# ReleaseCards — full release index

Last generated: 2026-06-04T19:12:15.223Z

Each entry below is one published release with its AI-generated summary and the top user-impact highlights. Links point to the canonical web page and to a Markdown-only view for direct ingestion.

## KubeVirt v1.8.3

- Repo: https://github.com/kubevirt/kubevirt
- Date: 2026-06-03
- Web: https://releasecards.app/release/kubevirt/kubevirt/v1.8.3
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kubevirt/kubevirt/v1.8.3.md

_Hardening hardware passthrough and lifecycle reliability_

KubeVirt v1.8.3 focuses on hardening the platform through critical bug fixes for hardware passthrough, networking, and security. It improves the reliability of VM lifecycle operations like live migrations and snapshots by making health checks more intelligent, while also addressing high-impact issues such as etcd size limits and RBAC authorization truncation.

- **Scale memlock rlimit for multi-device VFIO passthrough** — Ensures that VMs using host device passthrough (like GPUs) can start reliably by correctly calculating and setting memory locking limits, preventing 'cannot limit locked memory' errors.
- **Resilient GuestAgentPing probes during VM lifecycle events** — Prevents unnecessary pod restarts during maintenance tasks like live migration, snapshots, or VM pauses by making liveness probes more resilient to temporary guest agent unavailability.
- **Fix symlink traversal in VMExport and update gRPC for security CVE** — Protects the infrastructure from potential unauthorized file access via VMExport and addresses a critical vulnerability in the gRPC library.
- **Prevent etcd object size limit exhaustion in virt-operator** — Prevents the KubeVirt custom resource from growing so large that it crashes the Kubernetes backend (etcd) when resource creation errors occur.
- **IPv6 networking and cross-namespace migration fixes** — Fixes cross-namespace live migration for IPv6-only clusters and ensures correct IP reporting for VMs using bridge networking with IPv6.

---

## Jaeger v2.19.0

- Repo: https://github.com/jaegertracing/jaeger
- Date: 2026-06-03
- Web: https://releasecards.app/release/jaegertracing/jaeger/v2.19.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/jaegertracing/jaeger/v2.19.0.md

_High-Velocity Search and Modernized Visualization_

This release introduces a major shift in how traces are discovered and visualized. The headline feature is the migration to a high-performance Trace Summaries API (V3), which powers a more efficient search experience and a new table-based search layout. Security is bolstered with TLS for ClickHouse, and the UI receives several quality-of-life updates including resizable panels and improved search controls.

- **Search migration to V3 Trace Summaries API** — The UI now uses the new V3 Trace Summaries API for searches. While this improves performance, internal tools or custom UI extensions relying on the legacy search endpoints may need verification, and standard search behavior has migrated to a more efficient data model.
- **New Table View for search results** — Users can now view search results in a structured table format instead of just the traditional list view. This makes it significantly easier to compare trace metadata (like duration, service count, and start time) across multiple results at a glance.
- **Lightweight Trace Summary API for faster searching** — The introduction of the V3 Trace Summaries endpoint allows the UI to fetch lightweight metadata instead of full trace payloads for search results. This reduces backend load, lowers network bandwidth, and makes search result rendering much faster.
- **TLS support for ClickHouse storage** — Users operating Jaeger with ClickHouse can now secure the communication between Jaeger components and the database using TLS, ensuring trace data is encrypted in transit.
- **Search UI usability improvements** — A new 'reset' button in the UI allows for quickly clearing complex search filters, and the search panel is now resizable and collapsible, giving more screen real estate to the actual trace data during analysis.

---

## jaeger v2.19.0

- Repo: https://github.com/jaegertracing/jaeger
- Date: 2026-06-03
- Web: https://releasecards.app/release/jaegertracing/jaeger/v2.19.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/jaegertracing/jaeger/v2.19.0.md

_Lighter Search and More Flexible Views_

Jaeger v2.19.0 introduces a major overhaul of the search architecture with the Trace Summaries API, alongside UI improvements like a new table view and ClickHouse TLS support.

- **Search Migrated to Trace Summaries API** — The search backend has moved to a new API. While mostly transparent, this is a major architectural shift that improves how search results are fetched and displayed, laying the groundwork for more performant queries.
- **New Table View for Trace Search Results** — You can now toggle between a standard list and a structured table view for search results, making it much easier to compare trace durations and metadata at a glance.
- **Lightweight Trace Summary API Endpoints** — Search is now significantly faster and lighter on resources. Instead of downloading full trace data just to show a list, Jaeger now only fetches the essential summary information needed for the search view.
- **TLS Support for ClickHouse Storage Backend** — You can now secure ClickHouse storage connections using TLS, ensuring that trace data is encrypted in transit between Jaeger and your database.
- **Resizable Search Panel and Form Reset** — The search interface is now more flexible.
You can resize or collapse the sidebar to focus on results, and use the new reset button to quickly clear complex filters.

---

## wasmCloud v2.3.0

- Repo: https://github.com/wasmCloud/wasmCloud
- Date: 2026-06-03
- Web: https://releasecards.app/release/wasmCloud/wasmCloud/v2.3.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/wasmCloud/wasmCloud/v2.3.0.md

_Secure Secrets and Scalable Scoping_

This release introduces key management capabilities for workload configurations and secrets, enhances security with Wasmtime v45, and improves Kubernetes deployment flexibility through namespaced RBAC. Developers also benefit from significantly improved observability and tracing for distributed microservices.

- **Workload environment variables, configuration, and secrets support** — Developers can now inject environment variables, configuration data, and secrets directly into workloads via wash. This simplifies the management of sensitive data and environment-specific settings for distributed applications.
- **Critical Wasmtime security patches and upgrade to v45** — Provides protection against known vulnerabilities in the underlying Wasmtime engine. This ensures the runtime environment stays secure against potential sandbox escape or execution exploits.
- **Namespaced RBAC support for Runtime Operator** — Administrators can now scope RBAC permissions to specific namespaces rather than requiring cluster-wide privileges. This enables better multi-tenancy and follows the principle of least privilege in shared Kubernetes environments.
- **Enhanced OTel observability and tracing granularity** — Observability is improved with better-structured spans in traces and the recording of HTTP status codes. This makes it significantly easier to debug cross-workload communication and pinpoint failures in distributed traces.
- **Improved CLI source detection and Git reference support** — Simplifies project initialization by allowing developers to pin templates to specific commit SHAs, and ensures reliable development workflows by fixing source detection logic.

---

## opensre v2026.6.3

- Repo: https://github.com/Tracer-Cloud/opensre
- Date: 2026-06-03
- Web: https://releasecards.app/release/Tracer-Cloud/opensre/v2026.6.3
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/Tracer-Cloud/opensre/v2026.6.3.md

_Orchestration expansion and smarter reasoning engines_

This release focuses on enterprise ecosystem expansion with new integrations for Dagster and Jenkins, alongside a significant reasoning engine upgrade to MiniMax M3.

- **Integrated Dagster Workflow Orchestration** — You can now manage and trigger OpenSRE data pipelines directly from Dagster, enabling more complex automation and monitoring of your reliability workflows.
- **Native Support for Jenkins CI/CD Pipelines** — OpenSRE now fits into your existing Jenkins pipelines, allowing you to automate reliability tests and deployments within the industry's most common CI/CD platform.
- **MiniMax Default Model Upgraded to M3** — The default MiniMax model has been upgraded to M3, providing significantly improved reasoning capabilities and more accurate automated decision-making.
- **Optimized Benchmark S3 Dataset Uploads** — By shifting bench datasets to S3 instead of local CI downloads, pipeline execution is faster and more reliable, reducing the time you wait for benchmark results.
- **New Tool Integration Checklist Guidance** — New standardized guidance helps you integrate and verify third-party tools more quickly, ensuring your custom integrations follow best practices.
---

## datumctl v0.15.0

- Repo: https://github.com/datum-cloud/datumctl
- Date: 2026-06-02
- Web: https://releasecards.app/release/datum-cloud/datumctl/v0.15.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/datum-cloud/datumctl/v0.15.0.md

_Extensible architecture meets AI-powered cloud management_

This release introduces a major extensibility layer via a new plugin system and integrates AI assistance directly into the CLI and console for natural language resource management.

- **Extended CLI with Powerful Plugin System** — You can now customize your CLI by installing official or community-built plugins that feel like native commands. It also includes an SDK for developers to build their own extensions with automatic authentication and security checks.
- **Natural Language AI Command Assistant** — Manage your cloud resources using plain English instead of memorizing complex flags. Whether through the CLI or the embedded console chat, you can describe tasks like clearing DNS zones or listing projects, and the AI will generate the required operations for you.
- **In-Console Login and Welcome Screen** — First-time setup and re-authentication are now seamless. You no longer have to drop out of the TUI to log in; the console handles the entire device flow and takes you straight to your resources once finished.
- **Reliable Credential Storage Fallbacks** — The CLI is now more reliable in restricted or specialized environments. If your system's secure keyring is locked or missing, it automatically uses a local file fallback so you stay logged in.
- **Correct Kubeconfig Hostname Formatting** — Prevents connection failures when using generated Kubernetes configurations by ensuring the server URL is always a valid HTTPS address.
---

## containerd v2.1.8

- Repo: https://github.com/containerd/containerd
- Date: 2026-06-02
- Web: https://releasecards.app/release/containerd/containerd/v2.1.8
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/containerd/containerd/v2.1.8.md

_Hardening the Core: Security and Runtime Refinements_

A security-focused patch release addressing CVE-2026-46680 alongside critical fixes for sandbox management, OCI specification handling, and AppArmor compatibility.

