Skip to content

chore(release): react-ui 0.12.0, lang-core 0.2.6, cli 0.0.8#630

Open
ankit-thesys wants to merge 2 commits into
mainfrom
release/2026-06-version-bumps
Open

chore(release): react-ui 0.12.0, lang-core 0.2.6, cli 0.0.8#630
ankit-thesys wants to merge 2 commits into
mainfrom
release/2026-06-version-bumps

Conversation

@ankit-thesys

@ankit-thesys ankit-thesys commented Jun 10, 2026
edited by vishxrad
Loading

Copy link
Copy Markdown
Contributor

Summary

Situation — All nine @openuidev/* packages have been at parity with npm since the 2026-05-20 publish (4b663b90, #534; browser-bundle republished 2026-06-09 from current main). Since then, main accumulated consumer-visible work — the CSS cascade-layers re-land, a parser correctness fix, and a security-driven dependency major — with no version bumps, so none of it is releasable.

Task — Audit every commit per package since the publish baseline, decide which packages actually need a release and at what semver level, cut the bumps, and verify the artifacts are publish-ready.

Action — Reviewed each package's diff against 4b663b90 (final baseline: main at #624) and separated consumer-visible changes from internal/dev-only churn (catalog migration #612/#624, test-script hygiene, build tooling #604/#627/#628). Three packages have real consumer impact and are bumped here; six are deliberately left alone. Verified release mechanics empirically: packed the bumped packages with both pnpm 10.23.0 and the publish workflow's pinned pnpm 9.15.4 to confirm catalog:/workspace:^ specifiers are replaced with concrete ranges in the published manifests (this release is the first with catalog: in package manifests, including the react/react-dom peers from #624). The tarball inspection caught a release blocker: the @layer build wrapper pushed Sass's UTF-8 BOM mid-stylesheet, where U+FEFF parses as an identifier and silently killed the first CSS rule — the entire :root theme-token block of components.css. Confirmed the dead rule empirically in Chrome and fixed it in this PR.

Result — Three packages ready to publish, artifacts verified:

Package Version Level Why
@openuidev/react-ui 0.11.8 → 0.12.0 minor @layer openui changes CSS override behavior; react-syntax-highlighter 15→16
@openuidev/lang-core 0.2.5 → 0.2.6 patch parser fix, no API change
@openuidev/cli 0.0.7 → 0.0.8 patch build-tooling only, keeps versions moving

Not republished: react-lang / svelte-lang / vue-lang (depend on lang-core via ^0.2.5 — consumers get 0.2.6 transitively on lockfile refresh), react-headless / react-email (no consumer-visible delta), browser-bundle (0.1.1 already published from current main on 2026-06-09).

Also in this PR

  • fix(react-ui): strip leading BOM before wrapping CSS in @layer openui (cp-css.js) — without this, dist/components/index.css, dist/styles/index.css, and dist/styles/markDownRenderer.css shipped with a mid-file BOM that made browsers drop their first rule (verified in Chrome: a BOM-prefixed :root rule inside the layer does not apply; the same rule without the BOM does). Caught during pre-publish tarball inspection; never shipped publicly.

Changelog

@openuidev/react-ui 0.12.0

Changed — component CSS now ships inside @layer openui (#589, #621)

Every published component stylesheet — the components.css aggregate and each per-component file under ./styles/* — is wrapped in @layer openui { ... }. Since unlayered CSS always beats layered CSS, plain app rules like .openui-button-base-primary { background: hotpink; } now override OpenUI without !important or specificity hacks. ./defaults.css (theme tokens) and ThemeProvider's runtime style injection intentionally stay unlayered so runtime theming keeps winning. (Component JS does not import CSS — stylesheets are loaded explicitly, as before.)

Migration:

  • Tailwind v3 / CSS Modules / CSS-in-JS / plain CSS — nothing to do; you can delete old !important workarounds.
  • Tailwind v4 — pin layer order in your entry stylesheet, and import OpenUI CSS from exactly one place: 
    @layer theme, base, openui, components, utilities;
@import "@openuidev/react-ui/components.css";
@import "tailwindcss";
  • Unlayered global resets (* { margin: 0 }, :where(...)-based) now beat OpenUI styles regardless of specificity — wrap them in a lower layer, e.g. @layer base { ... }.
  • Browser floor: cascade layers need Chrome/Edge 99+, Firefox 97+, Safari 15.4+ (March 2022). Older browsers drop the layered block entirely and render components unstyled — stay on 0.11.x if you support them. The package now declares "browserslist": "defaults and supports css-cascade-layers".

