httpx-patched 1.6.2.1

data/doc/release_notes/0_2_1.md

@@ -0,0 +1,16 @@
+# 0.2.1
+
+* fixed setting timeouts using the chainable API
+
+* Basic Auth: proper user/password escaping
+
+* Improved multi-request support, by allowing to pass request-specific options for multiple requests
+
+```ruby
+tokens = ["TOKEN1", "TOKEN2", "TOKEN3"]
+uri = "https://example.com/protected"
+
+requests = tokens.map { |token| [uri, {headers: {'authorization': token} }] }
+
+responses = HTTPX.get(*requests)
+```

data/doc/release_notes/0_3_0.md

@@ -0,0 +1,12 @@
+# 0.3.0
+
+* removed `http_parser.rb`, which is unmaintained, builds an old version of node's parser, and doesn't work on JRuby 9.2; also, better support over HTTP/1 features.
+
+* Alt-Svc support (all remaining origin requests will be routed there); Supports both `Alt-Svc` header and the `altsvc` HTTP/2 frame.
+
+* moved multipart requests support to a separate plugin, which removed `http_form_data` as a hard dependency (you'll still need it for the plugin though).
+
+* new `HTTP.wrap { |client| }` method.
+
+* We have a cheatsheet! 
+

data/doc/release_notes/0_3_1.md

@@ -0,0 +1,6 @@
+# 0.3.1
+
+* improved DNS resolution error handling (decoding/encoding errors, system resolver)
+
+* hotfix: Native/HTTPS resolver not retrying same record type after cache expired, effectively not working after some time for long-running processes
+

data/doc/release_notes/0_4_0.md

@@ -0,0 +1,51 @@
+# 0.4.0
+
+* Feature: SSH proxy plugin -> send requests over ssh gateway;
+
+```ruby
+HTTPX.plugin(:"proxy/ssh").
+	  with_proxy(uri: "ssh://localhost:2222",
+                 username: "root",
+                 auth_methods: %w[publickey],
+                 host_key: "ssh-rsa",
+                 keys: %w[test/support/ssh/ssh_host_ed25519_key]).get(URI)
+```
+
+* Feature: Faraday Adapter
+
+* refactoring: cookies plugin API simplification (this is a breaking change!):
+
+```ruby
+session = HTTPX.plugin(:cookies)
+session.with_cookies("a" => "b").get(...
+session.cookies #=> session current cookie store, persists/updates session cookies as requests are processed
+session.wrap do |session|
+  session.get(..) #=> "Set-Cookie"
+  ...
+end #=> after this, cookie store resets to the state previous to wrap
+```
+
+Removed `Session#cookie_store`
+
+```ruby
+client = HTTPX.plugin(:cookies)
+redirect_response = client.get(URI) #=> ... 302 ... Set-Cookie: "blablalba" ...
+# this sets the cookies
+# GET .... Cookie: "blablabla" ....
+response = client.get(URI) #=> ... 200 ...
+# also, setting cookies:
+
+client.cookies("a" => "b").get(URI) # ... Cookie: "a=b" ...
+
+#also seamlessly integrates with redirect follows
+client = HTTPX.plugins(:follow_redirects, :cookies)
+response = client.get(URI) #=> ... 200 ...
+```
+
+* refactoring: connection pool now thread-local, improves thread-safety;
+
+* bugfix: leaking dns query when passing IO object as option;
+
+* bugfix: now multiple different resolvers are supported;
+
+* support: JRuby is again supported (as usual, only latest stable is guaranteed)

data/doc/release_notes/0_4_1.md

@@ -0,0 +1,3 @@
+# 0.4.1
+
+This was a fix release for some issues around exceptions on requests, and to make the faraday adapter work well with ssl.

