Fastly Change Log

Fastly Terraform Provider 9.2.1

Fastly — Fri, 05 Jun 2026 00:00:00 GMT

View this release on GitHub.

BUG FIXES:

fix(product_enablement/ngwaf): Restrict traffic_ramp field in ngwaf block to VCL services only (#1282)

DEPENDENCIES:

build(deps): golang.org/x/net from 0.54.0 to 0.55.0 (#1276)
build(deps): github.com/fastly/go-fastly/v15 from 15.0.1 to 15.0.2 (#1280)

Next-Gen WAF for HAProxy 1.5.3

Fastly — Thu, 04 Jun 2026 00:00:00 GMT

Added Ubuntu 26.04 (resolute) support
Added Amazon Linux 2 & 2023 support

Next-Gen WAF for NGINX (Lua) 1.7.2

Fastly — Tue, 02 Jun 2026 00:00:00 GMT

Externalized environment variables for agent host and port configuration.
Added explicit support for AmazonLinux 2, rather than relying on el/7

Next-Gen WAF: Increased custom signal name character limit

Fastly — Tue, 02 Jun 2026 00:00:00 GMT

The maximum character limit for custom signal names has been increased from 25 to 128 characters. This allows you to use more descriptive signal names without abbreviation.

New Traefik plugin integration

Fastly — Fri, 29 May 2026 00:00:00 GMT

The Fastly Next-Gen WAF can now protect traffic routed through Traefik, an open-source application proxy. Our plugin intercepts incoming HTTP requests before they reach your service. It extracts metadata, headers, and the request body and sends that information to the Next-Gen WAF agent for inspection.

This integration is now available for all customers. For setup details, read our install guide.

Added virtual patch for CVE-2026-9082 (Unauthenticated SQL Injection in Drupal)

Fastly — Wed, 27 May 2026 00:00:00 GMT

An SQL injection vulnerability has been found in Drupal core for sites backed by PostgreSQL databases and has been assigned CVE-2026-9082. Fastly has created a virtual patch for it that is now available within your account. To activate it and add protection to your services, follow the steps for your control panel below.

Next-Gen WAF control panel

From the Rules menu, select Templated Rules.
In the search bar, enter CVE-2026-9082 and then click View for the CVE-2026-9082 templated rule.
Click Configure and then Add trigger.
Select the Block requests from an IP immediately if the CVE-2026-9082 signal is observed checkbox.
Click Update rule.

Click the Signals tab.
In the search bar, enter CVE-2026-9082 and then click View for the CVE-2026-9082 tag.
Click the Detections tab and then Add detection.
Verify the switch is set to Enabled.
Click Create detection.
Click the Alerts tab and then Add alert.
In the Status area, set the switch to Enabled.
Click Save alert.

Fastly control panel

Click Virtual Patches.
In the search bar, enter CVE-2026-9082 and then click the pencil to the right of the CVE-2026-9082 virtual patch.
From the Status menu, select Enabled.
(Optional) If your workspace is in blocking mode, choose whether to Block requests or Log requests if the CVE-2026-9082 signal is observed.
Click Update virtual patch.

Added virtual patch for CVE-2026-42945 (NGINX Rift)

Fastly — Wed, 20 May 2026 00:00:00 GMT

A critical heap-based buffer overflow vulnerability has been found in ngx_http_rewrite_module of NGINX Open Source and NGINX Plus and has been assigned CVE-2026-42945. Fastly has created a virtual patch for it that is now available within your account. To activate it and add protection to your services, follow the steps for your control panel below.

Next-Gen WAF control panel

From the Rules menu, select Templated Rules.
In the search bar, enter CVE-2026-42945 and then click View for the CVE-2026-42945 templated rule.
Click Configure and then Add trigger.
Select the Block requests from an IP immediately if the CVE-2026-42945 signal is observed checkbox.
Click Update rule.

