v0.14.2 - Standards & Safety Patch
v0.14.2 ships the first implementation slice from ADR 0024. It keeps the scope narrow: standards correctness, raw head-injection safety, dynamic SSG route path safety, and stronger self-hosted docs build coverage.
What changed
- DSD output now includes
shadowrootclonableand serializesshadowrootcustomelementregistryas a boolean content attribute. headExtrasandinject.headFragmentsnow reject<script>tags. Scripts should go through structuredinject.scripts, where LessJS validates and escapes script URLs.- Dynamic SSG route params are resolved as single URL path segments and encoded
with
encodeURIComponent(). Unsafe path traversal values are skipped. - The docs smoke test now imports the real SSR server bundle, calls
renderRoute('/roadmap'), and verifies roadmap, i18n, content, ADR, UI island, PWA, and DSD output. - The roadmap and package metadata now identify v0.14.2 as the current release.
Verification
deno test --allow-read --allow-write --allow-env --allow-net --allow-run packages/core/__tests__/render-dsd.test.ts packages/adapter-vite/__tests__/index-plugin.test.ts packages/adapter-vite/__tests__/ssg-render.test.ts packages/adapter-vite/__tests__/ssg-smoke.test.tsdeno task typecheckdeno task build