SVR.JS change log

SVR.JS 3.14.16 LTS

Prevented DoS attacks performed with forward proxy HTTP requests with malformed URLs.

SVR.JS 3.15.0

Changed URL parser from wrapper over WHATWG URL parser to custom regex-based URL parser.
Optimized server code.
Redesigned default error pages.
Removed blocking file system calls from the directory listing function.
Replaced path.extname() function with regex-based function.

SVR.JS 3.14.15

Fixed crashes related to the request ID generation.
Optimized HTTP compression functionality.

SVR.JS 3.14.14

console.log and stdout are now disabled, when stdout is not a TTY (for example in situation when SVR.JS is running as a daemon), in order to improve performance.
Errors that occurred, while adding SNI context to a server are now ignored.

SVR.JS 3.14.13

Optimized code.
SVR.JS now uses os.availableParallelism() function for determining amount of processes to fork, when it is available.

SVR.JS 3.14.12

Fix “.dirimages” directory returning an 500 error, if it is not present in the web root.

SVR.JS 3.14.11

Added CVE-2024-27982 Node.JS vulnerability warning.
Fixed bug with Brotli compression not working, when SVR.JS is running on Bun.
Improved the performance of the server.

SVR.JS 3.14.10

Disabled trailing slash removal for proxy requests.

SVR.JS 3.14.9

Changed default file extensions compression exclude list.
Lifted scrypt restrictions on Bun.
Optimized server script size (268 KiB => 256 KiB).
The compression exclude list is now in SVR.JS itself.

SVR.JS 3.14.8

Fixed bug with res.writeHead method.

SVR.JS 3.14.7

Fixed bug with request domain names not showing in server logs.

SVR.JS 3.14.6

Added CVE-2024-22019 Node.JS vulnerability warning.
Improved protection against user enumeration in HTTP authentication.
Replaced block list message with generic 403 Forbidden error.
Replaced some instances of “blacklist” with “block list”.
Some terminal output is now bold.
Updated SVR.JS log viewer (logviewer.js) and log highlighter (loghighlight.js)
When “block localhost” CLI command is executed, SVR.JS now adds “localhost” to the block list instead of “::ffff:localhost”.

SVR.JS 3.14.5

Fixed “www.” URL redirect functionality.
Improved HTTP/1.x API compatibility with HTTP/2.

SVR.JS 3.14.4

Updated tar and graceful-fs libraries.
Added support for URLs with double slashes.
Rewritten HTTP to HTTPS redirect functionality.
Changed default directory listing icons.

SVR.JS 3.14.3

Fixed bug with URLs beginning with multiple slashes being rewritten incorrectly.

SVR.JS 3.14.2

Added new SVR.JS mod and server-side JavaScript property: authUser.

SVR.JS 3.14.1

Added support for IP-based virtual hosts.
Fixed SVR.JS crashes with X-SVR-JS-From-Main-Thread header and unknown client IPs.

SVR.JS 3.4.42 LTS

Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.

SVR.JS 3.14.0

Added new config.json properties: useClientCertificate, rejectUnauthorizedClientCertificates, cipherSuite, ecdhCurve, tlsMinVersion, tlsMaxVersion, signatureAlgorithms and http2Settings.
Added support for web root postfixes (along with postfix prefixes).
Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.

SVR.JS 3.13.1

Fixed error handling for invalid URL rewrite regexes.
Fixed bug with non-working HTTP proxy handler (excluding CONNECT method).

SVR.JS 3.4.41 LTS

Removed all remnants of “DorianTech”.
Mitigated log file injection vulnerability for HTTP authentication.
Mitigated log file injection vulnerability for SVR.JS mod file names.
SVR.JS no longer crashes, when access to a log file is denied.

SVR.JS 3.13.0

Added support for skipping URL rewriting, when the URL refers to a file or a directory.
Dropped support for svrmodpack.
Added support for 307 and 308 redirects (both in config.json and in redirect() SVR.JS API method).
Mitigated log file injection vulnerability for HTTP authentication.
Mitigated log file injection vulnerability for SVR.JS mod file names.
SVR.JS no longer crashes, when access to a log file is denied.

