25.2.0

@fnando released this 11 Mar 16:48
· 46 commits to main since this release
2848488

🚀 New Features

  • Auto-build on deploy: stellar contract deploy and stellar contract upload now automatically build your contracts when no WASM is provided, with no manual build step required. (#2378)
  • Self-describing events: stellar events and contract invoke now display human-readable event descriptions from the contract spec. (#2380)
  • Fee bump for large transactions: Transactions that exceed the base fee threshold are automatically wrapped in a fee bump transaction. (#2382)
  • Pipe secrets from stdin: Key secrets can now be passed via pipe, making it easier to integrate with secret managers in scripts and CI. (#2403)
  • stellar network root-account: New command to retrieve the root account for a given network. (#2402)
  • Network ID in stellar network info: The network ID is now included in the output of stellar network info. (#2413)
  • Auto-convert string arguments in contract invoke: String-typed arguments are now automatically coerced, reducing friction when calling contracts from the CLI. (#2410)
  • --locked passthrough on contract build: The --locked flag is now forwarded when building contracts, ensuring reproducible builds. (#2383)
  • --hd-path propagation: The --hd-path flag now correctly propagates to auth signers and alias resolution. (#2437)
  • Spec shaking (build side): The build pipeline now supports spec shaking, reducing generated output size. (#2353)

🔒 Security

  • Sensitive env vars concealed by default: stellar env now hides sensitive values (secret keys, RPC headers, signing keys) by default, showing # KEY=<concealed> instead of the raw value. (#2440, #2408)
  • Path traversal prevention: Network and contract alias names are now validated to block path traversal attacks. (#2443)
  • Restrictive file permissions: Config directories and key files are now created with tighter permissions on Unix systems. (#2415)
  • RPC headers hidden from output: RPC headers (which may contain auth tokens) are no longer shown in stellar network ls --long or debug trace output. (#2441, #2442)
  • Control character sanitization: Control characters in contract spec display output are now sanitized. (#2433)
  • Keccak vulnerability patched: Updated keccak to address CWE-758. (#2422)

🐛 Bug Fixes

  • Fixed BytesN parsing when using valid hex values. (#2385)
  • Fixed snapshot create unconditionally adding entries when match result was unused. (#2404)
  • Fixed --asset in trustline commands to accept valid asset codes of any length. (#2405)
  • Fixed an error when fetching ledger entries for trustlines using the native asset. (#2406)

🔧 Developer Experience

  • Warnings are now shown when a contract spec references types that are missing. (#2426)
  • Improved dependency checking in the install script. (#2399)
  • --no-default-features is now honored when using cargo install. (#2416)

📦 TypeScript Bindings

  • Updated bindings to the latest JS SDK version. (#2373)

Full Changelog: v25.1.0...v25.2.0

New Contributors: @teddav made their first contribution in #2373. Welcome! 🎉