Skip to content

Releases: patchstack/connect

v0.3.8

Choose a tag to compare

@github-actions github-actions released this 14 Jul 09:13
4a3c39d

What's Changed

  • Add MAINTAINING.md — a guide for editing the install prompt and setup docs by @ejntaylor in #54
  • Fix Release to Publish cascade so releases actually publish to npm by @ejntaylor in #55
  • Harden Release versioning against lagging publishes and tag collisions by @ejntaylor in #56

Full Changelog: v0.3.7...v0.3.8

v0.3.7

Choose a tag to compare

@github-actions github-actions released this 14 Jul 08:51
06a02d8

What's Changed

  • Add one-click Release workflow and surface publishes as GitHub deployments by @ejntaylor in #53

Full Changelog: v0.3.6...v0.3.7

v0.3.6

Choose a tag to compare

@ejntaylor ejntaylor released this 14 Jul 08:29
95e6e1b
Bump version from 0.2.11 to 0.3.6 (#52)

v0.3.5

Choose a tag to compare

@ejntaylor ejntaylor released this 13 Jul 20:26
c555177

What's Changed

  • Make the guide state-aware and shorten the agent install prompt by @ejntaylor in #45

Full Changelog: v0.3.4...v0.3.5

v0.3.4 — server-function guard on the canonical lineage

Choose a tag to compare

@devlob devlob released this 13 Jul 17:23
538c9e9

Runtime protection now covers the TanStack server-function path

Unifies the connector on the vendored node-waf engine and adds the server-function guard (#43), superseding 0.3.3 (which shipped only the browser-tunnel guard).

  • protect wires the guard as both a request middleware (browser → Supabase tunnel) and a function middleware (TanStack server functions) — so both of a Lovable app's data paths are covered, however it was built.
  • The WAF engine is vendored into the package (@patchstack/connect/protect); the installer scaffolds only guard.ts + rules.json.
  • protect is per-piece idempotent (clean re-runs and upgrades); ships types for the ./protect subpath.

Validated live end-to-end on a fresh Lovable app: a UI task-add carrying a stored-XSS marked payload is refused by the server-function guard (receipt returned, task never saved), while benign tasks save. Requires Node >= 18.

v0.3.3: Derive release version from the tag instead of pushing to main (#40)

Choose a tag to compare

@ejntaylor ejntaylor released this 13 Jul 16:25
a0d7c18
The one-click Release workflow pushed the npm-version bump commit
straight to main, which branch protection rejects (PRs + signed commits
+ status checks required). Drop that approach.

Instead, make Publish read the version from the release tag (v0.3.3 ->
0.3.3), write it into package.json in CI only, then build and publish.
Nothing is committed to main, so it works with branch protection and the
tag can never disagree with the published version. Removes the old
tag/version match guard (now unnecessary) and the release.yml workflow.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

v0.3.2 — idempotent upgrades (clean re-run of protect)

Choose a tag to compare

@devlob devlob released this 13 Jul 15:53
e33e1e4

Re-running protect now reconciles cleanly across upgrades

0.3.1 added the server-function guard, but protect's idempotency check keyed off a single
marker (patchstackGuard) — so re-running it on an app already wired by 0.3.0 silently did
nothing, and that app never gained the new function-middleware guard.

Fix

  • patchStart is now idempotent per piece. It extends the guard import, adds each middleware
    definition, and registers each guard only when missing. So installing on a fresh app wires
    everything; re-running after a connect upgrade adds exactly the newly-introduced pieces (no
    duplication); a second run is a no-op.
  • Verified: an app wired by 0.3.0 gains patchstackFunctionGuard in functionMiddleware with no
    duplicate request guard, and re-running reports "already wired".

No API changes. Requires Node >= 18.

v0.3.1 — guard covers TanStack server functions

Choose a tag to compare

@devlob devlob released this 13 Jul 15:46
c2274a2

Runtime protection now covers the server-function data path

Validating 0.3.0 on a fresh Lovable app surfaced a real gap: modern Lovable scaffolds mutate data through TanStack server functions (createServerFn) using a server-side Supabase client, which bypasses the browser-client tunnel the guard patches. Exploit payloads reached the database.

What's new

  • protect registers the guard on functionMiddleware too. In addition to the existing browser tunnel (requestMiddleware), the installer now wires a TanStack function middleware that inspects every server-function call's args and blocks on a rule match before the handler writes to the DB. Covers both Lovable data shapes (browser-direct Supabase and server functions) — still zero user-code changes.
  • New runtime export createServerFnGuard({ protection }) — evaluates decoded server-fn args through the same policy as the tunnel (args become the request body, so the engine resolves post.<field> identically). Fail-open.
  • @patchstack/connect/protect now ships types. Added a types condition to the ./protect export (hand-authored dist/protect.d.ts), so strict-TS builds no longer need a .d.ts shim.

Compatibility

  • scan, mark-build, init, status, and the 0.3.0 browser-tunnel guard are unchanged.
  • protect is idempotent; re-running upgrades the wiring in place.

Requires Node >= 18.

v0.3.0 — self-contained runtime protection

Choose a tag to compare

@devlob devlob released this 13 Jul 14:39
418bf0b

Runtime protection is now built into connect

@patchstack/connect now ships an always-on runtime guard — no separate package, no user code changes.

What's new

  • Vendored the node-waf engine into connect. The real Patchstack WAF rule engine (RuleEngine + rule client + fetch/node adapters) now ships inside this package, exposed as @patchstack/connect/protect. One self-contained install; no peer dependency on @patchstack/node-waf.
  • patchstack-connect protect wires the always-on guard into a TanStack Start + Supabase app. It tunnels the app's Supabase traffic through an in-app guard route (/_patchstack/guard) that inspects payloads before they reach Supabase — zero changes to the user's own code.
  • Always-on by default. The guard blocks matching exploit traffic out of the box. Set PATCHSTACK_MODE=dry-run for log-only.
  • Rules from the Patchstack API (PATCHSTACK_WAF_TOKEN), cached last-known-good, with a bundled fallback rule until a token is configured.
  • SSRF-hardened: the guard only forwards to the configured SUPABASE_URL origin.

Compatibility

  • scan, mark-build, init, status unchanged.
  • New subpath export @patchstack/connect/protect (ESM + CJS).

Requires Node >= 18.

0.2.11

Choose a tag to compare

@ejntaylor ejntaylor released this 13 Jul 14:24
e49df12

First release cut from main since 0.2.8 — reconciles the out-of-band 0.2.9/0.2.10 releases.

  • patchstack-connect protect — runtime-protection guard installer for TanStack Start + Supabase apps; guard is always-on by default, dry-run via explicit env (#36, previously published out-of-band as 0.2.9/0.2.10)
  • mark-build now detects and injects a build-stack descriptor into built HTML (#35)
  • Manifest endpoint test helper (#33)