Release Date: 29 January, 2025.

## New Features
- Deprecation notice about moving core resource packs to their individual gems after the next major release ([#7219](https://github.com/inspec/inspec/pull/7219))

- Added the `--legacy` flag to the inspec automate upload command. ([#7200](https://github.com/inspec/inspec/pull/7200)) 

  The `inspec automate upload` command runs `inspec check` and `inspec export`, which were updated in Chef InSpec 5.22.36. This update led to a bug with InSpec profiles with `=begin =end`.
 
  Use the `--legacy` flag with profiles where the newer export and check methods may fail to parse older profiles correctly, particularly due to limitations in AST parsing.

## CVEs

- Fixes HTTP Request Smuggling in ruby webrick [CVE-2024-47220](https://nvd.nist.gov/vuln/detail/cve-2024-47220). ([#7214](https://github.com/inspec/inspec/pull/7214))
- Fixes the REXML denial of service vulnerability [CVE-2024-43398](https://nvd.nist.gov/vuln/detail/CVE-2024-43398). ([#7199](https://github.com/inspec/inspec/pull/7199))
- Fixes the REXML ReDoS vulnerability [CVE-2024-49761](https://nvd.nist.gov/vuln/detail/CVE-2024-49761). ([#7199](https://github.com/inspec/inspec/pull/7199))

## Improvements
- Use of a better cryptographic hashing algorithm on sensitive data. ([#7261](https://github.com/inspec/inspec/pull/7261))
- Improvements in the error handling of the plugin installation error. ([#7161](https://github.com/inspec/inspec/pull/7161))
- Fixed the encoding issues with special characters in passwords for Postgres Session resource ([#7277](https://github.com/inspec/inspec/pull/7277))