koa-classic-server 2.5.2 → 2.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/docs/CHANGELOG.md +69 -0
- package/package.json +7 -4
package/docs/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,75 @@ All notable changes to koa-classic-server will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [2.6.0] - 2026-03-01
|
|
9
|
+
|
|
10
|
+
### ๐ฆ Dependency Upgrades
|
|
11
|
+
|
|
12
|
+
#### mime-types: ^2.1.35 โ ^3.0.2 (Major)
|
|
13
|
+
- **Breaking change upstream**: New `mimeScore` algorithm for extension conflict resolution
|
|
14
|
+
- **Impact on this project**: Minimal โ the 11 changed MIME mappings affect only uncommon extensions
|
|
15
|
+
- **Notable mapping changes**:
|
|
16
|
+
- `.wav`: `audio/wave` โ `audio/wav` (equivalent, all browsers accept both)
|
|
17
|
+
- `.js`: `application/javascript` โ `text/javascript` (correct per RFC 9239)
|
|
18
|
+
- `.rtf`: `text/rtf` โ `application/rtf` (marginal, rare usage)
|
|
19
|
+
- `.mp4`: Unchanged in v3.0.2 โ still resolves to `video/mp4`
|
|
20
|
+
- **Node.js requirement**: mime-types 3 requires Node.js >= 18
|
|
21
|
+
|
|
22
|
+
#### ejs: ^3.1.10 โ ^4.0.0 (Major)
|
|
23
|
+
- **Breaking changes upstream**: None affecting this project
|
|
24
|
+
- EJS 4 removed deprecated `with()` statement support (this project never used it)
|
|
25
|
+
- EJS 4 added stricter `exports` map in package.json
|
|
26
|
+
- **API fully compatible**: `ejs.render()` and `ejs.renderFile()` work identically
|
|
27
|
+
- **Security**: EJS 3.x is EOL โ v4 resolves known CVEs in the 3.x line
|
|
28
|
+
|
|
29
|
+
### ๐ง Configuration Changes
|
|
30
|
+
|
|
31
|
+
#### Added `engines` field
|
|
32
|
+
- Added `"engines": { "node": ">=18" }` to package.json
|
|
33
|
+
- Formalizes the Node.js minimum version requirement imposed by mime-types 3
|
|
34
|
+
|
|
35
|
+
#### Tightened Koa peerDependency for 2.x
|
|
36
|
+
- **koa**: `"^2.0.0 || >=3.1.2"` โ `"^2.16.4 || >=3.1.2"`
|
|
37
|
+
- Excludes Koa 2.0.0โ2.16.3 which are affected by 4 known CVEs:
|
|
38
|
+
- CVE-2025-25200: ReDoS via `X-Forwarded-Proto`/`X-Forwarded-Host` (CVSS 9.2, fixed in 2.15.4)
|
|
39
|
+
- CVE-2025-32379: XSS via `ctx.redirect()` (fixed in 2.16.1)
|
|
40
|
+
- CVE-2025-62595: Open Redirect via trailing `//` (fixed in 2.16.3)
|
|
41
|
+
- CVE-2026-27959: Host Header Injection via `ctx.hostname` (CVSS 7.5, fixed in 2.16.4)
|
|
42
|
+
|
|
43
|
+
### ๐งช Testing
|
|
44
|
+
- All 309 tests pass across 11 test suites (zero regressions)
|
|
45
|
+
- No code changes required โ both library upgrades are API-compatible
|
|
46
|
+
|
|
47
|
+
### ๐ฆ Package Changes
|
|
48
|
+
- **Version**: `2.5.2` โ `2.6.0`
|
|
49
|
+
- **Semver**: Minor version bump (dependency upgrades, no API changes)
|
|
50
|
+
|
|
51
|
+
---
|
|
52
|
+
|
|
53
|
+
## [2.5.2] - 2026-03-01
|
|
54
|
+
|
|
55
|
+
### ๐ Security Fix
|
|
56
|
+
|
|
57
|
+
#### Resolved all 11 npm audit vulnerabilities
|
|
58
|
+
- **jest**: `^29.7.0` โ `^30.2.0` (major โ fixes minimatch ReDoS, brace-expansion ReDoS, @babel/helpers inefficient RegExp)
|
|
59
|
+
- **supertest**: `^7.0.0` โ `^7.2.2` (fixes critical form-data unsafe random boundary)
|
|
60
|
+
- **inquirer**: `^12.4.1` โ `^13.3.0` (fixes tmp arbitrary file write via symlink, external-editor chain)
|
|
61
|
+
- **autocannon**: `^7.15.0` โ `^8.0.0` (major)
|
|
62
|
+
|
|
63
|
+
#### Updated peerDependency
|
|
64
|
+
- **koa**: `"^2.0.0 || ^3.0.0"` โ `"^2.0.0 || >=3.1.2"`
|
|
65
|
+
- Excludes Koa 3.0.0โ3.1.1 which had Host Header Injection via `ctx.hostname`
|
|
66
|
+
|
|
67
|
+
### ๐งช Testing
|
|
68
|
+
- All 309 tests pass across 11 test suites (zero regressions)
|
|
69
|
+
- `npm audit` reports 0 vulnerabilities
|
|
70
|
+
|
|
71
|
+
### ๐ฆ Package Changes
|
|
72
|
+
- **Version**: `2.5.1` โ `2.5.2`
|
|
73
|
+
- **Semver**: Patch version bump (security fixes only, no API changes)
|
|
74
|
+
|
|
75
|
+
---
|
|
76
|
+
|
|
8
77
|
## [2.5.1] - 2026-03-01
|
|
9
78
|
|
|
10
79
|
### ๐ Documentation
|
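Review bot: In the 2.6.0 entry, the `**Security**: EJS 3.x is EOL` bullet says v4 resolves known CVEs in the 3.x line but names none, while the Koa bullets further down list each CVE with the version that fixed it; list the EJS advisories the same way or reword the claim. package.json keeps `ejs` under `devDependencies`, so the entry should also state that this bump does not change what gets installed for consumers. Separately, the `**Semver**` bullet reads "no API changes", yet the same entry records a Node.js >= 18 floor, a narrower Koa peer range and a `.js` Content-Type switch to `text/javascript`; a short upgrade-notes line would help consumers pinned to older Koa 2.x or matching on `application/javascript`.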
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "koa-classic-server",
|
|
3
|
-
"version": "2.
|
|
3
|
+
"version": "2.6.0",
|
|
4
4
|
"description": "High-performance Koa middleware for serving static files with Apache-like directory listing, HTTP caching, template engine support, and comprehensive security fixes",
|
|
5
5
|
"main": "index.cjs",
|
|
6
6
|
"exports": {
|
|
@@ -33,15 +33,18 @@
|
|
|
33
33
|
"type": "git",
|
|
34
34
|
"url": "https://github.com/italopaesano/koa-classic-server"
|
|
35
35
|
},
|
|
36
|
+
"engines": {
|
|
37
|
+
"node": ">=18"
|
|
38
|
+
},
|
|
36
39
|
"dependencies": {
|
|
37
|
-
"mime-types": "^
|
|
40
|
+
"mime-types": "^3.0.2"
|
|
38
41
|
},
|
|
39
42
|
"peerDependencies": {
|
|
40
|
-
"koa": "^2.
|
|
43
|
+
"koa": "^2.16.4 || >=3.1.2"
|
|
41
44
|
},
|
|
42
45
|
"devDependencies": {
|
|
43
46
|
"autocannon": "^8.0.0",
|
|
44
|
-
"ejs": "^
|
|
47
|
+
"ejs": "^4.0.0",
|
|
45
48
|
"inquirer": "^13.3.0",
|
|
46
49
|
"jest": "^30.2.0",
|
|
47
50
|
"supertest": "^7.2.2"
|
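Review bot: In `peerDependencies`, the `>=3.1.2` half of `"koa": "^2.16.4 || >=3.1.2"` has no upper bound, so a future Koa 4.x would satisfy it untested, whereas the 2.x half is capped by the caret; `^3.1.2` would keep the exclusion of the affected 3.x releases without accepting unreleased majors. The new `engines` block is only advisory under npm's defaults (an unsupported Node version gets an EBADENGINE warning unless `engine-strict` is set), so if Node 18 is a hard requirement it deserves a line in the install documentation as well. Both the `engines` floor and the raised Koa 2.x floor narrow what existing installs may use, which is worth flagging for a release versioned as a minor.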