selparsecss-selector 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/API.md +874 -0
  2. package/CHANGELOG.md +573 -0
  3. package/LICENSE-MIT +22 -0
  4. package/README.md +87 -0
  5. package/dist/index.js +45 -0
  6. package/dist/parser.js +1116 -0
  7. package/dist/processor.js +153 -0
  8. package/dist/selectors/attribute.js +440 -0
  9. package/dist/selectors/className.js +59 -0
  10. package/dist/selectors/combinator.js +33 -0
  11. package/dist/selectors/comment.js +33 -0
  12. package/dist/selectors/constructors.js +43 -0
  13. package/dist/selectors/container.js +433 -0
  14. package/dist/selectors/fragment.js +13 -0
  15. package/dist/selectors/guards.js +61 -0
  16. package/dist/selectors/id.js +36 -0
  17. package/dist/selectors/index.js +20 -0
  18. package/dist/selectors/namespace.js +96 -0
  19. package/dist/selectors/nesting.js +34 -0
  20. package/dist/selectors/node.js +195 -0
  21. package/dist/selectors/pseudo.js +45 -0
  22. package/dist/selectors/root.js +56 -0
  23. package/dist/selectors/selector.js +33 -0
  24. package/dist/selectors/string.js +33 -0
  25. package/dist/selectors/tag.js +33 -0
  26. package/dist/selectors/types.js +16 -0
  27. package/dist/selectors/universal.js +34 -0
  28. package/dist/selectors/wrapper.js +14 -0
  29. package/dist/sortAscending.js +7 -0
  30. package/dist/tokenTypes.js +37 -0
  31. package/dist/tokenize.js +301 -0
  32. package/dist/util/ensureObject.js +17 -0
  33. package/dist/util/getProp.js +18 -0
  34. package/dist/util/index.js +18 -0
  35. package/dist/util/maxNestingDepth.js +25 -0
  36. package/dist/util/propAssemble.js +5 -0
  37. package/dist/util/propBind.js +9 -0
  38. package/dist/util/propCache.js +9 -0
  39. package/dist/util/propPaths.js +8 -0
  40. package/dist/util/propSync.js +11 -0
  41. package/dist/util/stripComments.js +20 -0
  42. package/dist/util/unesc.js +71 -0
  43. package/dist/util/webpack.min.js +1 -0
  44. package/package.json +62 -0
  45. package/selparsecss-selector.d.ts +570 -0
package/CHANGELOG.md ADDED
@@ -0,0 +1,573 @@
1
+ # 7.1.4 - 2026-06-11
2
+
3
+ - fix: tolerate non-node children when serializing selectors
4
+
5
+ # 7.1.3 - 2026-06-11
6
+
7
+ - Improve fix CVE-2026-9358 (NVD) / SNYK-JS-POSTCSSSELECTORPARSER-16873882 (clone/walk)
8
+
9
+ # 7.1.2 - 2026-06-09
10
+
11
+ - Fix [CVE-2026-9358]
12
+
13
+ # 7.1.1
14
+
15
+ - perf: replace startsWith with strict equality (#308)
16
+ - fix(types): add walkUniversal declaration (#311)
17
+
18
+ # 7.1.0
19
+
20
+ - feat: insert(Before|After) support multiple new node
21
+
22
+ # 7.0.0
23
+
24
+ - Feat: make insertions during iteration safe (major)
25
+
26
+ # 6.1.2
27
+
28
+ - Fixed: erroneous trailing combinators in pseudos
29
+
30
+ # 6.1.1
31
+
32
+ - Fixed: improve typings of constructor helpers (#292)
33
+
34
+ # 6.1.0
35
+
36
+ - Feature: add `sourceIndex` to `Selector` nodes (#290)
37
+
38
+ # 6.0.16
39
+
40
+ - Fixed: add missing `index` argument to `each`/`walk` callback types (#289)
41
+
42
+ # 6.0.15
43
+
44
+ - Fixed: Node#prev and Node#next type for the first/last node
45
+
46
+ # 6.0.14
47
+
48
+ - Fixed: type definitions
49
+
50
+ # 6.0.13
51
+
52
+ - Fixed: throw on unexpected pipe symbols
53
+
54
+ # 6.0.12
