Prerelease-Alpha

Release created at Thu May 15 15:03:38 CST 2025
Synchronize Alpha branch code updates, keeping only the latest version


我应该下载哪个文件? / Which file should I download?
二进制文件筛选 / Binary file selector
查看文档 / Docs

v1.19.8

What's Changed

• For security reasons, the "path" parameter of /configs in the restful api has been restricted, and its directory also needs to be in workdir or SAFE_PATHS.
• Other incompatible updates are the same as v1.19.6:

• For security reasons, all paths appearing in the configuration file will be limited to workdir (regardless of whether they are relative or absolute). If there is a specific need, please specify additional safe paths by setting the SAFE_PATHS environment variable while ensuring safety. The syntax of this environment variable is the same as the PATH environment variable parsing rules of this operating system (i.e., semicolon-separated under Windows and colon-separated under other systems)
• In addition, support for specifying routing-mark and interface-name for proxy-groups has been removed. Please specify the relevant parameters in proxies directly.

• Note: The workdir mentioned above is specified by the -d parameter when the program is started or the CLASH_HOME_DIR environment variable. If neither of the above is specified, the default is:
  • on Unix systems, $HOME/.config/mihomo.
  • on Windows, %USERPROFILE%/.config/mihomo.

BUG & Fix

• 6e35cf9 fix: truncated UDP response in system dns #2031 by @wwqgtxx

Maintenance

• 2116640 chore: the updateConfigs api also adds a check for SAFE_PATHS by @wwqgtxx
• 23e2d3a chore: rebuild provider load by @wwqgtxx
• 266fb03 chore: update dependencies by @wwqgtxx
• 76e9607 chore: move start healthcheck.process() from New to Initial in provider avoid panic cause by build-in proxy have not set to tunnel by @wwqgtxx

Full Changelog: v1.19.7...v1.19.8

v1.19.7

What's Changed

• The incompatible updates of the restful api not mentioned in the previous version of the changelog have been rolled back, solving the problem that the related gui cannot refresh the configuration
• Note that for security reasons, we are currently planning to restrict the "path" parameter of /configs in restful api in the next version, and its directory also needs to be in SAFE_PATHS or workdir. It is recommended that downstream clients adapt to this change in advance. (This change has been applied to alpha version 2116640)
• Other incompatible updates are the same as v1.19.6:

• For security reasons, all paths appearing in the configuration file will be limited to workdir (regardless of whether they are relative or absolute). If there is a specific need, please specify additional safe paths by setting the SAFE_PATHS environment variable while ensuring safety. The syntax of this environment variable is the same as the PATH environment variable parsing rules of this operating system (i.e., semicolon-separated under Windows and colon-separated under other systems)
• In addition, support for specifying routing-mark and interface-name for proxy-groups has been removed. Please specify the relevant parameters in proxies directly.

BUG & Fix

• d22a893 fix: hysteria server port hopping compatibility issues by @wwqgtxx

Maintenance

• 00cceba docs: update config.yaml follow 7e7016b (#2022) by @muink
• a4fcd3a chore: rollback incompatible changes to updateConfigs api by @wwqgtxx

Full Changelog: v1.19.6...v1.19.7

v1.19.6

Incompatible changes:

• For security reasons, all paths appearing in the configuration file will be limited to workdir (regardless of whether they are relative or absolute). If there is a specific need, please specify additional safe paths by setting the SAFE_PATHS environment variable while ensuring safety. The syntax of this environment variable is the same as the PATH environment variable parsing rules of this operating system (i.e., semicolon-separated under Windows and colon-separated under other systems)
• In addition, support for specifying routing-mark and interface-name for proxy-groups has been removed. Please specify the relevant parameters in proxies directly.

