@dependabot dependabot bot commented on behalf of github Jun 24, 2024

Bumps the backend group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/aquasecurity/trivy | 0.47.0 | 0.52.2 |
| github.com/go-chi/chi/v5 | 5.0.10 | 5.0.14 |
| github.com/gorilla/feeds | 1.1.2 | 1.2.0 |
| github.com/jackc/pgconn | 1.14.1 | 1.14.3 |
| github.com/jackc/pgx/v4 | 4.18.1 | 4.18.3 |
| github.com/operator-framework/api | 0.19.0 | 0.26.0 |
| github.com/rs/cors | 1.10.1 | 1.11.0 |
| github.com/rs/zerolog | 1.31.0 | 1.33.0 |
| github.com/spf13/cobra | 1.8.0 | 1.8.1 |
| github.com/tektoncd/pipeline | 0.53.0 | 0.60.2 |
| github.com/unrolled/secure | 1.13.0 | 1.14.0 |

Updates github.com/aquasecurity/trivy from 0.47.0 to 0.52.2

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.52.2

Changelog

  • 8709d4f9c release: v0.52.2 [release/v0.52] (#6896)
  • a4b8ad767 ci: use ubuntu-latest-m runner [backport: release/v0.52] (#6933)
  • 2b711bc26 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 [backport: release/v0.52] (#6919)
  • 191d31ef8 test: bump docker API to 1.45 [backport: release/v0.52] (#6922)
  • 3f5874c8a ci: bump github.com/goreleaser/goreleaser to v2.0.0 [backport: release/v0.52] (#6893)
  • 8f8c76a2a fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)

v0.52.1

Changelog

  • a3caf0658 release: v0.52.1 [release/v0.52] (#6877)
  • 01dbb42ae fix(nodejs): fix infinite loop when package link from package-lock.json file is broken [backport: release/v0.52] (#6888)
  • f186d22bf fix(sbom): don't overwrite srcEpoch when decoding SBOM files [backport: release/v0.52] (#6881)
  • 093c0ae02 fix(python): compare pkg names from poetry.lock and pyproject.toml in lowercase [backport: release/v0.52] (#6878)
  • 6bfda7602 Merge pull request #6879 from aquasecurity/backport-pr-6864-to-release/v0.52
  • 53850c8b2 docs: explain how VEX is applied (#6864)
  • 221196202 Merge pull request #6875 from aquasecurity/backport-pr-6857-to-release/v0.52
  • a614b693d fix(nodejs): fix infinity loops for pnpm with cyclic imports (#6857)

v0.52.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#6838

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03

v0.51.4

Changelog

  • c06f467e6 chore: downgrade trivy-checks and trivy-aws
  • df4f7604a build: use main package instead of main.go (#6766)
  • bf7a8ede3 chore(deps): bump the common group across 1 directory with 29 updates (#6756)
  • acb22c60a chore(deps): bump the aws group with 8 updates (#6738)
  • 9a3510ffd chore(deps): bump the docker group with 2 updates (#6739)
  • 7806b37e2 ci: add generic dir to deb deploy script (#6636)

v0.51.2

Changelog

  • eadc6fb64 fix: node-collector high and critical cves (#6707)
  • cc489b1af Merge pull request from GHSA-xcq4-m2r3-cmrj
  • 013f71a6a chore: auto-bump golang patch versions (#6711)
  • 113a5b216 fix(misconf): don't shift ignore rule related to code (#6708)
  • 733e5ac1f fix(go): include only .version|.ver (no prefixes) ldflags for gobinaries (#6705)
  • d311e49bc fix(go): add only non-empty root modules for gobinaries (#6710)
  • cf1a7bf30 refactor: unify package addition and vulnerability scanning (#6579)
  • d465d9d1e fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
  • 0af225ccf fix(conda): add support pip deps for environment.yml files (#6675)
  • 6f64d5518 fix(misconf): skip Rego errors with a nil location (#6666)
  • 8c27430a2 fix(misconf): skip Rego errors with a nil location (#6638)

