SVR.JS change log

See the changes done to SVR.JS web server.

SVR.JS 4.2.0

Released in November 12, 2024
  • Added a CLI option and configuration property to not save the configuration file.
  • Added a CLI option to enable "stdout" even when it's not a TTY.
  • "config.wwwroot" property is now a normalized path to the webroot.
  • Fixed a bug which caused SVR.JS to crash when an image in ".dirimages" directory is accessed and when no image in any of the ".dirimages" directories are present.

SVR.JS 4.1.0

Released in October 19, 2024
  • Added experimental support for Deno 2.

SVR.JS 4.0.2

Released in October 15, 2024
  • Fixed a bug with 497, 598, and 599 status code HTTP responses.

SVR.JS 4.0.1

Released in September 25, 2024
  • Fixed a bug with no request ID shown for multiline log entries for HTTP requests.

SVR.JS 4.0.0

Released in September 14, 2024
  • Added support for SVR.JS mods with ".js" extension.
  • Changed SVR.JS logo.
  • Optimized many functions
  • Redesigned default pages and default error pages.
  • Regex strings now can have single unescaped "/" within square parentheses ("[" and "]").
  • Removed "graceful-fs" dependency.
  • Rewritten SVR.JS to use multiple split files for the source instead of single one.
  • SVR.JS now uses build system consisting of esbuild, ESLint, Prettier, and Jest.

SVR.JS 3.15.7

Released in August 26, 2024
  • Fix bug in getting public IP address without crypto support.
  • Fix bug in partial content serving functionality.
  • Fix bug in the factory reset function.
  • Fix bug in the IP address match function.
  • Fix bug in the URL parser with href attribute of a parsed URL missing a port number.
  • Fix bug with config.json read errors being undefined.
  • Fix bugs in the block list.
  • Main process crashes no longer display as worker crashes.
  • Server crashes now results in exit code of 1 if no exit code is not specified.
  • Updated dependencies.

SVR.JS 3.14.18 LTS

Released in August 26, 2024
  • Fix bug in getting public IP address without crypto support.
  • Fix bug in the factory reset function.
  • Fix bug in the IP address match function.
  • Fix bug with config.json read errors being undefined.
  • Fix bugs in the block list.
  • Server crashes now results in exit code of 1 if no exit code is not specified.
  • Updated dependencies.

SVR.JS 3.15.6

Released in August 7, 2024
  • Added new config.json property - optOutOfStatisticsServer.
  • Implemented sending data to the statistics server, so that SVR.JS can measure the popularity of the web server.

SVR.JS 3.14.17 LTS

Released in June 13, 2024
  • Lifted PBKDF2 restrictions on Bun 1.1.13 and later.

SVR.JS 3.15.5

Released in June 13, 2024
  • Lifted PBKDF2 restrictions on Bun 1.1.13 and later.

SVR.JS 3.15.4

Released in May 30, 2024
  • Added cap on minimum number of workers to 12 to reduce idle memory usage.

SVR.JS 3.15.3

Released in May 21, 2024
  • Fixed bug in the URL parser (URLs with "@" got erroneously "sanitized" to "/").

SVR.JS 3.15.2

Released in May 20, 2024
  • Removed the limit of 16 workers.

SVR.JS 3.15.1

Released in May 13, 2024
  • Added Content-Range support for HTML files.
  • MIME type lookups are now performed once, not twice.
  • Optimized static file serving function.

SVR.JS 3.14.16 LTS

Released in May 6, 2024
  • Prevented DoS attacks performed with forward proxy HTTP requests with malformed URLs.

SVR.JS 3.15.0

Released in May 6, 2024
  • Changed URL parser from wrapper over WHATWG URL parser to custom regex-based URL parser.
  • Optimized server code.
  • Redesigned default error pages.
  • Removed blocking file system calls from the directory listing function.
  • Replaced path.extname() function with regex-based function.

SVR.JS 3.14.15

Released in April 29, 2024
  • Fixed crashes related to the request ID generation.
  • Optimized HTTP compression functionality.

SVR.JS 3.14.14

Released in April 27, 2024
  • console.log and stdout are now disabled, when stdout is not a TTY (for example in situation when SVR.JS is running as a daemon), in order to improve performance.
  • Errors that occurred, while adding SNI context to a server are now ignored.

SVR.JS 3.14.13

Released in April 24, 2024
  • Optimized code.
  • SVR.JS now uses os.availableParallelism() function for determining amount of processes to fork, when it is available.

