- Correctly invoke async callback asynchronously
- Fix handling of URLs containing
://
in the path
- deps: [email protected]
- deps: on-finished@~2.1.1
- deps: debug@~2.1.0
- Implement
DEBUG_FD
env variable support
- Implement
- deps: [email protected]
- Terminate in progress response only on error
- Use
on-finished
to determine request status - deps: debug@~2.1.0
- deps: debug@~2.0.0
- deps: [email protected]
- Set
X-Content-Type-Options: nosniff
header - deps: debug@~2.0.0
- Set
- deps: parseurl@~1.3.0
- deps: [email protected]
- deps: [email protected]
- Respond after request fully read
- deps: [email protected]
- deps: parseurl@~1.2.0
- Cache URLs based on original value
- Remove no-longer-needed URL mis-parse work-around
- Simplify the "fast-path"
RegExp
- perf: reduce executed logic in routing
- perf: refactor location of
try
block
- deps: [email protected]
- Add support for multiple wildcards in namespaces
- deps: parseurl@~1.1.3
- faster parsing of href-only URLs
- use
finalhandler
for final response handling - deps: [email protected]
- No changes
- Call error stack even when response has been sent
- Prevent default 404 handler after response sent
- dep: [email protected]
- encode stack in HTML for default error handler
- remove
proto
export
- move middleware to separate repos
- remove docs
- remove node patches
- remove connect(middleware...)
- remove the old
connect.createServer()
method - remove various private
connect.utils
functions - drop node.js 0.8 support
- Correctly invoke async callback asynchronously
- deps: csurf@~1.6.3
- bump csrf
- bump http-errors
- Fix handling of URLs containing
://
in the path - deps: body-parser@~1.9.2
- deps: [email protected]
- deps: [email protected]
- Fix parsing of mixed objects and values
- deps: body-parser@~1.9.1
- deps: on-finished@~2.1.1
- deps: [email protected]
- deps: type-is@~1.5.2
- deps: express-session@~1.9.1
- Remove unnecessary empty write call
- deps: [email protected]
- deps: on-finished@~2.1.1
- deps: morgan@~1.4.1
- deps: on-finished@~2.1.1
- deps: [email protected]
- Fix parsing of mixed implicit and explicit arrays
- deps: serve-static@~1.7.1
- deps: [email protected]
- Use
http-errors
module for creating errors - Use
utils-merge
module for merging objects - deps: body-parser@~1.9.0
- include the charset in "unsupported charset" error message
- include the encoding in "unsupported content encoding" error message
- deps: depd@~1.0.0
- deps: compression@~1.2.0
- deps: debug@~2.1.0
- deps: connect-timeout@~1.4.0
- Create errors with
http-errors
- deps: debug@~2.1.0
- Create errors with
- deps: debug@~2.1.0
- Implement
DEBUG_FD
env variable support
- Implement
- deps: depd@~1.0.0
- deps: express-session@~1.9.0
- deps: debug@~2.1.0
- deps: depd@~1.0.0
- deps: [email protected]
- Terminate in progress response only on error
- Use
on-finished
to determine request status - deps: debug@~2.1.0
- deps: method-override@~2.3.0
- deps: debug@~2.1.0
- deps: morgan@~1.4.0
- Add
debug
messages - deps: depd@~1.0.0
- Add
- deps: response-time@~2.2.0
- Add
header
option for custom header name - Add
suffix
option - Change
digits
argument to anoptions
argument - deps: depd@~1.0.0
- Add
- deps: serve-favicon@~2.1.6
- deps: etag@~1.5.0
- deps: serve-index@~1.5.0
- Add
dir
argument tofilter
function - Add icon for mkv files
- Create errors with
http-errors
- Fix incorrect 403 on Windows and Node.js 0.11
- Lookup icon by mime type for greater icon support
- Support using tokens multiple times
- deps: accepts@~1.1.2
- deps: debug@~2.1.0
- deps: mime-types@~2.0.2
- Add
- deps: serve-static@~1.7.0
- deps: [email protected]
- deps: compression@~1.1.2
- deps: accepts@~1.1.2
- deps: compressible@~2.0.1
- deps: csurf@~1.6.2
- bump http-errors
- fix cookie name when using
cookie: true
- deps: errorhandler@~1.2.2
- deps: accepts@~1.1.2
- Fix accepting non-object arguments to
logger
- deps: serve-static@~1.6.4
- Fix redirect loop when index file serving disabled
- deps: morgan@~1.3.2
- Fix
req.ip
integration whenimmediate: false
- Fix
- deps: type-is@~1.5.2
- deps: mime-types@~2.0.2
- deps: body-parser@~1.8.4
- fix content encoding to be case-insensitive
- deps: serve-favicon@~2.1.5
- deps: etag@~1.4.0
- deps: serve-static@~1.6.3
- deps: [email protected]
- deps: body-parser@~1.8.3
- deps: [email protected]
- deps: [email protected]
- Fix issue with object keys starting with numbers truncated
- deps: body-parser@~1.8.2
- deps: [email protected]
- deps: [email protected]
- deps: express-session@~1.8.2
- Use
crc
instead ofbuffer-crc32
for speed - deps: [email protected]
- Use
- deps: morgan@~1.3.1
- Remove un-used
bytes
dependency - deps: [email protected]
- Remove un-used
- deps: serve-favicon@~2.1.4
- Fix content headers being sent in 304 response
- deps: etag@~1.3.1
- deps: serve-static@~1.6.2
- deps: [email protected]
- deps: body-parser@~1.8.1
- add
parameterLimit
option tourlencoded
parser - change
urlencoded
extended array limit to 100 - make empty-body-handling consistent between chunked requests
- respond with 415 when over
parameterLimit
inurlencoded
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.5.1
- add
- deps: compression@~1.1.0
- deps: accepts@~1.1.0
- deps: compressible@~2.0.0
- deps: debug@~2.0.0
- deps: connect-timeout@~1.3.0
- deps: debug@~2.0.0
- deps: cookie-parser@~1.3.3
- deps: [email protected]
- deps: [email protected]
- deps: csurf@~1.6.1
- add
ignoreMethods
option - bump cookie-signature
- csrf-tokens -> csrf
- set
code
property on CSRF token errors
- add
- deps: debug@~2.0.0
- deps: errorhandler@~1.2.0
- Display error using
util.inspect
if no other representation - deps: accepts@~1.1.0
- Display error using
- deps: express-session@~1.8.1
- Do not resave already-saved session at end of request
- Prevent session prototype methods from being overwritten
- deps: [email protected]
- deps: debug@~2.0.0
- deps: [email protected]
- Set
X-Content-Type-Options: nosniff
header - deps: debug@~2.0.0
- Set
- deps: [email protected]
- deps: [email protected]
- Throw error when parameter format invalid on parse
