www/curl
Client that groks URLs
Branch: CURRENT
Version: 8.20.0nb2
Package name: curl-8.20.0nb2
Maintainer: leot

Curl is a command line tool for transferring files with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Curl supports
HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload,
proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate,
kerberos...), file transfer resume, proxy tunneling and a busload of other
useful tricks.
Required to run: [security/heimdal] [security/openssl] [www/nghttp2] [devel/libidn2]
Required to build: [pkgtools/cwrappers]
Package options: http2, idn, inet6, openssl
Master sites:
Filesize: 2768.023 KB
Version history:
- (2026-05-15) Updated to version: curl-8.20.0nb2
- (2026-05-14) Updated to version: curl-8.20.0nb1
- (2026-04-29) Updated to version: curl-8.20.0
- (2026-03-11) Updated to version: curl-8.19.0
- (2026-02-06) Updated to version: curl-8.18.0nb2
- (2026-01-07) Updated to version: curl-8.18.0nb1
CVS history:
| 2026-06-07 20:03:46 by Adam Ciarcinski | Files touched by this commit (7) |
Log message:
curl/libcurl-gnutls: fix build with nettle 4.0; support Darwin
|
| 2026-06-01 12:10:12 by Leonardo Taccari | Files touched by this commit (1) |
Log message:
curl: document the circular dependency
We have it in the CVS history, but let's document it as an "XXX" comment too so
possible future hands are less tempted to just uncomment them!
Thanks <ryoon> and Marc Baudoin!
|
| 2026-06-01 05:36:08 by Ryo ONODERA | Files touched by this commit (1) |
Log message:
www/curl: Remove http3 option
nghttp3, cmake and curl cause circular dependency.
Reported by Marc Baudoin. Thank you.
|
| 2026-05-30 21:01:34 by Ryo ONODERA | Files touched by this commit (1) |
Log message:
www/curl: Add http3 option
|
| 2026-05-15 14:32:20 by Robert Bagdan | Files touched by this commit (3) |
Log message:
curl: apply patch to fix wakeup consumption
|
| 2026-05-14 18:42:34 by Ryo ONODERA | Files touched by this commit (1335) |
Log message:
*: Recursive revbump from security/nettle-4.0
|
| 2026-04-29 09:05:49 by Thomas Klausner | Files touched by this commit (3) |
Log message:
curl: update to 8.20.0.
This release includes the following changes:
o async-thrdd: use thread queue for resolving [144]
o build: make NTLM disabled by default [90]
o cmake: drop support for CMake 3.17 and older [108]
o lib: add thread pool and queue [74]
o lib: drop support for < c-ares 1.16.0 [64]
o lib: make SMB support opt-in [18]
o multi.h: add CURLMNWC_CLEAR_ALL [127]
o rtmp: drop support [91]
This release includes the following bugfixes:
o altsvc: cap the list at 5,000 entries [183]
o altsvc: drop the prio field from the struct [185]
o altsvc: skip expired entries read from file [187]
o asyn-ares: connect async [220]
o asyn-ares: drop orphaned variable references [86]
o asyn-ares: fix HTTPS-lookup when not on port 443 [100]
o asyn-thrdd: drop redundant `result` check [291]
o asyn-thrdd: fix clang-tidy unused value warning [125]
o async-ares: fix query counter handling [195]
o autotools: limit checksrc target to ignore non-repo test sources [12]
o badwords-all: exit with correct code on errors [50]
o badwords: combine the whitelisting into a single regex [1]
o badwords: detect the the and with with [51]
o badwords: only check comments and strings in source code [61]
o badwords: rework exceptions, fix many of them [15]
o boringssl: fix more coexist cases with Schannel/WinCrypt [170]
o build: adjust/add casts to fix `-Wformat-signedness` [218]
o build: assume `snprintf()` in `mprintf`, drop feature check [107]
o build: compiler warning silencing tidy-ups [4]
o build: drop `openssl` module dependency for BoringSSL from `libcurl.pc` [33]
o build: drop duplicate `pthread.h` includes [158]
o build: drop redundant `USE_QUICHE` guards [159]
o build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues [84]
o build: fix `-Wformat-signedness` by adjusting printf masks [226]
o build: link `bcrypt.lib` via vcxproj files [239]
o build: skip detecting `pipe2()` for Apple targets [227]
o build: stop building and installing `runtests.1` and `testcurl.1` [235]
o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [132]
o cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR [63]
o cf-ip-happy: limit concurrent attempts [191]
o cf-socket: avoid low risk integer overflow on ancient Solaris [56]
o cfilters: fix Curl_pollset_poll() return code mixup [206]
o clang-tidy: avoid assignments in `if` expressions [175]
o clang-tidy: enable more checks, fix fallouts [254]
o cmake: add CMake Config-based dependency detection [87]
