Skip to content

Releases: devAlphaSystem/NLcURL

v0.7.0

Choose a tag to compare

@devAlphaSystem devAlphaSystem released this 08 Mar 17:44

Added

  • Implemented HTTP response caching following RFC 9111 specifications.
  • Added support for HTTP Strict Transport Security (HSTS) policy enforcement.
  • Implemented DNS-over-HTTPS (DoH) and HTTPS Resource Record (HTTPS-RR) resolution.
  • Added support for Encrypted Client Hello (ECH) to enhance TLS privacy.
  • Implemented TLS session ticket caching for session resumption.
  • Added certificate public key pinning support via SHA-256 hashes.
  • Implemented Alt-Svc support for automatic HTTP/3 discovery.
  • Added initial support for the HTTP/3 protocol and QUIC detection.
  • Added automatic proxy resolution from standard environment variables like HTTP_PROXY and NO_PROXY.
  • Implemented Server-Sent Events (SSE) parsing and stream consumption.
  • Added support for WebSocket per-message compression via the permessage-deflate extension.
  • Added upload and download progress callbacks for monitoring data transfer.
  • Enabled support for multiple Content-Encoding layers and added decompression protection.
  • Added TLS 1.2 support to the stealth TLS engine.
  • Added support for secure HTTPS proxies.

Changed

  • Migrated cookie storage to a least-recently-used (LRU) eviction policy.
  • Enhanced cookie domain validation to support IP addresses.
  • Improved HTTP header validation compliance with RFC 7230 control character restrictions.
  • Updated the Public Suffix List database.

Fixed

  • Fixed potential errors in rate limiter token replenishment logic.
  • Fixed SOCKS5 authentication response parsing for improved proxy reliability.

v0.6.0

Choose a tag to compare

@devAlphaSystem devAlphaSystem released this 07 Mar 12:41

Added

  • Added a FormData class to support multipart/form-data uploads.
  • Added support for mTLS client certificates and custom CA trust configuration.
  • Added support for ReadableStream upload bodies.
  • Added cookie security enforcement using the Mozilla Public Suffix List and cookie prefix validation.
  • Added RFC 7230 compliant header validation to prevent HTTP injection attacks.
  • Added security hardening for HTTP/2 HPACK decompression and WebSocket frame validation.

Changed

  • Changed default cookie behavior to SameSite=Lax.
  • Updated CookieJar to support configurable limits and preserve HttpOnly flags.
  • Improved request retry logic with expanded HTTP/2 error coverage and capped exponential backoff.
  • Hardened SOCKS5 and HTTP CONNECT proxy implementations with stricter field validation.

Fixed

  • Fixed an issue where the HttpOnly attribute was lost during Netscape cookie jar exports.

v0.5.0

Choose a tag to compare

@devAlphaSystem devAlphaSystem released this 06 Mar 19:56

Added

  • Implemented Happy Eyeballs (RFC 8305) for automatic dual-stack TCP connection establishment, significantly improving connection reliability and performance.
  • Added comprehensive unit tests for Happy Eyeballs connection logic.
  • Introduced firstByte timing metric for HTTP/2 responses.

Changed

  • Revised default Content-Type header behavior for request bodies: string bodies now default to text/plain; charset=utf-8, URLSearchParams to application/x-www-form-urlencoded, and buffer/stream bodies no longer have a default Content-Type.
  • Updated API and documentation for the dnsFamily option, now pinning the Happy Eyeballs resolver to a specific address family instead of restricting the OS resolver.
  • Refactored connection logic to support Happy Eyeballs, including separate TCP and TLS timeouts, and recording DNS resolution time.

Fixed

  • Improved HTTP/2 client resource cleanup by clearing stream-related maps on timeouts, connection closure, and protocol errors.
  • Corrected HTTP/2 stream receive window update logic.
  • Added validation to prevent invalid index 0 access during HPACK decoding.
  • Implemented timeout and improved error handling for SOCKS proxy read operations.
  • Added timeout handling for WebSocket upgrade handshakes.

v0.4.0

Choose a tag to compare

@devAlphaSystem devAlphaSystem released this 04 Mar 16:43

Added

  • Introduced robust input validation for all public API configurations and requests, enhancing overall reliability and security.
  • Implemented a new, flexible logging system with configurable levels and support for child loggers, improving diagnostics.
  • Integrated Prettier for consistent code formatting and added "format" and "format:check" scripts.

Changed

  • Updated NLcURLSession and core request functions to accept a Logger instance for granular, request-scoped diagnostics.
  • Enhanced HTTP/2 client's connection management, including a transparent retry mechanism for graceful GOAWAY shutdowns.
  • Refined HTTP/1.1 and HTTP/2 header processing to ensure request-specific headers correctly override session-wide defaults.

Fixed

  • Addressed a critical security vulnerability by implementing strict size limits and integer overflow checks in HTTP/2 HPACK decoding, frame parsing, and internal buffer writing.
  • Resolved an issue where AbortSignal listeners were not always correctly detached, preventing potential resource leaks.
  • Corrected the rawHeaders property in HTTP/1.1 responses to preserve original header casing, improving fidelity.
  • Ensured proper stripping of Content-Type and Content-Length headers during HTTP redirects (e.g., 301/302 for POST requests).
  • Patched a cryptographic vulnerability in hkdfExpandLabel and deriveSecret functions for TLS 1.3 key schedule calculations.
  • Corrected an incorrect PONG opcode value in WebSocket frame encoding.
  • Fixed import for generateKeyPairSync in TLS client hello generation.
  • Ensured WebSocketClient "state" and "protocol" properties are public as intended.

v0.3.1

Choose a tag to compare

@devAlphaSystem devAlphaSystem released this 03 Mar 09:49

Changed

  • Updated ALPN protocol negotiation to dynamically set default values based on HTTP version.
  • Refined TLS connection timeout handling to prioritize specific configurations.
  • Extended default retry mechanism to include TLS-related errors.