SVR.JS 3.14.12

Released in April 13, 2024
  • Fix ".dirimages" directory returning an 500 error, if it is not present in the web root.

SVR.JS 3.14.11

Released in April 7, 2024
  • Added CVE-2024-27982 Node.JS vulnerability warning.
  • Fixed bug with Brotli compression not working, when SVR.JS is running on Bun.
  • Improved the performance of the server.

SVR.JS 3.14.10

Released in April 2, 2024
  • Disabled trailing slash removal for proxy requests.

SVR.JS 3.14.9

Released in April 2, 2024
  • Changed default file extensions compression exclude list.
  • Lifted scrypt restrictions on Bun.
  • Optimized server script size (268 KiB => 256 KiB).
  • The compression exclude list is now in SVR.JS itself.

SVR.JS 3.14.8

Released in March 29, 2024
  • Fixed bug with res.writeHead method.

SVR.JS 3.14.7

Released in March 19, 2024
  • Fixed bug with request domain names not showing in server logs.

SVR.JS 3.14.6

Released in March 17, 2024
  • Added CVE-2024-22019 Node.JS vulnerability warning.
  • Improved protection against user enumeration in HTTP authentication.
  • Replaced block list message with generic 403 Forbidden error.
  • Replaced some instances of "blacklist" with "block list".
  • Some terminal output is now bold.
  • Updated SVR.JS log viewer (logviewer.js) and log highlighter (loghighlight.js)
  • When "block localhost" CLI command is executed, SVR.JS now adds "localhost" to the block list instead of "::ffff:localhost".

SVR.JS 3.14.5

Released in March 9, 2024
  • Fixed "www." URL redirect functionality.
  • Improved HTTP/1.x API compatibility with HTTP/2.

SVR.JS 3.14.4

Released in March 3, 2024
  • Updated tar and graceful-fs libraries.
  • Added support for URLs with double slashes.
  • Rewritten HTTP to HTTPS redirect functionality.
  • Changed default directory listing icons.

SVR.JS 3.14.3

Released in February 11, 2024
  • Fixed bug with URLs beginning with multiple slashes being rewritten incorrectly.

SVR.JS 3.14.2

Released in February 7, 2024
  • Added new SVR.JS mod and server-side JavaScript property: authUser.

SVR.JS 3.14.1

Released in February 2, 2024
  • Added support for IP-based virtual hosts.
  • Fixed SVR.JS crashes with X-SVR-JS-From-Main-Thread header and unknown client IPs.

SVR.JS 3.4.42 LTS

Released in February 2, 2024
  • Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.

SVR.JS 3.14.0

Released in January 24, 2024
  • Added new config.json properties: useClientCertificate, rejectUnauthorizedClientCertificates, cipherSuite, ecdhCurve, tlsMinVersion, tlsMaxVersion, signatureAlgorithms and http2Settings.
  • Added support for web root postfixes (along with postfix prefixes).
  • Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.

SVR.JS 3.13.1

Released in January 18, 2024
  • Fixed error handling for invalid URL rewrite regexes.
  • Fixed bug with non-working HTTP proxy handler (excluding CONNECT method).

SVR.JS 3.4.41 LTS

Released in January 14, 2024
  • Removed all remnants of "DorianTech".
  • Mitigated log file injection vulnerability for HTTP authentication.
  • Mitigated log file injection vulnerability for SVR.JS mod file names.
  • SVR.JS no longer crashes, when access to a log file is denied.

SVR.JS 3.13.0

Released in January 14, 2024
  • Added support for skipping URL rewriting, when the URL refers to a file or a directory.
  • Dropped support for svrmodpack.
  • Added support for 307 and 308 redirects (both in config.json and in redirect() SVR.JS API method).
  • Mitigated log file injection vulnerability for HTTP authentication.
  • Mitigated log file injection vulnerability for SVR.JS mod file names.
  • SVR.JS no longer crashes, when access to a log file is denied.

SVR.JS 3.12.3

Released in December 30, 2023
  • Removed all remnants of "DorianTech".
  • Fixed bug with wildcard in domain name selectors.

SVR.JS 3.12.2

Released in December 16, 2023
  • SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
  • Add Host header pre-processing.
  • Changed SNI regular expression generation function.

SVR.JS 3.4.40 LTS

Released in December 16, 2023
  • SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.

SVR.JS 3.12.1

Released in December 12, 2023
  • Added client errors, server errors, and malformed HTTP request counts to SVR.JS status page.
  • Fixed multiple XSS vulnerabilities.