o cmake: add CMake Config-based dependency detection for c-ares, wolfSSL [134]
o cmake: do not install `wcurl` when `BUILD_CURL_EXE=OFF` [265]
o cmake: do not install shell completions when `BUILD_CURL_EXE=OFF` [263]
o cmake: document functions used from Windows system DLLs [103]
o cmake: enable pthreads for BoringSSL/AWS-LC [196]
o cmake: resolve targets recursively when generating `libcurl.pc` [45]
o cmake: rework binutils ld hack to not read `LOCATION` property [41]
o cmake: silence bad library `Threads::Threads` warning [131]
o cmake: use `AIX` built-in variable (with CMake 4.0+) [163]
o config2setopts: make --capath work in proxy disabled builds [113]
o configure: fix `--with-ngtcp2=<path>` option for crypto libs [26]
o configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic [3]
o configure: prefer dependency-specific variables over `$withval` [35]
o configure: remove superfluous experimental warning for HTTP/3 [169]
o configure: silence useless clang warnings in C89 builds [156]
o configure: tidy up comments [202]
o connect: fix typo on error message
o cookie: fix rejection when tabs in value [189]
o curl-wolfssl.m4: fix to use the correct value for pkg-config directory [36]
o curl.h: replace macros with C++-friendly method to enforce 3 args [110]
o curl_ctype.h: fix spelling in a couple of locally used macros [28]
o curl_get_line: error out on read errors [9]
o curl_get_line: fix potential infinite loop when filename is a directory [46]
o curl_ngtcp2: extend and update callbacks for 1.22.0+ [165]
o curl_ntlm_core: drop redundant PP condition [140]
o curl_ntlm_core: use wolfCrypt DES API with wolfSSL [200]
o curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard [210]
o curl_sha512_256: support delegating to wolfSSL API [149]
o curl_version_info.md: clarify age details [69]
o CURLOPT_HAPROXY_CLIENT_IP.md: mention assumption on data format [96]
o CURLOPT_RTSP_SESSION_ID.md: clarify reuse "dangers" [270]
o CURLOPT_RTSP_SESSION_ID.md: expand the comment [267]
o CURLOPT_RTSP_SESSION_ID.md: minor language fix
o CURLOPT_SOCKS5_AUTH.md: an access property [212]
o CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse [105]
o CURLOPT_UPLOAD_FLAGS.md: expand [223]
o curlx_now(), prevent zero timestamp [93]
o DEPRECATE: fix minor release number typo
o digest: pass in the user name quoted (as well) [34]
o dns: https-eyeballing async [229]
o dnscache: own source file, improvements [116]
o docs/cmdline-opts/write-out.md: tls_earlydata was added in 8.13.0
o docs/cmdline-opts: tidy up retry-connrefused [190]
o docs/lib: fix typos [53]
o docs/libcurl: improve easy setopt examples [266]
o docs: clarify retry-max-time timing [294]
o docs: CURLOPT_LOGIN_OPTIONS is a login property [228]
o docs: enable more compiler warnings for C snippets, fix 3 finds [71]
o docs: list more dependencies for running Python HTTP tests [123]
o docs: mention more zip bomb precautions [166]
o docs: minor wording tweaks
o docs: noproxy wants the punycoded hostname version [214]
o docs: SSH host verification is done at connect time [197]
o docs: use the correct CURLOPT_WRITEFUNCTION signature [142]
o doh: fix memory-leak when doing a second DoH resolve [55]
o doh: remove superfluous doh_req check [222]
o examples/websocket: fix to sleep more on Windows [92]
o examples: drop warning silencers no longer hit [14]
o examples: fix typo in comment [75]
o file: init fd to -1 to prevent close fd 0 on early failure [40]
o fopen: for temp files, inherit permissions only for owner [146]
o ftp: do not strdup DATA hostname [29]
o ftp: make the MDTM date parser stricter (again) [115]
o ftp: reject PWD responses containing control characters [95]
o gcc: guard `#pragma diagnostic` in core code for <4.6 [94]
o generate.bat: remove extra % from VC11 and VC12 runs
o genserv.pl: make external calls safe [119]
o getinfo: initialize `PureInfo` field `used_proxy` [43]
o getinfo: repair CURLINFO_TLS_SESSION [193]
o gnutls: fix clang-tidy warning with !verbose [126]
o gtls: fail for large files in `load_file()` [174]
o h3: HTTPS-RR use in HTTP/3 [221]
o Happy Eyeballs: add resolution time delay [238]
o haproxy: use correct ip version on client supplied address [275]
o hostip: clear the sockaddr_in6 structure before use [20]
o hostip: init the curl_jmpenv_lock appropriately [278]
o hostip: resolve user supplied ip addresses [259]
o HSTS: cap the list [177]
o hsts: make the HSTS read callback handle name dupes [141]
o hsts: skip expired HSTS entries read from file [188]
o hsts: when a dupe host adds subdomains, use that [130]
o http2: clear the h2 session at delete [99]
