Releases: libgit2/libgit2
libgit2 v1.8.1
This release primarily includes straightforward bugfixes, as well as new functionality to have more control over the HTTP User-Agent header. However, there is an API change from v1.8 that was required for cross-platform compatibility.
In v1.8, libgit2 introduced the report_unchanged member in the git_fetch_options structure. We mistakenly introduced this as a bitfield, which is not suitable for our public API. To correct this mistake, we have removed the report_unchanged member. To support the report unchanged tips option, users can set the update_fetchhead member to include the GIT_REMOTE_UPDATE_REPORT_UNCHANGED value.
The libgit2 project regrets the API change, but this was required to support cross-platform compatibility.
What's Changed
New features
Bug fixes
- commit: Fix git_commit_create_from_stage without author and committer by @florianpircher in #6781
- process.c: fix environ for macOS by @barracuda156 in #6792
- Bounds check for pack index read by @ConradIrwin in #6796
- transport: provide a useful error message during cancellation by @ethomson in #6802
- transport: support sha256 oids by @ethomson in #6803
- Revparse: Correctly accept ref with '@' at the end by @csware in #6809
- remote: drop bitfields in git_remote_fetch_options by @ethomson in #6806
- examples: fix memory leak in for-each-ref.c by @qaqland in #6808
- xdiff: use proper free function by @ethomson in #6810
- rand: avoid uninitialized loadavg warnings by @ethomson in #6812
- cli: include alloca on illumos / solaris / sunos by @ethomson in #6813
- Update git_array allocator to obey strict aliasing rules by @ethomson in #6814
- tree: avoid mixed signedness comparison by @ethomson in #6815
Build and CI improvements
- ci: update nightly workflows by @ethomson in #6773
- ci: give all nightly builds a unique id by @ethomson in #6782
- cmake: remove workaround that isn't compatible with Windows on ARM by @hackhaslam in #6794
Documentation improvements
Dependency updates
- Enable llhttp for HTTP parsing by @sgallagher in #6713
New Contributors
- @florianpircher made their first contribution in #6781
- @barracuda156 made their first contribution in #6792
- @sgallagher made their first contribution in #6713
- @ConradIrwin made their first contribution in #6796
- @qaqland made their first contribution in #6808
Full Changelog: v1.8.0...v1.8.1
libgit2 v1.8.0
v1.8
This is release v1.8.0, "Das Fliegende Klassenzimmer". This release includes optional, experimental support for invoking OpenSSH to fetch and push, an easier mechanism to perform the default behavior of git commit, and has many improvements for worktrees. This release also includes many other new features and bugfixes.
Major changes
- Executable SSH (OpenSSH) support
  libgit2 can now invoke the command-line OpenSSH to fetch from and push to remotes over SSH. This support takes the place of libssh2 support. To use it, configure libgit2 with cmake -DUSE_SSH=exec, and please report any problems that you discover. By @ethomson in #6617
- Simplified commit creation
  The git_commit_create_from_stage API was introduced to allow users to better emulate the behavior of git commit without needing to provide unnecessary information. The current state of the index is committed to the current branch. By @ethomson in #6716
- Worktree improvements
  A number of worktree improvements have been made for better compatibility with core git. First, libgit2 now understands per-worktree references, thanks to @csware in #6387. Worktree-specific configuration is now supported, thanks to @vermiculus in #6202. And improved compatibility with git worktree add is now supported, thanks to @herrerog in #5319.
Breaking changes
- Adding WORKTREE configuration level (ABI breaking change)
  To support worktree configurations at the appropriate level (higher priority than local configuration, but lower priority than app-specific configuration), the GIT_CONFIG_LEVEL_WORKTREE level was introduced at priority 6. GIT_CONFIG_LEVEL_APP now begins at priority 7.
- Changes to git_config_entry (ABI breaking change)
  The git_config_entry structure now contains information about the backend_type and origin_path. The unused payload value has been removed.
- git_push_options includes remote push options (ABI breaking change)
  The git_push_options structure now contains a value for remote push options.
