v5.0.0 — Safe-by-default error handler

molty3000 released this 14 May 16:21

Breaking Change

DEFAULT_ERROR_HANDLER is now safe-by-default. Error details are only exposed when NODE_ENV=development.

| NODE_ENV | Before (v4.x) | After (v5.0) |
|---|---|---|
| unset | ❌ leaks err.message | ✅ Internal Server Error |
| production | ✅ safe | ✅ safe |
| development | ❌ leaks | ✅ leaks (by design) |
| staging | ❌ leaks | ✅ safe |
| testing | ❌ leaks | ✅ safe |

If your app relies on error messages in non-development environments, set NODE_ENV=development or provide a custom errorHandler in router config.
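The two policies in the table, as an added JavaScript sketch that is not the project's source: a deny-list check (only `production` is safe) beside an allow-list check (only `development` exposes details), run through a custom error handler for each NODE_ENV value. The `(err, req, res)` handler signature, the `text/plain` Content-Type value and every function name here are assumptions; the error message is constructed.

```javascript
// Deny-list policy (v4.x behaviour per the table): anything except "production" leaks.
function exposesDetailsV4(nodeEnv) {
  return nodeEnv !== 'production';
}

// Allow-list policy (v5.0 behaviour per the table): only "development" leaks.
function exposesDetailsV5(nodeEnv) {
  return nodeEnv === 'development';
}

// Hypothetical factory for a custom errorHandler; the signature is an assumption.
function makeErrorHandler(exposes, env = process.env) {
  return function errorHandler(err, req, res) {
    const body = exposes(env.NODE_ENV) ? String(err.message) : 'Internal Server Error';
    res.statusCode = 500;
    // Plain text so error content is never rendered as HTML (value chosen for this sketch).
    res.setHeader('Content-Type', 'text/plain; charset=utf-8');
    res.end(body);
  };
}

// Minimal stand-in for http.ServerResponse so the sketch runs offline.
function fakeRes() {
  return {
    statusCode: 200, headers: {}, body: null,
    setHeader(k, v) { this.headers[k.toLowerCase()] = v; },
    end(b) { this.body = b; }
  };
}

// Runs one policy against each NODE_ENV value and reports "leaks" or "safe".
function audit(exposes) {
  const err = new Error('connect ECONNREFUSED db-internal:5432'); // constructed
  const envs = [undefined, 'production', 'development', 'staging', 'testing', 'Development', 'dev'];
  const result = {};
  for (const value of envs) {
    const res = fakeRes();
    makeErrorHandler(exposes, { NODE_ENV: value })(err, {}, res);
    result[String(value)] = res.body === err.message ? 'leaks' : 'safe';
  }
  return result;
}

console.table({ 'v4.x': audit(exposesDetailsV4), 'v5.0': audit(exposesDetailsV5) });
```

Under the allow-list, misspelled or abbreviated values such as `Development` and `dev` also fall on the safe side, which is the property the deny-list lacks.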

Security

Comprehensive penetration test suite added (tooling/pentest.js) — 48 vectors across 10 categories:

  • 13 prototype pollution vectors — all blocked (direct, encoded, double-encoded, nested)
  • 8 path traversal vectors — all blocked (dot-dot, null byte, quad-dot)
  • 6 DoS vectors — all resilient (large queries, cache exhaustion, deep nesting)
  • 5 information disclosure vectors — all safe
  • 6 method confusion and cache vectors — all clean
  • 3 request tampering vectors — all protected

Changed Files

  • lib/router/sequential.js — flipped error handler condition + Content-Type header
  • tests/nested-routers.test.js — updated error expectations
  • tests/router-coverage.test.js — updated error expectations
  • tests/v4.4.test.js — added NODE_ENV-unset test
  • tooling/pentest.js — new 48-vector security test suite

Full Changelog: v4.4.0...v5.0.0