Sourced from github.com/eclipse/paho.mqtt.golang's releases.

v1.5.1

This is a minor release incorporating changes made in the 14 months since v1.5.0 (including updating dependencies, and raising the Go version to 1.24). The changes are relatively minor but address a potential security issue (CVE-2025-10543), possible panic, enable users to better monitor the connection status, and incorporate a few optimisations.

Thanks to those who have provided fixes/enhancements included in this release!

Special thanks to Paul Gerste at Sonar for reporting issue #730 via the Eclipse security team (fix was implemented in PR #714 in May, github issue created just prior to this release). This issue arose where a topic > 65535 bytes was passed to the Publish function, due to the way the data was encoded the topic could leak into the message body. Please see issue #730 or CVE-2025-10543 for further details.

What's Changed

• Updating go dependencies from pub and sub into the containers before building by @​JefJrFigueiredo in eclipse-paho/paho.mqtt.golang#691
• Optimize TCP connection logic by @​geekeryy in eclipse-paho/paho.mqtt.golang#713
• Fields over 65535 bytes not encoded correctly by @​MattBrittan in eclipse-paho/paho.mqtt.golang#714
• Reduce slice allocations in route dispatch by @​alespour in eclipse-paho/paho.mqtt.golang#710
• Add a ConnectionNotificationHandler by @​RangelReale in eclipse-paho/paho.mqtt.golang#727
• Potential panic when using manual ACK by @​MattBrittan in eclipse-paho/paho.mqtt.golang#729

Full Changelog: eclipse-paho/paho.mqtt.golang@v1.5.0...v1.5.1

v1.5.0

In the year since the release of v1.4.3 the majority of changes have been small incremental improvements/fixes. One notable change is that Go v1.20+ is now required (due to PR #646).

What's Changed

• Wrap connection network errors by @​adriansmares in eclipse/paho.mqtt.golang#646
• Clarify use of token.WaitTimeout by @​MattBrittan in eclipse/paho.mqtt.golang#659
• fix (#661): Add NewClientOptionsReader for mocking purposes. by @​avmunm in eclipse/paho.mqtt.golang#662
• fix: fix keep-alive timeouts on small intervals by @​lefinal in eclipse/paho.mqtt.golang#667
• Replace the time.After with the timer for efficiency. by @​DVasselli in eclipse/paho.mqtt.golang#671
• fix: deprecation warnings for ioutil by @​vruge in eclipse/paho.mqtt.golang#665
• fix: issue 675：goroutine leak when connectionUp(true) return error by @​kiqi007 in eclipse/paho.mqtt.golang#678
• Update dependencies by @​MattBrittan in eclipse/paho.mqtt.golang#683

New Contributors

• @​adriansmares made their first contribution in eclipse/paho.mqtt.golang#646
• @​avmunm made their first contribution in eclipse/paho.mqtt.golang#662
• @​lefinal made their first contribution in eclipse/paho.mqtt.golang#667
• @​DVasselli made their first contribution in eclipse/paho.mqtt.golang#671
• @​vruge made their first contribution in eclipse/paho.mqtt.golang#665
• @​kiqi007 made their first contribution in eclipse/paho.mqtt.golang#678

Full Changelog: eclipse-paho/paho.mqtt.golang@v1.4.3...v1.5.0

• b305237 Update dependencies in docker examples
• 35ee03d Potential panic when using manual ACK
• 433bd22 address data race in test
• 4debe3a Potential panic when using manual ACK
• 601453b Resolve issues in fvt_client_test
• 439e2ab Dependency update (also rise Go version to 1.24)
• d276593 ConnectionNotificationHandler - generic callback for all types of connection ...
• 8a350a9 notifications
• 5620c5e notifications
• 45048cc notifications
• Additional commits viewable in compare view

• 5307a0c go.mod: update golang.org/x dependencies
• 9d77937 acme: include order problem in OrderError
• 8f580de ssh: remove Go 1.24 build tag for ML-KEM kex
• a4d1237 ssh/knownhosts: improve IPv6 support in Normalize
• b8d8dae curve25519: include potential fips140=only error in panic message
• f5a2eab ssh: use curve25519.X25519 instead of curve25519.ScalarMult
• 44ecf3a all: upgrade go directive to at least 1.24.0 [generated]
• ef5341b go.mod: update golang.org/x dependencies
• b999374 acme: fix pebble subprocess output data race
• c247dea x509roots/fallback: store bundle certs directly in DER
• Additional commits viewable in compare view

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.1

• Fixes some point checks on the FourQ curve.
• Hybrid KEM fails on low-order points.

