github jqlang/jq jq-1.8.2
jq 1.8.2

This is a patch release with security fixes and bug fixes since 1.8.1, along with new builds for Windows arm64 and Docker arm/v7.
Full commit log can be found at jq-1.8.1...jq-1.8.2.

Security fixes

  • CVE-2026-32316: Fix heap buffer overflow in jvp_string_append and jvp_string_copy_replace_bad. @itchyny e47e56d
  • CVE-2026-33947: Limit path depth to prevent stack overflow in jv_setpath, jv_getpath, jv_delpaths. @itchyny fb59f14
  • CVE-2026-33948: Fix NUL truncation in the JSON parser. @itchyny 6374ae0
  • CVE-2026-39956: Fix _strindices missing runtime type checks. @tlsbollei fdf8ef0
  • CVE-2026-39979: Fix out-of-bounds read in jv_parse_sized(). @wader 2f09060
  • CVE-2026-40164: Randomize hash seed to mitigate hash collision DoS attacks. @AsafMeizner @itchyny 0c7d133
  • CVE-2026-40612: Limit containment check depth to prevent stack overflow in contains. @itchyny d1a1256
  • CVE-2026-41256: Fix NUL truncation in program files loaded with -f. @itchyny 5a015de
  • CVE-2026-41257: Fix signed-int overflow in stack_reallocate. @itchyny 01b3cde
  • CVE-2026-43894: Reject numeric literals longer than DEC_MAX_DIGITS (999999999). @itchyny 9761ceb
  • CVE-2026-43895: Reject embedded NUL bytes in module import paths. @itchyny 9d223f1
  • CVE-2026-43896: Limit recursive object merge depth to prevent stack overflow. @itchyny 532ccea
  • CVE-2026-44777: Detect circular module imports to prevent stack overflow. @itchyny f58787c
  • CVE-2026-47770: Guard deep structural equality and comparison recursion. @fuyu0425 7122866
  • CVE-2026-49839: Fix heap-buffer-overflow in raw file loading. @itchyny e987df0
  • CVE-2026-54679: Tighten string length bounds and propagate invalid jv in implode. @itchyny 46d1da3
  • GHSA-gf4g-95wj-4q4r: Fix use-after-free in args2obj() array argument path. @sseal #3498
  • GHSA-hj52-j2c9-r8r4: Fix signed-int overflow in tokenadd to prevent buffer overflow. @itchyny 63751f8
  • Limit the number of function parameters and definitions to prevent SEGV. @OwenSanzas #3460
  • Pre-allocate tokenbuf for string parser to avoid undefined behavior. @fab1ano #3485
  • Avoid stack overflow when freeing deeply nested values. @itchyny 33d7bce
  • Fix memory leaks and double frees. @itchyny #3487

Releasing

  • Add builds for Windows arm64. @dennisameling #3376
  • Support arm/v7 architecture in Docker images. @itchyny #3463
  • Update GPG signing key. @itchyny 0ff997f
  • Add artifact-metadata permission for actions/attest. @itchyny #3530
  • Upload attestation bundle as a release artifact, allowing unauthenticated verification
    via gh attestation verify --bundle jq-attestation.json. @itchyny #3563

CLI changes

  • Improve error message truncation with closing delimiters. @itchyny #3478
  • Remove extra space from die function output. @krtk6160 #3391
  • Fix raw input flag not to corrupt multi-byte characters. @itchyny #3421
  • Fix crash when importing a module with errors twice. @itchyny #3497
  • Increase the maximum printing depth from 256 to 10000. @ishnagy #3414

Changes to existing functions

  • Fix rtrimstr("") always outputting "". @A4-Tacks #3415
  • Fix infinite loop and undefined behavior in del(.[nan]). @itchyny #3490
  • Refactor @uri and @urid to fix multi-byte UTF-8 corruption. @itchyny #3495
  • Fix tonumber and toboolean to reject strings with embedded null bytes. @itchyny #3496
  • Fix undefined behavior in modulo operator. @fab1ano #3486
  • Fix reversed pointer subtraction in f_env bounds check. @itchyny #3465
  • Fix missing validity check in f_strflocaltime after f_localtime. @itchyny #3491
  • Fix year 2038 problem on 32-bit platforms. @itchyny #3407
  • Use // instead of //= in from_entries definition. @itchyny #3516

Build and test changes

Documentation changes
