v4.0.0

Breaking Changes ⚠️

• Dropped support for older CFML engines (Adobe ColdFusion 8 and below). Tested against Lucee 5+; should work on ACF 2016+.
• Complete rewrite of the entire codebase (no intentional functional breaks beyond the engine drop).

New Features

• OpenAPI/Swagger JSON generation plus links from the dashboard and docs UI to the generated swagger JSON.
  • Add hint metadata attributes to your components, functions, and arguments to control the generated OpenAPI spec. See the docs for details.
• Input constraint documentation new taffy_minlength, taffy_maxlength, taffy_min, taffy_max, and taffy_pattern metadata on resource method arguments. Display-only (Taffy does not enforce), useful for generated docs.
• Dashboard resource sorting sortable by matching order (previous default), Alpha by URI, or Alpha by Name (new default). User preference persisted in LocalStorage.
• variables.framework.allowGoogleFonts (default: true) opts into Atkinson Hyperlegible for dashboard/docs; disable to fall back to system fonts.

Improvements

• All CFCs migrated to full cfscript.
• jQuery, Bootstrap, and LessCSS removed from dashboard/docs in favor of vanilla JS + CSS.
• Dashboard UI redesigned.
• Generated API docs redesigned to match the dashboard.

Bug Fixes

• Now testing against Lucee 5, 6, and 7; fixed various compatibility issues across versions.
• Default returnExceptionsAsJson to false to prevent inadvertent stack trace disclosure.
• Exception log adapter config was visible in the dashboard config modal and could leak API keys/secrets. Now shown as "redacted".
• Fixed inverted cache timing calculation (one branch computed startTime - endTime, producing negative values).
• Fixed queryToArray polyfill return type (declared struct, implementation returns array).
• Fixed isInstanceOf in factory.cfc failing on Lucee (mapped-path metadata traversal).
• Worked around Lucee metadata-checking oddities.
• Fixed regression: query params configured in the dashboard weren't sent with the request.
• Fixed 3 bugs in the script-based api.cfc that broke all e2e tests.
• Docs correction: exceptionLogAdapter default is LogToDevNull, not LogToEmail.

Removed

• Dead Railo references (structKeyExists(server, "railo") checks).

Tests / CI / Housekeeping

• Test suite completely rewritten and updated to latest Testbox.
• Replaced stub ConfigurationSpec tests with real assertions.
• Added end-to-end HTTP tests via cfhttp. New test API app (tests/testapi/) with echo resources. Covers GET/POST/PUT/DELETE, URI token extraction, JSON deserialization, custom headers, 404/405 responses, and X-HTTP-Method-Override tunneling.
• E2E compatibility fixes across Lucee 5, 6, and 7 (byte-array fileContent on L5, getDirectoryFromPath() trailing-slash behavior on L7, charset encoding, output whitespace leakage).
• Lucee 7 CI fix: CFConfig doesn't support Lucee 7, so added a taffy symlink in the webroot so extends="taffy.core.api" resolves at compile time without the mapping.
• box.json bumped to 4.0.0.

v3.7.1

Patches on v.3.7.0:

• added validation of JSONP callback function name to prevent possible XSS
• new default value for returnExceptionsAsJSON config setting, was true, now: false.

v4.0.0-beta.6

Exact same as beta5, but with a regression fix: Query params setup in dashboard requests weren't being sent to the API when the request was made.

v4.0.0-beta.5

Beta 5

Cumulative updates; everything new in 4.x so far:

• Bug Fixes
  • Fix inverted cache timing calculation - one instance was computed as (startTime - endTime), producing a negative value.
  • Fix queryToArray polyfill return type - Function signature declared struct but the implementation returns an array.
  • Docs: exceptionLogAdapter default - Documentation incorrectly said LogToEmail; actual default is LogToDevNull and has been for quite some time.
  • Fix: if you use an exception log adapter, its config was available on the dashboard, which possibly leaked api keys/etc. The config modal on the dashboard now shows "redacted" if you have exception log adapter config rather than the contents of that config.
• Improvements
  • Dashboard resources are now sortable by matching order (this was the only way, previously), Alpha by URI, and Alpha by Name. New default is alpha by name. Your selection is persisted in LocalStorage.
  • Added support for taffy_minlength, taffy_maxlength, taffy_min, taffy_max, and taffy_pattern metadata on resource method arguments. These are DISPLAY ONLY - Taffy does not enforce them. But they are handy for documentation.
  • Added Atkinson Hyperlegible from google fonts. By default the docs and dashboard now use Atkinson Hyperlegible -- a font designed for accessibility -- from Google Fonts. I realize not everyone wants to allow google fonts usage, so you can disable it with variables.framework.allowGoogleFonts (default: true). Doing so will fall back to more typically available system fonts.
  • Updated generated API docs to use the same design as the new dashboard
  • Replace evaluate() with invoke() for setter-based DI - evaluate() is a known injection vector and anti-pattern. invoke() is the modern CFML approach. Pretty sure the evaluate approach was a relic of old ACF/Railo support that we no longer maintain.
  • Replace duplicate logic for handling detection of docs/dashboard requests with reusable handleDashboardRequest().
  • Decouple baseSerializer from application scope - noData() no longer reads application._taffy.settings directly. Added instance variable with setter, injected by the framework. Enables standalone unit testing without mocking the application scope.
• Removed
  • Remove dead Railo references - No need to keep structKeyExists(server, "railo") checks.
• Tests
  • Add end-to-end HTTP tests - New test API app (tests/testapi/) with echo resources and e2e spec making real cfhttp requests. Covers GET/POST/PUT/DELETE, URI token extraction, JSON deserialization, custom headers, 404/405 responses, and X-HTTP-Method-Override tunneling.
  • Fix e2e test compatibility across Lucee 5, 6, and 7 - Handle byte array fileContent on Lucee 5, getDirectoryFromPath() trailing-slash behavior on Lucee 7, charset encoding, and output whitespace leakage.
• CI
  • Fix Lucee 7 CI - CFConfig (which applies the /Taffy CFML mapping from .cfconfig.json) doesn't support Lucee 7 and is uninstalled. Added a taffy symlink in the webroot so extends="taffy.core.api" resolves at compile time without the mapping.
• Housekeeping
  • Update box.json version to 4.0.0.

4.x.x Breaking changes! ⚠️

The only intentional breaking change is dropping support for older CFML engines/versions.

This release is a COMPLETE REWRITE of almost the entire codebase. In the process, we're finally stepping away from support for Adobe ColdFusion 8. If you're still on that version, God help you.

I was testing against Lucee 5.x because that's the earliest CFML engine I have at my disposal easily right now. In theory it should be compatible with ACF 2016+, possibly earlier. If anyone wants to figure out what the minimum capable ACF version is, that would be nice.

• All CFC's have migrated to full-cfscript
• jQuery, Bootstrap, and LessCSS have all been removed in favor of vanilla JS+CSS (dashboard + docs)
• Test suite completely rewritten and updated to latest version of Testbox
• Dashboard design overhauled... It's the same, but different.
• Generated API docs got the same treatment as the dashboard

v4.0.0-beta.4

Beta 4

Cumulative updates; everything new in 4.x so far:

• Bug Fixes
  • Fix inverted cache timing calculation - one instance was computed as (startTime - endTime), producing a negative value.
  • Fix queryToArray polyfill return type - Function signature declared struct but the implementation returns an array.
  • Docs: exceptionLogAdapter default - Documentation incorrectly said LogToEmail; actual default is LogToDevNull and has been for quite some time.
• Improvements
  • Added Atkinson Hyperlegible from google fonts. By default the docs and dashboard now use Atkinson Hyperlegible -- a font designed for accessibility -- from Google Fonts. I realize not everyone wants to allow google fonts usage, so you can disable it with variables.framework.allowGoogleFonts (default: true). Doing so will fall back to more typically available system fonts.
  • Updated generated API docs to use the same design as the new dashboard
  • Replace evaluate() with invoke() for setter-based DI - evaluate() is a known injection vector and anti-pattern. invoke() is the modern CFML approach. Pretty sure the evaluate approach was a relic of old ACF/Railo support that we no longer maintain.
  • Replace duplicate logic for handling detection of docs/dashboard requests with reusable handleDashboardRequest().
  • Decouple baseSerializer from application scope - noData() no longer reads application._taffy.settings directly. Added instance variable with setter, injected by the framework. Enables standalone unit testing without mocking the application scope.
• Removed
  • Remove dead Railo references - No need to keep structKeyExists(server, "railo") checks.
• Tests
  • Add end-to-end HTTP tests - New test API app (tests/testapi/) with echo resources and e2e spec making real cfhttp requests. Covers GET/POST/PUT/DELETE, URI token extraction, JSON deserialization, custom headers, 404/405 responses, and X-HTTP-Method-Override tunneling.
  • Fix e2e test compatibility across Lucee 5, 6, and 7 - Handle byte array fileContent on Lucee 5, getDirectoryFromPath() trailing-slash behavior on Lucee 7, charset encoding, and output whitespace leakage.
• CI
  • Fix Lucee 7 CI - CFConfig (which applies the /Taffy CFML mapping from .cfconfig.json) doesn't support Lucee 7 and is uninstalled. Added a taffy symlink in the webroot so extends="taffy.core.api" resolves at compile time without the mapping.
• Housekeeping
  • Update box.json version to 4.0.0.