- deps: method-override@~2.2.0
- deps: debug@~2.0.0
- deps: morgan@~1.3.0
- Assert if
format
is not a function or string
- Assert if
- deps: [email protected]
- Fix issue where first empty value in array is discarded
- deps: serve-favicon@~2.1.3
- Accept string for
maxAge
(converted byms
) - Use
etag
to generateETag
header - deps: [email protected]
- Accept string for
- deps: serve-index@~1.2.1
- Add
debug
messages - Resolve relative paths at middleware setup
- deps: accepts@~1.1.0
- Add
- deps: serve-static@~1.6.1
- Add
lastModified
option - deps: [email protected]
- Add
- deps: type-is@~1.5.1
- fix
hasbody
to be true forcontent-length: 0
- deps: [email protected]
- deps: mime-types@~2.0.1
- fix
- deps: vhost@~3.0.0
- deps: serve-static@~1.5.4
- deps: [email protected]
- deps: body-parser@~1.6.7
- deps: [email protected]
- deps: [email protected]
- deps: body-parser@~1.6.6
- deps: [email protected]
- deps: csurf@~1.4.1
- deps: [email protected]
- Array parsing fix
- Performance improvements
- deps: body-parser@~1.6.5
- deps: [email protected]
- deps: express-session@~1.7.6
- Fix exception on
res.end(null)
calls
- Fix exception on
- deps: morgan@~1.2.3
- deps: [email protected]
- deps: serve-static@~1.5.3
- deps: [email protected]
- deps: body-parser@~1.6.4
- deps: [email protected]
- deps: [email protected]
- deps: serve-static@~1.5.2
- deps: [email protected]
- Fix backwards compatibility in
logger
- Fix
query
middleware breaking with argument- It never really took one in the first place
- deps: body-parser@~1.6.3
- deps: [email protected]
- deps: compression@~1.0.11
- deps: on-headers@~1.0.0
- deps: parseurl@~1.3.0
- deps: connect-timeout@~1.2.2
- deps: on-headers@~1.0.0
- deps: express-session@~1.7.5
- Fix parsing original URL
- deps: on-headers@~1.0.0
- deps: parseurl@~1.3.0
- deps: method-override@~2.1.3
- deps: on-headers@~1.0.0
- deps: parseurl@~1.3.0
- deps: [email protected]
- deps: response-time@~2.0.1
- deps: on-headers@~1.0.0
- deps: serve-index@~1.1.6
- Fix URL parsing
- deps: serve-static@~1.5.1
- Fix parsing of weird
req.originalUrl
values - deps: parseurl@~1.3.0 = deps: [email protected]
- Fix parsing of weird
- deps: [email protected]
- Fix potential double-callback
- deps: body-parser@~1.6.2
- deps: [email protected]
- deps: [email protected]
- Fix parsing array of objects
- deps: body-parser@~1.6.1
- deps: [email protected]
- deps: [email protected]
- Accept urlencoded square brackets
- Accept empty values in implicit array notation
- deps: body-parser@~1.6.0
- deps: [email protected]
- deps: compression@~1.0.10
- Fix upper-case Content-Type characters prevent compression
- deps: compressible@~1.1.1
- deps: csurf@~1.4.0
- Support changing
req.session
aftercsurf
middleware - Calling
res.csrfToken()
afterreq.session.destroy()
will now work
- Support changing
- deps: express-session@~1.7.4
- Fix
res.end
patch to call correct upstreamres.write
- Fix response end delay for non-chunked responses
- Fix
- deps: [email protected]
- Complete rewrite
- Limits array length to 20
- Limits object depth to 5
- Limits parameters to 1,000
- deps: serve-static@~1.5.0
- Add
extensions
option - deps: [email protected]
- Add
- deps: serve-index@~1.1.5
- Fix Content-Length calculation for multi-byte file names
- deps: accepts@~1.0.7
- deps: serve-static@~1.4.4
- Fix incorrect 403 on Windows and Node.js 0.11
- deps: [email protected]
- deps: body-parser@~1.5.2
- deps: [email protected]
- Work-around v8 generating empty stack traces
- deps: express-session@~1.7.2
- deps: morgan@~1.2.2
- deps: serve-static@~1.4.2
- deps: body-parser@~1.5.1
- deps: [email protected]
- Fix exception when global
Error.stackTraceLimit
is too low
- Fix exception when global
- deps: express-session@~1.7.1
- deps: morgan@~1.2.1
- deps: serve-index@~1.1.4
- deps: serve-static@~1.4.1
- deps: body-parser@~1.5.0
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.3.2
- deps: compression@~1.0.9
- Add
debug
messages - deps: accepts@~1.0.7
- Add
- deps: connect-timeout@~1.2.1
- Accept string for
time
(converted byms
) - deps: [email protected]
- Accept string for
- deps: [email protected]
- deps: [email protected]
- Add
TRACE_DEPRECATION
environment variable - Remove non-standard grey color from color output
- Support
--no-deprecation
argument - Support
--trace-deprecation
argument
- Add
- deps: express-session@~1.7.0
- Improve session-ending error handling
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Respond after request fully read
- deps: [email protected]
- deps: method-override@~2.1.2
- deps: [email protected]
- deps: parseurl@~1.2.0
- deps: morgan@~1.2.0
- Add
:remote-user
token - Add
combined
log format - Add
common
log format - Remove non-standard grey color from
dev
format
- Add
- deps: [email protected]
- deps: parseurl@~1.2.0
- Cache URLs based on original value
- Remove no-longer-needed URL mis-parse work-around
- Simplify the "fast-path"
RegExp
- deps: serve-static@~1.4.0
- Add
dotfiles
option - deps: parseurl@~1.2.0
- deps: [email protected]
- Add
- deps: [email protected]
- Add support for multiple wildcards in namespaces
- deps: express-session@~1.6.4
- deps: method-override@~2.1.0
- add simple debug output
- deps: [email protected]
- deps: parseurl@~1.1.3
- deps: parseurl@~1.1.3
- faster parsing of href-only URLs
- deps: serve-static@~1.3.1
- deps: parseurl@~1.1.3
- deps: csurf@~1.3.0
- Fix
cookie.signed
option to actually sign cookie
- Fix
- deps: express-session@~1.6.1
- Fix
res.end
patch to return correct value - Fix
res.end
patch to handle multipleres.end
calls - Reject cookies with missing signatures
- Fix
- deps: [email protected]
- Always emit close after all parts ended
- Fix callback hang in node.js 0.8 on errors
- deps: serve-static@~1.3.0
- Accept string for
maxAge
(converted byms
) - Add
setHeaders
option - Include HTML link in redirect response
- deps: [email protected]
- Accept string for
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- fix for timing attacks
- deps: express-session@~1.5.2
- deps: [email protected]
- deps: type-is@~1.3.2
