- Put your changes here...
- Removed `toobusy` feature since it is temperamental and the dependency is no longer maintained.
- Refactored internal `wildcardMatch` to use `minimatch` under the hood.
- Replaced `html-minifier` with `html-minifier-terser` since `html-minifier-terser` is better-maintained.
- Updated various dependencies.
- Added feature that scans the router stack to move the 404 route (the `*` route) to the end of the stack every time a new route is added, even if the route is added at runtime so that you can dynamically add routes while the app is running.
- Updated various dependencies.
- Removed `cores` feature since it is largely redundant now thanks to the widespread popularity of tools like pm2. Also removed various deprecated cluster module support as well.
- Updated various dependencies.
- Made it possible to disable `helmet` by setting the `helmet` param to false.
- Updated various dependencies.
- Added option to exempt certain routes from CSRF protection.
- Updated various dependencies.
- The JS bundler will now add `mode: "development"` and `devtool: "source-map"` automatically to your Webpack bundles in development mode.
- Updated various dependencies.
- Altered helmet's defaults again. The `form-action` directive has been set to `null`. This makes it possible to submit forms to other domains in production mode.
- Added `'unsafe-inline'` option to helmet's `Content-Security-Policy`'s `script-src` directive by default in Roosevelt. This will prevent inline scripts from being blocked in production mode.
- Updated various dependencies.
- Added `DISABLE_HTTPS` environment variable. When it is set to `true`, the HTTPS server will be disabled and the app will revert to HTTP regardless of what is set in the `rooseveltConfig`.
- Updated various dependencies.
- Enabled WAL in the SQLite instance used for session storage by default.
- Updated various dependencies.
- Fixed an issue with cert generation from CLI scripts properly this time.
- Fixed an issue with cert generation from CLI scripts.
- Updated various dependencies.
- Added a max age to the default express-session configuration.
- Fixed an issue with cert generation in production mode.
- Updated various dependencies.
- Fixed a bug that caused self-signed certs to get regenerated every time the app restarted.
- Updated various dependencies.
- Certs generator will now run in production mode as well if `https` is enabled and if the files do not already exist. This behavior can be suppressed by setting `https.autoCert` to `false`.
- Fixed bug that prevented the static site generator feature from working in dev mode when the HTML validator was enabled.
- Fixed README formatting typos.
- Updated various dependencies.
- Made it possible to set `expressSession` to `true` which will set a sane default config so you don't have to spell one out.
- Updated default session store to use SQLite instead of an in-memory database so that sessions are not invalidated when the server restarts.
- Updated various dependencies.
- Fixed a bug that caused self-signed certs to get regenerated every time the app restarted.
- Updated various dependencies.
- Exposed the `express-session` middleware for use in Roosevelt apps.
- Updated various dependencies.
- Breaking: Added a unified `secrets` directory for various app secrets such as HTTPS certs, session secret, CSRF secret, etc. The name of the directory is configurable, but when upgrading an app from the previous version, you may need to alter your rooseveltConfig to remove directories from your `cert` or `key` paths. You must now specify only a file name in those params.
- Added support for `express-session` for session support.
- Added CSRF protection.
- Improved dev sync script for developing Roosevelt significantly.
- Updated various dependencies.
- Fixed an issue that could cause the server to start before all the controller routes were loaded.
- Updated various dependencies.
- Updated various dependencies.
- Updated various dependencies.
- Certs will be auto-generated in dev mode now if they don't exist.
- Various dependencies updated.
- Fixed isomorphic controllers bundler webpack bug in Windows.
- Various dependencies updated.
- Added a new `--build` CLI flag that will instruct Roosevelt to just build the build artifacts but not start the server.
- Added new `onStaticAssetsGenerated` event that is fired when the server finishes init but before the server starts.
- Fixed an issue that would cause the server to start even when `makeBuildArtifacts` is set to `staticsOnly`. This has the side effect of causing `serverStart()` to revert to the behavior of `init()` if `makeBuildArtifacts` is set to `staticsOnly`.
- Fixed a bug that would cause roosevelt-router to produce a false negative when detecting teddy.
- Various dependencies updated.
