v0.3.0 — self-contained runtime protection
Runtime protection is now built into connect
@patchstack/connect now ships an always-on runtime guard — no separate package, no user code changes.
What's new
- Vendored the node-waf engine into connect. The real Patchstack WAF rule engine (RuleEngine + rule client + fetch/node adapters) now ships inside this package, exposed as
@patchstack/connect/protect. One self-contained install; no peer dependency on@patchstack/node-waf. patchstack-connect protectwires the always-on guard into a TanStack Start + Supabase app. It tunnels the app's Supabase traffic through an in-app guard route (/_patchstack/guard) that inspects payloads before they reach Supabase — zero changes to the user's own code.- Always-on by default. The guard blocks matching exploit traffic out of the box. Set
PATCHSTACK_MODE=dry-runfor log-only. - Rules from the Patchstack API (
PATCHSTACK_WAF_TOKEN), cached last-known-good, with a bundled fallback rule until a token is configured. - SSRF-hardened: the guard only forwards to the configured
SUPABASE_URLorigin.
Compatibility
scan,mark-build,init,statusunchanged.- New subpath export
@patchstack/connect/protect(ESM + CJS).
Requires Node >= 18.