55
+
56
+ - Fixed: `clone` arguments should be optional
57
+
58
+ # 6.0.11
59
+
60
+ - Fixed: parse attribute case insensitivity flag
61
+
62
+ # 6.0.10
63
+
64
+ - Fixed: `isPseudoElement()` supports `:first-letter` and `:first-line`
65
+
66
+ # 6.0.9
67
+
68
+ - Fixed: `Combinator.raws` property type
69
+
70
+ # 6.0.8
71
+
72
+ - Fixed: reduced size
73
+
74
+ # 6.0.7
75
+
76
+ - Fixed: parse animation percents
77
+
78
+ # 6.0.6
79
+
80
+ - Fixed: parse quoted attributes containing a newline correctly
81
+
82
+ # 6.0.5
83
+
84
+ - Perf: rework unesc for a 63+% performance boost
85
+
86
+ # 6.0.4
87
+
88
+ - Fixed: ts errors
89
+
90
+ # 6.0.3
91
+
92
+ - Fixed: replace node built-in "util" module with "util-deprecate"
93
+ - Fixed: handle uppercase pseudo elements
94
+ - Fixed: do not create invalid combinator before comment
95
+
96
+ # 6.0.2
97
+
98
+ - Fixed an issue with parsing and stringifying an empty attribute value
99
+
100
+ # 6.0.1
101
+
102
+ - Fixed an issue with unicode surrogate pair parsing
103
+
104
+ # 6.0.0
105
+
106
+ - Updated: `cssesc` to 3.0.0 (major)
107
+ - Fixed: Issues with escaped `id` and `class` selectors
108
+
109
+ # 5.0.0
110
+
111
+ - Allow escaped dot within class name.
112
+ - Update PostCSS to 7.0.7 (patch)
113
+
114
+ # 5.0.0-rc.4
115
+
116
+ - Fixed an issue where comments immediately after an insensitive (in attribute)
117
+ were not parsed correctly.
118
+ - Updated `cssesc` to 2.0.0 (major).
119
+ - Removed outdated integration tests.
120
+ - Added tests for custom selectors, tags with attributes, the universal
121
+ selector with pseudos, and tokens after combinators.
122
+
123
+ # 5.0.0-rc.1
124
+
125
+ To ease adoption of the v5.0 release, we have relaxed the node version
126
+ check performed by npm at installation time to allow for node 4, which
127
+ remains officially unsupported, but likely to continue working for the
128
+ time being.
129
+
130
+ # 5.0.0-rc.0
131
+
132
+ This release has **BREAKING CHANGES** that were required to fix regressions
133
+ in 4.0.0 and to make the Combinator Node API consistent for all combinator
134
+ types. Please read carefully.
135
+
136
+ ## Summary of Changes
137
+
138
+ * The way a descendent combinator that isn't a single space character (E.g. `.a .b`) is stored in the AST has changed.
139
+ * Named Combinators (E.g. `.a /for/ .b`) are now properly parsed as a combinator.
140
+ * It is now possible to look up a node based on the source location of a character in that node and to query nodes if they contain some character.
141
+ * Several bug fixes that caused the parser to hang and run out of memory when a `/` was encountered have been fixed.
142
+ * The minimum supported version of Node is now `v6.0.0`.
143
+
144
+ ### Changes to the Descendent Combinator
145
+
146
+ In prior releases, the value of a descendant combinator with multiple spaces included all the spaces.
147
+
148
+ * `.a .b`: Extra spaces are now stored as space before.
149
+ - Old & Busted:
150
+ - `combinator.value === " "`
151
+ - New hotness:
152
+ - `combinator.value === " " && combinator.spaces.before === " "`
153
+ * `.a /*comment*/.b`: A comment at the end of the combinator causes extra space to become after space.