o http2: prevent secure schemes pushed over insecure connections [181]
o http2: return error on OOM in push headers [65]
o HTTP3.md: drop outdated mentions of OpenSSL-QUIC [2]
o http: clear credentials better on redirect [204]
o http: clear digest nonce on cross-origin redirect [269]
o http: clear the proxy credentials as well on port or scheme change [246]
o http: fix auth_used and auth_avail [154]
o http: fix Curl_compareheader for multi value headers [11]
o http: make Curl_compareheader handle multiple commas in header
o http: on 303, switch to GET [208]
o http: use header_has_value() instead of duplicate code [251]
o imap: reset the UIDVALIDITY state between transfers [7]
o include: drop 'will' from public headers [73]
o INSTALL.md: update Cygwin instructions [198]
o keylog.h: replace literal number with macro in declaration [171]
o keylog: drop unused/redundant includes and guards [172]
o ldap: drop duplicate `ldap_set_option()` on Windows [42]
o ldap: fix to initialize cleartext connection on Windows [49]
o lib1560: fix comment typo
o lib1960: fix test failure [255]
o lib: accept larger input to md5/hmac/sha256/sha512 functions [194]
o lib: always use Curl_1st_fatal instead of Curl_1st_err [89]
o lib: fix typos in comments [240]
o lib: make resolving HTTPS DNS records reliable: [176]
o lib: minor comment typos [237]
o lib: move request specific allocations to the request struct [256]
o lib: replace `PRI*32` printf masks with C89 ones [201]
o libssh2: allocate libssh2-friendly memory in kbd_callback [225]
o libssh2: fix error handling on quote errors [21]
o libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0 [215]
o libssh: fix `-Wsign-compare` in 32-bit builds [217]
o libssh: path length precaution [164]
o libssh: propagate error back in SFTP function [178]
o libtest: drop duplicate include [111]
o location/follow: mention netrc [138]
o man: fix argument type for `CURLSHOPT_[UN]SHARE` options [211]
o mbedtls: cleanup more without care for 'initialized' [262]
o mbedtls: fix ECJPAKE matching [135]
o mbedtls: remove failf() call with first argument as NULL [249]
o md4, md5: switch to wolfCrypt API in wolfSSL builds [139]
o mime: only allow 40 levels of calls [241]
o misc: fix code quality findings [209]
o mk-ca-bundle.pl: make `ca-bundle.crt` timestamp match `certdata.txt`'s [44]
o multi: enhance pending handles fairness [284]
o multi: fix connection retry for non-http [180]
o multi: improve wakeup and wait code [118]
o netrc: find login-less password when user is given in URL [6]
o netrc: remove unused parsenetrc() macro for netrc-disabled [121]
o netrc: skip malformed macdef lines [67]
o openssl channel_binding: lookup digest algorithm without NID [117]
o openssl: drop obsolete SSLv2 logic [27]
o openssl: fix build with 4.0.0-beta1 no-deprecated [184]
o openssl: fix memory leaks in ECH code (OpenSSL 3) [78]
o openssl: fix unused variable warnings in !verbose builds [252]
o openssl: trace count of found / imported Windows native CA roots [8]
o OS400: add new definitions to the ILE/RPG binding. [153]
o os400sys: fix typo in comment (symetry -> symmetry) [58]
o parsedate: bsearch the time zones [232]
o parsedate: fix wrong treatment of "military time zones" [182]
o parsedate: refactor [230]
o perl: harden external command invocations [133]
o progress: count amount of data "delivered" to application [66]
o protocol.h: fix the CURLPROTO_MASK [31]
o protocol: disable connection reuse for SMB(S) [199]
o protocol: use scheme names lowercase [38]
o proxy: chunked response, error code [143]
o pytest: add additional quiche check for flaky test_05_01 [22]
o pytest: check 429 handling [268]
o rand: use `BCryptGenRandom()` in UWP builds [88]
o ratelimit: reset on start [150]
o request: reset resp_trailer in new requests [186]
o runtests: skip setting ed25519 SSH key format [264]
o rustls: fix memory leak on repeated SSLKEYLOGFILE fails [280]
o rustls: handle EOF during initial handshake [203]
o schannel: increase renegotiation timeout to 60 seconds [261]
o scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl) [109]
o scripts: harden / tidy up more Perl `system()` calls [70]
o sectrust: fail on missing OCSP stapling [250]
o sendf: fix CR detection if no LF is in the chunk [219]
o setopt: clear proxy auth properties when switching [192]
o setopt: fix typos in comments [257]
o setopt: move CURLOPT_CURLU [260]
o setup connection filter: mark as setup [234]
o sha256, sha512_256: switch to wolfCrypt API [147]
o sha256: support delegating to wolfSSL API [148]
o share: concurrency handling, easy updates [104]
o share: do bitshifts after the type is checked to be valid [216]
