Update dependency vapor/vapor to from: "4.101.2"

[renovate]

This PR contains the following updates:

Package	Update	Change
vapor/vapor	minor	from: "4.83.1" -> from: "4.101.2"

---

Release Notes

vapor/vapor (vapor/vapor)

v4.101.2: - Adds TIFF and WebP HTTP Media Types

Compare Source

What's Changed

Adds TIFF and WebP HTTP Media Types by @​qalandarov in #​3194

Add additional image types:

app.post("upload") { req in
    guard [.jpeg, .png, .tiff, .webp].contains(req.content.contentType) else {
        throw Abort(.unsupportedMediaType)
    }
    // ...
}

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.101.1...4.101.2

v4.101.1: - Exclude Query and Fragment from URI semicolon fix on Linux

Compare Source

On Linux, URLComponents does not have 100% the same behavior like on macOS. Vapor accounts for this unfixed bug by replacing percent-encoded semicolon %3B with ; in URIs.

This is however not fully correct, because if a URI contains a percent encoded semicolon, this might have a different meaning, than when it is not percent encoded, compare the following sentence from RFC 3986:

A percent-encoding mechanism is used to represent a data octet in a
component when that octet's corresponding character is outside the
allowed set or is being used as a delimiter of, or within, the component.

This PR aims to limit the impact of the required semicolon fix by ensuring that query and fragments are not unnecessarily and incorrectly modified.

Hopefully, in a future with the new swift-foundation this fix will not be needed anymore. But for now it would solve an issue on our side which is related to the concept of a signed request.

v4.101.0: - Add Async Storage shutdown

Compare Source

What's Changed

Add Async Storage shutdown by @​0xTim in #​3196

Currently running

Task {
    try? await Task.sleep(for: .seconds(5))
    app.running?.stop()
}

When you try and install NIO as the global executor will crash because the storage API didn’t have any async entry points so stopping would trigger a synchronous shutdown, with a wait(). This fixes that

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.100.2...4.101.0

v4.100.2: - asyncBoot will no longer try booting server again if it is already booted

Compare Source

What's Changed

asyncBoot will no longer try booting server again if it is already booted by @​RussBaz in #​3195

The synchronous boot function skips running the lifecycle handlers if the server is already booted. However, the async version ignored this check. I have added a small fix to add this check again.

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.100.1...4.100.2

v4.100.1: - Update URLEncodedFormEncoder encoding rules

Compare Source

What's Changed

Update URLEncodedFormEncoder encoding rules by @​ptoffy in #​3192

Solves #​3173
References https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set to set the encoding rules

The application/x-www-form-urlencoded percent-encode set contains all code points, except the ASCII alphanumeric, U+002A (*), U+002D (-), U+002E (.), and U+005F (_).

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.100.0...4.100.1

v4.100.0: - Add Async Lifecycle Handlers

Compare Source

What's Changed

Add Async Lifecycle Handlers by @​0xTim in #​3193

Adds new protocol functions to LifecycleHandlers to support async contexts. This is important because packages like Redis use this to know when to shutdown their connection pool. In the shutdown function, these call .wait() which can cause application crashes if called when trying to use NIO’s event loop concurrency executor.

This provides async alternatives to allow packages to provide full async calls through their stack to avoid these crashes

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.99.3...4.100.0

v4.99.3: - Async Serve Command

Compare Source

What's Changed

Async Serve Command by @​0xTim in #​3190

Migrate ServeCommand to an AsyncCommand to enable proper custom executor support and remove any calls to wait()

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.99.2...4.99.3

v4.99.2: - Support compiling against Musl

Compare Source

What's Changed

Support compiling against Musl by @​simonjbeaumont in #​3188

Vapor already makes some provision for compiling against Musl in the RFC1123 implementation, where Glibc is not assumed and is imported conditionally alongside a conditional import of Musl. However, there are a couple of other places where Glibc is still assumed when compiling for Linux.

