Haraka

v3.1.6 Breaking

This release includes 4 breaking changes for platform teams planning a safe upgrade.

Published 19d Communication & Email
✓ No known CVEs patched

Topics

dkim haraka javascript mta nodejs smtp spf

Affected surfaces

deps auth

ReleasePort's take

Moderate signal
editorial:auto 9d

Release v3.1.6 removes several dependencies (ocsp fork, npid, sockaddr, daemon) and optional plugins.

Why it matters: If your application uses the removed ocsp fork, npid, sockaddr, or daemon libraries, update imports before upgrading to avoid runtime failures.

Summary

AI summary

Removed several dependencies (ocsp fork, npid, sockaddr, daemon) and optional plugins.

Changes in this release

Security Medium

Added threat model documentation in SECURITY doc #3557

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Added additional SECURITY documentation #3550

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Removed optional lesser used plugins from package.json #3550

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Added tests for outbound, conn, endpoint, server, tls_socket #3552

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Documented 15 undocumented methods in Connection

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Updated various dependencies to latest versions

Source: llm_adapter@2026-05-21

Confidence: low

Deprecation Medium

Removed npid and sockaddr dependencies #3550

Source: llm_adapter@2026-05-21

Confidence: high

Deprecation Medium

Removed unmaintained daemon dependency #3550

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixed outbound to release the queue slot when the qfile is unreadable #3561

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Add `unpipe` for pipe cleanup after errors in message-stream

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Guard against error emit after listeners removed in outbound #3554

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Yield before delivery attempts in outbound #3552

Source: llm_adapter@2026-05-21

Confidence: high

Refactor Medium

Replaced fork with local (more maintained) fork for ocsp #3550

Source: llm_adapter@2026-05-21

Confidence: high

Other Medium

Refreshed README and docs: added missing properties and functions, synced with the codebase, fixed inaccuracies, added examples, and improved formatting and readability

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog
  • fix(outbound): release queue slot when qfile unreadable #3561
  • fix(message-stream): add unpipe for pipe cleanup after errors
  • fix(outbound): guard against error emit after listeners removed #3554
  • fix(outbound): yield before delivery attempts #3552
  • test(outbound,conn,endpoint,server,tls_socket): added tests #3552
  • deps(various): updated to latest
  • dep(ocsp): replaced fork with local (more maintained) fork #3550
  • dep(npid, sockaddr): removed #3550
  • dep(daemon): removed, unmaintained #3550
  • doc(SECURITY): added threat model #3557
  • doc(SECURITY): added #3550
  • doc(Connection): added 15 undocumented methods
  • doc: add a fresh coat of paint to README and docs/*
    • add missing properties and functions
    • sync with codebase, fix inaccuracies, and add examples
    • improve formatting and readability
  • package.json: remove optional lesser used plugins #3550
    • avg, elasticsearch, esets, p0f, recip-routes, watch

Breaking Changes

  • Removed dep: ocsp (replaced with local maintained fork)
  • Removed deps: npid and sockaddr
  • Removed dep: daemon (unmaintained)
  • Removed optional plugins from package.json: avg, elasticsearch, esets, p0f, recip-routes, watch

About Haraka

Fast, highly extensible, and event driven SMTP server.

Related context

Earlier breaking changes

  • v3.2.0 Replaces address-rfc2821 and address-rfc2822 dependencies with @haraka/email-address.
