dulwich 1.2.5

This is a security release. All users are encouraged to upgrade.

Security fixes

• GHSA-gfhv-vqv2-4544 -- Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact. The dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Reported by tonghuaroot)

• CVE-2026-42305 -- Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. validate_path_element_ntfs now also rejects Windows path separators, the alternate data stream marker :, NTFS 8.3 short-name aliases of .git, and reserved Windows device names. core.protectNTFS now defaults to true on every platform, and both core.protectNTFS and core.protectHFS are now read under their correct option names. (Reported by Christopher Toth)

• CVE-2026-42563 -- Shell-quote values substituted into ProcessMergeDriver commands. A malicious branch could inject shell commands when a merge driver referencing %P was configured. (Reported by Ravishanker Kusuma (hayageek))

• CVE-2026-47712 -- Sanitize commit subjects used in porcelain.format_patch filenames so a malicious subject (e.g. x/../../x) cannot direct the generated patch outside outdir. (Reported by Christopher Toth)

• receive.maxInputSize -- Honour receive.maxInputSize in ReceivePackHandler. Previously a remote unauthenticated client could send a tiny crafted pack that declared a huge dest_size and trigger hundreds of MB of allocation over git-receive-pack. (Reported by Liyi, Ziyue, Strick, Maurice and Chenchen @ University of Sydney)

dulwich-1.2.4

Tolerate ref names with empty path components (e.g. `refs/tags//v1.0`) for now, emitting a `DeprecationWarning` rather than raising a `RefFormatError`. Such names are constructed by older Poetry releases (fixed in Poetry 2.4.0) and were silently accepted before Dulwich 1.2.3. `local_branch_name`, `local_tag_name` and `local_replace_name` likewise warn about, and strip, a leading slash instead of raising `ValueError`. Both will become errors again in a future release. (Jelmer Vernooij, #2192)

dulwich-1.2.1

Changes since 1.2.0

• Derive the LFS endpoint as the remote's on-disk LFS store
  (<remote>/.git/lfs for worktrees, <remote>/lfs for bare repos)
  when remote.origin.url points at a local filesystem path or
  file:// URL, matching git-lfs behaviour. Previously the built-in
  smudge filter constructed an HTTP-style <remote>.git/info/lfs path
  that did not exist on disk, leaving LFS-tracked files as pointers
  when cloning from a local repo.

• Deduplicate objects when writing a multi-pack-index. Objects present
  in multiple packs (e.g. after git gc creates a cruft pack) would
  otherwise produce an OIDL chunk with repeated SHAs, causing
  git multi-pack-index verify to fail with "oid lookup out of order".
  (#2152)

• Extend ignorecase and precomposeunicode support to index lookups.
  (#1807)

1.2.0

Notable changes since 1.1.0

New features

• Add am command and porcelain.am() for applying mailbox-style email patches (git am), with state persistence for --continue, --skip, --abort, and --quit recovery (#1692).
• Add apply command and porcelain.apply_patch() for applying unified diffs, including rename/copy detection, binary patches with Git's base85 encoding, and --3way merge fallback (#1784).
• Expand log command options: --oneline, --abbrev-commit, --author, --committer, --grep, --since/--after, --until/--before, -n/--max-count, --no-merges, --merges, --stat, -p/--patch, --name-only, and --follow (#1779).
• Add support for push options (-o/--push-option) in push, enabling AGit flow and other server-side push option workflows.
• Add missing push options: --all, --tags, --delete, --dry-run, --prune, --set-upstream, --follow-tags, and --mirror (#1844).
• Add support for atomic push operations (--atomic): either all ref updates succeed or none are applied (#1781).
• Add support for extensions.relativeworktrees repository extension, allowing worktrees to use relative paths (#2112).