SVR.JS 3.4.39 LTS

Released in December 12, 2023
  • Invalid compression exclusion list regexes no longer crash SVR.JS.
  • Fixed multiple XSS vulnerabilities.

SVR.JS 3.12.0

Released in December 3, 2023
  • Added trailing slash redirect support.
  • Added new config.json property — environmentVariables.
  • Replaces base 1000 size prefixes with base 1024 ones.
  • Invalid compression exclusion list regexes no longer crash SVR.JS.
  • Changed invalid regex error message.
  • Corrected language errors — replaced recieve with receive.

SVR.JS 3.4.38 LTS

Released in November 12, 2023
  • SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
  • Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
  • Fixed crash while trying to report communication problem with workers.

SVR.JS 3.11.0

Released in November 12, 2023
  • SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
  • Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
  • Fixed language errors in HTTP error code descriptions, error console messages and the index page.
  • Updated the logo in the SVR.JS log viewer.

SVR.JS 3.4.37 LTS

Released in September 17, 2023
  • Fixed bug with non-standard code regex replacements

SVR.JS 3.10.3

Released in September 17, 2023
  • Fixed bug with non-standard code regex replacements

SVR.JS 3.10.2

Released in September 12, 2023
  • Fixed bug with mods (and server-side JavaScript) executing in wrong order (bug was related with access control vulnerability fix; bug was not present in LTS versions)

SVR.JS 3.4.36 LTS

Released in September 12, 2023
  • Removed undocumented and non-working code.
  • Fixed bug: .notindex files in directories now no longer cause server timeouts caused by non-working undocumented code.

SVR.JS 3.10.1

Released in September 12, 2023
  • Dropped pretty-bytes dependency.
  • Removed undocumented and non-working code.
  • Fixed bug: .notindex files in directories now no longer cause server timeouts caused by non-working undocumented code.
  • Replaced function converting byte count to human-readable representation with new one.

SVR.JS 3.4.35 LTS

Released in September 11, 2023
  • Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
  • Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
  • Improved clustering shim for Bun.

SVR.JS 3.10.0

Released in September 11, 2023
  • Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
  • Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
  • Improved clustering shim for Bun.
  • Improved web root error handling.

SVR.JS 3.4.34 LTS

Released in September 10, 2023
  • Changed enableRemoteLogBrowsing property to be `false` by default.
  • Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.

SVR.JS 3.9.6

Released in September 10, 2023
  • Changed enableRemoteLogBrowsing property to be `false` by default.
  • Fixed log files only partially saving on failed master startup.
  • Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
  • SVR.JS now logs certificate loading errors.

SVR.JS 3.4.32 LTS

Released in September 8, 2023
  • Added "svrmodpack" deprecation warning.
  • Removed unmaintained primitive analytics mod.
  • Removed unmaintained and undocumented hexstrbase64 library.
  • Added TypeError workaround for Bun 1.0.0

SVR.JS 3.9.4

Released in September 8, 2023
  • Changed warning about no support for HTTP/2.
  • Added "svrmodpack" deprecation warning.
  • Removed unmaintained primitive analytics mod.
  • Removed unmaintained and undocumented hexstrbase64 library.
  • Added TypeError workaround for Bun 1.0.0

SVR.JS 3.4.31 LTS

Released in September 7, 2023
  • Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).

SVR.JS 3.9.3

Released in September 7, 2023
  • Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).

SVR.JS 3.4.30 LTS

Released in September 6, 2023
  • Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).

SVR.JS 3.9.2

Released in September 6, 2023
  • Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).

SVR.JS 3.4.29 LTS

Released in September 5, 2023
  • Added new config.json property - exposeModsInErrorPages

SVR.JS 3.9.1

Released in September 5, 2023
  • Added new config.json property - exposeModsInErrorPages

SVR.JS 3.9.0

Released in September 3, 2023
  • Dropped support for undocumented unused non-standard SVR.JS-specific headers.
  • Fixed bug with wwwredirect.
  • Replaced HTTP => HTTPS redirect handler
  • Added support for listening to specific IP address.
  • Added new config.json property - useWebRootServerSideScript
  • Added notice about logged user (HTTP authentication).
  • Added validation of X-Forwarded-For header

SVR.JS 3.4.28 LTS

Released in September 3, 2023
  • Added validation for X-Forwarded-For header.

SVR.JS 3.4.27 LTS

Released in September 2, 2023
  • Dropped support for undocumented unused non-standard SVR.JS-specific headers.
  • Fixed bug with wwwredirect.