data/doc/release_notes/0_5_0.md

@@ -0,0 +1,15 @@
+# 0.5.0
+
+This release is a minor bump only because it introduces a new dependency:
+
+## the `timers` gem
+
+We've introduced the [`timers` gem](https://github.com/socketry/timers) as a dependency to deal with total timeouts, thereby making the timeout object only a container of values to be refactored. This was in itself a small gain for such a big addition, but other future time-based features can be best built upon it than the existing work.
+
+
+## Bugfixes
+
+* the altsvc header wasn't properly parsed, and was breaking requests to google. Don't break requests to google!
+* Added support for faraday 0.16;
+* Made the IO selector less flaky;
+* Fixed the homepage, which was being displayed without styles;

data/doc/release_notes/0_5_1.md

@@ -0,0 +1,14 @@
+# 0.5.1
+
+## Improvements
+
+* Fixed flakiness of test suite introduced in the 0.4 versions;
+* compression plugin:
+  * do not send `accept-encoding` header when `range` is present;
+  * Remove from `content-encoding` if body stream decodes it;
+  * Added `HTTPX::Response::Body#encodings` to return the decoded encoding(s);
+
+## Bugfixes
+
+* non-UTF-8 bodies weren't being properly handled, which led to a loop report (`slice` -> `byteslice`);
+* connection reuse now also happens for requests with body (it was only working with `GET`s and other bodyless requests before);

data/doc/release_notes/0_6_0.md

@@ -0,0 +1,5 @@
+# 0.6.0
+
+## Improvements
+
+* Switches `http-2` gem with `http-2-next`, a fork with a focus on spec compliance.

data/doc/release_notes/0_6_1.md

@@ -0,0 +1,6 @@
+# 0.6.1
+
+## Bugfixes
+
+* If an http2 connection error happened before streams were open, errors weren't propagated, and there was an infinite loop.
+* Bumping `http-2-next`, fixes the flow control issue causing requests to cloudfront to fail.

data/doc/release_notes/0_6_2.md

@@ -0,0 +1,6 @@
+# 0.6.2
+
+## Bugfixes
+
+* Remove escaping of request uri;
+* strip header value (if value have newline, for example);

data/doc/release_notes/0_6_3.md

@@ -0,0 +1,13 @@
+# 0.6.3
+
+## Improvements
+
+* HTTP/2 `ORIGIN` frame support (https://tools.ietf.org/html/draft-ietf-httpbis-origin-frame-06);
+* Added functional tests for HTTP/2 connection coalescing (and fixed it, as it hasn't been working for a while);
+* Added functional tests for `Alt-Svc` header support;
+
+## Bugfixes
+
+* fixing alternative service redirection if `alt-svc` header pointed to the current peer;
+* fixing `alt-svc` support when ruby version does not support ALPN negotation;
+

data/doc/release_notes/0_6_4.md

@@ -0,0 +1,21 @@
+# 0.6.4
+
+This release takes where the last left off, and makes a concerted effort to improve both the test coverage and the number of features for which there are functional tests.
+
+## Improvements
+
+* Running Ruby 2.7 with no warnings;
+
+* Test suite now has functional tests for:
+  * authentication on proxies (http, socks4a, socks5);
+  * DNS-over-HTTPS;
+  * connect timeouts (still a bit flaky though);
+
+* Improved test coverage of project to 90%;
+
+* building website/blog with Jekyll 4;
+
+## Bugfixes
+
+* fixed regressions on HTTP, SOCKS4a and SOCKS5 proxy authentication;
+* fixed DNS-over-HTTPS implementation to be compliant with the latest RFC;

data/doc/release_notes/0_6_5.md

@@ -0,0 +1,22 @@
+# 0.6.5
+
+This release fixes important bugs, and automates the PKI for the test suite.
+
+## Features
+
+* `resolver_options` can now receive a `:cache` flag (default: `true`). This bypasses caching and forces the lookup;
+
+## Improvements
+
+* Building the TLS certs necessary for the test suite has been scripted, after the initial certs expired and brought the CI to a halt;
+* All DNS resolvers have a functional test, both for the happy as well as the error case;
+* Added functional tests for HTTP and HTTPS proxy with authentication, making all proxy options now tested with authentication;
+
+
+## Bugfixes
+
+* native and https DNS resolvers weren't usable after a resolving error;
+* system DNS resolver could halt the system after a dns resolving error;
+* fixed system halt on HTTP proxy authentication error;
+
+