154
+ - Old & Busted:
155
+ - `combinator.value === " "`
156
+ - `combinator.raws.value === " /*comment/"`
157
+ - New hotness:
158
+ - `combinator.value === " "`
159
+ - `combinator.spaces.after === " "`
160
+ - `combinator.raws.spaces.after === " /*comment*/"`
161
+ * `.a<newline>.b`: whitespace that doesn't start or end with a single space character is stored as a raw value.
162
+ - Old & Busted:
163
+ - `combinator.value === "\n"`
164
+ - `combinator.raws.value === undefined`
165
+ - New hotness:
166
+ - `combinator.value === " "`
167
+ - `combinator.raws.value === "\n"`
168
+
169
+ ### Support for "Named Combinators"
170
+
171
+ Although, nonstandard and unlikely to ever become a standard, combinators like `/deep/` and `/for/` are now properly supported.
172
+
173
+ Because they've been taken off the standardization track, there is no spec-official name for combinators of the form `/<ident>/`. However, I talked to [Tab Atkins](https://twitter.com/tabatkins) and we agreed to call them "named combinators" so now they are called that.
174
+
175
+ Before this release such named combinators were parsed without intention and generated three nodes of type `"tag"` where the first and last nodes had a value of `"/"`.
176
+
177
+ * `.a /for/ .b` is parsed as a combinator.
178
+ - Old & Busted:
179
+ - `root.nodes[0].nodes[1].type === "tag"`
180
+ - `root.nodes[0].nodes[1].value === "/"`
181
+ - New hotness:
182
+ - `root.nodes[0].nodes[1].type === "combinator"`
183
+ - `root.nodes[0].nodes[1].value === "/for/"`
184
+ * `.a /F\6fR/ .b` escapes are handled and uppercase is normalized.
185
+ - Old & Busted:
186
+ - `root.nodes[0].nodes[2].type === "tag"`
187
+ - `root.nodes[0].nodes[2].value === "F\\6fR"`
188
+ - New hotness:
189
+ - `root.nodes[0].nodes[1].type === "combinator"`
190
+ - `root.nodes[0].nodes[1].value === "/for/"`
191
+ - `root.nodes[0].nodes[1].raws.value === "/F\\6fR/"`
192
+
193
+ ### Source position checks and lookups
194
+
195
+ A new API was added to look up a node based on the source location.
196
+
197
+ ```js
198
+ const selectorParser = require("selparsecss-selector");
199
+ // You can find the most specific node for any given character
200
+ let combinator = selectorParser.astSync(".a > .b").atPosition(1,4);
201
+ combinator.toString() === " > ";
202
+ // You can check if a node includes a specific character
203
+ // Whitespace surrounding the node that is owned by that node
204
+ // is included in the check.
205
+ [2,3,4,5,6].map(column => combinator.isAtPosition(1, column));
206
+ // => [false, true, true, true, false]
207
+ ```
208
+
209
+ # 4.0.0
210
+
211
+ This release has **BREAKING CHANGES** that were required to fix bugs regarding values with escape sequences. Please read carefully.
212
+
213
+ * **Identifiers with escapes** - CSS escape sequences are now hidden from the public API by default.
214
+ The normal value of a node like a class name or ID, or an aspect of a node such as attribute
215
+ selector's value, is unescaped. Escapes representing Non-ascii characters are unescaped into
216
+ unicode characters. For example: `bu\tton, .\31 00, #i\2764\FE0Fu, [attr="value is \"quoted\""]`
217
+ will parse respectively to the values `button`, `100`, `i❤️u`, `value is "quoted"`.
218
+ The original escape sequences for these values can be found in the corresponding property name
219
+ in `node.raws`. Where possible, deprecation warnings were added, but the nature
220
+ of escape handling makes it impossible to detect what is escaped or not. Our expectation is
221
+ that most users are neither expecting nor handling escape sequences in their use of this library,
222
+ and so for them, this is a bug fix. Users who are taking care to handle escapes correctly can
223
+ now update their code to remove the escape handling and let us do it for them.