... (truncated)

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.52.2 (2024-06-14)

Bug Fixes

  • debian: take installed files from the origin layer [backport: release/v0.52] (#6892) (8f8c76a)

0.52.1 (2024-06-10)

Bug Fixes

  • nodejs: fix infinite loop when package link from package-lock.json file is broken [backport: release/v0.52] (#6888) (01dbb42)
  • nodejs: fix infinity loops for pnpm with cyclic imports (#6857) (a614b69)
  • python: compare pkg names from poetry.lock and pyproject.toml in lowercase [backport: release/v0.52] (#6878) (093c0ae)
  • sbom: don't overwrite srcEpoch when decoding SBOM files [backport: release/v0.52] (#6881) (f186d22)

0.52.0 (2024-06-03)

Features

  • Add Julia language analyzer support (#5635) (fecafb1)
  • add support for plugin index (#6674) (26faf8f)
  • misconf: Add support for deprecating a check (#6664) (88702cf)
  • misconf: add Terraform 'removed' block to schema (#6640) (b7a0a13)
  • misconf: register builtin Rego funcs from trivy-checks (#6616) (7c22ee3)
  • misconf: resolve tf module from OpenTofu compatible registry (#6743) (ac74520)
  • misconf: support for VPC resources for inbound/outbound rules (#6779) (349caf9)
  • misconf: support symlinks inside of Helm archives (#6621) (4eae37c)
  • nodejs: add v9 pnpm lock file support (#6617) (1e08648)
  • plugin: specify plugin version (#6683) (d6dc567)
  • python: add license support for requirement.txt files (#6782) (29615be)
  • python: add line number support for requirement.txt files (#6729) (2bc54ad)
  • report: Include licenses and secrets filtered by rego to ModifiedFindings (#6483) (fa3cf99)
  • vex: improve relationship support in CSAF VEX (#6735) (a447f6b)
  • vex: support non-root components for products in OpenVEX (#6728) (9515695)

Bug Fixes

... (truncated)

Commits
  • 8709d4f release: v0.52.2 [release/v0.52] (#6896)
  • a4b8ad7 ci: use ubuntu-latest-m runner [backport: release/v0.52] (#6933)
  • 2b711bc chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2...
  • 191d31e test: bump docker API to 1.45 [backport: release/v0.52] (#6922)
  • 3f5874c ci: bump github.com/goreleaser/goreleaser to v2.0.0 [backport: release/v0...
  • 8f8c76a fix(debian): take installed files from the origin layer [backport: release/v0...
  • a3caf06 release: v0.52.1 [release/v0.52] (#6877)
  • 01dbb42 fix(nodejs): fix infinite loop when package link from package-lock.json fil...
  • f186d22 fix(sbom): don't overwrite srcEpoch when decoding SBOM files [backport: rel...
  • 093c0ae fix(python): compare pkg names from poetry.lock and pyproject.toml in low...
  • Additional commits viewable in compare view

Updates github.com/go-chi/chi/v5 from 5.0.10 to 5.0.14

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.0.14

What's Changed

New Contributors

Full Changelog: go-chi/chi@v5.0.12...v5.0.14

v5.0.13

What's Changed

New Contributors

Full Changelog: go-chi/chi@v5.0.12...v5.0.13

v5.0.12

Hi everyone, thank you to all contributors + reviewers.

