CanJS has a test suite which you can see a part of
here: http://canjs.com/can/test/jquery.html . It has about 1200 tests.

Before a release, those tests are run against every browser that CanJS
supports. Those tests are also run against all the underlying libraries
like Zepto, Dojo, etc. Those tests are also run against the build
distributable and an AMD build. Finally the new version is run against
the old version's tests for backwards compatibility.

This is all managed by several grunt tasks: https://github.com/bitovi/canjs/blob/master/Gruntfile.js

For security, there is little that can be done or is needed for
JS libraries like CanJS. There are a few places we try to enforce
best practices:

CanJS helps prevent XSS by defaulting to escaping in mustache
templates like {{name}}. That escaping is tested by mustache's
specs:
https://github.com/bitovi/canjs/tree/master/view/mustache/spec/specs
and a few other places for things we added on top of mustache:
https://github.com/bitovi/canjs/blob/master/view/stache/stache_test.js#L283.

CanJS encourages you to return an
object instead of an array for all responses. For example,
on: http://canjs.com/docs/can.Model.findAll.html you'll
find a warning:

Note:
.findAll can also accept an array, but you probably should not be
doing that.
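
The escape-by-default behaviour of {{name}} mentioned above, as an added example that is not part of the original post and is not CanJS's own code: a minimal mustache-style renderer plus a small audit helper that lists the tags in a template that bypass escaping. The function names (escapeHtml, lookup, render, findUnescapedTags) and the sample data are hypothetical and constructed for illustration.

```javascript
// Added example: a minimal mustache-style renderer, NOT CanJS's implementation.
// It shows escape-by-default for {{key}} and raw output for {{{key}}} / {{&key}}.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Resolve a dotted key such as "user.name" against the data object.
function lookup(data, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
}

// {{key}} is HTML-escaped; {{{key}}} and {{&key}} are inserted as-is.
function render(template, data) {
  const tag = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{(&?)\s*([\w.]+)\s*\}\}/g;
  return template.replace(tag, (match, rawKey, amp, key) => {
    const value = lookup(data, rawKey || key);
    if (value == null) return ''; // missing keys render as empty text
    return rawKey || amp ? String(value) : escapeHtml(value);
  });
}

// Audit helper: list the keys a template outputs without escaping,
// so each one can be reviewed for whether its data is trusted markup.
function findUnescapedTags(template) {
  const raw = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{&\s*([\w.]+)\s*\}\}/g;
  const keys = [];
  let m;
  while ((m = raw.exec(template)) !== null) keys.push(m[1] || m[2]);
  return keys;
}

// Constructed sample input: a value containing markup characters.
const sample = { name: '<b>Ann & "Bob"</b>' };
console.log(render('<p>{{name}}</p>', sample));   // markup shown as text
console.log(render('<p>{{{name}}}</p>', sample)); // markup inserted as HTML
console.log(findUnescapedTags('<h1>{{title}}</h1><div>{{{body}}}</div>{{& footer}}'));
```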