savon 2.17.1 → 2.17.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 00ae14802f108cb0df2757b85888a35df4b6b0e462ae0d01c1eedc9b4f9c123c
-  data.tar.gz: cee1d2d13ed6e869611817271c43352c470c4c7fb79e72dc7e6e7a4d9ac37191
+  metadata.gz: ffcf3a770d4dd548ec193c9f6d8b8723eef3a661273dc50e8bb5a06ba99f0f13
+  data.tar.gz: d03d1de9d1bc5b1af722b56dc71e99acc1a46f951f45d377b9eea2974016f2ed
 SHA512:
-  metadata.gz: 8b754234ac51e2213f92254a88345743cc54e09026e220d85931b8bfe0ba78f5a417f81e561047b37410f52713f3583120c6d3095ab68a2b9705427f03822d07
-  data.tar.gz: 49a3260e064073d9370b80b376db5f9c75bab5e38dbdf7db2ffc8533dc2a58652bb0699830468f1e59319a98fd7210503a6c999b386e3ec6c9f4d23ac7f813e1
+  metadata.gz: 5a5e490cbf30a0e2216439dc9ceb51493c5b5fec107ce3ff4219eb8c5ded1c9e3b612b6bb8b44c4163d12a97c73415f441f33542b35e22bd7b1908f8cb123fa2
+  data.tar.gz: c6d5c85d39f406f75e5e0b005b250e5a97da5d60e42ca44fe827d72f97b2fd967a054684be73e8134c19506e8da6e8dcc7222769fa017d2b7c02cf2336e6dc12

data/CHANGELOG.md

@@ -1,38 +1,91 @@
 # Savon changelog
 
-## 2.17.1 (2026-05-21)
+All notable changes to this project will be documented in this file.
 
-* Fix: [#1008](https://github.com/savonrb/savon/pull/1008) - The HTTPI and Faraday transports no longer set an explicit `Content-Length` request header. The underlying HTTP library already computes it from the body; sending it as well produced a duplicate header on adapters that do not deduplicate (e.g. httpclient), which some servers reject.
-* Fix: Requests using `attachments` were sent with a plain `text/xml` Content-Type instead of `multipart/related`. The 2.17.0 transport refactor assembled the request headers before the multipart body was built, leaving `Builder#multipart` empty at header time, so servers received a multipart body labelled as plain XML. 2.16.x and earlier are unaffected.
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## 2.17.0 (2026-05-19)
+## [2.17.2] - 2026-06-10
+
+**Fix CVE-2026-53510 and restore 2.17.0 cookie regressions**
+
+### Fixed
+
+* **Fix CVE-2026-53510** `Savon::Model` generated SOAP operation methods by interpolating operation names into Ruby source passed to `module_eval`. An attacker who can control the operation names of a WSDL, can inject Ruby code that executes in the application process. This affects only the `.all_operations` class method provided by `Savon::Model` to automatically register all operations provided by the WSDL. Configuring `Savon::Model` with trusted operation names via `.operations` is safe. Thanks to @connorshea for securely disclosing this, providing a proof and a great report.
+* **`:cookies` request option works again.** The 2.17.0 transport refactor reimplemented cookie handling on top of `Array#map`, which broke callers passing an object that responds to `#cookies` and lost cookie-name de-duplication via `HTTPI::CookieStore`. The HTTPI transport delegates to `HTTPI::Request#set_cookies` again, restoring both shapes.
+* **`response.http.cookies` works again.** 2.17.0's `Savon::Transport::Response` only exposed `code`, `headers`, and `body`. The HTTPI transport now returns `Array<HTTPI::Cookie>` (matching 2.12.1). The Faraday transport returns `Hash<String, String>` so Faraday callers do not need HTTPI types.
+* **`:attachments` now works with a user-supplied `:xml` envelope** ([#761](https://github.com/savonrb/savon/pull/761)). Multipart support shipped in 2.13.0 but only wrapped envelopes Savon built itself. When a caller passed their own `:xml`, attachments were silently dropped.
+
+### Added
+
+* **Faraday `:cookies` option accepts a `String` or `Hash`.** Strings are used verbatim, Hashes are formatted as `"name=value; name=value"`. Round-trippable with the Faraday response shape.
+* **Three Nori response-parsing options exposed as Savon globals:** `:empty_tag_value` (default `nil`), `:convert_dashes_to_underscores` (default `true`), and `:scrub_xml` (default `true`). Defaults match Nori's own for backwards compatibility.
+
+### Changed
+
+* **Minimum Nori version is now `~> 2.7`** (was `~> 2.4`). Needed for the new parsing options (`:empty_tag_value` arrived in Nori 2.6.0, `:scrub_xml` in 2.7.0). The 2.5–2.7 series also brings fixes callers benefit from automatically: invalid byte sequences parse instead of raising, REXML no longer turns `&lt;` inside CDATA into `<`, `xs:date`/`xs:time`/`xs:dateTime` typecasting was corrected, and Nori stopped monkey-patching `String` and `Object`.
+* **Faraday migration hints are now value-aware and verified.** Each hint prints the caller's actual option value and spells out the full gem/require/setup where needed. Fixed several incorrect examples and added tests to verify every hint.
+
+### Deprecated
+
+* Deprecated the global and local `:multipart` options. They have been no-ops since v2.13.0. Specifically since commit 4e7ae5e. Savon detects multipart responses by checking the `Content-Type` header.
+
+## [2.17.1] - 2026-05-21
+
+### Fixed
+
+* [#1008](https://github.com/savonrb/savon/pull/1008) - The HTTPI and Faraday transports no longer set an explicit `Content-Length` request header. The underlying HTTP library already computes it from the body. Sending it as well produced a duplicate header on adapters that do not deduplicate (e.g. httpclient), which some servers reject.
+* Requests using `attachments` were sent with a plain `text/xml` Content-Type instead of `multipart/related`. The 2.17.0 transport refactor assembled the request headers before the multipart body was built, leaving `Builder#multipart` empty at header time, so servers received a multipart body labelled as plain XML. 2.16.x and earlier are unaffected.
+
+## [2.17.0] - 2026-05-19
 
