mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
c6aa9719478ec874cef625f7c44326d12e371c74
8414 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
c6aa971947 |
build(deps): bump fast-xml-parser from 5.2.5 to 5.3.0 in /website (#10841)
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.2.5 to 5.3.0.
Changelog (sourced from [fast-xml-parser's changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)):
Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.
**5.3.1 / 2025-11-03**
- Performance improvement for stopNodes (By [Maciek Lamberski](https://github.com/macieklamberski))
**5.3.0 / 2025-10-03**
- Use `Uint8Array` in place of `Buffer` in Parser
**5.2.5 / 2025-06-08**
- Inform user to use [fxp-cli](https://github.com/NaturalIntelligence/fxp-cli) instead of in-built CLI feature
- Export typings for direct use
**5.2.4 / 2025-06-06**
- fix ([#747](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/747)): fix EMPTY and ANY with ELEMENT in DOCTYPE
**5.2.3 / 2025-05-11**
- fix ([#747](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/747)): support EMPTY and ANY with ELEMENT in DOCTYPE
**5.2.2 / 2025-05-05**
- fix ([#746](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/746)): update strnum to fix parsing issues related to enotations
**5.2.1 / 2025-04-22**
- fix: read DOCTYPE entity value correctly
- read DOCTYPE NOTATION, ELEMENT exp but not using read values
**5.2.0 / 2025-04-03**
- feat: support metadata on nodes ([#593](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/593)) (By [Steven R. Loomis](https://github.com/srl295))
**5.1.0 / 2025-04-02**
- feat: declare package as side-effect free ([#738](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/738)) (By [Thomas Bouffard](https://github.com/tbouffard))
- fix cjs build mode
- fix builder return type to string
**5.0.9 / 2025-03-14**
- fix: support numeric entities with values over 0xFFFF ([#726](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/726)) (By [Marc Durdin](https://github.com/mcdurdin))
- fix: update strnum to fix parsing 0 if skiplike option is used
**5.0.8 / 2025-02-27**
- fix parsing 0 if skiplike option is used.
  - updating strnum dependency
**5.0.7 / 2025-02-25**
- fix ([#724](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/724)) typings for cjs.
**5.0.6 / 2025-02-20**
- fix cli output (By [Angel Delgado](https://github.com/angeld7))
  - remove multiple JSON parsing
... (truncated) |
||
|
|
a9058c7f55 |
build(deps): bump known-folders from 1.3.1 to 1.4.0 in /rust (#10831)
Bumps [known-folders](https://github.com/artichoke/known-folders-rs) from 1.3.1 to 1.4.0.
Release notes (sourced from [known-folders's releases](https://github.com/artichoke/known-folders-rs/releases)):
**v1.4.0**
What's Changed
- Bump thor from 1.3.2 to 1.4.0 by `@dependabot`[bot] in [artichoke/known-folders-rs#85](https://redirect.github.com/artichoke/known-folders-rs/pull/85)
- Bump rubocop from 1.77.0 to 1.79.1 in the bundler-deps group by `@dependabot`[bot] in [artichoke/known-folders-rs#86](https://redirect.github.com/artichoke/known-folders-rs/pull/86)
- Bump the gha-deps group with 3 updates by `@dependabot`[bot] in [artichoke/known-folders-rs#87](https://redirect.github.com/artichoke/known-folders-rs/pull/87)
- Use zizmor audit action by `@lopopolo` in [artichoke/known-folders-rs#88](https://redirect.github.com/artichoke/known-folders-rs/pull/88)
- Bump rubocop from 1.79.1 to 1.81.1 in the bundler-deps group by `@dependabot`[bot] in [artichoke/known-folders-rs#89](https://redirect.github.com/artichoke/known-folders-rs/pull/89)
- Bump the gha-deps group with 5 updates by `@dependabot`[bot] in [artichoke/known-folders-rs#91](https://redirect.github.com/artichoke/known-folders-rs/pull/91)
- Relax windows-sys version requirement, prepare for v1.4.0 release by `@lopopolo` in [artichoke/known-folders-rs#92](https://redirect.github.com/artichoke/known-folders-rs/pull/92)
**Full Changelog**: https://github.com/artichoke/known-folders-rs/compare/v1.3.1...v1.4.0 |
||
|
|
e9fcb20564 |
build(deps): bump nu-ansi-term from 0.50.1 to 0.50.3 in /rust (#10830)
Bumps [nu-ansi-term](https://github.com/nushell/nu-ansi-term) from 0.50.1 to 0.50.3. See full diff in [compare view](https://github.com/nushell/nu-ansi-term/commits). Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
6e85638360 |
chore(connlib): silence hickory_resolver (#10848)
Logs from the `hickory_resolver` module are a bit noisy, so filter those out from our logs. |
||
|
|
49b7701536 |
ci: promote preview .deb to stable on release (#10846)
The current CI job expects the release to have the `.deb` files attached. Since writing that workflow, I've changed my mind on attaching the `.deb` files there. Instead, they are only uploaded to the repository. Without documentation on how to use them, these `.deb` files are unlikely to provide a good user experience. We change the job to instead promote the latest "preview" archives to the stable repo. |
||
|
|
bd2abbaae3 |
feat(apple): config to hide resource list (#10824)
Adds a configuration variable `hideResourceList` accessible by provisioning profile only to hide or show the Resource list. This is helpful when end-users need not be concerned with the resources available to their account. Also updates the associated ProfileManifests, docs, and a little bit of housekeeping around `configuration`, making it public for direct access. Related: https://github.com/ProfileManifests/ProfileManifests/pull/839 Fixes: #10808 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
5ae2707719 | chore: publish gateway 1.4.18 (#10823) | ||
|
|
3022c019e1 |
chore(connlib): set user.account_slug for Sentry logs (#10815)
By default, the Sentry SDK doesn't include custom user attributes when it sends logs. To make viewing logs easier, we add the `account_slug` attribute to all logs that are posted to Sentry. |
||
|
|
166b0d1573 |
feat(linux): compute device ID from /etc/machine-id (#10805)
All of our Linux applications have a soft-dependency on systemd. That is, in the default configuration, we expect systemd to be present on the machine. The only exceptions here are the docker containers for Headless Client and Gateway. For the GUI client in particular, systemd is a hard-dependency in order to control DNS on the system which we do via `systemd-resolved`. To secure the communication between the GUI client and its tunnel process, we automatically create a group called `firezone-client` to which the user gets added. All members of the group are allowed to access the unix socket which is used for IPC between the two processes. Membership in this group is also a prerequisite for accessing any of the configuration files. On the first launch of the GUI client on a Linux system, this presents a problem. For group membership changes to take effect, the user needs to reboot. We say that in the documentation but it is unclear whether all users will read that thoroughly enough. To help the user, the GUI client checks for membership of the current user in the group and alerts the user via a dialog box if that isn't the case. This would all be fine if it would actually work. Unfortunately, that check ends up being too late in the process. If we aren't a member of the group, we cannot read the device ID and bail early, thus never reaching the check and terminating the process without any dialog box or user-visible error. We could attempt to fix this by shuffling around some of the startup init code. That is a sub-optimal solution however because it a) may get broken again in the future and b) it means we have to delay initialisation of telemetry until a much later point. Given that this is only a problem on Linux, a better solution is to simply not rely on the disk-based device ID at all. Instead, we can integrate with systemd and deterministically derive a device ID from the unique machine ID and a randomly chosen "app ID". 
