Nostream v3.0.0 released! 🚀✊ Thanks to each of the following students from the Summer of Bitcoin 2026 program for their contributions: Anshuman (@Anshumancanrock) Mohit Davar (@Mohit-Davar) Kanishka (@kanishka0411) Kartik (@kartikangiras) Chetan Reddy Kodidela (@CKodidela) Yash Agarwal (@YashIIT0909) Saniddhya Dubey (@saniddhyaDubey) XD22 (@Justxd22) Vikash Siwach (@vikashsiwach) Kushagra Kinra (@kushagra0902) Mahmoud Khedr (@Mahmoud-s-Khedr) Khadar Vali (@khadar1020) Sagar (@sagar-h007) Divyanshu Kumar (@d1vyanshu-kumar) archief2910 (@archief2910) Abhinav Rathee (@abhinavrathee) Radosvet Petrov (@radosvet93) Khushal (@a-khushal) Tharupahan Jayawardana (@tharu-jwd) Ferryx (@Ferryx349)

Replies (4)

Breaking changes v2 → v3: 1. Node.js v24 LTS required (standalone only) — v2 ran on Node 14/16/18. 2. npm replaced by pnpm (standalone only) — run "corepack enable && pnpm install" instead of "npm install". 3. scripts/ shell wrappers removed — replaced by the unified nostream CLI. Anything referencing scripts/start, scripts/stop, etc. (including systemd units) must be updated: scripts/start → nostream start scripts/start_with_tor → nostream start --tor scripts/start_with_i2p → nostream start --i2p scripts/start_with_nginx → nostream start --nginx scripts/stop → nostream stop scripts/print_tor_hostname → nostream info --tor-hostname 4. network.remote_ip_header renamed — must be network.remoteIpHeader (camelCase) in .nostr/settings.yaml. 5. Pubkey whitelist/blacklist requires exact full hex pubkeys — partial/prefix matching no longer works. Review limits.event.pubkey.whitelist and blacklist in settings. 6. NIP-26 Delegated Event Signing removed — the relay will reject delegated events. 7. X-Forwarded-For no longer trusted unconditionally — if behind a reverse proxy, configure trusted proxies in settings to preserve correct client IPs. --- Upgrade checklist: 1. Back up your database 2. Pull the v3.0.0 Docker image (or git pull && git checkout v3.0.0 for standalone) 3. Run database migrations: pnpm db:migrate (Docker does this automatically on start) 4. Update .nostr/settings.yaml: - Rename network.remote_ip_header → network.remoteIpHeader - Replace partial pubkeys in whitelist/blacklist with full hex pubkeys - Add trusted proxy config if behind a reverse proxy 5. Update any systemd units or scripts referencing scripts/* 6. (Standalone only) Upgrade Node.js to v24 and switch to pnpm 7. NIP-26 delegated events are no longer accepted
New NIPs supported in Nostream v3 (not in v2.1.0 at all): - NIP-03: OpenTimestamps Attestations for Events (kind 1040) - NIP-05: Mapping Nostr keys to DNS-based internet identifiers - NIP-14: Subject tag in text events - NIP-25: Reactions (kind 7 and kind 17) - NIP-44: Encrypted Payloads v2 (Versioned) - NIP-45: Event Counts (COUNT) - NIP-62: Request to Vanish - NIP-65: Relay List Metadata (kind 10002) NIPs that were in v2 but fixed/properly supported in v3: - NIP-01: Three compliance fixes: deterministic event ordering by event_id, correct dedup keys for parameterized replaceable events, and proper tiebreaker semantics for replaceable events with equal timestamps - NIP-11: Now served on all relay paths (not just root), correct max_filters mapping in relay info document - NIP-42: Client authentication handler and WebSocket session wiring added (docs need to be updated but support is here)
Non-NIP new features and changes in v3: DEPLOYMENT - Unified nostream CLI/TUI replaces all scripts/* shell wrappers (start, stop, update, clean, info, dev) - nginx reverse proxy option added to docker-compose (nostream start --nginx) - I2P support added (nostream start --i2p) - New docker-compose variants: i2p, nginx, Windows - Docker DNS pre-flight check before startup - Dockerfile now auto-runs migrations on container start - Railway.app deployment template included PERFORMANCE - New hot-path PostgreSQL indexes for subscription, vanish, retention, and invoice queries - User admission check converted to a PostgreSQL stored function - User admission check result cached in Redis - EWMA rate limiter with configurable strategy support - Vanish (NIP-62) query optimized - db:benchmark and db:verify-index-impact tooling added IMPORT / EXPORT - Export events to JSON Lines (.jsonl) or JSON array (.json) - Import events from .jsonl or .json files - Gzip and XZ compression for both import and export PAYMENTS - NWC (Nostr Wallet Connect) added as a payment processor - Callback routes now only registered when the matching processor is active - LNbits: stale pending invoices now expired automatically - Nodeless: timing-safe HMAC comparison for webhook verification RELIABILITY & SECURITY - X-Forwarded-For no longer unconditionally trusted — trusted proxies must be configured - Dead WebSocket connections closed even when they have active subscriptions - Rate limiter TOCTOU race condition fixed via Lua atomic script - Mirroring: silent event drops fixed when mirror has no limits configured - Redis: AUTH skipped automatically when credentials are unset - CSP hardened: removed unsafe-inline, added script nonces - serialize-javascript updated to fix RCE CVE (GHSA-5c6j-r48x-rmvq) NEW SETTINGS - nip05.domainWhitelist / nip05.domainBlacklist - limits.event.retention.kind.whitelist - limits.event.retention.pubkey.whitelist - limits.admissionCheck.ipWhitelist - limits.message.ipWhitelist - info.self (relay pubkey for NIP-11 relay info) - Opt-in event retention purge (limits.event.retention) TOOLING (developer-facing) - pnpm replaces npm - Biome replaces ESLint + Prettier - Zod replaces Joi for validation - Changesets replaces semantic-release - Knip added for dead code detection - Pino replaces custom logging across adapters and services - CodeQL security analysis workflow added