Click the Signals tab.
In the search bar, enter CVE-2026-42945 and then click View for the CVE-2026-42945 tag.
Click the Detections tab and then Add detection.
Verify the switch is set to Enabled.
Click Create detection.
Click the Alerts tab and then Add alert.
In the Status area, set the switch to Enabled.
Click Save alert.

Fastly control panel

Click Virtual Patches.
In the search bar, enter CVE-2026-42945 and then click the pencil to the right of the CVE-2026-42945 virtual patch.
From the Status menu, select Enabled.
(Optional) If your workspace is in blocking mode, choose whether to Block requests or Log requests if the CVE-2026-42945 signal is observed.
Click Update virtual patch.

Fastly Terraform Provider 9.2.0

Fastly — Wed, 20 May 2026 00:00:00 GMT

View this release on GitHub.

ENHANCEMENTS:

feat(service/backend): added support for the MaxLifetime and MaxUse attributes (#1233)
feat(dns): added support for DNS Zones and TSIG Keys (#1266)

BUG FIXES:

fix(block_fastly_service_product_enablement): Allow bot_management to be enabled on Compute services (#1270)
fix(resource_fastly_integration): recreate integrations deleted outside of Terraform (#1273)

DEPENDENCIES:

build(deps): github.com/hashicorp/terraform-plugin-sdk/v2 from 2.40.0 to 2.40.1 (#1259)
build(deps): github.com/fastly/go-fastly/v15 from 14.0.2 to 15.0.1(#1260)
build(deps): golang.org/x/net from 0.53.0 to 0.54.0 (#1267)

JavaScript SDK 3.42.1

Fastly — Mon, 18 May 2026 00:00:00 GMT

Fixed

Null body for non-downstream requests with no stream created for them (#1479) (511c667)

Next-Gen WAF API routes now versioned, legacy Security routes removed

Fastly — Mon, 18 May 2026 00:00:00 GMT

As announced, Next-Gen WAF API routes have been updated to versioned paths at /ngwaf/v1/*, and legacy /security/* routes have been permanently removed. The Client-Side Protection API now appears as a standalone top-level page in the documentation. All Next-Gen WAF endpoint documentation (events, redactions, requests, rules, time series, virtual patches, and workspaces) now appears under the Next-Gen WAF API.

New Envoy Gateway integration

Fastly — Thu, 14 May 2026 00:00:00 GMT

The Next-Gen WAF can now protect traffic routed through Envoy Gateway, providing an alternative for customers impacted by the Ingress NGINX controller retirement. This new integration enables real-time inspection and enforcement directly within the Envoy Proxy processing pipeline. For more information, read our install guide.

New Google Cloud Service Extensions integration

Fastly — Thu, 14 May 2026 00:00:00 GMT

The Fastly Next-Gen WAF can now protect traffic routed through Google Cloud Load Balancers. Our integration with Google Cloud Service Extensions enables real-time inspection and enforcement directly within the load balancer's request processing pipeline. The Next-Gen WAF agent operates as a callout backend service, using gRPC and Envoy's external processing protocol to inspect request headers, request bodies, and response headers.

This integration is now available for all customers. For setup details, read our install guide.

Next-Gen WAF agent 4.78.0

Fastly — Thu, 14 May 2026 00:00:00 GMT

Added support for Ubuntu 26.04 (Resolute Raccoon)
Upgraded to Golang 1.25.10
Updated base GeoIP data: May 2026

CLI v15.1.0

Fastly — Wed, 13 May 2026 00:00:00 GMT

View this release on GitHub.

