13.0.1

13.0.1: 2024-10-02

• IDL core version: 3.0
• C++ version: 13.0.1
• C# NuGet version: 13.0.1
• Java version: 13.0.1
• gbc & compiler library: 0.13.0.0

Java

• There were no Java changes in this release.

C++

• InputBuffer throws a StreamException when trying to skip beyond the
  end of the stream. This mitigates a CPU DoS vulnerability.
• Deserialization from JSON payloads will no longer process very deeply
  nested structures. Instead, a bond::CoreException will be thrown in
  order to protect against stack overflows. The depth limit may be changed
  by calling the function bond::SetDeserializeMaxDepth(uint32_t).
• Breaking change: Protocols must now implement CanReadArray method and
  Buffers must implement CanRead method. These are used to perform checks that
  mitigate memory allocation vulnerabilities.
• Breaking change: Custom containers must implement reset_list and list_insert.
  Standard implementations are provided. This API is used to incrementally fill
  containers of complex types when preallocation may be unsafe. Expected container
  size is provided in reset_list, where client code can perform sanity checks before
  any memory is allocated by Bond.
• bond::CoreException is thrown when the payload has a greater declared size
  than the backing buffer.
• Known issue: Debug builds with MSVC 14.0 (Visual Studio 2015) may fail at
  runtime if custom allocators for containers are used. Newer MSVC versions and
  other compilers are not affected, neither are Release builds with MSVC 14.0. This
  can be worked around by using newer MSVC version or building in Release configuration.
• Added support for Boost 1.83.

C#

• Fixed compatibility with .NET 9.

11.0.1

11.0.1: 2024-06-26

• IDL core version: 3.0
• C++ version: 11.0.1
• C# NuGet version: 11.0.1
• Java version: 11.0.1
• gbc & compiler library: 0.13.0.0

gbc and Bond compiler library

• Breaking change: Codegen for Bond-over-gRPC has been removed: the
  --grpc switch is no longer supported. Service definitions are still
  parsed, but codegen can no longer be done for C++ or C#. See issue
  #1131, Bond-over-gRPC will be deprecated February
  2022, for the full
  announcement.

C++

• Breaking change: All Bond-over-gRPC code has been removed. This is
  everything under the bond::ext:grpc namespace. Service definitions can
  still appear in .bond files, but no C++ code will be generated for them.
  See issue #1131, Bond-over-gRPC will be deprecated February
  2022, for the full
  announcement.
• By default, deserialization will no longer process very deeply nested
  structures. Instead, an bond::CoreException will be thrown in order to
  protect against stack overflows. The depth limit may be changed by calling
  the function bond::SetDeserializeMaxDepth(uint32_t).
• Fixed handling of large containers of invalid types that could cause
  excessive CPU use when deserializing some payloads.

C#

• Breaking change: Update of Newtonsoft.Json library to version 13.3.0.
  (Issue #1156)

  This update fixes depth check in input JSON string (by default: 64).
  Depth check is necessary to prevent stack overflow issue with long payloads.

• Breaking change: The minimum supported version of .NET Framework is
  4.6.2. Support for .NET Framework 4.5 has been dropped.

• Breaking change: All Bond-over-gRPC code has been removed. This is
  everything under the Bond.Grpc namespace and the Bond.Grpc.CSharp NuGet
  package. Service definitions can still appear in .bond files, but no C#
  code will be generated for them. See issue #1131, Bond-over-gRPC will be
  deprecated February 2022,
  for the full announcement.

• Added codegen and deserialization support for container type aliases to
  use
  System.Collections.Immutable
  collections. (Pull request
  #1161)

• By default, deserialization will no longer process very deeply nested
  structures. Instead, an InvalidOperationException will be thrown in
  order to protect against stack overflows. The depth limit may be changed
  by setting the property Bond.DeserializerControls.Active.MaxDepth.