- **Critical Security Update (CVE-2026-46680)** — This release addresses a security vulnerability. Users should update to ensure their container environments are protected against potential exploits related to CVE-2026-46680.
- **Improved OCI Spec Validation for USER Values** — Prevents unexpected system behavior or incorrect user lookups when a container image specifies an invalid or out-of-range UID/GID in the OCI specification.
- **Stability Fixes for Sandbox Services and Events** — Resolves issues where sandbox creation fields weren't forwarded correctly and ensures event topics are accurately published, improving the reliability of pod-level abstractions in Kubernetes and other orchestrators.

---

## Rook v1.20.0

- Repo: https://github.com/rook/rook
- Date: 2026-06-02
- Web: https://releasecards.app/release/rook/rook/v1.20.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/rook/rook/v1.20.0.md

_Architectural Decoupling and Enhanced Multi-Cluster Scalability_

Rook v1.20 focuses on architectural refinement by decoupling CSI driver configuration into a dedicated operator and stabilizing multi-cluster performance. It also introduces significant object storage enhancements via RGW Accounts and improves automation for encrypted drive management and CRUSH map hygiene.

- **CSI Driver Management Decoupled from Rook Operator** — Management of CSI settings has shifted to a dedicated CSI operator.
While existing settings persist during upgrades, you must transition to using specific OperatorConfig and Driver CRDs for any future CSI adjustments or new installations. This clarifies the boundary between storage orchestration and driver management but requires a change in your automation workflows.
- **Stable Concurrent Multi-Cluster Reconciliation** — Administrators managing multiple Ceph clusters can now leverage stable concurrent reconciliation. This significantly reduces the time it takes for the Rook operator to process changes across large-scale environments with many independent clusters.
- **Experimental RGW Account Management via CRDs** — SREs running multi-tenant object storage can now better organize and isolate users through the new RGW Account CRD. This aligns Rook closer to AWS-style IAM structures, though it currently requires experimental Ceph builds for testing.
- **Automatic Cleanup of Unused CRUSH Rules** — Reduces manual maintenance and potential confusion by automatically purging CRUSH rules that are no longer associated with any pools. This keeps the Ceph cluster state clean and prevents rule exhaustion in very large, complex environments.
- **Auto-Resize for Encrypted Host-Based OSDs** — Simplifies operations for users running encrypted storage on bare-metal (non-PVC) nodes. When you replace a drive with a larger one or expand a hardware volume, Rook now handles the underlying encryption layer expansion automatically.

---

## OpenFGA v1.17.0

- Repo: https://github.com/openfga/openfga
- Date: 2026-06-02
- Web: https://releasecards.app/release/openfga/openfga/v1.17.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/openfga/openfga/v1.17.0.md

_Fortified Caching and Precision Telemetry_

This release focuses on hardening the internal caching engine for better security and performance while introducing more granular control over observability via industry-standard OpenTelemetry sampling strategies.
- **Hardened and Collision-Free Cache Key Generation** — The new TLV binary encoding and per-process seeding protect OpenFGA against hash-flooding attacks while ensuring high-performance cache lookups are zero-collision. This increases the reliability of authorization decisions under high load or adversarial conditions.
- **Configurable OpenTelemetry Trace Sampling Strategies** — Teams using distributed tracing can now better control telemetry costs and visibility by aligning OpenFGA sampling with their global OpenTelemetry strategies, including respecting sampling decisions made by upstream services.

---

## NATS v2.14.2

- Repo: https://github.com/nats-io/nats-server
- Date: 2026-06-02
- Web: https://releasecards.app/release/nats-io/nats-server/v2.14.2
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/nats-io/nats-server/v2.14.2.md

_Hardening the Core: Data Integrity and Clustering Stability_

This maintenance release focuses heavily on the stability and correctness of JetStream clustering and data integrity. It resolves potential protocol corruption issues in WebSockets and JetStream acknowledgments, fixes a runaway CPU usage scenario for filestore streams with high subject counts, and refines Raft leader election and quorum logic. Plus, monitoring for leaf node accounts is now more accurate.

- **Critical Protocol and Routing Reliability Fixes** — These fixes prevent rare but critical protocol-level data corruption and race conditions in routing, ensuring that messages and acknowledgments reach their intended destinations reliably without manual intervention or service restarts.
- **Resource Optimization for High-Subject Streams** — Users with high-density streams (many unique subjects) will avoid potential CPU spikes that previously occurred during block skip checks, leading to more predictable performance and stable resource utilization at the edge.
- **Enhanced JetStream Clustering and Quorum Stability** — By improving Raft peer tracking and quorum calculation for multi-IP gateway resolution, NATS clusters become more resilient to network instability and complex DNS configurations, reducing the risk of split-brain or stalled consensus.
- **Improved Monitoring Visibility for Leaf Node Deployments** — Monitoring tools relying on the /accstatz endpoint will now provide a complete view of the system, correctly surfacing accounts that operate exclusively via leaf node connections.

---

## NATS v2.12.10

- Repo: https://github.com/nats-io/nats-server
- Date: 2026-06-02
- Web: https://releasecards.app/release/nats-io/nats-server/v2.12.10
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/nats-io/nats-server/v2.12.10.md

_Hardening Distributed Consensus and Data Integrity_

This maintenance release focuses on hardening the JetStream consensus layer and fixing critical protocol edge cases. It addresses potential data corruption in WebSockets and JetStream ACKs, stabilizes Raft peer tracking during stalls, and optimizes CPU usage for streams with high subject cardinality. Monitoring for leaf-node environments is also improved.

- **Protocol and Buffer Corruption Protection** — Eliminates critical risks of protocol corruption in JetStream acknowledgments and WebSocket communications, ensuring high-performance messaging remains reliable without data integrity issues.
- **JetStream Cluster Stability and Quorum Fixes** — Resolves edge-case Raft and quorum calculation bugs that could lead to cluster instability when nodes stall or when gateway URLs resolve to multiple IPs.
- **CPU Optimization for High-Subject Streams** — Limits unoptimized block skip checks on streams with massive subject counts, preventing CPU spikes and ensuring resource efficiency for high-cardinality data sets.
- **Storage and Scale-Down Consistency Improvements** — Ensures consistent behavior during scale-down operations and purge requests, making JetStream management more predictable across different storage types and consumer configurations.
- **Enhanced Client Identity in Authentication API** — Provides developers with better visibility into client identities within custom authentication plugins, facilitating more granular access control.

---

## Longhorn v1.12.0

- Repo: https://github.com/longhorn/longhorn
- Date: 2026-06-02
- Web: https://releasecards.app/release/longhorn/longhorn/v1.12.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/longhorn/longhorn/v1.12.0.md

_Modern Storage Power: V2 Data Engine Hits GA with Dual-Stack Networking_

The v1.12.0 release is a major milestone centering on the graduation of the V2 Data Engine to General Availability. This version introduces critical networking modernizations like IPv6 and dual-stack support, alongside advanced topology-aware provisioning. Significant focus was placed on operational stability, including fixes for high-scale replica rebuilding and memory optimizations for the Longhorn manager.

- **V2 Data Engine graduates to General Availability (GA)** — The V2 Data Engine is now production-ready, offering modern NVMe-based performance and better stability for high-performance stateful applications.
- **V2 Backing Image removal and migration requirement** — Existing V2 volumes using backing images must be migrated or recreated before upgrading, or they will fail to attach in the new version.
- **Topology-aware PV node affinity control** — Administrators can now precisely control where volumes are provisioned using standard Kubernetes topology keys, ensuring data is located on the correct nodes or zones.
- **IPv6 and Dual-Stack cluster support** — Enables Longhorn deployment in modern networking environments, including IPv6-only or dual-stack clusters, provided the IP family order is consistent across nodes.
- **Increased default CPU allocation for V2 Data Engine** — The default CPU allocation for the V2 engine has doubled to 2 cores, preventing I/O heavy workloads from starving management tasks and causing timeouts.

---

## Dapr v1.17.9

- Repo: https://github.com/dapr/dapr
- Date: 2026-06-01
- Web: https://releasecards.app/release/dapr/dapr/v1.17.9
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.17.9.md

_Reliable Workflow Cleanup for Cosmos DB Users_

This release focuses on a critical stability fix for Dapr Workflows using Azure Cosmos DB. It resolves a race condition where workflows without a custom status would cause the retention mechanism to fail and retry indefinitely, potentially leading to increased database operations and log noise.

- **Fix for stuck Workflow retention purges on Azure Cosmos DB** — If you use Azure Cosmos DB for workflow storage, your completed workflows could become 'undeletable,' causing infinite retries and bloating your database. Updating to this version prevents these stuck purge cycles and automatically cleans up workflows that were previously trapped in the system.

---

## KEDA v2.20.0

- Repo: https://github.com/kedacore/keda
- Date: 2026-06-01
- Web: https://releasecards.app/release/kedacore/keda/v2.20.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kedacore/keda/v2.20.0.md

_Enterprise Resilience and Modernized Event Infrastructure_

KEDA v2.20.0 focuses on architectural evolution and enterprise stability. It migrates to the modern Kubernetes Events API, introduces high-performance optimizations for massive clusters (60k+ objects), and adds core architectural enhancements like scaling modifier fallbacks and AWS cross-account support.
New scalers for OpenSearch and Elastic Forecast further expand the ecosystem.

- **RBAC migration for Kubernetes Events API** — If you use custom RBAC, you must manually grant the operator permissions for the new API group before upgrading to avoid losing visibility into KEDA events.
- **New OpenSearch and Elastic Forecast scalers** — Users of Elastic and OpenSearch ecosystems can now natively autoscale their Kubernetes workloads based on search results and forecasted trends.
- **AWS External ID support for cross-account scaling** — Simplifies security management for AWS users by allowing KEDA to access resources across different AWS accounts via a trust relationship.
- **Large-scale stability improvements for admission webhooks** — Prevents the KEDA operator from crashing or slowing down when managing tens of thousands of ScaledObjects, ensuring stability for enterprise-grade clusters.
- **Deprecation and removal of legacy scaler settings** — Existing configurations using subscriptionSize (GCP) or minMetricValue (Huawei) must be updated to the new parameters to avoid scaling failures.

