diff --git a/docs/pages/release_notes.rst b/docs/pages/release_notes.rst index ac9c1b36c..2e71e3e30 100644 --- a/docs/pages/release_notes.rst +++ b/docs/pages/release_notes.rst @@ -13,6 +13,16 @@ Unreleased * #4078: Expose the experimental two-VP flow on ``POST /internal/auth/v2/{subjectID}/request-service-access-token`` via the optional ``service_provider_subject_id`` body field by @stevenvegt in https://github.com/nuts-foundation/nuts-node/pull/4228 * #4233: ``request-credential`` API gains an optional ``credential_request_params`` JSON object overlaid on top of the OpenID4VCI Credential Request body sent to the issuer. Lets the wallet talk to issuers that accept additional fields, or to override the credential request entirely. +**************** +Peanut (v6.2.9) +**************** + +Release date: 2026-06-30 + +- Upgrade ``github.com/jackc/pgx/v5`` to v5.9.2 to address `GO-2026-5004 `_ (SQL injection in the non-default simple protocol when a dollar-quoted string literal contains an attacker-controlled value that looks like a placeholder). + +**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v6.2.8...v6.2.9 + **************** Peanut (v6.2.8) **************** @@ -500,6 +510,16 @@ The following features have been deprecated: - Network v1 API, to be removed - VDR v1 API, replaced by VDR v2 +************************* +Hazelnut update (v5.4.36) +************************* + +Release date: 2026-06-30 + +- Upgrade ``github.com/jackc/pgx/v5`` to v5.9.2 to address `GO-2026-5004 `_ (SQL injection in the non-default simple protocol when a dollar-quoted string literal contains an attacker-controlled value that looks like a placeholder). + +**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.4.35...v5.4.36 + ************************* Hazelnut update (v5.4.35) *************************