
Releases: SoftInstigate/restheart

8.5.0

25 Jun 16:07
e7398c8

RESTHeart 8.5.0 Release Notes

Release Date: June 25, 2025

Summary

RESTHeart 8.5.0 introduces origin whitelist patterns for enhanced CSRF protection with glob-like pattern matching, Docker image improvements with better certificate handling and optimized package management, and comprehensive dependency updates across the entire stack for improved security and performance.

New Features

Security Enhancements

Origin Whitelist Patterns Support

  • Added support for glob-like patterns in the OriginVetoer authorizer through a new whitelist-patterns configuration property
  • Enables flexible origin matching with patterns like *.example.com or https://*.mydomain.com
  • Patterns are automatically converted to regular expressions for efficient matching
  • Maintains full backward compatibility with the existing whitelist property for exact and prefix matches
  • Enhanced logging to clarify which whitelist mechanism is being used
  • Provides more flexible and secure CSRF protection for deployments with dynamic or wildcard origins

Infrastructure Improvements

Docker Image Optimization

  • Added explicit installation of ca-certificates package for improved SSL/TLS certificate handling
  • Enhanced package management with --no-install-recommends flag and autoremove to minimize image size
  • Simplified default ping message configuration in environment variables
  • Improved security and reliability through optimized package installation process

Dependency Updates

Core Dependencies

  • mongodb-driver-sync: Updated to latest version for improved MongoDB connectivity
  • caffeine: Updated caching library for better performance
  • gson: Updated JSON processing library
  • commons-codec: Updated Apache Commons codec utilities
  • commons-jxpath: Updated XPath processing library
  • snakeyaml: Updated YAML configuration processing
  • jna: Updated Java Native Access library
  • tika-core: Updated Apache Tika content detection

Development and Testing

  • junit-jupiter: Updated testing framework
  • mockito-core: Updated mocking framework for tests
  • checker-qual: Updated type checker annotations
  • metrics-core & metrics-jvm: Updated application metrics libraries
  • classgraph: Updated classpath scanning library
  • Various Maven plugins: Updated build toolchain

Code Quality Improvements

  • Enhanced code readability through strategic addition of final modifiers
  • Improved annotation formatting for better maintainability
  • General code quality improvements and refactoring

Technical Notes

The whitelist-patterns feature in OriginVetoer represents a significant enhancement for organizations deploying RESTHeart in environments with dynamic subdomains or multiple related domains. The glob pattern support allows for more maintainable security configurations while preserving the security guarantees of the existing exact-match whitelist system.
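The conversion from a glob-like origin pattern to a regular expression, as an added example that is not RESTHeart's own code. The class and method names are hypothetical, and the conversion rule used here (`*` becomes `.*`, every other character is literal, the whole Origin value must match) is an assumption of this example rather than documented OriginVetoer behaviour. It contrasts a naive conversion, which accepts look-alike hosts, with a quoted one that rejects them.

```java
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical demo class; not part of RESTHeart.
public class OriginGlobDemo {
    // Naive conversion, shown for contrast: '.' is left as a regex wildcard.
    static Pattern naive(String glob) {
        return Pattern.compile(glob.replace("*", ".*"));
    }

    // Quoted conversion: each literal run goes through Pattern.quote(),
    // so '*' is the only character with wildcard meaning.
    static Pattern quoted(String glob) {
        String[] literals = glob.split("\\*", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) regex.append(".*");
            if (!literals[i].isEmpty()) regex.append(Pattern.quote(literals[i]));
        }
        return Pattern.compile(regex.toString());
    }

    // matches() tests the whole Origin value, so a permitted origin cannot
    // appear merely as a prefix or substring of a longer one.
    static boolean allowed(Pattern p, String origin) {
        return p.matcher(origin).matches();
    }

    public static void main(String[] args) {
        String glob = "https://*.mydomain.com"; // pattern form quoted in the release notes
        List<String> origins = List.of(         // constructed sample Origin header values
            "https://app.mydomain.com",
            "https://a.b.mydomain.com",
            "https://notmydomain.com",
            "https://app.mydomain-com",
            "https://app.mydomain.com.other.test",
            "http://app.mydomain.com");
        Pattern n = naive(glob), q = quoted(glob);
        for (String o : origins) {
            System.out.printf("%-38s naive=%-5b quoted=%b%n", o, allowed(n, o), allowed(q, o));
        }
    }
}
```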

The Docker image optimizations can result in substantially smaller deployment artifacts, reducing both storage requirements and deployment times, particularly beneficial for containerized environments and CI/CD pipelines.


Contributors: Maurizio Turatti

8.4.3

10 Jun 07:25
3bd3d35

RESTHeart 8.4.3 Release Notes

Release Date: June 9, 2025

Bug Fixes

Embedded Static Resources

  • Fixed validation logic for embedded static resources: Removed incorrect validation that was preventing embedded static resources from using absolute paths. This fix allows embedded static resources to properly use absolute classpath paths starting with '/' as required by ResourcesExtractor.extract() and ClassLoader.getResource() methods.

  • Corrected error messages: Fixed misleading error messages in the Bootstrapper that incorrectly referenced the 'where' parameter when actually validating the 'what' parameter for embedded static resources binding.

  • Removed redundant null check: Cleaned up unnecessary null validation for the 'what' parameter in embedded static resources binding logic.

Technical Details

The primary issue addressed in this release was related to the validation of embedded static resources configuration. Previously, the system incorrectly blocked the use of absolute paths like "/assets" for embedded static resources, even though these paths are required for proper resource resolution from the classpath. This release ensures that embedded static resources can be properly configured and accessed as intended.


Full Changelog: 8.4.2...8.4.3

8.4.2

05 Jun 09:47
4901c79

RESTHeart 8.4.2 Release Notes

Documentation Improvements

This patch release focuses on enhancing the documentation and developer experience:

  • Improved Javadoc Coverage: Added comprehensive documentation to plugin interfaces and core packages
  • Package Documentation: Added package-info files for commons packages to provide better module-level documentation
  • Fixed Documentation Issues:
    • Corrected injection documentation from "conf" to "config" parameter name
    • Resolved Javadoc warnings in the commons module
    • Enhanced Provider and Inject annotations documentation
    • Improved documentation for the org.restheart.plugins package

Summary

Version 8.4.2 is a documentation-focused release that improves the developer experience by providing clearer and more comprehensive API documentation throughout the codebase. No functional changes or bug fixes are included in this release.

8.4.1

05 Jun 09:21
0be3ae0

RESTHeart 8.4.1 Release Notes

Documentation Improvements

This release significantly enhances API documentation across multiple core packages:

  • Comprehensive JavaDoc Coverage: Added detailed documentation to the following packages:
    • org.restheart.polyglot - Polyglot scripting support
    • org.restheart.security - Security components
    • org.restheart.mongodb - MongoDB integration
    • org.restheart.graal - GraalVM integration
    • org.restheart.handlers - Request handlers
    • org.restheart.metrics - Metrics collection
    • org.restheart.configuration - Configuration management
    • org.restheart.cache - Caching utilities
    • org.restheart.utils - Utility classes

Bug Fixes

  • Fixed incorrect parameter type in interpolateBson method
  • Fixed lenient flag documentation in overrides method
  • Corrected various typos in method names, exception classes, comments, and error messages throughout the codebase

Testing

  • Added test coverage for MongoRequest with path template mounts, including support for trailing wildcards

Infrastructure Updates

  • Maven Central Integration: Updated build configuration for Maven Central publishing
  • JDK 24 Support: Added optimized Dockerfile for JDK 24
  • Build Improvements:
    • Migrated to central-publishing-maven-plugin
    • Updated dependencies and versions
    • Improved POM formatting
    • Excluded test-plugins from publishing

Summary

Version 8.4.1 is a quality-focused release that improves documentation coverage, fixes minor issues, and updates the build infrastructure for better maintainability and distribution through Maven

6.6.4

07 Apr 16:02
9d9bdb1

RESTHeart 6.6.4 Release Notes

Bugfix release

This release applies the bug fix e70b6c4 to the 6.4.x branch: Use Pattern.quote() for regex escaping in MongoRequest

6.6.3

03 Apr 12:14
948362b

RESTHeart 6.6.3 Release Notes

This is a bug fix release.

Fixed a bug related to invalid collection names when the length is 64 characters.

Several dependencies were upgraded:

  • MongoDB drivers to v4.8.2
  • Undertow to v2.3.3.Final
  • org.json to v20220924

8.4.0

24 Mar 09:48
f6b1429

Release Notes - Version 8.4.0

Features

  • Raw Request Body Access

    • Added new RawBodyAccessor interface for retrieving raw request bodies
    • Implemented RawBodyAccessor in BsonRequest and JsonRequest classes for direct access to raw body content
  • Enhanced Ping Service

    • Added enable-extended-response configuration option for ping service
    • Extended ping response now includes client IP address and host information
    • Updated ping service configuration in YAML files to support the new extended response details

Example of new extended ping service:

GET http://localhost:8080/ping

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Location, ETag, Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location, X-Powered-By
Connection: keep-alive
Content-Encoding: gzip
Content-Length: 126
Content-Type: application/json
Date: Fri, 21 Mar 2025 11:18:29 GMT
X-Powered-By: restheart.org

{
    "client_ip": "127.0.0.1",
    "host": "localhost:8080",
    "message": "Greetings from RESTHeart!",
    "version": "8.4.0"
}

  • Docker Improvements
    • Enhanced Dockerfiles with additional metadata labels for better container information
    • Optimized Docker image size for improved efficiency
    • Updated base image to Debian 12.10-slim in native Dockerfile

Full Changelog: 8.3.4...8.4.0

8.3.4

11 Mar 20:25
1c4e9ef

RESTHeart 8.3.4 Release Notes

This release primarily focuses on improving regex handling consistency and safety within RESTHeart's codebase.

Highlights

  • Regex Handling Improvements: Standardized the use of Pattern.quote() to ensure proper regex escaping in all replaceFirst() and replaceAll() invocations.

Changes

  • Refactoring for Regex Safety:
    • Updated all instances of replaceFirst() and replaceAll() to use Pattern.quote() for safer regex handling ([b6b556b]).
    • Applied Pattern.quote() specifically to regex escaping in MongoRequest ([e70b6c4]).

Full Changelog: 8.3.3...8.3.4

8.3.3

11 Mar 20:22
07da8b2

RESTHeart 8.3.3 Release Notes

Bug Fixes

  • MongoRequest URI Processing: Fixed an issue where certain mongo-mount mapped URIs could be mistakenly interpreted as regular expressions, potentially leading to unintended behavior. This fix ensures that URI processing is handled correctly without regex interpretation issues. ([cdbee84])
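The regex-interpretation problem described here and in the 8.3.4 notes on Pattern.quote(), as an added example that is not RESTHeart's MongoRequest code. The class, the method names and the sample mount URIs are hypothetical and constructed. It also applies Matcher.quoteReplacement() to the replacement argument, which goes one step beyond what the release notes mention.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical demo class; not RESTHeart's MongoRequest code.
public class QuoteDemo {
    // Unquoted: replaceFirst() compiles `from` as a regex and expands $n in `to`.
    static String remapUnquoted(String path, String from, String to) {
        return path.replaceFirst("^" + from, to);
    }

    // Quoted: `from` is matched as a literal prefix, `to` inserted verbatim.
    static String remapQuoted(String path, String from, String to) {
        return path.replaceFirst("^" + Pattern.quote(from), Matcher.quoteReplacement(to));
    }

    // Runs one variant and reports an exception by class name instead of failing.
    static String attempt(boolean quoted, String path, String from, String to) {
        try {
            return quoted ? remapQuoted(path, from, to) : remapUnquoted(path, from, to);
        } catch (RuntimeException e) {
            return "<" + e.getClass().getSimpleName() + ">";
        }
    }

    public static void main(String[] args) {
        // Constructed cases: {request path, mount URI, target prefix}
        String[][] cases = {
            {"/api.v1/people",   "/api.v1",   "/db"},   // '.' in the mount
            {"/apiXv1/people",   "/api.v1",   "/db"},   // different path, same regex
            {"/c++/people",      "/c++",      "/db"},   // '++' is a possessive quantifier
            {"/files(1)/people", "/files(1)", "/db"},   // '(1)' is a capture group
            {"/data[/people",    "/data[",    "/db"},   // unterminated character class
            {"/m/people",        "/m",        "/db$"},  // '$' in the replacement
        };
        for (String[] c : cases) {
            System.out.printf("%-18s mount=%-10s unquoted=%-28s quoted=%s%n",
                c[0], c[1], attempt(false, c[0], c[1], c[2]), attempt(true, c[0], c[1], c[2]));
        }
    }
}
```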

Release Information

  • Version: 8.3.3
  • Release Date: February 24, 2025

Full Changelog: 8.3.2...8.3.3

8.3.2

06 Feb 16:55
9b9b860

Release 8.3.2

Bug Fixes

  • 🐛 Fixed stale cache issues in GraphQL AppDefinitionLoadingCache
    Resolved an issue where outdated cached data could cause NOT FOUND for an existing GraphQL app.

Dependency Updates

  • ⬆️ Upgraded dependencies to latest versions:
    • gson
    • java-jwt
    • tika-core
  • ⬆️ Updated MongoDB Java driver (mongodb-driver-sync) to version 5.3.1

Full Changelog: 8.3.1...8.3.2