Releases: devAlphaSystem/NLcURL
Releases · devAlphaSystem/NLcURL
Release list
v0.7.0
Added
- Implemented HTTP response caching following RFC 9111 specifications.
- Added support for HTTP Strict Transport Security (HSTS) policy enforcement.
- Implemented DNS-over-HTTPS (DoH) and HTTPS Resource Record (HTTPS-RR) resolution.
- Added support for Encrypted Client Hello (ECH) to enhance TLS privacy.
- Implemented TLS session ticket caching for session resumption.
- Added certificate public key pinning support via SHA-256 hashes.
- Implemented Alt-Svc support for automatic HTTP/3 discovery.
- Added initial support for the HTTP/3 protocol and QUIC detection.
- Added automatic proxy resolution from standard environment variables like HTTP_PROXY and NO_PROXY.
- Implemented Server-Sent Events (SSE) parsing and stream consumption.
- Added support for WebSocket per-message compression via the permessage-deflate extension.
- Added upload and download progress callbacks for monitoring data transfer.
- Enabled support for multiple Content-Encoding layers and added decompression protection.
- Added TLS 1.2 support to the stealth TLS engine.
- Added support for secure HTTPS proxies.
Changed
- Migrated cookie storage to a least-recently-used (LRU) eviction policy.
- Enhanced cookie domain validation to support IP addresses.
- Improved HTTP header validation compliance with RFC 7230 control character restrictions.
- Updated the Public Suffix List database.
Fixed
- Fixed potential errors in rate limiter token replenishment logic.
- Fixed SOCKS5 authentication response parsing for improved proxy reliability.
v0.6.0
Added
- Added a FormData class to support multipart/form-data uploads.
- Added support for mTLS client certificates and custom CA trust configuration.
- Added support for ReadableStream upload bodies.
- Added cookie security enforcement using the Mozilla Public Suffix List and cookie prefix validation.
- Added RFC 7230 compliant header validation to prevent HTTP injection attacks.
- Added security hardening for HTTP/2 HPACK decompression and WebSocket frame validation.
Changed
- Changed default cookie behavior to SameSite=Lax.
- Updated CookieJar to support configurable limits and preserve HttpOnly flags.
- Improved request retry logic with expanded HTTP/2 error coverage and capped exponential backoff.
- Hardened SOCKS5 and HTTP CONNECT proxy implementations with stricter field validation.
Fixed
- Fixed an issue where the HttpOnly attribute was lost during Netscape cookie jar exports.
v0.5.0
Added
- Implemented Happy Eyeballs (RFC 8305) for automatic dual-stack TCP connection establishment, significantly improving connection reliability and performance.
- Added comprehensive unit tests for Happy Eyeballs connection logic.
- Introduced
firstBytetiming metric for HTTP/2 responses.
Changed
- Revised default
Content-Typeheader behavior for request bodies: string bodies now default totext/plain; charset=utf-8,URLSearchParamstoapplication/x-www-form-urlencoded, and buffer/stream bodies no longer have a defaultContent-Type. - Updated API and documentation for the
dnsFamilyoption, now pinning the Happy Eyeballs resolver to a specific address family instead of restricting the OS resolver. - Refactored connection logic to support Happy Eyeballs, including separate TCP and TLS timeouts, and recording DNS resolution time.
Fixed
- Improved HTTP/2 client resource cleanup by clearing stream-related maps on timeouts, connection closure, and protocol errors.
- Corrected HTTP/2 stream receive window update logic.
- Added validation to prevent invalid index
0access during HPACK decoding. - Implemented timeout and improved error handling for SOCKS proxy read operations.
- Added timeout handling for WebSocket upgrade handshakes.
v0.4.0
Added
- Introduced robust input validation for all public API configurations and requests, enhancing overall reliability and security.
- Implemented a new, flexible logging system with configurable levels and support for child loggers, improving diagnostics.
- Integrated Prettier for consistent code formatting and added "format" and "format:check" scripts.
Changed
- Updated NLcURLSession and core request functions to accept a Logger instance for granular, request-scoped diagnostics.
- Enhanced HTTP/2 client's connection management, including a transparent retry mechanism for graceful GOAWAY shutdowns.
- Refined HTTP/1.1 and HTTP/2 header processing to ensure request-specific headers correctly override session-wide defaults.
Fixed
- Addressed a critical security vulnerability by implementing strict size limits and integer overflow checks in HTTP/2 HPACK decoding, frame parsing, and internal buffer writing.
- Resolved an issue where AbortSignal listeners were not always correctly detached, preventing potential resource leaks.
- Corrected the rawHeaders property in HTTP/1.1 responses to preserve original header casing, improving fidelity.
- Ensured proper stripping of Content-Type and Content-Length headers during HTTP redirects (e.g., 301/302 for POST requests).
- Patched a cryptographic vulnerability in hkdfExpandLabel and deriveSecret functions for TLS 1.3 key schedule calculations.
- Corrected an incorrect PONG opcode value in WebSocket frame encoding.
- Fixed import for generateKeyPairSync in TLS client hello generation.
- Ensured WebSocketClient "state" and "protocol" properties are public as intended.
v0.3.1
Changed
- Updated ALPN protocol negotiation to dynamically set default values based on HTTP version.