Bug Fixes:

fix(auth): honor deprecated --profile/-o when resolving the API token; an unknown profile name is now a hard error instead of a silent fallback to the default token (#1792)
fix(text): send deprecation warnings to stderr instead of stdout (#1782)

Enhancements:

feat(compute): add file field support for setup.kv_stores bulk import (#1784)
feat(compute): add support for cpp for compute (#1773)

Dependencies:

refactor(deps): migrate from mholt/archiver/v3 to mholt/archives v0.1.5 (#1787)
build(deps): golang.org/x/sys from 0.43.0 to 0.44.0 (#1785)
build(deps): golang.org/x/term from 0.42.0 to 0.43.0 (#1785)
build(deps): golang.org/x/crypto from 0.50.0 to 0.51.0 (#1785)
build(deps): golang.org/x/mod from 0.35.0 to 0.36.0 (#1785)
build(deps): golang.org/x/text from 0.36.0 to 0.37.0 (#1785)

JavaScript SDK 3.42.0

Fastly — Mon, 11 May 2026 00:00:00 GMT

Added

Bail out of reusable sandbox if request fails (#1453) (b6f41b0)

Fixed

Allocation failure checks (#1457) (c882105)
Avoid dereferencing one-past-the-end iterator in host_api (#1461) (acf2b25)
Be more defensive in ip_octets_to_js_string (#1468) (60bbec1)
Cache body range check (#1463) (f38ce55)
Cache override getters for beforeSend and afterSend (#1466) (5261936)
Correct GC guard type in KVStore::put to prevent wasm unreachable crashes and fix some CI issues (#1475) (15f850d)
Ensure nul-termination of string for inet_pton (#1462) (0e3afbe)
Find invalid characters after nul bytes in KV store keys (#1464) (5f0f0f2)
Incorrect catch handler failure check (#1458) (fb3c01a)
Memory leak in get_found_response (#1456) (17559d3)
Memory leak on failed inspect hostcall (#1455) (9b77977)
Protect against GC from validate_bytes (#1447) (be0867b)
Shrinking realloc in KVStorePendingLookup (#1467) (5a72d13)
Throw error on negative ttl and swr (#1465) (7d29650)

CLI v15.0.0

Fastly — Fri, 08 May 2026 00:00:00 GMT

View this release on GitHub.

Breaking:

breaking(ngwaf/workspace): change flag name to match API spec (#1768)

Bug Fixes:

fix(compute/deploy): remove compute trial activation code because trials no longer exist (#1730)
fix(auth): SSO token expiration status now reflects the actual API token lifetime (12 hours) instead of the internal JWT refresh token (30 minutes), preventing spurious warnings and premature re-authentication #1728
fix(argparser): skip ListVersions API call for numeric versions #1774

Enhancements:

feat(service/backend): add support for the max_use and max_lifetime parameters (#1779)

Dependencies:

build(deps): golang.org/x/term from 0.41.0 to 0.42.0 (#1726)
build(deps): golang.org/x/crypto from 0.49.0 to 0.50.0 (#1726)
build(deps): golang.org/x/mod from 0.34.0 to 0.35.0 (#1726)
build(deps): golang.org/x/net from 0.52.0 to 0.53.0 (#1726)
build(deps): golang.org/x/text from 0.35.0 to 0.36.0 (#1726)
build(deps): acifani/setup-tinygo from 2 to 3 (#1729)
build(deps): github.com/mattn/go-isatty from 0.0.21 to 0.0.22 (#1735)
build(deps): github.com/hashicorp/cap from 0.12.0 to 0.13.0 (#1771)
build(deps): github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 (#1775)
build(deps): github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1 (#1775)
build(deps): github.com/klauspost/compress from 1.18.5 to 1.18.6 (#1775)
build(deps): github.com/fastly/go-fastly/v15 from 14.2.0 to 15.0.1(#1778)

Next-Gen WAF for Node.js 2.4.2

Fastly — Thu, 07 May 2026 00:00:00 GMT

Prevented uncaughtExceptions by preserving request event listeners.

Add documentation for max_lifetime and max_use backend properties

Fastly — Tue, 05 May 2026 00:00:00 GMT

The backends API now supports max_lifetime and max_use properties for further tuning of connection pooling for service backends.