---

## Volcano v1.15.0

- Repo: https://github.com/volcano-sh/volcano
- Date: 2026-06-01
- Web: https://releasecards.app/release/volcano-sh/volcano/v1.15.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/volcano-sh/volcano/v1.15.0.md

_Smarter Resource Reclamation and Precise Queue Control for AI at Scale_

Volcano v1.15.0 introduces critical enhancements for AI and batch workloads, most notably gang-aware preemption to protect workload integrity during resource contention. It expands resource management with DRA quota support and scheduling gates to prevent unnecessary autoscaling. The release also adds a robust benchmarking framework and pluggable sharding policies, while ensuring compatibility with Kubernetes 1.35.
- **Gang-Aware Preemption and Resource Reclamation (Alpha)** — This prevents the "partial eviction" problem where a single training task is killed, rendering the rest of the gang useless while still consuming resources. It ensures that when resources are reclaimed, they are taken in logical job units, preserving the integrity of AI/ML training workloads.
- **DRA Queue Quota in Capacity Plugin** — AI engineers using Dynamic Resource Allocation (DRA) can now enforce hardware quotas (like specific GPU types or vGPU partitions) within Volcano queues, preventing one team from consuming all specialized accelerator resources.
- **Scheduling Gates for Queue Admission Control (Alpha)** — Cluster operators can now use 'Scheduling Gates' to stop queue-blocked pods from triggering Cluster Autoscaler or Karpenter. This prevents expensive and unnecessary cloud infrastructure scale-ups when the bottleneck is a soft software limit (quota) rather than hard physical capacity.
- **New Benchmark Framework and Observability Tooling** — Provides a standardized way to measure scheduling throughput and latency on your specific hardware. This allows data platform teams to identify bottlenecks and optimize Volcano for large-scale, high-concurrency job submission.
- **Pluggable Multi-Sharding Policies with Live Reload** — Allows more granular control over multi-scheduler deployments. Operators can apply custom policies (like warmup or allocation rates) to specific shards via ConfigMap without restarting the controller, improving operational flexibility.
---

## openclaw v2026.5.28

- Repo: https://github.com/openclaw/openclaw
- Date: 2026-05-30
- Web: https://releasecards.app/release/openclaw/openclaw/v2026.5.28
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/openclaw/openclaw/v2026.5.28.md

_Resilient Runtimes and Pro Mobile Experiences_

This release focuses on industrial-grade reliability for Agent runtimes, a significant refresh of the iOS Pro experience, and expanded support for cutting-edge models like Claude Opus 4.8. It also introduces stricter input validation and significant performance optimizations for session management.

- **Expanded Model and Media Support** — You can now leverage the latest high-performance models including Claude Opus 4.8, NVIDIA featured models, and GitHub Copilot. Additionally, support for encrypted PDFs and streaming music responses from MiniMax expands the types of data and media your agents can handle.
- **Hardened Agent and Codex Runtime Recovery** — The system is now much better at recovering from crashes or timeouts. Subagents stay organized in their own workspaces, session locks clear properly when things hang, and internal server failures no longer crash your entire runtime environment.
- **Mobile and Chat UI Refresh** — The iOS app received a major 'Pro' overhaul, featuring better push notifications, realtime Talk playback, and state preservation. This means your chats and agent progress stay visible even if your connection flickers or you perform an empty search.
- **Stricter Channel Delivery and Identity Safety** — Messaging reliability is improved across Slack, Discord, WhatsApp, Telegram, and Microsoft Teams. Specific fixes ensure room IDs, reactions, and authentication roots stay consistent, preventing lost messages or disconnected sessions.
- **Input Hardening and Validation Strictness** — The system now proactively rejects bad inputs (like malformed URLs, invalid port numbers, or suspicious timeouts) before they can cause issues. This protects your automation workflows and browser tools from unexpected behavior or exploits.

---

## vLLM v0.22.0

- Repo: https://github.com/vllm-project/vllm
- Date: 2026-05-29
- Web: https://releasecards.app/release/vllm-project/vllm/v0.22.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/vllm-project/vllm/v0.22.0.md

_DeepSeek Maturity and Performance Gains_

v0.22.0 delivers production-grade maturity for DeepSeek V4, massive inference speedups via Cutlass FP8, and a new multi-tier KV cache system. It also introduces an experimental Rust frontend and full support for next-generation hardware like NVIDIA Blackwell.

- **DeepSeek V4 Maturity & Native Optimization** — DeepSeek V4 is now production-ready with optimized kernels, speculative decoding, and native NVFP4 support. You can now run this state-of-the-art model with significantly better performance and lower memory overhead than ever before.
- **Latency Improvements with Cutlass FP8** — You can achieve nearly 30% lower end-to-end latency for standard inference and 13.5% faster time-to-first-token. This makes your applications feel much more responsive without needing to change your hardware.
- **Multi-Tier KV Cache Offloading Framework** — You can now offload the KV cache to a secondary tier like a local filesystem or disk. This allows you to process significantly longer contexts or handle more concurrent requests than your GPU or CPU RAM would normally allow.
- **Model Runner V2 Advancements** — The underlying architecture is shifting to a more modern runner that is now the default for Qwen3 models. It offers better weight reloading and shared memory management, leading to more stable and efficient model serving.
- **Experimental Rust Frontend Integration** — Developers can now experiment with a native Rust integration for front-end tasks. This opens the door for higher-performance request handling and better safety for high-concurrency serving environments.

---

## Backstage v1.51.1

- Repo: https://github.com/backstage/backstage
- Date: 2026-05-29
- Web: https://releasecards.app/release/backstage/backstage/v1.51.1
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/backstage/backstage/v1.51.1.md

_Polishing the Engine: Catalog Performance and Integration Stability_

This patch release focuses on stabilizing core catalog performance and fixing integration issues with GitLab and Microsoft Graph. It resolves a significant performance bottleneck that affected large-scale entity lists and ensures that critical runtime dependencies are correctly packaged.

- **Fix CTE materialization bottleneck in Catalog queries** — Large-scale catalogs will see significant performance improvements when listing and filtering entities. By splitting the count and list queries, the database can now optimize execution plans correctly instead of hitting a bottleneck that previously caused slow loading times for platform engineers managing thousands of entities.
- **Fix GitLab archive retrieval errors (406)** — GitLab users can once again download repository archives. This fix restores the ability to fetch project templates or documentation stored in GitLab, preventing 406 errors during automated scaffolding or catalog ingestion tasks.
- **Resolve Microsoft Graph user/group sync failures** — This ensures that organizations using Microsoft Graph to sync users and groups won't experience integration failures caused by API-side filtering limitations. By moving the filtering of disabled users to the client-side, the sync process becomes more robust against specific backend API errors.
---

## Dapr v1.17.8

- Repo: https://github.com/dapr/dapr
- Date: 2026-05-28
- Web: https://releasecards.app/release/dapr/dapr/v1.17.8
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.17.8.md

_Ensuring Workflow Reliability and Identity Security_

This maintenance release addresses a critical bug in the Workflow engine that caused instances to become unrecoverable after rescheduling, and closes a security vulnerability in Sentry's OIDC discovery endpoint.

- **Fix for unrecoverable stuck Dapr Workflows** — If you use Dapr Workflows with stable instance IDs, you may have encountered workflows that get stuck in an endless loop or 'failed to purge' errors in your logs. This update ensures that restarting or rescheduling a completed workflow correctly cleans up old task reminders, preventing the scheduler from entering a permanent retry loop that consumes resources and stops workflow progress.
- **Security: Prevent OIDC discovery document poisoning in Sentry** — This addresses a vulnerability where an attacker could manipulate the Sentry OIDC discovery process to point at a malicious server. If you use Sentry to issue JWTs for identity federation (like AWS IAM or Azure AD), this fix prevents attackers from spoofing your identity provider via the X-Forwarded-Host header.

---

## SPIFFE/SPIRE v1.15.1

- Repo: https://github.com/spiffe/spire
- Date: 2026-05-28
- Web: https://releasecards.app/release/spiffe/spire/v1.15.1
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.15.1.md

_Strengthening Azure Node Attestation Security_

This security-focused release addresses a critical vulnerability in the Azure IMDS node attestor and updates foundational Go libraries to maintain a secure environment.

- **Critical fix for Azure IMDS node attestation vulnerability** — This prevents a critical security bypass where an attacker could impersonate an arbitrary Azure virtual machine.
Without this fix, the server-side node attestor failed to properly link the signature to the trusted certificate chain, potentially allowing unauthorized workloads to obtain SPIFFE IDs based on forged metadata.

---

## SPIFFE/SPIRE v1.14.7

- Repo: https://github.com/spiffe/spire
- Date: 2026-05-28
- Web: https://releasecards.app/release/spiffe/spire/v1.14.7
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.14.7.md

_Hardening Azure Node Attestation and Core Cryptography_

SPIRE v1.14.7 is a critical security maintenance release that addresses a vulnerability in the Azure IMDS node attestor plugin and updates core cryptographic dependencies to their latest secure versions.

- **Fix for Azure IMDS node attestation spoofing vulnerability** — This fix prevents potential impersonation attacks where a malicious actor could forge Azure VM metadata to gain unauthorized identity documents. Users running SPIRE on Azure should update immediately to ensure the integrity of their node attestation process.

---

## Contour v1.33.5

- Repo: https://github.com/projectcontour/contour
- Date: 2026-05-28
- Web: https://releasecards.app/release/projectcontour/contour/v1.33.5
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/projectcontour/contour/v1.33.5.md

_Hardening the perimeter against security bypasses and library vulnerabilities._

This release focuses on critical security hardening, specifically addressing a JWT verification bypass vulnerability related to fallback certificate configurations and updating core dependencies to mitigate downstream security risks.

