[0.2-bindings] Merge 0.2.3 into 0.2-bindings

.github/workflows/build.yml

@@ -264,7 +264,11 @@ jobs:
       - name: Pin the syn and regex dependencies
         run: |
           cd fuzz && cargo update -p regex --precise "1.9.6" && cargo update -p syn --precise "2.0.106" && cargo update -p quote --precise "1.0.41"
+          cargo update -p proc-macro2 --precise "1.0.103" --verbose && cargo update -p serde_json --precise "1.0.145" --verbose
+          cargo update -p itoa --precise "1.0.15" --verbose && cargo update -p ryu --precise "1.0.20" --verbose
           cd write-seeds && cargo update -p regex --precise "1.9.6" && cargo update -p syn --precise "2.0.106" && cargo update -p quote --precise "1.0.41"
+          cargo update -p proc-macro2 --precise "1.0.103" --verbose && cargo update -p serde_json --precise "1.0.145" --verbose
+          cargo update -p itoa --precise "1.0.15" --verbose && cargo update -p ryu --precise "1.0.20" --verbose
       - name: Sanity check fuzz targets on Rust ${{ env.TOOLCHAIN }}
         run: |
           cd fuzz

.github/workflows/check_unicode.yml

@@ -0,0 +1,26 @@
+name: Unicode listing up to date
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '42 3 * * *'
+
+jobs:
+  check-unicode:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Check unicode file state
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          curl --proto '=https' --tlsv1.2 -fsSL -o /tmp/UnicodeData.txt https://www.unicode.org/Public/UCD/latest/ucd/UnicodeData.txt
+          contrib/gen_unicode_general_category.py /tmp/UnicodeData.txt -o /tmp/unicode.rs
+          if ! diff -u lightning-types/src/unicode.rs /tmp/unicode.rs; then
+            TITLE="Unicode listing out of date: ${{ github.workflow }}"
+            RUN_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            BODY="The unicode character listing is out of date, see $RUN_URL"
+            gh issue create --title "$TITLE" --body "$BODY"
+          fi

