--- title: SVR.JS change log excerpt: Learn more about changes introduced in various SVR.JS versions. date: 2023-12-21 17:10:14 --- ## SVR.JS 3.14.7 * Fixed bug with request domain names not showing in server logs. ## SVR.JS 3.14.6 * Added CVE-2024-22019 Node.JS vulnerability warning. * Improved protection against user enumeration in HTTP authentication. * Replaced block list message with generic 403 Forbidden error. * Replaced some instances of "blacklist" with "block list". * Some terminal output is now bold. * Updated SVR.JS log viewer (_logviewer.js_) and log highlighter (_loghighlight.js_) * When "block localhost" CLI command is executed, SVR.JS now adds "localhost" to the block list instead of "::ffff:localhost". ## SVR.JS 3.14.5 * Fixed "www." URL redirect functionality. * Improved HTTP/1.x API compatibility with HTTP/2. ## SVR.JS 3.14.4 * Updated _tar_ and _graceful-fs_ libraries. * Added support for URLs with double slashes. * Rewritten HTTP to HTTPS redirect functionality. * Changed default directory listing icons. ## SVR.JS 3.14.3 * Fixed bug with URLs beginning with multiple slashes being rewritten incorrectly. ## SVR.JS 3.14.2 * Added new SVR.JS mod and server-side JavaScript property: _authUser_. ## SVR.JS 3.14.1 * Added support for IP-based virtual hosts. * Fixed SVR.JS crashes with _X-SVR-JS-From-Main-Thread_ header and unknown client IPs. ## SVR.JS 3.4.42 LTS * Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server. ## SVR.JS 3.14.0 * Added new _config.json_ properties: _useClientCertificate_, _rejectUnauthorizedClientCertificates_, _cipherSuite_, _ecdhCurve_, _tlsMinVersion_, _tlsMaxVersion_, _signatureAlgorithms_ and _http2Settings_. * Added support for web root postfixes (along with postfix prefixes). * Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server. ## SVR.JS 3.13.1 * Fixed error handling for invalid URL rewrite regexes. * Fixed bug with non-working HTTP proxy handler (excluding CONNECT method). ## SVR.JS 3.4.41 LTS * Removed all remnants of "DorianTech". * Mitigated log file injection vulnerability for HTTP authentication. * Mitigated log file injection vulnerability for SVR.JS mod file names. * SVR.JS no longer crashes, when access to a log file is denied. ## SVR.JS 3.13.0 * Added support for skipping URL rewriting, when the URL refers to a file or a directory. * Dropped support for svrmodpack. * Added support for 307 and 308 redirects (both in config.json and in redirect() SVR.JS API method). * Mitigated log file injection vulnerability for HTTP authentication. * Mitigated log file injection vulnerability for SVR.JS mod file names. * SVR.JS no longer crashes, when access to a log file is denied. ## SVR.JS 3.12.3 * Removed all remnants of "DorianTech". * Fixed bug with wildcard in domain name selectors. ## SVR.JS 3.12.2 * SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities. * Add _Host_ header pre-processing. * Changed SNI regular expression generation function. ## SVR.JS 3.4.40 LTS * SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities. ## SVR.JS 3.12.1 * Added client errors, server errors, and malformed HTTP request counts to SVR.JS status page. * Fixed multiple XSS vulnerabilities. ## SVR.JS 3.4.39 LTS * Invalid compression exclusion list regexes no longer crash SVR.JS. * Fixed multiple XSS vulnerabilities. ## SVR.JS 3.12.0 * Added trailing slash redirect support. * Added new _config.json_ property — _environmentVariables_. * Replaces base 1000 size prefixes with base 1024 ones. * Invalid compression exclusion list regexes no longer crash SVR.JS. * Changed invalid regex error message. * Corrected language errors — replaced _recieve_ with _receive_. ## SVR.JS 3.4.38 LTS * SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption. * Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470)) * Fixed crash while trying to report communication problem with workers. ## SVR.JS 3.11.0 * SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption. * Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470)) * Fixed language errors in HTTP error code descriptions, error console messages and the index page. * Updated the logo in the SVR.JS log viewer. ## SVR.JS 3.4.37 LTS * Fixed bug with non-standard code regex replacements ## SVR.JS 3.10.3 * Fixed bug with non-standard code regex replacements ## SVR.JS 3.10.2 * Fixed bug with mods (and server-side JavaScript) executing in wrong order (bug was related with access control vulnerability fix; bug was not present in LTS versions) ## SVR.JS 3.4.36 LTS * Removed undocumented and non-working code. * Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code. ## SVR.JS 3.10.1 * Dropped _pretty-bytes_ dependency. * Removed undocumented and non-working code. * Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code. * Replaced function converting byte count to human-readable representation with new one. ## SVR.JS 3.4.35 LTS * Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module. * Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions). * Improved clustering shim for Bun. ## SVR.JS 3.10.0 * Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module. * Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions). * Improved clustering shim for Bun. * Improved web root error handling. ## SVR.JS 3.4.34 LTS * Changed _enableRemoteLogBrowsing_ property to be `false` by default. * Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory. ## SVR.JS 3.9.6 * Changed _enableRemoteLogBrowsing_ property to be `false` by default. * Fixed log files only partially saving on failed master startup. * Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory. * SVR.JS now logs certificate loading errors. ## SVR.JS 3.4.33 LTS * Changed enableRemoteLogBrowsing property to be false by default. * Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory. _This version is unpublished and no longer available for download, because of failed security vulnerability mitigation._ ## SVR.JS 3.9.5 * Changed enableRemoteLogBrowsing property to be false by default. * Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory. _This version is unpublished and no longer available for download, because of failed security vulnerability mitigation._ ## SVR.JS 3.4.32 LTS * Added "svrmodpack" deprecation warning. * Removed unmaintained primitive analytics mod. * Removed unmaintained and undocumented hexstrbase64 library. * Added TypeError workaround for Bun 1.0.0 ## SVR.JS 3.9.4 * Changed warning about no support for HTTP/2. * Added "svrmodpack" deprecation warning. * Removed unmaintained primitive analytics mod. * Removed unmaintained and undocumented hexstrbase64 library. * Added TypeError workaround for Bun 1.0.0 ## SVR.JS 3.4.31 LTS * Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration). ## SVR.JS 3.9.3 * Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration). ## SVR.JS 3.4.30 LTS * Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings). ## SVR.JS 3.9.2 * Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings). ## SVR.JS 3.4.29 LTS * Added new config.json property - exposeModsInErrorPages ## SVR.JS 3.9.1 * Added new config.json property - exposeModsInErrorPages ## SVR.JS 3.9.0 * Dropped support for undocumented unused non-standard SVR.JS-specific headers. * Fixed bug with _wwwredirect_. * Replaced HTTP => HTTPS redirect handler * Added support for listening to specific IP address. * Added new config.json property - useWebRootServerSideScript * Added notice about logged user (HTTP authentication). * Added validation of X-Forwarded-For header ## SVR.JS 3.4.28 LTS * Added validation for X-Forwarded-For header. ## SVR.JS 3.4.27 LTS * Dropped support for undocumented unused non-standard SVR.JS-specific headers. * Fixed bug with _wwwredirect_. ## SVR.JS 3.4.26 LTS * Changed default SVR.JS configuration. * Disabled server-side script exposure by default. ## SVR.JS 3.8.1 * Changed default SVR.JS configuration. * Disabled server-side script exposure by default. ## SVR.JS 3.8.0 * Added partial virtual hosting support * Added _host_ field to _nonStandardCodes_ and _rewriteMap_ properties. * Added _userList_ field to _nonStandardCodes_ properties (with _scode_ set to 401). * Added new config.json properties: _errorPages_, _enableDirectoryListingVHost_ and _customHeadersVHost_. * Improved HTTP authentication error handling. ## SVR.JS 3.4.25 LTS * Improved HTTP authentication error handling. * Updated SVR.JS license. ## SVR.JS 3.7.5 * Fixed non-working blacklist. * Updated SVR.JS license. ## SVR.JS 3.4.24 LTS * Added reverse DNS lookup support. ## SVR.JS 3.7.4 * Added reverse DNS lookup support. ## SVR.JS 3.4.23 LTS * Fixed server crashes while one of two ports are in use ## SVR.JS 3.7.3 * Fixed server crashes while one of two ports are in use ## SVR.JS 3.4.22 LTS * ENAMETOOLONG errors now correspond to 414 code. * EMFILE errors now correspond to 503 code. ## SVR.JS 3.7.2 * ENAMETOOLONG errors now correspond to 414 code. ## SVR.JS 3.7.1 * Fixed bug with SVR.JS hang-up check requests logged in server logs (bug occurred on upstream Node.JS v12.22.12). ## SVR.JS 3.4.21 LTS * Changed descriptions of 501 and 503 errors. * Disabled open proxy in default server-side