Configuration support

• gc.pruneExpire — grace period before unreachable objects are pruned (#1859).
• core.precomposeunicode — normalize NFD Unicode paths from macOS filesystems to NFC (#1804).
• core.gitProxy — proxy command for git:// protocol connections (#1850).
• core.maxStat — limit stat operations when checking for unstaged changes (#1853).
• core.packedGitLimit — cap memory used for mmapped pack files, closing LRU packs when exceeded (#1848).
• core.deltaBaseCacheLimit — cap memory used for caching delta base objects; defaults to 96 MiB (#1849).
• http.userAgent — customize the User-Agent header (global and URL-specific); default is git/dulwich/{version}.

Fixes

• Fix GPG signature verification to raise BadSignature for all GPG errors, not just BadSignatures; also detect when GPG returns no signatures.
• Fix client incorrectly sending unborn argument in Git protocol v2 ls-refs requests to servers that don't advertise ls-refs=unborn, preventing clones from older servers like Gerrit 3.12.2 (#2104).
• Improve error message in read_info_refs() to show the actual line content when parsing fails (#2103).
• Preserve quoted trailing whitespace in config values (#2145, Christopher Toth).
• Fix .gitignore parent re-include handling so a later !dir/ re-include allows a subsequent file-level negation to take effect (#2141, N0zoM1z0).
• Fix host key verification in contrib/paramiko_vendor.py by loading known hosts and rejecting unknown SSH host keys by default (#2123, quart27219).

Packaging

• No longer ship contrib/ as part of the distribution. The contrib/ directory has always been documented as unsupported and is now excluded from the installed package (#2122).

dulwich-0.23.0

What's Changed

• Bump ruff from 0.9.7 to 0.9.9 by @dependabot in #1502
• Install libatomic - necessary for rustup by @jelmer in #1507
• cli: protocol argument consistency and fixups by @jayaddison in #1506
• cli: adjust 'message' argument parsing to require a value by @jayaddison in #1511
• cli: adjust parsing of positional path arguments by @jayaddison in #1512
• Handle empty commit messages in porcelain.log by @jelmer in #1515
• Bump ruff from 0.9.9 to 0.9.10 by @dependabot in #1516
• Bump ruff by @jelmer in #1518
• cli: add basic branch management commands by @jayaddison in #1514
• Document dulwich.porcelain functions by their Python identi… by @marnanel in #1520
• Update NEWS by @jelmer in #1522
• Bump ruff from 0.11.0 to 0.11.2 by @dependabot in #1523
• Bump ruff from 0.11.2 to 0.11.4 by @dependabot in #1525
• Bump ruff from 0.11.4 to 0.11.5 by @dependabot in #1526
• Bump ruff from 0.11.5 to 0.11.6 by @dependabot in #1527
• Resolve datetime deprecation warnings by @emmanuel-ferdman in #1528
• client: Ensure thin_packs parameter is honored with git protocol v2 by @anlambert in #1530
• Fix some warnings by @jelmer in #1529
• Add more tests by @jelmer in #1531
• Bump ruff from 0.11.6 to 0.11.7 by @dependabot in #1532
• Bump ruff from 0.11.7 to 0.11.8 by @dependabot in #1533
• Bump ruff from 0.11.8 to 0.11.9 by @dependabot in #1534
• Add tests for log_utils and submodule by @jelmer in #1535
• Add more release robot tests by @jelmer in #1536
• Add tests for cloud_gcs by @jelmer in #1537
• Add more object_store tests by @jelmer in #1538
• Add more tests by @jelmer in #1539
• Bump ruff from 0.11.9 to 0.11.10 by @dependabot in #1540
• Bump ruff from 0.11.10 to 0.11.11 by @dependabot in #1544
• Bump PyO3 to 0.25 by @jelmer in #1547
• Split out Config.set and Config.add by @jelmer in #1549
• Support core.sshCommand by @jelmer in #1550
• Fix typing issues. Fixes #1521 by @jelmer in #1551
• SubprocessClient: timeout after 60s of inactivity when closing channel by @jelmer in #1552
• Add merge command by @jelmer in #1554
• Add type hint for get_ssh_vendor by @jelmer in #1553
• Fix handling of casing of subsection names in config by @jelmer in #1556
• Update working tree in pull by @jelmer in #1555
• Cope with missing merge3 by @jelmer in #1557
• Implement dulwich.porcelain.checkout by @jelmer in #1558
• Add script for fixing dulwich' history by @jelmer in #1559
• Fix warnings by @jelmer in #1562
• Add basic support for manyfiles feature by @jelmer in #1560
• Use dissolve to manage deprecations by @jelmer in #1563
• Use dissolve's remove_in by @jelmer in #1565
• Bump ruff from 0.11.11 to 0.11.12 by @dependabot in #1566
• Handle trailing backslashes in config files appropriately by @jelmer in #1568
• Bump mypy by @jelmer in #1569
• Add basic commit graph support. See #1191 by @jelmer in #1564
• Factor out varint by @jelmer in #1571
• Fix tests by @jelmer in #1572
• Revert "Factor out varint" by @jelmer in #1573
• Port remaining dulwich.cli commands to argparse by @jelmer in #1574
• Fix gitignore pattern matching for directory negation patterns by @jelmer in #1575
• Pydoctor fixes by @jelmer in #1576
• Fix porcelain.add() to handle symlinks pointing outside repository by @jelmer in #1577
• Two fixes for add handling by @jelmer in #1578
• Bump ruff from 0.11.12 to 0.11.13 by @dependabot in #1579
• More add fixes by @jelmer in #1580
• Fix compatibility with testtools by @jelmer in #1581
• Bump pyo3 from 0.25.0 to 0.25.1 by @dependabot in #1582
• Bump memchr from 2.7.4 to 2.7.5 by @dependabot in #1583
• Add support for format argument to Repo.init() and Repo.init_bare() by @jelmer in #1584
• Fix Rust implementation of sorted_tree_items() for submodules (#1325) by @jelmer in #1585
• Fix LocalGitClient assertion error with MemoryRepo by @jelmer in #1588
• Add support for os.PathLike objects throughout the API by @jelmer in #1586
• Initial work on pack index v3 by @jelmer in #1119
• Add unpack-objects plumbing command by @jelmer in #1592
• docs: Clarify trailing slash requirement for directory ignore checks by @jelmer in #1591
• Add merge-tree plumbing command by @jelmer in #1589
• Support garbage collection by @jelmer in #1593
• Add porcelain.count_objects() function by @jelmer in #1590
• Support pack.indexVersion config option by @jelmer in #1594
• Fix DictRefsContainer.set_if_equals() to only update requested ref by @jelmer in #1596
• Implement basic rebase by @jelmer in #1595