Java

• By default, deserialization will no longer process very deeply nested
  structures. Instead, a org.bondlib.InvalidBondDataException exception
  will be thrown in order to protect against stack overflows. The depth
  limit may be changed by calling the method
  org.bondlib.bond.DeserializerControls.setMaxDepth.

10.0

10.0: 2022-03-07

• IDL core version: 3.0
• C++ version: 10.0
• C# NuGet version: 10.0
• gbc & compiler library: 0.12.1.0

C++

• Breaking change: Bond-over-gRPC has been marked deprecated.
  Bond-over-gRPC will be removed in the next major version of Bond. See
  issue #1131, Bond-over-gRPC will be deprecated February
  2022, for the full
  announcement.
  • The [[deprecated]] attribute has been added to the bond::ext::grpc
    namespace in every top-level Bond-over-gRPC++ header. This will cause
    compiler warnings/errors for uses of Bond-over-gRPC++ that you may need
    to handle.
• Fixed multiple symbol definition for Win32Exception in
  grpc/win_thread_pool.h. (Issue
  #1129)
• Add forward declaration for GenericWriteVariableUnsigned to fix "C3861:
  'GenericWriteVariableUnsigned': identifier not found" when using custom
  streams that do not have their own implementation of
  WriteVariableUnsigned. (Issue
  #1115)
• Fixed bond::DynamicParser that may not emit transform's OmittedField
  for compile-time schema and an omitted optional field in the payload.
  (Issue #1120)
• Fixed missing include directives.
• Removed bond::blob's unnecessary _content member, reducing its size
  by 1 pointer.
• Added an ability to apply transform to a schema.
• Added noexcept to bond::blob's non-throwing functions.

C#

• Breaking change: Bond-over-gRPC code has been marked deprecated.
  Bond-over-gRPC will be removed in the next major version of Bond. See
  issue #1131, Bond-over-gRPC will be deprecated February
  2022, for the full
  announcement.
  • The [Obsolete] attribute has been added to every public type in the
    Bond.Grpc assembly. This will cause compiler warnings/errors for uses
    of Bond-over-gRPC# that you may need to handle.
• Added virtual method OutputBuffer.ResizeBuffer that can be overridden to
  use buffer allocators other than new byte[] (e.g.
  ArrayPool<byte>.Rent()). (Pull request
  #1128)
• The error message emitted when duplicate .bond items are detected by the
  MSBuild codegen now correctly refers to $(EnableDefaultItems) as the
  switch that controls this behavior. (Issue
  #1110)

9.0.5

9.0.5: 2021-04-14

• IDL core version: 3.0
• C++ version: 9.0.5
• C# NuGet version: 9.0.5
• gbc & compiler library: 0.12.1.0

C++/Python

• Added CMake variable BOND_FIND_GRPC to allow for external gRPC
  installations. The search for external GRPC installations is only done
  when BOND_ENABLE_GRPC is TRUE.
• Removed use of deprecated std::ptr_fun in the Python library. (Issue
  #1080)

C#

• Implicit codegen now excludes any .bond files in the project's output
  directories (e.g., bin/, obj/debug/netstandard1.0). This behavior
  matches the implicit compilation behavior for .cs files.

9.0.4

9.0.4: 2020-11-23

• IDL core version: 3.0
• C++ version: 9.0.4
• C# NuGet version: 9.0.3
• gbc & compiler library: 0.12.1.0

C++

• Bond now uses the [[noreturn]] attribute to annotate functions that do
  not return. Previously, it used compiler-specific annotations.

C#

• There were no C# changes in this release.

9.0.3

9.0.3: 2020-08-06

• IDL core version: 3.0
• C++ version: 9.0.2
• C# NuGet version: 9.0.3
• gbc & compiler library: 0.12.1.0

C++

• There were no C++ changes in this release.