- **Fix JWT verification bypass with fallback certificates** — This addresses a vulnerability where malicious or misconfigured traffic could bypass security checks. By rejecting these invalid configurations, Contour ensures that your JWT-protected services remain secure even when TLS SNI information is missing or incorrect.
---

## Prometheus v3.12.0

- Repo: https://github.com/prometheus/prometheus
- Date: 2026-05-28
- Web: https://releasecards.app/release/prometheus/prometheus/v3.12.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/prometheus/prometheus/v3.12.0.md

_Faster head chunks, safer configurations, and more accurate rates_

Prometheus v3.12.0 introduces significant performance gains in the TSDB, particularly for head chunk lookups and mmapping, which will be immediately noticeable in high-cardinality environments. This release also focuses on data accuracy with new start-timestamp support for rate calculations and adds long-requested UI tools for series management. Critical security patches and expanded cloud service discovery further solidify its role as the centerpiece of cloud-native observability.

- **Critical security fixes for Remote-write and STACKIT Service Discovery** — Prevents potential denial-of-service (DoS) attacks from malicious or malformed remote-write requests and ensures sensitive credentials are not exposed through the configuration endpoint.
- **Major TSDB performance optimizations for head chunk processing** — Significantly reduces CPU overhead and improves query responsiveness, especially in high-scale environments with many active time series.
- **Enhanced accuracy for PromQL rate and increase functions via start timestamps** — You can now use start timestamps to get more accurate results for rate, increase, and resets calculations, specifically helping to handle counter resets more precisely.
- **New UI for time series deletion and tombstone management** — Simplifies operational maintenance by allowing users to manage data lifecycle (deleting series and cleaning tombstones) directly from the Prometheus web interface.
- **New Service Discovery for DigitalOcean and Outscale** — Expands monitoring coverage for teams using DigitalOcean Managed Databases and Outscale Cloud resources.
---

## OpenFGA v1.16.1

- Repo: https://github.com/openfga/openfga
- Date: 2026-05-28
- Web: https://releasecards.app/release/openfga/openfga/v1.16.1
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/openfga/openfga/v1.16.1.md

_Refining experimental performance and hardening security_

This patch release focuses on critical bug fixes for the experimental weighted graph evaluation engine, particularly addressing incorrect denials when using contextual tuples. It also includes security infrastructure updates and optimized developer workflows.

- **Reliability improvements for experimental weighted graph check** — Users testing the new weighted graph algorithm can now rely on accurate results when using contextual tuples. Previously, a pruning optimization could lead to incorrect access denials. Additionally, timeout and cancellation errors are now correctly reported rather than masked by falling back to the standard algorithm.
- **Security patches for grpc-health-probe infrastructure** — This update patches vulnerabilities in the Go standard library by upgrading the health check probe, ensuring the underlying infrastructure components remain secure against known exploits.

---

## Open Policy Agent v1.17.0

- Repo: https://github.com/open-policy-agent/opa
- Date: 2026-05-28
- Web: https://releasecards.app/release/open-policy-agent/opa/v1.17.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/open-policy-agent/opa/v1.17.0.md

_Intuitive Negation and Observable Decisions_

This release focuses on policy authoring precision and observability. It introduces superior negation semantics via a new keyword import to prevent silent failures, and adds rule-level metadata labels to decision logs for richer auditability. Additionally, the release provides new JSON schemas for core OPA components and various performance optimizations in the Rego compiler.
- **Improved Negation Semantics with future.keywords.not** — This fixes a long-standing point of confusion where 'not' would fail silently if part of the expression was undefined. High-integrity policy authoring becomes much easier and more predictable.
- **Rule Labels in Decision Logs** — Security and DevOps teams can now see exactly which rules (and their severity/team context) triggered a decision directly in the logs, making audit trails and troubleshooting significantly more powerful.
- **Published JSON Schemas for IR and Manifests** — Developers building tooling around OPA can now leverage formal schemas for IR plans and bundle manifests, enabling better validation, auto-completion, and safer automation.
- **Optimized Binary Operator Allocations** — Reduces memory churn during policy evaluation, contributing to lower latency for high-throughput authorization services.

---

## Claude Code v2.1.154

- Repo: https://github.com/anthropics/claude-code
- Date: 2026-05-28
- Web: https://releasecards.app/release/anthropics/claude-code/v2.1.154
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/anthropics/claude-code/v2.1.154.md

_From Assistant to Orchestrator: Opus 4.8 and Multi-Agent Workflows_

This major update introduces the Opus 4.8 model with a high-speed 'Fast mode' and debuts dynamic workflows that orchestrate hundreds of agents for large-scale tasks. It also significantly improves system stability and background task management.

- **Massive Multi-Agent Workflows** — You can now automate massive technical projects by letting Claude design and run multi-agent workflows. This transforms the tool from a single-task assistant into an orchestrator capable of managing tens or hundreds of concurrent background tasks.
- **Opus 4.8 and Fast Mode Integration** — You get access to a more powerful model that defaults to 'high effort' for complex reasoning.
Additionally, a new 'Fast mode' allows you to get results 2.5x faster at only double the cost, significantly improving iteration speed.
- **Background Shell Command Sessions** — The new '! ' syntax allows you to launch long-running shell tasks in the background and disconnect. You can check back later to see the results, making it much easier to run tests or builds while you continue other work.
- **Improved Decision Logic and Leaner Prompts** — Claude is now less 'talkative' and asks fewer repetitive questions. With a leaner system prompt and smarter decision-making on whether to ask for clarification, you'll experience fewer interruptions and faster overall progress.
- **Critical Background Process and Safety Fixes** — Crucial fixes prevent background agents from accidentally overwriting your main workspace files and stop zombie processes from consuming 100% of your CPU on macOS. This makes the system far more stable and reliable for 'set and forget' tasks.

---

## Goose v1.36.0

- Repo: https://github.com/aaif-goose/goose
- Date: 2026-05-27
- Web: https://releasecards.app/release/aaif-goose/goose/v1.36.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/aaif-goose/goose/v1.36.0.md

_Goose Goes Pro with TUI, Local Reviews, and Universal Provider Support_

Version 1.36.0 introduces a robust Terminal User Interface (TUI), native code review capabilities, and an expansive list of new AI providers, while significantly improving local inference performance on Linux and Windows.

- **New TUI Command and Diff Viewer** — You can now interact with Goose through a terminal-based UI and view diffs directly in your console. This provides a more powerful, keyboard-centric workflow for developers who prefer staying in the terminal while managing AI-driven code changes.
- **Local Code Review and Agent Self-Evaluation** — The new 'goose review' command allows for local code reviews, while the '/goal' command ensures the agent self-evaluates its progress. This means higher quality code output and fewer 'incomplete' tasks as the agent checks its own work against your requirements.
- **Expanded Provider Ecosystem and Universal Thinking Control** — Goose now supports a massive array of new providers including NEAR AI, Scaleway, Vercel AI Gateway, and several declarative OpenAI-compatible engines. You have more freedom than ever to choose your backend based on cost, performance, or privacy needs.
- **Extensible Hooks System for Tool Control** — Advanced users and enterprise teams can now implement custom logic to allow or deny tool usage before it happens. This enables better security, custom auditing, and deeper integration into existing workflows.
- **Expanded Internationalization Support** — Native support for Russian, Simplified Chinese, and Turkish expands accessibility for global teams, allowing more developers to use Goose in their native language.

---

## Falco 0.44.0

- Repo: https://github.com/falcosecurity/falco
- Date: 2026-05-26
- Web: https://releasecards.app/release/falcosecurity/falco/0.44.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/falcosecurity/falco/0.44.0.md

_Modernizing the Foundation: Leaner Core and Smarter Rules_

Falco 0.44.0 focuses on modernizing the codebase by removing legacy components (BPF probe, gVisor, gRPC) while significantly enhancing the rule engine with new logical comparators. It also introduces safer capture file management and stricter security defaults for the Web UI.

- **Removal of legacy BPF probe, gVisor engine, and gRPC output support** — Legacy components including the original BPF probe, gVisor engine, and gRPC output/server have been removed.
Users relying on these features must migrate to modern alternatives like the modern eBPF probe or the Falco gRPC Sidekick.
- **Enhanced rule engine with advanced comparators and transformers** — Rule authors gain powerful new logical operators (oneof/allof/anyof) and list transformer exceptions, allowing for more concise and sophisticated threat detection logic.
- **Configurable stop conditions for event capture files** — Security teams can now better manage capture file sizes by setting limits on the number of events or total file size, preventing accidental disk exhaustion during high-volume incident logging.
- **Restricted falco-webui access to localhost for improved security** — A critical security fix restricts the falco-webui service to local access by default, reducing the attack surface for deployments using the web interface.
- **Backslash escaping for YAML key-path parser** — When configuring Falco via the command line, you can now use a backslash to escape dots and brackets in key names. This is essential if your YAML configuration uses keys that contain these special characters.

---

## OpenTelemetry v0.153.0

- Repo: https://github.com/open-telemetry/opentelemetry-collector
- Date: 2026-05-25
- Web: https://releasecards.app/release/open-telemetry/opentelemetry-collector/v0.153.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/open-telemetry/opentelemetry-collector/v0.153.0.md

_Hardening the Foundation with Improved Stability and Tooling_

This release focuses heavily on internal stability and developer experience improvements. It resolves a critical memory corruption risk in gRPC Snappy compression and stabilizes several long-standing feature gates. Significant enhancements to the mdatagen tool automate documentation and improve configuration validation for component authors.
- **Resolved memory corruption in Snappy-compressed gRPC connections** — This prevents potential service crashes and data corruption when using Snappy compression with gRPC, ensuring much higher reliability for high-throughput telemetry pipelines.
- **Stabilization of multiple core internal feature gates** — Several feature gates have been stabilized and removed, meaning their behaviors are now permanent. Users who were explicitly toggling these gates in their configuration should review their startup flags.
- **Automated README documentation and stricter validation in mdatagen** — Component developers now get automated, accurate documentation tables and better configuration validation, reducing the manual effort required to maintain high-quality collector components.
- **Added iteration support for storage extensions via Walker interface** — This provides a standard way for components to inspect their own local storage, facilitating maintenance tasks like data cleanup or migration without external tools.