- more mime types
- deprecate
connect(middleware)
-- useapp.use(middleware)
instead - deprecate
connect.createServer()
-- useconnect()
instead - fix
res.setHeader()
patch to work with get -> append -> set pattern - deps: compression@~1.0.8
- deps: errorhandler@~1.1.1
- deps: express-session@~1.5.0
- Deprecate integration with
cookie-parser
middleware - Deprecate looking for secret in
req.secret
- Directly read cookies;
cookie-parser
no longer required - Directly set cookies;
res.cookie
no longer required - Generate session IDs with
uid-safe
, faster and even less collisions
- Deprecate integration with
- deps: serve-index@~1.1.3
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- fix global variable leak
- deprecate
verify
option tojson
-- usebody-parser
npm module instead - deprecate
verify
option tourlencoded
-- usebody-parser
npm module instead - deprecate things with
depd
module - use
finalhandler
for final response handling - use
media-typer
to parsecontent-type
for charset - deps: [email protected]
- check accepted charset in content-type (accepts utf-8)
- check accepted encoding in content-encoding (accepts identity)
- deprecate
urlencoded()
without providedextended
option - lazy-load urlencoded parsers
- support gzip and deflate bodies
- set
inflate: false
to turn off - deps: [email protected]
- deps: [email protected]
- Support all encodings from
iconv-lite
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- export parsing functions
req.cookies
andreq.signedCookies
are now plain objects- slightly faster parsing of many cookies
- deps: [email protected]
- deps: [email protected]
- Display error on console formatted like
throw
- Escape HTML in stack trace
- Escape HTML in title
- Fix up edge cases with error sent in response
- Set
X-Content-Type-Options: nosniff
header - Use accepts for negotiation
- Display error on console formatted like
- deps: [email protected]
- Add
genid
option to generate custom session IDs - Add
saveUninitialized
option to control saving uninitialized sessions - Add
unset
option to control unsettingreq.session
- Generate session IDs with
rand-token
by default; reduce collisions - Integrate with express "trust proxy" by default
- deps: [email protected]
- deps: [email protected]
- Add
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- improve type parsing
- deps: [email protected]
- Accept
RegExp
object forhostname
- Provide
req.vhost
object - Support IPv6 literal in
Host
header
- Accept
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- use vary module for better
Vary
behavior - deps: [email protected]
- deps: [email protected]
- use vary module for better
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Do not throw un-catchable error on file open race condition
- deps: [email protected]
- deps: [email protected]
- refactor to use csrf-tokens@~1.0.2
- deps: [email protected]
- deps: [email protected]
- fix "event emitter leak" warnings
- deps: [email protected]
- deps: [email protected]
- Switch dependency from
mime
to[email protected]
- Switch dependency from
- deps: [email protected]
- Pass on errors from reading error files
- deps: [email protected]
- use vary module for better
Vary
behavior
- use vary module for better
- deps: [email protected]
- Reduce byte size of
ETag
header
- Reduce byte size of
- deps: [email protected]
- fix listeners for delayed stream creation
- fix regression for certain
stream.pipe(res)
situations - fix regression when negotiation fails
- deps: [email protected]
- fix adding
Vary
when value stored as array - fix back-pressure behavior
- fix length check for
res.end
- fix adding
- fix deprecated
utils.escape
- deprecate
methodOverride()
-- usemethod-override
npm module instead - deps: [email protected]
- add
extended
option to urlencoded parser
- add
- deps: [email protected]
- set
Vary
header - deps: [email protected]
- set
- deps: [email protected]
- deps: [email protected]
- add
digits
argument - do not override existing
X-Response-Time
header - timer not subject to clock drift
- timer resolution down to nanoseconds
- add
- deps: [email protected]
- send max-age in Cache-Control in correct format
- use
escape-html
for escaping - deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- Fix content negotiation when no
Accept
header - Properly support all HTTP methods
- Support vanilla node.js http servers
- Treat
ENAMETOOLONG
as code 414 - Use accepts for negotiation
- Fix content negotiation when no
- deps: [email protected]
- Calculate ETag with md5 for reduced collisions
- Fix wrong behavior when index file matches directory
- Ignore stream errors after request ends
- Skip directories in index file search
- deps: [email protected]
- deps: [email protected]
- Fix
resave
such thatresave: true
works
- Fix
- deps: [email protected]
- invoke
next(err)
after request fully read - deps: [email protected]
- invoke
- deps: [email protected]
- Handle
req.body
key referencing array or object - Handle multiple HTTP headers
- Handle
- fix
res.charset
appending charset whencontent-type
has one
- deps: [email protected]
- Add
resave
option to control saving unmodified sessions
- Add
- deps: [email protected]
- "dev" format will use same tokens as other formats
:response-time
token is now empty when immediate used:response-time
token is now monotonic:response-time
token has precision to 1 μs- fix
:status
+ immediate output in node.js 0.8 - improve
buffer
option to prevent indefinite event loop holding - simplify method to get remote address
- deps: [email protected]
- deps: [email protected]
- Fix error from non-statable files in HTML view
- fix edge-case in
res.appendHeader
that would append in wrong order - deps: [email protected]
- remove usages of
res.headerSent
from core
- deprecate
res.headerSent
-- useres.headersSent
- deprecate
res.on("header")
-- use on-headers module instead - fix
connect.version
to reflect the actual version - json: use body-parser
- add
type
option - fix repeated limit parsing with every request
- improve parser speed
- add
- urlencoded: use body-parser
- add
type