SVR.JS 3.12.3

Removed all remnants of “DorianTech”.
Fixed bug with wildcard in domain name selectors.

SVR.JS 3.12.2

SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
Add Host header pre-processing.
Changed SNI regular expression generation function.

SVR.JS 3.4.40 LTS

SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.

SVR.JS 3.12.1

Added client errors, server errors, and malformed HTTP request counts to SVR.JS status page.
Fixed multiple XSS vulnerabilities.

SVR.JS 3.4.39 LTS

Invalid compression exclusion list regexes no longer crash SVR.JS.
Fixed multiple XSS vulnerabilities.

SVR.JS 3.12.0

Added trailing slash redirect support.
Added new config.json property — environmentVariables.
Replaces base 1000 size prefixes with base 1024 ones.
Invalid compression exclusion list regexes no longer crash SVR.JS.
Changed invalid regex error message.
Corrected language errors — replaced recieve with receive.

SVR.JS 3.4.38 LTS

SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: https://github.com/nodejs/node/issues/24470)
Fixed crash while trying to report communication problem with workers.

SVR.JS 3.11.0

SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: https://github.com/nodejs/node/issues/24470)
Fixed language errors in HTTP error code descriptions, error console messages and the index page.
Updated the logo in the SVR.JS log viewer.

SVR.JS 3.4.37 LTS

Fixed bug with non-standard code regex replacements

SVR.JS 3.10.3

Fixed bug with non-standard code regex replacements

SVR.JS 3.10.2

Fixed bug with mods (and server-side JavaScript) executing in wrong order (bug was related with access control vulnerability fix; bug was not present in LTS versions)

SVR.JS 3.4.36 LTS

Removed undocumented and non-working code.
Fixed bug: .notindex files in directories now no longer cause server timeouts caused by non-working undocumented code.

SVR.JS 3.10.1

Dropped pretty-bytes dependency.
Removed undocumented and non-working code.
Fixed bug: .notindex files in directories now no longer cause server timeouts caused by non-working undocumented code.
Replaced function converting byte count to human-readable representation with new one.

SVR.JS 3.4.35 LTS

Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it’s not needed anymore for these Bun versions).
Improved clustering shim for Bun.

SVR.JS 3.10.0

Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it’s not needed anymore for these Bun versions).
Improved clustering shim for Bun.
Improved web root error handling.

SVR.JS 3.4.34 LTS

Changed enableRemoteLogBrowsing property to be false by default.
Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.

SVR.JS 3.9.6

Changed enableRemoteLogBrowsing property to be false by default.
Fixed log files only partially saving on failed master startup.
Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
SVR.JS now logs certificate loading errors.

SVR.JS 3.4.33 LTS

Changed enableRemoteLogBrowsing property to be false by default.

Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.

This version is unpublished and no longer available for download, because of failed security vulnerability mitigation.

SVR.JS 3.9.5

Changed enableRemoteLogBrowsing property to be false by default.

Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.

This version is unpublished and no longer available for download, because of failed security vulnerability mitigation.

SVR.JS 3.4.32 LTS

Added “svrmodpack” deprecation warning.
Removed unmaintained primitive analytics mod.
Removed unmaintained and undocumented hexstrbase64 library.
Added TypeError workaround for Bun 1.0.0

SVR.JS 3.9.4

Changed warning about no support for HTTP/2.
Added “svrmodpack” deprecation warning.
Removed unmaintained primitive analytics mod.
Removed unmaintained and undocumented hexstrbase64 library.
Added TypeError workaround for Bun 1.0.0

SVR.JS 3.4.31 LTS

Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).

SVR.JS 3.9.3

Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).

SVR.JS 3.4.30 LTS

Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).

SVR.JS 3.9.2

Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).