---

## Crossplane v2.3.1

- Repo: https://github.com/crossplane/crossplane
- Date: 2026-05-22
- Web: https://releasecards.app/release/crossplane/crossplane/v2.3.1
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/crossplane/crossplane/v2.3.1.md

_Hardening the foundations of universal infrastructure management_

This patch release prioritizes security and stability for Crossplane v2.3. It includes critical updates to underlying cryptographic libraries and synchronizes the crossplane-runtime to ensure the control plane operates reliably across different environments.

- **Security updates for core cryptographic dependencies** — Ensures the control plane remains secure by addressing known vulnerabilities in core cryptographic libraries. This is critical for maintaining trust in infrastructure orchestration.
---

## Crossplane v1.20.8

- Repo: https://github.com/crossplane/crossplane
- Date: 2026-05-22
- Web: https://releasecards.app/release/crossplane/crossplane/v1.20.8
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/crossplane/crossplane/v1.20.8.md

_Strengthening the control plane foundation with vital security patches_

A dedicated security and maintenance patch for Crossplane v1.20 that focuses on hardening the platform against vulnerabilities in the Go runtime and several critical third-party modules.

- **Security hardening of Go runtime and standard libraries** — This update addresses several vulnerabilities in the underlying Go standard library and critical third-party networking/cryptography modules. Upgrading ensures your control plane remains resistant to known exploits targeting the Go runtime and transport layers.
- **Updated core dependencies for Git and container operations** — These updates fix vulnerabilities in the libraries Crossplane uses to handle Git operations, container CLI interactions, and supply chain metadata. This reduces the risk of malicious input crashing or compromising the control plane when interacting with external repositories.

---

## Crossplane v2.1.6

- Repo: https://github.com/crossplane/crossplane
- Date: 2026-05-22
- Web: https://releasecards.app/release/crossplane/crossplane/v2.1.6
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/crossplane/crossplane/v2.1.6.md

_Securing the Control Plane Foundation_

Version 2.1.6 is a focused security and maintenance patch for Crossplane. It primarily updates critical underlying libraries and the Go runtime to mitigate several CVEs, ensuring a secure environment for infrastructure orchestration.
- **Comprehensive security hardening of core dependencies** — This update addresses multiple security vulnerabilities in core dependencies like golang.org/x/net, go-git, and the Go standard library, ensuring your control plane remains protected against known exploits.

---

## Crossplane v2.2.2

- Repo: https://github.com/crossplane/crossplane
- Date: 2026-05-22
- Web: https://releasecards.app/release/crossplane/crossplane/v2.2.2
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/crossplane/crossplane/v2.2.2.md

_Fortifying the foundation with security and dependency updates_

Crossplane v2.2.2 is a maintenance release focused on strengthening the security posture of the control plane through critical dependency updates and runtime hardening.

- **Security hardening of core dependencies and Go runtime** — This patch addresses several vulnerabilities in the underlying Go standard library and various Go modules. Upgrading ensures your control plane remains compliant and protected against known exploits in the dependency stack.
- **Integration of crossplane-runtime v2.2.2 stability updates** — Updates to the crossplane-runtime ensure that the core orchestration engine benefits from the latest stability improvements and bug fixes, leading to more reliable resource management.

---

## Crossplane v2.3.0

- Repo: https://github.com/crossplane/crossplane
- Date: 2026-05-21
- Web: https://releasecards.app/release/crossplane/crossplane/v2.3.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/crossplane/crossplane/v2.3.0.md

_Precision Control and Production Safety for the Universal Control Plane_

The v2.3.0 release introduces significant upgrades to the Crossplane developer experience and operational safety. Key additions include a high-fidelity rendering engine for perfect local simulations, precise control over resource polling intervals, and alpha-stage deletion protection for Providers.
The release also restructures Go modules and moves the CLI to a dedicated repository to streamline independent development.

- **High-fidelity local rendering engine** — Local development and CI/CD pipelines can now generate exact replicas of how Crossplane will provision resources in-cluster. This eliminates 'it worked locally' bugs and increases confidence in infrastructure changes before they are applied.
- **Fine-grained per-resource reconciliation control** — You can now control the reconciliation frequency for specific resources via annotations. This is critical for reducing provider API costs (by polling less often) or forcing immediate updates for critical resources without waiting for the global sync period.
- **Alpha Provider deletion protection** — Prevents accidental deletion of Providers if they are still being used by managed resources. This acts as a safety net to prevent infrastructure drift or 'orphaned' resources that occur when a provider is removed prematurely.
- **Go API module separation and CLI repository migration** — If you build custom tools or integrations against Crossplane's Go modules, you must update your import paths. Additionally, the CLI (formerly 'crank') has moved to its own repository, meaning its release cycle and versioning will now differ from the core controller.
- **Scale subresource support for XRs** — Users can now use standard Kubernetes tools like 'kubectl scale' to manage workloads or infrastructure counts defined within Composite Resources, making Crossplane resources feel even more native to the Kubernetes ecosystem.
---

## containerd v2.2.4

- Repo: https://github.com/containerd/containerd
- Date: 2026-05-20
- Web: https://releasecards.app/release/containerd/containerd/v2.2.4
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/containerd/containerd/v2.2.4.md

_Hardening container security and storage compatibility_

containerd v2.2.4 is a critical maintenance update focusing on security and storage reliability. It addresses two CVEs, hardens default security profiles, and improves compatibility with writable block volumes and user namespaces.

- **Critical security patches for containerd and go-jose** — This release addresses a direct vulnerability in containerd (CVE-2026-46680) and a vulnerability in the go-jose dependency. Users should upgrade immediately to protect their container infrastructure from potential exploitation.
- **Support for writable block volumes in image volume processing** — Ensures compatibility for users utilizing specialized storage technologies like EROFS or block-based snapshotters when containers involve image volume processing.
- **Hardened default security policies and OCI spec validation** — Hardens the default security posture by blocking AF_ALG socket creation and preventing potential local privilege escalation or information disclosure via out-of-range OCI user values.
- **Improved OverlayFS and AppArmor compatibility** — Resolves issues where layer extraction would fail when using overlayfs within user namespaces, and improves AppArmor compatibility for older distributions (pre-3.0).
---

## wasmCloud v2.2.0

- Repo: https://github.com/wasmCloud/wasmCloud
- Date: 2026-05-20
- Web: https://releasecards.app/release/wasmCloud/wasmCloud/v2.2.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/wasmCloud/wasmCloud/v2.2.0.md

_Standardizing Security and Streamlining Developer Workflows_

This release focuses on strengthening the security and developer experience of the wasmCloud ecosystem. Key additions include early support for WASI Preview 3 TLS, improved Kubernetes operator reliability, and a more streamlined wash CLI for automated workflows. Additionally, the move to publish WIT interfaces to GHCR simplifies the development lifecycle for component authors.

- **WASI Preview 3 wasi:tls support** — This provides a standardized, platform-agnostic way for WebAssembly components to handle encrypted communications, ensuring secure data transport without relying on host-specific workarounds.
- **CLI enhancements for wash config and wash new** — Automation and CI/CD pipelines can now bootstrap new projects more reliably without manual intervention, and configuration management is more robust with built-in validation.
- **Kubernetes operator networking and permission fixes** — Improves networking reliability for Kubernetes-based deployments by ensuring workloads are reachable via IP, and ensures the operator functions correctly in locked-down multitenant environments.
- **Publish WIT interfaces to GHCR** — By hosting WIT interfaces on GHCR, developers can more easily consume and version the definitions required to build wasmCloud-compatible components.
- **Customizable OutgoingHandler for HTTP runtime** — Developers building custom providers or specialized extensions can now fully customize how outgoing HTTP requests are processed, providing greater architectural flexibility.
---

## containerd v2.0.9

- Repo: https://github.com/containerd/containerd
- Date: 2026-05-20
- Web: https://releasecards.app/release/containerd/containerd/v2.0.9
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/containerd/containerd/v2.0.9.md

_Strengthening the core with security hardening and event reliability_

containerd v2.0.9 focuses on reinforcing the runtime's security posture and reliability. Key updates include a fix for CVE-2026-46680, hardening against race conditions during image extraction, and improvements to event handling that ensure container exit states are correctly captured even during daemon restarts.

- **Address CVE-2026-46680 security vulnerability** — Protects against a documented security vulnerability (CVE-2026-46680), ensuring the runtime remains a trusted foundation for container orchestration.
- **Hardened container security and tar extraction** — Reduces the attack surface by blocking AF_ALG sockets in the default profile and preventing race conditions during image extraction that could lead to file system manipulation.
- **Ensure container exit events are preserved during restarts** — Prevents a common edge case where container exit statuses are missed during runtime restarts, which often causes 'ghost' containers or inconsistent states in Kubernetes.
- **Fix sandbox service configuration and event publishing** — Improves stability for sandbox-based architectures (like Kata or Firecracker) by ensuring creation fields are correctly handled and events are properly routed.

---

## containerd v1.7.32

- Repo: https://github.com/containerd/containerd
- Date: 2026-05-20
- Web: https://releasecards.app/release/containerd/containerd/v1.7.32
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/containerd/containerd/v1.7.32.md

_Hardening the Foundation with Enhanced Security and Validation_

This patch release focuses on security hardening and stability.
It addresses CVE-2026-46680, improves seccomp defaults by blocking AF_ALG sockets, and fixes several edge cases in OCI spec handling and configuration parsing.

