Sourced fromgithub.com/open-policy-agent/opa's releases.

v0.58.0

NOTES:

• All published OPA images now run with a non-root uid/gid. Theuid:gid is set to1000:1000 for all images. As a resultthere is no longer a need for the-rootless image variant and hence it will not be published as part of future releases.This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,either with the--user argument fordocker run, or by specifying thesecurityContext in the Kubernetes Pod specification.

This release contains a mix of performance improvements, bugfixes and security fixes for third-party libraries.

Runtime, Tooling, SDK

• cmd/test: Display lines not covered if code coverage threshold not met in verbose reporting mode (#2562) authored by@​johanfylling
• cmd/test: Don't round up test coverage calculation as it could lead to inaccurate code coverage results (#6307) authored by@​anderseknert
• cmd/fmt: Don't format functions without a value to include= true as it is implied (#6323) authored by@​anderseknert
• server: Remove deprecated partial query parameter from REST API. This option has been deprecated sincev0.23.0 (#2266) authored by@​ashutosh-narkar
• Add support for configurable prometheus buckets for thehttp_request_duration_seconds metric (#6238) authored by@​AdrianArnautu
• plugins/bundle: Update bundle plugin state on a reconfigure operation when existing bundle is not modified (#6311) authored by@​asadk12
• internal/pathwatcher: Fix how paths to watch by a fsnotify watcher are determined to avoid monitoring unintended directories and files (#6277) authored by@​ashutosh-narkar

Topdown and Rego

• topdown: Fix issue with build optimization producing support modules with forbidden characters in first var of rule ref (#6338) authored by@​johanfylling
• topdown: Fix panic in build optimization when policy contains rules with a general ref in the head (#6339) authored by@​johanfylling
• topdown: Avoid unnecessary conversion of small numbers by caching them and thereby helping to speed up some arithmetic operations (#6021) authored by@​ashutosh-narkar
• ast+rego: Disable compiler stages for IR-based eval paths (#6335) authored by@​srenatus
• built-in/walk: Skip path creation if path is assigned a wildcard to achieve fasterwalk-ing (#6267) authored by@​anderseknert
• ast: Add regression test for edge case where partial rule hides recursion cycle (#6318) authored by@​johanfylling

Docs

• Drop EXPERIMENTAL status of reported prom metrics (#6298) authored by@​ashutosh-narkar
• Update documentation on GCS bundles for case where the resource (the object in the GCS bucket) contains slashes (/) or other special characters (#6264) authored by@​dennisg
• Provide a more clear description of negation in the policy language section (#6275) authored by@​gusega

Website + Ecosystem

• Fix un-versioned built-in docs issue so that only the built-ins for a given doc version are displayed (#6269) authored by@​charlieegan3

Miscellaneous

• ci: Removehub tool in GitHub workflows in favor ofGitHub CLI tool (#6326) authored by@​ashutosh-narkar
• Dependency updates; notably:
  • bump go.opentelemetry.io modules (#6292) authored by@​cksidharthan
  • aquasecurity/trivy-action from 0.12.0 to 0.13.0
  • github.com/containerd/containerd from 1.7.6 to 1.7.7
  • github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0
  • golang.org/x/net from 0.15.0 to 0.17.0
  • google.golang.org/grpc from 1.58.2 to 1.59.0 (addresses vulnerabilityGHSA-m425-mq94-257g)
  • oras.land/oras-go/v2 from 2.3.0 to 2.3.1
  • sigs.k8s.io/yaml from 1.3.0 to 1.4.0

v0.57.1

This is a bug fix release addressing the following security issues:

... (truncated)

Sourced fromgithub.com/open-policy-agent/opa's changelog.

0.58.0

NOTES:

• All published OPA images now run with a non-root uid/gid. Theuid:gid is set to1000:1000 for all images. As a resultthere is no longer a need for the-rootless image variant and hence it will not be published as part of future releases.This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,either with the--user argument fordocker run, or by specifying thesecurityContext in the Kubernetes Pod specification.

