v1.48.1 🫎
Revert #6432 due to a dumpless upgrade bug report.
Full Changelog: https://github.com/meilisearch/meilisearch/compare/v1.48.0...v1.48.1
3.13.0-rc.1 / 2026-06-22
Release notes of the 3.13-rc.1 release:
The 3.13.0-rc.0 release was only partially successful due to the migration from NPM to PNPM and subsequent CI issues, so most of the changes in this release candidate are CI/build-related. The only user-facing change is:
- [CHANGE] UI: Third-party npm dependency licenses are now embedded in the Prometheus binary and served at
/assets/third-party-licenses.txt, replacing thenpm_licenses.tar.bz2archive previously shipped in release tarballs and container images. #18997
Release notes of the 3.13-rc.0 release, as it was not published in partial state:
- [SECURITY] UI: Bump
sanitize-htmlto fix a cross-site scripting vulnerability (CVE-2026-44990). #18697 - [CHANGE] API: Use SHA-256 instead of SHA-1 to generate rule group pagination tokens. #18927
- [CHANGE] HTTP clients: Credentials (Authorization header, basic auth, bearer token, OAuth2, configured headers) are no longer forwarded when following a redirect to a different host; affects scraping, remote read/write, alerting, and service discovery. Via prometheus/common v0.69.0 (CVE-2025-4673 CVE-2023-45289). #18949
- [CHANGE] promtool: Relative file paths in the file passed to
--http.config.fileare now resolved relative to that config file's directory instead of its parent directory. Via prometheus/common v0.69.0. #18949 - [CHANGE] PromQL: Rename the
min()andmax()duration-expression functions (experimental feature flagexperimental-duration-expr) tomin_of()andmax_of()to avoid confusion with theminandmaxaggregate operators. #18687 - [FEATURE] API: Add experimental search endpoints to search metric names, label names, and label values. #18573
- [FEATURE] Discovery/AWS: Add ability to filter RDS instances. #18859
- [FEATURE] PromQL: Add
min_of(a, b)andmax_of(a, b)scalar experimental functions, returning the smaller or larger of two scalar values. #18687 - [FEATURE] PromQL: Add support for smoothed/anchored rate with native histograms. #18564
- [FEATURE] PromQL: Expose per-query
samplesRead(andsamplesReadPerStepwithstats=alland thepromql-per-step-statsfeature flag) in the query stats response, and add theprometheus_engine_query_samples_read_totalengine counter.samplesReadreflects storage I/O distinct fromtotalQueryableSamples, which counts samples loaded into the evaluator (and so over-counts when a sample is reused across multiple range-vector windows). #18081 - [FEATURE] Scrape: Add
__convert_classic_histograms_to_nhcb__internal label to allow per-target override ofconvert_classic_histograms_to_nhcbscrape configuration via relabeling. #18840 - [FEATURE] TSDB: Add
storage.tsdb.chunk_encoding.floatsconfiguration field to select float chunk encoding (xororxor2) at runtime, independently of the--enable-feature=xor2-encodingflag. #18769 - [FEATURE] remote_write: Add Certificate support for ingesting data into an Azure Monitor Workspace. #18217
- [FEATURE] Scrape: Add
__always_scrape_classic_histograms__and__scrape_native_histograms__internal labels to allow per-target override of thealways_scrape_classic_histogramsandscrape_native_histogramsscrape configuration via relabeling. #18929 - [ENHANCEMENT] Release: Container images are now also published to the GitHub Container Registry (ghcr.io). #18791
- [ENHANCEMENT] PromQL: Prettify
fill_left(x) fill_right(x)asfill(x)when both fill values are equal. #18851 - [ENHANCEMENT] UI: Improve autocompletion after closing a function bracket. #18894
- [PERF] Labels: Add case-insensitive prefix matching to speed up evaluation of long case-insensitive regular expressions (up to ~2x faster). #18540
- [PERF] TSDB: Reduce per-sample overhead in chunk population, speeding up affected queries by ~12-15% in benchmarks. #18699
