@blamejs/blamejs-shop 0.0.107 → 0.0.108
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
## v0.0.x
+
- v0.0.108 (2026-05-23) — **ETag + `If-None-Match` 304 handling on `/privacy` + `/terms` — saves the body bytes on every browser revalidate.** `/privacy` and `/terms` carry `max-age=3600` so a returning visitor's browser revalidates the resource every hour. Previously the revalidate downloaded the full body each time (~5KB); now the response carries an `ETag` derived from a FNV-1a hash of the minified body, and the handler compares incoming `If-None-Match` against the same etag — on a match it returns `304 Not Modified` with no body. The Edge cache (24h s-maxage) holds the 200 response; revalidates hit the Worker, run the cheap hash, and 99% of the time return a few hundred bytes instead of the full page. FNV-1a is chosen for speed + zero allocation — collision irrelevant because operators (not visitors) control the policy text, so the attacker-controlled input space at this surface is empty. **Added:** *ETag + `If-None-Match` 304 handling in `_staticHtml`* — `_staticHtml(body, method, env, request)` minifies the body, computes a 32-bit FNV-1a hash of the minified bytes, formats as a quoted hex ETag (`"<hash>"`), and returns 304 (with the ETag header repeated per RFC 7232 §4.1) when the incoming `If-None-Match` matches. The hash is content-stable — a re-render of the same operator-set policy text produces the same ETag across edge instances. Carries through to `/privacy` and `/terms`; the dynamic edge-rendered routes (`/`, `/search`, `/products/:slug`, `/blog`, `/blog/:slug`) keep their `no-store` posture since their D1-sourced content changes per-request.
+
- v0.0.107 (2026-05-23) — **`X-Robots-Tag: noindex, nofollow` on `/cart` — crawlers stop indexing the session-bound empty-state.** The guest `/cart` route ships an empty-cart render at the edge for visitors without a session cookie. Crawlers reaching the page were indexing it as if it were content; the empty-state snippet ("Your cart is empty") was appearing in SERPs as a stale search result for unrelated queries. The handler now sets `X-Robots-Tag: noindex, nofollow` on the response so well-behaved crawlers skip indexing. `robots.txt` already `Disallow`s the route — the response header is belt-and-suspenders. **Changed:** *`_edgeCartEmpty` sets `X-Robots-Tag: noindex, nofollow`* — The handler now builds its own Response (instead of routing through `_html`) so the response carries the X-Robots-Tag header alongside the full security-header set + Link preload + minification. Per-route headers compose cleanly without changing `_html`'s signature for one outlier.
- v0.0.106 (2026-05-23) — **RFC 9116 `/.well-known/security.txt` served from the edge.** Vulnerability researchers, automated scanners, and bug-bounty platforms look for `/.well-known/security.txt` (RFC 9116) before opening an unsolicited email to a generic address. The Worker now serves the canonical text with `Contact`, `Expires`, `Encryption`, `Policy`, and `Preferred-Languages` fields. Contact points at `security@blamejs.shop` and the GitHub Security Advisories private-disclosure URL; Policy points at the repo's `SECURITY.md`. Cached `public, max-age=3600, s-maxage=86400`. **Added:** *`/.well-known/security.txt` — RFC 9116 vulnerability-disclosure metadata* — The Worker emits the canonical text with five fields. `Contact: mailto:security@blamejs.shop` + `Contact: https://github.com/blamejs/blamejs.shop/security/advisories/new` (private-disclosure path through GitHub Security Advisories — researchers don't have to email to start a disclosure). `Expires:` is set to one year from response time so crawlers don't refetch constantly. `Policy: https://github.com/blamejs/blamejs.shop/blob/main/SECURITY.md` points at the in-repo disclosure policy. `Preferred-Languages: en`. Every line ends `\r\n` per the RFC. Carries the full security-header set + 1h browser / 24h edge cache.
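Review bot: the v0.0.108 entry says the handler "compares incoming `If-None-Match` against the same etag" and cites RFC 7232 §4.1 for the 304 response; the comparison also needs to follow §3.2 of that RFC, which lets the request header carry a comma-separated list of entity-tags, the `*` form, or weak tags (`W/"..."`), so a bare string equality against one quoted hex value falls back to a full 200 body for those clients and silently loses the saving the entry describes. The same entry's collision argument covers visitor-controlled input but not the operator-edited case: with a 32-bit FNV-1a tag, a later revision of the policy text that happens to hash to the previous value would be answered with 304 to browsers still holding the old body, so folding the minified length (or a longer hash) into the tag is cheap insurance and keeps the "content-stable" property. Note also that this diff touches only `CHANGELOG.md` and `package.json`, so the `_staticHtml(body, method, env, request)` change the entry documents cannot be checked against code here.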
package/package.json
CHANGED