From 7fc838ada7f7e2800fd11850fb4551082ab42605 Mon Sep 17 00:00:00 2001 From: magdev Date: Mon, 26 Jan 2026 16:36:29 +0100 Subject: [PATCH] Release version 0.2.0 Security improvements and server implementation alignment. Co-Authored-By: Claude Opus 4.5 --- CHANGELOG.md | 28 ++++++++++++++++++++++++++++ CLAUDE.md | 6 +++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d50dbe..228a637 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.2.0] - 2026-01-26 + +### Added + +- SSRF protection with URL validation and private IP range blocking +- `allowInsecureHttp` constructor parameter for development environments +- Input validation in all DTO `fromArray()` methods +- DateTime exception handling in DTOs +- Recursive key sorting in `ResponseSignature` for nested objects + +### Changed + +- Key derivation now uses RFC 5869 compliant `hash_hkdf()` instead of custom HMAC +- Exception messages sanitized to prevent information disclosure +- Header normalization treats empty values as null + +### Fixed + +- JSON encoding error handling in `ResponseSignature::buildSignaturePayload()` +- Header normalization null risk in `SecureLicenseClient` + +### Security + +- Comprehensive security audit performed +- SSRF vulnerability mitigated +- Information disclosure in error messages fixed +- Improved cryptographic key derivation + ## [0.1.0] - 2026-01-22 ### Added diff --git a/CLAUDE.md b/CLAUDE.md index 274856b..6471a6d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -29,7 +29,11 @@ This project is proudly **"vibe-coded"** using Claude.AI - the entire codebase w No known bugs at the moment -### Version 0.2.0 +### Version 0.2.1 + +No pending tasks at the moment. + +### Version 0.3.0 No pending tasks at the moment.
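Review bot: The "Changed" entry "Key derivation now uses RFC 5869 compliant `hash_hkdf()` instead of custom HMAC" in the CHANGELOG.md hunk describes an incompatible change without saying so: keys derived by the 0.1.0 scheme will not match keys derived with HKDF, so a 0.2.0 client can only talk to a server that switched in the same way (the subject line's "server implementation alignment" hints at this but the entry does not). Since the file states the project follows Semantic Versioning, add a "Breaking" or compatibility sentence to that entry naming the minimum server version and, if applicable, the HKDF salt/info parameters that both sides must agree on. Two smaller documentation points in the same hunk: the `allowInsecureHttp` entry should state its default (presumably `false`) and that it is intended only for development, since an opt-in that silently disables TLS deserves an explicit note; and "Comprehensive security audit performed" under "Security" is unverifiable as written, so reference the audit report, issue or commit range, and link each "Added"/"Fixed" entry to the commit that made the change, given that this release commit itself touches only CHANGELOG.md and CLAUDE.md.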
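Review bot: In the CLAUDE.md hunk the "### Version 0.2.0" heading is renamed to "### Version 0.2.1" and a "### Version 0.3.0" heading is added, but both sections carry the identical placeholder "No pending tasks at the moment.", so the roadmap now has two empty sections that say nothing; keep a single "next release" section (or drop the version-specific headings until a task exists) and point readers to CHANGELOG.md for what shipped in 0.2.0. If the 0.2.0 section previously listed the planned security work, consider stating in this file that those items are done rather than silently replacing the heading, so the history of what was planned versus delivered stays visible.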