@@ -12,6 +12,40 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
1212and this project adheres to
1313[ Semantic Versioning] ( https://semver.org/spec/v2.0.0.html ) .
1414
15+ ## [ v2.5.0] - 2025-07-08
16+
17+ ### Added
18+
19+ - There is a new protection enabled by default called the
20+ ` InvalidEventProtection ` . This protection redacts events that contain
21+ malformed
22+ [ mixins] ( https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/1767-extensible-events.md#mixins-specifically-allowed )
23+ that are likely to trip up other Matrix clients, or potentially represent an
24+ attempt to bypass Draupnir protections. For Matrix developers, what qualifies
25+ as a malformed mixin is very conservative, and we only focus on the core
26+ properties of a given mixin.
27+
28+ - The ` WordListProtection ` , and ` MentionLimitProtection ` are updated to use a
29+ new method of parsing Matrix events by extracting
30+ [ mixins] ( https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/1767-extensible-events.md#mixins-specifically-allowed )
31+ that is provided by the matrix-protection-suite. This will allow these
32+ protections to continue to function should extensible events ever make it into
33+ a release of the Matrix specification. And generally this is a more robust way
34+ of parsing Matrix events.
35+
36+ ### Fixed
37+
38+ - Draupnir deployed in appservice mode were not being disposed of correctly when
39+ being placed into or restarting from safe mode. This could be a root cause a
40+ variety of issues.
41+
42+ ### Changed
43+
44+ - The JSON reviver used by Draupnir for handling http requests and responses has
45+ been modified to cover more property names found on the ` Object.prototype ` , in
46+ addition to the existing restrictions preventing prototype pollution. This
47+ adds redundancy to code handling objects parsed from untrusted sources.
48+
1549## [ v2.4.1] - 2025-06-23
1650
1751### Fixed
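Review bot: The Added entry for `InvalidEventProtection` (new lines 19-26) announces a protection that is enabled by default and redacts events, yet it does not say how an operator can disable it or which mixin properties count as "core"; because redaction is destructive, consider naming the checked properties or linking to the protection's documentation. The Changed entry on the JSON reviver (new lines 44-47) would be easier to audit if it listed the newly covered `Object.prototype` property names and stated whether a matching key is rejected or dropped. In the Fixed entry, "This could be a root cause a variety of issues" is missing "of", and "Draupnir deployed in appservice mode were not" needs a plural subject or "was not".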