All Versions
Latest Version
Avg Release Cycle
195 days
Latest Release
681 days ago

Changelog History
Page 1

  • v2.8.5 Changes

    June 09, 2022

    ๐Ÿ”’ Security

    ๐Ÿ›  Fixes low-severity CVE-2022-31033, "Authorization header leak on port redirect." See GHSA-64qm-hrgp-pgr9 for more details.

  • v2.8.4 Changes

    January 17, 2022

    ๐Ÿ›  Fix

    • Mechanize::CookieJar#load calls Psych.safe_load when using Psych >= 3.1
  • v2.8.3 Changes

    November 11, 2021

    โšก๏ธ Update

    • โšก๏ธ Update the "Linux Firefox" user agent string to rev94 (#587) Thank you, @ncs1!
  • v2.8.2 Changes

    August 06, 2021


    • โšก๏ธ Update dependency on Addressable from ~>2.7 to ~>2.8. (#584) @yidingww
  • v2.8.1 Changes

    May 09, 2021

    ๐Ÿ›  Fix

    • ๐Ÿ“œ Gracefully handle parsing errors that contain an invalid byte sequence. Previously, if libxml2 registered a parsing error that itself contained invalid encoding, an exception might be raised. (#553)
  • v2.8.0 Changes

    April 01, 2021
    • Requirements

      • Mechanize now requires Ruby 2.5 or newer.
      • Move from ntlm-http to rubyntlm gem. (#495, #574)
    • ๐Ÿ†• New Features

      • Page::Link#uri now handles non-ASCII hrefs. (#569) @terryyin
      • FileConnection supports Windows drive letters (#483)
      • Credential headers 'Authorization' and 'Cookie' are deleted on cross-origin redirects. (#538) @kyoshidajp
      • ContentDispositionParser handles ISO8601 date headers, to be robust with websites that ignore RFC2183. (#554) @reitermarkus
    • ๐Ÿ› Bug fix

      • POST headers 'Content-Length', 'Content-MD5', and 'Content-Type' are deleted in a case-insensitive manner on redirects. Previously these headers were treated as case-sensitive.
  • v2.7.7 Changes

    February 01, 2021
    • ๐Ÿ”’ Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See for more information.

    Also see #547, #548. Thank you, @kyoshidajp!

    • ๐Ÿ†• New Features

      • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena
    • ๐Ÿ› Bug fix

      • Ignore input fields with blank names (#542, #536)
  • v2.7.6 Changes

    June 02, 2018
    • ๐Ÿ†• New Features

      • Mechanize#set_proxy accepts an HTTP URL/URI. (#513)
    • ๐Ÿ› Bug fix

      • Fix element(s)_with(search: selector) methods not working for forms, form fields and frames. (#444)
      • Improve the filename parser for the Content-Disposition header. (#496, #517)
      • Accept Content-Encoding: identity. (#515)
      • Mechanize::Page#title no longer picks a title in an embeded SVG/RDF element. (#503)
      • Make Mechanize::Form#has_field? boolean. (#501)
  • v2.7.5 Changes

    August 22, 2016
    • ๐Ÿ†• New Features

      • All 4xx responses and RedirectLimitReachedError when fetching robots.txt are treated as full allow just like Googlebot does.
      • Enable support for mime-types > 3.
    • ๐Ÿ› Bug fix

      • Don't cause infinite loop when GET /robots.txt redirects. (#457)
      • Fix basic authentication for a realm that contains uppercase characters. (#458, #459)
      • Fix encoding error when uploading a file which name is non-ASCII. (#333)
  • v2.7.4 Changes

    December 31, 2015
    • ๐Ÿ†• New Features

      • Accept array-like and hash-like values as query/parameter value. A new utility method Mechanize::Util.each_parameter is added, and Mechanize::Util.build_query_string is enhanced for this feature.
      • Allow passing a Form::FileUpload instance to #post. #350 by Sam Rawlins.
      • Capture link when scheme is unsupported. #362 by Jon Rowe.
      • Pre-defined User-Agent stings are updated to those of more recent versions, and new aliases for IE 10/11 and Edge are added.
      • Support for mime-types 1.x is restored while keeping compatible with mime-types 2.x.
      • Mechanize::Page now responds to #xpath, #css, #at_xpath, #at_css, and #%.
      • element(s)_with methods now accept :xpath and :css options for doing xpath/css selector searching.
      • Pass URI information to Nokogiri where applicable. #405 @lulalala
    • ๐Ÿ› Bug fix

      • Don't raise an exception if a connection has set a {read,open}_timeout and a file:// request is made. (#397)
      • Fix whitespace bug in WWW-Authenticate. #451, #450, by Rasmus Bergholdt
      • Don't allow redirect from a non-file URL to a file URL for security reasons. (#455)