
Releases: sahat/hackathon-starter

10.0.0

09 Feb 07:47


New AI and Integration Features

  • AI: AI Agent (ReAct: Reasoning+Acting) boilerplate with LangChain as a starting point for AI Agent development with support for:
    • Tool execution with automatic retry middleware for transient failures
    • MongoDB session persistence for chat history for authenticated users
    • Input guardrails for safety against prompt injection/jailbreak (Llama Guard 4)
    • Conversation summarization for long conversations to stay within context limits
    • Real-time streaming for a live response chat experience using Server-Sent Events (SSE)
    • Streaming of the Agent's internal chatter, tool calls, etc., for debugging
  • AI: RAG boilerplate (LangChain, Hugging Face, Groq (Llama 3.3), MongoDB Vector Search, Keyv caching)
  • AI: Serverless LLM integration - text classification (Llama 3.3 hosted on Groq)
  • AI: Vision - device camera and LLM vision model usage (Llama 4 Scout hosted on Groq)
  • AI: OpenAI Moderation model usage example
  • API Integration: trakt.tv
  • API Integration: Wikipedia (@nikeshadhikari9)
  • API Integration: PubChem chemical info data source (@hemanthsavasere)
  • API Integration: Tenor GIPHY (@DanielLuu122 @YasharF)

New Core Features

  • 2FA via email and code generator apps (TOTP)
  • Login with passkeys (biometrics, Face ID, etc.)
  • Passwordless authentication (login via email link)
  • OAuth token revocation (RFC 7009-style and provider-specific variants) when users unlink an OAuth provider or delete their account
  • Login with Discord
  • Login with Microsoft (@dev-shahed)
  • Multiple profile picture support

Enhancements

  • Enhanced Express.js logging with custom Morgan configuration
  • Reduced startup friction for new projects by making reCAPTCHA credentials optional
  • Consolidated the AI integrations to be separate from API integrations
  • Refactored Passport.js strategies to use a common auth-login handler for easier swapping of OAuth providers, maintenance, and core testing
  • Updated the included sample Terms of Service and Privacy Policy for formatting and compliance with Google and Facebook requirements
  • Various visual and UX improvements
  • Improved pre-commit hook scripts for running eslint --fix and Prettier --write on files being committed
  • Consolidated temporary artifacts in tmp/

Bug Fixes

  • Fix Facebook OAuth: missing email scope, and infinite loop in certain cases
  • Fix upload folder being created in controllers/ instead of the app root
  • Fix error handling issues in Google Sheets and Google Drive integration
  • Fix various npm script-related issues for Windows development environments
  • Fix error from not having husky installed in production environments when using npm ci --omit dev

Chores & Maintenance

  • Replaced unmaintained express-flash npm package with our own middleware (@Prasanth-S7)
  • Replaced moment.js in favor of the native Node.js date API
  • Updated the minimum engine to Node.js 24.13, the latest fully security-patched LTS version.
  • Updated dependencies
  • Improved Dependabot and GitHub Actions scripts to automate keeping dependencies up to date.
  • Updated Google Maps API integration
  • Updated Google branding per their requirements
  • Updated NYT API integration to use v3 endpoint
  • Updated QuickBooks API integration per required changes
  • Migrated Foursquare API integration to use the new Places API endpoints (@mheavey2)
  • Migrated reCAPTCHA to GCP
  • Removed Pinterest OAuth and API Integration
  • Removed SendGrid references as they no longer offer a reasonable free tier for hackathon participants (@nylla8444)
  • Removed the lodash dependency, as much of its functionality can be fulfilled with current versions of JS with minimal code.
  • Removed Airbnb eslint (fork) usage in favor of direct rules within eslint 9 configs
  • Removed Docker support documentation, as Docker will no longer be officially supported (Docker workflows don't align with the hackathon development model, and deployment environments vary too widely for a single Docker configuration to be useful or maintainable.)
  • Added Pull Request template with a checklist to remind devs on various pre-checks for shippable code
  • Updated various documentation (@YasharF @nylla8444 @FrontendBy-GJ)

Tests

9.0.0

12 Apr 14:20


New Features

  • Introduced "Logout Everywhere" functionality for enhanced security (Thanks to @vimark1).
  • Added support for Google Analytics 4, Facebook Pixel, and Open Graph metadata.

Enhancements

  • Removed unnecessary session saves for uninitialized sessions.
  • Cleaned up GitHub Actions by removing unnecessary CodeQL references.
  • Updated documentation for improved clarity and relevance.
  • Optimized Dockerfile and updated Docker image for better performance (Thanks to @akarys2304).
  • Replaced favicon.png with favicon.ico to match browser default requests.
  • Added Apple touch icons.
  • Refactored Nodemailer calls into config/nodemailer.js for unified security and configuration settings.
  • Removed redundant installation of body-parser, now included with ExpressJS.
  • Renamed getValidateReCAPTCHA to validateReCAPTCHA for better clarity.
  • Adopted Prettier for consistent code formatting.
  • Suppressed unactionable Sass import deprecation warnings.
  • Renamed handleOAuth2Callback to saveOAuth2UserTokens for clarity.

Security Updates

  • Addressed Host-header Injection vulnerability in Password Reset & Email Verification (CVE-2025-29036).
  • Added upload size limit for Multer and moved its configuration to api.js.
  • Replaced MD5 with SHA256 for Gravatar generation.
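The Host-header issue fixed in this release comes from deriving the password-reset link from the request's Host header. As an added example (not hackathon-starter's own code; function names, the request object and the BASE_URL value are assumptions), the vulnerable pattern next to a hardened one that takes the origin from configuration instead:

```javascript
// Added example, not hackathon-starter's own code. Names are assumptions.

// Vulnerable pattern: the link's host is copied from the Host header, which
// the sender of the reset request controls. The emailed link can therefore
// point the recipient at a host the application never intended.
function resetUrlFromHost(req, token) {
  return `${req.protocol}://${req.headers.host}/reset/${token}`;
}

// Hardened pattern: the origin comes from a trusted configuration value
// (the project already uses BASE_URL for OAuth callbacks). The token is the
// only per-request input, and it is restricted to URL-safe characters.
// Note that any path on baseUrl is replaced by /reset/<token>.
function resetUrlFromBaseUrl(baseUrl, token) {
  if (typeof baseUrl !== 'string' || !/^https?:\/\//.test(baseUrl)) {
    throw new Error('BASE_URL must be an absolute http(s) URL');
  }
  if (typeof token !== 'string' || !/^[A-Za-z0-9_-]+$/.test(token)) {
    throw new Error('token must be a URL-safe string');
  }
  return new URL(`/reset/${token}`, baseUrl).href;
}

// Constructed request for the demonstration: the Host header here is the
// value an untrusted client supplied (placeholder name, not a real host).
const sampleReq = {
  protocol: 'https',
  headers: { host: 'attacker.example' },
};
const SAMPLE_BASE_URL = 'https://app.example'; // placeholder configuration value
const SAMPLE_TOKEN = 'abc123'; // constructed token, not a real one

console.log(resetUrlFromHost(sampleReq, SAMPLE_TOKEN)); // host taken from the request
console.log(resetUrlFromBaseUrl(SAMPLE_BASE_URL, SAMPLE_TOKEN)); // host taken from config
```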

Bug Fixes

  • Updated to the latest HERE Maps API as the prior API version calls were no longer working.
  • Corrected the path for popper.js.
  • Fixed pre-commit test and lint execution.
  • Updated the default privacy policy to comply with Facebook terms and other regulations.
  • Improved OAuth2 token handling logic:
    • Properly save tokens without expiration dates.
    • Consolidated token-saving logic across all providers to fix multiple issues.
    • Prevented infinite redirect loops in isAuthorized during failed token refresh attempts.

Chore & Maintenance

  • [Breaking] Upgraded to Express 5.x.
  • [Breaking] Migrated from axios to Node.js's built-in fetch, reducing dependencies and improving performance.
  • Switched from the deprecated nyc to c8 for code coverage reporting.
  • Updated all dependencies.

Tests

  • Added unit tests for isAuthorized and saveOAuth2UserTokens in config/passport.js.
  • Fixed unit tests for app.js.

8.1.0

01 Feb 17:57


Security Enhancements

  • Added URL validation for redirects through session.returnTo (CWE-601).
  • Fixed OAuth state parameter generation and handling to address CSRF attack vectors in the OAuth workflow.
  • Added additional sanitization for user input in database queries using $eq in MongoDB.
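The first and third items above describe two input checks that are easy to get subtly wrong. As an added example (not the project's own code; function names are assumptions), a returnTo validator that rejects the protocol-relative and backslash forms behind CWE-601, and a query builder that forces a literal comparison with $eq and refuses non-string input:

```javascript
// Added example, not hackathon-starter's own code. Names are assumptions.

// CWE-601: accept only a local, absolute path for the post-login redirect.
// Anything a browser could interpret as another origin falls back to "/".
function safeReturnTo(returnTo, fallback = '/') {
  if (typeof returnTo !== 'string' || returnTo.length === 0) return fallback;
  // Must start with exactly one "/" so that "//evil.example" is rejected.
  if (!returnTo.startsWith('/') || returnTo.startsWith('//')) return fallback;
  // Backslashes are normalised to "/" by browsers ("/\evil.example"), and
  // CR/LF have no place in a redirect target.
  if (/[\\\r\n]/.test(returnTo)) return fallback;
  // Resolve against a fixed placeholder origin and confirm it did not change.
  const origin = 'https://app.invalid'; // placeholder, never contacted
  let parsed;
  try {
    parsed = new URL(returnTo, origin);
  } catch {
    return fallback;
  }
  if (parsed.origin !== origin) return fallback;
  return parsed.pathname + parsed.search + parsed.hash;
}

// MongoDB operator injection: a JSON body can deliver an object such as
// { "$gt": "" } where a string was expected. Rejecting non-strings up front
// and wrapping the value in $eq guarantees a literal comparison.
function emailFilter(email) {
  if (typeof email !== 'string') {
    throw new TypeError('email must be a string');
  }
  return { email: { $eq: email.toLowerCase() } };
}

// Constructed inputs for the demonstration.
console.log(safeReturnTo('/account'));             // "/account"
console.log(safeReturnTo('//evil.example/x'));     // "/"
console.log(safeReturnTo('https://evil.example')); // "/"
console.log(emailFilter('User@Example.com'));      // { email: { $eq: 'user@example.com' } }
```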

API and Integration:

  • Unified formatting for authentication parameters in route definitions and passport.js configuration.
  • Refactored common code for OAuth 2 token processing in passport strategies to improve maintainability.
  • Reworked the GitHub and Twitch API integration examples with additional data from the APIs.
  • Reworked the Twilio API integration example to use Twilio’s sandbox servers and test phone numbers.
  • Upgraded the Pinterest API example to use v5 calls instead of the broken v1.
  • Reworked the Tumblr API integration example with additional data from the API.
  • Added a properly working OAuth 1.0a integration for Tumblr.
  • Removed sign-in by Snapchat due to increased difficulty for developers and a focus on hackathon participants.
  • Removed Foursquare OAuth authorization and updated the API demo with new examples.
  • Renamed Twitter to X (Some of the backend and code still reference Twitter due to upstream dependencies, and the login button is using Twitter colors pending X addition to bootstrap-social).

Update/Upgrades:

  • Dropped support for Node.js < 22 due to ESM module import issues prior to that version.
  • Migrated from the unmaintained passport-linkedin-oauth2 to a passport-openidconnect strategy.
    • Added support and examples for openid-client.
  • Migrated from the deprecated paypal-rest-sdk to an example without the SDK, providing OAuth calls depending on the page state.
  • Migrated from the unmaintained bootstrap-social to a fork that can be easily patched and updated.
  • Migrated eslint to v9, and its new config format (breaking change).
  • Migrated Husky to v9, and its new config format (breaking change). Fixed Windows commit issue.
  • Updated dependencies.
  • Added temporary patch files for connect-flash and passport-openidconnect based on pending pull requests or issues on GitHub.

Other:

  • Fixed a bug that prevented profile pictures from being displayed.
  • Added authentication link/unlink options to the user profile page for all OAuth/Identity providers.
  • Fixed typos, broken links, and minor formatting alignment issues on various pages.
  • Fixed spelling errors in startup information displayed in the console.
  • Refactored URL validation in unit tests for Gravatar generation to conform with CodeQL rules. Even though CodeQL does vulnerability checks, this is not a security issue since it only affects unit tests.
  • Updated the placeholder main.js to use the current format (not deprecated JS).
  • Updated the GitHub repo worker/runner configs to use proper permissions.
  • Return exit code 1 if there is a database connection issue at startup.
  • Added the --trace-deprecation flag to startup to provide better information on runtime deprecation warnings.
  • Updated .gitignore to exclude the uploads path.
  • Updated the copyright year.
  • Updated documentation.

8.0.0

29 Jul 01:30


8.0.0 (July 28, 2023)

  • Security: Renamed the session cookie and set the secure attribute for cookie transmission when HTTPS is present
  • Security: Migrated off known deprecated, vulnerable or unmaintained dependencies
  • Security: Added express rate limiter
  • Added additional sanitization and validation for external inputs. Lusca provides input protection; the additional sanitization and validation add another layer of protection.
  • Added patch-package for temporarily patching dependencies
  • Temporary patch for passportjs to handle logout failures
  • Temporary patch for passport-oauth2: better auth failure reporting
  • Removed broken Instagram OAuth support as Meta no longer supports it
  • Added handler for 404 (page not found) to avoid 500 errors when a route is not found
  • Fixed unhandled error during logout
  • Fixed pug tags with multiple attributes (thanks to @soundz77)
  • Added lint-staged and Husky to lint all commits
  • Fix req.logout for passport 0.6
  • Fix broken unit test
  • Update default gravatar
  • Visual UI improvements
  • Added GitHub Actions: Node.js CI check for unit tests and lint
  • Upgrade Node.js for docker
  • Removed express-handlebars npm package as it was not used and is not that popular compared to pug (breaking change)
  • Removed chalk npm package as it was not used (breaking change)
  • Updated documentation
  • Upgraded to mongoose 7 (breaking change)
  • Upgraded to popper2
  • Migrated from googleapis npm package to @googleapis/drive and @googleapis/sheets to reduce size and improve performance (breaking change)
  • Migrated from passport-twitch-new to twitch-passport (breaking change)
  • Migrated from lob to @lob/lob-typescript-sdk (breaking change)
  • Migrated from deprecated node-sass to Dart Sass
  • Migrated off passport-openid (breaking change)
  • Migrated off nodemailer-sendgrid (breaking change)
  • Migrated off passport-twitter and twitter-lite (breaking change)
  • Migrated off node-quickbooks (breaking change)
  • Updated dependencies
  • Removed travis.yml

API example changes:

  • Removed the Twitter API example as the APIs are actively changing and mostly not free (breaking change)
  • Removed the Instagram API example as it was broken and Meta has significantly reduced the API scope and availability for devs
  • Improved the Chart.js + Alpha Vantage example to handle API failures
  • Fix minor formatting issues and missing images
  • Tumblr - Fixed the Tumblr example and moved off tumblrjs (breaking change)
  • Added missing parameters for Lob's new API requirements
  • Improved the Last.fm API example as the artist image is no longer vended by last.fm

7.0.0

26 Mar 20:48


  • Dropped support for Node.js <16
  • Switched to Bootstrap 5
  • Removed older Bootstrap 4 themes
  • Updated dependencies

6.0.0

03 Jan 03:13


6.0.0 (January 2, 2020)

  • Dropped support for NodeJS 8.x, due to its EOL
  • Use HTML5 native client form validation (thanks to @peterblazejewicz)
  • Fix navbar rendering issues when using themes (thanks to @peterblazejewicz)
  • Fix button formatting issues when applying themes (thanks to @peterblazejewicz)
  • Fixed drop down menu to show correct formatting from the theme (thanks to @jonasroslund)
  • Config mongoose to use the new Server Discovery and Monitoring
  • Fix validation bug in Twitter, Pinterest, and Twilio API examples
  • Fix HERE icon in the API examples
  • Fix minor issues in Stripe and Lob API examples
  • Update dependencies
  • Update documentation (thanks in part to @noftaly, @yanivm)

5.2.0

28 Jul 23:35


5.2.0 (July 28, 2019)

  • Added API example: Google Drive (thanks to @tanaydin)
  • Added Google Sheets API example (thanks to @clarkngo)
  • Added HERE Maps API example
  • Added support for Intuit Quickbooks API
  • Improved Lob.com API example
  • Added support for email verification
  • Added support for refreshing OAuth tokens
  • Fixed bug when users attempt to login by email for accounts that are created with a sign in provider
  • Fixed bug in the password reset
  • Added CSRF check to the File Upload API example -- security improvement -- breaking change
  • Added validation check to password reset token -- security improvement
  • Fixed missing await in the Foursquare API example
  • Fixed Google OAuth2 profile picture (thanks to @tanaydin)
  • Removed deprecated Instagram API calls -- breaking change
  • Upgrade to login by LinkedIn v2, remove LinkedIn API example -- breaking change
  • Removed express-validator in favor of validator.js -- breaking change
  • Removed Aviary API example since the service has been shutdown
  • Added additional unit tests for the user model (thanks to @Tolsee)
  • Updated Steam's logo
  • Updated dependencies
  • Updated documentation (thanks in part to @TheMissingNTLDR, @Coteh)

5.1.4 b

15 May 02:55


Re-release of 5.1.4, since the original release failed to include "Adding Node.js 12 to the Travis build".

5.1.4

15 May 02:49


5.1.4 (May 14, 2019)

  • Migrate from requestjs to axios (thanks to @FX-Wood)
  • Enable page templates to add items to the HTML head element
  • Fix bold font issue on macs (thanks to @neighlyd)
  • Use BASE_URL for GitHub
  • Update min node engine to require the Feb 2019 Node.js security release
  • Add Node.js 12 to the Travis build
  • Update dependencies
  • Update documentation (thanks in part to @anubhavsrivastava, @Fullchee, @luckymurari)

5.1.3

08 Apr 04:40


5.1.3 (April 7, 2019)

  • Update Steam API Integration
  • Upgrade flatly theme files to 4.3.1
  • Migrate from bcrypt-nodejs to bcrypt
  • Use BASE_URL for twitter and facebook callbacks
  • Add a ChartJS example in combination with Alpha Vantage API usage (thanks to @T-travis)
  • Improve GitHub integration – use the user’s private email address if there is no public email listed (thanks to @danielhunt)
  • Improve the error handling for the NYT API example
  • Add lodash 4.7
  • Fixed gender radio buttons spacing
  • Fixed alignment issue for login / sign in buttons at certain screen widths (thanks to @eric-sciberras)
  • Remove Mozilla Persona information from README since it has been deprecated
  • Remove utils
  • Remove GSDK since it does not support Bootstrap 4 (thanks to @laurenquinn5924)
  • Added additional tests to cover some of the API examples
  • Add prod-checklist.md
  • Update dependencies
  • Update documentation (thanks in part to @GregBrimble)