Releases: vapor/vapor

4.92.1 - Fix URI handling with multiple slashes and variable components.

24 Jan 12:20
4942d74

What's Changed

Fix URI handling with multiple slashes and variable components. by @gwynne in #3143

Resolves some more subtle remaining issues in how URI is handled with respect to HTTP requests.

Fixes #3142.

This patch was released by @gwynne

Full Changelog: 4.92.0...4.92.1

4.92.0 - Fix broken URI behaviors

22 Jan 23:17
d5025b3

What's Changed

Fix broken URI behaviors by @gwynne in #3140

Numerous issues have arisen with the changes made to URI as a result of the fix for GHSA-r6r4-5pr8-gjcp. This update fixes all known issues and restores several changed URI behaviors (although, quite deliberately, not all of them), including new tests. Fixes #3133, #3135, #3137, and #3138.

Also addresses Sendable warnings in ContentEncoder, ContentDecoder, ContentContainer, PlaintextDecoder, PlaintextEncoder, URLQueryDecoder, URLQueryEncoder, URLQueryContainer, URLEncodedFormDecoder, and URLEncodedFormEncoder.

Shoutout to @weissi, @grahamburgsma, and @finestructure for their help tracking down the various problems, thank you all!

This patch was released by @gwynne

Full Changelog: 4.91.1...4.92.0

4.91.1 - Update routing-kit version

07 Jan 21:14
0680f9f

What's Changed

Update routing-kit version by @marius-se in #3131

Update routing-kit version to get Equatable conformance for PathComponents

Related to vapor/routing-kit#129
and swift-server/swift-openapi-vapor#13 (comment)

This patch was released by @gwynne

Full Changelog: 4.91.0...4.91.1

4.91.0 - Use `singleton` `EventLoopGroup`

07 Jan 17:05
5f7c5a3

What's Changed

Use singleton EventLoopGroup by @MahdiBM in #3128

Use the new singleton EventLoopGroup for more convenient and sometimes more performant APIs.

This patch was released by @MahdiBM

Full Changelog: 4.90.0...4.91.0

4.90.0

03 Jan 16:36
6db3d91

โš ๏ธ Security Update โš ๏ธ

This release fixes a long-standing issue in Vapor's URI parsing if users attempt to parse untrusted input that could lead to potential host spoofing. This was caused by using a C implementation with a uint16_t index with no bounds checking. For more details see the security advisory GHSA-qvxg-wjxc-r4gg.

This vulnerability has been designated as CVE-2024-21631. Thank you to baarde for reporting!
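
The failure mode named above, a 16-bit index stored without a bounds check, shown as an added example; this is not Vapor's parser code. The `field16` record, both store functions and the 70000-byte buffer are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record (not Vapor's code): start and length of one parsed
 * component of the input, each stored in 16 bits. */
struct field16 { uint16_t off; uint16_t len; };

/* Unchecked store: positions >= 65536 wrap modulo 65536 with no error. */
static struct field16 store_unchecked(size_t off, size_t len) {
    struct field16 f = { (uint16_t)off, (uint16_t)len };
    return f;
}

/* Checked store: refuse any component the 16-bit fields cannot describe. */
static bool store_checked(size_t off, size_t len, struct field16 *out) {
    if (off > UINT16_MAX || len > UINT16_MAX)
        return false;
    out->off = (uint16_t)off;
    out->len = (uint16_t)len;
    return true;
}

/* Constructed input: 70000 filler bytes, "true" at offset 65540 (where the
 * component really is) and "wrap" at offset 4 (65540 mod 65536).
 * Returns 1 when the unchecked record reads back "wrap" and the checked
 * store rejects the same position, -1 on allocation failure. */
static int demo(void) {
    const size_t n = 70000, real_off = 65540;
    struct field16 f, g;
    char *buf = malloc(n);
    if (buf == NULL) return -1;
    memset(buf, '.', n);
    memcpy(buf + real_off, "true", 4);
    memcpy(buf + (real_off & 0xFFFF), "wrap", 4);
    f = store_unchecked(real_off, 4);
    int wrapped = memcmp(buf + f.off, "wrap", 4) == 0;
    int refused = !store_checked(real_off, 4, &g);
    free(buf);
    return wrapped && refused;
}

int main(void) {
    printf("wrapped read and checked refusal: %d\n", demo());
    return 0;
}
```

With the check in place, an input too long for the 16-bit fields is rejected at parse time instead of yielding a component read from the wrong bytes.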

4.89.3 - Fix setting public folder for `FileMiddleware` when using bundles

14 Dec 02:56
67fe736

What's Changed

Fix setting public folder for FileMiddleware when using bundles by @grantjbutler in #3113

This PR fixes an issue where, if you provided a subfolder within a bundle's resources, the wrong path would be provided to the FileMiddleware, causing the resources to not be loaded.

For example, given a bundle with the following structure:

App.app/
└── Contents/
    ├── MacOS/
    │   └── App
    └── Resources/
        └── web-app/
            └── Public
                └── index.html

If you tried to create an instance of FileMiddleware that tried to use web-app/Public/ as the folder to serve files from, FileMiddleware would incorrectly use the resource path of the bundle (App.app/Resources/) instead of the full path to the specified folder (App.app/Resources/web-app/Public/).

This patch was released by @gwynne

Full Changelog: 4.89.2...4.89.3

4.89.2 - Consistently use the value from `X-Request-Id` as the request's ID when present

13 Dec 13:06
9c830d4

What's Changed

Consistently use the value from X-Request-Id as the request's ID when present by @baarde in #3117

Changes

This PR ensures that the Request's id and the value of the logger's request-id value are the same.

Motivation

The Request's id property was added in #2964 to expose the request-id identifier used for logging.

#3072 changed this behavior. The request-id identifier is now set:

  • to the value from the X-Request-Id header, when the header is present,
  • to a random identifier, when the header is absent.

Having two different identifiers is confusing. So, this PR reconciles the two values.

History

The first version of this PR allowed the two identifiers to differ when the X-Request-Id header is present, in order to maintain the original semantics of the id property.

This patch was released by @0xTim

Full Changelog: 4.89.1...4.89.2

4.89.1 - Fix encoding and decoding of HTTPHeaders

08 Dec 16:15
00c902c

What's Changed

Fix encoding and decoding of HTTPHeaders by @gwynne in #3116

The Codable conformance Vapor adds to the HTTPHeaders type now correctly handles cases where more than one header with the same name (such as Set-Cookie) is present, for both encoding and decoding.

The previous encoding format is still recognized for decoding, so that existing serialized data can be safely read.

This patch was released by @gwynne

Full Changelog: 4.89.0...4.89.1

4.89.0 - Add fully async entrypoints

06 Dec 18:18
3d62c0c

What's Changed

Add fully async entrypoints by @gwynne in #3114

Pretty much what it says on the tin. Use the new execute() API instead of run(), and/or startup() instead of start().

This patch was released by @gwynne

Full Changelog: 4.88.0...4.89.0

4.88.0 - Bring back AsyncCommands

01 Dec 22:08
c710b8f

What's Changed

Bring back AsyncCommands by @marius-se in #3109

Brings async commands back by adding a new property asyncCommands to Application.

This patch was released by @0xTim

Full Changelog: 4.87.1...4.88.0