npm - mnfst - Versions diffs - 0.5.132 → 0.5.134 - Mend

mnfst 0.5.132 → 0.5.134

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/lib/manifest.css +26 -17
package/lib/manifest.data.js +10 -2
package/lib/manifest.dropdown.css +12 -11
package/lib/manifest.dropdowns.js +70 -40
package/lib/manifest.form.css +17 -9
package/lib/manifest.integrity.json +6 -6
package/lib/manifest.localization.js +103 -55
package/lib/manifest.markdown.js +12 -2
package/lib/manifest.min.css +1 -1
package/lib/manifest.sidebar.css +4 -4
package/lib/manifest.svg.js +5 -1
package/lib/manifest.toast.css +1 -1
package/lib/manifest.tooltip.css +4 -4
package/lib/manifest.tooltips.js +16 -4
package/package.json +3 -2

package/lib/manifest.localization.js CHANGED Viewed

@@ -11,6 +11,102 @@ const originalHtmlLang = (typeof document !== 'undefined' && document.documentEl
     ? (document.documentElement.lang || '')
     : '';
+// RTL language codes — module scope so both the init plugin (sets <html dir>)
+// and the $locale magic (sets $locale.list direction) share one table.
+const rtlLanguages = new Set([
+    // Arabic script
+    'ar',     // Arabic
+    'az-Arab',// Azerbaijani (Arabic script)
+    'bal',    // Balochi
+    'ckb',    // Central Kurdish (Sorani)
+    'fa',     // Persian (Farsi)
+    'glk',    // Gilaki
+    'ks',     // Kashmiri
+    'ku-Arab',// Kurdish (Arabic script)
+    'lrc',    // Northern Luri
+    'mzn',    // Mazanderani
+    'pnb',    // Western Punjabi (Shahmukhi)
+    'ps',     // Pashto
+    'sd',     // Sindhi
+    'ur',     // Urdu
+    // Hebrew script
+    'he',     // Hebrew
+    'yi',     // Yiddish
+    'jrb',    // Judeo-Arabic
+    'jpr',    // Judeo-Persian
+    'lad-Hebr',// Ladino (Hebrew script)
+    // Thaana script
+    'dv',     // Dhivehi (Maldivian)
+    // N’Ko script
+    'nqo',    // N’Ko (West Africa)
+    // Syriac script
+    'syr',    // Syriac
+    'aii',    // Assyrian Neo-Aramaic
+    'arc',    // Aramaic
+    'sam',    // Samaritan Aramaic
+    // Mandaic script
+    'mid',    // Mandaic
+    // Other RTL minority/obscure scripts
+    'uga',    // Ugaritic
+    'phn',    // Phoenician
+    'xpr',    // Parthian (ancient)
+    'peo',    // Old Persian (cuneiform, but RTL)
+    'pal',    // Middle Persian (Pahlavi)
+    'avst',   // Avestan
+    'man',    // Manding (N'Ko variants)
+]);
+// Detect if a language is RTL
+function isRTL(lang) {
+    return rtlLanguages.has(lang);
+}
+// Native language name (endonym) for a BCP-47 code, e.g. 'fr' → "français".
+// Derived from the browser's Intl.DisplayNames — no data files, no fetches.
+// Falls back to the raw code for custom/unsupported codes.
+const localeNameCache = new Map();
+function localeName(code) {
+    if (localeNameCache.has(code)) return localeNameCache.get(code);
+    let name = code;
+    try {
+        if (typeof Intl !== 'undefined' && typeof Intl.DisplayNames === 'function') {
+            name = new Intl.DisplayNames([code], { type: 'language' }).of(code) || code;
+        }
+    } catch { /* unsupported code — keep raw code */ }
+    localeNameCache.set(code, name);
+    return name;
+}
+// Rich list backing $locale.list: one object per available locale, with
+// ordering views hung off the array as non-enumerable getters so x-for and
+// spreads only ever see the locale items, never the view accessors.
+//   $locale.list                → source (manifest.json) order
+//   $locale.list.alphabetical   → by native name, locale-aware compare
+//   $locale.list.currentFirst   → active locale first, rest in source order
+function buildLocaleList(available, current) {
+    const list = available.map(code => ({
+        code,
+        name: localeName(code),
+        direction: isRTL(code) ? 'rtl' : 'ltr',
+        current: code === current
+    }));
+    Object.defineProperty(list, 'alphabetical', {
+        enumerable: false,
+        get() { return [...list].sort((a, b) => a.name.localeCompare(b.name)); }
+    });
+    Object.defineProperty(list, 'currentFirst', {
+        enumerable: false,
+        get() { return [...list].sort((a, b) => (b.current === true) - (a.current === true)); }
+    });
+    return list;
+}
 // Global setLocale wrapper - will be replaced with real implementation
 let setLocaleImpl = null;
@@ -45,61 +141,6 @@ function initializeLocalizationPlugin() {
     // Debug logging disabled for production
     const debugLog = () => { };
-    // RTL language codes - using Set for O(1) lookups
-    const rtlLanguages = new Set([
-        // Arabic script
-        'ar',     // Arabic
-        'az-Arab',// Azerbaijani (Arabic script)
-        'bal',    // Balochi
-        'ckb',    // Central Kurdish (Sorani)
-        'fa',     // Persian (Farsi)
-        'glk',    // Gilaki
-        'ks',     // Kashmiri
-        'ku-Arab',// Kurdish (Arabic script)
-        'lrc',    // Northern Luri
-        'mzn',    // Mazanderani
-        'pnb',    // Western Punjabi (Shahmukhi)
-        'ps',     // Pashto
-        'sd',     // Sindhi
-        'ur',     // Urdu
-        // Hebrew script
-        'he',     // Hebrew
-        'yi',     // Yiddish
-        'jrb',    // Judeo-Arabic
-        'jpr',    // Judeo-Persian
-        'lad-Hebr',// Ladino (Hebrew script)
-        // Thaana script
-        'dv',     // Dhivehi (Maldivian)
-        // N’Ko script
-        'nqo',    // N’Ko (West Africa)
-        // Syriac script
-        'syr',    // Syriac
-        'aii',    // Assyrian Neo-Aramaic
-        'arc',    // Aramaic
-        'sam',    // Samaritan Aramaic
-        // Mandaic script
-        'mid',    // Mandaic
-        // Other RTL minority/obscure scripts
-        'uga',    // Ugaritic
-        'phn',    // Phoenician
-        'xpr',    // Parthian (ancient)
-        'peo',    // Old Persian (cuneiform, but RTL)
-        'pal',    // Middle Persian (Pahlavi)
-        'avst',   // Avestan
-        'man',    // Manding (N'Ko variants)
-    ]);
-    // Detect if a language is RTL
-    function isRTL(lang) {
-        return rtlLanguages.has(lang);
-    }
     function isPrerenderedStaticBuild() {
         return document.head?.querySelector('meta[name="manifest:prerendered"][content="1"]') !== null;
     }
@@ -712,6 +753,13 @@ function registerLocaleMagic() {
                     if (prop === 'current') return currentStore?.current || document.documentElement.lang || 'en';
                     if (prop === 'available') return currentStore?.available || [document.documentElement.lang || 'en'];
                     if (prop === 'direction') return currentStore?.direction || 'ltr';
+                    if (prop === 'list') {
+                        const fallback = document.documentElement.lang || 'en';
+                        return buildLocaleList(
+                            currentStore?.available || [fallback],
+                            currentStore?.current || fallback
+                        );
+                    }
                     if (prop === 'set') {
                         // Use the global setLocale function (wrapper or real implementation)
                         return async (locale, updateUrl = false) => {

