LearnNewsExamplesServices
Frontmatter
tagName11.19.1
nameNeo.mjs v11.19.1 Release Notes
publishedAt1/9/2026, 8:57:58 PM
isPrerelease
isDraft

Neo.mjs v11.19.1 Release Notes

Release Type: Architectural Hardening & Autonomous Infrastructure
Stability: Production-Ready (Critical Security Patches)
Upgrade Path: Drop-in replacement for v11.19.0

TL;DR: v11.19.1 resolved 33 tickets in 11 hours, moving from the discovery of a critical prototype pollution vulnerability to a fully automated, conflict-free release pipeline. By leveraging the Neural Link for live "Scene Graph" inspection, we replaced guesswork with Empirical Certainty, allowing us to pinpoint "Zombie VNodes" and fix them with surgical precision. This release proves that AI-assisted engineering isn't just about faster codeโ€”it's about higher-fidelity architecture.

๐Ÿ›ก๏ธ The VDOM Firewall: Defensive Instance Isolation

v11.19.1 addresses the most subtle form of state corruption: Blueprint Pollution. We identified a vulnerability where early lifecycle access could corrupt the shared prototype of a component.

The Problem: Shared State Leakage

In a multi-threaded engine, state isolation is the foundation of stability. We discovered that if an afterSetId hook accessed this.vdom during the initial construction phase, it was inadvertently receiving a reference to the Class Prototype. Any modificationโ€”such as assigning an IDโ€”was written directly into the shared blueprint, polluting every subsequent instance of that class.

The Solution: Eager Blueprint Sandboxing

We refactored Neo.component.Base to enforce Eager Isolation.

  • The Firewall: The constructor now intercepts the initialization flow before super.construct() is called. It verifies the VDOM's ownership and clones the blueprint immediately.
  • The Result: Prototype pollution is now architecturally impossible. Every component instance is guaranteed to operate within its own private VDOM Sandbox before any logic layer (hooks or setters) can touch it.
  • Centralized ID Stability: We purged ad-hoc ID logic from the entire component library, routing all root and wrapper ID assignments through the centralized Neo.mixin.VdomLifecycle.ensureStableIds().
  • Impact: This eliminates an entire class of "Heisenbug" state corruption issues that could manifest as random UI glitches in production applications.

๐Ÿ›‘ The "GitHub Pages" Reality Check

We battle-tested v11.19.0 extensively locally. The new "Releases Overview" worked perfectly in our dev environments. But when we deployed the Portal to GitHub Pages, the Release Notes vanished.

  • The Constraint: We discovered that GitHub Pages strictly enforces a "No .github Folder" policy. Even with .nojekyll enabled, and even when the folder is deeply nested inside node_modules, GitHub's serving infrastructure silently refuses to serve any file path containing .github.
  • The Attempts: We tried symlinks. We tried copying the folder during the build. We tried nesting it. The platform said "No."
  • The Pivot: This physical platform constraint forced us to re-architect our content strategy. v11.19.1 moves all synced artifacts (Issues, Release Notes, Archive) from the hidden .github directory to a public-facing resources/content/ structure. This wasn't just a rename; it was a necessary migration to make our "Engine-as-Content" vision compatible with the real world of static hosting.

โš™๏ธ Operational Sovereignty: The Autonomous Release Pipeline

While v11.19.1 hardens the engine for users, it also revolutionizes how we maintain it. We have achieved Operational Sovereignty by automating our release workflow from scratch.

  • Autonomous Infrastructure: We created buildScripts/publishRelease.mjs to eliminate the friction of manual versioning, SEO generation, and conflict resolution.
  • Git Plumbing for Atomic Commits: By using low-level git commit-tree commands, we now snapshot the entire dev branch and project it onto main as a single, clean commit. This bypasses Git's rename detection entirely, turning "Merge Conflict Hell" into an instant, conflict-free operation.

๐ŸŽจ Eliminating Layout Thrash: First-Paint Stability

We've polished the Neo.mjs Portal to match the framework's stability improvements, proving that "Smooth is Fast."

Killing the "Visual Snap"

The Portal previously used a JavaScript ResizeObserver to apply responsive sizing. This created Layout Trashing: the UI would render, the worker would measure it, and the sidebar would "snap" into place. We've replaced this with Native CSS Media Queries. The layout is now perfectly stable from the very first paint frame.

Markdown Hardening

  • Image Containment: We implemented regex-based post-processing in the Markdown component to wrap all images in a scrollable flex-container, preventing side-navigation overlaps.
  • 404 Guardrails: The component now validates its input. If a server returns an HTML 404 page, the component rejects the update, preventing CSP violations and unintended HTML injection from error pages.

