*_console.log_ and _stdout_ are now disabled, when _stdout_ is not a TTY (for example in situation when SVR.JS is running as a daemon), in order to improve performance.
* Errors that occurred, while adding SNI context to a server are now ignored.
* SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
## SVR.JS 3.12.1
* Added client errors, server errors, and malformed HTTP request counts to SVR.JS status page.
* Fixed multiple XSS vulnerabilities.
## SVR.JS 3.4.39 LTS
* Invalid compression exclusion list regexes no longer crash SVR.JS.
* Fixed multiple XSS vulnerabilities.
## SVR.JS 3.12.0
* Added trailing slash redirect support.
* Added new _config.json_ property — _environmentVariables_.
* Replaces base 1000 size prefixes with base 1024 ones.
* Invalid compression exclusion list regexes no longer crash SVR.JS.
* Changed invalid regex error message.
* Corrected language errors — replaced _recieve_ with _receive_.
## SVR.JS 3.4.38 LTS
* SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
* Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
* Fixed crash while trying to report communication problem with workers.
## SVR.JS 3.11.0
* SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
* Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
* Fixed language errors in HTTP error code descriptions, error console messages and the index page.
* Updated the logo in the SVR.JS log viewer.
## SVR.JS 3.4.37 LTS
* Fixed bug with non-standard code regex replacements
## SVR.JS 3.10.3
* Fixed bug with non-standard code regex replacements
## SVR.JS 3.10.2
* Fixed bug with mods (and server-side JavaScript) executing in wrong order (bug was related with access control vulnerability fix; bug was not present in LTS versions)
## SVR.JS 3.4.36 LTS
* Removed undocumented and non-working code.
* Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code.
## SVR.JS 3.10.1
* Dropped _pretty-bytes_ dependency.
* Removed undocumented and non-working code.
* Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code.
* Replaced function converting byte count to human-readable representation with new one.
## SVR.JS 3.4.35 LTS
* Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
* Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
* Improved clustering shim for Bun.
## SVR.JS 3.10.0
* Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
* Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
* Improved clustering shim for Bun.
* Improved web root error handling.
## SVR.JS 3.4.34 LTS
* Changed _enableRemoteLogBrowsing_ property to be `false` by default.
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
## SVR.JS 3.9.6
* Changed _enableRemoteLogBrowsing_ property to be `false` by default.
* Fixed log files only partially saving on failed master startup.
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
* SVR.JS now logs certificate loading errors.
## <s>SVR.JS 3.4.33 LTS</s>
<s>
* Changed enableRemoteLogBrowsing property to be false by default.
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
</s>
_This version is unpublished and no longer available for download, because of failed security vulnerability mitigation._
## <s>SVR.JS 3.9.5</s>
<s>
* Changed enableRemoteLogBrowsing property to be false by default.
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
</s>
_This version is unpublished and no longer available for download, because of failed security vulnerability mitigation._
## SVR.JS 3.4.32 LTS
* Added "svrmodpack" deprecation warning.
* Removed unmaintained primitive analytics mod.
* Removed unmaintained and undocumented hexstrbase64 library.
* Added TypeError workaround for Bun 1.0.0
## SVR.JS 3.9.4
* Changed warning about no support for HTTP/2.
* Added "svrmodpack" deprecation warning.
* Removed unmaintained primitive analytics mod.
* Removed unmaintained and undocumented hexstrbase64 library.
* Added TypeError workaround for Bun 1.0.0
## SVR.JS 3.4.31 LTS
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).
## SVR.JS 3.9.3
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).
## SVR.JS 3.4.30 LTS
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).
## SVR.JS 3.9.2
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).
## SVR.JS 3.4.29 LTS
* Added new config.json property - exposeModsInErrorPages
## SVR.JS 3.9.1
* Added new config.json property - exposeModsInErrorPages
## SVR.JS 3.9.0
* Dropped support for undocumented unused non-standard SVR.JS-specific headers.
* Fixed bug with _wwwredirect_.
* Replaced HTTP => HTTPS redirect handler
* Added support for listening to specific IP address.
* Added new config.json property - useWebRootServerSideScript
* Added notice about logged user (HTTP authentication).
* Added validation of X-Forwarded-For header
## SVR.JS 3.4.28 LTS
* Added validation for X-Forwarded-For header.
## SVR.JS 3.4.27 LTS
* Dropped support for undocumented unused non-standard SVR.JS-specific headers.
* Fixed bug with _wwwredirect_.
## SVR.JS 3.4.26 LTS
* Changed default SVR.JS configuration.
* Disabled server-side script exposure by default.
## SVR.JS 3.8.1
* Changed default SVR.JS configuration.
* Disabled server-side script exposure by default.
## SVR.JS 3.8.0
* Added partial virtual hosting support
* Added _host_ field to _nonStandardCodes_ and _rewriteMap_ properties.
* Added _userList_ field to _nonStandardCodes_ properties (with _scode_ set to 401).
