Sourced from @modelcontextprotocol/sdk's releases.
\n\nv1.26.0
\nAddresses "Sharing server/transport instances can leak cross-client response data" in this GHSA https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7
\nWhat's Changed
\n\n
\n- chore: bump v1.25.3 for backport fixes by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1412- fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by
\n@samuvin modelcontextprotocol/typescript-sdk#1382- Fix #1430: Client Credentials providers scopes support (backported) by
\n@NSeydouxin modelcontextprotocol/typescript-sdk#1442- chore: bump version to 1.26.0 by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1479New Contributors
\n\n
\n- \n
@samuvmade their first contribution in modelcontextprotocol/typescript-sdk#1382- \n
@NSeydouxmade their first contribution in modelcontextprotocol/typescript-sdk#1442Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0
\nv1.25.3
\nWhat's Changed
\n\n
\n- [v1.x backport] Use correct schema for client sampling validation when tools are present by
\n@olaservoin modelcontextprotocol/typescript-sdk#1407- fix: prevent Hono from overriding global Response object (v1.x) by
\n@mattzcareyin modelcontextprotocol/typescript-sdk#1411Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3
\nv1.25.2
\nWhat's Changed
\n\n
\n- ci: trigger workflow on v1.x branch by
\n@felixweinbergerin modelcontextprotocol/typescript-sdk#1319- fix: README badges links destinations by
\n@antonpk1in modelcontextprotocol/typescript-sdk#907- fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1365New Contributors
\n\n
\n- \n
@antonpk1made their first contribution in modelcontextprotocol/typescript-sdk#907Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2
\n1.25.1
\nWhat's Changed
\n\n
\n- spec types - backwards compatibility changes by
\n@KKonstantinovin modelcontextprotocol/typescript-sdk#1306- chore: bump version for patch fix by
\n@felixweinbergerin modelcontextprotocol/typescript-sdk#1307Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1
\n1.25.0
\nWhat's Changed
\n\n
\n\n- list changed handlers on client constructor by
\n@mattzcareyin modelcontextprotocol/typescript-sdk#1206- Role - moved from inline to reusable type by
\n@KKonstantinovin modelcontextprotocol/typescript-sdk#1221- fix: use versioned npm tag for non-main branch releases by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1236- No automatic completion support unless needed - Revisited yet again by
\n@cliffhallin modelcontextprotocol/typescript-sdk#1237- fix: Support updating output schema by
\n@vincent0426in modelcontextprotocol/typescript-sdk#1048
... (truncated)
\nfe9c07b chore: bump version to 1.26.0 (#1479)4f01e7e fix: add non-null assertions for optional setupServer fields in stateful testa05be17 Merge commit from fork50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...6aba065 chore: bump v1.25.3 for backport fixes (#1412)6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)a0c9b13 fix: README badges links destinations (#907)This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.
Sourced from qs's changelog.
\n\n\n6.15.0
\n\n
\n- [New]
\nparse: addstrictMergeoption to wrap object/primitive conflicts in an array (#425, #122)- [Fix]
\nduplicatesoption should not apply to bracket notation keys (#514)6.14.2
\n\n
\n- [Fix]
\nparse: mark overflow objects for indexed notation exceedingarrayLimit(#546)- [Fix]
\narrayLimitmeans max count, not max index, incombine/merge/parseArrayValue- [Fix]
\nparse: throw onarrayLimitexceeded with indexed notation whenthrowOnLimitExceededis true (#529)- [Fix]
\nparse: enforcearrayLimitoncomma-parsed values- [Fix]
\nparse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)- [Robustness] avoid
\n.push, usevoid- [readme] document that
\naddQueryPrefixdoes not add?to empty output (#418)- [readme] clarify
\nparseArraysandarrayLimitdocumentation (#543)- [readme] replace runkit CI badge with shields.io check-runs badge
\n- [meta] fix changelog typo (
\narrayLength→arrayLimit)- [actions] fix rebase workflow permissions
\n6.14.1
\n\n
\n- [Fix] ensure
\narrayLimitapplies to[]notation as well- [Fix]
\nparse: when a custom decoder returnsnullfor a key, ignore that key- [Refactor]
\nparse: extract key segment splitting helper- [meta] add threat model
\n- [actions] add workflow permissions
\n- [Tests]
\nstringify: increase coverage- [Dev Deps] update
\neslint,@ljharb/eslint-config,npmignore,es-value-fixtures,for-each,object-inspect
d9b4c66 v6.15.0cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...88e1563 [Fix] duplicates option should not apply to bracket notation keys9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main85cc8ca v6.12.5ffc12aa v6.11.40506b11 [actions] update reusable workflows6a37faf [actions] update reusable workflows8e8df5a [Fix] fix regressions from robustness refactord60bab3 v6.10.7Sourced from @modelcontextprotocol/sdk's releases.
