diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 14726d1213..6d2daeaf4e 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -4,8 +4,8 @@ curl and libcurl 8.21.0 Command line options: 274 curl_easy_setopt() options: 308 Public functions in libcurl: 100 - Authors: 1479 - Contributors: 3691 + Authors: 1481 + Contributors: 3696 This release includes the following changes: @@ -19,10 +19,12 @@ This release includes the following changes: This release includes the following bugfixes: o asyn-thrdd: fix result processing without wakeup socketpair [2] + o autotools: mbedtls detection fixes [163] o BUFQ.md: re-sync with source code [111] o build: omit zlib pkg-config reference for Android [130] o cf-h2-prox: fix peer leak [132] o cf-h2-proxy: drop interim responses [47] + o cf-socket: set scope_id for IPv6 link-local addresses [150] o cfilters: fix busy loop on blocked transfers [72] o CIPHERS.md: fix the example that uses only TLS 1.3 [137] o cmake: auto-select static nghttp2/nghttp3/ngtcp2 Config [8] 
@@ -32,21 +34,26 @@ This release includes the following bugfixes: o cmake: opt in `MSVC_VERSION` 1951 to picky warnings [55] o cmake: quote `COMPONENTS` string in `curl-config.in.cmake` [80] o connect: remove deref of freed pointer in trace call [128] + o content_encoding: fix limit failure message [171] + o content_encoding: timeout during slow decoding [170] o cookie: compare path case sensitively [52] o cookie: simplify strstore(), remove outdated comment [12] o cookie: trim trailing dots when checking PSL [39] o creds: add sasl service name [75] o creds: mask OAuth bearer token in trace logs [117] + o creds: remove two unused functions [158] o curl_easy_pause.md: rephrase the stream cache when pause clause [120] o curl_easy_setopt.md: change options when no transfer runs [122] o curl_ntlm_core: fix nettle 4+ builds in certain MultiSSL combos [87] o curl_ntlm_core: propagate DES `CryptEncrypt()` error [84] + o curl_sha512_256: fix result code on error [166] o CURLOPT_ECH.md: simplify the description language [18] o CURLOPT_HAPROXYPROTOCOL.md: only sent for newly setup connections [32] o CURLOPT_MAXFILESIZE: clarify this also works for on-going transfers [78] o CURLOPT_SHARE: warn about early remove [51] o CURLOPT_SSH_HOSTKEYFUNCTION.md: for new connections only [48] o delta: harden external command invocations [98] + o dnscache: remove Curl_dns_entry_link [160] o docs/libcurl: fix the version for curl_multi_socket_action o docs: end "...can be used several times..." sentences with period [34] o docs: fix --follow doc typo [97] 
@@ -65,7 +72,10 @@ This release includes the following bugfixes: o gsasl: fix potential double free [56] o gtls: fix ignored return and uninitialized status in OCSP check [49] o gtls: fix some typos [15] + o gtls: use the correct return code in trace output [173] + o h3-proxy: fix callback return values, and a typo in tests [139] o hostip: remove unused MAX_HOSTCACHE_LEN and MAX_DNS_CACHE_SIZE [101] + o http: don't pass on set cookies to new origins [140] o idn: replace header guards with forward declaration [100] o KNOWN_BUGS.md: remove fixed GnuTLS <-> OpenSSL incompat bug [41] o KNOWN_BUGS: remove stale Threads::Threads entry [135] @@ -77,6 +87,7 @@ This release includes the following bugfixes: o lib: two minor typos [16] o libcurl-easy.md: minor clarifications [19] o libssh: map SSH_KNOWN_HOSTS_OTHER to CURLKHMATCH_MISMATCH [125] + o m4: drop redundant conditions in TLS library detections [155] o managen: apply minor fixes and improvements [115] o mbedtls: null-terminate the private key blob [36] o mk-unity.pl: `#include`, and not concatenate input headers [124] @@ -85,11 +96,13 @@ This release includes the following bugfixes: o multi: silence gcc 16 `-Wnull-dereference`, bump CI job to test [54] o netrc: scanner refactor [121] o ngtcp2: fail handshake directly [138] + o pytest: re-enable test test_05_01 and test_05_02 for quiche 0.29.0+ [154] o pythonlint.sh: make it fail on error, fix ruff warnings in pytest [67] o rtsp: bump buf after rtsp_filter_rtp() [88] o runner.pm: apply minor correctness fix [105] o runner.pm: set `CURL_TESTNUM` for `precheck` commands [13] o rustls: error on CURLOPT_CRLFILE with native CA store [59] + o schannel: check `schannel_sha256sum()` success, and more [165] o schannel: enforce Extended Key Usage for custom CA roots [29] o schannel: error on TLS 1.3-only with cipher list [136] o schannel: fix revoke_best_effort setting for proxy [70] 
@@ -101,8 +114,8 @@ This release includes the following bugfixes: o setopt: gate a few proxy TLS options by checking backend support [35] o setopt: more careful cleanup of the HSTS cache [45] o show-headers.md: mention bold headers and --no-styled-output [17] - o spnego_sspi: preserve distinction btw policy-only and uncond delegation [74] o spnego_sspi: honor CURLOPT_GSSAPI_DELEGATION for Windows SSPI [89] + o spnego_sspi: preserve distinction btw policy-only and uncond delegation [74] o src: fix comment typos [83] o SSLCERTS: document 8.19.0 default Native CA builds (Windows) [14] o sspi: clear SSPI credentials on AcquireCredentialsHandle failure [76] @@ -110,9 +123,13 @@ This release includes the following bugfixes: o test1981: explicitly set the locale [85] o tests: add an assert to avoid IPC blocking [69] o tests: fix unit1636 with --disable-progress-meter [37] + o tftp: avoid the timeout calc if the timeout is crazy [151] o tftp: stricter option name checks [90] + o tidy-up: add space around operators, where missing [147] + o tidy-up: apply clang-format fixes [153] o tidy-up: miscellaneous [106] o tls: fix incomplete mTLS config in conn reuse and session cache [108] + o tool: add a retry delay for transfers to same origin on 429 [61] o tool_formparse.c: fix two minor comment typos [25] o tool_formparse: polish error message + make two functions static [1] o tool_formparse: tool2curlparts is no longer recursive [33] 
@@ -122,21 +139,28 @@ This release includes the following bugfixes: o transfer: clear referer when set to NULL [112] o unix-sockets: ignore proxy settings [6] o url: compare full origin when setting credentials [42] + o url: connection reuse fixes for starttls [68] o url: detect proxy changes read from environment [110] o url: fix connection reuse for starttls protocols [27] o url: keep the question mark for empty queries [73] o url: remove ssh_config_matches [31] o url: remove superfluous check [131] o url: url_match_destination fix [43] + o urlapi: accept 0X prefix in IPv4 address as well [63] o urlapi: change more lowercase percent-encoded to uppercase [71] o urlapi: compare zone-id in Curl_url_same_origin() [95] o urlapi: consume trailing dots after IPv4 numerical addresses [50] o urlapi: deny hostnames with more than one trailing dot [58] + o urlapi: drop base fragment on empty redirect [64] + o urlapi: fix an issue parsing file URLs [149] o urlapi: fix redirect handling if CURLU_NO_GUESS_SCHEME is set [46] + o urlapi: forbid '|' in host [172] o urlapi: handle redirect without set scheme with default-scheme [38] o user-agent.md: mention double quotes too [3] + o vtls: more large buffer support and error checks for SHA-256 [164] o vtls: use Curl_safecmp for CRLfile and pinned_key comparison [116] o vtls_scache: include signature_algorithms in the SSL peer cache key [123] + o vtls_spack: drop redundant macro fallbacks [167] o VULN-DISCLOSURE-POLICY.md: emphasize the no email thank you part [113] o VULN-DISCLOSURE-POLICY.md: test code is not secure [119] o websockets: auto-tunnel through http proxy [102] 
@@ -164,17 +188,19 @@ Planned upcoming removals include: This release would not have looked like this without help, code, reports and advice from friends like these: - 0xN3R3K3, 11soda11, Alan De Smet, amitbidlan, Andrei Rybak, Andrew Nesbitt, - Aritra Basu, Bastian Jesuiter, Bill Mill, chrizilla on github, - co-authors in libssh2, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, - Dario Vinella, dependabot[bot], Earnestly on github, Elise Vance, - Emanuel Krollmann, Fabian Keil, Harry Sintonen, jeffhuang, Jeremy Nicoll, + 0xN3R3K3, 11soda11, Alan De Smet, ambikeesshh, amitbidlan, Andrei Rybak, + Andrew Nesbitt, Aritra Basu, azraelxuemo on hackerone, Bartel Sielski, + Bastian Jesuiter, Bill Mill, chrizilla on github, co-authors in libssh2, + Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, Dario Vinella, + dependabot[bot], Earnestly on github, Elise Vance, Emanuel Krollmann, + Fabian Keil, Harry Sintonen, htasta, jeffhuang, Jeremy Nicoll, Johannes Schlatow, Joshua Rogers, Kai Pastor, Mark Esler, Max Dymond, mik, - mulan_dh on hackerone, parasol-aser, penpal, Peter Krefting, Raymond Steen, - Ray Satiro, renovate[bot], Sergio Correia, sfan5 on github, Shintomon Mathew, - Sollace on github, Song X. Gao, Stefan Eissing, Tim Martin, Viktor Szakats, + Mike-menny on github, mulan_dh on hackerone, parasol-aser, penpal, + Peter Krefting, Raymond Steen, Ray Satiro, renovate[bot], Ross Burton, + Sergio Correia, sfan5 on github, Shintomon Mathew, Sollace on github, + Song X. Gao, Stefan Eissing, Tim Martin, tiymat, Viktor Szakats, Will Cosgrove, Xi Ruoyao, x-xiang on github - (47 contributors) + (54 contributors) References to bug reports and discussions on issues: 
@@ -238,10 +264,14 @@ References to bug reports and discussions on issues: [58] = https://curl.se/bug/?i=21622 [59] = https://curl.se/bug/?i=21614 [60] = https://curl.se/bug/?i=21621 + [61] = https://curl.se/bug/?i=21355 [62] = https://curl.se/bug/?i=21617 + [63] = https://curl.se/bug/?i=21820 + [64] = https://curl.se/bug/?i=21745 [65] = https://curl.se/bug/?i=21682 [66] = https://curl.se/bug/?i=21593 [67] = https://curl.se/bug/?i=21597 + [68] = https://curl.se/bug/?i=21665 [69] = https://curl.se/bug/?i=21688 [70] = https://curl.se/bug/?i=21683 [71] = https://curl.se/bug/?i=21592 @@ -307,3 +337,23 @@ References to bug reports and discussions on issues: [136] = https://curl.se/bug/?i=21702 [137] = https://curl.se/bug/?i=21719 [138] = https://curl.se/bug/?i=21712 + [139] = https://curl.se/bug/?i=21802 + [140] = https://curl.se/bug/?i=21794 + [147] = https://curl.se/bug/?i=21793 + [149] = https://curl.se/bug/?i=21743 + [150] = https://curl.se/bug/?i=21669 + [151] = https://curl.se/bug/?i=21782 + [153] = https://curl.se/bug/?i=21786 + [154] = https://curl.se/bug/?i=21784 + [155] = https://curl.se/bug/?i=21781 + [158] = https://curl.se/bug/?i=21776 + [160] = https://curl.se/bug/?i=21774 + [163] = https://curl.se/bug/?i=21727 + [164] = https://curl.se/bug/?i=21771 + [165] = https://curl.se/bug/?i=21739 + [166] = https://curl.se/bug/?i=21767 + [167] = https://curl.se/bug/?i=21768 + [170] = https://curl.se/bug/?i=21603 + [171] = https://curl.se/bug/?i=21756 + [172] = https://curl.se/bug/?i=21762 + [173] = https://curl.se/bug/?i=21766
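Review bot: In the hunk at @@ -19,10 +19,12 @@, the context entry "o cf-h2-prox: fix peer leak [132]" has a component prefix that looks cut short next to "o cf-h2-proxy: drop interim responses [47]" on the following line. Since this hunk already edits the lines around it, consider spelling it "cf-h2-proxy:" so both entries sit under one component name and a search for the component finds both.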
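Review bot: In the hunk at @@ -32,21 +34,26 @@, the added entry "o content_encoding: timeout during slow decoding [170]" has no verb, so it does not say whether a timeout is now enforced during slow decoding or whether a spurious timeout was removed. Every neighbouring entry names the action ("fix", "remove", "mask"); suggest rewording along the lines of "content_encoding: honor the timeout during slow decoding", or whichever direction [170] actually takes.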
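Review bot: In the hunk at @@ -65,7 +72,10 @@, the added entry "o http: don't pass on set cookies to new origins [140]" is ambiguous about which cookies it covers: "set cookies" can be read as cookies the application set on the handle or as cookies received in Set-Cookie headers. The entry describes what is sent across an origin change, so readers triaging this release for security impact need the exact scope; suggest naming the source of the cookies explicitly in the line.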
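Review bot: In the hunk at @@ -85,11 +96,13 @@, the added entry "o pytest: re-enable test test_05_01 and test_05_02 for quiche 0.29.0+ [154]" repeats "test" before the first test name. Suggest "pytest: re-enable test_05_01 and test_05_02 for quiche 0.29.0+".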
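Review bot: In the hunk at @@ -110,9 +123,13 @@, the added entry "o tftp: avoid the timeout calc if the timeout is crazy [151]" does not state the condition being checked; "crazy" gives a reader no idea which timeout values now skip the calculation. Suggest replacing it with the actual criterion (for example "out of range" or "too large", whichever [151] implements), matching the precision of the adjacent "tftp: stricter option name checks [90]".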
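Review bot: In the hunk at @@ -122,21 +139,28 @@, the added "o url: connection reuse fixes for starttls [68]" is nearly indistinguishable from the existing "o url: fix connection reuse for starttls protocols [27]" two lines below it. A reader scanning the list cannot tell that these are separate fixes or what each one covers; suggest wording [68] so it names what differs from [27], or noting it as a follow-up to [27].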
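Review bot: In the hunk at @@ -164,17 +188,19 @@, the thank-you list gains seven names (ambikeesshh, azraelxuemo on hackerone, Bartel Sielski, htasta, Mike-menny on github, Ross Burton, tiymat) and the per-release count moves from 47 to 54 accordingly, but the header hunk at @@ -4,8 +4,8 @@ raises the overall "Contributors" total only from 3691 to 3696. That is consistent only if two of the seven were already counted in earlier releases; worth confirming, and bumping the header total if not.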