 **Add opt-in Faraday transport**
 
 Callers who set `transport: :faraday` get a memoized `Faraday::Connection` via `client.faraday` and full control over middleware, SSL, auth, and timeouts. Callers who do not set this option see no behavior change. HTTPI remains the default for 2.x.
 
-* Add: `transport: :faraday` global option. Defaults to `:httpi` (#992).
-* Add: `client.faraday` returns a memoized `Faraday::Connection` for configuring middleware, SSL, auth, and timeouts when using the Faraday transport.
-* Add: `Savon.client` raises if `transport: :faraday` is set but the faraday gem is not installed, or if any httpi-specific global option (`proxy`, timeouts, `ssl`, auth, `adapter`) is set alongside it. All conflicts are reported with their Faraday equivalents.
-* Change: Observers must return `Savon::Transport::Response` (or `nil`) instead of `HTTPI::Response`. Returning `HTTPI::Response` still works but emits a deprecation warning.
-* Unblocks:
-  * redirect following for WSDL fetches via `faraday-follow-redirects` middleware (#1033, savonrb/wasabi#18)
-  * digest authentication via `faraday-digestauth` middleware (#1021, savonrb/httpi#250)
-  * proxy authentication with special characters in passwords (#941)
-  * and setting an `Accept` header for WSDL requests from Rails apps (savonrb/wasabi#115)
+### Added
 
-## 2.16.0 (2026-05-18)
+* `transport: :faraday` global option. Defaults to `:httpi` (#992).
+* `client.faraday` returns a memoized `Faraday::Connection` for configuring middleware, SSL, auth, and timeouts when using the Faraday transport.
+* `Savon.client` raises if `transport: :faraday` is set but the faraday gem is not installed, or if any httpi-specific global option (`proxy`, timeouts, `ssl`, auth, `adapter`) is set alongside it. All conflicts are reported with their Faraday equivalents.
+
+### Changed
+
+* Observers must return `Savon::Transport::Response` (or `nil`) instead of `HTTPI::Response`.
+
+### Deprecated
+
+* The HTTPI transport (currently the default) and all HTTPI-specific global options enumerated in `Savon::FaradayMigrationHint::OPTIONS` (`proxy`, `open_timeout`, `read_timeout`, `write_timeout`, the `ssl_*` family, `basic_auth`, `digest_auth`, `ntlm`, `follow_redirects`, `adapter`) will be removed in 3.0. Migrate to `transport: :faraday`. `FaradayMigrationHint` shows the Faraday equivalent for each option.
+* Returning `HTTPI::Response` from observers emits a deprecation warning and will be removed in 3.0. Return `Savon::Transport::Response` instead.
+
+The Faraday transport unblocks:
+
+* redirect following for WSDL fetches via `faraday-follow-redirects` middleware (#1033, savonrb/wasabi#18)
+* digest authentication via `faraday-digestauth` middleware (#1021, savonrb/httpi#250)
+* proxy authentication with special characters in passwords (#941)
+* and setting an `Accept` header for WSDL requests from Rails apps (savonrb/wasabi#115)
+
+## [2.16.0] - 2026-05-18
 
 **Restore compatibility**
 
 If you stayed on 2.12.1 because a later version broke something, this release is for you. The fixes below target the most commonly reported upgrade blockers. Existing code should work without modification.
 