JavaScript. * Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun. * Fixed redirect loops related to URL sanitizer. * Fixed SVR.JS proxy API (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback]). * Improved Bun IPC shim connection error handling. * Improved server error handling for Bun. * Updated svrpasswd tool. ## SVR.JS 3.7.0 * Added new config.json property - disableUnusedWorkerTermination. * Added option to rewrite "dirty" URLs - rewriteDirtyURLs. * Added PBKDF2 and scrypt support for HTTP authentication. * Added termination of unused workers. * Changed descriptions of 501 and 503 errors. * Disabled checking for hung up server processes, while SVR.JS is not yet listening. * Disabled open proxy in default server-side JavaScript. * Disabled X-SVR-JS-From-Main-Thread header for non-localhost clients. * EMFILE errors now correspond to 503 Service Unavailable error code. * Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun. * Fixed redirect loops related to URL sanitizer. * Fixed SVR.JS proxy API. (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback]) * Improved Bun IPC shim connection error handling. * Improved extension checking function in directory listing generation. * Improved server error handling for Bun. * SVR.JS now exits gracefully on "stop" command. * Updated svrpasswd tool. ## SVR.JS 3.4.20 LTS * Improved reliability while loading server-side JavaScript. ## SVR.JS 3.6.4 * Improved reliability while loading server-side JavaScript. ## SVR.JS 3.4.19 LTS * Fixed bug with directory listing generating invalid HTML with custom head containing __ tag with attributes. ## SVR.JS 3.6.3 * Fixed bug with directory listing generating invalid HTML with custom head containing __ tag with attributes. ## SVR.JS 3.4.18 LTS * Fixed bug with ENOTDIR error (was 500, now it's 404). * Fixed bug with forbidden path checker. ## SVR.JS 3.6.2 * Fixed bug with ENOTDIR error (was 500, now it's 404). * Fixed bug with forbidden path checker. * Optimized regular expression creating function. ## SVR.JS 3.4.17 LTS * Improved URL sanitizer. * Fixed bug with formidable wrapper. ## SVR.JS 3.6.1 * Added support for ETags. * Added new config.json property: enableETag. * Improved URL sanitizer. * Fixed bug with formidable wrapper. ## SVR.JS 3.6.0 * Optimized sanitized URL comparison function. * Expanded warning messages. * Added support for Unix sockets and Windows named pipes. * Cleaned up SVR.JS code. ## SVR.JS 3.4.16 LTS * Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows. * Cleaned up code. ## SVR.JS 3.5.6 * Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows. * Cleaned up code. ## SVR.JS 3.4.15 LTS * Fixed broken URL sanitation redirect. * Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F") ## SVR.JS 3.5.5 * Fixed broken URL sanitation redirect. * Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F") ## SVR.JS 3.4.14 LTS * Fixed bug: SVR.JS mods now load reliably with multiple threads on startup. ## SVR.JS 3.5.4 * Fixed bug: SVR.JS mods now load reliably with multiple threads on startup. ## SVR.JS 3.4.13 LTS * Improved compatibility with Bun 0.9.14. * Replaced more blocking system calls with non-blocking ones. ## SVR.JS 3.5.3 * Improved compatibility with Bun 0.9.14. ## SVR.JS 3.5.2 * Replaced more blocking system calls with non-blocking ones. ## SVR.JS 3.5.1 * Added better HTTP error handler. ## SVR.JS 3.4.12 LTS * Added better HTTP error handler. ## SVR.JS 3.5.0 * Dropped support for Node.JS 8.x and 9.x. * Directory listing icons now show even, if ".dirimages" directory is missing from web root. * Updated formidable module. ## SVR.JS 3.4.11 LTS * Added support for Brotli compression. ## SVR.JS 3.4.10 * Added OCSP module loading failure warning. * SVR.JS now displays error message, when it's run on JS runtime non-compatible with Node.JS. ## SVR.JS 3.4.9 * Added new config.json option: enableOCSPStapling. * Added support for OCSP stapling. * Added new dependency: ocsp * Replaced some blocking system calls in directory listing function with non-blocking ones. * Optimized HTTP basic authentication algorithm. ## SVR.JS 3.4.8 * Added HTTP authentication brute force protection. ## SVR.JS 3.4.7 * Fixed SVR.JS crashing on Node.JS 8.x and 9.x. ## SVR.JS 3.4.6 * Improved reliability in loading mods, server-side JavaScript and saving configuration file. ## SVR.JS 3.4.5 * Fixed bug with custom head and SVR.JS status page. ## SVR.JS 3.4.4 * req.socket.realRemoteAddress and res.socket.realRemotePort are now original users remote address and port respectively. ## SVR.JS 3.4.3 * Fixed bug related with