Releases: agronholm/cbor2

6.0.0rc1

25 Mar 22:56

  • MAJOR REWRITE: The Python and C implementations of the encoder and decoder were replaced with a single, Rust-based implementation in the interest of maintainability.

    Here are some of the highlights:

    • Improved memory safety (100% safe-mode Rust)
    • Complete elimination of reference leaks
    • Support for free-threading and subinterpreters
    • Substantially improved performance
    • Improved decoder error handling where any non-base exception gets wrapped in a CBORDecodeError
    • Iterative, rather than recursive decoding, meaning the container nesting depth is limited only by the available memory, rather than the C stack size
  • BACKWARD INCOMPATIBLE Changed the signature of the tag_hook decoder callables to accept (CBORTag, immutable) as arguments instead of (CBORDecoder, CBORTag)

  • BACKWARD INCOMPATIBLE Changed the signature of the object_hook decoder callables to accept (Mapping[Any, Any], bool) instead of (CBORDecoder, dict[Any, Any])

  • BACKWARD INCOMPATIBLE Removed the break_marker singleton as no longer necessary

  • BACKWARD INCOMPATIBLE Removed the CBORDecodeValueError exception, instead chaining ValueError or TypeError to a CBORDecodeError

  • BACKWARD INCOMPATIBLE Changed the decoding of semantic tag 261 to yield an IPv4Interface or IPv6Interface if the address contains host bits

  • BACKWARD INCOMPATIBLE Removed the individual decoding functions from the API as they were mistakenly called directly by users. Please open an issue if you need them back.

  • BACKWARD INCOMPATIBLE Changed the encoding of IP addresses to use the semantic tags 52 and 54 instead of the deprecated 260 and 261 (#232)

  • BACKWARD INCOMPATIBLE Dropped the deprecated cbor2.decoder and cbor2.encoder modules – everything in the API is now importable directly from cbor2

  • BACKWARD INCOMPATIBLE The cbor2.FrozenDict class has now been renamed frozendict and is not available on Python 3.15 where the built-in frozendict class must be used instead

  • Added the semantic_decoders decoder option to add or override decoders for specific semantic tags

  • Added the immutable decoder flag to always use immutable containers where possible when decoding a CBOR stream

  • Added the allow_indefinite decoder option to optionally disallow indefinite-length strings and containers

  • Dropped support for Python 3.9

  • Fixed the decoder not rejecting invalid two-byte simple value sequences (0xF800 - 0xF81F)

5.9.0

22 Mar 15:55

  • Added the max_depth decoder parameter to limit the maximum allowed nesting level of containers, with a default value of 400 levels (CVE-2026-26209)
  • Changed the default read_size from 4096 to 1 for backwards compatibility. The buffered reads introduced in 5.8.0 could cause issues when code needs to access the stream position after decoding. Users can opt-in to faster decoding by passing read_size=4096 when they don't need to access the stream directly after decoding. Added a direct read path for read_size=1 to avoid buffer management overhead. (#275; PR by @andreer)
  • Fixed C encoder not respecting string referencing when encoding string-type datetimes (tag 0) (#254)
  • Fixed a missed check for an exception in the C implementation of CBOREncoder.encode_shared() (#287)
  • Fixed two reference/memory leaks in the C extension's long string decoder (#290; PR by @killiancowan82)
  • Fixed C decoder ignoring the str_errors setting when decoding strings, and improved string decoding performance by using stack allocation for small strings and eliminating unnecessary conditionals. Benchmarks show 9-17% faster deserialization. (#255; PR by @andreer)
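
A stand-alone sketch of two decoder hardening points from these notes, the max_depth nesting limit (5.9.0) and the rejection of the two-byte simple values 0xF800 - 0xF81F (6.0.0rc1), walking the input with an explicit stack instead of recursion. This is an added example, not cbor2's own code: `max_nesting` is a hypothetical helper, and counting tags and chunked strings as nesting levels is an assumption of the sketch.

```python
MAX_DEPTH = 400  # default max_depth named in the 5.9.0 release note


def max_nesting(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Walk one CBOR item without recursion and return its deepest nesting level."""
    pos, deepest = 0, 0
    stack = []  # per open container/tag: child items still expected (None = indefinite)
    while True:
        if pos >= len(data):
            raise ValueError("premature end of data")
        major, info = data[pos] >> 5, data[pos] & 0x1F
        pos += 1
        arg = info
        if 24 <= info <= 27:  # argument is in the next 1, 2, 4 or 8 bytes
            size = 1 << (info - 24)
            if pos + size > len(data):
                raise ValueError("premature end of data")
            arg = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        elif info == 31 and major in (2, 3, 4, 5, 7):
            arg = None  # indefinite length, or the break byte 0xFF
        elif info >= 28:
            raise ValueError("reserved additional information value")
        if major == 7 and info == 24 and arg < 32:
            raise ValueError("invalid two-byte simple value (0xF800-0xF81F)")
        complete = True
        if major == 7 and arg is None:  # break closes the innermost indefinite item
            if not stack or stack[-1] is not None:
                raise ValueError("unexpected break")
            stack.pop()
        elif major in (2, 3) and arg is not None:  # definite string: skip its payload
            if pos + arg > len(data):
                raise ValueError("premature end of data")
            pos += arg
        elif major in (2, 3, 4, 5, 6):  # chunked string, array, map or tag
            if len(stack) >= max_depth:
                raise ValueError(f"nesting deeper than {max_depth} levels")
            children = 1 if major == 6 else arg * 2 if major == 5 and arg else arg
            deepest = max(deepest, len(stack) + 1)
            if children != 0:
                stack.append(children)
                complete = False
        while complete and stack and stack[-1] is not None:
            stack[-1] -= 1
            if stack[-1]:
                break
            stack.pop()  # container finished, so its parent gained one item
        if complete and not stack:
            return deepest


# Constructed sample: 401 nested one-element arrays around the integer 0.
TOO_DEEP = b"\x81" * 401 + b"\x00"
```

Calling `max_nesting(TOO_DEEP)` raises `ValueError`, while the same input with 400 levels is accepted; because the walk keeps its own stack, the only ceiling on depth is the configured limit.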

5.8.0

30 Dec 18:43

  • Added readahead buffering to C decoder for improved performance. The decoder now uses a 4 KB buffer by default to reduce the number of read calls. Benchmarks show 20-140% performance improvements for decoding operations. (#268; PR by @andreer)
  • Fixed Python decoder not preserving share index when decoding array items containing nested shareable tags, causing shared references to resolve to wrong objects (#267; PR by @andreer)
  • Reset shared reference state at the start of each top-level encode/decode operation (#266; PR by @andreer)

5.7.1

24 Oct 09:21

  • Improved performance on decoding large definite bytestrings (#240; PR by @dwpaley)
  • Fixed a read(-1) vulnerability caused by boundary handling error (#264; PR by @tylzh97)

5.7.0

14 Aug 08:58

  • Added support for Python 3.14 (no free-threading support yet, sorry)
  • Dropped support for Python 3.8 (#247; PR by @hugovk)
  • Added support for encoding indefinite containers (#256; PR by @CZDanol)
  • Added complex number support (tag 43000) (#249; PR by @chillenb)

5.6.5

09 Oct 12:25

  • Published binary wheels for Python 3.13

5.6.4

06 Jun 08:56

  • Fixed compilation of C extension failing on GCC 14
  • Fixed compiler warnings when building C extension

5.6.3

10 Apr 22:33

  • Fixed decoding of epoch-based dates being affected by the local time zone in the C extension

5.6.2

19 Feb 18:39

  • Fixed __hash__() of the C version of the CBORTag type crashing when there's a recursive reference cycle
  • Fixed type annotation for the file object in cbor2.dump(), cbor2.load(), CBOREncoder and CBORDecoder to be IO[bytes] instead of BytesIO
  • Worked around a CPython bug that caused a SystemError to be raised, or even a buffer overflow to occur when decoding a long text string that contained only ASCII characters
  • Changed the return type annotations of cbor2.load() and cbor2.loads() to return Any instead of object so as not to force users to make type casts

5.6.1

01 Feb 21:30

  • Fixed use-after-free in the decoder's C version when prematurely encountering the end of stream
  • Fixed the C version of the decoder improperly raising CBORDecodeEOF when decoding a text string longer than 65536 bytes