Releases: libgit2/libgit2
v1.8.2 RC 1
v1.8.2
This release reverts a const-correctness change introduced in v1.8.0 for the git_commit_create functions. We now retain the const-behavior for the commits arguments from prior to v1.8.0.
This change was meant to resolve compatibility issues with bindings and downstream users.
What's Changed
New features
Bug fixes
Build and CI improvements
Full Changelog: v1.8.1...v1.8.2
libgit2 v1.8.1
This release primarily includes straightforward bugfixes, as well as new functionality to have more control over the HTTP User-Agent header. However, there is an API change from v1.8 that was required for cross-platform compatibility.
In v1.8, libgit2 introduced the report_unchanged member in the git_fetch_options structure. We mistakenly introduced this as a bitfield, which is not suitable for our public API. To correct this mistake, we have removed the report_unchanged member. To support the report unchanged tips option, users can set the update_fetchhead member to include the GIT_REMOTE_UPDATE_REPORT_UNCHANGED value.
The libgit2 project regrets the API change, but this was required to support cross-platform compatibility.
What's Changed
New features
Bug fixes
- commit: Fix git_commit_create_from_stage without author and committer by @florianpircher in #6781
- process.c: fix environ for macOS by @barracuda156 in #6792
- Bounds check for pack index read by @ConradIrwin in #6796
- transport: provide a useful error message during cancellation by @ethomson in #6802
- transport: support sha256 oids by @ethomson in #6803
- Revparse: Correctly accept ref with '@' at the end by @csware in #6809
- remote: drop bitfields in git_remote_fetch_options by @ethomson in #6806
- examples: fix memory leak in for-each-ref.c by @qaqland in #6808
- xdiff: use proper free function by @ethomson in #6810
- rand: avoid uninitialized loadavg warnings by @ethomson in #6812
- cli: include alloca on illumos / solaris / sunos by @ethomson in #6813
- Update git_array allocator to obey strict aliasing rules by @ethomson in #6814
- tree: avoid mixed signedness comparison by @ethomson in #6815
Build and CI improvements
- ci: update nightly workflows by @ethomson in #6773
- ci: give all nightly builds a unique id by @ethomson in #6782
- cmake: remove workaround that isn't compatible with Windows on ARM by @hackhaslam in #6794
Documentation improvements
Dependency updates
- Enable llhttp for HTTP parsing by @sgallagher in #6713
New Contributors
- @florianpircher made their first contribution in #6781
- @barracuda156 made their first contribution in #6792
- @sgallagher made their first contribution in #6713
- @ConradIrwin made their first contribution in #6796
- @qaqland made their first contribution in #6808
Full Changelog: v1.8.0...v1.8.1
libgit2 v1.8.0
v1.8
This is release v1.8.0, "Das Fliegende Klassenzimmer". This release includes optional, experimental support for invoking OpenSSH to fetch and push, an easier mechanism to perform the default behavior of git commit, and has many improvements for worktrees. This release also includes many other new features and bugfixes.
Major changes
- Executable SSH (OpenSSH) support
  libgit2 can now invoke the command-line OpenSSH to fetch from and push to remotes over SSH. This support takes the place of libssh2 support. To use it, configure libgit2 with cmake -DUSE_SSH=exec, and please report any problems that you discover. By @ethomson in #6617
- Simplified commit creation
  The git_commit_create_from_stage API was introduced to allow users to better emulate the behavior of git commit without needing to provide unnecessary information. The current state of the index is committed to the current branch. By @ethomson in #6716
- Worktree improvements
  A number of worktree improvements have been made for better compatibility with core git. First, libgit2 now understands per-worktree references, thanks to @csware in #6387. Worktree-specific configuration is now supported, thanks to @vermiculus in #6202. And improved compatibility with git worktree add is now supported, thanks to @herrerog in #5319.
Breaking changes
- Adding WORKTREE configuration level (ABI breaking change)
  To support worktree configurations at the appropriate level (higher priority than local configuration, but lower priority than app-specific configuration), the GIT_CONFIG_LEVEL_WORKTREE level was introduced at priority 6. GIT_CONFIG_LEVEL_APP now begins at priority 7.