option - fix repeated limit parsing with every request
- add
- dep: [email protected]
- add negative support
- dep: [email protected]
- deps: [email protected]
- dep: [email protected]
- add support for double-submit cookie
- dep: [email protected]
- Add
name
option; replacement forkey
option - Use
setImmediate
in MemoryStore for node.js >= 0.10
- Add
- Add simple
res.cookie
support - Add
res.appendHeader
- Call error stack even when response has been sent
- Patch
res.headerSent
to return Boolean - Patch
res.headersSent
for node.js 0.8 - Prevent default 404 handler after response sent
- dep: [email protected]
- support headers given to
res.writeHead
- deps: [email protected]
- deps: [email protected]
- support headers given to
- dep: [email protected]
- Add
req.timedout
property - Add
respond
option to constructor - Clear timer on socket destroy
- deps: [email protected]
- Add
- dep: debug@^0.8.0
- add
enable()
method - change from stderr to stdout
- add
- dep: [email protected]
- Clean up error CSS
- Do not respond after headers sent
- dep: [email protected]
- Remove import of
setImmediate
- Use
res.cookie()
instead ofres.setHeader()
- deps: [email protected]
- deps: [email protected]
- Remove import of
- dep: [email protected]
- Make buffer unique per morgan instance
- deps: [email protected]
- dep: [email protected]
- Accept
Buffer
of icon as first argument - Non-GET and HEAD requests are denied
- Send valid max-age value
- Support conditional requests
- Support max-age=0
- Support OPTIONS method
- Throw if
path
argument is directory
- Accept
- dep: [email protected]
- Add stylesheet option
- deps: [email protected]
- dep: [email protected]
- allow true as an option
- deps: [email protected]
- dep: [email protected]
- Accept options directly to
send
module - deps: [email protected]
- Accept options directly to
- dep: [email protected]
- added terabyte support
- dep: [email protected]
- add constant-time string compare
- dep: [email protected]
- Resolve relative paths at middleware setup
- Use parseurl to parse the URL from request
- fix node.js 0.8 compatibility with memory session
- dep: [email protected]
- Fixed content of default icon
- dep: [email protected]
- Fixed path to default icon
- dep: [email protected]
- no real changes
- dep: [email protected]
- deps: [email protected]
- dep: [email protected]
- deps: [email protected]
- basicAuth: use basic-auth-connect
- cookieParser: use cookie-parser
- compress: use compression
- csrf: use csurf
- dep: [email protected]
- directory: use serve-index
- errorHandler: use errorhandler
- favicon: use static-favicon
- logger: use morgan
- methodOverride: use method-override
- responseTime: use response-time
- session: use express-session
- static: use serve-static
- timeout: use connect-timeout
- vhost: use vhost
- cookieSession: compare full value rather than crc32
- deps: [email protected]
- fix typo in memory store warning #974 @rvagg
- compress: use compressible
- directory: add template option #990 @gottaloveit @Earl-Brown
- csrf: prevent deprecated warning with old sessions
- bump qs
- directory: sort folders before files
- directory: add folder icons
- directory: de-duplicate icons, details/mobile views #968 @simov
- errorHandler: end default 404 handler with a newline #972 @rlidwka
- session: remove long cookie expire check #870 @undoZen
- bump raw-body
- bump raw-body
- errorHandler: use
res.setHeader()
instead ofres.writeHead()
#949 @lo1tuma
- update bytes
- update uid2
- update negotiator
- sessions: add rolling session option #944 @ilmeo
- sessions: property set cookies when given FQDN
- cookieSessions: properly set cookies when given FQDN #948 @bmancini55
- proto: fix FQDN mounting when multiple handlers #945 @bmancini55
- fixed; fixed a bug with static middleware at root and trailing slashes #942 (@dougwilson)
- fixed: set headers written by writeHead before emitting 'header'
- fixed: mounted path should ignore querystrings on FQDNs #940 (@dougwilson)
- fixed: parsing protocol-relative URLs with @ as pathnames #938 (@dougwilson)
- fixed: fix static directory redirect for mount's root #937 (@dougwilson)
- fixed: setting set-cookie header when mixing arrays and strings #893 (@anuj123)
- bodyParser: optional verify function for urlencoded and json parsers for signing request bodies
- compress: compress checks content-length to check threshold
- compress: expose
res.flush()
for flushing responses - cookieParser: pass options into node-cookie #803 (@cauldrath)
- errorHandler: replace
\n
s with<br/>
s in error handler
- warn about multiparty and limit middleware deprecation for v3
- fix fully qualified domain name mounting. #920 (@dougwilson)
- directory: Fix potential security issue with serving files outside the root. #929 (@dougwilson)
- logger: store IP at beginning in case socket prematurely closes #930 (@dougwilson)
- update multiparty
- compress: Set vary header only if Content-Type passes filter #904
- directory: Fix directory middleware URI escaping #917 (@dougwilson)
- directory: Fix directory seperators for Windows #914 (@dougwilson)
- directory: Keep query string intact during directory redirect #913 (@dougwilson)
- directory: Fix paths in links #730 (@JacksonTian)
- errorHandler: Don't escape text/plain as HTML #875 (@johan)
- logger: Write '0' instead of '-' when response time is zero #910 (@dougwilson)
- logger: Log even when connections are aborted #760 (@dylanahsmith)
- methodOverride: Check req.body is an object #907 (@kbjr)
- multipart: Add .type back to file parts for backwards compatibility #912 (@dougwilson)
- multipart: Allow passing options to the Multiparty constructor #902 (@niftylettuce)
- multipart: add docs regarding tmpfiles
- multipart: add .name back to file parts
- multipart: use multiparty instead of formidable
- csrf: change to math.random() salt and remove csrfToken() callback
- csrf: prevent salt generation on every request, and add async req.csrfToken(fn)
- csrf: refactor to use HMAC tokens (BREACH attack)
- compress: add compression of SVG and common font files by default.
