Releases: hapijs/yar
v10.1.1
Hapi 17 and Async/Await
Yar v9 is an update to support Hapi 17. If you are using an older version of Hapi please continue to use v8 of Yar.
Work better with typescript
v8.1.2 8.1.2
Update dependencies
I'm update the node-uuid module, which was deprecated, to uuid, which is the successor. I'm also bumping the code dev dependency while I'm in here.
Custom session ids
Thanks to @sirgallifrey for adding the ability to add custom session ids via a session id generator function.
v8.0.0
I added 'isSameSite' to the default cookie options. This corresponds to a recent change in statehood that added this functionality, and set the default to 'Strict'. This causes problems with session cookies in Chrome. Our new default is 'Lax', which should work for most folks just fine. You can also disable the feature entirely by setting isSameSite to false.
** NOTE ** This version requires an update to Hapi version > 14.
Insist on a specific node-uuid version
Node-uuid version 1.4.4 and previous had a security issue (minor). I'm specifying a specific, later version to avoid the potential for hitting this issue.
Updating dependencies and testing Node 6
The module didn't change. I just updated the list of dependencies to bring everything up to date, specifically lab, and changed the travis configuration so that we start testing with Node 6.
Requiring longer passwords
Starting with Hapi 13 and Statehood 4 the password requirement for Iron encrypted cookies is now a minimum of 32 characters. The intention of increasing the size requirement is to make brute force guessing of your cookie password harder. Please update your app configuration to include a longer password if it is not already 32 characters long, or your server will not start.
Moving data and adding skip option
Due to changes in Hapi, I am moving the data storage from request.session to request.yar. This will be more future proof, but will necessitate some code changes for those upgrading from v5 or earlier. I apologize for the inconvenience, but that is why this is a major version change.
This also includes a new route level configuration option that allows you to disable yar on a route by route basis. This let's you avoid any processing from yar on routes that don't need sessions, making your application more responsive. See the docs for more info.