Tags: sahat/hackathon-starter
v10.0.0

New AI and Integration Features
- AI: AI Agent (ReAct: Reasoning+Acting) boilerplate with LangChain as a starting point for AI Agent development, with support for:
  - Tool execution with automatic retry middleware for transient failures
  - MongoDB session persistence for chat history for authenticated users
  - Input guardrails for safety against prompt injection/jailbreak (Llama Guard 4)
  - Conversation summarization for long conversations to stay within context limits
  - Real-time streaming for a live response chat experience using Server-Sent Events (SSE)
  - Streaming of the Agent's internal chatter, tool calls, etc., for debugging
- AI: RAG boilerplate (LangChain, Huggingface, Groq (Llama 3.3), MongoDB Vector Search, Keyv caching)
- AI: Serverless LLM integration - text classification (Llama 3.3 hosted on Groq)
- AI: Vision - device camera and LLM vision model usage (Llama 4 Scout hosted on Groq)
- AI: OpenAI Moderation model usage example
- API Integration: trakt.tv
- API Integration: Wikipedia (@nikeshadhikari9)
- API Integration: Pubchem chemical info data source (@hemanthsavasere)
- API Integration: ~~Tenor~~ GIPHY (@DanielLuu122 @YasharF)

New Core Features
- 2FA via email and code generator apps (TOTP)
- Login with passkeys (biometrics, Face ID, etc.)
- Passwordless authentication (login via email link)
- OAuth token revocation (RFC 7009-style and provider-specific variants) when users unlink an OAuth provider or delete their account
- Login with Discord
- Login with Microsoft (@dev-shahed)
- Multiple profile picture support

Enhancements
- Enhanced Express.js logging with custom Morgan configuration
- Reduced startup friction for new projects by making reCAPTCHA credentials optional
- Consolidated the AI integrations to be separate from API integrations
- Refactored Passport.js strategies to use a common auth-login handler for easier swapping of OAuth providers, maintenance, and core testing
- Updated the included sample Terms of Service and Privacy Policy for formatting and compliance with Google and Facebook requirements
- Various visual and UX improvements
- Improved pre-commit hook scripts for running `eslint --fix` and `Prettier --write` on files being committed
- Consolidated temporary artifacts in tmp/

Bug Fixes
- Fix Facebook OAuth: missing email scope, and infinite loop in certain cases
- Fix upload folder being created in controllers/ instead of the app root
- Fix error handling issues in Google Sheets and Google Drive integration
- Fix various npm script-related issues for Windows development environments
- Fix error from not having husky installed in production environments when using `npm ci --omit dev`

Chores & Maintenance
- Replaced unmaintained express-flash npm package with our own middleware (@Prasanth-S7)
- Replaced moment.js in favor of the native Node.js date API
- Updated minimum engine to Node.js 24.13, which is the latest fully security-patched LTS version
- Updated dependencies
- Improved dependabot and GitHub Action scripts to automate keeping dependencies up-to-date
- Updated Google Maps API integration
- Updated Google branding per their requirements
- Updated NYT API integration to use v3 endpoint
- Updated QuickBooks API integration per required changes
- Migrated Foursquare API integration to use the new Places API endpoints (@mheavey2)
- Migrated reCAPTCHA to GCP
- Removed Pinterest OAuth and API Integration
- Removed SendGrid references as they no longer offer a reasonable free tier for hackathon participants (@nylla8444)
- Removed lodash dependency, as much of the functionality can be fulfilled with current versions of JS with minimal code
- Removed Airbnb eslint (fork) usage in favor of direct rules within eslint 9 configs
- Removed Docker support documentation as it won't be officially supported any more (Docker workflows don't align with the hackathon development model, and deployment environments vary too widely for a single Docker configuration to be useful or maintainable)
- Added Pull Request template with a checklist to remind devs of various pre-checks for shippable code
- Updated various documentation (@YasharF @nylla8444 @FrontendBy-GJ)

Tests
- Add API call recording and replay capability and fixtures to enable end-to-end testing without API keys
- Add Playwright harness for UI-driven testing and end-to-end (E2E) test examples
  - Base harness and E2E for automated UI testing (@akilesh1706 @YasharF)
  - E2E tests for GitHub integration (@akilesh1706)
  - E2E tests for last.fm integration (@hsavasere)
  - E2E tests for the web scraping (@Mrinank-Bhowmick)
  - E2E tests for OpenAI Moderation (@Mrinank-Bhowmick)
  - E2E tests for Pubchem integration (@hemanthsavasere)
  - E2E tests for Lob integration (@hemanthsavasere)
  - E2E tests for trakt.tv integration (@hemanthsavasere)
  - E2E tests for NY Times integration (@Vedant794)
  - E2E tests for Wikipedia integration (@nikeshadhikari9)
  - E2E tests for Google Maps integration (@AndersonTsaiTW)
  - E2E tests for the file upload (@hemanthsavasere)
  - E2E tests for Twilio integration (@henockt)
  - E2E tests for HERE Maps integration (@AndersonTsaiTW)
  - E2E tests for Foursquare integration (@Sid0004)
  - E2E tests for ChartJS and Alpha Vantage integration (@AndersonTsaiTW)
v9.0.0

New Features
- Introduced "Logout Everywhere" functionality for enhanced security (Thanks to @vimark1).
- Added support for Google Analytics 4, Facebook Pixel, and Open Graph metadata.

