Pending RELEASE-NOTES for the upcoming release

This is work in progress and seeing changes before the release goes public on 2026-03-11.

Changes:

• BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026
• cmake: add `CURL_BUILD_EVERYTHING` option
• mqtt: initial support for MQTTS
• tool: support fractions for --limit-rate and --max-filesize
• tool_cb_hdr: with -J, use the redirect name as a backup
• vquic: drop support for OpenSSL-QUIC
• windows: add build option to use the native CA store
• windows: bump minimum to Vista (from XP)

Bugfixes:

• altsvc: only accept 17 byte dates from files
• asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails
• build: add missing `GENERATEDCERTS` files
• build: adjust minimum version for some clang picky warnings
• build: check `MSG_NOSIGNAL` directly, drop detection and interim macro
• build: constify `memchr()`/`strchr()`/etc result variables (cont.)
• build: detect and include `inttypes.h` again
• build: do not include wolfSSL header in `curl_setup.h`
• build: drop duplicate C includes
• build: drop global suppression of `-Wformat-nonliteral`, fix fallouts
• build: fix `-Wunused-macros` warnings, and related tidy-ups
• build: fix building rare combinations
• build: fully omit verbose strings and code when disabled
• build: globally suppress DJGPP warnings in `FD_SET()`
• build: merge TrackMemory (`CURLDEBUG`) into debug-enabled option
• build: move curl stat struct type to the curlx namespace
• build: opt-in MSVC to C99-style verbose logging logic
• build: require POSIX `strdup()`
• build: tidy up and dedupe `strdup` functions
• cf-socket: use SOCK_CLOEXEC in socket_open when available
• checksrc-all.pl: skip non-repository files
• checksrc: do not apply `BANNEDFUNC` to struct member functions
• checksrc: warn for leading spaces before the preprocessor hash
• clang-tidy: add missing and delete redundant parentheses
• clang-tidy: add more missing parentheses in macro values
• clang-tidy: avoid/silence `bugprone-not-null-terminated-result`
• clang-tidy: check `bugprone-macro-parentheses`, fix fallouts
• clang-tidy: drop redundant conditions reported by `misc-redundant-expression`
• clang-tidy: enable `bugprone-signed-char-misuse`, fix fallouts
• clang-tidy: enable more checks
• clang-tidy: enable scanning headers
• cmake/FindMbedTLS: add workaround for missing static MSVC `mbedcrypto.lib` 4.0.0
• cmake: add `CURL_DROP_UNUSED` option to reduce binary sizes
• cmake: add native clang-tidy support for tests, with concatenated sources
• cmake: always build curlu and curltool test libs in unity mode
• cmake: always define `CURL::win32_winsock` on Windows in `curl-config.cmake`
• cmake: enable binutils ld workaround for all toolchains at build-time
• cmake: fix confusing error when a dependency is undetected in `curl-config.cmake`
• cmake: fix logic for openssl/zlib binutils ld workaround
• cmake: fix passing system header directories to clang-tidy for tests
• cmake: minor fixes to test targets after prev
• cmake: normalize uppercase hex winver (for display)
• cmake: omit `curl.rc` from curltool lib
• cmake: reference OpenSSL and ZLIB imported targets only when enabled
• cmake: replace internal option with a new `tt` (test tools) target
• cmake: silence potential unused var warnings in C++ test snippet
• cmake: silence silly Apple clang warnings in C89 mode, test in CI
• cmake: silence useless compiler warnings triggered by the FASTBuild generator
• cmake: skip binutils ld hack if zlib/openssl target is not `IMPORTED`
• cmake: warn for invalid `CURL_TARGET_WINDOWS_VERSION` values
• cmke: add `*_USE_STATIC_LIBS` options for 9 dependencies
• config-plan9: set `HAVE_STDINT_H` again
• config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST
• config2setopts: fix for --disable-aws build configuration
• curl: add -I and -i to -h important
• curl: limit Windows-specific code to Windows builds, other tidy-ups
• curl_easy_nextheader.md: a new transfer invalidates 'prev'
• curl_get_line: drop single-use macro
• curl_multi_perform.md: resolve inconsistency
• curl_ntlm_core: merge two `#if` blocks
• curl_setup.h: drop extra header guard for internal include
• curl_setup.h: merge back single-use internal header `curl_setup_once.h`
• curl_setup.h: simplify curl memory macro mappings
• curl_setup_once: allow CURL_DEBUGASSERT for customization
• CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md: fix available protocols
• curlx: drop unused `curlx_saferealloc()`
• digest: escape double quotes and backslashes in realm and nonce
• digest: handle quotes in the path
• docs/INSTALL: update configure details
• docs/libcurl: unify WARNING use
• docs: add LibreELEC to DISTROS.md
• docs: add reproducible example for generating man page
• docs: clarify --ipv4 and --ipv6
• docs: document the need for a 64-bit type and stdint.h
• docs: explicitly call out Slowloris as not a security flaw
• docs: fix grammar nitpicks
• docs: reword explanation of --variable option
• docs: use dot instead of comma at end of sentences
• easy: reset errorbuf on eyeballing success
• easy: reset pausing when resetting request
• examples/usercertinmem: use modern OpenSSL API, drop mentions of RSA
• examples: omit forward declarations, apply misc fixes
• fopen.h: simplify curl memory macro mappings
• ftp: replace a `curlx_free()` with `curlx_dyn_free()`
• ftp: split ftp_state_use_port into sub functions
• GOVERNANCE.md: Post-Daniel BDFL
• gss: exclude verbose error logic from non-verbose builds
• h2+h3: align stream close handling
• hostip.c: fix leak of addrinfo
• hostip6: remove debug-only code
• hostip: fix unreachable code in rare build configuration
• http/3: add description for known server error codes
• http_aws_sigv4: fix query normalization of %2b
• imap: add a check for Curl_meta_get()
• imap: check `imap_sendf()` printf masks at compile-time
• imap: skip literals inside quoted strings
• include: avoid recursive macros
• include: mask computed auth/proto bitmasks to 32 bits
