Merge pull request #9 from PSPDFKit-labs/release/2.0.0

jdrhyne · web-flow · commit 1517a8096f3c · 2026-01-28T08:37:23.000-05:00
Release/2.0.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,42 +7,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+_Nothing yet._
+
+## [2.0.0] - 2026-01-27
+
 ### Security
 
 - Updated `axios` from ^1.10.0 to ^1.13.2 to fix DoS vulnerability (GHSA-4hjh-wcwx-xvwj)
 - Updated `form-data` from ^4.0.4 to ^4.0.5
 - Added npm overrides for transitive dependency vulnerabilities:
   - `glob` ^11.0.4 (fixes GHSA-5j98-mcp5-4vw2 command injection)
   - `js-yaml` ^4.1.1 (fixes GHSA-mh29-5h37-fv8m prototype pollution)
+- URL inputs are no longer fetched client-side; URLs are passed to the server to mitigate SSRF risks
 
 ### Changed
 
-- Updated devDependencies to latest compatible versions:
-  - `@eslint/eslintrc` ^3.3.3
-  - `@eslint/js` ^9.39.2
-  - `@types/node` ^24.10.7
-  - `@typescript-eslint/eslint-plugin` ^8.53.0
-  - `@typescript-eslint/parser` ^8.53.0
-  - `dotenv` ^17.2.3
-  - `eslint` ^9.39.2
-  - `eslint-config-prettier` ^10.1.8
-  - `eslint-plugin-jest` ^29.12.1
-  - `globals` ^16.5.0
-  - `jest` ^30.2.0
-  - `openapi-typescript` ^7.10.1
-  - `prettier` ^3.7.4
-  - `rimraf` ^6.1.2
-  - `ts-jest` ^29.4.6
-  - `tsup` ^8.5.1
-  - `tsx` ^4.21.0
-  - `typescript` ^5.9.3
+- Most methods accept URL inputs via `FileInputWithUrl` and pass URLs to the server for fetching
+- `sign()` now only accepts local files (file paths, Buffers, or Uint8Arrays); fetch remote files first
+- Updated devDependencies to latest compatible versions
 - Switched Jest coverage provider from Istanbul to V8 for Node.js 25+ compatibility
 - Excluded generated API types from coverage collection (reduces noise in coverage reports)
 
+### Removed
+
+- Removed client-side URL fetching helper `processRemoteFileInput` from public exports
+- Removed client-side PDF parsing helpers (`getPdfPageCount`, `isValidPdf`)
+
 ### Added
 
+- SSRF protection documentation in README
 - This CHANGELOG.md file to track project changes
 
+
 ## [1.0.1] - 2025-01-09
 
 ### Changed
@@ -68,6 +64,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Comprehensive error handling with typed error classes
 - AI agent integration rules for Claude Code, Cursor, GitHub Copilot, Junie, and Windsurf
 
-[Unreleased]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v1.0.1...HEAD
+[Unreleased]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v2.0.0...HEAD
+[2.0.0]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v1.0.1...v2.0.0
 [1.0.1]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/PSPDFKit-labs/nutrient-dws-client-typescript/releases/tag/v1.0.0
diff --git a/README.md b/README.md
@@ -34,6 +34,10 @@ or
 yarn add @nutrient-sdk/dws-client-typescript
 ```
 
+## Migration Guides
+
+- v2.0.0: See `docs/MIGRATION.md` for URL input changes and `sign()` restrictions.
+
 ## Integration with Coding Agents
 
 This package has built-in support with popular coding agents like Claude Code, GitHub Copilot, Cursor, and Windsurf by exposing scripts that will inject rules instructing the coding agents on how to use the package. This ensures that the coding agent doesn't hallucinate documentation, as well as making full use of all the features offered in Nutrient DWS TypeScript Client.
diff --git a/docs/MIGRATION.md b/docs/MIGRATION.md
@@ -0,0 +1,32 @@
+# Migration Guide
+
+## 2.0.0
+
+### 1) URL inputs now use `FileInputWithUrl`
+
+`FileInput` no longer includes URLs. If you need to pass URLs, use `FileInputWithUrl`.
+
+```ts
+import type { FileInputWithUrl } from '@nutrient-sdk/dws-client-typescript';
+
+const input: FileInputWithUrl = 'https://example.com/doc.pdf';
+const result = await client.convert(input, 'docx');
+```
+
+### 2) `processRemoteFileInput` removed
+
+If you previously used `processRemoteFileInput`, fetch the remote file yourself and pass a buffer.
+
+```ts
+// v1.x (no longer available)
+import { processRemoteFileInput } from '@nutrient-sdk/dws-client-typescript';
+
+// v2.0.0+
+const res = await fetch('https://example.com/doc.pdf');
+const buffer = Buffer.from(await res.arrayBuffer());
+const result = await client.sign(buffer, { data: { signatureType: 'cms' } });
+```
+
+### 3) `sign()` no longer accepts URLs
+
+`sign()` only accepts local inputs (file path, Buffer, or Uint8Array). For remote files, fetch first and pass a buffer.
diff --git a/examples/package-lock.json b/examples/package-lock.json
diff --git a/examples/package.json b/examples/package.json
@@ -10,7 +10,7 @@
   "private": true,
   "dependencies": {
     "dotenv": "^17.0.0",
-    "@nutrient-sdk/dws-client-typescript": "file:../nutrient-sdk-dws-client-typescript-1.0.1.tgz"
+    "@nutrient-sdk/dws-client-typescript": "file:../nutrient-sdk-dws-client-typescript-2.0.0.tgz"
   },
   "devDependencies": {
     "@types/node": "^24.0.7",
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@nutrient-sdk/dws-client-typescript",
-  "version": "1.0.1",
+  "version": "2.0.0",
   "description": "Node.js TypeScript client library for Nutrient Document Web Services (DWS) API",
   "keywords": [
     "nutrient",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@nutrient-sdk/dws-client-typescript",`
`3`		`- "version": "1.0.1",`
	`3`	`+ "version": "2.0.0",`
`4`	`4`	`"description": "Node.js TypeScript client library for Nutrient Document Web Services (DWS) API",`
`5`	`5`	`"keywords": [`
`6`	`6`	`"nutrient",`