🠰 8.19.0 all changes pending release

Changes in 8.20.0 - April 29 2026

Changes:

• async-thrdd: use thread queue for resolving
• build: make NTLM disabled by default
• cmake: drop support for CMake 3.17 and older
• lib: add thread pool and queue
• lib: drop support for < c-ares 1.16.0
• lib: make SMB support opt-in
• multi.h: add CURLMNWC_CLEAR_ALL
• rtmp: drop support

Bugfixes:

• altsvc: cap the list at 5,000 entries
• altsvc: drop the prio field from the struct
• altsvc: skip expired entries read from file
• asyn-ares: connect async
• asyn-ares: drop orphaned variable references
• asyn-ares: fix HTTPS-lookup when not on port 443
• asyn-thrdd: drop redundant `result` check
• asyn-thrdd: fix clang-tidy unused value warning
• async-ares: fix query counter handling
• autotools: limit checksrc target to ignore non-repo test sources
• badwords-all: exit with correct code on errors
• badwords: combine the whitelisting into a single regex
• badwords: detect the the and with with
• badwords: only check comments and strings in source code
• badwords: rework exceptions, fix many of them
• boringssl: fix more coexist cases with Schannel/WinCrypt
• build: adjust/add casts to fix `-Wformat-signedness`
• build: assume `snprintf()` in `mprintf`, drop feature check
• build: compiler warning silencing tidy-ups
• build: drop `openssl` module dependency for BoringSSL from `libcurl.pc`
• build: drop duplicate `pthread.h` includes
• build: drop redundant `USE_QUICHE` guards
• build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues
• build: fix `-Wformat-signedness` by adjusting printf masks
• build: link `bcrypt.lib` via vcxproj files
• build: skip detecting `pipe2()` for Apple targets
• cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR
• cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR
• cf-ip-happy: limit concurrent attempts
• cf-socket: avoid low risk integer overflow on ancient Solaris
• cfilters: fix Curl_pollset_poll() return code mixup
• clang-tidy: avoid assignments in `if` expressions
• clang-tidy: enable more checks, fix fallouts
• cmake: add CMake Config-based dependency detection
• cmake: add CMake Config-based dependency detection for c-ares, wolfSSL
• cmake: document functions used from Windows system DLLs
• cmake: enable pthreads for BoringSSL/AWS-LC
• cmake: resolve targets recursively when generating `libcurl.pc`
• cmake: rework binutils ld hack to not read `LOCATION` property
• cmake: silence bad library `Threads::Threads` warning
• cmake: use `AIX` built-in variable (with CMake 4.0+)
• config2setopts: make --capath work in proxy disabled builds
• configure: fix `--with-ngtcp2=<path>` option for crypto libs
• configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic
• configure: prefer dependency-specific variables over `$withval`
• configure: remove superfluous experimental warning for HTTP/3
• configure: silence useless clang warnings in C89 builds
• configure: tidy up comments
• connect: fix typo on error message
• cookie: fix rejection when tabs in value
• curl-wolfssl.m4: fix to use the correct value for pkg-config directory
• curl.h: replace macros with C++-friendly method to enforce 3 args
• curl_ctype.h: fix spelling in a couple of locally used macros
• curl_get_line: error out on read errors
• curl_get_line: fix potential infinite loop when filename is a directory
• curl_ngtcp2: extend and update callbacks for 1.22.0+
• curl_ntlm_core: drop redundant PP condition
• curl_ntlm_core: use wolfCrypt DES API with wolfSSL
• curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard
• curl_sha512_256: support delegating to wolfSSL API
• curl_version_info.md: clarify age details
• CURLOPT_HAPROXY_CLIENT_IP.md: mention assumption on data format
• CURLOPT_RTSP_SESSION_ID.md: clarify reuse "dangers"
• CURLOPT_RTSP_SESSION_ID.md: expand the comment
• CURLOPT_RTSP_SESSION_ID.md: minor language fix
• CURLOPT_SOCKS5_AUTH.md: an access property
• CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse
• CURLOPT_UPLOAD_FLAGS.md: expand
• curlx_now(), prevent zero timestamp
• DEPRECATE: fix minor release number typo
• digest: pass in the username quoted (as well)
• dns: https-eyeballing async
• dnscache: own source file, improvements
• docs/cmdline-opts: tidy up retry-connrefused
• docs/lib: fix typos
• docs/libcurl: improve easy setopt examples
• docs: clarify retry-max-time timing
• docs: CURLOPT_LOGIN_OPTIONS is a login property
• docs: enable more compiler warnings for C snippets, fix 3 finds
• docs: list more dependencies for running Python HTTP tests
• docs: mention more zip bomb precautions
• docs: minor wording tweaks
• docs: noproxy wants the punycoded hostname version