224
+
225
+ * **Mutating values with escapes** - When you make an update to a node property that has escape handling
226
+ The value is assumed to be unescaped, and any special characters are escaped automatically and
227
+ the corresponding `raws` value is immediately updated. This can result in changes to the original
228
+ escape format. Where the exact value of the escape sequence is important there are methods that
229
+ allow both values to be set in conjunction. There are a number of new convenience methods for
230
+ manipulating values that involve escapes, especially for attributes values where the quote mark
231
+ is involved.
232
+
233
+
234
+ **Upgrade/API Example**
235
+
236
+ In `3.x` there was no unescape handling and internal consistency of several properties was the caller's job to maintain. It was very easy for the developer
237
+ to create a CSS file that did not parse correctly when some types of values
238
+ were in use.
239
+
240
+ ```js
241
+ const selectorParser = require("selparsecss-selector");
242
+ let attr = selectorParser.attribute({attribute: "id", operator: "=", value: "a-value"});
243
+ attr.value; // => "a-value"
244
+ attr.toString(); // => [id=a-value]
245
+ // Add quotes to an attribute's value.
246
+ // All these values have to be set by the caller to be consistent:
247
+ // no internal consistency is maintained.
248
+ attr.raws.unquoted = attr.value
249
+ attr.value = "'" + attr.value + "'";
250
+ attr.value; // => "'a-value'"
251
+ attr.quoted = true;
252
+ attr.toString(); // => "[id='a-value']"
253
+ ```
254
+
255
+ In `4.0` there is a convenient API for setting and mutating values
256
+ that may need escaping. Especially for attributes.
257
+
258
+ ```js
259
+ const selectorParser = require("selparsecss-selector");
260
+
261
+ // The constructor requires you specify the exact escape sequence
262
+ let className = selectorParser.className({value: "illegal class name", raws: {value: "illegal\\ class\\ name"}});
263
+ className.toString(); // => '.illegal\\ class\\ name'
264
+
265
+ // So it's better to set the value as a property
266
+ className = selectorParser.className();
267
+ // Most properties that deal with identifiers work like this
268
+ className.value = "escape for me";
269
+ className.value; // => 'escape for me'
270
+ className.toString(); // => '.escape\\ for\\ me'
271
+
272
+ // emoji and all non-ascii are escaped to ensure it works in every css file.
273
+ className.value = "😱🦄😍";
274
+ className.value; // => '😱🦄😍'
275
+ className.toString(); // => '.\\1F631\\1F984\\1F60D'
276
+
277
+ // you can control the escape sequence if you want, or do bad bad things
278
+ className.setPropertyAndEscape('value', 'xxxx', 'yyyy');
279
+ className.value; // => "xxxx"
280
+ className.toString(); // => ".yyyy"
281
+
282
+ // Pass a value directly through to the css output without escaping it.
283
+ className.setPropertyWithoutEscape('value', '$REPLACE_ME$');
284
+ className.value; // => "$REPLACE_ME$"
285
+ className.toString(); // => ".$REPLACE_ME$"
286
+
287
+ // The biggest changes are to the Attribute class
288
+ // passing quoteMark explicitly is required to avoid a deprecation warning.
289
+ let attr = selectorParser.attribute({attribute: "id", operator: "=", value: "a-value", quoteMark: null});
290
+ attr.toString(); // => "[id=a-value]"
291
+ // Get the value with quotes on it and any necessary escapes.
292
+ // This is the same as reading attr.value in 3.x.
293
+ attr.getQuotedValue(); // => "a-value";
294
+ attr.quoteMark; // => null
295
+
296
+ // Add quotes to an attribute's value.
297
+ attr.quoteMark = "'"; // This is all that's required.
298
+ attr.toString(); // => "[id='a-value']"
299
+ attr.quoted; // => true
300
+ // The value is still the same, only the quotes have changed.
