Sourced from just-bash's releases.

just-bash@3.0.2

Patch Changes

• #272 150a915 Thanks @​trieloff! - interpreter: fix UTF-8 mojibake when a script interleaves text-output and byte-output statements

  A single exec() can interleave text-shaped statements (sed, awk, echo — ö as U+00F6) with byte-shaped ones (grep | head, cat — ö as bytes 0xC3 0xB6). executeScript / executeStatement concatenated each result's raw stdout, so the lone high byte from the text half made the combined stream invalid UTF-8, the output-boundary decoder bailed, and the byte half came back as Latin-1 mojibake (Köpenicker for Köpenicker). The same path backs command substitution, so echo "你好: $(cat /file)" was affected too.

  The fix decodes each statement/pipeline result to text via its explicit stdoutKind (decodedTextFromResult) before concatenating — no guessing from string contents, so text whose code units merely look like UTF-8 (ö) is preserved. tac (stdin path) and curl (response body) now declare stdoutKind: "bytes" on the results that forward raw bytes, so the decode is driven per output rather than by inspecting characters.

• #256 75d8dfd Thanks @​Hazzng! - js-exec: fix Buffer shim correctness — ascii encode now uses & 0xff (not & 0x7f), consolidate latin1/ascii into shared _rawEncode, fix Buffer.from(ArrayBuffer, offset, length), throw on invalid byteLength input, clamp negative toString start, throw RangeError for out-of-range write offset

• #239 1369b77 Thanks @​trieloff! - curl: interpret @file for -d/--data, --data-binary, and --data-urlencode

  Real curl reads file contents when these flags are passed @filename:

  • -d @file / --data @file — read file contents, strip CR/LF.
  • --data-binary @file — read file contents verbatim (newlines preserved).
  • --data-urlencode @file — read file, URL-encode the contents.
  • --data-urlencode name@file — prefix the URL-encoded contents with name=.

  just-bash's curl previously passed @filename through verbatim as the HTTP body. Posting JSON or any non-trivial payload via curl --data-binary @payload.json https://... sent the literal string @payload.json instead of the file. The new behavior matches upstream curl; --data-raw keeps the documented "no @ interpretation" semantics.

• #262 4ece258 Thanks @​chernetsov! - parser: don't treat quotes inside a heredoc body as shell quotes when finding the end of a command substitution

  A command substitution whose body contained a heredoc with an unbalanced quote in its body — most commonly an apostrophe in literal prose, e.g. June's — failed to parse with bash: syntax error: ... unexpected EOF while looking for matching ')':

  OUT=$(cat <<'SCRIPT'
  June's moon
  SCRIPT
  )

  Both the lexer's $(...) word scanner and the substitution boundary scanner walked into the heredoc body and applied shell quote tracking to it. The ' in June's opened a single-quoted string that never closed, so the closing ) was swallowed and the scan ran to EOF. In bash a heredoc body is literal text and must be skipped wholesale when locating the substitution boundary.

  Both scanners are now heredoc-aware: when scanning a $(...) they recognize << / <<- operators (but not the <<< here-string), capture the possibly-quoted delimiter, and skip the heredoc body lines literally — without quote or paren tracking — up to the terminator. Multiple heredocs on one line and tab-stripping (<<-) are handled. This fixes the common pattern of capturing the output of a connector/CLI invocation that is fed a heredoc script containing apostrophes, backticks, or parentheses.

  The heredoc scan also tracks arithmetic ((...)) nesting so a << left-shift inside $((...)) (or a nested arithmetic expansion) is not mistaken for a heredoc opener — previously a multi-line arithmetic expansion containing a shift, e.g. $((\n1 << 2\n)), had its closing )) swallowed by spurious body-skipping.

... (truncated)

• 38cede9 chore: release (#255)
• bd72734 fix(security): allow process.env.DEBUG proxy writes (#269)
• 150a915 fix(interpreter): decode each statement's stdout via stdoutKind to fix UTF-8 ...
• efabdb7 fix(tar): support GNU old-style bundled option letters (tar czf, tar xf) (#270)
• 9481331 fix(head/tail): read file arguments byte-clean, not UTF-8 (#264)
• 75d8dfd fix(js-exec): honor encoding arg in Buffer.from / toString / write / byteLeng...
• 4ece258 fix(parser): skip heredoc bodies when scanning $(...) command substitution (#...
• fb7ae3c feat(date): use local timezone by default, delegate to strftime (#251)
• c9904de fix(set): support bundled -o in short-flag clusters (set -euo pipefail) (#261)
• dfc5d65 feat(jq): add raw input mode (-R/--raw-input) (#260)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)