refactor: v2 release

[wmertens]

This PR is for showing progress on v2, and having installable npm packages.

DO NOT MERGE

The changes are meant to be readable and maintainable, so if things are unclear please let us know.

[changeset-bot]

🦋 Changeset detected

Latest commit: 338ac31

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/core@6903

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/router@6903

npm i https://pkg.pr.new/QwikDev/qwik/eslint-plugin-qwik@6903

npm i https://pkg.pr.new/QwikDev/qwik/create-qwik@6903

commit: 338ac31

[github-actions]

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name	Status	Preview	Last Commit
qwik-docs	✅ Ready (View Log)	Visit Preview	338ac31

To fix the problem, we need to ensure that entry.filePath is properly sanitized before being used in the dynamically generated JavaScript code. We can achieve this by escaping potentially dangerous characters in the entry.filePath string. This can be done by implementing a function similar to escapeUnsafeChars from the example provided in the background section.

1. Implement a function escapeUnsafeChars to escape potentially dangerous characters.
2. Use this function to sanitize entry.filePath before including it in the generated code.

The best fix is to replace String(e || 'Error') in the HTTP response body with a generic error message that does not provide any implementation details (e.g., "An unexpected error occurred."). The actual exception's details (e) should still be logged to the server console (as is already done with console.error(e)), so as not to lose valuable debugging information. Specifically:

• In the catch block starting on line 90, modify the Response creation to use a hard-coded generic error message instead of stringifying the caught exception.
• No new imports or methods are needed, as logging is already in place.

---

To fix the issue, we should replace String(e || 'Error') in the error response with a generic message, e.g. "An internal server error occurred", and log the actual error on the server using console.error(e).

• Don't send details about the error, including stack traces or error messages, in the HTTP response.
• Only log the error server-side so developers can triage it.
• Make this change only where the error is sent in the HTTP response in file packages/qwik-router/src/middleware/bun/index.ts, specifically in the catch block on lines 115–121.

---

To fix the problem, do not return the raw stringified exception (String(e)) in the HTTP response to the client. Instead, return a generic error message such as "Internal Server Error" or "An error occurred". Retain the current behavior of logging the full details (console.error(e);) on the server so developers can still perform diagnosis. The actual code change is to update line 170 in the staticFile handler to send only a generic message instead of the stringified error. No new methods or definitions are necessary, and there is no need to add an external logging library unless requested—the existing console.error is sufficient.

---

To fix the information exposure issue, the error handling code (specifically within the catch (e: any) block at or after line 127 in packages/qwik-router/src/middleware/cloudflare-pages/index.ts) should be updated so that the HTTP response to the user does not include any information from the caught exception. Instead, return a generic error message such as "Internal Server Error" or "An unexpected error occurred". The detailed error (including stack trace/message) should continue to be logged server-side using console.error(e);.
No additional imports or methods are required to implement the fix, as the existing logging mechanism is sufficient. Only the return statement in the catch block needs to be modified.

---

To fix the problem, modify the router's error-returning code (lines 91–97). Instead of passing potentially sensitive contents of the error (such as a stack trace or message) to the Response body, return a generic error message like "Internal Server Error". Server-side logging (console.error(e)) should be retained for debugging. Only the router function's catch block (lines 91–97) needs changing; other usages (such as in the notFound handler) may remain unless similarly problematic and flagged, but should be checked separately.

No new imports or dependencies are required for this fix because the solution only involves modifying the content of the error message sent in the response body.

To fix the issue, we should avoid sending stack trace or error object details to the client within error responses. Instead, send a generic message like "Internal Server Error" or "An unexpected error occurred." For server-side debugging, the full error (including stack trace) should be logged using console.error(e) as is already done. Specifically, in packages/qwik-router/src/middleware/deno/index.ts, on line 118 inside the catch block of the notFound handler, change new Response(String(e || 'Error'), ...) to new Response("Internal Server Error", ...) (or a similarly generic message). No new methods or imports are needed, as logging is already present.

To fix this information exposure, we should make sure that the client only ever receives a generic error message, such as "Internal Server Error" or "An error occurred", instead of the actual error message or stack trace. The detailed error should still be logged on the server for debugging purposes, as is already done with console.error(e).

How to apply the fix:

• Change the response on line 163 to return a constant string like "An error occurred" or "Internal Server Error" instead of using the stringified error object.
• This change should only affect the call to the Response constructor in the catch block inside the staticFile function, so that existing behavior (server-side logging) remains unchanged and error information is still available to developers.

Files/Regions/Lines to change:

• File: packages/qwik-router/src/middleware/deno/index.ts
• Editing the return statement at line 163.

What is needed:

• No additional imports or utility methods are required, as the fix is a literal string substitution.

---

To fix the problem, the error handler should return a generic error message to the user rather than exposing the details of the thrown error object. The stack trace and error details should be logged on the server (using console.error(e) as is currently done) but not exposed in the body of the HTTP response. In this file, specifically, we need to change line 91 so that the response always contains a generic message, such as "Internal Server Error" or "An unexpected error occurred". No new imports are needed—just modify the error response construction to avoid passing String(e) to the client.

---

To fix this issue, we should ensure that error details sent back to clients do not expose stack traces, implementation details, or server-side file paths. Instead, only a generic error message ("Internal Server Error" or similar) should be returned in the HTTP response, while details should be logged server-side for debugging purposes.

Specifically, in packages/qwik-router/src/middleware/vercel-edge/index.ts, within the catch block at line 116, only a generic error message should be sent in the response, while the detailed error (e) should continue to be logged using console.error(e). The relevant code to edit starts at line 116:

• Replace String(e || 'Error') (user-facing) with a safe, generic string like "Internal Server Error".
• No extra dependency is required: logging with console.error suffices for server-side logs.
• Ensure the change is only made at the point of user-facing error creation; the logging remains unchanged.

To fix the problem, you should add a permissions block to the workflow or to the specific job. The best practice is to set the minimal permissions required for the workflow to function. In this case, the workflow uses the styfle/cancel-workflow-action, which typically only needs actions: write permission to cancel workflow runs. Therefore, you should add a permissions block with actions: write at either the workflow root (to apply to all jobs) or at the job level (to apply only to the cancel job). The change should be made in .github/workflows/cancel.yml, above the jobs: key (for workflow-level) or inside the cancel: job (for job-level). No additional imports or definitions are needed.

To fix the issue, the shell command should avoid direct interpolation of environment-derived values. Instead, the execSync call should be replaced with execFileSync, which allows passing arguments separately. This ensures that the shell does not interpret special characters in the tarballOutDir or other dynamically constructed paths.

Steps to fix:

1. Replace the execSync call with execFileSync.
2. Pass the pnpm command and its arguments as separate parameters to execFileSync.
3. Ensure that the tarballOutDir and other paths are passed as arguments, not interpolated into the command string.

---

[github-advanced-security]

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.