SVR.JS 3.4.26 LTS

Released in September 2, 2023
  • Changed default SVR.JS configuration.
  • Disabled server-side script exposure by default.

SVR.JS 3.8.1

Released in September 2, 2023
  • Changed default SVR.JS configuration.
  • Disabled server-side script exposure by default.

SVR.JS 3.8.0

Released in September 1, 2023
  • Added partial virtual hosting support
  • Added host field to nonStandardCodes and rewriteMap properties.
  • Added userList field to nonStandardCodes properties (with scode set to 401).
  • Added new config.json properties: errorPages, enableDirectoryListingVHost and customHeadersVHost.
  • Improved HTTP authentication error handling.

SVR.JS 3.4.25 LTS

Released in August 31, 2023
  • Improved HTTP authentication error handling.
  • Updated SVR.JS license.

SVR.JS 3.7.5

Released in August 29, 2023
  • Fixed non-working blacklist.
  • Updated SVR.JS license.

SVR.JS 3.4.24 LTS

Released in August 28, 2023
  • Added reverse DNS lookup support.

SVR.JS 3.7.4

Released in August 28, 2023
  • Added reverse DNS lookup support.

SVR.JS 3.4.23 LTS

Released in August 25, 2023
  • Fixed server crashes while one of two ports are in use

SVR.JS 3.7.3

Released in August 25, 2023
  • Fixed server crashes while one of two ports are in use

SVR.JS 3.4.22 LTS

Released in August 21, 2023
  • ENAMETOOLONG errors now correspond to 414 code.
  • EMFILE errors now correspond to 503 code.

SVR.JS 3.7.2

Released in August 21, 2023
  • ENAMETOOLONG errors now correspond to 414 code.

SVR.JS 3.7.1

Released in August 21, 2023
  • Fixed bug with SVR.JS hang-up check requests logged in server logs (bug occurred on upstream Node.JS v12.22.12).

SVR.JS 3.4.21 LTS

Released in August 20, 2023
  • Changed descriptions of 501 and 503 errors.
  • Disabled open proxy in default server-side JavaScript.
  • Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun.
  • Fixed redirect loops related to URL sanitizer.
  • Fixed SVR.JS proxy API (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback]).
  • Improved Bun IPC shim connection error handling.
  • Improved server error handling for Bun.
  • Updated svrpasswd tool.

SVR.JS 3.7.0

Released in August 20, 2023
  • Added new config.json property - disableUnusedWorkerTermination.
  • Added option to rewrite "dirty" URLs - rewriteDirtyURLs.
  • Added PBKDF2 and scrypt support for HTTP authentication.
  • Added termination of unused workers.
  • Changed descriptions of 501 and 503 errors.
  • Disabled checking for hung up server processes, while SVR.JS is not yet listening.
  • Disabled open proxy in default server-side JavaScript.
  • Disabled X-SVR-JS-From-Main-Thread header for non-localhost clients.
  • EMFILE errors now correspond to 503 Service Unavailable error code.
  • Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun.
  • Fixed redirect loops related to URL sanitizer.
  • Fixed SVR.JS proxy API. (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback])
  • Improved Bun IPC shim connection error handling.
  • Improved extension checking function in directory listing generation.
  • Improved server error handling for Bun.
  • SVR.JS now exits gracefully on "stop" command.
  • Updated svrpasswd tool.

SVR.JS 3.4.20 LTS

Released in August 4, 2023
  • Improved reliability while loading server-side JavaScript.

SVR.JS 3.6.4

Released in August 4, 2023
  • Improved reliability while loading server-side JavaScript.

SVR.JS 3.4.19 LTS

Released in August 3, 2023
  • Fixed bug with directory listing generating invalid HTML with custom head containing <html> tag with attributes.

SVR.JS 3.6.3

Released in August 3, 2023
  • Fixed bug with directory listing generating invalid HTML with custom head containing <html> tag with attributes.

SVR.JS 3.4.18 LTS

Released in August 2, 2023
  • Fixed bug with ENOTDIR error (was 500, now it's 404).
  • Fixed bug with forbidden path checker.

SVR.JS 3.6.2

Released in August 2, 2023
  • Fixed bug with ENOTDIR error (was 500, now it's 404).
  • Fixed bug with forbidden path checker.
  • Optimized regular expression creating function.

SVR.JS 3.4.17 LTS

Released in July 28, 2023
  • Improved URL sanitizer.
  • Fixed bug with formidable wrapper.