- **Security update for CVE-2026-46680** — Fixes a reported vulnerability (CVE-2026-46680) to ensure the runtime remains protected against potential exploits. Maintaining up-to-date security patches is critical for production container environments.
- **Block AF_ALG in default socket policy** — Hardens the default seccomp profile to block the AF_ALG (Algorithm) socket family, reducing the kernel attack surface for containers. This prevents potential exploitation of kernel crypto vulnerabilities.
- **Explicit error handling for out-of-range USER values** — Prevents unpredictable behavior and potential security bypasses by throwing an explicit error when a container image or runtime spec specifies a UID/GID that is out of range, rather than falling back to incorrect lookups.

---

## containerd v2.3.1

- Repo: https://github.com/containerd/containerd
- Date: 2026-05-20
- Web: https://releasecards.app/release/containerd/containerd/v2.3.1
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/containerd/containerd/v2.3.1.md

_Security hardening and runtime compatibility refinements_

This first patch release for the 2.3 series focuses on security hardening and stability. It addresses a specific CVE, tightens the default seccomp policy, and fixes several edge cases involving plugin initialization and non-runc runtime compatibility.

- **Security vulnerability fix for CVE-2026-46680** — Addresses a security vulnerability (CVE-2026-46680) to ensure the runtime remains protected against known exploits.
- **Hardened default seccomp policy by blocking AF_ALG** — Reduces the attack surface of containers by restricting the AF_ALG socket family in the default seccomp profile, preventing potential exploitation of kernel crypto interfaces.
- **Improved tolerance for failed gRPC plugins during startup** — Prevents the containerd daemon from failing to start if a specific gRPC plugin encounters an error, increasing the overall robustness of the service startup process.
- **Fixed sandbox task API endpoints for non-runc runtimes** — Ensures that sandbox-based runtimes (other than runc) correctly handle task API requests, improving compatibility for alternative container executors.

---

## OpenFGA v1.16.0

- Repo: https://github.com/openfga/openfga
- Date: 2026-05-20
- Web: https://releasecards.app/release/openfga/openfga/v1.16.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/openfga/openfga/v1.16.0.md

_Hardening authorization reliability and observability_

This release focuses on hardening the experimental high-performance Check engine and improving system resilience. Key updates include critical security patches for the Go runtime, finer control over datastore connectivity timeouts, and more detailed telemetry for authorization traces.

- **Go toolchain security update to 1.26.3** — By updating to Go 1.26.3, this release addresses vulnerabilities in the Go standard library, ensuring the authorization engine remains secure against known runtime exploits.
- **Reliability improvements for experimental Weighted Graph Check engine** — Users testing the new check engine will experience higher reliability. These fixes prevent incorrect 'false' access results caused by cache collisions and improper handling of cancelled requests, while also adding a fallback to the standard algorithm if errors occur.
- **Configurable datastore ping and retry timeouts** — Operators can now define specific timeouts for datastore pings, preventing the application from hanging indefinitely or failing prematurely during transient database connectivity issues.
- **Enhanced observability for Check and Trace spans** — Trace spans now include the 'allowed' result and 'tuple_key', making it significantly easier to debug authorization decisions and visualize access flows in external observability tools.

---

## Built on Envoy by Tetrate v0.5.0

- Repo: https://github.com/tetratelabs/built-on-envoy
- Date: 2026-05-20
- Web: https://releasecards.app/release/tetratelabs/built-on-envoy/v0.5.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/tetratelabs/built-on-envoy/v0.5.0.md

_Enhanced extensibility and smarter configuration with Envoy 1.38.0 support_

This release mandates Envoy 1.38.0 for Composer users to enable advanced configuration-time features. It introduces native filter orchestration, dynamic SAML metadata, and a more robust Go extension build process using c-shared libraries.

- **Composer now requires Envoy 1.38.0+** — If you use Go-based extensions (Composer), you must upgrade your Envoy binary to version 1.38.0 or later. This allows extensions to perform smarter actions, like making network calls during the initial configuration phase.
- **Orchestrate native Envoy filters from extension manifests** — You can now stitch together native Envoy filters and your custom extensions directly in manifest.yaml. This removes the need for manual, complex Envoy configuration files when your extension relies on standard Envoy features like protocol handling or authentication filters.
- **Run custom Envoy binaries via CLI** — You are no longer forced to use the Envoy versions provided by BOE. You can test your extensions against custom, locally-built, or experimental Envoy binaries by simply pointing to the file path.
- **Dynamic SAML metadata fetching via URL** — Setting up SAML is now much simpler and more resilient. You can point to a URL for Identity Provider metadata rather than copy-pasting XML into your config.
The system will automatically fetch, cache, and retry connection attempts, ensuring your service stays up even if the IdP is momentarily down during startup.
- **Improved Go extension build system and macOS support** — Compiling Go extensions is now more stable and faster thanks to a shift to c-shared libraries. This eliminates the 'dependency hell' often found with Go plugins and makes the local development experience on macOS smoother and more reliable.

---

## NATS v2.14.1

- Repo: https://github.com/nats-io/nats-server
- Date: 2026-05-20
- Web: https://releasecards.app/release/nats-io/nats-server/v2.14.1
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/nats-io/nats-server/v2.14.1.md

_Hardening the Core: Precision Fixes for JetStream and Raft Stability_

V2.14.1 is a stability-focused release addressing critical issues in JetStream state management, data integrity during encryption transitions, and Raft consensus reliability. It also introduces performance optimizations for large-scale subject trees and provides better monitoring granularity for user-facing client traffic.

