This is an automated email from the ASF dual-hosted git repository.

shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 24511776e chore: release 3.17.0 (#13503)
24511776e is described below

commit 24511776e322a735cd98b5a43c24b79ef1fdc527
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Tue Jun 16 15:22:25 2026 +0800

    chore: release 3.17.0 (#13503)
    
    Signed-off-by: Abhishek Choudhary <[email protected]>
---
 .github/workflows/check-changelog.yml |   8 +--
 .requirements                         |   2 +-
 CHANGELOG.md                          | 130 ++++++++++++++++++++++++++++++++++
 apisix/core/version.lua               |   2 +-
 ci/check_changelog_prs.ts             |  10 ++-
 docs/en/latest/config.json            |   2 +-
 docs/zh/latest/config.json            |   2 +-
 7 files changed, 147 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/check-changelog.yml 
b/.github/workflows/check-changelog.yml
index 4f3592ff1..08d19b639 100644
--- a/.github/workflows/check-changelog.yml
+++ b/.github/workflows/check-changelog.yml
@@ -1,10 +1,6 @@
 name: Check Changelog
 
 on:
-  push:
-    paths:
-      - 'CHANGELOG.md'
-      - 'ci/check_changelog_prs.ts'
   pull_request:
     paths:
       - 'CHANGELOG.md'
@@ -21,6 +17,10 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 
v6.0.2
         with:
           fetch-depth: 0
+          # Check out the PR branch head itself, not the default 
merge-with-base
+          # commit, so the changelog is validated against the release branch's
+          # own scope (since-last-release) rather than a moving target base.
+          ref: ${{ github.event.pull_request.head.sha }}
 
 
       - name: Run check_changelog_prs script
diff --git a/.requirements b/.requirements
index b599f80cd..75e381cbc 100644
--- a/.requirements
+++ b/.requirements
@@ -18,4 +18,4 @@
 APISIX_PACKAGE_NAME=apisix
 
 APISIX_RUNTIME=1.3.6
-APISIX_DASHBOARD_COMMIT=bbe05ad95396f90db03d831660f454c2844d906e
+APISIX_DASHBOARD_COMMIT=c8d3466d3c36386d3888efbc8250cd8183c77298
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 941c95881..1e0e1e60c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ title: Changelog
 
 ## Table of Contents
 
+- [3.17.0](#3170)
 - [3.16.0](#3160)
 - [3.15.0](#3150)
 - [3.14.1](#3141)
@@ -84,6 +85,135 @@ title: Changelog
 - [0.7.0](#070)
 - [0.6.0](#060)
 