\n\nv1.26.0
\nAddresses "Sharing server/transport instances can leak cross-client response data" in this GHSA https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7
\nWhat's Changed
\n\n
\n- chore: bump v1.25.3 for backport fixes by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1412- fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by
\n@samuvin modelcontextprotocol/typescript-sdk#1382- Fix #1430: Client Credentials providers scopes support (backported) by
\n@NSeydouxin modelcontextprotocol/typescript-sdk#1442- chore: bump version to 1.26.0 by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1479New Contributors
\n\n
\n- \n
@samuvmade their first contribution in modelcontextprotocol/typescript-sdk#1382- \n
@NSeydouxmade their first contribution in modelcontextprotocol/typescript-sdk#1442Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0
\nv1.25.3
\nWhat's Changed
\n\n
\n- [v1.x backport] Use correct schema for client sampling validation when tools are present by
\n@olaservoin modelcontextprotocol/typescript-sdk#1407- fix: prevent Hono from overriding global Response object (v1.x) by
\n@mattzcareyin modelcontextprotocol/typescript-sdk#1411Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3
\nv1.25.2
\nWhat's Changed
\n\n
\n- ci: trigger workflow on v1.x branch by
\n@felixweinbergerin modelcontextprotocol/typescript-sdk#1319- fix: README badges links destinations by
\n@antonpk1in modelcontextprotocol/typescript-sdk#907- fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1365New Contributors
\n\n
\n- \n
@antonpk1made their first contribution in modelcontextprotocol/typescript-sdk#907Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2
\n1.25.1
\nWhat's Changed
\n\n
\n- spec types - backwards compatibility changes by
\n@KKonstantinovin modelcontextprotocol/typescript-sdk#1306- chore: bump version for patch fix by
\n@felixweinbergerin modelcontextprotocol/typescript-sdk#1307Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1
\n1.25.0
\nWhat's Changed
\n\n
\n\n- list changed handlers on client constructor by
\n@mattzcareyin modelcontextprotocol/typescript-sdk#1206- Role - moved from inline to reusable type by
\n@KKonstantinovin modelcontextprotocol/typescript-sdk#1221- fix: use versioned npm tag for non-main branch releases by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1236- No automatic completion support unless needed - Revisited yet again by
\n@cliffhallin modelcontextprotocol/typescript-sdk#1237- fix: Support updating output schema by
\n@vincent0426in modelcontextprotocol/typescript-sdk#1048
... (truncated)
\nfe9c07b chore: bump version to 1.26.0 (#1479)4f01e7e fix: add non-null assertions for optional setupServer fields in stateful testa05be17 Merge commit from fork50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...6aba065 chore: bump v1.25.3 for backport fixes (#1412)6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)a0c9b13 fix: README badges links destinations (#907)This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.
Sourced from qs's changelog.