SVR.JS 3.4.29 LTS

Added new config.json property - exposeModsInErrorPages

SVR.JS 3.9.1

Added new config.json property - exposeModsInErrorPages

SVR.JS 3.9.0

Dropped support for undocumented unused non-standard SVR.JS-specific headers.
Fixed bug with wwwredirect.
Replaced HTTP => HTTPS redirect handler
Added support for listening to specific IP address.
Added new config.json property - useWebRootServerSideScript
Added notice about logged user (HTTP authentication).
Added validation of X-Forwarded-For header

SVR.JS 3.4.28 LTS

Added validation for X-Forwarded-For header.

SVR.JS 3.4.27 LTS

Dropped support for undocumented unused non-standard SVR.JS-specific headers.
Fixed bug with wwwredirect.

SVR.JS 3.4.26 LTS

Changed default SVR.JS configuration.
Disabled server-side script exposure by default.

SVR.JS 3.8.1

Changed default SVR.JS configuration.
Disabled server-side script exposure by default.

SVR.JS 3.8.0

Added partial virtual hosting support
Added host field to nonStandardCodes and rewriteMap properties.
Added userList field to nonStandardCodes properties (with scode set to 401).
Added new config.json properties: errorPages, enableDirectoryListingVHost and customHeadersVHost.
Improved HTTP authentication error handling.

SVR.JS 3.4.25 LTS

Improved HTTP authentication error handling.
Updated SVR.JS license.

SVR.JS 3.7.5

Fixed non-working blacklist.
Updated SVR.JS license.

SVR.JS 3.4.24 LTS

Added reverse DNS lookup support.

SVR.JS 3.7.4

Added reverse DNS lookup support.

SVR.JS 3.4.23 LTS

Fixed server crashes while one of two ports are in use

SVR.JS 3.7.3

Fixed server crashes while one of two ports are in use

SVR.JS 3.4.22 LTS

ENAMETOOLONG errors now correspond to 414 code.
EMFILE errors now correspond to 503 code.

SVR.JS 3.7.2

ENAMETOOLONG errors now correspond to 414 code.

SVR.JS 3.7.1

Fixed bug with SVR.JS hang-up check requests logged in server logs (bug occurred on upstream Node.JS v12.22.12).

SVR.JS 3.4.21 LTS

Changed descriptions of 501 and 503 errors.
Disabled open proxy in default server-side JavaScript.
Fixed NotImplementedError in “cluster” module when running SVR.JS on newer versions of Bun.
Fixed redirect loops related to URL sanitizer.
Fixed SVR.JS proxy API (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback]).
Improved Bun IPC shim connection error handling.
Improved server error handling for Bun.
Updated svrpasswd tool.

SVR.JS 3.7.0

Added new config.json property - disableUnusedWorkerTermination.
Added option to rewrite “dirty” URLs - rewriteDirtyURLs.
Added PBKDF2 and scrypt support for HTTP authentication.
Added termination of unused workers.
Changed descriptions of 501 and 503 errors.
Disabled checking for hung up server processes, while SVR.JS is not yet listening.
Disabled open proxy in default server-side JavaScript.
Disabled X-SVR-JS-From-Main-Thread header for non-localhost clients.
EMFILE errors now correspond to 503 Service Unavailable error code.
Fixed NotImplementedError in “cluster” module when running SVR.JS on newer versions of Bun.
Fixed redirect loops related to URL sanitizer.
Fixed SVR.JS proxy API. (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback])
Improved Bun IPC shim connection error handling.
Improved extension checking function in directory listing generation.
Improved server error handling for Bun.
SVR.JS now exits gracefully on “stop” command.
Updated svrpasswd tool.

SVR.JS 3.4.20 LTS

Improved reliability while loading server-side JavaScript.

SVR.JS 3.6.4

Improved reliability while loading server-side JavaScript.

SVR.JS 3.4.19 LTS

Fixed bug with directory listing generating invalid HTML with custom head containing tag with attributes.

SVR.JS 3.6.3

Fixed bug with directory listing generating invalid HTML with custom head containing tag with attributes.

SVR.JS 3.4.18 LTS

Fixed bug with ENOTDIR error (was 500, now it’s 404).
Fixed bug with forbidden path checker.

