
Security News
Next.js moves to scheduled security releases
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.
@czap/core
Advanced tools
Primitives: Boundary, Token, Style, Theme, Signal, DocumentGraph + GraphPatch (the content-addressed IR), AI cast, Compositor, ECS, HLC, DAG, Plan, AVBridge
Creates the definitions — boundaries (named states over a numeric signal), design tokens, styles, themes — that the rest of LiteShip compiles to CSS and evaluates at runtime.
Install this directly when you want the definition primitives without a framework integration. If you're starting a new project, start with liteship or @czap/astro instead.
pnpm add @czap/core effect@beta
effect is the one peer dependency and it must be the Effect 4 beta (effect@beta) — a bare pnpm add effect installs 3.x and fails the peer check.
import { Boundary } from '@czap/core';
const viewport = Boundary.make({
input: 'viewport.width',
at: [
[0, 'mobile'],
[768, 'tablet'],
[1280, 'desktop'],
],
hysteresis: 20,
});
console.log(Boundary.evaluate(viewport, 800)); // 'tablet'
console.log(viewport.id); // 'fnv1a:bf4e9a2f'
Logs tablet (800 sits between the 768 and 1280 thresholds), then the boundary's content address — the same address on every machine, because it is computed from the definition itself. The hysteresis: 20 is a dead zone that stops state flicker right at a threshold.
This is the foundation layer — every other @czap/* package imports its primitives. Its one @czap dependency is @czap/_spine, the shared type declarations its published types reference. Two things commonly assumed to be here live elsewhere: live evaluation against a changing signal is @czap/quantizer, and compiling definitions to CSS text is @czap/compiler. It does own the canonical signal-input vocabulary, though: SignalSource ⇄ SignalInput via sourceToInput/inputToSource — the source of truth for input strings like viewport.width, scroll.progress, audio.amplitude that every host reads through rather than re-parsing. See the
package surfaces map
for the full layout.
Part of LiteShip — powered by the CZAP engine (Content-Zoned Adaptive Projection), distributed as @czap/* packages.
FAQs
The heart of LiteShip: define UI boundaries, tokens, themes, and signals once as a content-addressed graph, then drive the engine that keeps every rendered output in sync.
The npm package @czap/core receives a total of 155 weekly downloads. As such, @czap/core popularity was classified as not popular.
We found that @czap/core demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.