Other changes
New features
- config: provide an "origin" for config entries by @ethomson in #6615
- cli: add a git config command by @ethomson in #6616
- Add OpenSSH support by @ethomson in #6617
- remote: optionally report unchanged tips by @ethomson in #6645
- Support setting oid type for in-memory repositories by @kcsaul in #6671
- cli: add index-pack command by @ethomson in #6681
- Add git_repository_commit_parents to identify the parents of the next commit given the repository state by @ethomson in #6707
- commit: introduce git_commit_create_from_stage by @ethomson in #6716
- set SSH timeout by @vafada in #6721
- Implement push options on push by @russell in #6439
- Support index.skipHash true config by @parnic in #6738
- worktree: mimic 'git worktree add' behavior. by @herrerog in #5319
- Support the extension for worktree-specific config by @vermiculus in #6202
- Separate config reader and writer backend priorities (for worktree configs) by @ethomson in #6756
- fetch: enable deepening/shortening shallow clones by @kempniu in #6662
Bug fixes
- repository: make cleanup safe for re-use with grafts by @carlosmn in #6600
- fix: Add missing include for oidarray. by @dvzrv in #6608
- ssh: fix known_hosts leak in _git_ssh_setup_conn by @steven9724 in #6599
- proxy: Return an error for invalid proxy URLs instead of crashing. by @lrm29 in #6597
- errors: refactoring - never return NULL in git_error_last() by @ethomson in #6625
- Reject potential option injections over ssh by @carlosmn in #6636
- remote: fix memory leak in git_remote_download() by @7Ji in #6651
- git2: Fix crash when called w/o parameters by @csware in #6673
- Avoid macro redefinition of ENABLE_INTSAFE_SIGNED_FUNCTIONS by @csware in #6666
- util: suppress some uninitialized variable warnings by @boretrk in #6659
- fetch: enable deepening/shortening shallow clones by @kempniu in #6662
- push: set generic error in push_negotiation cb by @ethomson in #6675
- process: test /usr/bin/false on BSDs by @ethomson in #6677
- clone: don't mix up "http://url" with "http:/url" when figuring out if we should do a local clone by @boretrk in #6361
- Several compatibility fixes by @ethomson in #6678
- Git blame buffer gives the wrong result in many cases where there are… by @thosey in #6572
- Fix 'path cannot exist in repository' during diff for in-memory repository by @kcsaul in #6683
- process: don't try to close the status by @ethomson in #6693
- Minor bug fixes by @ethomson in #6695
- Bypass shallow clone support for in-memory repositories by @kcsaul in #6684
- examples: use unsigned int for bitfields by @ethomson in #6699
- Fix some bugs caught by UBscan by @ethomson in #6700
- git_diff_find_similar doesn't always remove unmodified deltas by @yori in #6642
- httpclient: clear client->parser.data after use by @ethomson in #6705
- Do not normalize safe.directory paths by @csware in #6668
- clone: don't swallow error in should_checkout by @ethomson in #6727
- Correct index add directory/file conflict detection by @ethomson in #6729
- Correct git_revparse_single and add revparse fuzzing by @ethomson in #6730
- config: properly delete or rename section containing multivars by @samueltardieu in #6723
- revparse: ensure bare '@' is truly bare by @ethomson in #6742
- repo: ensure we can initialize win32 paths by @ethomson in #6743
- Swap GIT_DIFF_LINE_(ADD|DEL)_EOFNL to match other Diffs by @xphoniex in #6240
- diff: fix test for SHA256 support in diff_from_buffer by @ethomson in #6745
- http: support empty http.proxy config setting by @ethomson in #6744
- More safe.directory improvements by @ethomson in #6739
- Ensure that completely ignored diff is empty by @ethomson in #5893
- Fix broken regexp that matches submodule names containing ".path" by @csware in #6749
- Fix memory leaks by @csware in #6748
- Make refdb_fs (hopefully) fully aware of per worktree refs by @csware in #6387
- fix log example by @albfan in #6359
- fetch: fail on depth for local transport by @ethomson in #6757
- Fix message trailer parsing by @ethomson in #6761
- config: correct fetching the HIGHEST_LEVEL config by @ethomson in #6766
- Avoid some API breaking changes in v1.8 by @ethomson in #6768
Build and CI improvements
- meta: update version numbers to v1.8 by @ethomson in #6596
- Revert "CMake: Search for ssh2 instead of libssh2." by @ethomson in #6619
- cmake: fix openssl build on win32 by @lazka in #6626
- ci: retry flaky online tests by @ethomson in #6628
- ci: update to macOS 12 by @ethomson in #6629
- Use #!/bin/bash for script with bash-specific commands by @roehling in #6581
- ci: overwrite nonsense in /usr/local during macOS setup by @ethomson in #6664
- release: add a compatibility label by @ethomson in #6676
- actions: set permissions by @ethomson in #6680
- cmake: rename FindIconv to avoid collision with cmake by @ethomson in #6682
- ci: allow workflows to read and write packages...
libgit2 v1.7.2
🔒 This is a security release with multiple changes.
