Release created at Mon Sep 29 11:46:22 CST 2025
Synchronize Alpha branch code updates, keeping only the latest version


我应该下载哪个文件? / Which file should I download?
二进制文件筛选 / Binary file selector
查看文档 / Docs

What's Changed

• 0ced98d feat: support sending ping requests via direct in tun mode by @wwqgtxx

• 0dc5e30 feat: add mTLS support for client & server (certificate and private-key for proxies, client-auth-type and client-auth-cert for listeners( by @wwqgtxx

• 571be85 feat: support mieru 0-RTT handshake (#2261) by @enfein

• 6786705 feat: remove ca and ca-str in hy1/hy2/tuic outbound, using fingerprint instead by @wwqgtxx

• 80a90f0 feat: support AmneziaWG v2.0 by @wwqgtxx

• 9a124a3 feat: add disable-icmp-forwarding option to tun (#2248) by @Nuofang

• abe6c3b feat: support kcptun plugin for ss client/server by @wwqgtxx

• For macOS users: According to the Go wiki, Go 1.25 no longer supports macOS 11. macOS 11 users are advised to download the binary with the go124 tag, macOS 10.15 users are advised to download the binary with the go122 tag, and macOS 10.13 users are advised to download the binary with the go120 tag.

• Note: For amd64 platform, -amd64 and -amd64-compatible versions have been deprecated. -amd64-v1, -amd64-v2 and -amd64-v3 will be used to mark the CPU level. Please adapt the automatic update script in time for downstream projects.

BUG & Fix

• 02d954b fix: server mux conn not close by @wwqgtxx
• 1b99759 fix: ntp time method not passing to ss2022 client by @wwqgtxx
• 23448ec fix: incomplete read filter in vision by @wwqgtxx
• 30bead4 fix: ntp not apply to reality client by @wwqgtxx
• 4188277 fix: tuic server goroutine leak by @wwqgtxx
• 455f213 fix: xudp server source addr losing by @wwqgtxx
• 472cefb fix: snat key in packet listener by @wwqgtxx
• 6c527f8 fix: panic when wintun dll fails to load by @wwqgtxx
• 7061c5a fix: possible data location errors in vision read by @wwqgtxx
• 74e64d3 fix: maybe "invalid cross-device link" in update ui by @wwqgtxx
• 7e9e12c fix: SyscallVectorisedPacketWriter not handle inet type in address processing by @wwqgtxx
• 8cdfd87 fix: ip4p port not apply in resolveUDPAddr by @wwqgtxx
• 909729c fix: allow use vision on vless encryption over ws by @wwqgtxx
• 92ecdfc fix: data race on darwin by @wwqgtxx
• 9cc208b fix: reality shouldn't check chacha by @wwqgtxx
• a8f7e25 fix: backticks cannot be used to separate multiple regular expressions in the exclude-filter of proxy-providers by @wwqgtxx
• c4449a9 fix: ntp not apply to reality server by @wwqgtxx
• ccff003 fix: get localAddr error by @wwqgtxx
• dd7b3c2 fix: race codes by @wwqgtxx
• f02766a fix: reshaping buffer maybe too long in vision by @wwqgtxx
• fed4b36 fix: auto update local file provider (#2245) by @nunu6689

