canary

This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.

v3.5.1

What's Changed

• [Backport v3.5] Pull in wac fix that was breaking deps by @fibonacci1729 in #3353
• Bump version for patch release by @fibonacci1729 in #3354

Full Changelog: v3.5.0...v3.5.1

v3.5.0

Support for the WASI Preview 3 release candidate (wasi@0.3.0-rc-2025-09-16) has landed in Spin v3.5.0! 🚀 This means folks can take advantage of first class composable concurrency and other underlying advancements to the Component Model, a whole host of simplified APIs, and better integration with language ecosystem libraries and frameworks. Read more in depth on advancements with WASIp3 here.

Please note this is an unstable feature in Spin and to start experimenting with WASIp3, opt-in by adding executor = { type = "wasip3-unstable" } to the appropriate [[trigger.http]] section of your spin.toml file. The latest Spin Rust SDK also has support for WASIp3. See examples of WASIp3 in action here.

Other notable changes:

• Limit max number of concurrent outbound requests a guest can make via runtime config #3285
• Satisfy dependencies by component ID references #3290.
• Pass file content as a value to spin up —variable: spin up --variable foo=@bar.txt #3319
• Define static HTTP responses for http triggers in spin.toml. #3250
• Many quality of life and housekeeping improvements

As always, a big thank you to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the v3.5.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/spinframework/spin/.github/workflows/release.yml@refs/tags/v3.5.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha 0ca21ceaa8c1eeef00bd8ccf3cc4359e777f818e \
    --certificate-github-workflow-repository spinframework/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• Bump version for next release by @fibonacci1729 in #3245
• cli: Resolve clap/deprecated warnings by @lann in #3228
• Update to Wasmtime 36.0.2 by @lann in #3252
• Bump spin-sdk version in rust templates to 5.0.0 by @ThorstenHans in #3251
• Workflow to bump rust templates sdk dependency by @fibonacci1729 in #3255
• Add spin-trigger-cron to release notes for tracking by @fibonacci1729 in #3257
• trigger-http: Fix otel context propagation by @calebschoepp in #3260
• Allow non-kebab-case names in component ai_models by @seun-ja in #3259
• outbound-http: Improve test assertion logging by @lann in #3247
• chore: bump redis to v0.32.5 by @kate-goldenring in #3261
• Make KeyValueRedis type public by @kate-goldenring in #3262
• trigger-http: Don't panic on unknown service chaining component ID by @lann in #3263
• factor-outbound-http: Refactor wasi impls by @lann in #3268
• factor-outbound-http: Add InterceptRequest::override_connect_host by @lann in #3269
• Expand wildcard service chaining during spin up by @itowlson in #3266
• Static HTTP responses by @itowlson in #3250
• chore(examples): Update Spin Rust SDK and other dependencies by @tschneidereit in #3276
• factor-outbound-http: Update override_connect_host by @lann in #3279
• Spin up checks required variables for some Providers by @seun-ja in #3265
• Implement open ai api llm backend by @seun-ja in #3238
• chore(ci): Restrict use of rust-cache to longest-running jobs by @tschneidereit in #3277
• Ignore flaky test on Mac by @itowlson in #3286
• Add WASIp3 support by @dicej in #3272
• variables: Refactor Provider::kind into ::may_resolve by @lann in #3282
• Fix dead code warnings by @itowlson in #3288
• Skip load_instance_pre for components not referenced by the trigger by @itowlson in #3280
• MacOS 13 retirement by @itowlson in #3287
• Ignore the flaky private IPs test on all platforms by @itowlson in #3289
• Sort builds if dependency relation between manifest components by @itowlson in #3284
• Fix Ubuntu tests often failing first time... by @itowlson in #3297
• Workflow for publishing spin:up WIT package by @fibonacci1729 in #3300
• Make spin deploy breaking change warning more emphatic by @itowlson in #3299
• Dependencies by component ID reference by @itowlson in #3290
• Try Rust 1.90 to fix CI woe by @itowlson in #3304
• Fix the publish-wit ci workflow by @fibonacci1729 in #3305
• Version the docker/login-action, er, action by @itowlson in #3306
• Update WIT world to WASI P3 RC by @itowlson in #3295
• Use temporary GITHUB_TOKEN for publishing to ghcr by @fibonacci1729 in #3308
• ignore Trap::AsyncDeadlock when running WASIp3 handlers by @dicej in #3309
• Another attempt to fix the publish-wit workflow by @fibonacci1729 in #3310
• Another attempt now that toggles have been toggled by @fibonacci1729 in #3311
• Revert "Another attempt now that toggles have been toggled" by @fibonacci1729 in #3312
• Set a limit on max number of concurrent outbound http requests by @rylev in #3285
• Use forked wkg to publish WITs for now by @itowlson in #3316
• Install wasm-tools in publish-wit by @fibonacci1729 in #3317
• Revise Spin Project Meeting details in README by @mikkelhegn in #3314
• Allow spin up --variable to pass file content as a value by @itowlson in #3319
• bump deps with cargo audit fix by @dicej in #3320
• Environment definitions starter pack by @itowlson in #3301
• outbound-networking: More BlockedNetworks integration by @lann in #3324
• Rename the DNS resolver types by @rylev in #3327
• Add opt-in to unstable wasip3 and warn when in use by @fibonacci1729 in #3322
• Bump version for v3.5 release by @fibonacci1729 in #3329