+## 3.17.0
+
+**The changes marked with :warning: are not backward compatible.**
+
+### Change
+
+- :warning: change(auth): require configured jwt claims, harden empty 
claims_to_verify and key-auth anonymous fallback 
[#13468](https://github.com/apache/apisix/pull/13468)
+- :warning: enforce algorithm match before signature verification in jwt-auth 
plugin [#13182](https://github.com/apache/apisix/pull/13182)
+- :warning: remove server-side token generation endpoint 
(`/apisix/plugin/jwe/encrypt`) from jwe-decrypt plugin 
[#13464](https://github.com/apache/apisix/pull/13464)
+- :warning: require admin key for the schema validate endpoint 
[#13328](https://github.com/apache/apisix/pull/13328)
+- :warning: bound batch-requests pipeline item count, timeout, and tighten 
request schema [#13492](https://github.com/apache/apisix/pull/13492)
+- :warning: default signed_headers to ["date"] in hmac-auth plugin 
[#13388](https://github.com/apache/apisix/pull/13388)
+- :warning: sign request URI cookie and tighten cookie attributes in cas-auth 
plugin (new required `cookie.secret`) 
[#13331](https://github.com/apache/apisix/pull/13331)
+- :warning: add consumer_isolation (default true) and cache_set_cookie options 
to proxy-cache plugin [#13350](https://github.com/apache/apisix/pull/13350)
+- :warning: add ssl_verify option (default true) and fix shared state in 
tencent-cloud-cls plugin [#13194](https://github.com/apache/apisix/pull/13194)
+- :warning: address TLS ssl_verify hardcoding and credential encryption issues 
(ai-rag ssl_verify now defaults to true) 
[#13203](https://github.com/apache/apisix/pull/13203)
+- :warning: resolve env vars before YAML parsing to preserve types in 
standalone mode [#13078](https://github.com/apache/apisix/pull/13078)
+
+### Core
+
+- feat: support batch TCP/UDP port ranges in stream_proxy config 
[#13153](https://github.com/apache/apisix/pull/13153)
+- feat(admin): make /configs/validate available in all modes 
[#13220](https://github.com/apache/apisix/pull/13220)
+- feat: add core.response.get_response_source() API for response origin 
classification [#13224](https://github.com/apache/apisix/pull/13224)
+- feat: add rate-limiting-info variable 
[#13155](https://github.com/apache/apisix/pull/13155)
+- feat: enhance encrypt_fields to support nested structures 
[#13192](https://github.com/apache/apisix/pull/13192)
+- feat: extend secret references to all plugins with central resolution 
[#13312](https://github.com/apache/apisix/pull/13312)
+- perf(core): cache parsed JSON request body to avoid redundant decoding 
[#13377](https://github.com/apache/apisix/pull/13377)
+- perf(ctx): cache parsed request body to avoid repeated decode for post_arg.* 
[#13356](https://github.com/apache/apisix/pull/13356)
+- refactor: extract reusable building blocks from K8s and Nacos discovery 
[#13201](https://github.com/apache/apisix/pull/13201)
+- refactor: extract reusable building blocks from Consul discovery 
[#13230](https://github.com/apache/apisix/pull/13230)
+- fix: replace module-level mutable tables with per-call allocation 
[#13369](https://github.com/apache/apisix/pull/13369)
+- fix: add null_as_nil option to core.json.decode for AI plugins 
[#13231](https://github.com/apache/apisix/pull/13231)
+- fix: add schema compatibility for consumer and credential resources 
[#13154](https://github.com/apache/apisix/pull/13154)
+- fix(admin): use local config to fetch global rules in standalone mode 
[#13122](https://github.com/apache/apisix/pull/13122)
+- fix(admin): strip SSL private keys array in GET single and list responses 
[#13227](https://github.com/apache/apisix/pull/13227)
+- fix: split global rules phase execution for client-control compatibility 
[#13345](https://github.com/apache/apisix/pull/13345)
+- fix: preserve stream service plugin context 
[#13402](https://github.com/apache/apisix/pull/13402)
+- fix(stream/traffic-split): handle upstream_id set by plugin in stream 
context [#13285](https://github.com/apache/apisix/pull/13285)
+- fix(stream/traffic-split): set route_id in stream preread phase 
[#13284](https://github.com/apache/apisix/pull/13284)
+- fix: rebuild stream router when services change 
[#13318](https://github.com/apache/apisix/pull/13318)
+- fix: remove stale HTTP2 body guard 
[#13428](https://github.com/apache/apisix/pull/13428)
+- fix: isolate logger response body buffers 
[#13450](https://github.com/apache/apisix/pull/13450)
+- fix: batch-processor infinite timer loop prevents graceful shutdown 
[#13288](https://github.com/apache/apisix/pull/13288)
+- fix(tracer): prevent stale ctx.tracing crash on HTTPS keepalive connections 
[#13232](https://github.com/apache/apisix/pull/13232)
+- fix: handle missing X-Etcd-Index header gracefully in config_etcd 
[#13364](https://github.com/apache/apisix/pull/13364)
+- fix(core/etcd): nil-deref on response without header field 