- add: compress Dart source files by default
- update fresh
- update send
- add a name back to static middleware ("staticMiddleware")
- fix .hasBody() utility to require transfer-encoding or content-length
- update send
- update cookie dep.
- add better debug() for middleware
- add whitelisting of supported methods to methodOverride()
- fix: escape req.method in 404 response
- add
threshold
option tocompress()
to prevent compression of small responses - add support for vendor JSON mime types in json()
- add X-Forwarded-Proto initial https proxy support
- change static redirect to 303
- change octal escape sequences for strict mode
- change: replace utils.uid() with uid2 lib
- remove other "static" function name. Fixes #794
- fix: hasBody() should return false if Content-Length: 0
- update send
- update qs
- update formidable
- fix: write/end to noop() when request aborted
- update qs
- drop support for node < v0.8
- update qs
- update qs dependency
- remove "static" function name. Closes #794
- update node-formidable
- update buffer-crc32
- revert cookie signature which was creating session race conditions
- update cookie-signature
- limit: do not consume request in node 0.10.x
- session: add long expires check and prevent excess set-cookie
- session: add console.error() of session#save() errors
- add name to compress middleware
- add appending Accept-Encoding to Vary when set but missing
- add tests for csrf middleware
- add 'next' support for connect() server handler
- change utils.uid() to return url-safe chars. Closes #753
- fix treating '.' as a regexp in vhost()
- fix duplicate bytes dep in package.json. Closes #743
- fix #733 - parse x-forwarded-proto in a more generally compatibly way
- revert "add support for
next(status[, msg])
"; makes composition hard
- add support for
next(status[, msg])
back - add utf-8 meta tag to support foreign characters in filenames/directories
- change
timeout()
408 to 503 - replace 'node-crc' with 'buffer-crc32', fixes licensing
- fix directory.html IE support
- add directory() tests
- add support for bodyParser to ignore Content-Type if no body is present (jquery primarily does this poorely)
- fix errorHandler signature
- add support for leading JSON whitespace
- add logging of
req.ip
when present - add basicAuth support for
:
-delimited string - update cookie module. Closes #688
- add
debug()
for disconnected session store - fix session regeneration bug. Closes #681
- add passing of
connect.timeout()
errors tonext()
- replace signature utils with cookie-signature module
- add
defer
option tomultipart()
[Blake Miner] - fix mount path case sensitivity. Closes #663
- fix default of ascii encoding from
logger()
, now utf8. Closes #293
- add
err.status = 400
to multipart() errors - add double-encoding protection to
compress()
. Closes #659 - add graceful handling cookie parsing errors [shtylman]
- fix typo X-Response-time to X-Response-Time
- update qs
- add session store "connect" / "disconnect" support [louischatriot]
- fix
:url
log token
- fix
static()
pause regression from "send" integration
- fix
.write()
encoding for zlib inconstancy. Closes #561
- remove limit default from
urlencoded()
- remove limit default from
json()
- remove limit default from
multipart()
- fix
cookieSession()
clear cookie path / domain bug. Closes #636
- fix
options
mutation instatic()
- add
connect.timeout()
- add GET / HEAD check to
directory()
. Closes #634 - add "pause" util dep
- update send dep for normalization bug
- add more descriptive invalid json error message
- update send dep for root normalization regression
- fix staticCache fresh dep
- fix
connect.static()
404 regression, passnext()
. Closes #629
- add
json()
utf-8 illustration test. Closes #621 - add "send" dependency
- change
connect.static()
internals to use "send" - fix
session()
req.session generation with pathname mismatch - fix
cookieSession()
req.session generation with pathname mismatch - fix mime export. Closes #618
- Fixed cookieSession() with cookieParser() secret regression. Closes #602
- Fixed set-cookie header fields on cookie.path mismatch. Closes #615
- Remove
logger()
mount check - Fixed
staticCache()
dont cache responses with set-cookie. Closes #607 - Fixed
staticCache()
when Cookie is present
- Added
err.buf
to urlencoded() and json() - Update cookie to 0.0.4. Closes #604
- Fixed: only send 304 if original response in 2xx or 304 [timkuijsten]
- Added ETags back to
static()
[timkuijsten] - Replaced
utils.parseRange()
withrange-parser
module - Replaced
utils.parseBytes()
withbytes
module - Replaced
utils.modified()
withfresh
module - Fixed
cookieSession()
regression with invalid cookie signing [shtylman]
- expose mime module
- Update crc dep (which bundled nodeunit)
- Added
secret
option tocookieSession
middleware [shtylman] - Added
secret
option tosession
middleware [shtylman] - Added
req.remoteUser
back tobasicAuth()
as alias ofreq.user
- Performance: improve signed cookie parsing
- Update
cookie
dependency [shtylman]
- Added limit option to
json()
- Added limit option to
urlencoded()
- Added limit option to
multipart()
- Fixed: remove socket error event listener on callback
- Fixed ENOTDIR error on
static
middleware
- Added support to csrf middle for pre-flight CORS requests
- Updated
engines
to allow newer version of node - Removed duplicate repo prop. Closes #560
- Fixed
static()
redirect when mounted. Closes #554
- Added
make benchmark
- Perf: memoize url parsing (~20% increase)
- Fixed
connect(fn, fn2, ...)
