I Shipped...

I added two defences to the Jazz sync server to prevent a type of denial-of-service attack called a “reconnect storm”. First, I capped the number of simultaneous WebSocket connections allowed per client at 4, automatically dropping the oldest connection when the limit is hit and sending a “RateLimited” error code. Second, I added a 10-second timeout for connections that start their handshake but never finish, so idle half-open connections can’t pile up indefinitely.

When using jazz with Next.js, our withJazz helper was mistakenly telling Next.js to load jazz-tools as a separate server-side module instead of bundling it together with your app. This caused two separate copies of React to be loaded at the same time — one for the server-rendered pages, one for the client components — which crashes Next.js during pre-rendering. I fixed it by only excluding jazz-napi (the native binary) from bundling, so jazz-tools gets bundled normally with your app and there’s just one React instance throughout.

I found that the WebSocket handshake frame (the first message when a new connection opens) was being decompressed before we’d checked who was connecting. A malicious actor could send a tiny compressed frame that claimed to expand to gigabytes, crashing the server by running out of memory. I added a check that rejects any handshake frame claiming to be larger than 1 MB — since a real handshake is only a few kilobytes of data, anything bigger is suspicious.

I replaced the Mermaid diagram library in the Jazz docs with a custom-built engine using <Graph> and <Sequence> components. Mermaid wasn’t great for interactive, mobile-friendly diagrams — theming and layout control were too limited. The new engine handles desktop and mobile layouts in a single definition and supports animations. I also migrated the four existing diagrams and added 35 unit tests covering the geometry and layout logic.

I added an interactive diagram to the Jazz documentation that lets you pick a durability tier — local, edge, or global — and watch how a data write propagates across a network of devices. This makes it easier to understand how Jazz handles consistency at different levels and what happens when a device is offline, without having to read through dense text explanations.

I wrote docs for several previously-undocumented Jazz features: a CLI command for inspecting local schema hashes, guidance on what values to use in JWT sub claims (and why changing them later causes problems), how permission columns like $canRead work within nested queries, and two performance optimizations — .indexOnly() for leaner index lookups and .merge("counter") for summing concurrent integer edits without conflicts.

I fixed a crash in the Jazz MCP server that happened on Node.js versions older than 22. The crash was caused by the text-search fallback accidentally importing node:sqlite — a database built-in that doesn’t exist in older Node versions — before it even had a chance to activate. I extracted the SQLite-free parsing helpers into a new standalone file so the fallback module’s dependency chain never touches the database code.

When you install Jazz using pnpm, it creates a symlink (a shortcut) pointing to the actual CLI program. The CLI checks whether it’s the entry point by comparing file paths, but the symlinked path and the real path are different strings, so it thought it wasn’t the entry point and quietly exited without doing anything — making schema pushes and migrations appear to succeed while actually no-oping. I fixed it by resolving both paths to their real locations before comparing them, so the CLI now dispatches correctly whether called directly or through pnpm’s symlinks.

I added a new example app showing how to build a local-first todo list using Vue 3 and Jazz. It mirrors the existing React, Svelte, and TypeScript examples, so Vue developers now have a reference starting point too. The example also includes browser-based integration tests using Vitest.

Node.js 20 reached end-of-life, meaning it no longer receives security updates. I bumped the minimum required Node.js version to 22.12 and took the opportunity to clean up backwards-compatibility workarounds scattered across 19 files that only existed to support older Node versions.

The Jazz starter templates had a lot of repetitive boilerplate for setting up authentication. I updated the SvelteKit, React, and Next.js starters to use the new LocalFirstAuth reactive class and framework-specific hooks, which means cleaner code and auth state that automatically rebuilds when something changes — no manual page reload needed.

Jazz already had a React hook for LocalFirstAuth — a way to handle user login in local-first apps (apps that work offline and sync data in the background). I added matching reactive integrations for Svelte and Vue, so developers using those frameworks can use LocalFirstAuth without having to wire up their own reactivity. I also fixed a crash that occurred when the module was imported on the server side, and made sign-out properly propagate across all open tabs.

I added a link to the Jazz Dashboard in the top navigation bar of the docs site, alongside the existing Blog and Docs links. It opens in a new tab and makes it easier for users to jump between the documentation and the dashboard without having to hunt for the URL.

I replaced a static diagram on the “how sync works” docs page with an animated SVG that shows how writes flow between global sync servers, edge servers, and local clients in real time. To keep things readable, I made each writer get a randomly generated color that’s always different enough from its previous color. I also refactored the diagram building blocks into a shared module so future diagrams can reuse the same code.

When you use hopTo() to jump from one table to a related table in a Jazz query, TypeScript was wrongly inferring that the result still had the type of the original table instead of the destination. I fixed this by properly threading the destination table’s type information through the hopTo method, so now TypeScript correctly knows the shape of the data you’re working with after the hop. The runtime behaviour was already correct — this was a purely type-level fix.

Several Jazz example apps had accumulated inconsistencies: some still used Playwright for testing while others had moved to Vitest browser mode, and their docs and feature sets had drifted out of sync. I migrated the remaining auth examples to Vitest browser mode and fixed the various inconsistencies to bring the examples back to parity.

When you subscribed to Jazz data with deeply nested relationships — like posts that include authors that include teams — changes more than one level deep wouldn’t trigger a UI update. The subscription system only registered top-level tables as dependencies and missed the deeper ones. I fixed the graph compilation step to walk all nesting levels and register every nested table, so deep mutations correctly invalidate subscriptions.

Two separate regressions had quietly broken the browser benchmark tests so they weren’t running in CI at all. A recent refactor changed how database insert results are structured, breaking the seed step, and a separate issue prevented the test files from being discovered. I fixed both problems so the benchmark suite runs correctly again.

The world-tour example app used a third-party map library to display a globe, which was a heavy external dependency. I replaced it with a hand-rolled canvas-based dot globe made from 50,000 Fibonacci sphere points, dropped the dependency entirely, added the example to the monorepo workspace, and included Jazz+Vue integration tests alongside it.

Adding the Jazz SvelteKit plugin to vite.config.ts with TypeScript strict mode enabled would fail to compile because the plugin’s ssr.external option was typed as string[], but Vite’s actual type is true | string[]. I widened the type to match what Vite expects, so it compiles cleanly under strict mode.