Releases: puma/puma

6.5.0 - Sky's Version

22 Nov 23:54

They say good things come to those who wait, and you've all had to wait a long time for 6.5.0 because @nateberkopec had another daughter: Sky!

  • Features

    • Print RUBY_DESCRIPTION when Puma starts ([#3407])
    • Set the worker process count automatically when using WEB_CONCURRENCY=auto ([#3439], [#3437])
    • Mark as ractor-safe ([#3486], [#3422])
    • Add option enable_keep_alives. true (the default) mimics existing behavior, but now you can use false to disable keepalive to reduce queue tail latency ([#3496])
    • Add parameters to Puma methods to allow CI to change ENV in isolation ([#3485])
    • Add ssl_ciphersuites option for TLSv1.3 ciphers ([#3359], [#3343])
    • You can now use --threads 5 or threads 5 to config max/min threads with a single number (used to need to say 5:5) ([#3309])
    • Option to turn off systemd plugin ([#3425], [#3424])
    • Add on_stopped hook ([#3411], [#3380])
  • Bugfixes

    • Handle blank environment variables when loading config ([#3539])
    • lib/rack/handler/puma.rb - fix for rackup v1.0.1, adjust Gemfile ([#3532], [#3531])
    • null_io.rb - add external_encoding, set_encoding, binmode, binmode? ([#3214])
    • Implement NullIO#seek and #pos to mimic IO ([#3468])
    • add support in rack handler & fix regression in binder for linux abstract namespace sockets ([#3508])
    • Use actual thread local for Puma::Server.current. ([#3360])
    • client.rb - fix request chunked body handling ([#3338], [#3337])
    • Properly handle two requests seen in the initial buffer ([#3332])
    • Fix response repeated status line when request is invalid or errors are raised ([#3308], [#3307])
    • Fix child processes not being reaped when Process.detach used ([#3314], [#3313])
  • JRuby

    • Make HTTP length constants configurable ([#3518])
    • Fixup jruby_restart.rb & launcher.rb to work with ARM64 macOS JRuby ([#3467])
  • Performance

    • Avoid checking if all workers reached timeout unless idle timeout is configured ([#3341])
    • Request body - increase read size to 64 kB ([#3548])
    • single mode skip wait_for_less_busy_worker ([#3325])
  • Refactor

    • A ton of CI/test improvements by @MSP-Greg, as usual.
    • Add ThreadPool#stats and adjust Server#stats to use it ([#3527])
    • normalize whitespace in worker stats string ([#3513])
    • rack/handler/puma.rb - ssl - use start_with?, add test ([#3510])
    • extconf.rb - add logging for OpenSSL versions ([#3370])
    • Lazily require Puma::Rack::Builder ([#3340])
    • Refactor: Constantize worker pipe request types ([#3318])
  • Docs

    • stats.md improvements ([#3514])
    • control_cli.rb: Harmonize help message with bin/puma ([#3434])
    • dsl.rb: Clarify a callback's argument ([#3435])
    • lib/rack/handler/puma.rb - relocate and fixup module comment ([#3495])

6.4.3

19 Sep 05:51
  • Security
    • Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (CVE-2024-45614/GHSA-9hf4-67fc-4vf4)
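
The header collision behind the 6.4.3 fix, as an added example (not Puma's code): Rack-style env keys turn both `-` and `_` into `_`, so two header spellings land on the same key. The helper names, the simplified last-write-wins model and the sample headers are constructed for illustration.

```ruby
# Added illustration; a simplified model, not Puma's implementation.

# Rack/CGI-style env key: upcase, '-' becomes '_', prefixed with "HTTP_".
def env_key(name)
  "HTTP_#{name.upcase.tr('-', '_')}"
end

# Env keys of headers spelled without any underscore.
def dash_keys(headers)
  headers.reject { |name, _| name.include?('_') }.map { |name, _| env_key(name) }
end

# Naive model (assumption): whichever spelling arrives last wins the key.
def naive_env(headers)
  headers.each_with_object({}) { |(name, value), env| env[env_key(name)] = value }
end

# Underscore-spelled headers that collide with a non-underscore header.
# Useful to log at a proxy or in middleware as a detection signal.
def shadowing_headers(headers)
  taken = dash_keys(headers)
  headers.select { |name, _| name.include?('_') && taken.include?(env_key(name)) }
         .map(&:first)
end

# Hardened model: discard an underscore header when the non-underscore
# version also exists, regardless of the order the headers arrived in.
def filtered_env(headers)
  dropped = shadowing_headers(headers)
  naive_env(headers.reject { |name, _| dropped.include?(name) })
end

# Constructed sample request headers (documentation IP ranges).
SAMPLE = [
  ['X-Forwarded-For', '203.0.113.7'],   # set by the intermediate proxy
  ['X_Forwarded_For', '198.51.100.99'], # client-supplied underscore twin
  ['X_Request_Tag', 'abc']              # underscore header with no twin: kept
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive:    #{naive_env(SAMPLE)}"
  puts "filtered: #{filtered_env(SAMPLE)}"
  puts "flagged:  #{shadowing_headers(SAMPLE)}"
end
```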

6.4.2

19 Sep 05:51
  • Security
    • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

6.4.1

08 Jan 05:51
  • Bugfixes

    • DSL#warn_if_in_single_mode - fixup when workers set via CLI ([#3256])
    • Fix idle-timeout not working in cluster mode ([#3235], [#3228], [#3282], [#3283])
    • Fix worker 0 timing out during phased restart ([#3225], [#2786])
    • context_builder.rb - require openssl if verify_mode != 'none' ([#3179])
    • Make puma cluster process suitable as PID 1 ([#3255])
    • Improve Puma::NullIO consistency with real IO ([#3276])
    • extconf.rb - fixup to detect openssl info in Ruby build ([#3271], [#3266])
    • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation ([#3270])
    • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set ([#3265], [#3264])
  • Maintenance

    • LOTS of test refactoring to make tests more stable and easier to write - thanks to @MSP-Greg!
    • Fix bug in tests re: TestPuma::HOST4 ([#3254])
    • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed ([#3245])
    • fix define_method calls, use Symbol parameter instead of String ([#3293])
  • Docs

    • README.md - add the puma-acme plugin ([#3301])
    • Remove --keep-file-descriptors flag from systemd docs ([#3248])
    • Note symlink mechanism in restart documentation for hot restart ([#3298])

6.4.0 - The Eagle of Durango

21 Sep 04:11
52eff8d

America is #1 in professional cycling, baby!

  • Features

    • on_thread_exit hook ([#2920])
    • on_thread_start_hook ([#3195])
    • Shutdown on idle ([#3209], [#2580])
    • New error message when control server port taken ([#3204])
  • Refactor

    • Remove Forwardable dependency ([#3191], [#3190])
    • Update URLMap Regexp usage for Ruby v3.3 ([#3165])
  • Bugfixes

    • Bring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. ([#3174])
    • Fix using control server with IPv6 host ([#3181])
    • control_cli.rb - add require_relative 'log_writer' ([#3187])
    • Fix cases where fallback Rack response wasn't sent to the client ([#3094])

6.3.1

18 Aug 01:30
  • Security
    • Address HTTP request smuggling vulnerabilities with zero-length Content-Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

5.6.7

18 Aug 05:59

  • Security
    • Address HTTP request smuggling vulnerabilities with zero-length Content-Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

6.3.0 - Mugi No Toki Itaru

31 May 07:21
763d1a1

Japan has 72 traditional microseasons. May 31 is the first day of 麦秋至, which means the time of the wheat/barley harvest.

  • Features

    • Add dsl method supported_http_methods ([#3106], [#3014])
    • Puma error responses no longer have any fingerprints to indicate Puma ([#3161], [#3037])
    • Support decryption of SSL key ([#3133], [#3132])
  • Bugfixes

    • Don't send 103 early hints response when only invalid headers are used ([#3163])
    • Handle malformed request path ([#3155], [#3148])
    • Misc lib file fixes - trapping additional errors, CI helper ([#3129])
    • Fixup req form data file upload with "\r\n" line endings ([#3137])
    • Restore rack 1.6 compatibility ([#3156])
  • Refactor

    • const.rb - Update Puma::HTTP_STATUS_CODES ([#3162])
    • Clarify Reactor#initialize ([#3151])

Full Changelog: v6.2.2...v6.3.0

6.2.2

17 Apr 22:45
v6.2.2
904b47a
  • Bugfixes
    • Fix Rack-related NameError by adding :: operator ([#3118], [#3117])

6.2.1

31 Mar 06:48
v6.2.1
92d976d

6.2.1 / 2023-03-31

  • Bugfixes
    • Fix java 8 compatibility ([#3109], [#3108])
    • Always write io_buffer when in "enum bodies" branch. ([#3113], [#3112])
    • Fix warn_if_in_single_mode incorrect message ([#3111])