Enhancements
- Removed unnecessary session saves for uninitialized sessions.
- Cleaned up GitHub Actions by removing unnecessary CodeQL references.
- Updated documentation for improved clarity and relevance.
- Optimized Dockerfile and updated Docker image for better performance (Thanks to @akarys2304).
- Replaced favicon.png with favicon.ico to match browser default requests.
- Added Apple touch icons.
- Refactored Nodemailer calls into config/nodemailer.js for unified security and configuration settings.
- Removed redundant installation of body-parser, now included with ExpressJS.
- Renamed getValidateReCAPTCHA to validateReCAPTCHA for better clarity.
- Adopted Prettier for consistent code formatting.
- Suppressed unactionable Sass import deprecation warnings.
- Renamed handleOAuth2Callback to saveOAuth2UserTokens for clarity.

Security Updates
- Addressed Host-header Injection vulnerability in Password Reset & Email Verification (CVE-2025-29036).
- Added upload size limit for Multer and moved its configuration to api.js.
- Replaced MD5 with SHA256 for Gravatar generation.

Bug Fixes
- Updated to the latest HERE Maps API as the prior API version calls were no longer working.
- Corrected the path for popper.js.
- Fixed pre-commit test and lint execution.
- Updated the default privacy policy to comply with Facebook terms and other regulations.
- Improved OAuth2 token handling logic:
  - Properly save tokens without expiration dates.
  - Consolidated token-saving logic across all providers to fix multiple issues.
  - Prevented infinite redirect loops in isAuthorized during failed token refresh attempts.

Chore & Maintenance
- [Breaking] Upgraded to Express 5.x.
- [Breaking] Migrated from axios to Node.js's built-in fetch, reducing dependencies and improving performance.
- Switched from the deprecated nyc to c8 for code coverage reporting.
- Updated all dependencies.

Tests
- Added unit tests for isAuthorized and saveOAuth2UserTokens in config/passport.js.
- Fixed unit tests for app.js.
v8.1.0

Security Enhancements
- Added URL validation for redirects through session.returnTo (CWE-601).
- Fixed OAuth state parameter generation and handling to address CSRF attack vectors in the OAuth workflow.
- Added additional sanitization for user input in database queries using $eq in MongoDB.

API and Integration:
- Unified formatting for authentication parameters in route definitions and passport.js configuration.
- Refactored common code for OAuth 2 token processing in passport strategies to improve maintainability.
- Reworked the GitHub and Twitch API integration examples with additional data from the APIs.
- Reworked the Twilio API integration example to use Twilio's sandbox servers and test phone numbers.
- Upgraded the Pinterest API example to use v5 calls instead of the broken v1.
- Reworked the Tumblr API integration example with additional data from the API.
- Added a properly working OAuth 1.0a integration for Tumblr.
- Removed sign-in by Snapchat due to increased difficulty for developers and a focus on hackathon participants.
- Removed Foursquare OAuth authorization and updated the API demo with new examples.
- Renamed Twitter to X (some of the backend and code still reference Twitter due to upstream dependencies, and the login button is using Twitter colors pending X addition to bootstrap-social).

Update/Upgrades:
- Dropped support for Node.js < 22 due to ESM module import issues prior to that version.
- Migrated from the unmaintained passport-linkedin-oauth2 to a passport-openidconnect strategy.
  - Added support and examples for openid-client.
- Migrated from the deprecated paypal-rest-sdk to an example without the SDK, providing OAuth calls depending on the page state.
- Migrated from the unmaintained bootstrap-social to a fork that can be easily patched and updated.
- Migrated eslint to v9 and its new config format (breaking change).
- Migrated Husky to v9 and its new config format (breaking change). Fixed Windows commit issue.
- Updated dependencies.
- Added temporary patch files for connect-flash and passport-openidconnect based on pending pull requests or issues on GitHub.