This patch replaces these imports with the same #if canImport(...) pattern.

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.99.1...4.99.2

v4.99.1: - Fix availability message

Compare Source

What's Changed

Fix availability message by @​valeriyvan in #​3191

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.99.0...4.99.1

v4.99.0: - Add async alternative for Application.shutdown

Compare Source

What's Changed

Add async alternative for Application.shutdown by @​0xTim in #​3189

Adds an async alternative for Application.shutdown() and annotates shutdown() with noasync

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.98.0...4.99.0

v4.98.0: - Mark all functions that use wait as noasync

Compare Source

What's Changed

Mark all functions that use wait as noasync by @​0xTim in #​3168

⚠️ WARNING: If you have strict concurrency checking enabled you should migrate to the async Application.make()

NIO’s EventLoopFuture.wait() is marked as noasync because is can cause issues when used in a concurrency context. All places where we call .wait() should also be marked as noasync to avoid this issue.

This adds async alternatives for those functions and adds noasync annotations where appropriate.

Also adds an async Application.make to replace the old initialiser that is now noasync

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.97.1...4.98.0

v4.97.1: - Log source file and line info for errors in ErrorMiddleware when possible

Compare Source

What's Changed

Log source file and line info for errors in ErrorMiddleware when possible by @​gwynne in #​3187

Ever since the last changes to ErrorMiddleware (by me, naturally), the error logging fails to correctly report file/line/function information even when the error has that data available. We now correctly pass these along to the logging machinery. The error responses sent to clients are unchanged.

Additional changes:

• Restore recognition of the DebuggableError protocol (reason and source location information for such errors are now used again).
• Handle generating error responses slightly more efficiently.
• Include the original error message in the fallback text if encoding an error to JSON fails.
• Improve the correctness of the reason messages used for DecodingErrors.

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.97.0...4.97.1

v4.97.0: - Provide AsyncFileStreaming API

Compare Source

What's Changed

Provide AsyncFileStreaming API by @​0xTim in #​3184

Builds on the work of #​2998, #​3170 and #​3167 to provide a full async streaming API that can be used in Swift Concurrency environments:

• Provides a new asyncStreamFile(at:chunkSize:mediaType:advancedETagComparison:onCompleted:) that takes advantage of the full async response streaming
• Fixes a number of bugs with the async Response body streaming
• FileMiddleware is now an AsyncMiddleware
• Replaces usages of FileManager with NIOFileSystem apart from in one deprecated API that can’t be async
• Correctly marks XCTVapor functions as noasync where they use .wait() and provides proper async alternatives

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.96.0...4.97.0

v4.96.0: - Make # of connections accepted per event loop cycle configurable, and raise the default

Compare Source

What's Changed

Make # of connections accepted per event loop cycle configurable, and raise the default by @​gwynne in #​3186

As per @​weissi’s suggestion in this forums post, we raise the default maximum number of connections accepted per cycle of the server’s event loop from 4 to 256, and the value is now user-configurable.

There are no new tests for this because I’m not sure if there’s a way to measure the effect of changing this value that doesn’t involve nondeterministic timing measurements.

Also takes the opportunity/excuse to add the missing customCertificateVerifyCallback parameter to the initializers of HTTPServer.Configuration.

Reviewers

Thanks to the reviewers for their help:

• @​weissi
• @​MahdiBM

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.95.0...4.96.0

v4.95.0: - Add support for asynchronous body stream writing

Compare Source

What's Changed

Add support for asynchronous body stream writing by @​Joannis in #​2998

• Fixes #​2930 - a crash when users try to write a body from within a task towards the ELF APIs.
• Introduces a new API for writing chunked HTTP response bodies
• Adds a helper that automatically manages failing and closing streams

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.94.1...4.95.0

v4.94.1: - Patch configuration and log actual port on startup

Compare Source

What's Changed

Patch configuration and log actual port on startup by @​bisgardo in #​3160

Before this change, the application

let app = Application(.testing)
defer { app.shutdown() }
try app.server.start(hostname: nil, port: 0)
defer { app.server.shutdown() }

would log the following message before starting the server:

[Vapor] Server starting on http://127.0.0.1:0

After this change it instead logs a message like the following after starting the server:

[Vapor] Server starting on http://127.0.0.1:57935

The input configuration is also patched such that app.http.server.configuration.port will hold the actual port after startup. Currently if it has value 0 it will keep that value (only app.http.server.shared.localAddress?.port will have the correct one).