New Contributors

• @emmanuel-ferdman made their first contribution in #1528

Full Changelog: dulwich-0.22.8...dulwich-0.23.0

1.1.0

What's Changed

• Add reference to c-git-compatibility doc in README.md by @jelmer in #2069
• Implement cli commands for more porcelain by @jelmer in #2071
• Support GIT_TRACE_PACKET by @jelmer in #2073
• Fix cloning of SHA-256 repositories with protocol v2 by @jelmer in #2074
• skip tests that require merge3 when it's not available by @kulikjak in #2075
• Add test-minimal to CI; run tests without installing any optional dependencies by @jelmer in #2076
• Update SECURITY.md by @jelmer in #2077
• Don't skip 3.14 wheels by @bowiechen in #2078
• Add Git protocol v2 packfile-uris client support by @jelmer in #2079
• Attempt to fix occasional issues with long running lfs processes in tests by @jelmer in #2081
• Allow passing commit and author timestamps into porcelain.commit by @ading2210 in #2080
• Skip Python 3.14 x86_64/universal2 wheels on macOS by @jelmer in #2082
• Improve exception message for tags by @jelmer in #2083
• ci(deps): bump dependabot/fetch-metadata from 2.4.0 to 2.5.0 by @dependabot[bot] in #2084
• ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #2085
• deps(deps-dev): bump ruff from 0.14.10 to 0.14.14 in the pip group by @dependabot[bot] in #2086
• Add bundle URI support for faster clones and fetches by @jelmer in #2087
• Add basic subtree support by @jelmer in #2088
• Add support for core.trustctime configuration option by @jelmer in #2091
• Fix LFS client selection for file:// URLs by @jelmer in #2089
• Add support for core.commentChar configuration option (#1852) by @jelmer in #2092
• Add --unshallow support to fetch command by @jelmer in #2093
• Add progress reporting during pack file downloads by @jelmer in #2094
• Macos wheels fix by @jelmer in #2095
• Disable git-lfs filter process in LFS status tests to fix flaky Windows failures by @jelmer in #2096
• Server side hooks by @jelmer in #2097
• Fix checkout skipping files with paths starting with '.git' by @jelmer in #2098

