3.7.0

Closed Jul 25, 2022 0% complete

This is a SECURITY release. All users are encouraged to upgrade immediately.

Changed

  • This release bumps the minimum-supported version of laminas/laminas-diactoros to 2.11.2 in order to pick up security updates. Users who are still pinning to Diactoros 1.x versions will need to update to the later release.

  • Modifies the Mezzio\Swoole\ServerRequestSwooleFactory so that it checks the container for a Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service, creating one via Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders::trustReservedSubnets() if none is present. This change ensures that X-Forwarded-* request headers are only honored when the request comes from a reserved, private subnet (localhost; class A, B, and C subnets; and IPv6 private and link-local subnets). If you need to trust these headers from any source, or never want to trust them, you may provide an alternate server request filter by registering your own implementation of the Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface service.
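
The following is an added example, not code from the mezzio-swoole project: it compares the default filter with two alternates by printing the origin the application would see for the same forwarded headers sent from different peers. The peer addresses, host names and the Composer autoload path are constructed assumptions.

```php
<?php
// Added example. Assumes laminas/laminas-diactoros ^2.11.2 installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed project layout

use Laminas\Diactoros\ServerRequest;
use Laminas\Diactoros\ServerRequestFilter\DoNotFilter;
use Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;

// Candidate filters. The first is what the factory creates when the container
// has no FilterServerRequestInterface service.
$filters = [
    'default: trustReservedSubnets' => FilterUsingXForwardedHeaders::trustReservedSubnets(),
    'stricter: one named proxy'     => FilterUsingXForwardedHeaders::trustProxies(
        ['10.20.0.5/32'], // constructed address of the reverse proxy
        [FilterUsingXForwardedHeaders::HEADER_HOST, FilterUsingXForwardedHeaders::HEADER_PROTO]
    ),
    'never trust: DoNotFilter'      => new DoNotFilter(),
];

// Scheme and host the application sees after filtering a request from $peer.
function seenOrigin(FilterServerRequestInterface $filter, string $peer): string
{
    $request = new ServerRequest(
        ['REMOTE_ADDR' => $peer],      // the filter decides trust from this value
        [],
        'http://app.internal/login',   // constructed URI as received by the server
        'GET',
        'php://memory',
        ['X-Forwarded-Host' => 'shop.example.com', 'X-Forwarded-Proto' => 'https']
    );
    $uri = $filter($request)->getUri();
    return $uri->getScheme() . '://' . $uri->getHost();
}

// Constructed peers: the proxy itself, another private host, a public client.
foreach ($filters as $label => $filter) {
    foreach (['10.20.0.5', '192.168.1.10', '203.0.113.9'] as $peer) {
        printf("%-30s %-13s %s\n", $label, $peer, seenOrigin($filter, $peer));
    }
}

// To use one of these in the application, register it under the interface
// name in the container configuration, for example:
// 'factories' => [FilterServerRequestInterface::class =>
//     static fn () => FilterUsingXForwardedHeaders::trustProxies(['10.20.0.5/32'])],
```

Rows where the printed origin differs from http://app.internal are the peers whose X-Forwarded-* headers that filter honors.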

This milestone is closed.