Fastly Change Log

Fastly Terraform Provider 9.1.1

Fastly — Wed, 22 Apr 2026 00:00:00 GMT

View this release on GitHub.

BUG FIXES:

fix(ngwaf/rules): updated validation to allow the maximum value of rate limit rule thresholds to 1000000 (#1236)

DEPENDENCIES:

build(deps): actions/github-script from 8 to 9 (#1232)
build(deps): github.com/fastly/go-fastly/v14 from 14.0.0 to 14.2.0 (#1231)
build(deps): golang.org/x/net from 0.52.0 to 0.53.0 (#1231)
build(deps): github.com/deckarep/golang-set/v2 from 2.8.0 to 2.9.0 (#1234)

DOCUMENTATION:

docs(state_upgrader_bot_management): add subcategory and header to state upgrade guide (#1230)

Added system lists

Fastly — Tue, 21 Apr 2026 00:00:00 GMT

System lists are now available in the Next-Gen WAF. These are sets of data provided by Fastly that can be referenced in your rules at both the corp (account) and site (workspace) level. System lists cannot be modified.

For an example request rule that uses a system list, check out Blocking attacks from malicious IP addresses.

Next-Gen WAF: Added WAF simulate endpoint

Fastly — Thu, 16 Apr 2026 00:00:00 GMT

We've added the Simulate a WAF request endpoint to the Next-Gen WAF. This endpoint lets you simulate HTTP requests through a workspace's WAF configuration and view the WAF response code and any signals that would be detected, without sending actual traffic. Use it to test and validate WAF rule behavior before deploying changes to production.

Next-Gen WAF agent 4.77.1

Fastly — Tue, 14 Apr 2026 00:00:00 GMT

Fixed issue where if a client IP has a zone/scope attached it cannot be matched by any rules
Upgraded to Golang 1.25.9

CLI v14.3.1

Fastly — Mon, 13 Apr 2026 00:00:00 GMT

View this release on GitHub.

Bug Fixes:

fix(publish_release): add back perms for publishing to npm #1724

CLI v14.3.0

Fastly — Fri, 10 Apr 2026 00:00:00 GMT

View this release on GitHub.

Bug Fixes:

fix(vcl/condition): --comment flag in condition update now correctly sets the comment instead of overwriting the statement #1714
fix(manifest): env_file parsing no longer rejects values containing = characters (e.g. KEY=val=ue) #1715

Enhancements:

feat(auth): add auth revoke subcommand for revoking API tokens via --current, --name, --token-value, --id, or --file (bulk) #1717
feat(service/logging/debug): add support for logging endpoint error streaming via the service logging debug subcommand #1721
feat(stats): accept --json / -j as an alias for --format=json on all stats and help subcommands, matching the flag style used by the rest of the CLI #1719

Dependencies:

build(deps): github.com/andybalholm/brotli from 1.2.0 to 1.2.1 (#1716)
build(deps): github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#1716)
build(deps): github.com/mattn/go-runewidth from 0.0.21 to 0.0.22 (#1716)
build(deps): github.com/mattn/go-isatty from 0.0.20 to 0.0.21 (#1720)
build(deps): golang.org/x/sys from 0.42.0 to 0.43.0 (#1720)
build(deps): github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0 (#1720)
build(deps): github.com/mattn/go-runewidth from 0.0.22 to 0.0.23 (#1720)
build(deps): github.com/fastly/go-fastly/v14 from 13.1.2 to 14.2.0 (#1722)

Add `compute_handoff` metric to Historical Stats and Real-Time Analytics APIs

Fastly — Thu, 09 Apr 2026 00:00:00 GMT

You can now use the compute_handoff metric in the Historical Stats API and the Real-Time Analytics API to analyze the frequency with which Compute hands off incoming requests to the Fanout proxy or WebSocket proxy.

Added virtual patch for CVE-2026-23869 (React Server Components DoS)

Fastly — Wed, 08 Apr 2026 00:00:00 GMT

A Denial of Service vulnerability has been found in React Server Components and has been assigned CVE-2026-23869. Fastly has created a virtual patch for it that is now available within your account. To activate it and add protection to your services, follow the steps for your control panel below.