[#13361](https://github.com/apache/apisix/pull/13361)
+- fix(consul): tolerate null Service.Meta in fetch_services_from_server 
[#13258](https://github.com/apache/apisix/pull/13258)
+- fix: address TLS security vulnerabilities in SSL log, OIDC encryption, and 
K8s ssl_verify [#13190](https://github.com/apache/apisix/pull/13190)
+- fix: avoid logging plaintext value when encrypt/decrypt fails in ssl.lua 
[#13298](https://github.com/apache/apisix/pull/13298)
+- fix: downgrade decrypt failure log from warn to info 
[#13324](https://github.com/apache/apisix/pull/13324)
+- fix(xrpc): bound redis command-line preallocation size 
[#13483](https://github.com/apache/apisix/pull/13483)
+
+### Plugins
+
+- feat: add acl plugin [#13349](https://github.com/apache/apisix/pull/13349)
+- feat: add data-mask plugin 
[#13347](https://github.com/apache/apisix/pull/13347)
+- feat: add saml-auth plugin 
[#13346](https://github.com/apache/apisix/pull/13346)
+- feat: add dingtalk-auth plugin 
[#13381](https://github.com/apache/apisix/pull/13381)
+- feat: add feishu-auth plugin 
[#13382](https://github.com/apache/apisix/pull/13382)
+- feat(plugin): add error-page plugin 
[#13380](https://github.com/apache/apisix/pull/13380)
+- feat(plugin): add graphql-limit-count plugin 
[#13372](https://github.com/apache/apisix/pull/13372)
+- feat(plugin): add graphql-proxy-cache plugin 
[#13435](https://github.com/apache/apisix/pull/13435)
+- feat: add proxy-buffering plugin 
[#13446](https://github.com/apache/apisix/pull/13446)
+- feat: add oas-validator plugin 
[#13344](https://github.com/apache/apisix/pull/13344)
+- feat: add traffic-label plugin 
[#13342](https://github.com/apache/apisix/pull/13342)
+- feat: add exit-transformer plugin 
[#13343](https://github.com/apache/apisix/pull/13343)
+- feat(request-id): add UUID v7 generation support 
[#13152](https://github.com/apache/apisix/pull/13152)
+- feat(ai-proxy): support aws bedrock 
[#13249](https://github.com/apache/apisix/pull/13249)
+- feat(ai-proxy): support Bedrock ConverseStream streaming 
[#13307](https://github.com/apache/apisix/pull/13307)
+- feat(ai-proxy): add native Anthropic Messages API protocol support 
[#13181](https://github.com/apache/apisix/pull/13181)
+- feat(ai): add OpenAI Responses API (/v1/responses) support 
[#13186](https://github.com/apache/apisix/pull/13186)
+- feat(ai-proxy): add passthrough protocol for unrecognized API formats 
[#13320](https://github.com/apache/apisix/pull/13320)
+- feat(ai-proxy): rewrite Anthropic-to-OpenAI converter with whitelist body 
construction [#13321](https://github.com/apache/apisix/pull/13321)
+- feat(ai-proxy): add provider-aware max_tokens override with priority control 
[#13251](https://github.com/apache/apisix/pull/13251)
+- feat(ai-proxy): add per-protocol request_body override and rename max_tokens 
mapping to llm_options [#13269](https://github.com/apache/apisix/pull/13269)
+- feat(ai-proxy): add max_stream_duration_ms and max_response_bytes safeguards 
[#13250](https://github.com/apache/apisix/pull/13250)
+- feat(ai-proxy): abort upstream read on client disconnect during streaming 
[#13254](https://github.com/apache/apisix/pull/13254)
+- feat: populate upstream nginx variables when ai-proxy uses cosocket 
transport [#13317](https://github.com/apache/apisix/pull/13317)
+- feat(ai-rate-limiting): add expression-based limit strategy 
[#13191](https://github.com/apache/apisix/pull/13191)
+- feat(ai-proxy-multi): add max_retries and retry_on_failure_within_ms for 
fallback [#13495](https://github.com/apache/apisix/pull/13495)
+- feat(elasticsearch-logger): support dynamic index with time and variable 
resolution [#13334](https://github.com/apache/apisix/pull/13334)
+- feat(limit-count): upgrade lua-resty-limit-traffic to v1.2.0 
[#13212](https://github.com/apache/apisix/pull/13212)
+- feat(proxy-cache): honor Vary header for memory strategy 
[#13376](https://github.com/apache/apisix/pull/13376)
+- feat(cas-auth): support configuring an absolute callback URL 
[#13413](https://github.com/apache/apisix/pull/13413)
+- feat(openid-connect): make client_secret optional for local JWT verification 
modes [#13472](https://github.com/apache/apisix/pull/13472)
+- feat(openid-connect): update session config to support lua-resty-session, 
fixes deprecated session.cookie.lifetime 
[#13178](https://github.com/apache/apisix/pull/13178)
+- feat(hmac-auth): add max_req_body_size to bound request body during 
validation [#13478](https://github.com/apache/apisix/pull/13478)
+- feat: add max_req_body_size to bound client request body in forward-auth and 
ai-proxy [#13466](https://github.com/apache/apisix/pull/13466)
+- refactor: three-layer AI proxy architecture (protocols/providers/transport) 
[#13170](https://github.com/apache/apisix/pull/13170)
+- perf(ai-proxy): optimize SSE decoder - remove PCRE, add decode_buf, fix 