. Closes #549
- Added optional json()
reviver
function to be passed to JSON.parse [jed] - Fixed: emit drain in compress middleware [nsabovic]
- Fixed cookieParser()
req.cookies
regression
- Fixed
session()
browser-session length cookies & examples - Fixed: make
query()
"self-aware" [jed]
- Added
debug()
calls to.use()
(DEBUG=connect:displatcher
) - Added
urlencoded()
support for GET - Added
json()
support for GET. Closes #497 - Added
strict
option tojson()
- Changed:
session()
only set-cookie when modified - Removed
Session#lastAccess
property. Closes #399
- Added:
cookieSession()
only sets cookie on change. Closes #442 - Added
connect:dispatcher
debug() probes
- Added test for ENAMETOOLONG now that node is fixed
- Fixed static() index "/" check on windows. Closes #498
- Fixed Content-Range behaviour to match RFC2616 [matthiasdg / visionmedia]
- Added test coverage for
vhost()
middleware - Changed
cookieParser()
signed cookie support to use SHA-2 [senotrusov] - Fixed
static()
Range: respond with 416 when unsatisfiable - Fixed
vhost()
middleware. Closes #494
- Added
cookieSession()
middleware for cookie-only sessions - Added
compress()
middleware for gzip / deflate support - Added
session()
"proxy" setting to trustX-Forwarded-Proto
- Added
json()
middleware to parse "application/json" - Added
urlencoded()
middleware to parse "application/x-www-form-urlencoded" - Added
multipart()
middleware to parse "multipart/form-data" - Added
cookieParser(secret)
support so anything using this middleware may access signed cookies - Added signed cookie support to
cookieParser()
- Added support for JSON-serialized cookies to
cookieParser()
- Added
err.status
support in Connect's default end-point - Added X-Cache MISS / HIT to
staticCache()
- Added public
res.headerSent
checking nodesres._headerSent
until node does - Changed
basicAuth()
req.remoteUser to req.user - Changed: default
session()
to a browser-session cookie. Closes #475 - Changed: no longer lowercase cookie names
- Changed
bodyParser()
to usejson()
,urlencoded()
, andmultipart()
- Changed:
errorHandler()
is now a development-only middleware - Changed middleware to
next()
errors when possible so applications can unify logging / handling - Removed
http[s].Server
inheritance, now just a function, making it easy to have an app providing both http and https - Removed
.createServer()
(useconnect()
) - Removed
secret
option fromsession()
, usecookieParser(secret)
- Removed
connect.session.ignore
array support - Removed
router()
middleware. Closes #262 - Fixed: set-cookie only once for browser-session cookies
- Fixed FQDN support. dont add leading "/"
- Fixed 404 XSS attack vector. Closes #473
- Fixed HEAD support for 404s and 500s generated by Connect's end-point
- Fixed: actually allow empty body for json
- Changed: allow empty body for json/urlencoded requests. Backport for #443
- Fixed
static()
index.html support on windows
- Fixed potential security issue, store files in req.files. Closes #431 [reported by dobesv]
- Added nesting support for multipart/form-data [jackyz]
- Added multipart/form-data support to
bodyParser()
using formidable
- Fixed
req.body
, always default to {} - Fixed HEAD support for 404s and 500s
- "node": ">= 0.4.1 < 0.7.0"
- Added
static()
redirect option. Closes #398 - Changed
limit()
: respond with 413 when content-length exceeds the limit - Removed socket error listener in static(). Closes #389
- Fixed
staticCache()
Age header field - Fixed race condition causing errors reported in #329.
- Added: make
Store
inherit fromEventEmitter
- Added session
Store#load(sess, fn)
to fetch aSession
instance - Added backpressure support to
staticCache()
- Changed
res.socket.destroy()
toreq.socket.destroy()
- Added
staticCache()
middleware, a memory cache forstatic()
- Added public
res.headerSent
checking nodesres._headerSent
(remove when node adds this) - Changed: ignore error handling middleware when header is sent
- Changed: dispatcher errors after header is sent destroy the sock
- Revert "Added double-next reporting"
- Added double-
next()
reporting - Added
immediate
option tologger()
. Closes #321 - Dependency
qs >= 0.3.1
- Fixed
connect.static()
null byte vulnerability - Fixed
connect.directory()
null byte vulnerability - Changed: 301 redirect in
static()
to postfix "/" on directory. Closes #289
- Added: allow retval
== null
from logger callback to ignore line - Added
getOnly
option toconnect.static.send()
- Added response "header" event allowing augmentation
- Added
X-CSRF-Token
header field check - Changed dep
qs >= 0.3.0
- Changed: persist csrf token. Closes #322
- Changed: sort directory middleware files alphabetically
- Added :response-time to "dev" logger format
- Added simple
csrf()
middleware. Closes #315 - Fixed
res._headers
logger regression. Closes #318 - Removed support for multiple middleware being passed to
.use()
- Added
filter
function option todirectory()
[David Rio Deiros] - Changed: re-write of the
logger()
middleware, with extensible tokens and formats - Changed:
static.send()
".." in path without root considered malicious - Fixed quotes in docs. Closes #312
- Fixed urls when mounting
directory()
, useoriginalUrl
[Daniel Dickison]
- Added malicious path check to
directory()
middleware - Added
utils.forbidden(res)
- Added
connect.query()
middleware
- Added
connect.directory()
middleware for serving directory listings
- Fixed
connect.static()
root with..
