Sourced from @​stellar/stellar-sdk's releases.

v15.1.0

v15.1.0

Fixed

• Security: FederationServer.createForDomain and the FederationServer constructor now validate domains per RFC 1035, rejecting malformed domains before issuing federation or stellar.toml requests. Port numbers are also accepted (#1393).
• RpcServer.pollTransaction off-by-one: the polling loop used < instead of <=, causing one fewer attempt than configured(#1373).
• requestAirdrop error path: fixed incorrect property access (error.response.detail instead of error.response.data.detail) when checking for createAccountAlreadyExist (#1373).
• Spec.typeRef now properly handles scSpecTypeResult by returning the JSON schema for the okType, instead of silently breaking out of the switch (#1373).
• structToJsonSchema now places additionalProperties: false on the schema object itself rather than incorrectly nesting it inside properties (#1373).
• Fixed bigint-to-U32/I32 conversion in Spec using Number(val) instead of val as number (a no-op for bigints) (#1373).
• WASM custom section parser: when a section was skipped (invalid name length), the offset was not advanced, causing an infinite loop or incorrect parsing of subsequent sections (#1373).
• FederationServer URL mutation: resolveAddress, resolveAccountId, and resolveTransactionId mutated the shared serverURL by appending query params on each call. Fixed by cloning the URL before modifying (#1373).
• CallBuilder.stream() URL mutation: stream() mutated the shared this.url by adding query params, corrupting the builder for subsequent calls. Fixed by cloning the URL (#1373).
• AssembledTransaction restore path: when buildWithOp was used and automatic state restoration was needed, the rebuild incorrectly reconstructed the operation via contract.call() instead of reusing the original operation (#1373).
• SERVER_TIME_MAP port collision: the Horizon time-sync cache keyed entries by hostname only, so two servers on different ports of the same host shared a cache entry. Fixed by including the port in the key (#1373).
• Spec.funcResToNative now correctly returns an Err instance when a contract function with a Result return type returns an error, instead of throwing while decoding it as the Ok type (#1373).
• SEP-10: verifyChallengeTxSigners now rejects challenges signed only by the server and client_domain key with no actual client signer, instead of returning an empty signers list (#1372).
• getAssetBalance used incorrect flag bitmask constants (AuthRequiredFlag, AuthRevocableFlag, AuthClawbackEnabledFlag) which are account-level flags, not trustline-level flags. Replaced with the correct trustline flag bitmasks (0x1, 0x2, 0x4) (#1372).
• AssembledTransaction.simulate did not clear this.built before re-simulating after a state restoration rebuild, causing it to assemble stale transaction data (#1372).
• AssembledTransaction.signAndSend mutated the shared this.options.submit flag to prevent double submission. Replaced with a wrapper around signTransaction that injects submit: false without mutating shared state (#1372).
• Fetch HTTP client: async request interceptors were not awaited — the synchronous try/catch loop passed unresolved promise objects as the config. Replaced with a proper .then() chain matching Axios interceptor semantics (#1372).
• Fetch HTTP client: cancellation now preserves custom cancel reasons and isCancel no longer depends on exact error-message text (#1390).
• Fetch HTTP client: instance default headers and params now merge correctly with per-request overrides on the no-axios / minimal builds, including requests that use bounded options (#1390).
• Fetch HTTP client: maxRedirects and maxContentLength were silently ignored on the no-axios / minimal builds, turning SDK-set SSRF and DoS guards (StellarToml.Resolver.resolve, FederationServer) into no-ops. A new bounded adapter activates when either option is set, refusing redirects past maxRedirects and streaming the response body with a running-total check so oversized responses abort mid-stream (#1390).
• Fetch HTTP client: the no-axios bounded path now more closely matches Axios behavior for object request bodies, baseURL, timeout errors, redirect method/body handling, and stripping credential-bearing headers on cross-origin redirects (#1390).
• src/bindings/config.ts imported ../../package.json with a relative path that resolved incorrectly for the lib/no-axios/ and lib/minimal/ build outputs, making those libs unloadable. Replaced with the __PACKAGE_VERSION__ compile-time define (#1390).
• Updated the production axios dependency from 1.14.0 to 1.15.0 (#1381).