What's Changed

• 5c40a63 feat: not inline rule-provider can also set payload as fallback rules when file/http parsing fails by @wwqgtxx
• 99aa1b0 feat: inbound support shadow-tls by @wwqgtxx
• f328203 feat: not inline proxy-provider can also set payload as fallback proxies when file/http parsing fails by @wwqgtxx

BUG & Fix

• 2b4726b fix: build on go1.24.3 golang/go#73617 by @wwqgtxx
• 2fb9331 fix: some resources are not released in listener by @wwqgtxx
• 468cfc3 fix: set sni to servername if not specified for trojan outbound (#1991) by @WeidiDeng
• 48d8efb fix: do NOT reset the quic-go internal state when only port is different by @wwqgtxx
• 52ad793 fix: shadowtls v1 not work by @wwqgtxx
• 61d6a9a fix: fetcher does not start the pull loop when local file parsing errors occur and the first remote update fails by @wwqgtxx
• 7de4af2 fix: shadowtls test by @wwqgtxx
• 86c127d fix: missing read waiter for cancelers by @wwqgtxx
• e6e7aa5 fix: alpn apply on shadowtls by @wwqgtxx
• f774276 fix: ensure wait group completes by @Larvan2
• febb602 fix: hysteria2 inbound not set UDPTimeout by @wwqgtxx

Maintenance

• 26e6d83 chore: make select display the specified testUrl for #2013 by @xishang0128
• 4ecb49b chore: dynamic fetch remoteAddr in hysteria2 service by @wwqgtxx
• 50d7834 chore: change the separator of the SAFE_PATHS environment variable to the default separator of the operating system platform (i.e., ; in Windows and : in other systems) by @wwqgtxx
• 791ea5e chore: allow setting addition safePaths by environment variable SAFE_PATHS package managers can allow for pre-defined safe paths without disabling the entire security check feature for #2004 by @wwqgtxx
• 793ce45 chore: update quic-go to 0.51.0 by @wwqgtxx
• 7e7016b chore: removed routing-mark and interface-name of the group, please set it directly on the proxy instead by @wwqgtxx
• 936df90 chore: update dependencies by @wwqgtxx
• 9e57b29 chore: update dependencies by @wwqgtxx
• a013ac3 chore: give better error messages for some stupid config files by @wwqgtxx
• aa51b9f chore: replace using internal batch package to x/sync/errgroup by @wwqgtxx
• b4fe669 chore: better path checks by @wwqgtxx
• c2301f6 chore: rebuild fingerprint and keypair handle by @wwqgtxx
• cad26ac chore: fetcher will change duration to achieve fast retry when the update failed with a 2x factor step from 1s to interval by @wwqgtxx
• d55b047 chore: ignore interfaces not with FlagUp in local interface finding by @wwqgtxx
• ee5d77c chore: cleanup tls clientFingerprint code by @wwqgtxx

Full Changelog: v1.19.5...v1.19.6

v1.19.5

What's Changed

• 2a40eba feat: tun add exclude-src-port,exclude-src-port-range,exclude-dst-port and exclude-dst-port-range on linux by @wwqgtxx
• a22efd5 feat: add exclude port and exclude port range options (#1951) by @okhowang

BUG & Fix

• 09c7ee0 fix: grpc server panic by @wwqgtxx
• 190047c fix: grpc transport not apply dial timeout by @wwqgtxx
• 24a9ff6 fix: disallow dialFunc be called after grpc transport has be closed by @wwqgtxx
• 2acb0b7 fix: tun IncludeInterface/ExcludeInterface priority by @wwqgtxx
• 323973f fix: converter judgment conditions by @wwqgtxx
• 3d2cb99 fix: grpc outbound not apply ca fingerprint by @wwqgtxx
• 487d7fa fix: panic under some stupid input config by @wwqgtxx
• 55cbbf7 fix: singledo test by @wwqgtxx
• 577f64a fix: X25519MLKEM768 does not work properly with reality by @wwqgtxx
• 664b134 fix: websocket data losing by @wwqgtxx
• 76052b5 fix: grpc in trojan not apply client-fingerprint by @wwqgtxx
• 7a260f7 fix: udp dial support ip4p (#1377) by @HiMetre
• 7b37fcf fix: auto_redirect should only hijack DNS requests from local addresses by @wwqgtxx
• 7de24e2 fix: StreamGunWithConn not synchronously close the incoming net.Conn by @wwqgtxx
• 7f1225b fix: grpc transport can't be closed by @wwqgtxx
• 8752f80 fix: anytls stream read error (#1970) by @anytls
• 9e0889c fix: observable test by @wwqgtxx
• a75e570 fix: vision conn read short buffer error by @wwqgtxx
• b0bd4f4 fix: resources not released when hysteria2 verification failed by @wwqgtxx
• b21b8ee fix: panic in ssr packet by @wwqgtxx
• b5fcd1d fix: chacha8-ietf-poly1305 not work by @wwqgtxx
• bad61f9 fix: avoid panic in inbound test by @wwqgtxx
• daa592c fix: converter panic by @wwqgtxx
• dbb5b7d fix: SetupContextForConn should return context error to user by @wwqgtxx
• dcb20e2 fix: websocket server upgrade in golang1.20 by @wwqgtxx
• e81f3a9 fix: correctly implement references to proxies by @wwqgtxx
• e8af058 fix: websocketWithEarlyDataConn can't close underlay conn when is dialing or not dialed by @wwqgtxx
• eaaccff fix: race in Single.Do by @wwqgtxx
• efa2243 fix: shut it down more aggressively in grpc transport closing by @wwqgtxx

