Releases: patchstack/connect
Release list
v0.3.8
What's Changed
- Add MAINTAINING.md — a guide for editing the install prompt and setup docs by @ejntaylor in #54
- Fix Release to Publish cascade so releases actually publish to npm by @ejntaylor in #55
- Harden Release versioning against lagging publishes and tag collisions by @ejntaylor in #56
Full Changelog: v0.3.7...v0.3.8
v0.3.7
What's Changed
- Add one-click Release workflow and surface publishes as GitHub deployments by @ejntaylor in #53
Full Changelog: v0.3.6...v0.3.7
v0.3.6
v0.3.5
What's Changed
- Make the guide state-aware and shorten the agent install prompt by @ejntaylor in #45
Full Changelog: v0.3.4...v0.3.5
v0.3.4 — server-function guard on the canonical lineage
Runtime protection now covers the TanStack server-function path
Unifies the connector on the vendored node-waf engine and adds the server-function guard (#43), superseding 0.3.3 (which shipped only the browser-tunnel guard).
protectwires the guard as both a request middleware (browser → Supabase tunnel) and a function middleware (TanStack server functions) — so both of a Lovable app's data paths are covered, however it was built.- The WAF engine is vendored into the package (
@patchstack/connect/protect); the installer scaffolds onlyguard.ts+rules.json. protectis per-piece idempotent (clean re-runs and upgrades); ships types for the./protectsubpath.
Validated live end-to-end on a fresh Lovable app: a UI task-add carrying a stored-XSS marked payload is refused by the server-function guard (receipt returned, task never saved), while benign tasks save. Requires Node >= 18.
v0.3.3: Derive release version from the tag instead of pushing to main (#40)
The one-click Release workflow pushed the npm-version bump commit straight to main, which branch protection rejects (PRs + signed commits + status checks required). Drop that approach. Instead, make Publish read the version from the release tag (v0.3.3 -> 0.3.3), write it into package.json in CI only, then build and publish. Nothing is committed to main, so it works with branch protection and the tag can never disagree with the published version. Removes the old tag/version match guard (now unnecessary) and the release.yml workflow. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
v0.3.2 — idempotent upgrades (clean re-run of protect)
Re-running protect now reconciles cleanly across upgrades
0.3.1 added the server-function guard, but protect's idempotency check keyed off a single
marker (patchstackGuard) — so re-running it on an app already wired by 0.3.0 silently did
nothing, and that app never gained the new function-middleware guard.
Fix
patchStartis now idempotent per piece. It extends the guard import, adds each middleware
definition, and registers each guard only when missing. So installing on a fresh app wires
everything; re-running after a connect upgrade adds exactly the newly-introduced pieces (no
duplication); a second run is a no-op.- Verified: an app wired by 0.3.0 gains
patchstackFunctionGuardinfunctionMiddlewarewith no
duplicate request guard, and re-running reports "already wired".
No API changes. Requires Node >= 18.
v0.3.1 — guard covers TanStack server functions
Runtime protection now covers the server-function data path
Validating 0.3.0 on a fresh Lovable app surfaced a real gap: modern Lovable scaffolds mutate data through TanStack server functions (createServerFn) using a server-side Supabase client, which bypasses the browser-client tunnel the guard patches. Exploit payloads reached the database.
What's new
protectregisters the guard onfunctionMiddlewaretoo. In addition to the existing browser tunnel (requestMiddleware), the installer now wires a TanStack function middleware that inspects every server-function call's args and blocks on a rule match before the handler writes to the DB. Covers both Lovable data shapes (browser-direct Supabase and server functions) — still zero user-code changes.- New runtime export
createServerFnGuard({ protection })— evaluates decoded server-fn args through the same policy as the tunnel (args become the request body, so the engine resolvespost.<field>identically). Fail-open. @patchstack/connect/protectnow ships types. Added atypescondition to the./protectexport (hand-authoreddist/protect.d.ts), so strict-TS builds no longer need a.d.tsshim.
Compatibility
scan,mark-build,init,status, and the 0.3.0 browser-tunnel guard are unchanged.protectis idempotent; re-running upgrades the wiring in place.
Requires Node >= 18.
v0.3.0 — self-contained runtime protection
Runtime protection is now built into connect
@patchstack/connect now ships an always-on runtime guard — no separate package, no user code changes.
What's new
- Vendored the node-waf engine into connect. The real Patchstack WAF rule engine (RuleEngine + rule client + fetch/node adapters) now ships inside this package, exposed as
@patchstack/connect/protect. One self-contained install; no peer dependency on@patchstack/node-waf. patchstack-connect protectwires the always-on guard into a TanStack Start + Supabase app. It tunnels the app's Supabase traffic through an in-app guard route (/_patchstack/guard) that inspects payloads before they reach Supabase — zero changes to the user's own code.- Always-on by default. The guard blocks matching exploit traffic out of the box. Set
PATCHSTACK_MODE=dry-runfor log-only. - Rules from the Patchstack API (
PATCHSTACK_WAF_TOKEN), cached last-known-good, with a bundled fallback rule until a token is configured. - SSRF-hardened: the guard only forwards to the configured
SUPABASE_URLorigin.
Compatibility
scan,mark-build,init,statusunchanged.- New subpath export
@patchstack/connect/protect(ESM + CJS).
Requires Node >= 18.
0.2.11
First release cut from main since 0.2.8 — reconciles the out-of-band 0.2.9/0.2.10 releases.
patchstack-connect protect— runtime-protection guard installer for TanStack Start + Supabase apps; guard is always-on by default, dry-run via explicit env (#36, previously published out-of-band as 0.2.9/0.2.10)mark-buildnow detects and injects a build-stack descriptor into built HTML (#35)- Manifest endpoint test helper (#33)