Release version 0.2.0

Security improvements and server implementation alignment. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-26 16:36:29 +01:00
parent a11aa4260a
commit 7fc838ada7
2 changed files with 33 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+## [0.2.0] - 2026-01-26
+
+### Added
+
+- SSRF protection with URL validation and private IP range blocking
+- `allowInsecureHttp` constructor parameter for development environments
+- Input validation in all DTO `fromArray()` methods
+- DateTime exception handling in DTOs
+- Recursive key sorting in `ResponseSignature` for nested objects
+
+### Changed
+
+- Key derivation now uses RFC 5869 compliant `hash_hkdf()` instead of custom HMAC
+- Exception messages sanitized to prevent information disclosure
+- Header normalization treats empty values as null
+
+### Fixed
+
+- JSON encoding error handling in `ResponseSignature::buildSignaturePayload()`
+- Header normalization null risk in `SecureLicenseClient`
+
+### Security
+
+- Comprehensive security audit performed
+- SSRF vulnerability mitigated
+- Information disclosure in error messages fixed
+- Improved cryptographic key derivation
+
 ## [0.1.0] - 2026-01-22

 ### Added