zero-query 0.9.9 → 1.0.1

package/src/store.js

@@ -1,5 +1,5 @@
 /**
- * zQuery Store — Global reactive state management
+ * zQuery Store - Global reactive state management
  * 
  * A lightweight Redux/Vuex-inspired store with:
  *   - Reactive state via Proxy
@@ -38,22 +38,22 @@ class Store {
     this._history = [];              // action log
     this._maxHistory = config.maxHistory || 1000;
     this._debug = config.debug || false;
+    this._batching = false;
+    this._batchQueue = [];           // pending notifications during batch
+    this._undoStack = [];
+    this._redoStack = [];
+    this._maxUndo = config.maxUndo || 50;
 
-    // Create reactive state
+    // Store initial state for reset
     const initial = typeof config.state === 'function' ? config.state() : { ...(config.state || {}) };
+    this._initialState = JSON.parse(JSON.stringify(initial));
 
     this.state = reactive(initial, (key, value, old) => {
-      // Notify key-specific subscribers
-      const subs = this._subscribers.get(key);
-      if (subs) subs.forEach(fn => {
-        try { fn(value, old, key); }
-        catch (err) { reportError(ErrorCode.STORE_SUBSCRIBE, `Subscriber for "${key}" threw`, { key }, err); }
-      });
-      // Notify wildcard subscribers
-      this._wildcards.forEach(fn => {
-        try { fn(key, value, old); }
-        catch (err) { reportError(ErrorCode.STORE_SUBSCRIBE, 'Wildcard subscriber threw', { key }, err); }
-      });
+      if (this._batching) {
+        this._batchQueue.push({ key, value, old });
+        return;
+      }
+      this._notifySubscribers(key, value, old);
     });
 
     // Build getters as computed properties
@@ -66,10 +66,90 @@ class Store {
     }
   }
 
+  /** @private Notify key-specific and wildcard subscribers */
+  _notifySubscribers(key, value, old) {
+    const subs = this._subscribers.get(key);
+    if (subs) subs.forEach(fn => {
+      try { fn(key, value, old); }
+      catch (err) { reportError(ErrorCode.STORE_SUBSCRIBE, `Subscriber for "${key}" threw`, { key }, err); }
+    });
+    this._wildcards.forEach(fn => {
+      try { fn(key, value, old); }
+      catch (err) { reportError(ErrorCode.STORE_SUBSCRIBE, 'Wildcard subscriber threw', { key }, err); }
+    });
+  }
+
+  /**
+   * Batch multiple state changes - subscribers fire once at the end
+   * with only the latest value per key.
+   */
+  batch(fn) {
+    this._batching = true;
+    this._batchQueue = [];
+    try {
+      fn(this.state);
+    } finally {
+      this._batching = false;
+      // Deduplicate: keep only the last change per key
+      const last = new Map();
+      for (const entry of this._batchQueue) {
+        last.set(entry.key, entry);
+      }
+      this._batchQueue = [];
+      for (const { key, value, old } of last.values()) {
+        this._notifySubscribers(key, value, old);
+      }
+    }
+  }
+
+  /**
+   * Save a snapshot for undo. Call before making changes you want to be undoable.
+   */
+  checkpoint() {
+    const snap = JSON.parse(JSON.stringify(this.state.__raw || this.state));
+    this._undoStack.push(snap);
+    if (this._undoStack.length > this._maxUndo) {
+      this._undoStack.splice(0, this._undoStack.length - this._maxUndo);
+    }
+    this._redoStack = [];
+  }
+
+  /**
+   * Undo to the last checkpoint
+   * @returns {boolean} true if undo was performed
+   */
+  undo() {
+    if (this._undoStack.length === 0) return false;
+    const current = JSON.parse(JSON.stringify(this.state.__raw || this.state));
+    this._redoStack.push(current);
+    const prev = this._undoStack.pop();
+    this.replaceState(prev);
+    return true;
+  }
+
+  /**
+   * Redo the last undone state change
+   * @returns {boolean} true if redo was performed
+   */
+  redo() {
+    if (this._redoStack.length === 0) return false;
+    const current = JSON.parse(JSON.stringify(this.state.__raw || this.state));
+    this._undoStack.push(current);
+    const next = this._redoStack.pop();
+    this.replaceState(next);
+    return true;
+  }
+
+  /** Check if undo is available */
+  get canUndo() { return this._undoStack.length > 0; }
+
+  /** Check if redo is available */
+  get canRedo() { return this._redoStack.length > 0; }
+
   /**
    * Dispatch a named action
-   * @param {string} name — action name
-   * @param  {...any} args — payload
+   * @param {string} name - action name
+   * @param  {...any} args - payload
    */
   dispatch(name, ...args) {
     const action = this._actions[name];
@@ -108,13 +188,13 @@ class Store {
 