Fixes #​3159.

Reviewers

Thanks to the reviewers for their help:

• @​dimitribouniol

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.94.0...4.94.1

v4.94.0: - Migrate to Async NIOFileIO APIs

Compare Source

What's Changed

Migrate to Async NIOFileIO APIs by @​0xTim in #​3167

This migrates collectFile(at:) and writeFile(_:at:) to use NIO’s async NIOFileIO APIs introduced in https://github.com/apple/swift-nio/releases/tag/2.63.0

Also adds a new API for streaming files using a AsyncSequence based on the new NIOFileSystem.

This work is required to move the DotEnv support over to an async API to avoid calling wait()s in an async context which can cause issues

Reviewers

Thanks to the reviewers for their help:

• @​ptoffy

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.93.2...4.94.0

v4.93.2: - Removed streamFile deprecation + deactivated advancedETagComparison by default

Compare Source

What's Changed

Removed streamFile deprecation + deactivated advancedETagComparison by default by @​linus-hologram in #​3177

As discussed on Discord, this PR removes the deprecation and deactivates the lately introduced advanced ETag Comparison for the time being while the revised implementation is worked on.

New Contributor

• @​linus-hologram made their first contribution in #​3177 🎉

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.93.1...4.93.2

v4.93.1: - Remove HeadResponder

Compare Source

What's Changed

Remove HeadResponder by @​baarde in #​3147

The HEAD method is identical to GET except that the server must not send content in the response (RFC 9110, section 9.3.2).

The previous default behaviour of returning 200 OK to every HEAD request to a constant route is not standard-compliant.

The new behaviour is to always forward the request to the GET route, unless the developer explicitely configured a custom HEAD route.

This PR fixes #​2680 and #​2749.

New Contributor

• @​baarde made their first contribution in #​3147 🎉

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.93.0...4.93.1

v4.93.0: - Advanced ETag Comparison now supported

Compare Source

What's Changed

Advanced ETag Comparison now supported by @​linus-hologram in #​3015

Vapor now supports strong (byte-by-byte) ETag validation and caches ETags for rapid responses. This provides a stronger alternative to the current weak comparison, which only guarantees semantic file equivalence. This new strong comparison is enabled by default and can be deactivated during FileMiddleware initialization if needed. This PR closes #​2948.

• streamFile method was deprecated and replaced by an alternative returning an EventLoopFuture
• vapor’s unit tests were updated to reflect the changes
• documentation was updated to reflect the changes

New Contributor

• @​linus-hologram made their first contribution in #​3015 🎉

Reviewers

Thanks to the reviewers for their help:

• @​vzsg

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.92.9...4.93.0

v4.92.9: - Enabled Request Decompression By Default

Compare Source

What's Changed

Enabled Request Decompression By Default by @​dimitribouniol in #​3175

This enables request decompression by default and sets the decompression limit to 25×.

New Contributor

• @​dimitribouniol made their first contribution in #​3175 🎉

Reviewers

Thanks to the reviewers for their help:

• @​MahdiBM

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.92.8...4.92.9

v4.92.8: - HTTP2 Response Compression/Request Decompression

Compare Source

What's Changed

HTTP2 Response Compression/Request Decompression by @​dimitribouniol in #​3126

Fixed an issue where HTTP2 didn’t support response compression and request decompression.