Maintenance

• 237e2ed chore: tun will add firewall rule for Profile ALL on windows system stack by @wwqgtxx
• 23ffe45 chore: using http/httptrace to get local/remoteAddr for grpc client by @wwqgtxx
• 30d90d4 chore: update option checks to use IsZeroOptions by @wwqgtxx
• 345d3d7 chore: add inbound test for anytls by @wwqgtxx
• 39d6a0d chore: update utls to 1.7.0 by @wwqgtxx
• 3d806b5 chore: add inbound test for shadowsocks/trojan by @wwqgtxx
• 4b15568 chore: cleanup metadata code by @wwqgtxx
• 619c9dc chore: apply the default interface/mark of the dialer in the final stage by @wwqgtxx
• 622d99d chore: rebuild outdated proxy auto close mechanism by @wwqgtxx
• 6236cb1 chore: cleanup trojan code by @wwqgtxx
• 63e66f4 chore: cleanup trojan code by @wwqgtxx
• 69ce4d0 chore: speed up inbound test by @wwqgtxx
• 7551c8a chore: remove unneed code by @wwqgtxx
• 7d7f5c8 chore: add inbound test for tuic by @wwqgtxx
• 8085c68 chore: decrease direct using *net.TCPConn by @wwqgtxx
• 84cd0ef chore: remove internal crypto/tls fork in shadowtls by @wwqgtxx
• 8fa4e81 chore: remove internal crypto/tls fork in reality server by @wwqgtxx
• 9e8f4ad chore: better addr parsing by @wwqgtxx
• a6c0c02 chore: ignore interfaces not in IfOperStatusUp when fetch system dns server on windows by @wwqgtxx
• b2d2890 chore: cleanup resolveUDPAddr code by @wwqgtxx
• b59f11f chore: add singMux inbound test for shadowsocks/trojan/vless/vmess by @wwqgtxx
• ba3c44a chore: code cleanup by @wwqgtxx
• bfd06eb chore: rebuild SetupContextForConn with context.AfterFunc by @wwqgtxx
• cac2bf7 chore: cleanup netip code by @wwqgtxx
• cedb36d chore: using SetupContextForConn to reduce the DialContext cannot be cancelled by @wwqgtxx
• d0d0c39 chore: add inbound test for vmess/vless by @wwqgtxx
• d5243ad chore: better global-client-fingerprint handle by @wwqgtxx
• e79465d chore: add inbound test for hysteria2 by @wwqgtxx
• fe01033 chore: quic sniffer should use the exact length of crypto stream when assembling by @wwqgtxx
• feee9b3 chore: remove unneeded tls timeout in anytls by @wwqgtxx

Full Changelog: v1.19.4...v1.19.5

v1.19.4

What's Changed

• 0f32c05 feat: support UDP over TCP in mieru (#1926) by @enfein
• 801f3c3 feat: support sniff quic fragment data (#1899) by @5aaee9
• ff89bf0 feat: add gost-plugin in which only ws and mws are currently supported. (#1896) by @cesaryuan

BUG & Fix

• 025ff19 fix: wrong conditional judgment in removeExtraHTTPHostPort #1939 by @wwqgtxx
• 4f8b70c fix: buffer in tproxy not recycle (#1923) by @5aaee9
• 7c444a9 fix: correctly handle ipv6 zone by @wwqgtxx
• c0de3c0 fix: some default value in dialer not restore in tun when config reload by @wwqgtxx
• dee5898 fix: memory leak due to unclosed session (#1908) by @cesaryuan
• e3d4ec2 fix: race at interfaceName setting by @wwqgtxx