- Added `--webpack=verbose` and `--wp=verbose-file` CLI flags to make it easier to see verbose webpack errors. Available shorthands: `--wp` and `-w`.
- Added detection of undefined template literal variables (e.g. via typo) in rooseveltConfig.
- Added more helpful error if starting an app with broken symlinks.
- Various dependencies updated.
- Fixed frontend reload when https is enabled with self-signed certs.
- Removed parent-require dependency.
- Added new `dev_sync.sh` to make writing code for Roosevelt easier. See instructions on how to use it in the README.
- Various dependencies updated.
- Added wildcard matching to views bundler feature.
- Fixed bug that could cause build artifact generation to crash starting the app.
- Various dependencies updated.
- Fixed CSS preprocessor breaking on Windows when using the default configuration in a newly generated app.
- Various dependencies updated.
- The `certs-generator` script's default name has been changed to `generate-certs`. The config auditor will now expect it to be named that.
- The `config-audit` script's default name has been changed to `audit-config`. The config auditor will now expect it to be named that.
- `allowlist` in CSS preprocessor now supports wildcard matching, e.g. `dir/*`.
- Various dependencies updated.
- `allowlist` and `blocklist` in static site generator feature now support wildcard matching, e.g. `dir/*`.
- Various dependencies updated.
- Added `allowlist` and `blocklist` to the static site generator feature.
- Fixed bug with the static site generator feature that required absolute paths for including child templates in a main template.
- Various dependencies updated.
- When `versionedPublic` is true, Roosevelt will no longer deposit static HTML pages into the versioned directory.
- Various dependencies updated.
- Fixed bug where the config auditor would complain about the `makeBuildArtifacts` param being set to string.
- Static site generator will now run the HTML validator against rendered templates in dev mode only.
- Various dependencies updated.
- Static site generator can now be supplied models by file instead of by configuration. If model data is not supplied by configuration, Roosevelt will try to automatically load a model from a JS file with the same name alongside the template if it exists instead.
- Static site generator will now run the HTML validator against rendered templates.
- Bumped CI Node versions.
- Breaking: `htmlMinifier` param renamed and expanded to `html`. You will need to update your Roosevelt config.
  - Added feature `html.sourcePath`, `html.models`, and `html.output` which lets you generate static HTML pages from your statics directory by compiling them with a view engine and depositing the output to the public folder at start time.
- Fixed issue with `symlinks` that would cause symlinking to a file rather than a directory to fail in Windows.
- Some error message copyediting.
- Some minor refactoring and documentation fixes.
- Various dependencies updated.
- `makeBuildArtifacts` will now accept a new value of `'staticsOnly'` which will allow Roosevelt to create static files but skip the creation of the MVC directories.
- `initServer` can now also be called as `init` instead.
- Various dependencies updated.
- Breaking: Renamed `generateFolderStructure` to `makeBuildArtifacts`.
- Various dependencies updated.
  - Breaking: Among them, `formidable` was updated which is a breaking change for any app that takes file uploads as property names in req.files have been renamed, most notably `file.path` is now `file.filepath` and `file.name` is now `file.originalname`.
- Removed `checkDependencies`.
- Fixed bug that required admin permissions to start an app in Windows.
- Added script to generate self-signed HTTPS certs:
  - `npm run certs-generator`: Generates self-signed HTTPS certs for your app.
    - Default shorthand: `npm run c`
    - Script is short for: `node ./node_modules/roosevelt/lib/scripts/certsGenerator.js`
- Some refactoring.
- Various dependencies updated.
- Various dependencies updated.
- Migrated colors to @colors/colors.
- Fixed bug that caused isoRequire to only work with absolute paths.
- Various dependencies updated.
- Added `roosevelt-router` feature to improve support for writing isomorphic code for SPAs.
- Added `isomorphicControllers` config option that will permit Roosevelt to make a list of all your controller files that can be used client-side as well so they can be auto-loaded client-side too.
- Altered `clientViews` such that the template list will lack file extensions if the file extension of the template matches the default view engine's file extension.
- Breaking: Default `clientViews` output bundle changed from bundle.js to views.js.
- Fixed confusing console warning.
- HTML validator frontend scripts moved to `<head>`.
- Various dependencies updated.