Next-Gen WAF control panel

If you're on the Professional or Premier platform or have purchased the Security Core, Security Core Plus, or Security Total packaged offering, complete the following steps:

From the Rules menu, select Templated Rules.
In the search bar, enter CVE-2026-23869 and then click View for the CVE-2026-23869 templated rule.
Click Configure and then Add trigger.
Select the Block requests from an IP immediately if the CVE-2026-23869 signal is observed checkbox.
Click Update rule.

If you're on the Essential platform, complete the following steps:

Click the Signals tab.
In the search bar, enter CVE-2026-23869 and then click View for the CVE-2026-23869 tag.
Click the Detections tab and then Add detection.
Verify the switch is set to Enabled.
Click Create detection.
Click the Alerts tab and then Add alert.
In the Status area, set the switch to Enabled.
Click Save alert.

Fastly control panel

If you're using the Fastly control panel, complete the following steps:

Click Virtual Patches.
In the search bar, enter CVE-2026-23869 and then click the pencil to the right of the CVE-2026-23869 virtual patch.
From the Status menu, select Enabled.
(Optional) If your workspace is in blocking mode, choose whether to Block requests or Log requests if the CVE-2026-23869 signal is observed.
Click Update virtual patch.

JavaScript SDK 3.41.0

Fastly — Wed, 08 Apr 2026 00:00:00 GMT

Added

Add --gc-frequency option to debug-build.sh (#1395) (a6e4a1f)
Allow the use of project-level external config file for js-compute-runtime CLI behavior (#1405) (9749cab)
Support installation in projects that use TypeScript 6 (e4273a3)

Fixed

Allow --aot-cache and --debug-intermediate-files flags to be specified with equals (#1403) (81a75f8)
Double free in convertBodyInit (#1387) (72acfc3)
GC fixes for edge rate limiter (#1397) (fd9e322)
GC issue in handoffs (#1396) (b57fc8f)
Shielding GC (#1401) (6de2f55)

Add Next-Gen WAF agents endpoints

Fastly — Tue, 07 Apr 2026 00:00:00 GMT

The Next-Gen WAF API now includes endpoints for listing and retrieving agents deployed in a workspace. Use GET /ngwaf/v1/workspaces/{workspace_id}/agents to list all agents, and GET /ngwaf/v1/workspaces/{workspace_id}/agents/{agent_id} to retrieve details for a specific agent, including status, version, performance metrics, and host information.

Fastly Terraform Provider 9.1.0

Fastly — Tue, 07 Apr 2026 00:00:00 GMT

View this release on GitHub.

ENHANCEMENTS:

feat(product_enablement): add state upgrader for bot_management schema change from v9.0.0 - automatically migrates existing boolean values to new list structure with contentguard attribute (#1226)

BUG FIXES:

fix(product_enablement/bot_management): fix Optional/MinItems schema conflict (#1228)

Fastly Terraform Provider 9.0.0

Fastly — Sat, 04 Apr 2026 00:00:00 GMT

View this release on GitHub.

BREAKING:

breaking(product_enablement/bot_management): added support for ContentGuard, which is now requires the contentguard and enabled parameters (#1221)

DEPENDENCIES:

build(deps): google.golang.org/grpc from 1.79.2 to 1.79.3 (#1216)
build(deps): github.com/fastly/go-fastly/v14 from 13.1.2 to 14.0.0 (#1220)

DOCUMENTATION:

docs(ngwaf/lists): updated docs to provide important prefix information for usage with a NGWAF rule (#1217)

Add Bot Management metrics to Historical Stats and Real-Time Analytics APIs

Fastly — Tue, 31 Mar 2026 00:00:00 GMT

You can now use the Historical Stats API and the Real-Time Analytics API to investigate bot activity on your services. Sixteen new metrics track bot activity, providing both aggregate totals and breakdowns per bot type.

Add ContentGuard support to bot_management

Fastly — Tue, 31 Mar 2026 00:00:00 GMT

The Product enablement API now supports ContentGuard on our Bot Management product.