- Fixed
connect.static()
EBADF
- Fixed EBADF in
connect.static()
. Closes #297
- Changed
connect.static()
to check resolved dirname. Closes #294
- Fixed fd leak in
connect.static()
when the socket is closed - Fixed;
bodyParser()
ignoring GET/HEAD. Closes #285
- Changed to
devDependencies
- Fixed stream creation on
static()
HEAD request. [Andreas Lind Petersen] - Fixed Win32 support for
static()
- Fixed monkey-patch issue. Closes #261
- Added "hidden" option to
static()
. ignores hidden files by default. Closes * Added; exposeconnect.static.mime.define()
. Closes #251 - Fixed
errorHandler
middleware for missing stack traces. [aseemk] #274
- Added route-middleware
next('route')
support to jump passed the route itself - Added Content-Length support to
limit()
- Added route-specific middleware support (used to be in express)
- Changed; refactored duplicate session logic
- Changed; prevent redefining
store.generate
per request - Fixed;
static()
does not set Content-Type when explicitly set [nateps] - Fixed escape
errorHandler()
{error} contents - NOTE:
router
will be removed in 2.0
- Added
router.remove(path[, method])
to remove a route
- Fixed basicAuth realm issue when passing strings. Closes #253
- Added
basicAuth(username, password)
support - Added
errorHandler.title
defaulting to "Connect" - Changed
errorHandler
css
- Fixed
logger()
httpsremoteAddress
logging [Alexander Simmerl]
- Added
router.lookup(path[, method])
- Added
router.match(url[, method])
- Added basicAuth async support. Closes #223
- Added; allow
logger()
callback function to return an empty string to ignore logging - Fixed; utilizing
mime.charsets.lookup()
forstatic()
. Closes 245
- Added
logger()
support for format function - Fixed
logger()
to support mess of writeHead()/progressive api for node 0.4.x
- Changed;
limit()
now callsreq.destroy()
- Added request "limit" event to
limit()
middleware - Changed;
limit()
middleware willnext(err)
on failure
- Fixed session middleware for HTTPS. Closes #241 [reported by mt502]
- Added
Session#reload(fn)
- Fixed
res.setHeader()
patch, preserve casing
- Fixed;
logger()
usingreq.originalUrl
instead ofreq.url
- Added
res.charset
- Added conditional sessions example
- Added support for
session.ignore
to be replaced. Closes #227 - Fixed
Cache-Control
delimiters. Closes #228
- Fixed;
static.send()
invokes callback with connection error
- Fixed exported connect function
- Fixed package.json; node ">= 0.4.1 < 0.5.0"
- Added
Session#save(fn)
. Closes #213 - Added callback support to
connect.static.send()
for express - Added
connect.static.send()
"path" option - Fixed content-type in
static()
for index.html
- Added
stack
,message
, anddump
errorHandler option aliases - Added
req.originalMethod
to methodOverride - Added
favicon()
maxAge option support - Added
connect()
alternative toconnect.createServer()
- Added new documentation
- Added Range support to
static()
- Added HTTPS support
- Rewrote session middleware. The session API now allows for session-specific cookies, so you may alter each individually. Click to view the new session api.
- Added middleware self-awareness. This helps prevent
middleware breakage when used within mounted servers.
For example
cookieParser()
will not parse cookies more than once even when within a mounted server. - Added new examples in the
./examples
directory - Added limit() middleware
- Added profiler() middleware
- Added responseTime() middleware
- Renamed
staticProvider
tostatic
- Renamed
bodyDecoder
tobodyParser
- Renamed
cookieDecoder
tocookieParser
- Fixed ETag quotes. [reported by papandreou]
- Fixed If-None-Match comma-delimited ETag support. [reported by papandreou]
- Fixed; only set req.originalUrl once. Closes #124
- Fixed symlink support for
static()
. Closes #123
- Fixed SID space issue. Closes #196
- Fixed; proxy
res.end()
to commit session data - Fixed directory traversal attack in
staticProvider
. Closes #198
- qs >= 0.0.4
- Added
qs
dependency - Fixed router race-condition causing possible failure
when
next()
ing to one or more routes with parallel requests
- Added
onvhost()
call so Express (and others) can know when they are - Revert "Added stylus support" (use the middleware which ships with stylus)
- Removed custom
Server#listen()
to allow regularhttp.Server#listen()
args to work properly - Fixed long standing router issue (#83) that causes '.' to be disallowed within named placeholders in routes [Andreas Lind Petersen]
- Fixed
utils.uid()
length error [Jxck] mounted
- Added stylus support to
compiler
- favicon.js cleanup
- compiler.js cleanup
- bodyDecoder.js cleanup
- Changed; using sha256 HMAC instead of md5. [Paul Querna]
- Changed; generated a longer random UID, without time influence. [Paul Querna]
- Fixed; session middleware throws when secret is not present. [Paul Querna]
- Added; throw when router path or callback is missing
- Fixed;
next(err)
on cookie parse exception instead of ignoring - Revert "Added utils.pathname(), memoized url.parse(str).pathname"
- Added docs/api.html
- Added
utils.pathname()
, memoized url.parse(str).pathname - Fixed
session.id
issue. Closes #183 - Changed; Defaulting
staticProvider
maxAge to 0 not 1 year. Closes #179 - Removed bad outdated docs, we need something new / automated eventually
- Added default OPTIONS support to router middleware
- Added
req.session.id
mirroringreq.sessionID
- Refactored router, exposing
connect.router.methods
- Exclude non-lib files from npm
- Removed imposed headers
X-Powered-By
,Server
, etc
- Added ./index.js
- Added route segment precondition support and example
- Added named capture group support to router
- Added
basicAuth
middleware - Added more HTTP methods to the
router
middleware
- Added staticGzip middleware
- Added
connect.utils
to expose utils - Added
connect.session.Session
- Added
connect.session.Store
- Added
connect.session.MemoryStore
- Added
connect.middleware
to expose the middleware getters - Added
buffer
option to logger for performance increase - Added favicon middleware for serving your own favicon or the connect default
- Added option support to staticProvider, can now pass root and lifetime.
