Releases · BackendStack21/0http

31 May 09:07

jkyberneees

v5.0.1 Latest

Latest

Bug fixes and a request hot-path performance improvement. No API changes.

⚠️ Notable behavior change

prioRequestsProcessing now correctly defaults to true even when you pass a partial config (e.g. zero({ router }), zero({ errorHandler })). Previously the documented default only applied to the zero-argument call zero(), and any config object silently disabled it. On standard http/https servers this means requests are now dispatched via setImmediate as documented. Set prioRequestsProcessing: false explicitly to opt out. (#52)

Cross-request req.params leak: route matches served from the LRU cache shared a single params object across all requests to the same method+path. A middleware mutating req.params could bleed state into later requests. req.params is now shallow-copied per request. (#52)

~36% faster query-string parsing on the request hot path: the array-notation regex now runs only when []= is present, and the prototype-pollution segment check skips its per-parameter allocation for normal keys. Behavior is identical, including __proto__/prototype/constructor filtering. (#53)

Landing page modernized; added regression and query-parser tests (suite: 71 passing, query parser at 100% line coverage).
Removed the TRON donate address from the README Support section. (#54)

Full changelog: v5.0.0...v5.0.1

Assets 2

14 May 16:21

molty3000

DEFAULT_ERROR_HANDLER is now safe-by-default. Error details are only exposed when NODE_ENV=development.

If your app relies on error messages in non-development environments, set NODE_ENV=development or provide a custom errorHandler in router config.

Comprehensive penetration test suite added (tooling/pentest.js) — 48 vectors across 10 categories:

13 prototype pollution vectors — all blocked (direct, encoded, double-encoded, nested)
8 path traversal vectors — all blocked (dot-dot, null byte, quad-dot)
6 DoS vectors — all resilient (large queries, cache exhaustion, deep nesting)
5 information disclosure vectors — all safe
6 method confusion and cache vectors — all clean
3 request tampering vectors — all protected

lib/router/sequential.js — flipped error handler condition + Content-Type header
tests/nested-routers.test.js — updated error expectations
tests/router-coverage.test.js — updated error expectations
tests/v4.4.test.js — added NODE_ENV-unset test
tooling/pentest.js — new 48-vector security test suite

Full Changelog: v4.4.0...v5.0.0

Assets 2

18 Nov 19:02

jkyberneees

v4.4.0

chore: update Node.js version to 22.x in workflow and package.json by @jkyberneees in #49
feat: enhance error handler security, optimize static nested routing and docs by @jkyberneees in #50

Full Changelog: v4.3.0...v4.4.0