Maintenance

• 00638f3 chore: don't test sing-mux over grpc by @wwqgtxx
• 0336d64 chore: cleanup vision code by @wwqgtxx
• 08fc100 chore: cleanup ntp code by @wwqgtxx
• 0992ee8 chore: remove depend of gopsutil by @wwqgtxx
• 0c25831 chore: replace HasAESGCMHardwareSupport in vless encryption by @wwqgtxx
• 0c556bc chore: replace hashicorp/yamux to our forked libp2p/go-yamux by @wwqgtxx
• 0d3d31d chore: ready for handwritten addons parsing by @wwqgtxx
• 108bf64 chore: merge the server-side and client-side vision implementations by @wwqgtxx
• 1b1f95a chore: consolidate mieru port configuration (#2277) by @enfein
• 1d09ed8 chore: simplify resolveUDPAddr by @wwqgtxx
• 2222d0e chore: update gvisor by @wwqgtxx
• 2987200 chore: sync vless encryption code by @wwqgtxx
• 29eaa4d chore: add test for memory module by @wwqgtxx
• 318b352 chore: better handwritten addons parsing by @wwqgtxx
• 33cde65 chore: sync vless encryption code by @wwqgtxx
• 3a1caf1 chore: better batchConn handle in kcp-go by @wwqgtxx
• 3b63fef chore: better defensive programming by @wwqgtxx
• 40b2cde chore: cleanup dns client code by @wwqgtxx
• 45cb45a chore: simplify randBetween by @wwqgtxx
• 50e1afd chore: cleanup vless code by @wwqgtxx
• 545d9b8 chore: sync vless encryption code by @wwqgtxx
• 57b527d chore: simplify GetMemoryInfo in darwin by @wwqgtxx
• 57e14e5 chore: cleanup internal ca using by @wwqgtxx
• 5c73025 chore: change vless encryption code to our style by @wwqgtxx
• 5e17d6f chore: simplify N.Relay by @wwqgtxx
• 63781b3 chore: decrease memory using by @wwqgtxx
• 65d3920 chore: update dependencies by @wwqgtxx
• 74a86f1 chore: update dependencies by @wwqgtxx
• 7917f24 chore: more check in listeners start by @wwqgtxx
• 7e71d21 chore: improve fingerprint verifier handle non-leaf certificate by @wwqgtxx
• 8a9300d chore: better WriteBuffers support in smux by @wwqgtxx
• 8eba1c8 chore: sync vless encryption code by @wwqgtxx
• a0f1ac4 chore: apply ntp time function more place by @wwqgtxx
• ad69ee8 chore: cleanup ntp code by @wwqgtxx
• b27325e chore: update dependencies by @wwqgtxx
• b57f305 chore: speedup convid generation by @wwqgtxx
• c6e596f chore: full reset buffer after directRead by @wwqgtxx
• c98f5f4 chore: sync vless encryption code by @wwqgtxx
• cdd02a9 chore: sync vless encryption code by @wwqgtxx
• cea29e2 chore: sync code style by @wwqgtxx
• d6f1af5 chore: cleanup queue code by @wwqgtxx
• e28c8e6 chore: sync anytls v0.0.11 (#2276) by @anytls
• f3ebd5c chore: clarify function descriptions and variable names by @wwqgtxx
• f8ee5c1 chore: sync vless encryption code by @wwqgtxx
• fdc46f0 chore: update utls to tag version by @wwqgtxx

Full Changelog: v1.19.13...v1.19.14

⚠️⚠️ Warning: Any GUI client with the word mihomo in its name is not related to this project and violates the license agreement. Please do not use these malicious software. ⚠️⚠️

What's Changed

• 1b0c72b feat: support vless encryption by @wwqgtxx client doc server doc

• 5f09db2 feat: support AmneziaWG v1.5 by @wwqgtxx doc

• dc52c38 fix: ? in DOMAIN-WILDCARD should match exactly one character #2204 by @wwqgtxx

• For macOS users: According to the Go wiki, Go 1.25 no longer supports macOS 11. macOS 11 users are advised to download the binary with the go124 tag, macOS 10.15 users are advised to download the binary with the go122 tag, and macOS 10.13 users are advised to download the binary with the go120 tag.

• Note: For amd64 platform, -amd64 and -amd64-compatible versions have been deprecated. -amd64-v1, -amd64-v2 and -amd64-v3 will be used to mark the CPU level. Please adapt the automatic update script in time for downstream projects.

BUG & Fix

• 0f1baeb fix: updater may not be able to overwrite files directly by @wwqgtxx
• 0f76fdf fix: vision on vless encryption by @wwqgtxx
• 2605bf7 fix: add code signing for macOS executables during file copy by @xishang0128
• 26f6030 fix: 335d54e sync mistake by @wwqgtxx
• 2a915a5 fix: vless server close by @wwqgtxx
• 375e160 fix: data loss in vision server read by @wwqgtxx
• 48f3ea8 fix: buffer handle in vision server read by @wwqgtxx
• 8e6be19 fix: h2mux client closed by @wwqgtxx
• 99e888c fix: missing WriterReplaceable for deadline.Conn by @wwqgtxx
• adf553a fix: generate doc by @wwqgtxx
• d2395fb fix: allow disabling ALPN by setting an empty array (#2225) by @eWloYW8
• e3d9a8e fix: vision on vless encryption by @wwqgtxx
• e89af72 fix: auto redirect panic by @wwqgtxx
• e8fddd8 fix: vless packetaddr not working by @wwqgtxx
• eca5a27 fix: mlkem768 logging by @wwqgtxx

Maintenance

• 0003530 chore: let /upgrade support channel and force as parameters in restful api by @wwqgtxx
• 03f4513 chore: sync vless encryption code by @wwqgtxx
• 0408da2 chore: sync vless encryption code by @wwqgtxx
• 0836ec6 chore: change time.Duration atomic using by @wwqgtxx
• 089766b chore: update TypedValue in sing by @wwqgtxx
• 0e9102d chore: don't test h2mux for the inbound by @wwqgtxx
• 10174d2 chore: update wireguard-go by @wwqgtxx
• 12c30ac chore: cleanup vision code by @wwqgtxx
• 16d95df chore: better wildcard test by @wwqgtxx
• 16ff9e8 chore: code cleanup by @wwqgtxx
• 182f60d chore: sync vless encryption code by @wwqgtxx
• 1ae050c chore: sync vless encryption code by @wwqgtxx
• 2790481 chore: update cast using in sing-vmess by @wwqgtxx
• 2a8831b chore: sync vless encryption code by @wwqgtxx
• 335d54e chore: sync vless encryption code by @wwqgtxx
• 41b321d chore: sync vless encryption code by @wwqgtxx
• 438be2d chore: update mieru version (#2215) by @enfein
• 443200a chore: sync vless encryption code by @wwqgtxx
• 46dccf2 chore: sync vless encryption code by @wwqgtxx
• 48c1b1c chore: remove depend on lunixbochs/struc by @wwqgtxx
• 4e20ed6 chore: sync vless encryption code by @wwqgtxx
• 578e659 chore: keep original file permissions when unpack in updater by @wwqgtxx
• 664ddb8 chore: simplifying generator code by @wwqgtxx
• 6c726d6 chore: test different http data size for inbound by @wwqgtxx
• 71290b0 chore: reimplement TypedValue by atomic.Pointer by @wwqgtxx
• 7392529 chore: add a confused benchmark for wildcard by @wwqgtxx
• 76e40ba chore: sync vless encryption code by @wwqgtxx
• 7960bca chore: code cleanup by @wwqgtxx
• 7e0a77c chore: sync vless encryption code by @wwqgtxx
• 7f38763 chore: update hkdf using by @wwqgtxx
• 84086a6 chore: update dependencies by @wwqgtxx
• 854c6a1 chore: sync vless encryption code by @wwqgtxx
• 873d0de chore: make XorConn replaceable for splice by @wwqgtxx
• 946b402 chore: code cleanup by @wwqgtxx
• a0bdb86 chore: rebuild vless encryption string parsing by @wwqgtxx
• a18e99f chore: update dependencies by @wwqgtxx
• aca0d97 chore: sync vless encryption code by @wwqgtxx
• b31664b chore: sync vless encryption code by @wwqgtxx
• b41ea05 chore: add encryption to converter by @wwqgtxx
• b481eca chore: allow vision with vless encryption by @wwqgtxx
• b4c3bbf chore: sync vless encryption code by @wwqgtxx
• b56068e chore: make vision server support splice by @wwqgtxx
• b643388 chore: sync vless encryption code by @wwqgtxx
• cdf5e0c chore: rewrite vision client write by @wwqgtxx
• ce82d49 chore: update golang to 1.25 by @wwqgtxx
• d11f9c8 chore: sync vless encryption code by @wwqgtxx
• d7999a3 chore: using named const value by @wwqgtxx
• e4dfe09 chore: output vless hash11 in generater by @wwqgtxx
• e54ca7c chore: sync vless encryption code by @wwqgtxx
• e6fe895 chore: sync code by @wwqgtxx
• eb028b6 chore: better reflect using in vision by @wwqgtxx
• eeb2ad8 chore: add more test for TypedValue by @wwqgtxx
• f04af73 chore: update quic-go to 0.54.0 by @wwqgtxx
• f90d0b9 chore: using atomic.Pointer in anytls by @wwqgtxx
• fc61715 chore: add handshake-mode for mieru by @wwqgtxx

