- Read version dynamically from package.json instead of hardcoding 0.3.0
- Remove dead 'Signup' tag (free signup was removed)
- Add missing 'cache' parameter to POST /v1/screenshot body schema
- Add comprehensive tests to prevent regression
The cache bypass logic was already working correctly with POST body parameters.
Tests: 6/6 OpenAPI tests passing, 461/470 total tests passing (9 failing tests unrelated - missing blog post file)
- Batch screenshot endpoint: take 1-10 screenshots in a single request
- Concurrent processing with Promise.allSettled (partial success support)
- Upfront quota check for all URLs before processing
- Per-URL SSRF validation via existing takeScreenshot()
- Added incrementUsage() to usage middleware for granular tracking
- 10 new tests covering all edge cases
- Updated OpenAPI docs (JSDoc on route)
- Updated Node.js and Python SDK READMEs with batch method docs
- Add clip object parameter to crop rectangular areas from screenshots
- Support POST body: clip {x, y, width, height} number fields
- Support GET query: clipX, clipY, clipW, clipH params
- Validation: all fields required, x/y >=0, width/height >0, max 3840x2160
- Mutually exclusive with fullPage and selector
- Update OpenAPI docs with clip examples
- Update Node.js and Python SDK READMEs with clip usage
- Add comprehensive test coverage (11 new tests)
- Tests: missing fields, negative coords, zero dimensions, max limits, mutual exclusivity
- Add userAgent?: string to ScreenshotOptions interface
- Implement validation (max 500 chars, no newlines for security)
- Call page.setUserAgent() after page acquisition, before navigation
- Add route handler support for both POST body and GET query
- Add comprehensive test coverage (11 new tests)
- Update OpenAPI documentation with parameter specs and examples
- Update Node.js and Python SDK README examples
- All userAgent tests passing (414 → 425 total tests)
Fixes potential HTTP header injection by rejecting newlines.
Enables custom User-Agent strings for specific browser emulation needs.
- Use 'any' type for selector parameter to avoid type conflicts
- Maintain compatibility with parallel selector development
- Fixes build errors in deployment pipeline
- Added selector field to ScreenshotOptions interface
- Implemented validateSelector function with length and content validation
- Added mutual exclusivity check for selector and fullPage
- Modified screenshot logic to use element.screenshot() when selector provided
- Added SELECTOR_NOT_FOUND error handling in route handler
- Added selector parameter to route parameter extraction and normalization
- Added comprehensive test coverage for both service and route levels
- New optional selector parameter to capture specific DOM elements
- Works with all existing parameters (format, quality, darkMode, etc.)
- Validates selector for length (max 200 chars) and dangerous content
- Mutual exclusivity with fullPage parameter
- Returns 400 error if selector not found
- Updates OpenAPI spec for both GET and POST endpoints
- Full test coverage including edge cases
- Add js parameter to ScreenshotOptions interface (max 5000 chars)
- Execute JavaScript via page.evaluate() after delay, before CSS/hideSelectors
- 5-second timeout with JS_TIMEOUT error handling
- JS_EXECUTION_ERROR for script failures with sanitized error messages
- Support in both GET and POST endpoints with validation
- Updated OpenAPI spec for both GET and POST routes
- Added comprehensive test coverage (service + route layers)
- Updated SDK documentation (Node.js and Python) with examples
Test results: 414 tests passing (includes new JS injection tests)
- darkMode: emulates prefers-color-scheme: dark before navigation
- hideSelectors: injects CSS to hide elements before capture
- POST: accepts string or string array
- GET: accepts comma-separated string
- Validation: max 10 selectors, each max 200 chars
- OpenAPI docs updated for both GET and POST endpoints
- 13 new tests added (service + route)
- Add 'cancelled' tier (0 req/month) for downgraded subscriptions
- Remove full API key from recovery endpoint logs (security)
- Add IP-based rate limiting (10/15min) to billing endpoints
- Bump version to 0.7.0
- 4 new tests (338 total)
The /v1/signup/free endpoint was still mounted despite free tier
being removed in v0.3.0. Anyone could generate unlimited free API keys.
- Removed signup route registration from index.ts
- Deleted src/routes/signup.ts (dead code)
- Added signup-removed.test.ts verifying 404 on signup endpoints
- Cleaned up leaked test key from production DB
334 tests passing.