For backwards-compatibility reasons, the disk-based device ID is still prioritised. For all new installs however, we will use the one based on `/etc/machine-id`. |
||
|
|
8651413a95 |
chore(gateway): downgrade warning if peer not found (#10814)
Logging this on WARN appears to be a bit excessive and there is not really anything we can do about it. Resolves: #10813 |
||
|
|
f4216710e0 |
fix(telemetry): don't append duplicate attributes in Sentry log (#10819)
When we are building the log message that is sent to Sentry, we append several attributes to mimic the formatting that we get from `tracing_subscriber::fmt`. To do that, we strip the span name from the attribute which can result in us processing the same attribute such as `cid` twice: Once from a span and once from the actual log message. In order to not append the same message twice, we check for its presence in the attributes map first. This avoids having messages in Sentry such as:
```
Sampled relay cid=c18e1da8-8ef8-4e11-a325-28d6b387d503 rid=3af15c76-9e84-46a6-90e1-63ecb2bc9f80 cid=c18e1da8-8ef8-4e11-a325-28d6b387d503
```
|
||
|
|
bc95a1f425 |
chore(snownet): log connection state on failure (#10820)
When investigating why a connection fails, it is useful to know right away what the last connection state was, including the kind of connection, such as `PeerToPeer`, `RelayToPeer` etc. |
||
|
|
123c5a5d97 |
chore(connlib): always include wire::api as Sentry breadcrumb (#10821)
Sentry appends "breadcrumbs" to every error that gets sent to the backend. By default, those include the last 500 DEBUG logs. Our `phoenix_channel` module logs the incoming and outgoing messages on TRACE using the `wire::api::send` and `wire::api::recv` targets. To make debugging these easier, we always include anything on `wire::api` in the breadcrumbs. |
||
|
|
74bd28d25a |
ci(gui-client): fix .deb test installation (#10816)
The current test installation fails because it is operating in a headless environment without a display user. Some more testing of the `who` command showed that we can simply take the first user. That avoids `grep` which was previously failing with an exit code of 1, aborting the installation because our `postinst` script has `pipefail` set. |
||
|
|
3eead925fe |
chore(gui-client): tidy up postinst script (#10804)
Specifying `sudo` in the script is unnecessary as it already runs as root. Additionally, only executing `systemd-sysusers` for our config file is better because it narrows the scope of what should be done. |
||
|
|
f98c4dd428 |
fix(gateway): declare hard-dependency on systemd (#10803)
Several aspects of the Gateway's Debian package depend on `systemd` being present. Without it, we don't have the necessary users and files in place for the Gateway to function. With that specified, we can fail the `postinst` script (and therefore the installation) if anything in there goes wrong. |
||
|
|
839cc4b7b3 |
build(deps): bump parking_lot from 0.12.4 to 0.12.5 in /rust (#10780)
Bumps [parking_lot](https://github.com/Amanieu/parking_lot) from 0.12.4 to 0.12.5.
Changelog (sourced from [parking_lot's changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md)):
**`parking_lot` - [0.12.5](https://github.com/Amanieu/parking_lot/compare/parking_lot-v0.12.4...parking_lot-v0.12.5) - 2025-09-30**
- Bumped MSRV to 1.71
- Fixed Miri when the `hardware-lock-elision` feature is enabled ([#491](https://redirect.github.com/Amanieu/parking_lot/issues/491))
- Added missing `into_arc(_fair)` methods ([#472](https://redirect.github.com/Amanieu/parking_lot/issues/472))
- Fixed `RawRwLock::bump_*()` not releasing lock when there are multiple readers ([#471](https://redirect.github.com/Amanieu/parking_lot/issues/471))
**`parking_lot_core` - [0.9.12](https://github.com/Amanieu/parking_lot/compare/parking_lot_core-v0.9.11...parking_lot_core-v0.9.12) - 2025-09-30**
- Bumped MSRV to 1.71
- Switched from `windows-targets` to `windows-link`. ([#493](https://redirect.github.com/Amanieu/parking_lot/issues/493))
- Replaced `thread-id` dependency with `std::thread::ThreadId` ([#483](https://redirect.github.com/Amanieu/parking_lot/issues/483))
- Added SGX implementation for `ThreadParker.park_until` ([#481](https://redirect.github.com/Amanieu/parking_lot/issues/481))
**`lock_api` - [0.4.14](https://github.com/Amanieu/parking_lot/compare/lock_api-v0.4.13...lock_api-v0.4.14) - 2025-09-30**
- Fixed use of `doc_cfg` when building on docs.rs.
- Bumped MSRV to 1.71
- Added `#[track_caller]` where locking implementations could feasibly need to panic
- Added `try_map_or_err` to various mutex guards ([#480](https://redirect.github.com/Amanieu/parking_lot/issues/480))
- Removed unnecessary build script and `autocfg` dependency ([#474](https://redirect.github.com/Amanieu/parking_lot/issues/474))
- Added missing `into_arc(_fair)` methods ([#472](https://redirect.github.com/Amanieu/parking_lot/issues/472)) |
||
|
|
89f0af3fd7 | fix(gateway): remove exclamation mark from sysusers.conf (#10802) | ||
|
|
024b1864b4 |
feat(linux): automatically add user to firezone-client group (#10787)
By checking various environment variables, we can automatically add the current user to the `firezone-client` group which allows them to connect to the IPC socket of the tunnel process. Unfortunately, they still have to create a new login session / reboot for that to be reflected. The docs update for this will follow once we have cut a release with this code in it. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
470680cb1f |
chore(apple): Migrate to latest Xcode recommended settings (#10766)
Prompted by Xcode warning at project startup. Most of the changes are simple migrations from entitlements files to build settings, which is the recommended approach, and were done automatically by Xcode.
New settings:
- REGISTER_APP_GROUPS - Automatically registers app groups with provisioning profile (I had to set this manually when setting up, so it's a welcome change)
- STRING_CATALOG_GENERATE_SYMBOLS - type-safe localization (no regression, we're not doing any localization currently)
- ENABLE_USER_SCRIPT_SANDBOXING - sandboxing all the build scripts
Note: I had to turn off the recommended `ENABLE_USER_SCRIPT_SANDBOXING` as it would interfere with our building of connlib during the build.
