This is an automated email from the ASF dual-hosted git repository.

shreemaan-abhishek pushed a commit to branch release/3.17
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/release/3.17 by this push:
     new 06f3037b5 chore: release 3.17.0
06f3037b5 is described below

commit 06f3037b57546a58f5e5c9ad8741c4a881387bac
Author: Abhishek Choudhary <[email protected]>
AuthorDate: Wed Jun 10 16:54:01 2026 +0800

    chore: release 3.17.0
    
    Signed-off-by: Abhishek Choudhary <[email protected]>
---
 CHANGELOG.md               | 60 ++++++++++++++++++++++++++++++++++++++++++++++
 apisix/core/version.lua    |  2 +-
 ci/check_changelog_prs.ts  |  6 +++++
 docs/en/latest/config.json |  2 +-
 docs/zh/latest/config.json |  2 +-
 5 files changed, 69 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 941c95881..b6b88f386 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ title: Changelog
 
 ## Table of Contents
 
+- [3.17.0](#3170)
 - [3.16.0](#3160)
 - [3.15.0](#3150)
 - [3.14.1](#3141)
@@ -84,6 +85,65 @@ title: Changelog
 - [0.7.0](#070)
 - [0.6.0](#060)
 
+## 3.17.0
+
+**The changes marked with :warning: are not backward compatible.**
+
+### Change
+
+- :warning: change(auth): require configured jwt claims, harden empty 
claims_to_verify and key-auth anonymous fallback 
[#13468](https://github.com/apache/apisix/pull/13468)
+- :warning: remove server-side token generation endpoint 
(`/apisix/plugin/jwe/encrypt`) from jwe-decrypt plugin 
[#13464](https://github.com/apache/apisix/pull/13464)
+- :warning: bound batch-requests pipeline item count, timeout, and tighten 
request schema [#13492](https://github.com/apache/apisix/pull/13492)
+- :warning: default signed_headers to ["date"] in hmac-auth plugin 
[#13388](https://github.com/apache/apisix/pull/13388)
+- :warning: sign request URI cookie and tighten cookie attributes in cas-auth 
plugin (new required `cookie.secret`) 
[#13331](https://github.com/apache/apisix/pull/13331)
+- :warning: add consumer_isolation (default true) and cache_set_cookie options 
to proxy-cache plugin [#13350](https://github.com/apache/apisix/pull/13350)
+
+### Core
+
+- perf(core): cache parsed JSON request body to avoid redundant decoding 
[#13377](https://github.com/apache/apisix/pull/13377)
+- fix: replace module-level mutable tables with per-call allocation 
[#13369](https://github.com/apache/apisix/pull/13369)
+- fix: preserve stream service plugin context 
[#13402](https://github.com/apache/apisix/pull/13402)
+- fix: remove stale HTTP2 body guard 
[#13428](https://github.com/apache/apisix/pull/13428)
+- fix: isolate logger response body buffers 
[#13450](https://github.com/apache/apisix/pull/13450)
+- fix(xrpc): bound redis command-line preallocation size 
[#13483](https://github.com/apache/apisix/pull/13483)
+
+### Plugins
+
+- feat: add acl plugin [#13349](https://github.com/apache/apisix/pull/13349)
+- feat: add data-mask plugin 
[#13347](https://github.com/apache/apisix/pull/13347)
+- feat: add saml-auth plugin 
[#13346](https://github.com/apache/apisix/pull/13346)
+- feat: add dingtalk-auth plugin 
[#13381](https://github.com/apache/apisix/pull/13381)
+- feat: add feishu-auth plugin 
[#13382](https://github.com/apache/apisix/pull/13382)
+- feat(plugin): add error-page plugin 
[#13380](https://github.com/apache/apisix/pull/13380)
+- feat(plugin): add graphql-limit-count plugin 
[#13372](https://github.com/apache/apisix/pull/13372)
+- feat(plugin): add graphql-proxy-cache plugin 
[#13435](https://github.com/apache/apisix/pull/13435)
+- feat: add proxy-buffering plugin 
[#13446](https://github.com/apache/apisix/pull/13446)
+- feat(proxy-cache): honor Vary header for memory strategy 
[#13376](https://github.com/apache/apisix/pull/13376)
+- feat(cas-auth): support configuring an absolute callback URL 
[#13413](https://github.com/apache/apisix/pull/13413)
+- feat(openid-connect): make client_secret optional for local JWT verification 
modes [#13472](https://github.com/apache/apisix/pull/13472)
+- feat(openid-connect): update session config to support lua-resty-session, 
fixes deprecated session.cookie.lifetime 
[#13178](https://github.com/apache/apisix/pull/13178)
+- feat(ai-proxy-multi): add max_retries and retry_on_failure_within_ms for 
fallback [#13495](https://github.com/apache/apisix/pull/13495)
+- feat(hmac-auth): add max_req_body_size to bound request body during 
validation [#13478](https://github.com/apache/apisix/pull/13478)
+- feat: add max_req_body_size to bound client request body in forward-auth and 
ai-proxy [#13466](https://github.com/apache/apisix/pull/13466)
+- perf(ai-proxy): optimize SSE decoder - remove PCRE, add decode_buf, fix 
comment lines [#13391](https://github.com/apache/apisix/pull/13391)
+- perf(ai): reuse raw request body when unchanged 
[#13406](https://github.com/apache/apisix/pull/13406)
+- perf(limit-count): use evalsha with NOSCRIPT fallback for Redis script 
execution [#13363](https://github.com/apache/apisix/pull/13363)
+- fix: sort AI proxy upstream request JSON keys 
[#13461](https://github.com/apache/apisix/pull/13461)
+- fix(ai-proxy-multi): stabilize domain health checks 
[#13441](https://github.com/apache/apisix/pull/13441)
+- fix(ai-proxy): map upstream LLM timeouts to 504 instead of 500 
[#13481](https://github.com/apache/apisix/pull/13481)
+- fix(limit): atomic redis commits and resolved-var validation 
[#13467](https://github.com/apache/apisix/pull/13467)
+- fix(security): encrypt missing secret-like plugin fields at rest 
[#13389](https://github.com/apache/apisix/pull/13389)
+- fix(gcp): report auth_file path instead of file contents in parse error 
[#13409](https://github.com/apache/apisix/pull/13409)
+- fix(authz-keycloak): copy permissions before appending http_method_as_scope 
[#13410](https://github.com/apache/apisix/pull/13410)
+- fix(authz-casdoor): scope session cookie per Casdoor client 
[#13387](https://github.com/apache/apisix/pull/13387)
+- fix(opa): apply send_headers_upstream for headers absent from OPA response 
[#13433](https://github.com/apache/apisix/pull/13433)
+- fix(cas-auth): harden session and callback handling 
[#13427](https://github.com/apache/apisix/pull/13427)
+- fix(cas-auth): return 400 instead of 500 for SLO POST with empty body 
[#13471](https://github.com/apache/apisix/pull/13471)
+- fix(jwe-decrypt): reject tokens that fail to decrypt 
[#13404](https://github.com/apache/apisix/pull/13404)
+- fix: harden cors, multi-auth and body-transformer plugins against malformed 
requests [#13469](https://github.com/apache/apisix/pull/13469)
+- fix(proxy-mirror): keep the original method path when mirroring gRPC 
requests [#13499](https://github.com/apache/apisix/pull/13499)
+- fix(dingtalk-auth): clear client-supplied X-Userinfo before authentication 
[#13491](https://github.com/apache/apisix/pull/13491)
+
 ## 3.16.0
 
 **The changes marked with :warning: are not backward compatible.**
diff --git a/apisix/core/version.lua b/apisix/core/version.lua
index b3a151244..326e22e8b 100644
--- a/apisix/core/version.lua
+++ b/apisix/core/version.lua
@@ -20,5 +20,5 @@
 -- @module core.version
 
 return {
-    VERSION = "3.16.0"
+    VERSION = "3.17.0"
 }
diff --git a/ci/check_changelog_prs.ts b/ci/check_changelog_prs.ts
index 0c5bfa24a..d831ef1b9 100755
--- a/ci/check_changelog_prs.ts
+++ b/ci/check_changelog_prs.ts
@@ -56,6 +56,12 @@ const IGNORE_PRS = [
     12761, 12805, 12844, 12863, 12829, 12725, 12948,
     // 3.16.0
     12958, 13053, 13148, 13100, 13094, 13081,
+    // 3.17.0
+    // 13386 (add configurable request JSON library) + 13407 (qjson error fix) 
were
+    // fully reverted by 13449 within this release, so they net to a no-op and 
are
+    // not user-facing. 13485 is a test-only change (its "fix " subject dodges 
the
+    // type filter).
+    13386, 13407, 13449, 13485,
 ];
 
 
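Review bot: The exemption for 13485 in the new `// 3.17.0` group works around a gap rather than closing it: the added comment says the PR's "fix " subject dodges the type filter, so the next test-only PR with a similar subject will need another manual entry in `IGNORE_PRS`. The filter is outside this hunk, so this is inferred from the comment alone; if it matches on a subject prefix, tightening it there would be the more durable fix. Because each number in this list silences the changelog check for a whole PR, consider putting the rationale beside each entry so exemptions can be audited one by one, for example `13485, // test-only change` and `13386, 13407, 13449, // reverted within 3.17.0, net no-op`. The `IGNORE_PRS` array begins above the hunk.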
diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json
index 1dc91c6b3..7691e4580 100644
--- a/docs/en/latest/config.json
+++ b/docs/en/latest/config.json
@@ -1,5 +1,5 @@
 {
-  "version": "3.16.0",
+  "version": "3.17.0",
   "sidebar": [
     {
       "type": "category",
diff --git a/docs/zh/latest/config.json b/docs/zh/latest/config.json
index 6240fe6e4..78ab8ad88 100644
--- a/docs/zh/latest/config.json
+++ b/docs/zh/latest/config.json
@@ -1,5 +1,5 @@
 {
-  "version": "3.16.0",
+  "version": "3.17.0",
   "sidebar": [
     {
       "type": "category",
