v0.4.20
What's Changed
🔒 Security
This release backports two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new, so response handlers can be added before the server can send any responses (#427), and the max_response_size config attribute (#445, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).
Note
The default max_response_size is nil (unlimited), to avoid backward compatibility issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.
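What a response size limit has to enforce, shown as an added Ruby example that is not net-imap's code and is not part of these release notes: the reader rejects an oversized response before reading it, both for overlong lines and for IMAP literals, where the server announces a byte count as {N} followed by CRLF. The class, error and constant names are hypothetical, and the sample stream is constructed.

```ruby
require "stringio"

# Added illustration, not net-imap's ResponseReader; all names are hypothetical.
class ResponseTooLarge < StandardError; end

class BoundedResponseReader
  LITERAL = /\{(\d+)\}\r\n\z/ # a line ending in {N}CRLF announces N literal bytes

  def initialize(io, max_response_size: nil)
    @io = io
    @max = max_response_size # nil = unlimited, like the default described above
  end

  # Returns one complete response (line plus any literals), or nil at EOF.
  def read_response
    buf = String.new(encoding: Encoding::BINARY)
    loop do
      line = read_line(buf.bytesize)
      return (buf.empty? ? nil : buf) if line.nil?
      buf << line
      size = line[LITERAL, 1] or return buf
      check!(buf.bytesize + size.to_i) # reject before reading or allocating
      literal = @io.read(size.to_i).to_s
      buf << literal
      return buf if literal.bytesize < size.to_i # stream ended mid-literal
    end
  end

  private

  def read_line(used)
    # Ask for one byte past the remaining budget so an overlong line is detected.
    line = @max ? @io.gets("\r\n", @max - used + 1) : @io.gets("\r\n")
    return nil if line.nil?
    line.force_encoding(Encoding::BINARY)
    check!(used + line.bytesize)
    line
  end

  def check!(total)
    return unless @max && total > @max
    raise ResponseTooLarge, "response would be #{total} bytes (max #{@max})"
  end
end

# Constructed sample stream: greeting, a small literal, then an oversized one.
SAMPLE = "* OK ready\r\n* 1 FETCH (BODY[] {5}\r\nhello)\r\n" \
         "* 2 FETCH (BODY[] {4000000000}\r\n".b
```

With a 64-byte limit, the first two responses in SAMPLE are returned and the third raises ResponseTooLarge as soon as its announced literal size is parsed.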
Known Issues
Fixed in v0.4.22: Ruby 3.0.0 through 3.0.2 on Mac OS crash when net/imap is required (#471).
Important
This is fixed by Ruby 3.0.3, which was released 2021-11-24.
Ruby 3.0.7 was released on 2024-04-23. Ruby 3.0 has reached its EOL.
If you are affected by #471, upgrading Ruby is much more important than upgrading net-imap!
Added
- ✨ Add response_handlers kwarg to Net::IMAP.new by @nevans in #427
- Backports #419
- ✨ Limit max_response_size by @nevans in #445
- Backports #444
Documentation
Other Changes
- ♻️ Update versioned default configs by @nevans in #413
- Backports #412
- ♻️ Refactor get_response by @nevans in #431
- Backports #422
- ♻️ Rational config versions by @nevans in #430
- Backports #429
- ♻️ Extract ResponseReader from get_response by @nevans in #434
- Backports #433
- ♻️ Refactoring by @nevans in #436
Miscellaneous
Full Changelog: v0.4.19...v0.4.20