o socks: reject zero-length GSSAPI/SSPI tokens from proxy [157]
o socks: use dns filter for resolving [244]
o spelling: fix typos [173]
o src: use ftruncate() unconditionally [128]
o sshserver.pl: harden more `system()` calls [81]
o sshserver.pl: pass command-line to `system()` safely [82]
o strerr: correct the strerror_s() return code condition [25]
o sws: fix potential OOB write [80]
o synctime: fix off-by-one read and write to a read-only buffer (Windows) [85]
o test 766: flag as timing-dependent [136]
o test1675: unit tests for URL API helper functions [248]
o test459: switch to mode="warn" for stderr check [5]
o testcurl.pl: replace shell commands with Perl `rmtree()` [76]
o tests/unit/README: describe how to unit test static functions [60]
o tests: avoid infinite recursion for `make check` [253]
o tests: use %b64[] instead of "raw" base64 [245]
o tool: check for curlinfo->age when determining if ssh backend [77]
o tool: fix memory mixups [106]
o tool: fix retries in parallel mode [137]
o tool: fix two more allocator mismatches [155]
o tool_cb_hdr: only truncate etags output when regular file [129]
o tool_cb_rea: make waitfd() return void [168]
o tool_cb_wrt: fix no-clobber error handling [39]
o tool_cfgable: free the SSL signature algorithms [62]
o tool_dirhie: fix to create drive-relative directory [276]
o tool_formparse: propagate my_get_line errors when reading headers [102]
o tool_getparam: use correct free function for libcurl memory [68]
o tool_ipfs: accept IPFS gateway URL without set port number [13]
o tool_msgs: avoid null pointer deref for early errors [98]
o tool_operate: actually apply the --parallel-max-host limit [167]
o tool_operate: drop the scheme-guessing in the -G handling [54]
o tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows) [79]
o tool_operate: fix memory-leak on failed uploads [124]
o tool_operate: fix minor memory-leak on early error [23]
o tool_operate: reset the upload glob counter for next URL [162]
o tool_operhlp: fix `add_file_name_to_url()` result on OOM [32]
o tool_operhlp: iterate through all slashes to find name [114]
o tool_operhlp: propagate low-level OOM in `add_file_name_to_url()` [112]
o tool_setopt: return error on OOM correctly [152]
o tool_urlglob: fix memory-leak on glob range overflow [19]
o top-complexity: prevent filename-based shell injection risk [101]
o transfer: clear the old autoreferer [236]
o transfer: clear the URL pointer in OOM to avoid UAF [179]
o transfer: enable custom methods again on next transfer [30]
o transfer: enhance secure check [10]
o unit1675: fix `-Wformat-signedness` [274]
o url: do not reuse a non-tls starttls connection if new requires TLS [145]
o url: improve connection reuse on negotiate [160]
o url: init req.no_body in DO so that it works for h2 push [161]
o url: set default upload flags to CURLULFLAG_SEEN [224]
o url: use the socks type for socks proxy [47]
o url: use URL for url even in comments [52]
o urlapi: fix handling of "file:///" [122]
o urlapi: make dedotdotify handle leading dots correctly [97]
o urlapi: same origin tests [213]
o urlapi: stop extracting hostname from file:// URLs on Windows [247]
o urlapi: verify the last letter of a scheme when set explicitly [16]
o urldata.h: fix typo and lingering backtick [279]
o urldata: connection bit ipv6_ip is wrong [59]
o urldata: import port types and conn destination format [57]
o urldata: make hstslist only present in HSTS builds [120]
o urldata: make speeder_c uint32 [37]
o urldata: move cookiehost to struct SingleRequest [242]
o urldata: remove trailers_state [17]
o vquic: fix variable name in fallback code [207]
o vtls: fix comment typos and tidy up a type [285]
o vtls: log when key logging is enabled. [288]
o vtls_scache: check reentrancy [243]
o vtls_scache: include cert_blob independently of verifypeer [231]
o wolfssl: document v5.0.0 (2021-11-01) as minimum required [151]
o wolfssl: fix `-Wmissing-prototypes` [233]
o wolfssl: fix handling of abrupt connection close [24]
o write-out.md: minor language fix [273]
o write-out.md: tls_earlydata was added in 8.13.0
o ws: fix a blocking curl_ws_send() to report written length correctly [258]
o x509asn1: fix to return error in an error case from `encodeOID()` [83]
o x509asn1: fixed and adapted for ASN1tostr unit testing [48]
o x509asn1: improve encodeOID [72]
Planned upcoming removals include:
o local crypto implementations
o NTLM
o SMB
o TLS-SRP support
See https://curl.se/dev/deprecate.html
|
| 2026-03-11 08:08:39 by Thomas Klausner | Files touched by this commit (3) |
Log message:
curl: update to 8.19.0.
