v3.0.0 2020-09-20

taoensso · Sep 20, 2020 · 21a2cf4 · 21a2cf4
1 parent 6b855b2
commit 21a2cf4
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,60 @@
 > This project uses [Break Versioning](https://github.com/ptaoussanis/encore/blob/master/BREAK-VERSIONING.md) as of **Aug 16, 2014**.
 
+## v3.0.0 / 2020 Sep 20
+
+```clojure
+[com.taoensso/nippy "3.0.0"]
+```
+
+> This release is focused on smoothing out rough edges left by `CVE-2020-24164` [#130], and to **ease transition** from versions of Nippy < `v2.15.0 final`.
+
+> See [here](https://github.com/ptaoussanis/encore#recommended-steps-after-any-significant-dependency-update) for recommended steps when updating any Clojure/Script dependencies.
+
+Note that there's **separate details** below for upgrading from `v2.15` vs `v2.14`:
+
+### Upgrading from `v2.15.0` (usually non-breaking)
+
+Usually a non-breaking drop-in replacement, but there's some changes you might like to take advantage of. See [#130] for **detailed upgrade instructions**.
+
+#### Changes
+
+  - **[BREAKING]** Bumped minimum Clojure version from `v1.5` to `v1.7`.
+  - **[BREAKING]** `:nippy/unthawable` responses now have a standardized form: `{:nippy/unthawable {:type _ :cause _ ...}`. Most folks won't care about this change unless they have code specifically to deal with `:nippy/unthawable` responses.
+  - [Deprecated] `*serializable-whitelist*` has been split into two separate vars: `*freeze-serializable-allowlist*`, `*thaw-serializable-allowlist`*. See [#130] for details.
+  - By default, `freeze` now **allows** the use of Java's Serializable for **any** class. `thaw` continues to be restrictive by default, and will quarantine any objects not on the class allowlist. See [#130] for details.
+
+#### New
+
+  - [#122] Option to disable freezing and/or thawing of metadata.
+  - `freeze` and `thaw` now support opts: `:serializable-allowlist`, `:incl-metadata?`.
+  - New `read-quarantined-serializable-object-unsafe!` util to read quarantined Serializable objects. See [API docs](http://ptaoussanis.github.io/nippy/taoensso.nippy.html#var-read-quarantined-serializable-object-unsafe.21) and/or [#130] for details.
+  - Add `allow-and-record-any-serializable-class-unsafe` util. See [API docs](http://ptaoussanis.github.io/nippy/taoensso.nippy.html#var-allow-and-record-any-serializable-class-unsafe) and/or [#130] for details.
+
+
+### Upgrading from `v2.14.0` (may be BREAKING)
+
+Likely breaking. Please see [#130] for **detailed upgrade instructions**.
+
+#### Changes
+
+  - **[BREAKING]** Bumped minimum Clojure version from `v1.5` to `v1.7`.
+  - **[BREAKING]** [#130] `thaw` will now quarantine Serializable objects whose class is not allowed by `*thaw-serializable-allowlist*`. See [#130] for details.
+  - **[BREAKING]** `:nippy/unthawable` responses now have a standardized form: `{:nippy/unthawable {:type _ :cause _ ...}`. Most folks won't care about this change unless you have code specifically to deal with `:nippy/unthawable` responses.
+  - [#101] Switch default encryptor from `AES-CBC` to `AES-GCM` (faster, includes integrity check)
+
+#### New
+
+  - [#127] Add utils: `freeze-to-string`, `thaw-from-string` (@piotr-yuxuan)
+  - [#113 #114] Add support for object arrays (@isaksky)
+  - [#83 #112] Add support for deftype (@isaksky)
+  - [#83 #113] Add support for URIs (@isaksky)
+  - [#126] `extend-freeze`: include id collision odds in docstring
+
+#### Fixes
+
+  - [#120] Update `freezable?` to cover `nil`
+
+
 ## v3.0.0-RC3 / 2020 Sep 12
 
 ```clojure

diff --git a/README.md b/README.md
@@ -4,8 +4,7 @@
 **[CHANGELOG]** | [API] | current [Break Version]:
 
 ```clojure
-[com.taoensso/nippy "3.0.0-RC3"] ; BREAKING, see CHANGELOG for details
-[com.taoensso/nippy "2.15.3"]    ; BREAKING, see CHANGELOG for details
+[com.taoensso/nippy "3.0.0"] ; See CHANGELOG for details
 ```
 
 <!-- ![build status](https://github.com/ptaoussanis/nippy/workflows/build/badge.svg?branch=master) -->
@@ -14,9 +13,9 @@
 
 ## _SECURITY ADVISORY_
 
-Users of Nippy older than **v2.15.0 final** should **please upgrade ASAP** due to a **Remote Code Execution (RCE) vulnerability** when deserializing data from an **untrusted source**.
+Users of Nippy <= `v2.15.0-RC1` should **please upgrade ASAP** due to a **Remote Code Execution (RCE) vulnerability** when deserializing data from an **untrusted source**.
 
-Please see [here](https://github.com/ptaoussanis/nippy/issues/130) for details, including upgrade instructions.
+See [here](https://github.com/ptaoussanis/nippy/issues/130) for details, including upgrade instructions.
 
 # Nippy
 
@@ -43,7 +42,7 @@ Nippy is an attempt to provide a reliable, high-performance **drop-in alternativ
 Add the necessary dependency to your project:
 
 ```clojure
-[com.taoensso/nippy "2.15.3"]
+[com.taoensso/nippy "3.0.0"]
 ```
 
 And setup your namespace imports:

diff --git a/project.clj b/project.clj
@@ -1,4 +1,4 @@
-(defproject com.taoensso/nippy "3.0.0-RC3"
+(defproject com.taoensso/nippy "3.0.0"
   :author "Peter Taoussanis <https://www.taoensso.com>"
   :description "High-performance serialization library for Clojure"
   :url "https://github.com/ptaoussanis/nippy"