Next-Gen WAF agent 4.77.0

Fastly — Tue, 31 Mar 2026 00:00:00 GMT

Added Envoy External Processing Filter support
Added SSTI attack signal (SSTI), part of Fastly Security Labs
Added insecure deserialization attack signal (INSECURE-DESER), part of Fastly Security Labs
Added NoSQLi attack signal (NOSQLI), part of Fastly Security Labs

Rust SDK 0.12.0

Fastly — Tue, 31 Mar 2026 00:00:00 GMT

Surrogate-Control and Surrogate-Key headers are preserved for shielded requests.
Interfaces for reusable sandboxes have been moved from the fastly::experimental::reusable_sessions module to fastly::http::serve.
Added new bot detection methods to Request.
Removed the deprecated write_bytes and write_str methods for HTTP bodies, in favor of std::io::Write trait methods.
Dynamic backends now have a 200 max_connections limit by default (previously unlimited), matching the default limit for static backends.
The following Request methods now return Result, rather than panicking on buffer size or UTF-8 decoding errors:
get_original_header_names
get_tls_raw_client_certificate
get_tls_cipher_openssl_name
get_tls_protocol
Added the fastly::http::body::StreamingBody::abandon method to explicitly abandon a stream.
Dropping an unfinished StreamingBodyHandle will now abandon the stream.
Added a new SendErrorCause::Http2StreamError variant, containing more details about unexpected HTTP/2 error responses.
FastlyStatus is now marked as #[must_use].
Removed the deprecated fastly::cache::core::Found::ttl method.
Clarified how calling Request::set_pass affects other cache override options.
Documented that Request::send_async and Request::send_async_streaming will fail if called after setting a before_send or after_send callback.
Improved the documentation for Image Optimizer functionality.

Add Client-Side Protection API

Fastly — Mon, 30 Mar 2026 00:00:00 GMT

The Client-Side Protection API is now available. Client-Side Protection provides visibility and control over third-party scripts running on your web pages, helping protect against client-side attacks like Magecart and formjacking.

The API includes endpoints for managing:

Websites: Configure domains for Client-Side Protection monitoring
Pages: Define URL paths to monitor within each website and configure notification settings
Scripts: View detected scripts and manage authorization status (authorized or unauthorized)
Policies: Create and manage Content Security Policies with report or enforce modes
Reports: View CSP violation reports for each policy
Headers/Events: Monitor security header changes on your pages

Add Compute Sandbox count metric

Fastly — Mon, 30 Mar 2026 00:00:00 GMT

You can now retrieve the count of WebAssembly (Wasm) sandboxes created via the compute_sandboxes field in both the Historical Stats API and the Real-Time Analytics API.

CLI v14.2.0

Fastly — Tue, 24 Mar 2026 00:00:00 GMT

View this release on GitHub.

Bug Fixes:

fix(auth): fastly profile, fastly sso and fastly auth-token commands now correctly respect the --quiet flag #1710

Enhancements:

feat(vcl/snippet): add support for the '--content' flag, allowing for the raw output of VCL. #1706

Dependencies:

build(deps): github.com/fatih/color from 1.18.0 to 1.19.0 (#1707)
build(deps): github.com/klauspost/compress from 1.18.4 to 1.18.5 (#1707)

On-Prem WAF deployments now use Digital Elements geolocation data

Fastly — Thu, 19 Mar 2026 00:00:00 GMT

On-Prem WAF deployments previously used the MaxMind GeoLite2 database to resolve IP geolocation data. These deployments now use Digital Elements geolocation data, consistent with the data Edge WAF deployments use. No deployment updates or configuration changes are required. Existing deployments will receive the updated database automatically.

CLI v14.1.1

Fastly — Wed, 18 Mar 2026 00:00:00 GMT

View this release on GitHub.

Bug Fixes:

fix(compute): compute pack, compute validate, and install no longer require authentication. #1701

Add KV Store support to Enablement

Fastly — Tue, 17 Mar 2026 00:00:00 GMT

The product enablement API now supports our KV Store product kv_store.

CLI v14.1.0

Fastly — Tue, 17 Mar 2026 00:00:00 GMT

View this release on GitHub.

