@small-tech/https 2.1.0 → 2.2.0

package/CHANGELOG.md

@@ -4,6 +4,32 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.2.0] - 2022-06-07
+
+Dependency update.
+
+### Changed
+
+  - Update Auto Encrypt to version 2.3.0. This updates the certificate signing request (CSR) signature algorithm from the obsolete SHA-1 to SHA-256. (Let’s Encrypt will beging to reject certificate requests signed with SHA-1 on September 15, 2022. See https://community.letsencrypt.org/t/rejecting-sha-1-csrs-and-validation-using-tls-1-0-1-1-urls/175144)
+
+## [2.1.2] - 2021-03-08
+
+Update Auto Encrypt to version 2.2.0
+
+## Fixed
+
+  - Bug when checking for certificate renewals.
+
+## Updated
+
+  - Adds latest Let’s Encrypt staging certificate authority root certificate.
+
+## [2.1.1] - 2021-02-16
+
+## Changed
+
+   - Upgrade auto-encrypt to version 2.0.6. Fixes assignment to constant that would result in a crash when a Retry-After header was received from Let’s Encrypt.
+
 ## [2.1.0] - 2020-11-04
 
 ### Changed

package/README.md

@@ -2,6 +2,8 @@
 
 A drop-in standard Node.js HTTPS module replacement with both automatic development-time (localhost) certificates via Auto Encrypt Localhost and automatic production certificates via Auto Encrypt.
 
+__Note:__ This is the CommonJS (CJS) version of the library. For the ECMAScript Modules (ESM) version, please see the main branch.
+
 Simply replace Node’s `https` module with `@small-tech/https` and get:
 
   - Automatically-provisioned TLS certificates at localhost with no browser warnings.
@@ -34,93 +36,43 @@ Works on Linux, macOS, and Windows (WSL is not supported for certificates at loc
 npm i @small-tech/https
 ```
 
-## A note on Linux and the security farce that is “privileged ports”
-
-Linux has an outdated feature dating from the mainframe days that requires a process that wants to bind to ports < 1024 to have elevated privileges. While this was a security feature in the days of dumb terminals, today it is a security anti-feature. (macOS has dropped this requirement as of macOS Mojave.)
+## Examples
 
-On modern Linux systems, you can disable privileged ports like this:
+### At localhost with automatically-provisioned development certificates via mkcert.
 
-```sh
-sudo sysctl -w net.ipv4.ip_unprivileged_port_start=0
-```
+```js
+const https = require('@small-tech/https')
 
-Or, if you want to cling to ancient historic relics like a conservative to a racist statue, ensure your Node process has the right to bind to so-called “privileged” ports by issuing the following command before use:
+const server = https.createServer((request, response) => {
+  response.end('Hello, world!')
+})
 
-```sh
-sudo setcap cap_net_bind_service=+ep $(which node)
+server.listen(443, () => {
+  console.log(' 🎉 Server running at https://localhost.')
+})
 ```
 
-If you are wrapping your Node app into an executable binary using a module like [Nexe](https://github.com/nexe/nexe), you will have to ensure that every build of your app has that capability set. For an example of how we do this in [Site.js](https://sitejs.org), [see this listing](https://source.ind.ie/site.js/app/blob/master/bin/lib/ensure.js#L124).
-
-## Example
-
-Here’s a basic Express “hello, world” app that shows you how this module can be used. Note that you don’t need express to use it.
-
-1. ### Set up:
-
-    ```sh
-    # Create the project folder and switch to it.
-    mkdir example && cd example
-
-    # Create a new npm module for the example.
-    npm init --yes
-
-    # Install dependencies.
-    npm i @small-tech/https express
-
-    # Open up the main file in your default editor.
-    $EDITOR index.js
-    ```
-
-2. ### Code (index.js):
-
-    ```javascript
-    const https = require('..')
-
-    // Helpers
-    function html(message) {
-      return `<!doctype html><html lang='en'><head><meta charset='utf-8'/><title>Hello, world!</title><style>body{background-color: white; font-family: sans-serif;}</style></head><body><h1>${message}</h1></body></html>`
-    }
-    const contentTypeHTML = {'Content-Type': 'text/html'}
-
-    let options = {}
-
-    // For globally-trusted Let’s Encrypt certificates uncomment the following section.
-    // To provision certificates, also remove “staging: true” property.
-
-    // const os = require('os')
-    // options = {
-    //   domains: [os.hostname()],
-    //   staging: true
-    // }
+Hit `https://localhost` and you should see your site with locally-trusted TLS certificates.
 
-    // Create HTTPS server at https://localhost
-    // with locally-trusted certificates.
-    const server = https.createServer(options, (request, response) => {
-      if (request.method !== 'GET') {
-        response.writeHead(404, contentTypeHTML)
-        response.end(html('Not found.'))
-        return
-      }
-      // Respond to all routes with the same page.
-      response.writeHead(200, contentTypeHTML)
-      response.end(html('Hello, world!'))
-    })
+### At hostname with automatically-provisioned Let’s Encrypt certificates.
 
-    server.listen(443, () => {
-      console.log(' 🎉 Server running on port 443.')
-    })
-    ```
+```js
+const https = require('@small-tech/https')
+const os = require('os')
 
