diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 386f0b01f9..8c3a69c531 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -4,8 +4,8 @@ curl and libcurl 8.21.0 Command line options: 274 curl_easy_setopt() options: 308 Public functions in libcurl: 100 - Authors: 1486 - Contributors: 3719 + Authors: 1489 + Contributors: 3728 This release includes the following changes: @@ -19,14 +19,19 @@ This release includes the following changes: This release includes the following bugfixes: o _ENVIRONMENT.md. Windows does case insensitive env variables [214] + o _URL.md: remove the zone-id mention [227] + o AmigaOS: curl_setup.h avoid explicit_bzero with clib2 [283] + o AmigaOS: fix build fallouts, re-add to CI [279] o asyn-thrdd: add IPv6 guards [195] o asyn-thrdd: fix result processing without wakeup socketpair [2] o autotools: mbedtls detection fixes [163] o BINDINGS: Update Hollywood link [181] o BUFQ.md: re-sync with source code [111] + o build: enable `-Wlogical-op` picky warning for GCC 4.4+ [277] o build: omit zlib pkg-config reference for Android [130] o cf-h2-prox: fix peer leak [132] o cf-h2-proxy: drop interim responses [47] + o cf-https-connect: do not engage on proxy origin [236] o cf-ip-happy.c: minor comment typo o cf-ip-happy: update documentation [223] o cf-socket: make Curl_addr2string static [224] 
@@ -35,12 +40,15 @@ This release includes the following bugfixes: o cfilters: fix busy loop on blocked transfers [72] o chunked: reject invalid bytes in trailer [210] o CIPHERS.md: fix the example that uses only TLS 1.3 [137] + o cmake/FindGSS: fix comment, adjust custom flavor property name [261] + o cmake/FindGSS: prioritize MIT over GNU in pkg-config detection [196] o cmake: auto-select static nghttp2/nghttp3/ngtcp2 Config [8] o cmake: export/forward `NGTCP2_CRYPTO_BACKEND` [99] o cmake: fix three issues generating lib options in config files [126] o cmake: fix zstd CMake config name [5] o cmake: opt in `MSVC_VERSION` 1951 to picky warnings [55] o cmake: quote `COMPONENTS` string in `curl-config.in.cmake` [80] + o config2setopts: use default protocol properly [286] o connect: remove deref of freed pointer in trace call [128] o content_encoding: fix limit failure message [171] o content_encoding: fix non-last chunked rejection [209] @@ -54,6 +62,7 @@ This release includes the following bugfixes: o creds: remove two unused functions [158] o curl_easy_pause.md: rephrase the stream cache when pause clause [120] o curl_easy_setopt.md: change options when no transfer runs [122] + o curl_formdata: fix to pass long where missing, document `CURLFORM_NAMELENGTH` [243] o curl_ntlm_core: fix nettle 4+ builds in certain MultiSSL combos [87] o curl_ntlm_core: propagate DES `CryptEncrypt()` error [84] o curl_sha512_256: fix result code on error [166] @@ -91,7 +100,7 @@ This release includes the following bugfixes: o ftplistparser: clear strings.target if not symlink [148] o gnutls: allow building with nettle 4.0 [96] o gnutls: fix more nettle 4+ compatibility issues [94] - o GnuTLS: require 3.7.2 for earlydata [103] + o gnutls: require 3.7.2 for earlydata [103] o gsasl: fix potential double free [56] o gtls: fix ignored return and uninitialized status in OCSP check [49] o gtls: fix some typos [15] 
@@ -110,11 +119,14 @@ This release includes the following bugfixes: o idn: replace header guards with forward declaration [100] o KNOWN_BUGS.md: remove fixed GnuTLS <-> OpenSSL incompat bug [41] o KNOWN_BUGS: remove stale Threads::Threads entry [135] + o krb5_sspi: fix error message on `DecryptMessage()` fail [269] + o ldap: base64 encode binary LDIF values with WinLDAP [273] o ldap: fix minor leak on write callback error [24] o ldap: fix to not leak `attribute` on OOM (WinLDAP) [79] o ldap: switch off chasing referrals [114] o lib678: fix to not be perma-skipped [10] o lib: make `__STDC_VERSION__` literals `L` (where missing) + o lib: transfer origin and proxy handling [276] o lib: two minor typos [16] o libcurl-easy.md: minor clarifications [19] o libssh2: do not use deprecated macros when unavailable [177] @@ -144,6 +156,7 @@ This release includes the following bugfixes: o pytest: re-enable test test_05_01 and test_05_02 for quiche 0.29.0+ [154] o pythonlint.sh: make it fail on error, fix ruff warnings in pytest [67] o quic: count zero length packets against max [179] + o ratelimits: use minimal burst rate [245] o resolve: mention in error that IP address is expected [205] o rtsp: bump buf after rtsp_filter_rtp() [88] o runner.pm: apply minor correctness fix [105] @@ -153,6 +166,7 @@ This release includes the following bugfixes: o schannel: check `schannel_sha256sum()` success, and more [165] o schannel: enforce Extended Key Usage for custom CA roots [29] o schannel: error on TLS 1.3-only with cipher list [136] + o schannel: fix https proxy for client cert and certinfo [280] o schannel: fix revoke_best_effort setting for proxy [70] o schannel: use fopen instead CreateFile [191] o schannel_verify: avoid out of blob access [11] 
@@ -169,14 +183,23 @@ This release includes the following bugfixes: o setopt: more careful cleanup of the HSTS cache [45] o show-headers.md: mention bold headers and --no-styled-output [17] o sigv4: URL encode the user name in the header [193] + o smb: integer overflow proof a size check [263] o smbserver: update internal id generation for Python 3 [238] + o socket: introduce `SOCK_EAGAIN()` and use it [278] + o socket: use name `sockerr` for socket error variables [271] + o socks_sspi: invalid response length is a fatal error [272] + o socks_sspi: store socks5_gssapi_enctype [262] o spnego_sspi: honor CURLOPT_GSSAPI_DELEGATION for Windows SSPI [89] o spnego_sspi: preserve distinction btw policy-only and uncond delegation [74] o src: fix comment typos [83] o ssl native_ca_store: always reinit [211] o SSLCERTS: document 8.19.0 default Native CA builds (Windows) [14] o sspi: clear SSPI credentials on AcquireCredentialsHandle failure [76] + o sspi: free libcurl allocated memory with curlx_free [274] + o telnet: drop an `int` cast no longer necessary [270] + o telnet: drop redundant interim variables [275] o telnet: fix error message typos [186] + o telnet: fix old copy-paste typo in variable name [281] o telnet: honor CURLOPT_TIMEOUT in send_telnet_data() [104] o test1588: use %TESTNUMBER, not hard-coded number [118] o test1981: explicitly set the locale [85] @@ -191,6 +214,7 @@ This release includes the following bugfixes: o tidy-up: drop stray casts for allocated pointers [174] o tidy-up: miscellaneous [106] o tls: fix incomplete mTLS config in conn reuse and session cache [108] + o tls: wolfssl: fixes for PQC key shares [239] o tool: warn when --ssl and --ftp-ssl-control override each other [129] o tool_formparse.c: fix two minor comment typos [25] o tool_formparse: polish error message + make two functions static [1] 
@@ -200,11 +224,13 @@ This release includes the following bugfixes: o tool_urlglob: avoid overflow at end of range [22] o tool_urlglob: better 'Duplicate glob name' position [82] o tool_urlglob: make globbing error reported for correct position [91] + o tool_writeout: fix %time{} output for %s [231] o transfer: clear referer when set to NULL [112] o unit1675: fix potential memory leak on dynbuf fail path [197] o unix-sockets: ignore proxy settings [6] o URL-SYNTAX: document more URL parsing details [134] o url: compare full origin when setting credentials [42] + o url: connection credentials origin [228] o url: connection reuse fixes for starttls [68] o url: detect proxy changes read from environment [110] o url: fix connection reuse for starttls protocols [27] @@ -225,6 +251,7 @@ This release includes the following bugfixes: o urlapi: URL decode hostname before IP address normalization [207] o user-agent.md: mention double quotes too [3] o var: use a dedicated pointer for the alloc [219] + o verify-release: verify more thoroughly with git [249] o vquic: drop stray casts for `iovec.iov_len` [162] o vtls: more large buffer support and error checks for SHA-256 [164] o vtls: use Curl_safecmp for CRLfile and pinned_key comparison [116] @@ -233,8 +260,10 @@ This release includes the following bugfixes: o VULN-DISCLOSURE-POLICY.md: emphasize comm as a human [180] o VULN-DISCLOSURE-POLICY.md: emphasize the no email thank you part [113] o VULN-DISCLOSURE-POLICY.md: test code is not secure [119] + o VULN-DISCLOSURE-POLICY: non-released code [253] o websockets: auto-tunnel through http proxy [102] o windows: update MS SDK versions in comments [60] + o winldap: avoid NULL pointer deref on `ldap_get_dn()` fail [242] o ws: make pong sending lazy [201] o x509asn1: fix DH public key parameter extraction [44] o x509asn1: fix operator order in do_pubkey [21] 
@@ -260,25 +289,29 @@ This release would not have looked like this without help, code, reports and advice from friends like these: 0xN3R3K3, 11soda11, Ady Elouej, A Johnston, Alan De Smet, alhudz, - ambikeesshh, amitbidlan, Andreas Falkenhahn, Andrei Rybak, Andrew Nesbitt, - Aritra Basu, azraelxuemo on hackerone, Bartel Sielski, Bastian Jesuiter, - BazaarAcc32 on github, Bill Mill, ByteRay on hackerone, chrizilla on github, - co-authors in libssh2, correctmost on github, Dan Fandrich, - Daniel Gustafsson, Daniel Stenberg, Dario Vinella, dependabot[bot], - dyingc on github, Earnestly on github, Elise Vance, Emanuel Krollmann, - Eunsoo Kim, evergarden1123 on hackerone, Fabian Keil, Gao Liyou, - Guancheng Li, Guannan Wang, Harry Sintonen, Hem Parekh, htasta, jeffhuang, - Jeremy Nicoll, Jiashuo Liang, Johannes Schlatow, Josef Cejka, Joshua Rogers, + alienowo on hackerone, ambikeesshh, amitbidlan, Andreas Falkenhahn, + Andrei Rybak, Andrew Nesbitt, Aritra Basu, azraelxuemo on hackerone, + Bartel Sielski, Bastian Jesuiter, BazaarAcc32 on github, Bill Mill, + ByteRay on hackerone, chrizilla on github, co-authors in libssh2, + correctmost on github, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, + Dario Vinella, Darren Banfi, Dave Walker, daviey on hackerone, + dependabot[bot], dyingc on github, Earnestly on github, Elise Vance, + Emanuel Krollmann, Eunsoo Kim, evergarden1123 on hackerone, Fabian Keil, + Filipe Casal, Gao Liyou, Guancheng Li, Guannan Wang, Harry Sintonen, + Hem Parekh, htasta, jeffhuang, Jeremy Nicoll, Jiashuo Liang, + jjchuck on hackerone, Johannes Schlatow, Josef Cejka, Joshua Rogers, Kai Pastor, Marcel Raad, Mark Esler, Max Dymond, mik, Mike-menny on github, - Muhamad Arga Reksapati, mulan_dh on hackerone, parasol-aser, penpal, - Peter Krefting, Philip H., Rainer Jung, Randall S. Becker, Raymond Steen, - Ray Satiro, renjian on hackerone, renovate[bot], Ross Burton, Sergio Correia, - sfan5 on github, Shintomon Mathew, Sollace on github, Song X. 
Gao, - sourceturner, Stefan Eissing, Tim Martin, tiymat, Trail of Bits, Vasiliy-Kkk, - vectorqueue on hackerone, vegagent on hackerone, Viktor Szakats, - violet12331 on hackerone, Will Cosgrove, Xi Ruoyao, x-xiang on github, + Muhamad Arga Reksapati, mulan_dh on hackerone, oreadvanthink on github, + parasol-aser, penpal, Peter Krefting, Philip H., Rainer Jung, + Randall S. Becker, Raymond Steen, Ray Satiro, renjian on hackerone, + renovate[bot], Ross Burton, Saud Alshareef, Sergio Correia, sfan5 on github, + Shintomon Mathew, Sollace on github, Song X. Gao, sourceturner, + Stefan Eissing, Tatsuhiro Tsujikawa, Tim Martin, tiymat, + Tobias Frauenschläger, Trail of Bits, Vasiliy-Kkk, vectorqueue on hackerone, + vegagent on hackerone, Viktor Szakats, violet12331 on hackerone, + Will Cosgrove, wulin-nudt on github, Xi Ruoyao, x-xiang on github, Yedaya Katsman, zhanhb on github, Zhanpeng Liu - (85 contributors) + (96 contributors) References to bug reports and discussions on issues: @@ -474,6 +507,7 @@ References to bug reports and discussions on issues: [192] = https://curl.se/bug/?i=21927 [193] = https://curl.se/bug/?i=21923 [195] = https://curl.se/bug/?i=21881 + [196] = https://curl.se/bug/?i=22052 [197] = https://curl.se/bug/?i=21922 [199] = https://curl.se/bug/?i=21914 [200] = https://curl.se/bug/?i=21910 
@@ -502,6 +536,34 @@ References to bug reports and discussions on issues: [224] = https://curl.se/bug/?i=21946 [225] = https://curl.se/bug/?i=21951 [226] = https://curl.se/bug/?i=21945 + [227] = https://curl.se/bug/?i=22048 + [228] = https://curl.se/bug/?i=22040 [230] = https://curl.se/bug/?i=21949 + [231] = https://curl.se/bug/?i=22038 [235] = https://curl.se/bug/?i=21944 + [236] = https://curl.se/bug/?i=22033 [238] = https://curl.se/bug/?i=21937 + [239] = https://curl.se/bug/?i=22030 + [242] = https://curl.se/bug/?i=22000 + [243] = https://curl.se/bug/?i=22017 + [245] = https://curl.se/bug/?i=22016 + [249] = https://curl.se/bug/?i=22018 + [253] = https://curl.se/bug/?i=22025 + [261] = https://curl.se/bug/?i=22013 + [262] = https://curl.se/bug/?i=22004 + [263] = https://curl.se/bug/?i=22001 + [269] = https://curl.se/bug/?i=22003 + [270] = https://curl.se/bug/?i=22002 + [271] = https://curl.se/bug/?i=21998 + [272] = https://curl.se/bug/?i=21999 + [273] = https://curl.se/bug/?i=21926 + [274] = https://curl.se/bug/?i=21990 + [275] = https://curl.se/bug/?i=21995 + [276] = https://curl.se/bug/?i=21967 + [277] = https://curl.se/bug/?i=21893 + [278] = https://curl.se/bug/?i=21992 + [279] = https://curl.se/bug/?i=21993 + [280] = https://curl.se/bug/?i=21986 + [281] = https://curl.se/bug/?i=21979 + [283] = https://curl.se/bug/?i=21989 + [286] = https://curl.se/bug/?i=21983
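
Review bot: In the hunk at @@ -54,6 +62,7 @@, the added entry "curl_formdata: fix to pass long where missing, document `CURLFORM_NAMELENGTH` [243]" is noticeably longer than every other entry visible in this diff, where long titles are shortened to fit on one line (compare "spnego_sspi: preserve distinction btw policy-only and uncond delegation [74]"). Suggest trimming the title so it matches the width of its neighbours.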
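
Review bot: In the hunk at @@ -110,11 +119,14 @@, the added line "lib: transfer origin and proxy handling [276]" names an area but not a fix: it has no verb, although it sits under "This release includes the following bugfixes". Someone scanning the notes to decide whether an origin or proxy handling fix affects their deployment has to open the reference to learn what changed. Suggest rewording it to say what was corrected, the way the other additions in the same hunk do ("ldap: base64 encode binary LDIF values with WinLDAP", "krb5_sspi: fix error message on `DecryptMessage()` fail").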
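
Review bot: In the hunk at @@ -200,11 +224,13 @@, the added "url: connection credentials origin [228]" lands directly below the existing "url: compare full origin when setting credentials [42]" and cannot be told apart from it by title, since it states neither what was wrong nor what the new behaviour is. For an entry about which origin connection credentials belong to, the distinction matters to anyone auditing the release. Suggest a title that says how [228] differs from [42].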
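
Review bot: In the hunk at @@ -233,8 +260,10 @@, the added "VULN-DISCLOSURE-POLICY: non-released code [253]" drops the ".md" suffix that the three context entries just above it use ("VULN-DISCLOSURE-POLICY.md: ..."), so a search for the file name misses it. The same hunk adds "winldap: avoid NULL pointer deref on `ldap_get_dn()` fail [242]" while the other WinLDAP entries in this diff are filed under the "ldap:" prefix ("ldap: base64 encode binary LDIF values with WinLDAP", "ldap: fix to not leak `attribute` on OOM (WinLDAP)"). Suggest using "VULN-DISCLOSURE-POLICY.md:" and "ldap:" so related entries sort and grep together.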
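
Review bot: In the hunk at @@ -260,25 +289,29 @@, the credits add "Dave Walker" and "daviey on hackerone" next to each other; please confirm these are two different people. The hunk adds eleven names and moves the total from 85 to 96, so the arithmetic is right only if every added name is a distinct contributor; if the two are the same person, one entry should go and the count should read 95.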