This release contains a mix of performance improvements, bugfixes and security fixes for third-party libraries.

Runtime, Tooling, SDK

• cmd/test: Display lines not covered if code coverage threshold not met in verbose reporting mode (#2562) authored by@​johanfylling
• cmd/test: Don't round up test coverage calculation as it could lead to inaccurate code coverage results (#6307) authored by@​anderseknert
• cmd/fmt: Don't format functions without a value to include= true as it is implied (#6323) authored by@​anderseknert
• server: Remove deprecated partial query parameter from REST API. This option has been deprecated sincev0.23.0 (#2266) authored by@​ashutosh-narkar
• Add support for configurable prometheus buckets for thehttp_request_duration_seconds metric (#6238) authored by@​AdrianArnautu
• plugins/bundle: Update bundle plugin state on a reconfigure operation when existing bundle is not modified (#6311) authored by@​asadk12
• internal/pathwatcher: Fix how paths to watch by a fsnotify watcher are determined to avoid monitoring unintended directories and files (#6277) authored by@​ashutosh-narkar

Topdown and Rego

• topdown: Fix issue with build optimization producing support modules with forbidden characters in first var of rule ref (#6338) authored by@​johanfylling
• topdown: Fix panic in build optimization when policy contains rules with a general ref in the head (#6339) authored by@​johanfylling
• topdown: Avoid unnecessary conversion of small numbers by caching them and thereby helping to speed up some arithmetic operations (#6021) authored by@​ashutosh-narkar
• ast+rego: Disable compiler stages for IR-based eval paths (#6335) authored by@​srenatus
• built-in/walk: Skip path creation if path is assigned a wildcard to achieve fasterwalk-ing (#6267) authored by@​anderseknert
• ast: Add regression test for edge case where partial rule hides recursion cycle (#6318) authored by@​johanfylling

Docs

• Drop EXPERIMENTAL status of reported prom metrics (#6298) authored by@​ashutosh-narkar
• Update documentation on GCS bundles for case where the resource (the object in the GCS bucket) contains slashes (/) or other special characters (#6264) authored by@​dennisg
• Provide a more clear description of negation in the policy language section (#6275) authored by@​gusega

Website + Ecosystem

• Fix un-versioned built-in docs issue so that only the built-ins for a given doc version are displayed (#6269) authored by@​charlieegan3

Miscellaneous

• ci: Removehub tool in GitHub workflows in favor ofGitHub CLI tool (#6326) authored by@​ashutosh-narkar
• Dependency updates; notably:
  • bump go.opentelemetry.io modules (#6292) authored by@​cksidharthan
  • aquasecurity/trivy-action from 0.12.0 to 0.13.0
  • github.com/containerd/containerd from 1.7.6 to 1.7.7
  • github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0
  • golang.org/x/net from 0.15.0 to 0.17.0
  • google.golang.org/grpc from 1.58.2 to 1.59.0 (addresses vulnerabilityGHSA-m425-mq94-257g)
  • oras.land/oras-go/v2 from 2.3.0 to 2.3.1
  • sigs.k8s.io/yaml from 1.3.0 to 1.4.0

0.57.1

... (truncated)

• 69a381c Prepare v0.58.0 release
• 132cc4b docs: Update generated CLI docs
• a470a21 Rename --future-compat CLI flag
• d7e9d13 topdown: Fixing issues with optimizing rules with refs in the head
• 98c300c Rename future.compat import
• 483d941 build(deps): bump aquasecurity/trivy-action from 0.12.0 to 0.13.0 (#6347)
• 2bd8d58 build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0
• 89e02ef build(deps): bump oras.land/oras-go/v2 from 2.3.0 to 2.3.1 (#6337)
• 1246ad2 build(deps): bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0
• 544fd03 ast+rego: disable compiler stages for IR-based eval paths (#6335)
• Additional commits viewable incompare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions