feat: v1.0.7 — Security middleware, Express parity, 97%+ API compatibility #26

Merged
ShayanHussainSB merged 33 commits into main from feat/phase3-security
Mar 10, 2026

@ShayanHussainSB
Member

Summary

The biggest release since 1.0. This PR ships three security middleware, a complete Express API parity rewrite, and brings bunWay to 97%+ Express 4.x compatibility — verified by 1,662 tests with zero failures.

What's in this PR

29 commits across 44 files — 5,202 lines added, 431 removed.


Security & Protection Middleware (3 new)

timeout(ms, options?) — Request Timeout

  • Configurable timeout with automatic 408 response
  • req.timedout boolean flag for async handler awareness
  • skip function to exempt specific requests (e.g., file uploads)
  • respond: false mode for manual timeout handling
  • Express connect-timeout compatible

hpp(options?) — HTTP Parameter Pollution Protection

  • Sanitizes duplicate query/body parameters (picks last value)
  • whitelist option to allow arrays for specific params
  • Stores original polluted values in req.queryPolluted
  • Express hpp package compatible

validate(schema, options?) — Request Validation

  • Declarative schema for body, query, and params
  • 10+ built-in validators: required, isEmail, isInt, isLength, matches, isIn, isURL, isUUID, isISO8601, custom
  • Async custom validators supported
  • Configurable abortEarly, statusCode, errorFormatter, onError
  • Express express-validator compatible patterns

Express Parity (15 improvements)

Content Negotiation — RFC 7231 Compliant

  • req.accepts() — rewritten with quality-value parsing (replaces substring matching)
  • req.acceptsCharsets(), req.acceptsEncodings(), req.acceptsLanguages() — full quality-value support with language range matching (en matches en-US)
  • req.is() — proper MIME type matching with wildcard support (text/*, */json)
  • New src/utils/content-negotiation.ts engine — replaces the accepts + type-is npm packages

Response Enhancements

  • res.send() auto-detection — string→text/html, object→application/json, buffer→application/octet-stream (Express behavior)
  • res.send() and res.json() now return this for chaining
  • res.sendFile() callback: res.sendFile(path, [options], callback)
  • res.sendFile() extended options: lastModified, cacheControl, immutable, acceptRanges
  • res.download() callback: res.download(path, [filename], [options], callback)
  • res.attachment() Content-Type — auto-detects from filename extension
  • res.end() encoding + callback: res.end(data, encoding, callback)

Routing Enhancements

  • Regex route support: app.get(/\/users\/(?<id>\d+)/, handler) with named capture groups
  • Catch-all * routes: app.all("*", handler) normalized to match all paths
  • app.mountpath — property set when sub-app is mounted
  • app.path() — returns canonical path for nested mounts

Request Enhancements

  • req.param('name') — now checks params → body → query (Express parity)

Testing

Metric | Before | After
Tests | 1,386 | 1,662
Assertions | 3,155 | 3,653
Test files | 72 | 91
Failures | 0 | 0

276 new tests across:

  • 19 new test files (unit, integration, acceptance, Express compat)
  • Edge case coverage: malformed headers, empty bodies, unknown extensions, error callbacks
  • Express compatibility tests verifying behavioral parity

New test files

  • tests/unit/utils/content-negotiation.spec.ts — 30 tests for RFC 7231 parsing
  • tests/unit/core/request-negotiation.spec.ts — 17 tests for accepts/is/param
  • tests/unit/core/response-send.spec.ts — 15 tests for send auto-detect + chaining
  • tests/unit/core/response-sendfile.spec.ts — 16 tests for sendFile/download/attachment
  • tests/unit/core/router-regex.spec.ts — 44 tests for regex routes + catch-all
  • tests/unit/core/app-mountpath.spec.ts — 4 tests for mountpath/path()
  • tests/unit/middleware/timeout.spec.ts — 12 tests
  • tests/unit/middleware/hpp.spec.ts — 12 tests
  • tests/unit/middleware/validation.spec.ts — 30 tests
  • tests/integration/middleware/timeout.test.ts — HTTP round-trip timeout tests
  • tests/integration/middleware/hpp.test.ts — HTTP round-trip HPP tests
  • tests/integration/middleware/validation.test.ts — HTTP round-trip validation tests
  • tests/integration/response/send-autodetect.test.ts — Content-Type auto-detection
  • tests/integration/routing/regex-routes.test.ts — Regex route matching
  • tests/acceptance/phase3.spec.ts — End-to-end security middleware
  • tests/express-compat/phase3.spec.ts — Express behavior parity (middleware)
  • tests/express-compat/phase4.spec.ts — Express behavior parity (API surface)

Documentation

  • 3 new middleware guides: timeout, hpp, validation (with examples, options tables, integration patterns)
  • Express migration guide updated with all new API comparisons
  • README rewritten — full Express parity tables, 19-middleware showcase, marketing copy
  • npm README rewritten (src/README.md) — before/after import, feature showcase
  • CHANGELOG consolidated — single 1.0.7 entry covering all changes
  • llms.txt / llms-full.txt updated for AI discoverability
  • overview.md updated with mountpath, sub-app mounting

Version Bump

  • package.json: 1.0.6 → 1.0.7
  • VERSION: 1.0.6 → 1.0.7
  • package.json description updated: "97%+ Express parity"
  • All 6 contributors added to package.json

Files Changed (44)

Source (8 files)

  • src/core/request.ts — rewritten accepts/is/param with content negotiation
  • src/core/response.ts — send auto-detect, json chaining, sendFile callback/options, download callback, attachment Content-Type, end encoding
  • src/core/router.ts — regex routes, catch-all * normalization
  • src/core/fast-matcher.ts — regex route matching
  • src/core/app.ts — mountpath, path()
  • src/index.ts — export timeout, hpp, validate
  • src/types.ts — SendFileOptions extended
  • src/utils/content-negotiation.ts: NEW RFC 7231 engine

Middleware (3 new files)

  • src/middleware/timeout.ts
  • src/middleware/hpp.ts
  • src/middleware/validation.ts

Tests (19 new + 3 modified)

  • See testing section above

Documentation (11 files)

  • README.md, src/README.md, CHANGELOG.md, package.json, VERSION
  • docs/guide/express-migration.md, overview.md
  • docs/guide/middleware/timeout.md, hpp.md, validation.md
  • docs/public/llms.txt, llms-full.txt, docs/.vitepress/config.ts

Test plan

  • bun test — all 1,662 tests pass, 0 failures
  • Manual verification of all Express parity checklist items (content negotiation, send auto-detect, regex routes, mountpath, sendFile options, download callback, attachment)
  • Cache-Control edge case fix verified (cacheControl=true without maxAge defaults to max-age=0)
  • No regressions in existing test suite
  • All commits authored by tanv33
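
The hpp behaviour listed in the summary above (last value wins, whitelist keeps arrays, originals kept in req.queryPolluted), as an added example that is not part of the PR and is not bunWay's own code. The helper names parseQuery, sanitize and hppSketch and the sample query string are constructed for illustration.

```javascript
// Added illustration of the hpp behaviour listed in the PR summary.
// Not bunWay's src/middleware/hpp.ts; all function names are hypothetical.

// Express-style query parse: a repeated key becomes an array of values.
function parseQuery(qs) {
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const [key, value] of new URLSearchParams(qs)) {
    out[key] = key in out ? [].concat(out[key], value) : value;
  }
  return out;
}

// Collapse duplicated parameters to their last value unless whitelisted.
function sanitize(params, whitelist = []) {
  const clean = Object.create(null);
  const polluted = Object.create(null);
  for (const key of Object.keys(params)) {
    const value = params[key];
    if (Array.isArray(value) && !whitelist.includes(key)) {
      polluted[key] = value;                // original values, kept for logging
      clean[key] = value[value.length - 1]; // last value wins
    } else {
      clean[key] = value;
    }
  }
  return { clean, polluted };
}

// Middleware wrapper with the (req, res, next) shape Express-style apps use.
function hppSketch(options = {}) {
  return (req, res, next) => {
    const { clean, polluted } = sanitize(req.query, options.whitelist);
    req.query = clean;
    req.queryPolluted = polluted;
    next();
  };
}

// Constructed request: "role" is duplicated, "tag" is a legitimate multi-value.
function demo() {
  const req = { query: parseQuery("role=user&role=admin&tag=a&tag=b&id=7") };
  hppSketch({ whitelist: ["tag"] })(req, {}, () => {});
  return req;
}

console.log(JSON.stringify(demo()));
```

Handlers that assume a string (for example calling .trim() on req.query.role) no longer receive an array, and a non-empty req.queryPolluted is a useful signal to log.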

Tanv33 added 30 commits March 9, 2026 15:56
…ngs/Languages, chaining, download callback, attachment, and end encoding
@vercel

vercel bot commented Mar 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
bunway Ready Ready Preview, Comment Mar 10, 2026 3:23pm

ShayanHussainSB added the documentation and enhancement labels Mar 10, 2026
ShayanHussainSB merged commit 2235cc9 into main Mar 10, 2026
8 checks passed
ShayanHussainSB deleted the feat/phase3-security branch March 10, 2026 15:25