It seems like it may have been omitted when adding explicit support for HTTP2. Not sure what to do about testing as I couldn’t find any tests for the HTTP1.1 pathway, but I did verify it works in my pet project 😅

Fixes #​3125

New Contributor

• @​dimitribouniol made their first contribution in #​3126 🎉

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.92.7...4.92.8

v4.92.7: - Don't set ignore status for SIGTERM and SIGINT on Linux

Compare Source

What's Changed

Don't set ignore status for SIGTERM and SIGINT on Linux by @​gwynne in #​3174

Changes the behavior of ServeCommand’s signal handling setup to more closely match that of swift-service-lifecycle. Hopefully finally solves #​2502 🤞

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.92.6...4.92.7

v4.92.6: - Fix typos across the codebase

Compare Source

What's Changed

Fix typos across the codebase by @​mrs1669 in #​3162

Fixes a number of typos in the codebase.

⚠️ the logger for loading environment files now has the correctly spelt label - dot-env-logger if you need to search for that

New Contributor

• @​mrs1669 made their first contribution in #​3162 🎉

Reviewers

Thanks to the reviewers for their help:

• @​dimitribouniol

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.92.5...4.92.6

v4.92.5: - Fix some Sendable warnings on 5.10

Compare Source

What's Changed

Fix some Sendable warnings on 5.10 by @​sidepelican in #​3158

Fix a number of warnings in Swift 5.10 like below.

Fix simple issues that can be addressed by simply adding Sendable.

New Contributor

• @​sidepelican made their first contribution in #​3158 🎉

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.92.4...4.92.5

v4.92.4: - Allow HTTPServer's configuration to be dynamically updatable

Compare Source

What's Changed

Allow HTTPServer's configuration to be dynamically updatable by @​dimitribouniol in #​3132

This allows many aspects of the HTTP server configuration to be changed after the server starts without needing to stop and restart it, or drop existing connections in the process.

Some things that can now be re-configured include request/response configuration options, HTTP version support, HTTP pipelining, TLS configuration (ie. enabling/disabling, rotating certificates, etc…), server name, metrics reporting, the logger, and the shutdown timer.

Fixes #​3130.

New Contributor

• @​dimitribouniol made their first contribution in #​3132 🎉

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.92.3...4.92.4

v4.92.3: - Fix issue when client disconnects midway through a stream

Compare Source

What's Changed

Fix issue when client disconnects midway through a stream by @​0xTim in #​3102

Fixes an issue when a client disconnects mid way through streaming a request in a Swift concurrency context. In certain cases this would trigger a de-init off the event loop, leading to a crash.

This fixes the issue by using a lock instead of a loop bound wrapper

Reviewers

Thanks to the reviewers for their help:

• @​MahdiBM

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.92.2...4.92.3

v4.92.2: - Fix handling of "flag" URL query params

Compare Source

What's Changed

Fix handling of "flag" URL query params by @​gwynne in #​3151

Flag query parameters (e.g. /foo?bar&baz) were broken by 4.75.0, and apparently no one noticed for quite awhile. They now work again. Many thanks to @​daveanderson for reporting this!

Fixes #​3150.

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.92.1...4.92.2

v4.92.1: - Fix URI handling with multiple slashes and variable components.

Compare Source

What's Changed

Fix URI handling with multiple slashes and variable components. by @​gwynne in #​3143

Resolves some more subtle remaining issues in how URI is handled with respect to HTTP requests.

Fixes #​3142.

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.92.0...4.92.1

v4.92.0: - Fix broken URI behaviors

Compare Source

What's Changed

Fix broken URI behaviors by @​gwynne in #​3140

Numerous issues have arisen with the changes made to URI as a result of the fix for GHSA-r6r4-5pr8-gjcp. This update fixes all known issues and restores several changed URI behaviors (although, quite deliberately, not all of them), including new tests. Fixes #​3133, #​3135, #​3137, and #​3138.