SVR.JS 3.6.1

Released in July 28, 2023
  • Added support for ETags.
  • Added new config.json property: enableETag.
  • Improved URL sanitizer.
  • Fixed bug with formidable wrapper.

SVR.JS 3.6.0

Released in July 28, 2023
  • Optimized sanitized URL comparison function.
  • Expanded warning messages.
  • Added support for Unix sockets and Windows named pipes.
  • Cleaned up SVR.JS code.

SVR.JS 3.4.16 LTS

Released in July 26, 2023
  • Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
  • Cleaned up code.

SVR.JS 3.5.6

Released in July 26, 2023
  • Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
  • Cleaned up code.

SVR.JS 3.4.15 LTS

Released in July 18, 2023
  • Fixed broken URL sanitation redirect.
  • Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")

SVR.JS 3.5.5

Released in July 18, 2023
  • Fixed broken URL sanitation redirect.
  • Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")

SVR.JS 3.4.14 LTS

Released in July 18, 2023
  • Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.

SVR.JS 3.5.4

Released in July 18, 2023
  • Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.

SVR.JS 3.4.13 LTS

Released in July 17, 2023
  • Improved compatibility with Bun 0.9.14.
  • Replaced more blocking system calls with non-blocking ones.

SVR.JS 3.5.3

Released in July 17, 2023
  • Improved compatibility with Bun 0.9.14.

SVR.JS 3.5.2

Released in July 17, 2023
  • Replaced more blocking system calls with non-blocking ones.

SVR.JS 3.5.1

Released in July 16, 2023
  • Added better HTTP error handler.

SVR.JS 3.4.12 LTS

Released in July 16, 2023
  • Added better HTTP error handler.

SVR.JS 3.5.0

Released in July 16, 2023
  • Dropped support for Node.JS 8.x and 9.x.
  • Directory listing icons now show even, if ".dirimages" directory is missing from web root.
  • Updated formidable module.

SVR.JS 3.4.11 LTS

Released in July 16, 2023
  • Added support for Brotli compression.

SVR.JS 3.4.10

Released in July 15, 2023
  • Added OCSP module loading failure warning.
  • SVR.JS now displays error message, when it's run on JS runtime non-compatible with Node.JS.

SVR.JS 3.4.9

Released in July 14, 2023
  • Added new config.json option: enableOCSPStapling.
  • Added support for OCSP stapling.
  • Added new dependency: ocsp
  • Replaced some blocking system calls in directory listing function with non-blocking ones.
  • Optimized HTTP basic authentication algorithm.

SVR.JS 3.4.8

Released in July 13, 2023
  • Added HTTP authentication brute force protection.

SVR.JS 3.4.7

Released in July 11, 2023
  • Fixed SVR.JS crashing on Node.JS 8.x and 9.x.

SVR.JS 3.4.6

Released in July 10, 2023
  • Improved reliability in loading mods, server-side JavaScript and saving configuration file.

SVR.JS 3.4.5

Released in July 9, 2023
  • Fixed bug with custom head and SVR.JS status page.

SVR.JS 3.4.4

Released in July 7, 2023
  • req.socket.realRemoteAddress and res.socket.realRemotePort are now original users remote address and port respectively.

SVR.JS 3.4.3

Released in July 7, 2023
  • Fixed bug related with saving config.json.
  • Disabled gzip compression for .gz files.

SVR.JS 3.4.2

Released in July 7, 2023
  • Fixed bug with regular expression non-standard HTTP status codes.

SVR.JS 3.4.1

Released in July 5, 2023
  • SVR.JS now uses 2 public IP providers: SeeIP.org and ipify.

SVR.JS 3.4.0

Released in July 4, 2023
  • autocannon is no longer included with SVR.JS.
  • Fixed requirement on pretty-bytes library.
  • Removed version field from config.json
  • Fixed random worker crashes that occur, while config.json is saved.
  • SVR.JS no longer overrides config.json values, that are set after SVR.JS has been started.
  • SVR.JS no longer displays native Node.JS error message, while SVR.JS is run on read-only file system.

SVR.JS 3.3.3

Released in July 3, 2023
  • Improved reliability of loading mods and server-side JavaScript.

SVR.JS 3.3.2

Released in July 2, 2023
  • Calling callServerError or res.writeHead mutltiple times now invokes a warning instead of crashing SVR.JS.