   /**
    * Subscribe to changes on a specific state key
-   * @param {string|Function} keyOrFn — state key, or function for all changes
-   * @param {Function} [fn] — callback (value, oldValue, key)
-   * @returns {Function} — unsubscribe
+   * @param {string|Function} keyOrFn - state key, or function for all changes
+   * @param {Function} [fn] - callback (key, value, oldValue)
+   * @returns {Function} - unsubscribe
    */
   subscribe(keyOrFn, fn) {
     if (typeof keyOrFn === 'function') {
-      // Wildcard — listen to all changes
+      // Wildcard - listen to all changes
       this._wildcards.add(keyOrFn);
       return () => this._wildcards.delete(keyOrFn);
     }
@@ -160,11 +240,13 @@ class Store {
   }
 
   /**
-   * Reset state to initial values
+   * Reset state to initial values. If no argument, resets to the original state.
    */
   reset(initialState) {
-    this.replaceState(initialState);
+    this.replaceState(initialState || JSON.parse(JSON.stringify(this._initialState)));
     this._history = [];
+    this._undoStack = [];
+    this._redoStack = [];
   }
 }
 

package/src/utils.js

@@ -1,5 +1,5 @@
 /**
- * zQuery Utils — Common utility functions
+ * zQuery Utils - Common utility functions
  * 
  * Quality-of-life helpers that every frontend project needs.
  * Attached to $ namespace for convenience.
@@ -10,7 +10,7 @@
 // ---------------------------------------------------------------------------
 
 /**
- * Debounce — delays execution until after `ms` of inactivity
+ * Debounce - delays execution until after `ms` of inactivity
  */
 export function debounce(fn, ms = 250) {
   let timer;
@@ -23,7 +23,7 @@ export function debounce(fn, ms = 250) {
 }
 
 /**
- * Throttle — limits execution to once per `ms`
+ * Throttle - limits execution to once per `ms`
  */
 export function throttle(fn, ms = 250) {
   let last = 0;
@@ -42,14 +42,14 @@ export function throttle(fn, ms = 250) {
 }
 
 /**
- * Pipe — compose functions left-to-right
+ * Pipe - compose functions left-to-right
  */
 export function pipe(...fns) {
   return (input) => fns.reduce((val, fn) => fn(val), input);
 }
 
 /**
- * Once — function that only runs once
+ * Once - function that only runs once
  */
 export function once(fn) {
   let called = false, result;
@@ -60,7 +60,7 @@ export function once(fn) {
 }
 
 /**
- * Sleep — promise-based delay
+ * Sleep - promise-based delay
  */
 export function sleep(ms) {
   return new Promise(resolve => setTimeout(resolve, ms));
@@ -111,8 +111,12 @@ export function trust(htmlStr) {
  * Generate UUID v4
  */
 export function uuid() {
-  return crypto?.randomUUID?.() || 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, c => {
-    const r = Math.random() * 16 | 0;
+  if (crypto?.randomUUID) return crypto.randomUUID();
+  // Fallback using crypto.getRandomValues (wider support than randomUUID)
+  return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, c => {
+    const buf = new Uint8Array(1);
+    crypto.getRandomValues(buf);
+    const r = buf[0] & 15;
     return (c === 'x' ? r : (r & 0x3 | 0x8)).toString(16);
   });
 }
@@ -140,13 +144,50 @@ export function kebabCase(str) {
 // ---------------------------------------------------------------------------
 