SVR.JS 3.6.2

Fixed bug with ENOTDIR error (was 500, now it’s 404).
Fixed bug with forbidden path checker.
Optimized regular expression creating function.

SVR.JS 3.4.17 LTS

Improved URL sanitizer.
Fixed bug with formidable wrapper.

SVR.JS 3.6.1

Added support for ETags.
Added new config.json property: enableETag.
Improved URL sanitizer.
Fixed bug with formidable wrapper.

SVR.JS 3.6.0

Optimized sanitized URL comparison function.
Expanded warning messages.
Added support for Unix sockets and Windows named pipes.
Cleaned up SVR.JS code.

SVR.JS 3.4.16 LTS

Improved URL sanitizer and mitigates security vulnerability: attacker could use “…” to traverse directories, while SVR.JS is run in Windows.
Cleaned up code.

SVR.JS 3.5.6

Improved URL sanitizer and mitigates security vulnerability: attacker could use “…” to traverse directories, while SVR.JS is run in Windows.
Cleaned up code.

SVR.JS 3.4.15 LTS

Fixed broken URL sanitation redirect.
Improved URL sanitizer. (“%2F” now turns into “/“ instead of “%252F”)

SVR.JS 3.5.5

Fixed broken URL sanitation redirect.
Improved URL sanitizer. (“%2F” now turns into “/“ instead of “%252F”)

SVR.JS 3.4.14 LTS

Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.

SVR.JS 3.5.4

Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.

SVR.JS 3.4.13 LTS

Improved compatibility with Bun 0.9.14.
Replaced more blocking system calls with non-blocking ones.

SVR.JS 3.5.3

Improved compatibility with Bun 0.9.14.

SVR.JS 3.5.2

Replaced more blocking system calls with non-blocking ones.

SVR.JS 3.5.1

Added better HTTP error handler.

SVR.JS 3.4.12 LTS

Added better HTTP error handler.

SVR.JS 3.5.0

Dropped support for Node.JS 8.x and 9.x.
Directory listing icons now show even, if “.dirimages” directory is missing from web root.
Updated formidable module.

SVR.JS 3.4.11 LTS

Added support for Brotli compression.

SVR.JS 3.4.10

Added OCSP module loading failure warning.
SVR.JS now displays error message, when it’s run on JS runtime non-compatible with Node.JS.

SVR.JS 3.4.9

Added new config.json option: enableOCSPStapling.
Added support for OCSP stapling.
Added new dependency: ocsp
Replaced some blocking system calls in directory listing function with non-blocking ones.
Optimized HTTP basic authentication algorithm.

SVR.JS 3.4.8

Added HTTP authentication brute force protection.

SVR.JS 3.4.7

Fixed SVR.JS crashing on Node.JS 8.x and 9.x.

SVR.JS 3.4.6

Improved reliability in loading mods, server-side JavaScript and saving configuration file.

SVR.JS 3.4.5

Fixed bug with custom head and SVR.JS status page.

SVR.JS 3.4.4

req.socket.realRemoteAddress and res.socket.realRemotePort are now original users remote address and port respectively.

SVR.JS 3.4.3

Fixed bug related with saving config.json.
Disabled gzip compression for .gz files.

SVR.JS 3.4.2

Fixed bug with regular expression non-standard HTTP status codes.

SVR.JS 3.4.1

SVR.JS now uses 2 public IP providers: SeeIP.org and ipify.

SVR.JS 3.4.0

autocannon is no longer included with SVR.JS.
Fixed requirement on pretty-bytes library.
Removed version field from config.json
Fixed random worker crashes that occur, while config.json is saved.
SVR.JS no longer overrides config.json values, that are set after SVR.JS has been started.
SVR.JS no longer displays native Node.JS error message, while SVR.JS is run on read-only file system.

SVR.JS 3.3.3

Improved reliability of loading mods and server-side JavaScript.

SVR.JS 3.3.2

Calling callServerError or res.writeHead mutltiple times now invokes a warning instead of crashing SVR.JS.