- Refined TLS connection timeout handling to prioritize specific configurations.
- Extended default retry mechanism to include TLS-related errors.
Fixed
- Improved error messages for TLS and TCP connection failures.
v0.3.0
Added
- New comprehensive usage examples documentation for both package API and CLI.
- Ability to directly provide a CookieJar instance to cookieJar options for flexible cookie management.
Changed
- NLcURLResponse.rawHeaders now preserves the original casing of header names as received over the wire.
- HTTP/2 client now ensures request-level headers take precedence over any default profile headers.
- HTTP/2 streaming responses (from streamRequest) now resolve immediately when the server sends HEADERS with END_STREAM, including empty-body responses like 204 No Content.
- Redirect following logic strictly implements RFC 7231 semantics: 307/308 redirects preserve method and body, while 301/302 POST and 303 redirects correctly strip content headers.
- Default Content-Type for plain object request bodies now automatically set to application/json if not explicitly specified.
- Improved handling of HTTP/2 GOAWAY frames, ensuring that streams with IDs less than or equal to lastStreamId can complete, and the connection closure (onClose) is deferred until all covered streams are finalized.
- The Protocol Negotiator now transparently retries a request once on a graceful HTTP/2 GOAWAY (error code 0).
- The TLS 1.3 key schedule implementation has been revised for precise RFC 8446 compliance in HKDF-Expand operations.
- WebSocket client immediately processes any buffered frames from the transport stream after the HTTP upgrade.
- Updated documentation to include detailed explanations for body serialization, redirect behavior, and request timing (NLcURLResponse.timings) fields.
Removed
- Removed outdated "Known Workstreams" section from the onboarding documentation.
Fixed
- Ensured AbortSignal event listeners are properly cleaned up to prevent potential resource leaks during request abortion.
- Resolved an issue where createHash utility was not correctly re-exported, impacting ESM environments.
- Corrected HPACK decoder's integer prefix handling, improving dynamic table updates and header roundtripping reliability.
v0.2.0
Added
- Implemented streaming response bodies for both HTTP/1.1 and HTTP/2, allowing consumption of large payloads with automatic decompression via a Readable stream.
- Introduced an automatic request retry mechanism in NLcURLSession, which handles connection errors, timeouts, specific HTTP status codes (429, 503), and retryable HTTP/2 RST_STREAM protocol errors.
- Added an option to configure the DNS resolution family (IPv4 or IPv6) for connections, including proxy and TLS engines.
- Integrated full RFC 9113 bidirectional flow control into the HTTP/2 client, supporting connection and stream-level send/receive windows, PADDED frames, and CONTINUATION frames.
- Enabled CLI
--cookie-jarflag to persist cookies to/from a Netscape-format file. - Added support for HTTP CONNECT and SOCKS4/5 proxy tunneling.
- Introduced
NLcURLResponse.getAll(name)to retrieve all raw values for a given response header, preserving multipleSet-Cookieentries. - Implemented TLS 1.3 certificate chain validation, hostname matching, and
CertificateVerifysignature verification in the stealth TLS engine. - Enabled HPACK Huffman encoding by default for all outgoing HTTP/2 header blocks, improving compression efficiency.
- Upgraded
@types/nodeandundici-typesdependencies.
Changed
- Modified
NLcURLResponse.text()andNLcURLResponse.json()methods to throw an error when called on a streaming response, directing users to consume theresponse.bodystream instead. - Improved
CookieJarto correctly handle and preserve multipleSet-Cookieheaders from responses viarawHeaders, and updated internal parsing to use semicolon-space for joinedSet-Cookieheaders.
Fixed
- Resolved previously documented functional gaps for proxy support, retry middleware integration, and CLI cookie persistence, which are now fully implemented and operational.
v0.1.0 — Initial Release
Initial public release.
What is NLcURL?
A pure TypeScript HTTP client that impersonates real browser TLS fingerprints at the byte level — JA3/JA3N, Akamai HTTP/2 — enabling requests that pass bot-detection systems. Built entirely on Node.js built-in modules with zero runtime dependencies.
Features
- Browser impersonation — Chrome, Firefox, Safari, Edge, and Tor profiles (15+ versions each)
- Dual TLS engine — Standard (
node:tls) and Stealth (raw byte-level ClientHello construction) - HTTP/1.1 and HTTP/2 — Full protocol support with HPACK header compression and Akamai H2 fingerprinting
- Connection pooling — Per-origin keep-alive reuse
- Cookie jar — RFC 6265 compliant, automatic per-session handling
- Proxy support — HTTP CONNECT and SOCKS4/5 tunneling
- Middleware — Request/response interceptors, configurable retry with exponential backoff, rate limiting
- WebSocket — RFC 6455 with TLS impersonation on the upgrade handshake
- CLI — curl-like command-line interface (
nlcurl <url> --impersonate chrome136) - Zstd decompression — Native on Node.js ≥ 22; graceful fallback on Node.js 18–21
Requirements
- Node.js ≥ 18.17.0
Installation
npm install nlcurlNotes
- This is an initial release — APIs may evolve before v1.0.0.
- Profiles tested against real browser captures; impersonation quality may vary by target.