JavaScript SDK 3.41.2

Fastly — Mon, 04 May 2026 00:00:00 GMT

Fixed

HttpBody::read_all for large bodies (#1444) (99f45b5)
Check pending exceptions between requests in reusable sandbox mode (#1425) (64a6b21)
Memory issues exposed by high GC zeal (#1442) (f406308)
Memory leak in normalize_http_method (#1449) (669b58a)
mislabeled Response::Slots::URL slot (#1445) (6d4d268)
Numeric overflow issue in Core Cache API (#1448) (360c9bf)
Potential buffer size issues in shielding (#1443) (4bf9d72)
Reset StarlingMonkey engine between requests (#1426) (238cf70)
SSL string cipher intersection (#1446) (13ef2d5)
Use length rather than NUL-terminator when copying HostStrings (#1429) (8aa3f4c)

Fastly Terraform Provider 9.1.1

Fastly — Wed, 22 Apr 2026 00:00:00 GMT

View this release on GitHub.

BUG FIXES:

fix(ngwaf/rules): updated validation to allow the maximum value of rate limit rule thresholds to 1000000 (#1236)

DEPENDENCIES:

build(deps): actions/github-script from 8 to 9 (#1232)
build(deps): github.com/fastly/go-fastly/v14 from 14.0.0 to 14.2.0 (#1231)
build(deps): golang.org/x/net from 0.52.0 to 0.53.0 (#1231)
build(deps): github.com/deckarep/golang-set/v2 from 2.8.0 to 2.9.0 (#1234)

DOCUMENTATION:

docs(state_upgrader_bot_management): add subcategory and header to state upgrade guide (#1230)

Added system lists

Fastly — Tue, 21 Apr 2026 00:00:00 GMT

System lists are now available in the Next-Gen WAF. These are sets of data provided by Fastly that can be referenced in your rules at both the corp (account) and site (workspace) level. System lists cannot be modified.

For an example request rule that uses a system list, check out Blocking attacks from malicious IP addresses.

Next-Gen WAF: Added WAF simulate endpoint

Fastly — Thu, 16 Apr 2026 00:00:00 GMT

We've added the Simulate a WAF request endpoint to the Next-Gen WAF. This endpoint lets you simulate HTTP requests through a workspace's WAF configuration and view the WAF response code and any signals that would be detected, without sending actual traffic. Use it to test and validate WAF rule behavior before deploying changes to production.

Next-Gen WAF agent 4.77.1

Fastly — Tue, 14 Apr 2026 00:00:00 GMT

Fixed issue where if a client IP has a zone/scope attached it cannot be matched by any rules
Upgraded to Golang 1.25.9

CLI v14.3.1

Fastly — Mon, 13 Apr 2026 00:00:00 GMT

View this release on GitHub.

Bug Fixes:

fix(publish_release): add back perms for publishing to npm #1724

CLI v14.3.0

Fastly — Fri, 10 Apr 2026 00:00:00 GMT

View this release on GitHub.

Bug Fixes:

fix(vcl/condition): --comment flag in condition update now correctly sets the comment instead of overwriting the statement #1714
fix(manifest): env_file parsing no longer rejects values containing = characters (e.g. KEY=val=ue) #1715

Enhancements:

feat(auth): add auth revoke subcommand for revoking API tokens via --current, --name, --token-value, --id, or --file (bulk) #1717
feat(service/logging/debug): add support for logging endpoint error streaming via the service logging debug subcommand #1721
feat(stats): accept --json / -j as an alias for --format=json on all stats and help subcommands, matching the flag style used by the rest of the CLI #1719

Dependencies:

build(deps): github.com/andybalholm/brotli from 1.2.0 to 1.2.1 (#1716)
build(deps): github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#1716)
build(deps): github.com/mattn/go-runewidth from 0.0.21 to 0.0.22 (#1716)
build(deps): github.com/mattn/go-isatty from 0.0.20 to 0.0.21 (#1720)
build(deps): golang.org/x/sys from 0.42.0 to 0.43.0 (#1720)
build(deps): github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0 (#1720)
build(deps): github.com/mattn/go-runewidth from 0.0.22 to 0.0.23 (#1720)
build(deps): github.com/fastly/go-fastly/v14 from 13.1.2 to 14.2.0 (#1722)