Added

• AccountResponse constructor now uses explicit field-by-field assignment instead of Object.entries dynamic assignment for type safety (#1373).
• Added transactions collection to Api.AccountRecord and AccountResponse (#1373).
• Added range checks for U32/I32 values in Spec: bigint values are now validated against min/max bounds before conversion, throwing a RangeError instead of silently truncating (#1373).
• rpc.Server.getLatestLedger() now includes closeTime, headerXdr, and metadataXdr in the typed response, with headerXdr/metadataXdr parsed into XDR objects instead of raw base64 strings (#1389).

Deprecated

• BalanceResponse.revocable is deprecated in favor of authorizedToMaintainLiabilities, which correctly reflects the trustline flag semantics (#1372).

Full Changelog: stellar/js-stellar-sdk@v15.0.1...v15.1.0

v15.0.1: Protocol 26

v15.0.1: Protocol 26

Breaking Changes

• XDR has been upgraded to support Protocol 26, please refer to the @stellar/stellar-base release notes for details and other breaking changes.

Fixed

• Sanitize identifiers and escape string literals in generated TypeScript bindings to prevent code injection via malicious contract spec names. sanitizeIdentifier now strips non-identifier characters, and a new escapeStringLiteral helper escapes quotes and newlines in string contexts (#1345).
• AssembledTransaction.fromXDR() and fromJSON() now validate that the deserialized transaction targets the expected contract, rejecting mismatched contract IDs and non-invokeContract operations. (#1349).
• Pin exact version on axios dependency (#1365)

... (truncated)

Sourced from @​stellar/stellar-sdk's changelog.