- **Fix for Filestore Encryption Mode Conversion Corruption** — Prevents potential block-level data corruption when changing stream encryption modes, ensuring that the transition between encrypted and unencrypted storage is safe.
- **JetStream CPU Optimization and Resource Efficiency** — Reduces CPU overhead on JetStream follower nodes by only calculating pending message counts on the leaders, and improves response times in complex subject matching scenarios.
- **JetStream Consumer State and Redelivery Fixes** — Resolves various edge cases where message redelivery counters could drift or fail to flush, ensuring reliable 'exactly once' or 'at least once' delivery semantics.
- **New Client-Specific Traffic Metrics via /varz** — Provides granular visibility into standard client traffic versus system/administrative traffic, allowing operators to better monitor actual application throughput. - **Intelligent Compression Negotiation for Leafnodes** — Ensures that leafnode connections over already-compressed WebSockets don't attempt double-compression, saving CPU cycles and preventing protocol overhead. --- ## Flux v2.8.8 - Repo: https://github.com/fluxcd/flux2 - Date: 2026-05-20 - Web: https://releasecards.app/release/fluxcd/flux2/v2.8.8 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/fluxcd/flux2/v2.8.8.md _Hardening the GitOps core with security fixes and controller stability_ Flux v2.8.8 focuses on hardening the platform through critical security updates for go-git and resolving significant stability issues in the helm-controller. It also expands infrastructure compatibility by supporting GCP sovereign cloud registries and updating core dependencies like Kubernetes and Helm. - **Security patches for go-git vulnerabilities** — Addresses critical vulnerabilities in the go-git library that could potentially lead to denial of service or unauthorized access. This is vital for maintaining a secure GitOps supply chain. - **Fixes for memory leaks and reconciliation stalls** — Ensures long-term stability of the helm-controller by fixing a memory leak in the Kubernetes client and introducing timeouts to prevent reconciliation processes from hanging indefinitely. - **Support for GCP sovereign cloud artifact registries** — Enables platform engineers in regulated or specific geographic regions to use GCP sovereign cloud registries for their container images and Helm charts. 
- **Helm controller reliability and compliance improvements** — Resolves technical debt and bugs in Helm operations, including issues with long release names and the incorrect handling of non-CRD files in the CRDs directory, ensuring more predictable deployments. --- ## Backstage v1.51.0 - Repo: https://github.com/backstage/backstage - Date: 2026-05-19 - Web: https://releasecards.app/release/backstage/backstage/v1.51.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/backstage/backstage/v1.51.0.md _High-Performance Discovery and AI-Ready Infrastructure_ This release delivers a significant performance overhaul to the Catalog backend, especially for large-scale installations, alongside the promotion of Scaffolder form decorators to stable. It also pushes forward the new Backstage UI system with accessible date and selection components, while adding support for AI/MCP resources to keep the portal at the center of the modern developer stack. - **Major Catalog Performance and Database Optimizations** — Massive performance boosts for large catalogs: paginated listing times drop from seconds to milliseconds, and facet aggregation is up to 7x faster due to database indexing and query optimizations. - **UI System Evolution and New Accessible Components** — The Backstage Design System (BUI) introduces accessible DatePickers and Comboboxes, but also removes several legacy CSS classes and updates React Aria dependencies which may impact custom component styling. - **AI Resource Kind and MCP Server Support** — Developers can now model AI resources and Model Context Protocol (MCP) servers directly in the catalog, enabling better discovery and management of AI-driven capabilities. - **Stable Scaffolder Form Decorators and Experimental UI Theme** — Scaffolder form decorators are now stable, and a new experimental BUI theme allows platform engineers to provide a more modern, consistent creation experience for developers. 
- **Incremental Microsoft Graph Ingestion** — The new incremental ingestion module for MS Graph prevents out-of-memory errors on large datasets by processing users and groups in chunks while persisting progress. --- ## SPIFFE/SPIRE v1.15.0 - Repo: https://github.com/spiffe/spire - Date: 2026-05-19 - Web: https://releasecards.app/release/spiffe/spire/v1.15.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.15.0.md _Hardened Supply Chains and Enhanced Secret Management_ SPIRE v1.15.0 introduces a major breaking change to CLI JSON output and graduates Sigstore support to a stable feature. The release expands the ecosystem with a new HashiCorp Vault Key Manager, adds PROXY protocol support for better traffic management behind load balancers, and includes critical stability fixes for Azure and AWS integrations. - **CLI JSON output format change** — If you use scripts to parse the JSON output of the SPIRE CLI, you will need to update them. Objects are no longer wrapped in single-element arrays (slices), which simplifies the data structure but breaks compatibility with parsers expecting the old format. - **HashiCorp Vault Key Manager plugin added** — This allows users to offload SPIRE Server private key management to HashiCorp Vault, enhancing security posture by ensuring keys are stored in a dedicated, hardened hardware or software security module rather than on the local file system. - **PROXY protocol support for accurate rate limiting** — Operators running SPIRE behind load balancers can now enforce accurate rate limiting. By supporting the PROXY protocol, SPIRE can see the true source IP of the client rather than the load balancer's IP, preventing one aggressive client from triggering a rate limit that affects all users. - **Sigstore support promoted to stable** — Sigstore-based image verification is now a stable feature. 
This provides a production-ready way to ensure that only cryptographically signed and verified container images are granted identities, significantly hardening the software supply chain for Kubernetes and Docker environments. --- ## Envoy Gateway v1.8.0 - Repo: https://github.com/envoyproxy/gateway - Date: 2026-05-19 - Web: https://releasecards.app/release/envoyproxy/gateway/v1.8.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/envoyproxy/gateway/v1.8.0.md _Extensible Intelligence and Cross-Boundary Control_ Envoy Gateway v1.8.0 introduces significant extensibility with Dynamic Modules and GeoIP support, alongside powerful new traffic management features like bandwidth limiting and cross-namespace policy attachment. The release also focuses on stability with numerous fixes for OIDC, rate limiting, and local load balancing. - **Support for Dynamic Modules** — You can now extend the gateway functionality using Envoy's Dynamic Modules, allowing you to run custom C++ or Rust code within the data plane for specialized traffic processing needs. - **Cross-Namespace Policy Attachment and Merging** — You can now apply traffic policies across namespace boundaries, providing greater flexibility in how you manage and apply security and backend policies in multi-tenant environments. - **GeoIP Support and Location-Based Routing** — You can now perform traffic routing and filtering based on geographic location data, enabling use cases like regional redirection or localized access control. - **Advanced Load Balancing and Locality-Aware Routing** — You now have more granular control over traffic distribution, including the ability to weight traffic based on locality zones and support for client-side weighted round-robin load balancing. 
- **Enhanced Traffic Management: Bandwidth Limits and Admission Control** — Users can now configure bandwidth limits, admission control, and improved retry budgets within BackendTrafficPolicies to better protect upstream services from overload. --- ## Keycloak 26.6.2 - Repo: https://github.com/keycloak/keycloak - Date: 2026-05-19 - Web: https://releasecards.app/release/keycloak/keycloak/26.6.2 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/keycloak/keycloak/26.6.2.md _Fortifying the IAM Perimeter: Critical Security and Stability Hardening_ Keycloak 26.6.2 is primarily a security-focused maintenance release that patches a significant number of vulnerabilities (including session fixation and DoS vectors). It also provides critical bug fixes for session management and improves the upgrade experience for high-availability clusters. - **Critical Security Patch: 16+ CVEs Resolved** — This release addresses a massive haul of security vulnerabilities including OIDC session fixation, account takeover risks, and Denial of Service (DoS) vectors. For IAM administrators, this is a critical mandatory update to protect user identities and maintain system availability. - **Stability and Session Management Fixes** — Addresses critical stability issues like the user session limit fatal error and failures during realm imports when Admin Permissions are enabled. Administrators can now manage high-traffic environments and complex configurations with fewer runtime crashes. - **Core Platform Upgrade to Quarkus 3.33.1.1** — Upgrading the underlying framework ensures Keycloak benefits from the latest performance optimizations, security patches, and stability improvements inherited from the Quarkus ecosystem. 
--- ## Istio 1.30.0 - Repo: https://github.com/istio/istio - Date: 2026-05-18 - Web: https://releasecards.app/release/istio/istio/1.30.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/istio/istio/1.30.0.md _Solidifying Ambient Mesh and Gateway API Sovereignty_ Istio 1.30 focuses heavily on maturing the Ambient Mesh architecture and aligning with the latest Kubernetes Gateway API standards. Key changes include the introduction of CIDR support for ztunnel, TLSRoute termination, and a significant bump in the minimum supported Kubernetes version to 1.32. This release also brings stability fixes for AWS environments and better memory management for the control plane agent. - **Foundation for Ambient Mesh CIDR Support and Connection Strategies** — This simplifies mesh adoption by allowing traffic management without sidecar proxies, reducing operational overhead and memory usage across the cluster. - **TLSRoute Termination and Mixed Mode Support** — Users can now use standard Kubernetes Gateway API resources to terminate TLS traffic or use mixed protocol modes, aligning Istio more closely with cloud-native ingress standards. - **Minimum Kubernetes Version Bumped to 1.32** — Users planning to upgrade must ensure their Kubernetes clusters are running at least version 1.32, which may require a platform-level upgrade before Istio 1.30 can be deployed. - **Deterministic Memory Limits for Pilot Agent (gomemlimit)** — Prevents the Pilot Agent from consuming excessive memory, improving the stability of the control plane in high-traffic or resource-constrained environments. - **Fix Kubelet Probe Failures for AWS VPC CNI with Security Groups for Pods** — Ensures that Kubelet health probes function correctly in AWS environments using specific security group configurations, preventing false-positive pod restarts. 
--- ## Skybridge v1.0.0 - Repo: https://github.com/alpic-ai/skybridge - Date: 2026-05-18 - Web: https://releasecards.app/release/alpic-ai/skybridge/v1.0.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/alpic-ai/skybridge/v1.0.0.md _Skybridge v1: From Local Experiments to Production-Ready Tools_ Skybridge v1.0.0 marks a major milestone with a unified API that merges tools and widgets into a single flow, alongside a powerful new Devtools suite featuring HTTP tunneling and a compliance auditor. This release also introduces production-ready deployment options for Cloudflare and Docker while necessitating several breaking changes to project structure and naming conventions. - **Unified Tooling API and Project Restructure** — The consolidated API reduces boilerplate and makes tool definitions type-safe. However, you must update your code to move widget configurations into tool definitions and rename various imports and project directories to remain functional. - **Revamped Devtools with HTTP Tunneling and LLM Playground** — You can now test your local server directly with ChatGPT or Claude via one-click tunneling, use the LLM playground for debugging, and run compliance audits to ensure your server meets app store guidelines. - **Official Support for Cloudflare Workers and Docker** — You can now deploy Skybridge servers on Cloudflare Workers or via Docker, providing a much clearer path from local development to production-grade hosting. - **Exposed Express Instance for Custom Endpoints** — By exposing the underlying Express instance, you are no longer limited to MCP protocols. You can now build custom endpoints alongside your Skybridge tools on the same server. 
--- ## Helm v3.21.0 - Repo: https://github.com/helm/helm - Date: 2026-05-14 - Web: https://releasecards.app/release/helm/helm/v3.21.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/helm/helm/v3.21.0.md _Keeping Pace with Kubernetes 1.36 and Strengthening OCI Workflows_ Helm v3.21.0 focuses on ecosystem alignment and reliability, featuring an upgrade to Kubernetes 1.36 client libraries, critical security patches for OpenTelemetry, and improved handling of OCI image indices and chart value merging. - **Support for Kubernetes 1.36 Client Libraries** — Keeping Helm aligned with the latest Kubernetes client libraries ensures compatibility with new API features and maintains the reliability of your deployment pipeline as you upgrade your clusters to newer K8s versions. - **Preserve Nil Values during Chart Coalescence** — This improves the consistency of value merging. Users who need to explicitly nullify keys in their overrides (e.g., to disable a feature or remove a default resource) will find that their nil values are no longer ignored when the base chart defaults involve empty maps. - **Improved OCI Support for Image Indices** — This expands the compatibility of Helm's OCI support, allowing operators to seamlessly pull and install charts stored within multi-architecture or multi-platform container image indices. - **Security Patches for OpenTelemetry Dependencies** — Operators can maintain a more secure posture by upgrading to this version, which mitigates known vulnerabilities in the OpenTelemetry dependencies used by Helm. 