- [PERF] TSDB: Eliminate unnecessary heap allocations in the V2 histogram WAL decoder, reducing allocations by up to 50% and memory by up to 10% for deployments using native histograms with created-timestamp storage enabled (
--enable-feature=created-timestamp-zero-ingestion). #18813 - [BUGFIX] Discovery/AWS: Fix failure when processing an AWS RDS cluster without instances. #18845
- [BUGFIX] Fix race condition in initTime that could cause ErrOutOfBounds. #18629
- [BUGFIX] PromQL: A range query whose
endwas not aligned tostepcaused subqueries inside it to evaluate past the parent's last actual step, inflatingpeakSamplesin the query stats and against thequery.max-sampleslimit, and wasting storage I/O reading samples that were never used in the result. #18081 - [BUGFIX] PromQL: A range query containing an at-modifier-unsafe function over a range-vector with an
@modifier (e.g.predict_linear(metric[60s] @ T, X)) silently under-countedtotalQueryableSamplesfor steps after step 0. #18081 - [BUGFIX] PromQL: Fix
fill_left/fill_rightproducing missing samples in range queries when usinggroup_left/group_right. #18850 - [BUGFIX] PromQL: Fix for resets() and changes() in anchored range extenders with histograms. #18906
- [BUGFIX] PromQL: Fix panic on
1[5m] smoothedand similar expressions when extended range selectors are enabled. #18764 - [BUGFIX] PromQL: Fix panic when a
smoothedinstant vector selector produces no samples for a series. #18943 - [BUGFIX] PromQL: Fix panic when using a parenthesised plain number as an offset (e.g.
foo offset -(5)). #18768 - [BUGFIX] promtool: Fix panic when parsing exposition text containing empty braces
{}. Via prometheus/common v0.69.0. #18949 - [BUGFIX] Promtool: Fix
check healthyandcheck readywhen--urlends with a trailing slash. #18854 - [BUGFIX] Rules: Close PromQL query after each rule evaluation to ensure resources are released. #18733
- [BUGFIX] Scaleway SD: Resolve VPC/IPAM-only instances that have no legacy
private_iporpublic_ipfield, but do have private NICs attached. #18772 - [BUGFIX] TSDB: Do not leak head series when an integer histogram append is rejected (e.g. out-of-order). #18838
- [BUGFIX] UI: Escape label values offered by PromQL autocomplete. #18658
- [BUGFIX] TSDB: Fix chunk snapshot encoding for EncXOR2 chunks, preventing corruption on TSDB restart when EncXOR2-encoded series were present. #18739
- [BUGFIX] TSDB: Store a millisecond timestamp (not a WAL segment number) in walExpiries when a series is evicted via CompactStaleHead/CompactSelectedSeries, so the series's label record is correctly retained in the next WAL checkpoint and replays cleanly. #18847
- [BUGFIX] TSDB: Prevent loss of samples at the chunk-range boundary when CompactSelectedSeries (and CompactStaleHead) evict the series — the per-slice compaction loop now runs one more iteration so the boundary timestamp is captured in a block before the in-memory copy is removed. #18849
v1.48.0 🫎
by @Mubelotix in https://github.com/meilisearch/meilisearch/pull/5765
Introduces a new POST /render-template route that can be used to render any template or fragment on any input and associated renderRoute experimental feature that gates access to the route.
This route can be used to test document templates and fragments before and after having configured an embedder.
A body payload for the route is of the form:
where template describes the template or fragment to render, and input describes what to use to render the template.
Upon calling this route, Meilisearch responds with:
{
"template": "{{doc.text}}",
"rendered": "template text after rendering using the input"
}
where template contains the unrendered base text of the document template, or the unrendered base JSON object of a fragment, and rendered contains the result of rendering the template of the chosen input.
If input is null in the request, then rendered is null in the response, and the route can be used solely to retrieve a template or fragment from the settings of an index.