curl and libcurl 8.19.0
Public curl releases: 273
Command line options: 273
curl_easy_setopt() options: 308
Public functions in libcurl: 100
Contributors: 3619
This release includes the following changes:
o we stopped the bug bounty [23]
o cmake: add `CURL_BUILD_EVERYTHING` option [51]
o initial support for MQTTS [81]
o tool: support fractions for --limit-rate and --max-filesize [79]
o tool_cb_hdr: with -J, use the redirect name as a backup [147]
o vquic: drop support for OpenSSL-QUIC [80]
o windows: add build option to use the native CA store [82]
o windows: bump minimum to Vista (from XP) [12]
This release includes the following bugfixes:
o altsvc: only accept 17 byte dates from files [22]
o asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails [107]
o async-ares: blocking resolve timeout handling, better [239]
o badwords: move into ./scripts, speed up [187]
o build: add missing `GENERATEDCERTS` files [210]
o build: adjust minimum version for some clang picky warnings [211]
o build: check `MSG_NOSIGNAL` directly, drop detection and interim macro [26]
o build: constify `memchr()`/`strchr()`/etc result variables (cont.) [85]
o build: detect and include `inttypes.h` again [13]
o build: do not include wolfSSL header in `curl_setup.h` [215]
o build: drop duplicate C includes [54]
o build: drop global suppression of `-Wformat-nonliteral`, fix fallouts [19]
o build: drop unused `snprintf()` feature check on Windows [261]
o build: fix `-Wunused-macros` warnings, and related tidy-ups [176]
o build: fix building rare combinations [109]
o build: fully omit verbose strings and code when disabled [113]
o build: globally suppress DJGPP warnings in `FD_SET()` [56]
o build: merge TrackMemory (`CURLDEBUG`) into debug-enabled option [46]
o build: move curl stat struct type to the curlx namespace [156]
o build: opt-in MSVC to C99-style verbose logging logic [108]
o build: require POSIX `strdup()` [159]
o build: tidy up and dedupe `strdup` functions [162]
o cf-socket: ignore SOCK_CLOEXEC etc for socktype equality checks [226]
o cf-socket: use SOCK_CLOEXEC in socket_open when available [130]
o checksrc-all.pl: skip non-repository files [144]
o checksrc: do not apply `BANNEDFUNC` to struct member functions [35]
o checksrc: warn for leading spaces before the preprocessor hash [72]
o clang-tidy: add missing and delete redundant parentheses [155]
o clang-tidy: add more missing parentheses in macro values [224]
o clang-tidy: avoid/silence `bugprone-not-null-terminated-result` [222]
o clang-tidy: check `bugprone-macro-parentheses`, fix fallouts [212]
o clang-tidy: drop redundant conditions reported by `misc-redundant-expression` [217]
o clang-tidy: enable `bugprone-signed-char-misuse`, fix fallouts [227]
o clang-tidy: enable more checks [225]
o clang-tidy: enable scanning headers [205]
o clang-tidy: fix issues found with build-fuzzing [275]
o clang-tidy: silence more minor issues found by v22 [276]
o cmake/FindMbedTLS: add workaround for missing static MSVC `mbedcrypto.lib` 4.0.0 [174]
o cmake: add `CURL_DROP_UNUSED` option to reduce binary sizes [105]
o cmake: add native clang-tidy support for tests, with concatenated sources [223]
o cmake: always build curlu and curltool test libs in unity mode [190]
o cmake: always define `CURL::win32_winsock` on Windows in `curl-config.cmake` [104]
o cmake: convert `curl_add_clang_tidy_test_target()` macro to function [281]
o cmake: enable binutils ld workaround for all toolchains at build-time [57]
o cmake: fix `LOCATION` property access condition (debug) [241]
o cmake: fix `LOCATION` property read errors in target debug function [243]
o cmake: fix building with `CMAKE_FIND_PACKAGE_PREFER_CONFIG=ON` [254]
o cmake: fix confusing error when a dependency is undetected in `curl-config.cmake` [169]
o cmake: fix logic for openssl/zlib binutils ld workaround [71]
o cmake: fix passing system header directories to clang-tidy for tests [221]
o cmake: fix system include directory position for clang-tidy in tests [284]
o cmake: improve clang-tidy test command-line reproduction [242]