Full Changelog: v1.19.12...v1.19.13

What's Changed

• 241ae92 feat: support DOMAIN-WILDCARD rule (#2124) by @ayanamist
• Note: For amd64 platform, -amd64 and -amd64-compatible versions have been deprecated. -amd64-v1, -amd64-v2 and -amd64-v3 will be used to mark the CPU level. Please adapt the automatic update script in time for downstream projects.

BUG & Fix

• 0d92b67 fix: add base64 decoding for VLESS host in ConvertsV2Ray function (#2125) by @jianguo Wang
• 2b84dd3 fix: regex in logic rules by @wwqgtxx
• 3050201 fix: darwin system stack problem by @wwqgtxx
• 407c13b fix: hy2 server crash by @wwqgtxx
• 63ad95e fix: remove unconventional bits when unpacking for update_ui (#2178) by @白日梦主义
• 765cbbc fix: miss config in patch by @wwqgtxx
• 79decdc fix: vision server crash by @wwqgtxx
• a37440c fix: some downstream dependencies on the upgrader's output fields by @wwqgtxx
• b06ec5b fix: add path safety check in file type providers (#2177) by @白日梦主义
• ba3e718 chore: update mieru to v3.16.1 (#2138) by @enfein
• d84b182 fix: darwin tun mixed stack not working by @wwqgtxx

Maintenance

• 01cd7e2 chore: improve backup and replace logic in updater by @xishang0128
• 1a84153 chore: code cleanup by @wwqgtxx
• 300eb8b chore: rebuild rule parsing code by @wwqgtxx
• 349b773 chore: upgrade and embed the xsync.Map to v4 by @wwqgtxx
• 56c3462 chore: update quic-go to 0.53.0 by @wwqgtxx
• 5f1f296 chore: add /cache/dns/flush to restful api by @wwqgtxx
• 6337151 chore: upgrade bbolt to 1.4.2 by @wwqgtxx
• 66fd5c9 chore: allow setting cache-max-size in dns section by @wwqgtxx
• 6a620ba chore: revert "chore: better dns batchExchange" by @wwqgtxx
• 6a9d428 chore: remove unused code (#2126) by @leo
• 6f4fe71 chore: update dependencies by @wwqgtxx
• 748b5df chore: keep original file permissions after update by @xishang0128
• 8cbae59 chore: upgrade bbolt by @wwqgtxx
• 8f18d3f chore: add recvmsgx and sendmsgx config to tun by @wwqgtxx
• 91985c1 chore: typo (#2127) by @Phanium
• 9f1da11 chore: use the compile-time GOAMD64 flag in the updater by @wwqgtxx
• a9b7e70 chore: optimizing copyFile in updater by @wwqgtxx
• aa555ce chore: allow embedded xsync.Map to be lazily initialized by @wwqgtxx
• b9260e0 chore: improve darwin tun performance by @wwqgtxx
• ba3e718 chore: update mieru to v3.16.1 (#2138) by @enfein
• c3a3009 chore: keep original file permissions when copyFile in updater by @wwqgtxx
• d4fbffd chore: update utls to 1.8.0 by @wwqgtxx
• deec7aa chore: optimizing download in updater by @wwqgtxx
• dfe6e05 chore: rebuild core updater by @wwqgtxx
• fb043df chore: use canonical return value order by @xishang0128

Full Changelog: v1.19.11...v1.19.12

What's Changed

• 29a37f4 feat: all dns client support disable-ipv4 and disable-ipv6 params by @wwqgtxx
• 40587b6 feat: all dns client support skip-cert-verify params by @wwqgtxx
• 617fef8 feat: converter support anytls/socks/http (#2100) by @beck
• 85e6d25 feat: all dns client support ecs and ecs-override params by @wwqgtxx
• 9283cb0 feat: add loopback-address support for tun by @wwqgtxx
• Other incompatible updates are the same as v1.19.6~v1.19.10:

