Release 1.7.0 #39

Merged
skupriienko merged 9 commits into main from release/v1.7.0
Apr 30, 2026
@skupriienko (Collaborator) commented Apr 30, 2026

Actions:

  • Update CHANGELOG.md
  • Update README.md
  • Update _version.py
  • Build the package from the source
  • Fix minor issues and typos

Notes:

  • A simple test:
python3 -m venv test_mailgun1701

source test_mailgun1701/bin/activate

pip3 install -i https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ mailgun==1.7.0rc1

python3 -c "from mailgun.client import Client"
python3 -c "from mailgun.client import AsyncClient"
python3 -c "import mailgun; from importlib.metadata import version; print(f'Successfully installed v{version(\"mailgun\")}')"

@skupriienko self-assigned this Apr 30, 2026
…mprovements

Implementing a massive BSSN-aligned refactoring of the Mailgun Python SDK's core architecture and security boundaries.

Security & Defense-in-Depth:
- Blocked Path Traversal (CWE-22) in domain webhooks via strict 'sanitize_path_segment' encoding.
- Fixed Case-Sensitive JSON Header Leak (CWE-17) by enforcing RFC 7230 compliance for 'Content-Type'.
- Applied defensive '.rstrip("/")' and safe '.get("keys", [])' dict lookups across all URL handlers to prevent 404 and KeyError crashes.

Core Architecture & Bug Fixes:
- Fixed 'TypeError: multiple values for keyword argument 'headers'' in all HTTP verbs by safely popping headers from kwargs before argument unpacking.
- Abstracted header merging into 'BaseEndpoint._merge_headers' to eliminate DRY violations across sync and async clients.
- Decoupled routing configuration from engine logic by introducing 'ROUTE_ALIASES' in 'routes.py', fixing the 'domains_webhooks' routing bypass.
- Fixed 'AsyncClient' transport closure logic to allow safe context manager reuse.
- Suppressed internal 'KeyError' stack trace leakage in the dynamic '__getattr__' router using 'raise ... from None'.

Testing & Documentation:
- Achieved 100% pass rate across 318 unit and integration tests.
- Added extensive regression tests for CWE-22, kwargs collisions, and async lifecycle bounds.
- Updated CHANGELOG.md and PERFORMANCE.md to reflect the new architecture.
@skupriienko marked this pull request as ready for review April 30, 2026 22:24
@skupriienko merged commit 34a3e6d into main Apr 30, 2026
20 checks passed
@skupriienko deleted the release/v1.7.0 branch April 30, 2026 22:54
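
The path-segment hardening listed in the commit message above (CWE-22, plus the defensive `.rstrip("/")`), sketched as an added example that is not the SDK's own code: `safe_segment`, `build_url` and the `api.example.test` base URL are hypothetical names and constructed values. It shows why percent-encoding alone is not enough: `.` and `..` are unreserved characters and pass through `quote()` unchanged, so they need an explicit reject.

```python
from urllib.parse import quote, unquote


def safe_segment(value: str) -> str:
    """Return `value` encoded so it can only ever occupy ONE URL path segment.

    Hypothetical helper, written for this example only.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("path segment must be a non-empty string")

    # Judge pre-encoded input ("%2e%2e", "%252e%252e") by what it decodes to,
    # in case a proxy or server decodes more than once. Each pass shortens the
    # string, so the loop terminates.
    decoded = value
    while (nxt := unquote(decoded)) != decoded:
        decoded = nxt

    # Dot segments survive quote() untouched, so they are rejected outright.
    if decoded in (".", ".."):
        raise ValueError(f"dot segment not allowed: {value!r}")
    # Control characters (CR/LF, NUL, DEL) have no place in a resource name.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise ValueError(f"control character in segment: {value!r}")

    # safe="" also encodes "/", so "a/b" stays one segment instead of two.
    return quote(value, safe="")


def build_url(base: str, *segments: str) -> str:
    """Join caller-supplied segments onto `base` without doubling slashes."""
    return base.rstrip("/") + "/" + "/".join(safe_segment(s) for s in segments)


if __name__ == "__main__":
    # Constructed inputs: a normal webhook name and a traversal attempt.
    base = "https://api.example.test/v3/domains/"
    print(build_url(base, "example.com", "webhooks", "clicked"))
    print(build_url(base, "example.com", "webhooks", "../../keys"))
    for bad in ("..", "%2e%2e", "%252e%252e", "a\r\nb"):
        try:
            safe_segment(bad)
        except ValueError as exc:
            print("rejected:", exc)
```
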