-* Fix: Restore `Savon::Response#hash` removed in 2.14.0 (#985). Callers on 2.12.1 that use `response.hash` get the soap body back instead of Ruby's integer object id. A deprecation warning is emitted on each call. Use `#full_hash` going forward.
-* Fix: Require wasabi >= 5.1.0 (#1015, #1016). Wasabi 4.x used message names as soap body element names and SOAPAction header values instead of operation names (savonrb/wasabi#122), causing servers to return a fault or reject the action for operations whose message name carried an `In` suffix.
-* Fix: Stop dumping all WSDL namespaces into every soap envelope (#1014, #942). 2.13.0 injected every namespace from the entire WSDL document into each request, including structural ones that have no place in a request body. Strict servers reject envelopes with unexpected or duplicate declarations.
-* Fix: Raise a proper `SOAPFault` instead of a raw exception when `soap:Fault` contains invalid encoding (#923).
-* Fix: `SOAPFault.present?` was ignoring its `xml` argument and always operating on the instance's own body.
-* Change: Added Ruby 3.4 (#1024) and Ruby 4.0 (#1039) to the CI test matrix.
+### Fixed
+
+* Restore `Savon::Response#hash` removed in 2.14.0 (#985). Callers on 2.12.1 that use `response.hash` get the soap body back instead of Ruby's integer object id.
+* Require wasabi >= 5.1.0 (#1015, #1016). Wasabi 4.x used message names as soap body element names and SOAPAction header values instead of operation names (savonrb/wasabi#122), causing servers to return a fault or reject the action for operations whose message name carried an `In` suffix.
+* Stop dumping all WSDL namespaces into every soap envelope (#1014, #942). 2.13.0 injected every namespace from the entire WSDL document into each request, including structural ones that have no place in a request body. Strict servers reject envelopes with unexpected or duplicate declarations.
+* Raise a proper `SOAPFault` instead of a raw exception when `soap:Fault` contains invalid encoding (#923).
+* `SOAPFault.present?` was ignoring its `xml` argument and always operating on the instance's own body.
+
+### Changed
+
+* Added Ruby 3.4 (#1024) and Ruby 4.0 (#1039) to the CI test matrix.
+
+### Deprecated
+
+* `Savon::Response#hash` emits a deprecation warning on each call. Use `#full_hash` going forward. Will be removed in 3.0.
 
 ## 2.15.1 (2024-07-08)
 
@@ -1186,3 +1239,8 @@ Pay attention to the following list and read the updated Wiki: http://wiki.githu
 ## 0.5.0 (2009-11-29)
 
 * Complete rewrite and public release.
+
+[2.17.2]: https://github.com/savonrb/savon/compare/v2.17.1...v2.17.2
+[2.17.1]: https://github.com/savonrb/savon/compare/v2.17.0...v2.17.1
+[2.17.0]: https://github.com/savonrb/savon/compare/v2.16.0...v2.17.0
+[2.16.0]: https://github.com/savonrb/savon/compare/v2.15.1...v2.16.0

data/README.md

@@ -6,7 +6,7 @@ Heavy metal SOAP client
 [![Gem Version](https://badge.fury.io/rb/savon.svg)](http://badge.fury.io/rb/savon)
 [![Coverage Status](https://coveralls.io/repos/savonrb/savon/badge.svg)](https://coveralls.io/r/savonrb/savon)
 
-Savon is a SOAP client for Ruby. [SOAP is the protocol](https://www.w3.org/TR/soap/) spoken by many enterprise systems in banking, government, ERP or payroll. When they hand you a WSDL URL or file instead of a REST spec, it's SOAP. Savon reads the WSDL, maps available operations to Ruby symbols, converts Ruby hashes to SOAP envelopes and turns XML responses into hashes you can work with.
+Savon is a SOAP client for Ruby. [SOAP is the protocol](https://www.w3.org/TR/soap/) spoken by many enterprise systems. When they hand you a WSDL URL or file instead of a REST spec, it's SOAP. Savon reads the WSDL, maps available operations to Ruby symbols, converts Ruby hashes to SOAP envelopes and turns XML responses into hashes you can work with.
 
 Full documentation is at [savonrb.com](https://savonrb.com).
 
@@ -68,7 +68,17 @@ Savon uses [HTTPI](https://github.com/savonrb/httpi) for HTTP by default. Since
 
 ## Ruby support
 
-Savon 2.x requires Ruby 3.0 or later. See the [changelog](CHANGELOG.md) for historical compatibility.
+Savon 2.x requires Ruby >= 3.0.0, kept as the lower bound for backward compatibility. Note that Ruby 3.0–3.3 are EOL or security-only. Ruby 3.4+ is the minimum version with active maintenance.
+
+## Versioning & stability
+
+Savon follows [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html). The changelog format is [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+**The 2.x line is anchored on 2.12.1.** Every 2.x release is supposed to be safe to upgrade to from 2.12.1, and anything that worked in 2.12.1 keeps working. We do not remove or rename public APIs in the 2.x line. New behavior is opt-in and requires an explicit option change. If you found a problem with that, please let us know.
+
+We only soft-deprecate APIs we plan to remove. The `Deprecated` sections of the [changelog](CHANGELOG.md) list every API that is planned to be removed with version 3.0.
+
+Callers on 2.13.0–2.15.x may see specific post-2.12.1 behaviors restored to the 2.12.1 contract. This is intentional.
 