The API of this route is subject to change, so before calling this route, please enable the renderRoute experimental feature:
PATCH /experimental-features --json '{"renderRoute": true}'
- Rendering a document from an index on a document template from an embedder of that index
request
// POST /render-template
{
"template": {
"kind": "documentTemplate",
"indexUid": "movies",
"embedder": "myMoviesEmbedder"
},
"input": {
"kind": "indexDocument",
"indexUid": "movies",
"id": "2"
}
response
{
"template": "A movie titled {{doc.title}} whose description starts with {{doc.overview|truncatewords:10}}",
"rendered": "A movie titled Ariel whose description starts with Taisto Kasurinen is a Finnish coal miner whose father has..."
}
- Rendering an inline document on a fragment from an embedder of an index
request
// POST /render-template
{
"template": {
"kind": "indexingFragment",
"indexUid": "dogs",
"embedder": "multi",
"fragment": "captionedImage"
},
"input": {
"kind": "inlineDocument",
"inline": { // pass your document inline as a JSON object
"kind": "dog",
"name": "iko",
"breed": "jack russell",
"mime": "image/png",
"image": "/9j/4AAQSk..."
}
}
}
response
{
"template": {
"content": [
{
"type": "text",
"text": "A picture of a {{doc.kind}} of breed {{doc.breed}}"
},
{
"type": "image_base64",
"image_base64": "data:{{doc.mime}};base64,{{doc.image}}"
}
]
},
"rendered": {
"content": [
{
"type": "text",
"text": "A picture of a dog of breed jack russell"
},
{
"type": "image_base64",
"image_base64": "data:image/png;base64,/9j/4AAQSk..."
}
]
}
}
- Rendering a search query on a search fragment from a multimodal embedder of an index
request
// POST /render-template
{
"template": {
"kind": "searchFragment",
"indexUid": "testIndex",
"embedder": "testEmbedder",
"fragment": "justBreed"
},
"input": {
"kind": "inlineSearch",
"inline": { // pass the search query inline
"q": "unused",
"media": {
"name": "iko",
"breed": "jack russell"
},
"filter": "ignored"
}
}
}
response
{
"template": "It's a {{ media.breed }}",
"rendered": "It's a jack russell"
}
- Rendering an inline document on the document template from the chat settings of an index
request
// POST /render-template
{
"template": {
"kind": "chatDocumentTemplate",
"indexUid": "movies"
// no embedder to specify since chat document template is global to index
},
"input": {
"kind": "indexDocument",
"indexUid": "movies",
"id": "2"
}
response
{
"template": "{% for field in fields %}{% if field.is_searchable and field.value != nil %}{{ field.name }}: {{ field.value }}\n{% endif %}{% endfor %}",
"rendered": "id: 2\ntitle: Ariel\noverview: Taisto Kasurinen is a Finnish coal miner whose father has just committed suicide and who is framed for a crime he did not commit. In jail, he starts to dream about leaving the country and starting a new life. He escapes from prison but things don't go as planned...\ngenres: DramaCrimeComedy\nposter: https://image.tmdb.org/t/p/w500/ojDg0PGvs6R9xYFodRct2kdI6wC.jpg\nrelease_date: 593395200\n"
}
- Rendering a document from an index on an inline document template
request
// POST /render-template
{
"template": {
"kind": "inlineDocumentTemplate",
"inline": "You can pass templates inline as well: nice to test them! {{doc.id}}"
},
"input": {
"kind": "indexDocument",
"indexUid": "movies",
"id": "2"
}
response
{
"template": "You can pass templates inline as well: nice to test them! {{doc.id}}",
"rendered": "You can pass templates inline as well: nice to test them! 2"
}
- Rendering an inline document on an inline indexing fragment
request
// POST /render-template
{
"template": {
"kind": "inlineFragment",
"inline": {
"json_maps": "supported for fragments",
"any_string": "is in liquid format: {{doc.test}}"
}
},
"input": {
"kind": "inlineDocument",
"inline": {
"test": true
}
}
}
response
{
"template": {
"json_maps": "supported for fragments",
"any_string": "is in liquid format: {{doc.test}}"
},
"rendered": {
"json_maps": "supported for fragments",
"any_string": "is in liquid format: true"
}
}
by @ManyTheFish in https://github.com/meilisearch/meilisearch/pull/6446
Foreign filters are meant to be used in a retrieval context (search, get document...), but all the actions related to writing or modifying a document could have several unexpected behaviors if foreign filters are accepted. We prefer forbidding the usage of this feature on the writing routes.