* Added new config.json properties: _errorPages_, _enableDirectoryListingVHost_ and _customHeadersVHost_.
* Improved HTTP authentication error handling.
## SVR.JS 3.4.25 LTS
* Improved HTTP authentication error handling.
* Updated SVR.JS license.
## SVR.JS 3.7.5
* Fixed non-working blacklist.
* Updated SVR.JS license.
## SVR.JS 3.4.24 LTS
* Added reverse DNS lookup support.
## SVR.JS 3.7.4
* Added reverse DNS lookup support.
## SVR.JS 3.4.23 LTS
* Fixed server crashes while one of two ports are in use
## SVR.JS 3.7.3
* Fixed server crashes while one of two ports are in use
## SVR.JS 3.4.22 LTS
* ENAMETOOLONG errors now correspond to 414 code.
* EMFILE errors now correspond to 503 code.
## SVR.JS 3.7.2
* ENAMETOOLONG errors now correspond to 414 code.
## SVR.JS 3.7.1
* Fixed bug with SVR.JS hang-up check requests logged in server logs (bug occurred on upstream Node.JS v12.22.12).
## SVR.JS 3.4.21 LTS
* Changed descriptions of 501 and 503 errors.
* Disabled open proxy in default server-side JavaScript.
* Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun.
* Fixed redirect loops related to URL sanitizer.
* Fixed SVR.JS proxy API (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback]).
* Improved Bun IPC shim connection error handling.
* Improved server error handling for Bun.
* Updated svrpasswd tool.
## SVR.JS 3.7.0
* Added new config.json property - disableUnusedWorkerTermination.
* Added option to rewrite "dirty" URLs - rewriteDirtyURLs.
* Added PBKDF2 and scrypt support for HTTP authentication.
* Added termination of unused workers.
* Changed descriptions of 501 and 503 errors.
* Disabled checking for hung up server processes, while SVR.JS is not yet listening.
* Disabled open proxy in default server-side JavaScript.
* Disabled X-SVR-JS-From-Main-Thread header for non-localhost clients.
* EMFILE errors now correspond to 503 Service Unavailable error code.
* Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun.
* Fixed redirect loops related to URL sanitizer.
* Fixed SVR.JS proxy API. (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback])
* Improved Bun IPC shim connection error handling.
* Improved extension checking function in directory listing generation.
* Improved server error handling for Bun.
* SVR.JS now exits gracefully on "stop" command.
* Updated svrpasswd tool.
## SVR.JS 3.4.20 LTS
* Improved reliability while loading server-side JavaScript.
## SVR.JS 3.6.4
* Improved reliability while loading server-side JavaScript.
## SVR.JS 3.4.19 LTS
* Fixed bug with directory listing generating invalid HTML with custom head containing _<html>_ tag with attributes.
## SVR.JS 3.6.3
* Fixed bug with directory listing generating invalid HTML with custom head containing _<html>_ tag with attributes.
## SVR.JS 3.4.18 LTS
* Fixed bug with ENOTDIR error (was 500, now it's 404).
* Fixed bug with forbidden path checker.
## SVR.JS 3.6.2
* Fixed bug with ENOTDIR error (was 500, now it's 404).
* Fixed bug with forbidden path checker.
* Optimized regular expression creating function.
## SVR.JS 3.4.17 LTS
* Improved URL sanitizer.
* Fixed bug with formidable wrapper.
## SVR.JS 3.6.1
* Added support for ETags.
* Added new config.json property: enableETag.
* Improved URL sanitizer.
* Fixed bug with formidable wrapper.
## SVR.JS 3.6.0
* Optimized sanitized URL comparison function.
* Expanded warning messages.
* Added support for Unix sockets and Windows named pipes.
* Cleaned up SVR.JS code.
## SVR.JS 3.4.16 LTS
* Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
* Cleaned up code.
## SVR.JS 3.5.6
* Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
* Cleaned up code.
## SVR.JS 3.4.15 LTS
* Fixed broken URL sanitation redirect.
* Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")
## SVR.JS 3.5.5
* Fixed broken URL sanitation redirect.
* Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")
## SVR.JS 3.4.14 LTS
* Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.
## SVR.JS 3.5.4
* Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.
## SVR.JS 3.4.13 LTS
* Improved compatibility with Bun 0.9.14.
* Replaced more blocking system calls with non-blocking ones.
## SVR.JS 3.5.3
* Improved compatibility with Bun 0.9.14.
## SVR.JS 3.5.2
* Replaced more blocking system calls with non-blocking ones.
## SVR.JS 3.5.1
* Added better HTTP error handler.
## SVR.JS 3.4.12 LTS
* Added better HTTP error handler.
## SVR.JS 3.5.0
* Dropped support for Node.JS 8.x and 9.x.
* Directory listing icons now show even, if ".dirimages" directory is missing from web root.
* Updated formidable module.
## SVR.JS 3.4.11 LTS
* Added support for Brotli compression.
## SVR.JS 3.4.10
* Added OCSP module loading failure warning.
