commit 076fb2bc5304f183ef7874ecc84d1908c43d2250
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Fri May 8 15:15:36 2026 +0100

    Version v1.74.1

commit e1fd3725bc7454f8d7d22c6730115a6b169644a8
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Fri May 8 10:59:20 2026 +0100

    build: update golang.org/x/net to v0.53.0 to fix CVE-2026-33814

commit 5780a30c30e587a4b18e71a129ce58b3c64ddcf9
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Fri May 8 10:47:04 2026 +0100

    build: fix multiple CVEs by upgrading to go1.26.3
    
    - CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database
    - CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
    - CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows
    - CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase
    - CVE-2026-39820: net/mail: quadratic string concatentation in consumeComment
    - CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable temporary filenames
    - CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths
    - CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
    - CVE-2026-39826: html/template: escaper bypass leads to XSS
    - CVE-2026-33811: net: crash when handling long CNAME response
    - CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS

commit 17c2db7289c05a68c3428b3b84bec7c39ceb36bc
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Tue May 5 15:30:41 2026 +0100

    drime: fix uploads of 100..200M files
    
    At some point Drime recommended 200M for the upload cutoff for
    switching to multipart upload. However uploads have stopped working
    using single part upload for 100..200Mish files.
    
    Their docs now recommend 5M as the cutoff for multipart upload so this
    changes the default.

commit 44c56ed4814cebf4031a8e3d4817135e4a8d12dc
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Mon May 4 12:12:50 2026 +0100

    drime: fix large file uploads landing in drive root instead of configured folder
    
    The /s3/multipart/create and /s3/entries endpoints interpret relativePath
    as an absolute path from the drive root, not relative to parent_id. When
    root_folder_id was set to a non-root folder, files larger than
    upload_cutoff ended up at the user's drive root instead of the configured
    folder.
    
    Resolve the absolute path of the Fs root once via GET /folders/{hash}/path
    (cached on first OpenChunkWriter call) and use that to build the correct
    relativePath.
    
    Fixes #9392

commit ebca82f7db402f1fa6fdc8d7d4ee5fad76ee5122
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Thu May 7 11:15:10 2026 +0100

    docs: sponsor updates
    
    - Add Data Raven as a silver sponsor
    - Add Impossible Cloud as a bronze sponsor
    - Shuffle silver sponsors once per page load
    - Remove TOC from sponsors page

commit e9d280b79318e839bbd3126feb56f3d6840e280f
Author: Leon Brocard <lbrocard@fastly.com>
Date:   Thu May 7 08:32:36 2026 +0100

    s3: add new Fastly Object Storage regions
    
    Add three new regions and their endpoints for Fastly Object Storage:
    
    - eu-west-1 (Paris)
    - us-east-1 (Virginia)
    - us-west-1 (Oregon)
    
    These are distinct from the existing us-east, us-west and eu-central
    endpoints, which are kept in place.

commit 4f93bd482f2002eda087a40e2829386908cbb965
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Wed May 6 15:47:17 2026 +0100

    cloudinary: fix retrying every error and fix pacer sleep units
    
    shouldRetry treated every non-nil error as retryable, so permanent
    failures (auth, 4xx, not-found) burned through the LowLevelRetries
    budget instead of returning fast.
    
    This also fixes the pacer sleeps: pacer.MinSleep(1000) and
    MaxSleep(10000) are time.Duration values, so they were 1µs and 10µs -
    almost certainly intended as 10ms and 2s.

commit b6c68882e508a9252f96e3f9a946e821f83848e4
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Sat May 2 21:11:50 2026 +0100

    s3: fix STS call per request by caching AssumeRole credentials
    
    The stscreds.AssumeRoleProvider from AWS SDK Go v2 does not cache
    credentials by itself. The SDK only auto-wraps providers with
    aws.CredentialsCache when they are loaded via
    config.LoadDefaultConfig; when assigned directly to
    aws.Config.Credentials it must be wrapped manually, as documented on
    stscreds.NewAssumeRoleProvider.
    