4.x.x Breaking changes! ⚠️

The only intentional breaking change is dropping support for older CFML engines/versions.

This release is a COMPLETE REWRITE of almost the entire codebase. In the process, we're finally stepping away from support for Adobe ColdFusion 8. If you're still on that version, God help you.

I was testing against Lucee 5.x because that's the earliest CFML engine I have at my disposal easily right now. In theory it should be compatible with ACF 2016+, possibly earlier. If anyone wants to figure out what the minimum capable ACF version is, that would be nice.

• All CFC's have migrated to full-cfscript
• jQuery, Bootstrap, and LessCSS have all been removed in favor of vanilla JS+CSS (dashboard UI)
• Test suite completely rewritten and updated to latest version of Testbox
• Dashboard design overhauled... It's the same, but different.
• Generated API docs got the same treatment as the dashboard

v4.0.0-beta.3

Beta 3

• Added Atkinson Hyperlegible from google fonts (see below)
• Updated generated API docs to use the same design as the new dashboard

4.x.x Breaking changes! ⚠️

... but no significant functional changes. 🧐 The only intentional breaking change is dropping support for older CFML engines/versions.

This release is a COMPLETE REWRITE of almost the entire codebase. In the process, we're finally stepping away from support for Adobe ColdFusion 8. If you're still on that version, God help you.

I was testing against Lucee 5.x because that's the earliest CFML engine I have at my disposal easily right now. In theory it should be compatible with ACF 2016+, possibly earlier. If anyone wants to figure out what the minimum capable ACF version is, that would be nice.

• All CFC's have migrated to full-cfscript
• jQuery, Bootstrap, and LessCSS have all been removed in favor of vanilla JS+CSS (dashboard UI)
• Test suite completely rewritten and updated to latest version of Testbox
• Dashboard design overhauled... It's the same, but different.
• Generated API docs got the same treatment as the dashboard
• The one new feature: variables.framework.allowGoogleFonts (default: true). By default the docs and dashboard use Atkinson Hyperlegible -- a font designed for accessibility -- from Google Fonts. I realize not everyone wants to allow google fonts usage, so you can disable it with this setting. Doing so will fall back to more typically available system fonts.

v4.0.0-beta.1

*Checks watch*... It's been a minute. Hi.

Breaking changes! ⚠️

... but no functional changes. 🧐 The only intentional breaking change is dropping support for older CFML engines/versions.

This release is a COMPLETE REWRITE of almost the entire codebase. In the process, we're finally stepping away from support for Adobe ColdFusion 8. If you're still on that version, God help you.

I was testing against Lucee 5.x because that's the earliest CFML engine I have at my disposal easily right now. In theory it should be compatible with ACF 2016+, possibly earlier. If anyone wants to figure out what the minimum capable ACF version is, that would be nice.

• All CFC's have migrated to full-cfscript
• jQuery, Bootstrap, and LessCSS have all been removed in favor of vanilla JS+CSS (dashboard UI)
• Test suite completely rewritten and updated to latest version of Testbox
• Dashboard design overhauled... It's the same, but different.

Rewrite methodology

1. The tests were updated first, without modifying any framework code, and all passed.
2. Then the framework was updated without modifying any test code, and all tests passed.
3. Then changes like redesigning the dashboard and rewriting dashboard JS were done.

In theory, everything's ready for production. I've done some poking around and it seeeeems fine. I'm going to plug it in at work and see if anything goes boom. It would be really nice if others could try it in low-stakes projects too, hence the beta release.

v3.7.0

• Resolve compatibility issue with Lucee 6 (queryToStruct now available as qToStruct, and queryToArray as qToArray), thanks, @tomchiverton for the report.

v3.6.0

Full Changelog: v3.5.0...v3.6.0

v3.5.0

What's Changed

New Features 🎉

• Tweet about new versions of Taffy by @atuttle in #425

Full Changelog: https://github.com/atuttle/Taffy/commits/v3.5.0