• For security reasons, all paths appearing in the configuration file will be limited to workdir (regardless of whether they are relative or absolute). If there is a specific need, please specify additional safe paths by setting the SAFE_PATHS environment variable while ensuring safety. The syntax of this environment variable is the same as the PATH environment variable parsing rules of this operating system (i.e., semicolon-separated under Windows and colon-separated under other systems)
• For security reasons, the "path" parameter of /configs in the restful api has been restricted, and its directory also needs to be in workdir or SAFE_PATHS.
• In addition, support for specifying routing-mark and interface-name for proxy-groups has been removed. Please specify the relevant parameters in proxies directly.
• Note: The workdir mentioned above is specified by the -d parameter when the program is started or the CLASH_HOME_DIR environment variable. If neither of the above is specified, the default is:
  • on Unix systems, $HOME/.config/mihomo.
  • on Windows, %USERPROFILE%/.config/mihomo.
• The DNS resolution of the overall UDP part has been delayed to the connection initiation stage. It will be triggered only when the IP rule without no-resolve is matched during the rule matching process.
  • For direct and wireguard outbound, the same logic as the TCP part will be followed, that is, when direct-nameserver (or DNS configured by wireguard) exists, the resolution result in the rule matching process will be discarded and the domain name will be re-resolved. This re-resolution logic is only effective for fakeip.
  • For reject and DNS outbound, no resolution is required.
  • For other outbound, resolution will still be performed when the UDP connection is initiated, and the domain name will not be sent directly to the remote server.

BUG & Fix

• 31f0060 fix: chacha20 counter overflow by @wwqgtxx
• 32d447c fix: convert https (#2102) by @beck
• 40ea0ba fix: correct constructor for 2022-blake3-chacha8-poly1305 by @wwqgtxx
• 5344e86 fix: ssr uri decode (#2116) by @Restia-Ashbell
• 5b97527 fix: incorrect checking of strings.Split return value by @wwqgtxx
• 6cfaf15 fix: missing error return by @wwqgtxx
• 71a8705 fix: remote dst parse by @wwqgtxx
• 8d7f947 fix: TypedValue.CompareAndSwap by @wwqgtxx
• ebf5918 fix: v2ray-plugin mux maybe not close underlay connection by @wwqgtxx

Maintenance

• 01f8f2d chore: cleanup allocator code by @wwqgtxx
• 082bcec chore: apply find process mode in direct/global mode by @wwqgtxx
• 166392f chore: sniffer replace domain only if domain is valid (#2122) by @ayanamist
• 255ff5e chore: add rate limiting support for reality listener by @wwqgtxx
• 2f9a3b3 chore: cleanup code by @wwqgtxx
• 5c6aa43 chore: unconditionally allow clients with passwords for password-free socks5 inbound (#2123) by @ayanamist
• 85bb40a chore: add Int32Enum for common/atomic by @wwqgtxx
• 87795e3 chore: add yaml marshal for common/atomic by @wwqgtxx
• 939e410 chore: write dns reply in single syscall by @wwqgtxx
• 93ca185 chore: converter support fingerprint for anytls by @riolurs
• ae7967f chore: the resolve and findProcess behaviors of Logic and SubRules follow the order and needs of the internal rules by @wwqgtxx
• c60750d chore: allow tun to skip the system ipv6 check when starting by environment variable SKIP_SYSTEM_IPV6_CHECK by @wwqgtxx

Full Changelog: v1.19.10...v1.19.11

What's Changed

• The DNS resolution of the overall UDP part has been delayed to the connection initiation stage. It will be triggered only when the IP rule without no-resolve is matched during the rule matching process.
  • For direct and wireguard outbound, the same logic as the TCP part will be followed, that is, when direct-nameserver (or DNS configured by wireguard) exists, the resolution result in the rule matching process will be discarded and the domain name will be re-resolved. This re-resolution logic is only effective for fakeip.
  • For reject and DNS outbound, no resolution is required.
  • For other outbound, resolution will still be performed when the UDP connection is initiated, and the domain name will not be sent directly to the remote server.
• In addition, the memory usage of the UDP part of tun inbound has also been optimized in this version.
• Other incompatible updates are the same as v1.19.6~v1.19.8:

• For security reasons, all paths appearing in the configuration file will be limited to workdir (regardless of whether they are relative or absolute). If there is a specific need, please specify additional safe paths by setting the SAFE_PATHS environment variable while ensuring safety. The syntax of this environment variable is the same as the PATH environment variable parsing rules of this operating system (i.e., semicolon-separated under Windows and colon-separated under other systems)
• For security reasons, the "path" parameter of /configs in the restful api has been restricted, and its directory also needs to be in workdir or SAFE_PATHS.
• In addition, support for specifying routing-mark and interface-name for proxy-groups has been removed. Please specify the relevant parameters in proxies directly.
• Note: The workdir mentioned above is specified by the -d parameter when the program is started or the CLASH_HOME_DIR environment variable. If neither of the above is specified, the default is:
  • on Unix systems, $HOME/.config/mihomo.
  • on Windows, %USERPROFILE%/.config/mihomo.

BUG & Fix

• 15eda70 fix: hysteria2 panic by @wwqgtxx
• 1db89da fix: quic sniffer should not replace domain when no valid host is read by @wwqgtxx
• 213d80c fix: quic sniffer should consider skipDomain by @wwqgtxx
• 33590c4 fix: destination should unmap before find interface by @wwqgtxx
• 4741ac6 fix: in-port not work with shadowsocks listener by @wwqgtxx
• 5a21bf3 fix: listener close panic by @wwqgtxx
• 6c9abe1 fix: vmess listener error by @wwqgtxx
• d2e255f fix: some error in tun by @wwqgtxx

Maintenance

• 12e3952 chore: code cleanup by @wwqgtxx
• 199fb8f chore: update quic-go to 0.52.0 by @wwqgtxx
• 28c387a chore: restore break change in sing-tun by @wwqgtxx
• 34de62d chore: better get localAddr by @wwqgtxx
• 3ed6ff9 chore: export pipeDeadline by @wwqgtxx
• 4ed8303 chore: remove confused code by @wwqgtxx
• 60ae9dc chore: recover log leval for preHandleMetadata by @wwqgtxx
• 689c58f chore: clear dstIP when overrideDest in sniffer by @wwqgtxx
• 88419cb chore: better parse remote dst by @wwqgtxx
• 9e3bf14 chore: handle two interfaces have the same prefix but different address by @wwqgtxx
• a0c46bb chore: remove the redundant layer of udpnat in sing-tun to reduce resource usage when processing udp by @wwqgtxx
• a1c7881 chore: rebuild udp dns resolve by @wwqgtxx
• b1d12a1 chore: proxy's ech should fetch from proxy-nameserver by @wwqgtxx
• c0f452b chore: more unmap for 4in6 address by @wwqgtxx
• ef3d7e4 chore: remove unneeded dns resolve when proxydialer dial udp by @wwqgtxx

Full Changelog: v1.19.9...v1.19.10

What's Changed

• 188372c feat: add tls.ech-key for external-controller-tls by @wwqgtxx
• 5cf0f18 feat: reality add support-x25519mlkem768, it only works with new version server by @wwqgtxx
• a1350d4 feat: add ech-key for listeners by @wwqgtxx
• c6d7ef8 feat: add ech-opts for anytls/shadowsocks/trojan/vmess/vless outbound by @wwqgtxx
• dc958e6 feat: add ech-opts for hysteria/hysteria2/tuic outbound by @wwqgtxx
• Other incompatible updates are the same as v1.19.6~v1.19.8:

• For security reasons, all paths appearing in the configuration file will be limited to workdir (regardless of whether they are relative or absolute). If there is a specific need, please specify additional safe paths by setting the SAFE_PATHS environment variable while ensuring safety. The syntax of this environment variable is the same as the PATH environment variable parsing rules of this operating system (i.e., semicolon-separated under Windows and colon-separated under other systems)
• For security reasons, the "path" parameter of /configs in the restful api has been restricted, and its directory also needs to be in workdir or SAFE_PATHS.
• In addition, support for specifying routing-mark and interface-name for proxy-groups has been removed. Please specify the relevant parameters in proxies directly.
• Note: The workdir mentioned above is specified by the -d parameter when the program is started or the CLASH_HOME_DIR environment variable. If neither of the above is specified, the default is:
  • on Unix systems, $HOME/.config/mihomo.
  • on Windows, %USERPROFILE%/.config/mihomo.

