bedrock-express - npm Package Versions

6.4.1 - 2022-03-24

Fixed

• Fix remaining non-ESM internals.

6.4.0 - 2022-03-24

Changed

• Update peer deps:
  • bedrock@4.5
  • bedrock-server@3.2.
• Update internals to use esm style and use esm.js to transpile to CommonJS.

6.3.0 - 2022-01-21

Added

• Add tests and expose private test helper functions in API.

6.2.2 - 2022-01-16

Fixed

• Only set Private Network Access header on preflight request.

6.2.1 - 2022-01-16

Fixed

• Add patch to ensure current CORS behavior continues for bedrock-express servers running on localhost. This is mostly for development purposes, but does apply to any bedrock-express server that actually does run in production on localhost. The new Private Network Access CORS security feature has been added to Chrome to stop cross-origin requests from being made to private networks (without specific permission via a new CORS header). The header is:

  Access-Control-Allow-Private-Network: true

  This change enables sending that header on every response -- if the bedrock server's host is configured such that the string localhost appears in its value. This alone will not enable CORS on an endpoint, the Access-Control-Allow-Origin header must also be set. This header is only set if the cors middleware has been used (or some other means has been used) on a specific route. Therefore, this change should not expose any routes that were not previously exposed via CORS headers, rather, it should only enable any routes that were previously exposed to continue to be hit just like before, provided that they are running on localhost. If the server runs on some other private network, the new version of Chrome will not allow them to be accessed even if the other CORS headers have been set, because this patch will not set the new header in that case. If this feature needs to be disabled, set bedrock.config.express.allowLocalhostCors=false.

6.2.0 - 2022-01-11

Changed

• Add automatic fix for calling next from an asyncHandler. In previous versions process.nextTick(next) was required to safely call a subsequent middleware from a middleware created with asyncHandler. It is still safe to keep doing that, however, now it is also safe to just call next() normally because this behavior is built into the asyncHandler helper.

6.1.0 - 2021-10-26

Added

• Add fastifyOptions to the Bedrock config.

6.0.0 - 2021-10-07

Changed

• BREAKING: Set default value for dumpExceptions to false. This prevents unwanted stack traces from being included with HTML error responses.

5.0.1 - 2021-08-25

Fixed

• Fixed bug when http/1.1 is used. Outgoing messages would not be flushed when using an augmented response object instead of one where the prototype was set to express's response object (which is the default express behavior). The previous version of the code attempted to avoid this prototype overriding in all cases (http/2 and http/1.1), but only the http/2 version functions properly. Until the root of the problem is sorted out with http/1.1, this patch restores the prototype overriding method for http/1.1 requests.

5.0.0 - 2021-08-24

Added

• Add bedrock-express.fastify.init event to allow modules to listen to when fastify has been initialized. No events are currently emitted for adding routes/middleware/etc. to fastify as no pattern for this has been yet determined. For now, the events for adding routes via express should continue to be used.
• Add bedrock-express.fastify.ready event when the express app is ready and has been added to fastify.
• Expose fastify instance and Fastify class via module API.
• A new option, config.express.session.ttl, used by session storage libraries.
• Updated the Configuration section of the README with ttl options.

Changed

• Update underlying engine to use fastify with an express compatibility layer. This approach is intended to allow node's native http2 implementation to be used and provides a pathway to upgrading to fastify and deprecating express.
• BREAKING: Change bedrock-server peer dependency to 3.x. This is not a hard requirement; bedrock-server 2.x should work with this change, however, a new major revision avoids having to support 2.x.
• BREAKING: config.express.session.saveUninitialized now defaults to false. Unmodified sessions will no longer save to the database until data has been added to the session.
• BREAKING: The Fastify trustProxy option is disabled by default. This option is used when a Bedrock application is running with httpOnly = true behind a load balancer that is doing TLS termination. The ability to enable trustProxy was added in the v6.1 release.

Removed

• Removed broken/obsolete/unusable multiview hack to underlying express library.