SVR.JS 3.3.1

Released in July 1, 2023
  • Fixed bug: Logs didn't save during crash report generation.
  • Fixed bug: Worker crashes didn't display message about starting new workers.
  • Fixed bug with SVR.JS status page.
  • Added image icons for .ico and .icn files in directory listings.
  • Added OpenSSL 1.x EOL warning message.
  • SVR.JS now uses WHATWG URL parser instead of deprecated url.parse() function.

SVR.JS 3.3.0

Released in June 29, 2023
  • SVR.JS now forks itself at startup as many times the CPU host has cores (max 16 cores).
  • Fixed bug and potential security vulnerability: Non-standard codes didn't work, and thus attackers could bypass HTTP authentication.

SVR.JS 3.2.1

Released in June 28, 2023
  • Optimized SVR.JS blacklist and path sanitation code.
  • Mitigated security vulnerability: Attacker could access directory listing of directory above web root using "/.." path.

SVR.JS 3.2.0

Released in June 28, 2023
  • Optimized SVR.JS code.
  • Logs from single-threaded SVR.JS now begin with "singlethread".
  • Cyclic links now causes server to return 508 error instead of 404 error.

SVR.JS 3.1.2

Released in June 27, 2023
  • Improved forbidden paths access control.

SVR.JS 3.1.1

Released in June 26, 2023
  • SVR.JS is now able to run on Node.JS versions without crypto.
  • Changed IP provider to SeeIP (used, when crypto support is available).
  • Added new server status metrics: CPU usage percentage, Average request rate.
  • Added new command: restart.

SVR.JS 3.1.0

Released in June 26, 2023
  • SVR.JS is now able to run on Node.JS versions without crypto.
  • Added HTTP/2 no-support indication for Bun.
  • Added more indication of request methods.
  • Cleaned up SVR.JS code.
  • Updated supplied tar and minipass modules.

SVR.JS 3.0.3

Released in June 26, 2023
  • Changed public IP provider to ipify.

SVR.JS 3.0.2

Released in June 25, 2023
  • Fixed server-side JavaScript handling.

SVR.JS 3.0.1

Released in June 25, 2023
  • Improved error stack generation.
  • SVR.JS now serves files from directory on which script resides, unless wwwroot is specified.