data/doc/release_notes/0_6_6.md

@@ -0,0 +1,19 @@
+# 0.6.6
+
+## Features
+
+* The `retries` plugin receives two new options:
+  * `retry_on`: a callable that receives the failed response as an argument; the return value will determine whether there'll be a retried request.
+  * `retry_after`: time (in seconds) after which there request will be retried. Can be an integer or a callable that receives the request and returns an integer (one can do exponential back-off like that, for example).
+* Added support for DNS-over-HTTPS GET requests as per the latest spec.
+
+## Improvements
+
+* `HTTPX.plugins` got deprecated; basically, it's great until you have to pass options to a plugin, and then it just works (not). The recommended way to load multiple plugins is `HTTPX.plugin(...).plugin(...)`.
+
+
+## Bugfixes
+
+* fixed a proxy bug where an `Alt-Svc` response header would make the client try to connect. Just like connection coalescing and the ORIGIN frame, it ignores it when going through a proxy.  
+
+

data/doc/release_notes/0_6_7.md

@@ -0,0 +1,5 @@
+# 0.6.7
+
+## Bugfixes
+
+* An error was reported when using the follow plugin allowing insecure redirects: if the insecure redirect would be for the same host, and the original request was performed with HTTP/2, the library would try to coalesce the request, and blocks the reactor. A check was made to ensure that connection only coalesces if both are https connections.

data/doc/release_notes/0_7_0.md

@@ -0,0 +1,46 @@
+# 0.7.0
+
+
+## Features
+
+New option: `:max_requests`. This is a connection-level option signalizing how many requests can be performed on a connection. Although the HTTP/1 parser defined this well, in HTTP/2 this wasn't very clear, so: by definition, the remote MAX_CONCURRENT_STREAMS setting will be used to define it, unless the user explicitly passed the option. You can also pass `:max_requests => Float::INFINITY` if you know that the server allows more requests than that on a connection.
+
+New plugin: `:expect`. 
+
+Although there was support for `expect: 100-continue` header already when passed, this plugin can:
+
+* automatically set the header on requests with body;
+* execute the flow;
+* recover from 417 status errors (i.e. try again without it);
+* send body after X seconds if no 100 response came;
+
+Suport for `with_` methods for the session. As long as the suffix is a valid attribute, it's just like that:
+
+```ruby
+HTTPX.with_timeout(...).with_ssl(...)
+# same as:
+# HTTPX.with(timeout: ..., ssl: ...)
+```
+
+## Improvements
+
+### Connections
+
+The following improvements make the `persistent` plugin way more resilient:
+
+* Better balancing of HTTP/2 connections by distributing requests among X connections depending of how many requests they can process.
+* Exhausted connections can off-load to a new same-origin connection (such as, when the server negotiates less `MAX_CONCURRENT_STREAMS` than what's expected).
+
+### Timeouts
+
+(Timeouts will be one of the main improvements from the 0.7.x series)
+
+`:total_timeout` is now a connection-level directive, which means that this feature will actually make more sense and account for all requests in a block at the same time, instead of one-by-one.
+
+### Options
+
+Option setters were being bypassed, therefore a lot of the type-checks defined there weren't effectively being picked upon, which could have led to weird user errors.
+
+## Bugfixes
+
+* fixed the `push_promise` plugin integration (wasn't working well since `http-2-next` was adopted);

data/doc/release_notes/0_8_0.md

@@ -0,0 +1,27 @@
+# 0.8.0
+
+
+## Features
+
+* `keep_alive_timeout`: for persistent connections, the keep alive timeout will set the connection to be closed if not reused for a request **after** the last received response;
+
+## Improvements
+
+* using `max_requests` for HTTP/1 pipelining as well;
+* `retries` plugin now works with plain HTTP responses (not just error responses);
+* reduced the number of string allocations from log labels;
+* performance: a lot of improvements were made to optimize the "waiting for IO events" phase, which dramatically reduced the CPU usage and make the performance of the library more on-par with other ruby HTTP gems for the 1-shot request scenario.
+
+
+## Bugfixes
+
+* fixed `HTTPX::Response#copy_to`;
+* fixed `compression` plugin not properly compressing request bodies using `gzip`;
+* fixed `compression` plugin not handling `content-encoding: identity` payloads;
+* do not overwrite user-defined `max_requests`on HTTP2 connection handshake;
+* `retries` plugin: connection was blocking when a request with body was retried;
+* `alt-svc: clear` response header was causing the process to hang;
+
+## Tests
+
+* Code coverage improved to 91%;