- Made Webpack errors less verbose.
- Various dependencies updated.
- Updated to support Node 16.x. This required a migration from node-sass to dart-sass.
- Dropped official Node 15 support, though it will probably still work. Node 14 remains officially supported.
- Various dependencies updated.
- `clientViews` `allowlist` now allows directories.
- Default command line flags and environment variables recognized by Roosevelt can now be overridden via source-configs.
- Various dependencies updated.
- Added `onAppExit` event.
- Fixed bug with https feature.
- Various dependencies updated.
- Fix for Node 15 / npm 7 regression. Config auditor and deprecation checker will no longer run as postinstall scripts to compensate for INIT_CWD being removed from npm. These checks will be run exclusively on application first run instead (or any time the public folder is removed). (Closes #975)
- Dropped Node 12 support.
- Various dependencies updated.
- Fixed bug that caused Roosevelt to not listen to `NODE_ENV`.
- Moved symlink creation to a separate step and made it happen earlier in the app initialization process to make it easier to work with the various Roosevelt server starting events.
- Various dependencies bumped.
- Fixed bug which could cause CSS preprocessor to fail if there are subdirectories in your CSS folder.
- Various dependencies bumped.
- Breaking: `clientViews` no longer exports a function, instead exporting a JSON object.
- Breaking: `clientViews` will no longer minify templates by default.
- Fixed bug with `clientViews` `exposeAll` feature that would cause it to scoop up any system files that might be present in your views directories.
- Fixed bug with `clientViews` blocklist mistakenly defaulting to an object instead of an array which could cause crashes in some configurations.
- Fixed bug with CSS preprocessor that would cause it to scoop up any system files that might be present in your CSS directories.
- Various dependencies bumped.
- Added ability to configure helmet dependency.
- Fixed bug that caused frontend reload not to work.
- Fixed a bug in the Express `env` variable that would cause it to be incorrectly set at times.
- Updated some out of date info in the README.
- Removed some unnecessary code.
- Various dependencies bumped.
- Breaking: Production mode behavior changed significantly:
  - `localhostOnly` and `alwaysHostPublic` defaults were flipped to false and true respectively.
  - `alwaysHostPublic` was renamed to `hostPublic`.
  - The `--host-public` command line flag was removed, since it is no longer needed because `hostPublic` defaults to true now.
  - New command line flag added called `production-proxy` to let you opt-in to `localhostOnly` and `alwaysHostPublic` being set to true and false respectively as before.
- Various dependencies bumped.
- You can now use PHP as your templating engine in a Roosevelt app or any other Express application. PHP should be faster than any JS-based templating engine for complex templates since its parser is written in C rather than JS.
- Breaking: blacklist/whitelist params throughout the API have been renamed to blocklist/allowlist.
- README was copyedited to improve the clarity of the default behaviors of some of the API, remove outdated information, and other small improvements.
- The host-public warning was made more prominent so that production mode default behavior regarding statics is less confusing to people.
- CI improvements.
- Breaking: Roosevelt is no longer tested on Node 10.x. We didn't do anything to explicitly break older Node versions, but use at your own risk.
- Various dependencies bumped.
- Added helmet middleware to improve security by default.
- Replaced `body-parser` middleware with native Express integration.
- Various dependencies bumped.
- Changed `passphrase` option from `https.p12.passphrase` to `https.passphrase` so it can be used for certAndKey configurations as well.
- CI improvements.
- Various dependencies bumped.
- Replaced the vnu-jar based HTML validator with express-html-validator 🎉.
- Roosevelt no longer does any background process management as a result.
- Moved all developer facing dependencies to optionalDependencies.
  - They can be omitted from installation when using `npm i --no-optional`.
- Refactored frontend reload implementation.
- check-dependencies now only runs in dev mode.
- API changes:
  - Removed `separateProcess` from `htmlValidator`.
  - Removed `port` from `htmlValidator`.
  - Removed `showWarnings` from `htmlValidator`.
  - Added `validatorConfig` to `htmlValidator` which represents a set of rules for the validator to check for.
    - Rules can also be set in a `.htmlValidate.json` placed in the app root.
  - Removed `verbose` from `frontendReload`.