comment lines [#13391](https://github.com/apache/apisix/pull/13391)
+- perf(ai): reuse raw request body when unchanged 
[#13406](https://github.com/apache/apisix/pull/13406)
+- perf(limit-count): use evalsha with NOSCRIPT fallback for Redis script 
execution [#13363](https://github.com/apache/apisix/pull/13363)
+- fix: sort AI proxy upstream request JSON keys 
[#13461](https://github.com/apache/apisix/pull/13461)
+- fix(ai-proxy-multi): stabilize domain health checks 
[#13441](https://github.com/apache/apisix/pull/13441)
+- fix(ai-proxy-multi): resolve _dns_value in construct_upstream when nil 
[#13322](https://github.com/apache/apisix/pull/13322)
+- fix(ai-proxy): map upstream LLM timeouts to 504 instead of 500 
[#13481](https://github.com/apache/apisix/pull/13481)
+- fix(ai-proxy): return 502 when streaming converter receives mismatched 
response format [#13229](https://github.com/apache/apisix/pull/13229)
+- fix(ai-proxy): yield to scheduler in streaming SSE loop to avoid worker CPU 
starvation [#13255](https://github.com/apache/apisix/pull/13255)
+- fix(ai-proxy): populate $upstream_response_length for cosocket transport 
[#13323](https://github.com/apache/apisix/pull/13323)
+- fix(ai-request-rewrite): return 400 when request body is missing 
[#13097](https://github.com/apache/apisix/pull/13097)
+- fix(ai-prompt-template): fix malformed JSON error message 
[#13096](https://github.com/apache/apisix/pull/13096)
+- fix(ai-prompt-*): handle nil err in JSON body parse path 
[#13314](https://github.com/apache/apisix/pull/13314)
+- fix: remove llm related metrics for non llm requests 
[#13088](https://github.com/apache/apisix/pull/13088)
+- fix(limit): atomic redis commits and resolved-var validation 
[#13467](https://github.com/apache/apisix/pull/13467)
+- fix(security): encrypt missing secret-like plugin fields at rest 
[#13389](https://github.com/apache/apisix/pull/13389)
+- fix: redact sensitive data from plugin log output 
[#13123](https://github.com/apache/apisix/pull/13123)
+- fix: remove credential-leaking log statements in sls-logger, hmac-auth, 
tcp-logger, udp-logger [#13205](https://github.com/apache/apisix/pull/13205)
+- fix(gcp): report auth_file path instead of file contents in parse error 
[#13409](https://github.com/apache/apisix/pull/13409)
+- fix(authz-keycloak): copy permissions before appending http_method_as_scope 
[#13410](https://github.com/apache/apisix/pull/13410)
+- fix(authz-casdoor): scope session cookie per Casdoor client 
[#13387](https://github.com/apache/apisix/pull/13387)
+- fix(opa): apply send_headers_upstream for headers absent from OPA response 
[#13433](https://github.com/apache/apisix/pull/13433)
+- fix(cas-auth): harden session and callback handling 
[#13427](https://github.com/apache/apisix/pull/13427)
+- fix(cas-auth): return 400 instead of 500 for SLO POST with empty body 
[#13471](https://github.com/apache/apisix/pull/13471)
+- fix(jwe-decrypt): reject tokens that fail to decrypt 
[#13404](https://github.com/apache/apisix/pull/13404)
+- fix(openidc): include request port in `redirect_uri` 
[#13081](https://github.com/apache/apisix/pull/13081)
+- fix(openid-connect): ensure identity headers reflect validated tokens 
[#13330](https://github.com/apache/apisix/pull/13330)
+- fix(forward-auth): clear configured upstream headers not present in auth 
response [#13183](https://github.com/apache/apisix/pull/13183)
+- fix(wolf-rbac): use trusted client IP source for access_check 
[#13329](https://github.com/apache/apisix/pull/13329)
+- fix(chaitin-waf): use trusted client IP source for WAF backend 
[#13339](https://github.com/apache/apisix/pull/13339)
+- fix(file-logger): incorrectly attempts to decompress uncompressed response 
body [#13100](https://github.com/apache/apisix/pull/13100)
+- fix: preserve processed_entries during stale buffer cleanup 
[#13094](https://github.com/apache/apisix/pull/13094)
+- fix(opentelemetry): inject additional_attributes in log phase 
[#13265](https://github.com/apache/apisix/pull/13265)
+- fix(opentelemetry): coerce additional_attributes values to string 
[#13146](https://github.com/apache/apisix/pull/13146)
+- fix(opentelemetry): preserve booleans, handle multi-value headers, tighten 
test [#13315](https://github.com/apache/apisix/pull/13315)
+- fix(brotli): preserve ETag and Last-Modified headers in Brotli-compressed 
response [#12853](https://github.com/apache/apisix/pull/12853)
+- fix: harden cors, multi-auth and body-transformer plugins against malformed 
requests [#13469](https://github.com/apache/apisix/pull/13469)
+- fix(proxy-mirror): keep the original method path when mirroring gRPC 
requests [#13499](https://github.com/apache/apisix/pull/13499)
+- fix(dingtalk-auth): clear client-supplied X-Userinfo before authentication 
[#13491](https://github.com/apache/apisix/pull/13491)
+
 ## 3.16.0
 
