Release 9.1.0

Release Notes

Security and Architecture Improvements

CORS Modernization and Security Hardening

This release includes a comprehensive overhaul of CORS (Cross-Origin Resource Sharing) handling to improve security, reduce bandwidth usage, and modernize the codebase. #588

Bug Fixes

• Fixed NullPointerException in MongoPermissions parsing when filter values are null ([6d68a66](https://github.com/SoftInstigate/restheart/commit/6d68a6609)) - This could have caused authorization checks to fail unexpectedly

Infrastructure & CI/CD

• Upgraded GitHub Actions dependencies:
• Updated checkout action
• Updated setup-java action
• Updated upload-artifact action
• Migrated build workflow to use GraalVM distribution
• Simplified release workflow configuration
• Update GraalVM and Truffle versions to 25.0.2
• Pin GraalVM version to 25.0.1 for macOS Intel in native image workflow (*)

(*) Support for macOS x64 has been removed from GraalVM Community images. Version 25.0.1 was the last release that supported this hardware architecture. GraalVM now only supports macOS on AArch64 (Apple Silicon).

Migration Notes

⚠️ Breaking Change for Custom CORS Configurations

The CORS changes in this release are significantly more restrictive by default. If you have services with custom CORS requirements, you may need to:

1. Override accessControlAllowHeaders() if your service requires headers beyond the new defaults (Authorization, Content-Type, X-Requested-With, No-Auth-Challenge)
2. Override accessControlExposeHeaders() to explicitly expose any custom headers your service sets
3. Review any custom services using the old OptionsHandler pattern and migrate to Request.handleOptions()

The new approach provides better security out-of-the-box while maintaining flexibility through the enhanced CORSHeaders interface methods. (See documentation for details.)

Full Changelog: https://github.com/SoftInstigate/restheart/compare/9.0.0...9.1.0