 ## Known limitations
 

data/lib/savon/builder.rb

@@ -70,10 +70,17 @@ module Savon
       @body_attributes ||= @signature.nil? ? {} : @signature.body_attributes
     end
 
+    # Returns the request body as a String. When the caller supplies a pre-built
+    # envelope via the :xml local option it is used verbatim, but it must still
+    # be wrapped in a multipart message when :attachments are present.
+    # Otherwise the attachments are silently dropped.
     def to_s
-      return @locals[:xml] if @locals.include? :xml
-
-      build_document
+      if @locals.include?(:xml)
+        xml = @locals[:xml]
+        @locals[:attachments] ? build_multipart_message(xml) : xml
+      else
+        build_document
+      end
     end
 
     private

data/lib/savon/faraday_migration_hint.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module Savon
+  # Formats the replacement Faraday setup for one HTTPI-only option.
+  class FaradayMigrationHint
+    VALUE_AWARE_OPTIONS = %i[
+      proxy
+      open_timeout
+      read_timeout
+      write_timeout
+      ssl_version
+      ssl_min_version
+      ssl_max_version
+      ssl_verify_mode
+      ssl_cert_key_file
+      ssl_cert_file
+      ssl_ca_cert_file
+      ssl_ciphers
+      ssl_ca_cert_path
+      adapter
+    ].freeze
+
+    STATIC_HINTS = {
+      ssl_cert_key: "client.faraday.ssl.client_key = key",
+      ssl_cert_key_password: [
+        "key = OpenSSL::PKey.read(File.read(key_path), password)",
+        "client.faraday.ssl.client_key = key"
+      ],
+      ssl_cert: "client.faraday.ssl.client_cert = cert",
+      ssl_ca_cert: [
+        "store = OpenSSL::X509::Store.new",
+        "store.set_default_paths",
+        "store.add_cert(cert)",
+        "client.faraday.ssl.cert_store = store"
+      ],
+      ssl_cert_store: "client.faraday.ssl.cert_store = store",
+      basic_auth: "client.faraday.request :authorization, :basic, user, pass",
+      digest_auth: [
+        "gem 'faraday-digestauth'",
+        "require 'faraday/digestauth'",
+        "client.faraday.request :digest, user, pass"
+      ],
+      ntlm: [
+        "gem 'faraday-ntlm_auth'",
+        "require 'faraday/ntlm_auth'",
+        "client.faraday.adapter :net_http_persistent",
+        "client.faraday.request :ntlm_auth, auth: [user, pass, domain]"
+      ],
+      follow_redirects: [
+        "gem 'faraday-follow_redirects'",
+        "require 'faraday/follow_redirects'",
+        "client.faraday.response :follow_redirects"
+      ]
+    }.freeze
+
+    OPTIONS = (VALUE_AWARE_OPTIONS + STATIC_HINTS.keys).freeze
+
+    def initialize(option, value)
+      @option = option
+      @value = value
+    end
+
+    def message
+      hint = hint_lines
+      return "  #{option} - Use: #{hint}" unless hint.is_a?(Array)
+
+      "  #{option} - Use:\n#{hint.map { |line| "    #{line}" }.join("\n")}"
+    end
+
+    private
+
+    attr_reader :option, :value
+
+    def hint_lines
+      case option
+      when :proxy
+        "client.faraday.proxy = #{redacted_proxy_value}"
+      when :open_timeout, :read_timeout, :write_timeout
+        "client.faraday.options.#{option} = #{value.inspect}"
+      when :ssl_version, :ssl_min_version, :ssl_max_version
+        ssl_version_hint
+      when :ssl_verify_mode
+        ssl_verify_mode_hint
+      when :ssl_cert_key_file
+        ssl_cert_key_file_hint
+      when :ssl_cert_file
+        ssl_cert_file_hint
+      when :ssl_ca_cert_file
+        "client.faraday.ssl.ca_file = #{value.inspect}"
+      when :ssl_ciphers
+        "client.faraday.ssl.ciphers = #{value.inspect}"
+      when :ssl_ca_cert_path
+        "client.faraday.ssl.ca_path = #{value.inspect}"
+      when :adapter
+        adapter_hint
+      else
+        STATIC_HINTS.fetch(option)
+      end
+    end
+
+    def redacted_proxy_value
+      uri = URI.parse(value.to_s)
+      return value.inspect unless uri.absolute? && uri.host
+
+      redacted = uri.dup
+      redacted.userinfo = "..." if redacted.userinfo
+      redacted.path = "" if redacted.respond_to?(:path=)
+      redacted.query = nil if redacted.respond_to?(:query=)
+      redacted.fragment = nil if redacted.respond_to?(:fragment=)
+      redacted.to_s.inspect
+    rescue URI::InvalidURIError
+      '"[redacted proxy URL]"'
+    end
+
+    def ssl_version_hint
+      faraday_option = {
+        ssl_version: "version",
+        ssl_min_version: "min_version",
+        ssl_max_version: "max_version"
+      }.fetch(option)
+
+      "client.faraday.ssl.#{faraday_option} = #{value.inspect}"
+    end
+
+    def ssl_cert_key_file_hint
+      [
+        "key = OpenSSL::PKey.read(File.read(#{value.inspect}))",
+        "client.faraday.ssl.client_key = key"
+      ]
+    end
+
+    def ssl_cert_file_hint
+      [
+        "cert = OpenSSL::X509::Certificate.new(File.read(#{value.inspect}))",
+        "client.faraday.ssl.client_cert = cert"
+      ]
+    end
+
+    def adapter_hint
+      case value
+      when :net_http
+        "client.faraday.adapter :net_http"
+      when :httpclient
+        [
+          "gem 'faraday-httpclient'",
+          "require 'faraday/httpclient'",
+          "client.faraday.adapter :httpclient"
+        ]
+      when :excon
+        [
+          "gem 'faraday-excon'",
+          "require 'faraday/excon'",
+          "client.faraday.adapter :excon"
+        ]
+      when :net_http_persistent
+        [
+          "gem 'faraday-net_http_persistent'",
+          "require 'faraday/net_http_persistent'",
+          "client.faraday.adapter :net_http_persistent"
+        ]
+      else
+        [
+          "choose and install a Faraday adapter matching #{value.inspect}",
+          "client.faraday.adapter :net_http"
+        ]
+      end
+    end
+
+    def ssl_verify_mode_hint
+      case value
+      when :none
+        "client.faraday.ssl.verify_mode = OpenSSL::SSL::VERIFY_NONE"
+      when :peer
+        "client.faraday.ssl.verify_mode = OpenSSL::SSL::VERIFY_PEER"
+      when :fail_if_no_peer_cert
+        "client.faraday.ssl.verify_mode = OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT"
+      when :client_once
+        "client.faraday.ssl.verify_mode = OpenSSL::SSL::VERIFY_CLIENT_ONCE"
+      else
+        "client.faraday.ssl.verify_mode = OpenSSL::SSL::VERIFY_PEER or OpenSSL::SSL::VERIFY_NONE"
+      end
+    end
+  end
+end

