fletch 2.0.0

A fast, Express-inspired HTTP framework for Dart. Build production-ready REST APIs with built-in sessions, CORS, rate limiting, and middleware support.

Changelog

All notable changes to fletch will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

2.0.0 - 2025-01-22

💥 BREAKING CHANGES - Complete Package Repurposing

This package has been completely repurposed from a jQuery-like library to an Express-inspired HTTP framework.

Package History

• Versions 0.1.0 - 0.3.0 (2014): jQuery-like library by Rob Kellett
• Version 2.0.0 (2025): Express-inspired HTTP framework by Kartikey Mahawar

Thank you to Rob Kellett for graciously transferring the package name to enable this new project!

For Users of the Original Library (v0.3.0)

If you were using the jQuery-like library:

• Version 0.3.0 remains available: https://pub.dev/packages/fletch/versions/0.3.0
• Original repository: https://github.com/RobKellett/Fletch
• Pin your version in pubspec.yaml:

  dependencies:
    fletch: 0.3.0
  

What's New in 2.0.0

This is a completely new HTTP framework with:

• Express-like API: Familiar app.get(), app.post(), middleware patterns
• Production-ready: HMAC-signed sessions, CORS, rate limiting
• Fast routing: Radix-tree router with path parameters
• Dependency injection: GetIt-powered DI container
• Modular design: Controllers, isolated containers
• Comprehensive docs: https://docs.fletch.mahawarkartikey.in/

Features

• ✅ Express-inspired routing and middleware
• ✅ Built-in session management with HMAC signing
• ✅ CORS and rate limiting middleware
• ✅ Request/response helpers (req.params, res.json())
• ✅ Error handling with custom error types
• ✅ Graceful shutdown support
• ✅ 98 passing tests
• ✅ Full TypeScript-like type safety

Documentation

• Homepage: https://docs.fletch.mahawarkartikey.in/
• GitHub: https://github.com/kartikey321/fletch
• Examples: See /example directory

---

0.3.0 - 2014-07-26 (Original Package by Rob Kellett)

jQuery-like library for Dart. See original repository for details.

---

1.0.0 - 2024-12-13 (Internal Development Version)

🔒 Security Enhancements

• Added HMAC-SHA256 session signing: Session cookies are now cryptographically signed to prevent tampering
• Changed session cookie defaults: Now use secure: true, httpOnly: true, SameSite: Lax by default
• Added constant-time signature comparison: Protection against timing attacks
• Fixed rate limiter memory leak: Cleanup timers now properly disposed on shutdown

✨ New Features

• Pluggable Session Stores: Abstract SessionStore interface for custom persistence backends
• MemorySessionStore: Built-in in-memory store with automatic TTL expiration
• Session lifecycle hooks: Automatic load/save with error handling
• sessionSecret parameter: Configure HMAC secret for production
• secureCookies parameter: Control HTTPS enforcement (default: true)
• sessionStore parameter: Use Redis, PostgreSQL, or custom backends

🔧 Bug Fixes

• Fixed cookie parser discarding empty cookie values (e.g., logout=)
• Fixed rate limiter cleanup timer memory leak
• Removed broken Session.regenerate() method (session ID is immutable)
• Added proper resource cleanup on server shutdown

💥 BREAKING CHANGES

• Session cookies now require HTTPS in production (default secure: true)
  • Set secureCookies: false for local HTTP development
  • Ensure HTTPS is configured for production deployments

Dependencies

• Added: crypto: ^3.0.3