    - These logs are now controlled by the general verbose logging param.
  - Removed `ROOSEVELT_VALIDATOR` environment variable.
  - Removed `ROOSEVELT_AUTOKILLER` environment variable.
  - Removed `--attach-validator` and `-a` cli flags.
  - Removed `--background-validator` and `-b` cli flags.
  - Removed `--disable-validator-autokiller`, `--no-autokiller`, and `-n` cli flags.
  - Removed `--enable-validator-autokiller`, `--html-validator-autokiller`, and `-k` cli flags.
- Removed dependencies:
  - execa
  - fkill
  - html-validator
  - prismjs
  - ps-node
  - tamper
  - vnu-jar
- Various dependencies bumped.
- Fixed a CSS bug where CSS files were still not being written due to a file existence check.
- Fixed a CSS bug where empty CSS files were being written because their LESS equivalent would never generate CSS in that particular file.
- Various dependencies bumped.
- Breaking: Replaced `staticsSymlinksToPublic` with `symlinks`.
- Breaking: Replaced `routers` param with a simplified `routePrefix` param which defines a subfolder to mount the app to.
- Breaking: Renamed `multipart` param to `formidable`.
- Added ability to configure Roosevelt via a rooseveltConfig.json config file placed in app root instead of from a rooseveltConfig object in package.json.
- Added `router` Express variable that opens up access to internally used router instance.
- Added `routePrefix` Express variable that exposes currently used routePrefix or an empty string if not used.
- Fixed bug where changes to CSS files were not being written to the output directory.
- Refactored internal `fsr` module.
- Updated internal usage of formidable API.
- Internal changes to stabilize the automated tests.
- Various dependencies bumped.
- Added deprecation check for old compiler sub modules.
- Various dependencies bumped.
- Stopped the config auditor from complaining about obsolete scripts.
- Fixed cases where some CLI flags weren't being applied to config.
- Test fixes.
- Various dependencies bumped.
- Replaced browserify with webpack. This has significant breaking API changes. You will need to totally rewrite your JS bundles from browserify bundles to webpack bundles to upgrade to this version of Roosevelt. It is also recommended that you remove all references to old build artifacts such as `.build` and `.bundled` in your application as well from package.json, .gitignore, etc.
- Eliminated concept of separate JS compilers in favor of declaring this via your webpack config. Note: webpack defaults to minifying JS using terser.
- Eliminated concept of CSS preprocessor middleware modules in favor of built-in support for LESS, Sass, and Stylus. Other CSS preprocessors can be used as well with a bit of extra configuration.
- API changes:
  - Removed `symlinkToPublic`, `compiler`, `output`, `whitelist`, and `blacklist` params from `js`.
  - Replaced `js.bundles` with `js.webpack`.
  - Removed `css.symlinkToPublic`.
  - Replaced `css.compiler.params.cleanCSS` with `css.minifier`.
  - Added `css.compiler.enable`.
  - Replaced `css.compiler.nodeModule` with `css.compiler.module`.
  - Replaced `css.compiler.params` with `css.compiler.options`.
  - `css.output` is now relative to `publicFolder` instead of `staticsRoot`.
  - `clientViews.output` is now relative to `publicFolder` instead of `staticsRoot`.
  - Removed `cleanTimer` (Obsolete in absence of `.build`).
- App cleaner has been removed.
- `source-configs` integration is now more tightly knit.
- Config auditor no longer complains about missing params.
- Auditor now checks config params on a case-by-case basis.
- ES6 style variables can now be used in `rooseveltConfig` referencing other `rooseveltConfig` entries.
- Introduced views bundler: An API that allows you to expose view code to frontend JS for client-side templating.
- Added a button to the validation error page to display the page anyway and another button to disable the validator entirely until the server restarts.
- Fixed bug with frontend reload causing it to inject the script tag in the wrong location in some situations.
- Fixed bug where `router` would cause app routes to fail when no controller files exist.
- Fixed bug where auto build scanner would crash the app when `generateFolderStructure` is false.
- Fixed bug which resulted in a cryptic error if a Roosevelt app was moved to another directory.
- Fixed bug where symlink failed errors would appear when `generateFolderStructure` is false.