data/lib/savon/model.rb

@@ -28,20 +28,25 @@ module Savon
 
     # Defines a class-level SOAP operation.
     def define_class_operation(operation)
-      class_operation_module.module_eval %{
-        def #{StringUtils.snakecase(operation.to_s)}(locals = {})
-          client.call #{operation.inspect}, locals
-        end
-      }, __FILE__, __LINE__ - 4 # -4 points to the line where the eval string starts
+      method_name = operation_method_name(operation)
+
+      class_operation_module.define_method(method_name) do |locals = {}|
+        client.call operation, locals
+      end
     end
 
     # Defines an instance-level SOAP operation.
     def define_instance_operation(operation)
-      instance_operation_module.module_eval %{
-        def #{StringUtils.snakecase(operation.to_s)}(locals = {})
-          self.class.#{StringUtils.snakecase(operation.to_s)} locals
-        end
-      }, __FILE__, __LINE__ - 4 # -4 points to the line where the eval string starts
+      method_name = operation_method_name(operation)
+
+      instance_operation_module.define_method(method_name) do |locals = {}|
+        self.class.public_send(method_name, locals)
+      end
+    end
+
+    # Returns the generated Ruby method name for a SOAP operation.
+    def operation_method_name(operation)
+      StringUtils.snakecase(operation.to_s).to_sym
     end
 
     # Class methods.

data/lib/savon/operation.rb

@@ -177,8 +177,13 @@ module Savon
       return response if response.is_a?(Transport::Response)
 
       if response.is_a?(HTTPI::Response)
-        warn "Observers returning HTTPI::Response is deprecated - return Savon::Transport::Response instead."
-        return Transport::Response.from_httpi(response)
+        warn "Observers returning HTTPI::Response is deprecated - return Savon::Transport::Response instead.", uplevel: 1
+        return Transport::Response.new(
+          response.code,
+          response.headers,
+          response.body,
+          cookies: HTTPI::Cookie.list_from_headers(response.headers)
+        )
       end
 
       raise Error, "Observers need to return a Savon::Transport::Response " \

data/lib/savon/options.rb

@@ -2,6 +2,7 @@
 
 require "logger"
 require "httpi"
+require "savon/faraday_migration_hint"
 
 module Savon
   # Base class for GlobalOptions and LocalOptions.
@@ -73,46 +74,24 @@ module Savon
     end
   end
 