 /**
- * Deep clone
+ * Deep clone via structuredClone (handles circular refs, Dates, etc.).
+ * Falls back to a manual deep clone that preserves Date, RegExp, Map, Set,
+ * ArrayBuffer, TypedArrays, undefined values, and circular references.
  */
 export function deepClone(obj) {
   if (typeof structuredClone === 'function') return structuredClone(obj);
-  return JSON.parse(JSON.stringify(obj));
+
+  const seen = new Map();
+  function clone(val) {
+    if (val === null || typeof val !== 'object') return val;
+    if (seen.has(val)) return seen.get(val);
+    if (val instanceof Date) return new Date(val.getTime());
+    if (val instanceof RegExp) return new RegExp(val.source, val.flags);
+    if (val instanceof Map) {
+      const m = new Map();
+      seen.set(val, m);
+      val.forEach((v, k) => m.set(clone(k), clone(v)));
+      return m;
+    }
+    if (val instanceof Set) {
+      const s = new Set();
+      seen.set(val, s);
+      val.forEach(v => s.add(clone(v)));
+      return s;
+    }
+    if (ArrayBuffer.isView(val)) return new val.constructor(val.buffer.slice(0));
+    if (val instanceof ArrayBuffer) return val.slice(0);
+    if (Array.isArray(val)) {
+      const arr = [];
+      seen.set(val, arr);
+      for (let i = 0; i < val.length; i++) arr[i] = clone(val[i]);
+      return arr;
+    }
+    const result = Object.create(Object.getPrototypeOf(val));
+    seen.set(val, result);
+    for (const key of Object.keys(val)) result[key] = clone(val[key]);
+    return result;
+  }
+  return clone(obj);
 }
 
+// Keys that must never be written through data-merge or path-set operations
+const _UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+
 /**
  * Deep merge objects
  */
@@ -156,6 +197,7 @@ export function deepMerge(target, ...sources) {
     if (seen.has(src)) return tgt;
     seen.add(src);
     for (const key of Object.keys(src)) {
+      if (_UNSAFE_KEYS.has(key)) continue;
       if (src[key] && typeof src[key] === 'object' && !Array.isArray(src[key])) {
         if (!tgt[key] || typeof tgt[key] !== 'object') tgt[key] = {};
         merge(tgt[key], src[key]);
@@ -362,10 +404,13 @@ export function setPath(obj, path, value) {
   let cur = obj;
   for (let i = 0; i < keys.length - 1; i++) {
     const k = keys[i];
+    if (_UNSAFE_KEYS.has(k)) return obj;
     if (cur[k] == null || typeof cur[k] !== 'object') cur[k] = {};
     cur = cur[k];
   }
-  cur[keys[keys.length - 1]] = value;
+  const lastKey = keys[keys.length - 1];
+  if (_UNSAFE_KEYS.has(lastKey)) return obj;
+  cur[lastKey] = value;
   return obj;
 }
 
@@ -416,9 +461,16 @@ export function memoize(fn, keyFnOrOpts) {
 
   const memoized = (...args) => {
     const key = keyFn ? keyFn(...args) : args[0];
-    if (cache.has(key)) return cache.get(key);
+    if (cache.has(key)) {
+      // LRU: promote to newest by re-inserting
+      const value = cache.get(key);
+      cache.delete(key);
+      cache.set(key, value);
+      return value;
+    }
     const result = fn(...args);
     cache.set(key, result);
+    // LRU eviction: drop the least-recently-used entry
     if (maxSize > 0 && cache.size > maxSize) {
       cache.delete(cache.keys().next().value);
     }

package/tests/audit.test.js

@@ -12,6 +12,7 @@ import {
   escapeHtml, html, trust, TrustedHTML, uuid, camelCase, kebabCase,
   deepClone, deepMerge, isEqual, param, parseQuery,
   storage, session, EventBus, bus,
+  setPath,
 } from '../src/utils.js';
 import { createRouter, getRouter } from '../src/router.js';
 import { component, mount, mountAll, destroy, prefetch, getInstance } from '../src/component.js';
@@ -2861,7 +2862,7 @@ describe('Store', () => {
       actions: { inc(state) { state.count++; } }
     });
     const received = [];
-    store.subscribe('count', (val, old) => received.push({ val, old }));
+    store.subscribe('count', (key, val, old) => received.push({ val, old }));
     store.dispatch('inc');
     store.dispatch('inc');
     expect(received).toEqual([
@@ -2876,7 +2877,7 @@ describe('Store', () => {
       actions: { bump(state) { state.x++; } }
     });
     const received = [];
-    const unsub = store.subscribe('x', (val) => received.push(val));
+    const unsub = store.subscribe('x', (key, val) => received.push(val));
     store.dispatch('bump');
     unsub();
     store.dispatch('bump');
@@ -3062,7 +3063,7 @@ describe('Store', () => {
     });
     const received = [];
     store.subscribe('x', () => { throw new Error('sub error'); });
-    store.subscribe('x', (val) => received.push(val));
+    store.subscribe('x', (key, val) => received.push(val));
     store.dispatch('bump');
     // The second subscriber still gets called because reportError is used (not re-throw)
     expect(received).toEqual([1]);
@@ -3093,7 +3094,7 @@ describe('Store', () => {
       state: { x: 0 }
     });
     const received = [];
-    store.subscribe('x', (val) => received.push(val));
+    store.subscribe('x', (key, val) => received.push(val));
     store.state.x = 99;
     expect(received).toEqual([99]);
   });
@@ -3895,7 +3896,7 @@ describe('TrustedHTML and html template tag', () => {
 
