v3.2.0 / 2022 Jul 18

Identical to v3.2.0-RC3 (2022 Jun 27)

[com.taoensso/nippy "3.2.0"]

This is a non-breaking maintenance release.
See here for recommended steps when updating any Clojure/Script dependencies.

New since v3.1.3

• [#144] [New] Add org.joda.time.DateTime to default-thaw-serializable-allowlist (@slipset)
• [#146] [New] Add Graal native configurations (@FieryCod)

Changes since v3.1.3

• Bump dependencies, incl. minimum Encore version

Fixes since v3.1.1

• [#89 #150] [Fix] Boxed Booleans incorrectly freezing to primitive true (@RolT)
• [#148] [Fix] tools/freeze should use *freeze-opts* even for unwrapped vals
• [#145] [Fix] Freezing custom types with munged field names

The boxed Boolean bug has been around since the first version of Nippy and is mostly
relevant to users doing Java interop. For more info see: 8909a32

v3.2.0-RC3 / 2022 Jun 27

[com.taoensso/nippy "3.2.0-RC3"]

This is a non-breaking maintenance release.
See here for recommended steps when updating any Clojure/Script dependencies.

New since v3.1.3

• [#144] [New] Add org.joda.time.DateTime to default-thaw-serializable-allowlist (@slipset)
• [#146] [New] Add Graal native configurations (@FieryCod)

Changes since v3.1.3

• Bump dependencies, incl. minimum Encore version

Fixes since v3.1.1

• [#89 #150] [Fix] Boxed Booleans incorrectly freezing to primitive true (@RolT)
• [#148] [Fix] tools/freeze should use *freeze-opts* even for unwrapped vals
• [#145] [Fix] Freezing custom types with munged field names

The boxed Boolean bug has been around since the first version of Nippy and is mostly
relevant to users doing Java interop. For more info see: 8909a32

v3.2.0-RC2 / 2022 Jun 23

[com.taoensso/nippy "3.2.0-RC2"]

This is a non-breaking maintenance release.
See here for recommended steps when updating any Clojure/Script dependencies.

New since v3.1.3

• [#144] [New] Add org.joda.time.DateTime to default-thaw-serializable-allowlist (@slipset)
• [#146] [New] Add Graal native configurations (@FieryCod)

Changes since v3.1.3

• Bump dependencies, incl. minimum Encore version

Fixes since v3.1.1

• [#148] [Fix] tools/freeze should use *freeze-opts* even for unwrapped vals
• [#89 #150] [Fix] Boxed Booleans incorrectly freezing to primitive true (@RolT)

The boxed Boolean bug has been around since the first version of Nippy and is mostly
relevant to users doing Java interop. For more info see: 8909a32

v3.1.3 / 2022 Jun 23

[com.taoensso/nippy "3.1.3"]

This is a non-breaking, bugfix release.
See here for recommended steps when updating any Clojure/Script dependencies.

Fixes since v3.1.1

• [#148] [Fix] tools/freeze should use *freeze-opts* even for unwrapped vals
• [#89 #150] [Fix] Boxed Booleans incorrectly freezing to primitive true (@RolT)

The boxed Boolean bug has been around since the first version of Nippy and is mostly
relevant to users doing Java interop. For more info see: 8909a32

v3.1.1 / 2020 Nov 18

[com.taoensso/nippy "3.1.1"]

This is a non-breaking, bugfix release. But please note that large keywords or symbols (with >127 characters) frozen with >=v3.1.1 will need >=v3.1.1 to thaw.

Fixes since v3.1.0

• Large keywords and symbols (with >127 characters) can now thaw without throwing (@danmason).

v3.1.0 / 2020 Nov 6

[com.taoensso/nippy "3.1.0"]

This is a non-breaking, minor feature release.

New since v3.0.0

• [#135 #128] Added native freeze/thaw support for java.time classes on JVM 8+: Instant, Duration, Period.
• [#137] Add thaw-from-resource convenience util.
• Add (DEPRECATED) swap-serializable-whitelist! for backwards compatibility.

Changes since v3.0.0

• Add several standard java.time classes to default *thaw-serializable-whitelist*.

v3.1.0-RC1 / 2020 Oct 24

[com.taoensso/nippy "3.1.0-RC1"]

This is a non-breaking, minor feature release.

New since v3.0.0

• [#135 #128] Added native freeze/thaw support for java.time.Instant on JVM 8+ (@cnuernber).

v3.0.0 / 2020 Sep 20

[com.taoensso/nippy "3.0.0"]

This release is focused on smoothing out rough edges left by CVE-2020-24164 [#130], and to ease transition from versions of Nippy < v2.15.0 final.

See here for recommended steps when updating any Clojure/Script dependencies.

Note that there's separate details below for upgrading from v2.15 vs v2.14:

Upgrading from v2.15 (usually non-breaking)

Usually a non-breaking drop-in replacement, but there's some changes you might like to take advantage of. See [#130] for detailed upgrade instructions.