The following routes do not support Foreign-filter anymore:
- Edit documents by function: POST
/indexes/{index_uid}/documents/edit - Delete documents by filter: POST
/indexes/{index_uid}/documents/delete - Export to a remote Meilisearch: POST
/export
Additional change: we now ensure that the experimental features are checked when parsing a filter
- Support prefix search on words registered in the disableOnAttributes and disableOnNumbers settings by @antcybersec in https://github.com/meilisearch/meilisearch/pull/6432
- Add missing logs in search performance details @ManyTheFish in https://github.com/meilisearch/meilisearch/pull/6457
- Ensure the index map budget is a multiplier of the OS page size by @genisis0x in https://github.com/meilisearch/meilisearch/pull/6454
- Reduce risk of vulnerability exploits on GHA by @curquiza in https://github.com/meilisearch/meilisearch/pull/6451
- Replace the
queueDocumentsFetchexperimental feature withdisableDocumentsFetchQueueconverting the feature from an opt-in to an opt-out By @ManyTheFish in https://github.com/meilisearch/meilisearch/pull/6456 - Bump and removes unused dependencies by @Kerollmops in https://github.com/meilisearch/meilisearch/pull/6444
- Fix Ollama embeddings changes to fix CI tests by @Kerollmops in https://github.com/meilisearch/meilisearch/pull/6450
❤️ Thanks again to @genisis0x and @antcybersec
4.35
-
FUSE
- fix(command): preserve fuse option after writers by @7y-9 in https://github.com/seaweedfs/seaweedfs/pull/9972
- test: add FUSE database load/durability/perf benchmark by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9980
- mount: tolerance-window write pattern detection for concurrent writeback by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9984
- fix(mount): keep a deferred local create from vanishing when its dir is rebuilt by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9991
- fix(mount): pin rebuild entries by their own inode, not inodeToPath by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9993
- mount: fix deadlock reading an uncached remote-mounted file by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9995
- mount: cache supplementary group IDs for non-root access performance by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10008
- fix(mount): run entry invalidations off the meta-cache apply loop by @kisow in https://github.com/seaweedfs/seaweedfs/pull/10002
- feat(mount): attach Content-MD5 to chunk uploads by @kisow in https://github.com/seaweedfs/seaweedfs/pull/10016
-
Misc
- security.toml: document WEED_ env override for jwt signing keys by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9981
- SECURITY.md: require working repro and trust-boundary impact by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9990
- mq(kafka): don't drop an existing topic when auto-create races by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9998
- Fix typo in SeaweedFS Filer description by @dantetemplar in https://github.com/seaweedfs/seaweedfs/pull/10009
- Logs typos by @m-sementsov in https://github.com/seaweedfs/seaweedfs/pull/10018
- feat: add Prometheus metrics for replication operations by @rushikesh90 in https://github.com/seaweedfs/seaweedfs/pull/10006
- install.sh: fix stale --version example (v3.93 -> 4.34) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10025
- feat: add Prometheus metric for volume creation operations by @rushikesh90 in https://github.com/seaweedfs/seaweedfs/pull/10026
- stats: define metric subsystems as constants by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10027
-
Filer
- filer: tolerance-window read pattern detection for concurrent readahead by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9983
- filer: skip COLLATE "C" list fallback on CockroachDB by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10015
-
Shell
- shell: show remote storage name/key in volume.list output by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9987
- fix(shell): return fs.verify topology errors by @7y-9 in https://github.com/seaweedfs/seaweedfs/pull/9982
-
Volume Server
- storage: register tier backends at the binary composition root by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9989
- volume: remove ec.bitrotChecksum and ec.bitrotBlockSizeMB flags by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10000
- volume: validate remote S3 endpoints in FetchAndWriteNeedle (Rust) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10001
- volume: detect phantom volumes held open as deleted FDs by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10011
-
Master
- use Leader() instead of MaybeLeader() in SendHeartbeat by @giftz in https://github.com/seaweedfs/seaweedfs/pull/10029
-
S3 API
