We're excited to announce a significant update to the Server Connect Node.js runtime, bringing critical security fixes, performance improvements, and rock-solid reliability through comprehensive automated testing.

Powered by AI: Using GitHub Copilot's advanced agentic capabilities and Claude Sonnet 4.5, we've created over 2,500 automated tests providing 93% code coverage. This AI-assisted testing infrastructure systematically discovered and fixed bugs that might have gone unnoticed for years.

Furthermore, we've introduced worker thread support for CPU-intensive operations, ensuring your server remains responsive even under heavy load.

In App Connect, we have added global XHR events for better request handling and improved reCaptcha support. See Handle Global Server Connect Events on the Page for more details.

About the new Server Connect NodeJS runtime update:

Performance Enhancements

New Worker Thread Support
Server Connect now uses worker threads for CPU-intensive operations, keeping your server responsive under heavy load:

• CSV Import/Export: Large files (100KB+) and datasets (1,000+ rows) now process in background
• Metadata Parsing: Media files (JPEG, MP4, MP3) no longer block the event loop
• Collection Joins: Large dataset joins (100×100+ rows) run in parallel threads

What This Means For You:

• Your server stays responsive even during heavy operations
• Better CPU utilization on multi-core systems
• Improved scalability for concurrent requests
• No code changes needed - it just works!

Critical Security Fixes

Path Traversal Vulnerability Eliminated

• Fixed critical webhook vulnerability allowing unauthorized file access
• Added comprehensive input sanitization and validation
• Implemented whitelist-based approach with double-verification

Authentication & Session Security

• Fixed authentication priority - Basic Auth now correctly takes precedence over cookies
• Fixed session data preservation during ID regeneration - no more unexpected logouts
• Enhanced protection against session fixation attacks
• Fixed autoLogin() to prevent logout when mixing auth methods

Input Validation Hardening

• Enhanced IBAN validation with country-specific formats
• Fixed SQL conditional filtering to prevent unintended operations
• Added proper parameter validation across all modules

Critical Bug Fixes

Core Runtime (35 bugs fixed)

Module Loading & Routing

• Fixed module loading to work regardless of current working directory
• Fixed custom route and webhook handler loading
• Fixed authentication provider type parameter handling

Data Binding & Parsing

• CRITICAL: Fixed _.property notation in repeat loops - member access now works correctly
• Fixed dataset JSON parsing to handle both strings and objects
• Fixed parseDate to handle null values - no more unexpected 1970-01-01 dates
• Fixed diacritics mapping - added 11 missing European characters

Image Processing

• Fixed percentage-based cropping and resizing
• Corrected watermark positioning calculations
• Added parameter validation to prevent NaN values
• Improved save path validation with helpful error messages

Email Operations

• Fixed URL conversion in HTML emails
• Corrected proxy configuration handling
• Fixed email template processing

Database & API

• Fixed undefined→null conversion in database results
• Fixed conditional filtering in SQL queries
• Fixed JWT token caching to prevent unnecessary regeneration
• Added JWT token flexibility - supports both standard and Server Connect parameter names

File Operations

• Fixed infinite loop in unique filename generation
• Improved type safety in file array handling

Authentication (OTP/2FA)

• Fixed critical HOTP algorithm to conform to RFC 4226/6238
• Fixed function name typos and const reassignment errors
• Improved QR code URI encoding for authenticator apps
• Now fully compatible with Google Authenticator

Parser Enhancements

• Added missing bitwise NOT (~) operator support
• Fixed bitwise operator chaining for OR, XOR, and shift operations

Code Quality Improvements

• Removed dead code and undefined variable references
• Fixed incorrect type validations
• Fixed null value rejection in object operations

Testing Infrastructure

AI-Powered Comprehensive Testing

• 2,518 automated tests created using GitHub Copilot and Claude Sonnet
• 93% code coverage achieved across the entire runtime
• Tests designed to detect real bugs, not just achieve coverage numbers

Quality & Reliability

Production-Ready Stability:

• All fixes maintain 100% backward compatibility
• Your existing Server Connect applications continue to work unchanged
• Comprehensive edge case handling
• Robust error messages for faster debugging

Real-World Testing:

• 380+ logical operator tests ensure expression parsing is rock-solid
• 115+ parser edge case tests cover special values and error conditions
• Comprehensive integration tests for multi-step workflows
• All major modules thoroughly tested

Impact Summary

Before This Update:

• 26 critical bugs in production code
• 9 additional bugs discovered during extended testing
• Limited test coverage
• Some features never tested since implementation

After This Update:

• 35 bugs fixed and verified
• 93% test coverage achieved
• 2,518 automated tests ensuring quality
• Worker thread support for better performance
• Enhanced security across the board
• Rock-solid reliability

What's Next

This update represents a major step forward in Server Connect quality and reliability. The comprehensive test suite and AI-assisted development process ensure that:

1. Future updates will be safer - bugs get caught automatically
2. Performance will continue improving - we can optimize with confidence
3. Security will remain strong - vulnerabilities are detected early
4. Your applications will be more stable - fewer edge cases slip through

Upgrade Recommendation

We strongly recommend updating to this version for:

• The critical security fixes (especially the path traversal vulnerability)
• The performance improvements from worker threads
• The enhanced stability from bug fixes
• The peace of mind from comprehensive testing

All changes are backward compatible - your existing applications will work without modifications while benefiting from these improvements.

Your Server Connect runtime is now more secure, faster, and more reliable than ever.

Other improvements in Wappler 7.4.0 include:

AI Assistant

• Reorganize the Ai Assistant App Connect and Server Connect prompts for better maintenance
• Improved loading prompts from subfolder (prefix) but not automatically from its subfolders

General

• Updated Wappler logo to adjust to theme

Wappler Local PHP Server

• When using the PHP local server with scoop make sure the zip module is also enabled

App Connect 2.1.5

• New DOM events for XHR requests
  • Success (200 success)
  • Invalid (400 invalid)
  • Unauthorized (401 unauthorized)
  • Forbidden (403 forbidden)
  • Rate limit (429 ratelimit)
  • Abort (xhr aborted)
  • Error (any error)

They are triggered in the DOM and Bubble up, so you can add an event handler on the document body to listen to all events or any DOM element to listen for a select group. The event is of type CustomEvent and detail property contains { status, response }.

• Fixed invalid setting readonly loading property on event
• Updated App Connect form to only apply callback to reCaptcha when it is invisible.
• event.target is a readonly property, do not set
• Support for detail on custom event
• Always wait for DOMContentLoaded event (readyState is interactive when using defer/module)

App Connect S3 Upload 2.0.4

• Fixed the reset() method for S3 Multi Upload

Fixed issues

• Targets (doing the same thing twice), option to Apply to ALL Targets?
• Socket behavior on the front end
• Deepseek problem
• Default Server Connect Actions - Client-side
• Socket message event cannot select $event in bindings