What's Changed

• kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in cloudflare/circl#541
• .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in cloudflare/circl#542
• Fixes several errors on twisted Edwards curves. by @​armfazh in cloudflare/circl#545
• Release v1.6.1 by @​armfazh in cloudflare/circl#546

Full Changelog: cloudflare/circl@v1.6.0...v1.6.1

CIRCL v1.6.0

New!

• Prio3 Verifiable Distributed Aggregation Function (draft-irtf-cfrg-vdaf).
• X-Wing: general-purpose hybrid post-quantum KEM (draft-connolly-cfrg-xwing-kem)

What's Changed

• Add OIDs to ML-DSA by @​bwesterb in cloudflare/circl#519
• Adds Prio3 a set of verifiable distributed aggregation functions. by @​armfazh in cloudflare/circl#522
• Run semgrep cronjob only in upstream repository. by @​armfazh in cloudflare/circl#526
• X-Wing PQ/T hybrid by @​bwesterb in cloudflare/circl#471
• ckem: move crypto/elliptic to crypto/ecdh by @​MingLLuo in cloudflare/circl#529
• hpke: Update HPKE code to use ecdh stdlib package. by @​armfazh in cloudflare/circl#530
• prio3: Adds polynomial multiplication using NTT by @​armfazh in cloudflare/circl#532
• Add Prio3 in readme. by @​armfazh in cloudflare/circl#527

New Contributors

• @​MingLLuo made their first contribution in cloudflare/circl#529

Full Changelog: cloudflare/circl@v1.5.0...v1.6.0

CIRCL v1.5.0

New: ML-DSA, Module-Lattice-based Digital Signature Algorithm.

What's Changed

• kem: add X25519MLKEM768 TLS hybrid KEM by @​bwesterb in cloudflare/circl#510
• Create semgrep.yml by @​hrushikeshdeshpande in cloudflare/circl#514
• repo: Some fixes reported by CodeQL by @​armfazh in cloudflare/circl#515
• Add ML-DSA (FIPS204) by @​bwesterb in cloudflare/circl#480
• sign/mldsa: Add test for ML-DSA signature verification. by @​armfazh in cloudflare/circl#517
• Release v1.5.0 by @​armfazh in cloudflare/circl#518

New Contributors

• @​hrushikeshdeshpande made their first contribution in cloudflare/circl#514

Full Changelog: cloudflare/circl@v1.4.0...v1.5.0

... (truncated)

• c6d33e3 Release v1.6.1
• 0c3868e curve4q: Shared must fail with low order points.
• 9fd570d curve4q: Test showing DH does not fails on identity point.
• c988ceb fourq: Correctly unmarshalling point.
• ef2611d fourq: Test showing point unmarshal fails.
• 05eba44 fourq: Handle the case of Z=0 for IsOnCurve and IsEqual.
• eef0878 fourq: Test showing isEqual and IsOnCurve fail.
• 2298474 goldilocks; Handling points with z=0.
• 5a940a1 goldilocks: Test for IsEqual must fail with Z=0
• 48c3b6a ed25519: Fix isEqual to handle points with Z=0.
• Additional commits viewable in compare view

Sourced from github.com/go-chi/chi/v5's releases.

v5.2.2

What's Changed

• Use strings.Cut in a few places by @​JRaspass in go-chi/chi#971
• Fix non-constant format strings in t.Fatalf by @​JRaspass in go-chi/chi#972
• Apply fieldalignment fixes to optimize struct memory layout by @​pixel365 in go-chi/chi#974
• go 1.24 by @​pkieltyka in go-chi/chi#977
• chore: delint ioutil usage by @​costela in go-chi/chi#962
• Fixed typo in Router interface definition by @​mithileshgupta12 in go-chi/chi#958
• Add support for TinyGo by @​efraimbart in go-chi/chi#978
• Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg by @​cxjava in go-chi/chi#982
• Make use of strings.Cut by @​scop in go-chi/chi#1005
• Change install command format to code block by @​sglkc in go-chi/chi#1001
• Correct documentation by @​mrdomino in go-chi/chi#992

Security fix

• Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
  • a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
  • reported by Anuraag Baishya, @​anuraagbaishya. Thank you!

