v1.70.0

What's Changed

• Go 1.26 and golangci-lint updates by @erikdubbelboer in #2146
• Add WithLimit methods for uncompression by @erikdubbelboer in #2147
• Honor Root for fs.FS and normalize fs-style roots by @erikdubbelboer in #2145
• Sanitize header values in all setter paths to prevent CRLF injection by @erikdubbelboer in #2162
• Add ServeFileLiteral, ServeFSLiteral and SendFileLiteral by @erikdubbelboer in #2163
• Prevent chunk extension request smuggling by @erikdubbelboer in #2165
• Validate request URI format during header parsing to reject malformed requests by @erikdubbelboer in #2168
• HTTP1/1 requires exactly one Host header by @erikdubbelboer in #2164
• Strict HTTP version validation and simplified first line parsing by @erikdubbelboer in #2167
• Only normalize pre-colon whitespace for HTTP headers by @erikdubbelboer in #2172
• fs: reject '..' path segments in rewritten paths by @erikdubbelboer in #2173
• fasthttpproxy: reject CRLF in HTTP proxy CONNECT target by @erikdubbelboer in #2174
• fasthttpproxy: scope proxy auth cache to GetDialFunc by @erikdubbelboer in #2144
• feat: enhance performance by @ReneWerner87 in #2135
• export ErrConnectionClosed by @pjebs in #2152
• fix: detect master process death in prefork children by @meruiden in #2158
• return prev values by @pjebs in #2123
• docs: added httpgo to related projects by @MUlt1mate in #2169
• chore(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #2149
• chore(deps): bump github.com/andybalholm/brotli from 1.2.0 to 1.2.1 by @dependabot[bot] in #2170
• chore(deps): bump github.com/klauspost/compress from 1.18.2 to 1.18.3 by @dependabot[bot] in #2129
• chore(deps): bump github.com/klauspost/compress from 1.18.3 to 1.18.4 by @dependabot[bot] in #2140
• chore(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5 by @dependabot[bot] in #2166
• chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @dependabot[bot] in #2139
• chore(deps): bump golang.org/x/net from 0.48.0 to 0.49.0 by @dependabot[bot] in #2128
• chore(deps): bump golang.org/x/net from 0.49.0 to 0.50.0 by @dependabot[bot] in #2138
• chore(deps): bump golang.org/x/sys from 0.39.0 to 0.40.0 by @dependabot[bot] in #2125
• chore(deps): bump golang.org/x/sys from 0.40.0 to 0.41.0 by @dependabot[bot] in #2137
• chore(deps): bump securego/gosec from 2.22.11 to 2.23.0 by @dependabot[bot] in #2142
• Update securego/gosec from 2.23.0 to 2.25.0 by @erikdubbelboer in #2161

New Contributors

• @MUlt1mate made their first contribution in #2169
• @meruiden made their first contribution in #2158

Full Changelog: v1.69.0...v1.70.0

v1.69.0

What's Changed

• Add sortkeys by @pjebs in #2118
• Expose header parsing error variables by @ReneWerner87 in #2096
• Add documentation that modifying during iteration can panic by @erikdubbelboer in #2122
• update readme by @pjebs in #2114
• chore(deps): bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #2092
• chore(deps): bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in #2095
• chore(deps): bump golang.org/x/sys from 0.37.0 to 0.38.0 by @dependabot[bot] in #2094
• chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0 by @dependabot[bot] in #2098
• chore(deps): bump golang.org/x/net from 0.46.0 to 0.47.0 by @dependabot[bot] in #2097
• chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 by @dependabot[bot] in #2099
• chore(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #2101
• chore(deps): bump github.com/klauspost/compress from 1.18.1 to 1.18.2 by @dependabot[bot] in #2103
• chore(deps): bump golang.org/x/net from 0.47.0 to 0.48.0 by @dependabot[bot] in #2109
• chore(deps): bump actions/upload-artifact from 5 to 6 by @dependabot[bot] in #2111
• chore(deps): bump securego/gosec from 2.22.10 to 2.22.11 by @dependabot[bot] in #2110

Full Changelog: v1.68.0...v1.69.0

v1.68.0

What's Changed

• Fix named return bugs by @erikdubbelboer in 1b8c559
• chore(deps): bump golang.org/x/sys from 0.36.0 to 0.37.0 by @dependabot[bot] in #2087
• chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 by @dependabot[bot] in #2086
• chore(deps): bump golang.org/x/net from 0.45.0 to 0.46.0 by @dependabot[bot] in #2085
• chore(deps): bump securego/gosec from 2.22.9 to 2.22.10 by @dependabot[bot] in #2088
• chore(deps): bump github.com/klauspost/compress from 1.18.0 to 1.18.1 by @dependabot[bot] in #2089

Full Changelog: v1.67.0...v1.68.0

v1.67.0

Special thanks to the following security researchers who reported the issues fixed in this release:

• @zer0yu (Enze Wang)
• @P3ngu1nW (Jingcheng Yang)
• @9vvert (Zehui Miao)

What's Changed

• Add DNS cache management methods for TCPDialer by @aabishkaryal in #2072
• Fix username:password@ validation in urls by @erikdubbelboer in #2080
• Validate IPv6 addresses in urls by @erikdubbelboer in #2079
• Validate schemes by @erikdubbelboer in #2078
• Reject invalid hosts with multiple port delimiters by @erikdubbelboer in #2077
• Reject backslash absolute URIs and cache parse errors by @erikdubbelboer in #2075
• Reject bad ipv6 hostnames by @erikdubbelboer in #2076
• Reimplement flushing support for fasthttpadaptor by @erikdubbelboer in #2081
• chore(deps): bump securego/gosec from 2.22.8 to 2.22.9 by @dependabot[bot] in #2073