301
+ attr.value; // => a-value
302
+ attr.getQuotedValue(); // => "'a-value'";
303
+
304
+ // deprecated assignment, no warning because there's no escapes
305
+ attr.value = "new-value";
306
+ // no quote mark is needed so it is removed
307
+ attr.getQuotedValue(); // => "new-value";
308
+
309
+ // deprecated assignment,
310
+ attr.value = "\"a 'single quoted' value\"";
311
+ // > (node:27859) DeprecationWarning: Assigning an attribute a value containing characters that might need to be escaped is deprecated. Call attribute.setValue() instead.
312
+ attr.getQuotedValue(); // => '"a \'single quoted\' value"';
313
+ // quote mark inferred from first and last characters.
314
+ attr.quoteMark; // => '"'
315
+
316
+ // setValue takes options to make manipulating the value simple.
317
+ attr.setValue('foo', {smart: true});
318
+ // foo doesn't require any escapes or quotes.
319
+ attr.toString(); // => '[id=foo]'
320
+ attr.quoteMark; // => null
321
+
322
+ // An explicit quote mark can be specified
323
+ attr.setValue('foo', {quoteMark: '"'});
324
+ attr.toString(); // => '[id="foo"]'
325
+
326
+ // preserves quote mark by default
327
+ attr.setValue('bar');
328
+ attr.toString(); // => '[id="bar"]'
329
+ attr.quoteMark = null;
330
+ attr.toString(); // => '[id=bar]'
331
+
332
+ // with no arguments, it preserves quote mark even when it's not a great idea
333
+ attr.setValue('a value \n that should be quoted');
334
+ attr.toString(); // => '[id=a\\ value\\ \\A\\ that\\ should\\ be\\ quoted]'
335
+
336
+ // smart preservation with a specified default
337
+ attr.setValue('a value \n that should be quoted', {smart: true, preferCurrentQuoteMark: true, quoteMark: "'"});
338
+ // => "[id='a value \\A that should be quoted']"
339
+ attr.quoteMark = '"';
340
+ // => '[id="a value \\A that should be quoted"]'
341
+
342
+ // this keeps double quotes because it wants to quote the value and the existing value has double quotes.
343
+ attr.setValue('this should be quoted', {smart: true, preferCurrentQuoteMark: true, quoteMark: "'"});
344
+ // => '[id="this should be quoted"]'
345
+
346
+ // picks single quotes because the value has double quotes
347
+ attr.setValue('a "double quoted" value', {smart: true, preferCurrentQuoteMark: true, quoteMark: "'"});
348
+ // => "[id='a "double quoted" value']"
349
+
350
+ // setPropertyAndEscape lets you do anything you want. Even things that are a bad idea and illegal.
351
+ attr.setPropertyAndEscape('value', 'xxxx', 'the password is 42');
352
+ attr.value; // => "xxxx"
353
+ attr.toString(); // => "[id=the password is 42]"
354
+
355
+ // Pass a value directly through to the css output without escaping it.
356
+ attr.setPropertyWithoutEscape('value', '$REPLACEMENT$');
357
+ attr.value; // => "$REPLACEMENT$"
358
+ attr.toString(); // => "[id=$REPLACEMENT$]"
359
+ ```
360
+
361
+ # 3.1.2
362
+
363
+ * Fix: Removed dot-prop dependency since it's no longer written in es5.
364
+
365
+ # 3.1.1
366
+
367
+ * Fix: typescript definitions weren't in the published package.
368
+
369
+ # 3.1.0
370
+
371
+ * Fixed numerous bugs in attribute nodes relating to the handling of comments
372
+ and whitespace. There's significant changes to `attrNode.spaces` and `attrNode.raws` since the `3.0.0` release.
373
+ * Added `Attribute#offsetOf(part)` to get the offset location of
374
+ attribute parts like `"operator"` and `"value"`. This is most
375
+ often added to `Attribute#sourceIndex` for error reporting.
376
+
377
+ # 3.0.0
378
+
379
+ ## Breaking changes
380
+
381
+ * Some tweaks to the tokenizer/attribute selector parsing mean that whitespace
382
+ locations might be slightly different to the 2.x code.
383
+ * Better attribute selector parsing with more validation; postcss-selector-parser
384
+ no longer uses regular expressions to parse attribute selectors.