SVR.JS 3.0.0

Released in June 25, 2023
  • 502 errors now logs their stacks.
  • Added better exception handler.
  • Added callServerError function for use in server-side JavaScript and mods.
  • Added cluster+ipc shim used when SVR.JS is running on Bun (SVR.JS can now run multi-threaded on Bun).
  • Added command-line parameter: -v/--version.
  • Added Content-Range support for static files.
  • Added custom Expect header handler.
  • Added custom request parse error handler.
  • Added date and time to logs.
  • Added --disable-mods option. (disables all mods and server side JavaScript)
  • Added displaying of contact information on 500 error.
  • Added experimental support for Bun (no SVR.JS command line for now...).
  • Added HTTP status code message to logs.
  • Added new command-line option: --single-threaded
  • Added new config.json properties: sni, serverAdministratorEmail, stackHidden, enableRemoteLogBrowsing, dontCompress, enableIPSpoofing, allowStatus, disableServerSideScriptExpose, exposeServerVersion, rewriteMap, secure, wwwroot, disableNonEncryptedServer and disableToHTTPSRedirect.
  • Added new depedency - formidable.
  • Added new method callable from mods: getCustomHeaders (gets headers from config.json file along with "Server" header).
  • Added new mod methods - getCustomHeaders, origHref, parsePostData and redirect.
  • Added new server-side JavaScript fields - customvar1, customvar2, customvar3, customvar4.
  • Added new utility: log highlighter at loghighlighter.js
  • Added new utility: log viewer at logviewer.js
  • Added new utility: SVR.JS user utility at svrpasswd.js
  • Added option to disable HTTP => HTTPS redirect server.
  • Added option to listen only for HTTPS.
  • Added {path} directive in custom error pages and headers.
  • Added RegEx support for non-standard error codes.
  • Added request ID to logs.
  • Added server error descriptions.
  • Added SNI support.
  • Added status page at /svrjsstatus.svr.
  • Added support for CIDR notation in non-standard codes.
  • Added support for CONNECT method (along with mod callbacks).
  • Added support for HTTP authentication.
  • Added support for RegEx for nonStandardCodes property.
  • Added support for X-Forwarded-For header.
  • Added URL rewriting.
  • Added warning, when SVR.JS is run as root.
  • Addedd error message in case SVR.JS is attempted to be started without Node.JS.
  • Allowed Node.JS versions without HTTP/2 support. (although HTTP/2 will not work)
  • Allowed starting without Internet connection.
  • Attackers can no longer bypass content blocking mechanism (non-standard codes set in config.json), when SVR.JS is run in Windows.
  • Attackers can no longer bypass content blocking mechanism, when SVR.JS is run in Windows.
  • Bare minimum now requires only "svr.js" script and node_modules directory.
  • Broken server availability addresses are now invisible in the console.
  • Change of working directory is now possible.
  • Changed demo server-side JavaScript to use new callServerError function.
  • Changed file type icons.
  • Changed HTTP error descriptions.
  • Changed log format.
  • Changed logo to new one.
  • Changed SVR.JS log descriptions.
  • config.json options which are not used by SVR.JS are now kept.
  • Configuration file now has diffrent placeholder content.
  • Connection messages when using SVR.JS as proxy aren't longer broken.
  • Connection with null req.socket are now dropped.
  • Corrected handling of multi-line log messages.
  • Custom headers are no longer set by default on proxy requests.
  • DEBUG: /crash.svr crashes the server (only in Nightly).
  • Default content type can be no longer set.
  • Deprecated config.json property: defaultpage.
  • Directory listing custom foots now are displayed even if foot.html file doesn't exist.
  • Directory listing custom heads now are displayed even if head.html file doesn't exist.
  • Directory listing no longer breaks with "<" and ">" characters (XSS mitigated).
  • Directory listing now shows original URL, when URL is rewritten.
  • Directory listing now shows whatever the file is block device, chacter device, FIFO or socket.
  • Directory traversal through symbolic links is no longer possible (new URL sanitation function).
  • Disabled HTTP compression for w3m and Netscape 4.x.
  • Error pages can use new format: .<errorcode> instead of <errorcode>.html.
  • Error stack can be now hidden using stackHidden property.
  • Factory reset no longer replaces config.json with placeholder one.
  • Files without extension are no longer presented as HTML content.
  • Fixed bug: Blacklist didn't save into config.json file.
  • Fixed bug: Downloading files above 2GB now works properly.
  • Fixed bug: Next thread no longer starts after closing ports.
  • Fixed bug related to broken access controls in SVR.JS when it's run in Windows.
  • Fixed bug with server version exposure.
  • Fixed crash on malformed public IP check response.
  • Fixed crashes with TCP resets, when using default handler for CONNECT method.
  • Fixed default config.json file.
  • Fixed directory listing, when URL contains "@" or "?"
  • Fixed filterHeaders method.
  • Fixed handling of some proxy requests by default redirect server.
  • Fixed HEAD method handling.
  • Fixed HTTP compression.
  • Fixed master process crash, when unable to fork process.
  • Fixed process crash, when unable to save to a log file.
  • Fixed proxy mod loader.
  • Fixed public IP address identification on server console.
  • Fixed security vulnerability: Attacker could append "%00" to URL to bypass access restrictions when SVR.JS is running on Bun.
  • Fixed security vulnerability: Attacker could send specially constructed HTTP request to bypass content block mechanism.
  • Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions.
  • Fixed server endlessly spawning threads in Node.JS 20.x.
  • Fixed SVR.JS not able to start in Android (d/node.js).
  • Fixed SVR.JS not able to start in Node.JS 16.x in Haiku OS.
  • Fixed URL mojibake.
  • Fixed website block, when SVR.JS is running on Bun
  • Fixed XSS bug in host name indication in default error pages.
  • HTTP => HTTPS redirect server now returns 400 error when no host is specified.
  • HTTP requests made to HTTPS server now return 497 error page.
  • HTTP requests using CONNECT method now return 501 error, if SVR.JS is run on Bun.
  • Icons on directory listings are no longer stretched, when padding is applies to the table.
  • Improved bad request handler.
  • Improved compatibility with Bun.
  • Improved compatibility with Node.JS 20.x.
  • Improved default error pages and directory listings for mobile devices.
  • Improved directory listings.
  • Improved file handling by URL.
  • Improved handling of 405 error.
  • Improved handling of OPTIONS method.
  • Improved HTTP => HTTPS redirect handler.
  • Improved HTTP/2 => HTTP/1.x translation API.
  • Improved possible server access URLs.
  • IPv6 URLs are now shown properly.
  • Links now show sizes of referenced file in directory listing.
  • Logs are no longer remotely accessible, when enableRemoteLogBrowsing is set to false.
  • Made HTTP => HTTPS redirect server more compatible with Node.JS 20.x.
  • Main script moved to "svr.js" file.
  • Many request problem will now result in 500 error instead of crash.
  • Mitigated path traversal at bad URL rewriting.
  • Mod loader no longer uses eval.
  • Node.JS version is now exposed in Server header (unless exposeServerVersion is false).
  • Non-standard codes no longer works on proxy requests.
  • Patched supplied fs-minipass module to work with Bun.
  • Removed strict depedencies for: tar, svrmodpack, hexstrbase64 and formidable.
  • Removed "Welcome to DorianTech Node.JS Server!" and "Goodbye." log, rendering welcomeMessage property useless.
  • Replaced 403 error page specific to disabled directory listing with generic one.
  • Replaced "domian" property with "domain" in config.json.
  • Replaced URL sanitation algorithm with faster one.
  • Server is now more protected against directory traversal attack.
  • Server no longer crashes on some malformed URIs.
  • Server now returns 403 error, when server software itself doesn't have permissions to access files.
  • Size function now requires pretty-bytes library.
  • Size function now uses custom fallback.
  • Stack traces from 500 errors are now displayed in logs.
  • SVR.JS doesn't use template config.json anymore, if config.json doesn't exist
  • SVR.JS no longer crashes on mod loading problem.
  • SVR.JS no longer crashes when displaying listing of directory containing invalid files.
  • SVR.JS no longer drops connections having null response socket.
  • SVR.JS now keeps unused properties of config.json file.
  • SVR.JS used as HTTPS server works even without key and cert fields in config.json.
  • SVR.JS version is no longer leaked via svr.js file, when exposeServerVersion property is set to false.
  • Updated supplied mime-types and mime-db modules.
  • Using SVR.JS as an proxy without proxy mod now returns no-proxy message.