-3. ### Run:
+const hostname = os.hostname()
+const options = { domains: [hostname] }
 
-    ```sh
-    node index
-    ```
+const server = https.createServer((request, response) => {
+  response.end('Hello, world!')
+})
 
-Hit `https://localhost` and you should see your site with locally-trusted TLS certificates.
+server.listen(443, () => {
+  console.log(` 🎉 Server running at https://${hostname}.`)
+})
+```
 
-To provision globally-trusted Let’s Encrypt certificates instead, uncomment the `options` object and pass it as the first argument in the `createServer()` method.
+To provision globally-trusted Let’s Encrypt certificates, we additionally create an `options` object containing the domain(s) we want to support, and pass it as the first argument in the `createServer()` method.
 
 You can find a version of this example in the `/example` folder. To download and run that version:
 
@@ -138,6 +90,24 @@ npm i
 npm run example
 ```
 
+## A note on Linux and the security farce that is “privileged ports”
+
+Linux has an outdated feature dating from the mainframe days that requires a process that wants to bind to ports < 1024 to have elevated privileges. While this was a security feature in the days of dumb terminals, today it is a security anti-feature. (macOS has dropped this requirement as of macOS Mojave.)
+
+On modern Linux systems, you can disable privileged ports like this:
+
+```sh
+sudo sysctl -w net.ipv4.ip_unprivileged_port_start=0
+```
+
+Or, if you want to cling to ancient historic relics like a conservative to a racist statue, ensure your Node process has the right to bind to so-called “privileged” ports by issuing the following command before use:
+
+```sh
+sudo setcap cap_net_bind_service=+ep $(which node)
+```
+
+If you are wrapping your Node app into an executable binary using a module like [Nexe](https://github.com/nexe/nexe), you will have to ensure that every build of your app has that capability set. For an example of how we do this in [Site.js](https://sitejs.org), [see this listing](https://source.ind.ie/site.js/app/blob/master/bin/lib/ensure.js#L124).
+
 ## Related projects
 
 Lower-level:
@@ -167,7 +137,7 @@ A complete [small technology](https://small-tech.org/about/#small-technology) to
 
 ## Copyright
 
-&copy; 2020 [Aral Balkan](https://ar.al), [Small Technology Foundation](https://small-tech.org).
+&copy; 2020-2021 [Aral Balkan](https://ar.al), [Small Technology Foundation](https://small-tech.org).
 
 Let’s Encrypt is a trademark of the Internet Security Research Group (ISRG). All rights reserved. Node.js is a trademark of Joyent, Inc. and is used with its permission. We are not endorsed by or affiliated with Joyent or ISRG.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@small-tech/https",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "A drop-in standard Node.js HTTPS module replacement with both automatic development-time (localhost) certificates via Auto Encrypt Localhost and automatic production certificates via Auto Encrypt.",
   "main": "index.js",
   "keywords": [
@@ -37,9 +37,9 @@
   },
   "license": "AGPL-3.0-or-later",
   "dependencies": {
-    "fs-extra": "^9.0.1",
-    "@small-tech/auto-encrypt": "^2.0.5",
-    "@small-tech/auto-encrypt-localhost": "^6.1.0"
+    "@small-tech/auto-encrypt": "^2.3.0",
+    "@small-tech/auto-encrypt-localhost": "^6.1.0",
+    "fs-extra": "^9.0.1"
   },
   "devDependencies": {
     "@small-tech/cross-platform-hostname": "^1.0.0",

package/publish

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+npm publish --tag=cjs