Releases: h3js/h3
v2.0.1-rc.15
🚀 Enhancements
- handler: New defineJsonRpcHandler and defineJsonRpcWebSocketHandler (#1180)
🔥 Performance
- resolveLazyHandler: Replace with inline expression (#1296)
🩹 Fixes
- sse: Sanitize newlines in event stream fields to prevent SSE injection (7791538)
- static: Prevent path traversal via percent-encoded dot segments (0e751b4)
📖 Documentation
📦 Build
- Bundle docs as skill + h3 docs (#1311)
❤️ Contributors
- Pooya Parsa (@pi0)
- Sandro Circi (@sandros94)
- Octavio Araiza (@8ctavio)
- Legacy (@3m1n3nc3)
v1.15.6
v2.0.1-rc.14
💅 Refactors
- tracing: Rename tracing channel .fetch to .request (#1294)
- auth: Enhance randomJitter function for cryptographic security (#1295)
❤️ Contributors
- Pooya Parsa (@pi0)
- Sandro Circi (@sandros94)
- Abdelrahman Awad (@logaretm)
v2.0.1-rc.13
v2.0.1-rc.12
🚀 Enhancements
💅 Refactors
- Allow better debugging headers are frozen (#1287)
📖 Documentation
- Update example to use event.res.headers.set (#1289)
🏡 Chore
- Migrate to oxlint and oxfmt (#1286)
🤖 CI
- Add pkg.pr.new integration (f6f152a)
❤️ Contributors
- Pooya Parsa (@pi0)
- Kricsleo (@kricsleo)
- Daniel Slepov danil.slepov@gmail.com
v2.0.1-rc.11
v2.0.1-rc.10
v2.0.1-rc.9
v1.15.5
Important
Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.
In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant.
🩹 Fixes
- readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)