Skip to content

v3.58.0 Release

Choose a tag to compare

@imroc imroc released this 01 Jul 14:20

New Features

  • Add SetTLSFingerprintSpec for custom ClientHelloSpec support — accepts a *utls.ClientHelloSpec for fine-grained TLS fingerprint customization (JA3/JA4). Closes #477, #478.
  • Add SensitiveHeadersRedirectPolicy — strips custom auth headers (e.g. X-API-Key, X-Auth-Token) on cross-domain redirects to prevent credential leakage (CWE-200). Fixes #489.
  • Port quic-go v0.59.0 — aligns with quic-go v0.59.0 breaking changes: removes deprecated ConnectionTracingID/ConnectionTracingKey, removes stream hijacking API, replaces handleUnidirectionalStreams with per-stream callback, adds RawClientConn for fine-grained stream control, adds HandleBidirectionalStream (closes conn per RFC 9114), fixes SupportsDatagramsSupportsDatagrams.Remote. Fixes #482.

Bug Fixes

  • Unmarshal returns error on error status codes — now checks IsErrorState() before deserializing, preventing 4xx/5xx response bodies from being deserialized into target structs. Closes #465.
  • Retry on GOAWAY errors with cached HTTP/2 connectionsRoundTripOnlyCachedConn now falls through to create a new connection instead of returning errClientConnGotGoAway directly. Closes #491.
  • SetCookieJarFactory returns http.CookieJar interface — changes return type from *cookiejar.Jar to http.CookieJar, allowing custom cookie jar implementations. Closes #415.
  • Add application/json to Chrome impersonate accept header — matches Chrome's actual accept header for API requests expecting JSON. Closes #471.

Dependencies

  • Upgrade utls to v1.8.2 — security update from v1.8.1. Addresses #459.

Tests

  • Add comprehensive unit tests for HTTP/3 frames, headers, transport, and dump.
  • Add automated test gate infrastructure.