This file records the changes in each m3api release.
The annotated tag (and GitHub release) for each version also lists the changes, but this file may sometimes contain later improvements (e.g. typo fixes).
- Updated the link to the User-Agent policy after it was moved from metawiki to foundationwiki.
- Error responses with non-200 HTTP status codes are now supported,
as long as the
MediaWiki-API-Errorresponse header is present to indicate that the response represents a regular error and not an internal error. (The status code is ignored; the response body is expected to contain a response with one or more regular errors.) - Updated dependencies.
- Updated undici, avoiding CVE-2023-45143. The potential impact of this security vulnerability should have been very low: when using the fetch-node backend and a cookie-based session type, an attacker with the ability to create an open redirect on the target API could potentially have obtained session cookies for the API. (I see no reason to expect an open redirect vulnerability to exist in the action API: I’m not aware of any API action that issues HTTP-level redirects at all.)
- Updated dependencies.
- BREAKING CHANGE: m3api now requires at least Node.js version 18.2.0, up from Node 12.22.0 or Node 14.17.0 previously. The internal breaking changes below are also related to this.
- Internal Breaking Change:
The file
add-performance-global.jshas been removed, as it is no longer needed. - Internal Breaking Change:
The file
axios.jshas been removed, as axios is no longer used. Its role has been taken over byfetch-node.js. - Internal Breaking Change:
The file
fetch.jsis no longer suitable for use in Chrome-like browsers. The functionality of renaming theuser-agentrequest header toapi-user-agenthas been moved tofetch-browser.js. - m3api now uses
fetch()on all supported platforms. The public interface,browser.jsandnode.js, can be used as before. The internal interface has been rearranged, withfetch.jsnow used for both backends, augmented byfetch-browser.jsandfetch-node.js. - m3api now supports
BlobandFileparameters in POST requests. This can be used to upload files. - Improved
README.mdformatting for npmjs.com. - Updated dependencies.
- The new
errorHandlersoption can be used to customize error handling. It is only part of the internal interface, not of the stable, public interface. Using this option, extension packages or end users can register handlers for certain API error codes; the handlers can e.g. perform necessary cleanup actions and/or retry the request. The existing support for retrying aftermaxlag,readonlyorbadtokenerrors is now also internally implemented in terms of this new option. - Updated dependencies.
- Internal Breaking Change:
The signature of the
internalGet()andinternalPost()methods has changed; anapiUrlstring has been added as the first parameter, and the last parameter is now aheadersobject instead of auserAgentstring. TheapiUrlshould always be used instead ofthis.apiUrl. Inheaders, the header names are always in all-lowercase, so you can safely get theuserAgentvalue asheaders['user-agent']. - m3api now has a stable interface policy, see README.md § stability. Internal breaking changes, such as the one above, do not require bumping the major version number.
- The new
authorizationrequest option can be used to set anAuthorization:request header. This will be used by the upcoming m3api-oauth2 package to support OAuth 2.0; you can also use it directly using the access token of an owner-only client. - The
apiUrlmember of aSessionis now public. This will be used by m3api-oauth2. - A new protected method,
getUserAgent(), can be used to get the user agent for a request. This will be used by m3api-oauth2. - The
dropTruncatedResultWarningoption didn’t work properly when using the defaulterrorformaton current MediaWiki versions; this has been fixed. (It’s still a good idea to set a non-bcerror format in general.) - Exclude axios 1.2.0, which should not be used due to a bug.
- Updated other dependencies.
- Publish documentation on GitHub pages: latest version, v0.7.1.
- Add a
@typedefforOptions, the request options; this may help if you are using m3api with TypeScript or in an IDE. - Updated dependencies.