- s3: bound streaming remote-cache wait so large cold GetObject returns 503, not a hang by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9988
- s3api: add optional request interceptor to circuit breaker by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9994
- s3: improve TTFB for large remote objects by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10010
- fix(s3): verify SigV2 using percent-encoded path for Unicode object keys by @sergey-zinchenko in https://github.com/seaweedfs/seaweedfs/pull/10022
-
Helm Charts
- helm: reject emptyDir for volume idx, and rebuild a missing idx on restart by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10005
-
Admin Server and Worker
- admin: surface user inline policies in object store user details by @msk-psp in https://github.com/seaweedfs/seaweedfs/pull/10013
-
Mini
- mini: resolve admin credentials from security.toml and env vars by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/10021
- @dantetemplar made their first contribution in https://github.com/seaweedfs/seaweedfs/pull/10009
- @sergey-zinchenko made their first contribution in https://github.com/seaweedfs/seaweedfs/pull/10022
Full Changelog: https://github.com/seaweedfs/seaweedfs/compare/4.34...4.35
v25.3.6
- ci: remove labeler and simplify change detection by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9751
- test: align GraphQL health check retries with gRPC pattern by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9752
- build(jemalloc): patch jemalloc 5.3.1 source for libstdc++ 16+ ABI removal by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9740
- dgraphtest: add WithStartupArg for arbitrary Alpha flags by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9741
- test: poll for HNSW index readiness instead of fixed sleeps by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9739
- fix: S390x compatibility by @navaneeswar1011 in https://github.com/dgraph-io/dgraph/pull/9746
- fix(security): compare poorman's auth token in constant time by @alhudz in https://github.com/dgraph-io/dgraph/pull/9736
- edgraph: add AlterNoAuth for trusted in-process schema callers by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9748
- x,edgraph,worker: add a reserved-namespace plugin registry by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9753
- x,edgraph: harden reserved-namespace registration and value-lock delete coverage by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9754
- alpha: add public extensibility hooks for the gRPC server and CLI flags by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9742
- @navaneeswar1011 made their first contribution in https://github.com/dgraph-io/dgraph/pull/9746
- @alhudz made their first contribution in https://github.com/dgraph-io/dgraph/pull/9736
Full Changelog: https://github.com/dgraph-io/dgraph/compare/v25.3.5...v25.3.6
v25.3.6
- ci: remove labeler and simplify change detection by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9751
- test: align GraphQL health check retries with gRPC pattern by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9752
- build(jemalloc): patch jemalloc 5.3.1 source for libstdc++ 16+ ABI removal by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9740
- dgraphtest: add WithStartupArg for arbitrary Alpha flags by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9741
- test: poll for HNSW index readiness instead of fixed sleeps by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9739
- fix: S390x compatibility by @navaneeswar1011 in https://github.com/dgraph-io/dgraph/pull/9746
- fix(security): compare poorman's auth token in constant time by @alhudz in https://github.com/dgraph-io/dgraph/pull/9736
- edgraph: add AlterNoAuth for trusted in-process schema callers by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9748
- x,edgraph,worker: add a reserved-namespace plugin registry by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9753
- x,edgraph: harden reserved-namespace registration and value-lock delete coverage by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9754
- alpha: add public extensibility hooks for the gRPC server and CLI flags by @matthewmcneely in https://github.com/dgraph-io/dgraph/pull/9742
- @navaneeswar1011 made their first contribution in https://github.com/dgraph-io/dgraph/pull/9746
- @alhudz made their first contribution in https://github.com/dgraph-io/dgraph/pull/9736
Full Changelog: https://github.com/dgraph-io/dgraph/compare/v25.3.5...v25.3.6
v3.6.15
- Re-fix 1xx handling by @matthoffman in https://github.com/Netflix/zuul/pull/2149
Full Changelog: https://github.com/Netflix/zuul/compare/v3.6.14...v3.6.15
2026-06-18, Version 26.3.1 (Current), @aduh95
This is a security release.
- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
- (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) – Low
- [
98fbc89211] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878 - [
110840f2c7] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890 - [
8d36d522b2] - deps: update undici to 8.5.0 (Node.js GitHub Bot) #63903 - [
2e6d03993a] - deps: update undici to 8.4.0 (Node.js GitHub Bot) #63779 - [
5a17d5b07a] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820 - [
362725d4e5] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820 - [
bd1214ab01] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868 - [
bc0b53813e] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846 - [
87d847bc70] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855 - [
9308084fcb] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867 - [
a67dd46891] - (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) nodejs-private/node-private#885 - [
7057c3f16c] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873 - [
6bc17a6b51] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870 - [
c8668beff8] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854 - [
d1be630415] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854 - [
a14c158bb3] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857 - [
ebda73470d] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869
2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95
This is a security release.
- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
- [
9e4dfc7bba] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878 - [
cb2aed980c] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890 - [
a8a0d12875] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891 - [
66e6203c1c] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891 - [
dd627ced27] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820 - [
684bae568f] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820 - [
3a631e7f83] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656 - [
cf44df3996] - deps: update undici to 7.28.0 (Node.js GitHub Bot) #63703 - [
138c70294b] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868 - [
be7e719c3f] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846 - [
cc7c11b4d1] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855 - [
9224427b92] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867 - [
cf85d54839] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873 - [
a1bbc24f96] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870 - [
e3723ff2d6] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854 - [
a77af4867b] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854 - [
31beb4f707] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857 - [
8e75c73f91] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869
2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95
This is a security release.
- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
- [
38b4c5ed51] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878 - [
ad8a10c1bb] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890 - [
ca825a87cc] - deps: update undici to 6.27.0 (aduh95) #63711 - [
a1a5bb9683] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891 - [
0f48583512] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891 - [
38c869fc05] - deps: update nghttp2 to 1.68.0 (nodejs-github-bot) #61136 - [
290667c84f] - deps: update nghttp2 to 1.67.1 (nodejs-github-bot) #59790 - [
c9f3da76aa] - deps: update nghttp2 to 1.66.0 (Node.js GitHub Bot) #58786 - [
60890be563] - deps: update nghttp2 to 1.65.0 (Node.js GitHub Bot) #57269 - [
5024c7d5d8] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820 - [
7f4eb5af2e] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820 - [
ebb4ec78a8] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656 - [
5763d40826] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045 - [
c551a51d0c] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868 - [
0a22d40180] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846 - [
c79968e108] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855 - [
0c37bff2ff] - http2: fix DEP0194 message (KaKa) #58669 - [
ea5dc6b529] - (SEMVER-MAJOR) http2: remove support for priority signaling (Matteo Collina) #58293 - [
9b6af26132] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867 - [
28dcd38864] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873 - [
2f62693801] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870 - [
1662a3ea09] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854 - [
718d5d0e2c] - test: skiptest-fs-utimes-y2K38on armv7 (Richard Lau) #63836 - [
041185b61f] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238 - [
fd890ba01d] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854 - [
39d1d09684] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857 - [
2197a47144] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869
{ "template": /* templateTarget object */, "input": /* inputTarget object or null */ }