\n\n\n6.15.0
\n\n
\n- [New]
\nparse: addstrictMergeoption to wrap object/primitive conflicts in an array (#425, #122)- [Fix]
\nduplicatesoption should not apply to bracket notation keys (#514)6.14.2
\n\n
\n- [Fix]
\nparse: mark overflow objects for indexed notation exceedingarrayLimit(#546)- [Fix]
\narrayLimitmeans max count, not max index, incombine/merge/parseArrayValue- [Fix]
\nparse: throw onarrayLimitexceeded with indexed notation whenthrowOnLimitExceededis true (#529)- [Fix]
\nparse: enforcearrayLimitoncomma-parsed values- [Fix]
\nparse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)- [Robustness] avoid
\n.push, usevoid- [readme] document that
\naddQueryPrefixdoes not add?to empty output (#418)- [readme] clarify
\nparseArraysandarrayLimitdocumentation (#543)- [readme] replace runkit CI badge with shields.io check-runs badge
\n- [meta] fix changelog typo (
\narrayLength→arrayLimit)- [actions] fix rebase workflow permissions
\n6.14.1
\n\n
\n- [Fix] ensure
\narrayLimitapplies to[]notation as well- [Fix]
\nparse: when a custom decoder returnsnullfor a key, ignore that key- [Refactor]
\nparse: extract key segment splitting helper- [meta] add threat model
\n- [actions] add workflow permissions
\n- [Tests]
\nstringify: increase coverage- [Dev Deps] update
\neslint,@ljharb/eslint-config,npmignore,es-value-fixtures,for-each,object-inspect
d9b4c66 v6.15.0cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...88e1563 [Fix] duplicates option should not apply to bracket notation keys9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main85cc8ca v6.12.5ffc12aa v6.11.40506b11 [actions] update reusable workflows6a37faf [actions] update reusable workflows8e8df5a [Fix] fix regressions from robustness refactord60bab3 v6.10.7Sourced from @modelcontextprotocol/sdk's releases.
\n\nv1.26.0
\nAddresses "Sharing server/transport instances can leak cross-client response data" in this GHSA https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7
\nWhat's Changed
\n\n
\n- chore: bump v1.25.3 for backport fixes by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1412- fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by
\n@samuvin modelcontextprotocol/typescript-sdk#1382- Fix #1430: Client Credentials providers scopes support (backported) by
\n@NSeydouxin modelcontextprotocol/typescript-sdk#1442- chore: bump version to 1.26.0 by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1479New Contributors
\n\n
\n- \n
@samuvmade their first contribution in modelcontextprotocol/typescript-sdk#1382- \n
@NSeydouxmade their first contribution in modelcontextprotocol/typescript-sdk#1442Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0
\nv1.25.3
\nWhat's Changed
\n\n
\n- [v1.x backport] Use correct schema for client sampling validation when tools are present by
\n@olaservoin modelcontextprotocol/typescript-sdk#1407- fix: prevent Hono from overriding global Response object (v1.x) by
\n@mattzcareyin modelcontextprotocol/typescript-sdk#1411Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3
\nv1.25.2
\nWhat's Changed
\n\n
\n- ci: trigger workflow on v1.x branch by
\n@felixweinbergerin modelcontextprotocol/typescript-sdk#1319- fix: README badges links destinations by
\n@antonpk1in modelcontextprotocol/typescript-sdk#907- fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1365New Contributors
\n\n
\n- \n
@antonpk1made their first contribution in modelcontextprotocol/typescript-sdk#907Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2
\n1.25.1
\nWhat's Changed
\n\n
\n- spec types - backwards compatibility changes by
\n@KKonstantinovin modelcontextprotocol/typescript-sdk#1306- chore: bump version for patch fix by
\n@felixweinbergerin modelcontextprotocol/typescript-sdk#1307Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1
\n1.25.0
\nWhat's Changed
\n\n
\n\n- list changed handlers on client constructor by
\n@mattzcareyin modelcontextprotocol/typescript-sdk#1206- Role - moved from inline to reusable type by
\n@KKonstantinovin modelcontextprotocol/typescript-sdk#1221- fix: use versioned npm tag for non-main branch releases by
\n@pcarletonin modelcontextprotocol/typescript-sdk#1236- No automatic completion support unless needed - Revisited yet again by
\n@cliffhallin modelcontextprotocol/typescript-sdk#1237- fix: Support updating output schema by
\n@vincent0426in modelcontextprotocol/typescript-sdk#1048
... (truncated)
\nfe9c07b chore: bump version to 1.26.0 (#1479)4f01e7e fix: add non-null assertions for optional setupServer fields in stateful testa05be17 Merge commit from fork50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...6aba065 chore: bump v1.25.3 for backport fixes (#1412)6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)a0c9b13 fix: README badges links destinations (#907)This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.
Sourced from qs's changelog.
\n\n\n6.15.0
\n\n
\n- [New]
\nparse: addstrictMergeoption to wrap object/primitive conflicts in an array (#425, #122)- [Fix]
\nduplicatesoption should not apply to bracket notation keys (#514)6.14.2
\n\n
\n- [Fix]
\nparse: mark overflow objects for indexed notation exceedingarrayLimit(#546)- [Fix]
\narrayLimitmeans max count, not max index, incombine/merge/parseArrayValue- [Fix]
\nparse: throw onarrayLimitexceeded with indexed notation whenthrowOnLimitExceededis true (#529)- [Fix]
\nparse: enforcearrayLimitoncomma-parsed values- [Fix]
\nparse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)- [Robustness] avoid
\n.push, usevoid- [readme] document that
\naddQueryPrefixdoes not add?to empty output (#418)- [readme] clarify
\nparseArraysandarrayLimitdocumentation (#543)- [readme] replace runkit CI badge with shields.io check-runs badge
\n- [meta] fix changelog typo (
\narrayLength→arrayLimit)- [actions] fix rebase workflow permissions
\n6.14.1
\n\n
\n- [Fix] ensure
\narrayLimitapplies to[]notation as well- [Fix]
\nparse: when a custom decoder returnsnullfor a key, ignore that key- [Refactor]
\nparse: extract key segment splitting helper- [meta] add threat model
\n- [actions] add workflow permissions
\n- [Tests]
\nstringify: increase coverage- [Dev Deps] update
\neslint,@ljharb/eslint-config,npmignore,es-value-fixtures,for-each,object-inspect
d9b4c66 v6.15.0cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...88e1563 [Fix] duplicates option should not apply to bracket notation keys9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main85cc8ca v6.12.5ffc12aa v6.11.40506b11 [actions] update reusable workflows6a37faf [actions] update reusable workflows8e8df5a [Fix] fix regressions from robustness refactord60bab3 v6.10.7Sourced from hono's releases.
\n\n\nv4.11.9
\nWhat's Changed
\n\n
\n- fix(url): ignore fragment identifiers in getPath() by
\n@sano-suguruin honojs/hono#4627- fix: determine if rendered or not by
\nnode.vC[0]instead of referring tonode.pPby@usualomain honojs/hono#4663Full Changelog: https://github.com/honojs/hono/compare/v4.11.8...v4.11.9
\nv4.11.8
\nWhat's Changed
\n\n
\n- fix(jsx): preserve context when using await before html helper by
\n@kaigritunin honojs/hono#4662- fix(bearer-auth): make auth-scheme case-insensitive by
\n@bytaesuin honojs/hono#4659New Contributors
\n\n
\n- \n
@kaigritunmade their first contribution in honojs/hono#4662Full Changelog: https://github.com/honojs/hono/compare/v4.11.7...v4.11.8
\nv4.11.7
\nSecurity Release
\nThis release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.
\nComponents
\nIP Restriction Middleware
\nFixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.
\nCache Middleware
\nFixed an issue where responses marked with
\nCache-Control: privateorno-storecould be cached, potentially leading to information disclosure on some runtimes.Serve Static Middleware (Cloudflare Workers adapter)
\nFixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.
\nhono/jsx
\nErrorBoundaryFixed a reflected Cross-Site Scripting (XSS) issue in the
\nErrorBoundarycomponent that could occur when untrusted strings were rendered without proper escaping.Recommendation
\nUsers are encouraged to upgrade to this release, especially if they:
\n\n
\n\n- Use IP Restriction Middleware
\n- Use Cache Middleware on Deno, Bun, or Node.js
\n- Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
\n- Render untrusted data inside
\nErrorBoundarycomponents
... (truncated)
\n69ad885 4.11.93d536ff fix: determine if rendered or not by node.vC[0] instead of referring to `no...0c1d4c7 fix(url): ignore fragment identifiers in getPath() (#4627)5ca5c3e 4.11.83aa2f9a fix(bearer-auth): make auth-scheme case-insensitive (#4659)cea7b7b fix(jsx): preserve context when using await before html helper (#4662)f7d272a 4.11.72cf6004 Merge commit from forkcf9a78d Merge commit from forkedbf6ee Merge commit from forkSourced from bytes's releases.
\n\n\nBytes v1.11.1
\n1.11.1 (February 3rd, 2026)
\n\n
\n- Fix integer overflow in
\nBytesMut::reserveBytes v1.11.0
\n1.11.0 (November 14th, 2025)
\n\n
\n- Bump MSRV to 1.57 (#788)
\nFixed
\n\n
\n- fix:
\nBytesMutonly reuse if src has remaining (#803)- Specialize
\nBytesMut::put::<Bytes>(#793)- Reserve capacity in
\nBytesMut::put(#794)- Change
\nBytesMut::remaining_mutto useisize::MAXinstead ofusize::MAX(#795)Internal changes
\n\n
Sourced from bytes's changelog.
\n\n\n1.11.1 (February 3rd, 2026)
\n\n
\n- Fix integer overflow in
\nBytesMut::reserve1.11.0 (November 14th, 2025)
\n\n
\n- Bump MSRV to 1.57 (#788)
\nFixed
\n\n
\n- fix:
\nBytesMutonly reuse if src has remaining (#803)- Specialize
\nBytesMut::put::<Bytes>(#793)- Reserve capacity in
\nBytesMut::put(#794)- Change
\nBytesMut::remaining_mutto useisize::MAXinstead ofusize::MAX(#795)Internal changes
\n\n
417dccd Release bytes v1.11.1 (#820)d0293b0 Merge commit from forka7952fb chore: prepare bytes v1.11.0 (#804)60cbb77 fix: BytesMut only reuse if src has remaining (#803)7ce330f Move drop_fn of from_owner into vtable (#801)4b53a29 Tweak BytesMut::remaining_mut (#795)016fdbd Reserve capacity in BytesMut::put (#794)ef7f257 Specialize BytesMut::put::<Bytes> (#793)8b4f54d Ignore BytesMut::freeze doctest on wasm (#790)16132ad Fix latest clippy warnings (#787)Sourced from bytes's releases.
\n\n\nBytes v1.11.1
\n1.11.1 (February 3rd, 2026)
\n\n
\n- Fix integer overflow in
\nBytesMut::reserveBytes v1.11.0
\n1.11.0 (November 14th, 2025)
\n\n
\n- Bump MSRV to 1.57 (#788)
\nFixed
\n\n
\n- fix:
\nBytesMutonly reuse if src has remaining (#803)- Specialize
\nBytesMut::put::<Bytes>(#793)- Reserve capacity in
\nBytesMut::put(#794)- Change
\nBytesMut::remaining_mutto useisize::MAXinstead ofusize::MAX(#795)Internal changes
\n\n
Sourced from bytes's changelog.
\n\n\n1.11.1 (February 3rd, 2026)
\n\n
\n- Fix integer overflow in
\nBytesMut::reserve1.11.0 (November 14th, 2025)
\n\n
\n- Bump MSRV to 1.57 (#788)
\nFixed
\n\n
\n- fix:
\nBytesMutonly reuse if src has remaining (#803)- Specialize
\nBytesMut::put::<Bytes>(#793)- Reserve capacity in
\nBytesMut::put(#794)- Change
\nBytesMut::remaining_mutto useisize::MAXinstead ofusize::MAX(#795)Internal changes
\n\n
417dccd Release bytes v1.11.1 (#820)d0293b0 Merge commit from forka7952fb chore: prepare bytes v1.11.0 (#804)60cbb77 fix: BytesMut only reuse if src has remaining (#803)7ce330f Move drop_fn of from_owner into vtable (#801)4b53a29 Tweak BytesMut::remaining_mut (#795)016fdbd Reserve capacity in BytesMut::put (#794)ef7f257 Specialize BytesMut::put::<Bytes> (#793)8b4f54d Ignore BytesMut::freeze doctest on wasm (#790)16132ad Fix latest clippy warnings (#787)Sourced from time's releases.
\n\n\nv0.3.47
\nSee the changelog for details.
\nv0.3.46
\nSee the changelog for details.
\n
Sourced from time's changelog.
\n\n\n0.3.47 [2026-02-05]
\nSecurity
\n\n
\n- \n
\nThe possibility of a stack exhaustion denial of service attack when parsing RFC 2822 has been\neliminated. Previously, it was possible to craft input that would cause unbounded recursion. Now,\nthe depth of the recursion is tracked, causing an error to be returned if it exceeds a reasonable\nlimit.
\nThis attack vector requires parsing user-provided input, with any type, using the RFC 2822 format.
