Skip to content

V3#2

Merged
SerhiyGreench merged 7 commits into
masterfrom
v3
Jul 10, 2026
Merged

V3#2
SerhiyGreench merged 7 commits into
masterfrom
v3

Conversation

@SerhiyGreench

Copy link
Copy Markdown
Contributor

No description provided.

- native ES modules: type=module, exports map, explicit .js import
  extensions, engines node >=22.12.0
- @imqueue/net updated to ^3.0.0 (ESM major); NOTE: package-lock.json is
  intentionally not committed here — regenerate with npm install once
  @imqueue/net@3.0.0 is published to the registry
- ioredis imported via named { Redis } binding (default import of the
  module mock is not a constructor under node:test module mocking)
- TypeScript 7 (tsgo) with es2024 target, nodenext resolution,
  verbatimModuleSyntax and explicit types: [node]
- tests migrated from mocha/chai/mock-require/nyc to node:test; ioredis
  mock registered via mock.module preloaded with --import
- lint/format switched from eslint to oxlint + oxfmt; devDeps reduced
- version bumped to 3.0.0
Adds behavioral specs for safeNetworks bypass, isBanned(), middleware()
pass-through and blocking, and json/text middleware error responses
(status codes, content types and payload shape).
Adds a getClientIp option to HttpProtectOptions. It defaults to
request-ip's getClientIp() (unchanged behaviour), but lets callers plug
in a trust-aware resolver - e.g. one built on proxy-addr configured with
known proxies - so forwarded headers cannot be spoofed to evade rate
limits or poison the ban list when running behind untrusted proxies.

- HttpProtect.getClientIp is resolved once in the constructor and used by
  verify(); request-ip stays the default dependency
- tests cover the default resolver and a custom override (including that
  a spoofed x-forwarded-for is ignored when the override reads x-real-ip)
- README: documented the option and fixed the stale manual-injection
  example (verify() takes the request, not a pre-extracted IP)
The migration commit had pre-set 3.0.0, which would make the usual
'npm version major' release flow skip to 4.0.0. Align back to the
published 2.0.1 so the release flow itself produces 3.0.0 with its tag
and commit.
The committed package-lock.json still pinned @imqueue/net to a local
scratchpad tarball (file:/tmp/.../imqueue-net-3.0.0.tgz) used during the
pre-publish migration, so 'npm ci' failed on CI with ENOENT. @imqueue/net
3.0.0 is now on the registry, so the lockfile resolves it from
registry.npmjs.org and npm ci works.
@SerhiyGreench SerhiyGreench merged commit 5dce96f into master Jul 10, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant