Releases: vapor/vapor
4.92.1 - Fix URI handling with multiple slashes and variable components.
What's Changed
Fix URI handling with multiple slashes and variable components. by @gwynne in #3143
Resolves some more subtle remaining issues in how
URI
is handled with respect to HTTP requests.Fixes #3142.
This patch was released by @gwynne
Full Changelog: 4.92.0...4.92.1
4.92.0 - Fix broken URI behaviors
What's Changed
Fix broken URI behaviors by @gwynne in #3140
Numerous issues have arisen with the changes made to
URI
as a result of the fix for GHSA-r6r4-5pr8-gjcp. This update fixes all known issues and restores several changedURI
behaviors (although, quite deliberately, not all of them), including new tests. Fixes #3133, #3135, #3137, and #3138.Also addresses
Sendable
warnings inContentEncoder
,ContentDecoder
,ContentContainer
,PlaintextDecoder
,PlaintextEncoder
,URLQueryDecoder
,URLQueryEncoder
,URLQueryContainer
,URLEncodedFormDecoder
, andURLEncodedFormEncoder
.Shoutout to @weissi, @grahamburgsma, and @finestructure for their help tracking down the various problems, thank you all!
Reviewers
Thanks to the reviewers for their help:
This patch was released by @gwynne
Full Changelog: 4.91.1...4.92.0
4.91.1 - Update routing-kit version
What's Changed
Update routing-kit version by @marius-se in #3131
Update routing-kit version to get
Equatable
conformance forPathComponent
sRelated to vapor/routing-kit#129
and swift-server/swift-openapi-vapor#13 (comment)
New Contributor
- @marius-se made their first contribution in #3131 ๐
This patch was released by @gwynne
Full Changelog: 4.91.0...4.91.1
4.91.0 - Use `singleton` `EventLoopGroup`
What's Changed
Use singleton
EventLoopGroup
by @MahdiBM in #3128
Use the new
singleton
EventLoopGroup
for more convenient and sometimes more performant APIs.
Reviewers
Thanks to the reviewers for their help:
This patch was released by @MahdiBM
Full Changelog: 4.90.0...4.91.0
4.90.0
This release fixes a long standing issue in Vapor's URI parsing if users attempt to parse untrusted input that could lead to potential host spoofing. This was caused by using a C implementation with a uint16_t
index with no bounds checking. For more details see the security advisory GHSA-qvxg-wjxc-r4gg.
This vulnerability has been designated as CVE-2024-21631. Thank you to baarde for reporting!
4.89.3 - Fix setting public folder for `FileMiddleware` when using bundles
What's Changed
Fix setting public folder for FileMiddleware
when using bundles by @grantjbutler in #3113
This PR fixes an issue where, if you provided a subfolder within a bundleโs resources, the wrong path would be provided to the
FileMiddleware
, causing the resources to not be loaded.For example, given a bundle with the following structure:
App.app/ โโโ Contents/ โโโ MacOS/ โ โโโ App โโโ Resources/ โโโ web-app/ โโโ Public โโโ index.html
If you tried to create an instance of
FileMiddleware
that tried to useweb-app/Public/
as the folder to serve files from,FileMiddleware
would incorrectly use the resource path of the bundle (App.app/Resources/
) instead of the full path to the specified folder (App.app/Resources/web-app/Public/
).
New Contributor
- @grantjbutler made their first contribution in #3113 ๐
This patch was released by @gwynne
Full Changelog: 4.89.2...4.89.3
4.89.2 - Consistently use the value from `X-Request-Id` as the request's ID when present
What's Changed
Consistently use the value from X-Request-Id
as the request's ID when present by @baarde in #3117
Changes
This PR ensures that the Requestโs
id
and the value of the loggerโsrequest-id
value are the same.Motivation
The Requestโs
id
property was added in #2964 to expose therequest-id
identifier used for logging.#3072 changed this behavior. The
request-id
identifier is now set:
- to the value from the
X-Request-Id
header, when the header is present,- to a random identifier, when the header is absent.
Having two different identifiers is confusing. So, this PR reconciles the two values.
History
The first version of this PR allowed the two identifiers to differ when the
X-Request-Id
header is present, in order to maintain the original semantics of theid
property.
New Contributor
Reviewers
Thanks to the reviewers for their help:
This patch was released by @0xTim
Full Changelog: 4.89.1...4.89.2
4.89.1 - Fix encoding and decoding of HTTPHeaders
What's Changed
Fix encoding and decoding of HTTPHeaders by @gwynne in #3116
The
Codable
conformance Vapor adds to theHTTPHeaders
type now correctly handles cases where more than one header with the same name (such asSet-Cookie
) is present, for both encoding and decoding.The previous encoding format is still recognized for decoding, so that existing serialized data can be safely read.
This patch was released by @gwynne
Full Changelog: 4.89.0...4.89.1
4.89.0 - Add fully async entrypoints
What's Changed
Add fully async entrypoints by @gwynne in #3114
Pretty much what it says on the tin. Use the new
execute()
API instead ofrun()
, and/orstartup()
instead ofstart()
.
Reviewers
Thanks to the reviewers for their help:
This patch was released by @gwynne
Full Changelog: 4.88.0...4.89.0
4.88.0 - Bring back AsyncCommands
What's Changed
Bring back AsyncCommands by @marius-se in #3109
Brings async commands back by adding a new property
asyncCommands
toApplication
.
New Contributor
- @marius-se made their first contribution in #3109 ๐
This patch was released by @0xTim
Full Changelog: 4.87.1...4.88.0