• INSTALL-CMAKE.md: document Apple framework options
• INSTALL.md: suggest `-Wl,-dead_strip` for Apple targets
• KNOWN_BUGS.md: absolute Unix domain filename for SOCKS on Windows
• ldap: silence potential unused variable warning (OS400)
• lib: delete unused local includes
• lib: disable websockets early if no http
• lib: make sigpipe handling more lazy
• lib: reorder protocol functions to avoid forward declarations (email)
• lib: reorder protocol functions to avoid forward declarations (ftp)
• lib: reorder protocol functions to avoid forward declarations (misc cont.)
• lib: reorder protocol functions to avoid forward declarations (misc)
• lib: reorder protocol functions to avoid forward declarations (ssh)
• lib: separate scheme info from protocol implementation
• lib: skip compiling code with features disabled
• lib: use (u)int64_t instead of long long
• libcurl docs: reduce 'since ...' in descriptions
• libcurl-security.md: fix typos and add a point about URLs
• libtests: drop two redundant `memset()`s
• Makefile.am: delete RPM targets referencing non-existent files
• Makefile.am: drop stray VC project files from dist
• managen: silence Perl warnings
• mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
• mbedtls: remove newline from failf() call
• mbedtls: split mbed_connect_step1 into sub functions
• md4, md5: drop redundant forward declarations
• md4, md5: replace custom types with `uint32_t`
• memdebug: include `backtrace.h` as system header
• mime: drop fallback for unused `R_OK` macro
• mimepost: allocate main struct on-demand
• mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos
• mod_curltest: silence unused argument compiler warning
• mprintf: drop old sprintf fallback
• mprintf: rename internal enum to avoid collision with AmigaOS symbol
• mqtt: better too-big-message-check
• mqtt: verify Remaining Length for CONNACK and PUBACK
• msvc: drop exception, make `BIT()` a bitfield with Visual Studio
• msvc: VS2026: unlock picky warning in cmake, test in CI
• multi: avoid a theoretical 32-bit wrap
• multi: probe for IPv6 functionality in multi_init()
• multi: split multi_runsingle into sub functions
• multi: update timer unconditionally in multi_remove_handle
• ngtcp2: stabilize recv
• noproxy: simplify, don't mix const non-const in strchr()
• openldap: avoid forward declarations in ldaps code
• OpenSSL: check reuse of sessions for verify status
• openssl: disable local keylog feature if built-in upstream
• openssl: fix compiler warning with OpenSSL master
• openssl: fix potential NULL dereference when loading certs (Windows)
• openssl: fix potential OOB read in debug/verbose logging
• plan9: drop special build and orphaned references
• pytest: remove 03_02
• ratelimit: download finetune
• request.h: rename parameter 'buf' to 'req' in Curl_req_send
• REUSE: drop broken reference to `MAIL-ETIQUETTE`
• rtsp: fix assertion failure on zero-length RTP payload
• rtspd: fix to check `realloc()` result
• runtests: pass config filename to stunnel in native format (Windows)
• schannel: refactor: reduce variable scopes, fix comment, fix indent
• send: drop `CURL_UNCONST()` from buffer argument on most platforms
• setopt: fix checking range for CURLOPT_MAXCONNECTS
• setopt: refuse blobs with zero length
• setup-os400.h: drop no longer used custom type `u_int32_t`
• sigpipe: unset SA_SIGINFO since it is using sa_handler
• silent.md: also mention it shuts off warning messages
• smb: include arpa/inet.h for NonStop
• socket: check result of SO_NOSIGPIPE
• socketpair: set SO_NOSIGPIPE where possible
• src: simplify declaring `curl_ca_embed`
• ssh: dedupe state change function
• sws: prevent "connection monitor" to say disconnect twice
• tests/server/sockfilt: avoid possible endless loop on Windows
• tests/server: fix to clear the complete `srvr_sockaddr_union_t` variable
• tests/server: tidy-up error messages (Windows)
• tests: avoid assignment in `if` conditions in `first.h`
• tests: convert base64 data to %b64[]
• tftp: correct the filename length check
• timeout handling: auto-detect effective timeout
• tls: add new SSLSUPP flags for several options
• tls: remove checks for DEFAULT
• tool: enable header separation for HTTPS proxies
• tool: improve config error messaging
• tool: improve error/warning messages when output filename sanitization fails
• tool: rename curl handle and result variable in `--libcurl`-generated code
• tool: return code variable consistency
• tool_cb_hdr: suppress header output when --out-null
• tool_cb_prg: drop duplicate preprocessor logic
• tool_dirhie: drop superfluous `F_OK` fallback (Windows)
• tool_doswin: avoid Windowsisms in socket code (cont.)
• tool_doswin: avoid Windowsisms in socket code
• tool_doswin: document `ENABLE_VIRTUAL_TERMINAL_PROCESSING` toolchain support
• tool_getparam: avoid `-Wcomma` with Apple clang in C89 mode
• tool_operate: remove 'else' for VMS
• typos: silence false positives found in C code
• unit3205: suppress two clang-tidy false positives
• URL-SYNTAX.md: fix port number mistakes for IMAP and LDAP
• url.c: code/comment cleanup around conn creation
• url.h: fix `-Wdocumentation`
• url: fix reuse of connections using HTTP Negotiate
• urldata.h: remove two forward-declared structs not used
• urldata: change 'keep_post' into three distinct bitfields
• urldata: convert 'long' fields to fixed variable types
• urldata: switch to uint* types
• verbose.md: explain the { and } prefixes
• vquic: fix unused variable warning reported by clang-tidy
• vquic: handle SOCKEMSGSIZE correctly
• vtls: dedupe common on-session-reuse logic
• vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests
• VULN-DISCLOSURE-POLICY.md: push reports to the web form
• VULN-DISCLOSURE-POLICY.md: use hackerone
• winapi: use FormatMessageA instead of FormatMessageW
• windows: `USE_WINSOCK` to guard winsock2 code (where missing)
• windows: tidy up `wincrypt.h` / BoringSSL/AWS-LC coexist workaround
• wolfssl: fix build without USE_BIO_CHAIN
• ws/tftp: include header file even when protocol disabled