Also: make Makefile more ergonomic to use (setup LSP config during first build) |
||
|
|
602844ae4a |
fix(gateway): always update translation table from DNS response (#10796)
For DNS resources, the Gateway maintains a per-peer NAT table from the client-assigned proxy IPs to the real IPs of the domain. Whenever the Client re-queries a DNS resource domain locally, we asynchronously ping the Gateway to also re-query said domain. This allows us to detect changes in the DNS records of DNS resources. To avoid breaking existing connections, the mapping between proxy IPs and real IPs is currently not updated if there are any active UDP or TCP flows for a proxy IP. This logic turns out to be unnecessarily restrictive as TCP flows can linger around for up to 2h before they timeout if they are not closed with a TCP RST. What we really need to do is always update the mapping of proxy IP <> real IP but honor existing NAT table entries when we route packets before creating new ones. This ensures that an existing connection to a previously resolved IP remains intact, even if a later DNS response for the same domain updates the mapping. At the same time, new connections (i.e. with a different source port) will immediately use the new destination IP. |
||
|
|
b5048ad779 |
refactor(apple): Convert IPCClient from actor to stateless enum (#10797)
Refactors IPCClient from an actor to a stateless enum with static methods, removing unnecessary actor isolation and instance management.
- IPCClient: Actor → enum with static methods taking session parameter
- Store: Removed IPCClient instance caching, added resource list caching
- Store: Moved resource fetching logic from IPCClient into Store
- All call sites: Updated to pass session directly to static methods
Store now directly manages resource list hashing and caching via fetchResources() method, using SHA256 hash optimisation to avoid redundant updates when resource lists haven't changed. |
||
|
|
936b095391 |
chore(apple): Enable Swift 6.2 Approachable Concurrency features (#10799)
Enables SWIFT_APPROACHABLE_CONCURRENCY build setting which activates a few key Swift 6.2 concurrency features, including:
1. NonisolatedNonsendingByDefault - Makes nonisolated async functions run on the caller's executor instead of the global executor, providing more predictable performance and behaviour
2. InferIsolatedConformances - Protocol conformances automatically inherit global actor isolation, reducing annotation burden
Read more: https://www.donnywals.com/what-is-approachable-concurrency-in-xcode-26/
Also bumps swift-tools-version from 6.0 to 6.2 in Package.swift to enable newer Package Manager manifest APIs.
As a result of better type inference, removes 1 redundant @Sendable annotation in Store.swift:
- vpnStatusChangeHandler: @MainActor closures are implicitly Sendable |
||
|
|
72dd7187f4 |
revert: specify systemd-resolved dependency (#10798)
I can't make the CI smoke install work with this change. Reverts firezone/firezone#10783 |
||
|
|
bf95dc45a3 |
refactor(apple): Upgrade to Swift 6.2 with concurrency checks (#10682)
This PR upgrades the Swift client from Swift 5 to Swift 6.2, addressing all concurrency-related warnings and runtime crashes that come with Swift 6's strict concurrency checking.
## Swift 6 Concurrency Primer
**`actor`** - A new reference type that provides thread-safe, serialised access to mutable state. Unlike classes, actors ensure that only one piece of code can access their mutable properties at a time. Access to actor methods/properties requires await and automatically hops to the actor's isolated executor.
**`@MainActor`** - An attribute that marks code to run on the main thread. Essential for UI updates and anything that touches UIKit/AppKit. When a class/function is marked @MainActor, all its methods and properties inherit this isolation.
**`@Sendable`** - A protocol indicating that a type can be safely passed across concurrency domains (between actors, tasks, etc.). Value types (structs, enums) with Sendable stored properties are automatically Sendable. Reference types (classes) need explicit @unchecked Sendable if they manage thread-safety manually.
**`nonisolated`** - Opts out of the containing type's actor isolation. For example, a nonisolated method in a @MainActor class can be called from any thread without await. Useful for static methods or thread-safe operations.
**`@concurrent`** - Used on closure parameters in delegate methods. Indicates the closure may be called from any thread, preventing the closure from inheriting the surrounding context's actor isolation. Critical for callbacks from system frameworks that call from background threads.
**Data Races** - Swift 6 enforces at compile-time (and optionally at runtime) that mutable state cannot be accessed concurrently from multiple threads. This eliminates entire classes of bugs that were previously only caught through testing or production crashes.
## Swift Language Upgrade
- **Bump Swift 5 → 6.2**: Enabled strict concurrency checking throughout the codebase
- **Enable ExistentialAny (SE-0335)**: Adds compile-time safety by making protocol type erasure explicit (e.g., any Protocol instead of implicit Protocol)
- **Runtime safety configuration**: Added environment variables to log concurrency violations during development instead of crashing, allowing gradual migration
## Concurrency Fixes
### Actor Isolation
- **TelemetryState actor** (Telemetry.swift:10): Extracted mutable telemetry state into a dedicated actor to eliminate data races from concurrent access
- **SessionNotification @MainActor isolation** (SessionNotification.swift:25): Properly isolated the class to MainActor since it manages UI-related callbacks
- **IPCClient caching** (IPCClient.swift): Fixed actor re-entrance issues and resource hash-based optimisation by caching the client instance in Store
### Thread-Safe Callbacks
- **WebAuthSession @concurrent delegate** (WebAuthSession.swift:46): The authentication callback is invoked from a background thread by ASWebAuthenticationSession. Marked the wrapper function as @concurrent to prevent MainActor inference on the completion handler closure, then explicitly hopped back to MainActor for the session.start() call. This fixes EXC_BAD_INSTRUCTION crashes at _dispatch_assert_queue_fail.