Full Changelog: v3.4.1...v3.5.0

v3.4.1

This is a patch release to pull in Wasmtime v36.0.2 which fixes an OOM panic.

Verifying the Release Signature

After downloading the v3.4.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/spinframework/spin/.github/workflows/release.yml@refs/tags/v3.4.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha 3ab5404bcb573ba1ea2e1c366e2ff63a90d307b2 \
    --certificate-github-workflow-repository spinframework/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• [Backport v3.4] Update to Wasmtime 36.0.2 by @fibonacci1729 in #3253
• Bump version for patch release by @fibonacci1729 in #3254

Full Changelog: v3.4.0...v3.4.1

v3.4.0

Spin 3.4 is here with some great quality-of-life enhancements! You can now make outgoing HTTP/2 requests, opening the door to faster APIs and gRPC backends with no extra setup. Postgres got a big boost too: connections are now pooled automatically for better performance under load, and you can use more data types like UUID, JSONB, ranges, arrays, decimals, and INTERVAL. On top of that, Spin templates now include a schema directive in spin.toml, so you’ll get instant validation and code completion right in your editor when scaffolding new applications!

As always, thanks to contributors old and new for helping improve Spin on a daily basis! Special thanks to new contributors @seun-ja and @gdamjan, welcome to the project!