Bug Fixes:

fix(stats): stats historical now returns write errors instead of silently swallowing them #1678

Deprecations:

deprecated(auth): fastly profile, fastly sso, and fastly auth-token command trees are deprecated and will be removed in a future release. Use fastly auth subcommands instead. #1676
deprecated(auth): --profile and --enable-sso global flags are deprecated. Use --token to select a stored auth token by name, or fastly auth login --sso --token for SSO. #1676

Enhancements:

feat(auth): add auth token subcommand to output the active API token for use in shell substitutions (e.g. $(fastly auth token)).
feat(auth): auth login --sso now requires --token to explicitly name the stored token. This prevents accidentally overwriting tokens in multi-user SSO workflows. #1676
feat(auth): add FASTLY_DISABLE_AUTH_COMMAND env var to hide the fastly auth command tree from help, completions, and invocation. #1676
feat(auth): when FASTLY_DISABLE_AUTH_COMMAND is set, the --token/-t global flag is also disabled. Use FASTLY_API_TOKEN or stored config tokens instead. #1676
feat(stats): add --field flag to stats historical to filter to a single stats field. #1678
feat(stats): add stats aggregate subcommand for cross-service aggregated stats. #1678
feat(stats): add stats usage subcommand for bandwidth/request usage, with --by-service breakdown. #1678
feat(stats): add stats domain-inspector subcommand for domain-level metrics. #1678
feat(stats): add stats origin-inspector subcommand for origin-level metrics. #1678
feat(apisecurity/discoveredoperations): add support for 'list' and 'update' support for 'API discovery'. #1689
feat(apisecurity/operations): add CRUD support for 'API Inventory' operations. #1689
feat(apisecurity/tags): add API Security Operations tag support (#1688)
feat(service/version): add support for service validation. #1695
feat(compute/build): Block version 1.93.0 of Rust to avoid a wasm32-wasip2 bug. (#1653)
feat(service/vcl): escape control characters when displaying VCL content for cleaner terminal output (#1637)

Dependencies:

build(deps): golang.org/x/net from 0.50.0 to 0.51.0 (#1674)
build(deps): actions/upload-artifact from 6 to 7 (#1675)
build(deps): actions/download-artifact from 7 to 8 (#1675)
build(deps): golang.org/x/sys from 0.41.0 to 0.42.0 (#1679)
build(deps): github.com/mattn/go-runewidth from 0.0.20 to 0.0.21 (#1679)
build(deps): github.com/pierrec/lz4/v4 from 4.1.25 to 4.1.26 (#1679)
build(deps): golang.org/x/oauth2 from 0.35.0 to 0.36.0 (#1679)
build(deps): golang.org/x/sync from 0.19.0 to 0.20.0 (#1679)
build(deps): github.com/fastly/go-fastly/v13 from 13.0.0 to 13.0.1 (#1679)
build(deps): golang.org/x/term from 0.40.0 to 0.41.0 (#1687)
build(deps): golang.org/x/mod from 0.33.0 to 0.34.0 (#1687)
build(deps): golang.org/x/text from 0.34.0 to 0.35.0 (#1687)
build(deps): github.com/fastly/go-fastly/v13 from 13.0.1 to 13.1.0 (#1687)
build(deps): golang.org/x/crypto from 0.48.0 to 0.49.0 (#1693)
build(deps): golang.org/x/net from 0.51.0 to 0.52.0 (#1693)
build(deps): github.com/fastly/go-fastly/v13 from 13.1.0 to 13.1.1 (#1693)
build(deps): github.com/fastly/go-fastly/v13 from 13.1.1 to 13.1.2 (#1696)
build(deps): actions/create-github-app-token from 2 to 3 (#1692)

Fastly Terraform Provider 8.8.0

Fastly — Tue, 17 Mar 2026 00:00:00 GMT

View this release on GitHub.

ENHANCEMENTS:

feat(api-security): add support for API Security operations (#1211)

DEPENDENCIES:

build(deps): github.com/fastly/go-fastly/v13 from 13.0.1 to 13.1.0 (#1208)
build(deps): github.com/fastly/go-fastly/v13 from 13.1.0 to 13.1.1 (#1210)
build(deps): github.com/fastly/go-fastly/v13 from 13.1.1 to 13.1.2 (#1214)
build(deps): actions/create-github-app-token from 2 to 3 (#1213)
build(deps): github.com/hashicorp/terraform-plugin-sdk/v2 from 2.39.0 to 2.40.0 (#1212)
build(deps): golang.org/x/net from 0.51.0 to 0.52.0 (#1212)
build(deps): actions/create-github-app-token from 2 to 3 (#1213)

Next-Gen WAF agent 4.76.0

Fastly — Tue, 17 Mar 2026 00:00:00 GMT

Improved support for FIPS 140-3 compliance
Upgraded to Golang 1.25.8
Updated base GeoIP data: March 2026