Releases: taoensso/nippy
v2.15.3 / 2020 Sep 10
[com.taoensso/nippy "2.15.3"]
Non-breaking release. See here recommended steps when updating any Clojure/Script dependencies.
Changes since v2.15.2
*serializable-whitelist*
: added a number of common classes to default value. Seedefault-serializable-whitelist
for details.
v2.15.2 / 2020 Aug 31
[com.taoensso/nippy "2.15.2"]
This is a quick hotfix release, should be non-breaking.
Only change since v2.15.0
is to bump Encore dependency (v2.124.0
->v2.126.2
).
Encore v1.123.0
introduced an issue affecting Timbre.
Issue was addressed with Encore v2.125.2
.
Updating Encore here doesn't affect Nippy, but may be helpful for users of
Nippy that also use Timbre and that haven't otherwise updated to a newer
version of Encore yet.
v2.15.1 / 2020 Aug 27
[com.taoensso/nippy "2.15.1"]
This is a minor feature release. Should be non-breaking.
See here for a tip re: general recommended steps when updating any Clojure/Script dependencies.
New since v2.15.0
:
*serializable-whitelist*
: sets of approved class names may now contain "*" wildcards.*serializable-whitelist*
: added JVM properties and env vars to override initial value. See updated docstring for details.
Changes since v2.15.0
:
- [#126]
extend-freeze
: include id collision odds in docstring.
v2.15.0 / 2020 Jul 24
[com.taoensso/nippy "2.15.0"]
This is a major feature release. It may be BREAKING!
BREAKING CHANGES since v2.14.0
:
- [#130] [Security] Add
*serialization-whitelist*
, ENABLED BY DEFAULT to address Remote Code Execution vulnerability.
See #130 for details, incl. upgrade instructions.
Big thanks to Timo Mihaljov (@solita-timo-mihaljov) for an excellent report identifying this vulnerability!
New since v2.14.0
:
- [#127] Add utils:
freeze-to-string
,thaw-from-string
(@piotr-yuxuan) - [#113 #114] Add support for object arrays (@isaksky)
- [#83 #112] Add support for deftype (@isaksky)
- [#83 #113] Add support for URIs (@isaksky)
Changes since v2.14.0
:
- [#101] Switch default encryptor from
AES-CBC
toAES-GCM
(faster, includes integrity check) - Refactor encryption utils for extra flexibility in future
- Latest dependencies
Fixes since v2.14.0
:
- [#120] Update
freezable?
to covernil
v2.14.2 / 2020 Jul 24
[com.taoensso/nippy "2.14.2"]
This is a non-breaking hotfix security release. PLEASE READ CAREFULLY.
New since v2.14.0
:
- [#130] Add
*serialization-whitelist*
feature, DISABLED BY DEFAULT.
** SECURITY ADVISORY **
To prevent a possible Remote Code Execution (RCE) vulnerability (#130), you must opt-in to use the new *serialization-whitelist*
feature.
See the nippy/*serialization-whitelist*
docstring for usage instructions.
v2.14.0 / 2017 Dec 21
v2.13.0 / 2017 Feb 13
[com.taoensso/nippy "2.13.0"]
This is a minor, non-breaking maintenance release.
- [#91] New: Add
freeze-to-file
andthaw-from-file
utils (@Engelberg) - [#85] Impl: Lazily create LZ4 instance, fixes issue with Google App Engine
- Impl: Bump 1-byte cacheable types from 5->8
v2.13.0-RC1 / 2016 Dec 17
[com.taoensso/nippy "2.13.0-RC1"]
This should be a minor, non-breaking release.
- [#85] Impl: Lazily create LZ4 instance, fixes issue with Google App Engine
- Impl: Bump 1-byte cacheable types from 5->8
v2.12.2 / 2016 Aug 23
[com.taoensso/nippy "2.12.2"]
- Hotfix: private API typo
v2.12.1 / 2016 Jul 26
[com.taoensso/nippy "2.12.1"]
- Hotfix: thaw was missing support for deprecated serializable, record types [@rwilson]