- **SessionNotification @concurrent delegate** (SessionNotification.swift:131): Similarly marked the notification delegate method as @concurrent and used Task { @MainActor in } to safely invoke the MainActor-isolated signInHandler
### Sendable Conformances
- Added Sendable to Resource, Site, Token, Configuration, and other model types that are passed between actors and tasks
- **LogWriter immutability** (Log.swift): Made jsonData immutable to prevent capturing mutable variables in @Sendable closures
### Nonisolated Methods
- **Static notification display** (SessionNotification.swift:73): Marked showSignedOutNotificationiOS() as nonisolated since it's called from the Network Extension (different process) and only uses thread-safe APIs
Fixes #10674
Fixes #10675
|
||
|
|
bae38ec345 |
feat(connlib): add HTTP2 client with pluggable sockets (#10788)
Firezone's ability to tunnel all traffic on a particular Client (i.e. the Internet Resource) means we have to ensure that traffic originating from within the Firezone process does not get routed back into the tunnel. On MacOS and iOS, this is automatically taken care of for us. On all other platforms, we need to take steps to prevent these routing loops. This functionality is abstracted away using our `SocketFactory`. A socket created with such a factory is guaranteed to route its traffic outside of the tunnel. These sockets are used for the WebSocket connection to the portal, as well as for recursive UDP and TCP DNS queries. In order to support DoH, we need to also be able to send HTTPS requests without causing packet loops. This PR adds a new crate `http-client` that does exactly that. It composes together `hyper` and `rustls` such that the configured `SocketFactory` is used to create the TCP socket for the underlying HTTP2 connection. Consequently, HTTPS requests made with this library will automatically be routed outside of the tunnel, assuming the `SocketFactory` is adequately configured. Right now, this crate just stands by itself. It will be integrated into connlib at a later point. Resolves: #10774 Related: #4668 Related: #10272 |
||
|
|
b8b52c1f07 |
fix(portal): do not allow ports for upstream DNS servers (#10772)
DNS servers are standardised to be contacted on port 53. This is also hard-coded within `connlib` when we contact an upstream server. As such, we should disallow users inputting any custom port for upstream DNS servers. Luckily - or perhaps because it doesn't presently work - no users in production have actually put in a port. Resolves: #8330 |
||
|
|
352a83bbb0 |
refactor(connlib): allow creating multiple layer 4 DNS servers (#10763)
Within Firezone, there are multiple components that deal with DNS queries. Two of those components are the `l4-udp-dns-server` and `l4-tcp-dns-server`. Both of them are responsible for receiving DNS queries on layer 4, i.e. UDP or TCP. In other words, they do _not_ operate on an IP level (which would be layer 3) but instead use `UdpSocket` and `TcpListener` to receive queries and send back responses. Right now, the interfaces of these crates are designed for the use case of receiving forwarded DNS queries from the Client on the Gateway's TUN device. This is a special-case of DNS resolution. When receiving a TXT or SRV query for a domain that is covered by a DNS resource, Firezone Clients will forward that query to the corresponding Gateway and resolve it in its network context. SRV and TXT records are commonly used for service discovery and as such, should be resolved in the network context of the service, i.e. the site that is assigned to the resource. For that use case, it made sense to allow each DNS server to listen on 1 IPv4 and 1 IPv6 address. Since then, our event-loop has evolved a bit, being able to handle multiple inputs at once. As such, we can simplify the API of these crates to only listen on a single address and instead create multiple instances of them inside `Io`. Depending on how the design of our DNS implementation for the Clients evolves, this may be used to listen on multiple IPs later (e.g. from the `127.0.0.0/8` subnet). Related: #8263 |
||
|
|
804ef7a3fb |
fix(connlib): retain order of system/upstream DNS servers (#10773)
Right now, connlib hands out a `BiMap` of sentinel IPs <> upstream servers whenever it emits a `TunInterfaceUpdated` event. This `BiMap` internally uses two `HashMap`s. The iteration order of `HashMap`s is non-deterministic and therefore, we lose the order in which the upstream / system resolvers have been passed to us originally. To prevent that, we now emit a dedicated `DnsMapping` type that does not expose its internal data structure but only getters for retrieving the sentinel and upstream servers. Internally, it uses a `Vec` to store this mapping and thus retains the original order. This is asserted as part of our proptests by comparing the resulting `Vec`s. This fix is preceded by a few refactorings that encapsulate the code for creating and updating this DNS mapping. Resolves: #8439 |
||
|
|
1b7313622a |
feat(connlib): introduce l3-udp-dns-client (#10764)
With #8263, we will stop receiving UDP and TCP DNS queries on the tunnel but use regular sockets instead. This means that for UDP DNS queries that need to be sent _through_ the tunnel, we actually need to make new IP packets again. For TCP, we already have a crate that does this for us because there, we need to manage an entire TCP stack. For UDP, the story is a bit simpler but there are still a few things involved. In particular, we need to set a source address for the packets and we need to sample a new random port for each query. The crate added in this PR does exactly that. It is not yet used anywhere but split out into a separate PR to reduce the reviewing burden of the larger refactor. Related: #8263 Related: #10758 |
||
|
|
9e33e514c4 |
chore(linux): specify systemd-resolved dependency (#10783)
On Ubuntu, this should be the default anyway and already be installed but to be correct, we should list this dependency in the `depends` section of our `.deb`. That way, it will automatically get installed again if a user chooses to install the GUI client from our repository and doesn't have `systemd-resolved` installed. |
||
|
|
0f73ec18ab | fix(website): azure app id json structure (#10785) | ||
|
|
b5c420bd5b |
build(deps): bump serde_with from 3.14.0 to 3.15.0 in /rust (#10777)
Bumps [serde_with](https://github.com/jonasbb/serde_with) from 3.14.0 to 3.15.0.
Release notes (sourced from [serde_with's releases](https://github.com/jonasbb/serde_with/releases)):
**serde_with v3.15.0**
Added
- Added error inspection to `VecSkipError` and `MapSkipError` by `@michelhe` ([#878](https://redirect.github.com/jonasbb/serde_with/issues/878)). This allows interacting with the previously hidden error, for example for logging. Check out the newly added example to both types.
- Allow documenting the types generated by `serde_conv!`. The `serde_conv!` macro now accepts outer attributes before the optional visibility modifier. This allows adding doc comments in the shape of `#[doc = "..."]` or any other attributes, such as lint modifiers.
```rust
serde_conv!(
    #[doc = "Serialize bools as string"]
    #[allow(dead_code)]
    pub BoolAsString,
    bool,
    |x: &bool| ::std::string::ToString::to_string(x),
    |x: ::std::string::String| x.parse()
);
```
- Add support for `hashbrown` v0.16 ([#877](https://redirect.github.com/jonasbb/serde_with/issues/877)). This extends the existing support for `hashbrown` v0.14 and v0.15 to the newly released version.
Changed
- Bump MSRV to 1.76, since that is required for `toml` dev-dependency.
**serde_with v3.14.1**
Fixed
- Show macro expansion in the docs.rs generated rustdoc. Since macros are used to generate trait implementations, this is useful to understand the exact generated code. |
||
|
|
6d60653bac |
build(deps): bump gat-lending-iterator from 0.1.6 to 0.1.7 in /rust (#10776)
Bumps [gat-lending-iterator](https://github.com/Crazytieguy/gat-lending-iterator) from 0.1.6 to 0.1.7. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Crazytieguy/gat-lending-iterator/commits/v0.1.7">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
5bf8482826 |
build(deps): bump com.google.firebase.appdistribution from 5.1.1 to 5.2.0 in /kotlin/android (#10781)
Bumps com.google.firebase.appdistribution from 5.1.1 to 5.2.0. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
f6aa499711 |
build(deps): bump com.google.firebase:firebase-bom from 34.4.0 to 34.5.0 in /kotlin/android (#10782)
Bumps com.google.firebase:firebase-bom from 34.4.0 to 34.5.0. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
9016ffc9dc |
build(rust): bump to Rust 1.91.0 (#10767)
Rust 1.91 has been released and brings with it a few new lints that we need to tidy up. In addition, it also stabilizes `BTreeMap::extract_if`: A really nifty std-lib function that allows us to conditionally take elements from a map. We need that in a bunch of places. |
||
|
|
21846b81e5 |
build(deps): bump vite from 7.1.7 to 7.1.11 in /rust/gui-client in the npm_and_yarn group across 1 directory (#10769)
Bumps the npm_and_yarn group with 1 update in the /rust/gui-client directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 7.1.7 to 7.1.11 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>v7.1.11</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.11/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.10</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.10/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.9</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.9/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.8</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.8/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md">vite's changelog</a>.</em></p> <blockquote> <h2><!-- raw HTML omitted --><a href="https://github.com/vitejs/vite/compare/v7.1.10...v7.1.11">7.1.11</a> (2025-10-20)<!-- raw HTML omitted --></h2> <h3>Bug Fixes</h3> <ul> <li><strong>dev:</strong> trim trailing slash before <code>server.fs.deny</code> check (<a href="https://redirect.github.com/vitejs/vite/issues/20968">#20968</a>) (<a href=" |
||
|
|
1ac1bb044a |
build(deps): bump the sentry group in /rust with 2 updates (#10727)
Bumps the sentry group in /rust with 2 updates: [sentry](https://github.com/getsentry/sentry-rust) and [sentry-tracing](https://github.com/getsentry/sentry-rust). Updates `sentry` from 0.42.0 to 0.43.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-rust/releases">sentry's releases</a>.</em></p> <blockquote> <h2>0.43.0</h2> <h3>Breaking changes</h3> <ul> <li>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The <code>tracing</code> integration now uses the tracing span name as the Sentry span name by default.</li> <li>Before this change, the span name would be set based on the <code>tracing</code> span target (<code><module>::<function></code> when using the <code>tracing::instrument</code> macro).</li> <li>The <code>tracing</code> integration now uses <code><span target>::<span name></code> as the default Sentry span op (i.e. 
