chore: release v6.6.3

package.json

@@ -1,6 +1,6 @@
 {
     "name": "lwc-monorepo",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "private": true,
     "description": "Lightning Web Components",
     "repository": {
@@ -12,7 +12,7 @@
         "lint": "eslint packages/ scripts/ --ext=js,mjs,ts,only,skip",
         "format": "prettier --write .",
         "bundlesize": "node scripts/bundlesize/bundlesize.mjs",
-        "build": "nx run-many --target=build --all --exclude=@lwc/perf-benchmarks,@lwc/perf-benchmarks-components,@lwc/integration-tests,lwc",
+        "build": "nx run-many --target=build --exclude=@lwc/perf-benchmarks,@lwc/perf-benchmarks-components,@lwc/integration-tests,lwc",
         "build:performance": "yarn build:performance:components && yarn build:performance:benchmarks",
         "build:performance:components": "nx build @lwc/perf-benchmarks-components",
         "build:performance:benchmarks": "nx build @lwc/perf-benchmarks",

packages/@lwc/aria-reflection/package.json

@@ -4,7 +4,7 @@
         "You can safely modify dependencies, devDependencies, keywords, etc., but other props will be overwritten."
     ],
     "name": "@lwc/aria-reflection",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "description": "ARIA element reflection polyfill for strings",
     "keywords": [
         "aom",

packages/@lwc/babel-plugin-component/package.json

@@ -4,7 +4,7 @@
         "You can safely modify dependencies, devDependencies, keywords, etc., but other props will be overwritten."
     ],
     "name": "@lwc/babel-plugin-component",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "description": "Babel plugin to transform a LWC module",
     "keywords": [
         "lwc"
@@ -43,8 +43,8 @@
     },
     "dependencies": {
         "@babel/helper-module-imports": "7.24.3",
-        "@lwc/errors": "6.6.2",
-        "@lwc/shared": "6.6.2",
+        "@lwc/errors": "6.6.3",
+        "@lwc/shared": "6.6.3",
         "line-column": "~1.0.2"
     },
     "devDependencies": {

packages/@lwc/compiler/package.json

@@ -4,7 +4,7 @@
         "You can safely modify dependencies, devDependencies, keywords, etc., but other props will be overwritten."
     ],
     "name": "@lwc/compiler",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "description": "LWC compiler",
     "keywords": [
         "lwc"
@@ -43,16 +43,16 @@
     },
     "dependencies": {
         "@babel/core": "7.24.4",
-        "@babel/plugin-proposal-async-generator-functions": "7.20.7",
-        "@babel/plugin-proposal-class-properties": "7.18.6",
-        "@babel/plugin-proposal-object-rest-spread": "7.20.7",
+        "@babel/plugin-transform-async-generator-functions": "7.24.3",
         "@babel/plugin-transform-async-to-generator": "7.24.1",
+        "@babel/plugin-transform-class-properties": "7.24.1",
+        "@babel/plugin-transform-object-rest-spread": "7.24.5",
         "@locker/babel-plugin-transform-unforgeables": "0.20.0",
-        "@lwc/babel-plugin-component": "6.6.2",
-        "@lwc/errors": "6.6.2",
-        "@lwc/shared": "6.6.2",
-        "@lwc/ssr-compiler": "6.6.2",
-        "@lwc/style-compiler": "6.6.2",
-        "@lwc/template-compiler": "6.6.2"
+        "@lwc/babel-plugin-component": "6.6.3",
+        "@lwc/errors": "6.6.3",
+        "@lwc/shared": "6.6.3",
+        "@lwc/ssr-compiler": "6.6.3",
+        "@lwc/style-compiler": "6.6.3",
+        "@lwc/template-compiler": "6.6.3"
     }
 }

packages/@lwc/compiler/src/transformers/javascript.ts

@@ -5,19 +5,17 @@
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/MIT
  */
 import * as babel from '@babel/core';
-import { isAPIFeatureEnabled, APIFeature } from '@lwc/shared';
-import babelClassPropertiesPlugin from '@babel/plugin-proposal-class-properties';
-import babelObjectRestSpreadPlugin from '@babel/plugin-proposal-object-rest-spread';
-import lwcClassTransformPlugin from '@lwc/babel-plugin-component';
-import lockerBabelPluginTransformUnforgeables from '@locker/babel-plugin-transform-unforgeables';
+import babelAsyncGeneratorFunctionsPlugin from '@babel/plugin-transform-async-generator-functions';
 import babelAsyncToGenPlugin from '@babel/plugin-transform-async-to-generator';
-import babelAsyncGeneratorFunctionsPlugin from '@babel/plugin-proposal-async-generator-functions';
-
+import babelClassPropertiesPlugin from '@babel/plugin-transform-class-properties';
+import babelObjectRestSpreadPlugin from '@babel/plugin-transform-object-rest-spread';
+import lockerBabelPluginTransformUnforgeables from '@locker/babel-plugin-transform-unforgeables';
+import lwcClassTransformPlugin, { type LwcBabelPluginOptions } from '@lwc/babel-plugin-component';
 import { normalizeToCompilerError, TransformerErrors } from '@lwc/errors';
+import { isAPIFeatureEnabled, APIFeature } from '@lwc/shared';
 
 import { NormalizedTransformOptions } from '../options';
 import { TransformResult } from './transformer';
-import type { LwcBabelPluginOptions } from '@lwc/babel-plugin-component';
 