data/doc/release_notes/0_8_1.md

@@ -0,0 +1,8 @@
+# 0.8.1
+
+
+## Bugfixes
+
+* fixing HTTP/2 handshake IO interests calculation;
+* fixed the double ctrl+f issue when terminating an ongoing HTTP/2 request;
+* fixed connection comparison when passing headers;

data/doc/release_notes/0_8_2.md

@@ -0,0 +1,7 @@
+# 0.8.2
+
+## Features
+
+* `:expect` plugin now supports a new option, `:expect_threshold_size`, meaning: the byte size threshold below which no `expect` header will be sent with requests with payload.
+* `:compression` plugin now supports a new option, `:compression_threshold_size`, meaning: the bytesize threshold below which request payload won't be compressed before being sent.
+* for HTTP/2 connections, when `keep_alive_timeout` expires, a `PING` frame is used to check connection availability; if successful, the connection will be reused.

data/doc/release_notes/0_9_0.md

@@ -0,0 +1,38 @@
+# 0.9.0
+
+## Features
+
+### Multiple requests with specific options
+
+You can now pass a third element to the "request element" of an array to `.request`.
+
+```ruby
+requests = [
+  [:post, "https://url/post", { form: { foo: "bar" } }],
+  [:post, "https://url/post", { form: { foo: "bar2" } }]
+]
+HTTPX.request(requests)
+# or, if you want to pass options common to all requests
+HTTPX.request(requests, max_concurrent_requests: 1)
+```
+
+
+### HTTPX::Session#build_request
+
+`HTTPX::Session::build_request` is now public API from a session. You can now build requests before you send them. These request objects are still considered somewhat "internal", so consider them immutable and **do not rely on its API**. Just pass them forward.
+
+Note: this API is only available for instantiated session, so there is no `HTTPX.build_request`.
+
+
+```ruby
+
+HTTPX.wrap do |http|
+  requests = [
+    http.build_request(:post, "https://url/post", { form: { foo: "bar" } }),
+    http.build_request(:post, "https://url/post", { form: { foo: "bar2" } })
+  ]
+  http.request(requests)
+  # or, if you want to pass options common to all requests
+  http.request(requests, max_concurrent_requests: 1)
+end
+```