We present chi v5.0.12 which includes support for the new Go 1.22 mux routing features :)

Specifically, this release adds support for:

  • Routing methods r.Handle("GET /users/{userID}", handler) and similarly in r.HandlerFunc with a very simple addition to chi, thank you @​Spartan09 and @​angelofallars for their work on the PRs to add support (go-chi/chi#897, go-chi/chi#901)
  • Access url path parameters via request.PathValue("xyz") and request.PathValue("*") on *http.Request when using the chi router in Go 1.22+. Of course you may also use chi.URLParam(r, "xyz") and chi.URLParam(r, "*") – these are all equivalent now in Go 1.22+. Thank you @​angelofallars for the PR (go-chi/chi#901)
  • For full list of changes, see go-chi/chi@v5.0.11...v5.0.12

v5.0.11

Thank you again to all contributors and reviewers :)

  • docs updates
  • go 1.21 in ci
  • typos in comments
  • middleware: Sunset, middleware which can be used to deprecate an endpoint (go-chi/chi#844)
  • middleware: use original expvar handler for profiler middleware (go-chi/chi#848)
  • updated _examples/httplog to use "log/slog" in go 1.21+
  • middleware: new SuppressNotFound
  • ensure to reset methodsAllowed between requests (go-chi/chi@9dd8b4a)

... (truncated)

Changelog

Sourced from github.com/go-chi/chi/v5's changelog.

Changelog

v5.0.12 (2024-02-16)

v5.0.11 (2023-12-19)

Commits
  • 7957c0d Revert "fix(middleware): Close created writer in the compressor middleware (#...
  • f728a1c docs: Update stale links in docs for contributing (#904)
  • f10dc4a fix(middleware): Close created writer in the compressor middleware (#919)
  • ef31c0b reduce context struct size from 216 bytes to 208 bytes (#912)
  • c1f2a7a middleware: fix typo in RealIP doc (#903)
  • 1191921 v5.0.12
  • ec67a86 go 1.22, PathValue wildcard test
  • fd0ff0e feat(mux): add 1.22-style path value support (#901)
  • 60b4f5f feat: update HTTP method parsing in patterns for Handle and HandleFunc (#...
  • 9436cc8 go 1.22 ci (#898)
  • Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.10.0 to 5.12.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.12.0

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.11.0...v5.12.0

v5.11.0

What's Changed

... (truncated)

Commits
  • 302ddde Merge pull request #1060 from go-git/dependabot/go_modules/github.com/gliderl...
  • 6bba34d build: bump github.com/gliderlabs/ssh from 0.3.6 to 0.3.7
  • feaeb36 Merge pull request #937 from matejrisek/feature/rename-short-fields
  • 7959a42 Merge pull request #1052 from go-git/dependabot/go_modules/github.com/skeema/...
  • 4c17ce7 build: bump github.com/skeema/knownhosts from 1.2.1 to 1.2.2
  • 3f77e6f Merge pull request #1048 from pjbgf/fix-reset-validation
  • 6af38e0 Merge pull request #1047 from avoidalone/master
  • e6c3e58 Merge pull request #1044 from pjbgf/ff-merge
  • 04f7b23 *: fix some comments
  • f4f1a87 Merge pull request #971 from nodivbyzero/fix-177-diff-print-file-stats
  • Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.16.1 to 0.19.1

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.19.1

What's Changed

Full Changelog: google/go-containerregistry@v0.19.0...v0.19.1

v0.19.0

What's Changed

Full Changelog: google/go-containerregistry@v0.18.0...v0.19.0

v0.18.0

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.17.0...v0.18.0

v0.17.0

What's Changed

Full Changelog: google/go-containerregistry@v0.16.1...v0.17.0

Commits

Updates github.com/gorilla/feeds from 1.1.2 to 1.2.0

Release notes

Sourced from github.com/gorilla/feeds's releases.

v1.2.0

What's Changed

New Contributors

Full Changelog: gorilla/feeds@v1.1.2...v1.2.0

Commits

Updates github.com/jackc/pgconn from 1.14.1 to 1.14.3

Changelog

Sourced from github.com/jackc/pgconn's changelog.

1.14.3 (March 4, 2024)

  • Update golang.org/x/crypto and golang.org/x/text

1.14.2 (March 4, 2024)

  • Fix CVE-2024-27304. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Commits

Updates github.com/jackc/pgx/v4 from 4.18.1 to 4.18.3

Changelog

Sourced from github.com/jackc/pgx/v4's changelog.

