- Strengthened TLS and DNS security: hostname normalization for server identity, case‑sensitive SNI fix, rejecting hostnames with embedded NUL bytes, and binding reusable sessions to authenticated hosts.
- Hardened cryptographic and HTTP modules: added length guard for WebCrypto cipher output, capped HTTP/2 originSet size, redacted proxy credentials in tunnel errors, and fixed response‑queue poisoning in http.Agent.