chore(release): 2.0.0

Prepare release notes and bump package metadata.

BREAKING CHANGE: URL inputs are now passed to the server; FileInput no longer includes URLs, sign() only accepts local inputs, and processRemoteFileInput was removed.

Author: jdrhyne

CHANGELOG.md

@@ -7,42 +7,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+_Nothing yet._
+
+## [2.0.0] - 2026-01-27
+
 ### Security
 
 - Updated `axios` from ^1.10.0 to ^1.13.2 to fix DoS vulnerability (GHSA-4hjh-wcwx-xvwj)
 - Updated `form-data` from ^4.0.4 to ^4.0.5
 - Added npm overrides for transitive dependency vulnerabilities:
   - `glob` ^11.0.4 (fixes GHSA-5j98-mcp5-4vw2 command injection)
   - `js-yaml` ^4.1.1 (fixes GHSA-mh29-5h37-fv8m prototype pollution)
+- URL inputs are no longer fetched client-side; URLs are passed to the server to mitigate SSRF risks
 
 ### Changed
 
-- Updated devDependencies to latest compatible versions:
-  - `@eslint/eslintrc` ^3.3.3
-  - `@eslint/js` ^9.39.2
-  - `@types/node` ^24.10.7
-  - `@typescript-eslint/eslint-plugin` ^8.53.0
-  - `@typescript-eslint/parser` ^8.53.0
-  - `dotenv` ^17.2.3
-  - `eslint` ^9.39.2
-  - `eslint-config-prettier` ^10.1.8
-  - `eslint-plugin-jest` ^29.12.1
-  - `globals` ^16.5.0
-  - `jest` ^30.2.0
-  - `openapi-typescript` ^7.10.1
-  - `prettier` ^3.7.4
-  - `rimraf` ^6.1.2
-  - `ts-jest` ^29.4.6
-  - `tsup` ^8.5.1
-  - `tsx` ^4.21.0
-  - `typescript` ^5.9.3
+- Most methods accept URL inputs via `FileInputWithUrl` and pass URLs to the server for fetching
+- `sign()` now only accepts local files (file paths, Buffers, or Uint8Arrays); fetch remote files first
+- Updated devDependencies to latest compatible versions
 - Switched Jest coverage provider from Istanbul to V8 for Node.js 25+ compatibility
 - Excluded generated API types from coverage collection (reduces noise in coverage reports)
 
+### Removed
+
+- Removed client-side URL fetching helper `processRemoteFileInput` from public exports
+- Removed client-side PDF parsing helpers (`getPdfPageCount`, `isValidPdf`)
+
 ### Added
 
+- SSRF protection documentation in README
 - This CHANGELOG.md file to track project changes
 
+
 ## [1.0.1] - 2025-01-09
 
 ### Changed
@@ -68,6 +64,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Comprehensive error handling with typed error classes
 - AI agent integration rules for Claude Code, Cursor, GitHub Copilot, Junie, and Windsurf
 
-[Unreleased]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v1.0.1...HEAD
+[Unreleased]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v2.0.0...HEAD
+[2.0.0]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v1.0.1...v2.0.0
 [1.0.1]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/releases/tag/v1.0.0

examples/package-lock.json

@@ -10,7 +10,7 @@
   "private": true,
   "dependencies": {
     "dotenv": "^17.0.0",
-    "@nutrient-sdk/dws-client-typescript": "file:../nutrient-sdk-dws-client-typescript-1.0.1.tgz"
+    "@nutrient-sdk/dws-client-typescript": "file:../nutrient-sdk-dws-client-typescript-2.0.0.tgz"
   },
   "devDependencies": {
     "@types/node": "^24.0.7",

examples/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nutrient-sdk/dws-client-typescript",
-  "version": "1.0.1",
+  "version": "2.0.0",
   "description": "Node.js TypeScript client library for Nutrient Document Web Services (DWS) API",
   "keywords": [
     "nutrient",