v0.4.20

[nevans]

What's Changed

🔒 Security

This release backports two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new so response handlers can be added before the server can send any responses (#427), and the max_response_size config attribute (#445, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).

Note

The default max_response_size is nil (unlimited), to avoid backward compatibility issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.

Known Issues

Fixed in v0.4.22: Older versions of Ruby 3.0 on Mac OS crash when net/imap is required (#471).

Important

Ruby 3.0.7 is unaffected by #471 and was released on 2024-04-23. Ruby 3.0 has reached its EOL.

If you are affected by #471, upgrading Ruby is much more important than upgrading net-imap!

Added

• ✨ Add response_handlers kwarg to Net::IMAP.new by @nevans in ✨ Add response_handlers kwarg to Net::IMAP.new (backport #419 to 0.4) #427
  • Backports ✨ Add response_handlers kwarg to Net::IMAP.new #419
• ✨ Limit max_response_size by @nevans in ✨ Limit max_response_size (backport 0.4) #445
  • Backports ✨ Limit max_response_size #444

Documentation

• 📚 Backport documentation to v0.4 by @nevans in 📚 Backport documentation to v0.4 #426
  • Backports 📚 Improve docs for unbounded memory use and thread safety #418, 📚 Impove SequenceSet docs #420, documentation only from ✨ Track IMAP connection state #416, and 📚 Doc improvements for open_timeout, etc #424

Other Changes

• ♻️ Update versioned default configs by @nevans in ♻️ Update versioned default configs (backports #412) #413
  • Backports ♻️ Reorganize Config.version_defaults creation #412
• ♻️ Refactor get_response by @nevans in ♻️ Refactor get_response (backports #422 to 0.4) #431
  • Backports ♻️ Refactor Net::IMAP#get_response (internal) #422
• ♻️ Rational config versions by @nevans in ♻️ Rational config versions (backport #429 to v0.4) #430
  • Backports ♻️ Rational config versions #429
• ♻️ Extract ResponseReader from get_response by @nevans in ♻️ Extract ResponseReader from get_response (backport #433) #434
  • Backports ♻️ Extract ResponseReader from get_response #433
• ♻️ Refactoring by @nevans in ♻️ Refactoring (backports) #436
  • Backports ♻️ Refactor Config attr type coercion #417 and ♻️ Refactor ResponseReader #435

Miscellaneous

• ✅ Various test improvements to v0.4 by @nevans in ✅ Backport various test improvements to v0.4 #425
  • Backports ✅ Make FakeServer more robust against disconnect #414, ✅ Improvements to FakeServer (tests only) #415, ✅ Ignore more IO errors in some FakeServer tests #421, and assert_pattern from minitest (originally in ✨ Add basic ESearch support #333)

Full Changelog: v0.4.19...v0.4.20

---

This discussion was created from the release v0.4.20.