chore(release): react-ui 0.11.9, lang-core 0.2.6, cli 0.0.8#630
Merged
Conversation
….0.8 Version bumps for the first publish since 2026-05-20 (4b663b9): - @openuidev/react-ui 0.11.8 -> 0.12.0 (minor): component CSS now ships in `@layer openui` (#589/#621) and react-syntax-highlighter moved to ^16.1.1 (#577, fixes prismjs CVE-2024-53382) - @openuidev/lang-core 0.2.5 -> 0.2.6 (patch): parser preserves markdown fences and comments inside string props (#605) - @openuidev/cli 0.0.7 -> 0.0.8 (patch): cross-platform template build (#601, #627); no functional changes to the published CLI Remaining packages have no consumer-visible changes since the last publish and are not republished; the lang wrappers pick up lang-core 0.2.6 transitively via their ^0.2.5 ranges. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ankit-thesys
force-pushed
the
release/2026-06-version-bumps
branch
from
537fa5e to
0d1a02e
Compare
Sass emits a UTF-8 BOM for compressed output containing non-ASCII characters. At byte 0 the CSS decoder strips it, but wrapInLayer() concatenated the layer prelude in front of it, pushing the BOM inside the block where U+FEFF parses as an identifier: `:root` becomes a type selector that matches nothing, silently killing the first rule. In the packed 0.12.0 tarball this dropped the entire :root theme-token block of dist/components/index.css (and the first rule of dist/styles/index.css and markDownRenderer.css). Verified in Chrome: the BOM-poisoned rule does not apply; subsequent rules are unaffected. Strip the BOM before wrapping. Repacked tarball now has 0 BOMs across all 171 shipped CSS files and the :root block parses correctly. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adopt #631's opt-in layered CSS (cp-css.js taken from main; the standalone BOM fix is superseded by wrapInLayer). react-ui -> 0.11.9 (patch): opt-in CSS is non-breaking, so the 0.12.0 minor rationale no longer applies; the react-syntax-highlighter 15->16 bump rides along at patch level. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ankit-thesys
changed the title
The opt-in re-land (#631) only strips the BOM when wrapping the layered mirror, so Sass's compressed-mode BOM leaked into the unlayered defaults (components.css, styles/index.css, markDownRenderer.css). A leading BOM is harmless to browsers but breaks the package's zero-BOM contract and would become fatal if those files were ever wrapped. cp-css.js now strips it from the unlayered output, and check-css-artifacts.js asserts the unlayered exports are BOM-free too (the guard previously only checked the layered mirror). Root cause is on main (#631's cp-css.js) — flagged for a follow-up. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
abhithesys
approved these changes
Jun 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Situation — All nine
@openuidev/*packages have been at parity with npm since the 2026-05-20 publish (4b663b90, #534; browser-bundle republished 2026-06-09). Since then main accumulated consumer-visible work — opt-in CSS cascade-layers support (#589/#621, re-landed as opt-in in #631), a parser correctness fix, and a security-driven dependency major — with no version bumps, so none of it is releasable.Task — Audit every commit per package since the publish baseline, decide which packages need a release and at what semver level, cut the bumps, and verify the artifacts are publish-ready.
Action — Reviewed each package's diff against
4b663b90and separated consumer-visible changes from internal churn (catalog migration #612/#624/#634/#645/#653, build tooling #604/#627/#628, docs/blog #638/#641/#646/#647, the LangGraph example #644). Three packages have real consumer impact and are bumped here; the rest are deliberately left alone. The@layer openuiwork shipped as opt-in (#631): the default stylesheets stay unlayered and byte-equivalent to 0.11.x, so this is a non-breaking release. Tarball inspection during the cascade-layer work caught a release blocker: the layer wrapper pushed Sass's UTF-8 BOM mid-stylesheet, whereU+FEFFparses as an identifier and silently killed the first CSS rule (the:roottheme tokens).wrapInLayernow strips it, with unit tests and acheck-css-artifacts.jsguard wired intoprepublishOnly.Result — Three packages ready to publish:
@openuidev/react-ui@layer openuiis additive/non-breaking; react-syntax-highlighter 15→16@openuidev/lang-core@openuidev/cliNot republished:
react-lang/svelte-lang/vue-lang(get lang-core 0.2.6 transitively via^0.2.5),react-headless/react-email(no consumer-visible delta),browser-bundle(0.1.1 already published 2026-06-09).Changelog
@openuidev/react-ui 0.11.9
Added — opt-in CSS cascade layers (#589, #621, #631)
Component styles still ship unlayered by default —
@openuidev/react-ui/styles/index.cssand the per-component./styles/*behave exactly as in 0.11.x (./components.cssis retained as an alias). New opt-in exports ship the same rules wrapped in@layer openui:@openuidev/react-ui/layered/styles/index.css— the full stylesheet@openuidev/react-ui/layered/styles/*— per componentWith the layered variant, unlayered app CSS overrides OpenUI without
!importantor specificity hacks (.openui-button-base-primary { background: hotpink }just wins)../defaults.css(theme tokens) andThemeProvider's runtime style injection stay unlayered in both modes, so runtime theming always wins.Migration: none — the default is unchanged. To opt in:
@openuidev/react-ui/layered/styles/index.cssinstead of the unlayered stylesheet, from exactly one place (multiple import sites under chunk-splitting bundlers like Turbopack can lock the wrong layer order).Security —
react-syntax-highlighter^15.6.1 → ^16.1.1 (#577)Removes the DOM-clobbering-vulnerable prismjs 1.27 (CVE-2024-53382) that v15 pinned via refractor 3 — semver could never resolve a patched copy on 15.x, so the major bump is the only consumer-side fix. Affects
CodeBlockand fenced code in markdown rendering; react-ui's public API is unchanged and no peer deps changed. Heads-up: refractor 5 is ESM-only, sorequire()-ing@openuidev/react-uifrom CommonJS (CJS SSR, Jest without ESM) needs Node ≥ 20.19 / ≥ 22.12. Prism 1.27 → 1.30 grammar updates may subtly change code-block tokenization.@openuidev/lang-core 0.2.6
Fixed — string-aware parser preprocessing (#605)
```) inside double-quoted string props no longer corrupt parsing — streaming a UI that displays a code snippet now works instead of erroring.//and#on continuation lines of multiline strings are no longer stripped as comments — URLs inside string props survive intact.parse,createParser,createStreamingParser, andmergeStatements.Migration: none. Consumers of
@openuidev/react-lang/svelte-lang/vue-langget this transitively (^0.2.5range) on lockfile refresh — no wrapper republish needed.@openuidev/cli 0.0.8
Maintenance release — template build scripts moved from Unix shell one-liners to cross-platform Node
fsAPIs (#601, #627), fixingpnpm install/build for Windows contributors. No functional changes to the published CLI; scaffolded output is identical to 0.0.7.Pre-publish checklist
pnpm build+pnpm run check:css+pnpm -r run cion this branch now that main is merged indist/styles/index.cssanddist/components/index.cssare unlayered (start with:root{);dist/layered/styles/index.cssstarts with@layer openui{and is BOM-free; 0 BOMs across all shipped CSS filescatalog:— verify with the publish workflow's pinned pnpm (9.15.4); note the merge added the eslint toolchain / typescript / @types/node catalog entries (chore: centralize eslint toolchain versions with pnpm catalog #634/chore: centralize typescript version with pnpm catalog #645/chore: centralize @types/node version with pnpm catalog #653)🤖 Generated with Claude Code