Updates dompurify to 3.4.11 (fixes a leaky config for hooks via setConfig)
and regenerates the committed SocratiQ bundle (npm run build:vite under
node 20) so the shipped widget actually uses the new version. The bundle
build is reproducible (byte-identical across repeated builds).
Combines dependabot #1862 (markdown-it 14.1.1->14.2.0) and #1863
(dompurify 3.4.1->3.4.10) and regenerates the committed widget bundle
(book/quarto/tools/scripts/socratiQ/bundle.js) so it matches the bumped
sources, satisfying the SocratiQ Bundle Drift check that blocked both
dependabot PRs.
- Workflow: default contents:read for jobs without explicit permissions
- audit_math_rendering: match </script> and </style> with optional whitespace
- SocratiQ: tooltip via DOM APIs; iterative HTML stripping; quote normalization
for JSON repair; repeat-until-stable tag cleanup in SR/copy flows
- Rebuild bundle.js for Quarto embed path
vite-plugin-singlefile@2.0.2 declares a peer dependency on
vite ^5.4.11 || ^6.0.0, but socratiq/ pins vite ^8.0.10. npm refused
to resolve the dep tree, so 'npm ci' failed in the SocratiQ Bundle
Drift workflow on every PR that touched socratiq/package-lock.json
— including dependabot bumps for unrelated transitive packages
(see #1538 markdown-it, #1539 solid-js).
vite-plugin-singlefile@2.3.0+ supports vite 5/6/7/8, so a one-line
bump unblocks 'npm ci', which lets the bundle drift check actually
run again.
Also commits the regenerated production bundle and stylesheet to
satisfy the drift check itself.
The new bundle-drift CI guard caught a real inconsistency left over
from #1394: package.json declares "dompurify": "^3.4.0" (added as
part of the security-fix commits), but package-lock.json still
pinned dompurify@2.5.8. As a result:
- npm ci refused to install from the lock (exit code EUSAGE), which
broke both the drift guard and anyone running `npm ci` locally.
- The committed bundle.js was built against the old dompurify, so
the rendered book was silently serving the 2.5.x code instead of
the 3.4.x the package.json declared.
This commit runs `npm install` (lock: 2.5.8 -> 3.4.1) and `npm run
build:vite` to regenerate the bundle from sources that actually
match the declared dependency set. Vite reports 2976 modules
transformed, bundle size 6.6 MB unchanged.
The drift guard should now pass on this branch, validating that the
guard works end-to-end on its introduction PR.
* Restructure: Move book content to book/ subdirectory
- Move quarto/ → book/quarto/
- Move cli/ → book/cli/
- Move docker/ → book/docker/
- Move socratiQ/ → book/socratiQ/
- Move tools/ → book/tools/
- Move scripts/ → book/scripts/
- Move config/ → book/config/
- Move docs/ → book/docs/
- Move binder → book/binder
Git history fully preserved for all moved files.
Part of repository restructuring to support MLSysBook + TinyTorch.
Pre-commit hooks bypassed for this commit as paths need updating.
* Update pre-commit hooks for book/ subdirectory
- Update all quarto/ paths to book/quarto/
- Update all tools/ paths to book/tools/
- Update config/linting to book/config/linting
- Update project structure checks
Pre-commit hooks will now work with new directory structure.
* Update .gitignore for book/ subdirectory structure
- Update quarto/ paths to book/quarto/
- Update assets/ paths to book/quarto/assets/
- Maintain all existing ignore patterns
* Update GitHub workflows for book/ subdirectory
- Update all quarto/ paths to book/quarto/
- Update cli/ paths to book/cli/
- Update tools/ paths to book/tools/
- Update docker/ paths to book/docker/
- Update config/ paths to book/config/
- Maintain all workflow functionality
* Update CLI config to support book/ subdirectory
- Check for book/quarto/ path first
- Fall back to quarto/ for backward compatibility
- Maintain full CLI functionality
* Create new root and book READMEs for dual structure
- Add comprehensive root README explaining both projects
- Create book-specific README with quick start guide
- Document repository structure and navigation
- Prepare for TinyTorch integration