• docs: SSH host verification is done at connect time
• docs: use the correct CURLOPT_WRITEFUNCTION signature
• doh: fix memory-leak when doing a second DoH resolve
• doh: remove superfluous doh_req check
• examples/websocket: fix to sleep more on Windows
• examples: drop warning silencers no longer hit
• examples: fix typo in comment
• file: init fd to -1 to prevent close fd 0 on early failure
• fopen: for temp files, inherit permissions only for owner
• ftp: do not strdup DATA hostname
• ftp: make the MDTM date parser stricter (again)
• ftp: reject PWD responses containing control characters
• gcc: guard `#pragma diagnostic` in core code for <4.6
• generate.bat: remove extra % from VC11 and VC12 runs
• genserv.pl: make external calls safe
• getinfo: initialize `PureInfo` field `used_proxy`
• getinfo: repair CURLINFO_TLS_SESSION
• gnutls: fix clang-tidy warning with !verbose
• gtls: fail for large files in `load_file()`
• h3: HTTPS-RR use in HTTP/3
• Happy Eyeballs: add resolution time delay
• haproxy: use correct ip version on client supplied address
• hostip: clear the sockaddr_in6 structure before use
• hostip: init the curl_jmpenv_lock appropriately
• hostip: resolve user supplied ip addresses
• HSTS: cap the list
• hsts: make the HSTS read callback handle name dupes
• hsts: skip expired HSTS entries read from file
• hsts: when a dupe host adds subdomains, use that
• http2: clear the h2 session at delete
• http2: prevent secure schemes pushed over insecure connections
• http2: return error on OOM in push headers
• HTTP3.md: drop outdated mentions of OpenSSL-QUIC
• http: clear credentials better on redirect
• http: clear digest nonce on cross-origin redirect
• http: clear the proxy credentials as well on port or scheme change
• http: fix auth_used and auth_avail
• http: fix Curl_compareheader for multi value headers
• http: make Curl_compareheader handle multiple commas in header
• http: on 303, switch to GET
• http: use header_has_value() instead of duplicate code
• imap: reset the UIDVALIDITY state between transfers
• include: drop badword from public headers
• INSTALL.md: update Cygwin instructions
• keylog.h: replace literal number with macro in declaration
• keylog: drop unused/redundant includes and guards
• ldap: drop duplicate `ldap_set_option()` on Windows
• ldap: fix to initialize cleartext connection on Windows
• lib1560: fix comment typo
• lib1960: fix test failure
• lib: accept larger input to md5/hmac/sha256/sha512 functions
• lib: always use Curl_1st_fatal instead of Curl_1st_err
• lib: fix typos in comments
• lib: make resolving HTTPS DNS records reliable:
• lib: minor comment typos
• lib: move request specific allocations to the request struct
• lib: replace `PRI*32` printf masks with C89 ones
• libssh2: allocate libssh2-friendly memory in kbd_callback
• libssh2: fix error handling on quote errors
• libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0
• libssh: fix `-Wsign-compare` in 32-bit builds
• libssh: path length precaution
• libssh: propagate error back in SFTP function
• libtest: drop duplicate include
• location/follow: mention netrc
• man: fix argument type for `CURLSHOPT_[UN]SHARE` options
• mbedtls: cleanup more without care for 'initialized'
• mbedtls: fix ECJPAKE matching
• mbedtls: remove failf() call with first argument as NULL
• md4, md5: switch to wolfCrypt API in wolfSSL builds
• mime: only allow 40 levels of calls
• misc: fix code quality findings
• mk-ca-bundle.pl: make `ca-bundle.crt` timestamp match `certdata.txt`'s
• multi: enhance pending handles fairness
• multi: fix connection retry for non-http
• multi: improve wakeup and wait code
• netrc: find login-less password when user is given in URL
• netrc: remove unused parsenetrc() macro for netrc-disabled
• netrc: skip malformed macdef lines
• openssl channel_binding: lookup digest algorithm without NID
• openssl: drop obsolete SSLv2 logic
• openssl: fix build with 4.0.0-beta1 no-deprecated
• openssl: fix memory leaks in ECH code (OpenSSL 3)
• openssl: fix unused variable warnings in !verbose builds
• openssl: trace count of found / imported Windows native CA roots
• OS400: add new definitions to the ILE/RPG binding.
• os400sys: fix typo in comment (symmetry)
• parsedate: bsearch the time zones
• parsedate: fix wrong treatment of "military time zones"
• parsedate: refactor
• perl: harden external command invocations
• progress: count amount of data "delivered" to application
• protocol.h: fix the CURLPROTO_MASK
• protocol: disable connection reuse for SMB(S)
• protocol: use scheme names lowercase
• proxy: chunked response, error code
• pytest: add additional quiche check for flaky test_05_01
