JavaGolangJavaScriptSwiftAndroidRustMiddleware
4 hours ago
resty
go-resty

v3.0.0-rc.2

v3 Release Candidate 2

v3 Guide

Bug Fixes

New Contributors

Full Changelog: https://github.com/go-resty/resty/compare/v3.0.0-rc.1...v3.0.0-rc.2

14 hours ago
echo
labstack

v4.15.3 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3009, released in v5.2.0). Thanks to @a-tt-om and @oran-gugu for reporting.

Full Changelog: https://github.com/labstack/echo/compare/v4.15.2...v4.15.3

14 hours ago
wails
wailsapp

Wails v3.0.0-alpha.102

Wails v3 Alpha Release - v3.0.0-alpha.102

Added

  • Add experimental wails3 setup wizard for interactive project setup and dependency checking
  • Add --json flag to wails3 doctor for machine-readable output
  • Add signing status section to wails3 doctor command

Fixed

  • Fix npm detection on Linux to check PATH in addition to package manager

🤖 This is an automated nightly release generated from the latest changes on master.

Installation:

go install github.com/wailsapp/wails/v3/cmd/wails3@v3.0.0-alpha.102

⚠️ Alpha Warning: This is pre-release software and may contain bugs or incomplete features.

16 hours ago
echo
labstack

v5.2.0 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @a-tt-om and @oran-gugu for reporting.

Enhancements

New Contributors

Full Changelog: https://github.com/labstack/echo/compare/v5.1.1...v5.2.0

1 days ago
wails
wailsapp

Wails v3.0.0-alpha.101

Wails v3 Alpha Release - v3.0.0-alpha.101

Added

  • iOS: native message dialogs (UIAlertController) and open file/files/directory dialogs (UIDocumentPickerViewController); save dialogs return an explicit error
  • iOS: clipboard support via UIPasteboard
  • iOS: real screen metrics via UIScreen (points, pixels, scale, safe-area work area)
  • iOS: device builds (IOS_PLATFORM=device), code-signing identity / provisioning profile / entitlements support, .ipa packaging, and deploy-device via devicectl
  • iOS: configurable minimum iOS version (ios.minIOSVersion in build/config.yml)
  • iOS: wails3 doctor reports Xcode and iOS SDK availability on macOS
  • iOS: system events — battery, network, theme, screen-lock and low-memory surface as events.IOS.* and platform-neutral events.Common.* application events
  • iOS: native mobile feature bridge (exported application.IOS*) — share sheet, open URL, keep-awake, torch, safe-area insets, brightness, app info, orientation lock, status bar, biometrics (Face ID/Touch ID), local notifications and Keychain secure storage
  • iOS: sensors & hardware — haptics, one-shot geolocation, accelerometer, proximity, text-to-speech, storage info, power/battery state, network status, keyboard insets and screen-capture detection
  • iOS: documentation (IOS.md and a docs-site guide)
  • Android: native message dialogs (AlertDialog) and open file/files dialogs (Storage Access Framework, imported as cache copies); open-directory and save dialogs return an explicit error
  • Android: clipboard support via ClipboardManager
  • Android: real screen metrics via WindowMetrics/DisplayMetrics (dp, pixels, scale, system-bar work area)
  • Android: haptics (Android.Haptics.Vibrate), device info (Android.Device.Info) and toast (Android.Toast.Show) runtime methods
  • Android: typed lifecycle events (events.Android.*, generated from events.txt) with ActivityCreated mapped to Common.ApplicationStarted
  • Android: build pipeline produces installable debug and release APKs (android:run, android:package, android:package:fat); release signing via the debug keystore by default or a real keystore through ANDROID_KEYSTORE_* env vars
  • Android: wails3 doctor reports the Android SDK, NDK and JDK
  • Android: system events — battery, network, theme, screen-lock and low-memory surface as events.Android.* and platform-neutral events.Common.* application events
  • Android: native mobile feature bridge (exported application.Android*) — share, open URL, keep-awake, torch, safe-area insets, brightness, app info, orientation lock, status bar, biometrics (BiometricPrompt), local notifications and EncryptedSharedPreferences secure storage
  • Android: sensors & hardware — haptics, one-shot geolocation, accelerometer, proximity, text-to-speech, storage info, power/battery state, network status, keyboard insets and FLAG_SECURE screen-capture blocking
  • Android: documentation (ANDROID.md and a docs-site guide)
  • Example: the mobile kitchen sink gains Mobile and Hardware tabs demonstrating the native feature bridge across iOS and Android (pill tabs wrap to multiple rows)
  • Mobile: battery — the accelerometer, proximity sensor, torch and the example's periodic clock are paused when the app is backgrounded and restored on return (Android keeps the process running in the background, and the torch is hardware state that persists on iOS), and Android system-event receivers are only registered while the app is in the foreground
  • iOS: camera capture — application.IOSCapturePhoto/IOSCaptureVideo (UIImagePickerController → a native:capture event with a base64 thumbnail)
  • iOS: background execution — application.IOSBeginBackgroundTask/IOSEndBackgroundTask (a UIApplication background-task window) and a configurable ios.backgroundModes (build/config.yml) that templates UIBackgroundModes into the generated Info.plist
  • Android: camera capture — application.AndroidCapturePhoto/AndroidCaptureVideo (system camera via FileProvider → a native:capture event)
  • Android: foreground service — application.AndroidStartForegroundService/AndroidStopForegroundService (a WailsForegroundService with an ongoing notification keeps the process alive for long-running background work)
  • Example: a Camera tab demonstrating photo/video capture and background execution (foreground service on Android, background-task window on iOS)