Security — react-syntax-highlighter ^15.6.1 → ^16.1.1 (#577)

Removes the DOM-clobbering-vulnerable prismjs 1.27 (CVE-2024-53382) that v15 pinned via refractor 3 — semver could never resolve a patched copy on 15.x, so the major bump is the only consumer-side fix. Affects CodeBlock and fenced code in markdown rendering; react-ui's public API is unchanged and no peer deps changed. Fresh installs also pick up patched lodash-es/lodash ≥ 4.18 (incl. high-severity _.template CVE-2026-4800) and mdast-util-to-hast 13.2.1 within existing ranges — refresh your lockfile.

Heads-up: refractor 5 is ESM-only, so require()-ing @openuidev/react-ui from CommonJS (CJS SSR, Jest without ESM) needs Node ≥ 20.19 / ≥ 22.12. If your app also depends on react-syntax-highlighter directly, align it to ^16 to avoid shipping two copies. Prism 1.27 → 1.30 grammar updates may subtly change code-block tokenization.

@openuidev/lang-core 0.2.6

Fixed — string-aware parser preprocessing (#605)

  • Markdown fences (```) inside double-quoted string props no longer corrupt parsing — streaming a UI that displays a code snippet now works instead of erroring.
  • // and # on continuation lines of multiline strings are no longer stripped as comments — URLs inside string props survive intact.
  • Apostrophes in surrounding prose ("Here's the code:") no longer confuse fence detection.
  • Applies to parse, createParser, createStreamingParser, and mergeStatements.

Migration: none. Consumers of @openuidev/react-lang / svelte-lang / vue-lang get this transitively (^0.2.5 range) on lockfile refresh — no wrapper republish needed.

@openuidev/cli 0.0.8

Maintenance release — template build scripts moved from Unix shell one-liners to cross-platform Node fs APIs (#601, #627), fixing pnpm install/build for Windows contributors. No functional changes to the published CLI; scaffolded output is identical to 0.0.7.

Pre-publish checklist

  • react-ui tarball spot-check (packed from this branch): dist/components/index.css starts with @layer openui{:root{ — BOM-free; dist/styles/openui-defaults.css is unlayered; 0 BOMs across all 171 shipped CSS files
  • Published manifests contain concrete ranges, not literal catalog: — packed manifest shows react: ^18.3.1 || ^19.0.0, react-dom: ^18.0.0 || ^19.0.0, zustand: ^4.5.5, zod: ^3.25.0 || ^4.0.0, @openuidev/react-headless: ^0.8.2, @openuidev/react-lang: ^0.2.6 (verified with pnpm 9.15.4 — the publish workflow's version — and 10.23.0)
  • Merge this PR, then dispatch the publish workflow per package: react-ui, lang-core, openui-cli

🤖 Generated with Claude Code

@ankit-thesys @claude
chore(release): bump react-ui to 0.12.0, lang-core to 0.2.6, cli to 0…
0d1a02e 
….0.8

Version bumps for the first publish since 2026-05-20 (4b663b9):

- @openuidev/react-ui 0.11.8 -> 0.12.0 (minor): component CSS now ships
  in `@layer openui` (#589/#621) and react-syntax-highlighter moved to
  ^16.1.1 (#577, fixes prismjs CVE-2024-53382)
- @openuidev/lang-core 0.2.5 -> 0.2.6 (patch): parser preserves markdown
  fences and comments inside string props (#605)
- @openuidev/cli 0.0.7 -> 0.0.8 (patch): cross-platform template build
  (#601, #627); no functional changes to the published CLI

Remaining packages have no consumer-visible changes since the last
publish and are not republished; the lang wrappers pick up lang-core
0.2.6 transitively via their ^0.2.5 ranges.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ankit-thesys ankit-thesys force-pushed the release/2026-06-version-bumps branch from 537fa5e to 0d1a02e Compare June 10, 2026 10:19
@ankit-thesys @claude
fix(react-ui): strip leading BOM before wrapping CSS in @layer openui
263df21 
Sass emits a UTF-8 BOM for compressed output containing non-ASCII
characters. At byte 0 the CSS decoder strips it, but wrapInLayer()
concatenated the layer prelude in front of it, pushing the BOM inside
the block where U+FEFF parses as an identifier: `:root` becomes a
type selector that matches nothing, silently killing the first rule.

In the packed 0.12.0 tarball this dropped the entire :root theme-token
block of dist/components/index.css (and the first rule of
dist/styles/index.css and markDownRenderer.css). Verified in Chrome:
the BOM-poisoned rule does not apply; subsequent rules are unaffected.

Strip the BOM before wrapping. Repacked tarball now has 0 BOMs across
all 171 shipped CSS files and the :root block parses correctly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ankit-thesys ankit-thesys requested a review from abhithesys June 10, 2026 10:40
@ankit-thesys ankit-thesys mentioned this pull request Jun 10, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abhithesys abhithesys Awaiting requested review from abhithesys

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ankit-thesys