http 5.3.1 → 6.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b6053cab7210860d3464e9441746186b46c7ac1dc5716ea59cc69dff0d4ef460
-  data.tar.gz: 49f6d6c66a674e792208f1c17fff2c5dd8fdda330c6bdbabbaddec1f69eebac8
+  metadata.gz: 1567381d914309e80e272367711f0e26f48f0123730078e1cde3f6f1eb19447e
+  data.tar.gz: f8b6826b7a57470157a9caa3524bd89b77e3274ae69736f3983ad1e512ae8306
 SHA512:
-  metadata.gz: 11585d59c45a6e762e6df8792e30107ec1011440ddc4597ad63f4ab5951f0e5c3fd801153bdb32bf74cae90c8ca716368003b3fb59cd98d8dc28c595899be177
-  data.tar.gz: 481d4f96d65e80226f505b93ff0da954ee4d0c3ee443d6dd4b72711cd0b44ae95c150eeb82d24442a34105dbb75013cb689f4b2ee0a2272d8320b473d91fc72d
+  metadata.gz: 698b3d83287e492df7aced8106af2cd861b196c0691a484a007f8f3d56fff8bdaa278f3b3c860b851b4ec51e18b8f63d00b29242d8e1c7aa79ef590abc5f7ab3
+  data.tar.gz: b853190dabe880ee5232536f716b493e095f888c53a1fef3e7a598a05fce8864444096113de10f2d7e7ded74b08737bd2f50ac19788dd3c8a2b86e29bd6b6e78

data/CHANGELOG.md

@@ -5,63 +5,263 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
-
-
-## [5.3.1] - 2025-06-09
+## [6.0.0] - 2026-03-16
 
 ### Changed
 
-- Revert switch to the native llhttp on MRI, as it's not compatible with
-  standalone bundles
-  ([#802](https://github.com/httprb/http/issues/802))
+- Merged `http-form_data` gem into the main `http` gem. The `HTTP::FormData`
+  module (including `Part`, `File`, `Multipart`, `Urlencoded`, and `CompositeIO`)
+  is now shipped directly with `http` instead of being a separate dependency.
+  The public API is unchanged.
 
+### Fixed
 
-## [5.3.0] - 2025-06-09
+- `Inflater` no longer raises `Zlib::BufError` when a response declares
+  `Content-Encoding: gzip` (or deflate) but the body is not valid compressed
+  data. This commonly occurred when following redirects with `auto_inflate`
+  enabled, because the redirect response had a `Content-Encoding` header but a
+  non-compressed body. ([#621])
+- Persistent connections now auto-flush unread response bodies before sending
+  the next request, instead of raising `StateError`. Bodies up to 1 MiB are
+  drained transparently; larger bodies cause the connection to close and reopen.
+  This prevents the silent body clobbering described in [#371], where an unread
+  response body would return `""` after a subsequent request. ([#371])
+- `Response#content_length` now handles duplicate `Content-Length` headers per
+  RFC 7230 Section 3.3.2. When all values are identical, they are collapsed into
+  a single valid value. When values conflict, `nil` is returned instead of
+  raising `TypeError`. ([#566])
+- HTTP 1xx informational responses (e.g. `100 Continue`) are now transparently
+  skipped, returning the final response. This was a regression introduced when
+  the parser was migrated from http-parser to llhttp. ([#667])
+- Redirect loop detection now considers cookies, so a redirect back to the
+  same URL with different cookies is no longer falsely detected as an endless
+  loop. Fixes cookie-dependent redirect flows where a server sets a cookie on
+  one hop and expects it on the next. ([#544])
+- Per-operation timeouts (`HTTP.timeout(read: n, write: n, connect: n)`) no
+  longer default unspecified values to 0.25 seconds. Omitted timeouts now mean
+  no timeout for that operation, matching the behavior when no timeout is
+  configured at all. ([#579])
+- Per-operation timeout handler now correctly handles `:wait_writable` from
+  `read_nonblock` and `:wait_readable` from `write_nonblock` on SSL sockets
+  during TLS renegotiation. Previously these symbols were returned as data
+  instead of being waited on. ([#358])
+- Persistent sessions now follow cross-origin redirects instead of raising
+  `StateError`. `HTTP.persistent` returns an `HTTP::Session` that pools one
+  `HTTP::Client` per origin, so redirects to a different domain transparently
+  open (and reuse) a separate persistent connection. Cookie management is
+  preserved across all hops. ([#557])
+- Chaining configuration methods (`.headers`, `.auth`, `.cookies`, etc.) on a
+  persistent session no longer breaks connection reuse. Child sessions created
+  by chaining now share the parent's connection pool, so
+  `HTTP.persistent(host).headers(...).get(path)` reuses the same underlying
+  TCP connection across calls. ([#372])
 
