celeris v1.5.3 — core-engine performance milestone

.github/workflows/ci.yml

@@ -24,7 +24,7 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -64,7 +64,7 @@ jobs:
     name: Unit (root + middleware sub-modules)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -107,7 +107,7 @@ jobs:
     name: Conformance
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -144,7 +144,7 @@ jobs:
       CELERIS_PG_DSN: postgres://celeris:celeris@127.0.0.1:5432/celeristest?sslmode=disable
       CELERIS_REDIS_ADDR: 127.0.0.1:6379
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -164,7 +164,7 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -187,7 +187,7 @@ jobs:
     name: Vulnerability Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"

.github/workflows/drivers.yml

@@ -91,7 +91,7 @@ jobs:
     env:
       CELERIS_PG_DSN: postgres://celeris:celeris@127.0.0.1:5432/celeristest?sslmode=disable
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -132,7 +132,7 @@ jobs:
     env:
       CELERIS_REDIS_ADDR: 127.0.0.1:6379
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -173,7 +173,7 @@ jobs:
     env:
       CELERIS_REDIS_ADDR: 127.0.0.1:6379
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -210,7 +210,7 @@ jobs:
     env:
       CELERIS_MEMCACHED_ADDR: 127.0.0.1:11211
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -263,7 +263,7 @@ jobs:
           --health-timeout 5s
           --health-retries 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -296,7 +296,7 @@ jobs:
       REDIS_IMAGE: redis:${{ matrix.redis }}
       CELERIS_REDIS_CLUSTER_ADDRS: "127.0.0.1:7000,127.0.0.1:7001,127.0.0.1:7002"
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"
@@ -382,7 +382,7 @@ jobs:
       CELERIS_REDIS_SENTINEL_ADDRS: "127.0.0.1:26379,127.0.0.1:26380,127.0.0.1:26381"
       CELERIS_REDIS_SENTINEL_MASTER: mymaster
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"

.github/workflows/release.yml

@@ -31,7 +31,7 @@ jobs:
     needs: [validate-tag, ci]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
       - name: Create sub-module tags
@@ -70,7 +70,7 @@ jobs:
     needs: [validate-tag, ci, tag-submodules]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-go@v6
         with:
           go-version: "1.26.4"

SECURITY.md

@@ -2,14 +2,58 @@
 
 ## Supported Versions
 
-| Version       | Supported |
-|---------------|-----------|
-| >= 1.4.0      | Yes       |
-| < 1.4.0       | No        |
-
-Security updates are issued only for the 1.4.x line. Earlier versions
-(1.3.x and below) no longer receive fixes, including critical ones —
-upgrade to the latest 1.4.x to remain covered.
+| Version  | Supported |
+|----------|-----------|
+| >= 1.5.0 | Yes       |
+| 1.4.x    | No        |
+| < 1.4.0  | No        |
+
+Security updates are issued only for the 1.5.x line. The 1.4.x line and
+earlier (1.3.x and below) no longer receive fixes, including critical
+ones — upgrade to the latest 1.5.x to remain covered.
+
+### v1.5.x Security Improvements
+
+The 1.5.x line is the core-engine performance milestone (io_uring / epoll /
+adaptive). Several of its changes are memory-safety or DoS-posture
+relevant:
+
+- **io_uring use-after-free hardening under churn**: the io_uring engine
+  serializes close behind in-flight completions (cancel-then-release) and
+  tags each completion's `user_data` with a 16-bit per-connection
+  generation counter. A stale CQE arriving after a socket's slot has been
+  recycled is now detected by the generation mismatch and dropped instead
+  of being misrouted to the new connection occupying that slot — closing a
+  gen-collision window that could cross-wire two connections' buffers or
+  corrupt the heap under sustained POST / connection-churn load.
+
+- **H1 parser request-smuggling hardening**: the H1 request parser was
+  hardened against request-smuggling vectors and RFC 9110/9112 framing
+  violations (conflicting / duplicate `Content-Length`, `Transfer-Encoding`
+  vs `Content-Length` ambiguity, malformed chunk framing), so a
+  front-end / back-end desync cannot be induced through celeris.
+
+- **Latent data-race / memory-safety fixes**: two races that are
+  memory-safety bugs under the Go memory model were closed — a
+  `Start` / `Shutdown` race on the server CPU monitor, and the epoll
+  async-detach path's `h1State.Detached` flag, now an `atomic.Bool`
+  published with a release barrier so a detaching connection cannot be
+  observed half-initialized by the engine loop.
+
+- **`middleware/secure` default hardening (behavior change)**:
+  `Cross-Origin-Embedder-Policy` (`require-corp`) and `X-Download-Options`
+  (`noopen`) are now **off by default** and opt-in, matching Helmet's
+  posture. The previous COEP default silently broke cross-origin resources
+  without a corresponding security win for most apps; set
+  `CrossOriginEmbedderPolicy: "require-corp"` (or `"credentialless"`)
+  explicitly where cross-origin isolation is required. The default
+  secure-header count drops from 11 to 9 — **audit your deployment if you
+  relied on the implicit COEP header**.
+
+- **Go toolchain bump (1.26.3 → 1.26.4)**: every `go.mod` in the repo
+  (and the loadgen sub-module) moves to `go 1.26.4` for the stdlib
+  security fixes in that patch release; CI pins the explicit patch version
+  so a stale runner cache cannot regress.
 
 ### v1.4.2 Security Improvements
 
@@ -164,7 +208,7 @@ posture is conservative:
 
 ## Historical (unsupported)
 
-Per-version security notes for the 1.3.x line and earlier are preserved in the git history of this file (`git log SECURITY.md`). Those releases no longer receive fixes — upgrade to the latest 1.4.x to remain covered.
+Per-version security notes for the 1.3.x line and earlier are preserved in the git history of this file (`git log SECURITY.md`). Those releases no longer receive fixes — upgrade to the latest 1.5.x to remain covered.
 
 ## Reporting a Vulnerability