-  # HTTPI-specific transport options included in GlobalOptions.
+  # Options that belong to HTTPI's transport layer.
   #
-  # Every option in this module is handled by HTTPI and has no effect when
-  # transport: :faraday is set. Faraday callers configure these concerns
-  # directly on the Faraday::Connection returned by client.faraday.
+  # They still work with the default HTTPI transport. With `transport: :faraday`,
+  # Savon does not translate them because Faraday exposes its own setup API for
+  # proxy, timeout, TLS, auth, redirects, and adapter choices.
   module HTTPITransportOptions
-    # Maps each httpi-only option to the Faraday equivalent so the
-    # error raised at init tells the caller exactly what to do instead.
-    # Options with a :default entry are only flagged when the caller
-    # sets a value that differs from the GlobalOptions default.
-    FARADAY_INCOMPATIBLE_GLOBALS = {
-      proxy: { hint: "client.faraday.proxy = url" },
-      open_timeout: { hint: "client.faraday.options.timeout = N" },
-      read_timeout: { hint: "client.faraday.options.timeout = N" },
-      write_timeout: { hint: "client.faraday.options.write_timeout = N" },
-      ssl_version: { hint: "client.faraday.ssl.version = version" },
-      ssl_min_version: { hint: "client.faraday.ssl.min_version = version" },
-      ssl_max_version: { hint: "client.faraday.ssl.max_version = version" },
-      ssl_verify_mode: { hint: "client.faraday.ssl.verify = true/false" },
-      ssl_cert_key_file: { hint: "client.faraday.ssl.client_key_file = path" },
-      ssl_cert_key: { hint: "client.faraday.ssl.client_key = key" },
-      ssl_cert_key_password: { hint: "configure ssl context on client.faraday.ssl" },
-      ssl_cert_file: { hint: "client.faraday.ssl.client_cert_file = path" },
-      ssl_cert: { hint: "client.faraday.ssl.client_cert = cert" },
-      ssl_ca_cert_file: { hint: "client.faraday.ssl.ca_file = path" },
-      ssl_ca_cert: { hint: "client.faraday.ssl.ca_cert = cert" },
-      ssl_ciphers: { hint: "client.faraday.ssl.ciphers = ciphers" },
-      ssl_ca_cert_path: { hint: "client.faraday.ssl.ca_path = path" },
-      ssl_cert_store: { hint: "client.faraday.ssl.cert_store = store" },
-      basic_auth: { hint: "client.faraday.request :basic_auth, user, pass" },
-      digest_auth: { hint: "client.faraday.request :authorization, :Digest, credentials" },
-      ntlm: { hint: "client.faraday.request :ntlm, user, pass" },
-      follow_redirects: { hint: "client.faraday.use :follow_redirects", default: false },
-      adapter: { hint: "client.faraday.adapter :net_http", default: nil }
+    TRANSPORT_DEFAULTS = {
+      adapter: nil,
+      follow_redirects: false
     }.freeze
 
-    # Validates that the chosen transport is compatible with the options set.
-    # Must be called after all options (including any block-form options) are set.
-    # Collects every conflict and raises a single InitializationError listing all
-    # problems and solutions at once.
+    # These are rejected for `transport: :faraday` once the caller has set a
+    # non-default value. The error points to the matching Faraday setup.
+    FARADAY_INCOMPATIBLE_GLOBALS = FaradayMigrationHint::OPTIONS
+
+    # Runs after all global options have been assigned, including options set in
+    # the client block. Reports every HTTPI-only option in one error so callers
+    # can move their transport setup to Faraday in one pass.
     def validate_transport!
       return unless self[:transport] == :faraday
 
@@ -122,11 +101,11 @@ module Savon
               "Add to your Gemfile: gem 'faraday'"
       end
 
-      violations = FARADAY_INCOMPATIBLE_GLOBALS.filter_map { |option, config|
+      violations = FARADAY_INCOMPATIBLE_GLOBALS.filter_map { |option|
         next unless include?(option)
-        next if config.key?(:default) && self[option] == config[:default]
+        next if default_transport_option?(option)
 
-        "  #{option} - Use: #{config[:hint]}"
+        FaradayMigrationHint.new(option, self[option]).message
       }
 
       return if violations.empty?
@@ -252,6 +231,10 @@ module Savon
 
     private
 
+    def default_transport_option?(option)
+      TRANSPORT_DEFAULTS.key?(option) && self[option] == TRANSPORT_DEFAULTS[option]
+    end
+
     # Attempts to load faraday. Returns true if available, false on LoadError.
     def faraday_loaded?
       require "faraday"
@@ -271,33 +254,6 @@ module Savon
 
     def initialize(options = {})
       @option_type = :global
-
-      defaults = {
-        encoding: "UTF-8",
-        soap_version: 1,
-        namespaces: {},
-        logger: Logger.new($stdout),
-        log: false,
-        log_headers: true,
-        filters: [],
-        pretty_print_xml: false,
-        raise_errors: true,
-        strip_namespaces: true,
-        delete_namespace_attributes: false,
-        convert_response_tags_to: ->(tag) { StringUtils.snakecase(tag).to_sym },
-        convert_attributes_to: ->(k, v) { [k, v] },
-        multipart: false,
-        use_wsa_headers: false,
-        no_message_tag: false,
-        unwrap: false,
-        host: nil,
-        transport: :httpi,
-
-        # httpi transport defaults
-        adapter: nil,
-        follow_redirects: false
-      }
-
       options = defaults.merge(options)
 
       # this option is a shortcut on the logger which needs to be set
@@ -427,6 +383,26 @@ module Savon
       @options[:delete_namespace_attributes] = delete_namespace_attributes
     end
 