4.18.3 (March 9, 2024)

Use spaces instead of parentheses for SQL sanitization.

This still solves the problem of negative numbers creating a line comment, but this avoids breaking edge cases such as set foo to $1 where the substitution is taking place in a location where an arbitrary expression is not allowed.

4.18.2 (March 4, 2024)

Fix CVE-2024-27289

SQL injection can occur when all of the following conditions are met:

  1. The non-default simple protocol is used.
  2. A placeholder for a numeric value must be immediately preceded by a minus.
  3. There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
  4. Both parameter values must be user-controlled.

Thanks to Paul Gerste for reporting this issue.

Fix CVE-2024-27304

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Thanks to Paul Gerste for reporting this issue.

  • Fix *dbTx.Exec not checking if it is already closed

Commits
  • 8f05c47 Update changelog
  • 69fcb46 Use spaces instead of parentheses for SQL sanitization.
  • 14690df Update changelog
  • 779548e Update required Go version to 1.17
  • 80e9662 Update github.com/jackc/pgconn to v1.14.3
  • 0bf9ac3 Fix erroneous test case
  • f94eb0e Always wrap arguments in parentheses in the SQL sanitizer
  • 826a892 Fix SQL injection via line comment creation in simple protocol
  • 7d882f9 Fix *dbTx.Exec not checking if it is already closed
  • 1d07b8b go mod tidy
  • See full diff in compare view

Updates github.com/open-policy-agent/opa from 0.58.0 to 0.64.1

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.64.1

This is a bug fix release addressing the following issues:

  • ci: Pin GitHub Actions macos runner version. The architecture of the GitHub Actions Runner macos-latest was changed from amd64 to arm64 and as a result darwin/amd64 binary wasn't released (#6720) authored by @​suzuki-shunsuke
  • plugins/discovery: Update comparison logic used in the discovery plugin for handling overrides. This fixes a panic that resulted from the comparison of uncomparable types (#6723) authored by @​ashutosh-narkar

v0.64.0

NOTES:

  • The minimum version of Go required to build the OPA module is 1.21

This release contains a mix of features, a new builtin function (json.marshal_with_options()), performance improvements, and bugfixes.

Breaking Change

Bootstrap configuration overrides Discovered configuration

Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides.

In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the labels section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as default_decision, default_authorization_decision, nd_builtin_cache, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. (#5722) authored by @​ashutosh-narkar

Add rego_version attribute to the bundle manifest

A new global rego_version attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (v0/v1) to use while parsing/compiling contained Rego files. There is also a new file_rego_versions attribute which allows individual files to override the global Rego version specified by rego_version.

When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the --v1-compatible (or future --v0-compatible) flag in order to correctly parse, compile and evaluate the bundle's modules.

A bundle's rego_version attribute takes precedence over any applied --v1-compatible/--v0-compatible flag. (#6578) authored by @​johanfylling

Runtime, Tooling, SDK

  • compile: Fix panic from CLI + metadata entrypoint overlaps. The panic occurs when opa build was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#6661) authored by @​philipaconrad
  • cmd/deps: Improve memory footprint and execution time of deps command for policies with high dependency connectivity (#6685) authored by @​johanfylling
  • server: Keep default decision path in-sync with manager's config (#6697) authored by @​ashutosh-narkar
  • server: Remove unnecessary AST-to-JSON conversions (#6665) and (#6669) authored by @​koponen-styra
  • sdk: Allow customizations of the plugin manager via SDK (#6662) authored by @​xico42
  • sdk: Fix issue where active parser options aren't propagated to module reload during bundle activation resulting in errors while activating bundles with v1 syntax (#6689) authored by @​xico42

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.64.1

This is a bug fix release addressing the following issues:

  • ci: Pin GitHub Actions macos runner version. The architecture of the GitHub Actions Runner macos-latest was changed from amd64 to arm64 and as a result darwin/amd64 binary wasn't released (#6720) authored by @​suzuki-shunsuke
  • plugins/discovery: Update comparison logic used in the discovery plugin for handling overrides. This fixes a panic that resulted from the comparison of uncomparable types (#6723) authored by @​ashutosh-narkar

0.64.0

NOTES:

  • The minimum version of Go required to build the OPA module is 1.21

This release contains a mix of features, a new builtin function (json.marshal_with_options()), performance improvements, and bugfixes.

