Releases: microsoft/CCF
5.0.0-dev7
- POST /recovery/members/{memberId}:recover is now authenticated by COSE Sign1, making it consistent with the other POST endpoints in governance, and avoiding a potential denial of service where un-authenticated and un-authorised clients could submit invalid shares repeatedly. The submit_recovery_share.sh script has been amended accordingly, and now takes a --member-id-privk and --member-id-cert (#5821).
MCR Docker Images: App Development, C++ Runtime, TypeScript/JavaScript Runtime
5.0.0-dev6
- Lifted parser size limits on forwarded requests from default values to more permissive ones. Note that the limits set out on the interface of the inbound node still apply (#5803).
- ccf.crypto.unwrapKey() has been added to the JS API (#5792).
4.0.12
5.0.0-dev5
- In governance contexts, JS runtimes now only use runtime limits from the public:ccf.gov.js_runtime_options map if they are strictly higher than the defaults (#5730).
- Fixed an issue where a JS runtime limit could be hit outside of user code execution, leading to an incorrectly constructed JS runtime or a crash (#5730).
- Added a GET /node/primary endpoint, returning 200 when primary and 404 when not, for load balancers to use (#5789).
4.0.11
- Path to the enclave file should now be passed as --enclave-file CLI argument to cchost, rather than enclave.file entry within configuration file. A potential SNP security context directory environment variable override, where desired, should now be passed as --snp-security-context-dir-var CLI argument to cchost, rather than attestation.environment.security_context_directory entry within configuration file. This is to ensure that these values are attested on Confidential Containers/SNP, even if the configuration itself is provided from un-attested storage, such as an external mount. The configuration entries are deprecated, and will be removed in a future release.
- A new versioned governance API is now available, with the api-version=2023-06-01-preview query parameter. This will fully replace the previous governance endpoints, which will be removed in a future release. A guide to aid in upgrading from the previous API is available.
- Added a consensus.max_uncommitted_tx_count configuration option, which specifies the maximum number of transactions that can be pending on the primary. When that threshold is exceeded, a 503 Service Unavailable is temporarily returned on all but the /node/* paths (#5692).
- In governance contexts, JS runtimes now only use runtime limits from the public:ccf.gov.js_runtime_options map if they are strictly higher than the defaults (#5730).
- Fixed an issue where a JS runtime limit could be hit outside of user code execution, leading to an incorrectly constructed JS runtime or a crash (#5730).
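An added example, not part of the CCF release notes or code base: a pre-flight check for the enclave-file change above that finds the two deprecated entries in a parsed cchost configuration and moves their values onto the command line, where they are covered by attestation. It assumes the dotted names denote nested JSON objects; the sample configuration, its paths and the helper names are constructed for illustration.

```python
import json
import shlex

# Deprecated configuration entries named in the release note, mapped to the
# cchost CLI arguments that replace them. Reading the dotted names as nested
# JSON objects is an assumption of this example.
DEPRECATED_TO_CLI = {
    ("enclave", "file"): "--enclave-file",
    ("attestation", "environment", "security_context_directory"):
        "--snp-security-context-dir-var",
}

# Constructed sample configuration: paths and values are placeholders.
SAMPLE_CONFIG = {
    "enclave": {"file": "/opt/example/libapp.so", "platform": "SNP"},
    "attestation": {
        "environment": {"security_context_directory": "EXAMPLE_CONTEXT_DIR"}
    },
}

def lookup(node, path):
    """Return the value at a nested key path, or None if any level is absent."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def migrate(config):
    """Return (cli_args, cleaned_config); the input dict is left unmodified."""
    cleaned = json.loads(json.dumps(config))  # deep copy of JSON-like data
    cli_args = []
    for path, flag in DEPRECATED_TO_CLI.items():
        value = lookup(cleaned, path)
        if value is None:
            continue
        cli_args += [flag, str(value)]
        del lookup(cleaned, path[:-1])[path[-1]]  # drop the deprecated entry
    return cli_args, cleaned

def command_line(config_path, cli_args):
    """Render the cchost invocation with the values moved onto the CLI."""
    return shlex.join(["cchost", "--config", config_path, *cli_args])

if __name__ == "__main__":
    args, cleaned = migrate(SAMPLE_CONFIG)
    print(command_line("/mnt/external/cchost_config.json", args))
    print(json.dumps(cleaned, indent=2))
```

Running migrate() a second time on the cleaned configuration returns no arguments, which makes it usable as a deployment gate that fails while either deprecated entry is still present.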
5.0.0-dev4
- Fix for JS execution behaviour when reusing interpreters. Storing KV handles on the global state may lead to unsafe accesses. Work around that by lazily requesting handles in the TypedKvMap for TypeScript apps.
- On retirement, nodes that are primary now request that their most likely successor triggers an instant election, without waiting for a timeout. This speeds up some reconfigurations, particularly code updates, since they result in all the nodes being replaced. (#5697)
5.0.0-dev3
- Added a consensus.max_uncommitted_tx_count configuration option, which specifies the maximum number of transactions that can be pending on the primary. When that threshold is exceeded, a 503 Service Unavailable is temporarily returned on all but the /node/* paths (#5692).
- A new versioned governance API is now available, with the api-version=2023-06-01-preview query parameter. This will fully replace the previous governance endpoints, which will be removed in a future release. A guide to aid in upgrading from the previous API is available.
4.0.10
- The CCF Python package now requires cryptography 41.*
5.0.0-dev2
- Updated llhttp from 6.0.9 to 9.0.1.
- Updated fmt library from 9.1.0 to 10.1.1.
- Updated QCBOR from 1.1 to 1.2.
- Updated nghttp2 from 1.51.0 to 1.55.1.
- Converted SNP attestation UVM endorsements from integer to arbitrary string.
- Updated Intel SGX PSW from 2.17 to 2.20 (#5616)
- Path to the enclave file should now be passed as --enclave-file CLI argument to cchost, rather than enclave.file entry within configuration file. A potential SNP security context directory environment variable override, where desired, should now be passed as --snp-security-context-dir-var CLI argument to cchost, rather than attestation.environment.security_context_directory entry within configuration file. This is to ensure that these values are attested on Confidential Containers/SNP, even if the configuration itself is provided from un-attested storage, such as an external mount. The configuration entries are deprecated, and will be removed in a future release.
- Added ccf.SnpAttestation.verifySnpAttestation() endpoint for TypeScript apps. (#5653)
- Secret sharing used for ledger recovery now relies on a much simpler implementation that requires no external dependencies. Note that while the code still accepts shares generated by the old code for now, it only generates shares with the new implementation. As a result, a DR attempt that would downgrade the code to a version that pre-dates this change, after having previously picked it up, would not succeed if a reshare had already taken place (#5655).
4.0.9
- Secret sharing used for ledger recovery now relies on a much simpler implementation that requires no external dependencies. Note that while the code still accepts shares generated by the old code for now, it only generates shares with the new implementation. As a result, a DR attempt that would downgrade the code to a version that pre-dates this change, after having previously picked it up, would not succeed if a reshare had already taken place (#5655).