chore: sync quickjs-ng release v0.15.0

deps/quickjs-release.env

@@ -1,5 +1,5 @@
 QUICKJS_NG_REPO="quickjs-ng/quickjs"
-QUICKJS_NG_TAG="v0.14.0"
-QUICKJS_NG_TARBALL_URL="https://api.github.com/repos/quickjs-ng/quickjs/tarball/v0.14.0"
-QUICKJS_NG_RELEASE_URL="https://github.com/quickjs-ng/quickjs/releases/tag/v0.14.0"
-QUICKJS_NG_RELEASED_AT="2026-04-11T07:37:57Z"
+QUICKJS_NG_TAG="v0.15.0"
+QUICKJS_NG_TARBALL_URL="https://api.github.com/repos/quickjs-ng/quickjs/tarball/v0.15.0"
+QUICKJS_NG_RELEASE_URL="https://github.com/quickjs-ng/quickjs/releases/tag/v0.15.0"
+QUICKJS_NG_RELEASED_AT="2026-05-21T20:51:23Z"

deps/quickjs/.github/workflows/ci.yml

@@ -444,7 +444,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: mymindstorm/setup-emsdk@v15
+      - uses: mymindstorm/setup-emsdk@v16
       - name: check emsdk
         run: emcc -v
       - name: build

deps/quickjs/.github/workflows/docs.yml

@@ -24,7 +24,7 @@ jobs:
         working-directory: ./docs
         run: npm run build
       - name: Upload Build Artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@v5
         with:
           path: docs/build
 

deps/quickjs/.github/workflows/release.yml

@@ -156,7 +156,7 @@ jobs:
       - run: ls -R build
       - name: release
         if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           files: |
             build/*

deps/quickjs/CMakeLists.txt

@@ -108,7 +108,7 @@ if(NOT SUNOS)
 xcheck_add_c_compiler_flag(-funsigned-char)
 endif()
 
-# Clang on Windows without MSVC command line fails because the codebase uses 
+# Clang on Windows without MSVC command line fails because the codebase uses
 # functions like strcpy over strcpy_s
 if(CMAKE_C_COMPILER_ID STREQUAL "Clang" AND WIN32 AND NOT MSVC)
     add_compile_definitions(_CRT_SECURE_NO_WARNINGS)
@@ -381,6 +381,8 @@ add_qjs_libc_if_needed(qjs_exe)
 add_static_if_needed(qjs_exe)
 set_target_properties(qjs_exe PROPERTIES
     OUTPUT_NAME "qjs"
+    PDB_NAME "qjs_cli"
+    COMPILE_PDB_NAME "qjs_cli"
 )
 target_compile_definitions(qjs_exe PRIVATE ${qjs_defines})
 target_link_libraries(qjs_exe PRIVATE qjs)
@@ -557,7 +559,7 @@ if (QJS_ENABLE_INSTALL)
             RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
             LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
             ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR})
-    install(EXPORT qjsConfig DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/quickjs)
+    install(EXPORT qjsConfig DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/qjs)
     install(FILES LICENSE DESTINATION ${CMAKE_INSTALL_DOCDIR})
     install(DIRECTORY examples DESTINATION ${CMAKE_INSTALL_DOCDIR})
 endif()

deps/quickjs/SECURITY.md

@@ -0,0 +1,96 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities through GitHub's [private vulnerability
+reporting](https://github.com/quickjs-ng/quickjs/security/advisories/new)
+feature, **only if** your report meets the rules below. Reports that do not
+meet these rules should be filed as regular public issues instead.
+
+## Out of Scope
+
+**Bytecode hardening is out of scope.** QuickJS bytecode is not designed for
+adversarial input. Loading untrusted bytecode (e.g. via `JS_ReadObject` with
+`JS_READ_OBJ_BYTECODE`) is equivalent to executing untrusted native code, and
+crashes, memory corruption, or sandbox escapes resulting from malformed or
+malicious bytecode are not considered security vulnerabilities. Only load
+bytecode you produced yourself or obtained from a trusted source. See the
+documentation for `JS_READ_OBJ_BYTECODE` and `JS_READ_OBJ_SAB` for details.
+
+## Rules for Private Reports
+
+Private reporting exists to protect users from issues an attacker could not
+otherwise discover.
+
+**AI-detected bugs are by definition not secret.** If a publicly available
+tool found a bug by reading our public source, anyone else running the same
+tool will find the same bug. Filing such reports privately just produces
+duplicate work since previous reports of the same issue are not visible.
+The right place for these is a public issue, where duplicates are visible and
+the fix discussion is shared.
+
+AI tools are welcome, but use them to add value on top of what the tool
+produced. Read the code, confirm the bug, write a patch, write a test. A
+"drive-by" forward of a tool's raw output, with no real understanding behind
+it, is not a useful report.
+
+Before submitting a private report, ensure all of the following:
+
+- **You have manually verified the bug.** You understand the code path, you
+  have confirmed the issue is real, and you can explain it in your own words
+  without referring back to a tool's output. Reports that you cannot defend
+  on your own should not be filed.
+
+- **You have a working reproducer.** Attach a minimal reproducer (a JS file,
+  or a short C snippet against the public API) that triggers the bug on a
+  recent `master` commit. If you cannot produce one, the report should not be
+  filed privately.
+
+- **Impact is concrete and verifiable.** State what an attacker can actually
+  do (e.g. "out-of-bounds read of N bytes from the heap reachable from any
+  script"), not speculative consequences. Do not enumerate hypothetical
+  downstream impact.
+
+- **The report is concise and in plain text.** No multi-page write-ups, no
+  Markdown decorations, no boilerplate severity tables. Lead with the
+  affected file and function, the trigger, and the impact. If a triager has
+  to scroll to find what is broken, the report is too long.
+
+- **The threat model matches QuickJS.** The bug must be reachable from
+  untrusted JavaScript source running in an otherwise trusted embedder. Bugs
+  that require loading untrusted bytecode, passing crafted values through the
+  C API, or otherwise compromiing the embedder are out of scope (see above).
+
+- **A proposed fix is welcome, and must be tested.** If you include a patch,
+  it should compile, pass the existing test suite, and include a regression
+  test. Untested patches generated by a tool are worse than no patch.
+
+Reports that do not meet these rules may be closed without detailed response
+and asked to be refiled publicly.
+
+## CVEs
+
+Not every security-relevant fix in QuickJS requires a CVE. CVE identifiers
+exist to help downstream consumers track issues that meaningfully affect
+their security posture, they are not a scoreboard, and inflating the count
+with marginal or speculative findings makes the catalog less useful for the
+people who actually rely on it.
+
+We **mnight**  request a CVE when an issue:
+
+- Is reachable from untrusted JavaScript running in an otherwise trusted
+  embedder (matches the threat model in "Rules for Private Reports"),
+- Has a concrete, demonstrated high impact (memory corruption, out-of-bounds
+  access, etc.), and
+- Affects a released version that downstream users are likely to be running.
+
+We will generally **not** request a CVE for:
+
+- Crashes or assertion failures that require malicious bytecode, crafted C
+  API input, or other embedder compromise (out of scope, see above).
+- Bugs found purely by running a publicly available  AI tool against the code,
+  with no additional analysis. By definition, anyone else can run the same
+  tool and find the same thing.
+- Issues already discoverable from the public commit history or issue
+  tracker by the time the report arrives.
+