CHANGELOG.md

@@ -1,3 +1,146 @@
+# 0.2.3 - Jun 18, 2026 - "Through the Loupe"
+
+## API Updates
+ * `DefaultMessageRouter` will now always generate blinded message paths that
+   provide no privacy (where our node is the introduction node) for nodes with
+   public channels. This works around an issue which will appear for any nodes
+   with LND peers that enable onion messaging - such peers will refuse to
+   forward BOLT 12 messages from unknown third parties, which most BOLT 12
+   payers rely on today (#4647).
+ * Explicit `amount_msats` of 0 is rejected in BOLT 12 `Offer`s; `OfferBuilder`
+   now maps 0-amounts to an amount of `None` (#4324).
+
+## Bug Fixes
+ * `Features::supports_zero_conf` no longer clears the `ZeroConf` features and
+   `Features::requires_zero_conf` now correctly reports required, rather than
+   supported, status (#4517).
+ * If an MPP payment is claimed but `ChannelMonitorUpdate`s for some parts are
+   still being completed asynchronously, further channel updates (e.g.
+   forwarding another payment) are pending and the node restarts, the channel
+   could have become stuck (#4520).
+ * The presence of unconfirmed transactions actually no longer causes
+   `ElectrumSyncClient` to spuriously fail to sync (#4590).
+ * LSPS1, LSPS2, and LSPS5 persistence will no longer get stuck and refuse to
+   persist again after a single failure from the KVStore (#4597, #4282).
+ * Dropping the future returned by
+   `OutputSweeper::regenerate_and_broadcast_spend_if_necessary` no longer
+   results in future calls to the same method being spuriously ignored (#4598).
+ * Used async-receive offers are no longer refreshed on every timer tick once
+   their refresh time is reached (#4672).
+ * `FilesystemStore::list_all_keys` will no longer fail if there are stale
+   intermediate files lying around from a previous unclean shutdown (#4618).
+ * When forwarding an HTLC while in a blinded path with proportional fees over
+   200%, LDK will no longer spuriously allow a forward that pays us 1 msat too
+   little in fees (#4697).
+ * Fixed a rare case where a channel could get stuck on reconnect when using
+   both async `ChannelMonitorUpdate` persistence and async signing (#4684).
+ * If we had exactly zero balance in a zero-fee-commitment channel, the
+   counterparty was able to splice all of their balance out, violating the
+   reserve requirements they'd otherwise be forced to keep (#4580).
+ * Providing an `Event::HTLCIntercepted` to the `LSPS2ServiceHandler` twice no
+   longer results in spuriously opening a channel early (#4656).
+ * `Event::PaymentSent::fee_paid_msat` is no longer `None` in cases where
+   `ChannelManager::abandon_payment` was called before the payment ultimately
+   completes anyway (#4651).
+ * `AnchorDescriptor::previous_utxo` now provides the correct `script_pubkey`
+   for non-zero-commitment-fee anchor channels (#4669).
+ * Syncing a `ChainMonitor` using the `Confirm` trait will no longer write some
+   full `ChannelMonitor`s to disk several times per block (#4544).
+ * `OMDomainResolver` now correctly accounts for failed queries when rate
+   limiting, ensuring we continue to respond to queries after failures (#4591).
+ * Calling `ChannelManager::send_payment_with_route` without a `route_params`
+   and with an invalid `Route` will no longer panic (#4707).
+ * `LSPS2ServiceHandler::channel_open_failed` now correctly fails intercepted
+   HTLCs rather than allowing them to fail just before expiry (#4677).
+ * `StaticInvoice::is_offer_expired` was corrected to check offer, rather than
+   static invoice, expiry (#4594).
+ * `lightning-custom-message`'s handling of `peer_connected` events now ensures
+   that sub-handlers will see a `peer_disconnected` event if a different
+   sub-handler refused the connection by `Err`ing `peer_connected` (#4595).
+ * Replay protection for LSPS5 signatures now detects replays which are only
+   different in the encoded signature's case (#4701).
+ * When `lightning-liquidity` is configured in the background processor, there
+   is no longer a stream of `Persisting LiquidityManager...` log spam (#4246).
+ * Incomplete MPP keysend payments will no longer see their HTLCs held until
+   expiry (#4558).
+ * `InvoiceRequestBuilder` will no longer accept a `quantity` of `0` for a
+   BOLT 12 `Offer`, allowing any quantity up to a bound (#4667).
+ * `lightning-custom-message` handlers that return `Ok(None)` when asked to
+   deserialize a message in their defined range no longer cause panics (#4709).
+ * Several spurious debug assertions were fixed (#4537, #4618, #4026)
+
+## Security
+0.2.3 fixes several underestimates of the anchor reserves required to ensure we
+can reliably close channels, several denial-of-service vulnerabilities and a
+sanitization issue.
+ * `Bolt11Invoice::recover_payee_pub_key` no longer panics if called on an
+   invoice which set an explicit public key, rather than relying on public key
+   recovery. Note that this method is called from
+   `PaymentParameters::from_bolt11_invoice` (#4717).
+ * Maliciously-crafted unpayable invoices which have overflowing feerates will
+   no longer cause an `unwrap` failure panic (#4716).
+ * Parsing an `LSPSDateTime` which is before 1970 no longer panics. This is
+   reachable when parsing messages from counterparties (#4715).
+ * `possiblyrandom` did not properly generate random data except when it was
+   explicitly configured to. By default this means LDK is vulnerable to various
+   HashDoS attacks (#4719).
+ * `OMNameResolver` will no longer panic when looking up payment instructions
+   which include unicode characters at the start of a TXT record (#4718).
+ * When using the `anchor_channel_reserves` module to calculate reserves
+   required to pay for fees when closing anchor channels, zero-fee-commitment
+   channels were not considered. This could allow a counterparty to open many
+   channels, leaving us unable to properly force-close (#4592).
+ * The `anchor_channel_reserves` module overestimated the value of `Utxo`s in
+   the wallet by ignoring the `TxIn` cost to spend them (#4670).
+ * `PrintableString` did not properly sanitize unicode format characters,
+   allowing an attacker to corrupt the rendering of logs or UI (#4593, #4605).
+ * RGS data is now limited in how large of a graph it is able to cause a client
+   to store in memory. Note that RGS data is still considered a DoS vector in
+   general and you should only use semi-trusted RGS data (#4713).
+ * Counterparty-provided strings in failure messages are no longer logged in
+   full, reducing the ability of such a counterparty to spam our logs (#4714).
+ * Reading a corrupted `ChannelManager` or `ProbabilisticScorer` can no longer
+   cause us to allocate large amounts of memory (#4712).
+
+Thanks to Project Loupe for reporting most of the issues fixed in this release.
+
+
+# 0.2.2 - Feb 6, 2025 - "An Async Splicing Production"
+
+## API Updates
+ * The `SplicePrototype` feature flag has been updated to refer to feature bit
+   63 - the same as `SpliceProduction`. This resolves a compatibility issue with
+   eclair nodes due to the use of the same splicing feature flag (155) they were
+   using for a pre-standardization version of splicing (#4387).
+
+## Bug Fixes
+ * Async `ChannelMonitorUpdate` persistence operations which complete, but are
+   not marked as complete in a persisted `ChannelManager` prior to restart,
+   followed immediately by a block connection and then another restart could
+   result in some channel operations hanging leading for force-closures (#4377).
+ * A debug assertion failure reachable when receiving an invalid splicing
+   message from a peer was fixed (#4383).
+
+
+# 0.2.1 - Jan 29, 2025 - "Electrum Confirmations Logged"
+
+## API Updates
+ * The `AttributionData` struct is now public, correcting an issue where it was
+   accidentally sealed preventing construction of some messages (#4268).
+ * The async background processor now exits even if work remains to be done as
+   soon as the sleeper returns the exit flag (#4259).
+
+## Bug Fixes
+ * The presence of unconfirmed transactions no longer causes
+   `ElectrumSyncClient` to spuriously fail to sync (#4341).
+ * `ChannelManager::splice_channel` now properly fails immediately if the
+   peer does not support splicing (#4262, #4274).
+ * A spurious debug assertion was removed which could fail in cases where an
+   HTLC fails to be forwarded after being accepted (#4312).
+ * Many log calls related to outbound payments were corrected to include a
+   `payment_hash` field (#4342).
+
+
 # 0.2 - Dec 2, 2025 - "Natively Asynchronous Splicing"
 