Maintenance

• 00e6466 chore: update checksum generation step by @Skyxim
• 070eb31 chore: speedup system stack in tun by @wwqgtxx
• 0ed159e chore: code cleanup by @wwqgtxx
• 14217e7 chore: update service capabilities to include CAP_SYS_TIME and CAP_DAC_OVERRIDE by @xishang0128
• 1e22f4d chore: reduce data copying in quic sniffer and better handle data fragmentation and overlap by @wwqgtxx
• 4bd3ae5 chore: dialer will consider the routing of the local interface when auto-detect-interface in tun is enabled for #1881 #1819 by @wwqgtxx
• 68abb13 chore: support longest-prefix matches in local interface finding by @wwqgtxx
• 7b38261 chore: update gvisor by @wwqgtxx
• 7ff046a chore: modify UDPSniff's function signature to prepare for its ability to handle multiple packets. by @wwqgtxx
• a7a796b chore: cleanup quic sniff's code by @wwqgtxx
• c94b442 chore: add checksum generation for production artifacts by @Skyxim
• dcef787 chore: update utls by @wwqgtxx
• f318b80 chore: better cache implement for group's getProxies by @wwqgtxx
• f615346 chore: anytls protocol version 2 (#1936) by @anytls

Full Changelog: v1.19.3...v1.19.4

v1.19.3

What's Changed

• 136d114 feat: socks5/http/mixed inbound support setting tls in listeners by @wwqgtxx
• 1dc4155 feat: inbound's port can use ports format by @wwqgtxx
• 8d783c6 feat: inbound support grpc(lite) by @wwqgtxx
• 91324b7 feat: inbound support trojan by @wwqgtxx
• 9962a0d feat: implement anytls client and server (#1844) by @anytls

BUG & Fix

• 05e8f13 fix: integer overflow in ports iteration by @wwqgtxx
• 1213023 fix: reality not work with vmess+grpc outbound by @wwqgtxx
• 3b40bf7 fix: grpc server's ALPN order by @wwqgtxx
• 8bc6f77 fix DEB packaging (#1868) by @forestl
• 938ab7f fix: syscall packet read waiter for windows by @wwqgtxx
• a00f4f1 fix: vless inbound allow not use flow when request send empty flow by @wwqgtxx
• a7e56f1 fix: anytls client close (#1871) by @anytls
• d1d846f fix: s390x golang1.24 build by @wwqgtxx
• d81c19a fix: grpc server panic by @wwqgtxx
• dc1145a fix: anytls padding send (#1848) by @anytls

Maintenance

• 06b9e6c chore: update dependencies by @wwqgtxx
• 3cc67fd chore: update golang to 1.24 by @wwqgtxx
• 447c416 chore: update quic-go to 0.49.0 by @wwqgtxx
• 5830afc chore: add MinIdleSession option to AnyTLS configuration by @Larvan2
• 808fdcf chore: code cleanup by @wwqgtxx
• 9074b78 chore(dns): increase MaxConnsPerHost (#1834) by @5aaee9
• b151e7d chore: support fingerprint for anytls by @wwqgtxx
• e2140e6 chore: update anytls (#1863) by @anytls
• e23f40a chore: tradition shadowsocks server could handle smux by @wwqgtxx
• e2b75b3 chore: update anytls (#1851) by @anytls
• eaaccbc chore: update dependencies by @wwqgtxx
• ef29e45 chore: complete classical rule parse error log (#1839) by @forestl

Full Changelog: v1.19.2...v1.19.3

v1.19.2

What's Changed

• ccc3f84 license: any downstream projects not affiliated with MetaCubeX shall not contain the word mihomo in their names
• 0ac6c3b feat: inbound support vless by @wwqgtxx
• fc23318 feat: add receive window config for hy2 #1796 by @wwqgtxx

BUG & Fix

• 49d54cc fix: remote conn statistic error (#1776) by @J.K.SAGE
• 56c1288 fix: empty proxy provider subscription info not omitted (#1759) by @mossia
• 9c73b5b fix: the trustcerts not add to globalCerts after ca.ResetCertificate (#1801) support PEM format for custom-certificates too by @wwqgtxx
• c7661d7 fix: initialize error message with cipher (#1760) by @lucidhz