<code><module>::<function></code> when using <code>tracing::instrument</code>).</li> <li>Before this change, the span op would be set based on the <code>tracing</code> span name.</li> <li>Read below to learn how to customize the span name and op.</li> <li>When upgrading, please ensure to adapt any queries, metrics or dashboards to use the new span names/ops.</li> </ul> </li> <li>ref(tracing): use standard code attributes (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Logs now carry the attributes <code>code.module.name</code>, <code>code.file.path</code> and <code>code.line.number</code> standardized in OTEL to surface the respective information, in contrast with the previously sent <code>tracing.module_path</code>, <code>tracing.file</code> and <code>tracing.line</code>.</li> </ul> </li> <li>fix(actix): capture only server errors (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The Actix integration now properly honors the <code>capture_server_errors</code> option (enabled by default), capturing errors returned by middleware only if they are server errors (HTTP status code 5xx).</li> <li>Previously, if a middleware were to process the request after the Sentry middleware and return an error, our middleware would always capture it and send it to Sentry, regardless if it was a client, server or some other kind of error.</li> <li>With this change, we capture errors returned by middleware only if those errors can be classified as server errors.</li> <li>There is no change in behavior when it comes to errors returned by services, in which case the Sentry middleware only captures server errors exclusively.</li> </ul> </li> <li>fix: send trace origin correctly (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>) by <a 
href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li><code>TraceContext</code> now has an additional field <code>origin</code>, used to report which integration created a transaction.</li> </ul> </li> </ul> <h3>Behavioral changes</h3> <ul> <li>feat(tracing): send both breadcrumbs and logs by default (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>If the <code>logs</code> feature flag is enabled, and <code>enable_logs: true</code> is set on your client options, the default Sentry <code>tracing</code> layer now sends logs for all events at or above INFO.</li> </ul> </li> </ul> <h3>Features</h3> <ul> <li> <p>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> <ul> <li>Additional special fields have been added that allow overriding certain data on the Sentry span: <ul> <li><code>sentry.op</code>: override the Sentry span op.</li> <li><code>sentry.name</code>: override the Sentry span name.</li> <li><code>sentry.trace</code>: given a string matching a valid <code>sentry-trace</code> header (sent automatically by client SDKs), continues the distributed trace instead of starting a new one. 
If the value is not a valid <code>sentry-trace</code> header or a trace is already started, this value is ignored.</li> </ul> </li> <li><code>sentry.op</code> and <code>sentry.name</code> can also be applied retroactively by declaring fields with value <code>tracing::field::Empty</code> and then recorded using <code>tracing::Span::record</code>.</li> <li>Example usage: <pre lang="rust"><code>#[tracing::instrument(skip_all, fields( sentry.op = "http.server", sentry.name = "GET /payments", sentry.trace = headers.get("sentry-trace").unwrap_or(&"".to_owned()), ))] async fn handle_request(headers: std::collections::HashMap<String, String>) { // ... } </code></pre> </li> <li>Additional attributes are sent along with each span by default: <ul> <li><code>sentry.tracing.target</code>: corresponds to the <code>tracing</code> span's <code>metadata.target()</code></li> <li><code>code.module.name</code>, <code>code.file.path</code>, <code>code.line.number</code></li> </ul> </li> </ul> </li> <li> <p>feat(core): add Response context (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> <ul> <li>The <code>Response</code> context can now be attached to events, to include information about HTTP responses such as headers, cookies and status code.</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-rust/blob/master/CHANGELOG.md">sentry's changelog</a>.</em></p> <blockquote> <h2>0.43.0</h2> <h3>Breaking changes</h3> <ul> <li>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The <code>tracing</code> integration now uses the tracing span name as the Sentry span name by default.</li> <li>Before this change, the span name would be set based on the <code>tracing</code> span target (<code><module>::<function></code> when using the <code>tracing::instrument</code> macro).</li> <li>The <code>tracing</code> integration now uses <code><span target>::<span name></code> as the default Sentry span op (i.e. <code><module>::<function></code> when using <code>tracing::instrument</code>).</li> <li>Before this change, the span op would be set based on the <code>tracing</code> span name.</li> <li>Read below to learn how to customize the span name and op.</li> <li>When upgrading, please ensure to adapt any queries, metrics or dashboards to use the new span names/ops.</li> </ul> </li> <li>ref(tracing): use standard code attributes (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Logs now carry the attributes <code>code.module.name</code>, <code>code.file.path</code> and <code>code.line.number</code> standardized in OTEL to surface the respective information, in contrast with the previously sent <code>tracing.module_path</code>, <code>tracing.file</code> and <code>tracing.line</code>.</li> </ul> </li> <li>fix(actix): capture only server errors (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> 
<li>The Actix integration now properly honors the <code>capture_server_errors</code> option (enabled by default), capturing errors returned by middleware only if they are server errors (HTTP status code 5xx).</li> <li>Previously, if a middleware were to process the request after the Sentry middleware and return an error, our middleware would always capture it and send it to Sentry, regardless if it was a client, server or some other kind of error.</li> <li>With this change, we capture errors returned by middleware only if those errors can be classified as server errors.</li> <li>There is no change in behavior when it comes to errors returned by services, in which case the Sentry middleware only captures server errors exclusively.</li> </ul> </li> <li>fix: send trace origin correctly (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li><code>TraceContext</code> now has an additional field <code>origin</code>, used to report which integration created a transaction.</li> </ul> </li> </ul> <h3>Behavioral changes</h3> <ul> <li>feat(tracing): send both breadcrumbs and logs by default (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>If the <code>logs</code> feature flag is enabled, and <code>enable_logs: true</code> is set on your client options, the default Sentry <code>tracing</code> layer now sends logs for all events at or above INFO.</li> </ul> </li> </ul> <h3>Features</h3> <ul> <li> <p>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> <ul> <li>Additional special fields have been added that allow overriding certain data on the Sentry span: <ul> <li><code>sentry.op</code>: override the Sentry span op.</li> 