385
+ * Added an async API (thanks to @jacobp100); the default `process` API is now
386
+ async, and the sync API is now accessed through `processSync` instead.
387
+ * `process()` and `processSync()` now return a string instead of the Processor
388
+ instance.
389
+ * Tweaks handling of Less interpolation (thanks to @jwilsson).
390
+ * Removes support for Node 0.12.
391
+
392
+ ## Other changes
393
+
394
+ * `ast()` and `astSync()` methods have been added to the `Processor`. These
395
+ return the `Root` node of the selectors after processing them.
396
+ * `transform()` and `transformSync()` methods have been added to the
397
+ `Processor`. These return the value returned by the processor callback
398
+ after processing the selectors.
399
+ * Set the parent when inserting a node (thanks to @chriseppstein).
400
+ * Correctly adjust indices when using insertBefore/insertAfter (thanks to @tivac).
401
+ * Fixes handling of namespaces with qualified tag selectors.
402
+ * `process`, `ast` and `transform` (and their sync variants) now accept a
403
+ `postcss` rule node. When provided, better errors are generated and selector
404
+ processing is automatically set back to the rule selector (unless the `updateSelector` option is set to `false`.)
405
+ * Now more memory efficient when tokenizing selectors.
406
+
407
+ ### Upgrade hints
408
+
409
+ The pattern of:
410
+
411
+ `rule.selector = processor.process(rule.selector).result.toString();`
412
+
413
+ is now:
414
+
415
+ `processor.processSync(rule)`
416
+
417
+ # 2.2.3
418
+
419
+ * Resolves an issue where the parser would not reduce multiple spaces between an
420
+ ampersand and another simple selector in lossy mode (thanks to @adam-26).
421
+
422
+ # 2.2.2
423
+
424
+ * No longer hangs on an unescaped semicolon; instead the parser will throw
425
+ an exception for these cases.
426
+
427
+ # 2.2.1
428
+
429
+ * Allows a consumer to specify whitespace tokens when creating a new Node
430
+ (thanks to @Semigradsky).
431
+
432
+ # 2.2.0
433
+
434
+ * Added a new option to normalize whitespace when parsing the selector string
435
+ (thanks to @adam-26).
436
+
437
+ # 2.1.1
438
+
439
+ * Better unquoted value handling within attribute selectors
440
+ (thanks to @evilebottnawi).
441
+
442
+ # 2.1.0
443
+
444
+ * Added: Use string constants for all node types & expose them on the main
445
+ parser instance (thanks to @Aweary).
446
+
447
+ # 2.0.0
448
+
449
+ This release contains the following breaking changes:
450
+
451
+ * Renamed all `eachInside` iterators to `walk`. For example, `eachTag` is now
452
+ `walkTags`, and `eachInside` is now `walk`.
453
+ * Renamed `Node#removeSelf()` to `Node#remove()`.
454
+ * Renamed `Container#remove()` to `Container#removeChild()`.
455
+ * Renamed `Node#raw` to `Node#raws` (thanks to @davidtheclark).
456
+ * Now parses `&` as the *nesting* selector, rather than a *tag* selector.
457
+ * Fixes misinterpretation of Sass interpolation (e.g. `#{foo}`) as an
458
+ id selector (thanks to @davidtheclark).
459
+
460
+ and;
461
+
462
+ * Fixes parsing of attribute selectors with equals signs in them
463
+ (e.g. `[data-attr="foo=bar"]`) (thanks to @montmanu).
464
+ * Adds `quoted` and `raw.unquoted` properties to attribute nodes
465
+ (thanks to @davidtheclark).
466
+
467
+ # 1.3.3
468
+
469
+ * Fixes an infinite loop on `)` and `]` tokens when they had no opening pairs.
470
+ Now postcss-selector-parser will throw when it encounters these lone tokens.
471
+
472
+ # 1.3.2
473
+
474
+ * Now uses plain integers rather than `str.charCodeAt(0)` for compiled builds.
