Skip to content

v0.3.0 — self-contained runtime protection

Choose a tag to compare

@devlob devlob released this 13 Jul 14:39
418bf0b

Runtime protection is now built into connect

@patchstack/connect now ships an always-on runtime guard — no separate package, no user code changes.

What's new

  • Vendored the node-waf engine into connect. The real Patchstack WAF rule engine (RuleEngine + rule client + fetch/node adapters) now ships inside this package, exposed as @patchstack/connect/protect. One self-contained install; no peer dependency on @patchstack/node-waf.
  • patchstack-connect protect wires the always-on guard into a TanStack Start + Supabase app. It tunnels the app's Supabase traffic through an in-app guard route (/_patchstack/guard) that inspects payloads before they reach Supabase — zero changes to the user's own code.
  • Always-on by default. The guard blocks matching exploit traffic out of the box. Set PATCHSTACK_MODE=dry-run for log-only.
  • Rules from the Patchstack API (PATCHSTACK_WAF_TOKEN), cached last-known-good, with a bundled fallback rule until a token is configured.
  • SSRF-hardened: the guard only forwards to the configured SUPABASE_URL origin.

Compatibility

  • scan, mark-build, init, status unchanged.
  • New subpath export @patchstack/connect/protect (ESM + CJS).

Requires Node >= 18.