npm - tina4-nodejs - Versions diffs - 3.13.6 → 3.13.7 - Mend

tina4-nodejs 3.13.6 → 3.13.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CLAUDE.md +2 -2
package/package.json +1 -1
package/packages/core/src/server.ts +31 -4
package/packages/core/templates/errors/500.twig +1 -1

package/CLAUDE.md CHANGED Viewed

@@ -1,10 +1,10 @@
-# CLAUDE.md — AI Developer Guide for tina4-nodejs (v3.13.6)
+# CLAUDE.md — AI Developer Guide for tina4-nodejs (v3.13.7)
 > This file helps AI assistants (Claude, Copilot, Cursor, etc.) understand and work on this codebase effectively.
 ## What This Project Is
-Tina4 for Node.js/TypeScript v3.13.6 — The Intelligent Native Application 4ramework. A convention-over-configuration structural paradigm. The developer writes TypeScript; Tina4 is invisible infrastructure.
+Tina4 for Node.js/TypeScript v3.13.7 — The Intelligent Native Application 4ramework. A convention-over-configuration structural paradigm. The developer writes TypeScript; Tina4 is invisible infrastructure.
 The philosophy: zero ceremony, batteries included, file system as source of truth.

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
-  "version": "3.13.6",
+  "version": "3.13.7",
   "type": "module",
   "description": "Tina4 for Node.js/TypeScript \u2014 54 built-in features, zero dependencies",

package/packages/core/src/server.ts CHANGED Viewed

@@ -1278,7 +1278,31 @@ ${reset}
         res({ error: "Not Found", statusCode: 404, message: `No route found for ${req.method} ${pathname}` }, 404);
       }
     } catch (err) {
-      console.error("  Error:", err);
+      // v3.13.7: log structured + surface to observability BEFORE rendering.
+      // Listeners get the canonical {exception, request} payload mirrored
+      // by Python / PHP / Ruby. Listener errors are swallowed + warning-
+      // logged so a broken listener can't break the 500 page.
+      Log.error(`Route error: ${err instanceof Error ? `${err.name}: ${err.message}` : String(err)}`, {
+        method: req?.method,
+        path: req?.path,
+      });
+      try {
+        const { Events } = await import("./events.js");
+        Events.emit("tina4.request.error", { exception: err, request: req });
+      } catch (listenerErr) {
+        try {
+          Log.warn(
+            `Listener for tina4.request.error raised: ${
+              listenerErr instanceof Error
+                ? `${listenerErr.name}: ${listenerErr.message}`
+                : String(listenerErr)
+            }`
+          );
+        } catch {
+          // Log failures must never block the 500 render.
+        }
+      }
       if (!res.raw.writableEnded) {
         if (isDevMode() && err instanceof Error) {
           // Rich error overlay with stack trace, source context, and line numbers
@@ -1287,9 +1311,12 @@ ${reset}
           res.raw.writeHead(500, { "Content-Type": "text/html; charset=utf-8" });
           res.raw.end(overlayHtml);
         } else {
-          const errorMessage = !isTruthy(process.env.TINA4_DEBUG) ? "Internal Server Error" : String(err);
+          // v3.13.7 SECURITY (CWE-209): production response body must NOT
+          // contain the stack trace or exception message. Pass an empty
+          // error_message — the 500.twig template only renders the trace
+          // block when error_message is truthy.
           const html500 = await renderErrorPage(500, {
-            error_message: errorMessage,
+            error_message: "",
             request_id: `${Date.now().toString(36)}`,
             path: req.path,
           }, templatesDir);
@@ -1297,7 +1324,7 @@ ${reset}
             res.raw.writeHead(500, { "Content-Type": "text/html; charset=utf-8" });
             res.raw.end(html500);
           } else {
-            res({ error: "Internal Server Error", statusCode: 500, message: errorMessage }, 500);
+            res({ error: "Internal Server Error", statusCode: 500 }, 500);
           }
         }
       }

package/packages/core/templates/errors/500.twig CHANGED Viewed

@@ -27,7 +27,7 @@ body { font-family: system-ui, -apple-system, sans-serif; background: #0f172a; c
         <div class="error-title">Server Error</div>
     </div>
     <div class="error-msg">Something went wrong while processing your request.</div>
-    <pre class="error-trace">{{ error_message }}</pre>
+    {% if error_message %}<pre class="error-trace">{{ error_message }}</pre>{% endif %}
     <div class="error-footer">
         <span class="error-hint">Fix the error and save to auto-reload</span>
         <span class="error-id">{{ request_id }}</span>