Pending RELEASE-NOTES for the upcoming release

This is work in progress and will change before the release goes public on 2025-09-10.

Changes:

• build: bump minimum required mingw-w64 to v3.0 (from v1.0)
• curl: add --follow
• curl: add --out-null
• curl: add --parallel-max-host to limit concurrent connections per host
• curl: make --retry-delay and --retry-max-time accept decimal seconds
• hostip: cache negative name resolves
• ip happy eyeballing: keep attempts running
• mbedtls: bump minimum version required to 3.2.0
• multi: add curl_multi_get_offt
• multi: add CURLMOPT_NETWORK_CHANGED to signal network changed
• netrc: use the NETRC environment variable (first) if set
• smtp: allow suffix behind a mail address for RFC 3461
• tls: make default TLS version be minimum 1.2
• tool_getparam: add support for `--longopt=value`
• vquic: drop msh3
• websocket: support CURLOPT_READFUNCTION
• writeout: add %time{}

Bugfixes:

• _PROTOCOLS.md: mention file:// is only for absolute paths
• acinclude: --with-ca-fallback only works with OpenSSL
• alpn: query filter
• ares: destroy channel on shutdown
• ares: use `ares_strerror()` to retrieve error messages
• asyn-thrdd: fix --disable-socketpair builds
• asyn-thrdd: fix Curl_async_pollset without socketpair
• asyn-thrdd: fix no `HAVE_GETADDRINFO` builds
• asyn-thrdd: manage DEFERRED and locks better
• BINDINGS.md: add LibQurl
• bufq: add integer overflow checks before chunk allocations
• bufq: removed "Useless Assignment"
• bufq: simplify condition
• build: allow libtests/clients to use libcurl dependencies directly
• build: disable `TCP_NODELAY` for emscripten
• build: enable _GNU_SOURCE on GNU/Hurd
• build: extend GNU C guards to clang where applicable, fix fallouts
• build: fix build errors/warnings in rare configurations
• build: fix disable-verbose
• build: fix mingw-w64 version guard for mingw32ce
• build: if no perl, fix to use the pre-built hugehelp, if present
• build: link to Apple frameworks required by static wolfSSL
• build: support LibreSSL native crypto lib with ngtcp2 1.15.0+
• build: tidy up compiler definition for tests
• cf-https-connect: delete unused declaration
• cmake: `CURL_CA_FALLBACK` only works with OpenSSL
• cmake: capitalize 'Rustls' in the config summary
• cmake: defer building `unitprotos.h` till a test target needs it
• cmake: define `WIN32_LEAN_AND_MEAN` for examples
• cmake: drop redundant unity mode for `curlinfo`
• cmake: enable `-Wall` for MSVC 1944
• cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
• cmake: fix to disable Schannel and SSPI for non-Windows targets
• cmake: fix to restrict `SystemConfiguration` to macOS
• cmake: honor `CMAKE_C_FLAGS` in test 1119 and 1167
• cmake: improve error message for invalid HTTP/3 MultiSSL configs
• cmake: keep websockets disabled if HTTP is disabled
• cmake: make `runtests` targets build the curl tool
• cmake: make the ExternalProject test work
• cmake: omit linking duplicate/unnecessary libs to tests & examples
• cmake: re-add simple test target, and name it `tests`
• cmake: set `CURL_DIRSUFFIX` automatically in multi-config builds
• CODE_STYLE: sync with recent `checksrc.pl` updates
• config-win32.h: do not use winsock2 `inet_ntop()`/`inet_pton()`
• configure: if no perl, disable unity and shell completion, related tidy ups
• configure: tidy up internal names in ngtcp2 ossl detection logic
• connectdata: remove primary+secondary ip_quadruple
• connection: terminate after goaway
• contrithanks: fix for BSD `sed` tool
• cookie: don't treat the leading slash as trailing
• cookie: remove expired cookies before listing
• curl-config: remove X prefix use
• curl/system.h: fix for GCC 3.3.x and older
• curl: make the URL indexes 64 bit
• curl: tool_read_cb fix of segfault
• curl_addrinfo: drop workaround for old-mingw
• curl_easy_ssls_export: make the example more clear
• curl_fnmatch, servers: drop local macros in favour of `sizeof()`
• curl_mime_data_cb.md: mention what datasize is for
• curl_ossl: extend callback table for nghttp3 1.11.0
• curl_setup.h: move UWP detection after `config-win32.h` (revert)
• curl_setup.h: move UWP detection after `config-win32.h`
• CURLOPT: bump `CURL_REDIR_*` macros to `long`
• CURLOPT: bump `CURL_SSLVERSION_*` macros to `long`
• CURLOPT: bump `CURLALTSVC_*` macros to `long`
• CURLOPT: bump `CURLFTP*` enums to `long`, drop casts
• CURLOPT: bump `CURLHEADER_*` macros to `long`, drop casts
• CURLOPT: bump `CURLPROTO_*` macros to `long`
• CURLOPT: bump `CURLPROXY_*` enums to `long`, drop casts
• CURLOPT: bump `CURLWS_NOAUTOPONG`, `CURLWS_RAW_MODE` macros to `long`
• CURLOPT: bump remaining macros to `long`
• CURLOPT: drop redundant `long` casts
• CURLOPT: replace `(long)` cast with `L` suffix for `CURLHSTS_*` macros
• CURLOPT_HTTP_VERSION: mention new default value
• CURLOPT_SSL_CTX_*: replace the base64 with XXXX
• delta: fix warnings, fix for non-GNU `date` tool
• DEPRECATE.md: drop support for Windows XP/2003
• DEPRECATE.md: remove leftover "nothing"
• DISTROS.md: add Haiku
• docs/cmdline-opts: the auth types are not mutually exclusive
• docs: add CURLOPT type change history, drop casts where present
• docs: fix link CONTRIBUTE.md link
• docs: fix name in curl_easy_ssls_export man page
• docs: point two broken links to archive.org
• doh: rename symbols to avoid collision with mingw-w64 headers
• easy handle: check validity on external calls
• examples: drop long cast for `CURLALTSVC_*`
• examples: make `CURLPIPE_MULTIPLEX` fallback `long`
• examples: remove base64 encoded chunks from examples
• examples: remove href_extractor.c
• ftp: store dir components as start+len instead of memdup'ing
• ftp: use 'conn' instead of 'data->conn'
• gnutls: fix building with older supported GnuTLS versions
• gnutls: some small cleanups
• hmac: return error if init fails
• hostip: do DNS cache pruning in milliseconds
• http: const up readonly H2_NON_FIELD
• http: silence `-Warray-bounds` with gcc 13+
• inet_pton, inet_ntop: drop declarations when unused
• lib1560: fix memory leak when run without UTF-8 support
• lib1560: replace an `int` with `bool`
• lib2700: use `testnum`
• lib517: use `LL` 64-bit literals & re-enable a test case (`time_t`)
• libcurl: reset rewind flag in curl_easy_reset()
