Anders Kaseorg

[24.1.0 regression] Unsandboxed preload is restricted by Content-Security-Policy, but only after `readyState` becomes `interactive`

7

### Preflight Checklist - [x] I have read the [Contributing Guidelines](https://github.com/electron/electron/blob/main/CONTRIBUTING.md) for this project. - [x] I agree to follow the [Code of Conduct](https://github.com/electron/electron/blob/main/CODE_OF_CONDUCT.md) that this project adheres to. -...

`__mf` crashes with `EvalError` under a restrictive Content-Security-Policy

3

When using `__mf` in a website with a Content-Security-Policy that does not allow `unsafe-eval`, `__mf` crashes with `EvalError: Code generation from strings disallowed for this context`. The upstream issue suggests...

Don’t post-process the `MessageFormat` output in `__mf`

2

The output from the `MessageFormat` compiled function may contain arbitrary user-provided content, and cannot safely be re-parsed as an interval string, Mustache template, or `printf` format string. - Fixes #544.

Switch from `@messageformat/core` to `intl-messageformat`

1

In a website with a `Content-Security-Policy` that does not allow `unsafe-eval`, the `@messageformat/core` compiler crashes with `EvalError`, and upstream has no plans to address that; they recommend pre-compiling all functions...

One would expect this call to be safe, even if `name` is user-provided: ```js i18n.__mf('Hello, {name}!', {name}) ``` But instead, `__mf` unexpectedly reinterprets the value of `name` as Mustache template...

[3.6 regression] Semantically changes Markdown loose list to tight list

4

**Prettier 3.6.2** [Playground link](https://prettier.io/playground/#N4Igxg9gdgLgprEAuEBaABAQwDpV+9DAI1xABoQIAHGAS2gGdlRMAnViAdwAU2EmUmADadMATyYUirTGADWcGAGVMAWzgAZWlDjIAZsIZwKEIgCs4YGAHUZVZCCqs4R1gDddUmfMVKqs7QBzZBhWAFdjECNVWhDwyLgADyo4Vlp1WGEAeRSZGAhWbggGWjpoBwQAE3IQJNz0hBhhABVUqDZaF31DSJKoQKE4AEUwiHhuoSMKMwZEpSDBkbHdJANJyIBHUfhuDioBEEwGVB04SrOa0MxaISCAYQhVVUwHYSEavoG4AEEYUNoiGEdqktDoJlMQAALGCqITWSGlFz+MBwJT8Uq0NylMQOMAMSQgNwRACSUHOsCUYDSNG+ZKUMDEg3BkScxTgtkw9hQThcqQ8NW0rhgu0wgWezIo-lYrgcz1YckqXCgNSc2hstEqMEhyAAHAAGCjOLa0ZwisUvVY9ChNIjWDVa5AAJgoYSMzUwRAEawhcFURDO50qGkw-TCorgADECs8-kFXkCICAAL5JoA) ```sh # Options (if any): --parser markdown ``` **Input:** ```md - a - b ``` **Output:** ```md - a - b ``` **Expected output:** ```md -...

Enable `exactOptionalPropertyTypes` in TypeScript configuration

1

This will help prevent regressions similar to #6033 in the future.

debug: Enable jquery-migrate plugin in development

2

This [plugin](https://github.com/jquery/jquery-migrate) warns us about our use of [deprecated jQuery features](https://github.com/jquery/jquery-migrate/blob/master/warnings.md) in the console. It turns out we have a lot of them. ``` JQMIGRATE: jQuery.fn.keydown() event shorthand is deprecated...

login: Append hash to the next URL, not the form action

2

**Testing Plan:** Dev server.

The `@stylistic/curly-newline` rule was introduced in [`[email protected]`](https://github.com/eslint-stylistic/eslint-stylistic/releases/tag/v2.9.0), and conflicts with Prettier depending on configuration (such as the configuration [enabled by eslint-config-xo](https://github.com/xojs/eslint-config-xo/blob/v0.49.0/index.js#L109-L112)). Minimal test case: **`eslint.config.mjs`** ```js import eslintConfigPrettier from "eslint-config-prettier/flat";...