New Contributors

• @bowiechen made their first contribution in #2078
• @ading2210 made their first contribution in #2080

Full Changelog: dulwich-1.0.0...dulwich-1.1.0

1.0.0

What's Changed

• More tests by @jelmer in #2066
• Document C git compatibility by @jelmer in #2067
• Remove deprecated functions by @jelmer in #2068

Full Changelog: dulwich-0.25.2...dulwich-1.0.0

dulwich-0.25.1

What's Changed

• Fix GPG signature test to handle InvalidSigners exception by @jelmer in #2064
• Make object store close() idempotent and warn on unclosed resources by @jelmer in #2065

Full Changelog: dulwich-0.25.1...dulwich-0.25.2

0.22.6

What's Changed

• Various minor rust improvements by @jelmer in #1390
• Fix handling of symrefs with protocol v2. Fixes #1389 by @jelmer in #1392
• Refactor ref handling by @jelmer in #1393
• Bump mypy from 1.12.0 to 1.12.1 by @dependabot in #1395
• Bump ruff from 0.6.9 to 0.7.0 by @dependabot in #1396
• Build pure wheels by @jelmer in #1398
• Bump mypy from 1.12.1 to 1.13.0 by @dependabot in #1401
• Bump ruff from 0.7.0 to 0.7.1 by @dependabot in #1400
• Add ObjectStore.iter_prefix by @jelmer in #1402
• Test symrefs handling for git protocol v2 by @stspdotname in #1403
• use a default ref-prefix when fetching with git protocol v2 by @stspdotname in #1404
• Revert back to Cargo.lock format version 3 by @jelmer in #1406
• Upgrade disperse config by @jelmer in #1408
• Fix new version by @jelmer in #1409
• Drop outdated performance.txt file. Fixes #1411 by @jelmer in #1412
• return peeled refs from GitClient.get_refs() if protocol-v2 is used by @stspdotname in #1413
• Bump ruff from 0.7.1 to 0.7.2 by @dependabot in #1415
• Drop support for Python 3.8 by @jelmer in #1414
• build: respect the "pure" argument at metadata generation time by @eli-schwartz in #1417
• Move ref_prefix default behaviour down by @jelmer in #1418
• Drop broken refspecs argument for porcelain.clone by @jelmer in #1420
• consistently pass around ref_prefix and protocol_version in dulwich.client by @jelmer in #1421
• Revert broken ref_prefix handling, consistently apply ref_prefix by @jelmer in #1422
• Strip pkt-line when negotiating Git protocol v2 by @Lordshinjo in #1424
• add easy type hints to some function returns by @castedo in #1426
• Bump ruff from 0.7.2 to 0.7.3 by @dependabot in #1427
• iter_prefix: fix handling of missing loose object directories by @jelmer in #1428
• type hints for ShaFile.copy and Tree.lookup_path by @castedo in #1430
• Improve unittest calls by @jelmer in #1433
• Upgrade Python code to a modern version by @jelmer in #1436
• Reject refcontainer values that are not 40 char sha or symref by @abn in #1437

New Contributors

• @eli-schwartz made their first contribution in #1417
• @Lordshinjo made their first contribution in #1424
• @abn made their first contribution in #1437

Full Changelog: v0.22.2...v0.22.6

dulwich-0.25.1

Full Changelog: dulwich-0.25.0...dulwich-0.25.1