BUG & Fix

• 41b57af fix: grpc deadline implement by @wwqgtxx
• 608ddb1 fix: external-ui-name must in local by @wwqgtxx
• 90ed01e fix: backoff not reset when the file unchanged by @wwqgtxx
• bb8c47d fix: error typo by @wwqgtxx
• c489c52 fix: hysteria2 hop ports init #2056 by @wwqgtxx
• d036d98 fix: http server does not handle http2 logic correctly by @wwqgtxx
• d5a0390 fix: race in close grpc transport by @wwqgtxx
• d900c71 fix: shadowtls v2 not work with X25519MLKEM768 by @wwqgtxx
• f91a586 fix: inline proxy provider's healthcheck not work by @wwqgtxx

Maintenance

• 1672750 chore: simplifying the old fingerprint processing method by @wwqgtxx
• 257fead docs: update config.yaml follow 5cf0f18 by @wwqgtxx
• 83213d4 chore: adjust min backoff from 1s to 10s by @wwqgtxx
• 8a5f3b8 chore: simplify port hop costs by @wwqgtxx
• 8f92b1d chore: simplify the single root decompression process by @wwqgtxx
• 9f7a2a3 chore: unpack externalUI in a separate temporary directory to avoid malicious compressed packages from polluting workdir by @wwqgtxx
• a934791 chore: stricter path checking when unpacking zip/tgz by @wwqgtxx
• ed42c4f chore: disallow symlink in unzip by @wwqgtxx
• fd959fe chore: update dependencies by @wwqgtxx

Full Changelog: v1.19.8...v1.19.9

What's Changed

• For security reasons, the "path" parameter of /configs in the restful api has been restricted, and its directory also needs to be in workdir or SAFE_PATHS.
• Other incompatible updates are the same as v1.19.6:

• For security reasons, all paths appearing in the configuration file will be limited to workdir (regardless of whether they are relative or absolute). If there is a specific need, please specify additional safe paths by setting the SAFE_PATHS environment variable while ensuring safety. The syntax of this environment variable is the same as the PATH environment variable parsing rules of this operating system (i.e., semicolon-separated under Windows and colon-separated under other systems)
• In addition, support for specifying routing-mark and interface-name for proxy-groups has been removed. Please specify the relevant parameters in proxies directly.

• Note: The workdir mentioned above is specified by the -d parameter when the program is started or the CLASH_HOME_DIR environment variable. If neither of the above is specified, the default is:
  • on Unix systems, $HOME/.config/mihomo.
  • on Windows, %USERPROFILE%/.config/mihomo.

BUG & Fix

• 6e35cf9 fix: truncated UDP response in system dns #2031 by @wwqgtxx

Maintenance

• 2116640 chore: the updateConfigs api also adds a check for SAFE_PATHS by @wwqgtxx
• 23e2d3a chore: rebuild provider load by @wwqgtxx
• 266fb03 chore: update dependencies by @wwqgtxx
• 76e9607 chore: move start healthcheck.process() from New to Initial in provider avoid panic cause by build-in proxy have not set to tunnel by @wwqgtxx

Full Changelog: v1.19.7...v1.19.8

What's Changed

• The incompatible updates of the restful api not mentioned in the previous version of the changelog have been rolled back, solving the problem that the related gui cannot refresh the configuration
• Note that for security reasons, we are currently planning to restrict the "path" parameter of /configs in restful api in the next version, and its directory also needs to be in SAFE_PATHS or workdir. It is recommended that downstream clients adapt to this change in advance. (This change has been applied to alpha version 2116640)
• Other incompatible updates are the same as v1.19.6:

• For security reasons, all paths appearing in the configuration file will be limited to workdir (regardless of whether they are relative or absolute). If there is a specific need, please specify additional safe paths by setting the SAFE_PATHS environment variable while ensuring safety. The syntax of this environment variable is the same as the PATH environment variable parsing rules of this operating system (i.e., semicolon-separated under Windows and colon-separated under other systems)
• In addition, support for specifying routing-mark and interface-name for proxy-groups has been removed. Please specify the relevant parameters in proxies directly.

