Following is a list of commits (fixes/features only) in this release.
See `:help news` in Nvim for release notes.
FIXES
--------------------------------------------------------------------------------
- b1f2fe46cd lsp.enable() don't work correctly inside FileType event #37538
- 9b13ee041f api: nvim_set_hl crashes when url= key is passed
- 3a94763124 channel: crash on failed sockconnect() (#37811)
- 7281cf883e channel: possible hang after connecting with TCP times out (#37813)
- 7bb3c3068c highlight: setting 'winhl' doesn't work with global ns (#37868)
- cf6660d3c1 mpack: boundary values for negative integer encoding (#38411)
- f9c67c40bc lsp: call `on_list` before reading `loclist` #37645
- 818b97173e process: avoid buffering unnecessary UI event with PTY CWD (#37582)
- 3eef5752b3 terminal: heap UAF if buffer deleted during TermRequest (#37612)
- 37738d5ae0 terminal: reset `w_leftcol` after resizing terminal
- e0ea90070a treesitter: escape hyphen in lua pattern
- 85d4822797 treesitter: normalize language aliases
- 03815969c4 watch: invalid joined path #37973
PERFORMANCE
--------------------------------------------------------------------------------
- 768b624c40 filetype: vim.filetype.get_option cache miss when option value is false #37593
VIM PATCHES
--------------------------------------------------------------------------------
- c7f48e40b8 9.1.2119: tests: Test_language_cmd fails on OpenBSD (#37503)
- d47d317a79 9.1.2128: Heap use after free in buf_check_timestamp()
- 79ed49cc69 9.1.2130: Page scrolling in Insert mode beeps (#37710)
- 4792c29969 9.1.2132: [security]: buffer-overflow in 'helpfile' option handling (#37735)
- 03e68ad5d3 9.1.2133: Another case of buffer overflow with 'helpfile' (#37746)
- 5f6b195402 9.1.2136: :tab sbuffer may close old tabpage (#37765)
- b072f89d1e 9.2.0004: Changing hidden prompt buffer cancels :startinsert/:stopinsert (#37881)
- de20500b40 9.2.0028: matchadd() conceal may use unrelated syntax cchar (#37974)
- 7fc228d94f 9.2.0077: [security]: Crash when recovering a corrupted swap file (#38104)
- b9459fba26 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl() (#38102)
- 976db1ba4b 9.2.0137: [security]: crash with composing char in collection range (#38261)
- bea7f3a44e 9.2.0202: [security]: command injection via newline in glob() (#38385)
Problem: The glob() function on Unix-like systems does not escape
newline characters when expanding wildcards. A maliciously
crafted string containing '\n' can be used as a command
separator to execute arbitrary shell commands via
mch_expand_wildcards(). This depends on the user's 'shell'
setting.
Solution: Add the newline character ('\n') to the SHELL_SPECIAL
definition to ensure it is properly escaped before being
passed to the shell (pyllyukko).
closes: vim/vim#19746
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
645ed6597d
Co-authored-by: pyllyukko <pyllyukko@maimed.org>
(cherry picked from commit f577e05522)
fix(mpack): boundary values for negative integer encoding
Problem:
libmpack encodes boundary values -129 and -32769 with wrong integer
sizes:
- -129 as int8 instead of int16
- -32769 as int16 instead of int32
because the boundary checks compare against the wrong values (e.g., lo
< 0xffffff7f instead of lo < 0xffffff80). This caused data corruption:
-129 would decode as 127.
Solution:
Fix off-by-one errors in the two's complement boundary constants:
0xffffff80 (-128, min int8) and 0xffff8000 (-32768, min int16).
Co-authored-by: benarcher2691 <ben.archer2691@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
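
The boundary error described in the mpack fix above, reproduced as an added example (not libmpack's source and not part of the original commit). The struct, the function names and the encoder's layout are assumptions of this example; only the four boundary constants come from the commit message.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Low 32 bits of the smallest value that still fits int8 / int16. */
typedef struct { uint32_t min_i8, min_i16; } bounds_t;
static const bounds_t BUGGY = { 0xffffff7fu, 0xffff7fffu }; /* -129, -32769 */
static const bounds_t FIXED = { 0xffffff80u, 0xffff8000u }; /* -128, -32768 */

/* Encode a negative int32 in the narrowest MessagePack form chosen by
 * the boundary constants in b; returns the number of bytes written. */
size_t pack_neg(int32_t v, bounds_t b, uint8_t *out)
{
    uint32_t lo = (uint32_t)v;   /* two's complement bit pattern */
    size_t n, i;

    if (lo < b.min_i16)        { out[0] = 0xd2; n = 4; } /* int32 */
    else if (lo < b.min_i8)    { out[0] = 0xd1; n = 2; } /* int16 */
    else if (lo < 0xffffffe0u) { out[0] = 0xd0; n = 1; } /* int8 */
    else { out[0] = (uint8_t)lo; return 1; }             /* fixint -32..-1 */

    for (i = 0; i < n; i++)      /* payload is big-endian */
        out[1 + i] = (uint8_t)(lo >> (8 * (n - 1 - i)));
    return n + 1;
}

/* Decode the four forms produced above, sign-extending the payload. */
int32_t unpack_int(const uint8_t *in)
{
    switch (in[0]) {
    case 0xd0: return (int8_t)in[1];
    case 0xd1: return (int16_t)(uint16_t)((in[1] << 8) | in[2]);
    case 0xd2: return (int32_t)(((uint32_t)in[1] << 24) | ((uint32_t)in[2] << 16)
                                | ((uint32_t)in[3] << 8) | in[4]);
    default:   return (int8_t)in[0];
    }
}

/* Encode then decode one value with the given boundary constants. */
int32_t roundtrip(int32_t v, bounds_t b)
{
    uint8_t buf[5];
    pack_neg(v, b, buf);
    return unpack_int(buf);
}

int main(void)
{
    const int32_t samples[] = { -128, -129, -32768, -32769 };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%6d  buggy -> %6d  fixed -> %6d\n", (int)samples[i],
               (int)roundtrip(samples[i], BUGGY), (int)roundtrip(samples[i], FIXED));
    return 0;
}
```

Only the two boundary values are affected: with the off-by-one constants every other negative integer still round-trips, which is why the corruption is easy to miss without boundary tests.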
If the Nvim session has exited, the nvim_command will fail too.
```
ERROR test/functional/core/fileio_spec.lua @ 342: tmpdir failure modes
test\functional\testnvim.lua:133: sending request after EOF from Nvim
stack traceback:
test\functional\testnvim.lua:133: in function 'command'
test\functional\testnvim.lua:847: in function 'rmdir'
test/functional/core\fileio_spec.lua:353: in function <test/functional/core\fileio_spec.lua:342>
```
(cherry picked from commit b027de3a87)
Problem: Using a composing character as the end of a range inside a
collection may corrupt the NFA postfix stack
(Nathan Mills, after v9.1.0011)
Solution: When a character is used as the endpoint of a range, do not emit
its composing characters separately. Range handling only uses
the base codepoint.
supported by AI
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r
36d6e87542
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit e5667b9c15)
Problem: Calling nvim_set_hl() with url= crashes because it tries to
free arena-owned string memory.
Solution: Remove the bad free and return a validation error instead.
(cherry picked from commit d19dc6339d)
Hyphenated language names are silently dropped when used as injections
(see #38132).
This combines the normalization of language aliases into `resolve_lang`,
and also adds the normalization of hyphens to underscores, which allows
for handling of injected language tags with hyphens in their names.
Fixes #38132.
(cherry picked from commit 01817eb6f3)
Problem: memline: a crafted swap file with bogus pe_page_count/pe_bnum
values could cause a multi-GB allocation via mf_get(), and
invalid pe_old_lnum/pe_line_count values could cause a SEGV
when passed to readfile() (ehdgks0627, un3xploitable)
Solution: Add bounds checks on pe_page_count and pe_bnum against
mf_blocknr_max before descending into the block tree, and
validate pe_old_lnum >= 1 and pe_line_count > 0 before calling
readfile().
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p
65c1a143c3
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 7e8bdd348c)
Problem: A stack-buffer-overflow occurs when rendering a statusline
with a multi-byte fill character on a very wide terminal.
The size check in build_stl_str_hl() uses the cell width
rather than the byte length, allowing the subsequent fill
loop to write beyond the 4096-byte MAXPATHL buffer
(ehdgks0627, un3xploitable).
Solution: Update the size check to account for the byte length of
the fill character (using MB_CHAR2LEN).
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf
4e5b9e31cb
Co-authored-by: Christian Brabandt <cb@256bit.org>
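
An added example of the size check described in the statusline fix above (not Vim's or Nvim's code). The helper names and the single-cell, three-byte fill character U+2500 are assumptions; only the 4096-byte buffer size comes from the commit message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STL_BUFSIZE 4096   /* the 4096-byte buffer named in the commit message */

/* Flawed check: compares the cell count with the free space, as if
 * every fill character occupied exactly one byte. */
int fits_by_cells(size_t used, size_t cells)
{
    return used + cells < STL_BUFSIZE;
}

/* Corrected check: compares the bytes the fill loop will really write
 * (cells * bytes per character), keeping one byte for the NUL. */
int fits_by_bytes(size_t used, size_t cells, size_t char_len)
{
    if (used >= STL_BUFSIZE || char_len == 0)
        return 0;
    return cells <= (STL_BUFSIZE - 1 - used) / char_len;
}

/* Append `cells` copies of a single-cell fill character to buf, which
 * already holds `used` bytes. Returns the new length, or `used`
 * unchanged when the fill would not fit. */
size_t append_fill(char *buf, size_t used, size_t cells, const char *fill)
{
    size_t char_len = strlen(fill), i;

    if (!fits_by_bytes(used, cells, char_len))
        return used;
    for (i = 0; i < cells; i++) {
        memcpy(buf + used, fill, char_len);
        used += char_len;
    }
    buf[used] = '\0';
    return used;
}

/* Run append_fill on a scratch buffer and report the resulting length. */
size_t demo_fill(size_t used, size_t cells, const char *fill)
{
    char buf[STL_BUFSIZE];
    memset(buf, 'x', used < STL_BUFSIZE ? used : STL_BUFSIZE);
    return append_fill(buf, used, cells, fill);
}

int main(void)
{
    const char *box = "\xe2\x94\x80";   /* U+2500: 1 cell, 3 bytes in UTF-8 */
    printf("cell check passes: %d, byte check passes: %d\n",
           fits_by_cells(100, 2000), fits_by_bytes(100, 2000, strlen(box)));
    printf("length after fill: %zu\n", demo_fill(100, 1331, box));
    return 0;
}
```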
Problem:
When vim._watch.watch() is used to watch a single file, libuv returns
the basename as the filename argument in the callback. The code joins
this with the watched path, producing a nonsensical path like
"/path/to/file.lua/file.lua", which causes ENOTDIR errors on
subsequent fs_stat calls.
Solution:
Check whether the watched path is a directory before joining the
filename. When watching a file, ignore the filename from libuv and
use the watched path directly.
(cherry picked from commit d9d8c660fd)
Problem: matchadd() conceal may use unrelated syntax cchar.
Solution: Only use syntax cchar when syntax_flags has HL_CONCEAL
(zeertzjq).
closes: vim/vim#19459
d01f234ec1
(cherry picked from commit 785ac9f228)
Problem: `install_deps.sh` tries to install `ninja` on macOS, but it is
installed on the runners by default, triggering warnings (and wasting
time) on CI.
Solution: Don't `brew install ninja`.
(cherry picked from commit 4b14ba5258)
After #27620 flags.timeout is no longer used as the minimal timeout for
"intermediate", but the default minimal timeout shouldn't be too small.
(cherry picked from commit d0c699ec7b)
Problem: Setting 'winhighlight' doesn't work after setting global namespace
using nvim_win_set_hl_ns().
Solution: Check if using another namespace when setting 'winhighlight'
instead of disabling 'winhighlight' in nvim_win_set_hl_ns().
(cherry picked from commit f8d59cfab9)
Problem: Tests for deprecated highlight API were mixed with current API tests.
Solution: Move them to deprecated_spec.lua and update highlight_spec.lua to use nvim_get_hl.
(cherry picked from commit 31c45f1aa4)
Problem: Crash on failed sockconnect() if a new connection is accepted
while polling for uv events.
Solution: Don't use channel_destroy_early().
Also test "tcp" mode failure properly.
(cherry picked from commit 64ce5382bd)
Problem:
On Windows, writing to a pipe doesn't work if the pipe isn't connected
yet. This causes an RPC request to a session newly created by connect()
to hang, as it's waiting for a response to a request that never reaches
the server.
Solution:
Wait for uv.pipe_connect() callback to be called when using connect().
Sometimes the scheduled :qall can arrive too late, so that EOF isn't
received in the same uv_run() call as the response.
(cherry picked from commit a9454f8511)
Problem: Page scrolling in Insert mode beeps (after 9.1.0211).
Solution: Fix incorrect return value of pagescroll(). Also invert the
return value of scroll_with_sms() to be less confusing and
match comments (zeertzjq).
fixes: vim/vim#19326
closes: vim/vim#19327
a8ce914db1
(cherry picked from commit bdd886622d)
Problem: :tab sbuffer may close old tabpage if BufLeave autocommand
splits window (after 9.1.0143).
Solution: Only close other windows if the buffer will be unloaded
(zeertzjq).
related: neovim/neovim#37749
closes: vim/vim#19352
6da9f757c4
(cherry picked from commit e704529909)
Problem: windows may scroll horizontally upon resize using the old terminal
size, which may be unnecessary and cause the content to be partially out-of-view.
Solution: reset the horizontal scroll after resizing.
Adjust expected highlights, as commit e946951f6a isn't backported.
(cherry picked from commit ba6440c106)
Problem: Another case of buffer overflow with 'helpfile'.
Solution: Leave room for "tags" in the buffer (zeertzjq).
closes: vim/vim#19340
21d591fb12
(cherry picked from commit 15061d322d)
Problem:
Calling os_chdir() to change the child processes' CWD may cause some
unnecessary UI events to be buffered. These UI events don't go anywhere
as execvp() is called before flushing the UI buffer.
Solution:
Use uv_chdir() instead of os_chdir(). Also fix getting error string
incorrectly. Add test for the current behavior.
(cherry picked from commit 6291256868)
Problem: tests: Test_language_cmd fails on OpenBSD because the test
uses an invalid locale name and expects the command to produce
an error. OpenBSD accepts (almost) any locale name as valid by
design, so the :lang command succeeds and the test fails.
Solution: Slightly update the "bad" locale name to make it something
that OpenBSD considers invalid by adding a dot (but not ending
with ".UTF-8"). Maintain the original two underscores in the
name because that ensures Windows will also see it as invalid
(Kevin Goodsell).
closes: vim/vim#19280
371583642a
(cherry picked from commit 5e1a3df5ae)
Problem: Heap UAF if a terminal buffer is deleted during TermRequest in
Normal mode.
Solution: Increment terminal refcount before triggering TermRequest, and
destroy the terminal if the buffer is closed during that.
(cherry picked from commit b40880f88f)
Problem: Cursor visibility test may fail if the :sleep lasts too long.
Solution: Wait for the TermLeave autocommand to finish.
(cherry picked from commit b95e0a8d20)
Problem:
Users may be unaware that setting `g:clipboard` after providers are
initialized has no effect, and that `has('clipboard')` initializes
providers, as in #13062.
Solution:
Note the restriction and link to workarounds in FAQ for discoverability.
(cherry picked from commit 2a906bfad6)
Problem:
`on_list` is supposed to replace the default list-handler. With the current order of these `if` statements `on_list` won't be called if `loclist` is true.
Solution:
Change the order of the relevant blocks.
(cherry picked from commit 0501c5fd09)
Problem: when option value is false, it's treated as invalid,
then triggers FileType event again
Solution: use cached false value
(cherry picked from commit babdab2f70)
Problem:
Two cases lsp.enable() won't work in the first FileType event
1. lsp.enable luals inside FileType or ftplugin/lua.lua, then:
```
nvim a.lua
```
2. lsp.enable luals inside FileType or ftplugin/lua.lua, then:
```
nvim -> :edit a.lua -> :mksession! | restart +qa! so Session.vim
```
Solution:
Currently `v:vim_did_enter` is used to detect two cases:
1. "manually enabled" (lsp.enable() or `:lsp enable`)
2. "inside FileType event"
To detect 2. correctly we use did_filetype().
(cherry picked from commit fd45bc8cab)
Following is a list of fix/feature commits in this release.
See `:help news` in Nvim for release notes.
FEATURES
--------------------------------------------------------------------------------
- b92e92b20d lsp: support auto-force escalation in client stop #36430
- 808d973fb0 lsp: warn about unknown filetype #36910
FIXES
--------------------------------------------------------------------------------
- 5e7af0ba01 :ls: check for finished terminal properly (#37303)
- 6ce7b9b851 api: autocmds mess up nvim_get_option_value's dummy buffer
- c124594b22 api: buffer overflow in nvim_buf_get_extmarks overlap #37184
- 7f51431c12 api: crash when moving curwin to other tabpage #35679
- 7896fe2dea api: do not allow opening float to closing buffer
- 91ebbc6c4e api: ignore split_disallowed when opening a float
- 10a1df2789 api: nvim_get_option_value dummy buffer crashes
- da825e5541 api: on_bytes gets stale data on :substitute #36487
- a9ffdca528 api: open_win leak from naughty autocommands
- 92849eacff api: parse_expression crash with ident and curly
- 1db945b584 api: parse_expression crash with unopened ] and node
- 79b67ce331 appimage: wrong $ARCH used by linuxdeploy #36712
- 46011a4e87 autocmd: fire TabClosed after freeing tab page
- a512d43716 autocmd: heap UAF with :bwipe in Syntax autocmd
- bea500dbeb autocmd: parsing of comma-separated buflocal patterns
- 648cf4e586 autocmd: skip empty comma-separated patterns properly
- fa24e045e9 buffer: defer w_buffer clearing to prevent dict watcher crash #36748
- 9fb49aacde buffer: don't allow changedtick watcher to delete buffer (#36764)
- cae3c838a7 buffer: don't reuse 1-line terminal buffer (#37261)
- 6f84ea7c66 buffer: switching buffer should respect jumpoptions+=view (#36969)
- 16ca7ceaed build: disable problematic marktree assert in RelWithDebInfo builds
- c469cba162 channel: unreference list after callback finishes (#37358)
- 43f5297fe3 clipboard: tmux clipboard data may be stale #36787
- 0358f37e3d clipboard: use tmux only in a tmux session (#36603)
- 7e99466a89 eval: 0 should mean current tabpage in gettabvar() (#36891)
- 656ff4c438 events: crash on WinScrolled #35995
- 63c5a101af install: only install "tee" on Windows #36629
- e8c21a8b51 langmap: assert failure on mapping to char >= 256 (#37291)
- 890c257194 lsp: check `nvim.lsp.enable` before `doautoall` #36518
- 275c769f01 lua: don't remove first char of non-file stacktrace source (#37008)
- 83c589d95f lua: relax `vim.wait()` timeout validation (#36907)
- bd2317f17f lua: separate vim.{g,b,w,t} types #37081
- f21c169a02 lua: vim._with() doesn't save boolean options properly (#37354)
- 9acbf5102f lua: vim.wait(math.huge) fails #36885
- 5143419e22 man.lua: :Man slow/hangs if MANPAGER is set #36689
- df9452ea9e man.lua: show_toc condition may cause infinite loop #36979
- 124c18261c marks: wrong line('w$', win) with conceal_lines (#37047)
- 6ef1b655fe normal: assertion failure with "gk" in narrow window (#37444)
- 5ca2eb5e48 remote: remote-ui connect timeout on slow networks #36800
- 2a3cd8dc80 rpc: don't overwrite already received results on error (#37339)
- e0fdfd3d4b scripts: release.sh
- ba600c495f session: window sizes not stored with float windows (#37344)
- 53090ab6a8 statusline: scope truncation bookkeeping
- 800118e204 terminal: :edit should respect 'bufhidden' with exited job (#37301)
- 4b41c284ed terminal: <Ignore> should be no-op (#37494)
- 074d342f63 terminal: avoid multiple terminals writing to same buffer (#37219)
- 2cc78732fc terminal: crash when TermClose deletes other buffers
- ea871923eb terminal: crash when TermClose switches back to terminal buffer
- ceed171485 terminal: crash with race between buffer close and OSC 2 (#37225)
- acc46e1dd7 terminal: handle closing terminal with pending TermRequest (#37227)
- bb31e7b345 terminal: inconsistent mode change when switching buffer (#37215)
- 40c974e689 terminal: restore options properly when switching buffer (#37485)
- 46f569a890 treesitter: use metadata in :EditQuery captures #37116
- 076f7994be trust: :trust command on Windows #36509
- d997c8e344 tutor: escape tutor filename #36539
- fcd0517dee ui.open: use "start" instead of deprecated "rundll32" #36731
- 6a507bad18 vim.fs: abspath(".") returns "/…/." (#36584)
- d974c684da vim.fs: root() should always return absolute path #36466
- 91fd4d127e vim.loader: randomized AppImage path pollutes luac cache #35636
- 45cda1bcf4 vim.loader: randomized AppImage path pollutes luac cache #36944
- d9631c7678 window: crash closing only non-float if autocmds :tabonly (#37218)
- f7e2554bfb window: crash closing split if autocmds close other splits (#37233)
- 7a9bced071 window: disallow closing autocmd window in other tabpage
- 88619e1aaf window: handle closing the only non-float in other tabpage
- d38ba7e2b8 window: restore b_nwindows if win_close_othertab keeps window
- 6338d2d54b window: win_move_after UAF from naughty autocmds (#37065)
- fac7c10eb8 windows: set manifest resource ID to 1 in nvim.rc for MinGW (#36611)
BUILD
--------------------------------------------------------------------------------
- d0ed06dcea haiku os support #36639
- a94647bb08 build(windows): restore "tee" on Windows #36627
- 1f93acc293 build(windows): vendor xxd.c (#36755)
REVERTED CHANGES
--------------------------------------------------------------------------------
- ae25f6942e fix: vim.lsp.omnifunc should not throw away other items
VIM PATCHES
--------------------------------------------------------------------------------
- b3eab00e55 229f79c: runtime(yaml): fix wrong order of undo_ftplugin suboptions
- 89f8e97099 3a324c8: runtime(doc): Fix typo in syntax.txt (#37522)
- d1cd79a4b6 64799a5: runtime(doc): clarify the behavior of CTRL-Z
- 0978d83c6e 7bc9880: runtime(make): do not automatically indent after a special target
- 781da755e8 8.1.0753: printf format not checked for semsg() (#37248)
- 44eae48b75 9.1.0893: No test that undofile format does not regress (#37193)
- 9a50420461 9.1.1872: Cmdline history not updated when mapping <Up> and <CR> (#36334)
- d1604e0f38 9.1.1969: Wrong cursor position after formatting with long 'formatprg' (#36918)
- fda8d2c717 9.1.2028: [security]: Buffer-overflow with incomplete multi-byte chars (#37133)
- f96e401b7e 9.1.2055: Division by zero in :file after failing to wipe buffer (#37268)
- f8961c3878 9.1.2058: b_locked_split is not checked for :sbuffer
- 9f2b991331 9.1.2066: :wqall! doesn't close a terminal like :qall! does (#37314)
- b1fa8f1430 9.1.2068: :bd/bw may try to switch to a closing buffer
- 600d9f35a4 9.1.2086: Memory leak when skipping invalid literal dict
- 0cc15be15d 9.1.2087: Crash when using :tabonly in BufUnload
- d052d22979 9.1.2090: Last buffer not freed with EXITFREE
- 537e8d69f8 9.1.2095: :wqall! doesn't quit when using :quit in BufWritePost
- 0b1f5a1d60 9.1.2105: tests: not enough tests for using plain_vgetc() (#37521)
- 0da1e4b1c5 9.1.2107: :normal may change cmdline history (#37523)
- a66fce6fab 98a0cbf: patch 9.1.1971: crash with invalid positional argument 0 in printf() (#36919)
- 85404d18fe eb732ed: runtime(doc): Wrap overlength lines in uganda.txt (#36550)
- a93b5a7104 fe8c8b1: runtime(doc): fix outdated :function help
- 0706c55ab1 partial:9.1.1955: sort() does not handle large numbers correctly (#36840)
Problem: Not enough tests for using plain_vgetc().
Solution: Add tests for using plain_vgetc() during various commands.
(zeertzjq)
closes: vim/vim#19236
2b6bdbc697
(cherry picked from commit e0b724de09)
Problem: Cmdline history not updated when mapping both <Up> and <CR>.
Solution: Consider the command typed when in Cmdline mode and there is
no pending input (zeertzjq).
Although the existing behavior technically does match documentation, the
"completely come from mappings" part is a bit ambiguous, because one may
argue that the command doesn't completely come from mappings as long as
the user has typed a key in Cmdline mode. I'm not entirely sure if this
change will cause problems, but it seems unlikely.
fixes: vim/vim#2771
related: neovim/neovim#36256
closes: vim/vim#18607
97b6e8b424
(cherry picked from commit 2407833ba1)