Also addresses Sendable warnings in ContentEncoder, ContentDecoder, ContentContainer, PlaintextDecoder, PlaintextEncoder, URLQueryDecoder, URLQueryEncoder, URLQueryContainer, URLEncodedFormDecoder, and URLEncodedFormEncoder.

Shoutout to @​weissi, @​grahamburgsma, and @​finestructure for their help tracking down the various problems, thank you all!

Reviewers

Thanks to the reviewers for their help:

• @​MahdiBM

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.91.1...4.92.0

v4.91.1: - Update routing-kit version

Compare Source

What's Changed

Update routing-kit version by @​marius-se in #​3131

Update routing-kit version to get Equatable conformance for PathComponents

Related to https://github.com/vapor/routing-kit/pull/129
anhttps://github.com/swift-server/swift-openapi-vapor/pull/13#issuecomment-187975282929

New Contributor

• @​marius-se made their first contribution in #​3131 🎉

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.91.0...4.91.1

v4.91.0: - Use singleton EventLoopGroup

Compare Source

What's Changed

Use singleton EventLoopGroup by @​MahdiBM in #​3128

Use the new singleton EventLoopGroup for more convenient and sometimes more performant APIs.

Reviewers

Thanks to the reviewers for their help:

• @​dimitribouniol

This patch was released by @​MahdiBM

Full Changelog: vapor/vapor@4.90.0...4.91.0

v4.90.0

Compare Source

⚠️ Security Update ⚠️

This release fixes a long standing issue in Vapor's URI parsing if users attempt to parse untrusted input that could lead to potential host spoofing. This was caused by using a C implementation with a uint16_t index with no bounds checking. For more details see the security advisory GHSA-qvxg-wjxc-r4gg.

This vulnerability has been designated as CVE-2024-21631. Thank you to baarde for reporting!

v4.89.3: - Fix setting public folder for FileMiddleware when using bundles

Compare Source

What's Changed

Fix setting public folder for FileMiddleware when using bundles by @​grantjbutler in #​3113

This PR fixes an issue where, if you provided a subfolder within a bundle’s resources, the wrong path would be provided to the FileMiddleware, causing the resources to not be loaded.

For example, given a bundle with the following structure:

App.app/
└── Contents/
    ├── MacOS/
    │   └── App
    └── Resources/
        └── web-app/
            └── Public
                └── index.html

If you tried to create an instance of FileMiddleware that tried to use web-app/Public/ as the folder to serve files from, FileMiddleware would incorrectly use the resource path of the bundle (App.app/Resources/) instead of the full path to the specified folder (App.app/Resources/web-app/Public/).

New Contributor

• @​grantjbutler made their first contribution in #​3113 🎉

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.89.2...4.89.3

v4.89.2: - Consistently use the value from X-Request-Id as the request's ID when present

Compare Source

What's Changed

Consistently use the value from X-Request-Id as the request's ID when present by @​baarde in #​3117

Changes

This PR ensures that the Request’s id and the value of the logger’s request-id value are the same.

Motivation

The Request’s id property was added in #​2964 to expose the request-id identifier used for logging.

#​3072 changed this behavior. The request-id identifier is now set:

• to the value from the X-Request-Id header, when the header is present,
• to a random identifier, when the header is absent.

Having two different identifiers is confusing. So, this PR reconciles the two values.

History

The first version of this PR allowed the two identifiers to differ when the X-Request-Id header is present, in order to maintain the original semantics of the id property.

New Contributor

• @​baarde made their first contribution in #​3117 🎉

Reviewers

Thanks to the reviewers for their help:

• @​MahdiBM

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.89.1...4.89.2

v4.89.1: - Fix encoding and decoding of HTTPHeaders

Compare Source

What's Changed

Fix encoding and decoding of HTTPHeaders by @​gwynne in #​3116

The Codable conformance Vapor adds to the HTTPHeaders type now correctly handles cases where more than one header with the same name (such as Set-Cookie) is present, for both encoding and decoding.