Fixed

  • Fix getUserMedia always failing with NotAllowedError on Linux: WebKitGTK denies permission requests nobody handles, and the permission-request signal was not connected. Camera/microphone are now handled per a new cross-platform WebviewWindowOptions.Permissions map (map[PermissionType]Permission), honored on both Linux (WebKitGTK) and Windows (WebView2). On Linux, which has no native prompt, camera/microphone default to allowed (restoring getUserMedia) and can be turned off with PermissionDeny (#5552)
  • iOS: GOOS=ios compiles again (exported events.IOS, mobile method-name stubs) and production-tagged builds compile (build-tag fixes in pkg/application and several services)
  • iOS: Go→JS events and ExecJS now work — the page no longer loads twice at startup and the wails:runtime:ready handshake can no longer be lost
  • iOS: ApplicationDidFinishLaunching/ApplicationStarted no longer race app startup; removed the fixed 2-second startup sleep
  • iOS: fixed a C-string leak on every Go→JS JavaScript execution
  • iOS: hasListeners now reflects real listener registration
  • iOS: framework debug logging is compiled out of production builds
  • Android: GOOS=android compiles again — defined events.Android, removed the out-of-bounds events_android.go listener array, added the mobile method-name stub, and stopped desktop-Linux files (linux_cgo.*, events_linux.*, environment_linux.go) leaking into Android builds
  • Android: JS→Go bindings now work — the WebView cannot deliver fetch() POST bodies to shouldInterceptRequest, so runtime calls route through a JavascriptInterface transport (nativeHandleRuntimeCall) instead of crashing on a nil request body
  • Android: Screens.* runtime calls return real data — the ScreenManager is now populated at startup (it was never wired, so GetAll returned nil)
  • Android: framework debug logging is compiled out of production builds and routes through logcat under the Wails tag in debug builds
  • Android: real hasListeners registry, JNI reference/exception handling, and a single-load page lifecycle (no double navigation)
  • Fix wails3 generate bindings failing with "Access is denied" on Windows when the Vite dev server is running, by syncing generated files into the output directory instead of renaming over it (#5515)
  • Fix intermittent fatal crash on macOS when reading screen information after a display change: the screen id and name stored pointers to autoreleased UTF8String buffers that could be freed before Go copied them (use-after-free). The strings are now strdup'd and freed after conversion, and screen enumeration runs in an explicit autorelease pool so it no longer leaks when called from Go goroutines (#5556)
  • Fix intermittent SIGSEGV on Linux when the assetserver closes a WebKitURISchemeRequest: the final g_object_unref ran on the assetserver goroutine, finalizing a WebKit GObject off the GTK main thread. The unref is now marshalled onto the GTK main context via g_main_context_invoke (#5557)

🤖 This is an automated nightly release generated from the latest changes on master.

Installation:

go install github.com/wailsapp/wails/v3/cmd/wails3@v3.0.0-alpha.101

⚠️ Alpha Warning: This is pre-release software and may contain bugs or incomplete features.

2 days ago
wails
wailsapp

Wails v3.0.0-alpha.100

Wails v3 Alpha Release - v3.0.0-alpha.100

Added

  • Extend MacWebviewPreferences with additional WKWebView configuration options: EnableAutoplayWithoutUserAction, AllowsAirPlayForMediaPlayback, AllowsMagnification, JavaScriptCanOpenWindowsAutomatically, MinimumFontSize, and ApplicationNameForUserAgent (#5549)

Fixed

  • Fix wails3 generate bindings failing with "Access is denied" on Windows when the Vite dev server is running, by syncing generated files into the output directory instead of renaming over it (#5561)
  • Fix JS resize events not firing for frameless windows on Linux; fix scrollbar edge detection for frameless windows (#5368)
  • Fix updater on Windows failing with "invalid cross-device link" when the temp directory is on a different volume to the install directory (#5560)

🤖 This is an automated nightly release generated from the latest changes on master.

