mastercontroller 1.3.25 → 1.3.27

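--- a/package/MasterControl.js
+++ b/package/MasterControl.js
@@ -146,25 +146,10 @@ class MasterControl {
  // Only freeze in production to allow for easier debugging in development
  const isProduction = process.env.NODE_ENV === 'production';
 
- if (isProduction) {
- // Freeze prototypes to prevent prototype pollution attacks
- try {
- Object.freeze(Object.prototype);
- Object.freeze(Array.prototype);
- Object.freeze(Function.prototype);
-
- logger.info({
- code: 'MC_SECURITY_PROTOTYPE_FROZEN',
- message: 'Prototypes frozen in production mode for security'
- });
- } catch (err) {
- logger.warn({
- code: 'MC_SECURITY_FREEZE_FAILED',
- message: 'Failed to freeze prototypes',
- error: err.message
- });
- }
- }
+ // NOTE: Prototype freezing was removed. Freezing Object.prototype/Array.prototype/
+ // Function.prototype breaks third-party libraries (e.g., long, mysql2) that define
+ // properties on their prototypes after framework init. Prototype pollution protection
+ // is handled via input validation in MasterValidator.js instead.
 
  // Add prototype pollution detection utility
  this._detectPrototypePollution = (obj) => {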
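Review bot: Removing the `Object.freeze` block takes away a runtime backstop against prototype pollution in production, and the replacement NOTE relies on input validation in MasterValidator.js that this diff does not touch, so it cannot be confirmed from here that every request-derived merge or key assignment rejects `__proto__`, `constructor` and `prototype`. The two context lines at the top of the hunk are now stale: `// Only freeze in production to allow for easier debugging in development` describes code that no longer exists, and `isProduction` may be unused (the rest of the method is outside the hunk), so drop or reword them. The NOTE could also point operators at an opt-in hardening that does not break libraries, for example `// Optional hardening: start node with --disable-proto=delete (covers the __proto__ accessor only, not constructor.prototype)`. Since the `MC_SECURITY_PROTOTYPE_FROZEN` log line disappears as well, anyone alerting on it should be told that its absence is now expected.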
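--- a/package/MasterRouter.js
+++ b/package/MasterRouter.js
@@ -37,7 +37,9 @@ const HTTP_METHODS = {
  GET: 'get',
  POST: 'post',
  PUT: 'put',
+ PATCH: 'patch',
  DELETE: 'delete',
+ HEAD: 'head',
  OPTIONS: 'options'
  };
 
@@ -239,7 +241,10 @@ const ROUTER_CONFIG = {
  const pathObj = normalizePaths(requestObject.pathName, route.path, testParams);
 
  // if we find the route that matches the request
- if(pathObj.requestPath === pathObj.routePath && route.type === requestObject.type){
+ // HEAD requests match GET routes per HTTP spec (RFC 9110 §9.3.2)
+ const methodMatches = route.type === requestObject.type
+ || (requestObject.type === HTTP_METHODS.HEAD && route.type === HTTP_METHODS.GET);
+ if(pathObj.requestPath === pathObj.routePath && methodMatches){
  // Only commit the extracted params if this route actually matches
  requestObject.params = testParams;
 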
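Review bot: The HEAD-to-GET fallback in `methodMatches` is evaluated per route, so if the surrounding loop stops at the first match (the loop is outside the hunk), a GET route registered before an explicit HEAD route for the same path wins and the HEAD route is never reached. Prefer matching the exact method first and falling back to GET only when no HEAD route matched, or at least document the ordering with `// NOTE: an explicit HEAD route must be registered before the GET route for the same path`. The matched GET handler also runs while `requestObject.type` is still `'head'`, so confirm that the response path suppresses the body and that any method-keyed checks (authorization, CSRF, rate limiting) treat HEAD the same as GET rather than skipping it.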
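--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "mastercontroller",
- "version": "1.3.25",
+ "version": "1.3.27",
  "description": "Fortune 500 ready Node.js MVC framework with enterprise security, monitoring, and horizontal scaling",
  "main": "MasterControl.js",
  "license": "MIT",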