saving config.json. * Disabled gzip compression for .gz files. ## SVR.JS 3.4.2 * Fixed bug with regular expression non-standard HTTP status codes. ## SVR.JS 3.4.1 * SVR.JS now uses 2 public IP providers: SeeIP.org and ipify. ## SVR.JS 3.4.0 * autocannon is no longer included with SVR.JS. * Fixed requirement on pretty-bytes library. * Removed version field from config.json * Fixed random worker crashes that occur, while config.json is saved. * SVR.JS no longer overrides config.json values, that are set after SVR.JS has been started. * SVR.JS no longer displays native Node.JS error message, while SVR.JS is run on read-only file system. ## SVR.JS 3.3.3 * Improved reliability of loading mods and server-side JavaScript. ## SVR.JS 3.3.2 * Calling callServerError or res.writeHead mutltiple times now invokes a warning instead of crashing SVR.JS. ## SVR.JS 3.3.1 * Fixed bug: Logs didn't save during crash report generation. * Fixed bug: Worker crashes didn't display message about starting new workers. * Fixed bug with SVR.JS status page. * Added image icons for .ico and .icn files in directory listings. * Added OpenSSL 1.x EOL warning message. * SVR.JS now uses WHATWG URL parser instead of deprecated url.parse() function. ## SVR.JS 3.3.0 * SVR.JS now forks itself at startup as many times the CPU host has cores (max 16 cores). * Fixed bug and potential security vulnerability: Non-standard codes didn't work, and thus attackers could bypass HTTP authentication. ## SVR.JS 3.2.1 * Optimized SVR.JS blacklist and path sanitation code. * Mitigated security vulnerability: Attacker could access directory listing of directory above web root using "/.." path. ## SVR.JS 3.2.0 * Optimized SVR.JS code. * Logs from single-threaded SVR.JS now begin with "singlethread". * Cyclic links now causes server to return 508 error instead of 404 error. ## SVR.JS 3.1.2 * Improved forbidden paths access control. ## SVR.JS 3.1.1 * SVR.JS is now able to run on Node.JS versions without crypto. * Changed IP provider to SeeIP (used, when crypto support is available). * Added new server status metrics: CPU usage percentage, Average request rate. * Added new command: restart. ## SVR.JS 3.1.0 * SVR.JS is now able to run on Node.JS versions without crypto. * Added HTTP/2 no-support indication for Bun. * Added more indication of request methods. * Cleaned up SVR.JS code. * Updated supplied tar and minipass modules. ## SVR.JS 3.0.3 * Changed public IP provider to ipify. ## SVR.JS 3.0.2 * Fixed server-side JavaScript handling. ## SVR.JS 3.0.1 * Improved error stack generation. * SVR.JS now serves files from directory on which script resides, unless wwwroot is specified. ## SVR.JS 3.0.0 * 502 errors now logs their stacks. * Added better exception handler. * Added callServerError function for use in server-side JavaScript and mods. * Added cluster+ipc shim used when SVR.JS is running on Bun (SVR.JS can now run multi-threaded on Bun). * Added command-line parameter: -v/--version. * Added Content-Range support for static files. * Added custom Expect header handler. * Added custom request parse error handler. * Added date and time to logs. * Added --disable-mods option. (disables all mods and server side JavaScript) * Added displaying of contact information on 500 error. * Added experimental support for Bun (no SVR.JS command line for now...). * Added HTTP status code message to logs. * Added new command-line option: --single-threaded * Added new config.json properties: sni, serverAdministratorEmail, stackHidden, enableRemoteLogBrowsing, dontCompress, enableIPSpoofing, allowStatus, disableServerSideScriptExpose, exposeServerVersion, rewriteMap, secure, wwwroot, disableNonEncryptedServer and disableToHTTPSRedirect. * Added new depedency - formidable. * Added new method callable from mods: getCustomHeaders (gets headers from config.json file along with "Server" header). * Added new mod methods - getCustomHeaders, origHref, parsePostData and redirect. * Added new server-side JavaScript fields - customvar1, customvar2, customvar3, customvar4. * Added new utility: log highlighter at loghighlighter.js * Added new utility: log viewer at logviewer.js * Added new utility: SVR.JS user utility at svrpasswd.js * Added option to disable HTTP => HTTPS redirect server. * Added option to listen only for HTTPS. * Added {path} directive in custom error pages and headers. * Added RegEx support for non-standard error codes. * Added request ID to logs. * Added server error descriptions. * Added SNI support. * Added status page at /svrjsstatus.svr. * Added support for CIDR notation