Verifying the Release Signature

After downloading the v3.4.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/spinframework/spin/.github/workflows/release.yml@refs/tags/v3.4.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha 4f671bea25f17dea6d9e494bc918469043a75366 \
    --certificate-github-workflow-repository spinframework/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• Bump version for next anticipated release by @fibonacci1729 in #3157
• fix: enable compiling when unsafe-aot-compilation feat enabled by @kate-goldenring in #3159
• Move outbound networking config to new crate by @rylev in #3167
• Move router to its own separate crate by @rylev in #3169
• Update wasm-pkg-common so we can build some crates for wasm target by @rylev in #3171
• Update to Wasmtime 34.0.0 by @alexcrichton in #3172
• Don't mark outbound http spans as errors. by @rylev in #3158
• Clippy 1.88 fixes by @itowlson in #3178
• Selective error spans in variables and key-value by @rylev in #3176
• Warn if spin deploy rather than spin cloud deploy by @itowlson in #3173
• The, er, rest of the Clippy 1.88 lints by @itowlson in #3181
• Fuller and more explicit docs in manifest schema by @itowlson in #3179
• fix(templates/http-go): enable GC on builds by @adamreese in #3131
• Enable HTTP2 for outgoing requests by @fibonacci1729 in #3174
• chore: dedup send_request_handler by @fibonacci1729 in #3184
• Bump rustc version to 1.86.0 in CI by @fibonacci1729 in #3187
• Fix spin-factor-outbound-http tests by @lann in #3190
• Refactor configuration env vars for pooling by @alexcrichton in #3191
• adding custom port in cli opt-in by @seun-ja in #3182
• outbound-http: Remove host header with http2 by @lann in #3194
• Pin Zig CI to the version against which the template was written by @itowlson in #3195
• isolate and handle unix error by @seun-ja in #3192
• ref(templates/go): use spinframework import path by @adamreese in #3116
• fix(templates/http-go): fix go.mod in go templates by @adamreese in #3198
• Initialise git repo in new app by @itowlson in #3197
• Remove WASI P1 compatibility check tooling by @itowlson in #3200
• Smoke test local templates as well as remote ones by @itowlson in #3199
• cargo: update onig and onig_sys by @gdamjan in #3204
• Ensure valid wasms when publishing app by @fibonacci1729 in #3206
• chore(crates/core): fix typo by @vdice in #3209
• Upgrade wasmtime to v35.0.0 by @fibonacci1729 in #3186
• added flag for clearing log files at restart by @seun-ja in #3203
• Pool Postgres connections by @itowlson in #3043
• Add schema directive to template manifests by @itowlson in #3180
• Factor out variable azure/vault providers into separate crates by @fibonacci1729 in #3215
• Allow providing static variables via the cli by @fibonacci1729 in #3216
• Allow optional description for manifest variables by @fibonacci1729 in #3219
• expressions: Fix Display for Template escaping by @lann in #3223
• outbound-networking refactoring by @lann in #3168
• PostgreSQL UUID and JSONB support by @itowlson in #3175
• Link language SDKs in the readme by @itowlson in #3225
• Validate allowed_outbound_hosts template with defaults by @lann in #3224
• enable connection pooling and reuse for outbound wasi-http by @dicej in #3229
• fix compiler warnings in nightly by @bacongobbler in #3208
• Appease clippy 0.1.89 by @lann in #3232
• Rev conformance-tests back to official by @itowlson in #3236
• enables incoming http2 stream by @seun-ja in #3227
• selects only id when checking existence of data by @seun-ja in #3233
• move the nginx HTTP2 bug workaround by @dicej in #3239
• share WASI outbound HTTP connection pool across instances by @dicej in #3240
• Validate target environments by @itowlson in #2806
• Update to Wasmtime 36.0.1 by @alexcrichton in #3237
• Bump versions for v3.4 release by @fibonacci1729 in #3243

New Contributors

• @seun-ja made their first contribution in #3182
• @gdamjan made their first contribution in #3204

Full Changelog: v3.3.1...v3.4.0

v3.3.1

What's Changed

• [Backport v3.3] fix: enable compiling when unsafe-aot-compilation feat enabled by @fibonacci1729 in #3160
• Bump version for 3.3.1 release by @fibonacci1729 in #3162

