Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/build-and-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@ jobs:
with:
node-version: 20
cache: npm
- name: Check package.json file references
run: node scripts/check-referenced-files.mjs
- run: npm ci
- run: npm run lint
- run: npm run typecheck
Expand Down
8 changes: 4 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -77,13 +77,13 @@ could reach. Pin both with SRI so a bad CDN day fails closed instead of open:

```html
<script
src="https://cdn.jsdelivr.net/npm/dompurify@3.4.11/dist/purify.min.js"
integrity="sha384-o44XUELLEnv/iSlA1NWxBweqbD4TSR0qgq2VzVsxtkHS989JJjGKSE9vkfo5MN4K"
src="https://cdn.jsdelivr.net/npm/dompurify@3.4.12/dist/purify.min.js"
integrity="sha384-piCcpDdJ7qVeK4Tv8Z6Hpcr3ZBIgP16TxQTPVfsLFdZ5uDgwc3Y8Ho7oUnqf12qu"
crossorigin="anonymous"
></script>
<script
src="https://cdn.jsdelivr.net/npm/domfortify@0.4.0/dist/fortify.min.js"
integrity="sha384-oaTzl0Zl3KdISWVHzJErLGpAIL2MYX+raPA5b9uhn/6Ljz117SCLRPKx8p8jhsyD"
src="https://cdn.jsdelivr.net/npm/domfortify@1.0.0/dist/fortify.min.js"
integrity="sha384-UTHngTnDjkP35mHLyvskA7klpBRoONpcOpENk+XQEi2plYIGb4WKpYIgci8vV3PG"
crossorigin="anonymous"
></script>
```
Expand Down
4 changes: 2 additions & 2 deletions dist/fortify.cjs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions dist/fortify.es.mjs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
/*! DOMFortify 0.5.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
/*! DOMFortify 1.0.0 | (c) Cure53 and contributors | (MPL-2.0 OR Apache-2.0) */
// Cached up front so later prototype pollution or clobbering can't swap hasOwnProperty out.
const hasOwn = Object.prototype.hasOwnProperty;
/** True only for an own (non-inherited) property, so a polluted prototype is never consulted. */
Expand Down Expand Up @@ -78,7 +78,7 @@ function urlMatches(pattern, url) {
* - Fails closed: no sanitizer means sinks throw, never leak.
* - Only covers Trusted Types sinks; inline handlers / style / URL props stay open.
*/
const VERSION = '0.5.0';
const VERSION = '1.0.0';
// Natives captured up front, so later prototype pollution or clobbering can't swap them out.
const root = typeof globalThis !== 'undefined' ? globalThis : window;
const doc = typeof document !== 'undefined' ? document : undefined;
Expand Down
4 changes: 2 additions & 2 deletions dist/fortify.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions dist/fortify.min.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

20 changes: 15 additions & 5 deletions docs/maintaining.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,8 @@ Covers the Branch-Protection and Code-Review checks:

## Secrets

- `NPM_TOKEN` - a granular npm automation token scoped to publish this package only. Keep 2FA on the
npm account. Publishing runs from `publish.yml` via OIDC with `--provenance`.
- npm publishing is done **manually** by a maintainer (`npm publish` from the release tag); there is
no publish workflow and no `NPM_TOKEN` repo secret. Keep 2FA on the npm account.
- `SCORECARD_TOKEN` - a fine-grained PAT so the Scorecard workflow can read branch-protection status
on a public repo. See the
[scorecard-action docs](https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional).
Expand All @@ -33,6 +33,16 @@ Covers the Branch-Protection and Code-Review checks:

## Releasing

1. Bump the version in `package.json` (the build injects it in place of `__VERSION__`).
2. Create a GitHub Release / tag. `publish.yml` builds, tests, and publishes with provenance.
3. Publish the SRI hashes for `dist/fortify.min.js` in the release notes so integrators can pin them.
1. Bump the version in `package.json` (the build injects it in place of `__VERSION__`), sync the
lockfile (`npm install --package-lock-only`), run `npm run build`, and commit the rebuilt `dist`
- CI (`Verify committed dist is in sync with src`) fails otherwise. If DOMPurify shipped, bump
the `dompurify` devDependency and refresh the pinned version and SRI hash in the README first.
2. Land that via PR, then create a GitHub Release / tag on the release commit. On publish,
`sign-release.yml` checks out the tag, rebuilds, and attaches Sigstore bundles, and
`slsa-provenance.yml` attests build provenance for the same bytes.
3. Publish manually from a clean checkout of the tag: `npm ci && npm publish`
(`prepublishOnly` rebuilds `dist`; the build is reproducible, so the published bytes match the
committed and attested ones).
4. Publish the SRI hashes for `dist/fortify.min.js` in the release notes so integrators can pin
them (`openssl dgst -sha384 -binary dist/fortify.min.js | openssl base64 -A`), and verify the
hash in the README's CDN snippet matches the published artifact.
12 changes: 6 additions & 6 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 3 additions & 2 deletions package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "domfortify",
"version": "0.5.0",
"version": "1.0.0",
"description": "Retrofit Trusted Types onto a legacy page: claim the realm's default policy so old DOM-XSS sinks get sanitized without touching the code.",
"license": "(MPL-2.0 OR Apache-2.0)",
"homepage": "https://github.com/cure53/DOMFortify",
Expand Down Expand Up @@ -59,6 +59,7 @@
"prebuild": "rimraf dist",
"build": "rollup -c config/rollup.config.mjs",
"typecheck": "tsc -p tsconfig.json --noEmit",
"check:files": "node scripts/check-referenced-files.mjs",
"lint": "prettier --check \"{src,test,config,scripts}/**/*.{ts,js,mjs}\"",
"format": "prettier --write \"{src,test,config,scripts}/**/*.{ts,js,mjs}\" \"**/*.md\"",
"test:node": "node test/node-runner.mjs",
Expand All @@ -75,7 +76,7 @@
"@rollup/plugin-terser": "^1.0.0",
"@rollup/plugin-typescript": "^12.1.1",
"angular": "1.8.3",
"dompurify": "^3.4.11",
"dompurify": "^3.4.12",
"fast-check": "^4.8.0",
"jquery": "3.4.1",
"nyc": "^18.0.0",
Expand Down
Loading