475
+
476
+ # 1.3.1
477
+
478
+ * Update flatten to v1.x (thanks to @shinnn).
479
+
480
+ # 1.3.0
481
+
482
+ * Adds a new node type, `String`, to fix a crash on selectors such as
483
+ `foo:bar("test")`.
484
+
485
+ # 1.2.1
486
+
487
+ * Fixes a crash when the parser encountered a trailing combinator.
488
+
489
+ # 1.2.0
490
+
491
+ * A more descriptive error is thrown when the parser expects to find a
492
+ pseudo-class/pseudo-element (thanks to @ashelley).
493
+ * Adds support for line/column locations for selector nodes, as well as a
494
+ `Node#sourceIndex` method (thanks to @davidtheclark).
495
+
496
+ # 1.1.4
497
+
498
+ * Fixes a crash when a selector started with a `>` combinator. The module will
499
+ now no longer throw if a selector has a leading/trailing combinator node.
500
+
501
+ # 1.1.3
502
+
503
+ * Fixes a crash on `@` tokens.
504
+
505
+ # 1.1.2
506
+
507
+ * Fixes an infinite loop caused by using parentheses in a non-pseudo element
508
+ context.
509
+
510
+ # 1.1.1
511
+
512
+ * Fixes a crash when a backslash ended a selector string.
513
+
514
+ # 1.1.0
515
+
516
+ * Adds support for replacing multiple nodes at once with `replaceWith`
517
+ (thanks to @jonathantneal).
518
+ * Parser no longer throws on sequential IDs and trailing commas, to support
519
+ parsing of selector hacks.
520
+
521
+ # 1.0.1
522
+
523
+ * Fixes using `insertAfter` and `insertBefore` during iteration.
524
+
525
+ # 1.0.0
526
+
527
+ * Adds `clone` and `replaceWith` methods to nodes.
528
+ * Adds `insertBefore` and `insertAfter` to containers.
529
+ * Stabilises API.
530
+
531
+ # 0.0.5
532
+
533
+ * Fixes crash on extra whitespace inside a pseudo selector's parentheses.
534
+ * Adds sort function to the container class.
535
+ * Enables the parser to pass its input through without transforming.
536
+ * Iteration-safe `each` and `eachInside`.
537
+
538
+ # 0.0.4
539
+
540
+ * Tidy up redundant duplication.
541
+ * Fixes a bug where the parser would loop infinitely on universal selectors
542
+ inside pseudo selectors.
543
+ * Adds `length` getter and `eachInside`, `map`, `reduce` to the container class.
544
+ * When a selector has been removed from the tree, the root node will no longer
545
+ cast it to a string.
546
+ * Adds node type iterators to the container class (e.g. `eachComment`).
547
+ * Adds filter function to the container class.
548
+ * Adds split function to the container class.
549
+ * Create new node types by doing `parser.id(opts)` etc.
550
+ * Adds support for pseudo classes anywhere in the selector.
551
+
552
+ # 0.0.3
553
+
554
+ * Adds `next` and `prev` to the node class.
555
+ * Adds `first` and `last` getters to the container class.
556
+ * Adds `every` and `some` iterators to the container class.
557
+ * Add `empty` alias for `removeAll`.
558
+ * Combinators are now types of node.
559
+ * Fixes the at method so that it is not an alias for `index`.
560
+ * Tidy up creation of new nodes in the parser.
561
+ * Refactors how namespaces are handled for consistency & less redundant code.
562
+ * Refactors AST to use `nodes` exclusively, and eliminates excessive nesting.
563
+ * Fixes nested pseudo parsing.
564
+ * Fixes whitespace parsing.
565
+
566
+ # 0.0.2
567
+
568
+ * Adds support for namespace selectors.
569
+ * Adds support for selectors joined by escaped spaces - such as `.\31\ 0`.
