What's Changed

• Fix/audit jan 2026 by @humancto in #3

Full Changelog: v0.4.2...v0.4.3

v0.4.2 — Quality Pass

Six critical fixes that improve correctness, error reporting, and developer trust.

Fixes

1. REPL version strings — Dynamic version from Cargo.toml instead of hardcoded v0.3.0. Expanded tab-completion builtins (~28 → ~100). Updated help to list all 17+ modules.

2. HTML script stripping — crawl() now properly removes <script> and <style> content instead of leaking JavaScript/CSS into crawled text.

3. CSV RFC 4180 parser — Handles quoted fields with commas ("Smith, John",42), escaped quotes ("He said ""hello"""), and CRLF line endings.

4. push/pop mutation — push(arr, x) and pop(arr) now mutate let mut arrays in-place. Immutable arrays still return new copies (correct behavior preserved).

5. Mutable closure capture — make_counter() pattern now works correctly. Closures share mutable state via Arc<Mutex<HashMap>> instead of copy-on-write Arc<HashMap>.

6. Runtime error source locations — Runtime errors now display the offending source line with ariadne-powered error formatting. SpannedStmt wrapper tracks line numbers through execution.

Test Coverage

• 626 Rust tests + 631 Forge tests = 1,257 total (all passing)
• New tests/v042_fixes_test.fg with 31 targeted tests for all fixes
• New unit tests in csv.rs (12 tests) and http.rs (10 tests)

Install

# Homebrew
brew upgrade forge

# Cargo
cargo install forge-lang

# From source
git clone https://github.com/humancto/forge-lang && cd forge-lang && cargo install --path .

What's New in v0.4.1

Parameterized SQL Queries (all DB modules)

All three database modules now support parameterized queries to prevent SQL injection:

• SQLite (db): db.query("SELECT * FROM users WHERE age > ?", [21])
• PostgreSQL (pg): pg.query("SELECT * FROM users WHERE age > $1", [21])
• MySQL (mysql): mysql.query(conn, "SELECT * FROM users WHERE age > ?", [21])

PostgreSQL TLS Support

pg.connect() now supports SSL/TLS connections via rustls — connect securely to cloud-hosted PostgreSQL instances.

CORS Security

HTTP servers now default to restrictive CORS. Opt in to permissive CORS with @server(cors: "permissive").

Interpreter Refactor

• call_builtin() extracted from interpreter/mod.rs to interpreter/builtins.rs
• call_native() extracted from vm/machine.rs to vm/builtins.rs
• Improved maintainability with no behavior changes

Bug Fixes

• split() with empty delimiter now correctly splits into characters
• 5 language bugs fixed (BUG-001 through BUG-005)
• 4 additional safety/correctness fixes

Testing

• 577 Rust tests (up from 528)
• 442 Forge tests (comprehensive new test suites added)
• 18 example files, all passing

HTTP Benchmark Examples

New bench_server.fg and bench_client.fg examples. Forge achieves ~28,000 req/sec on localhost — on par with raw Rust/Axum and 10x faster than Python/Flask.

What's New

JWT Authentication Module (jwt)

Stateless JSON Web Token support with 4 functions:

• jwt.sign(claims, secret, options?) — Create signed tokens (HS256/384/512, RS256, ES256)
• jwt.verify(token, secret) — Verify signature + expiration, return decoded claims
• jwt.decode(token) — Decode without verification (for debugging)
• jwt.valid(token, secret) — Boolean validity check (never throws)

Options: expires (duration strings like "1h", "7d"), issuer, audience, subject, algorithm, not_before.

MySQL/MariaDB Module (mysql)

Full MySQL support with connection pooling and parameterized queries:

• mysql.connect(url) or mysql.connect(host, user, pass, db) — Connect and get connection ID
• mysql.query(conn, sql, params?) — SELECT with parameterized ? placeholders
• mysql.execute(conn, sql, params?) — INSERT/UPDATE/DELETE, returns affected rows
• mysql.close(conn) — Close connection pool

Supports multiple simultaneous connections, automatic TLS via rustls, and safe parameterized queries.

By the Numbers

• 21 stdlib modules (up from 19)
• 280+ built-in functions (up from 270+)
• 528 Rust tests passing
• 862 total tests (Rust + Forge)

Full Changelog

• Added jsonwebtoken v9 crate for JWT support
• Added mysql_async v0.34 crate with rustls-tls for MySQL
• New language spec pages for jwt and mysql modules
• New book chapters (Ch. 32: JWT, Ch. 33: MySQL)
• Updated README, CLAUDE.md, and all documentation
• Rebuilt PDF book

Full Changelog: v0.3.2...v0.3.3

Full Changelog: v0.3.1...v0.3.2

Full Changelog: v0.3.0...v0.3.1

Full Changelog: v0.2.0...v0.3.0

Full Changelog: https://github.com/humancto/forge-lang/commits/v0.2.0