0.x

.github/workflows/build-and-test.yml

@@ -2,9 +2,9 @@ name: Build & Test
 
 on:
   push:
-    branches: [main]
+    branches: [main, '0.x']
   pull_request:
-    branches: [main]
+    branches: [main, '0.x']
 
 # Default token to read-only; jobs widen only what they need.
 permissions:
@@ -21,7 +21,7 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
       - name: Setup Node
@@ -48,7 +48,7 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
       - name: Setup Node

.github/workflows/codeql-analysis.yml

@@ -2,9 +2,9 @@ name: CodeQL
 
 on:
   push:
-    branches: [main]
+    branches: [main, '0.x']
   pull_request:
-    branches: [main]
+    branches: [main, '0.x']
   schedule:
     - cron: '0 19 * * 4'
 
@@ -29,7 +29,7 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
       - name: Initialize CodeQL

.github/workflows/scorecard.yml

@@ -38,7 +38,7 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
       - name: Run analysis

.github/workflows/sign-release.yml

@@ -16,7 +16,7 @@ jobs:
       - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: ${{ github.event.release.tag_name }}
           persist-credentials: false

.github/workflows/slsa-provenance.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: ${{ github.event.release.tag_name }}
           persist-credentials: false

dist/fortify.d.ts

@@ -78,18 +78,6 @@ interface DOMFortifyApi {
     status(): Readonly<DOMFortifyStatus> | null;
 }
 
-/**
- * DOMFortify - bolt Trusted Types onto a legacy page so old DOM-XSS sinks get sanitized
- * without touching the code. See README for the full picture; the short version:
- *
- *  - Claims the realm's `default` Trusted Types policy and routes every HTML sink through a
- *    sanitizer. Script sinks (eval, javascript: URLs, script.src) are refused.
- *  - Does NOT switch enforcement on; a CSP does (header best, `<meta>` works).
- *  - Must load FIRST: the default policy is winner-takes-all.
- *  - Fails closed: no sanitizer means sinks throw, never leak.
- *  - Only covers Trusted Types sinks; inline handlers / style / URL props stay open.
- */
-
 declare function init(options?: DOMFortifyConfig): Readonly<DOMFortifyStatus>;
 declare function status(): Readonly<DOMFortifyStatus> | null;
 declare const DOMFortify: DOMFortifyApi;