This Week in Changelogs: curl

via Dev.to, Dmitrii Doroshev

Hey everyone, long time no see! I started TWiC in 2023, and to be honest, mining diffs manually was exhausting; that's why it faded away pretty quickly. Today, with a little bit of LLM and automation, it has become much easier to find hidden gems in modern OSS and bring them to the audience. There's another problem though: sometimes there are too many gems, and I definitely don't want to restart a series of boring longreads. So today, we're gonna cover recent changes in only one project, (arguably) the most popular library and command-line tool in the world - curl.

Zip bomb protection via delivered-bytes tracking

Commit, PR

A zip bomb is a relatively small piece of compressed data that is automatically decompressed on the client side into a giant blob, causing DoS. One way to protect against it is to set a limit on the incoming data size. Curl has had an option for this, CURLOPT_MAXFILESIZE, since 2003. There was one small problem: before 8.20.0 it only affected the amount o