New Contributors

• @aabishkaryal made their first contribution in #2072

Full Changelog: v1.66.0...v1.67.0

v1.66.0

What's Changed

• chore(deps): bump securego/gosec from 2.22.7 to 2.22.8 by @dependabot[bot] in #2056
• docs: add fasthttp-auth to related projects section by @FAUST-BENCHOU in #2057
• server: refactor to use atomic type by @cuiweixie in #2058
• chore(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in #2060
• Fix extra whitespace parsing in HTTP request lines to prevent cache poisoning by @Copilot in #2061
• Drop Go 1.23 support by @erikdubbelboer in #2065
• Add flushing support to fasthttpadaptor by @grivera64 in #2054

New Contributors

• @FAUST-BENCHOU made their first contribution in #2057
• @cuiweixie made their first contribution in #2058
• @Copilot made their first contribution in #2061 😄
• @grivera64 made their first contribution in #2054

Full Changelog: v1.65.0...v1.66.0

v1.65.0

‼️ ⚠️ backwards incompatibility! ⚠️ ‼️

In this version of fasthttp, headers delimited by just \n (instead of \r\n) are no longer supported!

What's Changed

• Rewrite header parsing to improve spec compliance by @erikdubbelboer in #2030
• Simplify Client.Do function and lock usage by @byte0o in #2038
• chore(deps): bump securego/gosec from 2.22.5 to 2.22.7 by @dependabot[bot] in #2039
• Fix trailer security by @erikdubbelboer in #2043
• Fix RequestHeader.ContentLength() if disableSpecialHeader is true by @erikdubbelboer in #2042
• Add reuseport support for Solaris by @jwntree in #2046
• test: replace atomic operations with atomic types by @alexandear in #2048
• chore(deps): bump golang.org/x/net from 0.42.0 to 0.43.0 by @dependabot[bot] in #2049
• Optimize fs to have 0 allocations by @erikdubbelboer in #2052
• chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #2055

New Contributors

• @jwntree made their first contribution in #2046

Full Changelog: v1.64.0...v1.65.0

v1.64.0

⚠️ Deprecation warning! ⚠️

In the next version of fasthttp headers delimited by just \n (instead of \r\n) are no longer supported!

What's Changed

• Add warning for deprecated newline separator by @erikdubbelboer in #2031
• refact: eliminate duplication in Request/Response via struct embedding by @ksw2000 in #2027
• chore(deps): bump golang.org/x/sys from 0.33.0 to 0.34.0 by @dependabot[bot] in #2034
• chore(deps): bump golang.org/x/crypto from 0.39.0 to 0.40.0 by @dependabot[bot] in #2036
• chore(deps): bump golang.org/x/net from 0.41.0 to 0.42.0 by @dependabot[bot] in #2035

Full Changelog: v1.63.0...v1.64.0

v1.63.0

What's Changed

• chore(deps): bump securego/gosec from 2.22.3 to 2.22.4 by @dependabot in #2007
• fix: removed resolved issue link from readme file, issue no longer ex… by @viralkansarav in #2008
• feat: Add iter.Seq2 iterator by @ksw2000 in #2011
• Removed old information from main documentation as these functions does not exist by @viralkansarav in #2012
• Proposal : To add Unsafe Zero-Allocation Conversions Sections in main documentation by @viralkansarav in #2013
• chore(deps): bump golang.org/x/net from 0.40.0 to 0.41.0 by @dependabot in #2018
• Drop support before go1.20 by @erikdubbelboer in #2022
• chore(deps): bump securego/gosec from 2.22.4 to 2.22.5 by @dependabot in #2025
• Implement io.StringWriter on some more types by @erikdubbelboer in #2023
• chore(deps): bump github.com/andybalholm/brotli from 1.1.1 to 1.2.0 by @dependabot in #2029

New Contributors

• @viralkansarav made their first contribution in #2008

Full Changelog: v1.62.0...v1.63.0

v1.62.0

What's Changed

• Add support for streaming identity-encoded or unknown length response bodies by @osxtest in #2000
• feat: move user values to Request structure by @mdenushev in #1999
• chore(deps): bump golangci/golangci-lint-action from 7 to 8 by @dependabot in #2001
• chore(deps): bump golang.org/x/crypto from 0.37.0 to 0.38.0 by @dependabot in #2002
• chore(deps): bump golang.org/x/net from 0.39.0 to 0.40.0 by @dependabot in #2003
• modify acceptConn for RIO by @wamshawn in #2005

New Contributors

• @osxtest made their first contribution in #2000
• @wamshawn made their first contribution in #2005

Full Changelog: v1.61.0...v1.62.0

v1.61.0

What's Changed

• chore(deps): bump golang.org/x/sys from 0.31.0 to 0.32.0 by @dependabot in #1989
• chore(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0 by @dependabot in #1988
• chore(deps): bump securego/gosec from 2.22.2 to 2.22.3 by @dependabot in #1990
• chore(deps): bump golang.org/x/net from 0.38.0 to 0.39.0 by @dependabot in #1991
• Fix round robin addresses in dual stack dialing by @raviqqe in #1995
• Fix panic when perIPConn.Close is called multiple times by @erikdubbelboer in #1993
• early hint functionality by @pjebs in #1996

New Contributors

• @raviqqe made their first contribution in #1995

Full Changelog: v1.60.0...v1.61.0