• libssh: Use sftp_aio instead of sftp_async for sftp_recv
• libtests: update format strings to avoid casts, drop some macros
• libtests: use `FMT_SOCKET_T`, drop more casts
• managen: reset text mode at end of table marker
• mbedtls: check for feature macros instead of version
• mdlinkcheck: handle links with a leading slash properly
• memanalyze: fix warnings
• memory: make function overrides work reliably in unity builds
• multi event: remove only announced
• multi: don't insert a node into the splay tree twice
• multi: fix assert in multi_getsock()
• multi: fix bad splay management
• multi: process pending, one by one
• multi: replace remaining EXPIRE_RUN_NOW
• multissl: initialize when requesting a random number
• ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0
• ngtcp2: use custom mem funcs
• openssl: add and use `HAVE_BORINGSSL_LIKE` internal macro
• openssl: add and use `HAVE_OPENSSL3` internal macro
• openssl: assume `OPENSSL_VERSION_NUMBER`
• openssl: auto-pause on verify callback retry
• openssl: check SSL_write() length on retries
• openssl: clear errors after a failed `d2i_X509()`
• openssl: drop more legacy cruft
• openssl: drop redundant `HAVE_OPENSSL_VERSION` macro
• openssl: drop redundant version check
• openssl: drop single-use interim macro `USE_OPENSSL_SRP`
• openssl: enable `HAVE_KEYLOG_CALLBACK` for AWS-LC
• openssl: merge two `#if` blocks
• openssl: output unescaped utf8 x509 issuer/subject DNs
• openssl: remove legacy cruft, document macro guards
• openssl: save and restore OpenSSL error queue in two functions
• openssl: some small cleanups
• openssl: split cert_stuff into smaller sub functions
• openssl: sync an AWS-LC guard with BoringSSL
• openssl: use `RSA_flags()` again with BoringSSL
• parallel-max: bump the max value to 65535
• processhelp.pm: fix to use the correct null device on Windows
• processhelp.pm: use `Win32::Process*` perl modules if available
• projects: drop unused logic from `generate.bat`
• pytest: add SOCKS tests and scoring
• pytest: fix test_17_09_ssl_min_max for BoringSSL
• pytest: increase server KeepAliveTimeout
• pytest: relax error check on test_07_22
• resolving: dns error tracing
• runtests: assume `Time::HiRes`, drop Perl Win32 dependency
• runtests: replace `--ci` with `--buidinfo`, show OS/Perl version again
• runtests: show still running tests when nothing has happened for a while
• schannel: add an error message for client cert not found
• schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN`
• schannel: drop fallbacks for 4 macros
• schannel: drop fallbacks for unused `BCRYPT_*` macros
• schannel: drop old-mingw special case
• schannel: fix recent update for mingw32ce
• schannel: improve handshake procedure
• schannel: not supported with UWP, drop redundant code
• schannel: use if(result) like the code style says
• scripts: enable strict warnings in Perl where missing, fix fallouts
• scripts: fix two Perl uninitialized value warnings
• sendf: getting less data than "max allowed" is okay
• servers: convert two macros to scoped static const strings
• setopt: refactor out the booleans from setopt_long to setopt_bool
• setopt: split out cookielist() and cookiefile()
• socks: do_SOCKS5: Fix invalid buffer content on short send
• spacecheck.pl: when detecting unicode, mention line number
• spelling: file system
• test1148: drop redundant `LC_NUMBER=` env setting
• test1557: pass `long` type to `multi_setopt()`
• test1560: set locale/codeset with `LC_ALL` (was: `LANG`), test in CI
• test1560: skip some URLs if UTF-8 is not supported
• test1: raise alloc limits
• test428: re-enable for Windows
• test436: fix running on Windows with `_curlrc` present
• test: add `cygwin` feature and use it (test 1056, 1517)
• tests/ech_tests.sh: indent, if/for style, inline ifs
• tests: constify command-line arguments
• tests: delete unused commands
• tests: drop unused `BLANK` envs, unset `CURL_NOT_SET`
• tests: drop unused `CURL_FORCEHOST` envs
• tests: fix perl warnings in http2-server, http3-server
• tests: fix prechecks to call the bundle libtest tool
• tests: fix UTF-8 detection, per-test `LC_*` settings, CI coverage
• tests: merge clients into libtests, drop duplicate code
• tests: set `CURL_ENTROPY` per test, not globally
• tests: unset some envs instead of blanking them
• threaded-resolver: fix shutdown
• tidy-up: `Curl_thread_create()` callback return type
• tidy-up: move literal to the right side of comparisons
• tidy-up: prefer `ifdef`/`ifndef` for single checks
• tls: CURLINFO_TLS_SSL_PTR testing
• TODO: remove session export item
• TODO: remove the expand ~ idea
• tool_cb_wrt: stop alloc/free for every chunk windows console output
• tool_operate: avoid superfluous strdup'ing output
• tool_operate: use stricter curl_multi_setopt() arguments
• tool_operate: use the correct config pointer
• tool_paramhlp: fix secs2ms()
• tool_parsecfg: use dynbuf for quoted arguments
• tool_urlglob: polish, cleanups, improvements
• typecheck-gcc: add type checks for curl_multi_setopt()
• unit-tests: build the unitprotos.h from here
• unit2604: avoid `UNCONST()`
• URL-SYNTAX.md: drop link to codepoints.net to pass linkcheck
• urlapi: allow more path characters "raw" when asked to URL encode
• urldata: reduce two long struct fields to unsigned short
• vquic-tls: fix SSL backend type for QUIC connections using gnutls
• vquic: use curl_getenv
• vtls: set seen http version on successful ALPN
• websocket example: cast print values to unsigned int
• windows: assume `ADDRESS_FAMILY`, drop feature checks
• windows: document toolchain support for `CERT_NAME_SEARCH_ALL_NAMES_FLAG`
• windows: document toolchain support for some macros (cont.)
• windows: document toolchain support for some macros
• windows: drop `CRYPT_E_*` macro fallbacks, limit one to mingw32ce
• windows: drop two interim, single-use macros
• windows: drop unused `curlx/version_win32.h` includes
• windows: fix `if_nametoindex()` detection with autotools, improve with cmake
• windows: include `wincrypt.h` before `iphlpapi.h` for mingw-w64 <6
• windows: target version macro tidy-ups
• wolfssl: rename ML-KEM hybrids to match IETF draft
• ws: avoid NULL pointer deref in curl_ws_recv