New Contributors

• @​pixel365 made their first contribution in go-chi/chi#974
• @​mithileshgupta12 made their first contribution in go-chi/chi#958
• @​efraimbart made their first contribution in go-chi/chi#978
• @​cxjava made their first contribution in go-chi/chi#982
• @​sglkc made their first contribution in go-chi/chi#1001
• @​mrdomino made their first contribution in go-chi/chi#992

Full Changelog: go-chi/chi@v5.2.1...v5.2.2

v5.2.1

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See go-chi/chi#963 for related discussion.

What's Changed

• Support the four most recent major versions of Go by @​VojtechVitek in go-chi/chi#969

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

v5.2.0

What's Changed

• update credits section to link to goji license by @​pkieltyka in go-chi/chi#944
• go 1.23 by @​pkieltyka in go-chi/chi#945
• Make Context.RoutePattern() nil-safe by @​gaiaz-iusipov in go-chi/chi#927
• govet: Fix non-constant format string by @​marcofranssen in go-chi/chi#952
• Add Find to Routes interface by @​joeriddles in go-chi/chi#872
• Fix grammar error by @​AntonC9018 in go-chi/chi#917
• feat(): add CF-Connecting-IP by @​n33pm in go-chi/chi#908
  • Revert "feat(): add CF-Connecting-IP" by @​VojtechVitek in go-chi/chi#966

... (truncated)

• 23c395f Correct documentation (#992)
• 5516d14 docs: change install code to code block (#1001)
• e235052 Make use of strings.Cut (#1005)
• 1be7ad9 Merge commit from fork
• d7034fd Exclude profiler when use tinygo (#982)
• d047034 support tinygo (#978)
• fe2c065 Fixed the typo (#958)
• 1aae5b2 chore: delint ioutil usage (#962)
• c6225e3 go 1.24 (#977)
• e846b83 Apply fieldalignment fixes to optimize struct memory layout (#974)
• Additional commits viewable in compare view

Sourced from github.com/go-jose/go-jose/v3's releases.

v3.0.4

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144 go-jose/go-jose#174

Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

• 5253038 Backport fix 167 to v3 (#174)
• 047dc99 CI: Update github actions and go version (#173)
• 0f017e9 Revert #26 (ignore unsupported JWKs in Sets) (#131)
• 3e2bbef Unmarshal jwk keys with unsupported key type or algorithm into empty … (#26)
• See full diff in compare view

Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.2.2

What's Changed

• Fixed GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in golang-jwt/jwt#382
• build: add go1.22 to ci workflows by @​mfridman in golang-jwt/jwt#383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in golang-jwt/jwt#387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in golang-jwt/jwt#389
• chore: bump ci tests to include go1.23 by @​mfridman in golang-jwt/jwt#405
• Fix jwt -show by @​AlexanderYastrebov in golang-jwt/jwt#406
• docs: typo by @​kvii in golang-jwt/jwt#407
• Update SECURITY.md by @​oxisto in golang-jwt/jwt#416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in golang-jwt/jwt#425

New Contributors

• @​Ashikpaul made their first contribution in golang-jwt/jwt#382
• @​kvii made their first contribution in golang-jwt/jwt#407
• @​mattt made their first contribution in golang-jwt/jwt#425

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

• 0951d18 Merge commit from fork
• c035977 Update Parse example to use WithValidMethods (#425)
• bc8bdca Update SECURITY.md (#416)
• 5ec246c docs: typo (#407)
• 0123f1a Fix jwt -show (#406)
• f961c72 chore: bump ci tests to include go1.23 (#405)
• 62e504c Bump golangci/golangci-lint-action from 5 to 6 (#389)
• 1a56dcf Bump golangci/golangci-lint-action from 4 to 5 (#387)
• c8043ea build: add go1.22 to ci workflows (#383)
• 7c3f6dc Update README.md (#382)
• See full diff in compare view

