
feat: rework igo-signal into igo-component#46

Closed
mickael-coquer-igocreate wants to merge 6 commits into v6 from feat/igo-component

@mickael-coquer-igocreate
Contributor

@mickael-coquer-igocreate mickael-coquer-igocreate commented Mar 10, 2026

Summary

  • Rename @igojs/signal package to @igojs/component to better reflect its purpose
  • Add ComponentLoader for automatic client-side component loading
  • Add ComponentController and ComponentHelper for server-side component rendering
  • Add ComponentSplitter in dust package for single-file component compilation
  • Update skeleton project and all references to use the new package name
  • Update documentation (README) for all packages
  • Fix bug in create.js (recursive replaceInDirectory missing replacements parameter)

🤖 Generated with Claude Code

@mickael-coquer-igocreate mickael-coquer-igocreate changed the title Rename @igojs/signal to @igojs/component feat: rework igo-signal into igo-component Mar 10, 2026
@mickael-coquer-igocreate mickael-coquer-igocreate force-pushed the feat/igo-component branch 2 times, most recently from 4586b2f to bf02b28 Compare March 10, 2026 14:12
@mickael-coquer-igocreate
Contributor Author

Code review

Found 1 issue:

  1. Path traversal in templates endpoint -- The templates handler reads req.query.file directly without any validation, while the component endpoint right below it uses SAFE_NAME_RE and a .. check. A request like GET /__component/templates?file=../../../../etc/passwd would attempt to read an arbitrary .dust file on disk. The same SAFE_NAME_RE guard should be applied to templates.

     const templates = async (req, res) => {
       const file = req.query.file;
       const source = await IgoDust.getSource(`${file}.dust`);
       res.json({ file, source });
     };
     // Validate component name to prevent path traversal
     const SAFE_NAME_RE = /^[a-zA-Z0-9_/-]+$/;
     // Serve component data (script + template source) for client hydration
     const component = async (req, res) => {
       const name = req.query.name;
       if (!name || !SAFE_NAME_RE.test(name) || name.includes('..')) {
         return res.status(400).json({ error: 'Invalid component name' });
       }

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.
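
One way to give the templates handler the guard the review asks for, as an added example that is not code from this PR or the igo project. `safeTemplateName`, `makeTemplatesHandler`, the injected `getSource` and the 128-character limit are assumptions; the check is applied per path segment, which is stricter than `SAFE_NAME_RE` because that pattern still matches names with a leading or doubled `/`.

```javascript
// Per-segment allow-list: the characters of SAFE_NAME_RE minus "/".
// Splitting on "/" means empty segments (leading, trailing or doubled
// slashes) and any "." or ".." segment fail the test.
const SAFE_SEGMENT_RE = /^[a-zA-Z0-9_-]+$/;
const MAX_NAME_LENGTH = 128; // assumed limit, not taken from the project

// Returns the validated name, or null when the value must be rejected.
function safeTemplateName(value) {
  // Express yields an array or object for repeated or nested query keys,
  // so anything that is not a plain string is refused up front.
  if (typeof value !== 'string') return null;
  if (value.length === 0 || value.length > MAX_NAME_LENGTH) return null;
  const segments = value.split('/');
  return segments.every((s) => SAFE_SEGMENT_RE.test(s)) ? segments.join('/') : null;
}

// Hypothetical hardened handler. getSource stands in for the template
// loader and is injected so the block runs without the framework.
function makeTemplatesHandler(getSource) {
  return async (req, res) => {
    const file = safeTemplateName(req.query.file);
    if (file === null) {
      return res.status(400).json({ error: 'Invalid template name' });
    }
    const source = await getSource(`${file}.dust`);
    return res.json({ file, source });
  };
}

// Constructed sample inputs, including the request quoted in the review.
const SAMPLES = [
  'components/card',
  '../../../../etc/passwd',
  '/etc/passwd',
  'a//b',
  ['components/card'],
];

// Maps each sample to "accept" or "reject" for a quick visual check.
function classifySamples(samples = SAMPLES) {
  return samples.map((s) => (safeTemplateName(s) === null ? 'reject' : 'accept'));
}

console.log(classifySamples());
```
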

mickael-coquer-igocreate and others added 5 commits April 2, 2026 09:15
# Conflicts:
#	packages/db/README.md
Props are now reactive via StateProxy (same as state) — mutations
trigger re-renders and cascade to child components automatically.
Added client-side @component dust helper so the same syntax works
in both SSR page templates and client-side component templates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@arnaudm arnaudm force-pushed the feat/igo-component branch from c6c1673 to dcf65f7 Compare April 2, 2026 14:36
@arnaudm arnaudm closed this Apr 2, 2026