data/doc/release_notes/1_0_0.md

@@ -0,0 +1,60 @@
+# 1.0.0
+
+## Breaking changes
+
+* the minimum supported ruby version is 2.7.0 .
+* The fallback support for IDNA 2003 has been removed. If you require this feature, install the [idnx gem](https://github.com/HoneyryderChuck/idnx), which `httpx` automatically integrates with when available (and supports IDNA 2008).
+* `:total_timeout` option has been removed (no session-wide timeout supported, use `:request_timeout`).
+* `:read_timeout` and `:write_timeout` are now set to 60 seconds by default, and preferred over `:operation_timeout`;
+  * the exception being in the `:stream` plugin, as the response is theoretically endless (so `:read_timeout` is unset).
+* The `:multipart` plugin is removed, as its functionality and API are now loaded by default (no API changes).
+* The `:compression` plugin is removed, as its functionality and API are now loaded by default (no API changes).
+  * `:compression_threshold_size` was removed (formats in `"content-encoding"` request header will always encode the request body).
+  * the new `:compress_request_body` and `:decompress_response_body` can be set to `false` to (respectively) disable compression of passed input body, or decompression of the response body.
+* `:retries` plugin: the `:retry_on` condition will **not** replace default retriable error checks, it will now instead be triggered **only if** no retryable error has been found.
+
+### plugins
+
+* `:authentication` plugin becomes `:auth`.
+  * `.authentication` helper becomes `.authorization`.
+* `:basic_authentication` plugin becomes `:basic_auth`.
+  * `:basic_authentication` helper is removed.
+* `:digest_authentication` plugin becomes `:digest_auth`.
+  * `:digest_authentication` helper is removed.
+* `:ntlm_authentication` plugin becomes `:ntlm_auth`.
+  * `:ntlm_authentication` helper is removed.
+* OAuth plugin: `:oauth_authentication` helper is rename to `:oauth_auth`.
+* `:compression/brotli` plugin becomes `:brotli`.
+
+### Support removed for deprecated APIs
+
+* The deprecated `HTTPX::Client` constant lookup has been removed (use `HTTPX::Session` instead).
+* The deprecated `HTTPX.timeout({...})` function has been removed (use `HTTPX.with(timeout: {...})` instead).
+* The deprecated `HTTPX.headers({...})` function has been removed (use `HTTPX.with(headers: {...})` instead).
+* The deprecated `HTTPX.plugins(...)` function has been removed (use `HTTPX.plugin(...).plugin(...)...` instead).
+* The deprecated `:transport_options` option, which was only valid for UNIX connections, has been removed (use `:addresses` instead).
+* The deprecated `def_option(...)` function, previously used to define additional options in plugins, has been removed (use `def option_$new_option)` instead).
+* The deprecated `:loop_timeout` timeout option has been removed.
+* `:stream` plugin: the deprecated `HTTPX::InstanceMethods::StreamResponse` has been removed (use `HTTPX::StreamResponse` instead).
+* The deprecated usage of symbols to indicate HTTP verbs (i.e. `HTTPX.request(:get, ...)` or `HTTPX.build_request(:get, ...)`) is not supported anymore (use the upcase string always, i.e. `HTTPX.request("GET", ...)` or `HTTPX.build_request("GET", ...)`, instead).
+* The deprecated `HTTPX::ErrorResponse#status` method has been removed (use `HTTPX::ErrorResponse#error` instead).
+
+### dependencies
+
+* `http-2-next` minimum supported version is 1.0.0.
+* `:datadog` adapter only supports `ddtrace` gem 1.x or higher.
+* `:faraday` adapter only supports `faraday` gem 1.x or higher.
+
+## Improvements
+
+* `circuit_breaker`: the drip rate of real request during the "half-open" stage of a circuit will reliably distribute real requests (as per the drip rate) over the `max_attempts`, before the circuit is closed.
+
+## Bugfixes
+
+* Tempfiles are now correctly identified as file inputs for multipart requests.
+* fixed `proxy` plugin behaviour when loaded with the `follow_redirects` plugin and processing a 305 response (request needs to be retried on a different proxy).
+
+## Chore
+
+* `:grpc` plugin: connection won't buffer requests before HTTP/2 handshake is commpleted, i.e. works the same as plain `httpx` HTTP/2 connection establishment.
+  * if you are relying on this, you can keep the old behavior this way: `HTTPX.plugin(:grpc, http2_settings: { wait_for_handshake: false })`.

data/doc/release_notes/1_0_1.md

@@ -0,0 +1,5 @@
+# 1.0.1
+
+## Bugfixes
+
+* do not try to inflate empty chunks (it triggered an error during response decoding).

data/doc/release_notes/1_0_2.md

@@ -0,0 +1,7 @@
+# 1.0.2
+
+## bugfixes
+
+* bump `http-2-next` to 1.0.1, which fixes a bug where http/2 connection interprets MAX_CONCURRENT_STREAMS as request cap.
+* `grpc`: setup of rpc calls from camel-cased symbols has been fixed. As an improvement, the GRPC-enabled session will now support both snake-cased, as well as camel-cased calls.
+* `datadog` adapter has now been patched to support the most recent breaking changes of `ddtrace` configuration DSL (`env_to_bool` is no longer supported).

data/doc/release_notes/1_1_0.md

@@ -0,0 +1,32 @@
+# 1.1.0
+
+## Features
+
+A function, `#peer_address`, was added to the response object, which returns the IP (either a string or an `IPAddr` object) from the socket used to get the response from.
+
+```ruby
+response = HTTPX.get("https://example.com")
+response.peer_address #=> #<IPAddr: IPv4:93.184.216.34/255.255.255.255>
+```
+
+error responses will also expose an IP address via `#peer_address` as long a connection happened before the error.
+
+## Improvements
+
+* A performance regression involving the new default timeouts has been fixed, which could cause significant overhead in "multiple requests in sequence" scenarios, and was clearly visible in benchmarks.
+  * this regression will still be seen in jruby due to a bug, which fix will be released in jruby 9.4.5.0.
+* HTTP/1.1 connections are now set to handle as many requests as they can by default (instead of the past default of max 200, at which point they'd be recycled).
+* tolerate the inexistence of `openssl` in the installed ruby, like `net-http` does.
+* `on_connection_opened` and `on_connection_closed` will yield the `OpenSSL::SSL::SSLSocket` instance for `https` backed origins (instead of always the `Socket` instance).
+
+## Bugfixes
+
+* when using the `:native` resolver (default option), a default of 1 for ndots is set, for systems which do not set one.
+* replaced usage of `Float::INFINITY` with `nil` for timeout defaults, as the former can't be used in IO wait functions.
+* `faraday` adapter timeout setup now maps to `:read_timeout` and `:write_timeout` options from `httpx`.
+* fixed HTTP/1.1 connection recycling on number of max requests exhausted.
+* `response.json` will now work when "content-type" header is set to "application/hal+json".
+
+## Chore
+
+* when using the `:cookies` plugin, a warning message to install the idnx message will only be emitted if the cookie domain is an IDN (this message was being shown all the time since v1 release).