Full Changelog: v3.3.0...v3.3.1

v3.3.0

Verifying the Release Signature

After downloading the v3.3.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/spinframework/spin/.github/workflows/release.yml@refs/tags/v3.3.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha 9dadd8c4bf347e5703f9488a7ec7eb4239cd083c \
    --certificate-github-workflow-repository spinframework/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• Bump version for next release by @fibonacci1729 in #3057
• Update wasm-tools dependencies to 0.227.* by @alexcrichton in #3058
• Clippies for Rust 1.85 by @itowlson in #3059
• app: Use an Arc for App::id by @lann in #3064
• Update otel dependencies by @rylev in #3062
• Optimize per-request work dispatching to wasm by @alexcrichton in #3063
• Allow external configuration of "keep resident" options by @alexcrichton in #3065
• Fixes a 1.85 clippy in examples by @itowlson in #3066
• docs(README): slack channel updates by @vdice in #3071
• Update release notes template to reflect new docs site by @fibonacci1729 in #3069
• Update contributing link to point to spinframework.dev by @kate-goldenring in #3076
• ci(.github): bump ubuntu runners to 22.04 by @vdice in #3074
• docs(release-process): org, slack and other updates by @vdice in #3072
• Update readme after move to spinframework org by @fibonacci1729 in #3070
• chore(*): spinframework.dev docs URL updates by @vdice in #3080
• chore(docs): remove triage-guide.md by @vdice in #3081
• Add OpenSSF best practices badge by @kate-goldenring in #3079
• chore(*): more spinframework org/url updates by @vdice in #3078
• chore: add SECURITY.md file by @kate-goldenring in #3084
• Generate CLI reference by @itowlson in #3083
• chore: update SECURITY.md with supported versions section by @kate-goldenring in #3085
• Fix cache warning in GH actions by @itowlson in #3089
• Update dependencies that are broken on rustc v1.86 by @rylev in #3096
• Fix spin new list offset error in the presence of add-only templates by @itowlson in #3101
• Do less allocation when building routes. by @rylev in #3100
• Run cargo update on timer example by @rylev in #3103
• Fix the failing integration tests by @itowlson in #3114
• Less allocations in router by @rylev in #3107
• Update wasmtime/wasm-tools dependencies by @alexcrichton in #3119
• Update dependencies by @rylev in #3097
• chore(governance): propose adding spin-deps-plugin by @vdice in #3121
• chore(governance): propose adding spin-redirect by @vdice in #3120
• Support Liquid partials in templates by @itowlson in #3111
• SQLite affected row count and last_insert_rowid by @itowlson in #3095
• Generate schema for v2 manifest by @itowlson in #2997
• When looking for upgradeable installed plugins, check only on name by @itowlson in #3125
• Chore(governance): Propose adding js-wasi-ext by @karthik2804 in #3122
• Add support for limiting instance memory usage in spin up by @fibonacci1729 in #3135
• Refactor how InitContext works with factors by @alexcrichton in #3134
• Update to Wasmtime 33.0.0 by @alexcrichton in #3141
• Warn or error on dubious-looking file mount by @itowlson in #3143
• outbound-networking: Add error.type to tracing::error! by @lann in #3146
• Fix subsets inheriting service chaining requirement from whole app by @itowlson in #3136
• Add runtime config for blocking outbound connections by CIDR by @lann in #3150
• Provide more guidance on invalid allowed_outbound_hosts by @itowlson in #3152
• Warn when max memory is exceeded by @fibonacci1729 in #3147
• Bump version for v3.3 by @fibonacci1729 in #3156

Full Changelog: v3.2.0...v3.3.0

v3.2.0

This is the first release of Spin since it's donation to CNCF 🎉 This release brings various fixes and UX/DX improvements (See the changelog for a glimpse into what's changed). One notable fix is the added ability for Spin to push to a registry components that are composed with their dependencies to fix an issue with running in various Spin runtimes like runwasi.

Thank you to all of the contributors!

