v0.41.0

- SVR3 bridge, all clients
- CDSI bridge for FFI
- libsignal-net bridge for Node
- Retire old SVR2 enclaves
- Message backup:
	- Expose message backup purpose as an argument
	- Disallow messages that are expiring soon
- Usernames: Fix missing Cargo feature for curve25519-dalek
- Implement 3HashSDHI-based "passes" in zkcredential
- Java bridging layer changes:
	- Mark all bridge_fns that return Result as `throws Exception`
	- Add the FilterExceptions helper
- Node bridging layer changes:
	- Use JsBigInt for u64 bridging instead of a Buffer
	- Update to Neon 1.0
- General bridging layer changes:
	- Filter out log messages that aren't from libsignal
	- Make ProtocolAddress's getters infallible
	- Improve error messages

v0.40.1

- Android: run tests that rely on test-only library code
- Java: internal changes to fix Java object construction on Android
- Fixed message backup validation bug, added tests

v0.40.0

- Multiple improvements to libsignal-net (no client impact).
- Introduce processMinidumpBuffer for Desktop.
- Updated error handling in the bridging layer.
- Java APIs breaking changes:
  - DecryptionErrorMessage deserialization can throw InvalidKeyException
  - HsmEnclaveClient can fail at any point during the protocol
  - Aes256GcmSiv.encrypt can't fail
- Message backup validator is now available on all client platforms.
- Fix Java error handling for CDSI lookup.

v0.39.3

- zkgroup: Add GroupSendCredentialResponse::receive_with_ciphertexts,
  which is exposed as an overload of receive() for Java and Swift, and
  as receiveWithCiphertexts() for TypeScript. This is more efficient
  if the client already has ciphertexts for the group members.

- Java: Expose ServerCertificate and SenderCertificate creation APIs,
  and add them to libsignal-server as well as libsignal-client.

- Update Cargo dependencies again.

v0.39.2

- Java: Mp4Sanitizer and WebpSanitizer now support InputStreams that
  don't provide a good skip() operation.

- Java and Swift: Remove the length parameter for WebpSanitizer.
  (The old overload has been deprecated.)

- Node: Expose SealedSenderMultiRecipientMessage parsing
  (for @signalapp/mock-server).

- Rust: Update pinned nightly toolchain, as well as dependencies.

v0.39.1

Node: Pins the version of prebuildify used for releases, otherwise the
same as v0.39.0.

v0.39.0

- Add Username.from_parts() method

- Refuse to generate username hashes for nicknames over 48 chars long

- Split up BadDiscriminator username error into more specific errors:

  - Rust: UsernameError now has more cases. ProofVerificationFailure is
    also split off into its own error type, separate from structural
    username errors.

  - Java: Subclasses of BadDiscriminatorException have been added.

  - Swift: Some error codes have been renamed and others have been added.

  - TypeScript: Some error codes have been renamed and others have been
    added. Discriminator errors are now proper LibSignalErrors.

- Java: Expose non-copying method on SealedSenderMultiRecipientMessage to
  get message size for a recipient

v0.38.0

- Update to pqcrypto-kyber 0.7.9

- Rust: Allow mixed comparisons (PartialEq) between ServiceId and
  Aci/Pni. This is convenient but is also a breaking change: call
  sites that compared `service_id == aci.into()` will now be
  ambiguous; the fix is to remove the `.into()`.

- Rust: Expose ServiceId::kind as pub

- Restore compatibility with Rust 1.72 (and possibly earlier if you
  only use certain crates), and clarifies that updating this minimum
  version counts as a "breaking change" (i.e. v0.39.0 rather than
  v0.38.x).

- Belatedly note that git is a compilation dependency (via boring-sys)

- Start of libsignal-message-backup crate, which validates the backup
  files generated by the apps. Not ready for general use.

- Continued work on SVR3

v0.37.0

- Use compact device list encoding when sending SSv2 messages. This is
  a client->server format change; the receiving side was added in
  v0.35.0.

- Add support for excluded recipients for SSv2 messages.

- Add GroupSendCredential.

- Speed up SSv2 message encryption by generating key material on
  multiple threads.

- Android+iOS: Fix SenderKeyDistributionMessage.getDistributionId(),
  which was producing garbage output. (Thanks for the report,
  @imb591!)

- Rust: Move ServiceId + ProtocolAddress to new libsignal-core crate
  (but re-exported through libsignal-protocol, so this is a
  non-breaking change). zkgroup no longer depends on
  libsignal-protocol.

- Fuzz test fixes related to pre_key_id and archived sessions count
  (thanks, @moodyjon!)

v0.36.1

- Update curve25519-dalek to 4.1.1
- Fix the server push response format in libsignal-net (no client
  impact)
- Java: Take in session list for sealed sender multiRecipientEncrypt