in non-standard codes. * Added support for CONNECT method (along with mod callbacks). * Added support for HTTP authentication. * Added support for RegEx for nonStandardCodes property. * Added support for X-Forwarded-For header. * Added URL rewriting. * Added warning, when SVR.JS is run as root. * Addedd error message in case SVR.JS is attempted to be started without Node.JS. * Allowed Node.JS versions without HTTP/2 support. (although HTTP/2 will not work) * Allowed starting without Internet connection. * Attackers can no longer bypass content blocking mechanism (non-standard codes set in config.json), when SVR.JS is run in Windows. * Attackers can no longer bypass content blocking mechanism, when SVR.JS is run in Windows. * Bare minimum now requires only "svr.js" script and node_modules directory. * Broken server availability addresses are now invisible in the console. * Change of working directory is now possible. * Changed demo server-side JavaScript to use new callServerError function. * Changed file type icons. * Changed HTTP error descriptions. * Changed log format. * Changed logo to new one. * Changed SVR.JS log descriptions. * config.json options which are not used by SVR.JS are now kept. * Configuration file now has diffrent placeholder content. * Connection messages when using SVR.JS as proxy aren't longer broken. * Connection with null req.socket are now dropped. * Corrected handling of multi-line log messages. * Custom headers are no longer set by default on proxy requests. * DEBUG: /crash.svr crashes the server (only in Nightly). * Default content type can be no longer set. * Deprecated config.json property: defaultpage. * Directory listing custom foots now are displayed even if foot.html file doesn't exist. * Directory listing custom heads now are displayed even if head.html file doesn't exist. * Directory listing no longer breaks with "<" and ">" characters (XSS mitigated). * Directory listing now shows original URL, when URL is rewritten. * Directory listing now shows whatever the file is block device, chacter device, FIFO or socket. * Directory traversal through symbolic links is no longer possible (new URL sanitation function). * Disabled HTTP compression for w3m and Netscape 4.x. * Error pages can use new format: . instead of .html. * Error stack can be now hidden using stackHidden property. * Factory reset no longer replaces config.json with placeholder one. * Files without extension are no longer presented as HTML content. * Fixed bug: Blacklist didn't save into config.json file. * Fixed bug: Downloading files above 2GB now works properly. * Fixed bug: Next thread no longer starts after closing ports. * Fixed bug related to broken access controls in SVR.JS when it's run in Windows. * Fixed bug with server version exposure. * Fixed crash on malformed public IP check response. * Fixed crashes with TCP resets, when using default handler for CONNECT method. * Fixed default config.json file. * Fixed directory listing, when URL contains "@" or "?" * Fixed filterHeaders method. * Fixed handling of some proxy requests by default redirect server. * Fixed HEAD method handling. * Fixed HTTP compression. * Fixed master process crash, when unable to fork process. * Fixed process crash, when unable to save to a log file. * Fixed proxy mod loader. * Fixed public IP address identification on server console. * Fixed security vulnerability: Attacker could append "%00" to URL to bypass access restrictions when SVR.JS is running on Bun. * Fixed security vulnerability: Attacker could send specially constructed HTTP request to bypass content block mechanism. * Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions. * Fixed server endlessly spawning threads in Node.JS 20.x. * Fixed SVR.JS not able to start in Android (d/node.js). * Fixed SVR.JS not able to start in Node.JS 16.x in Haiku OS. * Fixed URL mojibake. * Fixed website block, when SVR.JS is running on Bun * Fixed XSS bug in host name indication in default error pages. * HTTP => HTTPS redirect server now returns 400 error when no host is specified. * HTTP requests made to HTTPS server now return 497 error page. * HTTP requests using CONNECT method now return 501 error, if SVR.JS is run on Bun. * Icons on directory listings are no longer stretched, when padding is applies to the table. * Improved bad request handler. * Improved compatibility with Bun. * Improved compatibility with Node.JS 20.x. * Improved default error pages and directory listings for mobile devices. * Improved directory listings. * Improved file handling by URL. * Improved handling