FlexGate Proxy

Appearance

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[0.1.0-beta.2] - 2026-03-27

🔒 Security

  • Removed jade dependency — was a direct production dependency but completely unused. Eliminated 4 CVEs it carried transitively: constantinople (critical — sandbox bypass/RCE), uglify-js (critical — ReDoS), clean-css (moderate — ReDoS), transformers (high — ReDoS)
  • Upgraded http-proxy-middleware ^2.0.6^3.0.5 — removes the vulnerable picomatch@2.3.1 transitive path. Breaking change handled: proxy event handlers migrated from top-level onProxyReq/onProxyRes/onError to nested on: { proxyReq, proxyRes, error } (v3 API)
  • Upgraded morgan ~1.9.1~1.10.1 — fixes on-headers HTTP response header manipulation vulnerability (CVE GHSA-76c9-3jph-rj3q)
  • Added overrides in package.json to force safe transitive dependency versions:
    • picomatch^4.0.4 (fixes ReDoS + method injection CVEs)
    • flatted^3.4.2 (fixes unbounded recursion DoS + prototype pollution)
    • brace-expansion^5.0.5 (fixes zero-step sequence memory exhaustion)
  • Result: npm audit now reports 0 vulnerabilities (down from 13: 3 critical, 4 high, 3 moderate, 3 low)

Changed

  • CORS is now restricted — previously app.use(cors()) allowed all origins; now uses an allowlist via ALLOWED_ORIGINS environment variable (comma-separated). Defaults to localhost development origins
  • API rate limiting is now tiered:
    • globalApiRateLimiter — 100 req/min applied to all /api/*
    • adminApiRateLimiter — 60 req/min applied to admin routes (routes, webhooks, settings, logs, metrics, AI, troubleshooting)
    • authRateLimiter — 5 req/15min on /api/auth to prevent brute-force attacks

Added

  • New API routes registered in app.ts:
    • GET|PUT|POST /api/settings — general settings management with validation, sanitization and backup
    • GET|PUT /api/settings/ai — AI provider configuration
    • GET|PUT /api/settings/claude — Claude-specific settings
    • GET|POST /api/ai — AI analysis endpoints
    • GET|POST|PUT|DELETE /api/ai-incidents — AI incident tracking

[0.1.0-beta.1] - 2026-02-04

🎉 First Public Beta Release

This is the initial beta release of FlexGate Proxy available on npm!

⚠️ Beta Status: Not recommended for production use. Please report issues on GitHub.

Added

NPM Package & CLI

  • NPM Package: Published as flexgate-proxy on npm registry
  • CLI Tool: flexgate command for easy management
    • flexgate start - Start the gateway
    • flexgate init - Generate configuration file
    • flexgate migrate - Run database migrations
    • flexgate status - Check health status
  • Programmatic API: Use as a library in Node.js applications
  • Post-Install Guide: Helpful welcome message and quick start
  • TypeScript Definitions: Full .d.ts files included

Developer Experience

  • QUICK_START.md: Get started in 5 minutes guide
  • Beta Release Checklist: Complete release process documentation
  • Examples: Common use case examples
  • Automated Security: Dependabot + CodeQL configured

Changed

  • Version: Set to 0.1.0-beta.1 for initial beta release
  • Package Metadata: Updated author, repository, and npm configuration
  • Build Output: Optimized dist/ folder for npm distribution

Known Limitations

  • Admin UI requires separate build step
  • Limited test coverage in some areas
  • Performance not yet optimized for high load
  • Some advanced features still in development

Contributors

  • @tapas100

1.0.0 - 2026-01-26

Added

  • Core proxy functionality

    • HTTP/HTTPS request proxying
    • Streaming large responses
    • Connection pooling

  • Security

    • SSRF protection (IP blacklist, host allowlist)
    • Header sanitization
    • Request/response size limits
    • API key authentication (HMAC-SHA256)

  • Reliability

    • Circuit breaker pattern per upstream
    • Exponential backoff retries with jitter
    • Request/connection/DNS timeouts
    • Graceful degradation under load

  • Rate Limiting

    • Token bucket algorithm
    • Redis-backed distributed rate limiting
    • Fallback to local rate limiting
    • Per-route configuration

  • Observability

    • Structured JSON logging with correlation IDs
    • Prometheus metrics (RPS, latency, errors)
    • Health check endpoints (live, ready, deep)
    • Log sampling (configurable)

  • Configuration

    • YAML-based config
    • Hot reload support
    • Per-route overrides
    • Environment variable support

  • Deployment

    • Docker support with multi-stage build
    • Kubernetes manifests (Deployment, Service, HPA, PDB)
    • Docker Compose for local dev
    • Prometheus/Grafana stack

  • Documentation

    • Comprehensive README
    • Threat model analysis
    • Observability guide
    • Traffic control patterns
    • Architectural trade-offs
    • Benchmark results

Security

  • SSRF protection against cloud metadata endpoints
  • Deny-by-default security posture
  • Input validation and sanitization

[Unreleased]

Planned

  • mTLS support for upstream connections
  • OpenTelemetry distributed tracing
  • GraphQL federation support
  • Admin UI for configuration management
  • gRPC proxying
  • WebAssembly plugin system

Released under the MIT License.

Copyright © 2024–2026 tapas100