C#

• Fixed a performance regression in OutputBuffer.Grow: it was incorrectly
  growing the buffer by one byte at a time instead of geometrically. (Issue
  #1065, Pull request
  #1066)

9.0.2

9.0.2: 2020-08-03

• IDL core version: 3.0
• C++ version: 9.0.2
• C# NuGet version: 9.0.2
• gbc & compiler library: 0.12.1.0

C++

• gbc is now installed with 555 (r-xr-xr-x) permissions. (Issue
  #1062)

C#

• Fixed a regression writing to non-seekable streams using
  CompactBinaryWriter. The fix in commit
  b0fd4a1
  inadvertently added a call to Stream.Position in the Release
  configuration. This call is only indented to be made when Bond is built in
  the Debug configuration.

9.0.1

9.0.1: 2020-07-14

• IDL core version: 3.0
• C++ version: 9.0.1
• C# NuGet version: 9.0.1
• gbc & compiler library: 0.12.1.0

C++

• The RapidJSON submodule now points to commit
  8f4c021.
  This addresses some aliasing warnings in recent versions of Clang and GCC.
  • The RapidJSON submodule now uses its new home under the Tencent
    organization.

C#

• Fixed MSB3105/CS2002 error about duplicate Compile items when a directory
  contains multiple .bond files and --gprc is in $BondOptions. (Issue
  #1050)
• Fix handling of large container lengths that could cause an infinite loop
  when deserializing some payloads. This fix addresses
  CVE-2020-1469.

9.0.0

9.0: 2020-05-26

• IDL core version: 3.0
• C++ version: 9.0.0
• C# NuGet version: 9.0.0
• gbc & compiler library: 0.12.1.0

C++

• Breaking change MSVC 2013 support has been removed. (Issue
  #851)
• Breaking change bond/core/warning.h has been deleted. Since the
  5.3.0 release, Bond hasn't needed global warning
  suppressions for any compiler except MSVC 2013. This file was only used
  for MSVC 2013, which is no longer a supported compiler.
• Fixed MSVC warning for deprecation of std::result_of_t in /std:c++17.
  (Issue #1007)
• Fixed MSVC warning C5208: unnamed class used in typedef name cannot
  declare members other than non-static data members, member enumerations,
  or member classes. (Issue
  #1027)
• Fixed Boost 1.73 warning "The practice of declaring the Bind placeholders
  (_1, _2, ...) in the global namespace is deprecated." (Pull request
  #1036)

C#

• Fixed creation of duplicate default constructor when defining an empty struct
  and using --preview-constructor-parameters.
  (Issue #963)
• The .NET assemblies are now only Authenticode signed with SHA-2. Legacy
  Windows OS versions may need updates to work with SHA-2
  signatures.

gbc and Bond compiler library

• C++ codegen no longer supports MSVC 2013.
• gbc is now only Authenticode signed with SHA-2. Legacy Windows OS versions
  may need updates to work with SHA-2
  signatures.

8.2.0

8.2.0: 2019-11-18

• IDL core version: 3.0
• C++ version: 8.2.0
• C# NuGet version: 8.2.0
• gbc & compiler library: 0.12.0.0

C++

• gRPC v1.17.1 is now required to use Bond-over-gRPC.
• Fixed an ambigious HexDigit overload compilation error when
  compiling with some versions of GCC. (Pull request
  #954)
• Fixed ambiguous call to maybe::operator== that breaks GCC 9
  build. (Pull request
  #975)
• Fixed MSVC warning C4296: "'<': expression is always false" in protocol.h.
  (Issue
  #981)

C#

• Added .NET 4.6 target framework to Bond.IO.dll so that it can use
  MemoryStream.TryGetBuffer() when cloning streams like is done when
  targeting .NET Standard 1.3+.

Bond compiler library

• Breaking change The bond compiler library (the Haskell library) and
  gbc have been switched to build with stackage snapshot lts-14.4. This
  snapshot uses megaparsec 7 and aeson 1.4.4, both of which had breaking
  changes that are reflected in the library, e.g., the parseBond signature
  has changed. There is no impact to users of the gbc command line tool or
  changes to C++ and C# code generation.