SVR.JS 3.3.1

Fixed bug: Logs didn’t save during crash report generation.
Fixed bug: Worker crashes didn’t display message about starting new workers.
Fixed bug with SVR.JS status page.
Added image icons for .ico and .icn files in directory listings.
Added OpenSSL 1.x EOL warning message.
SVR.JS now uses WHATWG URL parser instead of deprecated url.parse() function.

SVR.JS 3.3.0

SVR.JS now forks itself at startup as many times the CPU host has cores (max 16 cores).
Fixed bug and potential security vulnerability: Non-standard codes didn’t work, and thus attackers could bypass HTTP authentication.

SVR.JS 3.2.1

Optimized SVR.JS blacklist and path sanitation code.
Mitigated security vulnerability: Attacker could access directory listing of directory above web root using “/..” path.

SVR.JS 3.2.0

Optimized SVR.JS code.
Logs from single-threaded SVR.JS now begin with “singlethread”.
Cyclic links now causes server to return 508 error instead of 404 error.

SVR.JS 3.1.2

Improved forbidden paths access control.

SVR.JS 3.1.1

SVR.JS is now able to run on Node.JS versions without crypto.
Changed IP provider to SeeIP (used, when crypto support is available).
Added new server status metrics: CPU usage percentage, Average request rate.
Added new command: restart.

SVR.JS 3.1.0

SVR.JS is now able to run on Node.JS versions without crypto.
Added HTTP/2 no-support indication for Bun.
Added more indication of request methods.
Cleaned up SVR.JS code.
Updated supplied tar and minipass modules.

SVR.JS 3.0.3

Changed public IP provider to ipify.

SVR.JS 3.0.2

Fixed server-side JavaScript handling.

SVR.JS 3.0.1

Improved error stack generation.
SVR.JS now serves files from directory on which script resides, unless wwwroot is specified.