of 405 error. * Improved handling of OPTIONS method. * Improved HTTP => HTTPS redirect handler. * Improved HTTP/2 => HTTP/1.x translation API. * Improved possible server access URLs. * IPv6 URLs are now shown properly. * Links now show sizes of referenced file in directory listing. * Logs are no longer remotely accessible, when enableRemoteLogBrowsing is set to false. * Made HTTP => HTTPS redirect server more compatible with Node.JS 20.x. * Main script moved to "svr.js" file. * Many request problem will now result in 500 error instead of crash. * Mitigated path traversal at bad URL rewriting. * Mod loader no longer uses eval. * Node.JS version is now exposed in Server header (unless exposeServerVersion is false). * Non-standard codes no longer works on proxy requests. * Patched supplied fs-minipass module to work with Bun. * Removed strict depedencies for: tar, svrmodpack, hexstrbase64 and formidable. * Removed "Welcome to DorianTech Node.JS Server!" and "Goodbye." log, rendering welcomeMessage property useless. * Replaced 403 error page specific to disabled directory listing with generic one. * Replaced "domian" property with "domain" in config.json. * Replaced URL sanitation algorithm with faster one. * Server is now more protected against directory traversal attack. * Server no longer crashes on some malformed URIs. * Server now returns 403 error, when server software itself doesn't have permissions to access files. * Size function now requires pretty-bytes library. * Size function now uses custom fallback. * Stack traces from 500 errors are now displayed in logs. * SVR.JS doesn't use template config.json anymore, if config.json doesn't exist * SVR.JS no longer crashes on mod loading problem. * SVR.JS no longer crashes when displaying listing of directory containing invalid files. * SVR.JS no longer drops connections having null response socket. * SVR.JS now keeps unused properties of config.json file. * SVR.JS used as HTTPS server works even without key and cert fields in config.json. * SVR.JS version is no longer leaked via svr.js file, when exposeServerVersion property is set to false. * Updated supplied mime-types and mime-db modules. * Using SVR.JS as an proxy without proxy mod now returns no-proxy message. ## SVR.JS 2.1.4 * Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions. (fix backported from SVR.JS 3.0.0-beta19) * Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta19) ## SVR.JS 2.1.3 * Added new config.json properties: exposeServerVersion and stackHidden (backported from SVR.JS 3.0.0-beta1) * Fixed path traversal vulnerability (fix backported from SVR.JS 3.0.0-beta1) * Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta1) * Fixed server crash on malformed URL (fix backported from SVR.JS 3.0.0-beta1) ## SVR.JS 2.1.2 * Methods other than "POST", "GET", "OPTIONS" and "HEAD" are allowed. ## SVR.JS 2.1.1 * Fixed security vulnerability using directory listing to access secret files. ## SVR.JS 2.1.0 * Added new property of config.json "enableDirectoryListingWithDefaultHead". * Added personalization of directory listing. * Added compability with Node.JS v8.10.0 * Replaced MIME type table with one from mime-types module. * Fixed bug: Directory listing shows wrong icons. * Changed icons in directory listing. * Changed size display in directory listing. * Deleted analytics inside SVR.JS - those analytics are now in seperate mod, of which SVR.JS comes with it. ## SVR.JS 2.0.0 * Added support for .tar.gz mods and server side Javascript in .JS file. * Moved directory listing icons to seperate directory. * Replaced ASCII Art. * Added support for HTTP/2.0, disabled by default. * Changed default footer. * Added unpacking SVR.JS in first run. * Added checking, if head and foot exists. * Optimized directory listing for Lynx text client * Modified Server UI. * Added new properties of config.json "enableLogging" and "enableDirectoryListing". * Added "--clean" and "--reset" arguments. * Fixed security vulnerability: The block is only covering part of SVR.JS * Fixed bug: Not saving config.json on Linux. * Added multi-threading. * Deleted "getip" command. ## SVR.JS 1.2.2 * Fixed bug, which caused mojibake in Unicode files. * Fixed bug, which caused SVR.JS to require SSL certificate, even if HTTPS mode is disabled. * Fixed bug, which caused SVR.JS to crash, if no mods are loaded. * Fixed bug, which caused SVR.JS to display blank directory, if URL is with query. ## SVR.JS 1.2.1 * Fixed bug, which caused SVR.JS in Ubuntu to not work * Added platform showing ## SVR.JS 1.2.0 * First released version of SVR.JS