<li><code>sentry.name</code>: override the Sentry span name.</li> <li><code>sentry.trace</code>: given a string matching a valid <code>sentry-trace</code> header (sent automatically by client SDKs), continues the distributed trace instead of starting a new one. If the value is not a valid <code>sentry-trace</code> header or a trace is already started, this value is ignored.</li> </ul> </li> <li><code>sentry.op</code> and <code>sentry.name</code> can also be applied retroactively by declaring fields with value <code>tracing::field::Empty</code> and then recorded using <code>tracing::Span::record</code>.</li> <li>Example usage: <pre lang="rust"><code>#[tracing::instrument(skip_all, fields( sentry.op = "http.server", sentry.name = "GET /payments", sentry.trace = headers.get("sentry-trace").unwrap_or(&"".to_owned()), ))] async fn handle_request(headers: std::collections::HashMap<String, String>) { // ... } </code></pre> </li> <li>Additional attributes are sent along with each span by default: <ul> <li><code>sentry.tracing.target</code>: corresponds to the <code>tracing</code> span's <code>metadata.target()</code></li> <li><code>code.module.name</code>, <code>code.file.path</code>, <code>code.line.number</code></li> </ul> </li> </ul> </li> <li> <p>feat(core): add Response context (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
20c40312dd | chore(website): add entra sync domain association (#10771) | ||
|
|
a426ee2608 |
build(deps): bump the react group in /rust/gui-client with 2 updates (#10722)
Bumps the react group in /rust/gui-client with 2 updates: [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) and [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router). Updates `@types/react` from 19.1.13 to 19.1.15 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare view</a></li> </ul> </details> <br /> Updates `react-router` from 7.9.1 to 7.9.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/releases">react-router's releases</a>.</em></p> <blockquote> <h2>v7.9.3</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793</a></p> <h2>v7.9.2</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md">react-router's changelog</a>.</em></p> <blockquote> <h2>7.9.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>Do not try to use <code>turbo-stream</code> to decode CDN errors that never reached the server (<a href="https://redirect.github.com/remix-run/react-router/pull/14385">#14385</a>)</p> <ul> <li>We used to do this but lost this check with the adoption of single fetch</li> </ul> </li> <li> <p>Fix Data Mode regression causing a 404 during initial load when <code>middleware</code> exists without any <code>loader</code> functions (<a href="https://redirect.github.com/remix-run/react-router/pull/14393">#14393</a>)</p> </li> </ul> <h2>7.9.2</h2> <h3>Patch Changes</h3> <ul> <li> <ul> 
<li>Update client-side router to run client <code>middleware</code> on initial load even if no loaders exist (<a href="https://redirect.github.com/remix-run/react-router/pull/14348">#14348</a>)</li> <li>Update <code>createRoutesStub</code> to run route middleware <ul> <li>You will need to set the <code><RoutesStub future={{ v8_middleware: true }} /></code> flag to enable the proper <code>context</code> type</li> </ul> </li> </ul> </li> <li> <p>Update Lazy Route Discovery manifest requests to use a singular comma-separated <code>paths</code> query param instead of repeated <code>p</code> query params (<a href="https://redirect.github.com/remix-run/react-router/pull/14321">#14321</a>)</p> <ul> <li>This is because Cloudflare has a hard limit of 100 URL search param key/value pairs when used as a key for caching purposes</li> <li>If more than 100 paths were included, the cache key would be incomplete and could produce false-positive cache hits</li> </ul> </li> <li> <p>[UNSTABLE] Add <code>fetcher.unstable_reset()</code> API (<a href="https://redirect.github.com/remix-run/react-router/pull/14206">#14206</a>)</p> </li> <li> <p>Made useOutlet element reference have stable identity in-between route changes (<a href="https://redirect.github.com/remix-run/react-router/pull/13382">#13382</a>)</p> </li> <li> <p>feat: enable full transition support for the rsc router (<a href="https://redirect.github.com/remix-run/react-router/pull/14362">#14362</a>)</p> </li> <li> <p>In RSC Data Mode, handle SSR'd client errors and re-try in the browser (<a href="https://redirect.github.com/remix-run/react-router/pull/14342">#14342</a>)</p> </li> <li> <p>Support <code>middleware</code> prop on <code><Route></code> for usage with a data router via <code>createRoutesFromElements</code> (<a href="https://redirect.github.com/remix-run/react-router/pull/14357">#14357</a>)</p> </li> <li> <p>Handle encoded question mark and hash characters in ancestor splat routes (<a 
href="https://redirect.github.com/remix-run/react-router/pull/14249">#14249</a>)</p> </li> <li> <p>Fail gracefully on manifest version mismatch logic if <code>sessionStorage</code> access is blocked (<a href="https://redirect.github.com/remix-run/react-router/pull/14335">#14335</a>)</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
398bb09880 |
build(deps): bump lru from 0.12.5 to 0.16.1 in /rust (#10650)
Bumps [lru](https://github.com/jeromefroe/lru-rs) from 0.12.5 to 0.16.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jeromefroe/lru-rs/blob/master/CHANGELOG.md">lru's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.16.1">v0.16.1</a> - 2025-09-08</h2> <ul> <li>Fix <code>Clone</code> for unbounded cache.</li> </ul> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.16.0">v0.16.0</a> - 2025-07-02</h2> <ul> <li>Implement <code>Clone</code> for caches with custom hashers.</li> </ul> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.15.0">v0.15.0</a> - 2025-06-26</h2> <ul> <li>Return bool from <code>promote</code> and <code>demote</code> to indicate whether key was found.</li> </ul> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.14.0">v0.14.0</a> - 2025-04-12</h2> <ul> <li>Use <code>NonZeroUsize::MAX</code> instead of <code>unwrap()</code>, and update MSRV to 1.70.0.</li> </ul> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.13.0">v0.13.0</a> - 2025-01-27</h2> <ul> <li>Add <code>peek_mru</code> and <code>pop_mru</code> methods, upgrade dependency on <code>hashbrown</code> to 0.15.2, and update MSRV to 1.65.0.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
3811a793f0 |
chore(connlib): log fatal tunnel errors (#10768)
Resolves: #10765 |
||
|
|
ac7aaf820c |
fix(apple): move reset command to work queue (#10707)
Fixes [APPLE-CLIENT-7S](https://sentry.io/organizations/firezone-inc/issues/6812982801/). The issue was that: Synchronous access to `Adapter.systemConfigurationResolvers` during concurrent deallocation causes an EXC_BAD_ACCESS crash. - Moves the `reset` command execution to the `workQueue` to prevent potential deadlocks or race conditions when accessing shared resources or interacting with the network extension's internal state. This fix was generated by Seer in Sentry, triggered by jamil@firezone.dev. 👁️ Run ID: 2183818 Not quite right? [Click here to continue debugging with Seer.](https://sentry.io/organizations/firezone-inc/issues/6812982801/?seerDrawer=true) Fixes #10195 --------- Co-authored-by: seer-by-sentry[bot] <157164994+seer-by-sentry[bot]@users.noreply.github.com> Co-authored-by: Mariusz Klochowicz <mariusz@klochowicz.com> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
|
3308e3c010 |
fix(linux): introduce tiered routing tables (#10742)
With the fix of taking into account link-scoped routes in #10554 we introduced a bug: If a customer defines routes in Firezone that conflict with the link-scope ones, those currently take priority as they are usually more specific.
