v0.5.7

@github-actions github-actions released this 22 Apr 03:31

What's Changed

🔒 Security

This release adds two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new (#419) so response handlers can be added before the server can send any responses, and the max_response_size config attribute (#444, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).

Note

The default max_response_size is extremely high, to avoid issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.
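
The Ruby sketch below is an added illustration, not net-imap's own code. It shows why a client needs a cap such as max_response_size: a server-announced IMAP literal size (and an unterminated line) is checked against a limit before anything is buffered. The names read_bounded_response, ResponseTooLarge and outcome are hypothetical, and the sample responses are constructed.

```ruby
require "stringio"

# Hypothetical error class for this sketch; not a net-imap constant.
class ResponseTooLarge < StandardError; end

# Read one complete IMAP response from +io+: a CRLF-terminated line plus any
# "{N}" literals it announces. Never buffers more than +max_size+ bytes.
def read_bounded_response(io, max_size:)
  buf = "".b
  loop do
    # Cap the line read as well: a peer may simply never send CRLF.
    line = io.gets("\r\n", max_size - buf.bytesize + 1)
    raise EOFError, "connection closed mid-response" if line.nil?
    buf << line.b
    raise ResponseTooLarge, "more than #{max_size} bytes" if buf.bytesize > max_size
    raise EOFError, "connection closed mid-line" unless line.end_with?("\r\n")

    # A line ending in "{N}" means N raw bytes follow, then more of the response.
    announced = line[/\{(\d+)\}\r\n\z/, 1]
    return buf if announced.nil?

    # Check the announced size BEFORE allocating or reading anything.
    if buf.bytesize + announced.to_i > max_size
      raise ResponseTooLarge, "literal of #{announced} bytes exceeds limit"
    end
    data = io.read(announced.to_i)
    raise EOFError, "connection closed mid-literal" if data.nil? || data.bytesize < announced.to_i
    buf << data
  end
end

# Returns [:ok, response] or [:rejected, bytes_consumed] for constructed input.
def outcome(bytes, max_size:)
  io = StringIO.new(bytes)
  [:ok, read_bounded_response(io, max_size: max_size)]
rescue ResponseTooLarge
  [:rejected, io.pos]
end

# Constructed sample responses (not captured traffic).
HONEST   = "* 1 FETCH (BODY[] {5}\r\nhello)\r\n"
OVERSIZE = "* 1 FETCH (BODY[] {4294967296}\r\n" + "x" * 10 # claims 4 GiB
ENDLESS  = "* OK " + "A" * 5000                            # never sends CRLF

p outcome(HONEST, max_size: 1024)
p outcome(OVERSIZE, max_size: 1024)
p outcome(ENDLESS, max_size: 1024)
```

In the rejected cases the reader stops after the announcing line or after max_size + 1 bytes, so the amount buffered is set by the client's limit and not by the server.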

Added

  • ✨ Track IMAP connection state by @nevans in #416
  • ✨ Add response_handlers kwarg to Net::IMAP.new by @nevans in #419
  • ✨ Customize SequenceSet YAML serialization by @nevans in #432
  • ✨ Limit max_response_size by @nevans in #444

Documentation

  • 📚 Improve docs for unbounded memory use and thread safety by @nevans in #418
  • 📚 Improve SequenceSet docs by @nevans in #420
  • 📚 Doc improvements for open_timeout, etc by @nevans in #424

Other Changes

  • ♻️ Reorganize Config.version_defaults creation by @nevans in #412
  • ♻️ Refactor Config attr type coercion by @nevans in #417
  • ♻️ Refactor Net::IMAP#get_response (internal) by @nevans in #422
  • ♻️ Rational config versions by @nevans in #429
  • ♻️ Extract ResponseReader from get_response by @nevans in #433
  • ♻️ Refactor ResponseReader by @nevans in #435

Miscellaneous

  • Bump step-security/harden-runner from 2.10.4 to 2.11.0 by @dependabot in #409
  • ✅ Make FakeServer more robust against disconnect by @nevans in #414
  • ✅ Improvements to FakeServer (tests only) by @nevans in #415
  • ✅ Ignore more IO errors in some FakeServer tests by @nevans in #421
  • ⬆️ Bump step-security/harden-runner from 2.11.0 to 2.11.1 by @dependabot in #423

Full Changelog: v0.5.6...v0.5.7