v1.0.0

Breaking

Both sirv and sirv-cli now require at least Node v10.x to function (19061be).
This is the oldest LTS version of Node.js that's still possesses the "ACTIVE" label.

Features

• (sirv-cli) Added HTTP/2 support (#2, #64): 36ba734, 8c92751

• (sirv-cli) Added --gzip and --brotli flags (#3)

• (sirv-cli) Allow --single to accept custom fallback: fd55eca

• (sirv-cli) Added --ignores option to escape single: 918102e

• (sirv) Added TypeScript definitions (#61): 05058a2

• (sirv) Support If-None-Match/ETag matching (#56, #46)

• (sirv) Added single option, with customizable fallback: f13fbb8, fd55eca

• (sirv) Allow serving of precompiled gzip and/or brotli files: 3d34763

• (sirv): Ships separate "module" (ESM) and "main" (CJS) entries: 9754302

Patches

• (sirv) Prevent server crash with malformed URLs (#54): 1757b26
• (sirv) Allow dotfiles option in "dev" mode (#51)
• (sirv) Allow requests to /.well-known/* files (#50): 0a04d66
• (sirv) Force Cache-Control: no-store value for "dev" mode (#45): 604f926
• (sirv) Respect any previous Content-Type on response (#38): c08ac50, 5ef168f
• (sirv) Ignore deeply-nested dotfiles (default): 84d4f33

Chores

• (sirv) Refactor: Consolidate "dev" & "prod" handlers: f1bcc43
• (sirv): Refactor: Extract list utility into totalist: 535b2c2
• Update benchmarks, include directly: a346382
• Update documentation: 8e9cb49
• Add multiple test suites for 99% code coverage: cbe0a47, 461b8de, 5953004, 07c65ac, 3cfb51e, 4608c92, b3b89cb, f6b1e72, 5f583e5, bdfc9b0, 3009ae0, 5d555d2

v0.4.6

NOTICE
This version patches a directory-traversal security vulnerability that exists in dev mode only. All users should update immediately, even if they don't think they're using --dev or opts.dev on live servers. There are no other changes in this release.

Patches

• Fixes dev mode security vulnerability (#63): 1e0bac5
  Thank you @marvinhagemeister~!

  As Marvin describes:

  This allows an attacker to traverse the file system outside of the specified directory.

  Let's say sirv was initialized to serve files from /foo/bar:

  sirv("/foo/bar");

  ...and an attacker makes a request to:

  GET /../../etc/passwd
  

  ...then they are able to download the contents of that file.

Chores

• Attach GitHub Actions: ea15d6a

• Update test runner: 2b965cd

• Update lerna version: 0b6de8d

v0.4.4

Patches

• (sirv-cli): Hide network address on non-localhost hostnames: aeb4d72
  Passing --host without a value is an alias for --host 0.0.0.0
  It will be displayed if --host flag is defined

• (sirv-cli): Correct --single 404 handler (#30): 3d27ed1

v0.4.3

Patches

• (sirv-cli): Add missing --host flag to change hostname (#29): 210302e

• (sirv-cli): Add missing support for PORT and HOST environment variables: 04ea942

  $ PORT=3000 sirv public
  $ HOST=0.0.0.0 sirv public
  $ sirv public --host 10.0.0.1

Chores

• Add --dev flag to README docs (#28): 11cc39a
  Thank you @paulocoghi

v0.4.2

Patches

• Immediately fix regression for --single flag in "dev" mode: c73fd13

v0.4.1

Patches

• (sirv): Handle files without an extension correctly (#26): b2e1baf
  Wrongly assumed all extensionless files were pathnames meant to be expanded.

• (sirv): Call return from for-loop directly: c39f0e4

v0.4.0

Breaking

• (sirv) Change opts.onNoMatch from (res) to (req, res): abe9d69
  Allowing the callback to consume the original request & response is more expected and flexible.

Patches

• Fix(sirv-cli) Maintain Range/partial requests during --dev mode: abe9d69
  By sending an empty object, the original request's headers were all lost.

v0.3.2

Patches

• Fix(sirv-cli) Ensure req.headers exists during --single mode (#23): 1f515fe
  Thank you @bryanwood!

v0.3.1

Patches

• Run custom opts.setHeaders function in dev mode: (#22): e4b7cc3

v0.3.0

Features

• (sirv) Respond to Range headers/partial requests correctly! (#19): 135db55

  Now, larger files (video, PDF, etc) will be served correctly. Previously, sirv would ignore the ranged requests and pipe down the entire file at once.

Patches

• (sirv) Running dev mode will also send Last-Modified and Content-Length headers: 135db55