570
+
571
+ # 0.0.1
572
+
573
+ * Initial release.
package/LICENSE-MIT ADDED
@@ -0,0 +1,22 @@
1
+ Copyright (c) Ben Briggs <beneb.info@gmail.com> (http://beneb.info)
2
+
3
+ Permission is hereby granted, free of charge, to any person
4
+ obtaining a copy of this software and associated documentation
5
+ files (the "Software"), to deal in the Software without
6
+ restriction, including without limitation the rights to use,
7
+ copy, modify, merge, publish, distribute, sublicense, and/or sell
8
+ copies of the Software, and to permit persons to whom the
9
+ Software is furnished to do so, subject to the following
10
+ conditions:
11
+
12
+ The above copyright notice and this permission notice shall be
13
+ included in all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
17
+ OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
19
+ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
20
+ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
22
+ OTHER DEALINGS IN THE SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,87 @@
1
+ # selparsecss-selector
2
+
3
+ [![npm package version](https://img.shields.io/npm/v/selparsecss-selector) ![npm downloads](https://img.shields.io/npm/dm/selparsecss-selector)](https://www.npmjs.com/package/selparsecss-selector)
4
+
5
+ > Selector parser with built in methods for working with selector strings.
6
+
7
+ ## Install
8
+
9
+ With [npm](https://npmjs.com/package/selparsecss-selector) do:
10
+
11
+ ```
12
+ npm install selparsecss-selector
13
+ ```
14
+
15
+ ## Quick Start
16
+
17
+ ```js
18
+ const parser = require('selparsecss-selector');
19
+ const transform = selectors => {
20
+ selectors.walk(selector => {
21
+ // do something with the selector
22
+ console.log(String(selector))
23
+ });
24
+ };
25
+
26
+ const transformed = parser(transform).processSync('h1, h2, h3');
27
+ ```
28
+
29
+ To normalize selector whitespace:
30
+
31
+ ```js
32
+ const parser = require('selparsecss-selector');
33
+ const normalized = parser().processSync('h1, h2, h3', {lossless: false});
34
+ // -> h1,h2,h3
35
+ ```
36
+
37
+ Async support is provided through `parser.process` and will resolve a Promise
38
+ with the resulting selector string.
39
+
40
+ ## API
41
+
42
+ Please see [API.md](API.md).
43
+
44
+ ## Security
45
+
46
+ ### Selector nesting depth (CVE-2026-9358)
47
+
48
+ The parser walks the selector AST recursively, both when parsing and when
49
+ serializing it back to a string (`.toString()`). In versions up to and
50
+ including `7.1.1`, a selector with extreme nesting — for example thousands of
51
+ nested `:not(...)` — could recurse deeply enough to overflow the call stack and
52
+ throw `RangeError: Maximum call stack size exceeded`, a potential
53
+ denial-of-service when processing untrusted CSS.
54
+
55
+ This is now bounded by a maximum nesting depth (default: `256`). Beyond that
56
+ depth, parsing and serialization throw a regular, catchable `Error` at a
57
+ predictable point instead of relying on the runtime hitting its stack limit.
58
+ The default is far above any realistic selector, so it does not affect normal
59
+ use.
60
+
61
+ **Practical impact is low.** The only attacker-controlled input is the selector
62
+ string itself, which is now capped by the default limit. The limit is
63
+ adjustable through the `maxNestingDepth` option, but that option is trusted
64
+ configuration provided by the integrating code — it is never derived from the
65
+ parsed CSS, so a malicious selector cannot change it:
66
+
67
+ ```js
68
+ // Tighten the limit when parsing untrusted input:
69
+ parser().processSync(untrustedSelector, {maxNestingDepth: 128});
70
+ ```
71
+
72
+ Raising `maxNestingDepth` to a very large value is an explicit, informed choice
73
+ and can reintroduce the stack-overflow risk in environments with a small call
74
+ stack (e.g. browser workers). The default is recommended unless you have a
75
+ specific need.
76
+
77
+ ## Credits
78
+
79
+ * Huge thanks to Andrey for work on PostCSS which helped accelerate this module's development.
80
+
81
+ ## License
82
+
83
+ MIT
84
+
85
+ ## Keywords
86
+
87
+ css, selector, parser, postcss, AST