    Without the cache, configurations using role_arn would call AssumeRole
    once per S3 request, flooding STS and CloudTrail.
    
    See: https://forum.rclone.org/t/aws-iam-roles-credentials-arent-cached/53732

commit 23dc9d0515bee37e6c81f3fa5598d02e432678a7
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Tue Apr 28 10:57:02 2026 +0100

    protondrive: fix segfault when copying files missing revision metadata
    
    When a Proton Drive file has no active revision attributes,
    readMetaDataForLink returns a nil FileSystemAttrs and Object.originalSize
    is left as nil. Object.Open then dereferenced this nil pointer when
    calling fs.FixRangeOption, causing a SIGSEGV during copy.
    
    Use Object.Size() instead, which already implements the correct fallback
    to the link size when originalSize is unavailable.
    
    This updates the github.com/rclone/Proton-API-Bridge package to fix a
    segfault when reading files with no metadata.
    
    Fixes #9377
    Fixes #9117

commit be7c0f31a42313eee6cfb7219d5e75e6d1101a98
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Mon May 4 18:25:56 2026 +0100

    protondrive: route library logging through rclone's logger
    
    Previously all log output produced by Proton-API-Bridge (stdlib log)
    and go-proton-api (logrus + resty's logger) bypassed rclone's
    logging: it ignored -v / -vv levels and didn't reach --log-file.
    
    Add a small adapter implementing the resty.Logger / bridge Logger
    shape that calls fs.Errorf / fs.Logf / fs.Debugf, and pass it via
    the new Config.Logger hook. The bridge in turn forwards the same
    value to go-proton-api's WithLogger option, so HTTP-layer warnings
    and the formerly-hardcoded logrus warnings inside go-proton-api
    also surface through rclone's log levels.

commit 3ac9b75a834d5405e83e069361ab375ce176b73c
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Mon May 4 18:19:10 2026 +0100

    protondrive: route HTTP through rclone's transport
    
    The Proton Drive backend constructed the upstream Proton-API-Bridge
    without ever passing rclone's HTTP transport. As a result none of
    rclone's HTTP flags reached Proton: --dump headers, --dump bodies,
    --no-check-certificate, --user-agent, --bind, --ca-cert, --header,
    --tpslimit etc. all silently did nothing for this remote, and HTTP
    traffic was invisible to -vv.
    
    Pass fshttp.NewTransport(ctx) through the new Config.Transport hook on
    the bridge, which forwards it to the updated go-proton-api's
    WithTransport option and so to the underlying resty client.

commit 5e9cb39084050e09e4690f270cd74bea1db8d5ee
Author: Gustavo V. F. <31892323+Gustavo-V-F@users.noreply.github.com>
Date:   Sat May 2 12:47:07 2026 -0300

    bisync: fix retryable without --resync error message when --resync has a critical failure

commit 87d0b59a512e421a7456956dc705ecf41500f9ac
Author: Leon Brocard <acme@astray.com>
Date:   Sat May 2 12:28:30 2026 +0100

    cmd/serve/s3: return object listings in key order
    
    The S3 ListObjects response from `rclone serve s3` was sorting object
    contents by modification time instead of object key. This made the
    listing order incompatible with S3 clients which expect lexicographic
    key ordering.
    
    In particular, `aws s3 sync` assumes both source and destination
    iterators are ordered by key. With the old modtime ordering it could
    misidentify files as missing or outdated and re-download objects that
    were already up to date.
    
    Change the pager to sort returned objects by key and add a regression
    test which uses keys and modtimes arranged so the old behaviour would
    fail.
    
    Fixes #9002

commit 76596b672767093148ec540c927ef6f90c7840be
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Fri May 8 15:06:57 2026 +0100

    Start v1.74.1-DEV development