BUG & Fix

• d22a893 fix: hysteria server port hopping compatibility issues by @wwqgtxx

Maintenance

• 00cceba docs: update config.yaml follow 7e7016b (#2022) by @muink
• a4fcd3a chore: rollback incompatible changes to updateConfigs api by @wwqgtxx

Full Changelog: v1.19.6...v1.19.7

Incompatible changes:

• For security reasons, all paths appearing in the configuration file will be limited to workdir (regardless of whether they are relative or absolute). If there is a specific need, please specify additional safe paths by setting the SAFE_PATHS environment variable while ensuring safety. The syntax of this environment variable is the same as the PATH environment variable parsing rules of this operating system (i.e., semicolon-separated under Windows and colon-separated under other systems)
• In addition, support for specifying routing-mark and interface-name for proxy-groups has been removed. Please specify the relevant parameters in proxies directly.

What's Changed

• 5c40a63 feat: not inline rule-provider can also set payload as fallback rules when file/http parsing fails by @wwqgtxx
• 99aa1b0 feat: inbound support shadow-tls by @wwqgtxx
• f328203 feat: not inline proxy-provider can also set payload as fallback proxies when file/http parsing fails by @wwqgtxx

BUG & Fix

• 2b4726b fix: build on go1.24.3 golang/go#73617 by @wwqgtxx
• 2fb9331 fix: some resources are not released in listener by @wwqgtxx
• 468cfc3 fix: set sni to servername if not specified for trojan outbound (#1991) by @WeidiDeng
• 48d8efb fix: do NOT reset the quic-go internal state when only port is different by @wwqgtxx
• 52ad793 fix: shadowtls v1 not work by @wwqgtxx
• 61d6a9a fix: fetcher does not start the pull loop when local file parsing errors occur and the first remote update fails by @wwqgtxx
• 7de4af2 fix: shadowtls test by @wwqgtxx
• 86c127d fix: missing read waiter for cancelers by @wwqgtxx
• e6e7aa5 fix: alpn apply on shadowtls by @wwqgtxx
• f774276 fix: ensure wait group completes by @Larvan2
• febb602 fix: hysteria2 inbound not set UDPTimeout by @wwqgtxx

Maintenance

• 26e6d83 chore: make select display the specified testUrl for #2013 by @xishang0128
• 4ecb49b chore: dynamic fetch remoteAddr in hysteria2 service by @wwqgtxx
• 50d7834 chore: change the separator of the SAFE_PATHS environment variable to the default separator of the operating system platform (i.e., ; in Windows and : in other systems) by @wwqgtxx
• 791ea5e chore: allow setting addition safePaths by environment variable SAFE_PATHS package managers can allow for pre-defined safe paths without disabling the entire security check feature for #2004 by @wwqgtxx
• 793ce45 chore: update quic-go to 0.51.0 by @wwqgtxx
• 7e7016b chore: removed routing-mark and interface-name of the group, please set it directly on the proxy instead by @wwqgtxx
• 936df90 chore: update dependencies by @wwqgtxx
• 9e57b29 chore: update dependencies by @wwqgtxx
• a013ac3 chore: give better error messages for some stupid config files by @wwqgtxx
• aa51b9f chore: replace using internal batch package to x/sync/errgroup by @wwqgtxx
• b4fe669 chore: better path checks by @wwqgtxx
• c2301f6 chore: rebuild fingerprint and keypair handle by @wwqgtxx
• cad26ac chore: fetcher will change duration to achieve fast retry when the update failed with a 2x factor step from 1s to interval by @wwqgtxx
• d55b047 chore: ignore interfaces not with FlagUp in local interface finding by @wwqgtxx
• ee5d77c chore: cleanup tls clientFingerprint code by @wwqgtxx

Full Changelog: v1.19.5...v1.19.6