To fix this, we introduce tiered routing tables controlled by a set of rules with different priority.
1. In the first "Firezone" routing table, we add all CIDR/IP routes that users define in Firezone.
2. In the second "Firezone" routing table, we sync in all link-scope routes from the system.
3. In the third "Firezone" routing table, we only add the Internet Resource if it is active.
By evaluating the routing tables in this order, we effectively always prioritize Firezone-controlled routes over local ones but still allow access to LAN resources when the Internet Resource is active.
--------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
|
9cde3265e7 |
chore: enable lints in dns-over-tcp (#10762)
Appears to have been an oversight when we first introduced this crate. |
||
|
|
498c0de006 |
build(deps): bump the hilt group in /kotlin/android with 4 updates (#10735)
Bumps the hilt group in /kotlin/android with 4 updates: [com.google.dagger.hilt.android](https://github.com/google/dagger), [com.google.dagger:hilt-android](https://github.com/google/dagger), [com.google.dagger:hilt-android-compiler](https://github.com/google/dagger) and [com.google.dagger:hilt-android-testing](https://github.com/google/dagger). Updates `com.google.dagger.hilt.android` from 2.57.1 to 2.57.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/google/dagger/releases">com.google.dagger.hilt.android's releases</a>.</em></p> <blockquote> <h2>Dagger 2.57.2</h2> <h1>Bug fixes</h1> <ul> <li>Fixed <a href="https://redirect.github.com/google/dagger/issues/4847">#4847</a>: Fixed an issue with the Hilt Gradle Plugin registered transforms on projects using Gradle 9.0.0 (ea570e7)</li> <li>Fixes <a href="https://redirect.github.com/google/dagger/issues/4898">#4898</a>: Fixed an issue with backwards compatibility handling for libraries that export Hilt roots. (85c470ca4)</li> <li>Fixes <a href="https://redirect.github.com/google/dagger/issues/4937">#4937</a>: Fixed the incorrectly declared version of the Kotlin stdlib dependency in the Hilt Gradle Plugin. (deefd9a2d)</li> <li>Updated ASM dependency to 9.8 (365bc499d)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
4fa92e514c |
build(deps): bump axum from 0.8.4 to 0.8.5 in /rust (#10719)
Bumps [axum](https://github.com/tokio-rs/axum) from 0.8.4 to 0.8.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tokio-rs/axum/releases">axum's releases</a>.</em></p> <blockquote> <h2>axum v0.8.5</h2> <ul> <li><strong>fixed:</strong> Reject JSON request bodies with trailing characters after the JSON document (<a href="https://redirect.github.com/tokio-rs/axum/issues/3453">#3453</a>)</li> <li><strong>added:</strong> Implement <code>OptionalFromRequest</code> for <code>Multipart</code> (<a href="https://redirect.github.com/tokio-rs/axum/issues/3220">#3220</a>)</li> <li><strong>added:</strong> Getter methods <code>Location::{status_code, location}</code></li> <li><strong>added:</strong> Support for writing arbitrary binary data into server-sent events (<a href="https://redirect.github.com/tokio-rs/axum/issues/3425">#3425</a>)</li> <li><strong>added:</strong> <code>middleware::ResponseAxumBodyLayer</code> for mapping response body to <code>axum::body::Body</code> (<a href="https://redirect.github.com/tokio-rs/axum/issues/3469">#3469</a>)</li> <li><strong>added:</strong> <code>impl FusedStream for WebSocket</code> (<a href="https://redirect.github.com/tokio-rs/axum/issues/3443">#3443</a>)</li> <li><strong>changed:</strong> The <code>sse</code> module and <code>Sse</code> type no longer depend on the <code>tokio</code> feature (<a href="https://redirect.github.com/tokio-rs/axum/issues/3154">#3154</a>)</li> <li><strong>changed:</strong> If the location given to one of <code>Redirect</code>s constructors is not a valid header value, instead of panicking on construction, the <code>IntoResponse</code> impl now returns an HTTP 500, just like <code>Json</code> does when serialization fails (<a href="https://redirect.github.com/tokio-rs/axum/issues/3377">#3377</a>)</li> <li><strong>changed:</strong> Update minimum rust version to 1.78 (<a href="https://redirect.github.com/tokio-rs/axum/issues/3412">#3412</a>)</li> </ul> <p><a 
href="https://redirect.github.com/tokio-rs/axum/issues/3154">#3154</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3154">tokio-rs/axum#3154</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3220">#3220</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3220">tokio-rs/axum#3220</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3377">#3377</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3377">tokio-rs/axum#3377</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3412">#3412</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3412">tokio-rs/axum#3412</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3425">#3425</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3425">tokio-rs/axum#3425</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3443">#3443</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3443">tokio-rs/axum#3443</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3453">#3453</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3453">tokio-rs/axum#3453</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3469">#3469</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3469">tokio-rs/axum#3469</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
97c69dfac6 |
build(deps): bump typescript-eslint from 8.34.1 to 8.44.1 in /rust/gui-client (#10723)
Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.34.1 to 8.44.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/releases">typescript-eslint's releases</a>.</em></p> <blockquote> <h2>v8.44.1</h2> <h2>8.44.1 (2025-09-22)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [no-base-to-string] make ignoredTypeNames match type names without generics (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11597">#11597</a>)</li> <li><strong>eslint-plugin:</strong> [no-unsafe-enum-comparison] support unions of literals (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11599">#11599</a>)</li> <li><strong>eslint-plugin:</strong> [await-thenable] should not report passing values to promise aggregators which may be a promise in an array literal (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11611">#11611</a>)</li> <li><strong>typescript-estree:</strong> forbid class property with name <code>constructor</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11590">#11590</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>fisker Cheung <a href="https://github.com/fisker"><code>@fisker</code></a></li> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> <li>mdm317</li> <li>Ronen Amiel</li> </ul> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>v8.44.0</h2> <h2>8.44.0 (2025-09-15)</h2> <h3>🚀 Features</h3> <ul> <li><strong>eslint-plugin:</strong> [await-thenable] report invalid (non-promise) values passed to promise aggregator methods (<a 