o cmake: minor fixes to test targets after prev [214]
o cmake: normalize uppercase hex winver (for display) [191]
o cmake: omit `curl.rc` from curltool lib [209]
o cmake: reference OpenSSL and ZLIB imported targets only when enabled [41]
o cmake: replace internal option with a new `tt` (test tools) target [220]
o cmake: silence potential unused var warnings in C++ test snippet [201]
o cmake: silence silly Apple clang warnings in C89 mode, test in CI [14]
o cmake: silence useless compiler warnings triggered by the FASTBuild generator [43]
o cmake: skip binutils ld hack if zlib/openssl target is not `IMPORTED` [90]
o cmake: warn for invalid `CURL_TARGET_WINDOWS_VERSION` values [192]
o cmake: add `*_USE_STATIC_LIBS` options for 9 dependencies [49]
o config-plan9: set `HAVE_STDINT_H` again [17]
o config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST [120]
o config2setopts: fix for --disable-aws build configuration [34]
o configure: drop always true `if` check (Windows) [250]
o content_encoding: return 'identity' if none other exists [235]
o curl: add -I and -i to -h important [135]
o curl: limit Windows-specific code to Windows builds, other tidy-ups [48]
o curl_easy_nextheader.md: a new transfer invalidates 'prev' [69]
o curl_get_line: drop single-use macro [93]
o curl_multi_perform.md: resolve inconsistency [143]
o curl_ntlm_core: merge two `#if` blocks [177]
o curl_setup.h: drop extra header guard for internal include [91]
o curl_setup.h: merge back single-use internal header `curl_setup_once.h` [78]
o curl_setup.h: simplify curl memory macro mappings [163]
o curl_setup_once: allow CURL_DEBUGASSERT for customization [125]
o CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md: fix available protocols [97]
o curlx: drop unused `curlx_saferealloc()` [161]
o digest: escape double quotes and backslashes in realm and nonce [83]
o digest: fix memory leak in auth_create_digest_http_message() [263]
o digest: handle quotes in the path [50]
o docs/INSTALL: update configure details [45]
o docs/libcurl: unify WARNING use [89]
o docs: add LibreELEC to DISTROS.md
o docs: add reproducible example for generating man page [95]
o docs: avoid starting sentences with However, [175]
o docs: avoid using the word 'magic' [256]
o docs: clarify --ipv4 and --ipv6 [149]
o docs: document the need for a 64-bit type and stdint.h [118]
o docs: drop basically [229]
o docs: explicitly call out Slowloris as not a security flaw [6]
o docs: fix grammar nitpicks [128]
o docs: handle error in `curl_global_init*` examples [204]
o docs: replace instances of the vague qualifier 'quite' [171]
o docs: reword explanation of --variable option [150]
o docs: some nitpicks [277]
o docs: use dot instead of comma at end of sentences [168]
o easy: reset errorbuf on eyeballing success [179]
o easy: reset pausing when resetting request [218]
o examples/usercertinmem: use modern OpenSSL API, drop mentions of RSA [188]
o examples: improve OpenSSL certificate examples [248]
o examples: omit forward declarations, apply misc fixes [60]
o FAQ: syntax improvements [230]
o fopen.h: simplify curl memory macro mappings [160]
o ftp: replace a `curlx_free()` with `curlx_dyn_free()` [86]
o ftp: split ftp_state_use_port into sub functions [172]
o GOVERNANCE.md: Post-Daniel BDFL [31]
o gss: exclude verbose error logic from non-verbose builds [122]
o h2+h3: align stream close handling [131]
o hostip.c: fix leak of addrinfo [11]
o hostip6: remove debug-only code [24]
o hostip: fix unreachable code in rare build configuration [74]
o http/3: add description for known server error codes [15]
o http1: fix potential NULL dereference in `Curl_h1_req_parse_read()` [268]
o http: only send bearer if auth is allowed [228]
o http_aws_sigv4: fix query normalization of %2b [117]
o imap: add a check for Curl_meta_get() [157]
o imap: check `imap_sendf()` printf masks at compile-time [67]
o imap: skip literals inside quoted strings [30]
o include: avoid recursive macros [182]
o include: mask computed auth/proto bitmasks to 32 bits [145]
