Skip to content

feat: remove memoryLimit; add templateLimit, outputLengthLimit, maxDepth#937

Merged
harttle merged 10 commits into
nextfrom
feat/drop-memory-limit
Jul 15, 2026
Merged

feat: remove memoryLimit; add templateLimit, outputLengthLimit, maxDepth#937
harttle merged 10 commits into
nextfrom
feat/drop-memory-limit

Conversation

@harttle

@harttle harttle commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Summary

Test plan

  • npm run build
  • npm test (dos.spec.ts, for.spec.ts)

harttle and others added 2 commits July 11, 2026 15:29
Co-authored-by: Cursor <cursoragent@cursor.com>
Enforce v11 resource guards in render and tags, fix for offset/else behavior, and update tutorials for Tag-class registration.

Co-authored-by: Cursor <cursoragent@cursor.com>
@coveralls

coveralls commented Jul 14, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 29350402930

Warning

No base build found for commit f0b6cd3 on next.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 99.551%

Details

  • Patch coverage: 41 of 41 lines across 13 files are fully covered (100%).

Uncovered Changes

No uncovered changes found.

Coverage Regressions

Requires a base build to compare against. How to fix this →


Coverage Stats

Coverage Status
Relevant Lines: 2971
Covered Lines: 2962
Line Coverage: 99.7%
Relevant Branches: 1041
Covered Branches: 1032
Branch Coverage: 99.14%
Branches in Coverage %: Yes
Coverage Strength: 19001.34 hits per line

💛 - Coveralls

@harttle harttle changed the title feat: remove memoryLimit and add v11 DoS limits feat: remove memoryLimit; add templateLimit, outputLengthLimit, maxDepth Jul 14, 2026
harttle and others added 8 commits July 14, 2026 21:41
Restore the two-example register-filters-tags structure (Value + Hash)
and undo unrelated constructor/emitter doc edits not required for DoS limits.

Co-authored-by: Cursor <cursoragent@cursor.com>
Remove diary-style engine comparisons from security-model.md.
Update render-tag-content tutorial to Tag class examples with tpls class field.

Co-authored-by: Cursor <cursoragent@cursor.com>
Explain why async render does not need maxDepth for stack protection based on generator/toPromise driving.

Co-authored-by: Cursor <cursoragent@cursor.com>
Replace increaseDepth/decreaseDepth with a shared Limiter that supports
paired use/release, matching templateLimit and outputLengthLimit patterns.

Co-authored-by: Cursor <cursoragent@cursor.com>
Restore misc.ts from origin/next with LF line endings and re-apply only
memoryLimit removal, avoiding CRLF and blank-line churn in the export block.

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
docs: restructure security model with production guidance
Co-authored-by: Cursor <cursoragent@cursor.com>
Drop try/finally around depthLimit in include, layout, and render; release at generator end. Consolidate production guidance in security-model.md. Fix padded-blocks lint in dos.spec.ts.

Co-authored-by: Cursor <cursoragent@cursor.com>
@harttle
harttle merged commit 61ed163 into next Jul 15, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants