@next-safe/middleware@0.9.0

@github-actions github-actions released this 24 Jul 03:26
· 32 commits to main since this release

Notes

  • Next 12.2 brought some significant changes to script insertion behavior / ISR that break the lib in certain cases with prior versions

  • All routes with getServerSideProps have to be wrapped with gsspWithNonceAppliedToCsp from now on for Nonce-based CSP to work

  • Only Next >= 12.2 is supported by this lib from now on

Minor Changes

  • #47 071f993 Thanks @nibtime! - provide gsspWithNonceAppliedToCsp and gipWithNonceAppliedToCsp wrappers to inject nonce into pages with getServerSideProps / getInitialProps.

    BREAKING CHANGE: nonce doesn't get applied to CSP automatically anymore. This extra step is necessary
    as there is no longer a way of reliably doing that with Next 12.2.

    BREAKING CHANGE: drop enhanceAppWithNonce, it's no longer needed as nonce is injected through getServerSideProps of routes/pages now. That's actually a good thing, because customizing renderPage is discouraged

  • #47 f9ecbe3 Thanks @nibtime! - 💥 changes to ChainableMiddleware decrease resource utilization (fixes #45)

    • new MiddlewareChainContext interface

    perf: decrease CPU utilization

    • use ctx.cache.get and ctx.cache.set for caching CSP in middleware chain (no serialize/deserialize)
    • write to response only once from chain cache at the end
    • remove some unnecessary double ops

    perf: decrease deployed size

    • use new built-in userAgent from next/server

    BREAKING CHANGE: supports only Stable middleware from now on (needs next >= 12.2, as is specified in peerDeps)

    BREAKING CHANGE: replace ua-parser-js with userAgent from next/server available since 12.2

    BREAKING CHANGE: ChainableMiddleware with (ctx: MiddlewareChainContext) as 3rd parameter.

    BREAKING CHANGE: turn positional params into named params for Configinitializer

Patch Changes

  • #47 f9ecbe3 Thanks @nibtime! - fix(document): use any type (children and return value) for components of provideComponents (fixes #46)

  • #47 071f993 Thanks @nibtime! - fix(document): support new script insertion behavior

    • handle getPreloadDynamicChunks and getPreloadMainLinks in <Head>
    • hash beforeInteractiveInlineScripts in <Head>
    • handle scripts also in drop-in component for <NextScript>
    • trustify scripts in initialProps.head

  • #47 071f993 Thanks @nibtime! - fix(document): prevent application of nonce in production builds (fixes #49)

  • #47 f9ecbe3 Thanks @nibtime! - provide base logical operators for chain matchers (request predicates): matchNot, matchAnd, matchOr

  • #47 071f993 Thanks @nibtime! - fix(strictDynamic): exclude Safari from Hash-based Strict CSP

  • #47 071f993 Thanks @nibtime! - fix: consider basePath from next.config.js for writing and fetching hashes (fixes #48)

  • #47 f9ecbe3 Thanks @nibtime! - fix: better isPageRequest matcher

    • exclude only basepaths /_next and /api
    • exclude all paths with file endings
    • exclude isPreviewModeRequest and isNextJsDataRequest (new matchers)

  • #47 071f993 Thanks @nibtime! - perf(middleware): telemetry wrapper to log basic measurements and infos from middleware execution

  • #47 f9ecbe3 Thanks @nibtime! - fix(csp): handle boolean directives correctly
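
The isPageRequest exclusions and the matchNot / matchAnd / matchOr operators listed above can be sketched as follows. This is an added example, not code from @next-safe/middleware: the plain-object request shape, the helpers hasBasePath, hasFileEnding and pagePaths, and the detection of data and preview requests via the x-nextjs-data header and the Next.js preview cookies are assumptions made for illustration.

```javascript
// Added illustration, not the source of @next-safe/middleware.
// Assumed request shape: { pathname, headers, cookies } as plain objects.

// Logical combinators over request predicates.
const matchNot = (m) => (req) => !m(req);
const matchAnd = (...ms) => (req) => ms.every((m) => m(req));
const matchOr = (...ms) => (req) => ms.some((m) => m(req));

// Prefix match on a segment boundary, so "/apiary" is not taken for "/api".
const hasBasePath = (base) => (req) =>
  req.pathname === base || req.pathname.startsWith(base + "/");

// Last path segment has a file ending: /favicon.ico, /robots.txt, ...
const hasFileEnding = (req) => /\.[^/]+$/.test(req.pathname);

// Assumption: data requests are marked with an x-nextjs-data header.
const isNextJsDataRequest = (req) => "x-nextjs-data" in (req.headers || {});

// Assumption: preview mode is marked by the Next.js preview cookies.
const isPreviewModeRequest = (req) =>
  ["__prerender_bypass", "__next_preview_data"].some(
    (name) => name in (req.cookies || {})
  );

// A page request is whatever survives all exclusions from the release note.
const isPageRequest = matchNot(
  matchOr(
    hasBasePath("/_next"),
    hasBasePath("/api"),
    hasFileEnding,
    isPreviewModeRequest,
    isNextJsDataRequest
  )
);

// Constructed sample requests.
const samples = [
  { pathname: "/" },
  { pathname: "/apiary/overview" },
  { pathname: "/blog/v1.2/post" },
  { pathname: "/api/login" },
  { pathname: "/_next/static/chunks/main.js" },
  { pathname: "/favicon.ico" },
  { pathname: "/blog", headers: { "x-nextjs-data": "1" } },
  { pathname: "/blog", cookies: { __prerender_bypass: "token" } },
];

const pagePaths = (reqs) => reqs.filter(isPageRequest).map((r) => r.pathname);
console.log(pagePaths(samples));
```

A matcher that is too broad leaves an HTML page without its CSP header, so the segment-boundary and dotted-directory cases are the ones to keep in a regression test.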