-### Added
+### Changed
 
-- (backported) Add .retriable feature to Http
-- (backported) Add more specific ConnectionError classes
-- (backported) New feature: RaiseError
+- **BREAKING** `HTTP.persistent` now returns an `HTTP::Session` instead of an
+  `HTTP::Client`. The session pools persistent clients per origin and exposes
+  the same chainable API (`get`, `post`, `headers`, `follow`, etc.) plus a
+  `close` method that shuts down all pooled connections. Code that called
+  `HTTP::Client`-only methods on the return value will need updating. ([#557])
+- **BREAKING** Convert options hash parameters to explicit keyword arguments
+  across the public API. Methods like `HTTP.get(url, body: "data")` continue to
+  work, but passing an explicit hash (e.g., `HTTP.get(url, {body: "data"})`) is
+  no longer supported, and unrecognized keyword arguments now raise
+  `ArgumentError`. Affected methods: all HTTP verb methods (`get`, `post`,
+  etc.), `request`, `follow`, `retriable`, `URI.new`, `Request.new`,
+  `Response.new`, `Redirector.new`, `Retriable::Performer.new`,
+  `Retriable::DelayCalculator.new`, and `Timeout::Null.new` (and subclasses).
+  `HTTP::URI.new` also no longer accepts `Addressable::URI` objects.
+- **BREAKING** `addressable` is no longer a runtime dependency. It is now
+  lazy-loaded only when parsing non-ASCII (IRI) URIs or normalizing
+  internationalized hostnames. Install the `addressable` gem if you need
+  non-ASCII URI support. ASCII-only URIs use Ruby's stdlib `URI` parser
+  exclusively.
+- **BREAKING** Extract request building into `HTTP::Request::Builder`. The
+  `build_request` method has been removed from `Client`, `Session`, and the
+  top-level `HTTP` module. Use `HTTP::Request::Builder.new(options).build(verb, uri)`
+  to construct requests without executing them.
 
-### Changed
+### Added
 
-- (backported) Drop depenency on base64
-- (backported) Cache header normalization to reduce object allocation
-- (backported) Use native llhttp on MRI
+- Block form for verb methods and `request` that auto-closes the connection
+  after the block returns. `HTTP.get(url) { |response| response.status }` yields
+  the response, closes the underlying connection, and returns the block's value.
+  Works with all verb methods and chained options. ([#270])
+- HTTP caching feature (`HTTP.use(:caching)`) that stores and reuses responses
+  according to RFC 7234. Supports `Cache-Control` (`max-age`, `no-cache`,
+  `no-store`), `Expires`, `ETag` / `If-None-Match`, and
+  `Last-Modified` / `If-Modified-Since` for freshness checks and conditional
+  revalidation. Ships with a default in-memory store; custom stores can be
+  passed via `store:` option. Only GET and HEAD responses are cached. ([#223])
+- `HTTP.digest_auth(user:, pass:)` for HTTP Digest Authentication (RFC 2617 /
+  RFC 7616). Automatically handles 401 challenges with digest credentials,
+  supporting MD5, SHA-256, MD5-sess, and SHA-256-sess algorithms with
+  quality-of-protection negotiation. Works as a chainable feature:
+  `HTTP.digest_auth(user: "admin", pass: "secret").get(url)` ([#448])
+- Happy Eyeballs (RFC 8305) support via Ruby 3.4's native `TCPSocket`
+  implementation. Connection attempts now try multiple addresses (IPv6 and
+  IPv4) concurrently, improving reliability on dual-stack networks. Connect
+  timeouts are passed natively to `TCPSocket` instead of using
+  `Timeout.timeout`, avoiding `Thread.raise` interference with the Happy
+  Eyeballs state machine. ([#739])
+- `HTTP.base_uri` for setting a base URI that resolves relative request paths
+  per RFC 3986. Supports chaining (`HTTP.base_uri("https://api.example.com/v1")
+  .get("users")`), and integrates with `persistent` connections by deriving the
+  host when omitted ([#519], [#512], [#493])
+- `Request::Body#loggable?` and `Response::Body#loggable?` predicates, and a
+  `binary_formatter` option for the logging feature. Binary bodies
+  (IO/Enumerable request sources, binary-encoded request strings, and
+  binary-encoded responses) are now formatted instead of dumped raw,
+  preventing unreadable log output when transferring files like images or
+  audio. Available formatters: `:stats` (default, logs byte count),
+  `:base64` (logs base64-encoded content), or a custom `Proc`. Invalid
+  formatter values raise `ArgumentError` ([#784])
+- `Feature#on_request` and `Feature#around_request` lifecycle hooks, called
+  before/around each request attempt (including retries), for per-attempt side
+  effects like instrumentation spans and circuit breakers ([#826])
+- Pattern matching support (`deconstruct_keys`) for Response, Response::Status,
+  Headers, ContentType, and URI ([#642])
+- Combined global and per-operation timeouts: global and per-operation timeouts
+  are no longer mutually exclusive. Use
+  `HTTP.timeout(global: 60, read: 30, write: 30, connect: 5)` to set both a
+  global request timeout and individual operation limits ([#773])
 
