🔒 Security Enhancements
This patch release includes all security enhancements from v2.3.0, resolving the npm publishing conflict.
JWT Validation
- Advanced replay protection with self-signed token reusability
- Consistent `strictValidation` behavior: issuer/audience validation is properly controlled by the flag
- Race condition mitigation in concurrent token verification
- Separate tracking for reusable vs. single-use tokens
Path Traversal Defense
- Iterative URL decoding (up to 5 passes) to catch sophisticated attacks
- Double-encoded path detection: `%252e%252e%252f` → `%2e%2e%2f` → `../`
- Malformed encoding handling: treated as an attack indicator
- Critical violations always throw regardless of configuration
Defense-in-Depth Architecture
- Path traversal violations always throw, even with `throwOnInvalid=false`
- Object depth limit violations always throw to prevent DoS
- Enhanced security monitoring with blocked attempt tracking
- Comprehensive audit event logging
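The following is an added illustration, not code from `@devilsdev/rag-pipeline-utils`, of how the decode-and-detect behaviour listed under "Path Traversal Defense" and "Defense-in-Depth Architecture" fits together: percent-decoding is repeated up to 5 passes, a `..` segment that only appears after two or more passes is flagged as double-encoded, a malformed percent sequence is itself a violation, critical violations throw even when `throwOnInvalid` is `false`, and blocked attempts are counted and logged. Every identifier below (`PathGuard`, `PathTraversalError`, `MAX_DECODE_PASSES`, the violation names) is an assumption made for this example.

```javascript
// Added example, not the project's own code. All names here are assumptions.

const MAX_DECODE_PASSES = 5;

// Violations that throw regardless of the throwOnInvalid setting.
const CRITICAL = new Set(['traversal', 'double-encoded', 'malformed-encoding']);

class PathTraversalError extends Error {
  constructor(input, violations) {
    super(`path rejected: ${violations.join(', ')}`);
    this.name = 'PathTraversalError';
    this.input = input;
    this.violations = violations;
  }
}

// Percent-decode repeatedly until the string stops changing or the pass
// limit is reached. decodeURIComponent throws URIError on malformed
// sequences such as "%2" or "%zz"; that is recorded, not swallowed.
function iterativeDecode(input, maxPasses = MAX_DECODE_PASSES) {
  let current = input;
  let passes = 0;
  let malformed = false;
  while (passes < maxPasses) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      if (!(err instanceof URIError)) throw err;
      malformed = true;
      break;
    }
    if (next === current) break; // fully decoded
    current = next;
    passes += 1;
  }
  return { decoded: current, passes, malformed };
}

// Matches a ".." path segment with either separator, e.g. "../" or "\..\".
const DOT_DOT_SEGMENT = /(^|[\\/])\.\.(?=[\\/]|$)/;

class PathGuard {
  constructor({ throwOnInvalid = true } = {}) {
    this.throwOnInvalid = throwOnInvalid;
    this.blocked = 0;   // blocked-attempt counter for monitoring
    this.auditLog = []; // one audit entry per inspected path
  }

  inspect(input) {
    const { decoded, passes, malformed } = iterativeDecode(input);
    const violations = [];
    if (malformed) violations.push('malformed-encoding');
    if (DOT_DOT_SEGMENT.test(decoded)) {
      violations.push('traversal');
      // ".." only surfaced after two or more decode passes: double-encoded.
      if (passes >= 2) violations.push('double-encoded');
    }
    // Still percent-encoded after the pass limit: suspicious, but treated as
    // non-critical here so the throwOnInvalid distinction is visible.
    if (passes === MAX_DECODE_PASSES && /%[0-9a-fA-F]{2}/.test(decoded)) {
      violations.push('residual-encoding');
    }

    const result = { input, decoded, passes, violations, valid: violations.length === 0 };
    this.auditLog.push({ ...result, at: new Date().toISOString() });
    if (!result.valid) this.blocked += 1;

    const critical = violations.some((v) => CRITICAL.has(v));
    if (!result.valid && (critical || this.throwOnInvalid)) {
      throw new PathTraversalError(input, violations);
    }
    return result;
  }
}

// Usage: a guard configured with throwOnInvalid=false still throws on the
// critical cases, and only returns a failed result for non-critical ones.
const guard = new PathGuard({ throwOnInvalid: false });
try {
  guard.inspect('%252e%252e%252f'); // decodes to "../" after two passes
} catch (err) {
  console.log(err.message); // path rejected: traversal, double-encoded
}
console.log(guard.inspect('docs/readme.md').valid); // true
```

The pass counter, not the decoded string alone, is what distinguishes a plainly encoded `..%2f` (one pass, `traversal`) from `%252e%252e%252f` (two passes, `traversal` plus `double-encoded`), so the audit entries carry enough detail to tell the two apart when reviewing blocked attempts.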
📚 Documentation Updates
- Updated version references throughout README.md
- Corrected roadmap timelines to reflect 2026 targets
- Added v2.3.1 changelog entry
- Updated PROJECT_ROADMAP with realistic feature targets
✅ Quality Metrics
- 113 security tests passing across 2 dedicated security suites
- Zero production vulnerabilities (`npm audit --production`)
- All CI workflows passing (lint, test, build, security)
- 100% backward compatible with v2.3.0
📦 Installation
```bash
npm install @devilsdev/rag-pipeline-utils@2.3.1
```
🤖 Generated with Claude Code