Skip to content

Releases: patchstack/connect

v0.3.11

Choose a tag to compare

@github-actions github-actions released this 14 Jul 13:29
12e7143

What's Changed

  • feat(protect): opt-in response screening for node/express + Supabase guard by @patchstackdave in #64
  • Remove install.txt references; add Uninstalling section to AGENT-INSTALL.md by @ejntaylor in #68

Full Changelog: v0.3.10...v0.3.11

v0.3.10

Choose a tag to compare

@github-actions github-actions released this 14 Jul 13:00
585877b

What's Changed

  • Add real-platform personas and a personas × models field-test matrix by @ejntaylor in #60
  • docs(protect): end-to-end demo + seed demo rules (public CVE) by @patchstackdave in #61
  • Harden install prompt against read-then-apply refusals (bolt.diy report) by @ejntaylor in #63
  • Verify-first install prompt + hostinger persona and two-turn confirm mode by @ejntaylor in #67

Full Changelog: v0.3.9...v0.3.10

v0.3.9

Choose a tag to compare

@github-actions github-actions released this 14 Jul 10:39
83bf1fc

What's Changed

  • feat(protect): rule-driven Tier-3 (response redaction + egress SSRF) + array-param fix by @patchstackdave in #57
  • test(protect): port engine unit suite + restructure tests/protect/ by @patchstackdave in #58
  • [feat] 49 - automate disclosure widget installation by @mariojgt in #59

New Contributors

Full Changelog: v0.3.8...v0.3.9

v0.3.8

Choose a tag to compare

@github-actions github-actions released this 14 Jul 09:13
4a3c39d

What's Changed

  • Add MAINTAINING.md — a guide for editing the install prompt and setup docs by @ejntaylor in #54
  • Fix Release to Publish cascade so releases actually publish to npm by @ejntaylor in #55
  • Harden Release versioning against lagging publishes and tag collisions by @ejntaylor in #56

Full Changelog: v0.3.7...v0.3.8

v0.3.7

Choose a tag to compare

@github-actions github-actions released this 14 Jul 08:51
06a02d8

What's Changed

  • Add one-click Release workflow and surface publishes as GitHub deployments by @ejntaylor in #53

Full Changelog: v0.3.6...v0.3.7

v0.3.6

Choose a tag to compare

@ejntaylor ejntaylor released this 14 Jul 08:29
95e6e1b
Bump version from 0.2.11 to 0.3.6 (#52)

v0.3.5

Choose a tag to compare

@ejntaylor ejntaylor released this 13 Jul 20:26
c555177

What's Changed

  • Make the guide state-aware and shorten the agent install prompt by @ejntaylor in #45

Full Changelog: v0.3.4...v0.3.5

v0.3.4 — server-function guard on the canonical lineage

Choose a tag to compare

@devlob devlob released this 13 Jul 17:23
538c9e9

Runtime protection now covers the TanStack server-function path

Unifies the connector on the vendored node-waf engine and adds the server-function guard (#43), superseding 0.3.3 (which shipped only the browser-tunnel guard).

  • protect wires the guard as both a request middleware (browser → Supabase tunnel) and a function middleware (TanStack server functions) — so both of a Lovable app's data paths are covered, however it was built.
  • The WAF engine is vendored into the package (@patchstack/connect/protect); the installer scaffolds only guard.ts + rules.json.
  • protect is per-piece idempotent (clean re-runs and upgrades); ships types for the ./protect subpath.

Validated live end-to-end on a fresh Lovable app: a UI task-add carrying a stored-XSS marked payload is refused by the server-function guard (receipt returned, task never saved), while benign tasks save. Requires Node >= 18.

v0.3.3: Derive release version from the tag instead of pushing to main (#40)

Choose a tag to compare

@ejntaylor ejntaylor released this 13 Jul 16:25
a0d7c18
The one-click Release workflow pushed the npm-version bump commit
straight to main, which branch protection rejects (PRs + signed commits
+ status checks required). Drop that approach.

Instead, make Publish read the version from the release tag (v0.3.3 ->
0.3.3), write it into package.json in CI only, then build and publish.
Nothing is committed to main, so it works with branch protection and the
tag can never disagree with the published version. Removes the old
tag/version match guard (now unnecessary) and the release.yml workflow.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

v0.3.2 — idempotent upgrades (clean re-run of protect)

Choose a tag to compare

@devlob devlob released this 13 Jul 15:53
e33e1e4

Re-running protect now reconciles cleanly across upgrades

0.3.1 added the server-function guard, but protect's idempotency check keyed off a single
marker (patchstackGuard) — so re-running it on an app already wired by 0.3.0 silently did
nothing, and that app never gained the new function-middleware guard.

Fix

  • patchStart is now idempotent per piece. It extends the guard import, adds each middleware
    definition, and registers each guard only when missing. So installing on a fresh app wires
    everything; re-running after a connect upgrade adds exactly the newly-introduced pieces (no
    duplication); a second run is a no-op.
  • Verified: an app wired by 0.3.0 gains patchstackFunctionGuard in functionMiddleware with no
    duplicate request guard, and re-running reports "already wired".

No API changes. Requires Node >= 18.