v3.0.0-RC1

This commit is contained in:
Peter Taoussanis 2020-09-11 11:35:19 +02:00
parent 9cac0afb98
commit f91292c969
3 changed files with 64 additions and 14 deletions

View file

@ -1,12 +1,68 @@
> This project uses [Break Versioning](https://github.com/ptaoussanis/encore/blob/master/BREAK-VERSIONING.md) as of **Aug 16, 2014**.
## v3.0.0-RC1 / 2020 Sep 11
```clojure
[com.taoensso/nippy "3.0.0-RC1"]
```
> Major **BREAKING** feature + security release.
> See [here](https://github.com/ptaoussanis/encore#recommended-steps-after-any-significant-dependency-update) for recommended steps when updating any Clojure/Script dependencies.
> This release is focused on smoothing out rough edges left by `CVE-2020-24164` [#130], and to **ease transition** from version of Nippy < `v2.15.0` final.
> Apologies for the recent breaking changes!
Note that there's separate documentation below if upgrading from `v2.15` or `v2.14`:
## Since `v2.15.0` (incl. BREAKING changes)
See [#130] for **detailed upgrade instructions**.
### Changes
- **[BREAKING]** Bumped minimum Clojure version from `v1.5` to `v1.7`.
- **[BREAKING]** `*serializable-whitelist*` has been split into two separate vars: `*freeze-serializable-allowlist*`, `*thaw-serializable-allowlist`*. See [#130] for details.
- **[BREAKING]** `:nippy/unthawable` responses now have a standardized form: `{:nippy/unthawable {:type _ :cause _ ...}`. Most folks won't care about this change unless you have code specifically to deal with `:nippy/unthawable` responses.
- By default, `freeze` now allows the use of Java's Serializable for any class. `thaw` continues to be restrictive by default, and will quarantine any objects not on the class allowlist. See [#130] for details.
### New
- [#122] Option to disable freezing and/or thawing of metadata.
- `freeze` and `thaw` now support opts: `:serializable-allowlist`, `:incl-metadata?`.
- New `read-quarantined-serializable-object-unsafe!` util to read quarantined Serializable objects. See [#130] for details.
## Since `v2.14.0` (incl. BREAKING changes)
See [#130] for **detailed upgrade instructions**.
### Changes
- **[BREAKING]** [#130] `thaw` will now quarantine Serializable objects whose class is not allowed by `*thaw-serializable-allowlist*`. See [#130] for details.
- **[BREAKING]** Bumped minimum Clojure version from `v1.5` to `v1.7`.
- **[BREAKING]** `:nippy/unthawable` responses now have a standardized form: `{:nippy/unthawable {:type _ :cause _ ...}`. Most folks won't care about this change unless you have code specifically to deal with `:nippy/unthawable` responses.
- [#101] Switch default encryptor from `AES-CBC` to `AES-GCM` (faster, includes integrity check)
### New
- [#127] Add utils: `freeze-to-string`, `thaw-from-string` (@piotr-yuxuan)
- [#113 #114] Add support for object arrays (@isaksky)
- [#83 #112] Add support for deftype (@isaksky)
- [#83 #113] Add support for URIs (@isaksky)
- [#126] `extend-freeze`: include id collision odds in docstring
### Fixes
- [#120] Update `freezable?` to cover `nil`
## v2.15.3 / 2020 Sep 10
```clojure
[com.taoensso/nippy "2.15.3"]
```
> Non-breaking release. See [here](https://github.com/ptaoussanis/encore#recommended-steps-after-any-significant-dependency-update) recommended steps when updating any Clojure/Script dependencies.
> Non-breaking release. See [here](https://github.com/ptaoussanis/encore#recommended-steps-after-any-significant-dependency-update) for recommended steps when updating any Clojure/Script dependencies.
#### Changes since `v2.15.2`
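Review bot: In the "Since `v2.15.0`" Changes list, the second of the two new var names is written with its closing asterisk after the closing backtick, so the rendered name loses its trailing earmuff and no longer matches `*thaw-serializable-allowlist*` as spelled in the "Since `v2.14.0`" section. This is the var that decides which Serializable classes `thaw` will accept, so the name should be copy-paste exact; move the asterisk inside the code span. The `:nippy/unthawable` example `{:nippy/unthawable {:type _ :cause _ ...}` is missing its closing brace in both sections, and "from version of Nippy" in the intro should read "from versions of Nippy".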

View file

@ -4,23 +4,18 @@
**[CHANGELOG]** | [API] | current [Break Version]:
```clojure
[com.taoensso/nippy "2.15.3"] ; BREAKING, see CHANGELOG for details
[com.taoensso/nippy "3.0.0-RC1"] ; BREAKING, see CHANGELOG for details
[com.taoensso/nippy "2.15.3"] ; BREAKING, see CHANGELOG for details
```
## ** SECURITY ADVISORY **
> See [here](https://taoensso.com/clojure/backers) if you're interested in helping support my open-source work, thanks! - Peter
Users of Nippy older than **v2.15.0 final** should **please upgrade ASAP** due to a **Remote Code Execution vulnerability** when deserializing data from an **untrusted source**.
## _SECURITY ADVISORY_
Users of Nippy older than **v2.15.0 final** should **please upgrade ASAP** due to a **Remote Code Execution (RCE) vulnerability** when deserializing data from an **untrusted source**.
Please see [here](https://github.com/ptaoussanis/nippy/issues/130) for details, including upgrade instructions.
--
> Please consider helping to [support my continued open-source Clojure/Script work]?
>
> Even small contributions can add up + make a big difference to help sustain my time writing, maintaining, and supporting Nippy and other Clojure/Script libraries. **Thank you!**
>
> \- Peter Taoussanis
# Nippy
## The fastest serialization library for Clojure
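Review bot: The security advisory still says only "please upgrade ASAP", while the dependency block above it now lists both `3.0.0-RC1` and `2.15.3`, each commented "BREAKING, see CHANGELOG for details", so a reader on a vulnerable version cannot tell from the README which coordinate to move to. Suggest stating next to each coordinate who it is meant for (the CHANGELOG describes `v2.15.3` as a non-breaking release), and including the identifier `CVE-2020-24164` that the CHANGELOG uses, so the advisory can be matched against scanner output as well as issue #130.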
@ -195,7 +190,6 @@ Copyright &copy; 2012-2020 [Peter Taoussanis].
[@ptaoussanis]: https://www.taoensso.com
[More by @ptaoussanis]: https://www.taoensso.com
[Break Version]: https://github.com/ptaoussanis/encore/blob/master/BREAK-VERSIONING.md
[support my continued open-source Clojure/Script work]: http://taoensso.com/clojure/backers
<!--- Standard links (repo specific) -->
[CHANGELOG]: https://github.com/ptaoussanis/nippy/releases

View file

@ -1,4 +1,4 @@
(defproject com.taoensso/nippy "2.15.3"
(defproject com.taoensso/nippy "3.0.0-RC1"
:author "Peter Taoussanis <https://www.taoensso.com>"
:description "High-performance serialization library for Clojure"
:url "https://github.com/ptaoussanis/nippy"
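Review bot: Only the version string on the `defproject` line changes here, while the CHANGELOG entry in this commit announces a minimum Clojure bump from `v1.5` to `v1.7`. Please confirm that the Clojure dependency declared further down in this file already reflects `v1.7`, or include that change in this release commit so the published artifact and the release notes agree.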