5.2

Security

• StaticFiles: prevent path traversal by normalizing the resolved path with
  Path.GetFullPath, rejecting '..' / NUL sequences, and verifying containment
  inside the configured site root (case-insensitive on Windows/macOS).
  Both IsValidPath() and the data-reading methods now use the safe resolver.

• FilesInMemoryCache / InMemoryFilesCacheHandler: bound the in-memory cache
  (MaxItems, default 1024), normalize keys case-insensitively to defeat
  path case-variant OOM DoS, and invalidate stale entries based on the
  file's last-modification timestamp.

• Redirector: harden Redirect(string) - accept same-origin relative paths
  only when they start with '/' (rejecting '//' and '/' scheme-spoofs)
  and compare absolute URLs by scheme+host+port instead of substring
  StartsWith. All redirect/login/previous-page cookies are now HttpOnly,
  SameSite=Lax, Secure.

• SimplifyWebSettings: default HideExceptionDetails to true so unhandled
  exception stack traces are no longer leaked to anonymous users by default.

• LanguageManager: language cookie switched from SameSite=None to Lax.

Fixed

• WebContext: pass leaveOpen:true to the StreamReader used to consume the
  request body so subsequent middleware/model binders can still read it;
  add double-check inside semaphore-guarded sections; implement IDisposable
  so per-scope semaphores release their kernel handles.

• ControllerMetadata: detect [Authorize] on base controllers (inherit:true)
  so derived controllers don't silently become anonymous.

• AuthRedirectExtensions: only issue the 401->redirect when the response
  has not started, avoiding InvalidOperationException 500s when upstream
  authentication middleware already flushed a challenge.

• FileReader: replace static Dictionary caches guarded by an external lock
  with ConcurrentDictionary to eliminate read-while-write corruption.

• TemplateFactory: replace Dictionary + dual lock/semaphore primitives with
  a ConcurrentDictionary cache and unify sync/async paths on a single
  SemaphoreSlim to avoid duplicate-add races.

Dependencies

• Microsoft.Extensions.Configuration.Binder bump to 8.0.2
• Simplify.DI bump to 4.2.11

5.1

Added

• Static files in-memory cache (#267)

Fixed

• Web context is not available on WriteErrorResponseAsync causing NRE

5.0

Breaking

• Internal framework restructure and rewrite (http request and response handling related functionality and metadata rewritten from scratch). Can affect any customizations to related functionality

Added

• Version 2 controllers
• Built-in Json response using System.Text.Json
• Built-in JSON model binder (enabled by default)
• Switchable measurements (StopwatchProvider), disabled by default

Removed

• .NET Framework 4.8 explicit support
• UseSimplifyWebWithoutRegistrations and UseSimplifyWebNonTerminalWithoutRegistrations IApplicationBuilder methods
• ISimplifyWebSettings override via RegisterSimplifyWebSettings
• IConfiguration override via OverrideConfiguration or RegisterConfiguration
• 400 special controller attribute

Changed

• UseSimplifyWeb and UseSimplifyWebNoNTerminal now require passing true to automatically register it's own bootstrapper registrations
• RegisterSimplifyWeb now extension method ofIDIRegistrator instead of IDIContainerProvider, custom internal IDIContainerProvider can be passed via method parameter, if required
• Internal IConfiguration registration override via RegisterSimplifyWeb
• Static files disabled by default (when disabled, static files IOC container registrations will be skipped)
• Environment split to Environment and DynamicEnvironment
• V1 controllers RouteParameters defaulted to empty ExpandoObject to avoid NRE
• SimplifyWebSettings loading thru binder
• Controllers search on execution optimized
• XML comments revisited/updated

Fixed

• Multiple one route controllers handling
• Multiple middlewares having same IsTerminal status

Dependencies

• Switched to explicit Simplify.System 1.6.2 instead of internal Simplify.System.Sources
• Microsoft.Extensions.Configuration.Json bump to 8.0.0
• Microsoft.Extensions.Configuration.Binder 8.0.1 added
• Simplify.Templates bump to 2.0.2
• Internal Simplify.Xml.Sources bump to 1.4

