Changed

  • Refuse-to-boot / refuse-to-sign guardrails now explain themselves. The error messages thrown by the framework's fail-fast security checks are now actionable instead of terse: a weak session() secret, jwt() configured with alg: "none" (both the signer and the verifier allowlist), secureDefaults: false in production, a session() chain on a state-changing route without csrf(), and an unconfigured trustProxy when a forwarded header is present each now describe the concrete risk (forged sessions, signature-stripping / algorithm-confusion, cross-site state changes, spoofed client IPs), suggest a fix (e.g. openssl rand -base64 32, picking HS256 / RS256 / ES256, the right trustProxy value), and link to the relevant docs page. The error codes (alg_none_refused, …) and the validation behavior are unchanged — only the human-readable guidance improved, so existing programmatic checks keep working.
  • create-daloy --with-ci workflow templates and the repo's own workflows refresh their pinned GitHub Actions SHAs (CodeQL, OpenGrep, Scorecard, and the container-scan jobs) to current upstream releases. Actions remain fully SHA-pinned; only the pinned commits moved forward.
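
The first item above describes guardrails whose error code stays stable while the message gains the risk, a fix and a docs link. A sketch of that pattern for the alg: "none" check follows; it is an added example, not DaloyJS source, and every name in it (GuardrailError, assertJwtConfig, classifyBootFailure, the docs URL) is hypothetical except the error code alg_none_refused quoted in the notes.

```javascript
// Added illustration, not DaloyJS source. Every name here is hypothetical
// except the error code "alg_none_refused", which the release notes quote.
class GuardrailError extends Error {
  constructor(code, { risk, fix, docs }) {
    super(`${code}: ${risk} Fix: ${fix} See ${docs}`);
    this.name = "GuardrailError";
    this.code = code; // stable and machine-readable; callers branch on this
  }
}

const DOCS = "https://docs.example.invalid/jwt"; // placeholder URL

// Case variants such as "None" or "nOnE" are treated as "none" as well.
const isNone = (alg) =>
  typeof alg === "string" && alg.trim().toLowerCase() === "none";

// Fail fast at configuration time, before any token is signed or verified.
// `alg` is the signer algorithm, `algorithms` the verifier allowlist.
function assertJwtConfig({ alg, algorithms = [] }) {
  const offenders = [];
  if (isNone(alg)) offenders.push("signer alg");
  if (algorithms.some(isNone)) offenders.push("verifier allowlist");
  if (offenders.length === 0) return { alg, algorithms };
  throw new GuardrailError("alg_none_refused", {
    risk: `"none" in the ${offenders.join(" and ")} means no signature ` +
      "is checked, so tokens can be forged (signature stripping).",
    fix: "pick HS256, RS256 or ES256 and allow only that algorithm.",
    docs: DOCS,
  });
}

// A caller that keys on err.code keeps working when the message text changes.
function classifyBootFailure(config) {
  try {
    assertJwtConfig(config);
    return "ok";
  } catch (err) {
    if (err instanceof GuardrailError && err.code === "alg_none_refused") {
      return "refuse-to-boot";
    }
    throw err;
  }
}
```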

Documentation

  • New "where DaloyJS fits in OAuth2 & OpenID Connect" auth-architecture guide clarifies that DaloyJS is a resource-server / relying-party toolkit rather than an identity provider or authorization server, with managed vs. self-hosted IdP guidance and the two recommended designs. It is linked from the auth overview and summarized in the @daloyjs/core and create-daloy READMEs and every scaffolded template README.
  • New "Coming from ts-rest?" comparison on the typed-client docs page, plus a ts-rest row in the README framework-comparison table.

Full changelog: https://github.com/daloyjs/daloy/compare/v0.38.0...v0.38.1

Source: README.md, updated 2026-06-11