Version Packages (#877)

github-actions[bot] · web-flow · commit a8df1cf3b3ad · 2025-09-16T10:15:31.000+02:00
Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/.changeset/tiny-cups-push.md b/.changeset/tiny-cups-push.md
diff --git a/packages/blob/CHANGELOG.md b/packages/blob/CHANGELOG.md
@@ -1,5 +1,67 @@
 # @vercel/blob
 
+## 2.0.0
+
+### Major Changes
+
+- 0b8ead9: **BREAKING CHANGE:**
+
+  To continue receiving `onUploadCompleted` callback once a file is uploaded with Client Uploads when **not hosted on Vercel**, you need to provide the `callbackUrl` at the `onBeforeGenerateToken` step when using `handleUpload`.
+
+  **When hosted on Vercel:**
+  No code changes required. The `callbackUrl` is inferred from [Vercel system environment variables](https://vercel.com/docs/environment-variables/system-environment-variables):
+
+  - In preview environment: `VERCEL_BRANCH_URL` when available, otherwise `VERCEL_URL`
+  - In production environment: `VERCEL_PROJECT_PRODUCTION_URL`
+
+  If you're not hosted on Vercel or you're not using Vercel system environment variables, your will need to provide the `callbackUrl`:
+
+  **Before:**
+
+  ```ts
+  await handleUpload({
+    body,
+    request,
+    onBeforeGenerateToken: async (pathname) => {
+      /* options */
+    },
+    onUploadCompleted: async ({ blob, tokenPayload }) => {
+      /* code */
+    },
+  });
+  ```
+
+  **After:**
+
+  ```ts
+  await handleUpload({
+    body,
+    request,
+    onBeforeGenerateToken: async (pathname) => {
+      return { callbackUrl: 'https://example.com' }; // the path to call will be automatically computed
+    },
+    onUploadCompleted: async ({ blob, tokenPayload }) => {
+      /* code */
+    },
+  });
+  ```
+
+  **For local development:**
+  Set the `VERCEL_BLOB_CALLBACK_URL` environment variable to your tunnel URL:
+
+  ```bash
+  VERCEL_BLOB_CALLBACK_URL=https://abc123.ngrok-free.app
+  ```
+
+  See the updated documentation at https://vercel.com/docs/vercel-blob/client-upload to know more.
+
+  **Details:**
+
+  Before this commit, during Client Uploads, we would infer the `callbackUrl` at the client side level (browser) based on `location.href` (for convenience).
+  This is wrong and allows browsers to redirect the onUploadCompleted callback to a different website.
+
+  While not a security risk, because the blob urls are already public and the browser knows them, it still pose a risk of database drift if you're relying on onUploadCompleted callback to update any system on your side.
+
 ## 1.1.1
 
 ### Patch Changes
diff --git a/packages/blob/package.json b/packages/blob/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@vercel/blob",
-  "version": "1.1.1",
+  "version": "2.0.0",
   "description": "The Vercel Blob JavaScript API client",
   "homepage": "https://vercel.com/storage/blob",
   "repository": {
diff --git a/test/next/CHANGELOG.md b/test/next/CHANGELOG.md
@@ -1,5 +1,12 @@
 # vercel-storage-integration-test-suite
 
+## 0.3.10
+
+### Patch Changes
+
+- Updated dependencies [0b8ead9]
+  - @vercel/blob@2.0.0
+
 ## 0.3.9
 
 ### Patch Changes
diff --git a/test/next/package.json b/test/next/package.json
@@ -1,6 +1,6 @@
 {
   "name": "vercel-storage-integration-test-suite",
-  "version": "0.3.9",
+  "version": "0.3.10",
   "private": true,
   "scripts": {
     "build": "next build",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@vercel/blob",`
`3`		`- "version": "1.1.1",`
	`3`	`+ "version": "2.0.0",`
`4`	`4`	`"description": "The Vercel Blob JavaScript API client",`
`5`	`5`	`"homepage": "https://vercel.com/storage/blob",`
`6`	`6`	`"repository": {`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "vercel-storage-integration-test-suite",`
`3`		`- "version": "0.3.9",`
	`3`	`+ "version": "0.3.10",`
`4`	`4`	`"private": true,`
`5`	`5`	`"scripts": {`
`6`	`6`	`"build": "next build",`