o INSTALL-CMAKE.md: document Apple framework options [53]
o INSTALL.md: fix typo [278]
o INSTALL.md: suggest `-Wl,-dead_strip` for Apple targets [68]
o KNOWN_BUGS.md: absolute Unix domain filename for SOCKS on Windows [37]
o ldap: silence clang-tidy v22 warning [279]
o ldap: silence potential unused variable warning (OS400) [55]
o lib: delete unused local includes [181]
o lib: disable websockets early if no http [140]
o lib: make sigpipe handling more lazy [52]
o lib: reorder protocol functions to avoid forward declarations (email) [76]
o lib: reorder protocol functions to avoid forward declarations (ftp) [75]
o lib: reorder protocol functions to avoid forward declarations (misc cont.) [66]
o lib: reorder protocol functions to avoid forward declarations (misc) [77]
o lib: reorder protocol functions to avoid forward declarations (ssh) [65]
o lib: separate scheme info from protocol implementation [42]
o lib: skip compiling code with features disabled [189]
o lib: use (u)int64_t instead of long long [39]
o libcurl docs: reduce 'since ...' in descriptions [28]
o libcurl-security.md: fix typos and add a point about URLs
o libtests: drop two redundant `memset()`s [110]
o Makefile.am: delete RPM targets referencing non-existent files [9]
o Makefile.am: drop stray VC project files from dist [5]
o managen: silence Perl warnings [141]
o mbedtls: guard TLS 1.3 + session tickets usage inside ifdef [260]
o mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE [29]
o mbedtls: remove newline from failf() call [25]
o mbedtls: split mbed_connect_step1 into sub functions [166]
o md4, md5: drop redundant forward declarations [64]
o md4, md5: replace custom types with `uint32_t` [111]
o memdebug: include `backtrace.h` as system header [148]
o mime: drop fallback for unused `R_OK` macro [58]
o mimepost: allocate main struct on-demand [20]
o mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos [138]
o mod_curltest: silence unused argument compiler warning [63]
o mprintf: drop old sprintf fallback [7]
o mprintf: rename internal enum to avoid collision with AmigaOS symbol [183]
o mprintf: silence clang-tidy `readability-suspicious-call-argument` [262]
o mprintf: use `_snprintf()` when compiled with VS2013 and older [280]
o mqtt: better too-big-message-check [73]
o mqtt: fix EOF handling [231]
o mqtt: verify Remaining Length for CONNACK and PUBACK [153]
o msvc: drop exception, make `BIT()` a bitfield with Visual Studio [2]
o msvc: VS2026: unlock picky warning in cmake, test in CI [198]
o multi: avoid a theoretical 32-bit wrap [186]
o multi: fix unreachable code compiler warning [264]
o multi: probe for IPv6 functionality in multi_init() [114]
o multi: split multi_runsingle into sub functions [197]
o multi: update timer unconditionally in multi_remove_handle [158]
o ngtcp2: stabilize recv [18]
o noproxy: simplify, don't mix const non-const in strchr() [88]
o openldap: avoid forward declarations in ldaps code [62]
o openssl+ech: workaround for insecure handshakes [238]
o openssl: adapt to OpenSSL master adding const to more APIs [253]
o OpenSSL: check reuse of sessions for verify status [142]
o openssl: disable local keylog feature if built-in upstream [178]
o openssl: fix compiler warning with OpenSSL master [193]
o openssl: fix potential NULL dereference when loading certs (Windows) [165]
o openssl: fix potential OOB read in debug/verbose logging [216]
o plan9: drop special build and orphaned references [33]
o proxy-auth: additional tests [232]
o pytest: remove 03_02 [127]
o quiche: use PRIu64 for outputting the stream id [184]
o rand: drop impossible preprocessor branches (wincrypt) [246]
o rand: drop scan-build silencer [245]
o ratelimit: download finetune [16]
o request.h: rename parameter 'buf' to 'req' in Curl_req_send [219]
o REUSE: drop broken reference to `MAIL-ETIQUETTE` [59]
o rtsp: fix assertion failure on zero-length RTP payload [180]
o rtspd: fix to check `realloc()` result [173]
o runtests: pass config filename to stunnel in native format (Windows) [94]
o schannel: refactor: reduce variable scopes, fix comment, fix indent [196]