Fixed

  • Improved error messages for TLS and TCP connection failures.

v0.3.0

Choose a tag to compare

@devAlphaSystem devAlphaSystem released this 02 Mar 20:58

Added

  • New comprehensive usage examples documentation for both package API and CLI.
  • Ability to directly provide a CookieJar instance to cookieJar options for flexible cookie management.

Changed

  • NLcURLResponse.rawHeaders now preserves the original casing of header names as received over the wire.
  • HTTP/2 client now ensures request-level headers take precedence over any default profile headers.
  • HTTP/2 streaming responses (from streamRequest) now resolve immediately when the server sends HEADERS with END_STREAM, including empty-body responses like 204 No Content.
  • Redirect following logic strictly implements RFC 7231 semantics: 307/308 redirects preserve method and body, while 301/302 POST and 303 redirects correctly strip content headers.
  • Default Content-Type for plain object request bodies now automatically set to application/json if not explicitly specified.
  • Improved handling of HTTP/2 GOAWAY frames, ensuring that streams with IDs less than or equal to lastStreamId can complete, and the connection closure (onClose) is deferred until all covered streams are finalized.
  • The Protocol Negotiator now transparently retries a request once on a graceful HTTP/2 GOAWAY (error code 0).
  • The TLS 1.3 key schedule implementation has been revised for precise RFC 8446 compliance in HKDF-Expand operations.
  • WebSocket client immediately processes any buffered frames from the transport stream after the HTTP upgrade.
  • Updated documentation to include detailed explanations for body serialization, redirect behavior, and request timing (NLcURLResponse.timings) fields.

Removed

  • Removed outdated "Known Workstreams" section from the onboarding documentation.

Fixed

  • Ensured AbortSignal event listeners are properly cleaned up to prevent potential resource leaks during request abortion.
  • Resolved an issue where createHash utility was not correctly re-exported, impacting ESM environments.
  • Corrected HPACK decoder's integer prefix handling, improving dynamic table updates and header roundtripping reliability.

v0.2.0

Choose a tag to compare

@devAlphaSystem devAlphaSystem released this 02 Mar 12:49

Added

  • Implemented streaming response bodies for both HTTP/1.1 and HTTP/2, allowing consumption of large payloads with automatic decompression via a Readable stream.
  • Introduced an automatic request retry mechanism in NLcURLSession, which handles connection errors, timeouts, specific HTTP status codes (429, 503), and retryable HTTP/2 RST_STREAM protocol errors.
  • Added an option to configure the DNS resolution family (IPv4 or IPv6) for connections, including proxy and TLS engines.
  • Integrated full RFC 9113 bidirectional flow control into the HTTP/2 client, supporting connection and stream-level send/receive windows, PADDED frames, and CONTINUATION frames.
  • Enabled CLI --cookie-jar flag to persist cookies to/from a Netscape-format file.
  • Added support for HTTP CONNECT and SOCKS4/5 proxy tunneling.
  • Introduced NLcURLResponse.getAll(name) to retrieve all raw values for a given response header, preserving multiple Set-Cookie entries.
  • Implemented TLS 1.3 certificate chain validation, hostname matching, and CertificateVerify signature verification in the stealth TLS engine.
  • Enabled HPACK Huffman encoding by default for all outgoing HTTP/2 header blocks, improving compression efficiency.
  • Upgraded @types/node and undici-types dependencies.

Changed

  • Modified NLcURLResponse.text() and NLcURLResponse.json() methods to throw an error when called on a streaming response, directing users to consume the response.body stream instead.
  • Improved CookieJar to correctly handle and preserve multiple Set-Cookie headers from responses via rawHeaders, and updated internal parsing to use semicolon-space for joined Set-Cookie headers.

Fixed

  • Resolved previously documented functional gaps for proxy support, retry middleware integration, and CLI cookie persistence, which are now fully implemented and operational.

v0.1.0 — Initial Release

Choose a tag to compare

@devAlphaSystem devAlphaSystem released this 01 Mar 11:00

Initial public release.

What is NLcURL?

A pure TypeScript HTTP client that impersonates real browser TLS fingerprints at the byte level — JA3/JA3N, Akamai HTTP/2 — enabling requests that pass bot-detection systems. Built entirely on Node.js built-in modules with zero runtime dependencies.

Features

  • Browser impersonation — Chrome, Firefox, Safari, Edge, and Tor profiles (15+ versions each)
  • Dual TLS engine — Standard (node:tls) and Stealth (raw byte-level ClientHello construction)
  • HTTP/1.1 and HTTP/2 — Full protocol support with HPACK header compression and Akamai H2 fingerprinting
  • Connection pooling — Per-origin keep-alive reuse
  • Cookie jar — RFC 6265 compliant, automatic per-session handling
  • Proxy support — HTTP CONNECT and SOCKS4/5 tunneling
  • Middleware — Request/response interceptors, configurable retry with exponential backoff, rate limiting
  • WebSocket — RFC 6455 with TLS impersonation on the upgrade handshake
  • CLI — curl-like command-line interface (nlcurl <url> --impersonate chrome136)
  • Zstd decompression — Native on Node.js ≥ 22; graceful fallback on Node.js 18–21

Requirements

  • Node.js ≥ 18.17.0

Installation

npm install nlcurl

Notes

  • This is an initial release — APIs may evolve before v1.0.0.
  • Profiles tested against real browser captures; impersonation quality may vary by target.