SVR.JS 3.0.0

502 errors now logs their stacks.
Added better exception handler.
Added callServerError function for use in server-side JavaScript and mods.
Added cluster+ipc shim used when SVR.JS is running on Bun (SVR.JS can now run multi-threaded on Bun).
Added command-line parameter: -v/–version.
Added Content-Range support for static files.
Added custom Expect header handler.
Added custom request parse error handler.
Added date and time to logs.
Added –disable-mods option. (disables all mods and server side JavaScript)
Added displaying of contact information on 500 error.
Added experimental support for Bun (no SVR.JS command line for now…).
Added HTTP status code message to logs.
Added new command-line option: –single-threaded
Added new config.json properties: sni, serverAdministratorEmail, stackHidden, enableRemoteLogBrowsing, dontCompress, enableIPSpoofing, allowStatus, disableServerSideScriptExpose, exposeServerVersion, rewriteMap, secure, wwwroot, disableNonEncryptedServer and disableToHTTPSRedirect.
Added new depedency - formidable.
Added new method callable from mods: getCustomHeaders (gets headers from config.json file along with “Server” header).
Added new mod methods - getCustomHeaders, origHref, parsePostData and redirect.
Added new server-side JavaScript fields - customvar1, customvar2, customvar3, customvar4.
Added new utility: log highlighter at loghighlighter.js
Added new utility: log viewer at logviewer.js
Added new utility: SVR.JS user utility at svrpasswd.js
Added option to disable HTTP => HTTPS redirect server.
Added option to listen only for HTTPS.
Added {path} directive in custom error pages and headers.
Added RegEx support for non-standard error codes.
Added request ID to logs.
Added server error descriptions.
Added SNI support.
Added status page at /svrjsstatus.svr.
Added support for CIDR notation in non-standard codes.
Added support for CONNECT method (along with mod callbacks).
Added support for HTTP authentication.
Added support for RegEx for nonStandardCodes property.
Added support for X-Forwarded-For header.
Added URL rewriting.
Added warning, when SVR.JS is run as root.
Addedd error message in case SVR.JS is attempted to be started without Node.JS.
Allowed Node.JS versions without HTTP/2 support. (although HTTP/2 will not work)
Allowed starting without Internet connection.
Attackers can no longer bypass content blocking mechanism (non-standard codes set in config.json), when SVR.JS is run in Windows.
Attackers can no longer bypass content blocking mechanism, when SVR.JS is run in Windows.
Bare minimum now requires only “svr.js” script and node_modules directory.
Broken server availability addresses are now invisible in the console.
Change of working directory is now possible.
Changed demo server-side JavaScript to use new callServerError function.
Changed file type icons.
Changed HTTP error descriptions.
Changed log format.
Changed logo to new one.
Changed SVR.JS log descriptions.
config.json options which are not used by SVR.JS are now kept.
Configuration file now has diffrent placeholder content.
Connection messages when using SVR.JS as proxy aren’t longer broken.
Connection with null req.socket are now dropped.
Corrected handling of multi-line log messages.
Custom headers are no longer set by default on proxy requests.
DEBUG: /crash.svr crashes the server (only in Nightly).
Default content type can be no longer set.
Deprecated config.json property: defaultpage.
Directory listing custom foots now are displayed even if foot.html file doesn’t exist.
Directory listing custom heads now are displayed even if head.html file doesn’t exist.
Directory listing no longer breaks with “<” and “>” characters (XSS mitigated).
Directory listing now shows original URL, when URL is rewritten.
Directory listing now shows whatever the file is block device, chacter device, FIFO or socket.
Directory traversal through symbolic links is no longer possible (new URL sanitation function).
Disabled HTTP compression for w3m and Netscape 4.x.
Error pages can use new format: . instead of .html.
Error stack can be now hidden using stackHidden property.
Factory reset no longer replaces config.json with placeholder one.
Files without extension are no longer presented as HTML content.
Fixed bug: Blacklist didn’t save into config.json file.
Fixed bug: Downloading files above 2GB now works properly.
Fixed bug: Next thread no longer starts after closing ports.
Fixed bug related to broken access controls in SVR.JS when it’s run in Windows.
Fixed bug with server version exposure.
Fixed crash on malformed public IP check response.
Fixed crashes with TCP resets, when using default handler for CONNECT method.
Fixed default config.json file.
Fixed directory listing, when URL contains “@” or “?”
Fixed filterHeaders method.
Fixed handling of some proxy requests by default redirect server.
Fixed HEAD method handling.
Fixed HTTP compression.
Fixed master process crash, when unable to fork process.
Fixed process crash, when unable to save to a log file.
Fixed proxy mod loader.
Fixed public IP address identification on server console.
Fixed security vulnerability: Attacker could append “%00” to URL to bypass access restrictions when SVR.JS is running on Bun.
Fixed security vulnerability: Attacker could send specially constructed HTTP request to bypass content block mechanism.
Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions.
Fixed server endlessly spawning threads in Node.JS 20.x.
Fixed SVR.JS not able to start in Android (d/node.js).
Fixed SVR.JS not able to start in Node.JS 16.x in Haiku OS.
Fixed URL mojibake.
Fixed website block, when SVR.JS is running on Bun
Fixed XSS bug in host name indication in default error pages.
HTTP => HTTPS redirect server now returns 400 error when no host is specified.
HTTP requests made to HTTPS server now return 497 error page.
HTTP requests using CONNECT method now return 501 error, if SVR.JS is run on Bun.
Icons on directory listings are no longer stretched, when padding is applies to the table.
Improved bad request handler.
Improved compatibility with Bun.
Improved compatibility with Node.JS 20.x.
Improved default error pages and directory listings for mobile devices.
Improved directory listings.
Improved file handling by URL.
Improved handling of 405 error.
Improved handling of OPTIONS method.
Improved HTTP => HTTPS redirect handler.
Improved HTTP/2 => HTTP/1.x translation API.
Improved possible server access URLs.
IPv6 URLs are now shown properly.
Links now show sizes of referenced file in directory listing.
Logs are no longer remotely accessible, when enableRemoteLogBrowsing is set to false.
Made HTTP => HTTPS redirect server more compatible with Node.JS 20.x.
Main script moved to “svr.js” file.
Many request problem will now result in 500 error instead of crash.
Mitigated path traversal at bad URL rewriting.
Mod loader no longer uses eval.
Node.JS version is now exposed in Server header (unless exposeServerVersion is false).
Non-standard codes no longer works on proxy requests.
Patched supplied fs-minipass module to work with Bun.
Removed strict depedencies for: tar, svrmodpack, hexstrbase64 and formidable.
Removed “Welcome to DorianTech Node.JS Server!” and “Goodbye.” log, rendering welcomeMessage property useless.
Replaced 403 error page specific to disabled directory listing with generic one.
Replaced “domian” property with “domain” in config.json.
Replaced URL sanitation algorithm with faster one.
Server is now more protected against directory traversal attack.
Server no longer crashes on some malformed URIs.
Server now returns 403 error, when server software itself doesn’t have permissions to access files.
Size function now requires pretty-bytes library.
Size function now uses custom fallback.
Stack traces from 500 errors are now displayed in logs.
SVR.JS doesn’t use template config.json anymore, if config.json doesn’t exist
SVR.JS no longer crashes on mod loading problem.
SVR.JS no longer crashes when displaying listing of directory containing invalid files.
SVR.JS no longer drops connections having null response socket.
SVR.JS now keeps unused properties of config.json file.
SVR.JS used as HTTPS server works even without key and cert fields in config.json.
SVR.JS version is no longer leaked via svr.js file, when exposeServerVersion property is set to false.
Updated supplied mime-types and mime-db modules.
Using SVR.JS as an proxy without proxy mod now returns no-proxy message.

