
chore: release #955

Open
github-actions[bot] wants to merge 1 commit into main from changeset-release/main

github-actions Bot commented Jun 20, 2026

Contributor

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@eigenpal/docx-editor-core@1.9.0

Minor Changes

  • 826aa32: Add an { all: true } option to setContentControlContent, setContentControlValue, and removeContentControl to apply the change to every content control matching the filter — across headers and footers with { includeHeadersFooters: true } — instead of only the first. This covers one logical value that recurs under a shared tag (e.g. a name in the body, a running header, and several table cells). The default stays first-match. An { all: true } run is atomic: if any matched control is refused by a lock, type, or data-binding guard, nothing is written unless { force: true }.

  • 826aa32: Add createContentControl to wrap a text span (including inside a table cell) in a new content control, returning a new document plus the created control with an auto-assigned unique w:id. setContentControlValue now sets dropdown/date/checkbox values on inline controls too, including inside table cells and — with { includeHeadersFooters: true } — headers and footers. Date controls serialize their format to <w:dateFormat>.

  • 826aa32: Content-control addressing now covers inline (w:sdt-in-paragraph) controls, including inside table cells: findContentControls, findContentControl, setContentControlContent, setContentControlValue, and removeContentControl discover and edit them, and { includeHeadersFooters: true } also reaches headers and footers. Results carry kind and location. The live-editor DocxEditorRef methods (React and Vue) gain the same inline support.

    Because of this, findContentControls now returns inline controls in the body that earlier versions skipped — code relying on the old block-only results (counts, first match) should re-check.

Patch Changes

  • 4b47daf: Chinese, Korean, and Japanese documents now render and measure with the matching Noto webfont instead of a system fallback. CJK theme typefaces — by their native or romanized name (e.g. SimSun, Malgun Gothic, PMingLiU, MS Mincho) — map to the corresponding Noto Sans/Serif SC/TC/KR/JP family, and the font loader fetches that family rather than the unresolvable raw name.
  • 12c1f87: Fix export corruption for comments overlapping tracked changes.
  • 7839ee9: Fix CJK text overflowing the right margin when a document's theme leaves the East Asian font slot empty. The East Asian theme font is now resolved from the document's w:themeFontLang (e.g. Japanese → MS Mincho), so line breaking and rendering use the correct font and wrap within the page.
  • 9454c9a: Preserve explicit nil/none borders on export. A cell that hides the table's default grid by setting <w:tcBorders> sides to nil no longer loses that override on save, so hidden gridlines stay hidden after a round-trip instead of re-inheriting the table's grid. The same applies to paragraph (w:pBdr) and page (w:pgBorders) borders, which had the identical bug. Fixes "DOCX export drops explicit per-cell nil <w:tcBorders>, making hidden table gridlines reappear" (#947).
  • f61435b: Harden openPrintWindow to build the print window via DOM APIs instead of document.write, so a crafted document title cannot break out into executable markup. The framework-agnostic print helpers are now exported from @eigenpal/docx-editor-core as the single source of truth, and the React package re-exports them unchanged.

@eigenpal/nuxt-docx-editor@1.9.0

Patch Changes

  • @eigenpal/docx-editor-vue@1.9.0

@eigenpal/docx-editor-react@1.9.0

Patch Changes

  • f61435b: Harden openPrintWindow to build the print window via DOM APIs instead of document.write, so a crafted document title cannot break out into executable markup. The framework-agnostic print helpers are now exported from @eigenpal/docx-editor-core as the single source of truth, and the React package re-exports them unchanged.
  • Updated dependencies [4b47daf]
  • Updated dependencies [826aa32]
  • Updated dependencies [826aa32]
  • Updated dependencies [12c1f87]
  • Updated dependencies [7839ee9]
  • Updated dependencies [826aa32]
  • Updated dependencies [9454c9a]
  • Updated dependencies [f61435b]
    • @eigenpal/docx-editor-core@1.9.0
    • @eigenpal/docx-editor-agents@1.9.0
    • @eigenpal/docx-editor-i18n@1.9.0

@eigenpal/docx-editor-vue@1.9.0

Patch Changes

  • Updated dependencies [4b47daf]
  • Updated dependencies [826aa32]
  • Updated dependencies [826aa32]
  • Updated dependencies [12c1f87]
  • Updated dependencies [7839ee9]
  • Updated dependencies [826aa32]
  • Updated dependencies [9454c9a]
  • Updated dependencies [f61435b]
    • @eigenpal/docx-editor-core@1.9.0
    • @eigenpal/docx-editor-agents@1.9.0
    • @eigenpal/docx-editor-i18n@1.9.0

@eigenpal/docx-editor-agents@1.9.0

@eigenpal/docx-editor-i18n@1.9.0

vercel Bot commented Jun 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docx-editor | Ready | Preview, Comment | Jun 20, 2026 8:58pm |

greptile-apps Bot commented Jun 20, 2026

Contributor

Greptile Summary

This is a standard Changesets-generated release PR bumping all packages from 1.8.3 to 1.8.4. The primary code change (commit f61435b) hardened openPrintWindow in @eigenpal/docx-editor-core by replacing document.write with DOM API construction, preventing a crafted document title from injecting executable markup.

  • packages/core: openPrintWindow rewritten to use doc.title = title (property assignment, not string interpolation) and DOMParser + importNode for body content; full unit test coverage added; function now exported from the core public surface.
  • packages/react: PrintPreview.tsx refactored to re-export openPrintWindow (and related helpers) from @eigenpal/docx-editor-core instead of owning them locally.
  • All other package version bumps (agents, i18n, vue, nuxt) are dependency-only cascade bumps with no logic changes.

Confidence Score: 5/5

Safe to merge — this is a Changesets release PR with a well-contained security hardening to the print window helper, backed by unit tests and clean re-export wiring.

The substantive change is the rewrite of openPrintWindow: it replaces document.write string interpolation with property assignment for the title and DOMParser + importNode for body content. The fix is correct, the attack vector it closes is confirmed by the new unit tests, and the re-export refactoring in PrintPreview.tsx is mechanical. All version bumps and dep-pin updates are generated by Changesets and look consistent across the monorepo.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/core/src/utils/print.ts | Core security fix: openPrintWindow rebuilt via DOM APIs; title assigned as property (not injected as HTML), content parsed with DOMParser+importNode. opener=null added for reverse-tabnabbing defence. |
| packages/core/src/utils/tests/print.test.ts | New unit tests verifying the title-breakout XSS payload renders as inert text and that no script element is introduced by content. |
| packages/react/src/components/ui/PrintPreview.tsx | PrintPreview now re-exports all framework-agnostic print helpers from core; React-specific JSX (PrintButton, PrintStyles) stays local. |
| packages/core/package.json | Version bumped from 1.8.3 to 1.8.4; no other changes. |
| packages/react/package.json | Version bumped to 1.8.4; internal monorepo dep pins updated to ^1.8.4. |
| packages/vue/package.json | Version bumped to 1.8.4; internal monorepo dep pins updated to ^1.8.4. |
| packages/nuxt/package.json | Version bumped to 1.8.4; vue peer dependency pin updated to ^1.8.4. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["openPrintWindow(title, content)"] --> B{window defined?}
    B -- No --> Z[return null]
    B -- Yes --> C["window.open('', '_blank')"]
    C --> D{popup opened?}
    D -- No --> Z
    D -- Yes --> E["w.opener = null\n(reverse-tabnabbing defence)"]
    E --> F["doc.title = title\n(property assignment — not HTML)"]
    F --> G["createElement('style')\nstyle.textContent = PRINT_CSS"]
    G --> H["DOMParser.parseFromString(content, 'text/html')\n(parsed in inert document)"]
    H --> I["importNode each child\ninto popup document"]
    I --> J[return popup Window]

    style E fill:#d4edda,stroke:#28a745
    style F fill:#d4edda,stroke:#28a745
    style H fill:#d4edda,stroke:#28a745
    style I fill:#d4edda,stroke:#28a745

Reviews (1): Last reviewed commit: "chore: release" | Re-trigger Greptile
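
The title breakout that commit f61435b closes, as an added example that is not the project's code: `legacyPrintMarkup` reconstructs the interpolated-string shape a `document.write` call would receive, and `openPrintWindowSketch` follows the steps in the flowchart above. The function names, the `PRINT_CSS` contents and the sample title are assumptions constructed for illustration.

```javascript
// Added illustration, not code from @eigenpal/docx-editor-core.
const PRINT_CSS = '@media print { body { margin: 0; } }'; // placeholder stylesheet

// "Before" shape: title and content interpolated into one HTML string that
// would be handed to document.write(). Returned here so it can be inspected.
function legacyPrintMarkup(title, content) {
  return `<!DOCTYPE html><html><head><title>${title}</title>` +
    `<style>${PRINT_CSS}</style></head><body>${content}</body></html>`;
}

// Hardened shape, following the flowchart's steps.
function openPrintWindowSketch(title, content) {
  if (typeof window === 'undefined') return null; // no DOM (SSR, Node)
  const w = window.open('', '_blank');
  if (!w) return null;                            // popup blocked
  w.opener = null;                                // reverse-tabnabbing defence
  const doc = w.document;
  doc.title = title;                              // stored as text, never parsed as HTML
  const style = doc.createElement('style');
  style.textContent = PRINT_CSS;
  doc.head.appendChild(style);
  // Parse in a separate, inert document, then copy the nodes across.
  const parsed = new DOMParser().parseFromString(content, 'text/html');
  for (const node of Array.from(parsed.body.childNodes)) {
    doc.body.appendChild(doc.importNode(node, true));
  }
  return w;
}

// Constructed sample: a document title that closes <title> early and
// introduces a harmless marker element.
const CRAFTED_TITLE = 'Q3 report</title><b id="injected">';

// True when the interpolated markup's <title> element no longer holds the
// whole title, i.e. part of the title was parsed as markup.
function titleEscapesInLegacy(title) {
  const m = legacyPrintMarkup(title, '').match(/<title>(.*?)<\/title>/s);
  return m !== null && m[1] !== title;
}
```

A regression test for the hardened path can assert that the popup's `document.title` equals the crafted string verbatim and that the marker element is absent from the popup document.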


Development

Successfully merging this pull request may close these issues.

DOCX export drops explicit per-cell nil <w:tcBorders>, making hidden table gridlines reappear