Maintenance

• 0a5ea37 chore: update dependencies by @wwqgtxx
• 192d769 chore: ensure forced domains are always sniffed (#1793) by @tnextday
• 9bfb10d chore: extracting compressed files to correct location (#1823) by @forestl
• a440f64 chore: alignment capability for vmess inbound by @wwqgtxx
• b69e52d chore: deprecated routing-mark and interface-name of the group, please set it directly on the proxy instead by @wwqgtxx
• c99c71a chore: listening tcp together for dns server (#1792) by @wwqgtxx
• f4806b4 chore: update mieru version (#1762) by @enfein

Full Changelog: v1.19.1...v1.19.2

v1.19.1

What's Changed

• 72a126e feat: support inline proxy provider by @wwqgtxx
• bb80324 feat: support inline rule provider (#1731) by @qianlongzt
• f3a43fe feat: support read config file from stdin via -f - by @wwqgtxx

BUG & Fix

• 3f6823b fix: handle invalid values in Decoder's decode method by @wwqgtxx
• 5d9d8f4 fix: check whether the dst port is within the specified range (#1706) by @laburaps
• a9ce5da fix: key missing for tun inbound #1672 by @wwqgtxx
• c7fc93d fix: the TLS Sniffer fails when the length of the ClientHello packet exceeds the TCP MSS (#1711) by @laburaps

Maintenance

• 1c5f4a3 chore: update dependencies by @wwqgtxx
• 20739f5 chore: code cleanup by @wwqgtxx
• 269c525 chore: update gopsutil to v4 by @wwqgtxx
• 301c78f chore: update sing-tun to v0.4.5 by @wwqgtxx
• 368b1e1 chore: rollback tfo-go version by @wwqgtxx
• 5a9ad0e chore: code cleanup by @wwqgtxx
• 89dfabe chore: align time fields in logs (#1704) by @valord577
• 9a95920 chore: support config multiplexing of mieru by @wwqgtxx
• c786b72 chore: update dependencies by @wwqgtxx
• cd23112 chore: remove gRPC dependency from mieru (#1705) by @enfein

Full Changelog: v1.19.0...v1.19.1

v1.19.0

What's Changed

• 613becd feat: support mieru protocol (#1702) by @enfein
• fbead56 feat: add size-limit for provider #1645 by @wwqgtxx

BUG & Fix

• 5a24efd fix: DisableKeepAlive default value of android (#1690) by @forestl
• 792f162 fix: find process panic by @Larvan2
• 80e4eaa fix: process IPv6 Link-Local address (#1657) by @wwqgtxx
• 91d54bd fix: android tun start error by @wwqgtxx
• 9de9f1e fix: don't panic when listen on localhost #1655 by @wwqgtxx

Maintenance

• 1fff34d chore: update quic-go to 0.48.2 by @wwqgtxx
• 215bf09 chore: switch syscall.SyscallN back to syscall.Syscall6 Until the current version, SyscallN always escapes the variadic argument by @wwqgtxx
• 4623435 chore: update sing-tun to v0.4.1 by @wwqgtxx
• 69454b0 chore: allow disabled overrideAndroidVPN by environment variable DISABLE_OVERRIDE_ANDROID_VPN by @wwqgtxx
• a35f712 chore: update gvisor by @wwqgtxx
• a86c562 chore: Increase support for other format of ASN by @xishang0128
• ce52c34 chore: cleaned up some confusing code by @wwqgtxx
• d4478db chore: reduce the performance overhead of not enabling LoopBackDetector by @wwqgtxx
• d6b496d chore: allow upgrade ui in embed mode (#1692) by @hingbong
• de19f92 chore: restful api display smux and mptcp by @chenx Dust
• e6d1c8c chore: update sing-tun to v0.4.0-rc.5 by @wwqgtxx
• eb985b0 chore: restful api displays more information by @xishang0128
• f805a9f chore: cleaned up some weird code by @wwqgtxx
• fabd216 chore: update quic-go to 0.48.1 by @wwqgtxx

Full Changelog: v1.18.10...v1.19.0