SVR.JS 2.1.4

Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions. (fix backported from SVR.JS 3.0.0-beta19)
Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta19)

SVR.JS 2.1.3

Added new config.json properties: exposeServerVersion and stackHidden (backported from SVR.JS 3.0.0-beta1)
Fixed path traversal vulnerability (fix backported from SVR.JS 3.0.0-beta1)
Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta1)
Fixed server crash on malformed URL (fix backported from SVR.JS 3.0.0-beta1)

SVR.JS 2.1.2

Methods other than “POST”, “GET”, “OPTIONS” and “HEAD” are allowed.

SVR.JS 2.1.1

Fixed security vulnerability using directory listing to access secret files.

SVR.JS 2.1.0

Added new property of config.json “enableDirectoryListingWithDefaultHead”.
Added personalization of directory listing.
Added compability with Node.JS v8.10.0
Replaced MIME type table with one from mime-types module.
Fixed bug: Directory listing shows wrong icons.
Changed icons in directory listing.
Changed size display in directory listing.
Deleted analytics inside SVR.JS - those analytics are now in seperate mod, of which SVR.JS comes with it.

SVR.JS 2.0.0

Added support for .tar.gz mods and server side Javascript in .JS file.
Moved directory listing icons to seperate directory.
Replaced ASCII Art.
Added support for HTTP/2.0, disabled by default.
Changed default footer.
Added unpacking SVR.JS in first run.
Added checking, if head and foot exists.
Optimized directory listing for Lynx text client
Modified Server UI.
Added new properties of config.json “enableLogging” and “enableDirectoryListing”.
Added “–clean” and “–reset” arguments.
Fixed security vulnerability: The block is only covering part of SVR.JS
Fixed bug: Not saving config.json on Linux.
Added multi-threading.
Deleted “getip” command.

SVR.JS 1.2.2

Fixed bug, which caused mojibake in Unicode files.
Fixed bug, which caused SVR.JS to require SSL certificate, even if HTTPS mode is disabled.
Fixed bug, which caused SVR.JS to crash, if no mods are loaded.
Fixed bug, which caused SVR.JS to display blank directory, if URL is with query.

SVR.JS 1.2.1

Fixed bug, which caused SVR.JS in Ubuntu to not work
Added platform showing

SVR.JS 1.2.0

First released version of SVR.JS