+### Fixed
 
-## [5.2.0] - 2024-02-05
+- `HTTP::URI.form_encode` now encodes newlines as `%0A` instead of
+  `%0D%0A` ([#449])
+- Thread-safety: `Headers::Normalizer` cache is now per-thread via
+  `Thread.current`, eliminating a potential race condition when multiple
+  threads share a normalizer instance
+- Instrumentation feature now correctly starts a new span for each retry
+  attempt, fixing `NoMethodError` with `ActiveSupport::Notifications` when
+  using `.retriable` with the instrumentation feature ([#826])
+- Raise `HTTP::URI::InvalidError` for malformed or schemeless URIs and
+  `ArgumentError` for nil or empty URIs, instead of confusing
+  `UnsupportedSchemeError` or `Addressable::URI::InvalidURIError` ([#565])
+- Strip `Authorization` and `Cookie` headers when following redirects to a
+  different origin (scheme, host, or port) to prevent credential leakage
+  ([#516], [#770])
+- AutoInflate now preserves the response charset encoding instead of
+  defaulting to `Encoding::BINARY` ([#535])
+- `LocalJumpError` when using instrumentation with instrumenters that
+  unconditionally yield in `#instrument` (e.g., `ActiveSupport::Notifications`)
+  ([#673])
+- Logging feature no longer eagerly consumes the response body at debug level;
+  body chunks are now logged as they are streamed, preserving
+  `response.body.each` ([#785])
 
-### Added
+### Removed
 
-- Add `Connection#finished_request?`
-  ([#743](https://github.com/httprb/http/pull/743))
-- Add `Instrumentation#on_error`
-  ([#746](https://github.com/httprb/http/pull/746))
-- Add `base64` dependency (suppresses warnings on Ruby 3.0)
-  ([#759](https://github.com/httprb/http/pull/759))
-- Add `PURGE` HTTP verb
-  ([#757](https://github.com/httprb/http/pull/757))
-- Add Ruby-3.3 support
+- `HTTP::URI` setter methods (`scheme=`, `user=`, `password=`, `authority=`,
+  `origin=`, `port=`, `request_uri=`, `fragment=`) and normalized accessors
+  (`normalized_user`, `normalized_password`, `normalized_port`,
+  `normalized_path`, `normalized_query`) that were delegated to
+  `Addressable::URI` but never used internally
+- `HTTP::URI#origin` is no longer delegated to `Addressable::URI`. The new
+  implementation follows RFC 6454, normalizing scheme and host to lowercase
+  and excluding user info from the origin string
+- `HTTP::URI#request_uri` is no longer delegated to `Addressable::URI`
+- `HTTP::URI#omit` is no longer delegated to `Addressable::URI` and now
+  returns `HTTP::URI` instead of `Addressable::URI` ([#491])
+- `HTTP::URI#query_values` and `HTTP::URI#query_values=` delegations to
+  `Addressable::URI`. Query parameter merging now uses stdlib
+  `URI.decode_www_form`/`URI.encode_www_form`
+- `HTTP::URI` delegations for `normalized_scheme`, `normalized_authority`,
+  `normalized_fragment`, and `authority` to `Addressable::URI`. The URI
+  normalizer now inlines these operations directly
+- `HTTP::URI#join` is no longer delegated to `Addressable::URI` and now
+  returns `HTTP::URI` instead of `Addressable::URI`. Uses stdlib `URI.join`
+  with automatic percent-encoding of non-ASCII characters ([#491])
+- `HTTP::URI.form_encode` no longer delegates to `Addressable::URI`. Uses
+  stdlib `URI.encode_www_form` instead
 