Sourced from github.com/golang/glog's releases.

v1.2.4

What's Changed

• Fail if log file already exists by @​chressie in golang/glog#74:
  • glog: Don't try to create/rotate a given syncBuffer twice in the same second
  • glog: introduce createInDir function as in internal version
  • glog: have createInDir fail if the file already exists

Full Changelog: golang/glog@v1.2.3...v1.2.4

v1.2.3

What's Changed

• glog: check that stderr is valid before using it by default by @​chressie in golang/glog#72
• glog: fix typo by @​chressie in golang/glog#73

Full Changelog: golang/glog@v1.2.2...v1.2.3

• a0e3c40 glog: have createInDir fail if the file already exists
• 7139da2 glog: introduce createInDir function as in internal version
• dd58629 glog: Don't try to create/rotate a given syncBuffer twice in the same second
• 04dbec0 glog: fix typo (#73)
• 459cf3b glog: check that stderr is valid before using it by default (#72)
• See full diff in compare view

Sourced from github.com/pion/interceptor's releases.

v0.1.39

Changelog

• fa5b35ea867389cec33a9c82fffbd459ca8958e5 Fix padding overflow with PacketFactory
• 791455129d4ef736c4009692e8ce108afe0fff14 Update module github.com/pion/rtp to v1.8.18
• bfb8425f36083bd9e85e782e9b9aa8025cd30ef7 Update module github.com/pion/rtp to v1.8.17
• 0e794c49c5c6f5f4d4eae2c2a3ac31451ac401f7 Do not use cyrillic letter in error message
• 46631964a3bc420099cfbe39e1750fbc8cd100a0 Update module github.com/pion/rtp to v1.8.16

v0.1.38

What's Changed

• Move buffer for RTP packets into internal by @​Sean-Der in pion/interceptor#280
• Fix: Excessive GC CPU pressure caused by unwanted heap memory #281 by @​nithu1991 in pion/interceptor#284
• Remove tralinig newlines from logs by @​mengelbart in pion/interceptor#288
• gcc: fix missing if-else in kalman by @​sterlingdeng in pion/interceptor#287
• Fixed typo in string method by @​nils-ohlmeier in pion/interceptor#289
• Update module github.com/stretchr/testify to v1.10.0 by @​renovate in pion/interceptor#290
• Update module github.com/pion/rtcp to v1.2.15 by @​renovate in pion/interceptor#293
• Fix nack buffer RTX issue by @​kcaffrey in pion/interceptor#294
• Update module github.com/pion/rtp to v1.8.10 by @​renovate in pion/interceptor#295
• Fixes bug in group accumulator by @​sterlingdeng in pion/interceptor#291
• Update module github.com/pion/rtp to v1.8.11 by @​renovate in pion/interceptor#303
• Binary formatters in packetdump by @​aalekseevx in pion/interceptor#304
• Deduplicate unwrapper by @​mengelbart in pion/interceptor#302
• Update module github.com/pion/logging to v0.2.3 by @​renovate in pion/interceptor#307
• Move NTP function to ntp package and add ToTime32 by @​mengelbart in pion/interceptor#301
• NACK responder: bypass auxiliary SSRCs by @​aalekseevx in pion/interceptor#310
• Fix race in nack responder by @​aalekseevx in pion/interceptor#311
• Upgrade golangci-lint, more linters by @​JoeTurki in pion/interceptor#314
• Update module github.com/pion/rtp to v1.8.12 by @​renovate in pion/interceptor#315
• Update module github.com/pion/rtp to v1.8.13 by @​renovate in pion/interceptor#316
• Fix report timestamps by @​mengelbart in pion/interceptor#305
• Update social media links, move to discord by @​JoeTurki in pion/interceptor#319
• Update lint rules, force testify/assert for tests by @​JoeTurki in pion/interceptor#323
• Update CI configs to v0.11.19 by @​pionbot in pion/interceptor#325
• Update module github.com/pion/rtp to v1.8.15 by @​renovate in pion/interceptor#326
• Improve memory efficiency by @​arjunshajitech in pion/interceptor#327
• Fix malformed FlexFEC-03 by @​aalekseevx in pion/interceptor#330
• FEC interceptor enhancements by @​aalekseevx in pion/interceptor#333