- Complete rewrite of HTML validator and related helper scripts.
- Refactored multipart middleware.
- Various dependencies bumped.
- CI improvements.
- Many rewritten tests.
- Fixed bug causing apps to crash in dev mode.
- Various dependencies bumped.
- Moved CSS minification from roosevelt-less to Roosevelt using `clean-css` as a direct dependency. The `clean-css` library had an update with breaking changes so the `rooseveltConfig` params in `advanced` and `aggressiveMerging` in `cleanCSS` are now outdated.
- New default script `npm run proddev`: Runs the app in production mode, but with the public folder hosted by the Roosevelt app. This is useful for doing development in production mode without having to stage a complex simulation of your production environment, which would likely include hosting static files via another web server better-suited to serving statics like Apache or nginx.
- Roosevelt now sources configs internally using source-configs.
- Validator will now be disabled if `HTTP_PROXY` or `HTTPS_PROXY` are set but localhost is not in `NO_PROXY`.
- Fixed a bug where not having `devDependencies` or `dependencies` objects in your app's package.json would throw errors when installing dependencies. Accordingly re-reverted most changes in 0.14.1 to fix buggy behavior with `devDependencies` in npm installs.
- The `check-dependencies` call will now only apply to production dependencies.
- Some internal refactoring to clean things up.
- Various dependencies bumped.
- Fixed a bug that caused `devDependencies` of Roosevelt to be removed if `npm i` was run more than once.
- Fixed a bug that caused the automated testing to break if your clone of Roosevelt was not named "roosevelt."
- Various dependencies bumped.
- `staticsSymlinksToPublic` will now create missing subdirectories necessary to create a symlink in a target location.
- Fixed a bug which caused Java hs_err_pid error logs to pile up in your app directory under certain conditions.
- Fixed a bug which caused frontend reload to not work on the various error pages.
- Added code comment above frontend reload script tag to explain that it is injected by Roosevelt.
- Did some copyediting on frontend reload logging.
- Various dependencies bumped.
- Added automatic browser reloading when your frontend code changes (via reload).
- A console warning will now appear explaining why public static assets don't load in prod mode when alwaysHostPublic is set to false (the default).
- New Express variable added: `routes` containing a list of all routes loaded in the application.
- Various dependencies bumped.
- CI improvements.
- Restored move of several things to devDependencies to shrink production builds. Feature is now activated using `ROOSEVELT_DEPLOYMENT` environment variable. There are also new corresponding `npm run` commands `dev-install` and `dev-prune` to manage this. See README for more details.
- Copyediting on several logs to improve clarity.
- Various dependencies bumped.
- CI improvements.
- Reverted most changes in 0.14.1 to fix #713, but preserved modularization of htmlValidator.js so that if any devDependencies are missing, the app will not crash in production mode.
- Various dependencies bumped.
- Moved several things to devDependencies to shrink production builds.
- Various dependencies bumped.
- Replaced internal logger with roosevelt-logger. Note: this removes the `winston` Express variable that was previously provided, but it is still indirectly accessible by drilling down through the `logger` Express variable now. See roosevelt-logger member variable documentation.
- If custom routers are being used, the `res.redirect()` method will now prepend the prefix to redirects that are relative to the hostname. To override this setting pass `true` as the last argument.
- HTML validator `exceptions` param will now accept an array of values instead of just a single string value.
- Various dependencies bumped.
- CI improvements.
- Roosevelt will now warn you if your CSS/JS compile directory is getting stale and might need to be cleaned with `npm run clean`. A new `cleanTimer` param has been added to configure or disable this check.
- Added new param `routers` to add support for Express Routers.
- Added new feature to create custom CSS/JS preprocessors on the fly.
- Added environment variable to enable/disable the HTML validator autokiller.
- Added OpenJDK support to the Java HTML Validator.
- Various dependencies bumped.
- CI improvements.
- Introduced changelog.
- Autokiller now sends human-readable GET.
- Fixed bug which caused the config auditor to report false errors in the case of third party module params being set to configurations other than the default.
- Fixed bug related to HTTPS cert parsing.
- Disabled option in HTML minifier which removes HTML comments by default.
- Various dependencies bumped.
- CI improvements.