v3.0.1

@zishang520 released this 14 Apr 02:51

🛡️ Security Fix: Buffer Overflow & Payload Limits

v3.0.1 is a security patch release addressing critical vulnerabilities related to integer overflow in buffer allocation and unbounded memory consumption from malicious payloads.

🔒 Security Changes

  • Fixed Integer Overflow in growSlice: Corrected size computation logic in pkg/types/buffer.go to prevent panic or unsafe behavior during buffer expansion when len + n exceeds integer limits. (Resolves GitHub CodeQL alerts 8 and 12).
  • Added Global Payload Cap: Introduced a strict 128 MiB upper bound (types.MaxPayloadSize) for encoded payloads.
    • Socket Parser: Payloads exceeding the limit are now silently dropped during encoding in parsers/socket/parser/encoder.go.
    • JSONP Transport: Payloads exceeding the limit in JSONP responses now trigger a 500 Internal Server Error instead of attempting allocation, preventing potential Out-Of-Memory (OOM) attacks.
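The two fixes above, as an added Go example written for this page rather than taken from the project: an overflow-guarded growSlice beside the naive len + n computation it replaces, and a payload cap enforced both encoder-side (drop the frame) and JSONP-side (answer 500 before allocating). The constant MaxPayloadSize, the frame marker byte, and the function names and signatures are assumptions for illustration; the project's pkg/types/buffer.go and parser code may look different.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"math"
	"net/http"
)

// MaxPayloadSize is a constructed stand-in for the 128 MiB cap the release
// notes describe as types.MaxPayloadSize.
const MaxPayloadSize = 128 << 20

var (
	ErrSizeOverflow    = errors.New("growSlice: len+n overflows int")
	ErrPayloadTooLarge = errors.New("payload exceeds MaxPayloadSize")
)

// naiveNeeded shows the bug class: len+n wraps negative once the sum exceeds
// math.MaxInt, so a later make([]byte, needed) panics or sizes the buffer wrong.
func naiveNeeded(length, n int) int {
	return length + n
}

// growSlice returns b with capacity for at least n more bytes and rejects any
// request whose required size would overflow int. Hypothetical implementation,
// not the project's own.
func growSlice(b []byte, n int) ([]byte, error) {
	if n < 0 {
		return nil, errors.New("growSlice: negative growth")
	}
	// Compare by subtraction so the check itself cannot overflow.
	if n > math.MaxInt-len(b) {
		return nil, ErrSizeOverflow
	}
	needed := len(b) + n
	if needed <= cap(b) {
		return b, nil
	}
	// Amortised doubling, with the doubled value guarded against overflow too.
	newCap := needed
	if cap(b) <= math.MaxInt/2 && 2*cap(b) > needed {
		newCap = 2 * cap(b)
	}
	nb := make([]byte, len(b), newCap)
	copy(nb, b)
	return nb, nil
}

// encodePayload mirrors the socket-parser behaviour: an over-cap payload is
// dropped (nil, false) instead of being allocated and encoded.
func encodePayload(payload []byte) ([]byte, bool) {
	if len(payload) > MaxPayloadSize {
		return nil, false
	}
	out := make([]byte, 0, len(payload)+1)
	out = append(out, '4') // constructed frame marker, not the real wire format
	out = append(out, payload...)
	return out, true
}

// writeJSONP mirrors the JSONP-transport behaviour: an over-cap payload yields
// 500 Internal Server Error before any large allocation is attempted.
func writeJSONP(w http.ResponseWriter, callback string, payload []byte) error {
	if len(payload) > MaxPayloadSize {
		http.Error(w, "payload too large", http.StatusInternalServerError)
		return ErrPayloadTooLarge
	}
	body, err := json.Marshal(string(payload))
	if err != nil {
		return err
	}
	w.Header().Set("Content-Type", "text/javascript; charset=UTF-8")
	_, err = fmt.Fprintf(w, "%s(%s);", callback, body)
	return err
}

func main() {
	fmt.Println("naive len+n with n=MaxInt:", naiveNeeded(1, math.MaxInt)) // negative
	if _, err := growSlice(make([]byte, 1), math.MaxInt); err != nil {
		fmt.Println("guarded growSlice:", err)
	}
	_, ok := encodePayload(make([]byte, MaxPayloadSize+1))
	fmt.Println("oversized payload encoded:", ok)
}
```

The subtraction form of the check (n > MaxInt - len) is the important detail: writing it as len+n > MaxInt would itself overflow and always compare false, which is exactly the pattern CodeQL's "size computation for allocation may overflow" rule flags.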

🧹 Chores

  • Upgraded dependencies across adapters, clients, servers, and parsers modules.
  • Updated internal version constant to v3.0.1.

⚠️ Breaking Changes

None.
This update is fully backward compatible. The new 128 MiB limit is sufficiently large for standard usage; only abnormally large payloads (potential DoS attempts) will be affected.

What's Changed

  • Potential fix for code scanning alert no. 8: Size computation for allocation may overflow by @zishang520 in #148
  • Potential fix for code scanning alert no. 12: Size computation for allocation may overflow by @zishang520 in #149

Full Changelog: v3.0.0...v3.0.1