Installation:

go install github.com/wailsapp/wails/v3/cmd/wails3@v3.0.0-alpha.100

⚠️ Alpha Warning: This is pre-release software and may contain bugs or incomplete features.

3 days ago
redis
go-redis

9.20.1

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

🚀 Highlights

RESP3 pub/sub message loss fixed

PeekPushNotificationName previously inspected only the bytes already buffered by bufio, so when a push frame header straddled a buffer fill boundary it could return a truncated notification name (e.g. "messa" instead of "message"). The push processor then mis-routed the frame and ReadReply silently dropped it, causing intermittent RESP3 pub/sub message loss. The peek now grows its window (36 bytes → up to 4 KiB) and reads more from the connection until the header is complete, cleanly separating incomplete prefixes from corrupt frames (including overflow-safe bulk-length handling). Fixes #3839.

(#3842) by @ndyakov

🐛 Bug Fixes

  • RESP3 push peeking: PeekPushNotificationName no longer returns a truncated notification name when a push frame header spans a buffer boundary, preventing silent RESP3 pub/sub message loss (fixes #3839) (#3842) by @ndyakov
  • FT.HYBRID vector params: Vector data is now always sent via PARAMS with auto-generated param names (__vector_param_N, with collision avoidance) when VectorParamName is omitted, since Redis no longer accepts inline vector blobs; the FTHybridOptions.Params map is no longer mutated, so the same options struct can be reused across calls (#3844) by @ndyakov
  • CLUSTER SHARDS forward compatibility: Unknown shard- and node-level attributes in the CLUSTER SHARDS reply are now skipped via DiscardNext() instead of erroring, so clients keep working when the server introduces new fields (#3843) by @madolson
  • PubSub double reconnect: PubSub.releaseConn no longer reconnects twice when a connection is both unusable (or pending handoff) and reports a bad-connection error, avoiding a wasted connection establish-then-close cycle (#3833) by @cxljs

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@cxljs, @madolson, @ndyakov

Full Changelog: https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1

3 days ago
go-redis
redis

9.20.1

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

🚀 Highlights

RESP3 pub/sub message loss fixed

PeekPushNotificationName previously inspected only the bytes already buffered by bufio, so when a push frame header straddled a buffer fill boundary it could return a truncated notification name (e.g. "messa" instead of "message"). The push processor then mis-routed the frame and ReadReply silently dropped it, causing intermittent RESP3 pub/sub message loss. The peek now grows its window (36 bytes → up to 4 KiB) and reads more from the connection until the header is complete, cleanly separating incomplete prefixes from corrupt frames (including overflow-safe bulk-length handling). Fixes #3839.

(#3842) by @ndyakov

🐛 Bug Fixes

  • RESP3 push peeking: PeekPushNotificationName no longer returns a truncated notification name when a push frame header spans a buffer boundary, preventing silent RESP3 pub/sub message loss (fixes #3839) (#3842) by @ndyakov
  • FT.HYBRID vector params: Vector data is now always sent via PARAMS with auto-generated param names (__vector_param_N, with collision avoidance) when VectorParamName is omitted, since Redis no longer accepts inline vector blobs; the FTHybridOptions.Params map is no longer mutated, so the same options struct can be reused across calls (#3844) by @ndyakov
  • CLUSTER SHARDS forward compatibility: Unknown shard- and node-level attributes in the CLUSTER SHARDS reply are now skipped via DiscardNext() instead of erroring, so clients keep working when the server introduces new fields (#3843) by @madolson
  • PubSub double reconnect: PubSub.releaseConn no longer reconnects twice when a connection is both unusable (or pending handoff) and reports a bad-connection error, avoiding a wasted connection establish-then-close cycle (#3833) by @cxljs

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@cxljs, @madolson, @ndyakov

Full Changelog: https://github.com/redis/go-redis/compare/v9.20.0...v9.20.1

4 days ago
go-micro
micro

v5.28.0

What's Changed

Full Changelog: https://github.com/micro/go-micro/compare/v5.27.0...v5.28.0

5 days ago
pdfcpu
pdfcpu

v0.13.0

A Release Featuring CLI Pipelines and Safer Defaults

Starting with this release, pdfcpu improves CLI usability with broader stdin/stdout pipeline support and stricter overwrite handling.

Check out the refreshed documentation at https://pdfcpu.io

Many commands now support - for stdin/stdout, making pdfcpu easier to use in shell pipelines. Explicit output files and non-empty output directories are no longer overwritten implicitly. Use the new global --force flag when overwriting is intentional.