* SVR.JS now displays error message, when it's run on JS runtime non-compatible with Node.JS.
## SVR.JS 3.4.9
* Added new config.json option: enableOCSPStapling.
* Added support for OCSP stapling.
* Added new dependency: ocsp
* Replaced some blocking system calls in directory listing function with non-blocking ones.
* Optimized HTTP basic authentication algorithm.
## SVR.JS 3.4.8
* Added HTTP authentication brute force protection.
## SVR.JS 3.4.7
* Fixed SVR.JS crashing on Node.JS 8.x and 9.x.
## SVR.JS 3.4.6
* Improved reliability in loading mods, server-side JavaScript and saving configuration file.
## SVR.JS 3.4.5
* Fixed bug with custom head and SVR.JS status page.
## SVR.JS 3.4.4
* req.socket.realRemoteAddress and res.socket.realRemotePort are now original users remote address and port respectively.
## SVR.JS 3.4.3
* Fixed bug related with saving config.json.
* Disabled gzip compression for .gz files.
## SVR.JS 3.4.2
* Fixed bug with regular expression non-standard HTTP status codes.
## SVR.JS 3.4.1
* SVR.JS now uses 2 public IP providers: SeeIP.org and ipify.
## SVR.JS 3.4.0
* autocannon is no longer included with SVR.JS.
* Fixed requirement on pretty-bytes library.
* Removed version field from config.json
* Fixed random worker crashes that occur, while config.json is saved.
* SVR.JS no longer overrides config.json values, that are set after SVR.JS has been started.
* SVR.JS no longer displays native Node.JS error message, while SVR.JS is run on read-only file system.
## SVR.JS 3.3.3
* Improved reliability of loading mods and server-side JavaScript.
## SVR.JS 3.3.2
* Calling callServerError or res.writeHead mutltiple times now invokes a warning instead of crashing SVR.JS.
## SVR.JS 3.3.1
* Fixed bug: Logs didn't save during crash report generation.
* Fixed bug: Worker crashes didn't display message about starting new workers.
* Fixed bug with SVR.JS status page.
* Added image icons for .ico and .icn files in directory listings.
* Added OpenSSL 1.x EOL warning message.
* SVR.JS now uses WHATWG URL parser instead of deprecated url.parse() function.
## SVR.JS 3.3.0
* SVR.JS now forks itself at startup as many times the CPU host has cores (max 16 cores).
* Fixed bug and potential security vulnerability: Non-standard codes didn't work, and thus attackers could bypass HTTP authentication.
## SVR.JS 3.2.1
* Optimized SVR.JS blacklist and path sanitation code.
* Mitigated security vulnerability: Attacker could access directory listing of directory above web root using "/.." path.
## SVR.JS 3.2.0
* Optimized SVR.JS code.
* Logs from single-threaded SVR.JS now begin with "singlethread".
* Cyclic links now causes server to return 508 error instead of 404 error.
## SVR.JS 3.1.2
* Improved forbidden paths access control.
## SVR.JS 3.1.1
* SVR.JS is now able to run on Node.JS versions without crypto.
* Changed IP provider to SeeIP (used, when crypto support is available).
* Added new server status metrics: CPU usage percentage, Average request rate.
* Added new command: restart.
## SVR.JS 3.1.0
* SVR.JS is now able to run on Node.JS versions without crypto.
* Added HTTP/2 no-support indication for Bun.
* Added more indication of request methods.
* Cleaned up SVR.JS code.
* Updated supplied tar and minipass modules.
## SVR.JS 3.0.3
* Changed public IP provider to ipify.
## SVR.JS 3.0.2
* Fixed server-side JavaScript handling.
## SVR.JS 3.0.1
* Improved error stack generation.
* SVR.JS now serves files from directory on which script resides, unless wwwroot is specified.
## SVR.JS 3.0.0
* 502 errors now logs their stacks.
* Added better exception handler.
* Added callServerError function for use in server-side JavaScript and mods.
* Added cluster+ipc shim used when SVR.JS is running on Bun (SVR.JS can now run multi-threaded on Bun).
* Added command-line parameter: -v/--version.
* Added Content-Range support for static files.
* Added custom Expect header handler.
* Added custom request parse error handler.
* Added date and time to logs.
* Added --disable-mods option. (disables all mods and server side JavaScript)
* Added displaying of contact information on 500 error.
* Added experimental support for Bun (no SVR.JS command line for now...).
* Added HTTP status code message to logs.
* Added new command-line option: --single-threaded
* Added new config.json properties: sni, serverAdministratorEmail, stackHidden, enableRemoteLogBrowsing, dontCompress, enableIPSpoofing, allowStatus, disableServerSideScriptExpose, exposeServerVersion, rewriteMap, secure, wwwroot, disableNonEncryptedServer and disableToHTTPSRedirect.
* Added new depedency - formidable.
* Added new method callable from mods: getCustomHeaders (gets headers from config.json file along with "Server" header).
* Added new mod methods - getCustomHeaders, origHref, parsePostData and redirect.