package/lib/manifest.markdown.js CHANGED Viewed

@@ -43,7 +43,13 @@ if (!window.ManifestDOMPurify) {
             if (this._promise) return this._promise;
             this._promise = new Promise((resolve, reject) => {
                 const script = document.createElement('script');
-                script.src = 'https://cdn.jsdelivr.net/npm/dompurify@latest/dist/purify.min.js';
+                // Pinned + Subresource Integrity: a moving `@latest` (or a
+                // tampered CDN file) would otherwise run arbitrary JS in the
+                // user's page. The browser rejects the script if the bytes don't
+                // match the hash. Bump version AND integrity together.
+                script.src = 'https://cdn.jsdelivr.net/npm/dompurify@3.4.10/dist/purify.min.js';
+                script.integrity = 'sha384-eguRoJERj8ghOpzO//Rl7+ScQsQIR1cH+ajll7+fG+IpbNPlkZsQn9h8ccr+wPXx';
+                script.crossOrigin = 'anonymous';
                 script.onload = () => {
                     if (typeof window.DOMPurify !== 'undefined') {
                         resolve(window.DOMPurify);
@@ -96,7 +102,11 @@ async function loadMarkedJS() {
     markedPromise = new Promise((resolve, reject) => {
         const script = document.createElement('script');
-        script.src = 'https://cdn.jsdelivr.net/npm/marked/marked.min.js';
+        // Pinned + Subresource Integrity (see DOMPurify loader above) — a
+        // floating version or tampered CDN file can't inject arbitrary JS.
+        script.src = 'https://cdn.jsdelivr.net/npm/marked@15.0.12/marked.min.js';
+        script.integrity = 'sha384-948ahk4ZmxYVYOc+rxN1H2gM1EJ2Duhp7uHtZ4WSLkV4Vtx5MUqnV+l7u9B+jFv+';
+        script.crossOrigin = 'anonymous';
         script.onload = () => {
             // Initialize marked.js
             if (typeof marked !== 'undefined') {