o send: drop `CURL_UNCONST()` from buffer argument on most platforms [116]
o setopt: fix checking range for CURLOPT_MAXCONNECTS [92]
o setopt: refuse blobs with zero length [167]
o setup-os400.h: drop no longer used custom type `u_int32_t` [112]
o sigpipe: unset SA_SIGINFO since it is using sa_handler [40]
o silent.md: also mention it shuts off warning messages [213]
o smb: free the path in the request struct properly [137]
o smb: include arpa/inet.h for NonStop [195]
o socket: check result of SO_NOSIGPIPE [124]
o socketpair: clear 'err' when retrying due to EINTR [233]
o socketpair: set SO_NOSIGPIPE where possible [103]
o socks: ensure DNS is freed in failure cases. [247]
o src: simplify declaring `curl_ca_embed` [185]
o ssh: dedupe state change function [99]
o stop using the word 'just' [257]
o sws: prevent "connection monitor" to say disconnect twice
o synctime: fix use of uninitialized buffer on non-Windows [234]
o system_win32: replace manual init code with `curlx_now_init()` call [170]
o tests/server/sockfilt: avoid possible endless loop on Windows [101]
o tests/server: drop unused `curlx/version_win32.c` [151]
o tests/server: fix to clear the complete `srvr_sockaddr_union_t` variable [207]
o tests/server: tidy-up error messages (Windows) [102]
o tests: avoid assignment in `if` conditions in `first.h` [126]
o tests: convert base64 data to %b64[] [87]
o tftp: correct the filename length check [70]
o timeout handling: auto-detect effective timeout [121]
o tls: add new SSLSUPP flags for several options [32]
o tls: remove checks for DEFAULT [136]
o tool: enable header separation for HTTPS proxies [106]
o tool: improve config error messaging [208]
o tool: improve error/warning messages when output filename sanitization fails [36]
o tool: rename curl handle and result variable in `--libcurl`-generated code [146]
o tool: return code variable consistency [84]
o tool_cb_hdr: suppress header output when --out-null [10]
o tool_cb_prg: drop duplicate preprocessor logic [119]
o tool_dirhie: drop superfluous `F_OK` fallback (Windows) [8]
o tool_doswin: avoid memory-leak with CURL_FN_SANITIZE_* [236]
o tool_doswin: avoid Windowsisms in socket code (cont.) [134]
o tool_doswin: avoid Windowsisms in socket code [139]
o tool_doswin: document `ENABLE_VIRTUAL_TERMINAL_PROCESSING` toolchain support [44]
o tool_getparam: avoid `-Wcomma` with Apple clang in C89 mode [38]
o tool_operate: remove 'else' for VMS [3]
o tool_operate: reset the URL --url-query between --next [237]
o typos: silence false positives found in C code [164]
o unit3205: suppress two clang-tidy false positives [206]
o URL-SYNTAX.md: fix port number mistakes for IMAP and LDAP [200]
o url.c: code/comment cleanup around conn creation [132]
o url.h: fix `-Wdocumentation` [61]
o url: fix reuse of connections using HTTP Negotiate [100]
o urlapi: use U_CURLU_URLDECODE when toggling it off unsigned [255]
o urldata.h: remove two forward-declared structs not used [4]
o urldata: byebye `conn->hostname_resolve` [240]
o urldata: change 'keep_post' into three distinct bitfields [21]
o urldata: convert 'long' fields to fixed variable types [47]
o urldata: switch to uint* types [1]
o usercertinmem: use the correct cert BIO [249]
o verbose.md: explain the { and } prefixes [96]
o vquic: fix unused variable warning reported by clang-tidy [152]
o vquic: handle SOCKEMSGSIZE correctly [129]
o vtls: dedupe common on-session-reuse logic [98]
o vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests [123]
o VULN-DISCLOSURE-POLICY.md: push reports to the web form [154]
o VULN-DISCLOSURE-POLICY.md: use hackerone [202]
o winapi: use FormatMessageA instead of FormatMessageW [115]
o windows: `USE_WINSOCK` to guard winsock2 code (where missing) [133]
o windows: determine `RtlVerifyVersionInfo` address on global init [258]
o windows: tidy up `wincrypt.h` / BoringSSL/AWS-LC coexist workaround [203]
o wolfssl: fix build without USE_BIO_CHAIN [27]
o ws/tftp: include header file even when protocol disabled [194]
o x509asn1: make encodeOID stop on too long input [199]
|