Releases: guzzle/guzzle
Releases · guzzle/guzzle
Release list
7.14.0
Added
- Added the
on_trailersrequest option to expose parsed HTTP response trailers - Added the
multiplexrequest option withMultiplexing::*modes to control or require HTTP/2 multiplexing - Added rejection of explicit
multiplexrequests whenCURLMOPT_PIPELININGdisables multiplexing - Added the
max_host_connectionsandmax_total_connectionsclient and cURL multi handler options
Changed
- Redirects that discard the request body no longer require it to be rewindable
- Synchronous cURL multi handler requests no longer wait for other queued transfers
- Section SOCKS proxy connections by credentials on libcurl before 7.69.0
- Reject request-level
CURLOPT_SHAREwhen combined with authenticated SOCKS proxy configuration - Redact proxy userinfo containing raw control bytes in cURL errors
- Check linked curl/libcurl NTLM support before applying NTLM auth
- Clarify that NTLM is deprecated by both Guzzle and curl/libcurl
- Remove deprecation for the raw cURL
CURLOPT_CERTINFOoption - Warn when a cURL multi option cannot be applied
Deprecated
- Deprecate the raw
CURLOPT_PIPEWAITcURL option in favour of themultiplexrequest option - Deprecate unknown handler constructor options
- Deprecate invalid
select_timeoutcURL multi handler option values - Deprecate raw cURL multi connection cap options in favour of the named options
7.13.3
Changed
- Adjusted
guzzlehttp/promisesversion constraint to^2.5.1 - Adjusted
guzzlehttp/psr7version constraint to^2.12.4 - Pass explicit trim characters ahead of the PHP 8.6 trim default change
Fixed
- Stop matching cookie domains against hosts with a trailing newline
- Reject HTTP status codes and certificate type extensions with a trailing newline
- Treat PCRE engine failures as invalid cookie names during cookie validation
- Report PCRE engine failures when formatting log messages
- Report PCRE engine failures when splitting
no_proxyvalues
7.13.2
Fixed
- Stop the cURL multi handler busy-waiting on request delays shorter than one second
- Stop cURL HEAD requests with request bodies hanging on responses that declare a content length
- The cURL handler no longer transmits request bodies on HEAD requests
- Preserve response headers when a response includes HTTP trailers
- Harden cURL response header block detection when HTTP trailers are received
- Corrected the PSR-7 class names in the Pool iterator exception
- Redirect body rewind failures no longer leak a bare
RuntimeException
7.13.1
Fixed
- Allow middleware to rewrite partial URIs before transports validate them
7.13.0
Added
- Added the
crypto_method_maxrequest option to cap the maximum TLS protocol version - Added HTTP QUERY redirect support, preserving method and body on 301 and 302
Changed
- Section proxy tunnel connection reuse by credential so distinct credentials never share a tunnel
- Isolate concurrent foreign cURL proxy tunnels added while another owner's tunnel is active
- Route credentialed HTTP(S) proxy Proxy-Authorization headers through cURL proxy header handling
- Reject request-level
CURLOPT_SHAREwhen combined with authenticated HTTP/HTTPS proxy tunnel configuration - Remove deprecation for raw cURL
CURLOPT_PREREQFUNCTIONcallbacks when defined by PHP cURL - Route TLS 1.2
crypto_methodrequests to the stream handler when cURL cannot select TLS 1.2 - Reject final request URIs missing a scheme or host before transfer
Deprecated
- Deprecate invalid protocols, force_ip_resolve, delay, cookies, and allow_redirects values
7.12.3
Changed
- Adjusted
guzzlehttp/psr7version constraint to^2.12.3
Security
- Treat IP and numeric cookie domains as exact-match-only (GHSA-g446-98w2-8p5w)
7.12.2
Fixed
- Clamp out-of-range
Max-Ageso a very large value no longer overflows to an already-expired timestamp - Use strict comparison in
CookieJarconflict resolution so distinct numeric-string names don't overwrite - Store a cookie whose
Domainhas a trailing dot on the origin host instead of silently discarding it - Fix
StreamHandlerhard-failing on bracketed IPv6 literal hosts whenforce_ip_resolveis set - Use strict cookie
Pathcomparison soCookieJar::clear()with a numeric path keeps a distinct-path cookie - Fixed cookie handling for falsey
Domain,Max-Age, path, and name values - Fixed
decode_contenthandling for falsey string values - Fixed deprecated request option values reaching built-in handlers before normalization
7.12.1
Changed
- Adjusted
guzzlehttp/psr7version constraint to^2.12.1
Fixed
- Reject proxy URLs with a malformed scheme in the cURL handlers instead of letting libcurl mishandle them
Security
- Reject HTTPS proxies when the installed libcurl lacks HTTPS-proxy support (GHSA-wpwq-4j6v-78m3)
- Reject dot-only cookie
Domainattributes as match-all (GHSA-cwxw-98qj-8qjx)
7.12.0
Added
- Added
RequestOptionsconstants forcurl,retries, andstream_context
Changed
- Adjusted
guzzlehttp/psr7version constraint to^2.12 - Constrain cURL transport sharing to safe libcurl DNS and SSL session support
- Resolve proxy environment variables in the cURL handlers; libcurl no longer reads the environment itself
- Ignore proxy environment variables when the
proxyrequest option makes a decision - Disable proxy environment variables on Windows SAPIs other than CLI (httpoxy hardening)
- Redact proxy credentials from cURL handler error messages, following
Psr7\Utils::redactUserInfo() - Normalize no-proxy domain and IP literal matching across the cURL and stream handlers
Deprecated
- Deprecated the request-level
handleroption, which will be ignored in 8.0 - Deprecated raw cURL request options outside the built-in cURL handlers' allow-list
- Deprecated the
CURLOPT_PROXYTYPEcURL request option; set the proxy type via a scheme-prefixed proxy URL - Deprecated PHP stream context options outside the built-in stream handler allow-list
- Deprecated passing
ntlmas a built-inauthtype - Deprecated
Utils::describeType() - Deprecated non-finite floats in the
queryandform_paramsoptions; 8.0 rejects them - Deprecated non-string scalar values in the
bodyoption; 8.0 rejects them
Fixed
- Fix cURL TLS and HTTP/2 capability detection using libcurl feature checks
- Fix proxy
nolist matches being re-proxied through environment-configured proxies by libcurl - Fix
nolist andNO_PROXYmatching to support IP CIDR ranges, matching libcurl - Fix the stream handler not applying scheme-less proxies and their credentials
7.11.2
Fixed
- Fixed non-finite float values emitting coercion warnings on PHP 8.5