v15.1.0

Fixed

• Security: FederationServer.createForDomain and the FederationServer constructor now validate domains per RFC 1035, rejecting malformed domains before issuing federation or stellar.toml requests. Port numbers are also accepted (#1393).
• RpcServer.pollTransaction off-by-one: the polling loop used < instead of <=, causing one fewer attempt than configured(#1373).
• requestAirdrop error path: fixed incorrect property access (error.response.detail instead of error.response.data.detail) when checking for createAccountAlreadyExist (#1373).
• Operator precedence bug in parseSuccessful: sim.results?.length ?? 0 > 0 was parsed as ?? (0 > 0), causing simulation results and state changes to never be included in the parsed response (#1373).
• Spec.typeRef now properly handles scSpecTypeResult by returning the JSON schema for the okType, instead of silently breaking out of the switch (#1373).
• structToJsonSchema now places additionalProperties: false on the schema object itself rather than incorrectly nesting it inside properties (#1373).
• Fixed bigint-to-U32/I32 conversion in Spec using Number(val) instead of val as number (a no-op for bigints) (#1373).
• Fixed missing template literal $ in two Spec error messages that were not interpolated (#1373).
• WASM custom section parser: when a section was skipped (invalid name length), the offset was not advanced, causing an infinite loop or incorrect parsing of subsequent sections (#1373).
• FederationServer URL mutation: resolveAddress, resolveAccountId, and resolveTransactionId mutated the shared serverURL by appending query params on each call. Fixed by cloning the URL before modifying (#1373).
• CallBuilder.stream() URL mutation: stream() mutated the shared this.url by adding query params, corrupting the builder for subsequent calls. Fixed by cloning the URL (#1373).
• AssembledTransaction restore path: when buildWithOp was used and automatic state restoration was needed, the rebuild incorrectly reconstructed the operation via contract.call() instead of reusing the original operation (#1373).
• SERVER_TIME_MAP port collision: the Horizon time-sync cache keyed entries by hostname only, so two servers on different ports of the same host shared a cache entry. Fixed by including the port in the key (#1373).
• Spec.funcResToNative now correctly returns an Err instance when a contract function with a Result return type returns an error, instead of throwing while decoding it as the Ok type (#1373).
• SEP-10: verifyChallengeTxSigners now rejects challenges signed only by the server and client_domain key with no actual client signer, instead of returning an empty signers list (#1372).
• getAssetBalance used incorrect flag bitmask constants (AuthRequiredFlag, AuthRevocableFlag, AuthClawbackEnabledFlag) which are account-level flags, not trustline-level flags. Replaced with the correct trustline flag bitmasks (0x1, 0x2, 0x4) (#1372).
• AssembledTransaction.simulate did not clear this.built before re-simulating after a state restoration rebuild, causing it to assemble stale transaction data (#1372).
• AssembledTransaction.signAndSend mutated the shared this.options.submit flag to prevent double submission. Replaced with a wrapper around signTransaction that injects submit: false without mutating shared state (#1372).
• Fetch HTTP client: async request interceptors were not awaited — the synchronous try/catch loop passed unresolved promise objects as the config. Replaced with a proper .then() chain matching Axios interceptor semantics (#1372).
• Fetch HTTP client: cancellation now preserves custom cancel reasons and isCancel no longer depends on exact error-message text (#1390).
• Fetch HTTP client: instance default headers and params now merge correctly with per-request overrides on the no-axios / minimal builds, including requests that use bounded options (#1390).
• Fetch HTTP client: maxRedirects and maxContentLength were silently ignored on the no-axios / minimal builds, turning SDK-set SSRF and DoS guards (StellarToml.Resolver.resolve, FederationServer) into no-ops. A new bounded adapter activates when either option is set, refusing redirects past maxRedirects and streaming the response body with a running-total check so oversized responses abort mid-stream (#1390).
• Fetch HTTP client: the no-axios bounded path now more closely matches Axios behavior for object request bodies, baseURL, timeout errors, redirect method/body handling, and stripping credential-bearing headers on cross-origin redirects (#1390).
• src/bindings/config.ts imported ../../package.json with a relative path that resolved incorrectly for the lib/no-axios/ and lib/minimal/ build outputs, making those libs unloadable. Replaced with the __PACKAGE_VERSION__ compile-time define (#1390).
• Updated the production axios dependency from 1.14.0 to 1.15.0 (#1381).

Added

• AccountResponse constructor now uses explicit field-by-field assignment instead of Object.entries dynamic assignment for type safety (#1373).
• Added transactions collection to Api.AccountRecord and AccountResponse (#1373).
• Added range checks for U32/I32 values in Spec: bigint values are now validated against min/max bounds before conversion, throwing a RangeError instead of silently truncating (#1373).
• rpc.Server.getLatestLedger() now includes closeTime, headerXdr, and metadataXdr in the typed response, with headerXdr/metadataXdr parsed into XDR objects instead of raw base64 strings (#1389).

Deprecated

• BalanceResponse.revocable is deprecated in favor of authorizedToMaintainLiabilities, which correctly reflects the trustline flag semantics (#1372).

v15.0.1

Fixed

• Pin axios to a specific version.

v15.0.0

Breaking Changes

• XDR has been upgraded to support Protocol 26, please refer to the @stellar/stellar-base release notes for details and other breaking changes.

... (truncated)

• c5eafa2 release v15.1.0 (#1405)
• ee81ed2 Federation domain validation (#1393)
• 7ad2b0a Fix fetch implementation (#1390)
• 8db146e Update Server.getLatestLedger response fields (#1389)
• da2f95b Bump axios from 1.14.0 to 1.15.0 (#1381)
• 9ec7ffd Internal agent bug fixes 2 (#1373)
• cbb53ed Internal agent bug fixes 1 (#1372)
• 2f049ab Stop unpublishing a prior version on every publish run (#1370)
• 00e3c70 Prepare v15.0.1 for release (#1365)
• 5daf44c V15.0.0 (#1362)
• Additional commits viewable in compare view