 /**
  * Transforms a JavaScript file.

packages/@lwc/compiler/src/typings/babel.d.ts

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2024, Salesforce, Inc.
+ * All rights reserved.
+ * SPDX-License-Identifier: MIT
+ * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/MIT
+ */
+declare module '@babel/plugin-transform-async-generator-functions' {
+    const props: any;
+    export = props;
+}
+declare module '@babel/plugin-transform-class-properties' {
+    const props: any;
+    export = props;
+}
+declare module '@babel/plugin-transform-object-rest-spread' {
+    const spread: any;
+    export = spread;
+}
+declare module '@babel/plugin-transform-async-to-generator' {
+    const props: any;
+    export = props;
+}

packages/@lwc/engine-core/package.json

@@ -4,7 +4,7 @@
         "You can safely modify dependencies, devDependencies, keywords, etc., but other props will be overwritten."
     ],
     "name": "@lwc/engine-core",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "description": "Core LWC engine APIs.",
     "keywords": [
         "lwc"
@@ -42,9 +42,9 @@
         }
     },
     "dependencies": {
-        "@lwc/features": "6.6.2",
-        "@lwc/shared": "6.6.2",
-        "@lwc/signals": "6.6.2"
+        "@lwc/features": "6.6.3",
+        "@lwc/shared": "6.6.3",
+        "@lwc/signals": "6.6.3"
     },
     "devDependencies": {
         "observable-membrane": "2.0.0"

packages/@lwc/engine-dom/package.json

@@ -4,7 +4,7 @@
         "You can safely modify dependencies, devDependencies, keywords, etc., but other props will be overwritten."
     ],
     "name": "@lwc/engine-dom",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "description": "Renders LWC components in a DOM environment.",
     "keywords": [
         "lwc"
@@ -42,8 +42,8 @@
         }
     },
     "devDependencies": {
-        "@lwc/engine-core": "6.6.2",
-        "@lwc/shared": "6.6.2"
+        "@lwc/engine-core": "6.6.3",
+        "@lwc/shared": "6.6.3"
     },
     "lwc": {
         "modules": [

packages/@lwc/engine-server/package.json

@@ -4,7 +4,7 @@
         "You can safely modify dependencies, devDependencies, keywords, etc., but other props will be overwritten."
     ],
     "name": "@lwc/engine-server",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "description": "Renders LWC components in a server environment.",
     "keywords": [
         "lwc"
@@ -42,9 +42,9 @@
         }
     },
     "devDependencies": {
-        "@lwc/engine-core": "6.6.2",
-        "@lwc/rollup-plugin": "6.6.2",
-        "@lwc/shared": "6.6.2",
+        "@lwc/engine-core": "6.6.3",
+        "@lwc/rollup-plugin": "6.6.3",
+        "@lwc/shared": "6.6.3",
         "@parse5/tools": "^0.4.0",
         "@rollup/plugin-virtual": "^3.0.1",
         "parse5": "^7.1.2"

packages/@lwc/engine-server/src/__tests__/validate-style-text-contents.spec.ts

@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2024, Salesforce, Inc.
+ * All rights reserved.
+ * SPDX-License-Identifier: MIT
+ * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/MIT
+ */
+import { validateStyleTextContents } from '../utils/validate-style-text-contents';
+
+// See https://html.spec.whatwg.org/multipage/syntax.html#cdata-rcdata-restrictions
+describe('validateStyleTextContents', () => {
+    it('throws an error for invalid style text content', () => {
+        const invalidStrings = [
+            '</style\t',
+            '</style\n',
+            '</style\f',
+            '</style\r',
+            '</style ',
+            '</style>',
+            '</style/',
+        ];
+
+        for (const invalidString of invalidStrings) {
+            expect(() => validateStyleTextContents(invalidString)).toThrow(
+                /CSS contains unsafe characters/
+            );
+            expect(() => validateStyleTextContents(invalidString.toUpperCase())).toThrow(
+                /CSS contains unsafe characters/
+            );
+        }
+    });
+
+    it('does not throw for valid text content', () => {
+        const validStrings = ['</style', '</ style>', `data-foo="<>'&"] {}`, `data-foo='"'] {}`];
+
+        for (const validString of validStrings) {
+            expect(() => validateStyleTextContents(validString)).not.toThrow();
+            expect(() => validateStyleTextContents(validString.toUpperCase())).not.toThrow();
+        }
+    });
+});