 ### Changed
 
-- **BREAKING** Process features in reverse order
-  ([#766](https://github.com/httprb/http/pull/766))
-- **BREAKING** Downcase Content-Type charset name
-  ([#753](https://github.com/httprb/http/pull/753))
-- **BREAKING** Make URI normalization more conservative
-  ([#758](https://github.com/httprb/http/pull/758))
+- **BREAKING** `HTTP::Response::Status` no longer inherits from `Delegator`.
+  It now uses `Comparable` and `Forwardable` instead, providing `to_i`,
+  `to_int`, and `<=>` for numeric comparisons and range matching. Code that
+  called `__getobj__`/`__setobj__` or relied on implicit delegation of
+  arbitrary `Integer` methods (e.g., `status.even?`) will need to be updated
+  to use `status.code` instead
+- **BREAKING** Chainable option methods (`.headers`, `.timeout`, `.cookies`,
+  `.auth`, `.follow`, `.via`, `.use`, `.encoding`, `.nodelay`, `.basic_auth`,
+  `.accept`) now return a thread-safe `HTTP::Session` instead of `HTTP::Client`.
+  `Session` creates a new `Client` for each request, making it safe to share a
+  configured session across threads. `HTTP.persistent` still returns
+  `HTTP::Client` since persistent connections require mutable state. Code that
+  calls HTTP verb methods (`.get`, `.post`, etc.) or accesses `.default_options`
+  is unaffected. Code that checks `is_a?(HTTP::Client)` on the return value of
+  chainable methods will need to be updated to check for `HTTP::Session`
+- **BREAKING** `.retriable` now returns `HTTP::Session` instead of
+  `HTTP::Retriable::Client`. Retry is a session-level option: it flows through
+  `HTTP::Options` into `HTTP::Client#perform`, eliminating the need for
+  separate `Retriable::Client` and `Retriable::Session` classes
+- Improved error message when request body size cannot be determined to suggest
+  setting `Content-Length` explicitly or using chunked `Transfer-Encoding` ([#560])
+- **BREAKING** `Connection#readpartial` now raises `EOFError` instead of
+  returning `nil` at end-of-stream, and supports an `outbuf` parameter,
+  conforming to the `IO#readpartial` API. `Body#readpartial` and
+  `Inflater#readpartial` also raise `EOFError` ([#618])
+- **BREAKING** Stricter timeout options parsing: `.timeout()` with a Hash now
+  rejects unknown keys, non-numeric values, string keys, and empty hashes ([#754])
+- Bumped min llhttp dependency version
+- **BREAKING** Handle responses in the reverse order from the requests ([#776])
+- **BREAKING** `Response#cookies` now returns `Array<HTTP::Cookie>` instead of
+  `HTTP::CookieJar`. The `cookies` option has been removed from `Options`;
+  `Chainable#cookies` now sets the `Cookie` header directly with no implicit
+  merging — the last `.cookies()` call wins ([#536])
+- Cookie jar management during redirects moved from `Redirector` to `Session`.
+  `Redirector` is now a pure redirect-following engine with no cookie
+  awareness; `Session#request` manages cookies across redirect hops
+- **BREAKING** `HTTP::Options.new`, `HTTP::Client.new`, and `HTTP::Session.new`
+  now accept keyword arguments instead of an options hash. For example,
+  `HTTP::Options.new(response: :body)` continues to work, but
+  `HTTP::Options.new({response: :body})` must be updated to
+  `HTTP::Options.new(**options)`. Invalid option names now raise
+  `ArgumentError` automatically ([#447])
 
-### Fixed
+### Removed
 
-- Close sockets on initialize failure
-  ([#762](https://github.com/httprb/http/pull/762))
-- Prevent CRLF injection due to broken URL normalizer
-  ([#765](https://github.com/httprb/http/pull/765))
+- **BREAKING** Drop Ruby 2.x support
+- **BREAKING** Remove `Headers::Mixin` and the `[]`/`[]=` delegators on
+  `Request` and `Response`. Use `request.headers["..."]` and
+  `response.headers["..."]` instead ([#537])
 