- BREAKING CHANGE:
A new request option,
maxRetriesSeconds, limits the total duration of retried requests, replacing the previousmaxRetriesoption that limited the number of retried requests. It defaults to 65 seconds, which should be enough to cover a typical brief read-only period on Wikimedia wikis. Interactive applications may wish to use a lower value, to show an error to users earlier rather than waiting for a long time. The previousmaxRetriesoption should no longer be used. - m3api can now automatically add token parameters to requests,
controlled by the two new request options
tokenTypeandtokenName. The most common case, e.g. foraction=edit, is to usetokenType: 'csrf'with the defaulttokenName('token'). m3api will automatically fetch and cache the token (and this internal request can be automatically combined with otheraction=queryrequests), discarding stale tokens and retrying upon encountering abadtokenerror. Tokens are cached in the publicSession.tokensMap, which users and extension packages are encouraged toclear()after changing the session state (e.g. login), to avoid the overhead of abadtokenerror. (Note that the m3api-botpassword extension package does this for you.) - The public interface of m3api has been clarified.
Most importantly,
Session.defaultParams,Session.defaultOptionsandDEFAULT_OPTIONShave been declared public, and extension packages are encouraged to use the latter two for their own options as well. Guidelines for extension packages have also been added to the README. - Requests that produced
maxlagorreadonlyerrors are now automatically retried, even if the response did not include aRetry-Afterresponse header. (Currently, MediaWiki only sends this header formaxlagerrors.) Two new request options,retryAfterMaxlagSecondsandretryAfterReadonlySeconds, control the default retry delay (in seconds) for these errors. The defaults of 5 and 30 seconds respectively are intended to be useful for Wikimedia wikis. If you increase these values, don’t forget to increasemaxRetriesSecondsas well. - The Node.js backend (specifically
axios.js) now keeps the network connection alive (using Node’s default Keep-Alive settings), which can speed up consecutive API requests (e.g. to get and then use a token). - Requests with technically different options can be combined in some more situations.
Specifically, a request explicitly specifying a default option is compatible
with a request not specifying the option at all (both will use the default),
and the
dropTruncatedResultWarningoption does not affect compatibility at all (the option is handled while combining requests, so that truncated result warnings are only sent to the correct requests). - Updated dependencies.
- A new request option,
dropTruncatedResultWarning, is available. Previously, this behavior was hard-coded inrequestAndContinueReducingBatch(); now, it can be optionally enabled inrequest()andrequestAndContinue(), or disabled inrequestAndContinueReducingBatch(). By default, the option is enabled in the latter function and disbled in the former two, so there is no change in behavior unless you set the option with a request. - Updated dependencies.
- BREAKING CHANGE:
Warnings are now always logged to the console by default.
Previously, the Node.js backend only did this if NODE_ENV = “development” was set.
If you use m3api for an interactive CLI application on Node.js,
you may want to configure a custom
warnhandler (using the second constructor argument, next to theuserAgentoption), so that warnings are not shown to end users. You should make sure that the warnings still reach the developers, though. - BREAKING CHANGE:
It is no longer possible to modify continuation
by modifying the contents of a response’s
continuemember; continuation now always proceeds according to the originalcontinuecontents. The fact that this previously worked was not intended, and if any code actually behaves differently due to this change, it is assumed that the previous behavior was a bug rather than intended. If you really want to modify continuation, implement it yourself instead of usingrequestAndContinue. - A new function,
requestAndContinueReducingBatch, is available to work with continuation. It is useful in cases where data for a batch of pages is spread across multiple responses, i.e. in cases where not every response is markedbatchcomplete. (An example is generator=search with prop=revisions: the generator can yield up to 500 results per response, but revisions are limited to 50, so ten requests are required to get the revisions of the whole batch, after which the next batch of 500 search results can commence.) It is expected to be mainly used in libraries, such as the upcoming m3api-query. - The Node.js backend (specifically
axios.js) now requests gzip compression of the response from the server, which should reduce network traffic somewhat. - Fixed a bug in handling warnings for combined requests.
- The “modern” requirements of m3api, i.e. compatibility with different platforms, are documented in the README now.
- Updated dependencies.
