Changelog History

  • v0.9.1.1 Changes

    September 06, 2014
    • Fix backwards compatibility for packages that had weak dependencies on packages renamed in 0.9.1 (ui, deps, livedata). #2521

    • Fix error when using the reactive-dict package without the mongo package.

  • v0.9.0 Changes

    August 26, 2014

    Meteor 0.9.0 introduces the Meteor Package Server. Incorporating lessons from our community's Meteorite tool, Meteor 0.9.0 allows users to develop and publish Meteor packages to a central repository. The meteor publish command is used to publish packages. Non-core packages can now be added with meteor add, and you can specify version constraints on the packages you use. Binary packages can be published for additional architectures with meteor publish-for-arch, which allows cross-platform deploys and bundling. You can search for packages with meteor search and display information on them with meteor show, or you can use the Atmosphere web interface developed by Percolate Studio at

    See and for more details.

    Other packaging-related changes:

    • meteor list now lists the packages your app is using, which was formerly the behavior of meteor list --using. To search for packages you are not currently using, use meteor search. The concept of an "internal" package (which did not show up in meteor list) no longer exists.

    • To prepare a bundle created with meteor bundle for execution on a server, you now run npm install with no arguments instead of having to specify a few specific npm modules and their versions explicitly. See the README in the generated bundle for more details.

    • All under_score-style package.js APIs (Package.on_use, api.add_files, etc) have been replaced with camelCase names (Package.onUse, api.addFiles, etc). The old names continue to work for now.

    • There's a new archMatching option to Plugin.registerSourceHandler, which should be used by any plugin whose output is only for the client or only for the server (eg, CSS and HTML templating packages); this allows Meteor to avoid restarting the server when files processed by these plugins change.

    Other changes:

    • When running your app with the local development server, changes that only affect the client no longer require restarting the server. Changes that only affect CSS no longer require the browser to refresh the page, both in local development and in some production environments. #490

    • When a call to match fails in a method or subscription, log the failure on the server. (This matches the behavior described in our docs)

    • The appcache package now defaults to functioning on all browsers that support the AppCache API, rather than a whitelist of browsers. The main effect of this change is that appcache is now enabled by default on Firefox, because Firefox no longer makes a confusing popup. You can still disable individual browsers with AppCache.config. #2241

    • The forceApprovalPrompt option can now be specified in Accounts.ui.config in addition to Meteor.loginWithGoogle. #2149

    • Don't leak websocket clients in server-to-server DDP in some cases (and fix "Got open from inactive client" error).

    • Updated OAuth url for login with Meetup.

    • Allow minimongo changed callbacks to mutate their oldDocument argument. #2231

    • Fix upsert called from client with no callback. #2413

    • Avoid a few harmless exceptions in OplogObserveDriver.

    • Refactor observe-sequence package.

    • Fix spiderable race condition.

    • Re-apply our fix of NPM bug which got accidentally reverted upstream.

    • Workaround for a crash in recent Safari versions.

    • Upgraded dependencies:

      • less: 1.7.4 (from 1.7.1)
      • tar: 1.0.1 (from 0.1.19)
      • fstream: 1.0.2 (from 0.1.25)

    Patches by GitHub users Cangit, dandv, ImtiazMajeed, MaximDubrovin, mitar, mquandalle, rcy, RichardLitt, thatneat, and twhy.

  • v0.9.0.1 Changes

    August 27, 2014
    • Fix issues preventing hot code reload from automatically reloading webapps in two cases: when the old app was a pre-0.9.0 app, and when the app used appcache. (In both cases, an explicit reload still worked.)

    • Fix publishing packages containing a plugin with platform-specific code but no platform-specific code in the main package.

    • Fix meteor add package@version when the package was already added with a different version constraint.

    • Improve treatment of pre-release packages (packages with a dash in their version). Guarantee that they will not be chosen by the constraint solver unless explicitly requested. meteor list won't suggest that you update to them.

    • Fix slow spiderable executions.

    • Fix dev-mode client-only restart when client files changed very soon after server restart.

    • Fix stack trace on meteor add constraint solver failure.

    • Fix "access-denied" stack trace when publishing packages.

  • v0.8.3 Changes

    July 29, 2014
    • Refactor Blaze to simplify internals while preserving the public API. UI.Component has been replaced with Blaze.View.

    • Fix performance issues and memory leaks concerning event handlers.

    • Add UI.remove, which removes a template after UI.render/UI.insert.

    • Add this.autorun to the template instance, which is like Deps.autorun but is automatically stopped when the template is destroyed.

    • Create <a> tags as SVG elements when they have xlink:href attributes. (Previously, <a> tags inside SVGs were never created as SVG elements.) #2178

    • Throw an error in {{foo bar}} if foo is missing or not a function.

    • Cursors returned from template helpers for #each should implement the observeChanges method and don't have to be Minimongo cursors (allowing new custom data stores for Blaze like Miniredis).

    • Remove warnings when {{#each}} iterates over a list of strings, numbers, or other items that contains duplicates. #1980

    Meteor Accounts
    • Fix regression in 0.8.2 where an exception would be thrown if Meteor.loginWithPassword didn't have a callback. Callbacks to Meteor.loginWithPassword are now optional again. #2255

    • Fix OAuth popup flow in mobile apps that don't support window.opener. #2302

    • Fix "Email already exists" error with MongoDB 2.6. #2238

    mongo-livedata and minimongo
    • Fix performance issue where a large batch of oplog updates could block the node event loop for long periods. #2299.

    • Fix oplog bug resulting in error message "Buffer inexplicably empty". #2274

    • Fix regression from 0.8.2 that caused collections to appear empty in reactive findOne() or fetch queries that run before a mutator returns. #2275

    • Stop including code by default that automatically refreshes the page if JavaScript and CSS don't load correctly. While this code is useful in some multi-server deployments, it can cause infinite refresh loops if there are errors on the page. Add the reload-safetybelt package to your app if you want to include this code.

    • On the server, Meteor.startup(c) now calls c immediately if the server has already started up, matching the client behavior. #2239

    • Add support for server-side source maps when debugging with node-inspector.

    • Add WebAppInternals.addStaticJs() for adding static JavaScript code to be served in the app, inline if allowed by browser-policy.

    • Make the tinytest/run method return immediately, so that wait method calls from client tests don't block on server tests completing.

    • Log errors from method invocations on the client if there is no callback provided.

    • Upgraded dependencies:

      • node: 0.10.29 (from 0.10.28)
      • less: 1.7.1 (from 1.6.1)

    Patches contributed by GitHub users Cangit, cmather, duckspeaker, zol.

  • v0.8.3.1 Changes

    December 09, 2014
    • Fix a security issue in allow/deny rules that could result in data loss. If your app uses allow/deny rules, or uses packages that use allow/deny rules, we recommend that you update immediately. Backport from 1.0.1.
  • v0.8.2 Changes

    June 23, 2014
    Meteor Accounts
    • Switch accounts-password to use bcrypt to store passwords on the server. (Previous versions of Meteor used a protocol called SRP.) Users will be transparently transitioned when they log in. This transition is one-way, so you cannot downgrade a production app once you upgrade to 0.8.2. If you are maintaining an authenticating DDP client:

      • Clients that use the plaintext password login handler (i.e. call the login method with argument { password: <plaintext password> }) will continue to work, but users will not be transitioned from SRP to bcrypt when logging in with this login handler.
      • Clients that use SRP will no longer work. These clients should instead directly call the login method, as in Meteor.loginWithPassword. The argument to the login method can be either:
        • { password: <plaintext password> }, or
        • { password: { digest: <password hash>, algorithm: "sha-256" } }, where the password hash is the hex-encoded SHA256 hash of the plaintext password.
    • Show the display name of the currently logged-in user after following an email verification link or a password reset link in accounts-ui.

    • Add a userEmail option to Meteor.loginWithMeteorDeveloperAccount to pre-fill the user's email address in the OAuth popup.

    • Ensure that the user object has updated token information before it is passed to email template functions. #2210

    • Export the function that serves the HTTP response at the end of an OAuth flow as OAuth._endOfLoginResponse. This function can be overridden to make the OAuth popup flow work in certain mobile environments where window.opener is not supported.

    • Remove support for OAuth redirect URLs with a redirect query parameter. This OAuth flow was never documented and never fully worked.

    • Blaze now tracks individual CSS rules in style attributes and won't overwrite changes to them made by other JavaScript libraries.

    • Add {{> UI.dynamic}} to make it easier to dynamically render a template with a data context.

    • Add UI._templateInstance() for accessing the current template instance from within a block helper.

    • Add UI._parentData(n) for accessing parent data contexts from within a block helper.

    • Add preliminary API for registering hooks to run when Blaze intends to insert, move, or remove DOM elements. For example, you can use these hooks to animate nodes as they are inserted, moved, or removed. To use them, you can set the _uihooks property on a container DOM element. _uihooks is an object that can have any subset of the following three properties:

      • insertElement: function (node, next): called when Blaze intends to insert the DOM element node before the element next
      • moveElement: function (node, next): called when Blaze intends to move the DOM element node before the element next
      • removeElement: function (node): called when Blaze intends to remove the DOM element node

      Note that when you set one of these functions on a container element, Blaze will not do the actual operation; it's your responsibility to actually insert, move, or remove the node (by calling $(node).remove(), for example).

    • The findAll method on template instances now returns a vanilla array, not a jQuery object. The $ method continues to return a jQuery object. #2039

    • Fix a Blaze memory leak by cleaning up event handlers when a template instance is destroyed. #1997

    • Fix a bug where helpers used by {{#with}} were still re-running when their reactive data sources changed after they had been removed from the DOM.

    • Stop not updating form controls if they're focused. If a field is edited by one user while another user is focused on it, it will just lose its value but maintain its focus. #1965

    • Add _nestInCurrentComputation option to UI.render, fixing a bug in {{#each}} when an item is added inside a computation that subsequently gets invalidated. #2156

    • Fix bug where "=" was not allowed in helper arguments. #2157

    • Fix bug when a template tag immediately follows a Spacebars block comment. #2175
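
For maintainers of authenticating DDP clients affected by the 0.8.2 accounts-password change above (SRP replaced by bcrypt), this added example, which is not code from Meteor or from the original changelog, builds the digest form of the login argument and classifies outgoing arguments during a migration audit. The `user` selector field, the DDP `method` frame layout and all function names are assumptions that the changelog does not state.

```javascript
// Added example, not Meteor's own code.
const nodeCrypto = require("crypto");

// Hex-encoded SHA-256 of the plaintext password, as the changelog specifies.
function passwordDigest(plaintext) {
  return nodeCrypto.createHash("sha256").update(plaintext, "utf8").digest("hex");
}

// Digest form of the argument to the `login` method.
// ASSUMPTION: `user` is the account selector ({ username } or { email });
// the changelog only shows the `password` field.
function loginArgument(selector, plaintext) {
  return {
    user: selector,
    password: { digest: passwordDigest(plaintext), algorithm: "sha-256" },
  };
}

// Serialized DDP frame that calls `login` directly instead of using SRP.
// ASSUMPTION: frame layout ({ msg, method, id, params }); id is caller-chosen.
function loginMessage(id, selector, plaintext) {
  return JSON.stringify({
    msg: "method",
    method: "login",
    id: String(id),
    params: [loginArgument(selector, plaintext)],
  });
}

// Audit helper: which of the changelog's cases does an outgoing argument hit?
//   "digest"      - hashed form; the plaintext never leaves the client
//   "plaintext"   - still accepted, but the user is not moved from SRP to bcrypt
//   "unsupported" - anything else, including legacy SRP exchanges
function classifyLoginArgument(arg) {
  const password = arg && arg.password;
  if (typeof password === "string") return "plaintext";
  if (
    password &&
    password.algorithm === "sha-256" &&
    typeof password.digest === "string" &&
    /^[0-9a-f]{64}$/.test(password.digest)
  ) {
    return "digest";
  }
  return "unsupported";
}

// Constructed sample input (not a real account).
const sample = loginArgument({ username: "alice" }, "correct horse battery staple");
console.log(classifyLoginArgument(sample), loginMessage(1, { username: "alice" }, "abc"));
```
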

    Command-line tool
    • Add --directory flag to meteor bundle. Setting this flag outputs a directory rather than a tarball.

    • Speed up updates of NPM modules by upgrading Node to include our fix for instead of passing --force to npm install.

    • Always rebuild on changes to npm-shrinkwrap.json files. #1648

    • Fix uninformative error message when deploying to long hostnames. #1208

    • Increase a buffer size to avoid failing when running MongoDB due to a large number of processes running on the machine, and fix the error message when the failure does occur. #2158

    • Clarify a meteor mongo error message when using the MONGO_URL environment variable. #1256

    Testing
    • Run server tests from multiple clients serially instead of in parallel. This allows testing features that modify global server state. #2088
    Security
    • Add Content-Type headers on JavaScript and CSS resources.

    • Add X-Content-Type-Options: nosniff header to browser-policy-content's default policy. If you are using browser-policy-content and you don't want your app to send this header, then call BrowserPolicy.content.allowContentTypeSniffing().

    • Use Meteor.absoluteUrl() to compute the redirect URL in the force-ssl package (instead of the host header).

    • Allow check to work on the server outside of a Fiber. #2136

    • EJSON custom type conversion functions should not be permitted to yield. #2136

    • The legacy polling observe driver handles errors communicating with MongoDB better and no longer gets "stuck" in some circumstances.

    • Automatically rewind cursors before calls to fetch, forEach, or map. On the client, don't cache the return value of cursor.count() (consistent with the server behavior). cursor.rewind() is now a no-op. #2114

    • Remove an obsolete hack in reporting line numbers for LESS errors. #2216

    • Avoid exceptions when accessing localStorage in certain Internet Explorer configurations. #1291, #1688.

    • Make handle.ready() reactively stop, where handle is a subscription handle.

    • Fix an error message from audit-argument-checks after login.

    • Make the DDP server send an error if the client sends a connect message with a missing or malformed support field. #2125

    • Fix missing jquery dependency in the amplify package. #2113

    • Ban inserting EJSON custom types as documents. #2095

    • Fix incorrect URL rewrites in stylesheets. #2106

    • Upgraded dependencies:

      • node: 0.10.28 (from 0.10.26)
      • uglify-js: 2.4.13 (from 2.4.7)
      • sockjs server: 0.3.9 (from 0.3.8)
      • websocket-driver: 0.3.4 (from 0.3.2)
      • stylus: 0.46.3 (from 0.42.3)

    Patches contributed by GitHub users awwx, babenzele, Cangit, dandv, ducdigital, emgee3, felixrabe, FredericoC, jbruni, kentonv, mizzao, mquandalle, subhog, tbjers, tmeasday.

  • v0.8.1 Changes

    April 30, 2014
    Meteor Accounts
    • Fix a security flaw in OAuth1 and OAuth2 implementations. If you are using any OAuth accounts packages (such as accounts-google or accounts-twitter), we recommend that you update immediately and log out your users' current sessions with the following MongoDB command:

      $ db.users.update({}, { $set: { 'services.resume.loginTokens': [] } }, { multi: true });

    • OAuth redirect URLs are now required to be on the same origin as your app.

    • Log out a user's other sessions when they change their password.

    • Store pending OAuth login results in the database instead of in-memory, so that an OAuth flow succeeds even if different requests go to different server processes.

    • When validateLoginAttempt callbacks return false, don't override a more specific error message.

    • Add Random.secret() for generating security-critical secrets like login tokens.

    • Meteor.logoutOtherClients now calls the user callback when other login tokens have actually been removed from the database, not when they have been marked for eventual removal. #1915

    • Rename Oauth to OAuth. Oauth is now an alias for backwards compatibility.

    • Add oauth-encryption package for encrypting sensitive account credentials in the database.

    • A validate login hook can now override the exception thrown from beginPasswordExchange like it can for other login methods.

    • Remove an expensive observe over all users in the accounts-base package.

    • Disallow javascript: URLs in URL attribute values by default, to help prevent cross-site scripting bugs. Call UI._allowJavascriptUrls() to allow them.

    • Fix UI.toHTML on templates containing {{#with}}.

    • Fix {{#with}} over a data context that is mutated. #2046

    • Clean up autoruns when calling UI.toHTML.

    • Properly clean up event listeners when removing templates.

    • Add support for {{!-- block comments --}} in Spacebars. Block comments may contain }}, so they are more useful than {{! normal comments}} for commenting out sections of Spacebars templates.

    • Don't dynamically insert <tbody> tags in reactive tables.

    • When handling a custom jQuery event, additional arguments are no longer lost -- they now come after the template instance argument. #1988

    DDP and MongoDB
    • Extend latency compensation to support an arbitrary sequence of inserts in methods. Previously, documents created inside a method stub on the client would eventually be replaced by new documents from the server, causing the screen to flicker. Calling insert inside a method body now generates the same ID on the client (inside the method stub) and on the server. A sequence of inserts also generates the same sequence of IDs. Code that wants a random stream that is consistent between method stub and real method execution can get one with DDP.randomStream.

    • The document passed to the insert callback of allow and deny now only has a _id field if the client explicitly specified one; this allows you to use allow/deny rules to prevent clients from specifying their own _id. As an exception, allow/deny rules with a transform always have an _id.

    • DDP now has an implementation of bidirectional heartbeats which is consistent across SockJS and websocket transports. This enables connection keepalive and allows servers and clients to more consistently and efficiently detect disconnection.

    • The DDP protocol version number has been incremented to "pre2" (adding randomSeed and heartbeats).

    • The oplog observe driver handles errors communicating with MongoDB better and knows to re-poll all queries after a MongoDB failover.

    • ๐Ÿ›  Fix bugs involving mutating DDP method arguments.

    meteor command-line tool
    • Move boilerplate HTML from tools to webapp. Change internal Webapp.addHtmlAttributeHook API.

    • Add meteor list-sites command for listing the sites that you have deployed to with your Meteor developer account.

    • Third-party template languages can request that their generated source loads before other JavaScript files, just like *.html files, by passing the isTemplate option to Plugin.registerSourceHandler.

    • You can specify a particular interface for the dev mode runner to bind to with meteor -p host:port.

    • Don't include proprietary tar tags in bundle tarballs.

    • Convert relative URLs to absolute URLs when merging CSS files.

    Upgraded dependencies
    • Node.js from 0.10.25 to 0.10.26.
    • MongoDB driver from 1.3.19 to 1.4.1
    • stylus: 0.42.3 (from 0.42.2)
    • showdown: 0.3.1
    • css-parse: an unreleased version (from 1.7.0)
    • css-stringify: an unreleased version (from 1.4.1)

    Patches contributed by GitHub users aldeed, apendua, arbesfeld, awwx, dandv, davegonzalez, emgee3, justinsb, mquandalle, Neftedollar, Pent, sdarnell, and timhaines.

  • v0.8.1.3 Changes

    May 22, 2014
    • Fix a security issue in the spiderable package. spiderable now uses the ROOT_URL environment variable instead of the Host header to determine which page to snapshot.

    • Fix hardcoded Twitter URL in oauth1 package. This fixes a regression in that broke Atmosphere packages that do OAuth1 logins. #2154.

    • Add credentialSecret argument to Google.retrieveCredential, which was forgotten in a previous release.

    • Remove nonexistent -a and -r aliases for --add and --remove in meteor help authorized. #2155

    • Add missing underscore dependency in the oauth-encryption package. #2165

    • Work around IE8 bug that caused some apps to fail to render when minified. #2037.
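
The 0.8.1.3 spiderable fix above and the 0.8.2 force-ssl change both stop relying on the request's Host header and use the configured root URL instead. This added example, which is not Meteor's code, shows that pattern with the Host-derived form beside the configured-URL form; the function names, request objects and host names are constructed for illustration.

```javascript
// Added example, not Meteor's own code. Request objects are constructed
// and use the field names of Node's http.IncomingMessage (headers, url).

// BEFORE: the redirect target is built from the client-supplied Host header,
// so whoever controls that header controls where the response points.
function redirectFromHostHeader(req) {
  return "https://" + req.headers.host + req.url;
}

// AFTER: the host comes only from operator configuration (for example the
// value of ROOT_URL). The Host header is never read.
function redirectFromRootUrl(rootUrl, req) {
  const root = new URL(rootUrl);
  // Accept only origin-form request targets ("/path?query"); anything else
  // (absolute-form targets, missing url) falls back to the site root.
  const path =
    typeof req.url === "string" && req.url.startsWith("/") ? req.url : "/";
  const target = new URL("https://" + root.host + path);
  // Defence in depth: the parsed result must still be on the configured host.
  if (target.host !== root.host) {
    throw new Error("redirect target left the configured host");
  }
  return target.href;
}

// Detection aid: flag requests whose Host header differs from the configured
// host, so they can be logged or rejected before any URL is built.
function hostMatchesRoot(rootUrl, req) {
  const root = new URL(rootUrl);
  const claimed = String((req.headers && req.headers.host) || "").toLowerCase();
  return claimed === root.host;
}

// Constructed sample requests.
const ROOT = "http://app.example.com";
const samples = [
  { headers: { host: "app.example.com" }, url: "/login?next=1" },
  { headers: { host: "untrusted.invalid" }, url: "/login?next=1" },
  { headers: { host: "untrusted.invalid" }, url: "//untrusted.invalid/x" },
];
for (const req of samples) {
  console.log(
    hostMatchesRoot(ROOT, req) ? "host ok      " : "host mismatch",
    "| before:", redirectFromHostHeader(req),
    "| after:", redirectFromRootUrl(ROOT, req)
  );
}
```
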

  • v0.8.1.2 Changes

    May 12, 2014
    • Fix memory leak (introduced in 0.8.1) by making sure to unregister sessions at the server when they are closed due to heartbeat timeout.

    • Add credentialSecret argument to Google.retrieveCredential, Facebook.retrieveCredential, etc., which is needed to use them as of 0.8.1. #2118

    • Fix 0.8.1 regression that broke apps using a ROOT_URL with a path prefix. #2109

  • v0.8.1.1 Changes

    May 01, 2014
    • Fix 0.8.1 regression preventing clients from specifying _id on insert. #2097

    • Fix handling of malformed URLs when merging CSS files. #2103, #2093

    • Loosen the checks on the options argument to Collection.find to allow undefined values.