
Releases: libgit2/libgit2

libgit2 v1.9.0

28 Dec 15:14
338e6fb

This is release v1.9.0, "Schwibbogen". As usual, it contains numerous bug fixes, compatibility improvements, and new features.

This is expected to be the final release in the libgit2 v1.x lineage. libgit2 v2.0 is expected to be the next version, with support for SHA256 moving to "supported" status (out of "experimental" status). This means that v2.0 will have API and ABI changes to support SHA256, as well as other breaking changes.

Major changes

  • Documentation improvements
    We've launched a new website for our API reference docs at https://libgit2.org/docs/reference/main. To support this, we've updated the documentation to ensure that all APIs are well-documented, and added docurium-style specifiers to indicate more depth about the API surface.

    We now also publish a JSON blob with the API structure and the documentation that may be helpful for binding authors.

  • TLS cipher updates
    libgit2 has updated our TLS cipher selection to match the "compatibility" cipher suite settings as documented by Mozilla.

  • Blame improvements
    The blame API now contains committer information and commit summaries for blame hunks, and the ability to get information about the line of text that was modified. In addition, a CLI blame command has been added so that the blame functionality can be benchmarked by our benchmark suite.

  • More CLI commands
    libgit2 has added blame and init commands, which have allowed for further benchmarking and several API improvements and git compatibility updates.

  • Warning when configuring without SHA1DC
    Users are encouraged to use SHA1DC, which is git's hash; users should not use SHA1 in the general case. Users will now be warned if they try to configure cmake with a SHA1 backend (-DUSE_SHA1=...).

Breaking changes

There are several ABI-breaking changes that integrators, particularly maintainers of bindings or FFI users, may want to be aware of.

  • Blame hunk structure updates (ABI breaking change)
    There are numerous additions to the git_blame_hunk structure to accommodate more information about the blame process.

  • Checkout strategy updates (ABI breaking change)
    The values for GIT_CHECKOUT_SAFE and GIT_CHECKOUT_NONE have been updated. GIT_CHECKOUT_SAFE is now 0; this was implicitly the default value (with the options constructors setting that as the checkout strategy). It is now the default if the checkout strategy is set to 0. This allows for an overall code simplification in the library.

  • Configuration entry member removal (ABI breaking change)
    The git_config_entry structure no longer contains a free member; this was an oversight as end-users should not try to free that structure.

  • Configuration backend function changes (ABI breaking change)
    git_config_backends should now return git_config_backend_entry objects instead of git_config_entry objects. This allows backends to provide a mechanism to nicely free the configuration entries that they provide.

What's Changed

New features

  • The git_signature_default_from_env API will now produce a pair of git_signatures representing the author and the committer, taking the GIT_AUTHOR_NAME and GIT_COMMITTER_NAME environment variables into account. Added by @u-quark in #6706

  • packbuilder can now be interrupted from a callback. Added by @roberth in #6874

  • libgit2 now claims to honor the preciousObject repository extension. This extension indicates that the client will never delete objects (in other words, will not garbage collect). libgit2 has no functionality to remove objects, so it implicitly obeys this in all cases. Added by @ethomson in #6886

  • Push status will be reported even when a push fails. This is useful to give information from the server about possible updates, even when the overall status failed. Added by @yerseg in #6876

  • You can now generate a thin pack from a mempack instance using git_mempack_write_thin_pack. Added by @roberth in #6875

  • The new LIBGIT2_VERSION_CHECK macro will indicate whether the version of libgit2 being compiled against is at least the version specified. For example: #if LIBGIT2_VERSION_CHECK(1, 6, 3) is true for libgit2 version 1.6.3 or newer. In addition, the new LIBGIT2_VERSION_NUMBER macro will return an integer version representing the libgit2 version number. For example, for version 1.6.3, LIBGIT2_VERSION_NUMBER will evaluate to 010603. Added by @HamedMasafi in #6882

  • Custom X509 certificates can be added to OpenSSL's certificate store using the GIT_OPT_ADD_SSL_X509_CERT option. Added by @yerseg in #6877

  • The libgit2 compatibility CLI now has a git blame command. Added by @ethomson in #6907

  • Remote callbacks now provide an update_refs callback so that users can now get the refspec of the updated reference during push. This gives more complete information about the remote reference that was updated. Added by @ethomson in #6559

  • An optional FIPS-compliant mode for hashing is now available; you can set -DUSE_SHA256=OpenSSL-FIPS to enable it. Added by @marcind-dot in #6906

  • The git-compatible CLI now supports the git init command, which has been useful in identifying API improvements and incompatibilities with git. Added by @ethomson in #6984

  • Consumers can now query more information about how libgit2 was compiled, and query the "backends" that libgit2 uses. Added by @ethomson in #6971

Bug fixes

  • Fix constness issue introduced in #6716 by @ethomson in #6829
  • odb: conditional git_hash_ctx_cleanup in git_odb_stream by @gensmusic in #6836
  • Fix shallow root maintenance during fetch by @kcsaul in #6846
  • Headers cleanup by @anatol in #6842
  • http: Initialize on_status when using the http-parser backend by @civodul in #6870
  • Leak in truncate_racily_clean in index.c by @lstoppa in #6884
  • ssh: Omit port option from ssh command unless specified in remote url by @jayong93 in #6845
  • diff: print the file header on GIT_DIFF_FORMAT_PATCH_HEADER by @carlosmn in #6888
  • Add more robust reporting to SecureTransport errors on macos by @vcfxb in #6848
  • transport: do not filter tags based on ref dir in local by @rindeal in #6881
  • push: handle tags to blobs by @ethomson in #6898
  • Fixes for OpenSSL dynamic by @ethomson in #6901
  • realpath: unbreak build on OpenBSD by @ajacoutot in #6932
  • util/win32: Continue if access is denied when deleting a folder by @lrm29 in #6929
  • object: git_object_short_id fails with core.abbrev string values by @lrm29 in #6944
  • Clear data after negotiation by @lrm29 in #6947
  • smart: ignore shallow/unshallow packets during ACK processing by @kempniu in #6973

Security fixes

  • ssh: Include rsa-sha2-256 and rsa-sha2-512 in the list of hostkey types by @lrm29 in #6938
  • TLS: v1.2 and updated cipher list by @ethomson in #6960

Code cleanups

Benchmarks


libgit2 v1.8.4

30 Oct 22:29
3f4182d

v1.8.4

We erroneously shipped v1.8.3 without actually including the change in v1.8.2. This release re-re-introduces the pre-v1.8.0 commit constness behavior.

What's Changed

Bug fixes

Full Changelog: v1.8.3...v1.8.4

libgit2 v1.8.3

26 Oct 19:17
3353f78

This release fixes a bug introduced in v1.8.1 for users of the legacy Node.js http-parser dependency.

What's Changed

Bug fixes

  • http: Backport on_status initialize fix for http-parser by @ethomson in #6931

Full Changelog: v1.8.2...v1.8.3

libgit2 v1.8.2

19 Oct 16:25
4ce872a

v1.8.2

This release reverts a const-correctness change introduced in
v1.8.0 for the git_commit_create functions. We now retain the
const-behavior for the commits arguments from prior to v1.8.0.

This change was meant to resolve compatibility issues with bindings
and downstream users.

What's Changed

New features

  • Introduce a stricter debugging allocator for testing by @ethomson in #6811

Bug fixes

Build and CI improvements

Full Changelog: v1.8.1...v1.8.2

libgit2 v1.8.2 RC 1

14 Jun 08:45
4ce872a
Pre-release

v1.8.2

This release reverts a const-correctness change introduced in
v1.8.0 for the git_commit_create functions. We now retain the
const-behavior for the commits arguments from prior to v1.8.0.

This change was meant to resolve compatibility issues with bindings
and downstream users.

What's Changed

New features

  • Introduce a stricter debugging allocator for testing by @ethomson in #6811

Bug fixes

Build and CI improvements

Full Changelog: v1.8.1...v1.8.2

libgit2 v1.8.1

16 May 10:19
36f7e21

This release primarily includes straightforward bugfixes, as well as new functionality to have more control over the HTTP User-Agent header. However, there is an API change from v1.8 that was required for cross-platform compatibility.

In v1.8, libgit2 introduced the report_unchanged member in the git_fetch_options structure. We mistakenly introduced this as a bitfield, which is not suitable for our public API. To correct this mistake, we have removed the report_unchanged member. To support the report unchanged tips option, users can set the update_fetchhead member to include the GIT_REMOTE_UPDATE_REPORT_UNCHANGED value.

The libgit2 project regrets the API change, but this was required to support cross-platform compatibility.

What's Changed

New features

Bug fixes

Build and CI improvements

Documentation improvements

Dependency updates

New Contributors

Full Changelog: v1.8.0...v1.8.1

libgit2 v1.8.0

20 Mar 20:54
d74d491

v1.8

This is release v1.8.0, "Das Fliegende Klassenzimmer". This release includes optional, experimental support for invoking OpenSSH to fetch and push, an easier mechanism to perform the default behavior of git commit, and has many improvements for worktrees. This release also includes many other new features and bugfixes.

Major changes

  • Executable SSH (OpenSSH) support
    libgit2 can now invoke the command-line OpenSSH to fetch from and push to remotes over SSH. This support takes the place of libssh2 support. To use it, configure libgit2 with cmake -DUSE_SSH=exec, and please report any problems that you discover. By @ethomson in #6617

  • Simplified commit creation
    The git_commit_create_from_stage API was introduced to allow users to better emulate the behavior of git commit without needing to provide unnecessary information. The current state of the index is committed to the current branch. By @ethomson in #6716

  • Worktree improvements
    A number of worktree improvements have been made for better compatibility with core git. First, libgit2 now understands per-worktree references, thanks to @csware in #6387. Worktree-specific configuration is now supported, thanks to @vermiculus in #6202. And improved compatibility with git worktree add is now supported, thanks to @herrerog in #5319.

Breaking changes

  • Adding WORKTREE configuration level (ABI breaking change)
    To support worktree configurations at the appropriate level (higher priority than local configuration, but lower priority than app-specific configuration), the GIT_CONFIG_LEVEL_WORKTREE level was introduced at priority 6. GIT_CONFIG_LEVEL_APP now begins at priority 7.

  • Changes to git_config_entry (ABI breaking change)
    The git_config_entry structure now contains information about the backend_type and origin_path. The unused payload value has been removed.

  • git_push_options includes remote push options (ABI breaking change)
    The git_push_options structure now contains a value for remote push options.

Other changes

New features

Bug fixes

  • repository: make cleanup safe for re-use with grafts by @carlosmn in #6600
  • fix: Add missing include for oidarray. by @dvzrv in #6608
  • ssh: fix known_hosts leak in _git_ssh_setup_conn by @steven9724 in #6599
  • proxy: Return an error for invalid proxy URLs instead of crashing. by @lrm29 in #6597
  • errors: refactoring - never return NULL in git_error_last() by @ethomson in #6625
  • Reject potential option injections over ssh by @carlosmn in #6636
  • remote: fix memory leak in git_remote_download() by @7Ji in #6651
  • git2: Fix crash when called w/o parameters by @csware in #6673
  • Avoid macro redefinition of ENABLE_INTSAFE_SIGNED_FUNCTIONS by @csware in #6666
  • util: suppress some uninitialized variable warnings by @boretrk in #6659
  • fetch: enable deepening/shortening shallow clones by @kempniu in #6662
  • push: set generic error in push_negotiation cb by @ethomson in #6675
  • process: test /usr/bin/false on BSDs by @ethomson in #6677
  • clone: don't mix up "http://url" with "http:/url" when figuring out if we should do a local clone by @boretrk in #6361
  • Several compatibility fixes by @ethomson in #6678
  • Git blame buffer gives the wrong result in many cases where there are… by @thosey in #6572
  • Fix 'path cannot exist in repository' during diff for in-memory repository by @kcsaul in #6683
  • process: don't try to close the status by @ethomson in #6693
  • Minor bug fixes by @ethomson in #6695
  • Bypass shallow clone support for in-memory repositories by @kcsaul in #6684
  • examples: use unsigned int for bitfields by @ethomson in #6699
  • Fix some bugs caught by UBscan by @ethomson in #6700
  • git_diff_find_similar doesn't always remove unmodified deltas by @yori in #6642
  • httpclient: clear client->parser.data after use by @ethomson in #6705
  • Do not normalize safe.directory paths by @csware in #6668
  • clone: don't swallow error in should_checkout by @ethomson in #6727
  • Correct index add directory/file conflict detection by @ethomson in #6729
  • Correct git_revparse_single and add revparse fuzzing by @ethomson in #6730
  • config: properly delete or rename section containing multivars by @samueltardieu in #6723
  • revparse: ensure bare '@' is truly bare by @ethomson in #6742
  • repo: ensure we can initialize win32 paths by @ethomson in #6743
  • Swap GIT_DIFF_LINE_(ADD|DEL)_EOFNL to match other Diffs by @xphoniex in #6240
  • diff: fix test for SHA256 support in diff_from_buffer by @ethomson in #6745
  • http: support empty http.proxy config setting by @ethomson in #6744
  • More safe.directory improvements by @ethomson in #6739
  • Ensure that completely ignored diff is empty by @ethomson in #5893
  • Fix broken regexp that matches submodule names containing ".path" by @csware in #6749
  • Fix memory leaks by @csware in #6748
  • Make refdb_fs (hopefully) fully aware of per worktree refs by @csware in #6387
  • fix log example by @albfan in #6359
  • fetch: fail on depth for local transport by @ethomson in #6757
  • Fix message trailer parsing by @ethomson in #6761
  • config: correct fetching the HIGHEST_LEVEL config by @ethomson in #6766
  • Avoid some API breaking changes in v1.8 by @ethomson in #6768

Build and CI improvements


libgit2 v1.7.2

06 Feb 20:20

🔒 This is a security release with multiple changes.

  • A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application. This fixes CVE-2024-24575, which was discovered by researchers at Amazon AWS.

  • A bug in git_index_add is fixed that could have caused the function to corrupt its heap and possibly lead to arbitrary code execution. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS.

  • A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2 project thanks the researchers and outreach team at AWS Security for finding the git_index_add and git_revparse_single bugs, and providing details and reproduction steps during their responsible disclosure.

All users of the v1.7 release line are recommended to upgrade.

libgit2 v1.6.5

06 Feb 20:20

🔒 This is a security release with multiple changes.

  • A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application. This fixes CVE-2024-24575, which was discovered by researchers at Amazon AWS.

  • A bug in git_index_add is fixed that could have caused the function to corrupt its heap and possibly lead to arbitrary code execution. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS.

  • A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2 project thanks the researchers and outreach team at AWS Security for finding the git_index_add and git_revparse_single bugs, and providing details and reproduction steps during their responsible disclosure.

All users of the v1.6 release line are recommended to upgrade.
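
A dependency check built from the v1.7.2 and v1.6.5 security releases above, added here as an example and not part of the libgit2 project: it flags installations in the v1.6 and v1.7 lines that predate the fixed releases. The inventory and component names are constructed, and release lines that these two notices do not mention are reported as not covered rather than assumed safe.

```python
import re

# Fixed release per release line, as stated in the two security releases above.
FIXED_IN = {(1, 7): (1, 7, 2), (1, 6): (1, 6, 5)}
CVES = ("CVE-2024-24575", "CVE-2024-24577")

# Accepts "1.7.1", "v1.7.1" and a pre-release suffix such as "1.7.2-rc1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return ((major, minor, revision), is_prerelease) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised libgit2 version: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) is not None


def assess(text):
    """Classify one version string as 'upgrade', 'ok' or 'not-covered'."""
    version, prerelease = parse_version(text)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # These notices name no fixed release for this line, so make no claim.
        return "not-covered"
    # A pre-release of the fixed version precedes the fix and counts as unpatched.
    if version < fixed or (version == fixed and prerelease):
        return "upgrade"
    return "ok"


def audit(inventory):
    """Map each component to a verdict; unparsable versions go to manual review."""
    report = {}
    for component, version in inventory:
        try:
            report[component] = assess(version)
        except ValueError:
            report[component] = "review"
    return report


# Constructed inventory of (component, linked libgit2 version) pairs.
INVENTORY = [
    ("build-agent", "v1.7.1"),
    ("api-server", "1.7.2"),
    ("legacy-worker", "1.6.4"),
    ("mirror-sync", "1.6.5"),
    ("desktop-client", "1.5.0"),
    ("vendored-copy", "1.7"),
]

if __name__ == "__main__":
    for name, verdict in audit(INVENTORY).items():
        print(f"{name:15} {verdict}  ({', '.join(CVES)})")
```

Feed it the version of the library that is actually loaded at run time rather than the headers a binding was built against, since the two can differ.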

libgit2 v1.7.1

14 Aug 21:49
a2bde63

v1.7.1

What's Changed

Bug fixes

  • proxy: Return an error for invalid proxy URLs instead of crashing. by @lrm29 in #6597
  • ssh: fix known_hosts leak in _git_ssh_setup_conn by @steven9724 in #6599
  • repository: make cleanup safe for re-use with grafts by @carlosmn in #6600
  • fix: Add missing include for oidarray. by @dvzrv in #6608
  • Revert "CMake: Search for ssh2 instead of libssh2." by @ethomson in #6619

Compatibility improvements

  • stransport: macOS: replace errSSLNetworkTimeout, with hard-coded value by @mascguy in #6610

New Contributors

Full Changelog: v1.7.0...v1.7.1