
@spectrum-web-components/asset
Use an `<sp-asset>` element to visually represent a file, folder or image in your application. File and folder representations will center themselves horizontally and vertically in the space provided to the element. Images will be contained to the element, growing to the element's full height while centering itself within the width provided.
yarn add @spectrum-web-components/asset
Import the side effectful registration of `<sp-asset>` via:
import '@spectrum-web-components/asset/sp-asset.js';
When looking to leverage the `Asset` base class as a type and/or for extension purposes, do so via:
import { Asset } from '@spectrum-web-components/asset';
<sp-asset style="height: 128px">
<img src="https://picsum.photos/500/500" alt="Demo Image" />
</sp-asset>
<div class="flex">
<sp-asset variant="file"></sp-asset>
<sp-asset variant="file" label="Named File Asset"></sp-asset>
</div>
<div class="flex">
<sp-asset variant="folder"></sp-asset>
<sp-asset variant="folder" label="Named Folder Asset"></sp-asset>
</div>
1.8.0 (2025-09-23)
sp-picker: Fixed escape key behavior in modal overlays containing picker components. Previously, pressing the Escape key when a picker was open inside a modal overlay would not properly close the modal, instead moving focus to the picker. Now, the escape key correctly closes the picker first (if open), then closes the modal overlay on subsequent escape key presses.
This fix adds a check for `this.open` in the picker's `handleEscape` method to ensure proper modal overlay closure behavior.
sp-overlay: Added `allow-outside-click` property to `<sp-overlay>` with deprecation notice. This property allows clicks outside the overlay to close it, but is not recommended for accessibility reasons and will be removed in a future version.
This property is being added as deprecated to support the fallback for `showModal()` which was removed as part of performance optimization. We will no longer support outside clicks for modal overlays as they violate accessibility guidelines.
The property defaults to `false` and shows deprecation warnings when used. Consider using explicit close buttons or modal/page overlay types instead for better accessibility.
sp-menu: Fixed : Fix iPad scrolling issue in picker dropdown where scrolling through menu items would accidentally select the first touched item and close the picker.
The fix implements touch gesture detection to distinguish between scrolling and selection. Added `isScrolling` getter for public API access. Test on iPad devices with long menus to validate scrolling behavior and selection accuracy.
sp-overlay: Fixed : Added body scroll prevention for modal and page overlays. Overlay automatically blocks body scroll when modal or page overlays are open and restores the original scroll state when they are closed, improving user experience and accessibility for modal dialogs.
sp-clear-button: Clear button styles have been updated to the latest Spectrum CSS version of the clear button. This update includes a major reduction in the number of custom property abstractions needed to support the multiple theming layers (as seen in the `styles` package).
This update spans the following additional packages:
As the updated styles now offer additional styling options, we have added the following API to the clear button component that exists in the `button` package:
`quiet` - when set to true, the button will be rendered as a quiet button. This is useful for cases where you want to use the clear button in a more subtle way.
`disabled` - when set to true, the button will be rendered as a disabled button.
`static-color` - currently this only supports the `white` context color. This is useful for cases where the button appears on a dark background texture. This is a replacement for the previously used `variant="overBackground"` attribute which is deprecated.
The `variant="overBackground"` attribute is deprecated; please use the new `static-color="white"` attribute instead. When this property is used in the component, a deprecation warning will be shown in the console when in debug mode. The `variant` attribute will be removed in a future release.
sp-card: Fixed the card component's CSS by moving `block-size: 100%` from the base `:host` selector to only apply to `gallery` and `quiet` variants.
sp-overlay: Fixed : external click registration behavior in the `sp-overlay` component. Programmatic clicks on elements outside of modal overlays now properly register and close the overlay, while user-initiated clicks are prevented from doing so.
sp-card: Enhanced the Card component's checkbox functionality with improved screen reader support and keyboard navigation.
sp-progress-bar: Added: Deprecation warning for the over-background attribute.
sp-combobox: Replace the use of offsetWidth with a resizeObserver to avoid unnecessary, performance-impacting layout reflows.
sp-styles: Bring the CJK font alias token fix from CSS #3883 4e3a120.
The `--spectrum-cjk-font` token was incorrectly mapped to the code font-family stack instead of `--spectrum-cjk-font-family-stack`. Thanks @byteakp!
sp-color-wheel: Fixed `<sp-color-wheel>` step attribute functionality for keyboard navigation. The step attribute now properly controls the increment size when using arrow keys to navigate the color wheel.
sp-switch: Fix down state colors for switch
Because the `postcss-hover-media-feature` plugin converts hover styles into a media query for devices that support hover, the hover styles were overriding any active/down state styles. We needed to target the active/down states of the switch with additional active state selectors, in order to ensure that the active state takes precedence over the hover state, maintaining the correct visual behavior of the switch component across different interaction states.
This fix should address hover + active state discrepancies in S1 and S2 foundations.
sp-contextual-help: Fixed a typo in the default `info` variant label from "Informations" to "Information".
Additionally, added package dependency for `@spectrum-web-components/reactive-controllers@1.7.0`.
sp-slider: Editable sliders will now reliably emit `input` events when interaction starts with the track.
sp-link: Fixed quiet variant links not showing keyboard focus state in Safari. Links with the `quiet` attribute now properly display focus indicators when navigating with keyboard, improving accessibility for keyboard users.
sp-progress-bar: Smooths the transition animation of indeterminate progress bar by overriding the incoming CSS, and positioning the animating fill element completely off of the progress bar track in both LTR and RTL languages. Before, the fill element was automatically starting on the track which led to a jarring animation loop.
sp-divider: Added: `staticColor` property to the Divider component, enabling programmatic control of the existing static color functionality.
FAQs
The npm package @spectrum-web-components/asset receives a total of 3,142 weekly downloads. As such, @spectrum-web-components/asset popularity was classified as popular.
We found that @spectrum-web-components/asset demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 7 open source maintainers collaborating on the project.