Releases: cloudflare/capnweb
Release list
[email protected]
Minor Changes
- #185
0b20ec6Thanks @ndisidore! - Add configurable receiver-side resource limits (RpcSessionOptions.limits) that cap bigint length, message nesting depth, and incoming message size to guard against untrusted-peer resource exhaustion (#184).
Patch Changes
-
#190
6e5c562Thanks @taylorodell! - Several correctness and robustness fixes:- Error deserialization no longer resolves an attacker-supplied error type name to an inherited
Object.prototypemember.ERROR_TYPESnow has a null prototype, so a wire value such as["error","constructor",...]no longer resolves toObject(which produced aStringwrapper instead of anError, bypassinginstanceof Errorchecks), and a name like"toString"no longer resolves to a non-constructor and throws. Unknown names correctly fall back toError. - Error deserialization now filters inherited
Object.prototypekeys (andtoJSON) out of an error's own-property bag, matching the behavior already applied when deserializing plain objects. Keys such as__proto__,toString, andvalueOfare no longer copied onto deserialized errors. - Resolving an import that has already been resolved now disposes the redundant resolution instead of overwriting (and leaking) the previous one.
- The
abortmessage handler now hands error handlers the unwrapped abort reason rather than the internal payload wrapper, matching therejecthandler. - WebSocket close reasons longer than the 123-byte limit are now truncated on a UTF-8 character boundary, so aborting a session with a long reason no longer throws from
WebSocket.close().
- Error deserialization no longer resolves an attacker-supplied error type name to an inherited
[email protected]
Patch Changes
- #195
78744caThanks @aleister1102! - Fix nodeHttpBatchRpcResponse leaving the connection open and crashing with
ERR_HTTP_HEADERS_SENT on non-POST requests. It now returns 405 immediately.
[email protected]
Minor Changes
-
#186
c70bbb7Thanks @teamchong! - Add transport encoding levels so custom RPC transports can work withjsonCompatiblevalues,jsonCompatibleWithBytesvalues, orstructuredClonablemessages instead of always receiving JSON strings.Note:
MessagePortsessions now post structured-clonable objects over the port instead of JSON strings. This changes the wire format between the two ends of the port, so both ends of aMessagePortsession must upgrade to this version together.
[email protected]
Patch Changes
- #197
0409821Thanks @teamchong! - Treat Workersfetchandconnectlifecycle methods as passthrough methods onWorkerEntrypointandDurableObjecttargets.
[email protected]
Patch Changes
- #194
4093556Thanks @teamchong! - Fix@validateRpc()breaking decorated classes that extend other decorated classes: prototype methods are now wrapped in place instead of returning a Proxy from the constructor, so subclass-only methods validate correctly, instances stay real brandedRpcTargets, and incoming callback stubs pass through as native stubs (opt in to validating them withvalidateStub<T>(stub)).
[email protected]
Minor Changes
- #169
2cb51ebThanks @teamchong! - Introduced capnweb-validate, a separate package that allows you to wrap your RPC interfaces in runtime type-checking based on your TypeScript interfaces.
v0.8.0
Minor Changes
- #155
48f4d49Thanks @G4brym! - AddBlobas a serializable type over RPC.Blobobjects can now be passed as call arguments and return values. The MIME type (blob.type) is preserved across the wire.
Patch Changes
-
#166
7413e43Thanks @aron-cf! - Errors properties, usingObject.keys(), are now preserved across the wire. Attach fields likecodeordetailsto anErrorand they propagate to the other side. Thecauseanderrors(forAggregateError) properties will also be preserved. -
#168
25baebfThanks @kentonv! - Fix memory leak that kept all messages received in a session pinned in memory until the session ended, due to surprising implementation details of JavaScript Promises. -
#152
9e499e2Thanks @VastBlast! - Fix serialization for Invalid/NaN dates
v0.7.0
v0.6.1
v0.6.0
Minor Changes
-
#145
5667226Thanks @kentonv! - When Node'sBufferis available, Cap'n Web will now serialize it the same asUint8Array, and will deserialize all byte arrays asBufferby default.Bufferis a subclass ofUint8Array, so this should be compatible while being convenient in Node apps. -
#142
60be60dThanks @VastBlast! - Major improvements to type definitions, fixing bugs and making them more accurate.