 
 // ===========================================================================
-// 24. Bug 9 — `new` constructor globals reachable
+// 24. Bug 9 - `new` constructor globals reachable
 // ===========================================================================
 describe('new constructor globals (Bug 9)', () => {
   const eval_ = (expr, ctx = {}) => safeEval(expr, [ctx]);
@@ -3912,10 +3913,9 @@ describe('new constructor globals (Bug 9)', () => {
     expect(result.has(2)).toBe(true);
   });
 
-  it('new RegExp creates a RegExp', () => {
+  it('new RegExp is blocked (ReDoS prevention)', () => {
     const result = eval_('new RegExp(pat, flags)', { pat: '^hello', flags: 'i' });
-    expect(result).toBeInstanceOf(RegExp);
-    expect(result.test('Hello world')).toBe(true);
+    expect(result).toBeUndefined();
   });
 
   it('new URL creates a URL', () => {
@@ -3931,10 +3931,9 @@ describe('new constructor globals (Bug 9)', () => {
     expect(result.get('b')).toBe('2');
   });
 
-  it('new Error creates an Error', () => {
+  it('new Error is blocked (info disclosure prevention)', () => {
     const result = eval_('new Error(msg)', { msg: 'test error' });
-    expect(result).toBeInstanceOf(Error);
-    expect(result.message).toBe('test error');
+    expect(result).toBeUndefined();
   });
 
   it('Map and Set are accessible as identifiers for instanceof', () => {
@@ -3945,7 +3944,7 @@ describe('new constructor globals (Bug 9)', () => {
 
 
 // ===========================================================================
-// 25. Bug 10 — optional_call preserves `this` binding
+// 25. Bug 10 - optional_call preserves `this` binding
 // ===========================================================================
 describe('optional_call this binding (Bug 10)', () => {
   const eval_ = (expr, ctx = {}) => safeEval(expr, [ctx]);
@@ -3974,7 +3973,7 @@ describe('optional_call this binding (Bug 10)', () => {
 
 
 // ===========================================================================
-// 26. Bug 11 — HTTP abort vs timeout distinction
+// 26. Bug 11 - HTTP abort vs timeout distinction
 // ===========================================================================
 describe('HTTP abort vs timeout message (Bug 11)', () => {
   it('user abort says "aborted" not "timeout"', async () => {
@@ -4000,7 +3999,7 @@ describe('HTTP abort vs timeout message (Bug 11)', () => {
 