- Changes to git_config_entry (ABI breaking change)
  The git_config_entry structure now contains information about the backend_type and origin_path. The unused payload value has been removed.
- git_push_options includes remote push options (ABI breaking change)
  The git_push_options structure now contains a value for remote push options.
Other changes
New features
- config: provide an "origin" for config entries by @ethomson in #6615
- cli: add a git config command by @ethomson in #6616
- Add OpenSSH support by @ethomson in #6617
- remote: optionally report unchanged tips by @ethomson in #6645
- Support setting oid type for in-memory repositories by @kcsaul in #6671
- cli: add index-pack command by @ethomson in #6681
- Add git_repository_commit_parents to identify the parents of the next commit given the repository state by @ethomson in #6707
- commit: introduce git_commit_create_from_stage by @ethomson in #6716
- set SSH timeout by @vafada in #6721
- Implement push options on push by @russell in #6439
- Support index.skipHash true config by @parnic in #6738
- worktree: mimic 'git worktree add' behavior. by @herrerog in #5319
- Support the extension for worktree-specific config by @vermiculus in #6202
- Separate config reader and writer backend priorities (for worktree configs) by @ethomson in #6756
- fetch: enable deepening/shortening shallow clones by @kempniu in #6662
Bug fixes
- repository: make cleanup safe for re-use with grafts by @carlosmn in #6600
- fix: Add missing include for oidarray. by @dvzrv in #6608
- ssh: fix known_hosts leak in _git_ssh_setup_conn by @steven9724 in #6599
- proxy: Return an error for invalid proxy URLs instead of crashing. by @lrm29 in #6597
- errors: refactoring - never return NULL in git_error_last() by @ethomson in #6625
- Reject potential option injections over ssh by @carlosmn in #6636
- remote: fix memory leak in git_remote_download() by @7Ji in #6651
- git2: Fix crash when called w/o parameters by @csware in #6673
- Avoid macro redefinition of ENABLE_INTSAFE_SIGNED_FUNCTIONS by @csware in #6666
- util: suppress some uninitialized variable warnings by @boretrk in #6659
- fetch: enable deepening/shortening shallow clones by @kempniu in #6662
- push: set generic error in push_negotiation cb by @ethomson in #6675
- process: test /usr/bin/false on BSDs by @ethomson in #6677
- clone: don't mix up "http://url" with "http:/url" when figuring out if we should do a local clone by @boretrk in #6361
- Several compatibility fixes by @ethomson in #6678
- Git blame buffer gives the wrong result in many cases where there are… by @thosey in #6572
- Fix 'path cannot exist in repository' during diff for in-memory repository by @kcsaul in #6683
- process: don't try to close the status by @ethomson in #6693
- Minor bug fixes by @ethomson in #6695
- Bypass shallow clone support for in-memory repositories by @kcsaul in #6684
- examples: use unsigned int for bitfields by @ethomson in #6699
- Fix some bugs caught by UBscan by @ethomson in #6700
- git_diff_find_similar doesn't always remove unmodified deltas by @yori in #6642
- httpclient: clear client->parser.data after use by @ethomson in #6705
- Do not normalize safe.directory paths by @csware in #6668
- clone: don't swallow error in should_checkout by @ethomson in #6727
- Correct index add directory/file conflict detection by @ethomson in #6729
- Correct git_revparse_single and add revparse fuzzing by @ethomson in #6730
- config: properly delete or rename section containing multivars by @samueltardieu in #6723
- revparse: ensure bare '@' is truly bare by @ethomson in #6742
- repo: ensure we can initialize win32 paths by @ethomson in #6743
- Swap GIT_DIFF_LINE_(ADD|DEL)_EOFNL to match other Diffs by @xphoniex in #6240
- diff: fix test for SHA256 support in diff_from_buffer by @ethomson in #6745
- http: support empty http.proxy config setting by @ethomson in #6744
- More safe.directory improvements by @ethomson in #6739
- Ensure that completely ignored diff is empty by @ethomson in #5893
- Fix broken regexp that matches submodule names containing ".path" by @csware in #6749