-[unreleased]: https://github.com/httprb/http/compare/v5.3.0...5-x-stable
-[5.3.0]: https://github.com/httprb/http/compare/v5.2.0...v5.3.0
-[5.2.0]: https://github.com/httprb/http/compare/v5.1.1...v5.2.0
+[#270]: https://github.com/httprb/http/issues/270
+[#223]: https://github.com/httprb/http/issues/223
+[#358]: https://github.com/httprb/http/issues/358
+[#371]: https://github.com/httprb/http/issues/371
+[#372]: https://github.com/httprb/http/issues/372
+[#447]: https://github.com/httprb/http/issues/447
+[#448]: https://github.com/httprb/http/issues/448
+[#449]: https://github.com/httprb/http/issues/449
+[#491]: https://github.com/httprb/http/issues/491
+[#493]: https://github.com/httprb/http/pull/493
+[#512]: https://github.com/httprb/http/issues/512
+[#516]: https://github.com/httprb/http/issues/516
+[#519]: https://github.com/httprb/http/issues/519
+[#535]: https://github.com/httprb/http/issues/535
+[#536]: https://github.com/httprb/http/issues/536
+[#537]: https://github.com/httprb/http/issues/537
+[#544]: https://github.com/httprb/http/issues/544
+[#557]: https://github.com/httprb/http/issues/557
+[#560]: https://github.com/httprb/http/pull/560
+[#565]: https://github.com/httprb/http/issues/565
+[#566]: https://github.com/httprb/http/issues/566
+[#579]: https://github.com/httprb/http/issues/579
+[#618]: https://github.com/httprb/http/pull/618
+[#621]: https://github.com/httprb/http/issues/621
+[#642]: https://github.com/httprb/http/issues/642
+[#667]: https://github.com/httprb/http/issues/667
+[#673]: https://github.com/httprb/http/issues/673
+[#739]: https://github.com/httprb/http/issues/739
+[#754]: https://github.com/httprb/http/pull/754
+[#770]: https://github.com/httprb/http/issues/770
+[#773]: https://github.com/httprb/http/issues/773
+[#776]: https://github.com/httprb/http/issues/776
+[#784]: https://github.com/httprb/http/issues/784
+[#785]: https://github.com/httprb/http/issues/785
+[#826]: https://github.com/httprb/http/issues/826
+[unreleased]: https://github.com/httprb/http/compare/v5.3.0...main

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2011-2022 Tony Arcieri, Erik Michaels-Ober, Alexey V. Zapparov, Zachary Anker
+Copyright (c) 2011-2026 Tony Arcieri, Erik Berlin, Alexey V. Zapparov, Zachary Anker
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -2,8 +2,11 @@
 
 [![Gem Version][gem-image]][gem-link]
 [![MIT licensed][license-image]][license-link]
-[![Build Status][build-image]][build-link]
-[![Code Climate][codeclimate-image]][codeclimate-link]
+[![Docs][docs-image]][docs-link]
+[![Lint][lint-image]][lint-link]
+[![Mutant][mutant-image]][mutant-link]
+[![Test][test-image]][test-link]
+[![Typecheck][typecheck-image]][typecheck-link]
 
 [Documentation]
 