+    # The value Nori assigns to empty XML tags in the SOAP response.
+    # Defaults to nil, matching Nori's default; set to "" to map empty tags
+    # to an empty String instead.
+    def empty_tag_value(value)
+      @options[:empty_tag_value] = value
+    end
+
+    # Instruct Nori whether to convert dashes in response tag names to
+    # underscores before they become Hash keys. Defaults to true.
+    def convert_dashes_to_underscores(convert)
+      @options[:convert_dashes_to_underscores] = convert
+    end
+
+    # Instruct Nori whether to scrub invalid byte sequences from the response
+    # body before parsing it. Defaults to true, which lets responses containing
+    # invalid characters still be parsed.
+    def scrub_xml(scrub)
+      @options[:scrub_xml] = scrub
+    end
+
     # Tell Gyoku how to convert Hash key Symbols to XML tags.
     # Accepts one of :lower_camelcase, :camelcase, :upcase, or :none.
     def convert_request_keys_to(converter)
@@ -455,6 +431,12 @@ module Savon
 
     # Instruct Savon to create a multipart response if available.
     def multipart(multipart)
+      if multipart
+        warn "The global :multipart option has been a no-op since v2.13.0. " \
+          "Savon detects whether the response is multipart by checking if the " \
+          "response Content-Type header contains 'multipart'. You can remove" \
+          "this option from your code to make this warning disappear.", uplevel: 1
+      end
       @options[:multipart] = multipart
     end
 
@@ -469,12 +451,41 @@ module Savon
     end
 
     # HTTP transport to use. Accepts :httpi (default) or :faraday.
-    # When set to :faraday, configure transport concerns directly on the
-    # Faraday::Connection returned by client.faraday instead of using
-    # the HTTPITransportOptions.
+    # With :faraday, set proxy, timeout, TLS, auth, redirect, and adapter
+    # details on `client.faraday`; the HTTPI transport options are not copied.
     def transport(transport)
       @options[:transport] = transport
     end
+
+    private
+
+    # The default value for every global option.
+    def defaults
+      HTTPITransportOptions::TRANSPORT_DEFAULTS.merge(
+        encoding: "UTF-8",
+        soap_version: 1,
+        namespaces: {},
+        logger: Logger.new($stdout),
+        log: false,
+        log_headers: true,
+        filters: [],
+        pretty_print_xml: false,
+        raise_errors: true,
+        strip_namespaces: true,
+        delete_namespace_attributes: false,
+        empty_tag_value: nil,
+        convert_dashes_to_underscores: true,
+        scrub_xml: true,
+        convert_response_tags_to: ->(tag) { StringUtils.snakecase(tag).to_sym },
+        convert_attributes_to: ->(k, v) { [k, v] },
+        multipart: false,
+        use_wsa_headers: false,
+        no_message_tag: false,
+        unwrap: false,
+        host: nil,
+        transport: :httpi
+      )
+    end
   end
 
   # Per-request options passed to client.call.
@@ -578,6 +589,12 @@ module Savon
 
     # Instruct Savon to create a multipart response if available.
     def multipart(multipart)
+      if multipart
+        warn "The local :multipart option has been a no-op since v2.13.0. " \
+            "Savon detects whether the response is multipart by checking if the " \
+            "response Content-Type header contains 'multipart'. You can remove" \
+            "this option from your code to make this warning disappear.", uplevel: 1
+      end
       @options[:multipart] = multipart
     end
 

data/lib/savon/response.rb

@@ -155,6 +155,9 @@ module Savon
       nori_options = {
         delete_namespace_attributes: @globals[:delete_namespace_attributes],
         strip_namespaces: @globals[:strip_namespaces],
+        empty_tag_value: @globals[:empty_tag_value],
+        convert_dashes_to_underscores: @globals[:convert_dashes_to_underscores],
+        scrub_xml: @globals[:scrub_xml],
         convert_tags_to: @globals[:convert_response_tags_to],
         convert_attributes_to: @globals[:convert_attributes_to],
         advanced_typecasting: @locals[:advanced_typecasting],

data/lib/savon/transport/faraday.rb

@@ -38,13 +38,31 @@ module Savon
         log_request(url, headers, body) if log?
 
         faraday_response = @connection.post(url, body, headers)
-        response = Response.from_faraday(faraday_response)
+        response = Response.new(
+          faraday_response.status,
+          faraday_response.headers.to_h,
+          faraday_response.body,
+          cookies: self.class.parse_cookies(faraday_response.headers)
+        )
 
         log_response(response) if log?
-
         response
       end
 
+      # Parses Set-Cookie headers into a Hash of name => value. Accepts both
+      # the Array and String form. Attributes after the first ';' are discarded.
+      def self.parse_cookies(headers)
+        raw = headers["set-cookie"] || headers["Set-Cookie"]
+        return {} unless raw
+
+        raw_array = raw.is_a?(Array) ? raw : raw.split(/,\s*/)
+        raw_array.each_with_object({}) do |cookie_str, hash|
+          name_value = cookie_str.split(";", 2).first.to_s.strip
+          name, value = name_value.split("=", 2)
+          hash[name] = value if name && !name.empty?
+        end
+      end
+
       private
 