Breaking Change

Bootstrap configuration overrides Discovered configuration

Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides.

In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the labels section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as default_decision, default_authorization_decision, nd_builtin_cache, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. (#5722) authored by @​ashutosh-narkar

Add rego_version attribute to the bundle manifest

A new global rego_version attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (v0/v1) to use while parsing/compiling contained Rego files. There is also a new file_rego_versions attribute which allows individual files to override the global Rego version specified by rego_version.

When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the --v1-compatible (or future --v0-compatible) flag in order to correctly parse, compile and evaluate the bundle's modules.

A bundle's rego_version attribute takes precedence over any applied --v1-compatible/--v0-compatible flag. (#6578) authored by @​johanfylling

Runtime, Tooling, SDK

  • compile: Fix panic from CLI + metadata entrypoint overlaps. The panic occurs when opa build was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#6661) authored by @​philipaconrad
  • cmd/deps: Improve memory footprint and execution time of deps command for policies with high dependency connectivity (#6685) authored by @​johanfylling
  • server: Keep default decision path in-sync with manager's config (#6697) authored by @​ashutosh-narkar
  • server: Remove unnecessary AST-to-JSON conversions (#6665) and (#6669) authored by @​koponen-styra
  • sdk: Allow customizations of the plugin manager via SDK (#6662) authored by @​xico42

... (truncated)

Commits
  • 298f97d Prepare v0.64.1 release
  • faf6382 ci: pin GitHub Actions macos runner version and build for darwin/amd64

Bumps the backend group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) | `0.47.0` | `0.52.2` |
| [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) | `5.0.10` | `5.0.14` |
| [github.com/gorilla/feeds](https://github.com/gorilla/feeds) | `1.1.2` | `1.2.0` |
| [github.com/jackc/pgconn](https://github.com/jackc/pgconn) | `1.14.1` | `1.14.3` |
| [github.com/jackc/pgx/v4](https://github.com/jackc/pgx) | `4.18.1` | `4.18.3` |
| [github.com/operator-framework/api](https://github.com/operator-framework/api) | `0.19.0` | `0.26.0` |
| [github.com/rs/cors](https://github.com/rs/cors) | `1.10.1` | `1.11.0` |
| [github.com/rs/zerolog](https://github.com/rs/zerolog) | `1.31.0` | `1.33.0` |
| [github.com/spf13/cobra](https://github.com/spf13/cobra) | `1.8.0` | `1.8.1` |
| [github.com/tektoncd/pipeline](https://github.com/tektoncd/pipeline) | `0.53.0` | `0.60.2` |
| [github.com/unrolled/secure](https://github.com/unrolled/secure) | `1.13.0` | `1.14.0` |



Updates `github.com/aquasecurity/trivy` from 0.47.0 to 0.52.2
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/v0.52.2/CHANGELOG.md)
- [Commits](aquasecurity/trivy@v0.47.0...v0.52.2)

Updates `github.com/go-chi/chi/v5` from 5.0.10 to 5.0.14
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.0.10...v5.0.14)

Updates `github.com/go-git/go-git/v5` from 5.10.0 to 5.12.0
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.10.0...v5.12.0)

Updates `github.com/google/go-containerregistry` from 0.16.1 to 0.19.1
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.16.1...v0.19.1)

Updates `github.com/gorilla/feeds` from 1.1.2 to 1.2.0
- [Release notes](https://github.com/gorilla/feeds/releases)
- [Commits](gorilla/feeds@v1.1.2...v1.2.0)

