The newest Meteor release is out today! Meteor 0.6.6 has new features and bugfixes across many different packages. We've upgraded to Node's 0.10 stable track, added new capabilities to our Mongo database layer like upsert and $near queries, and wrote a new browser-policy package that helps you lock down your application on modern browsers.
We also held our first team-wide Bug Week in San Francisco last month. With help from core contributors around the world, we closed 62 issues. Many of the fixes in 0.6.6 came out of this work.
To update a Meteor application to 0.6.6, just run meteor update inside your project directory. You can also try an application on 0.6.6 before upgrading it by running meteor --release 0.6.6. If you're new to Meteor, you can get started on OS X or Linux right away by running
$ curl https://install.meteor.com | /bin/sh
in your terminal window.
Portions of this release were contributed by GitHub users ansman, awwx, codeinthehole, jacott, Maxhodges, meawoppl, mitar, mizzao, mquandalle, nathan-muir, RobertLowe, ryw, and timhaines. Many thanks to all of them. Full release notes are available in GitHub. Please read on for some of the highlights.
Emily Stark wrote a new
browser-policy package that makes it easy to use new browser standards to help protect against cross-site scripting and clickjacking attacks. The package implements two new security standards. The first,
X-Frame-Options, prevents untrusted sites from embedding your application in a frame. And
We recommend using browser-policy in all your applications. To help you get started, we have a default starter policy that works well for many apps without needing any additional configuration. Under the starter policy, your app's client code will be able to load content (images, scripts, fonts, etc.) only from its own origin, except that XHRs and WebSocket connections can go to any origin. Your client code will not be able to use functions such as eval that convert strings to code. And users' browsers will only let your app be framed by web pages on the same origin as your app.
Of course, you can modify the starter policy. Constructing the correct HTTP headers manually is a handful, so we ship an API that you can use to control each restriction separately. For example, calling
<img> tags to reference images on your CDN. See the package documentation for details.
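To make the starter policy's restrictions concrete, here is an added example (not part of the original post and not the browser-policy package's code) that builds the response headers by hand and then permits images from a CDN. It assumes the content restrictions are delivered as a Content-Security-Policy header; the function names and the CDN URL are hypothetical, and the header values approximate the policy as described here rather than reproduce what the package emits.

```javascript
// Added example. starterPolicy, allowImageOrigin and buildHeaders are
// hypothetical names, not the browser-policy package's API.

function starterPolicy() {
  return {
    csp: {
      // Same origin only for images, scripts, fonts, etc. With no
      // 'unsafe-eval' source listed, eval() of strings is refused.
      'default-src': ["'self'"],
      'connect-src': ['*'], // XHR and WebSocket may reach any origin
    },
    framing: 'SAMEORIGIN', // only same-origin pages may frame the app
  };
}

function allowImageOrigin(policy, origin) {
  const url = new URL(origin); // throws on malformed input
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error('image origin must be http(s): ' + origin);
  }
  // Refuse characters that would start a new directive or policy.
  if (/[;,\s]/.test(url.origin)) {
    throw new Error('unsafe characters in origin: ' + origin);
  }
  const csp = policy.csp;
  // A specific directive replaces default-src instead of extending it,
  // so seed img-src with the default sources before adding the CDN.
  if (!csp['img-src']) csp['img-src'] = csp['default-src'].slice();
  if (!csp['img-src'].includes(url.origin)) csp['img-src'].push(url.origin);
  return policy;
}

function buildHeaders(policy) {
  const csp = Object.keys(policy.csp)
    .map((name) => name + ' ' + policy.csp[name].join(' '))
    .join('; ');
  return {
    'Content-Security-Policy': csp,
    'X-Frame-Options': policy.framing,
  };
}

// Constructed sample input: a placeholder CDN URL with a path.
const headers = buildHeaders(
  allowImageOrigin(starterPolicy(), 'https://cdn.example.com/assets/')
);
console.log(headers);
```

Forgetting to carry the default sources into the new img-src directive is the usual hand-written mistake: the CDN images load, but same-origin images stop loading.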
There is another security benefit in 0.6.6. Where available, Meteor now uses a cryptographically strong pseudorandom number generator, on both the client (via
window.crypto.getRandomValues) and server (via
David Greenspan and Emily Stark added the long-requested support for Mongo's upsert operation. This works on the client (in minimongo) and on the server (using the native Mongo driver).
Slava Kim added support for the
$near operator in minimongo when using
David Glasser implemented ECMAScript-style callbacks that pass along an index for cursor.map. This change closes what was the oldest open item in our GitHub issue tracker.
We also improved $not when querying objects with arrays, supported using count on the client, and added support for projecting documents with fields on the client.
A new option called
Accounts.config restricts new users to emails from a specific domain (e.g. only users with @meteor.com emails) or a custom validator.
We now expire login tokens periodically.
You can log out all other connections for the current user by calling
Meteor is now built against glibc 2.9. This expands our Linux platform support to include Ubuntu 10.04+, RHEL and CentOS 6+, Fedora 10+, and Debian 6+, as well as other distributions based on glibc 2.9 or later.
The Meteor command line tools support the
HTTPS_PROXY environment variables, so you can install Meteor, upgrade releases, and deploy applications when running behind a proxy.
And numerous upgrades to dependencies: Node 0.10.20, MongoDB 2.4.6, http-proxy to a 1.0.0 prerelease, underscore 1.5.2, connect 2.9.0, and many more.