This is an automated email from the ASF dual-hosted git repository.
shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 24511776e chore: release 3.17.0 (#13503)
24511776e is described below
commit 24511776e322a735cd98b5a43c24b79ef1fdc527
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Tue Jun 16 15:22:25 2026 +0800
chore: release 3.17.0 (#13503)
Signed-off-by: Abhishek Choudhary <[email protected]>
---
.github/workflows/check-changelog.yml | 8 +--
.requirements | 2 +-
CHANGELOG.md | 130 ++++++++++++++++++++++++++++++++++
apisix/core/version.lua | 2 +-
ci/check_changelog_prs.ts | 10 ++-
docs/en/latest/config.json | 2 +-
docs/zh/latest/config.json | 2 +-
7 files changed, 147 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/check-changelog.yml
b/.github/workflows/check-changelog.yml
index 4f3592ff1..08d19b639 100644
--- a/.github/workflows/check-changelog.yml
+++ b/.github/workflows/check-changelog.yml
@@ -1,10 +1,6 @@
name: Check Changelog
on:
- push:
- paths:
- - 'CHANGELOG.md'
- - 'ci/check_changelog_prs.ts'
pull_request:
paths:
- 'CHANGELOG.md'
@@ -21,6 +17,10 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
fetch-depth: 0
+ # Check out the PR branch head itself, not the default
merge-with-base
+ # commit, so the changelog is validated against the release branch's
+ # own scope (since-last-release) rather than a moving target base.
+ ref: ${{ github.event.pull_request.head.sha }}
- name: Run check_changelog_prs script
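Review bot: With `ref` pinned to the PR head SHA, the following step runs `ci/check_changelog_prs.ts` from a contributor-controlled tree on a full-history clone, so the `with:` block should also set `persist-credentials: false`, assuming the script does not need authenticated git access after checkout. This is only acceptable while the trigger stays `pull_request`, as the first hunk shows; a comment next to `ref:` such as `# head.sha is PR-controlled: keep this workflow on pull_request, never pull_request_target` would record that constraint. The expression is also empty for any non-PR event, so a later `workflow_dispatch` or a restored `push` trigger would silently fall back to the default ref. The rest of the job lies outside the hunk.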
diff --git a/.requirements b/.requirements
index b599f80cd..75e381cbc 100644
--- a/.requirements
+++ b/.requirements
@@ -18,4 +18,4 @@
APISIX_PACKAGE_NAME=apisix
APISIX_RUNTIME=1.3.6
-APISIX_DASHBOARD_COMMIT=bbe05ad95396f90db03d831660f454c2844d906e
+APISIX_DASHBOARD_COMMIT=c8d3466d3c36386d3888efbc8250cd8183c77298
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 941c95881..1e0e1e60c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ title: Changelog
## Table of Contents
+- [3.17.0](#3170)
- [3.16.0](#3160)
- [3.15.0](#3150)
- [3.14.1](#3141)
@@ -84,6 +85,135 @@ title: Changelog
- [0.7.0](#070)
- [0.6.0](#060)
+## 3.17.0
+
+**The changes marked with :warning: are not backward compatible.**
+
+### Change
+
+- :warning: change(auth): require configured jwt claims, harden empty
claims_to_verify and key-auth anonymous fallback
[#13468](https://github.com/apache/apisix/pull/13468)
+- :warning: enforce algorithm match before signature verification in jwt-auth
plugin [#13182](https://github.com/apache/apisix/pull/13182)
+- :warning: remove server-side token generation endpoint
(`/apisix/plugin/jwe/encrypt`) from jwe-decrypt plugin
[#13464](https://github.com/apache/apisix/pull/13464)
+- :warning: require admin key for the schema validate endpoint
[#13328](https://github.com/apache/apisix/pull/13328)
+- :warning: bound batch-requests pipeline item count, timeout, and tighten
request schema [#13492](https://github.com/apache/apisix/pull/13492)
+- :warning: default signed_headers to ["date"] in hmac-auth plugin
[#13388](https://github.com/apache/apisix/pull/13388)
+- :warning: sign request URI cookie and tighten cookie attributes in cas-auth
plugin (new required `cookie.secret`)
[#13331](https://github.com/apache/apisix/pull/13331)
+- :warning: add consumer_isolation (default true) and cache_set_cookie options
to proxy-cache plugin [#13350](https://github.com/apache/apisix/pull/13350)
+- :warning: add ssl_verify option (default true) and fix shared state in
tencent-cloud-cls plugin [#13194](https://github.com/apache/apisix/pull/13194)
+- :warning: address TLS ssl_verify hardcoding and credential encryption issues
(ai-rag ssl_verify now defaults to true)
[#13203](https://github.com/apache/apisix/pull/13203)
+- :warning: resolve env vars before YAML parsing to preserve types in
standalone mode [#13078](https://github.com/apache/apisix/pull/13078)
+
+### Core
+
+- feat: support batch TCP/UDP port ranges in stream_proxy config
[#13153](https://github.com/apache/apisix/pull/13153)
+- feat(admin): make /configs/validate available in all modes
[#13220](https://github.com/apache/apisix/pull/13220)
+- feat: add core.response.get_response_source() API for response origin
classification [#13224](https://github.com/apache/apisix/pull/13224)
+- feat: add rate-limiting-info variable
[#13155](https://github.com/apache/apisix/pull/13155)
+- feat: enhance encrypt_fields to support nested structures
[#13192](https://github.com/apache/apisix/pull/13192)
+- feat: extend secret references to all plugins with central resolution
[#13312](https://github.com/apache/apisix/pull/13312)
+- perf(core): cache parsed JSON request body to avoid redundant decoding
[#13377](https://github.com/apache/apisix/pull/13377)
+- perf(ctx): cache parsed request body to avoid repeated decode for post_arg.*
[#13356](https://github.com/apache/apisix/pull/13356)
+- refactor: extract reusable building blocks from K8s and Nacos discovery
[#13201](https://github.com/apache/apisix/pull/13201)
+- refactor: extract reusable building blocks from Consul discovery
[#13230](https://github.com/apache/apisix/pull/13230)
+- fix: replace module-level mutable tables with per-call allocation
[#13369](https://github.com/apache/apisix/pull/13369)
+- fix: add null_as_nil option to core.json.decode for AI plugins
[#13231](https://github.com/apache/apisix/pull/13231)
+- fix: add schema compatibility for consumer and credential resources
[#13154](https://github.com/apache/apisix/pull/13154)
+- fix(admin): use local config to fetch global rules in standalone mode
[#13122](https://github.com/apache/apisix/pull/13122)
+- fix(admin): strip SSL private keys array in GET single and list responses
[#13227](https://github.com/apache/apisix/pull/13227)
+- fix: split global rules phase execution for client-control compatibility
[#13345](https://github.com/apache/apisix/pull/13345)
+- fix: preserve stream service plugin context
[#13402](https://github.com/apache/apisix/pull/13402)
+- fix(stream/traffic-split): handle upstream_id set by plugin in stream
context [#13285](https://github.com/apache/apisix/pull/13285)
+- fix(stream/traffic-split): set route_id in stream preread phase
[#13284](https://github.com/apache/apisix/pull/13284)
+- fix: rebuild stream router when services change
[#13318](https://github.com/apache/apisix/pull/13318)
+- fix: remove stale HTTP2 body guard
[#13428](https://github.com/apache/apisix/pull/13428)
+- fix: isolate logger response body buffers
[#13450](https://github.com/apache/apisix/pull/13450)
+- fix: batch-processor infinite timer loop prevents graceful shutdown
[#13288](https://github.com/apache/apisix/pull/13288)
+- fix(tracer): prevent stale ctx.tracing crash on HTTPS keepalive connections
[#13232](https://github.com/apache/apisix/pull/13232)
+- fix: handle missing X-Etcd-Index header gracefully in config_etcd
[#13364](https://github.com/apache/apisix/pull/13364)
+- fix(core/etcd): nil-deref on response without header field
[#13361](https://github.com/apache/apisix/pull/13361)
+- fix(consul): tolerate null Service.Meta in fetch_services_from_server
[#13258](https://github.com/apache/apisix/pull/13258)
+- fix: address TLS security vulnerabilities in SSL log, OIDC encryption, and
K8s ssl_verify [#13190](https://github.com/apache/apisix/pull/13190)
+- fix: avoid logging plaintext value when encrypt/decrypt fails in ssl.lua
[#13298](https://github.com/apache/apisix/pull/13298)
+- fix: downgrade decrypt failure log from warn to info
[#13324](https://github.com/apache/apisix/pull/13324)
+- fix(xrpc): bound redis command-line preallocation size
[#13483](https://github.com/apache/apisix/pull/13483)
+
+### Plugins
+
+- feat: add acl plugin [#13349](https://github.com/apache/apisix/pull/13349)
+- feat: add data-mask plugin
[#13347](https://github.com/apache/apisix/pull/13347)
+- feat: add saml-auth plugin
[#13346](https://github.com/apache/apisix/pull/13346)
+- feat: add dingtalk-auth plugin
[#13381](https://github.com/apache/apisix/pull/13381)
+- feat: add feishu-auth plugin
[#13382](https://github.com/apache/apisix/pull/13382)
+- feat(plugin): add error-page plugin
[#13380](https://github.com/apache/apisix/pull/13380)
+- feat(plugin): add graphql-limit-count plugin
[#13372](https://github.com/apache/apisix/pull/13372)
+- feat(plugin): add graphql-proxy-cache plugin
[#13435](https://github.com/apache/apisix/pull/13435)
+- feat: add proxy-buffering plugin
[#13446](https://github.com/apache/apisix/pull/13446)
+- feat: add oas-validator plugin
[#13344](https://github.com/apache/apisix/pull/13344)
+- feat: add traffic-label plugin
[#13342](https://github.com/apache/apisix/pull/13342)
+- feat: add exit-transformer plugin
[#13343](https://github.com/apache/apisix/pull/13343)
+- feat(request-id): add UUID v7 generation support
[#13152](https://github.com/apache/apisix/pull/13152)
+- feat(ai-proxy): support aws bedrock
[#13249](https://github.com/apache/apisix/pull/13249)
+- feat(ai-proxy): support Bedrock ConverseStream streaming
[#13307](https://github.com/apache/apisix/pull/13307)
+- feat(ai-proxy): add native Anthropic Messages API protocol support
[#13181](https://github.com/apache/apisix/pull/13181)
+- feat(ai): add OpenAI Responses API (/v1/responses) support
[#13186](https://github.com/apache/apisix/pull/13186)
+- feat(ai-proxy): add passthrough protocol for unrecognized API formats
[#13320](https://github.com/apache/apisix/pull/13320)
+- feat(ai-proxy): rewrite Anthropic-to-OpenAI converter with whitelist body
construction [#13321](https://github.com/apache/apisix/pull/13321)
+- feat(ai-proxy): add provider-aware max_tokens override with priority control
[#13251](https://github.com/apache/apisix/pull/13251)
+- feat(ai-proxy): add per-protocol request_body override and rename max_tokens
mapping to llm_options [#13269](https://github.com/apache/apisix/pull/13269)
+- feat(ai-proxy): add max_stream_duration_ms and max_response_bytes safeguards
[#13250](https://github.com/apache/apisix/pull/13250)
+- feat(ai-proxy): abort upstream read on client disconnect during streaming
[#13254](https://github.com/apache/apisix/pull/13254)
+- feat: populate upstream nginx variables when ai-proxy uses cosocket
transport [#13317](https://github.com/apache/apisix/pull/13317)
+- feat(ai-rate-limiting): add expression-based limit strategy
[#13191](https://github.com/apache/apisix/pull/13191)
+- feat(ai-proxy-multi): add max_retries and retry_on_failure_within_ms for
fallback [#13495](https://github.com/apache/apisix/pull/13495)
+- feat(elasticsearch-logger): support dynamic index with time and variable
resolution [#13334](https://github.com/apache/apisix/pull/13334)
+- feat(limit-count): upgrade lua-resty-limit-traffic to v1.2.0
[#13212](https://github.com/apache/apisix/pull/13212)
+- feat(proxy-cache): honor Vary header for memory strategy
[#13376](https://github.com/apache/apisix/pull/13376)
+- feat(cas-auth): support configuring an absolute callback URL
[#13413](https://github.com/apache/apisix/pull/13413)
+- feat(openid-connect): make client_secret optional for local JWT verification
modes [#13472](https://github.com/apache/apisix/pull/13472)
+- feat(openid-connect): update session config to support lua-resty-session,
fixes deprecated session.cookie.lifetime
[#13178](https://github.com/apache/apisix/pull/13178)
+- feat(hmac-auth): add max_req_body_size to bound request body during
validation [#13478](https://github.com/apache/apisix/pull/13478)
+- feat: add max_req_body_size to bound client request body in forward-auth and
ai-proxy [#13466](https://github.com/apache/apisix/pull/13466)
+- refactor: three-layer AI proxy architecture (protocols/providers/transport)
[#13170](https://github.com/apache/apisix/pull/13170)
+- perf(ai-proxy): optimize SSE decoder - remove PCRE, add decode_buf, fix
comment lines [#13391](https://github.com/apache/apisix/pull/13391)
+- perf(ai): reuse raw request body when unchanged
[#13406](https://github.com/apache/apisix/pull/13406)
+- perf(limit-count): use evalsha with NOSCRIPT fallback for Redis script
execution [#13363](https://github.com/apache/apisix/pull/13363)
+- fix: sort AI proxy upstream request JSON keys
[#13461](https://github.com/apache/apisix/pull/13461)
+- fix(ai-proxy-multi): stabilize domain health checks
[#13441](https://github.com/apache/apisix/pull/13441)
+- fix(ai-proxy-multi): resolve _dns_value in construct_upstream when nil
[#13322](https://github.com/apache/apisix/pull/13322)
+- fix(ai-proxy): map upstream LLM timeouts to 504 instead of 500
[#13481](https://github.com/apache/apisix/pull/13481)
+- fix(ai-proxy): return 502 when streaming converter receives mismatched
response format [#13229](https://github.com/apache/apisix/pull/13229)
+- fix(ai-proxy): yield to scheduler in streaming SSE loop to avoid worker CPU
starvation [#13255](https://github.com/apache/apisix/pull/13255)
+- fix(ai-proxy): populate $upstream_response_length for cosocket transport
[#13323](https://github.com/apache/apisix/pull/13323)
+- fix(ai-request-rewrite): return 400 when request body is missing
[#13097](https://github.com/apache/apisix/pull/13097)
+- fix(ai-prompt-template): fix malformed JSON error message
[#13096](https://github.com/apache/apisix/pull/13096)
+- fix(ai-prompt-*): handle nil err in JSON body parse path
[#13314](https://github.com/apache/apisix/pull/13314)
+- fix: remove llm related metrics for non llm requests
[#13088](https://github.com/apache/apisix/pull/13088)
+- fix(limit): atomic redis commits and resolved-var validation
[#13467](https://github.com/apache/apisix/pull/13467)
+- fix(security): encrypt missing secret-like plugin fields at rest
[#13389](https://github.com/apache/apisix/pull/13389)
+- fix: redact sensitive data from plugin log output
[#13123](https://github.com/apache/apisix/pull/13123)
+- fix: remove credential-leaking log statements in sls-logger, hmac-auth,
tcp-logger, udp-logger [#13205](https://github.com/apache/apisix/pull/13205)
+- fix(gcp): report auth_file path instead of file contents in parse error
[#13409](https://github.com/apache/apisix/pull/13409)
+- fix(authz-keycloak): copy permissions before appending http_method_as_scope
[#13410](https://github.com/apache/apisix/pull/13410)
+- fix(authz-casdoor): scope session cookie per Casdoor client
[#13387](https://github.com/apache/apisix/pull/13387)
+- fix(opa): apply send_headers_upstream for headers absent from OPA response
[#13433](https://github.com/apache/apisix/pull/13433)
+- fix(cas-auth): harden session and callback handling
[#13427](https://github.com/apache/apisix/pull/13427)
+- fix(cas-auth): return 400 instead of 500 for SLO POST with empty body
[#13471](https://github.com/apache/apisix/pull/13471)
+- fix(jwe-decrypt): reject tokens that fail to decrypt
[#13404](https://github.com/apache/apisix/pull/13404)
+- fix(openidc): include request port in `redirect_uri`
[#13081](https://github.com/apache/apisix/pull/13081)
+- fix(openid-connect): ensure identity headers reflect validated tokens
[#13330](https://github.com/apache/apisix/pull/13330)
+- fix(forward-auth): clear configured upstream headers not present in auth
response [#13183](https://github.com/apache/apisix/pull/13183)
+- fix(wolf-rbac): use trusted client IP source for access_check
[#13329](https://github.com/apache/apisix/pull/13329)
+- fix(chaitin-waf): use trusted client IP source for WAF backend
[#13339](https://github.com/apache/apisix/pull/13339)
+- fix(file-logger): incorrectly attempts to decompress uncompressed response
body [#13100](https://github.com/apache/apisix/pull/13100)
+- fix: preserve processed_entries during stale buffer cleanup
[#13094](https://github.com/apache/apisix/pull/13094)
+- fix(opentelemetry): inject additional_attributes in log phase
[#13265](https://github.com/apache/apisix/pull/13265)
+- fix(opentelemetry): coerce additional_attributes values to string
[#13146](https://github.com/apache/apisix/pull/13146)
+- fix(opentelemetry): preserve booleans, handle multi-value headers, tighten
test [#13315](https://github.com/apache/apisix/pull/13315)
+- fix(brotli): preserve ETag and Last-Modified headers in Brotli-compressed
response [#12853](https://github.com/apache/apisix/pull/12853)
+- fix: harden cors, multi-auth and body-transformer plugins against malformed
requests [#13469](https://github.com/apache/apisix/pull/13469)
+- fix(proxy-mirror): keep the original method path when mirroring gRPC
requests [#13499](https://github.com/apache/apisix/pull/13499)
+- fix(dingtalk-auth): clear client-supplied X-Userinfo before authentication
[#13491](https://github.com/apache/apisix/pull/13491)
+
## 3.16.0
**The changes marked with :warning: are not backward compatible.**
diff --git a/apisix/core/version.lua b/apisix/core/version.lua
index b3a151244..326e22e8b 100644
--- a/apisix/core/version.lua
+++ b/apisix/core/version.lua
@@ -20,5 +20,5 @@
-- @module core.version
return {
- VERSION = "3.16.0"
+ VERSION = "3.17.0"
}
diff --git a/ci/check_changelog_prs.ts b/ci/check_changelog_prs.ts
index 0c5bfa24a..50dd25d1f 100755
--- a/ci/check_changelog_prs.ts
+++ b/ci/check_changelog_prs.ts
@@ -55,7 +55,15 @@ const IGNORE_PRS = [
// 3.15.0
12761, 12805, 12844, 12863, 12829, 12725, 12948,
// 3.16.0
- 12958, 13053, 13148, 13100, 13094, 13081,
+ 12958, 13053, 13148,
+ // 3.17.0
+ // 13386 (add configurable request JSON library) + 13407 (qjson error fix)
were
+ // fully reverted by 13449 within this release, so they net to a no-op and
are
+ // not user-facing. The rest are test-only / CI-only / docs-only changes
whose
+ // subject prefix (e.g. "fix ", "fix(ci)", "feat(seo)", "feat(test)")
dodges the
+ // docs/chore/test/ci type filter but which do not belong in a user
changelog.
+ 13386, 13407, 13449, 13485,
+ 13139, 13156, 13157, 13158, 13222, 13234,
];
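Review bot: The new 3.17.0 comment names 13386, 13407 and 13449 as the reverted set, but 13485 shares their line without being named and presumably belongs to "the rest", which is described only collectively. Every id here is exempt from the changelog check, so a reason per group keeps the exemptions auditable, for example `13386, 13407, 13449, // added then fully reverted within 3.17.0` followed by `13485, 13139, 13156, 13157, 13158, 13222, 13234, // test/CI/docs-only`. That matters in a release whose changelog carries many security-relevant fixes, because a "fix" PR filed here by mistake would be dropped from the release notes without any check failing. The `IGNORE_PRS` array opens above the hunk.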
diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json
index 1dc91c6b3..7691e4580 100644
--- a/docs/en/latest/config.json
+++ b/docs/en/latest/config.json
@@ -1,5 +1,5 @@
{
- "version": "3.16.0",
+ "version": "3.17.0",
"sidebar": [
{
"type": "category",
diff --git a/docs/zh/latest/config.json b/docs/zh/latest/config.json
index 6240fe6e4..78ab8ad88 100644
--- a/docs/zh/latest/config.json
+++ b/docs/zh/latest/config.json
@@ -1,5 +1,5 @@
{
- "version": "3.16.0",
+ "version": "3.17.0",
"sidebar": [
{
"type": "category",