chore: update package version and changelog

CHANGELOG.md

@@ -4,6 +4,105 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+# [4.0.0] - 2017-09-08
+
+See the full [release notes](https://github.com/dadi/web/releases/tag/v4.0.0).
+
+## Added
+
+### Introduce Brotli compression and cache compressed responses
+
+* [#158](http://github.com/dadi/web/issues/158): compress response before caching
+* [#174](http://github.com/dadi/web/issues/174): introduce Brotli compression
+* Static assets now obey configured compression settings; previously public folder assets were not subject to compression. Files will only be compressed if doing so will save space.
+
+#### Compression configuration
+
+To support the introduction of the new compression engine, the configuration setting for compression has changed. To enable compression in Version 4.0, use `config.headers.useCompression` rather than `config.headers.useGzipCompression`.  The `config.headers.useGzipCompression` property is deprecated and will be removed in a future release.
+
+### Security: CSRF tokens
+
+DADI Web 4.0 adds CSRF security, giving developers the ability to add a per-request CSRF token into the view context, and ensures that all POST requests supply a correct CSRF token. Without a correct token, and with CSRF enabled, users will be greeted with an HTTP 403 response.
+
+To enable CSRF, set the `security.csrf` configuration option:
+
+```json
+"security": {
+  "csrf": true
+}
+```
+
+Once enabled, the property `csrfToken` will be added to the view context. You will need to add this to any forms which perform a POST using the field name _csrf, like so:
+
+```html
+<form action="/" method="post">
+  <input type="text" name="test_input_safe">
+  <input type="hidden" name="_csrf" value="{csrfToken}">
+  <input type="submit" value="Submit form">
+</form>
+```
+
+### Application launch
+
+Launching the application now returns a Promise which, when resolved, returns an object containing the application instance and the loaded route/page components.
+
+```js
+// start the application
+require('@dadi/web')({
+  "engines":[
+    require("@dadi/web-dustjs")
+  ]
+}).then(loaded => {
+  console.log(loaded.App)
+  console.log(loaded.Components)
+})
+```
+
+This change replaces the exported modules in previous versions. To obtain a reference to these modules when the application has already started (for example when loading template helpers), require @dadi/web without passing an engine argument:
+
+```js
+require('@dadi/web')().then(loaded => {
+  console.log(loaded.App)
+  console.log(loaded.Components)
+})
+```
+
+## Changed
+
+#### Page caching
+
+Page caching is now on by default if `caching` is specified in the configuration. Page specification files no longer require `cache: true` for caching to be enabled.
+
+### Route processing
+
+Version 4.0 performs route determination faster. In previous versions a request was tested against all loaded page components at the beginning of the request, and an array of matching routes was added to the middleware stack. In this version matching app-specific routes are loaded only if processing the middleware stack yields no matching handlers.
+
+### Request logging
+
+Requests for static files are now passed through the request logger, giving more detailed access logs for the full request cycle.
+
+### Other
+
+* Removed support for event-logging system "Sentry". This feature was untested and unused
+* Added new middleware to serve content from the public folder, removing dependency on Express.js modules [serve-static](https://github.com/expressjs/serve-static) and [serve-favicon](https://github.com/expressjs/serve-favicon).
+* Moved helper methods `sendBackJSON`, `sendBackHTML` into `view/send.js`
+* Removed unused helper `sendBackJSONP`
+* Removed outdated/unused `media` path.
+* Refactor of cache flush under `api/flush`. Added corresponding error page when method is not `POST`.
+* Added `npm run format` to run for [standard](https://www.npmjs.com/package/standard) & [prettier](https://www.npmjs.com/package/prettier)
+* Hide the err.stack from default error pages when the `NODE_ENV` environment variable is `production` (`NODE_ENV=production`)
+* An improved developer experience: changes to event files & template partials/includes reinitialises the application without requiring a restart.
+
+### Resolved issues
+
+* [#51](http://github.com/dadi/web/issues/51): cache flush command fails when no matching page is found
+* [#59](http://github.com/dadi/web/issues/59): add CSRF token
+* [#168](http://github.com/dadi/web/issues/168): process routes after middleware
+* [#173](http://github.com/dadi/web/issues/173): listener should trigger a 302 redirect
+* [#175](http://github.com/dadi/web/issues/175): remove 'server' response header
+* [#193](http://github.com/dadi/web/issues/193): reload templates and event files when changed on disk (without restarting app)
+* [#212](http://github.com/dadi/web/issues/212): fix default workspace config error
+
 # [3.1.0] - 2017-08-30
 
 ## Added

package.json

@@ -1,13 +1,12 @@
 {
   "name": "@dadi/web",
-  "version": "3.1.0",
+  "version": "4.0.0",
   "description": "Web frontend and template layer for @dadi/api",
   "main": "main.js",
   "scripts": {
     "start": "node ./start.js",
     "test": "standard 'lib/**/*.js' | snazzy && env NODE_ENV=test ./node_modules/.bin/istanbul cover -x '**/workspace/**' -x '**/app/**' --report cobertura --report text --report html --report lcov ./node_modules/mocha/bin/_mocha test",
     "posttest": "node ./scripts/coverage.js",
-    "postinstall": "node ./scripts/copy-config.js && node ./scripts/copy-workspace.js && node ./scripts/init-web.js",
     "snyk-protect": "snyk protect",
     "prepublish": "npm run snyk-protect",
     "precommit": "lint-staged",