 **The changes marked with :warning: are not backward compatible.**
diff --git a/apisix/core/version.lua b/apisix/core/version.lua
index b3a151244..326e22e8b 100644
--- a/apisix/core/version.lua
+++ b/apisix/core/version.lua
@@ -20,5 +20,5 @@
 -- @module core.version
 
 return {
-    VERSION = "3.16.0"
+    VERSION = "3.17.0"
 }
diff --git a/ci/check_changelog_prs.ts b/ci/check_changelog_prs.ts
index 0c5bfa24a..50dd25d1f 100755
--- a/ci/check_changelog_prs.ts
+++ b/ci/check_changelog_prs.ts
@@ -55,7 +55,15 @@ const IGNORE_PRS = [
     // 3.15.0
     12761, 12805, 12844, 12863, 12829, 12725, 12948,
     // 3.16.0
-    12958, 13053, 13148, 13100, 13094, 13081,
+    12958, 13053, 13148,
+    // 3.17.0
+    // 13386 (add configurable request JSON library) + 13407 (qjson error fix) 
were
+    // fully reverted by 13449 within this release, so they net to a no-op and 
are
+    // not user-facing. The rest are test-only / CI-only / docs-only changes 
whose
+    // subject prefix (e.g. "fix ", "fix(ci)", "feat(seo)", "feat(test)") 
dodges the
+    // docs/chore/test/ci type filter but which do not belong in a user 
changelog.
+    13386, 13407, 13449, 13485,
+    13139, 13156, 13157, 13158, 13222, 13234,
 ];
 
 
diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json
index 1dc91c6b3..7691e4580 100644
--- a/docs/en/latest/config.json
+++ b/docs/en/latest/config.json
@@ -1,5 +1,5 @@
 {
-  "version": "3.16.0",
+  "version": "3.17.0",
   "sidebar": [
     {
       "type": "category",
diff --git a/docs/zh/latest/config.json b/docs/zh/latest/config.json
index 6240fe6e4..78ab8ad88 100644
--- a/docs/zh/latest/config.json
+++ b/docs/zh/latest/config.json
@@ -1,5 +1,5 @@
 {
-  "version": "3.16.0",
+  "version": "3.17.0",
   "sidebar": [
     {
       "type": "category",

Reply via email to