Skip to content

Commit 7f331c8

Browse files
cableheadcablehead
committed
chore: release v0.15.0
1 parent e384377 commit 7f331c8

3 files changed

Lines changed: 26 additions & 2 deletions

File tree

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ members = [".", "tests/test_plugin"]
33

44
[package]
55
name = "http-nu"
6-
version = "0.14.1-dev"
6+
version = "0.15.0"
77
edition = "2021"
88
rust-version = "1.88.0"
99
description = "The surprisingly performant, Nushell-scriptable, cross.stream-powered, Datastar-ready HTTP server that fits in your back pocket."

changes/v0.15.0.md

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
# v0.15.0
2+
3+
## Highlights
4+
5+
- **Updated to Nushell 0.112.1 and cross.stream 0.12.0.** Nushell removed the `--merge` flag from `metadata set`. If you were using `metadata set --merge {...}`, switch to the closure form: `metadata set { merge {'http.response': {status: 404}} }`. The `{ merge {...} }` form that was already used in examples and docs continues to work unchanged.
6+
7+
- **Security hardening for HTML output.** Minijinja templates now autoescape by default. The `.md` command escapes code fence language attributes. HTML DSL attribute values are properly escaped. The `escape-html` utility consistently escapes all five HTML-significant characters (`& < > " '`) everywhere.
8+
9+
- **SSRF fix in reverse proxy.** The `strip_prefix` logic now rejects URLs with authority components (e.g. `//evil.com`) that could confuse downstream routing.
10+
11+
## Raw commits
12+
13+
* deps: update nushell to 0.112.1 and cross-stream to 0.12.0 (2026-04-13)
14+
* refactor: unify escape-html to escape all 5 chars everywhere (2026-04-13)
15+
* fix: consolidate HTML escaping, add attribute escaping to HTML DSL (2026-04-13)
16+
* fix: escape code fence language in .md to prevent XSS (2026-04-08)
17+
* fix: enable HTML autoescape in minijinja templates to prevent XSS (2026-04-08)
18+
* fix: prevent SSRF via URL authority confusion in reverse proxy strip_prefix (2026-04-08)
19+
* feat: add cargo-docs example (2026-04-07)
20+
* docs: update v0.14.0 release notes (2026-04-04)
21+
* fix: rename const to avoid collision when sourced from www/serve.nu (2026-04-04)
22+
* fix: use path self for cwd-independent path resolution in templates example (2026-04-03)
23+
* docs: rewrite v0.14.0 release notes (2026-04-04)
24+
* chore: bump to v0.14.1-dev (2026-04-03)

0 commit comments

Comments
 (0)