SVR.JS 2.1.4

Released in June 18, 2023
  • Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions. (fix backported from SVR.JS 3.0.0-beta19)
  • Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta19)

SVR.JS 2.1.3

Released in May 13, 2023
  • Added new config.json properties: exposeServerVersion and stackHidden (backported from SVR.JS 3.0.0-beta1)
  • Fixed path traversal vulnerability (fix backported from SVR.JS 3.0.0-beta1)
  • Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta1)
  • Fixed server crash on malformed URL (fix backported from SVR.JS 3.0.0-beta1)

SVR.JS 2.1.2

Released in August 23, 2020
  • Methods other than "POST", "GET", "OPTIONS" and "HEAD" are allowed.

SVR.JS 2.1.1

Released in August 23, 2020
  • Fixed security vulnerability using directory listing to access secret files.

SVR.JS 2.1.0

Released in August 22, 2020
  • Added new property of config.json "enableDirectoryListingWithDefaultHead".
  • Added personalization of directory listing.
  • Added compability with Node.JS v8.10.0
  • Replaced MIME type table with one from mime-types module.
  • Fixed bug: Directory listing shows wrong icons.
  • Changed icons in directory listing.
  • Changed size display in directory listing.
  • Deleted analytics inside SVR.JS - those analytics are now in seperate mod, of which SVR.JS comes with it.

SVR.JS 2.0.0

Released in August 21, 2020
  • Added support for .tar.gz mods and server side Javascript in .JS file.
  • Moved directory listing icons to seperate directory.
  • Replaced ASCII Art.
  • Added support for HTTP/2.0, disabled by default.
  • Changed default footer.
  • Added unpacking SVR.JS in first run.
  • Added checking, if head and foot exists.
  • Optimized directory listing for Lynx text client
  • Modified Server UI.
  • Added new properties of config.json "enableLogging" and "enableDirectoryListing".
  • Added "--clean" and "--reset" arguments.
  • Fixed security vulnerability: The block is only covering part of SVR.JS
  • Fixed bug: Not saving config.json on Linux.
  • Added multi-threading.
  • Deleted "getip" command.

SVR.JS 1.2.2

Released in August 16, 2020
  • Fixed bug, which caused mojibake in Unicode files.
  • Fixed bug, which caused SVR.JS to require SSL certificate, even if HTTPS mode is disabled.
  • Fixed bug, which caused SVR.JS to crash, if no mods are loaded.
  • Fixed bug, which caused SVR.JS to display blank directory, if URL is with query.

SVR.JS 1.2.1

Released in August 14, 2020
  • Fixed bug, which caused SVR.JS in Ubuntu to not work
  • Added platform showing

SVR.JS 1.2.0

Released in August 5, 2020
  • First released version of SVR.JS