       # Merges all header sources in precedence order:
@@ -58,12 +76,23 @@ module Savon
         # soap_headers are lowest priority
         soap_headers.each do |k, v| headers[k] ||= v end
 
-        if locals[:cookies]&.any?
-          headers["Cookie"] = locals[:cookies].map(&:name_and_value).join(";")
-        end
+        cookie_header = format_cookies(locals[:cookies])
+        headers["Cookie"] = cookie_header if cookie_header
 
         headers
       end
+
+      # Builds the Cookie header from a given value.
+      # Accepts:
+      #   * String - passed through verbatim
+      #   * Hash   - formatted as "name=value; name=value" (browser style)
+      # Returns nil when no cookies were supplied.
+      def format_cookies(cookies)
+        return nil if cookies.nil?
+        return cookies if cookies.is_a?(String)
+
+        cookies.map { |name, value| "#{name}=#{value}" }.join("; ")
+      end
     end
   end
 end

data/lib/savon/transport/httpi.rb

@@ -34,10 +34,14 @@ module Savon
         log_request(http_request.url, http_request.headers, http_request.body) if log?
 
         http_response = ::HTTPI.post(http_request, @globals[:adapter])
-        response = Response.from_httpi(http_response)
+        response = Response.new(
+          http_response.code,
+          http_response.headers,
+          http_response.body,
+          cookies: ::HTTPI::Cookie.list_from_headers(http_response.headers)
+        )
 
         log_response(response) if log?
-
         response
       end
 
@@ -56,14 +60,11 @@ module Savon
         # soap_headers are lowest priority
         soap_headers.each do |k, v| headers[k] ||= v end
 
-        if locals[:cookies]&.any?
-          headers["Cookie"] = locals[:cookies].map(&:name_and_value).join(";")
-        end
-
         http_request = ::HTTPI::Request.new
         http_request.url = url
         http_request.body = body
         http_request.headers = headers
+        http_request.set_cookies(locals[:cookies]) if locals[:cookies]
         configure_http_request(http_request)
         http_request
       end

data/lib/savon/transport/response.rb

@@ -6,24 +6,20 @@ module Savon
     #
     # Every transport produces a Transport::Response so that higher-level code
     # never depends on transport-specific code. Immutable once constructed.
+    #
+    # The shape of #cookies is transport-specific: HTTPI responses expose an
+    # Array of HTTPI::Cookie, while Faraday responses expose a plain Hash so
+    # Faraday users do not depend on HTTPI types.
     class Response
-      # Creates a Transport::Response from an HTTPI::Response.
-      def self.from_httpi(httpi_response)
-        new(httpi_response.code, httpi_response.headers, httpi_response.body)
-      end
-
-      # Creates a Transport::Response from a Faraday::Response.
-      def self.from_faraday(faraday_response)
-        new(faraday_response.status, faraday_response.headers.to_h, faraday_response.body)
-      end
-
       # @param code    [Integer] HTTP status code
       # @param headers [Hash]    response headers
       # @param body    [String]  response body
-      def initialize(code, headers, body)
+      # @param cookies [Object]  parsed cookies in a transport-specific shape
+      def initialize(code, headers, body, cookies: nil)
         @code    = code
         @headers = headers
         @body    = body
+        @cookies = cookies
       end
 
       # Returns the HTTP status code.
@@ -35,6 +31,10 @@ module Savon
       # Returns the response body string.
       attr_reader :body
 
+      # Returns the parsed cookies in a transport-specific shape.
+      # See class-level docs.
+      attr_reader :cookies
+
       # Returns true when the HTTP status code indicates an error (>= 300).
       def error?
         @code >= 300

data/lib/savon/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Savon
-  VERSION = '2.17.1'
+  VERSION = '2.17.2'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: savon
 version: !ruby/object:Gem::Version
-  version: 2.17.1
+  version: 2.17.2
 platform: ruby
 authors:
 - Daniel Harrington
@@ -105,14 +105,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.4'
+        version: '2.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.4'
+        version: '2.7'
 - !ruby/object:Gem::Dependency
   name: wasabi
   requirement: !ruby/object:Gem::Requirement
@@ -151,22 +151,16 @@ dependencies:
   name: puma
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.3.8
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '7'
+        version: 8.0.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.3.8
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '7'
+        version: 8.0.2
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -265,6 +259,7 @@ files:
 - lib/savon/block_interface.rb
 - lib/savon/builder.rb
 - lib/savon/client.rb
+- lib/savon/faraday_migration_hint.rb
 - lib/savon/header.rb
 - lib/savon/http_error.rb
 - lib/savon/log_message.rb
@@ -290,7 +285,7 @@ licenses:
 metadata:
   rubygems_mfa_required: 'true'
   source_code_uri: https://github.com/savonrb/savon
-  changelog_uri: https://github.com/savonrb/savon/blob/v2.x/CHANGELOG.md
+  changelog_uri: https://github.com/savonrb/savon/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/savonrb/savon/issues
 rdoc_options: []
 require_paths: