From 13f5ff4eaf25614e43a54807cf67c8dd64c87a91 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 14:12:02 +0000 Subject: [PATCH] chore(release): bump versions and update changelogs --- .changeset/sigv4-path-encoding.md | 12 ------------ packages/storage/CHANGELOG.md | 13 +++++++++++++ packages/storage/package.json | 2 +- 3 files changed, 14 insertions(+), 13 deletions(-) delete mode 100644 .changeset/sigv4-path-encoding.md diff --git a/.changeset/sigv4-path-encoding.md b/.changeset/sigv4-path-encoding.md deleted file mode 100644 index 38ab155..0000000 --- a/.changeset/sigv4-path-encoding.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -'@tigrisdata/storage': patch ---- - -Fix `403 SignatureDoesNotMatch` from `copy`, `move`, and `updateObject` when the object key contains `/` or any other character that requires percent-encoding (space, `?`, `=`, etc.) and the request is signed with access-key SigV4. - -Two related fixes: - -- Custom HTTP client now constructs `SignatureV4` with `uriEscapePath: false`, matching S3's single-encoding canonical-path scheme. The default `true` (AWS-standard double-encoding) caused the signer to re-escape any percent sequence in the path during canonicalization, while Tigris gateway uses S3 single-encoding — producing the mismatch for every key with a special char. -- Object keys in the request path and `X-Amz-Copy-Source` header are URL-encoded per-segment via the new `encodeObjectKey` helper, preserving `/` as a separator so the wire URL stays valid. - -OAuth/session-token callers were unaffected because that auth path skips SigV4 signing entirely. diff --git a/packages/storage/CHANGELOG.md b/packages/storage/CHANGELOG.md index 1cf6f70..bdfbb28 100644 --- a/packages/storage/CHANGELOG.md +++ b/packages/storage/CHANGELOG.md @@ -1,5 +1,18 @@ # @tigrisdata/storage +## 3.5.2 + +### Patch Changes + +- [#101](https://github.com/tigrisdata/storage/pull/101) [`6306356`](https://github.com/tigrisdata/storage/commit/6306356b6203c5d02cf90bb2ce566bcfdf9fa110) Thanks [@designcode](https://github.com/designcode)! - Fix `403 SignatureDoesNotMatch` from `copy`, `move`, and `updateObject` when the object key contains `/` or any other character that requires percent-encoding (space, `?`, `=`, etc.) and the request is signed with access-key SigV4. + + Two related fixes: + + - Custom HTTP client now constructs `SignatureV4` with `uriEscapePath: false`, matching S3's single-encoding canonical-path scheme. The default `true` (AWS-standard double-encoding) caused the signer to re-escape any percent sequence in the path during canonicalization, while Tigris gateway uses S3 single-encoding — producing the mismatch for every key with a special char. + - Object keys in the request path and `X-Amz-Copy-Source` header are URL-encoded per-segment via the new `encodeObjectKey` helper, preserving `/` as a separator so the wire URL stays valid. + + OAuth/session-token callers were unaffected because that auth path skips SigV4 signing entirely. + ## 3.5.1 ### Patch Changes diff --git a/packages/storage/package.json b/packages/storage/package.json index 3af626b..03eb545 100644 --- a/packages/storage/package.json +++ b/packages/storage/package.json @@ -1,6 +1,6 @@ { "name": "@tigrisdata/storage", - "version": "3.5.1", + "version": "3.5.2", "description": "Tigris is a high-performance object storage system designed for multi-cloud", "type": "module", "main": "./dist/server.js",