5.0-pre01

Breaking

• Internal framework restructure and rewrite (http request and response handling related functionality and metadata rewritten from scratch). Can affect any customizations to related functionality

Added

• Version 2 controllers
• Built-in Json response using System.Text.Json
• Built-in JSON model binder (enabled by default)
• Switchable measurements (StopwatchProvider), disabled by default

Removed

• .NET Framework 4.8 explicit support
• UseSimplifyWebWithoutRegistrations and UseSimplifyWebNonTerminalWithoutRegistrations IApplicationBuilder methods
• ISimplifyWebSettings override via RegisterSimplifyWebSettings
• IConfiguration override via OverrideConfiguration or RegisterConfiguration
• 400 special controller attribute

Changed

• UseSimplifyWeb and UseSimplifyWebNoNTerminal now require passing true to automatically register it's own bootstrapper registrations
• RegisterSimplifyWeb now extension method ofIDIRegistrator instead of IDIContainerProvider, custom internal IDIContainerProvider can be passed via method parameter, if required
• Internal IConfiguration registration override via RegisterSimplifyWeb
• Static files disabled by default (when disabled, static files IOC container registrations will be skipped)
• Environment split to Environment and DynamicEnvironment
• V1 controllers RouteParameters defaulted to empty ExpandoObject to avoid NRE
• SimplifyWebSettings loading thru binder
• Controllers search on execution optimized
• XML comments revisited/updated

Fixed

• Multiple one route controllers handling
• Multiple middlewares having same IsTerminal status

Dependencies

• Switched to explicit Simplify.System 1.6.2 instead of internal Simplify.System.Sources
• Microsoft.Extensions.Configuration.Json bump to 8.0.0
• Microsoft.Extensions.Configuration.Binder 8.0.1 added
• Simplify.Templates bump to 2.0.2
• Internal Simplify.Xml.Sources bump to 1.4

4.9

Added

• Add Model Validation Attribute For Range Of Numbers (#236)
• Add Model Validation Attributes For Min Max (#251)

4.8.1

Fixed

• Missing Set content type text/plain for all string responses by default for shortcut methods (#247)

4.8

Changed

• !Important! Setting language from cookie on requests disabled by default, to enable set AcceptCookieLanguage setting to true in SimplifyWebSettings (#246)
• AcceptBrowserLanguage setting renamed to AcceptHeaderLanguage (#246)
• The way framework checks that applying language is valid

Fixed

• Invariant language setting and check

Added

• Set content type text/plain for all string responses by default (#247)
• AcceptCookieLanguage setting

4.7.1

Fixed

• Controller with IList<T> model validation exception (#240)

4.7

Removed

• .NET 5 support
• .NET Core 3.1 support
• .NET Framework 4.6.2 support

Added

• .NET Standard 2.1 support
• Created response with HTTP 201 status (#226)
• Additional comments

Dependencies

• Simplify.DI bump to 4.2.10
• Simplify.Templates bump to 2.0.1
• Internal Simplify.Sting.Sources bump to 1.2.2
• Internal Simplify.System.Sources bump to 1.6.2
• Internal Simplify.Xml.Sources bump to 1.3.1

For target frameworks .NET Standard 2.1, .NET Standard 2.0, .NET Framework 4.8

• Microsoft.Extensions.Configuration.Json bump to 3.1.32

• Microsoft.AspNetCore.Http dependency removed

• Microsoft.AspNetCore.Hosting.Abstractions dependency removed

1.7

Dependencies

• Simplify.Templates to 2.0
• Microsoft.Owin to 4.2.2
• Simplify.DI bump to 4.2.8
• Internal Simplify.Xml.Sources to 1.3.0
• Internal Simplify.System.Sources to 1.6.1
• Microsoft.Extensions.Configuration to 6.0.0
• System.IO.Abstractions bump to 7.1.10