Releases: static-web-server/static-web-server

v2.43.0

@github-actions github-actions released this 10 Jun 22:27
v2.43.0
74b0f3c

This new v2.43.0 release brings bug fixes, new features and improvements: a fix for unnecessary pre-compressed file lookups, FIPS-capable TLS support via a new Cargo feature and prebuilt binaries, several performance optimizations, hardening across several modules, better byte-range suffix detection and extract normalization coverage, CI workflow updates and other enhancements.

Fixes

Features

Refactorings

Docs

For more details see the v2.43.0 milestone and the full changelog v2.42.0...v2.43.0.

v2.42.0

@github-actions github-actions released this 27 Mar 15:27
v2.42.0
dd383af

This new v2.42.0 release brings bug fixes, new features and improvements: a fix for a memory increase regression introduced in v2.40.0, support for HTTP Prometheus metrics, local time for logs by default, support for the POSIX TZ environment variable to configure the log timezone, as well as other minor improvements.

Fixes

  • 0b128b9 Update dependencies and bump up Rust to 1.88.0. PR #641 by @joseluisq
  • 4124999 Regression: Memory increase for Linux Musl statically-linked binaries introduced in v2.40.0. See PR #640 by @joseluisq
  • 8451cf7 --disable-symlinks option does not work properly if a path contains intermediate symlink components. PR #639 by @joseluisq
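The intermediate-symlink case from the last fix above, as an added example (not the project's code): a check that inspects only the final path misses a symlinked parent directory, while a per-component walk catches it. The function names and the temporary directory layout are assumptions made for this illustration, and the demo is Unix-only.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink; // Unix-only demo
use std::path::{Component, Path};

// Weak: inspects only the final path; the OS silently follows a symlinked parent directory.
fn final_is_symlink(root: &Path, rel: &Path) -> io::Result<bool> {
    Ok(fs::symlink_metadata(root.join(rel))?.file_type().is_symlink())
}

// Stricter: walk the request path below `root` and test every component.
fn any_component_is_symlink(root: &Path, rel: &Path) -> io::Result<bool> {
    let mut cur = root.to_path_buf();
    for comp in rel.components() {
        match comp {
            Component::Normal(name) => cur.push(name),
            Component::CurDir => continue,
            // `..`, a root or a drive prefix has no place in a request path.
            _ => return Err(io::Error::new(io::ErrorKind::InvalidInput, "bad component")),
        }
        // symlink_metadata does not follow a link at `cur` itself.
        if fs::symlink_metadata(&cur)?.file_type().is_symlink() {
            return Ok(true);
        }
    }
    Ok(false)
}

// Builds a constructed tree: root/link -> outside/, outside/secret.txt.
fn demo() -> io::Result<(bool, bool)> {
    let base = std::env::temp_dir().join(format!("symlink_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let (root, outside) = (base.join("root"), base.join("outside"));
    fs::create_dir_all(&root)?;
    fs::create_dir_all(&outside)?;
    fs::write(outside.join("secret.txt"), b"constructed")?;
    symlink(&outside, root.join("link"))?;
    let rel = Path::new("link/secret.txt");
    let result = (final_is_symlink(&root, rel)?, any_component_is_symlink(&root, rel)?);
    fs::remove_dir_all(&base)?;
    Ok(result)
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?); // (final-only check, per-component check)
    Ok(())
}
```

A path-based check followed by a separate open still leaves a window in which a component can be swapped, so this walk narrows the problem rather than closing that race.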

Features

Docs

For more details see the v2.42.0 milestone and the full changelog v2.41.0...v2.42.0.

v2.41.0

@github-actions github-actions released this 20 Feb 02:59
v2.41.0
ffbb23f

This new v2.41.0 release includes important bug fixes, new features, and improvements.
The custom headers, installer scripts and hidden file handling are now more reliable. Dynamic compression encodings have been enhanced with internal priority support based on modern compression algorithms. Default options now help protect hidden files and prevent risky symlink usage. The installer and Docker images have been improved and dependencies are updated for better stability. Also, the documentation features a new showcases page to highlight how SWS is being used in the wild.

Security Patch

This particular release patches a timing-based username enumeration vulnerability in Basic Authentication (CVE-2026-27480): invalid usernames received an early response, which could allow attackers to identify valid users.

Users of the SWS Basic Authentication feature are primarily impacted.

We encourage users to update as soon as possible.
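The class of bug described above, shown as an added example that is not the project's code or its actual patch: a credential check that returns early for unknown usernames next to one that does the same amount of hashing on every attempt. `slow_hash` is a constructed stand-in for a real password hash such as bcrypt, and all type, function and account names here are assumptions.

```rust
use std::cell::Cell;
use std::collections::HashMap;

// Stand-in for a deliberately slow password hash (bcrypt, argon2). Not for real use.
fn slow_hash(password: &str) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for _ in 0..50_000 {
        for b in password.bytes() {
            h = (h ^ b as u64).wrapping_mul(0x0000_0100_0000_01b3);
        }
        h = h.rotate_left(13) ^ 0x9e37_79b9_7f4a_7c15;
    }
    h
}

struct Auth {
    users: HashMap<String, u64>, // username -> stored hash
    dummy: u64,                  // hash no real account uses
    hash_calls: Cell<u32>,       // instrumentation: how often the slow path ran
}

impl Auth {
    fn new(creds: &[(&str, &str)]) -> Self {
        let users = creds.iter().map(|(u, p)| (u.to_string(), slow_hash(p))).collect();
        Auth { users, dummy: slow_hash("constructed-dummy"), hash_calls: Cell::new(0) }
    }
    fn verify(&self, stored: u64, password: &str) -> bool {
        self.hash_calls.set(self.hash_calls.get() + 1);
        (slow_hash(password) ^ stored) == 0 // whole-value compare, no byte-wise early exit
    }
    // Weak: an unknown username returns before any hashing, so it answers faster.
    fn check_early_return(&self, user: &str, pass: &str) -> bool {
        match self.users.get(user) {
            Some(&stored) => self.verify(stored, pass),
            None => false,
        }
    }
    // Hardened: exactly one hash per attempt, against the dummy when the user is unknown.
    fn check_uniform(&self, user: &str, pass: &str) -> bool {
        let stored = self.users.get(user).copied();
        let matched = self.verify(stored.unwrap_or(self.dummy), pass);
        matched & stored.is_some()
    }
}

fn main() {
    let auth = Auth::new(&[("alice", "s3cret")]);
    println!("{}", auth.check_uniform("mallory", "guess"));
}
```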

Fixes

Features

  • 735cc79 Add internal priority support for dynamic compression encodings based on modern compression algorithms. (#622) by @msuarezd. See docs.

Refactorings

Docs

For more details see the v2.41.0 milestone and the full changelog v2.40.1...v2.41.0.

v2.40.1

@github-actions github-actions released this 08 Dec 02:58
v2.40.1
8a930ca

This new patch v2.40.1 release brings important security bug fixes for users serving directories with symbolic links (symlinks) as well as other minor improvements.

Security vulnerability patch

This particular release patches a symbolic link path traversal vulnerability (GHSA-459f-x8vq-xjjm). Any web server that runs with elevated privileges (e.g., root/administrator) and handles user-supplied file uploads is primarily impacted.

We encourage users to update as soon as possible.

Fixes

Refactorings

For more details see the v2.40.1 milestone and the full changelog v2.40.0...v2.40.1.

v2.40.0

@github-actions github-actions released this 30 Nov 22:23
v2.40.0
068d1ea

This new v2.40.0 release introduces important security bug fixes, performance, resource, and binary size optimisations, rootless Debian and Alpine Docker images, support for content negotiation of Markdown files and other enhancements.

For more details about the changes, take a look at the corresponding PR and documentation links.

Fixes

Features

Refactorings

  • c66c791 Docker: Prefer dynamically-linked binaries for Debian Docker images, which reduces containers' memory usage significantly. #588 by @joseluisq
  • afddfd6 Drop jemalloc in favour of mimalloc for MUSL targets, which reduces statically-linked binaries' memory usage. #587 by @joseluisq
  • 557363e Replace regex crate with regex-lite to reduce binary size. #581 by @joseluisq
  • b234984 Docker: Rootless Debian and Alpine Docker images, which reduce the attack surface and improve security. #567 by @joseluisq, read the docs.
    • Update for Docker users: This applies only if you use the default /public directory as a Docker volume without any --root option or SERVER_ROOT env. In that case, change it to point to /var/public instead, or provide a custom root directory.
  • d48da4c Simplify the default public directory of Docker image and default error pages, which improves the default index and error pages' responsiveness in the browser. #579 by @joseluisq
  • ce5b4fa Drop lazy_static and prefer fixed text mime types for dynamic compression. #580 by @joseluisq
  • ea9f43f CI: Move perfcheck workflow behind a PR comment trigger. #584 by @joseluisq

For more details see the v2.40.0 milestone and the full changelog v2.39.0...v2.40.0.

v2.39.0

@github-actions github-actions released this 26 Oct 00:59
v2.39.0
a6b181e

This new v2.39.0 release brings important security bug fixes, updates to project dependencies and Docker images, as well as other improvements.

This release fixes CVE-2025-62518 (a.k.a. TARmageddon).

Additionally, the project Minimum Supported Rust Version (MSRV) has been bumped to Rust 1.85.0 (2024 Edition).

Fixes

For more details see the v2.39.0 milestone and the full changelog v2.38.1...v2.39.0.

v2.38.1

@github-actions github-actions released this 08 Sep 22:19
v2.38.1
71c54dd

This new v2.38.1 release brings several security and bug fixes and improvements for the Cache Control feature.

Fixes

Refactorings

  • 0b55770 Remove public from Cache-Control header value when feature is enabled. This can prevent CDN and Basic Authentication cache issues. PR #562 by @joseluisq

For more details, see the v2.38.1 milestone and the full changelog v2.38.0...v2.38.1.

v2.38.0

@github-actions github-actions released this 21 Jul 20:53
v2.38.0
e15d42f

This new v2.38.0 release brings several security and bug fixes and support for a less-generic sws.toml default config file as well as other improvements.

Fixes

  • 8c435ad Bugfix/security dependency updates including tokio, rustls, serde, toml, async-compression, clap and other crates. PR #552 by @joseluisq
  • 47ce050 Update Alpine (3.20.7) & Debian (12.11) Docker images. PR #553 by @joseluisq

Features

  • acd8388 Add a less-generic config file sws.toml support as default. PR #551 by @davlgd.
    • Migration: The previous default config.toml file name will be supported for a while, but it's recommended to use sws.toml instead.

For more details see the v2.38.0 milestone and the full changelog v2.37.0...v2.38.0.

v2.37.0

@github-actions github-actions released this 03 Jun 21:00
v2.37.0
b67202b

This new v2.37.0 release brings several security and bug fixes, new features such as the possibility to download directories as tarballs and better control of server log ANSI output, the end of support for a few unmaintained Windows platforms, and other improvements.

End of support for unmaintained Windows 7, 8, 8.1 platforms

As anticipated in v2.36.1, SWS no longer supports Windows 7, 8, and 8.1 platforms. SWS now requires Rust 1.82.0 or later to build, and the minimum supported Windows platform is Windows 10.

Cargo experimental feature restored

The Cargo experimental feature is part of the binary release again (v2.37.0 and future releases).

Fixes

  • b56e3c4 Bugfix/security dependency updates including tokio, rustls, chrono, flate2, windows-service, serde and other crates. SWS now requires Rust 1.82.0 or later to build. PR #546, #545 by @joseluisq
  • a384d92 Update Alpine 3.20.6 and Debian 12.10 Docker images. PR #539 by @joseluisq
  • cb19995 Generic server log info output even on higher log levels. PR #542 by @joseluisq fixes #541 reported by @Tasssadar.

Features

  • 89f5846 Support for downloading a directory as a compressed tarball (tar.gz) via the new --directory-listing-download=targz option. PR #544 by @ekangmonyet resolves #67 suggested by @shirshak55. See docs.
  • 0236980 Control log ANSI output via new boolean --log-with-ansi=true option (SWS is now no-ANSI by default). PR #543 resolves #540 suggested by @Tasssadar. See docs.

Refactorings

For more details see the v2.37.0 milestone and the full changelog v2.36.1...v2.37.0.

Acknowledgments

Thanks to our new donor @mrkesu for supporting the project.

v2.36.1

@github-actions github-actions released this 01 Apr 22:16
v2.36.1
ab44158

This new v2.36.1 release brings several security and bug fixes and is the last version supporting legacy Windows 7, 8, 8.1 platforms.

Security patch for RUSTSEC-2024-0437

This release temporarily removes the experimental Cargo feature from the resulting static-web-server binary (but not the Cargo feature itself) to prevent shipping the security vulnerability (RUSTSEC-2024-0437 #530) in this release.

The experimental Cargo feature (that includes experimental features like metrics and in-memory cache) will be restored to be part of the binary again in the next release.

End of support for unmaintained Windows 7, 8, 8.1 platforms

As we mentioned a year ago (#447), SWS would not continue supporting legacy Windows 7, 8, and 8.1 platforms for much longer, since Microsoft stopped support for Windows 7 in 2020 and Rust has required Windows 10 as the minimum supported platform since 1.78.

Today, we announce that v2.36.1 is the last release supporting such legacy platforms and having Rust 1.76.0 as MSRV.
Future releases will bump up the MSRV when convenient and will require Windows 10 as the minimum supported platform.
However, although we will try to provide a patch for users wanting to build SWS manually for those legacy platforms in the future, we cannot fully guarantee that SWS will continue building for the aforementioned platforms.

Fixes

  • ad4c171 Bugfix/security dependency updates including tokio, httparse, ring, rustls, bytes, serde and other crates. PR #532.
  • 5fbd0c5 CORS: Add missing Origin to the Vary header value when CORS feature is enabled. PR #534 resolves #533 reported by @rbozan.

For more details see the v2.36.1 milestone and the full changelog v2.36.0...v2.36.1.