- A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application. This fixes CVE-2024-24575, which was discovered by researchers at Amazon AWS.
- A bug in git_index_add is fixed that could have caused the function to corrupt its heap and possibly lead to arbitrary code execution. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS.
- A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities.
The libgit2 project thanks the researchers and outreach team at AWS Security for finding the git_index_add and git_revparse_single bugs, and providing details and reproduction steps during their responsible disclosure.
All users of the v1.7 release line are recommended to upgrade.
libgit2 v1.6.5
🔒 This is a security release with multiple changes.
- A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application. This fixes CVE-2024-24575, which was discovered by researchers at Amazon AWS.
- A bug in git_index_add is fixed that could have caused the function to corrupt its heap and possibly lead to arbitrary code execution. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS.
- A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities.
The libgit2 project thanks the researchers and outreach team at AWS Security for finding the git_index_add and git_revparse_single bugs, and providing details and reproduction steps during their responsible disclosure.
All users of the v1.6 release line are recommended to upgrade.
libgit2 v1.7.1
v1.7.1
What's Changed
Bug fixes
- proxy: Return an error for invalid proxy URLs instead of crashing. by @lrm29 in #6597
- ssh: fix known_hosts leak in _git_ssh_setup_conn by @steven9724 in #6599
- repository: make cleanup safe for re-use with grafts by @carlosmn in #6600
- fix: Add missing include for oidarray. by @dvzrv in #6608
- Revert "CMake: Search for ssh2 instead of libssh2." by @ethomson in #6619
Compatibility improvements
New Contributors
- @dvzrv made their first contribution in #6608
- @steven9724 made their first contribution in #6599
Full Changelog: v1.7.0...v1.7.1
libgit2 v1.7.0
This is release v1.7.0, "Kleine Raupe Nimmersatt". This release adds shallow clone support, completes the experimental SHA256 support, adds Schannel support for Windows, and includes many other new features and bugfixes.
Major changes
- Shallow clone support
  libgit2 now supports shallow clone and shallow repositories, thanks to a significant investment from many community members -- hundreds of commits by many contributors.
- SHA256 support
  libgit2 should now support SHA256 repositories using the extensions.objectFormat configuration option when the library is built with EXPERIMENTAL_SHA256=ON. Users are encouraged to begin testing their applications with this option and provide bug reports and feedback. This is a breaking API change; SHA256 support will be enabled by default in libgit2 v2.0.
- Schannel and SSPI for Windows
  libgit2 now supports the Windows Schannel and SSPI APIs for HTTPS support on Windows, when configured with USE_HTTPS=Schannel. Setting this option will not use the existing WinHTTP support, but will use libgit2's standard HTTP client stack with Windows TLS primitives. Windows users are encouraged to begin testing their applications with this option and provide bug reports and feedback. This will be enabled by default in a future version of libgit2.
Breaking changes
- Simplify custom pluggable allocator (System API / ABI breaking change)
  The git_allocator structure (configurable by the GIT_OPT_SET_ALLOCATOR option) now only contains gmalloc, grealloc and gfree members. This simplifies both the work needed by an implementer and allows more flexibility and correctness in libgit2 itself, especially during out-of-memory situations and errors during bootstrapping.
