specra 0.2.10 → 0.2.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/components/docs/Header.svelte +17 -2
  2. package/dist/components/docs/Header.svelte.d.ts +15 -2
  3. package/dist/mdx-security.js +12 -11
  4. package/dist/mdx.js +9 -1
  5. package/package.json +4 -2
package/dist/components/docs/Header.svelte CHANGED
@@ -21,7 +21,8 @@
21
21
  hidden?: boolean;
22
22
  }
23
23
 
24
- interface ProductItem {
24
+ /** Flat shape (from page components) */
25
+ interface ProductItemFlat {
25
26
  slug: string;
26
27
  label: string;
27
28
  icon?: string;
@@ -30,13 +31,27 @@
30
31
  isDefault: boolean;
31
32
  }
32
33
 
34
+ /** Nested shape (from SDK getProducts()) */
35
+ interface ProductItemNested {
36
+ slug: string;
37
+ config: {
38
+ label: string;
39
+ icon?: string;
40
+ badge?: string;
41
+ activeVersion?: string;
42
+ };
43
+ isDefault: boolean;
44
+ }
45
+
46
+ type ProductInput = ProductItemFlat | ProductItemNested;
47
+
33
48
  interface Props {
34
49
  currentVersion: string;
35
50
  versions: string[];
36
51
  versionsMeta?: VersionMeta[];
37
52
  versionBanner?: BannerConfig;
38
53
  config?: SpecraConfig;
39
- products?: ProductItem[];
54
+ products?: ProductInput[];
40
55
  currentProduct?: string;
41
56
  subheader?: Snippet;
42
57
  }
package/dist/components/docs/Header.svelte.d.ts CHANGED
@@ -7,7 +7,8 @@ interface VersionMeta {
7
7
  badge?: string;
8
8
  hidden?: boolean;
9
9
  }
10
- interface ProductItem {
10
+ /** Flat shape (from page components) */
11
+ interface ProductItemFlat {
11
12
  slug: string;
12
13
  label: string;
13
14
  icon?: string;
@@ -15,13 +16,25 @@ interface ProductItem {
15
16
  activeVersion?: string;
16
17
  isDefault: boolean;
17
18
  }
19
+ /** Nested shape (from SDK getProducts()) */
20
+ interface ProductItemNested {
21
+ slug: string;
22
+ config: {
23
+ label: string;
24
+ icon?: string;
25
+ badge?: string;
26
+ activeVersion?: string;
27
+ };
28
+ isDefault: boolean;
29
+ }
30
+ type ProductInput = ProductItemFlat | ProductItemNested;
18
31
  interface Props {
19
32
  currentVersion: string;
20
33
  versions: string[];
21
34
  versionsMeta?: VersionMeta[];
22
35
  versionBanner?: BannerConfig;
23
36
  config?: SpecraConfig;
24
- products?: ProductItem[];
37
+ products?: ProductInput[];
25
38
  currentProduct?: string;
26
39
  subheader?: Snippet;
27
40
  }
package/dist/mdx-security.js CHANGED
@@ -44,22 +44,23 @@ export function validatePathWithinDirectory(filePath, allowedDir) {
44
44
  * These patterns can execute arbitrary code during SSR
45
45
  */
46
46
  const DANGEROUS_PATTERNS = [
47
- // JavaScript execution
48
- /eval\s*\(/gi,
49
- /Function\s*\(/gi,
50
- /import\s*\(/gi,
51
- /require\s*\(/gi,
47
+ // JavaScript execution — require expression context (after { ; = or line start)
48
+ // to avoid false positives on prose like "bulk import (CSV...)" or "fetch (data)"
49
+ /(?:^|[{;=,])\s*eval\s*\(/gim,
50
+ /(?:^|[{;=,])\s*Function\s*\(/gim,
51
+ /(?:^|[{;=,])\s*import\s*\(/gim,
52
+ /(?:^|[{;=,])\s*require\s*\(/gim,
52
53
  // File system access
53
54
  /fs\.[a-z]+/gi,
54
- /readFile/gi,
55
- /writeFile/gi,
55
+ /(?:^|[{;=,])\s*readFile/gim,
56
+ /(?:^|[{;=,])\s*writeFile/gim,
56
57
  /process\.env/gi,
57
- // Network requests during SSR (legitimate client-side usage should use components)
58
- /fetch\s*\(/gi,
58
+ // Network requests during SSR require expression context
59
+ /(?:^|[{;=,])\s*fetch\s*\(/gim,
59
60
  // Dangerous Node.js modules
60
61
  /child_process/gi,
61
- /exec\s*\(/gi,
62
- /spawn\s*\(/gi,
62
+ /(?:^|[{;=,])\s*exec\s*\(/gim,
63
+ /(?:^|[{;=,])\s*spawn\s*\(/gim,
63
64
  // Script tag injection
64
65
  /<script[>\s]/gi,
65
66
  /javascript:/gi,
package/dist/mdx.js CHANGED
@@ -1,6 +1,7 @@
1
1
  import fs from "fs";
2
2
  import path from "path";
3
3
  import matter from "gray-matter";
4
+ import yaml from "js-yaml";
4
5
  import { unified } from "unified";
5
6
  import remarkParse from "remark-parse";
6
7
  import remarkGfm from "remark-gfm";
@@ -1135,7 +1136,14 @@ function readDocFromFile(filePath, originalSlug) {
1135
1136
  return null;
1136
1137
  }
1137
1138
  const fileContents = fs.readFileSync(filePath, "utf8");
1138
- const { data, content } = matter(fileContents);
1139
+ const { data, content } = matter(fileContents, {
1140
+ engines: {
1141
+ yaml: {
1142
+ parse: (str) => yaml.load(str),
1143
+ stringify: (obj) => yaml.dump(obj),
1144
+ },
1145
+ },
1146
+ });
1139
1147
  // Security: Validate MDX content for dangerous patterns
1140
1148
  const securityCheck = validateMDXSecurity(content, {
1141
1149
  strictMode: process.env.NODE_ENV === 'production',
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "specra",
3
- "version": "0.2.10",
3
+ "version": "0.2.12",
4
4
  "description": "A modern documentation library for SvelteKit with built-in versioning, API reference generation, full-text search, and MDX support",
5
5
  "svelte": "./dist/index.js",
6
6
  "types": "./dist/index.d.ts",
@@ -78,13 +78,14 @@
78
78
  "date-fns": "^4.1.0",
79
79
  "embla-carousel-svelte": "^8.5.1",
80
80
  "gray-matter": "^4.0.3",
81
+ "hast-util-to-html": "^9.0.0",
82
+ "js-yaml": "^4.1.1",
81
83
  "katex": "^0.16.27",
82
84
  "lucide-svelte": "^0.454.0",
83
85
  "mdsvex": "^0.12.0",
84
86
  "meilisearch": "^0.54.0",
85
87
  "mermaid": "^11.12.2",
86
88
  "mode-watcher": "^0.5.0",
87
- "hast-util-to-html": "^9.0.0",
88
89
  "rehype-katex": "^7.0.1",
89
90
  "rehype-raw": "^7.0.0",
90
91
  "rehype-slug": "^6.0.0",
@@ -103,6 +104,7 @@
103
104
  "@sveltejs/kit": "^2.0.0",
104
105
  "@sveltejs/package": "^2.0.0",
105
106
  "@sveltejs/vite-plugin-svelte": "^6.0.0",
107
+ "@types/js-yaml": "^4.0.9",
106
108
  "@types/node": "^22",
107
109
  "svelte": "^5.0.0",
108
110
  "svelte-check": "^4.0.0",