Example:

pdfcpu optimize - out.pdf < in.pdf

or:

cat in.pdf | pdfcpu optimize - - > out.pdf

or a pipeline:

aws s3 cp s3://acme-contracts/master.pdf - \
      | pdfcpu optimize - - \
      | aws s3 cp - s3://acme-contracts/optimized/master.pdf

CLI Improvements

This release adds and refines several user-facing CLI features:

  • Broader stdin/stdout support using -
  • Global --force flag for explicit overwrite handling
  • annotations list --json
  • form list --json
  • certificates list --json
  • merge --bookmark-mode wrap|preserve
  • Improved version command behavior
  • Clarified help text around signature validation scope and trust boundaries

The new overwrite behavior is intentionally stricter. Existing scripts that relied on implicit overwrites may need to add --force.

Merge Bookmarks

The merge command now supports bookmark handling modes:

pdfcpu merge --bookmark-mode wrap out.pdf in1.pdf in2.pdf

Supported modes:

  • wrap
  • preserve

The default is wrap.

This release also improves bookmark tree preservation and handling of bookmark destination collisions.

JSON Output

JSON output is now available for selected listing commands:

pdfcpu annotations list --json in.pdf
pdfcpu form list --json in.pdf
pdfcpu certificates list --json

form list --json also supports multi-file form export JSON.

Certificate Trust Store Packaging

Standard builds now start with an empty trusted certificate directory.

Embedded EUTL certificate bundles are only included when building with:

-tags pdfcpu_eutl

certificates reset now resets the certificate directory to the build defaults.

This keeps standard builds smaller and avoids implying a bundled trust store unless it was explicitly selected at build time.

Experimental Windows 7 Build

An experimental Windows 7 x64 build is available in the release assets:

pdfcpu_0.13.0_Windows_x86_64_win7_experimental.zip

This build uses a patched Go toolchain and is not part of the regular supported release matrix. Feedback from Windows 7 SP1 x64 users is welcome (at #870), especially the output of:

cmd
ver
pdfcpu.exe version
pdfcpu.exe validate test.pdf

Robustness & Safer Processing

This release adds configurable parser and resource limits for:

  • stream bytes
  • decoded bytes
  • image pixels and bytes
  • object counts
  • xref entries
  • recursion depth

The corresponding limits are also part of the configuration. Users of older version will be prompted by the CLI to reset their configuration.

Additional cycle and depth checks were added for page trees, form fields, name trees, and object graph traversal.

Stream parsing and filter decoding have also been hardened against oversized, malformed, and overflowing inputs.

Very large or malformed PDFs that were previously attempted may now be rejected earlier.

Fixes and Improvements

This release includes targeted fixes and compatibility improvements for:

  • annotation geometry during resize, including Rect and QuadPoints
  • merge bookmark handling
  • form filling with user fonts
  • removing document properties and associated catalog XMP metadata
  • relaxed validation for selected malformed JavaScript action and structure-tree object-reference cases
  • booklet page count and content-buffer handling
  • FlateDecode predictor and EOF handling
  • output path handling in extraction, fonts, forms, split/cut, and attachment-related workflows
  • watermarks, stamps, validation, fonts, properties, and related command behavior

Dependencies were updated, including go-runewidth, x/crypto, x/image, and x/text.

Signature Validation Notes

Now usage, help text and docs describe the current signature validation scope and trust boundaries more clearly.

This release does not claim complete legal, eIDAS, LTV, or long-term trust validation.

Development

Behind the scenes, this release includes command plumbing refactoring in pkg/cli, updated tests around command dispatch, and an experimental Windows 7 build workflow.

Thanks

Everybody for testing, reporting issues, and feeding back real-world PDFs. Your bug reports and edge cases continue to make pdfcpu more robust and useful. Shoutouts to @harish for spending time on submitting a PR.

Changelog

  • 2226694 bump version, fix #1410, #1411
  • a212fad refactor cli cmd plumbing
  • 982b418 clarify signature trust boundaries
  • d27afe2 fix version cmd
  • 80b99fe add certificate JSON listing and reset defaults
  • a3225ab refactor parameter handling
  • 4f4129e add experimental Win7 build
  • 84a68af decrease binary size via default build w/o bundled certificates, provide build tag pdfcpu_eutl for bundling EUTL trust-list certs
  • ecb6888 fix #1291
  • 3491406 fix identify version
  • e102024 fix #1316
  • d886d17 fix #1375
  • d27963b fix #1317
  • 174230a fix #1359
  • 8719193 fix merge bookmark destination collisions
  • 991e0ec fix: #1364
  • b11ad47 fix: #1394
  • 3a73dfa refactor: cli command plumbing
  • 6ac18f9 fix arg validation
  • 895371a fix #1396
  • 59ca0db fix #1402
  • 14e191d fix handling of os.Exit
  • cbbb3b5 add missing GoDoc comments
  • 8983029 add cycle-detection
  • b4c1f98 add recursion-depth checking
  • 54d7f0a add limits to configuration
  • 21f8b3b sanitize file paths
  • e8abb82 harden filter decoders and stream parsing against overflow
  • 0ea56f8 update scripts
  • 05e8897 add stdin/stdout support, add --force