v3.0.0-RC1 / 2020 Sep 11

[com.taoensso/nippy "3.0.0-RC1"]

Major BREAKING feature + security release.
See here for recommended steps when updating any Clojure/Script dependencies.

This release is focused on smoothing out rough edges left by CVE-2020-24164 [#130], and to ease transition from version of Nippy < v2.15.0 final.

Apologies for the recent breaking changes!

Note that there's separate documentation below if upgrading from v2.15 or v2.14:

Since v2.15.0 (incl. BREAKING changes)

See [#130] for detailed upgrade instructions.

Changes

• [BREAKING] Bumped minimum Clojure version from v1.5 to v1.7.
• [BREAKING] *serializable-whitelist* has been split into two separate vars: *freeze-serializable-allowlist*, *thaw-serializable-allowlist*. See [#130] for details.
• [BREAKING] :nippy/unthawable responses now have a standardized form: {:nippy/unthawable {:type _ :cause _ ...}. Most folks won't care about this change unless you have code specifically to deal with :nippy/unthawable responses.
• By default, freeze now allows the use of Java's Serializable for any class. thaw continues to be restrictive by default, and will quarantine any objects not on the class allowlist. See [#130] for details.

New

• [#122] Option to disable freezing and/or thawing of metadata.
• freeze and thaw now support opts: :serializable-allowlist, :incl-metadata?.
• New read-quarantined-serializable-object-unsafe! util to read quarantined Serializable objects. See [#130] for details.

Since v2.14.0 (incl. BREAKING changes)

See [#130] for detailed upgrade instructions.

Changes

• [BREAKING] [#130] thaw will now quarantine Serializable objects whose class is not allowed by *thaw-serializable-allowlist*. See [#130] for details.
• [BREAKING] Bumped minimum Clojure version from v1.5 to v1.7.
• [BREAKING] :nippy/unthawable responses now have a standardized form: {:nippy/unthawable {:type _ :cause _ ...}. Most folks won't care about this change unless you have code specifically to deal with :nippy/unthawable responses.
• [#101] Switch default encryptor from AES-CBC to AES-GCM (faster, includes integrity check)

New

• [#127] Add utils: freeze-to-string, thaw-from-string (@piotr-yuxuan)
• [#113 #114] Add support for object arrays (@isaksky)
• [#83 #112] Add support for deftype (@isaksky)
• [#83 #113] Add support for URIs (@isaksky)
• [#126] extend-freeze: include id collision odds in docstring

Fixes

• [#120] Update freezable? to cover nil

v2.15.3 / 2020 Sep 10

[com.taoensso/nippy "2.15.3"]

Non-breaking release. See here recommended steps when updating any Clojure/Script dependencies.

Changes since v2.15.2

• *serializable-whitelist*: added a number of common classes to default value. See default-serializable-whitelist for details.

v2.15.2 / 2020 Aug 31

[com.taoensso/nippy "2.15.2"]

This is a quick hotfix release, should be non-breaking.

Only change since v2.15.0 is to bump Encore dependency (v2.124.0->v2.126.2).

Encore v1.123.0 introduced an issue affecting Timbre.
Issue was addressed with Encore v2.125.2.

Updating Encore here doesn't affect Nippy, but may be helpful for users of
Nippy that also use Timbre and that haven't otherwise updated to a newer
version of Encore yet.

v2.15.1 / 2020 Aug 27

[com.taoensso/nippy "2.15.1"]

This is a minor feature release. Should be non-breaking.
See here for a tip re: general recommended steps when updating any Clojure/Script dependencies.

New since v2.15.0:

• *serializable-whitelist*: sets of approved class names may now contain "*" wildcards.
• *serializable-whitelist*: added JVM properties and env vars to override initial value. See updated docstring for details.

Changes since v2.15.0:

• [#126] extend-freeze: include id collision odds in docstring.

v2.15.0 / 2020 Jul 24

[com.taoensso/nippy "2.15.0"]

This is a major feature release. It may be BREAKING!

BREAKING CHANGES since v2.14.0:

• [#130] [Security] Add *serialization-whitelist*, ENABLED BY DEFAULT to address Remote Code Execution vulnerability.

See #130 for details, incl. upgrade instructions.

Big thanks to Timo Mihaljov (@solita-timo-mihaljov) for an excellent report identifying this vulnerability!

New since v2.14.0:

• [#127] Add utils: freeze-to-string, thaw-from-string (@piotr-yuxuan)
• [#113 #114] Add support for object arrays (@isaksky)
• [#83 #112] Add support for deftype (@isaksky)
• [#83 #113] Add support for URIs (@isaksky)

Changes since v2.14.0:

• [#101] Switch default encryptor from AES-CBC to AES-GCM (faster, includes integrity check)
• Refactor encryption utils for extra flexibility in future
• Latest dependencies

Fixes since v2.14.0:

• [#120] Update freezable? to cover nil

v2.14.2 / 2020 Jul 24

[com.taoensso/nippy "2.14.2"]

This is a non-breaking hotfix security release. PLEASE READ CAREFULLY.

New since v2.14.0:

• [#130] Add *serialization-whitelist* feature, DISABLED BY DEFAULT.

** SECURITY ADVISORY **

To prevent a possible Remote Code Execution (RCE) vulnerability (#130), you must opt-in to use the new *serialization-whitelist* feature.

See the nippy/*serialization-whitelist* docstring for usage instructions.

v2.14.0 / 2017 Dec 21

[com.taoensso/nippy "2.14.0"]

This is a minor, non-breaking maintenance release.

• Impl: Update a number of dependencies
• [#104] Impl: Micro-optimization: remove unnecessary runtime 'if' in extend-freeze macro (@scramjet)
• [#93] Impl: Pickup record redefinitions at REPL, etc. (@smee)

v2.13.0 / 2017 Feb 13

[com.taoensso/nippy "2.13.0"]

This is a minor, non-breaking maintenance release.

• [#91] New: Add freeze-to-file and thaw-from-file utils (@Engelberg)
• [#85] Impl: Lazily create LZ4 instance, fixes issue with Google App Engine
• Impl: Bump 1-byte cacheable types from 5->8

v2.13.0-RC1 / 2016 Dec 17

[com.taoensso/nippy "2.13.0-RC1"]

This should be a minor, non-breaking release.

• [#85] Impl: Lazily create LZ4 instance, fixes issue with Google App Engine
• Impl: Bump 1-byte cacheable types from 5->8

v2.12.2 / 2016 Aug 23

[com.taoensso/nippy "2.12.2"]

• Hotfix: private API typo