- Create src/routes/__tests__/status.test.ts (GET /status and /status.html)
- Add blog post: public/blog/automating-og-images.html (~1000 words)
- Update public/blog.html with new post entry
- Update public/sitemap.xml with new URL
- Add blog tests for automating-og-images post
- Update existing blog tests for new post references
Tests: 332 passed, 1 skipped
- Wrap nav in <header> landmark on all pages
- Wrap content in <main id='main-content'> on all pages
- Add skip-to-content link (visually hidden, visible on focus)
- Add skip-link CSS styles
- Add 65 accessibility tests covering all 16 full-layout pages
- All 288 tests passing
- Blog index page (public/blog.html) with dark theme
- Post 1: Why You Need a Screenshot API (~800 words)
- Post 2: Screenshot API Performance & Caching (~600 words)
- Express routes: /blog → /blog.html, /blog/:slug → /blog/:slug.html
- Blog link added to nav and footer on index.html
- Sitemap updated with blog URLs
- Full test coverage (19 new tests, 190 total passing)
- Pricing page with full comparison table, feature matrix, FAQ, JSON-LD Product schema
- Changelog page with all versions v0.1.0-v0.6.0, JSON-LD Blog schema
- 301 redirects for clean URLs
- Added to sitemap.xml
- Pricing in main nav, changelog in footer
- 14 new tests (171 total)
- Add POST /v1/billing/portal endpoint for customer portal access
- Add GET /v1/billing/recover endpoint for API key recovery
- Implement getKeyByEmail() and getCustomerIdByEmail() service functions
- Add comprehensive test coverage for new endpoints and services
- Create dedicated recovery page at /recovery.html with forms
- Add 'Lost your API key?' link on landing page near pricing
- Update OpenAPI documentation for new endpoints
- Return masked API keys for security (snap_xxxx...xxxx format)
- Log full keys for manual email sending (email service TBD)
- Include proper error handling and input validation
- Add playground.test.ts with 14 tests for playground endpoint
- Add screenshot.test.ts with 17 tests for screenshot endpoint
- Add health.test.ts with 7 tests for health endpoint
- Add watermark.test.ts with 14 tests for watermark service
Total: 52 new tests covering:
- Input validation and error handling
- Authentication and authorization scenarios
- Caching behavior and cache bypass
- Parameter normalization and limits
- SSRF protection and blocked URLs
- Service error conditions (timeouts, queue full)
- Browser pool integration
- Watermark image processing logic
All tests pass and use proper mocking of dependencies.
- billing.ts: Stripe now initialized lazily via getStripe() instead of at module load
This prevents test suite crash when STRIPE_SECRET_KEY env var is not set
- Add src/middleware/__tests__/auth.test.ts (6 tests): key extraction from
Bearer header, X-API-Key header, query param; 401/403 responses; priority order
- Add src/services/__tests__/keys.test.ts (6 tests): getTierLimit for all tiers
- Total: 61 tests passing, 0 failures
- Add GET /v1/screenshot endpoint with query parameter support
- Support API key authentication via ?key= query parameter
- Implement in-memory LRU cache with configurable TTL (5min) and size limits (100MB)
- Add X-Cache headers (HIT/MISS) to indicate cache status
- Add cache bypass option via ?cache=false parameter
- Update OpenAPI documentation with GET endpoint and caching info
- Add GET/Embed code examples to landing page hero section
- Add Response Caching and GET Request Support feature cards
- Update features grid layout to accommodate new features
Root cause: With BROWSER_COUNT=1, the hourly browser restart set
restarting=true, drained all pages, closed the browser, THEN launched
a new one. During that window (seconds), all requests queued and
timed out after 30s with QUEUE_FULL errors.
Fix: Launch the new browser BEFORE closing the old one (hot-swap).
This ensures zero downtime during browser recycling, even with a
single browser instance.
BUG-010: Add 301 redirects for clean URLs (/privacy → /privacy.html etc.)
and fix inconsistent href links across legal pages.
FEATURE: Enhanced playground with fullPage, quality, deviceScale,
waitUntil, and waitForSelector controls for better API evaluation.
Performance fixes:
- Default waitUntil changed from networkidle2 to domcontentloaded (saves ~500ms+)
- Add waitUntil parameter so users can choose (load/domcontentloaded/networkidle0/networkidle2)
- Optimize page recycle: use DOM reset instead of about:blank navigation
- Add Chromium flags to disable unnecessary features (background networking, extensions, sync, etc.)
Swagger fixes:
- Fix apis glob to include dist/*.js (was only matching src/*.ts, empty at runtime)
- Document new waitUntil parameter on POST /v1/screenshot
- Add OpenAPI docs for /status endpoint
BREAKING: OpenAPI spec is now generated from JSDoc annotations on route
handlers at startup, eliminating drift between code and documentation.
What was wrong:
- Static public/openapi.json was manually maintained and could drift
- Missing endpoints: signup, billing (checkout/success/webhook)
- Signup route was imported but never mounted (dead code)
What was fixed:
- Added swagger-jsdoc to generate OpenAPI spec from JSDoc on route files
- Every route handler now has @openapi JSDoc annotation as source of truth
- Spec served dynamically at GET /openapi.json (no static file)
- Deleted public/openapi.json
- Documented all missing endpoints (signup, billing x3)
- Mounted /v1/signup route
- All 9 screenshot params documented with types, ranges, defaults
- Extract complete codebase from running staging pod
- Add Dockerfile with multi-stage build for Node.js + Puppeteer
- Configure CI/CD workflows for staging and production deployment
- Include all source files, configs, and public assets