Verifying the Release Signature

After downloading the v3.2.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/spinframework/spin/.github/workflows/release.yml@refs/tags/v3.2.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha c9be6d8feafc15cf1e1ef17bd9f6cb72988fa350 \
    --certificate-github-workflow-repository spinframework/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• fix(.github): pin tailscale to 1.78.1 for deploy by @vdice in #2967
• bump ver on main to v3.2.0-pre0 by @michelleN in #2968
• Fix deny-all adapter for socket imports by @fibonacci1729 in #2971
• fix #2974 -- use redis::aio::ConnectionManager by @fibonacci1729 in #2976
• Azure Cosmos multiple stores per container by @rylev in #2953
• Update TinyGo templates to address static init problems by @itowlson in #2977
• fix(oci): update oci-distribution crate to get jwt fix by @vdice in #2983
• fix(templates/http-go): Remove scheduler flag from http-go build command by @adamreese in #2981
• In spin new/add, display only templates compatible with current command by @itowlson in #2984
• Warn if application uses a reserved route by @itowlson in #2986
• Fix spin watch Ctrl+C not working before first successful build by @itowlson in #2991
• Clearer progress info for multi-command builds by @itowlson in #2994
• remove CachingStoreManager from factor-key-value by @dicej in #2995
• alias spin plugin uninstall -> rm by @michelleN in #2999
• New clippies and rust-analyzer chores for Rust 1.84 by @itowlson in #3001
• Include guidance in error for non-matching HTTP component export by @itowlson in #3002
• Update wit-bindgen used in tests by @alexcrichton in #3006
• Update Wasmtime to 29.0.1 by @alexcrichton in #3005
• docs(sips/006-spin-plugins): Fix typo in package.os field definition: osx -> macos by @PetarKirov in #3011
• Add spin fileserver to project governance by @michelleN in #3012
• Allow self.alt host for self-requests by @itowlson in #3003
• rm Fermyon heading in README by @michelleN in #3013
• flake: update for newer rust by @endocrimes in #3015
• Check allowed hosts before checking the request_interceptor by @alexcrichton in #3016
• feat(push): allow pushing composed components to registry by @fibonacci1729 in #2996
• Use connection pooling when querying CosmosDB by @kate-goldenring in #3017
• fix: support empty files directories by @kate-goldenring in #3020
• Update workflows to remove most fermyon refs by @fibonacci1729 in #3024
• factors-executor: Add ComponentLoader::load_instance_pre by @lann in #3036
• componentize: Tweak clang version parsing by @lann in #3031
• fix: remove unneeded spin-core dep from key-value-azure factor by @kate-goldenring in #3022
• Don't upload release artifacts to s3 by @fibonacci1729 in #3027
• Change Homebrew data dir from fermyon-spin to spinframework-spin by @kate-goldenring in #3039
• chore: update homebrew workflow step to use new tap by @fibonacci1729 in #3029
• rm Fermyon from template output and examples by @michelleN in #3034
• update Copyright to The Spin Framework Contributors by @michelleN in #3037
• Fixes and enhancements to Cosmos KV host implementation by @kate-goldenring in #3032
• Revert expected test output for legacy apps by @itowlson in #3046
• app: Wrap inner LockedApp in Arc by @lann in #3047
• Fix concurrent HTTP component downloads race condition by @itowlson in #3050
• Allow "choose from list" parameters in templates by @itowlson in #3052
• If a component errors after starting the response, show that error by @itowlson in #3041
• Validate keys before persisting items in Azure CosmosDB key-value store by @ThorstenHans in #3054
• Pull in last changes for v3.2 release by @fibonacci1729 in #3056
• Bump version for v3.2 by @fibonacci1729 in #3055

New Contributors

• @PetarKirov made their first contribution in #3011

Full Changelog: v3.1.2...v3.2.0

v3.1.2

Spin 3.1.2

This is a patch release to fix a bug that was found in the redis key-value implementation where connections became stale after a service disruption instead of automatically reconnecting.

Verifying the Release Signature

After downloading the v3.1.2 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v3.1.2 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha 3d37bd8cdd1ddbfc94b9670540fbf9eb09687c2a \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v3.1.1...v3.1.2

v3.1.1

Spin 3.1.1

This is a patch release to fix a bug that was found in the deny-all adapter used to implement configuration inheritance for component dependencies.

Verifying the Release Signature

After downloading the v3.1.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v3.1.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha aa919ce36a5f6c45e6c9b66bcd94657281f44bf3 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v3.1.0...v3.1.1