Other changes
New features
- repo: honor environment variables for more scenarios by @ethomson in #6544
- Introduce timeouts on sockets by @ethomson in #6535
Performance improvements
- midx: do not try to look at every object in the index by @carlosmn in #6585
- Partial fix for #6532: insert-by-date order. by @arroz in #6539
Bug fixes
- repo: don't allow repeated extensions by @ethomson in #6505
- config: return GIT_ENOTFOUND for missing programdata by @ethomson in #6547
- Fix missing oid type for "fake" repositories by @oreiche in #6554
- Thread-local storage: handle failure cases by @ethomson in #5722
- midx: allow unknown chunk ids in multi-pack index files by @carlosmn in #6583
- pack: cast the number of objects to size_t by @carlosmn in #6584
- Fixes #6344: git_branch_move now renames the reflog instead of deleting. by @arroz in #6345
- #6576 git_diff_index_to_workdir reverse now loads untracked content by @arroz in #6577
Build and CI improvements
- meta: the main branch is now v1.7.0 by @ethomson in #6516
- xdiff: move xdiff to 'deps' by @ethomson in #6482
- util: detect all possible qsort_r and qsort_s variants by @DimitryAndric in #6555
- Work around -Werror problems when detecting qsort variants by @DimitryAndric in #6558
- actions: simplify execution with composite action by @ethomson in #6488
- CMake: Search for ssh2 instead of libssh2. by @Faless in #6586
Documentation improvements
- docs: fix IRC server from freenode to libera by @vincenzopalazzo in #6590
Dependency upgrades
- Update xdiff to git 2.40.1's version by @ethomson in #6561
- deps: update pcre to 8.45 by @ethomson in #6593
New Contributors
- @oreiche made their first contribution in #6554
- @DimitryAndric made their first contribution in #6555
- @vincenzopalazzo made their first contribution in #6590
- @Faless made their first contribution in #6586
Full Changelog: v1.6.3...v1.7.0
libgit2 v1.6.4
libgit2 v1.6.3
What's Changed
Bug fixes
- odb: restore git_odb_open by @ethomson in #6520
- Ensure that git_index_add_all handles ignored directories by @ethomson in #6521
- pack: use 64 bits for the number of objects by @carlosmn in #6530
Build and CI improvements
- Remove unused wditer variable by @georgthegreat in #6518
- fs_path: let root run the ownership tests by @ethomson in #6513
- sysdir: Do not declare win32 functions on non-win32 platforms by @Batchyx in #6527
- cmake: don't include include/git2 by @ethomson in #6529
New Contributors
- @georgthegreat made their first contribution in #6518
Full Changelog: v1.6.2...v1.6.3
libgit2 v1.6.2
What's Changed
Bug fixes
- remote: always populate old id in update tips by @ethomson in #6506
  The update tips callback would not always be properly provided with an empty (0000000...) OID for new refs.
- Revert #6503 by @ethomson in #6511
  The certificate callback added port information for callbacks in #6503, but the format was ambiguous with IPv6 addresses. Revert this change temporarily.
- Add git_odb_backend_loose back by @ethomson in #6512
  During SHA256 refactoring, the git_odb_backend_loose API was accidentally removed. Add it back.
- meta: configure pkg-config .pc correctly by @ethomson in #6514
  During SHA256 refactoring, the pkg-config .pc file was erroneously renamed to git2 instead of libgit2. Repair this.
Full Changelog: v1.6.1...v1.6.2
libgit2 v1.6.1
This is release v1.6.1, "Hubbeliges Krokodil". This release adds experimental SHA256 support and includes many new features and bugfixes. This release replaces libgit2 v1.6.0, which did not correctly update its version number(s).
What's Changed
New features
- Support for bare repositories with SHA256 support (experimental) by @ethomson in #6191
  You can configure experimental SHA256 support in libgit2 with cmake -DEXPERIMENTAL_SHA256=ON during project setup. This is useful for considering future integrations, work on clients, and work on language bindings. At present, working with bare repositories should largely work, including remote operations. But many pieces of functionality - including working with the index - are not yet supported. As a result, libgit2 with SHA256 support should not be used in production or released with package distribution.
- Support the notion of a home directory separately from global configuration directory by @ethomson in #6455 and #6456
  Callers and language bindings can now configure the home directory that libgit2 uses for file lookups (eg, the .ssh directory). This configuration is separate from the git global configuration path.
- stash: partial stash specific files by @gitkraken-jacobw in #6330
  A stash can be created with only specific files, using a pathspec. This is similar to the git stash push command.
- push: revparse refspec source, so you can push things that are not refs by @sven-of-cord in #6362
  Pushes can be performed using refspecs instead of only references.
- Support OpenSSL3 by @ethomson in #6464 and #6471
  OpenSSL 3 is now supported, both when compiled directly and dynamically loaded.
