Releases: ruby/net-imap

v0.6.4

23 Apr 21:55

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

Warning

#664 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp).
Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.
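The guarantee the fix restores is that #starttls reports success only when the server's tagged OK for that command has been received and TLS has actually been negotiated; any other outcome must be a failure, never a silent plaintext session. The following added example is not net-imap's own code and does not describe the internal cause of the bug (the notes do not detail it). It models that decision offline over constructed server response lines; the tag value, the sample exchanges and the method names starttls_outcome and require_tls! are assumptions for illustration.

```ruby
# Added example, not net-imap's own code.  Models the decision a client must
# make after sending "<tag> STARTTLS": switch to TLS only when the server's
# tagged OK for *that* tag arrives, and treat every other outcome as failure,
# so the connection is never used in the clear as if it were protected.
# The tag value, response lines and method names are constructed for illustration.

Outcome = Struct.new(:tls_started, :reason)

# Scans server response lines (already split on CRLF) for the tagged
# completion of our STARTTLS command.  Untagged ("*") lines and lines for
# other tags are informational and never complete the command.
def starttls_outcome(tag, lines)
  lines.each do |line|
    t, status, text = line.chomp.split(" ", 3)
    next if t.nil? || t == "*" || t != tag
    return Outcome.new(true, text.to_s) if status == "OK"
    return Outcome.new(false, "#{status} #{text}".strip)
  end
  Outcome.new(false, "connection closed before a tagged response")
end

class StartTLSFailed < StandardError; end

# Caller-side contract: either TLS is started, or we raise.  There is no
# third state in which the session quietly continues in plaintext.
def require_tls!(tag, lines)
  outcome = starttls_outcome(tag, lines)
  raise StartTLSFailed, outcome.reason unless outcome.tls_started
  outcome
end

# Constructed sample exchanges (server side only; the client sent "A1 STARTTLS").
SERVER_OK = [
  "* OK [CAPABILITY IMAP4rev1 STARTTLS] ready",
  "A1 OK Begin TLS negotiation now",
]
SERVER_REFUSED = [
  "A1 NO STARTTLS is not available",
]
SERVER_NO_COMPLETION = [
  "* BYE closing",   # no tagged completion for A1 at all
]

if __FILE__ == $PROGRAM_NAME
  [SERVER_OK, SERVER_REFUSED, SERVER_NO_COMPLETION].each do |lines|
    begin
      puts "TLS started: #{require_tls!("A1", lines).reason}"
    rescue StartTLSFailed => e
      puts "refusing plaintext session: #{e.message}"
    end
  end
end
```

The point of the two-state contract is that application code calling #starttls can rely on an exception for every non-success path; a "return value that looks successful" with no TLS underneath is exactly what the fixed versions rule out.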

Important

Argument validation is significantly improved. Several injection vulnerabilities have been fixed:

  • #657 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px).
  • #658 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg).
  • #659 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg).
  • #660 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):
    • #search and #uid_search send criteria as raw data, when it is a String.
    • #fetch and #uid_fetch send attr as raw data, when it is a String.
      When attr is an Array, its String members are sent as raw data.

Caution

RawData does not defend against other forms of argument injection! It is an intentionally low-level API.
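The four fixes listed above (Symbol flags, the STORE attr, the #setquota storage limit, and RawData) share one pattern: each argument is checked against the grammar it must satisfy before it is serialized into the command line, and for RawData the only check is the CRLF one, which is why the caution applies. The following added example is not net-imap's own validators (the library's rules are stricter and live inside Net::IMAP); it applies that pattern with simplified, assumed rules to constructed inputs. The ATOM_SPECIALS set, the function names and the STORE line builder are illustrative assumptions; the same reading applies to the identical sections for v0.5.14 and v0.4.24 below.

```ruby
# Added example, not net-imap's own code.  Shows the validate-then-serialize
# pattern the release notes describe, with simplified rules that are
# assumptions for illustration; Net::IMAP's own checks are stricter.

# Characters that may not appear in an IMAP atom (simplified from RFC 3501):
# list wildcards, quote specials, whitespace, CTLs and DEL.
ATOM_SPECIALS = /[(){ \x00-\x1f\x7f%*"\\\]]/

def atom?(str)
  str.is_a?(String) && !str.empty? && str.ascii_only? && !str.match?(ATOM_SPECIALS)
end

# The single check RawData gets: a CR or LF would end the command line, so
# whatever follows it would be read by the server as a separate command.
def reject_crlf!(str, what)
  raise ArgumentError, "#{what} must not contain CR or LF" if str.match?(/[\r\n]/)
  str
end

# Symbol arguments are sent as system flags such as \Seen.  Only an
# atom-safe name is accepted; the backslash is added here, never by the caller.
def validate_flag_symbol(sym)
  raise ArgumentError, "flag must be a Symbol, got #{sym.inspect}" unless sym.is_a?(Symbol)
  name = sym.to_s
  raise ArgumentError, "invalid flag name #{name.inspect}" unless atom?(name)
  "\\#{name}"
end

# STORE attr ("FLAGS", "+FLAGS.SILENT", ...) is sent as exactly one atom.
def validate_store_attr(attr)
  attr = attr.to_s
  raise ArgumentError, "STORE attr must be a single atom, got #{attr.inspect}" unless atom?(attr)
  attr
end

# SETQUOTA storage limit is a number on the wire, so only a non-negative
# Integer is accepted; a String that merely looks numeric is refused.
def validate_storage_limit(limit)
  unless limit.is_a?(Integer) && limit >= 0
    raise ArgumentError, "storage limit must be a non-negative Integer, got #{limit.inspect}"
  end
  limit
end

# RawData is sent verbatim: CRLF is rejected, everything else remains the
# caller's responsibility (the "intentionally low-level API" caveat).
def validate_raw_data(str)
  raise ArgumentError, "raw data must be a String, got #{str.inspect}" unless str.is_a?(String)
  reject_crlf!(str, "raw data")
end

# Sequence sets are digits, '*', ':' and ',' only (simplified rule).
def validate_sequence_set(set)
  set = set.to_s
  raise ArgumentError, "invalid sequence set #{set.inspect}" unless set.match?(/\A[0-9*:,]+\z/)
  set
end

# Builds a complete STORE command line from validated pieces.  Because every
# piece has been checked, the only CRLF on the line is the terminator added here.
def build_store_command(tag, seqset, attr, flags)
  seqset = validate_sequence_set(seqset)
  attr   = validate_store_attr(attr)
  flags  = flags.map { |f| validate_flag_symbol(f) }
  "#{tag} STORE #{seqset} #{attr} (#{flags.join(" ")})\r\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a well-formed command passes, malformed pieces are refused.
  puts build_store_command("A2", "1:3", "+FLAGS.SILENT", [:Seen, :Flagged]).inspect
  [
    -> { validate_flag_symbol(:"Seen\r\nX") },
    -> { validate_store_attr("FLAGS (\\Deleted)") },
    -> { validate_storage_limit("1024") },
    -> { validate_raw_data("SUBJECT foo\r\nbar") },
  ].each do |check|
    begin
      check.call
    rescue ArgumentError => e
      puts "refused: #{e.message}"
    end
  end
end
```

The practical consequence for application code is the one the caution states: wherever the notes say a String is sent as raw data, the CRLF check is the only protection the library applies, so user-controlled text should be validated or quoted by the caller before it reaches those arguments.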

Note

Two denial of service vulnerabilities have been addressed.
These are generally only relevant when connecting to an untrusted hostile server (or without TLS).

  • #642 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw).
  • #654 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

The default ScramAuthenticator#max_iterations is 2**31 - 1 (max 32-bit signed int), which was already OpenSSL's maximum value. It provides no protection against hostile servers unless it is explicitly set to a lower value by the user.

Breaking Changes

  • ResponseReader memoizes Config#max_response_size in #642.
    Changes to #max_response_size now take effect once per response, not on every IO#read.
    NOTE: It is not expected that this will affect any current usage. See the PR for details.

Added

  • ✨ Support BINARY extension to #append (RFC3516) by @nevans in #616
  • ✨ Support LITERAL+ and LITERAL- non-synchronizing literals (RFC7888) by @nevans in #649
  • 🔒 Add ScramAuthenticator#max_iterations by @nevans in #654
  • 🏷️ Add number64 and nz-number64 to NumValidator by @nevans in #625
  • ♻️ Add MailboxQuota#quota_root alias by @nevans in #636
  • 🔍 Simplify Net::IMAP#inspect with basic state by @nevans in #612
  • 🥅 Add ResponseParseError#parser_methods (and override #==) by @nevans in #615

Fixed

  • 🔒 Fix STARTTLS stripping vulnerability in #664, reported by @Masamuneee
  • Argument validation, reported by @manunio
    • 🔒️ Strictly validate symbol (\flag) arguments in #657
    • 🔒️ Validate and send STORE attr as an atom in #658
    • 🔒 Validate #setquota storage limit argument in #659
    • 🔒 Validate RawData for CRLF injection in #660
    • 📚 Improve documentation of RawData arguments in #661
  • ⚡ Much faster ResponseReader performance by @nevans in #642
  • 🥅 Successfully parse invalid response code data by @nevans in #614
  • Fix JRuby SSL connection failure: use SSLContext#setup instead of #freeze by @idahomst in #627
  • 🐛 Fix InvalidResponseError in #get_tagged_response by @nevans in #633
  • Pass an Exception to #raise by @eregon in #643
  • 🐛 Fix empty SearchResult#to_sequence_set in #644, reported by @Quintasan
  • 🐛 Wait to continue RawData literals by @nevans in #660

Documentation

  • 📚 Fix rdoc 7.2 compatibility (section bugfix) by @nevans in #617
  • 📚 Switch back to rdoc's darkfish generator (🚧TMP) by @nevans in #618
  • 📚 Use .document and .rdoc_options files, where possible by @nevans in #619
  • Update README example: Expunge is implicit in MOVE by @sebbASF in #623
  • 📚️ Fix QUOTA documentation by @nevans in #636
  • 📚 Minor documentation fixes by @nevans in #638
  • 📚 Improve documentation of RawData arguments by @nevans in #661

Other Changes

  • Handle deep response recursion as ResponseParseError by @Masamuneee in #629

Miscellaneous

  • ✅ Fix typo in FakeServer (tests only) by @nevans in #620
  • ⬆️ Bump step-security/harden-runner from 2.14.2 to 2.15.0 by @dependabot[bot] in #621
  • Bump step-security/harden-runner from 2.15.0 to 2.15.1 by @dependabot[bot] in #626
  • ⬆️ Bump step-security/harden-runner from 2.15.1 to 2.16.0 by @dependabot[bot] in #628
  • ⬆️ Bump actions/configure-pages from 5 to 6 by @dependabot[bot] in #635
  • ✅ Test #setquota by @nevans in #636
  • ⬆️ Bump actions/deploy-pages from 4 to 5 by @dependabot[bot] in #634
  • ⬆️ Bump step-security/harden-runner from 2.16.0 to 2.17.0 by @dependabot[bot] in #639
  • Test TruffleRuby release in CI for improved stability by @eregon in #640
  • ⬆️ Bump actions/upload-pages-artifact from 4 to 5 by @dependabot[bot] in #646
  • ⬆️ Bump step-security/harden-runner from 2.17.0 to 2.19.0 by @dependabot[bot] in #647

Full Changelog: v0.6.3...v0.6.4

v0.5.14

23 Apr 22:14

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

Warning

#665 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp).
Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

Important

Argument validation is significantly improved. Several command injection vulnerabilities have been fixed:

  • #662 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px).
  • #662 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg).
  • #662 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg).
  • #662 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):
    • #search and #uid_search send criteria as raw data, when it is a String.
    • #fetch and #uid_fetch send attr as raw data, when it is a String.
      When attr is an Array, its String members are sent as raw data.

Caution

RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

Note

Two denial of service vulnerabilities have been addressed.
These are generally only relevant when connecting to an untrusted hostile server (or without TLS).

  • #650 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw).
  • #656 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

Miscellaneous

  • ✅ Fix Data polyfill tests for ruby 4.1 by @nevans in #632

Full Changelog: v0.5.13...v0.5.14

v0.4.24

23 Apr 22:19
24a4e77

Important

The 0.4.x release branch will only receive critical security fixes, and will be unsupported when ruby 3.3 is EOL.
Please upgrade to a newer version.

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

Warning

#666 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp).
Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

Important

Argument validation is significantly improved. Several injection vulnerabilities have been fixed:

  • #663 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px).
  • #663 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg).
  • #663 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg).
  • #663 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):
    • #search and #uid_search send criteria as raw data, when it is a String.
    • #fetch and #uid_fetch send attr as raw data, when it is a String.
      When attr is an Array, its String members are sent as raw data.

Caution

RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

Note

Two denial of service vulnerabilities have been addressed.
These are generally only relevant when connecting to an untrusted hostile server (or without TLS).

  • #651 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw).
  • #655 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

The default ScramAuthenticator#max_iterations is 2**31 - 1 (max 32-bit signed int), which was already OpenSSL's maximum value. It provides no protection against hostile servers unless it is explicitly set to a lower value by the user.

Full Changelog: v0.4.23...v0.4.24

v0.3.10

23 Apr 22:20

Important

0.3.10 is the final release for the 0.3.x release series. Please upgrade to a newer version.

What's Changed

🔒 Security

Warning

#667 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp).
Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

Full Changelog: v0.3.9...v0.3.10

v0.6.3

13 Feb 15:34

What's Changed

Added

  • 🥅 Add parser state and #detailed_message to ResponseParseError by @nevans in #599
    • 🥅💄 Support (monochrome) highlights in parse error details by @nevans in #603
    • 🥅💄 Auto-highlight parse error detailed_message using TERM and FORCE_COLOR by @nevans in #607
    • 🥅💄 Add color highlights to parse error details (default honors NO_COLOR) by @nevans in #609
  • 🔧 Add Config#overrides? (opposite of #inherited?) by @nevans in #610
  • 🔧 Add recursive Config#inherits_defaults? by @nevans in #611

Fixed

  • 🐛 Parse resp-text with invalid resp-text-code by @nevans in #601
  • 🐛 Config.version_defaults should be read only by @nevans in #594

Other Changes

  • 🥅 Only print parser debug for unhandled errors by @nevans in #600
  • ♻️ Don't hardcode parser deprecation warning uplevel by @nevans in #602
  • ♻️ Simplify Config::AttrAccessors a little by @nevans in #606
  • ♻️ Set Config[:default] as alias of Config[VERSION] by @nevans in #608

Fixes for unreleased code:

  • 🐛 Return ResponseText from resp-text fallback by @nevans in #605
  • 🐛 Fix parse error parser_backtrace (for ruby <= 3.3) by @nevans in #604

Miscellaneous

  • Delete test/net/imap/test_data_lite.rb by @nobu in #593
  • ⬆️ Bump step-security/harden-runner from 2.14.0 to 2.14.1 by @dependabot[bot] in #596
  • Bump step-security/harden-runner from 2.14.1 to 2.14.2 by @dependabot[bot] in #598

Full Changelog: v0.6.2...v0.6.3

v0.6.2

17 Dec 18:47

What's Changed

Full Changelog: v0.6.1...v0.6.2

v0.6.1

17 Dec 18:16

What's Changed

Fixed

  • 🐛 Fix SequenceSet#max(n) when cardinality < n <= size by @nevans in #580

Miscellaneous

  • ⬆️ Bump step-security/harden-runner from 2.13.3 to 2.14.0 by @dependabot[bot] in #579

Full Changelog: v0.6.0...v0.6.1

v0.5.13

17 Dec 20:43

What's Changed

Fixed

  • 🐛 Fix SequenceSet#delete?(num..num) to return set (backport to 0.5) by @nevans in #585
  • 🐛 Fix SequenceSet#max(n) when cardinality < n <= size (backport to 0.5) by @nevans in #586
  • 🐛 Fix config.responses_without_block = :frozen_dup (backport to 0.5) by @nevans in #588, reported by @yurikoval in #581

Documentation

  • 📚 Improve rdoc example for #uid_fetch with partial by @nevans in #532

Other Changes

  • ♻️ Refactor Config.versioned_defaults to reduce merge conflicts (backport to 0.5) by @nevans in #584

Miscellaneous

  • 📦 Drop digest from Gemfile (workaround for #576, backport to 0.5) by @nevans in #591

Full Changelog: v0.5.12...v0.5.13

v0.4.23

13 Feb 15:31

What's Changed

  • 🐛 Fix config.responses_without_block = :frozen_dup (backport to 0.4) by @nevans in #589
  • 📦 Drop digest from Gemfile (workaround for #576, backport to 0.4) by @nevans in #592

Full Changelog: v0.4.22...v0.4.23

v0.6.0

15 Dec 04:58

What's Changed

Breaking Changes

  • 🔧 Update default config for v0.6 by @nevans in #539
    • responses_without_block changed from :warn to :frozen_dup
    • parser_use_deprecated_uidplus_data changed from :up_to_max_size to false (and is deprecated)
    • parser_max_deprecated_uidplus_data_size changed from 100 to 0 (and is deprecated)
  • 💥 Require ruby >= 3.2 (drop support for 3.1) by @nevans in #538
  • 💥✨ Change SequenceSet#size to count * and repeated numbers by @nevans in #564
    SequenceSet is used to represent both sorted sets and ordered lists (which may contain duplicates). Members are non-zero UInt32 numbers, but "*" has special meaning as "the number corresponding to the last mailbox entry". So there are four different ways to count the members of a SequenceSet.
    Previously, #size was an alias for #count. Now it differs in both relevant aspects.

                                        | * is a unique member | * is treated like 2³² - 1
    distinct set members                | #cardinality         | #count
    ordered list, including duplicates  | #size                | #count_with_duplicates
  • 🔥 Remove deprecated UIDPlusData class by @nevans in #540
    UIDPlusData was deprecated by v0.5.6. AppendUIDData or CopyUIDData will always be returned instead.
  • 🔥 Delete deprecated MessageSet by @nevans in #573
    MessageSet was deprecated by v0.5.0. Use SequenceSet instead.
  • 🔥 Use psych (>= 5.2.5) for encoding Data objects by @nevans in #543
    This changes the YAML tag for Data subclasses from ruby/object:Net::IMAP::DataSubclass to ruby/data:Net::IMAP::DataSubclass. YAML dumped by earlier net-imap versions may not load correctly. Psych >= 5.2.5 is required to dump these objects correctly.
  • 💥 Do not include OpenSSL and OpenSSL::SSL modules into Net::IMAP by @nevans in #533
    This only affects the ability to use OpenSSL constants from the Net::IMAP namespace.
  • 💥 Don't set verify_callback to VerifyCallbackProc by @nevans in #534
    This functionality was never documented and is redundant with the verify_callback option.

Deprecated

  • Deprecated config options for UIDPlusData in #540
    The parser_use_deprecated_uidplus_data and parser_max_deprecated_uidplus_data_size config options will be removed in v0.7.0. They are kept for backward compatibility, but they do not affect response parser results. When parser_use_deprecated_uidplus_data is changed from the default value (false), deprecation warnings are printed when parsing APPENDUID or COPYUID response codes.

Added

  • 🔒 Add when_capabilities_cached option for Config#sasl_ir by @nevans in #561
  • Net::IMAP::Config improvements
    • 🔍 Improve Config#inspect output by @nevans in #546
    • 🔍 Improve Config#pretty_print (for Kernel::pp) by @nevans in #547
    • 🔧 Update Config#inherited? for any number of args by @nevans in #552
  • Net::IMAP::SequenceSet improvements
    • ✨ Add SequenceSet#intersect! for in-place set AND by @nevans in #549
    • ✨ Add SequenceSet#xor! for in-place set XOR by @nevans in #550
    • ♻️ Coalesce entries in SequenceSet#append by @nevans in #553
    • ✨ Add SequenceSet#normalized? by @nevans in #558
    • ✨ Add SequenceSet#cardinality method by @nevans in #563
    • 💥✨ Change SequenceSet#size to count * and repeated numbers by @nevans in #564
  • Net::IMAP::NumValidator improvements
    • 🏷️ Support mod-sequence-valzer (RFC4551) in NumValidator by @nevans in #570
    • 🏷️ Add NumValidator.coerce_{type} methods by @nevans in #571

Documentation

  • 📚 Improve rdoc example for #uid_fetch with partial by @nevans in #532
  • 📚 Document SearchResult/ESearchResult compatibility by @nevans in #559
  • 📚 Minor rdoc formatting fixes by @nevans in #560

Other Changes

  • 🔥 Drop Data polyfill by @nevans in #541
    This was only used for ruby 3.1, which is no longer supported. So this is not considered a breaking change.
  • ♻️ Refactor Config.versioned_defaults to reduce merge conflicts by @nevans in #544
  • Improved Net::IMAP::SequenceSet performance
    • ⚡️ Don't memoize SequenceSet#string on normalized sets by @nevans in #554
    • ⚡ Faster SequenceSet#normalize when frozen by @nevans in #556
    • ⚡️ Faster SequenceSet#full? by @nevans in #565
    • ⚡️ Slightly faster SequenceSet#xor by @nevans in #567
    • ⚡ Avoid allocating arrays for SequenceSet bsearch (♻️ extract abstract strategy methods) by @nevans in #569
    • ♻️ Rename SequenceSet internals by @nevans in #562
    • ♻️ Reorganize SequenceSet internals by @nevans in #568

Miscellaneous

  • ✅ Stop using deprecated UIDPlusData in tests by @nevans in #542
  • ⬆️ Bump step-security/harden-runner from 2.13.1 to 2.13.2 by @dependabot[bot] in #548
  • 🐛 Fix workflow to deploy RDoc to GitHub pages by @nevans in #551
  • ⬆️ Bump actions/checkout from 5 to 6 by @dependabot[bot] in #555
  • 📦 Update release.yml for github_actions label by @nevans in #557
  • ⬆️ Bump step-security/harden-runner from 2.13.2 to 2.13.3 by @dependabot[bot] in #566
  • 🔖 Release 0.6 by @nevans in #574
  • Workarounds for "Publishing gem fails with digest gem activation failure" issue #576
    • 📦 Use latest rubygems/bundler to release gem by @nevans in #575
    • 📦 Drop digest from Gemfile by @nevans in #577

Full Changelog: v0.5.12...v0.6.0