Breeze.Server.NET Release Notes

Please update to 1.6.5 or later. All previous breeze.server.net releases have a security vulnerability in JSON deserialization.

1.6.5 June 1, 2017

Breeze.Server.NET Fixed Bugs

  • Security Issue in JSON deserialization. Changed TypeNameHandling to TypeNameHandling.None for JSON deserialization, to prevent a possible remote code execution vulnerability. Thanks to Alvaro Muñoz and Alexandr Mirosh from Hewlett-Packard Enterprise Security for pointing out this flaw. See their Black Hat Briefing regarding JSON vulnerabilities.

1.6.0 Dec. 1, 2016

Breeze.Server.NET Features

  • Server-side deletes sent to client as DeletedKeys property of SaveResult
  • Include .PDB files in NuGet packages (PR #38)
  • Updated NuGet dependencies

Breeze.Server.NET Fixed Bugs

  • Querystring parameters not re-encoded on $expand, $orderby, or $select (PR #44)

1.5.5 Feb. 2, 2016

Breeze.Server.NET Features

  • Allow arrays in originalValuesMap (Issue #2)
  • NHibernate: Changed NHExpander to expand IEnumerable (includes collections and sets) (Issue #28)
  • NHibernate: Change support to NH 4
  • Change to WebActivatorEx
  • Add XML comment information to Nuget packages

Breeze.Server.NET Fixed Bugs

  • NHibernate: Ordering of dependent entities during save
  • NHibernate: Error when using formula column (thanks lnu)
  • NHibernate: Transaction is rolled back twice, resulting in AdoTransaction error (thanks lnu)
  • Inline count executed twice
  • EFEntityError.ErrorName never set (thanks tschettler)
  • Error when SaveMap contains unknown EntityType

See the prior release notes for previous changes.