## Release Notes for oraclejet-tooling ##

### 20.1.1
* Security tightening: programmatic `ojet.serve()` watch configuration now rejects unknown string commands. Built-in commands such as `compileSass` and `copyThemes` may still be strings, but custom commands must use structured command objects and are run without shell interpretation, for example `commands: [{ cmd: 'npm', args: ['run', 'generate-docs'] }]` instead of `commands: ['npm run generate-docs']`.
* Security tightening: serve defaults now bind to `127.0.0.1`, and directory listing is disabled unless explicitly enabled through serve/connect options. CLI users can intentionally expose the development server or enable directory listing from a trusted `before_serve` hook by setting `connectOpts.hostname` or `connectOpts.directoryListing`.
* Updated svgo version to 4.0.1
* Reference component npm installs derived from downloaded Exchange metadata now require explicit approval in interactive environments and are blocked by default in non-interactive environments unless explicitly allowed. These installs now also validate package metadata and use `--ignore-scripts`.

### 20.0.2
* Reference component npm installs derived from downloaded Exchange metadata now require explicit approval in interactive environments and are blocked by default in non-interactive environments unless explicitly allowed. These installs now also validate package metadata and use `--ignore-scripts`.
* Security tightening: programmatic `ojet.serve()` watch configuration now rejects unknown string commands. Built-in commands such as `compileSass` and `copyThemes` may still be strings, but custom commands must use structured command objects and are run without shell interpretation, for example `commands: [{ cmd: 'npm', args: ['run', 'generate-docs'] }]` instead of `commands: ['npm run generate-docs']`.
* Security tightening: serve defaults now bind to `127.0.0.1`, and directory listing is disabled unless explicitly enabled through serve/connect options. CLI users can intentionally expose the development server or enable directory listing from a trusted `before_serve` hook by setting `connectOpts.hostname` or `connectOpts.directoryListing`.

### 20.0.1
* Updated svgo version to 4.0.1

### 20.0.0
* Updated glob version to 12.0.0
* Updated form-data version to 4.0.5

### 19.0.3
* Security tightening: programmatic `ojet.serve()` watch configuration now rejects unknown string commands. Built-in commands such as `compileSass` and `copyThemes` may still be strings, but custom commands must use structured command objects and are run without shell interpretation, for example `commands: [{ cmd: 'npm', args: ['run', 'generate-docs'] }]` instead of `commands: ['npm run generate-docs']`.
* Security tightening: serve defaults now bind to `127.0.0.1`, and directory listing is disabled unless explicitly enabled through serve/connect options. CLI users can intentionally expose the development server or enable directory listing from a trusted `before_serve` hook by setting `connectOpts.hostname` or `connectOpts.directoryListing`.
* Reference component npm installs derived from downloaded Exchange metadata now require explicit approval in interactive environments and are blocked by default in non-interactive environments unless explicitly allowed. These installs now also validate package metadata and use `--ignore-scripts`.

### 19.0.2
* Updated svgo version to 4.0.1

### 19.0.1
* Updated glob version to 12.0.0

### 18.1.3
* Security tightening: programmatic `ojet.serve()` watch configuration now rejects unknown string commands. Built-in commands such as `compileSass` and `copyThemes` may still be strings, but custom commands must use structured command objects and are run without shell interpretation, for example `commands: [{ cmd: 'npm', args: ['run', 'generate-docs'] }]` instead of `commands: ['npm run generate-docs']`.
* Security tightening: serve defaults now bind to `127.0.0.1`, and directory listing is disabled unless explicitly enabled through serve/connect options. CLI users can intentionally expose the development server or enable directory listing from a trusted `before_serve` hook by setting `connectOpts.hostname` or `connectOpts.directoryListing`.
* Reference component npm installs derived from downloaded Exchange metadata now require explicit approval in interactive environments and are blocked by default in non-interactive environments unless explicitly allowed. These installs now also validate package metadata and use `--ignore-scripts`.

### 18.1.2
* Updated svgo version to 4.0.1

### 18.1.1
* Updated glob version to 12.0.0

### 18.0.3
* Security tightening: programmatic `ojet.serve()` watch configuration now rejects unknown string commands. Built-in commands such as `compileSass` and `copyThemes` may still be strings, but custom commands must use structured command objects and are run without shell interpretation, for example `commands: [{ cmd: 'npm', args: ['run', 'generate-docs'] }]` instead of `commands: ['npm run generate-docs']`.
* Security tightening: serve defaults now bind to `127.0.0.1`, and directory listing is disabled unless explicitly enabled through serve/connect options. CLI users can intentionally expose the development server or enable directory listing from a trusted `before_serve` hook by setting `connectOpts.hostname` or `connectOpts.directoryListing`.
* Reference component npm installs derived from downloaded Exchange metadata now require explicit approval in interactive environments and are blocked by default in non-interactive environments unless explicitly allowed. These installs now also validate package metadata and use `--ignore-scripts`.

### 18.0.2
* Updated svgo version to 4.0.1

### 18.0.1
* Updated glob version to 12.0.0

### 18.0.0
* Switch to chokidar from gaze

### 17.1.1
* Updated glob version to 12.0.0

### 17.0.1
* Updated glob version to 12.0.0

### 11.0.0
* oraclejet-tooling now requires node 12.21 or later

### 5.2.0
* No changes

### 5.1.0
* No changes

### 5.0.0
* No changes

### 4.2.0
* No changes

### 4.1.0
* No changes

### 4.0.0
* Moved module into @oracle scope, changing the name to @oracle/oraclejet-tooling

### 3.2.0
* No changes

### 3.1.0
* No changes

### 3.0.0
* Replaced bower with npm
* SASS tasks now run in CCA directories also
* Added --destination=server-only option for web apps
* Removed --destination=deviceOrEmulatorName option
* Added ability to cutomize serve tasks such as watching additional files
* Added gap://ready to inserted CSP meta tag for iOS 10 compatibility

### 2.3.0
* No changes

### 2.2.0
* Allow developers to configure release paths
* Provide help page for tooling tasks
* Allow multiple themes to be included in a built app
* Grunt serve to specific iOS emulator fails
* no-build option missing from grunt serve