- Internal Breaking Change:
The
Sessionconstructor now requires the default request options to includewarn, which must be a function. Thefetch.jsandaxios.jsbackends already add a default for this option, so this is only relevant for you if you wrote a custom network implementation; if you just importbrowser.jsornode.js, it doesn’t matter. - The first constructor argument can now be a domain name instead of a full
api.phpURL, e.g.en.wikipedia.orginstead ofhttps://en.wikipedia.org/w/api.php. - Requests that do not specify a user agent will now trigger a warning,
limited to once per session.
If you see this warning, you should add a user agent to your requests –
see the User-Agent policy.
Usually you would add it to the default options at construction time:
But it can also be specified for an individual request:
const session = new Session( 'en.wikipedia.org', { formatversion: 2, // other default params... }, { userAgent: 'my-cool-tool', // other default options... } );
Recall that the default warning handler isconst response = await session.request( { action: 'query', // other params... }, { userAgent: 'my-cool-tool', // other options... } );
console.warnin the browser, and also in Node.js if NODE_ENV = “development” is set, but otherwise the Node.js backend ignores warnings.
- BREAKING CHANGE:
The third constructor parameter is now an object with default request options,
and the user agent string is just one option, under the
userAgentkey. Convert constructor calls likenew Session( ..., {}, 'user-agent' )tonew Session( ..., {}, { userAgent: 'user-agent' } )instead. - Internal Breaking Change:
The
internalGetandinternalPostmethods now receive an additional parameter, the user agent string, which should be used instead of the constructor option. This is only relevant for you if you wrote a custom network implementation; if you just importbrowser.jsornode.js, it doesn’t matter. - Thanks to the constructor change mentioned above,
the
userAgentrequest option can now specified for an individual request if you want to, and conversely other options likemaxRetriescan be defaulted in the constructor. - Added the
warnrequest option, which can be used to handle warnings from a request. In the browser, and with NODE_ENV = “development” in Node.js, warnings are sent to the console by default. If you use the Node.js backend, but not for a CLI application, consider logging warnings regardless of environment by addingwarn: console.warnto the default request options (or use a custom warning handler). - Added the
responseBooleanutility function, to get a boolean out of a response value regardless offormatversion. - Updated dependencies.
- m3api now automatically combines concurrent compatible API requests.
To make use of this feature, import the
set()helper as a named import, and then useset( ... )instead of[ ... ]for list-like parameters where additional values from other requests can be safely added, such asaction=query’sprop,listandmetaparameters. For more information, see the updated README, especially the new “automatically combining requests” section. - Updated dependencies.
- Updated axios, avoiding CVE-2021-3749. The potential impact of this security vulnerability should have been fairly low: when using the axios backend (but not the fetch backend), a malicious API server could have provoked long processing times, by sending response headers with long sequences of interior whitespace. This would likely have required custom server software, since common servers like Apache and nginx limit the maximum header length, and the performance impact appears to be negligible at 8K characters.
- Updated other dependencies.
First proper update over a previous release.
- Internal Breaking Change:
The
internalGetandinternalPostmethods now return additional data. This is only relevant for you if you wrote a custom network implementation; if you just importbrowser.jsornode.js, it doesn’t matter. - Automatically retry requests when encountering a Retry-After response header.
By default, retry once; adjust or disable with the
maxRetriesrequest option. - A non-200 HTTP response status is now detected and throws an error.
- Improved the default user agent.
- Added package metadata.
First proper release successfully published on npm. No actual change from v0.1.1 apart from the version number.
First release on npm. However, at the time this release was published, the npm registry was apparently confused due to the 0.1.0 release (see below), so the package could not be installed until I fixed the issue by publishing v0.1.2. In theory you can now install this version, but there’s absolutely no reason to. No functional change from v0.1.0.
First release ever published.
I ran npm publish in my working tree with some extra files in it and didn’t notice until it was too late,
so I unpublished the package from npm again and also deleted the Git tag.
The Git commit for this version was probably 00e278a13b50cc903b6fb3d530033098d3a21c90,
but I see no reason to recreate the tag now.