Contributors:

adamse on github, Ahmad Gani, Alice Lee Poetics, Ammar Faizi, Anthony Hu, Berthin Torres Callañaupa, BobodevMm on github, Caolán McNamara, Cole Leavitt, d1r3ct0r, Dan Fandrich, Daniel Böhmer, Daniel Engberg, Daniel Stenberg, David Zhuang, devgs on github, Dominik Tomecki, Eshan Kelkar, Gabriel Marin, Gisle Vanem, Google Big Sleep, Harry Sintonen, IoannisGS on github, Jelle Raaijmakers, Jeroen Ooms, Kai Pastor, Karthik Das, kkmuffme on github, kupavcevdenis on github, letshack9707 on hackerone, lf- on github, LoRd_MuldeR, Marcel Raad, Michael Osipov, Michał Petryka, Natris on github, nevakrien on github, Oxan van Leeuwen, Paul Gilmartin, Petar Popovic, Philippe Antoine, Pino Toscano, Qriist, Qriist on github, Ray Satiro, renovate[bot], rm-rmonaghan on github, Roberto Hidalgo, Samuel Henrique, Schrijvers Luc, Sergio Durigan Junior, Simon Dalvai, Stanislav Osipov, Stefan Eissing, sunriseL, Tal Regev, Todd Gamblin, Viktor Szakats, Waldemar Kornewald, xfangfang, yaoy6 on github, ウさん