Changes

• [BREAKING] Bumped minimum Clojure version from v1.5 to v1.7.
• [BREAKING] :nippy/unthawable responses now have a standardized form: {:nippy/unthawable {:type _ :cause _ ...}. Most folks won't care about this change unless they have code specifically to deal with :nippy/unthawable responses.
• [Deprecated] *serializable-whitelist* has been split into two separate vars: *freeze-serializable-allowlist*, *thaw-serializable-allowlist*. See [#130] for details.
• By default, freeze now allows the use of Java's Serializable for any class. thaw continues to be restrictive by default, and will quarantine any objects not on the class allowlist. See [#130] for details.

New

• [#122] Option to disable freezing and/or thawing of metadata.
• freeze and thaw now support opts: :serializable-allowlist, :incl-metadata?.
• New read-quarantined-serializable-object-unsafe! util to read quarantined Serializable objects. See API docs and/or [#130] for details.
• Add allow-and-record-any-serializable-class-unsafe util. See API docs and/or [#130] for details.

Upgrading from v2.14 (may be BREAKING)

Likely breaking. Please see [#130] for detailed upgrade instructions.

Changes

• [BREAKING] Bumped minimum Clojure version from v1.5 to v1.7.
• [BREAKING] [#130] thaw will now quarantine Serializable objects whose class is not allowed by *thaw-serializable-allowlist*. See [#130] for details.
• [BREAKING] :nippy/unthawable responses now have a standardized form: {:nippy/unthawable {:type _ :cause _ ...}. Most folks won't care about this change unless you have code specifically to deal with :nippy/unthawable responses.
• [#101] Switch default encryptor from AES-CBC to AES-GCM (faster, includes integrity check)

New

• [#127] Add utils: freeze-to-string, thaw-from-string (@piotr-yuxuan)
• [#113 #114] Add support for object arrays (@isaksky)
• [#83 #112] Add support for deftype (@isaksky)
• [#83 #113] Add support for URIs (@isaksky)
• [#126] extend-freeze: include id collision odds in docstring

Fixes

• [#120] Update freezable? to cover nil

v3.0.0-RC3 / 2020 Sep 12

[com.taoensso/nippy "3.0.0-RC3"]

New since v3.0.0-RC1

• Serializable: add allow-and-record-any-serializable-class-unsafe util.

v3.0.0-RC1 / 2020 Sep 11

[com.taoensso/nippy "3.0.0-RC1"]

Major BREAKING feature + security release.
See here for recommended steps when updating any Clojure/Script dependencies.

This release is focused on smoothing out rough edges left by CVE-2020-24164 [#130], and to ease transition from version of Nippy < v2.15.0 final.

Apologies for the recent breaking changes!

Note that there's separate documentation below if upgrading from v2.15 or v2.14:

Since v2.15.0 (incl. BREAKING changes)

See [#130] for detailed upgrade instructions.

Changes

• [BREAKING] Bumped minimum Clojure version from v1.5 to v1.7.
• [BREAKING] *serializable-whitelist* has been split into two separate vars: *freeze-serializable-allowlist*, *thaw-serializable-allowlist*. See [#130] for details.
• [BREAKING] :nippy/unthawable responses now have a standardized form: {:nippy/unthawable {:type _ :cause _ ...}. Most folks won't care about this change unless you have code specifically to deal with :nippy/unthawable responses.
• By default, freeze now allows the use of Java's Serializable for any class. thaw continues to be restrictive by default, and will quarantine any objects not on the class allowlist. See [#130] for details.

New

• [#122] Option to disable freezing and/or thawing of metadata.
• freeze and thaw now support opts: :serializable-allowlist, :incl-metadata?.
• New read-quarantined-serializable-object-unsafe! util to read quarantined Serializable objects. See [#130] for details.

Since v2.14.0 (incl. BREAKING changes)

See [#130] for detailed upgrade instructions.

Changes

• [BREAKING] [#130] thaw will now quarantine Serializable objects whose class is not allowed by *thaw-serializable-allowlist*. See [#130] for details.
• [BREAKING] Bumped minimum Clojure version from v1.5 to v1.7.
• [BREAKING] :nippy/unthawable responses now have a standardized form: {:nippy/unthawable {:type _ :cause _ ...}. Most folks won't care about this change unless you have code specifically to deal with :nippy/unthawable responses.
• [#101] Switch default encryptor from AES-CBC to AES-GCM (faster, includes integrity check)

New

• [#127] Add utils: freeze-to-string, thaw-from-string (@piotr-yuxuan)
• [#113 #114] Add support for object arrays (@isaksky)
• [#83 #112] Add support for deftype (@isaksky)
• [#83 #113] Add support for URIs (@isaksky)
• [#126] extend-freeze: include id collision odds in docstring

Fixes

• [#120] Update freezable? to cover nil