| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| README.md | 2026-06-11 | 1.9 kB | |
| v0.38.1 source code.tar.gz | 2026-06-11 | 2.6 MB | |
| v0.38.1 source code.zip | 2026-06-11 | 3.3 MB | |
| Totals: 3 Items | | 6.0 MB | 0 |
Changed
- Refuse-to-boot / refuse-to-sign guardrails now explain themselves. The error messages thrown by the framework's fail-fast security checks are now actionable instead of terse: a weak `session()` secret, `jwt()` configured with `alg: "none"` (both the signer and the verifier allowlist), `secureDefaults: false` in production, a `session()` chain on a state-changing route without `csrf()`, and an unconfigured `trustProxy` when a forwarded header is present each now describe the concrete risk (forged sessions, signature-stripping / algorithm-confusion, cross-site state changes, spoofed client IPs), suggest a fix (e.g. `openssl rand -base64 32`, picking HS256 / RS256 / ES256, the right `trustProxy` value), and link to the relevant docs page. The error codes (`alg_none_refused`, …) and the validation behavior are unchanged — only the human-readable guidance improved, so existing programmatic checks keep working.
- `create-daloy --with-ci` workflow templates and the repo's own workflows refresh their pinned GitHub Actions SHAs (CodeQL, OpenGrep, Scorecard, and the container-scan jobs) to current upstream releases. Actions remain fully SHA-pinned; only the pinned commits moved forward.
Documentation
- New "where DaloyJS fits in OAuth2 & OpenID Connect" auth-architecture guide clarifies that DaloyJS is a resource-server / relying-party toolkit rather than an identity provider or authorization server, with managed-vs-self-hosted IdP guidance and the two recommended designs. It is linked from the auth overview and summarized in the `@daloyjs/core` and `create-daloy` READMEs and every scaffolded template README.
- New "Coming from ts-rest?" comparison on the typed-client docs page, plus a ts-rest row in the README framework-comparison table.
Full changelog: https://github.com/daloyjs/daloy/compare/v0.38.0...v0.38.1