- Fix memory leaks by @csware in #6748
- Make refdb_fs (hopefully) fully aware of per worktree refs by @csware in #6387
- fix log example by @albfan in #6359
- fetch: fail on depth for local transport by @ethomson in #6757
- Fix message trailer parsing by @ethomson in #6761
- config: correct fetching the HIGHEST_LEVEL config by @ethomson in #6766
- Avoid some API breaking changes in v1.8 by @ethomson in #6768
Build and CI improvements
- meta: update version numbers to v1.8 by @ethomson in #6596
- Revert "CMake: Search for ssh2 instead of libssh2." by @ethomson in #6619
- cmake: fix openssl build on win32 by @lazka in #6626
- ci: retry flaky online tests by @ethomson in #6628
- ci: update to macOS 12 by @ethomson in #6629
- Use #!/bin/bash for script with bash-specific commands by @roehling in #6581
- ci: overwrite nonsense in /usr/local during macOS setup by @ethomson in #6664
- release: add a compatibility label by @ethomson in #6676
- actions: set permissions by @ethomson in #6680
- cmake: rename FindIconv to avoid collision with cmake by @ethomson in #6682
- ci: allow workflows to read and write packages...
libgit2 v1.7.2
🔒 This is a security release with multiple changes.
- A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application. This fixes CVE-2024-24575, which was discovered by researchers at Amazon AWS.
- A bug in git_index_add is fixed that could have caused the function to corrupt its heap and possibly lead to arbitrary code execution. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS.
- A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities.
The libgit2 project thanks the researchers and outreach team at AWS Security for finding the git_index_add and git_revparse_single bugs, and providing details and reproduction steps during their responsible disclosure.
All users of the v1.7 release line are recommended to upgrade.
libgit2 v1.6.5
🔒 This is a security release with multiple changes.
- A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application. This fixes CVE-2024-24575, which was discovered by researchers at Amazon AWS.
- A bug in git_index_add is fixed that could have caused the function to corrupt its heap and possibly lead to arbitrary code execution. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS.
- A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities.
The libgit2 project thanks the researchers and outreach team at AWS Security for finding the git_index_add and git_revparse_single bugs, and providing details and reproduction steps during their responsible disclosure.
All users of the v1.6 release line are recommended to upgrade.
libgit2 v1.7.1
v1.7.1
What's Changed
Bug fixes
- proxy: Return an error for invalid proxy URLs instead of crashing. by @lrm29 in #6597
- ssh: fix known_hosts leak in _git_ssh_setup_conn by @steven9724 in #6599
- repository: make cleanup safe for re-use with grafts by @carlosmn in #6600
- fix: Add missing include for oidarray. by @dvzrv in #6608
- Revert "CMake: Search for ssh2 instead of libssh2." by @ethomson in #6619
Compatibility improvements
New Contributors
- @dvzrv made their first contribution in #6608
- @steven9724 made their first contribution in #6599
Full Changelog: v1.7.0...v1.7.1
libgit2 v1.7.0
This is release v1.7.0, "Kleine Raupe Nimmersatt". This release adds shallow clone support, completes the experimental SHA256 support, adds Schannel support for Windows, and includes many other new features and bugfixes.
Major changes
- Shallow clone support
  libgit2 now supports shallow clone and shallow repositories, thanks to a significant investment from many community members -- hundreds of commits by many contributors.
- SHA256 support
  libgit2 should now support SHA256 repositories using the extensions.objectFormat configuration option when the library is built with EXPERIMENTAL_SHA256=ON. Users are encouraged to begin testing their applications with this option and provide bug reports and feedback. This is a breaking API change; SHA256 support will be enabled by default in libgit2 v2.0.