@@ -105,18 +108,91 @@ and call `#readpartial` on it repeatedly until it returns `nil`:
 => nil
 ```
 
+### Pattern Matching
+
+Response objects support Ruby's pattern matching:
+
+```ruby
+case HTTP.get("https://api.example.com/users")
+in { status: 200..299, body: body }
+  JSON.parse(body.to_s)
+in { status: 404 }
+  nil
+in { status: 400.. }
+  raise "request failed"
+end
+```
+
+Pattern matching is also supported on `HTTP::Response::Status`, `HTTP::Headers`,
+`HTTP::ContentType`, and `HTTP::URI`.
+
+### Base URI
+
+Set a base URI to avoid repeating the scheme and host in every request:
+
+```ruby
+api = HTTP.base_uri("https://api.example.com/v1")
+api.get("users")       # GET https://api.example.com/v1/users
+api.get("users/1")     # GET https://api.example.com/v1/users/1
+```
+
+Relative paths are resolved per [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-5).
+Combine with `persistent` to reuse the connection:
+
+```ruby
+HTTP.base_uri("https://api.example.com/v1").persistent do |http|
+  http.get("users")
+  http.get("posts")
+end
+```
+
+### Thread Safety
+
+Configured sessions are safe to share across threads:
+
+```ruby
+# Build a session once, use it from any thread
+session = HTTP.headers("Accept" => "application/json")
+              .timeout(10)
+              .auth("Bearer token")
+
+threads = 10.times.map do
+  Thread.new { session.get("https://example.com/api/data") }
+end
+threads.each(&:join)
+```
+
+Chainable configuration methods (`.headers`, `.timeout`, `.auth`, etc.) return
+an `HTTP::Session`, which creates a fresh `HTTP::Client` for every request.
+
+Persistent connections (`HTTP.persistent`) return an `HTTP::Session` that pools
+one `HTTP::Client` per origin. The session itself is **not** thread-safe. For
+thread-safe persistent connections, use the
+[connection_pool](https://rubygems.org/gems/connection_pool) gem:
+
+```ruby
+pool = ConnectionPool.new(size: 5) { HTTP.persistent("https://example.com") }
+pool.with { |http| http.get("/path") }
+```
+
+Cross-origin redirects are handled transparently — the session opens a separate
+persistent connection for each origin encountered during a redirect chain:
+
+```ruby
+HTTP.persistent("https://example.com").follow do |http|
+  http.get("/moved-to-other-domain")  # follows redirect across origins
+end
+```
+
 ## Supported Ruby Versions
 
 This library aims to support and is [tested against][build-link]
 the following Ruby  versions:
 
-- JRuby 9.3
-- Ruby 2.6
-- Ruby 2.7
-- Ruby 3.0
-- Ruby 3.1
 - Ruby 3.2
 - Ruby 3.3
+- Ruby 3.4
+- Ruby 4.0
 
 If something doesn't work on one of these versions, it's a bug.
 
@@ -132,8 +208,20 @@ exist at the time of a major release, support for that Ruby version may be
 dropped.
 
 
+## Upgrading
+
+See [UPGRADING.md] for a detailed migration guide between major versions.
+
+
+## Security
+
+See [SECURITY.md] for reporting vulnerabilities.
+
+
 ## Contributing to http.rb
 
+See [CONTRIBUTING.md] for guidelines, or the quick version:
+
 - Fork http.rb on GitHub
 - Make your changes
 - Ensure all tests pass (`bundle exec rake`)
@@ -144,7 +232,7 @@ dropped.
 
 ## Copyright
 
-Copyright © 2011-2022 Tony Arcieri, Alexey V. Zapparov, Erik Michaels-Ober, Zachary Anker.
+Copyright © 2011-2026 Tony Arcieri, Erik Berlin, Alexey V. Zapparov, Zachary Anker.
 See LICENSE.txt for further details.
 
 
@@ -154,13 +242,22 @@ See LICENSE.txt for further details.
 [gem-link]: https://rubygems.org/gems/http
 [license-image]: https://img.shields.io/badge/license-MIT-blue.svg
 [license-link]: https://github.com/httprb/http/blob/main/LICENSE.txt
-[build-image]: https://github.com/httprb/http/workflows/CI/badge.svg
-[build-link]: https://github.com/httprb/http/actions/workflows/ci.yml
-[codeclimate-image]: https://codeclimate.com/github/httprb/http.svg?branch=main
-[codeclimate-link]: https://codeclimate.com/github/httprb/http
+[docs-image]: https://github.com/httprb/http/actions/workflows/docs.yml/badge.svg
+[docs-link]: https://github.com/httprb/http/actions/workflows/docs.yml
+[lint-image]: https://github.com/httprb/http/actions/workflows/lint.yml/badge.svg
+[lint-link]: https://github.com/httprb/http/actions/workflows/lint.yml
+[mutant-image]: https://github.com/httprb/http/actions/workflows/mutant.yml/badge.svg
+[mutant-link]: https://github.com/httprb/http/actions/workflows/mutant.yml
+[test-image]: https://github.com/httprb/http/actions/workflows/test.yml/badge.svg
+[test-link]: https://github.com/httprb/http/actions/workflows/test.yml
+[typecheck-image]: https://github.com/httprb/http/actions/workflows/typecheck.yml/badge.svg
+[typecheck-link]: https://github.com/httprb/http/actions/workflows/typecheck.yml
 
 [//]: # (links)
 
+[contributing.md]: https://github.com/httprb/http/blob/main/CONTRIBUTING.md
 [documentation]: https://github.com/httprb/http/wiki
-[requests]: https://docs.python-requests.org/en/latest/
 [llhttp]: https://llhttp.org/
+[requests]: https://docs.python-requests.org/en/latest/
+[security.md]: https://github.com/httprb/http/blob/main/SECURITY.md
+[upgrading.md]: https://github.com/httprb/http/blob/main/UPGRADING.md