Feature/improvements core by hexplus · Pull Request #17 · hexplus/sibujs

hexplus · 2026-04-07T03:07:18Z

Description

Security hardening from internal audit + new Accessor<T> type for reactive signal getters.

Security fixes:

isDev() now defaults to false in browser environments without a build flag (was true), preventing DevTools from being silently active in production builds that don't use the Vite plugin
globalStore.dispatch() strips __proto__, constructor, and prototype keys from action patches before merging, preventing prototype pollution via malformed payloads
worker() JSDoc now documents CSP incompatibility (blob: URL / fn.toString() pattern) and the eval()-equivalent risk of user-controlled function arguments

New Accessor<T> brand type:

All reactive getters (signal, derived, memo, memoFn, writable, array, reactiveArray) now return Accessor<T> instead of plain () => T — zero runtime cost, compile-time phantom brand only
NodeChild / NodeChildren explicitly list Accessor<NodeChild> to surface the distinction in IDE hover tooltips
Companion eslint-plugin-sibujs ships the no-called-accessor-in-prop rule, which warns when a signal getter is called with () in a prop value position and offers an auto-fix

Related Issue

Closes #

Type of Change

Bug fix
New feature
Breaking change
Documentation update

Checklist

I have read CONTRIBUTING.md
My code builds without errors
I have tested my changes
I have updated documentation if needed

- isDev() defaults to false in production (no __SIBU_DEV__ flag) - globalStore strips __proto__/constructor/prototype from action patches - workerFn JSDoc documents CSP/blob-URL incompatibility - Accessor<T> phantom brand on all reactive getters (signal, derived, memo, memoFn, writable, array) — zero runtime cost, better DX hover - NodeChildren explicitly lists Accessor<NodeChild> - New sibujs-eslint-plugin: no-called-accessor-in-prop warns when a signal getter is called in a prop value position instead of passed directly

hexplus added 22 commits March 28, 2026 15:11

Updated CHANGELOG and package.json

95db6ce

Merge branch 'main' of https://github.com/hexplus/SibuJS

56080d8

Merge branch 'main' of https://github.com/hexplus/SibuJS

7eeec49

Merge branch 'main' of https://github.com/hexplus/SibuJS

14a9cd4

ci: use npm install instead of npm ci

9487727

Merge branch 'main' of https://github.com/hexplus/SibuJS

6b4bd83

Merge branch 'main' of https://github.com/hexplus/SibuJS

0b9a0cc

trusted-publisher

0777184

Merge branch 'main' of https://github.com/hexplus/SibuJS

4d46e82

Merge branch 'main' of https://github.com/hexplus/SibuJS

bea9788

Merge branch 'main' of https://github.com/hexplus/SibuJS

825a8dc

Merge branch 'main' of https://github.com/hexplus/SibuJS

55c4436

Merge branch 'main' of https://github.com/hexplus/SibuJS

0d2c7e0

Merge branch 'main' of https://github.com/hexplus/SibuJS

8da81e8

Merge branch 'main' of https://github.com/hexplus/SibuJS

325ce5d

Merge branch 'main' of https://github.com/hexplus/SibuJS

0cad329

Merge branch 'main' of https://github.com/hexplus/SibuJS

aea6787

Merge branch 'main' of https://github.com/hexplus/SibuJS

00e5e88

Updated version, added changelog input

e2195e3

Updated types

d160a78

Fixed linter issues

afa2b27

hexplus merged commit f94b1ff into main Apr 7, 2026
1 check passed

hexplus deleted the feature/improvements-core branch April 7, 2026 03:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Feature/improvements core#17

Feature/improvements core#17
hexplus merged 22 commits into
mainfrom
feature/improvements-core

hexplus commented Apr 7, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

hexplus commented Apr 7, 2026

Description

Related Issue

Type of Change

Checklist

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant