Releases: ruby/net-imap

v0.5.9

19 Jun 16:20

What's Changed

Added

  • ✨ Add Net::IMAP::SequenceSet() coercion method by @nevans in #490

Fixed

  • 🐛 Fix SequenceSet#include? handling of invalid inputs by @nevans in #479
  • 🐛 Always remove idle response handler after done by @nevans in #481
  • 🧵 Improve synchronization of connection_state transitions by @nevans in #494

Documentation

  • 📚🐛 Fix SequenceSet documentation errors by @nevans in #480
  • 📚🐛 Fix doc & error msg for SequenceSet coercion by @nevans in #483
  • 📚 RDoc updates for SequenceSet by @nevans in #489

Other Changes

  • ♻️ Short-circuit frozen SequenceSet modifications by @nevans in #473
  • ♻️ Move SequenceSet autoload by @nevans in #491
  • ♻️ Avoid unnecessary allocation in SequenceSet[] by @nevans in #492
  • 🧵 Close socket in #disconnect before waiting for lock & thread join by @nevans in #493

Miscellaneous

  • ♻️ Generate same stringprep tables with ruby 3.4 by @nevans in #469
  • ✅ CI: Mark ruby head on windows as "experimental" by @nevans in #472
  • ✅ Update Regexp.linear_time? tests for non-CRuby by @nevans in #477
  • ✅ Add timeouts to CI workflow by @nevans in #478
  • ✅ Update ResponseReader, UIDFetchData, DeprecatedClientOptions tests by @nevans in #476
  • ⏪ Revert #472 (✅ CI: Mark ruby head on windows as "experimental") by @nevans in #482
  • ➕ Add benchmark to Gemfile to silence warnings by @nevans in #486
  • ⬆️ Bump step-security/harden-runner from 2.12.0 to 2.12.1 by @dependabot in #488

Full Changelog: v0.5.8...v0.5.9

v0.4.22

06 May 14:30

Important

The regression fixed by this release (#471) appears to only affect Ruby 3.0.0 through 3.0.2, and only on some platforms. It appears to be fixed by ruby 3.0.3, released 2021-11-24. Ruby 3.0.7 was released on 2024-04-23. Ruby 3.0 has reached its EOL.

If you are affected by this issue, upgrading Ruby is much more important than upgrading net-imap!

What's Changed

Fixed

Full Changelog: v0.4.21...v0.4.22

v0.5.8

29 Apr 18:02

What's Changed

Added

  • ✨ Add SequenceSet#min(count) and #max(count) by @nevans in #460
  • ✨ Add SequenceSet#above and SequenceSet#below by @nevans in #462

Fixed

  • 🐛 Check for Ractor (for JRuby, TruffleRuby) by @nevans in #453, reported by @rammpeter in #452
  • 🐛 Fix SequenceSet#slice with range (start...0) by @nevans in #456
  • 🐛 Fix inconsistently frozen SequenceSet#[] result by @nevans in #458
  • 🐛 Fix SequenceSet#xor crash when set is frozen by @nevans in #457
  • 🐛 Fix SequenceSet#slice when length > result size by @nevans in #459

Documentation

  • 📚 Various SequenceSet rdoc improvements by @nevans in #465

Miscellaneous

  • ⬆️ Bump step-security/harden-runner from 2.11.1 to 2.12.0 by @dependabot in #455
  • ✅ Test SequenceSet#xor and fuzz test all set operations by @nevans in #464

Full Changelog: v0.5.7...v0.5.8

v0.4.21

29 Apr 18:06

What's Changed

Fixes

  • 🐛 Backport SequenceSet bugfixes to v0.4 by @nevans in #461
    • Backports 🐛 Fix SequenceSet#slice with range (start...0) by @nevans in #456
    • Backports 🐛 Fix inconsistently frozen SequenceSet#[] result by @nevans in #458
    • Backports 🐛 Fix SequenceSet#xor crash when set is frozen by @nevans in #457
    • Backports 🐛 Fix SequenceSet#slice when length > result size by @nevans in #459

Miscellaneous

Full Changelog: v0.4.20...v0.4.21

v0.5.7

22 Apr 03:31

What's Changed

🔒 Security

This release adds two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new (#419) so response handlers can be added before the server can send any responses, and the max_response_size config attribute (#444, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).

Note

The default max_response_size is extremely high, to avoid issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.

Added

  • ✨ Track IMAP connection state by @nevans in #416
  • ✨ Add response_handlers kwarg to Net::IMAP.new by @nevans in #419
  • ✨ Customize SequenceSet YAML serialization by @nevans in #432
  • ✨ Limit max_response_size by @nevans in #444

Documentation

  • 📚 Improve docs for unbounded memory use and thread safety by @nevans in #418
  • 📚 Improve SequenceSet docs by @nevans in #420
  • 📚 Doc improvements for open_timeout, etc by @nevans in #424

Other Changes

  • ♻️ Reorganize Config.version_defaults creation by @nevans in #412
  • ♻️ Refactor Config attr type coercion by @nevans in #417
  • ♻️ Refactor Net::IMAP#get_response (internal) by @nevans in #422
  • ♻️ Rational config versions by @nevans in #429
  • ♻️ Extract ResponseReader from get_response by @nevans in #433
  • ♻️ Refactor ResponseReader by @nevans in #435

Miscellaneous

  • Bump step-security/harden-runner from 2.10.4 to 2.11.0 by @dependabot in #409
  • ✅ Make FakeServer more robust against disconnect by @nevans in #414
  • ✅ Improvements to FakeServer (tests only) by @nevans in #415
  • ✅ Ignore more IO errors in some FakeServer tests by @nevans in #421
  • ⬆️ Bump step-security/harden-runner from 2.11.0 to 2.11.1 by @dependabot in #423

Full Changelog: v0.5.6...v0.5.7

v0.4.20

22 Apr 03:40

What's Changed

🔒 Security

This release backports two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new so response handlers can be added before the server can send any responses (#427), and the max_response_size config attribute (#445, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).

Note

The default max_response_size is nil (unlimited), to avoid backward compatibility issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.

Known Issues

Fixed in v0.4.22: Ruby 3.0.0 through 3.0.2 on Mac OS crash when net/imap is required (#471).

Important

This is fixed by Ruby 3.0.3, which was released 2021-11-24.
Ruby 3.0.7 was released on 2024-04-23. Ruby 3.0 has reached its EOL.

If you are affected by #471, upgrading Ruby is much more important than upgrading net-imap!

Added

Documentation

Other Changes

Miscellaneous

  • ✅ Various test improvements to v0.4 by @nevans in #425
    • Backports #414, #415, #421, and assert_pattern from minitest (originally in #333)

Full Changelog: v0.4.19...v0.4.20

v0.3.9

22 Apr 03:47

Important

The 0.3.x release branch only receives security fixes, and will be unsupported when ruby 3.2 is EOL.
Please upgrade to a newer version.

What's Changed

🔒 Security

This release backports two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new so response handlers can be added before the server can send any responses (#438), and the max_response_size config attribute (#446, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).

Note

The default max_response_size is nil (unlimited), to avoid backward compatibility issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.

Added

Fixed

  • 🐛 Use Range#size vs Range#count for uid-set limit by @nevans in #411

Documentation

  • 📚 Docs: receiver thread, server responses, connection state by @nevans in #437
    • Backports #418, and only the documentation from #416.

Other Changes

Full Changelog: v0.3.8...v0.3.9

v0.2.5

22 Apr 03:48

Important

0.2.5 is the final release for the 0.2.x release series. Please upgrade to a newer version.

What's Changed

🔒 Security

This release backports two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new so response handlers can be added before the server can send any responses (#442), and the max_response_size config attribute (#447, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).

Note

The default max_response_size is nil (unlimited), to avoid backward compatibility issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.
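The kind of check a response size limit implies, for the max_response_size notes in this release and in v0.5.7, v0.4.20 and v0.3.9 above: an added example, not net-imap's ResponseReader. The method, class and constant names are hypothetical and the two inputs are constructed.

```ruby
require "stringio"

# Added illustration, not net-imap's ResponseReader. All names are hypothetical.
class ResponseTooLarge < StandardError; end

# Read one IMAP response (a CRLF-terminated line plus any "{n}" literals and
# the lines that follow them), never buffering more than max_size bytes.
def read_bounded_response(io, max_size:)
  buf = String.new
  loop do
    remaining = max_size - buf.bytesize
    raise ResponseTooLarge, "response exceeds #{max_size} bytes" if remaining <= 0
    line = io.gets("\r\n", remaining) or raise EOFError, "connection closed"
    buf << line.b
    unless line.end_with?("\r\n")
      # Either the limit cut the line short or the peer closed mid-line.
      raise ResponseTooLarge, "response exceeds #{max_size} bytes" if buf.bytesize >= max_size
      raise EOFError, "connection closed mid-line"
    end
    announced = line[/\{(\d+)\}\r\n\z/, 1] or return buf
    size = announced.to_i
    # Reject on the announced size, before reading or allocating the literal.
    if size > max_size - buf.bytesize
      raise ResponseTooLarge, "literal of #{size} bytes exceeds remaining budget"
    end
    data = io.read(size)
    raise EOFError, "connection closed mid-literal" if data.nil? || data.bytesize < size
    buf << data
  end
end

# Constructed server output: a normal FETCH with a 5-byte literal, and a
# response that announces a literal of nearly 4 GiB.
NORMAL  = "* 1 FETCH (BODY[] {5}\r\nhello)\r\n"
HOSTILE = "* 1 FETCH (BODY[] {4294967295}\r\n"
```

The limit has to cover the whole response, not each line or literal separately, because a response can chain any number of literals.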

Added

Documentation

  • 📚 Add docs for receiver thread & server responses by @nevans in #440

Other Changes

Miscellaneous

  • ✅ Add modern ruby versions to CI by @nevans in #441

Full Changelog: v0.2.4...v0.2.5

v0.5.6

08 Feb 00:11

What's Changed

🔒 Security Fix

Fixes CVE-2025-25186 (GHSA-7fc5-f82f-cx69): A malicious server can exhaust client memory by sending APPENDUID or COPYUID responses with very large uid-set ranges. Net::IMAP::UIDPlusData expands these ranges into arrays of integers.

Fix with minor API changes

Set config.parser_use_deprecated_uidplus_data to false to replace UIDPlusData with AppendUIDData and CopyUIDData. These classes store their UIDs as Net::IMAP::SequenceSet objects (not expanded into arrays of integers). Code that does not handle APPENDUID or COPYUID responses should not see any difference. Code that does handle these responses may need to be updated.

For v0.3.8, this option is not available.
For v0.4.19, the default value is true.
For v0.5.6, the default value is :up_to_max_size.
For v0.6.0, the only allowed value will be false (UIDPlusData will be removed from v0.6).

Mitigate with backward compatible API

Adjust config.parser_max_deprecated_uidplus_data_size to limit the maximum UIDPlusData UID set size.
When config.parser_use_deprecated_uidplus_data == true, larger sets will crash.
When config.parser_use_deprecated_uidplus_data == :up_to_max_size, larger sets will use AppendUIDData or CopyUIDData.

For v0.3.8, this limit is hard-coded to 10,000.
For v0.4.19, this limit defaults to 1000.
For v0.5.6, this limit defaults to 100.
For v0.6.0, the only allowed value will be 0 (UIDPlusData will be removed from v0.6).

Please Note: unhandled responses

If the client does not add response handlers to prune unhandled responses, a malicious server can still eventually exhaust all client memory, by repeatedly sending malicious responses. However, net-imap has always retained unhandled responses, and it has always been necessary for long-lived connections to prune these responses. This is not significantly different from connecting to a trusted server with a long-lived connection. To limit the maximum number of retained responses, a simple handler might look something like the following:

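limit = 1000
imap.add_response_handler do |resp|
  # Skip anything that lacks a name or data.
  next unless resp.respond_to?(:name) && resp.respond_to?(:data)
  name = resp.name
  # A response code, when present, is retained under its own name.
  code = resp.data.code&.name if resp.data.is_a?(Net::IMAP::ResponseText)
  # Keep only the newest `limit` entries for each type.
  imap.responses(name) { _1.slice!(0...-limit) }
  # code is nil when the response carries no response code.
  imap.responses(code) { _1.slice!(0...-limit) } if code
end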

Added

  • 🔧 Ensure ResponseParser config is mutable and non-global by @nevans in #381
  • ✨ Add SequenceSet methods for querying about duplicates by @nevans in #384
  • ✨ Add SequenceSet#each_ordered_number by @nevans in #386
  • ✨ Add SequenceSet#find_ordered_index by @nevans in #396
  • ✨ Add SequenceSet#ordered_at by @nevans in #397
  • ✨ Add AppendUIDData and CopyUIDData classes by @nevans in #400
  • 🔧 Add parser config for APPENDUID/COPYUID, 🗑️ Deprecate UIDPlusData by @nevans in #401

Fixed

  • 🐛 Fix SequenceSet#append when its @string is nil by @nevans in #376
  • 🐛 Fix SequenceSet merging in another SequenceSet by @nevans in #377
  • 🐛 Fix SequenceSet count dups with multiple "*" by @nevans in #387
  • 🥅 Re-raise #starttls error from receiver thread by @nevans in #395

Documentation

  • 📚 Fix SequenceSet#cover? documentation by @nevans in #379
  • 📚 Document COPYUID in tagged vs untagged responses by @nevans in #398

Other Changes

  • 🚚 Move UIDPlusData to its own file by @nevans in #391
  • ♻️ Parse uid-set as sequence-set without * by @nevans in #393

Miscellaneous

  • ⬆️ Bump step-security/harden-runner from 2.10.2 to 2.10.3 by @dependabot in #375
  • ⬆️ Bump step-security/harden-runner from 2.10.3 to 2.10.4 by @dependabot in #380
  • ✅ Improve test coverage for SequenceSet enums by @nevans in #383
  • ♻️✅ Refactor SequenceSet enumerator tests by @nevans in #385
  • ➕ Add "irb" to Gemfile to silence warning by @nevans in #388
  • Omit flaky test with macOS platform by @hsbt in #389
  • ✅ Improve UIDPlusData test coverage by @nevans in #392
  • 🚚 Rename UIDPLUS test file for consistency by @nevans in #399

Full Changelog: v0.5.5...v0.5.6

v0.4.19

08 Feb 00:14

What's Changed

🔒 Security Fix

Fixes CVE-2025-25186 (GHSA-7fc5-f82f-cx69): A malicious server can exhaust client memory by sending APPENDUID or COPYUID responses with very large uid-set ranges. Net::IMAP::UIDPlusData expands these ranges into arrays of integers.

Fix with minor API changes

Set config.parser_use_deprecated_uidplus_data to false to replace UIDPlusData with AppendUIDData and CopyUIDData. These classes store their UIDs as Net::IMAP::SequenceSet objects (not expanded into arrays of integers). Code that does not handle APPENDUID or COPYUID responses should not see any difference. Code that does handle these responses may need to be updated.

For v0.3.8, this option is not available.
For v0.4.19, the default value is true.
For v0.5.6, the default value is :up_to_max_size.
For v0.6.0, the only allowed value will be false (UIDPlusData will be removed from v0.6).

Mitigate with backward compatible API

Adjust config.parser_max_deprecated_uidplus_data_size to limit the maximum UIDPlusData UID set size.
When config.parser_use_deprecated_uidplus_data == true, larger sets will crash.
When config.parser_use_deprecated_uidplus_data == :up_to_max_size, larger sets will use AppendUIDData or CopyUIDData.

For v0.3.8, this limit is hard-coded to 10,000.
For v0.4.19, this limit defaults to 1000.
For v0.5.6, this limit defaults to 100.
For v0.6.0, the only allowed value will be 0 (UIDPlusData will be removed from v0.6).
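Why a size limit on the expanded UID set closes the hole described here and in the v0.5.6 notes above, as an added example that is not net-imap's parser: the set is kept as ranges, its size is computed arithmetically, and integers are allocated only under the limit. All method, class and constant names are hypothetical and both inputs are constructed.

```ruby
# Added illustration (not net-imap code): bound a uid-set before expanding it.
# All names below are hypothetical.
class UidSetTooLarge < StandardError; end

UID_MAX = 2**32 - 1 # IMAP UIDs are non-zero unsigned 32-bit integers

# Parse "304,319:320" into Ranges without allocating one Integer per UID.
def parse_uid_set(str)
  str.split(",", -1).map do |part|
    m = /\A([1-9]\d*)(?::([1-9]\d*))?\z/.match(part)
    raise ArgumentError, "invalid uid-set entry: #{part.inspect}" unless m
    # "a:b" covers everything between the two values, whichever is larger.
    first, last = [m[1].to_i, (m[2] || m[1]).to_i].minmax
    raise ArgumentError, "uid out of range: #{part.inspect}" if last > UID_MAX
    first..last
  end
end

# Range#size on integer bounds is arithmetic: nothing is enumerated.
# Overlapping ranges are counted twice, so this is an upper bound.
def uid_set_size(ranges)
  ranges.sum(&:size)
end

# Expand to an Array of Integers only when the total is within max_size.
def expand_uid_set(str, max_size:)
  ranges = parse_uid_set(str)
  size = uid_set_size(ranges)
  if size > max_size
    raise UidSetTooLarge, "uid-set has #{size} members (limit #{max_size})"
  end
  ranges.flat_map(&:to_a)
end

# Constructed inputs: an ordinary set and one range spanning every valid UID.
BENIGN  = "304,319:320"
HOSTILE = "1:4294967295"
```

Twelve bytes of input in HOSTILE describe more than four billion integers, which is why the check has to run before any expansion.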

Please Note: unhandled responses

If the client does not add response handlers to prune unhandled responses, a malicious server can still eventually exhaust all client memory, by repeatedly sending malicious responses. However, net-imap has always retained unhandled responses, and it has always been necessary for long-lived connections to prune these responses. This is not significantly different from connecting to a trusted server with a long-lived connection. To limit the maximum number of retained responses, a simple handler might look something like the following:

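limit = 1000
imap.add_response_handler do |resp|
  # Skip anything that lacks a name or data.
  next unless resp.respond_to?(:name) && resp.respond_to?(:data)
  name = resp.name
  # A response code, when present, is retained under its own name.
  code = resp.data.code&.name if resp.data.is_a?(Net::IMAP::ResponseText)
  # Keep only the newest `limit` entries for each type.
  imap.responses(name) { _1.slice!(0...-limit) }
  # code is nil when the response carries no response code.
  imap.responses(code) { _1.slice!(0...-limit) } if code
end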

Added

  • 🔧 ResponseParser config is mutable and non-global (backports #381) by @nevans in #382
  • ✨ SequenceSet ordered entries methods (backports to v0.4-stable) by @nevans in #402
    Backports the following:
    • ✨ Add SequenceSet methods for querying about duplicates by @nevans in #384
    • ✨ Add SequenceSet#each_ordered_number by @nevans in #386
    • ✨ Add SequenceSet#find_ordered_index by @nevans in #396
    • ✨ Add SequenceSet#ordered_at by @nevans in #397
  • ✨ Backport UIDPlusData, AppendUIDData, CopyUIDData to v0.4 by @nevans in #404
    Backports the following:
    • ✨ Add AppendUIDData and CopyUIDData classes by @nevans in #400
    • 🔧 Add parser config for APPENDUID/COPYUID, 🗑️ Deprecate UIDPlusData by @nevans in #401

Fixed

  • 🐛 Backport SequenceSet bugfixes (#376, #377) to v0.4 by @nevans in #378
    Backports the following:
    • 🐛 Fix SequenceSet#append when its @string is nil by @nevans in #376
    • 🐛 Fix SequenceSet merging in another SequenceSet by @nevans in #377
  • 🥅 Re-raise #starttls error from receiver thread (backport #395 to v0.4) by @nevans in #403

Full Changelog: v0.4.18...v0.4.19