New Contributors

• @​nithu1991 made their first contribution in pion/interceptor#284
• @​sterlingdeng made their first contribution in pion/interceptor#287
• @​nils-ohlmeier made their first contribution in pion/interceptor#289
• @​JoeTurki made their first contribution in pion/interceptor#314
• @​arjunshajitech made their first contribution in pion/interceptor#327

Full Changelog: pion/interceptor@v0.1.37...v0.1.38

• fa5b35e Fix padding overflow with PacketFactory
• 7914551 Update module github.com/pion/rtp to v1.8.18
• bfb8425 Update module github.com/pion/rtp to v1.8.17
• 0e794c4 Do not use cyrillic letter in error message
• 4663196 Update module github.com/pion/rtp to v1.8.16
• 5003ed5 FEC interceptor enhancements
• 8d3fc6d Test encoder with different payload sizes
• 9ab7d95 Copilot review
• 5a23b30 Fix malformed FlexFEC-03
• f30b304 Improve memory efficiency
• Additional commits viewable in compare view

Sourced from github.com/quic-go/quic-go's releases.

v0.57.0

This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

• Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #5431
• For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #5439
• QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #5435 (and quic-go/qpack#67)
• The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #5452

 

Breaking Changes

• http3: Transport.MaxResponseBytes is now an int (before: int64): #5433  

Notable Fixes

• qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #5430
• http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #5432

What's Changed

• build(deps): bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in quic-go/quic-go#5426
• qlogwriter: fix storing of event schemas by @​marten-seemann in quic-go/quic-go#5430
• http3: send SETTINGS_MAX_FIELD_SECTION_SIZE in the SETTINGS frame by @​marten-seemann in quic-go/quic-go#5431
• http3: read response after encountering error sending the request by @​marten-seemann in quic-go/quic-go#5432
• http3: make Transport.MaxResponseBytes an int by @​marten-seemann in quic-go/quic-go#5433
• http3: add a benchmark for header parsing by @​marten-seemann in quic-go/quic-go#5435
• update qpack to v0.6.0 by @​marten-seemann in quic-go/quic-go#5434
• http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors by @​marten-seemann in quic-go/quic-go#5439
• add documentation for Conn.NextConnection by @​marten-seemann in quic-go/quic-go#5442
• ackhandler: don’t generate an immediate ACK for the first packet by @​marten-seemann in quic-go/quic-go#5447
• don’t arm connection timer for connection ID retirement by @​marten-seemann in quic-go/quic-go#5449
• README: add nodepass to list of projects by @​yosebyte in quic-go/quic-go#5448
• qlogwriter: use synctest to make tests deterministic by @​marten-seemann in quic-go/quic-go#5454
• http3: limit size of decompressed headers by @​marten-seemann in quic-go/quic-go#5452

New Contributors

• @​yosebyte made their first contribution in quic-go/quic-go#5448

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

v0.56.0

This release introduces qlog support for HTTP/3 (#5367, #5372, #5374, #5375, #5376, #5381, #5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#5356, #5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

• replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#5353, #5371)

... (truncated)

• 5b2d212 http3: limit size of decompressed headers (#5452)
• e80b378 qlogwriter: use synctest to make tests deterministic (#5454)
• d43c589 README: add nodepass to list of projects (#5448)
• ca2835d don’t arm connection timer for connection ID retirement (#5449)
• e84ebae ackhandler: don’t generate an immediate ACK for the first packet (#5447)
• d4d168f add documentation for Conn.NextConnection (#5442)
• 4cdebbe http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors (#5439)
• b7886d5 update qpack to v0.6.0 (#5434)
• 2fc9705 http3: add a benchmark for header parsing (#5435)
• dafdd6f http3: make Transport.MaxResponseBytes an int (#5433)
• Additional commits viewable in compare view

• 681b4d8 jws: split token into fixed number of parts
• 3f78298 all: upgrade go directive to at least 1.23.0 [generated]
• 109dabf endpoints: add links/provider for Discord
• ac571fa oauth2: fix docs for Config.DeviceAuth
• 314ee5b endpoints: add patreon endpoint
• b9c813b google: add warning about externally-provided credentials
• 49a531d all: make method and struct comments match the names
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.