What's Changed
Refit 13 is a major release focused on security hardening and a brand-new testing package.
- Security hardening (#2181): closes issues found in a security audit. XML deserialization is now protected against XXE (external entity) attacks, the Newtonsoft.Json integration no longer honours unsafe `TypeNameHandling` by default (blocking type-confusion/deserialization attacks), and sensitive values (auth headers, tokens) are now redacted from exception and log output. This is the main reason for the major version bump: if you relied on permissive Newtonsoft type handling you may need to opt back in explicitly.
- New `Refit.Testing` package (#2184): a first-party way to stub and verify Refit clients in tests without spinning up a real `HttpClient`. Supply canned responses for interface calls and assert which requests your code made, instead of hand-rolling `HttpMessageHandler` fakes.
- R3 bridge analyzer fix (#2186): corrects the removal target for the R3 bridge analyzer.
- CI and documentation tidy-ups for SonarCloud on fork pull requests.
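
The two deserialization defaults described in the security hardening item, sketched with the standard .NET and Newtonsoft.Json APIs. This is an added example, not Refit's own code and not the mechanism Refit uses to opt back in (the notes do not show it); `Order`, `AllowListBinder` and `HardenedSerialization` are hypothetical names.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical DTO used only for this example.
public class Order { public int Id { get; set; } public string Note { get; set; } }

// Allow-list binder: only the types named here may be created from a "$type" value.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Type[] Allowed = { typeof(Order) };

    public Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName) return t;
        throw new JsonSerializationException($"Type '{typeName}' is not on the allow-list.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                    // do not emit assembly names
        typeName = serializedType.FullName;
    }
}

public static class HardenedSerialization
{
    // XML: refuse any DTD and never resolve external resources, so a document
    // carrying <!DOCTYPE ...> fails with XmlException instead of being expanded.
    public static T ReadXml<T>(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        return (T)new XmlSerializer(typeof(T)).Deserialize(reader);
    }

    // JSON, safe default: a "$type" value in the payload is not used to pick the type.
    public static readonly JsonSerializerSettings Safe =
        new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };

    // JSON, explicit opt-in for polymorphic payloads, restricted to the allow-list.
    public static readonly JsonSerializerSettings OptIn = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto,
        SerializationBinder = new AllowListBinder()
    };
}
```

If you opt back in to type-name handling, pairing it with an allow-list binder like this keeps payload-supplied type names from instantiating arbitrary types.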
Features
- cc24382 feat: security hardening from audit (XXE, Newtonsoft type handling, redaction) (#2181) @glennawatson
- 339cb8d feat: add Refit.Testing package for stubbing and verifying clients (#2184) @glennawatson
General Changes
- 5d272c8 ci: run SonarCloud on fork pull requests @glennawatson
Documentation
- 533bbbe docs: slim fork-PR SonarCloud wrapper comments @glennawatson
Other
- c0bbb5a [codex] Fix R3 bridge analyzer removal target (#2186) @ChrisPulman
Full Changelog: v12.1.0...v13.0.0
Contributions
Thanks to all the contributors: @ChrisPulman, @glennawatson