Other:
- Fixed a bug that prevented profile pictures from being displayed.
- Added authentication link/unlink options to the user profile page for all OAuth/Identity providers.
- Fixed typos, broken links, and minor formatting alignment issues on various pages.
- Fixed spelling errors in startup information displayed in the console.
- Refactored URL validation in unit tests for Gravatar generation to conform with CodeQL rules. Even though CodeQL does vulnerability checks, this is not a security issue since it is unit tests.
- Updated the placeholder main.js to use the current format (not deprecated JS).
- Updated the GitHub repo worker/runner configs to use proper permissions.
- Return exit code 1 if there is a database connection issue at startup.
- Added the --trace-deprecation flag to startup to provide better information on runtime deprecation warnings.
- Updated the .gitignore file to exclude the uploads path.
- Updated the copyright year.
- Updated documentation.
v8.0.0
- Security: Renamed the cookie and set the secure attribute for cookie transmission when HTTPS is present
- Security: Migrated off known deprecated, vulnerable or unmaintained dependencies
- Security: Added express rate limiter
- Added additional sanitization and validation for external inputs. Lusca provides input protection; the additional sanitization and validation add another layer of protection.
- Added patch-package for temporarily patching dependencies
- Temporary patch for passportjs to handle logout failures
- Temporary patch for passport-oauth2: better auth failure reporting
- Removed broken Instagram OAuth support as Meta no longer supports it
- Added handler for 404 (page not found) to avoid 500 errors when a route is not found
- Fixed unhandled error during logout
- Fixed pug tags with multiple attributes (thanks to @soundz77)
- Added lint-staged and Husky to lint all commits
- Fix req.logout for passport 0.6
- Fix broken unit test
- Update default gravatar
- Visual UI improvements
- Added GitHub Actions: NodeJS CI check unit test and lint
- Upgrade nodejs for docker
- Removed express-handlebars npm package as it was not used and is not that popular compared to pug (breaking change)
- Removed chalk npm package as it was not used (breaking change)
- Updated documentation
- Upgraded to mongoose 7 (breaking change)
- Upgraded to popper2
- Migrated from googleapis npm package to @googleapis/drive and @googleapis/sheets to reduce size and improve performance (breaking change)
- Migrated from passport-twitch-new to twitch-passport (breaking change)
- Migrated from lob to @lob/lob-typescript-sdk (breaking change)
- Migrated from deprecated node-sass to Dart Sass
- Migrated off passport-openid (breaking change)
- Migrated off nodemailer-sendgrid (breaking change)
- Migrated off passport-twitter and twitter-lite (breaking change)
- Migrated off node-quickbooks (breaking change)
- Updated dependencies
- Removed travis.yml

API example changes:
- Removed the Twitter API example as the APIs are actively changing and mostly not free (breaking change)
- Removed the Instagram API example as it was broken and Meta has significantly reduced the API scope and availability for devs
- Improved the Chartjs + AlphaVantage example to handle API failures
- Fix minor formatting issues and missing images
- Tumblr: fixed the Tumblr example and moved off tumblrjs (breaking change)
- Added missing parameters for Lob's new API requirements
- Improved the Last.fm API example as the artist image is no longer vended by last.fm
6.0.0
- Dropped support for NodeJS 8.x, due to its EOL
- Use HTML5 native client form validation (thanks to @peterblazejewicz)
- Fix navbar rendering issues when using themes (thanks to @peterblazejewicz)
- Fix button formatting issues when applying themes (thanks to @peterblazejewicz)
- Fixed drop-down menu to show correct formatting from the theme (thanks to @jonasroslund)
- Configured mongoose to use the new Server Discovery and Monitoring
- Fix validation bug in Twitter, Pinterest, and Twilio API examples
- Fix HERE icon in the API examples
- Fix minor issues in Stripe and Lob API examples
- Update dependencies
- Update documentation (thanks in part to @noftaly, @yanivm)
5.1.4 (May 14, 2019)
- Migrate from requestjs to axios (thanks to @FX-Wood)
- Enable page templates to add items to the HTML head element
- Fix bold font issue on Macs (thanks to @neighlyd)
- Use BASE_URL for GitHub
- Update min node engine to require Feb 2019 NodeJS security release
- Add Node.js 12 to the travis build
- Update dependencies
- Update documentation (thanks in part to @anubhavsrivastava, @Fullchee, @luckymurari)
5.1.3 (April 7, 2019)
- Update Steam API Integration
- Upgrade flatly theme files to 4.3.1
- Migrate from bcrypt-nodejs to bcrypt
- Use BASE_URL for twitter and facebook callbacks
- Add a ChartJS example in combination with Alpha Vantage API usage (thanks to @T-travis)
- Improve GitHub integration: use the user's private email address if there is no public email listed (thanks to @danielhunt)
- Improve the error handling for the NYT API Example
- Add lodash 4.7
- Fixed gender radio buttons spacing
- Fixed alignment issue for login / sign in buttons at certain screen widths (thanks to @eric-sciberras)
- Remove Mozilla Persona information from README since it has been deprecated
- Remove utils
- Remove GSDK since it does not support Bootstrap 4 (thanks to @laurenquinn5924)
- Add additional tests to cover some of the API examples
- Add prod-checklist.md
- Update dependencies
- Update documentation (thanks in part to @GregBrimble)