• pytest: check 429 handling
• rand: use `BCryptGenRandom()` in UWP builds
• ratelimit: reset on start
• request: reset resp_trailer in new requests
• runtests: skip setting ed25519 SSH key format
• rustls: fix memory leak on repeated SSLKEYLOGFILE fails
• rustls: handle EOF during initial handshake
• schannel: increase renegotiation timeout to 60 seconds
• scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl)
• scripts: harden / tidy up more Perl `system()` calls
• sendf: fix CR detection if no LF is in the chunk
• setopt: fix typos in comments
• setopt: move CURLOPT_CURLU
• setup connection filter: mark as setup
• sha256, sha512_256: switch to wolfCrypt API
• sha256: support delegating to wolfSSL API
• share: concurrency handling, easy updates
• share: do bitshifts after the type is checked to be valid
• socks: reject zero-length GSSAPI/SSPI tokens from proxy
• socks: use dns filter for resolving
• spelling: fix typos
• src: use ftruncate() unconditionally
• sshserver.pl: harden more `system()` calls
• sshserver.pl: pass command-line to `system()` safely
• strerr: correct the strerror_s() return code condition
• sws: fix potential OOB write
• synctime: fix off-by-one read and write to a read-only buffer (Windows)
• test 766: flag as timing-dependent
• test1675: unit tests for URL API helper functions
• test459: switch to mode="warn" for stderr check
• testcurl.pl: replace shell commands with Perl `rmtree()`
• tests/unit/README: describe how to unit test static functions
• tests: avoid infinite recursion for `make check`
• tests: use %b64[] instead of "raw" base64
• tool: check for curlinfo->age when determining if ssh backend
• tool: fix memory mixups
• tool: fix retries in parallel mode
• tool: fix two more allocator mismatches
• tool_cb_hdr: only truncate etags output when regular file
• tool_cb_rea: make waitfd() return void
• tool_cb_wrt: fix no-clobber error handling
• tool_cfgable: free the SSL signature algorithms
• tool_formparse: propagate my_get_line errors when reading headers
• tool_getparam: use correct free function for libcurl memory
• tool_ipfs: accept IPFS gateway URL without set port number
• tool_msgs: avoid null pointer deref for early errors
• tool_operate: actually apply the --parallel-max-host limit
• tool_operate: drop the scheme-guessing in the -G handling
• tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows)
• tool_operate: fix memory-leak on failed uploads
• tool_operate: fix minor memory-leak on early error
• tool_operate: reset the upload glob counter for next URL
• tool_operhlp: fix `add_file_name_to_url()` result on OOM
• tool_operhlp: iterate through all slashes to find name
• tool_operhlp: propagate low-level OOM in `add_file_name_to_url()`
• tool_setopt: return error on OOM correctly
• tool_urlglob: fix memory-leak on glob range overflow
• top-complexity: prevent filename-based shell injection risk
• transfer: clear the old autoreferer
• transfer: clear the URL pointer in OOM to avoid UAF
• transfer: enable custom methods again on next transfer
• transfer: enhance secure check
• unit1675: fix `-Wformat-signedness`
• url: do not reuse a non-tls starttls connection if new requires TLS
• url: improve connection reuse on negotiate
• url: init req.no_body in DO so that it works for h2 push
• url: set default upload flags to CURLULFLAG_SEEN
• url: use the socks type for socks proxy
• url: use URL for lowercase URL even in comments
• urlapi: fix handling of "file:///"
• urlapi: make dedotdotify handle leading dots correctly
• urlapi: same origin tests
• urlapi: stop extracting hostname from file:// URLs on Windows
• urlapi: verify the last letter of a scheme when set explicitly
• urldata.h: fix typo and lingering backtick
• urldata: connection bit ipv6_ip is wrong
• urldata: import port types and conn destination format
• urldata: make hstslist only present in HSTS builds
• urldata: make speeder_c uint32
• urldata: move cookiehost to struct SingleRequest
• urldata: remove trailers_state
• vquic: fix variable name in fallback code
• vtls: fix comment typos and tidy up a type
• vtls: log when key logging is enabled.
• vtls_scache: check reentrancy
• vtls_scache: include cert_blob independently of verifypeer
• wolfssl: document v5.0.0 (2021-11-01) as minimum required
• wolfssl: fix `-Wmissing-prototypes`
• wolfssl: fix handling of abrupt connection close
• ws: fix a blocking curl_ws_send() to report written length correctly
• x509asn1: fix to return error in an error case from `encodeOID()`
• x509asn1: fixed and adapted for ASN1tostr unit testing
• x509asn1: improve encodeOID

Further

The previous release was 8.19.0.