Contributors:

aisle-research-bot, Andrew Kvalheim, Anna Liberty, Arnav Purushotam, Arnav-Purushotam-CUBoulder, Augment code, Billy O'Neal, calm329, Christian Schmitz, Christian Schmitza, cooldadpresident on github, Dag Haavi Finstad, dahmono on github, Dan Fandrich, Daniel Gustafsson, Daniel Lublin, Daniel Stenberg, Daniil Gentili, David Korczynski, dEajL3kA, dependabot[bot], Diogo Correia, Frank Buss, gudyuu on hackerone, Hamza Bensliman, Itay Bookstein, Jacek Migacz, James Fuller, Jan Macku, jhauga, Joshua Vandaële, Juan Belon, Kai Pastor, Maksim Ściepanienka, Marcel Raad, Megamouse on github, Michał Antoniak, Natris on github, nono303 on github, Nuno Goncalves, Patrick Monnerat, Paul Howarth, programmerlexi on github, Randall S. Becker, Ray Satiro, renovate[bot], Rudi Heitbaum, sammydono on github, Samuel Henrique, Sascha Frinken, Spenser Black, Stefan Eissing, tawmoto on github, Tenant HellTower, Thibault de Villèle, Tim Friedrich Brüggemann, Tomáš Malý, tommy, Val S., Viktor Szakats, Wyuer on github, z2_, Zhicheng Chen, Йоте