The previous encoding format is still recognized for decoding, so that existing serialized data can be safely read.

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.89.0...4.89.1

v4.89.0: - Add fully async entrypoints

Compare Source

What's Changed

Add fully async entrypoints by @​gwynne in #​3114

Pretty much what it says on the tin. Use the new execute() API instead of run(), and/or startup() instead of start().

Reviewers

Thanks to the reviewers for their help:

• @​Joannis

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.88.0...4.89.0

v4.88.0: - Bring back AsyncCommands

Compare Source

What's Changed

Bring back AsyncCommands by @​marius-se in #​3109

Brings async commands back by adding a new property asyncCommands to Application.

New Contributor

• @​marius-se made their first contribution in #​3109 🎉

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.87.1...4.88.0

v4.87.1: - General warnings and tests cleanup

Compare Source

What's Changed

General warnings and tests cleanup by @​gwynne in #​3107

These changes fix almost all of the extant warnings in Vapor, and clean up some issues in the tests, which can now run fully parallelized. There are no functional changes.

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.87.0...4.87.1

v4.87.0: - Add public initializer for XCTHTTPRequest

Compare Source

What's Changed

Add public initializer for XCTHTTPRequest by @​hsharghi in #​3106

Add public initializer for XCTHTTPRequest
This PR will fihttps://github.com/vapor/vapor/issues/310505

Add public initializer for XCTHTTPRequest

New Contributor

• @​hsharghi made their first contribution in #​3106 🎉

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.86.2...4.87.0

v4.86.2: - Make Async Request Body actually work

Compare Source

What's Changed

Make Async Request Body actually work by @​0xTim in #​3096

The existing implementation of adding an AsyncSequence to Request.Body had two issues:

• it didn’t ensure code was being called from the correct event loop which broke Sendable guarantees and was unsafe
• it would hit a precondition failure in the implementation if backpressure was triggered because the initial state was not accounted for

This fixes that

Reviewers

Thanks to the reviewers for their help:

• @​MahdiBM

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.86.1...4.86.2

v4.86.1: - Create a thread pool of System.coreCount rather than 64 when initializing an Application

Compare Source

What's Changed

Create a thread pool of System.coreCount rather than 64 when initializing an Application by @​dfed in #​3092

Following this recommendation, this PR simply changes the default number of cores when initializing an Application from 64 to the current number of cores.

This means that initializing an Application with default arguments now spins up 2x the number of threads as cores on device. We’ll create System.coreCount threads when instantiating the threadPool, and another System.coreCount threads when we instantiate the eventLoopGroup.

2x System.coreCount is still way better than System.coreCount + 64 on older devices, so while this PR does not directly address #​3003, it does reduce total thread usage on init.

New Contributor

• @​dfed made their first contribution in #​3092 🎉

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.86.0...4.86.1

v4.86.0: - Make Request Sendable

Compare Source

What's Changed

Make Request Sendable by @​0xTim in #​3093

Final stage of Vapor’s Sendable journey as Request is now Sendable.

There should be no more Sendable warnings in Vapor, even with complete concurrency checking turned on.

Reviewers

Thanks to the reviewers for their help:

• @​MahdiBM

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.85.1...4.86.0

v4.85.1: - Remove Sendable requirements on Authenticatable

Compare Source

What's Changed

Remove Sendable requirements on Authenticatable by @​0xTim in #​3095

Removes the requirement for Authenticatable types to be Sendable which was causing issues with Fluent models (and any reference types) and wasn’t solvable in a non-breaking way.

This uses an unsafe box to wrap the Authenticatable types which removes compiler checking on usage of the box but should not be an issue due to the way Vapor’s auth is implemented

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.85.0...4.85.1

v4.85.0: - Sendable Response

Compare Source

What's Changed

Sendable Response by @​0xTim in #​3082

Make Response Sendable

Reviewers

Thanks to the reviewers for their help:

• @​MahdiBM

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.84.6...4.85.0

v4.84.6: - Handle query parameters in FileMiddleware redirects

Compare Source

What's Changed

Handle query parameters in FileMiddleware redirects by @​Captain-Kirkie in #​3077

Correctly handle query parameters when using the redirect functionality in FileMiddleware.

