This patch includes a requested security feature for denying symlinks. Enable, using --deny-symlinks flag and symlinks will receive a "Forbidden" response for all files that are symlinks.

Node Security Advisory
https://www.npmjs.com/advisories/816

HackerOne Reprot
https://hackerone.com/reports/530289

Patch release that fixes unauthorized file access via encoded underscore.

Node Security Advisory
https://www.npmjs.com/advisories/807

HackerOne Reprot
https://hackerone.com/reports/453820

Detailed tests added in [email protected]
https://github.com/sintaxi/terraform/commit/b1934873bba39427e3324a999b19b0741b04df0f

Basic harp test added...
https://github.com/sintaxi/harp/commit/6547336e87096bd92e10aa0dedfe3b73b5f41a9f

• tested on node v8.x
• updates node-sass to latest
• updates jade
• updates coffeescript mime type

• fixes address error when starting server https://github.com/sintaxi/harp/issues/549 (problem introduced in v0.20.2)
• fixes range error when compiling https://github.com/sintaxi/harp/issues/538 (fixes https://github.com/angular/angular.io compile issue)

Harp v0.14.0 – Implicit Autoprefixing

A new release of Harp is available today. Harp now takes care of vendor prefixing for you, via the fantastic Autoprefixer.

Create any .sass, .scss, .less, or .styl file…

// main.scss
h1 {
  font-feature-settings: "liga";
  transition: color 0.25s;
}

…and it will be preprocessed and prefixed automatically.

/* main.css */
h1 {
  -webkit-font-feature-settings: "liga";
  -moz-font-feature-settings: "liga";
  font-feature-settings: "liga";
  -webkit-transition: color 0.25s;
  transition: color 0.25s
}

Get started

You shouldn’t have to think about vendor prefixing or configuring your preprossors while building static sites and apps. To get this taken care of for you, install the latest version of Harp:

npm install -g harp

Note you may need to preface this with sudo depending on your setup.

You can read the rest of the release notes on the Harp blog.

A new release of Harp is available today. We’re happily adding one of Harp’s most-requested features: built-in preprocessing of Sass’ indented syntax.

Now, you can write .sass files and they will be implicitly preprocessed as .css files, without any configuration necessary. This works exactly the same as with .scss, .styl, and .less files.

Read the rest of the release notes on the Harp blog.

Additions

Basic Auth support (takes an array in _harp.jsonfile)

{
  "basicAuth": ["batman:darkknight", "superman:supersecret"]
}

OR just takes a single user cred as a string

{
  "basicAuth": "foo:bar"
}

Fixes

• changes !!! to doctype in init to prepare for jade v1
• CLI impovements

API Breakage

none

• adds sass support
• cleanup CLI output
• minor bug fixes

Patch release with just LESS updated. Nothing else changed.

Preprocessor updates

• LESS updated to v1.5.1

Overview

• adds 200.xxx fallback feature that behaves the same as custom 404 pages except returns status code 200 instead.
• changes data to _data in public object.
• changes contents to _contents in public object.

Fixes

• css error messages now returns 200 status code so the error will show up in main html file.

Preprocessor updates

• LESS updated to v1.5.0
• Stylus updated to v0.40.0

API Breakage

A very common API has change. The change is low risk but will break a lot of apps. All instances of data in the public object now begins with underscore. Its now _data. The same change is made for the less commonly used contents arrays. Now _contents.

small release where harp ignores hidden directories. that is all.

Overview

• now works on windows (tested on windows 8)
• minor layout rendering fix (Zhang Yichao)
• rewrote 404 fallback codepath
• simplified error pages
• many bug fixes

Preprocessor updates

• jade updated to v0.35.0
• less updated to v1.4.2
• stylus updated to v0.38.0
• marked updated to v0.2.9

API Breakage

• Jade made a small change script and style tags must be changed to script. and style.
• Less also had minor API breakage see v1.4.2 release notes

As of this release, Harp apps are now mountable. This makes it trivial to tack a blog or whatever onto an express/connect server.

API

harp.mount(mountPoint*, harpPath)

if you would like to mount an application at the "/docs" route just add that as your mountPoint

var docsPath = __dirname + "/docs"
app.use(harp.mount("/docs", docsPath))

The mountPath is optional. If you would like to use harp as your asset pipeline, just omit the mountPath and point it to your harp app....

app.use(harp.mount(__dirname + "/public"))

Layout engine got a pretty major overhaul

1) Cascading Layout lookup

Layouts walk the directory tree by default looking for _layout.xxx in each directory until it hits the public directory. (specifying a layout file in _data.json) will be how you override this behaviour.

2) Overrides are a relative path to the template file (or _data.json)

Specifying a layout in _data.json is how to override the implicit layout behaviour and this file path should be relative to the template file. This makes sense because the _data.json file lives where the template file lives. The system falls back to using an absolute path if no layout is found at the relative path specified. This is to make it easier to accidentally do the right thing.

3) Layout file opt-out.

Specifying a "layout": false in the _data.json does not use a layout file and "layout": true works just like the default behaviour.

How to Upgrade

Zero to minimal API breakage expected. Upgrade by running the following...

sudo npm install harp -g

Restart your harp webserver and your good to go.

There was a small bug found in the static serving of "root style" projects. This patch fixes that.

important - there were changes to the globals object. skip to bottom for upgrade path.

Disposable web serving.

Harp now works as a great little disposable web server for serving assets in a hurry. To use simply run harp server in the root of any directory that you want served. You may also create a _harp.json file in the root of your project for addition configuration.

The framework style directory structure still functions as usual but now requires a harp.json file in the root directory. When a harp.json file (no underscore) is found, it tells the server to serve a public directory instead of the root.

How global objects now work.

You put your globals in harp.json file as you did before...

{
  "globals": {
    "title": "Sintaxi Blog"
  }
}

and now you can reference then as first class attributes in all your templates...

h1= title

Breakdown of our planned API breakage (marked tasks are completed):

• make globals truely global
• server default to serve root
• make templates look up the tree for the nearest _layout.xxx
• make layout overrides relative paths
• replace EJS with handlebars

Upgrade Path

• run sudo npm install -g harp and restart your server node server.
• remove globals scope form all references to the global variables in your app. For example globals.name is now referenced as just name. And globals.public.data is referenced as public.data.
• add a harp.json file to your project if you want to keep your current application running the same way.