Releases: BackendStack21/0http
v5.0.0 — Safe-by-default error handler
Breaking Change
DEFAULT_ERROR_HANDLER is now safe-by-default. Error details are only exposed when NODE_ENV=development.
| NODE_ENV | Before (v4.x) | After (v5.0) |
|---|---|---|
| unset | ❌ leaks err.message | ✅ Internal Server Error |
| production | ✅ safe | ✅ safe |
| development | ❌ leaks | ✅ leaks (by design) |
| staging | ❌ leaks | ✅ safe |
| testing | ❌ leaks | ✅ safe |
If your app relies on error messages in non-development environments, set NODE_ENV=development or provide a custom errorHandler in router config.
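A custom errorHandler of the kind suggested above, as an added example that is not 0http's own code: it logs full details server-side and returns a generic body with a correlation id unless NODE_ENV is exactly development. The `(err, req, res)` signature and all helper names are assumptions, `leaksV4` is reconstructed from the table's v4.x column, and `demo()` runs the handler against a constructed stub response for each table row.

```javascript
// Added example, not 0http's own code. Helper names are hypothetical; the
// (err, req, res) handler signature is an assumption about the router config.

// v4.x column of the table, reconstructed: a deny-list that only protects production.
const leaksV4 = (env) => env !== 'production'
// v5.0 column: an allow-list, details only when NODE_ENV is exactly "development".
const leaksV5 = (env) => env === 'development'

let seq = 0
// Correlation id linking the client response to the server log line.
// It is not a secret, so timestamp plus counter is sufficient.
const nextErrorId = () => `${Date.now().toString(36)}-${++seq}`

function makeErrorHandler ({ getEnv = () => process.env.NODE_ENV, log = console.error } = {}) {
  return function errorHandler (err, req, res) {
    const id = nextErrorId()
    const message = err instanceof Error ? err.message : String(err)
    // Full detail always goes to the server log, whatever the environment.
    log(JSON.stringify({ id, method: req.method, url: req.url, message, stack: err && err.stack }))
    const body = { error: leaksV5(getEnv()) ? message : 'Internal Server Error', id }
    res.statusCode = 500
    res.setHeader('Content-Type', 'application/json')
    res.setHeader('Cache-Control', 'no-store')
    res.end(JSON.stringify(body))
  }
}

// Constructed stub response and error, run once per row of the table.
function demo () {
  const result = {}
  for (const env of [undefined, 'production', 'development', 'staging', 'testing']) {
    const res = { headers: {}, setHeader (k, v) { this.headers[k] = v }, end (b) { this.body = b } }
    const handler = makeErrorHandler({ getEnv: () => env, log: () => {} })
    handler(new Error('connect ECONNREFUSED 10.0.0.5:5432'), { method: 'GET', url: '/users' }, res)
    result[env ?? 'unset'] = { v4Leaks: leaksV4(env), status: res.statusCode, error: JSON.parse(res.body).error }
  }
  return result
}
```

The handler would be passed as `errorHandler: makeErrorHandler()` in the router config; the client-visible `id` lets support staff find the matching log entry without the response carrying the message itself.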
Security
Comprehensive penetration test suite added (tooling/pentest.js) — 48 vectors across 10 categories:
- 13 prototype pollution vectors — all blocked (direct, encoded, double-encoded, nested)
- 8 path traversal vectors — all blocked (dot-dot, null byte, quad-dot)
- 6 DoS vectors — all resilient (large queries, cache exhaustion, deep nesting)
- 5 information disclosure vectors — all safe
- 6 method confusion and cache vectors — all clean
- 3 request tampering vectors — all protected
Changed Files
- lib/router/sequential.js — flipped error handler condition + Content-Type header
- tests/nested-routers.test.js — updated error expectations
- tests/router-coverage.test.js — updated error expectations
- tests/v4.4.test.js — added NODE_ENV-unset test
- tooling/pentest.js — new 48-vector security test suite
Full Changelog: v4.4.0...v5.0.0
v4.4.0
What's Changed
- chore: update Node.js version to 22.x in workflow and package.json by @jkyberneees in #49
- feat: enhance error handler security, optimize static nested routing and docs by @jkyberneees in #50
Full Changelog: v4.3.0...v4.4.0
v4.3.0
What's Changed
- Improve documentation by @jkyberneees in #44
- Update docs meta description by @jkyberneees in #45
- Fix async middleware errors by @jkyberneees in #46
- Add array middleware registration test by @jkyberneees in #47
- Fix nested routers typo by @jkyberneees in #48
Full Changelog: v4.2.1...v4.3.0
v4.2.1
What's Changed
- Enhance performance and security across router and query parameter handling by @jkyberneees in #43
Full Changelog: v4.2.0...v4.2.1
v4.2.0
Changes:
- Node.js v20+ required.
- Performance optimizations by @jkyberneees in #42
Full Changelog: v4.1.0...v4.2.0
v4.1.0
What's Changed
- Fixing default init of sequential router and improving cache by @jkyberneees in #41
Full Changelog: v4.0.0...v4.1.0
v4.0.0
What's Changed
- BREAKING: Updating trouter module to v4 (https://github.com/lukeed/trouter/releases/tag/v4.0.0)
New Contributors
Full Changelog: v3.5.3...v4.0.0
Deps update + Performance Improvements
What's Changed
- Dependencies update + performance improvements by @jkyberneees in #37
Full Changelog: v3.5.2...v3.5.3
Remove "v" from package version in package.json
What's Changed
- Remove 'v' prefix in package.json version by @silverwind in #35
New Contributors
- @silverwind made their first contribution in #35
Full Changelog: v3.5.1...v3.5.2
Fix: including .d.ts files in module
Changes:
- Shipping .d.ts files in packaged module