data/doc/release_notes/1_1_1.md

@@ -0,0 +1,17 @@
+# 1.1.1
+
+## improvements
+
+* (Re-)enabling default retries in DNS name queries; this had been disabled as a result of revamping timeouts, and resulted in queries only being sent once, which is very little for UDP-related traffic, and breaks if using DNs rate-limiting software. Retries the query just once, for now.
+
+## bugfixes
+
+* reset timers when adding new intervals, as these may be added as a result on after-select connection handling, and must wait for the next tick cycle (before the patch, they were triggering too soon).
+* fixed "on close" callback leak on connection reuse, which caused linear performance regression in benchmarks performing one request per connection.
+* fixed hanging connection when an HTTP/1.1 emitted a "connection: close" header but the server would not emit one (it closes the connection now).
+* fixed recursive dns cached lookups which may have already expired, and created nil entries in the returned address list.
+* dns system resolver is now able to retry on failure.
+
+## chore
+
+* remove duplicated callback unregitering connections.

data/doc/release_notes/1_1_2.md

@@ -0,0 +1,12 @@
+# 1.1.2
+
+## improvements
+
+* only moving eden connections to idle when they're recycled.
+
+## bugfixes
+
+* skip closing a connection which is already closed during reset.
+* sentry adapter: fixed `super` call which didn't have a super method (this prevented usinng sentry-enabled sessions with the `:retries` plugin).
+* sentry adapter: fixing registering of sentry config.
+* sentry adapter: do not propagate traces when relevant sdk options are disabled (such as `propagate_traces`).

data/doc/release_notes/1_1_3.md

@@ -0,0 +1,18 @@
+# 1.1.3
+
+## improvements
+
+## security
+
+* when using `:follow_redirects` plugin, the "authorization" header will be removed when following redirect responses to a different origin.
+
+## bugfixes
+
+* fixed `:stream` plugin not following redirect responses when used with the `:follow_redirects` plugin.
+* fixed `:stream` plugin not doing content decoding when responses were p.ex. gzip-compressed.
+* fixed bug preventing usage of IPv6 loopback or link-local addresses in the request URL in systems with no IPv6 internet connectivity (the request was left hanging).
+* protect all code which may initiate a new connection from abrupt errors (such as internet turned off), as it was done on the initial request call.
+
+## chore
+
+internal usage of `mutex_m` has been removed (`mutex_m` is going to be deprecated in ruby 3.3).

data/doc/release_notes/1_1_4.md

@@ -0,0 +1,6 @@
+# 1.1.4
+
+## bugfixes
+
+* datadog adapter: use `Gem::Version` to invoke the correct configuration API.
+* stream plugin: do not preempt request enqueuing (this was making integration with the `:follow_redirects` plugin fail when set up with `webmock`).

data/doc/release_notes/1_1_5.md

@@ -0,0 +1,12 @@
+# 1.1.5
+
+## improvements
+
+* pattern matching support for responses has been backported to ruby 2.7 as well.
+
+## bugfixes
+
+* `stream` plugin: fix for `HTTPX::StreamResponse#each_line` not yielding the last line of the payload when not delimiter-terminated.
+* `stream` plugin: fix `webmock` adapter integration when methods calls would happen in the `HTTPX::StreamResponse#each` block.
+* `stream` plugin: fix `:follow_redirects` plugin integration which was caching the redirect response and using it for method calls inside the `HTTPX::StreamResponse#each` block.
+* "103 early hints" responses will be ignored when processing the response (it was causing the response returned by sesssions to hold its headers, instead of the following 200 response, while keeping the 200 response body).