- Added; mounted
Server
instances now have theroute
property exposed for reflection - Added support for callback as first arg to
Server#use()
- Added support for
next(true)
in router to bypass match attempts - Added
Server#listen()
host support - Added
Server#route
whenServer#use()
is called with a route on aServer
instance - Added methodOverride X-HTTP-Method-Override support
- Refactored session internals, adds secret option
- Renamed
lifetime
option tomaxAge
in staticProvider - Removed connect(1), it is now spark(1)
- Removed connect(1) dependency on examples, they can all now run with node(1)
- Remove a typo that was leaking a global.
- Removed
Object.prototype
forEach() and map() methods - Removed a few utils not used
- Removed
connect.createApp()
- Removed
res.simpleBody()
- Removed format middleware
- Removed flash middleware
- Removed redirect middleware
- Removed jsonrpc middleware, use visionmedia/connect-jsonrpc
- Removed pubsub middleware
- Removed need for
params.{captures,splat}
in router middleware,params
is an array - Changed; compiler no longer 404s
- Changed; router signature now matches connect middleware signature
- Fixed a require in session for default
MemoryStore
- Fixed nasty request body bug in router. Closes #54
- Fixed less support in compiler
- Fixed bug preventing proper bubbling of exceptions in mounted servers
- Fixed bug in
Server#use()
preventingServer
instances as the first arg - Fixed ENOENT special case, is now treated as any other exception
- Fixed spark env support
- Added support for router
next()
to continue calling matched routes - Added mime type for cache.manifest files.
- Changed compiler middleware to use async require
- Changed session api, stores now only require
#get()
, and#set()
- Fixed cacheManifest by adding
utils.find()
back
- Added calls to
Session()
casts the given object as aSession
instance - Added passing of
next()
to router callbacks. Closes #46 - Changed;
MemoryStore#destroy()
removesreq.session
- Changed
res.redirect("back")
to default to "/" when Referr?er is not present - Fixed staticProvider urlencoded paths issue. Closes #47
- Fixed staticProvider middleware responding to GET requests
- Fixed jsonrpc middleware
Accept
header check. Closes #43 - Fixed logger format option
- Fixed typo in compiler middleware preventing the dest option from working
- Revamped the api, view the Connect documentation for more info (hover on the right for menu)
- Added extended api docs
- Added docs for several more middleware layers
- Added
connect.Server#use()
- Added compiler middleware which provides arbitrary static compilation
- Added
req.originalUrl
- Removed blog example
- Removed sass middleware (use compiler)
- Removed less middleware (use compiler)
- Renamed middleware to be camelcase, body-decoder is now bodyDecoder etc.
- Fixed
req.url
mutation bug when matchingconnect.Server#use()
routes - Fixed
mkdir -p
implementation used in bin/connect. Closes #39 - Fixed bug in bodyDecoder throwing exceptions on request empty bodies
make install
installing lib to $LIB_PREFIX aka $HOME/.node_libraries
- Added static middleware usage example
- Added support for regular expressions as paths for router
- Added
util.merge()
- Increased performance of static by ~ 200 rps
- Renamed the rest middleware to router
- Changed rest api to accept a callback function
- Removed router middleware
- Removed proto.js, only
Object#forEach()
remains
- Added Server#use() which contains the Layer normalization logic
- Added documentation for several middleware
- Added several new examples
- Added less middleware
- Added repl middleware
- Added vhost middleware
- Added flash middleware
- Added cookie middleware
- Added session middleware
- Added
utils.htmlEscape()
- Added
utils.base64Decode()
- Added
utils.base64Encode()
- Added
utils.uid()
- Added bin/connect app path and --config path support for .js suffix, although optional. Closes #26
- Moved mime code to
utils.mime
, exutils.mime.types
, andutils.mime.type()
- Renamed req.redirect() to res.redirect(). Closes #29
- Fixed sass 404 on ENOENT
- Fixed +new Date duplication. Closes #24
- Added workerPidfile() to bin/connect
- Added --workers support to bin/connect stop and status commands
- Added redirect middleware
- Added better --config support to bin/connect. All flags can be utilized
- Added auto-detection of ./config.js
- Added config example
- Added
net.Server
support to bin/connect - Writing worker pids relative to
env.pidfile
- s/parseQuery/parse/g
- Fixed npm support
- Fixed node dependency in package.json, now ">= 0.1.98-0" to support HEAD
- Added
-V, --version
to bin/connect - Added
utils.parseCookie()
- Added
utils.serializeCookie()
- Added
utils.toBoolean()
- Added sass middleware
- Added cookie middleware
- Added format middleware
- Added lint middleware
- Added rest middleware
- Added ./package.json (npm install connect)
- Added
handleError()
support - Added
process.connectEnv
- Added custom log format support to log middleware
- Added arbitrary env variable support to bin/connect (ext: --logFormat ":method :url")
- Added -w, --workers to bin/connect
- Added bin/connect support for --user NAME and --group NAME
- Fixed url re-writing support
- Initial release