We’re pleased to announce the release of Meteor 0.5.8. This release limits certain client database updates, adds AppCache support, improves the low-level Deps facility, and adds support for literate CoffeeScript and Meetup OAuth logins.

We recommend that all production sites update to 0.5.8 due to a security fix in this release. Sites that don’t want to go to 0.5.8 can instead update to the v0.5.7.1 tag, available on GitHub, which contains just the allow/deny API changes. We’ll post more information about the fix in a few days on meteor-talk. Credit goes to @jan-glx for discovering this problem yesterday afternoon and providing an excellent analysis.

Run $ meteor update to update your installed copy. If you're new to Meteor, you can get started on OS X or Linux by running

$ curl https://install.meteor.com | /bin/sh

in your terminal window.

Changes to allow/deny rules

Starting in 0.5.8, client-only code such as event handlers may only update or remove a single document at a time, specified by _id. Method code can still use arbitrary Mongo selectors to manipulate any number of documents at once. To run complex updates from an event handler, just define a method with Meteor.methods and call it from the event handler.

This change significantly simplifies the allow/deny API, encourages better application structure, avoids a potential DoS attack in which an attacker could force the server to do a lot of work to determine if an operation is authorized, and fixes the security issue reported by @jan-glx.

To update your code, change your allow and deny handlers to take a single document rather than an array of documents. This should significantly simplify your code. Also check to see if you have any update or remove calls in your event handlers that use Mongo selectors (this is quite rare), and if so, move them into methods. For details, see the update and remove docs.
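The migration described above, as an added example (not code from the Meteor project). The Tasks collection, its owner/done/archived fields and the archiveDoneTasks method name are assumptions; the typeof Meteor guard is only there so the file also loads outside a Meteor app.

```javascript
// Added example. Assumptions: the Tasks collection, its owner/done/archived
// fields, and the archiveDoneTasks method name.
var Tasks;

// Pre-0.5.8 shape: the handler got an array of every document the client's
// selector matched, so the server had to fetch them all before deciding.
function oldAllowUpdate(userId, docs, fields, modifier) {
  return docs.every(function (doc) { return doc.owner === userId; });
}

// 0.5.8 shape: each handler receives exactly one document.
var taskRules = {
  insert: function (userId, doc) {
    return !!userId && doc.owner === userId;
  },
  update: function (userId, doc, fieldNames, modifier) {
    // Owners may edit their task but may not reassign it.
    return doc.owner === userId && fieldNames.indexOf('owner') === -1;
  },
  remove: function (userId, doc) {
    return doc.owner === userId;
  }
};

// Multi-document change moved into a method: the method code builds the
// selector and scopes it to the caller instead of trusting a client selector.
var taskMethods = {
  archiveDoneTasks: function () {
    if (!this.userId) throw new Meteor.Error(403, 'Not logged in');
    Tasks.update({owner: this.userId, done: true},
                 {$set: {archived: true}}, {multi: true});
  }
};

// Registration only runs inside Meteor; the guard lets the file load elsewhere.
if (typeof Meteor !== 'undefined') {
  Tasks = new Meteor.Collection('tasks');
  Tasks.allow(taskRules);
  Meteor.methods(taskMethods);
  // Client event handlers then use a single _id or call the method:
  //   Tasks.update(this._id, {$set: {done: true}});
  //   Meteor.call('archiveDoneTasks');
}
```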

Support for HTML5 AppCache

The new appcache package, written by Andrew Wilcox, stores the static parts of a Meteor application (the client-side JavaScript, HTML, CSS, and images) in the browser's HTML5 application cache.

AppCache-enabled applications load out of the local browser cache without contacting the server first, speeding up initial page load time and allowing the browser to process an incoming hot code push in the background. Apps can also load offline without an Internet connection, though they won’t fetch subscriptions or call methods while disconnected.

See http://docs.meteor.com/#appcache for details.

Database transforms

On both the client and the server, database queries can now pass their result documents through an optional transform function. The transform can add methods to result objects or otherwise modify the object in some way. You can set a default transform for all queries on a collection, or supply the transform to an individual operation.

Transforms themselves don’t implement models, but we expect they will be a useful low-level hook for package and application authors exploring patterns for models. See http://docs.meteor.com/#meteor_collection for details.

Other changes

Based on our growing experience with reactive packages, we rewrote the Deps reactivity library API to cleanly support the common use patterns. The new API is available under the Deps symbol. Authors of packages that supply or consume reactive data sources will need to port to the new API. See http://docs.meteor.com/#deps for details.

Publish functions can now publish documents out of more than one collection at once by returning an array of query cursors.

The coffeescript package adds support for literate CoffeeScript files with the extension .litcoffee.

The new accounts-meetup package adds support for OAuth to Meetup.com accounts.

The 0.5.8 release includes many other smaller changes and fixes. Complete release notes are available on GitHub.