolean attributes
+      let boolConflict = false;
       for (const attr of SCRIPT_BOOL_ATTRS) {
-        const has1 = attr in a1;
-        const has2 = attr in a2;
-        if (has1 !== has2) {
-          // One has it, one doesn't - incompatible
-          return match;
-        }
+        if ((attr in a1) !== (attr in a2)) { boolConflict = true; break; }
       }
 
       // Check `nonce`—must be same or both absent
-      if (a1.nonce !== a2.nonce) {
-        return match;
+      if (boolConflict || a1.nonce !== a2.nonce) {
+        RE_SCRIPT_OPEN.lastIndex = afterClose1;
+        continue;
       }
 
       // Scripts are compatible—merge them
@@ -226,11 +273,12 @@ function mergeConsecutiveScripts(html) {
       }
 
       // Use first script’s attributes (they should be compatible)
-      return `<script${attrs1}>${mergedContent}</script>`;
-    });
+      html = html.slice(0, m1.index) + `<script${attrs1Str}>${mergedContent}</script>` + html.slice(afterClose2);
+      break; // Restart scanning (outer while loop)
+    }
   }
 
-  return result;
+  return html;
 }
 
 // Type definitions
@@ -456,7 +504,7 @@ function mergeConsecutiveScripts(html) {
  *  event handler attributes. If an object is provided, it can include:
  *  - `engine`: The minifier to use (`terser` or `swc`). Default: `terser`.
  *    Note: Inline event handlers (e.g., `onclick="…"`) always use Terser
- *    regardless of engine setting, as swc doesn’t support bare return statements.
+ *    regardless of engine setting, as SWC doesn’t support bare return statements.
  *  - Engine-specific options (e.g., Terser options if `engine: 'terser'`,
  *    SWC options if `engine: 'swc'`).
  *  If a function is provided, it will be used to perform
@@ -1676,7 +1724,7 @@ function joinResultSegments(results, options, restoreCustom, restoreIgnore) {
  * - Cache sizes are locked after first initialization—subsequent calls use the same caches
  *   even if different `cacheCSS`/`cacheJS`/`cacheSVG` options are provided
  * - The first call’s options determine the cache sizes for subsequent calls
- * - Explicit `0` values are coerced to `1` (minimum functional cache size)
+ * - Invalid values (NaN, Infinity) fall back to the default size (500); values below `1` are clamped to `1`
  */
 function initCaches(options) {
   // Only create caches once (on first call)—sizes are locked after this
@@ -1693,6 +1741,9 @@ function initCaches(options) {
       return parsed;
     };
 
+    // Sanitize a cache size: Non-finite/NaN falls back to `defaultSize`; otherwise clamped to min 1 and floored
+    const sanitizeSize = (size) => Number.isFinite(size) ? Math.max(1, Math.floor(size)) : defaultSize;
+
     // Get cache sizes with precedence: Options > env > default
     const cssSize = options.cacheCSS !== undefined ? options.cacheCSS
                  : (parseEnvCacheSize(process.env.HMN_CACHE_CSS) ?? defaultSize);
@@ -1701,10 +1752,9 @@ function initCaches(options) {
     const svgSize = options.cacheSVG !== undefined ? options.cacheSVG
                  : (parseEnvCacheSize(process.env.HMN_CACHE_SVG) ?? defaultSize);
 
-    // Coerce `0` to `1` (minimum functional cache size) to avoid immediate eviction
-    const cssFinalSize = cssSize === 0 ? 1 : cssSize;
-    const jsFinalSize = jsSize === 0 ? 1 : jsSize;
-    const svgFinalSize = svgSize === 0 ? 1 : svgSize;
+    const cssFinalSize = sanitizeSize(cssSize);
+    const jsFinalSize = sanitizeSize(jsSize);
+    const svgFinalSize = sanitizeSize(svgSize);
 
     cssMinifyCache = new LRU(cssFinalSize);
     jsMinifyCache = new LRU(jsFinalSize);

package/src/htmlparser.js

@@ -32,9 +32,14 @@ const singleAttrValues = [
   /"([^"]*)"+/.source,
   // Attr value, single quotes
   /'([^']*)'+/.source,
-  // Attr value, no quotes
+  // Attr value, no quotes (strict: excludes `=` per HTML spec)
   /([^ \t\n\f\r"'`=<>]+)/.source
 ];
+// Lenient unquoted value pattern for `continueOnParseError`:
+// allows `=` and `` ` `` per spec error-recovery rules
+// (both are parse errors in unquoted-attribute-value state but appended to the value)
+// `"` and `'` remain excluded—permitting them requires broader test coverage
+const singleAttrValueLenientUnquoted = /([^ \t\n\f\r"'<>]+)/.source;
 // https://www.w3.org/TR/1999/REC-xml-names-19990114/#NT-QName
 const qnameCapture = (function () {
   // https://www.npmjs.com/package/ncname
@@ -100,9 +105,11 @@ function stripDelimited(str, open, close) {
 }
 
 function buildAttrRegex(handler) {
+  const unquotedValue = handler.continueOnParseError ? singleAttrValueLenientUnquoted : singleAttrValues[2];
+  const attrValues = [singleAttrValues[0], singleAttrValues[1], unquotedValue];
   let pattern = singleAttrIdentifier.source +
     '(?:\\s*(' + joinSingleAttrAssigns(handler) + ')' +
-    '[ \\t\\n\\f\\r]*(?:' + singleAttrValues.join('|') + '))?';
+    '[ \\t\\n\\f\\r]*(?:' + attrValues.join('|') + '))?';
   if (handler.customAttrSurround) {
     const attrClauses = [];
     for (let i = handler.customAttrSurround.length - 1; i >= 0; i--) {
@@ -506,7 +513,7 @@ export class HTMLParser {
                   // Note: Unquoted attribute values are intentionally not handled here.
                   // Per HTML spec, unquoted values cannot contain spaces or special chars,
                   // making a 20 KB+ unquoted value practically impossible. If encountered,
-                  // it's malformed HTML and using the truncated regex match is acceptable.
+                  // it’s malformed HTML and using the truncated regex match is acceptable.
                 }
               }
             }

package/src/lib/attributes.js

@@ -580,7 +580,7 @@ function buildAttr(normalized, hasUnarySlash, options, isLast, uidAttr) {
         attrValue = attrValue.replace(/'/g, ''');
       }
     } else {
-      // `preventAttributesEscaping` mode: Choose safe quotes but don't escape
+      // `preventAttributesEscaping` mode: Choose safe quotes but don’t escape
       // except when both quote types are present—then escape to prevent invalid HTML
       const hasDoubleQuote = attrValue.indexOf('"') !== -1;
       const hasSingleQuote = attrValue.indexOf("'") !== -1;