New Contributor

• @​Captain-Kirkie made their first contribution in #​3077 🎉

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.84.5...4.84.6

v4.84.5: - Update SwiftNIO HTTP/2 for CVE-2023-44487

Compare Source

What's Changed

Update SwiftNIO HTTP/2 for CVE-2023-44487 by @​0xTim in #​3083

See the forum post for more details

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.84.4...4.84.5

v4.84.4: - Fix NIOLoopBound issues

Compare Source

What's Changed

Fix NIOLoopBound issues by @​0xTim in #​3081

Fixes a number of issues where NIOLoopBound and NIOLoopBoundBox were used without ensuring we were on the correct event loop before accessing them. This could lead to precondition crashes

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.84.3...4.84.4

v4.84.3: - Fix AHC Dependency Mismatch

Compare Source

What's Changed

Fix AHC Dependency Mismatch by @​0xTim in #​3075

4.84.1 migrated the use of AHC to the new singletons API but didn’t bump the version required leading to build errors for some users. This fixes that

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.84.2...4.84.3

v4.84.2: - [SECURITY] Incorrect request error handling triggers server crash

Compare Source

⚠️ Security Update ⚠️

This release fixes an issue introduced in 4.83.2 Vapor incorrectly handles errors encountered during parsing of HTTP 1.x requests, making it vulnerable to a Denial of Service attack. For more details see the security advisory GHSA-qvxg-wjxc-r4gg.

This vulnerability has been designated as CVE-2023-44386. Thank you to t0rchwood for reporting!

v4.84.1: - Add numerous missing @​preconcurrency attributes

Compare Source

What's Changed

Add numerous missing @preconcurrency attributes by @​gwynne in #​3074

It has become standard practice to add @Sendable to @escaping closures passed as method parameters to improve Concurrency correctness. However, when this is done for pre-existing public methods that are not async, the result is source incompatibility for some users, as mutable values captured by such closures will cause unexpected build errors. The correct way to suppress this behavior is to mark such methods with the @preconcurrency attribute, signaling to the compiler that users may not yet expect the additional restrictions of @Sendable to apply without sacrificing correctness for Concurrency-ready code. Unfortunately, Vapor recently added @Sendable annotations to many of its APIs without also adding the @preconcurrency annotation; this update addresses that oversight.

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.84.0...4.84.1

v4.84.0: - More Sendable Conformances

Compare Source

What's Changed

More Sendable Conformances by @​0xTim in #​3057

This adds more Sendable conformances to Vapor and resolves any Sendable warnings that aren’t related to Request or Response

Reviewers

Thanks to the reviewers for their help:

• @​fabianfett

This patch was released by @​0xTim

Full Changelog: vapor/vapor@4.83.2...4.84.0

v4.83.2: - HTTPServerErrorHandler: Improve Error Handling for HTTPParserError

Compare Source

What's Changed

HTTPServerErrorHandler: Improve Error Handling for HTTPParserError by @​fred-sch in #​2922

Invalid HTTP previously just closed the connection, but did not actually handle the errors.

This PR uses an adapted version of https://github.com/apple/swift-nio/blob/main/Sources/NIOHTTP1/HTTPServerProtocolErrorHandler.swift to properly catch exceptions if they occur.

New Contributor

• @​fred-sch made their first contribution in #​2922 🎉

Reviewers

Thanks to the reviewers for their help:

• @​MrSkwiggs
• @​Joannis
• @​FranzBusch
• @​Lukasa

This patch was released by @​gwynne

Full Changelog: vapor/vapor@4.83.1...4.83.2

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.