.. _version_history_1.36.3: 1.36.3 (December 4, 2025) ========================== Incompatible behavior changes ----------------------------- *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* * **dynamic modules**: The dynamic module ABI has been updated to support streaming body manipulation. This change also fixed potential incorrect behavior when access or modify the request or response body. See https://github.com/envoyproxy/envoy/issues/40918 for more details. * **http**: Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior it is very common as a latency reducing measure. As such the option is disabled by default. Bug fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* * **bootstrap**: Fixed an issue where the custom :ref:`header_prefix ` will result in crash at startup. * **http**: Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set. * **tcp_proxy**: Fixed a connection leak in the TCP proxy when the ``receive_before_connect`` feature is enabled and the downstream connection closes before the upstream connection is established. * **tls**: Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was an embedded null octet, leading to incorrect SAN validation. New features ------------ * **dynamic modules**: Added support for loading dynamic modules globally by setting :ref:`load_globally ` to true. * **overload management**: The fixed heap resource monitor can now calculate memory pressure as currently allocated memory divided by maximum heap size, giving more accurate and lower memory pressure values. This can avoid unnecessary load shedding or overload actions. To enable, set ``envoy.reloadable_features.fixed_heap_use_allocated`` to true. The default algorithm (heap_size - pageheap_unmapped - pageheap_free) does not discount for free memory in TCMalloc caches. * **tls_inspector**: Propagate the transport error from the tls_inspector to the DownstreamTransportFailureReason in StreamInfo for access logging prior to the TLS handshake.