packages/@lwc/engine-server/src/serializer.ts

@@ -108,7 +108,6 @@ function serializeTextContent(contents: string, tagName?: string) {
     if (tagName === 'style') {
         // Special validation for <style> tags since their content must be served unescaped, and we need to validate
         // that the contents are safe to serialize unescaped.
-        // TODO [#3454]: move this validation to compilation
         validateStyleTextContents(contents);
         // If we haven't thrown an error during validation, then the content is safe to serialize unescaped
         return contents;

packages/@lwc/engine-server/src/utils/validate-style-text-contents.ts

@@ -5,44 +5,45 @@
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/MIT
  */
 
-import * as parse5 from 'parse5';
-import { DocumentFragment } from '@parse5/tools';
-
-function isSingleStyleNodeContainingSingleTextNode(node: DocumentFragment) {
-    if (node.childNodes.length !== 1) {
-        return false;
-    }
-
-    const style = node.childNodes[0];
-
-    if (style.nodeName !== 'style' || style.childNodes.length !== 1) {
-        return false;
-    }
-
-    const textNode = style.childNodes[0];
-
-    return textNode.nodeName === '#text';
-}
+/**
+ * Per the HTML spec on restrictions for "raw text elements" like `<style>`:
+ *
+ * > The text in raw text and escapable raw text elements must not contain any occurrences of the string
+ * > "</" (U+003C LESS-THAN SIGN, U+002F SOLIDUS) followed by characters that case-insensitively match the tag name of
+ * > the element followed by one of:
+ * > - U+0009 CHARACTER TABULATION (tab)
+ * > - U+000A LINE FEED (LF)
+ * > - U+000C FORM FEED (FF)
+ * > - U+000D CARRIAGE RETURN (CR)
+ * > - U+0020 SPACE
+ * > - U+003E GREATER-THAN SIGN (>), or
+ * > - U+002F SOLIDUS (/)
+ * @see https://html.spec.whatwg.org/multipage/syntax.html#cdata-rcdata-restrictions
+ */
+const INVALID_STYLE_CONTENT = /<\/style[\t\n\f\r >/]/i;
 
 /**
- * The text content inside `<style>` is a special case. It is _only_ rendered by the LWC engine itself; <style> tags
- * are disallowed inside of templates. Also, we want to avoid over-escaping, since CSS containing strings like
- * `&amp;` and `&quot;` is not valid CSS (even when inside a `<style>` element).
+ * The text content inside `<style>` is a special case. It is _only_ rendered by the LWC engine itself; `<style>` tags
+ * are disallowed inside of HTML templates.
+ *
+ * The `<style>` tag is unusual in how it's defined in HTML. Like `<script>`, it is considered a "raw text element,"
+ * which means that it is parsed as raw text, but certain character sequences are disallowed, namely to avoid XSS
+ * attacks like `</style><script>alert("pwned")</script>`.
+ *
+ * This also means that we cannot use "normal" HTML escaping inside `<style>` tags, e.g. we cannot use `&lt;`,
+ * `&gt;`, etc., because these are treated as-is by the HTML parser.
+ *
  *
- * However, to avoid XSS attacks, we still need to check for things like `</style><script>alert("pwned")</script>`,
- * since a user could use that inside of a *.css file to break out of a <style> element.
  * @param contents CSS source to validate
  * @throws Throws if the contents provided are not valid.
+ * @see https://html.spec.whatwg.org/multipage/syntax.html#raw-text-elements
  * @see https://github.com/salesforce/lwc/issues/3439
  * @example
  * validateStyleTextContents('div { color: red }') // Ok
  * validateStyleTextContents('</style><script>alert("pwned")</script>') // Throws
  */
 export function validateStyleTextContents(contents: string): void {
-    // If parse5 parses this as more than one `<style>` tag, then it is unsafe to be rendered as-is
-    const fragment = parse5.parseFragment(`<style>${contents}</style>`);
-
-    if (!isSingleStyleNodeContainingSingleTextNode(fragment)) {
+    if (INVALID_STYLE_CONTENT.test(contents)) {
         throw new Error(
             'CSS contains unsafe characters and cannot be serialized inside a style element'
         );

packages/@lwc/errors/package.json

@@ -4,7 +4,7 @@
         "You can safely modify dependencies, devDependencies, keywords, etc., but other props will be overwritten."
     ],
     "name": "@lwc/errors",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "description": "LWC Error Utilities",
     "keywords": [
         "lwc"

packages/@lwc/features/package.json

@@ -4,7 +4,7 @@
         "You can safely modify dependencies, devDependencies, keywords, etc., but other props will be overwritten."
     ],
     "name": "@lwc/features",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "description": "LWC Features Flags",
     "keywords": [
         "lwc"
@@ -42,6 +42,6 @@
         }
     },
     "dependencies": {
-        "@lwc/shared": "6.6.2"
+        "@lwc/shared": "6.6.3"
     }
 }