v0.3.9
Important
The 0.3.x release branch only receives security fixes, and will be unsupported when ruby 3.2 is EOL.
Please upgrade to a newer version.
What's Changed
🔒 Security
This release backports two features to prevent unbounded memory use: the response_handlers keyword argument to Net::IMAP.new so response handlers can be added before the server can send any responses (#438), and the max_response_size config attribute (#446, GHSA-j3g3-5qv5-52mj, CVE-2025-43857, reported by @Masamuneee).
Note
The default max_response_size is nil (unlimited), to avoid backward compatibility issues with secure connections to trusted servers that are well-behaved. It can be configured more conservatively to guard against untrusted servers (for example, connecting to user-provided hostnames). It is the responsibility of net-imap users to configure their client appropriately for the server they are connecting to.
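To show what a response size limit protects against, here is a simplified reader written for these notes; it is not net-imap's code. It assumes the oversized response arrives as an IMAP literal (`{n}` followed by CRLF, then n bytes) and checks the declared size before reading. The names `read_response`, `enforce_limit` and `ResponseTooLarge` and the sample responses are hypothetical.

```ruby
require "stringio"

CRLF = "\r\n"

# Hypothetical error class for this illustration.
class ResponseTooLarge < StandardError; end

def enforce_limit(bytes, max)
  return if max.nil? || bytes <= max # nil means unlimited, like the default
  raise ResponseTooLarge, "response of #{bytes} bytes exceeds limit of #{max}"
end

# Reads one response: lines ending in CRLF, joined by {n} literals.
def read_response(io, max_response_size: nil)
  buf = String.new
  loop do
    # Bound the line read too, so a line with no CRLF cannot grow forever.
    line = if max_response_size
             io.gets(CRLF, max_response_size - buf.bytesize + 1)
           else
             io.gets(CRLF)
           end
    raise EOFError, "stream ended mid-response" if line.nil?
    buf << line
    enforce_limit(buf.bytesize, max_response_size)
    raise EOFError, "stream ended mid-response" unless line.end_with?(CRLF)
    declared = line[/\{(\d+)\}\r\n\z/, 1]
    return buf if declared.nil? # no trailing literal: response is complete
    size = declared.to_i
    # Reject on the *declared* size, before any buffer is allocated for it.
    enforce_limit(buf.bytesize + size, max_response_size)
    data = io.read(size)
    raise EOFError, "stream ended mid-literal" if data.nil? || data.bytesize < size
    buf << data
  end
end

# Constructed sample responses (not captured from a real server).
OK_RESPONSE  = "* 1 FETCH (BODY[] {5}\r\nhello)\r\n"
BIG_RESPONSE = "* 1 FETCH (BODY[] {4294967295}\r\n" # declares ~4 GiB

if __FILE__ == $0
  puts read_response(StringIO.new(OK_RESPONSE), max_response_size: 1024).inspect
  begin
    read_response(StringIO.new(BIG_RESPONSE), max_response_size: 1024)
  rescue ResponseTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```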
Added
- ✨ Backport response_handlers option to new by @nevans in #438
- ✨ Limit max_response_size by @nevans in #446
  - Backports #444
Fixed
Documentation
Other Changes
Full Changelog: v0.3.8...v0.3.9