Bug fixes
- winhttp: support long custom headers by @kcsaul in #6363
- Fix memory leak by @csware in #6382
- Don't fail the whole clone if you can't find a default branch by @torvalds in #6369
- #6366: When a worktree is missing, return GIT_ENOTFOUND. by @arroz in #6395
- commit-graph: only verify csum on git_commit_graph_open(). by @derrickstolee in #6420
- Ignore missing 'safe.directory' config during ownership checks by @kcsaul in #6408
- Fix leak in git_tag_create_from_buffer by @julianmesa-gitkraken in #6421
- http: Update httpclient options when reusing an existing connection. by @slackner in #6416
- Add support for safe.directory * by @csware in #6429
- URL parsing for google-compatible URLs by @ethomson in #6326
- Fixes #6433: git_submodule_update fails to update configured but missing submodule by @tagesuhu in #6434
- transport: fix capabilities calculation by @russell in #6435
- push: use resolved oid as the source by @ethomson in #6452
- Use git_clone__submodule to avoid file checks in workdir by @abizjak in #6444
- #6422: handle dangling symbolic refs gracefully by @arroz in #6423
- diff_file: Fix crash when freeing a patch representing an empty untracked file by @jorio in #6475
- clone: clean up options on failure by @ethomson in #6479
- stash: update strarray usage by @ethomson in #6487
- #6491: Sets oid_type on repos open with git_repository_open_bare by @arroz in #6492
- Handle Win32 shares by @ethomson in #6493
- Make failure to connect to ssh-agent non-fatal by @fxcoudert in #6497
- odb: don't unconditionally add oid_type to stream by @ethomson in #6499
- Pass hostkey & port to host verify callback by @fxcoudert in #6503
Security fixes
Code cleanups
- meta: update version number to v1.6.0-alpha by @ethomson in #6352
- sha256: indirection for experimental functions by @ethomson in #6354
- Delete create.c.bak by @lrm29 in #6398
- Support non-cmake builds with an in-tree experimental.h by @ethomson in #6405
Build and CI improvements
- tests: skip flaky-ass googlesource tests by @ethomson in #6353
- clar: remove ftrunacte from libgit2 tests by @boretrk in #6357
- CI Improvements by @ethomson in #6403
- fix compile on Windows with -DWIN32_LEAN_AND_MEAN by @christoph-cullmann in #6373
- Fixes #6365 : Uppercase windows.h include fails build in case-sensitive OS by @Vinz2008 in #6377
- ci: update version numbers of actions by @ethomson in #6448
- thread: avoid warnings when building without threads by @ethomson in #6432
- src: hide unused hmac() prototype by @0-wiz-0 in #6458
- tests: update clar test runner by @ethomson in #6459
- ci: always create test summaries, even on failure by @ethomson in #6460
- Fix build failure with -DEMBED_SSH_PATH by @vicr123 in #6374
- Define correct off64_t for AIX by @bzEq in #6376
- Fix some warnings in main by @ethomson in #6480
- strarray: remove deprecated declaration by @ethomson in #6486
- tests: always unset HTTP_PROXY before starting tests by @ethomson in #6498
Documentation improvements
- add 2-clause BSD license to COPYING by @martinvonz in #6413
- Add new PHP bindings project to language bindings section of README.md by @RogerGee in #6473
- README: clarify the linking exception by @ethomson in #6494
- Correct the definition of "empty" in the docs for git_repository_is_empty by @timrogers in #6500
New Contributors
- @christoph-cullmann made their first contribution in #6373
- @Vinz2008 made their first contribution in #6377
- @torvalds made their first contribution in #6369
- @derrickstolee made their first contribution in #6420
- @julianmesa-gitkraken made their first contribution in #6421
- @slackner made their first contribution in #6416
- @martinvonz made their first contribution in #6413
- @tagesuhu made their first contribution in #6434
- @russell made their first contribution in #6435
- @sven-of-cord made their first contribution in #6362
- @0-wiz-0 made their first contribution in #6458
- @abizjak made their first contribution in #6444
- @vicr123 made their first contribution in #6374
- @bzEq made their first contribution in #6376
- @gitkraken-jacobw made their first contribution in #6330
- @fxcoudert made their first contribution in #6497