 ## API Updates
@@ -40,11 +183,13 @@
    pre-signed transactions, relying on anchor bumps instead. They also utilize
    the new TRUC + ephemeral dust policy in Bitcoin Core 29 to substantially
    improve the lightning security model. This requires having a path of Bitcoin
-   Core 29+ nodes between you and a miner for transactions to be mined. This
-   only works with LDK peers, and feature signaling may change in a future
-   version of LDK, breaking compatibility. This is negotiated automatically for
-   manually-accepted inbound channels and negotiated for outbound channels based
-   on `ChannelHandshakeConfig::negotiate_anchor_zero_fee_commitments`.
+   Core 29+ nodes between you and a miner for transactions to be mined. Bitcoin
+   Knots blocks these transactions by default, and is not recommended for use
+   with a lightning node. 0FC channels currently only work with LDK peers, and
+   feature signaling may change in a future version of LDK, breaking
+   compatibility. This is negotiated automatically for manually-accepted inbound
+   channels and negotiated for outbound channels based on
+   `ChannelHandshakeConfig::negotiate_anchor_zero_fee_commitments`.
  * `Event::BumpTransaction` is now always generated even if the transaction has
    sufficient fee. This allows you to manage transaction broadcasting more
    granularly for anchor channels (#4001).
@@ -144,7 +289,9 @@
    `ListProtocols` message (#3785).
  * A rare race which might lead `PeerManager` (and `lightning-net-tokio`) to
    stop reading from a peer until a new message is sent to that peer has been
-   fixed (#4168).
+   fixed. Note that this changed the semantics of the
+   `SocketDescriptor::send_data` method without changing its signature, check
+   that your implementation matches the new documentation (#4168).
  * The fields in `SocketAddress::OnionV3` are now correctly parsed, and the
    `Display` for such addresses is now lowercase (#4090).
  * `PeerManager` is now more conservative about disconnecting peers which aren't

ci/check-lint.sh

@@ -13,6 +13,7 @@ CLIPPY() {
 		-A clippy::unwrap-or-default \
 		-A clippy::upper_case_acronyms \
 		-A clippy::swap-with-temporary \
+		-A clippy::assertions-on-constants \
 		`# Things where we do odd stuff on purpose ` \
 		-A clippy::unusual_byte_groupings \
 		-A clippy::unit_arg \

ci/ci-tests.sh

@@ -17,6 +17,18 @@ function PIN_RELEASE_DEPS {
 	# quote 1.0.42 requires rustc 1.68.0
 	[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p quote --precise "1.0.41" --verbose
 
+	# Starting with version 1.0.104, the `proc-macro2` crate has an MSRV of rustc 1.68
+	[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p proc-macro2 --precise "1.0.103" --verbose
+
+	# Starting with version 1.0.146, the `serde_json` crate has an MSRV of rustc 1.68
+	[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p serde_json --precise "1.0.145" --verbose
+
+	# Starting with version 1.0.16, the `itoa` crate has an MSRV of rustc 1.68
+	[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p itoa --precise "1.0.15" --verbose
+
+	# Starting with version 1.0.21, the `ryu` crate has an MSRV of rustc 1.68
+	[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p ryu --precise "1.0.20" --verbose
+
 	return 0 # Don't fail the script if our rustc is higher than the last check
 }
 
@@ -58,6 +70,7 @@ pushd lightning-tests
 [ "$RUSTC_MINOR_VERSION" -lt 65 ] && cargo update -p regex --precise "1.9.6" --verbose
 [ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p syn --precise "2.0.106" --verbose
 [ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p quote --precise "1.0.41" --verbose
+[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p proc-macro2 --precise "1.0.103" --verbose
 cargo test
 popd
 
@@ -130,6 +143,10 @@ echo -e "\n\nTesting no_std build on a downstream no-std crate"
 pushd no-std-check
 [ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p syn --precise "2.0.106" --verbose
 [ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p quote --precise "1.0.41" --verbose
+[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p proc-macro2 --precise "1.0.103" --verbose
+[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p serde_json --precise "1.0.145" --verbose
+[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p itoa --precise "1.0.15" --verbose
+[ "$RUSTC_MINOR_VERSION" -lt 68 ] && cargo update -p ryu --precise "1.0.20" --verbose
 cargo check --verbose --color always
 [ "$CI_MINIMIZE_DISK_USAGE" != "" ] && cargo clean
 popd