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11267">#11267</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>deps:</strong> update dependency <code>@eslint-community/eslint-utils</code> to v4.8.0 (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11589">#11589</a>)</li> <li><strong>eslint-plugin:</strong> [no-unnecessary-type-conversion] ignore enum members (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11490">#11490</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Moses Odutusin <a href="https://github.com/thebolarin"><code>@thebolarin</code></a></li> <li>Ronen Amiel</li> </ul> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>v8.43.0</h2> <h2>8.43.0 (2025-09-08)</h2> <h3>🚀 Features</h3> <ul> <li><strong>typescript-estree:</strong> disallow empty type parameter/argument lists (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11563">#11563</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [no-non-null-assertion] do not suggest optional chain on LHS of assignment (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11489">#11489</a>)</li> <li><strong>eslint-plugin:</strong> [no-unnecessary-type-conversion] only report ~~ on integer literal types (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11517">#11517</a>)</li> <li><strong>eslint-plugin:</strong> [consistent-type-exports] fix declaration shadowing (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11457">#11457</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md">typescript-eslint's changelog</a>.</em></p> <blockquote> <h2>8.44.1 (2025-09-22)</h2> <p>This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.44.0 (2025-09-15)</h2> <p>This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.43.0 (2025-09-08)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [no-deprecated] should report deprecated exports and reexports (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11359">#11359</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Victor Genaev <a href="https://github.com/mainframev"><code>@mainframev</code></a></li> </ul> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.42.0 (2025-09-02)</h2> <h3>🚀 Features</h3> <ul> <li>deprecate tseslint.config() (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11531">#11531</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>typescript-eslint:</strong> handle non-normalized windows paths produced by jiti (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11546">#11546</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Kirk Waiblinger <a 
href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> </ul> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.41.0 (2025-08-25)</h2> <p>This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.</p> <p>You can read about our <a href="https://main--typescript-eslint.netlify.app/users/versioning">versioning strategy</a> and <a href="https://main--typescript-eslint.netlify.app/users/releases">releases</a> on our website.</p> <h2>8.40.0 (2025-08-18)</h2> <h3>🩹 Fixes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
08e95d124b |
build(deps): bump libc from 0.2.175 to 0.2.176 in /rust (#10738)
Bumps [libc](https://github.com/rust-lang/libc) from 0.2.175 to 0.2.176. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/libc/releases">libc's releases</a>.</em></p> <blockquote> <h2>0.2.176</h2> <h3>Support</h3> <ul> <li>The default FreeBSD version has been raised from 11 to 12. This matches <code>rustc</code> since 1.78. (<a href="https://redirect.github.com/rust-lang/libc/pull/2406">#2406</a>)</li> <li><code>Debug</code> is now always implemented, rather than being gated behind the <code>extra_traits</code> feature. (<a href="https://redirect.github.com/rust-lang/libc/pull/4624">#4624</a>)</li> </ul> <h3>Added</h3> <ul> <li>AIX: Restore some non-POSIX functions guarded by the <code>_KERNEL</code> macro. (<a href="https://redirect.github.com/rust-lang/libc/pull/4607">#4607</a>)</li> <li>FreeBSD 14: Add <code>st_fileref</code> to <code>struct stat</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4642">#4642</a>)</li> <li>Haiku: Add the <code>accept4</code> POSIX call (<a href="https://redirect.github.com/rust-lang/libc/pull/4586">#4586</a>)</li> <li>Introduce a wrapper for representing padding (<a href="https://redirect.github.com/rust-lang/libc/pull/4632">#4632</a>)</li> <li>Linux: Add <code>EM_RISCV</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4659">#4659</a>)</li> <li>Linux: Add <code>MS_NOSYMFOLLOW</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4389">#4389</a>)</li> <li>Linux: Add <code>backtrace_symbols(_fd)</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4668">#4668</a>)</li> <li>Linux: Add missing <code>SOL_PACKET</code> optnames (<a href="https://redirect.github.com/rust-lang/libc/pull/4669">#4669</a>)</li> <li>Musl s390x: Add <code>SYS_mseal</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4549">#4549</a>)</li> <li>NuttX: Add <code>__errno</code> (<a 
href="https://redirect.github.com/rust-lang/libc/pull/4687">#4687</a>)</li> <li>Redox: Add <code>dirfd</code>, <code>VDISABLE</code>, and resource consts (<a href="https://redirect.github.com/rust-lang/libc/pull/4660">#4660</a>)</li> <li>Redox: Add more <code>resource.h</code>, <code>fcntl.h</code> constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4666">#4666</a>)</li> <li>Redox: Enable <code>strftime</code> and <code>mkostemp[s]</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4629">#4629</a>)</li> <li>Unix, Windows: Add <code>qsort_r</code> (Unix), and <code>qsort(_s)</code> (Windows) (<a href="https://redirect.github.com/rust-lang/libc/pull/4677">#4677</a>)</li> <li>Unix: Add <code>dlvsym</code> for Linux-gnu, FreeBSD, and NetBSD (<a href="https://redirect.github.com/rust-lang/libc/pull/4671">#4671</a>)</li> <li>Unix: Add <code>sigqueue</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4620">#4620</a>)</li> </ul> <h3>Changed</h3> <ul> <li>FreeBSD 15: Mark <code>kinfo_proc</code> as non-exhaustive (<a href="https://redirect.github.com/rust-lang/libc/pull/4553">#4553</a>)</li> <li>FreeBSD: Set the ELF symbol version for <code>readdir_r</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4694">#4694</a>)</li> <li>Linux: Correct the config for whether or not <code>epoll_event</code> is packed (<a href="https://redirect.github.com/rust-lang/libc/pull/4639">#4639</a>)</li> <li>Tests: Replace the old <code>ctest</code> with the much more reliable new implementation (<a href="https://redirect.github.com/rust-lang/libc/pull/4655">#4655</a> and many related PRs)</li> </ul> <h3>Fixed</h3> <ul> <li>AIX: Fix the type of the 4th argument of <code>getgrnam_r</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4656">#4656</a>)</li> <li>FreeBSD: Limit <code>P_IDLEPROC</code> to FreeBSD 15 (<a href="https://redirect.github.com/rust-lang/libc/pull/4640">#4640</a>)</li> <li>FreeBSD: 
Limit <code>mcontext_t::mc_tlsbase</code> to FreeBSD 15 (<a href="https://redirect.github.com/rust-lang/libc/pull/464">#4640</a>)</li> <li>FreeBSD: Update gating of <code>mcontext_t.mc_tlsbase</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4703">#4703</a>)</li> <li>Musl s390x: Correct the definition of <code>statfs[64]</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4549">#4549</a>)</li> <li>Musl s390x: Make <code>fpreg_t</code> a union (<a href="https://redirect.github.com/rust-lang/libc/pull/4549">#4549</a>)</li> <li>Redox: Fix the types of <code>gid_t</code> and <code>uid_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4689">#4689</a>)</li> <li>Redox: Fix the value of <code>MAP_FIXED</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4684">#4684</a>)</li> </ul> <h3>Deprecated</h3> <ul> <li>Apple: Correct the <code>deprecated</code> attribute for <code>iconv</code> (<a href=" |