Git 2.32 Release Notes
======================
Backward compatibility notes
----------------------------
* ".gitattributes", ".gitignore", and ".mailmap" files that are
symbolic links are ignored.
* "git apply --3way" used to first attempt a straight application,
and only fell back to the 3-way merge algorithm when the straight
application failed. Starting with this version, the command will
first try the 3-way merge algorithm and only when it fails (either
resulting with conflict or the base versions of blobs are missing),
falls back to the usual patch application.
Updates since v2.31
-------------------
UI, Workflows & Features
* It does not make sense to make ".gitattributes", ".gitignore" and
".mailmap" symlinks, as they are supposed to be usable from the
object store (think: bare repositories where HEAD:.mailmap etc. are
used). When these files are symbolic links, we used to read the
contents of the files pointed to by them by mistake, which has been
corrected.
* "git stash show" learned to optionally show untracked part of the
stash.
* "git log --format='...'" learned "%(describe)" placeholder.
* "git repack" so far has been only capable of repacking everything
under the sun into a single pack (or split by size). A cleverer
strategy to reduce the cost of repacking a repository has been
introduced.
* The http codepath learned to let the credential layer cache the
password used to unlock a certificate that has successfully been
used.
* "git commit --fixup=<commit>", which was to tweak the changes made
to the contents while keeping the original log message intact,
learned "--fixup=(amend|reword):<commit>", that can be used to
tweak both the message and the contents, and only the message,
respectively.
* "git send-email" learned to honor the core.hooksPath configuration.
* "git format-patch -v<n>" learned to allow a reroll count that is
not an integer.
* "git commit" learned "--trailer <key>[=<value>]" option; together
with the interpret-trailers command, this will make it easier to
support custom trailers.
* "git clone --reject-shallow" option fails the clone as soon as we
notice that we are cloning from a shallow repository.
* A configuration variable has been added to force tips of certain
refs to be given a reachability bitmap.
* "gitweb" learned "e-mail privacy" feature to redact strings that
look like e-mail addresses on various pages.
* "git apply --3way" has always been "to fall back to 3-way merge
only when straight application fails". Swap the order of falling
back so that 3-way is always attempted first (only when the option
is given, of course) and then straight patch application is used as
a fallback when it fails.
* "git apply" now takes "--3way" and "--cached" at the same time, and
works and records results only in the index.
* The command line completion (in contrib/) has learned that
CHERRY_PICK_HEAD is a possible pseudo-ref.
* Userdiff patterns for "Scheme" have been added.
* "git log" learned "--diff-merges=<style>" option, with an
associated configuration variable log.diffMerges.
* "git log --format=..." placeholders learned %ah/%ch placeholders to
request the --date=human output.
* Replace GIT_CONFIG_NOSYSTEM mechanism to decline from reading the
system-wide configuration file with GIT_CONFIG_SYSTEM that lets
users specify from which file to read the system-wide configuration
(setting it to an empty file would essentially be the same as
setting NOSYSTEM), and introduce GIT_CONFIG_GLOBAL to override the
per-user configuration in $HOME/.gitconfig.
* "git add" and "git rm" learned not to touch those paths that are
outside of sparse checkout.
* "git rev-list" learns the "--filter=object:type=<type>" option,
which can be used to exclude objects of the given kind from the
packfile generated by pack-objects.
* The command line completion (in contrib/) for "git stash" has been
updated.
* "git subtree" updates.
* It is now documented that "format-patch" skips merges.
* Options to "git pack-objects" that take numeric values like
--window and --depth should not accept negative values; the input
validation has been tightened.
* The way the command line specified by the trailer.<token>.command
configuration variable receives the end-user supplied value was
both error prone and misleading. An alternative to achieve the
same goal in a safer and more intuitive way has been added, as
the trailer.<token>.cmd configuration variable, to replace it.
* "git add -i --dry-run" does not dry-run, which was surprising. The
combination of options has been taught to error out.
* "git push" learns to discover common ancestor with the receiving
end over protocol v2. This will hopefully make "git push" as
efficient as "git fetch" in avoiding objects from getting
transferred unnecessarily.
* "git mailinfo" (hence "git am") learned the "--quoted-cr" option to
control how lines ending with CRLF wrapped in base64 or qp are
handled.
Performance, Internal Implementation, Development Support etc.
* Rename detection rework continues.
* GIT_TEST_FAIL_PREREQS is a mechanism to skip test pieces with
prerequisites to catch broken tests that depend on the side effects
of optional pieces, but did not work at all when negative
prerequisites were involved.
(merge 27d578d904 jk/fail-prereq-testfix later to maint).
* "git diff-index" codepath has been taught to trust fsmonitor status
to reduce number of lstat() calls.
(merge 7e5aa13d2c nk/diff-index-fsmonitor later to maint).
* Reorganize Makefile to allow building git.o and other essential
objects without extra stuff needed only for testing.
* Preparatory API changes for parallel checkout.
* A simple IPC interface gets introduced to build services like
fsmonitor on top.
* Fsck API clean-up.
* SECURITY.md that is facing individual contributors and end users
has been introduced. Also a procedure to follow when preparing
embargoed releases has been spelled out.
(merge 09420b7648 js/security-md later to maint).
* Optimize "rev-list --use-bitmap-index --objects" corner case that
uses negative tags as the stopping points.
* CMake update for vsbuild.
* An on-disk reverse-index to map the in-pack location of an object
back to its object name across multiple packfiles is introduced.
* Generate [ec]tags under $(QUIET_GEN).
* Clean up codepaths that implement "git send-email --validate"
option and improve the message from it.
* The last remnant of gettext-poison has been removed.
* The test framework has been taught to optionally turn the default
merge strategy to "ort" throughout the system where we use
three-way merges internally, like cherry-pick, rebase etc.,
primarily to enhance its test coverage (the strategy has been
available as an explicit "-s ort" choice).
* A bit of code clean-up and a lot of test clean-up around userdiff
area.
* Handling of "promisor packs" that allows certain objects to be
missing and lazily retrievable has been optimized (a bit).
* When packet_write() fails, we gave an extra error message
unnecessarily, which has been corrected.
* The checkout machinery has been taught to perform the actual
write-out of the files in parallel when able.
* Show errno in the trace output in the error codepath that calls
read_raw_ref method.
* Effort to make the command line completion (in contrib/) safe with
"set -u" continues.
* Tweak a few tests for "log --format=..." that show timestamps in
various formats.
* The reflog expiry machinery has been taught to emit trace events.
* Over-the-wire protocol learns a new request type to ask for object
sizes given a list of object names.
Fixes since v2.31
-----------------
* The fsmonitor interface read from its input without making sure
there is something to read from. This bug is new in 2.31
timeframe.
* The data structure used by fsmonitor interface was not properly
duplicated during an in-core merge, leading to use-after-free etc.
* "git bisect" reimplemented more in C during 2.30 timeframe did not
take an annotated tag as a good/bad endpoint well. This regression
has been corrected.
* Fix macros that can silently inject unintended null-statements.
* CALLOC_ARRAY() macro replaces many uses of xcalloc().
* Update instructions in Makefile comments to run fuzz-all target.
* Fix a corner case bug in "git mv" on case insensitive systems,
which was introduced in 2.29 timeframe.
* We had code to diagnose and die cleanly when a required
clean/smudge filter is missing, but an assert before that
unnecessarily fired, hiding the end-user facing die() message.
(merge 6fab35f748 mt/cleanly-die-upon-missing-required-filter later to maint).
* Update C code that sets a few configuration variables when a remote
is configured so that it spells configuration variable names in the
canonical camelCase.
(merge 0f1da600e6 ab/remote-write-config-in-camel-case later to maint).
* A new configuration variable has been introduced to allow choosing
which version of the generation number gets used in the
commit-graph file.
(merge 702110aac6 ds/commit-graph-generation-config later to maint).
* Perf test update to work better in secondary worktrees.
(merge 36e834abc1 jk/perf-in-worktrees later to maint).
* Updates to memory allocation code around the use of pcre2 library.
(merge c1760352e0 ab/grep-pcre2-allocfix later to maint).
* "git -c core.bare=false clone --bare ..." would have segfaulted,
which has been corrected.
(merge 75555676ad bc/clone-bare-with-conflicting-config later to maint).
* When "git checkout" removes a path that does not exist in the
commit it is checking out, it wasn't careful enough not to follow
symbolic links, which has been corrected.
(merge fab78a0c3d mt/checkout-remove-nofollow later to maint).
* A few option description strings started with capital letters,
which were corrected.
(merge 5ee90326dc cc/downcase-opt-help later to maint).
* Plug or annotate remaining leaks that trigger while running the
very basic set of tests.
(merge 68ffe095a2 ah/plugleaks later to maint).
* The hashwrite() API uses a buffering mechanism to avoid calling
write(2) too frequently. This logic has been refactored to be
easier to understand.
(merge ddaf1f62e3 ds/clarify-hashwrite later to maint).
* "git cherry-pick/revert" with or without "--[no-]edit" did not spawn
the editor as expected (e.g. "revert --no-edit" after a conflict
still asked to edit the message), which has been corrected.
(merge 39edfd5cbc en/sequencer-edit-upon-conflict-fix later to maint).
* "git daemon" has been tightened against systems that take backslash
as directory separator.
(merge 9a7f1ce8b7 rs/daemon-sanitize-dir-sep later to maint).
* A NULL-dereference bug has been corrected in an error codepath in
"git for-each-ref", "git branch --list" etc.
(merge c685450880 jk/ref-filter-segfault-fix later to maint).
* Streamline the codepath to fix the UTF-8 encoding issues in the
argv[] and the prefix on macOS.
(merge c7d0e61016 tb/precompose-prefix-simplify later to maint).
* The command-line completion script (in contrib/) had a couple of
references that would have given a warning under the "-u" (nounset)
option.
(merge c5c0548d79 vs/completion-with-set-u later to maint).
* When "git pack-objects" makes a literal copy of a part of existing
packfile using the reachability bitmaps, its update to the progress
meter was broken.
(merge 8e118e8490 jk/pack-objects-bitmap-progress-fix later to maint).
* The dependencies for config-list.h and command-list.h were broken
when the former was split out of the latter, which has been
corrected.
(merge 56550ea718 sg/bugreport-fixes later to maint).
* "git push --quiet --set-upstream" was not quiet when setting the
upstream branch configuration, which has been corrected.
(merge f3cce896a8 ow/push-quiet-set-upstream later to maint).
* The prefetch task in "git maintenance" assumed that "git fetch"
from any remote would fetch all its local branches, which would
fetch too much if the user is interested in only a subset of
branches there.
(merge 32f67888d8 ds/maintenance-prefetch-fix later to maint).
* Clarify that pathnames recorded in Git trees are most often (but
not necessarily) encoded in UTF-8.
(merge 9364bf465d ab/pathname-encoding-doc later to maint).
* "git --config-env var=val cmd" wasn't accepted (only
--config-env=var=val was).
(merge c331551ccf ps/config-env-option-with-separate-value later to maint).
* When the reachability bitmap is in effect, the "do not lose
recently created objects and those that are reachable from them"
safety to protect us from races was disabled by mistake, which has
been corrected.
(merge 2ba582ba4c jk/prune-with-bitmap-fix later to maint).
* Cygwin pathname handling fix.
(merge bccc37fdc7 ad/cygwin-no-backslashes-in-paths later to maint).
* "git rebase --[no-]reschedule-failed-exec" did not work well with
its configuration variable, which has been corrected.
(merge e5b32bffd1 ab/rebase-no-reschedule-failed-exec later to maint).
* Portability fix for command line completion script (in contrib/).
(merge f2acf763e2 si/zsh-complete-comment-fix later to maint).
* "git repack -A -d" in a partial clone unnecessarily loosened
objects in promisor pack.
* "git bisect skip" when custom words are used for new/old did not
work, which has been corrected.
* A few variants of the informational message "Already up-to-date" have
been rephrased.
(merge ad9322da03 js/merge-already-up-to-date-message-reword later to maint).
* "git submodule update --quiet" did not propagate the quiet option
down to underlying "git fetch", which has been corrected.
(merge 62af4bdd42 nc/submodule-update-quiet later to maint).
* Document that our test can use "local" keyword.
(merge a84fd3bcc6 jc/test-allows-local later to maint).
* The word-diff mode has been taught to work better with a word
regexp that can match an empty string.
(merge 0324e8fc6b pw/word-diff-zero-width-matches later to maint).
* "git p4" learned to find branch points more efficiently.
(merge 6b79818bfb jk/p4-locate-branch-point-optim later to maint).
* When "git update-ref -d" removes a ref that is packed, it left
empty directories under $GIT_DIR/refs/ for
(merge 5f03e5126d wc/packed-ref-removal-cleanup later to maint).
* "git clean" and "git ls-files -i" had confusion around working on
or showing ignored paths inside an ignored directory, which has
been corrected.
(merge b548f0f156 en/dir-traversal later to maint).
* The handling of "%(push)" formatting element of "for-each-ref" and
friends was broken when the same codepath started handling
"%(push:<what>)", which has been corrected.
(merge 1e1c4c5eac zh/ref-filter-push-remote-fix later to maint).
* The bash prompt script (in contrib/) did not work under "set -u".
(merge 5c0cbdb107 en/prompt-under-set-u later to maint).
* The "chainlint" feature in the test framework is a handy way to
catch common mistakes in writing new tests, but tends to get
expensive. A knob to selectively disable it has been introduced
to help running tests that the developer has not modified.
(merge 2d86a96220 jk/test-chainlint-softer later to maint).
* The "rev-parse" command did not diagnose the lack of argument to
"--path-format" option, which was introduced in v2.31 era, which
has been corrected.
(merge 99fc555188 wm/rev-parse-path-format-wo-arg later to maint).
* Other code cleanup, docfix, build fix, etc.
(merge f451960708 dl/cat-file-doc-cleanup later to maint).
(merge 12604a8d0c sv/t9801-test-path-is-file-cleanup later to maint).
(merge ea7e63921c jr/doc-ignore-typofix later to maint).
(merge 23c781f173 ps/update-ref-trans-hook-doc later to maint).
(merge 42efa1231a jk/filter-branch-sha256 later to maint).
(merge 4c8e3dca6e tb/push-simple-uses-branch-merge-config later to maint).
(merge 6534d436a2 bs/asciidoctor-installation-hints later to maint).
(merge 47957485b3 ab/read-tree later to maint).
(merge 2be927f3d1 ab/diff-no-index-tests later to maint).
(merge 76593c09bb ab/detox-gettext-tests later to maint).
(merge 28e29ee38b jc/doc-format-patch-clarify later to maint).
(merge fc12b6fdde fm/user-manual-use-preface later to maint).
(merge dba94e3a85 cc/test-helper-bloom-usage-fix later to maint).
(merge 61a7660516 hn/reftable-tables-doc-update later to maint).
(merge 81ed96a9b2 jt/fetch-pack-request-fix later to maint).
(merge 151b6c2dd7 jc/doc-do-not-capitalize-clarification later to maint).
(merge 9160068ac6 js/access-nul-emulation-on-windows later to maint).
(merge 7a14acdbe6 po/diff-patch-doc later to maint).
(merge f91371b948 pw/patience-diff-clean-up later to maint).
(merge 3a7f0908b6 mt/clean-clean later to maint).
(merge d4e2d15a8b ab/streaming-simplify later to maint).
(merge 0e59f7ad67 ah/merge-ort-i18n later to maint).
(merge e6f68f62e0 ls/typofix later to maint).
Brief description of application changes:
integrate Official HN APIs:
-#36: use the official APIs to display the Story View - Front Page similarly to
HN front-page.
-#37: remove StoryPooling feature and replace it with LazyLoadingComments
feature which lazily loads comments on demand.
-#39: allow all configuration options to be optional. Previously, user needs to
create the config file based on the example config. Now, if an option is not
specified, a default value will be used instead (for more information/
documentation, refer to the example config file).
Brief description of codebase changes:
-Refactor the repo into 3 separate crates: hackernews_tui for main binary crate,
config_parser (lib) and config_parser_derive (proc-macro) for the libraries to
parse configuration options from the config file.
-#38: reduce the .clone() usage, move the application's hn_client::HNClient to
global state.
-small refactoring and documentation improvements
htmlwidgets 1.5.3
-------------------------------------------------------
### New features
* Added a `reportTheme` argument to `shinyWidgetOutput()`. If `TRUE`,
CSS styles of the widget's output container are made available to
`shiny::getCurrentOutputInfo()`, making it possible to provide
'smart' styling defaults in a `renderWidget()` context. (#361)
* `shinyRenderWidget()` now has a `cacheHint` parameter, for use with
Shiny's new `bindCache()` function. (#391)
* Support a new `PACKAGE::widget_html.WIDGETNAME` convention for
defining custom widget HTML. This replaces the earlier
`PACKAGE::WIDGETNAME_html` convention, which continues to work but
may be deprecated at some point in the future. The goal for the new
convention is to prevent accidentally matching functions that were
never intended for this purpose. (Thanks, @thebioengineer!) (#376)
* Export the `JSEvals` function, allowing other packages to support
`JS()` in non-widget contexts.
### Bug fixes
* `saveWidget()`'s `file` argument now properly handles relative
paths. (#299)
* Fixed an issue with passing named function declarations to `JS()`
and `onRender()` (introduced by v1.4). (#356)
htmlwidgets 1.5.2
-------------------------------------------------------
* Emergency patch release to fix an issue with rendering htmlwidgets
in flexdashboard. More generally, this change implies that if any
htmlwidget is printed via a knitr code chunk with multiple values
for fig.width/fig.height, only the first value is used for the
widget's sizing policy. (#387)
htmlwidgets 1.5.1
-------------------------------------------------------
* Fixed an issue with dynamically rendered widgets (i.e., using
`shiny::uiOutput()` to render a widget) with any version of shiny
prior to 1.4. This issue was introduced by htmlwidgets 1.5. (#351)
htmlwidgets 1.5
-----------------------------------------------------------------------
* Fixed an incompatibility with Shiny v1.4.0: due to Shiny upgrading
from jQuery 1.x to 3.x, the timing of some initialization routines
has changed. This caused some widget `renderValue` calls to occur at
an earlier point in Shiny's initialization process than with earlier
versions of Shiny. (#345)
htmlwidgets 1.4 (unreleased)
-----------------------------------------------------------------------
* JavaScript statements can now be passed along to `onRender()` and
`JS()` (#329).
0.10.1
Bugs fixed
Fix blocking of pty_read when there isn't pty data ready to read
Contributors to this release
0.10.0
Enhancements made
Support creating terminal given name in kwargs.
Bugs fixed
avoid persistent handle on IOLoop instance
Maintenance and upkeep improvements
async/await syntax
PR: Pin pywinpty version to 1.1.0
0.9.5
Pin pywinpty version
0.9.4
Allow non-strict decode for process output
Switch to GitHub Actions
Add generated changelog
0.9.3
Make sure SIGPIPE has default handler set
0.9.2
Add js files in package manifest
Add support to ppc64le
Fix config files for publication
0.9.1
v0.9.1
0.9.0
Drop python 2 and 3.4 and 3.5 support
Make sure that all process output makes it to the terminal
7.6
---
To see the full list of pull requests and issues, see the [7.6.0 milestone](https://github.com/jupyter-widgets/ipywidgets/milestone/31?closed=1) on GitHub.
The main change in this release is that installing `ipywidgets` 7.6.0 will now automatically enable ipywidgets support in JupyterLab 3.0—a user has no extra JupyterLab installation step and no rebuild of JupyterLab, nor do they need Node.js installed. Simply install the python ipywidgets package with pip (`pip install ipywidgets==7.6.0`) or conda/mamba (`conda install -c conda-forge ipywidgets=7.6.0`) and ipywidgets will automatically work in classic Jupyter Notebook and in JupyterLab 3.0.
This is accomplished with the new python package `jupyterlab_widgets` version 1.0, on which `ipywidgets` 7.6.0 now depends (similar to how `ipywidgets` already depends on the `widgetsnbextension` package to configure ipywidgets for the classic Jupyter Notebook). The `jupyterlab_widgets` Python package is a JupyterLab 3.0 prebuilt extension, meaning that it can be installed into JupyterLab 3.0 without rebuilding JupyterLab and without needing Node.js installed.
Updates for Widget Maintainers
Custom widget maintainers will need to make two changes to update for JupyterLab 3:
1. Update the `@jupyter-widgets/base` dependency version to include `^4` to work in JupyterLab 3.0. For example, if you had a dependency on `@jupyter-widgets/base` version `^2 || ^3`, update to `^2 || ^3 || ^4` for your widget to work in classic Jupyter Notebook, JupyterLab 1, JupyterLab 2, and JupyterLab 3.
2. In the `package.json`, add the following `sharedPackages` configuration inside the `jupyterlab` key. See the [JupyterLab extension documentation](https://jupyterlab.readthedocs.io/en/stable/extension/extension_dev.html#requiring-a-service) for more information.
```json
"jupyterlab": {
  "sharedPackages": {
    "@jupyter-widgets/base": {
      "bundled": false,
      "singleton": true
    }
  }
}
```
Separate from these two steps to update for JupyterLab 3, we also recommend that you make your widget's JupyterLab extension a prebuilt extension for JupyterLab 3.0. Users will be able to install your JupyterLab 3.0 prebuilt extension without rebuilding JupyterLab or needing Node.js. See the [JupyterLab 3 extension developer documentation](https://jupyterlab.readthedocs.io/en/stable/extension/extension_dev.html) or the new [widget extension cookiecutter](https://github.com/jupyter-widgets/widget-ts-cookiecutter/tree/jlab3) for more details.
5.1.3
=====
- Change id generation to be hash based to avoid problematic word combinations
- Added tests for python 3.9
- Fixed setup.py build operations to include package data
5.1.2
=====
- Fixed missing file in manifest
5.1.1
=====
- Changes convert.upgrade to upgrade minor 4.x versions to 4.5
5.1.0
=====
- Implemented CellIds from JEP-62
- Fixed a regression introduced when using fastjsonschema,
which does not directly support to validate a "reference"/"subschema"
- Removed unreachable/unneeded code
- Added CI workflow for package release on tag push
Switch to Latchset distribution now that Uninett version is abandonware.
Changes since 0.14.2 from the NEWS file:
Version 0.17.0
---------------------------------------------------------------------------
Enhancements:
* New option MellonSendExpectHeader (default On) which allows disabling
sending the Expect header in the HTTP-Artifact binding to improve
performance when the remote party does not support this header.
* Set SameSite attribute to None on the cookietest cookie.
* Bump default generated keysize to 3072 bits in mellon_create_metadata.
Bug fixes:
* Validate if the assertion ID has not been used earlier before creating
a new session.
* Release session cache after calling invalidate endpoint.
* In MellonCond directives, fix a bug that setting the NC option would
also activate substring match and that REG would activate REF.
* Fix MellonCond substring match to actually match the substring on
the attribute value.
Version 0.16.0
---------------------------------------------------------------------------
Enhancements:
* The MellonCookieSameSite option accepts a new valid value "None". This is intended
to be used together with "MellonSecureCookie On". With some newer browsers,
only cookies with "SameSite=None; Secure" would be available for cross-site
access.
* A new option MellonEnabledInvalidateSessionEndpoint was added. When this
option is enabled, then a user can invalidate their session locally by
calling the "/invalidate" endpoint.
Version 0.15.0
---------------------------------------------------------------------------
Security fixes:
* [CVE-2019-13038] Redirect URL validation bypass
Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
validation to be bypassed by specifying a URL formatted as
"http:www.hostname.com". In this case, the APR parsing utility
would parse the scheme as http, host as NULL and path as www.hostname.com.
Browsers, however, interpret the URL differently and redirect to
www.hostname.com. This could be reproduced with:
https://application.com/mellon/login?ReturnTo=http:www.hostname.com
This version fixes that issue by rejecting all URLs with
scheme, but no host name.
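The parsing mismatch and the fix described above, as an added example that is not mod_auth_mellon code: Python's `urlsplit` stands in for the APR parser and splits "http:www.hostname.com" the same way (scheme set, host absent). The `check_return_to` helper and the `ALLOWED_HOSTS` allowlist are hypothetical, and the host and scheme checks go beyond the single rule this release added.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example (hypothetical, not a mod_auth_mellon setting).
ALLOWED_HOSTS = frozenset({"application.com"})


def check_return_to(url, allowed_hosts=ALLOWED_HOSTS):
    """Classify a post-login redirect target; returns (accepted, reason)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # None when the authority part is absent or empty
    except ValueError:
        return False, "unparseable"

    if parts.scheme and not host:
        # The CVE-2019-13038 shape: "http:www.hostname.com" parses as
        # scheme="http", host=None, path="www.hostname.com". A validator that
        # only compares the host finds nothing to reject, so the rule from
        # the 0.15.0 fix is applied first: scheme present, host missing.
        return False, "scheme without host"

    if not parts.scheme and not host:
        # Plain relative reference: resolved against the current origin.
        return True, "relative"

    if parts.scheme and parts.scheme not in ("http", "https"):
        return False, "unexpected scheme"

    # Covers absolute URLs and scheme-relative ones such as "//host/path".
    if host not in allowed_hosts:
        return False, "host not allowed"
    return True, "allowed host"


# Constructed sample inputs; the first is the ReturnTo value quoted in the notes.
SAMPLES = [
    "http:www.hostname.com",
    "http:/www.hostname.com",
    "https://application.com/protected",
    "/protected/page",
    "//www.hostname.com/x",
    "https://www.hostname.com/",
]


def classify_samples():
    """Run the validator over SAMPLES and return {url: (accepted, reason)}."""
    return {url: check_return_to(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, (ok, reason) in classify_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {url:40}  {reason}")
```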
Enhancements:
* An XSLT script that allows converting attribute maps from Shibboleth
to a set of MellonSetEnvNoPrefix entries was added. The script can
be found at doc/mellon-attribute-map.xsl
* A new configuration option MellonEnvPrefix was added. This option allows
you to configure the variable prefix, which normally defaults to MELLON_
* A new configuration option MellonAuthnContextComparisonType was added.
This option allows you to set the "Comparison" attribute within
the AuthnRequest
Notable bug fixes:
* Compilation issues on Solaris were fixed
Simplifies custom 'CSS' styling of both 'shiny' and 'rmarkdown' via
'Bootstrap' 'Sass'. Supports both 'Bootstrap' 3 and 4 as well as their
various 'Bootswatch' themes. An interactive widget is also provided
for previewing themes in real time.
shiny 1.6.0
================
This release focuses on improvements in three main areas:
1. Better theming (and Bootstrap 4) support:
* The `theme` argument of `fluidPage()`, `navbarPage()`, and
`bootstrapPage()` all now understand `bslib::bs_theme()` objects,
which can be used to opt-into Bootstrap 4, use any Bootswatch
theme, and/or implement custom themes without writing any CSS.
* The `session` object now includes `$setCurrentTheme()` and
`$getCurrentTheme()` methods to dynamically update (or obtain) the
page's `theme` after initial load, which is useful for things such
as [adding a dark mode switch to an
app](https://rstudio.github.io/bslib/articles/theming.html#dynamic-shiny)
or some other "real-time" theming tool like `bslib::bs_themer()`.
* For more details, see [`{bslib}`'s
website](https://rstudio.github.io/bslib/)
2. Caching of `reactive()` and `render*()` (e.g. `renderText()`,
`renderTable()`, etc) expressions.
* Such expressions automatically cache their _most recent value_,
which helps to avoid redundant computation within a single "flush" of
reactivity. The new `bindCache()` function can be used to cache _all
previous values_ (as long as they fit in the cache). This cache may be
optionally scoped within and/or across user sessions, possibly leading
to huge performance gains, especially when deployed at scale across
user sessions.
* For more details, see `help(bindCache, package = "shiny")`
3. Various improvements to accessibility for screen-reader and keyboard users.
* For more details, see the accessibility section below.
## Full changelog
### Breaking changes
* Closed #3074: Shiny no longer supports file uploads for Internet Explorer 8 or 9. (#3075)
* Subtle changes, and some soft-deprecations, have come to
`freezeReactiveValue` and `freezeReactiveVal` (#3055). These functions
have been fragile at best in previous releases (issues #1791, #2463,
#2946). In this release, we've solved all the problems we know about with
`freezeReactiveValue(input, "x")`, by 1) invalidating `input$x` and set
it to `NULL` whenever we freeze, and 2) ensuring that, after a freeze,
even if the effect of `renderUI` or `updateXXXInput` is to set `input$x`
to the same value it already has, this will result in an invalidation
(whereas by default, Shiny filters out such spurious assignments).
Similar problems may exist when using `freezeReactiveVal`, and when using
`freezeReactiveValue` with non-`input` reactive values objects. But
support for those was added mostly for symmetry with
`freezeReactiveValue(input)`, and given the above issues, it's not clear
to us how you could have used these successfully in the past, or why you
would even want to. For this release, we're soft-deprecating both of
those uses, but we're more than willing to un-deprecate if it turns out
people are using these; if that includes you, please join the
conversation at https://github.com/rstudio/shiny/issues/3063. In the
meantime, you can squelch the deprecation messages for these functions
specifically, by setting `options(shiny.deprecation.messages.freeze =
FALSE)`.
### Accessibility
* Added [bootstrap accessibility
plugin](https://github.com/paypal/bootstrap-accessibility-plugin) under
the hood to improve accessibility of shiny apps for screen-reader and
keyboard users: the enhancements include better navigations for alert,
tooltip, popover, modal dialog, dropdown, tab Panel, collapse, and
carousel elements. (#2911)
* Closed #2987: Improved accessibility of "live regions" -- namely,
`*Output()` bindings and `update*Input()`. (#3042)
* Added appropriate labels to `icon()` element to provide screen-reader
users with alternative descriptions for the `fontawesome` and
`glyphicon`: `aria-label` is automatically applied based on the
fontawesome name. For example, `icon("calendar")` will be announced as
"calendar icon" to screen readers. "presentation" aria role has also been
attached to `icon()` to remove redundant semantic info for screen
readers. (#2917)
* Closed #2929: Fixed keyboard accessibility for file picker button:
keyboard users can now tab to focus on `fileInput()` widget. (#2937)
* Fixed #2951: screen readers correctly announce labels and date formats
for `dateInput()` and `dateRangeInput()` widgets. (#2978)
* Closed #2847: `selectInput()` is reasonably accessible for screen readers
even when `selectize` option is set to TRUE. To improve `selectize.js`
accessibility, we have added
[selectize-plugin-a11y](https://github.com/SLMNBJ/selectize-plugin-a11y)
by default. (#2993)
* Closed #612: Added `alt` argument to `renderPlot()` and
`renderCachedPlot()` to specify descriptive texts for `plotOutput()`
objects, which is essential for screen readers. By default, alt text is
set to the static text, "Plot object," but even dynamic text can be made
with reactive function. (#3006, thanks @trafficonese and @leonawicz for
the original PR and discussion via #2494)
* Added semantic landmarks for `mainPanel()` and `sidebarPanel()` so that
assistive technologies can recognize them as "main" and "complementary"
region respectively. (#3009)
* Closed #2844: Added `lang` argument to ui `*Page()` functions (e.g.,
`fluidPage`, `bootstrapPage`) that specifies document-level language
within the app for the accessibility of screen readers and search-engine
parsers. By default, it is set to empty string which is commonly
recognized as a browser's default locale. (#2920)
* Improved accessibility for `radioButtons()` and `checkboxGroupInput()`:
All options are now grouped together semantically for assistive
technologies. (thanks @jooyoungseo, #3187).
### Minor new features and improvements
* Added support for Shiny Developer Mode. Developer Mode enables a number
of `options()` to make a developer's life easier, like enabling
non-minified JS and printing messages about deprecated functions and
options. See `?devmode()` for more details. (#3174)
* New `reactiveConsole()` makes it easier to interactively experiment with
reactivity at the console (#2518).
* When UI is specified as a function (e.g. `ui <- function(req) { ... }`),
the response can now be an HTTP response as returned from the (newly
exported) `httpResponse()` function. (#2970)
* `selectInput` and `selectizeInput` now warn about performance
implications when thousands of choices are used, and recommend
[server-side
selectize](https://shiny.rstudio.com/articles/selectize.html) be used
instead. (#2959)
* Closed #2980: `addResourcePath()` now allows paths with a leading `.`
(thanks to @ColinFay). (#2981)
* Closed #2972: `runExample()` now supports the `shiny.port` option (thanks
to @ColinFay). (#2982)
* Closed #2692: `downloadButton()` icon can now be changed via the `icon`
parameter (thanks to @ColinFay). (#3010)
* Closed #2984: improved documentation for `renderCachedPlot()` (thanks to
@aalucaci). (#3016)
* `reactiveValuesToList()` will save its `reactlog` label as
`reactiveValuesToList(<ID>)` vs `as.list(<ID>)` (#3017)
* Removed unused (and non-exported) `cacheContext` class.
* `testServer()` can accept a single server function as input (#2965).
* `shinyOptions()` now has session-level scoping, in addition to global and
application-level scoping. (#3080)
* `runApp()` now warns when running an application in an R package
directory. (#3114)
* Shiny now uses `cache_mem` from the cachem package, instead of
`memoryCache` and `diskCache`. (#3118)
* Closed #3140: Added support for `...` argument in `icon()`. (#3143)
* Closed #629: All `update*` functions now have a default value for
`session`, and issue an informative warning if it is missing. (#3195,
#3199)
* Improved error messages when reading reactive values outside of a
reactive domain (e.g., `reactiveVal()()`). (#3007)
### Bug fixes
* Fixed #1942: Calling `runApp("app.R")` no longer ignores options passed
into `shinyApp()`. This makes it possible for Shiny apps to specify what
port/host should be used by default. (#2969)
* Fixed #3033: When a `DiskCache` was created with both `max_n` and
`max_size`, too many items could get pruned when `prune()` was
called. (#3034)
* Fixed #2703: Fixed numerous issues with some combinations of
`min`/`value`/`max` causing issues with `date[Range]Input()` and
`updateDate[Range]Input()`. (#3038, #3201)
* Fixed #2936: `dateYMD` was giving a warning when passed a vector of dates
from `dateInput` which was greater than length 1. The length check was
removed because it was not needed. (#3061)
* Fixed #2266, #2688: `radioButtons` and `updateRadioButtons` now accept
`character(0)` to indicate that none of the options should be selected
(thanks to @ColinFay). (#3043)
* Fixed a bug that `textAreaInput()` doesn't work as expected for relative
`width` (thanks to @shrektan). (#2049)
* Fixed #2859: `renderPlot()` wasn't correctly setting
`showtext::showtext_opts()`'s `dpi` setting with the correct resolution
on high resolution displays; which means, if the font was rendered by
showtext, font sizes would look smaller than they should on such
displays. (#2941)
* Closed #2910, #2909, #1552: `sliderInput()` warns if the `value` is
outside of `min` and `max`, and errors if `value` is `NULL` or
`NA`. (#3194)
### Library updates
* Removed html5shiv and respond.js, which were used for IE 8 and IE 9
compatibility. (#2973)
* Removed es5-shim library, which was internally used within
`selectInput()` for ECMAScript 5 compatibility. (#2993)
shiny 1.5.0
===========
## Full changelog
### Breaking changes
* Fixed #2869: Until this release, `renderImage()` had a dangerous default
of `deleteFile = TRUE`. (Sorry!) Going forward, calls to `renderImage()`
will need an explicit `deleteFile` argument; for now, failing to provide
one will result in a warning message, and the file will be deleted if it
appears to be within the `tempdir()`. (#2881)
### New features
* The new `shinyAppTemplate()` function creates a new template Shiny
application, where components are optional, such as helper files in an R/
subdirectory, a module, and various kinds of tests. (#2704)
* `runTests()` is a new function that behaves much like R CMD
check. `runTests()` invokes all of the top-level R files in the tests/
directory inside an application, in that application's
environment. (#2585)
* `testServer()` is a new function for testing reactive behavior inside
server functions and
modules. ([#2682](https://github.com/rstudio/shiny/pull/2682),
[#2764](https://github.com/rstudio/shiny/pull/2764),
[#2807](https://github.com/rstudio/shiny/pull/2807))
* The new `moduleServer` function provides a simpler interface for creating
and using modules. (#2773)
* Resolved #2732: `markdown()` is a new function for writing Markdown with
Github extensions directly in Shiny UIs. Markdown rendering is performed
by the [commonmark](https://github.com/jeroen/commonmark)
package. (#2737)
* The `getCurrentOutputInfo()` function can now return the background color
(`bg`), foreground color (`fg`), `accent` (i.e., hyperlink) color, and
`font` information of the output's HTML container. This information is
reported by `plotOutput()`, `imageOutput()`, and any other output
bindings containing a class of `.shiny-report-theme`. This feature allows
developers to style an output's contents based on the container's CSS
styling. (#2740)
### Minor new features and improvements
* Fixed #2042, #2628: In a `dateInput` and `dateRangeInput`, disabled
months and years are now a lighter gray, to make it easier to see that
they are disabled. (#2690)
* `getCurrentOutputInfo()` previously threw an error when called from
outside of an output; now it returns `NULL`. (#2707 and #2858)
* Added a label to observer that auto-reloads `R/` directory to avoid
confusion when using `reactlog`. (#58)
* `getDefaultReactiveDomain()` can now be called inside a
`session$onSessionEnded` callback and will return the calling `session`
information. (#2757)
* Added a `'function'` class to `reactive()` and `reactiveVal()`
objects. (#2793)
* Added a new option (`type = "hidden"`) to `tabsetPanel()`, making it
easier to set the active tab via other input controls (e.g.,
`radioButtons()`) rather than tabs or pills. Use this option in
conjunction with `updateTabsetPanel()` and the new `tabsetPanelBody()`
function (see `help(tabsetPanel)` for an example and more details).
(#2814)
* Added function `updateActionLink()` to update an `actionLink()` label
and/or icon value. (#2811)
* Fixed #2856: Bumped jQuery 3 from 3.4.1 to 3.5.1. (#2857)
### Bug fixes
* Fixed #2606: `debounce()` would not work properly if the code in the
reactive expression threw an error on the first run. (#2652)
* Fixed #2653: The `dataTableOutput()` could have incorrect output if
certain characters were in the column names. (#2658)
### Documentation Updates
### Library updates
* Updated from Font-Awesome 5.3.1 to 5.13.0, which includes icons related
to COVID-19. For upgrade notes, see
https://github.com/FortAwesome/Font-Awesome/blob/master/UPGRADING.md. (#2891)
shiny 1.4.0.2
===========
Minor patch release: fixed some timing-dependent tests that failed
intermittently on CRAN build machines.
shiny 1.4.0.1
===========
Minor patch release to account for changes to the grid package that will be
upcoming in the R 4.0 release (#2776).
shiny 1.4.0
===========
## Full changelog
### Breaking changes
* Resolved #2554: Upgraded jQuery from v.1.12.4 to v3.4.1 and bootstrap
from v3.3.7 to v3.4.1. (#2557). Since the jQuery upgrade may introduce
breaking changes to user code, there is an option to switch back to the
old version by setting `options(shiny.jquery.version = 1)`. If you've
hard-coded `shared/jquery[.min].js` in the HTML of your Shiny app, in
order to downgrade, you'll have to change that filepath to
`shared/legacy/jquery[.min].js`.
### Improvements
* Resolved #1433: `plotOutput()`'s coordmap info now includes discrete axis
limits for **ggplot2** plots. As a result, any **shinytest** tests that
contain **ggplot2** plots with discrete axes (that were recorded before
this change) will now report differences that can safely be updated. This
new coordmap info was added to correctly infer what data points are
within an input brush and/or near input click/hover in scenarios where a
non-trivial discrete axis scale is involved (e.g., whenever
`scale_[x/y]_discrete(limits = ...)` and/or free scales across multiple
discrete axes are used). (#2410)
* Resolved #2402: An informative warning is now thrown for mis-specified
(date) strings in `dateInput()`, `updateDateInput()`, `dateRangeInput()`,
and `updateDateRangeInput()`. (#2403)
* If the `shiny.autoload.r` option is set to `TRUE`, all files ending in
`.r` or `.R` contained in a directory named `R/` adjacent to your
application are sourced when your app is started. This will become the
default Shiny behavior in a future release (#2547)
* Resolved #2442: The `shiny:inputchanged` JavaScript event now triggers on
the related input element instead of `document`. Existing event listeners
bound to `document` will still detect the event due to event
bubbling. (#2446)
* Fixed #1393, #2223: For plots with any interactions enabled, the image is
no longer draggable. (#2460)
* Resolved #2469: `renderText` now takes a `sep` argument that is passed to `cat`. (#2497)
* Added `resourcePaths()` and `removeResourcePaths()` functions. (#2459)
* Resolved #2433: An informative warning is now thrown if subdirectories of
the app's `www/` directory are masked by other resource prefixes and/or
the same resource prefix is mapped to different local file paths. (#2434)
* Resolved #2478: `cmd + shift + f3` and `ctrl + shift + f3` can now be
used to add a reactlog mark. If reactlog keybindings are used and the
reactlog is not enabled, an error page is displayed showing how to enable
reactlog recordings. (#2560)
### Bug fixes
* Partially resolved #2423: Reactivity in Shiny leaked some memory, because
R can leak memory whenever a new symbol is interned, which happens
whenever a new name/key is used in an environment. R now uses the fastmap
package, which avoids this problem. (#2429)
* Fixed #2267: Fixed a memory leak with `invalidateLater`. (#2555)
* Fixed #1548: The `reactivePoll` function leaked an observer; that is the
observer would continue to exist even if the `reactivePoll` object was no
longer accessible. #2522
* Fixed #2116: Fixed an issue where dynamic tabs could not be added when on
a hosted platform. (#2545)
* Resolved #2515: `selectInput()` and `selectizeInput()` now deal
appropriately with named factors. Note that `updateSelectInput()` and
`updateSelectizeInput()` **do not** yet handle factors; their behavior is
unchanged. (#2524, #2540, #2625)
* Resolved #2471: Large file uploads to a Windows computer were
slow. (#2579)
* Fixed #2387: Updating a `sliderInput()`'s type from numeric to date no
longer changes the rate policy from debounced to immediate. More
generally, updating an input binding with a new type should (no longer)
incorrectly alter the input rate policy. (#2404)
* Fixed #868: If an input is initialized with a `NULL` label, it can now be
updated with a string. Moreover, if an input label is initialized with a
string, it can now be removed by updating with `label=character(0)`
(similar to how `choices` and `selected` can be cleared in
`updateSelectInput()`). (#2406)
* Fixed #2250: `updateSliderInput()` now works with un-specified (or
zero-length) `min`, `max`, and `value`. (#2416)
* Fixed #2396: `selectInput("myID", ...)` resulting in an extra
`myID-selectized` input (introduced in v1.2.0). (#2418)
* Fixed #2233: `verbatimTextOutput()` produced wrapped text on Safari, but
the text should not be wrapped. (#2353)
* Fixed #2335: When `dateInput()`'s `value` was unspecified, and `max`
and/or `min` was set to `Sys.Date()`, the value was not being set
properly. (#2526)
* Fixed #2591: Providing malformed date-strings to `min` or `max` no longer
results in JS errors for `dateInput()` and `dateRangeInput()`. (#2592)
* Fixed
[rstudio/reactlog#36](https://github.com/rstudio/reactlog/issues/36):
Changes to reactive values not displaying accurately in reactlog. (#2424)
* Fixed #2598: Showcase files don't appear with a wide window. (#2582)
* Fixed #2329, #1817: These bugs were reported as fixed in Shiny 1.3.0 but
were not actually fixed because some JavaScript changes were accidentally
not included in the release. The fix resolves issues that occur when
`withProgressBar()` or bookmarking are combined with the
[networkD3](https://christophergandrud.github.io/networkD3/) package's
Sankey plot.
Obtain any major version of 'jQuery' (<https://code.jquery.com/>) and
use it in any webpage generated by 'htmltools' (e.g. 'shiny',
'htmlwidgets', and 'rmarkdown'). Most R users don't need to use this
package directly, but other R packages (e.g. 'shiny', 'rmarkdown',
etc.) depend on this package to avoid bundling redundant copies of
'jQuery'.
An 'SCSS' compiler, powered by the 'LibSass' library. With this, R
developers can use variables, inheritance, and functions to generate
dynamic style sheets. The package uses the 'Sass CSS' extension
language, which is stable, powerful, and CSS compatible.
httpuv 1.6.1
============
* The `timegm()` function is a non-standard GNU extension, so it has
been replaced with an internal `timegm2()` function. (#300)
httpuv 1.6.0
============
* Remove BH dependency. httpuv now requires a compiler which supports
C++11. (#297)
httpuv 1.5.5
============
* Fix SHA1 calculation, and thus WebSocket server handshakes, on
big-endian systems. (#284)
* Fixed #195: Responses required `headers` to be a named list. Now it
can also be `NULL`, an empty unnamed list, or it can be
unset. (#289)
* Allow responses to omit `body` (or set it as `NULL`) to avoid
sending a body or setting the `Content-Length` header. This is
intended for use with HTTP 204/304 responses. (#288)
httpuv 1.5.4
============
* Fixed #275: Large HTTP request headers could get truncated if they
spanned more than one TCP message. (#277)
* Fixed build for Solaris. (#271)
* Fixed a test that had incorrect logic. (#272)
httpuv 1.5.3.1
==============
* Updated libuv to version 1.37.0. (#266)
* Fixed #204: On UBSAN builds of R, there were warnings about
unaligned memory access. (#246)
* Avoid creating a new Rook error stream object for each request. This
should improve performance. (#245)
* Resolved #247: httpuv no longer returns a HTTP 400 code for static
files when the "Content-Length" header is 0. This Content-Length
header is inserted by some proxies even for messages without
payloads. (#248)
* Resolved #253: Setting the FRAMEWORK environment variable would
break compilation. This change removes any dependency on that
variable. (#254)
httpuv 1.5.2
============
* In the static file-serving code path, httpuv previously looked for a
`Connection: upgrade` header; if it found this header, it would not
try to serve a static file, and it would instead forward the HTTP
request to the R code path. However, some proxies are configured to
always set this header, even when the connection is not actually
meant to be upgraded. Now, instead of looking for a `Connection:
upgrade` header, httpuv looks for the presence of an `Upgrade`
header (with any value), and should be more robust to
incorrectly-configured proxies. (#215)
* Fixed handling of messages without payloads. (#219)
* Fixed #224: Static file serving on Windows did not work correctly if
it was from a path that contained non-ASCII characters. (#227)
* Resolved #194, #233: Added a `quiet` option to `startServer`, which
suppresses startup error messages that are normally printed to
console (and can't be intercepted with `capture.output()`). (#234)
* Added a new function `randomPort()`, which returns a random
available port for listening on. (#234)
* Added a new (unexported) function `logLevel()`, for controlling
debugging information that will be printed to the
console. Previously, httpuv occasionally printed messages like
`ERROR: [uv_write] broken pipe` and `ERROR: [uv_write] bad file
descriptor` by default. This happened when the server tried to write
to a pipe that was already closed, but the situation was not
harmful, and was already being handled correctly. Now these messages
are printed only if the log level is set to `INFO` or
`DEBUG`. (#223)
* If an application's `$call()` method is missing, it will now give a
404 response instead of a 500 response. (#237)
* Disallowed backslash in static path, to prevent path traversal attacks. (#235)
* Static file serving on Windows could fail if multiple requests
accessed the same file simultaneously. (#239)
Django 2.2.24 fixes two security issues in 2.2.23.
CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.
CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.
Django 3.2.4 fixes two security issues and several bugs in 3.2.3.
CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.
CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.
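Why leading zeros matter for CVE-2021-33571, as an added example (not code from Django; all function names and the sample addresses are constructed for illustration): a validator that reads octets as decimal and a resolver that reads a leading zero as octal disagree about which host an address names, so a check made on one reading says nothing about the other. The strict validator at the end rejects such input outright.

```python
import ipaddress


def decimal_reading(text):
    """Lenient reading: every octet is base 10, leading zeros are dropped."""
    return ".".join(str(int(part, 10)) for part in text.split("."))


def octal_reading(text):
    """inet_aton-style reading: an octet with a leading zero is base 8."""
    octets = []
    for part in text.split("."):
        base = 8 if len(part) > 1 and part.startswith("0") else 10
        octets.append(str(int(part, base)))
    return ".".join(octets)


def is_internal(address):
    """True for loopback, private and link-local destinations."""
    return address.is_loopback or address.is_private or address.is_link_local


def ambiguity_report(text):
    """Compare the two readings of one dotted-quad string."""
    dec = ipaddress.IPv4Address(decimal_reading(text))
    octal = ipaddress.IPv4Address(octal_reading(text))
    return {
        "decimal": str(dec),
        "octal": str(octal),
        "ambiguous": dec != octal,
        "internal_if_decimal": is_internal(dec),
        "internal_if_octal": is_internal(octal),
    }


def validate_ipv4_strict(text):
    """Accept only four decimal octets, 0-255, with no leading zeros.

    The leading-zero check is done here explicitly so the result does not
    depend on the Python version's own ipaddress behaviour.
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % text)
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError("non-decimal octet in %r" % text)
        if len(part) > 1 and part[0] == "0":
            raise ValueError("leading zero in octet of %r" % text)
        if int(part) > 255:
            raise ValueError("octet out of range in %r" % text)
    return ipaddress.IPv4Address(text)


# Constructed sample inputs, not taken from any advisory or log.
CONSTRUCTED_SAMPLES = ["192.0.2.10", "0177.0.0.1", "010.010.010.010"]

if __name__ == "__main__":
    for sample in CONSTRUCTED_SAMPLES:
        report = ambiguity_report(sample)
        try:
            validate_ipv4_strict(sample)
            verdict = "accepted"
        except ValueError as exc:
            verdict = "rejected (%s)" % exc
        print(sample, report, verdict)
```
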
Bugfixes
Fixed a bug in Django 3.2 where a final catch-all view in the admin didn’t respect the server-provided value of SCRIPT_NAME when redirecting unauthenticated users to the login page
Fixed a bug in Django 3.2 where a system check would crash on an abstract model
Prevented unnecessary initialization of unused caches following a regression in Django 3.2
Fixed a crash in Django 3.2 that could occur when running mod_wsgi with the recommended settings while the Windows colorama library was installed
Fixed a bug in Django 3.2 that would trigger the auto-reloader for template changes when directory paths were specified with strings
Fixed a regression in Django 3.2 that caused a crash of auto-reloader with AttributeError, e.g. inside a Conda environment
Fixed a regression in Django 3.2 that caused a loss of precision for operations with DecimalField on MySQL
0.14.0
Added
Defaults ws max_size on server to 16MB
Improve user feedback if no ws library installed
Support 'reason' field in 'websocket.close' messages
Implemented lifespan.shutdown.failed
Changed
Upgraded websockets requirements
Switch to asyncio streams API
Update httptools from 0.1.* to 0.2.*
Allow Click 8.0
Add search for a trusted host in ProxyHeadersMiddleware
Up wsproto to 1.0.0
Fixed
Force reload_dirs to be a list
Fix gunicorn worker not running if extras not installed
Fix socket port 0
Prevent garbage collection of main lifespan task
Changes with Apache 2.4.48
*) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
fallback to mod_proxy_http for WebSocket upgrade and tunneling.
[Yann Ylavic]
*) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
BZ 65294. [Yann Ylavic]
*) core: Fix a regression that stripped the ETag header from 304 responses.
PR 61820 [Ruediger Pluem, Roy T. Fielding]
*) core: Adding SSL related inquiry functions to the server API.
These functions are always available, even when no module providing
SSL is loaded. They provide their own "shadowing" implementation for
the optional functions of similar name that mod_ssl and impersonators
of mod_ssl provide.
This enables loading of several SSL providing modules when all but
one of them registers itself into the new hooks. Two old-style SSL
modules will not work, as they replace the others' optional functions
with their own.
Modules using the old-style optional functions will continue to work
as core supplies its own versions of those.
The following has been added so far:
- ap_ssl_conn_is_ssl() to query if a connection is using SSL.
- ap_ssl_var_lookup() to query SSL related variables for a
server/connection/request.
- Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
providing SSL can install their own value supplying functions.
- ap_ssl_add_cert_files() to enable other modules like mod_md to provide
certificate and keys for an SSL module like mod_ssl.
- ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
provide a fallback certificate in case no 'proper' certificate is
available for an SSL module like mod_ssl.
- ap_ssl_answer_challenge() to enable other modules like mod_md to
provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
for the ACME protocol for an SSL module like mod_ssl. The function
and its hook provide PEM encoded data instead of file names.
- Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
'ssl_answer_challenge' where modules like mod_md can provide providers
to the above mentioned functions.
- These functions reside in the new 'http_ssl.h' header file.
[Stefan Eissing]
*) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This
allows modules to access and provide OCSP response data without being tied
to each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independent of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The area of changes:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certificates or none.
[Stefan Eissing]
*) mod_md: v2.4.0 with improvements and bugfixes
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus
optional key lengths elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
certificate and all modern clients will use the shorter ECDSA, while older
clients will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
```MDomain *.host.net``` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt which has disabled that version more than a year ago for
new accounts.
- Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the
```renewing``` call to ```MDMessageCmd``` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233.
- New event ```challenge-setup:<type>:<domain>```, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in a MDomain.
- The max delay for retries has been raised to daily (this is like all
retries jittered somewhat to avoid repeats at fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and un-supervised
certificate renewal is the goal. Refs #222.
- Test case and work around for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Let's Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. This was confusing to users that
new certificates were deemed not usable before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exceed CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent - which apparently LE accepted,
but others reject.
[Stefan Eissing, @tlhackque, Andreas Ulm]
Changes with Apache 2.4.47
*) mod_dav_fs: Improve logging output when failing to open files for
writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
*) mod_http2: Fixed a race condition that could lead to streams being
aborted (RST to the client), although a response had been produced.
[Stefan Eissing]
*) mod_lua: Add support to Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem]
*) MPM event/worker: Fix possible crash in child process on early signal
delivery. PR 64533. [Ruediger Pluem]
*) mod_http2: sync with github standalone version 1.15.17
- Log requests and send the configured error response in case of early detected
errors like too many or too long headers. [Ruediger Pluem]
- new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
The default is on, which is the behaviour of older mod-h2 versions. When off, all
bytes are made available immediately to the main connection for sending them
out to the client. This fixes interop issues with certain flavours of gRPC, see
also <https://github.com/icing/mod_h2/issues/207>.
[Stefan Eissing]
*) mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159
[Jonas Müntener <jonas.muentener ergon.ch>, Christophe Jaillet]
*) "[mod_dav_fs etag handling] should really honor the FileETag setting".
- It now does.
- Add "Digest" to FileETag directive, allowing a strong ETag to be
generated using a file digest.
- Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
ETag generation.
- Add concept of "binary notes" to request_rec, allowing packed bit flags
to be added to a request.
- First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
the ETag to a strong ETag to comply with RFC requirements, such as those
mandated by various WebDAV extensions.
[Graham Leggett]
*) mod_proxy_http: Fix a possible crash when the origin connection gets
interrupted before completion. PR 64234.
[Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
*) mod_ssl: Do not keep connections to OCSP responders alive when doing
OCSP requests. PR 64135. [Ruediger Pluem]
*) mod_ssl: Improve the coalescing filter to buffer into larger TLS
records, and avoid revealing the HTTP header size via TLS record
boundaries (for common response generators).
[Joe Orton, Ruediger Pluem]
*) mod_proxy_hcheck: Don't pile up health checks if the previous one did
not finish before hcinterval. PR 63010. [Yann Ylavic]
*) mod_session: Improve session parsing. [Yann Ylavic]
*) mod_authnz_ldap: Prevent authentications with empty passwords for the
initial bind to fail with status 500. [Ruediger Pluem]
*) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
the format can't match anyway. [Yann Ylavic]
*) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
Transfer-Encoding from the client, spooling the request body when needed
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
*) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
proxy_util. [Yann Ylavic]
*) mod_proxy: Improve tunneling loop to support half closed connections and
pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
*) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
and switched protocol forwarding. [Yann Ylavic]
*) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
allowing for (non-)Upgrade negotiation with the origin server.
[Yann Ylavic]
*) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
codes. PR63628. [Martin Drößler <mail martindroessler.de>]
*) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
directives. [Yann Ylavic]
*) core: Ensure that aborted connections are logged as such. PR 62823
[Arnaud Grandville <contact@grandville.net>]
*) http: Allow unknown response status' lines returned in the form of
"HTTP/x.x xxx Status xxx". [Yann Ylavic]
*) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
leading to Request Timeout (408). PR 63855. [Yann Ylavic]
*) core: Remove headers on 304 Not Modified as specified by RFC7234, as
opposed to passing an explicit subset of headers. PR 61820.
[Giovanni Bechis]
*) mpm_event: Don't reset connections after lingering close, restoring prior
to 2.4.28 behaviour. [Yann Ylavic]
*) mpm_event: Kill connections in keepalive state only when there are no more
workers available, not when the maximum number of connections is reached,
restoring prior to 2.4.30 behaviour. [Yann Ylavic]
*) mod_unique_id: Use base64url encoding for UNIQUE_ID variable,
avoiding the use of '@'. PR 57044.
[Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
*) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
SameSite attribute. [Eric Covener]
*) mod_proxy: Add proxy check_trans hook. This allows proxy
modules to decline request handling at early stage.
*) mod_proxy_wstunnel: Decline requests without an Upgrade
header so ws/wss can be enabled overlapping with later
http/https.
*) mod_http2: Log requests and send the configured error response in case of
early detected errors like too many or too long headers.
[Ruediger Pluem, Stefan Eissing]
*) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
as proposed by <alexander.gerasimov codeit.pro>. [Stefan Eissing]
*) mod_ssl: Fix request body buffering with PHA in TLSv1.3. [Joe Orton]
*) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
value. PR 64598 [Ruediger Pluem]
*) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
substitution, such that they apply to the backend connection. Note that
connection reuse is disabled by default to avoid compatibility issues.
[Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
1.4.2 (2021-05-22)
Fixes:
* Add proxy setting when url_prefix is changed (#1276, @ci)
* Default proxy scheme to http:// if necessary, fixes #1282 (#1283, @gurgeous)
Documentation:
* Improve introduction page (#1273, @gurgeous)
* Docs: add more middleware examples (#1277, @gurgeous)
Misc:
* Use external em_http and em_synchrony adapters (#1274, @iMacTia)
1.4.1 (2021-04-18)
Fixes
* Fix dependencies from external adapter gems (#1269, @iMacTia)
1.4.0 (2021-04-16)
Highlights
* With this release, we continue the work of gradually moving out adapters
into their own gems
* Thanks to @MikeRogers0 for helping the Faraday team in progressing with
this quest
* And thanks to @olleolleolle's efforts, Faraday is becoming more inclusive
than ever
* Faraday's master branch has been renamed to main, we have an official
policy on inclusive language and even a rubocop plugin to check for
non-inclusive words!
* Check out the "Misc" section below for more details!
Fixes
* Fix NoMethodError undefined method 'coverage' (#1255, @Maroo-b)
Documentation
* Some docs on EventMachine adapters. (#1232, @damau)
* CONTRIBUTING: Fix grammar and layout (#1261, @olleolleolle)
Misc
* Replacing Net::HTTP::Persistent with faraday-net_http_persistent (#1250,
@MikeRogers0)
* CI: Configure the regenerated Coveralls token (#1256, @olleolleolle)
* Replace Excon adapter with Faraday::Excon gem, and fix autoloading issue
with Faraday::NetHttpPersistent (#1257, @iMacTia)
* Drop CodeClimate (#1259, @olleolleolle)
* CI: Rename default branch to main (#1263, @olleolleolle)
* Drop RDoc support file .document (#1264, @olleolleolle, @iMacTia)
* CONTRIBUTING: add a policy on inclusive language (#1262, @olleolleolle)
* Add rubocop-inclusivity (#1267, @olleolleolle, @iMacTia)
1.3.1 (2021-04-16)
Fixes
* Escape colon in path segment (#1237, @yarafan)
* Handle IPv6 address String on Faraday::Connection#proxy_from_env (#1252,
@cosmo0920)
Documentation
* Fix broken Rubydoc.info links (#1236, @nickcampbell18)
* Add httpx to list of external adapters (#1246, @HoneyryderChuck)
Misc
* Refactor CI to remove duplicated line (#1230, @tricknotes)
* Gemspec: Pick a good ruby2_keywords release (#1241, @olleolleolle)
Faraday Net::HTTP adapter
This gem is a Faraday adapter for the Net::HTTP library.
Faraday is an HTTP client library that provides a common interface over many
adapters. Every adapter is defined in its own gem.
This gem defines the adapter for Net::HTTP, the HTTP library that's included
in the standard library of Ruby.
Faraday Excon adapter
This gem is a Faraday adapter for the Excon library.
Faraday is an HTTP client library that provides a common interface over many
adapters. Every adapter is defined in its own gem.
This gem defines the adapter for Excon.