 
 // ===========================================================================
-// 27. Bug 12 — isEqual circular reference protection
+// 27. Bug 12 - isEqual circular reference protection
 // ===========================================================================
 describe('isEqual circular reference protection (Bug 12)', () => {
   it('does not stack overflow on circular objects', () => {
@@ -4008,7 +4007,7 @@ describe('isEqual circular reference protection (Bug 12)', () => {
     a.self = a;
     const b = { x: 1 };
     b.self = b;
-    // Should not throw — just return true (both are circular in the same shape)
+    // Should not throw - just return true (both are circular in the same shape)
     expect(() => isEqual(a, b)).not.toThrow();
     expect(isEqual(a, b)).toBe(true);
   });
@@ -4028,3 +4027,132 @@ describe('isEqual circular reference protection (Bug 12)', () => {
     expect(isEqual([1, 2], [1, 3])).toBe(false);
   });
 });
+
+
+// ===========================================================================
+// SECURITY AUDIT v2 - Prototype Pollution, ReDoS, Expression Safety
+// ===========================================================================
+
+describe('Security: deepMerge prototype pollution prevention', () => {
+  it('blocks __proto__ key from being merged', () => {
+    const target = {};
+    const malicious = JSON.parse('{"__proto__": {"polluted": true}}');
+    deepMerge(target, malicious);
+    expect(target.polluted).toBeUndefined();
+    expect(({}).polluted).toBeUndefined();
+  });
+
+  it('blocks constructor key from being merged', () => {
+    const target = {};
+    deepMerge(target, { constructor: { prototype: { polluted: true } } });
+    expect(({}).polluted).toBeUndefined();
+  });
+
+  it('blocks prototype key from being merged', () => {
+    const target = {};
+    deepMerge(target, { prototype: { polluted: true } });
+    expect(target.prototype).toBeUndefined();
+  });
+
+  it('still merges safe keys normally', () => {
+    const result = deepMerge({}, { a: 1, b: { c: 2 } });
+    expect(result).toEqual({ a: 1, b: { c: 2 } });
+  });
+
+  it('blocks nested __proto__ pollution attempt', () => {
+    const target = { nested: {} };
+    const malicious = JSON.parse('{"nested": {"__proto__": {"deep": true}}}');
+    deepMerge(target, malicious);
+    expect(({}).deep).toBeUndefined();
+    expect(target.nested.deep).toBeUndefined();
+  });
+});
+
+describe('Security: setPath prototype pollution prevention', () => {
+  it('blocks __proto__ in path segments', () => {
+    const obj = {};
+    setPath(obj, '__proto__.polluted', true);
+    expect(({}).polluted).toBeUndefined();
+  });
+
+  it('blocks constructor in path segments', () => {
+    const obj = {};
+    setPath(obj, 'constructor.prototype.polluted', true);
+    expect(({}).polluted).toBeUndefined();
+  });
+
+  it('blocks prototype as final key', () => {
+    const obj = {};
+    setPath(obj, 'prototype', { evil: true });
+    expect(obj.prototype).toBeUndefined();
+  });
+
+  it('still sets safe paths normally', () => {
+    const obj = {};
+    setPath(obj, 'a.b.c', 42);
+    expect(obj.a.b.c).toBe(42);
+  });
+});
+
+describe('Security: expression evaluator - blocked constructors', () => {
+  it('blocks RegExp constructor (ReDoS prevention)', () => {
+    expect(eval_('new RegExp(".*")')).toBeUndefined();
+    expect(eval_('RegExp')).toBeUndefined();
+  });
+
+  it('blocks Error constructor (info leak prevention)', () => {
+    expect(eval_('new Error("test")')).toBeUndefined();
+  });
+
+  it('blocks Function constructor', () => {
+    expect(eval_('new Function("return 1")')).toBeUndefined();
+  });
+
+  it('still allows safe constructors', () => {
+    expect(eval_('new Date(2024, 0, 1)')).toBeInstanceOf(Date);
+    expect(eval_('new Map')).toBeInstanceOf(Map);
+    expect(eval_('new Set')).toBeInstanceOf(Set);
+    expect(eval_('new Array(3)')).toBeInstanceOf(Array);
+    expect(eval_('new URL("https://example.com")')).toBeInstanceOf(URL);
+  });
+});
+
+describe('Security: expression evaluator - blocked property access', () => {
+  it('blocks __proto__ access', () => {
+    expect(eval_('obj.__proto__', { obj: {} })).toBeUndefined();
+  });
+
+  it('blocks constructor access', () => {
+    expect(eval_('obj.constructor', { obj: {} })).toBeUndefined();
+  });
+
+  it('blocks prototype access', () => {
+    expect(eval_('obj.prototype', { obj: function(){} })).toBeUndefined();
+  });
+
+  it('blocks __defineGetter__ access', () => {
+    expect(eval_('obj.__defineGetter__', { obj: {} })).toBeUndefined();
+  });
+
+  it('blocks call/apply/bind', () => {
+    expect(eval_('fn.call', { fn: () => {} })).toBeUndefined();
+    expect(eval_('fn.apply', { fn: () => {} })).toBeUndefined();
+    expect(eval_('fn.bind', { fn: () => {} })).toBeUndefined();
+  });
+});
+
+describe('Security: template expression HTML escaping', () => {
+  it('escapeHtml escapes script tags', () => {
+    expect(escapeHtml('<script>alert(1)</script>')).toBe('&lt;script&gt;alert(1)&lt;/script&gt;');
+  });
+
+  it('escapeHtml escapes quotes and ampersands', () => {
+    expect(escapeHtml('"&\'')).toBe('&quot;&amp;&#39;');
+  });
+
+  it('escapeHtml handles non-string input', () => {
+    expect(escapeHtml(42)).toBe('42');
+    expect(escapeHtml(null)).toBe('null');
+    expect(escapeHtml(undefined)).toBe('undefined');
+  });
+});