jq

jqlang·jqlang.jq

jq is a lightweight and flexible command-line JSON processor.

winget install --id jqlang.jq --exact --source winget

Latest 1.8.2·June 20, 2026

Release Notes

This is a patch release with security fixes and bug fixes since 1.8.1, along with new builds for Windows arm64 and Docker arm/v7. Security fixes

  • CVE-2026-32316: Fix heap buffer overflow in jvp_string_append and jvp_string_copy_replace_bad. @itchyny e47e56d
  • CVE-2026-33947: Limit path depth to prevent stack overflow in jv_setpath, jv_getpath, jv_delpaths. @itchyny fb59f14
  • CVE-2026-33948: Fix NUL truncation in the JSON parser. @itchyny 6374ae0
  • CVE-2026-39956: Fix _strindices missing runtime type checks. @tlsbollei fdf8ef0
  • CVE-2026-39979: Fix out-of-bounds read in jv_parse_sized(). @wader 2f09060
  • CVE-2026-40164: Randomize hash seed to mitigate hash collision DoS attacks. @AsafMeizner @itchyny 0c7d133
  • CVE-2026-40612: Limit containment check depth to prevent stack overflow in contains. @itchyny d1a1256
  • CVE-2026-41256: Fix NUL truncation in program files loaded with -f. @itchyny 5a015de
  • CVE-2026-41257: Fix signed-int overflow in stack_reallocate. @itchyny 01b3cde
  • CVE-2026-43894: Reject numeric literals longer than DEC_MAX_DIGITS (999999999). @itchyny 9761ceb
  • CVE-2026-43895: Reject embedded NUL bytes in module import paths. @itchyny 9d223f1
  • CVE-2026-43896: Limit recursive object merge depth to prevent stack overflow. @itchyny 532ccea
  • CVE-2026-44777: Detect circular module imports to prevent stack overflow. @itchyny f58787c
  • CVE-2026-47770: Guard deep structural equality and comparison recursion. @fuyu0425 7122866
  • CVE-2026-49839: Fix heap-buffer-overflow in raw file loading. @itchyny e987df0
  • CVE-2026-54679: Tighten string length bounds and propagate invalid jv in implode. @itchyny 46d1da3
  • GHSA-gf4g-95wj-4q4r: Fix use-after-free in args2obj() array argument path. @sseal #3498
  • GHSA-hj52-j2c9-r8r4: Fix signed-int overflow in tokenadd to prevent buffer overflow. @itchyny 63751f8
  • Limit the number of function parameters and definitions to prevent SEGV. @OwenSanzas #3460
  • Pre-allocate tokenbuf for string parser to avoid undefined behavior. @fab1ano #3485
  • Avoid stack overflow when freeing deeply nested values. @itchyny 33d7bce
  • Fix memory leaks and double frees. @itchyny #3487

Releasing

  • Add builds for Windows arm64. @dennisameling #3376
  • Support arm/v7 architecture in Docker images. @itchyny #3463
  • Update GPG signing key. @itchyny 0ff997f
  • Add artifact-metadata permission for actions/attest. @itchyny #3530
  • Upload attestation bundle as a release artifact, allowing unauthenticated verification via gh attestation verify --bundle jq-attestation.json. @itchyny #3563

CLI changes

  • Improve error message truncation with closing delimiters. @itchyny #3478
  • Remove extra space from die function output. @krtk6160 #3391
  • Fix raw input flag not to corrupt multi-byte characters. @itchyny #3421
  • Fix crash when importing a module with errors twice. @itchyny #3497
  • Increase the maximum printing depth from 256 to 10000. @ishnagy #3414

Changes to existing functions

  • Fix rtrimstr("") always outputting "". @A4-Tacks #3415
  • Fix infinite loop and undefined behavior in del(.[nan]). @itchyny #3490
  • Refactor @uri and @urid to fix multi-byte UTF-8 corruption. @itchyny #3495
  • Fix tonumber and toboolean to reject strings with embedded null bytes. @itchyny #3496
  • Fix undefined behavior in modulo operator. @fab1ano #3486
  • Fix reversed pointer subtraction in f_env bounds check. @itchyny #3465
  • Fix missing validity check in f_strflocaltime after f_localtime. @itchyny #3491
  • Fix year 2038 problem on 32-bit platforms. @itchyny #3407
  • Use // instead of //= in from_entries definition. @itchyny #3516

Build and test changes

  • Drop strptime test using non-portable %F. @alyssais #3365
  • Limit oniguruma depth to 1024 in jq_fuzz_execute. @sudhackar #3377
  • Fix localization test for time formatting functions. @itchyny #3409
  • Fix expected value assertion. @itchyny #3431 #3408
  • Fix typo in tests/jq.test. @bigmoonbit #3441
  • Refactor tm2jv to handle fractional seconds. @itchyny #3489
  • Fix jq_fuzz_parse_stream: use iterative parser API for streaming mode. @OwenSanzas #3499
  • Fix crashes and resource leaks in jq_testsuite. @itchyny #3509
  • Support building with --disable-maintainer-mode and source != build dir. @Saur2000 #3518
  • Add Solaris support. @vlmarek #3515
  • Respect SOURCE_DATE_EPOCH while generating man page. @McSinyx #3514
  • Fix undefined pointer arithmetic in UTF-8 helpers. @theyoucheng df924ea
  • Fix one-byte over-read in BASE64_DECODE_TABLE. @itchyny #3547

Documentation changes

  • Add wiki link to navigation bar. @wader #3424
  • Add missing word in manual for rawfile. @jpmens #3434
  • Fix typo "stder" to "stderr". @jjatria #3446
  • Fix buttons in tutorial to toggle labels when clicked on. @itchyny #3493
  • Fix "happened" spelling in tutorial changelog entries. @Rohan5commit #3525

Installer type: portable

ArchitectureScopeDownloadSHA256
x86DownloadA99CB668F95BDD788D9EE20529613B115E5D2A0D7F9127EE6976607E878558BA
x64DownloadA6FC67FEDAF9128A3309A1E2EBB8B986AECCF70122EE46D2CB4849E423F0C627

Details

Homepage
https://github.com/jqlang/jq
License
MIT License
Publisher
jqlang
Support
https://github.com/jqlang/jq/issues
Moniker
jq

Tags

jq

Older versions (5)

1.8.1
ArchitectureScopeDownloadSHA256
x64Download23CB60A1354EED6BCC8D9B9735E8C7B388CD1FDCB75726B93BC299EF22DD9334
x86Download414EC99417830178BD2F6E77FC78B34DE3B12FC6B6C3229F07038C5811307124
1.8.0
ArchitectureScopeDownloadSHA256
x64DownloadB45FCBB27DCB9E9848AC39889A8BF86457B8D9D31E7C56387C6EAB80008FD1F4
1.7.1
ArchitectureScopeDownloadSHA256
x64Download7451FBBF37FEFFB9BF262BD97C54F0DA558C63F0748E64152DD87B0A07B6D6AB
1.7
ArchitectureScopeDownloadSHA256
x64Download2E9CC54D0A5D098E2007DECEC1DBB3C555CA2F5AABDED7AEC907FE0FFE401AAB
1.6
ArchitectureScopeDownloadSHA256
x64DownloadA51D36968DCBDEABB3142C6F5CF9B401A65DC3A095F3144BD0C118D5BB192753