Skip to content

v3.4.0

Latest

Choose a tag to compare

@github-actions github-actions released this 02 Jul 07:39

🚀 New

  • Complete HTTP QUERY method support (#4436, #4456)
    Adds the HTTP QUERY method (RFC 10008): fiber.MethodQuery, app.Query() routing, safe/idempotent handling in csrf, idempotency, earlydata and cache, plus client.Query() shorthands.
    app.Query("/search", func(c fiber.Ctx) error {
        return c.Send(c.Body()) // QUERY carries the query expression in the body
    })
    https://docs.gofiber.io/client/rest#query
  • Add WithContext variants for session storage I/O (#4393)
    SaveWithContext, DestroyWithContext, RegenerateWithContext and ResetWithContext propagate deadlines/cancellation to the session storage backend; the plain methods keep working unchanged.
    sess := session.FromContext(c)
    err := sess.SaveWithContext(ctx) // storage write bounded by ctx
    https://docs.gofiber.io/middleware/session#session-with-context-timeoutscancellation
  • Unify internal and custom constraints into a single interface (#4397)
    Built-in and custom route constraints now share one ConstraintHandler interface; the optional ConstraintAnalyzer precomputes constraint data at route registration, removing per-request parsing. Existing CustomConstraint implementations keep working unchanged.
    app.RegisterCustomConstraint(evenConstraint{}) // implements Name() + Execute()
    app.Get("/items/:id<even>", handler)
    https://docs.gofiber.io/guide/routing#constrainthandler-interface
  • Expose prefork RecoverInterval and ShutdownGracePeriod (#4491)
    New ListenConfig knobs: PreforkRecoverInterval delays respawning a crashed child (default 0) and PreforkShutdownGracePeriod sets how long the master waits after SIGTERM before SIGKILL (default 5s).
    app.Listen(":3000", fiber.ListenConfig{
        EnablePrefork:              true,
        PreforkRecoverInterval:     time.Second,
        PreforkShutdownGracePeriod: 10 * time.Second,
    })
    https://docs.gofiber.io/api/fiber#preforkrecoverinterval

🧹 Updates

  • Reduce avoidable work in the request hot path (#4490)
  • Avoid per-request heap allocation in DefaultErrorHandler (#4446)
  • Use sentinel errors on typed-getter and Range parse failures (#4448)
  • Replace appendLowerBytes with utilsbytes.UnsafeToLower (#4468)
  • Add MIMETextEventStream constant (#4415)
  • Cache binder decoder type metadata across requests (#4447)
  • Eliminate double reflection in binder mergeStruct (-10% allocs) (#4385)
  • Reduce binder data map allocations (#4379)
  • cache: Append canonical key segments into the pooled buffer (#4450)
  • cors: Optimize subdomain origin matching (#4482)
  • cors: Optimize exact-origin lookup to O(1) (#4368)
  • csrf/redirect: Share scheme/host matching and skip url.Parse on the hot path (#4449)
  • Narrow client user hook lock scope safely (#4375)
  • Raise middleware coverage above 90% for timeout, logger, idempotency, limiter, cache (#4466)
  • Cover remaining cors/csrf middleware branches (#4462)
  • Add unit tests for isOriginSerializedOrNull (#4461)
  • Cover session deadline/error paths and delegate Middleware lifecycle methods (#4435)
  • Inject clock to make time-dependent tests deterministic (#4430)
  • Rename benchmark cases (#4383)
  • Remove test-only dead code and add manual deadcode workflow (#4458)
  • Remove dead code flagged by static analysis (#4454)
  • Static analysis cleanups (#4444)
  • Fix modernize lint issues (#4315)

🐛 Fixes

  • Evaluate If-Modified-Since when If-None-Match is absent in Fresh (#4488)
  • Fix open redirect via Redirect().Back() by validating the Referer header origin (#4370)
  • Fix data race on lazy appListKeys generation in Render (#4440)
  • Avoid route fallback errors during server error middleware traversal (#4426)
  • Strip all trusted proxy IPs from X-Forwarded-For chain (#4394)
  • Guard typed-nil errors (#4407)
  • Guard typed-nil Fiber error paths without reflection (#4372)
  • Preserve legacy custom constraint arguments (#4432)
  • Remove unreachable SameSiteDefaultMode case (#4471)
  • Detach quoted filename strings from pooled buffers (#4374)
  • Prevent app.init mutex deadlock on panic (#4366)
  • Enforce CertClientFile for AutoCertManager TLS (#4312)
  • cache: Separate authorization key segment (#4467)
  • cache: Hash QUERY body keys (#4459)
  • cache: Evaluate freshness after locking (#4419)
  • cors: Validate wildcard origins before matching (#4438)
  • cors: Reject empty wildcard labels (#4437)
  • csrf: Validate nested extractor chains (#4439)
  • csrf: Port CORS subdomain match fixes (#4455)
  • etag: Skip Server-Sent Events responses (#4487)
  • Guard extractor introspection cycles (#4453)
  • helmet: Use Scheme() for HTTPS detection and validate HSTS configuration (#4389)
  • hostauthorization: Reject malformed hostnames in wildcard path (#4408)
  • idempotency: Make MemoryLock safe for zero-value use (#4371)
  • limiter: Correct fixed-window hit credit on skipped requests (#4422)
  • logger/cache/storage: Remove unbounded background goroutines (#4378)
  • pprof/proxy: Fix trailing-slash redirect and balancer empty-server panic (#4421)
  • proxy: Bound upstream connections by default (#4369)
  • rewrite/redirect: Anchor rules to the start of the path (#4483)
  • session: Prevent session fixation by preserving successful extractor in chains (#4469)
  • session: Prevent store error disclosure (#4424)
  • session: Restore isFresh field name (#4477)
  • sse: Preserve trailing newlines in event data (#4414)
  • timeout: Isolate default timeout responses (#4442)
  • timeout: Reclaim abandoned fiber.Ctx via ScheduleReclaim latch (#4359, #4400)
  • Fix client config locking races (#4470)
  • Fix client default access race in Replace/C path (#4377)
  • Handle panics in client execFunc without crashing callers (#4365)
  • Address bugs found in codebase audit (#4420)
  • Fix cleanup follow-ups and regression coverage (#4380)

🛠️ Maintenance

22 changes
  • bump github.com/klauspost/compress from 1.18.7 to 1.19.0 (#4489)
  • bump github.com/klauspost/compress from 1.18.6 to 1.18.7 (#4485)
  • bump github.com/andybalholm/brotli from 1.2.1 to 1.2.2 (#4484)
  • bump github.com/valyala/fasthttp from 1.71.0 to 1.72.0 in the fasthttp-modules group (#4481)
  • bump actions/cache/restore from 6.0.0 to 6.1.0 (#4480)
  • bump actions/cache/save from 6.0.0 to 6.1.0 (#4479)
  • bump release-drafter/release-drafter from 7.5.0 to 7.5.1 (#4463)
  • bump release-drafter/release-drafter from 7.4.0 to 7.5.0 (#4457)
  • bump actions/cache from 5.0.5 to 6.0.0 (#4452)
  • bump actions/setup-go from 6.4.0 to 6.5.0 (#4451)
  • bump actions/checkout from 6.0.3 to 7.0.0 (#4441)
  • bump release-drafter/release-drafter from 7.3.1 to 7.4.0 (#4434)
  • bump golang.org/x/net from 0.55.0 to 0.56.0 in the golang-modules group (#4425)
  • bump github.com/gofiber/schema from 1.7.2 to 1.8.0 (#4417)
  • bump the golang-modules group with 2 updates (#4416)
  • bump golang.org/x/sys from 0.45.0 to 0.46.0 in the golang-modules group (#4412)
  • bump codecov/codecov-action from 6.0.1 to 7.0.0 (#4413)
  • bump actions/checkout from 6.0.2 to 6.0.3 (#4398)
  • bump github.com/gofiber/schema from 1.7.1 to 1.7.2 (#4396)
  • bump github.com/mattn/go-colorable from 0.1.14 to 0.1.15 (#4384)
  • bump release-drafter/release-drafter from 7.3.0 to 7.3.1 (#4314)
  • bump the golang-modules group with 3 updates (#4310)

📚 Documentation

  • Restructure routing guide and split handler partials (#4311)
  • Fix Ctx.Scheme/Protocol documentation (#4473, #4474)
  • Clarify client hook concurrency contract (#4386)
  • keyauth: Fix extractor examples (#4409)
  • Add FAQ troubleshooting entry for the "id <= evictCount" (hpack/gRPC) panic (#4475)
  • Replace interface{} with any (Go 1.18+) (#4433)
  • Document thread-safety contracts for mutex-backed public types (#4367)
  • Enhance sponsorship section in README (#4402)

📒 Documentation: https://docs.gofiber.io/next/

💬 Discord: https://gofiber.io/discord

Full Changelog: v3.3.0...v3.4.0

Thank you @0xghost42, @Amirhf1, @DucMinhNe, @Fenny, @MD-Mushfiqur123, @ReneWerner87, @alexandear, @fereidani, @gaby, @james-yusuke, @ksw2000, @nekoworks-magic, @niksis02, @pageton, @sixcolors and @talktokim for making this release possible.