\nCompatibility
\n\n
\n- Attempting to format a value with a well-known format (i.e. RFC 3339, RFC 2822, or ISO 8601) will\nerror at compile time if the type being formatted does not provide sufficient information. This\nwould previously fail at runtime. Similarly, attempting to format a value with ISO 8601 that is\nonly configured for parsing (i.e.
\nIso8601::PARSING) will error at compile time.Added
\n\n
\n- Builder methods for format description modifiers, eliminating the need for verbose initialization\nwhen done manually.
\n- \n
date!(2026-W01-2)is now supported. Previously, a space was required betweenWand01.- \n
[end]now has atrailing_inputmodifier which can either beprohibit(the default) or\ndiscard. When it isdiscard, all remaining input is ignored. Note that if there are components\nafter[end], they will still attempt to be parsed, likely resulting in an error.Changed
\n\n
\n- More performance gains when parsing.
\nFixed
\n\n
\n- If manually formatting a value, the number of bytes written was one short for some components.\nThis has been fixed such that the number of bytes written is always correct.
\n- The possibility of integer overflow when parsing an owned format description has been effectively\neliminated. This would previously wrap when overflow checks were disabled. Instead of storing the\ndepth as
\nu8, it is stored asu32. This would require multiple gigabytes of nested input to\noverflow, at which point we've got other problems and trivial mitigations are available by\ndownstream users.0.3.46 [2026-01-23]
\nAdded
\n\n
\n\n- All possible panics are now documented for the relevant methods.
\n- The need to use
\n#[serde(default)]when using customserdeformats is documented. This applies\nonly when deserializing anOption<T>.- \n
Duration::nanoseconds_i128has been made public, mirroring\nstd::time::Duration::from_nanos_u128.
... (truncated)
\nd5144cd v0.3.47 releasef6206b0 Guard against integer overflow in release mode1c63dc7 Avoid denial of service when parsing Rfc28225940df6 Add builder methods to avoid verbose construction00881a4 Manually format macros everywherebb723b6 Add trailing_input modifier to end31c4f8e Permit W12 in date! macro490a17b Mark error paths in well-known formats as cold6cb1896 Optimize Rfc2822 parsing6d264d5 Remove erroneous #[inline(never)] attributesSourced from bytes's releases.
\n\n\nBytes v1.11.1
\n1.11.1 (February 3rd, 2026)
\n\n
\n- Fix integer overflow in
\nBytesMut::reserveBytes v1.11.0
\n1.11.0 (November 14th, 2025)
\n\n
\n- Bump MSRV to 1.57 (#788)
\nFixed
\n\n
\n- fix:
\nBytesMutonly reuse if src has remaining (#803)- Specialize
\nBytesMut::put::<Bytes>(#793)- Reserve capacity in
\nBytesMut::put(#794)- Change
\nBytesMut::remaining_mutto useisize::MAXinstead ofusize::MAX(#795)Internal changes
\n\n
Sourced from bytes's changelog.
\n\n\n1.11.1 (February 3rd, 2026)
\n\n
\n- Fix integer overflow in
\nBytesMut::reserve1.11.0 (November 14th, 2025)
\n\n
\n- Bump MSRV to 1.57 (#788)
\nFixed
\n\n
\n- fix:
\nBytesMutonly reuse if src has remaining (#803)- Specialize
\nBytesMut::put::<Bytes>(#793)- Reserve capacity in
\nBytesMut::put(#794)- Change
\nBytesMut::remaining_mutto useisize::MAXinstead ofusize::MAX(#795)Internal changes
\n\n
417dccd Release bytes v1.11.1 (#820)d0293b0 Merge commit from forka7952fb chore: prepare bytes v1.11.0 (#804)60cbb77 fix: BytesMut only reuse if src has remaining (#803)7ce330f Move drop_fn of from_owner into vtable (#801)4b53a29 Tweak BytesMut::remaining_mut (#795)016fdbd Reserve capacity in BytesMut::put (#794)ef7f257 Specialize BytesMut::put::<Bytes> (#793)8b4f54d Ignore BytesMut::freeze doctest on wasm (#790)16132ad Fix latest clippy warnings (#787)Sourced from git2's changelog.
\n\n\n0.20.4 - 2026-02-02
\n\nFixed
\n\n
\n- Fix undefined behavior when dereferencing empty
\nBuf.\n#1213