- Schannel and SSPI for Windows
  libgit2 now supports the Windows Schannel and SSPI APIs for HTTPS support on Windows, when configured with USE_HTTPS=Schannel. Setting this option will not use the existing WinHTTP support, but will use libgit2's standard HTTP client stack with Windows TLS primitives. Windows users are encouraged to begin testing their applications with this option and provide bug reports and feedback. This will be enabled by default in a future version of libgit2.
Breaking changes
- Simplify custom pluggable allocator (System API / ABI breaking change)
  The git_allocator structure (configurable by the GIT_OPT_SET_ALLOCATOR option) now only contains gmalloc, grealloc and gfree members. This simplifies both the work needed by an implementer and allows more flexibility and correctness in libgit2 itself, especially during out-of-memory situations and errors during bootstrapping.
Other changes
New features
- repo: honor environment variables for more scenarios by @ethomson in #6544
- Introduce timeouts on sockets by @ethomson in #6535
Performance improvements
- midx: do not try to look at every object in the index by @carlosmn in #6585
- Partial fix for #6532: insert-by-date order. by @arroz in #6539
Bug fixes
- repo: don't allow repeated extensions by @ethomson in #6505
- config: return GIT_ENOTFOUND for missing programdata by @ethomson in #6547
- Fix missing oid type for "fake" repositories by @oreiche in #6554
- Thread-local storage: handle failure cases by @ethomson in #5722
- midx: allow unknown chunk ids in multi-pack index files by @carlosmn in #6583
- pack: cast the number of objects to size_t by @carlosmn in #6584
- Fixes #6344: git_branch_move now renames the reflog instead of deleting. by @arroz in #6345
- #6576 git_diff_index_to_workdir reverse now loads untracked content by @arroz in #6577
Build and CI improvements
- meta: the main branch is now v1.7.0 by @ethomson in #6516
- xdiff: move xdiff to 'deps' by @ethomson in #6482
- util: detect all possible qsort_r and qsort_s variants by @DimitryAndric in #6555
- Work around -Werror problems when detecting qsort variants by @DimitryAndric in #6558
- actions: simplify execution with composite action by @ethomson in #6488
- CMake: Search for ssh2 instead of libssh2. by @Faless in #6586
Documentation improvements
- docs: fix IRC server from freenode to libera by @vincenzopalazzo in #6590
Dependency upgrades
- Update xdiff to git 2.40.1's version by @ethomson in #6561
- deps: update pcre to 8.45 by @ethomson in #6593
New Contributors
- @oreiche made their first contribution in #6554
- @DimitryAndric made their first contribution in #6555
- @vincenzopalazzo made their first contribution in #6590
- @Faless made their first contribution in #6586
Full Changelog: v1.6.3...v1.7.0
libgit2 v1.6.4
libgit2 v1.6.3
What's Changed
Bug fixes
- odb: restore git_odb_open by @ethomson in #6520
- Ensure that git_index_add_all handles ignored directories by @ethomson in #6521
- pack: use 64 bits for the number of objects by @carlosmn in #6530
Build and CI improvements
- Remove unused wditer variable by @georgthegreat in #6518
- fs_path: let root run the ownership tests by @ethomson in #6513
- sysdir: Do not declare win32 functions on non-win32 platforms by @Batchyx in #6527
- cmake: don't include include/git2 by @ethomson in #6529
New Contributors
- @georgthegreat made their first contribution in #6518
Full Changelog: v1.6.2...v1.6.3
libgit2 v1.6.2
What's Changed
Bug fixes
- remote: always populate old id in update tips by @ethomson in #6506
  The update tips callback would not always be properly provided with an empty (0000000...) OID for new refs.
- Revert #6503 by @ethomson in #6511
  The certificate callback added port information for callbacks in #6503, but the format was ambiguous with IPv6 addresses. Revert this change temporarily.
- Add git_odb_backend_loose back by @ethomson in #6512
  During SHA256 refactoring, the git_odb_backend_loose API was accidentally removed. Add it back.
- meta: configure pkg-config .pc correctly by @ethomson in #6514
  During SHA256 refactoring, the pkg-config .pc file was erroneously renamed to git2 instead of libgit2. Repair this.
Full Changelog: v1.6.1...v1.6.2