cloudflare/chanfana v3.1.0

v3.1.0

Repository: cloudflare/chanfana

Tag: v3.1.0

Published: 2026-02-24T23:17:02Z

Prerelease: no

Release notes:

chanfana@3.1.0

Minor Changes

Breaking Changes

• Parameter helpers removed — Str(), Num(), Int(), Bool(), DateTime(), DateOnly(), Email(), Uuid(), Hostname(), Ipv4(), Ipv6(), Ip(), Regex(), Enumeration(), and convertParams() removed. Use native Zod schemas directly.
• Legacy type support removed — legacyTypeIntoZod, Arr(), Obj() no longer exported. contentJson() now requires a Zod schema.
• D1 error messages sanitized — Database errors no longer expose internals. Use constraintsMessages for user-friendly messages.
• D1 delete/update restricted to primary key filters — Only primaryKeys filters used in WHERE clauses.
• D1 `per_page` capped at 100 — Configurable via maxPerPage.
• `raiseUnknownParameters` enforced — Was previously accepted but non-functional; now active.

New Features

• 10 new exception classes — UnauthorizedException (401), ForbiddenException (403), MethodNotAllowedException (405), ConflictException (409), UnprocessableEntityException (422), TooManyRequestsException (429), InternalServerErrorException (500), BadGatewayException (502), ServiceUnavailableException (503), GatewayTimeoutException (504)
• D1 SQL injection prevention — validateSqlIdentifier(), validateTableName(), validateColumnName(), buildSafeFilters(), buildPrimaryKeyFilters(), getD1Binding(), handleDbError(), and query clause builders
• `Retry-After` header — Automatically set for TooManyRequestsException and ServiceUnavailableException
• `getUnvalidatedData()` — Access raw request data before Zod defaults/transformations
• Hono `basePath()` auto-detection — Detected automatically; combining basePath() and base option now throws a descriptive error
• Hono error flow — Errors flow through Hono's app.onError as HTTPException instances instead of being caught internally

Bug Fixes

• D1: Prevent unscoped DELETE/UPDATE via buildPrimaryKeyFilters()
• D1: Fix shared exception instances, empty update SQL, LIKE wildcard escaping
• D1: Column names validated against model schema
• D1: Read/Delete endpoints use consistent primary key filters and error handling
• Fixed: schema generation errors now propagate instead of being silently swallowed
• Fixed: CreateEndpoint response schema references 201 instead of 200
• Fixed: falsy defaults (0, false, "") correctly applied
• Fixed: BigInt coercion uses BigInt() directly to avoid precision loss
• Fixed: boolean coercion null guard, HEAD request body parsing, YAML URL generation
• Fixed: ApiException import changed to value import for instanceof checks
• Fixed: ReadEndpoint/ListEndpoint document InputValidationException in 400 responses

Improvements

• D1 parallel queries via Promise.all() for list endpoint
• Configurable maxPerPage class property
• Normalized ORDER BY to lowercase "asc"/"desc"
• sanitizeOperationId() removes special characters
• Router constructor validation throws if router argument is missing
• Error responses include result: {} for consistent shape
• Comprehensive JSDoc across exception classes, D1 endpoints, and handler methods

Patch Changes

• Include source code, AI coding skills, and documentation in npm package. Added llms.txt entry point.