Updates `github.com/jackc/pgconn` from 1.14.1 to 1.14.3
- [Changelog](https://github.com/jackc/pgconn/blob/master/CHANGELOG.md)
- [Commits](jackc/pgconn@v1.14.1...v1.14.3)

Updates `github.com/jackc/pgx/v4` from 4.18.1 to 4.18.3
- [Changelog](https://github.com/jackc/pgx/blob/v4.18.3/CHANGELOG.md)
- [Commits](jackc/pgx@v4.18.1...v4.18.3)

Updates `github.com/open-policy-agent/opa` from 0.58.0 to 0.64.1
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.58.0...v0.64.1)

Updates `github.com/opencontainers/image-spec` from 1.1.0-rc5 to 1.1.0
- [Release notes](https://github.com/opencontainers/image-spec/releases)
- [Changelog](https://github.com/opencontainers/image-spec/blob/main/RELEASES.md)
- [Commits](opencontainers/image-spec@v1.1.0-rc5...v1.1.0)

Updates `github.com/operator-framework/api` from 0.19.0 to 0.26.0
- [Release notes](https://github.com/operator-framework/api/releases)
- [Changelog](https://github.com/operator-framework/api/blob/master/RELEASE.md)
- [Commits](operator-framework/api@v0.19.0...v0.26.0)

Updates `github.com/prometheus/client_golang` from 1.17.0 to 1.19.0
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.17.0...v1.19.0)

Updates `github.com/rs/cors` from 1.10.1 to 1.11.0
- [Commits](rs/cors@v1.10.1...v1.11.0)

Updates `github.com/rs/zerolog` from 1.31.0 to 1.33.0
- [Commits](rs/zerolog@v1.31.0...v1.33.0)

Updates `github.com/sigstore/cosign` from 1.13.1 to 1.5.2
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v1.13.1...v1.5.2)

Updates `github.com/spf13/cobra` from 1.8.0 to 1.8.1
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.8.0...v1.8.1)

Updates `github.com/spf13/viper` from 1.17.0 to 1.18.2
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](spf13/viper@v1.17.0...v1.18.2)

Updates `github.com/stretchr/testify` from 1.8.4 to 1.9.0
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.8.4...v1.9.0)

Updates `github.com/tektoncd/pipeline` from 0.53.0 to 0.60.2
- [Release notes](https://github.com/tektoncd/pipeline/releases)
- [Changelog](https://github.com/tektoncd/pipeline/blob/main/releases.md)
- [Commits](tektoncd/pipeline@v0.53.0...v0.60.2)

Updates `github.com/unrolled/secure` from 1.13.0 to 1.14.0
- [Release notes](https://github.com/unrolled/secure/releases)
- [Commits](unrolled/secure@v1.13.0...v1.14.0)

Updates `golang.org/x/crypto` from 0.15.0 to 0.24.0
- [Commits](golang/crypto@v0.15.0...v0.24.0)

Updates `golang.org/x/oauth2` from 0.14.0 to 0.20.0
- [Commits](golang/oauth2@v0.14.0...v0.20.0)

Updates `golang.org/x/text` from 0.14.0 to 0.16.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.14.0...v0.16.0)

Updates `google.golang.org/api` from 0.150.0 to 0.172.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.150.0...v0.172.0)

Updates `helm.sh/helm/v3` from 3.13.2 to 3.15.1
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.13.2...v3.15.1)

Updates `oras.land/oras-go` from 1.2.4 to 1.2.5
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](oras-project/oras-go@v1.2.4...v1.2.5)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/go-chi/chi/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/gorilla/feeds
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/jackc/pgconn
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: github.com/jackc/pgx/v4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/opencontainers/image-spec
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: github.com/operator-framework/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/rs/cors
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/rs/zerolog
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/sigstore/cosign
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/tektoncd/pipeline
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/unrolled/secure
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: helm.sh/helm/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: oras.land/oras-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels Jun 24, 2024