data/doc/release_notes/1_2_0.md

@@ -0,0 +1,49 @@
+# 1.2.0
+
+## Features
+
+### `:ssrf_filter` plugin
+
+The `:ssrf_filter` plugin prevents server-side request forgery attacks, by blocking requests to the internal network. This is useful when the URLs used to perform requests aren’t under the developer control (such as when they are inserted via a web application form).
+
+```ruby
+http = HTTPX.plugin(:ssrf_filter)
+
+# this works
+response = http.get("https://example.com")
+
+# this doesn't
+response = http.get("http://localhost:3002")
+response = http.get("http://[::1]:3002")
+response = http.get("http://169.254.169.254/latest/meta-data/")
+```
+
+More info under https://honeyryderchuck.gitlab.io/httpx/wiki/SSRF-Filter
+
+### `:callbacks` plugin
+
+The session callbacks introduced in v0.24.0 are in its own plugin. Older code will still work and emit a deprecation warning.
+
+More info under https://honeyryderchuck.gitlab.io/httpx/wiki/Callbacks
+
+### `:redirect_on` option for `:follow_redirects` plugin
+
+This option allows passing a callback which, when returning `false`, can interrupt the redirect loop.
+
+```ruby
+http = HTTPX.plugin(:follow_redirects).with(redirect_on: ->(location_uri) { BLACKLIST_HOSTS.include?(location_uri.host) })
+```
+
+### `:close_on_handshake_timeout` timeout
+
+A new `:timeout` option, `:close_handshake_timeout`, is added, which monitors connection readiness when performing HTTP/2 connection termination handshake.
+
+## Improvements
+
+* Internal "eden connections" concept was removed, and connection objects are now kept-and-reused during the lifetime of a session, even when closed. This simplified connectio pool implementation and improved performance.
+* request using `:proxy` and `:retries` plugin enabled sessions will now retry on proxy connection establishment related errors.
+
+## Bugfixes
+
+* webmock adapter: mocked responses storing decoded payloads won't try to decode them again (fixes vcr/webmock integrations).
+* webmock adapter: fix issue related with making real requests over webmock-enabled connection.

data/doc/release_notes/1_2_1.md

@@ -0,0 +1,6 @@
+# 1.2.1
+
+## Bugfixes
+
+* DoH resolver: try resolving other candidates on "domain not found" error (same behaviour as with native resolver).
+* Allow HTTP/2 connections to exit cleanly when TLS session gets corrupted and termination handshake can't be performed.

data/doc/release_notes/1_2_2.md

@@ -0,0 +1,10 @@
+# 1.2.2
+
+## Bugfixes
+
+* only raise "unknown option" error when option is not supported, not anymore when error happens in the setup of a support option.
+* usage of `HTTPX::Session#wrap` within a thread with other sessions using the `:persistent` plugin won't inadvertedly terminate its open connections.
+* terminate connections on `IOError` (`SocketError` does not cover them).
+* terminate connections on HTTP/2 protocol and handshake errors, which happen during establishment or termination of a HTTP/2 connection (they were being previously kept around, although they'd irrecoverable).
+* `:oauth` plugin: fixing check preventing the OAuth metadata server integration path to be exercised.
+* fix instantiation of the options headers object with the wrong headers class.

data/doc/release_notes/1_2_3.md

@@ -0,0 +1,16 @@
+# 1.2.3
+
+## Improvements
+
+* `:retries` plugin: allow `:max_retries` set to 0 (allows for a soft disable of retries when using the faraday adapter).
+
+## Bugfixes
+
+* `:oauth` plugin: fix for default auth method being ignored when setting grant type and scope as options only.
+*  ensure happy eyeballs-initiated cloned connections also set session callbacks (caused issues when server would respond with a 421 response, an event requiring a valid internal callback).
+*  native resolver cleanly transitions from tcp to udp after truncated DNS query (causing issues on follow-up CNAME resolution).
+* elapsing timeouts now guard against mutation of callbacks while looping (prevents skipping callbacks in situations where a previous one would remove itself from the collection).
+
+## Chore
+
+* datadog adapter: do not call `.lazy` on options (avoids deprecation warning, to be removed in ddtrace 2.0)