๐Ÿ”„ Process Evolution: Neural Link Certainty

This release marks a fundamental shift in AI-assisted engineering. We moved from "Static Guessing" to "Runtime Inspection."

Beyond Static Analysis

When we encountered the prototype pollution issue, we didn't just grep the code. We used the Neural Link to inspect live Scene Graphs.

  • The "Proof" Moment: Instead of assuming pollution might exist, the AI was able to inspect the VNode tree of a live component and state: "Tobi, THIS specific vnode id inside the prototype is the empirical proof."
  • High-Fidelity Testing: This level of introspection allowed us to rapidly generate Playwright unit tests (AutoId.spec.mjs) that perfectly mirrored the engine's internal VDOM/VNode/Component structures, enabling us to simulate, verify, and fix complex race conditions in minutes.

๐Ÿ”„ The SDK Pattern: Code Reuse Across Contexts

The new release automation script (buildScripts/publishRelease.mjs) demonstrates a key architectural pattern: MCP server capabilities are exposed as importable services, allowing them to be used outside AI contexts.

// buildScripts/publishRelease.mjs
// Step 6: Post-Release Cleanup
import { GH_SyncService } from '../ai/services.mjs';

await GH_SyncService.runFullSync(); // Same method agents use via MCP

This "SDK Pattern" proves that our AI infrastructure isn't siloed "magic"โ€”it's composable infrastructure. Build scripts, GitHub Actions, and developer tools can import and execute the same business logic services that power the Neural Link.

Velocity Metrics:

  • Scope: 33 Tickets (#8450 - #8482)
  • Total Duration: 11 Hours, 15 Minutes
  • Workflow: 100% Agent-led Implementation & Verification

๐Ÿ“ฆ Full Changelog

๐Ÿ›ก๏ธ Core & VDOM Hardening

  • Investigate VDOM ID Collisions and Create Reproduction Test (#8465)
  • Prevent Prototype VDOM Mutation in Component.Base afterSetId (#8466)
  • Centralize and Enforce Stable VDOM IDs in VdomLifecycle (#8467)
  • Fix Unit Test Failures after VDOM ID Stabilization (#8468)
  • Audit and Refactor all afterSetId Implementations (#8469)
  • Enhance VDOM AutoId Unit Test Documentation (#8470)
  • Refactor afterSetId in src/button/Base.mjs (#8471)
  • Implement Lazy VDOM Cloning in Component Base (#8472)
  • Refactor afterSetId in Split Button and Grid Body (#8473)
  • Enforce Eager VDOM Cloning in Component Constructor (#8474)
  • Remove redundant ensureStableIds from Button Base (#8475)
  • Refactor Gallery to remove manual afterSetId ID assignment (#8476)
  • Refactor Progress Component ID handling (#8477)
  • Refactor afterSetId in Form Fields to ensureStableIds (#8478)

๐Ÿš€ Portal & UI Enhancements

  • Add validation to Markdown component to reject HTML 404 responses (#8450)
  • Fix Portal Release buttons missing text due to missing name field (#8461)
  • Portal App: Update SectionsList styling to match new transparent design (#8462)
  • Fix Blog List Rendering Artifact in Release View (#8464)
  • Wrap Markdown images in scrollable container (#8479)
  • Constrain Markdown image wrapper width in Portal app (#8480)
  • Fix Portal layout trashing by replacing JS-driven size classes with CSS Media Queries (#8481)
  • Fix Markdown blockquote margin-right to override browser default (#8482)

โš™๏ธ Build & Infrastructure

  • Move GitHub Workflow Sync Target to resources/content (#8451)
  • Update .sync-metadata.json paths to reflect relocation to resources/content/ (#8452)
  • Refactor IssueSyncer to use relative paths in .sync-metadata.json (#8453)
  • Update release index generation to use correct path in resources/content (#8454)
  • Remove obsolete path substring in Release Component (#8455)
  • Automate Release Workflow with Git Squash & Local-First Strategy (#8456)
  • Optimize Release Squash using Git Plumbing (#8457)
  • Integrate Knowledge Base Upload into Publish Release Workflow (#8458)
  • Remove standalone prepare-release script from package.json (#8459)
  • Refactor: Enhance documentation and cleanup comments in publishRelease.mjs (#8460)
  • Disable Neural Link on GitHub Pages (#8463)

All changes delivered in 1 atomic commit: c659e42