--- ## Helm v4.2.0 - Repo: https://github.com/helm/helm - Date: 2026-05-14 - Web: https://releasecards.app/release/helm/helm/v4.2.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/helm/helm/v4.2.0.md _Refining Deployment Precision and Ecosystem Compatibility_ Helm v4.2.0 introduces improved validation for server-side dry runs, adds TOML support to the templating engine, and resolves several long-standing issues with value merging and OCI registry interactions. It also updates core dependencies to ensure alignment with the latest Kubernetes ecosystem. - **Dry-run server mode now respects generateName** — Chart developers can now validate resources that use generated names (via generateName) during server-side dry runs, improving the reliability of CI/CD pre-flight checks. - **Enhanced nil value handling in chart coalescing** — Fixes critical issues where nil values in charts could be incorrectly ignored or handled during value merging (coalescing), ensuring more predictable deployment configurations. - **Significant template and post-renderer stability fixes** — Addresses several edge cases in the templating engine, including issues with YAML line endings and post-rendering hook conflicts, leading to more stable deployments. - **Upgrade Kubernetes client libraries to v1.36 and Go to 1.26** — Keeping up with the latest Kubernetes client libraries ensures compatibility with the newest cluster features and security improvements. 
--- ## Cilium v1.17.16 - Repo: https://github.com/cilium/cilium - Date: 2026-05-13 - Web: https://releasecards.app/release/cilium/cilium/v1.17.16 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/cilium/cilium/v1.17.16.md _Strengthening Security and Policy Integrity in the Networking Layer_ This release addresses a critical security concern regarding traffic hijacking via CiliumLocalRedirectPolicy, improves IPSec stability, and enhances observability for IPAM synchronization. It also provides better flexibility for custom container registries in enterprise environments. - **Prevent cross-namespace traffic hijacking in LocalRedirectPolicy** — Prevents a security vulnerability where a LocalRedirectPolicy could be used to hijack traffic from another namespace. It also ensures service stability by preventing map corruption during policy deletions. - **Critical bugfixes for IPSec stability and static pod identity resolution** — Improves cluster-wide security and stability by preventing potential node crashes when processing malformed IPSec packets and ensuring correct security identity resolution for static pods. --- ## Jaeger v2.18.0 - Repo: https://github.com/jaegertracing/jaeger - Date: 2026-05-13 - Web: https://releasecards.app/release/jaegertracing/jaeger/v2.18.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/jaegertracing/jaeger/v2.18.0.md _AI-Ready Tracing and Storage Modernization_ v2.18.0 focuses on modernizing both the backend and frontend, introducing significant experimental features for AI-assisted tracing via the Model Context Protocol (MCP) and expanded ClickHouse support. While it brings breaking changes to metrics and legacy browser support, it delivers improved usability through auto-path detection, service filtering in the UI, and enhanced header forwarding for secure storage backends. 
- **Metrics schema changes and Metricstore API reduction** — Upgrading OpenTelemetry collector packages has resulted in changes to exported metrics. Users with monitoring dashboards or alerts based on Jaeger internal metrics should verify their configurations against the new OTel standards. Additionally, the removal of the min_step API from the metricstore may affect custom integrations using this specific endpoint. - **Configurable header forwarding for storage backends** — Users can now forward custom headers to Elasticsearch, OpenSearch, and gRPC storage backends. This is critical for environments where storage backends require specific authentication headers, tenancy IDs, or routing metadata. - **Experimental AI integration and ClickHouse SPM enhancements** — This release introduces foundational support for Model Context Protocol (MCP) and AI-driven analysis, including a Gemini agent for tracing. Experimental ClickHouse storage support is also significantly expanded with Service Performance Monitoring (SPM) capabilities like call rates and latency reporting. - **Auto-detection of UI base path from browser URL** — The UI and Backend can now automatically detect the base URL path. This greatly simplifies deployments behind reverse proxies or in sub-paths (e.g., /jaeger/) by eliminating the need for manual path configuration. - **Improved UI navigation and service filtering** — Users gain better control over large traces with a new service filter in the timeline. Several UI bugs were fixed, including keyboard accessibility for tree navigation, timeline resizing in embedded mode, and alphabetized service sorting. 
--- ## Argo v3.3.10 - Repo: https://github.com/argoproj/argo-cd - Date: 2026-05-12 - Web: https://releasecards.app/release/argoproj/argo-cd/v3.3.10 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/argoproj/argo-cd/v3.3.10.md _Strengthening Security and Core Stability_ This patch release focuses on strengthening security through Go runtime updates and secret masking, while also addressing stability issues related to permission validation and UI logging. - **Address CVEs with Go 1.25.9 update** — Updating the underlying Go version addresses known vulnerabilities, ensuring the Argo CD control plane remains secure against potential exploits targeting the runtime environment. - **Mask secrets in server-side diff results** — This ensures that sensitive information remains masked when performing server-side diffs, maintaining the confidentiality of your secrets within the GitOps workflow. - **Prevent crash in permission validator** — Prevents unexpected controller crashes during permission validation, which improves the overall availability and reliability of the Argo CD instance. --- ## llm-d v0.7.0 - Repo: https://github.com/llm-d/llm-d - Date: 2026-05-12 - Web: https://releasecards.app/release/llm-d/llm-d/v0.7.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/llm-d/llm-d/v0.7.0.md _Next-Gen Foundations: CUDA 13, Blackwell Support, and Simplified UX_ Release v0.7.0 is a foundational update that shifts the core runtime to CUDA 13, introduces support for NVIDIA Blackwell (GB200) GPUs, and simplifies the initial user experience with a new standalone deployment mode. It also features a massive overhaul of documentation and deployment guides to improve discoverability and ease of use. - **Upgrade to CUDA 13.0.2 and Mandatory Driver Update** — Existing users must upgrade their host NVIDIA drivers to version 580 or later before deploying this version. 
This change enables the latest CUDA features and performance improvements but will cause deployment failures on older infrastructure. - **Initial Support for NVIDIA Blackwell (GB200) GPUs** — You can now run inference workloads on the latest NVIDIA Blackwell hardware, ensuring your LLM infrastructure is ready for next-generation GPU performance. - **Simplified Default Deployment with Standalone Mode** — Deployment is now easier for new users or non-production environments. You no longer have to struggle with complex gateway configurations to get started; the system now defaults to a simple proxy-based "standalone mode" while keeping the powerful gateway options available for production use. - **Migration of Deployment Guides to Kustomize** — The migration from Helmfile to Kustomize for several core guides makes it easier to manage and customize your deployments using standard Kubernetes native tools, reducing the overhead of managing third-party templating binaries. - **Expanded Hardware Support and Performance Optimizations** — You can now scale and optimize workloads across a broader range of hardware, including new support for Rebellions accelerators and improved tiered prefix caching on TPU and AWS EFS. --- ## Flux v2.8.7 - Repo: https://github.com/fluxcd/flux2 - Date: 2026-05-12 - Web: https://releasecards.app/release/fluxcd/flux2/v2.8.7 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/fluxcd/flux2/v2.8.7.md _Securing GitOps pipelines and stabilizing resource reconciliation_ Flux v2.8.7 focuses on securing the Git transport layer through a go-git update and resolving a specific reconciliation bug that caused churn for cluster-scoped resources using the ssa: IfNotPresent annotation. - **Security patch for go-git (CVE-2026-45022)** — This update addresses CVE-2026-45022 in the go-git library used by both the source and image-automation controllers. 
Upgrading ensures your GitOps pipelines remain protected against known security vulnerabilities in Git communication. - **Fix reconciliation loop for IfNotPresent resources** — This fixes a bug where cluster-wide (non-namespaced) resources marked with the 'IfNotPresent' annotation were being unnecessarily deleted and recreated every time Flux ran. This improves stability for infrastructure components and prevents potential downtime for shared resources. --- ## OpenTelemetry v0.152.0 - Repo: https://github.com/open-telemetry/opentelemetry-collector - Date: 2026-05-11 - Web: https://releasecards.app/release/open-telemetry/opentelemetry-collector/v0.152.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/open-telemetry/opentelemetry-collector/v0.152.0.md _Hardening Collector Observability and Pipeline Stability_ This release focuses on improving the stability and observability of the collector itself. Key updates include better monitoring for exporter saturation, fixes for configuration regressions that affected Prometheus metric naming, and increased robustness when handling compressed HTTP traffic. It also cleans up significant log noise for gRPC users and ensures data consistency by removing unnecessary HTML escaping in telemetry values. - **New in-flight request metric for exporters** — Operators can now accurately monitor how many requests are being processed by an exporter at any given moment. This is critical for identifying bottlenecks, right-sizing worker pools, and detecting when downstream backends are slowing down. - **Fixed Prometheus metric name consistency in telemetry configuration** — Internal metrics will now remain consistent even if you change the telemetry host. Previously, modifying the telemetry config could unexpectedly change your Prometheus metric names (e.g., adding unit suffixes), which could break existing dashboards and alerts. 
- **Hardened HTTP decompression and resource management** — The collector is now more resilient against malformed or malicious compressed payloads. By enforcing size limits before allocation and catching library panics, memory exhaustion and service crashes are less likely when processing Snappy-compressed data. --- ## Volcano v1.12.4 - Repo: https://github.com/volcano-sh/volcano - Date: 2026-05-09 - Web: https://releasecards.app/release/volcano-sh/volcano/v1.12.4 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/volcano-sh/volcano/v1.12.4.md _Fortifying Cluster Stability and Scheduling Integrity_ This security-focused update addresses a critical denial-of-service vulnerability in the webhook server while improving the reliability of multi-queue preemption logic and scheduler startup synchronization. - **Prevent Webhook Server OOM via CVE-2026-44247 Mitigation** — Unbounded HTTP request sizes could allow malicious or misconfigured pods to crash the Volcano webhook server via Out-of-Memory (OOM) errors. Fixing this ensures the stability of the cluster admission control process and prevents denial-of-service attacks inside your environment. - **Improved Preemption Logic and Queue Ordering Accuracy** — This fix ensures that the scheduler respects queue priorities and prevents data overwrites when multiple queues are competing for resources. It provides more predictable and reliable preemption behavior for high-priority AI/ML and HPC workloads. - **Synchronized Event Handler and Scheduling Cycle Startup** — By ensuring synchronization between the event handler and the scheduling cycle, this change prevents race conditions where the scheduler might start before the system is fully ready to handle incoming events, leading to more stable job placement. 
--- ## Volcano v1.13.3 - Repo: https://github.com/volcano-sh/volcano - Date: 2026-05-09 - Web: https://releasecards.app/release/volcano-sh/volcano/v1.13.3 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/volcano-sh/volcano/v1.13.3.md _Fortifying Cluster Stability and Scheduling Integrity_ Volcano v1.13.3 is a critical security and stability update. It addresses a moderate-severity CVE related to webhook server memory exhaustion and resolves several logic errors in the scheduler regarding task preemption and queue ordering. Users running large-scale batch workloads should upgrade to ensure cluster availability and scheduling accuracy. - **Mitigate OOM vulnerability in Webhook Server (CVE-2026-44247)** — This patch closes a vulnerability where large malicious requests could crash the webhook server. For cluster operators, this ensures the stability of the admission control process and prevents denial-of-service attacks that could stall job submission. - **Corrected multi-queue preemption and QueueOrder logic** — This fix ensures that the scheduler respects configured queue priorities during preemption. AI and HPC users sharing clusters can now trust that high-priority queues will correctly reclaim resources from lower-priority ones as expected. - **Reduce memory overhead with optimized snapshot deepcopy** — By removing redundant deepcopy operations during scheduling snapshots, the scheduler reduces memory overhead and CPU cycles. This promotes faster scheduling cycles, especially in large-scale environments with many pods and nodes. 
--- ## Volcano v1.14.2 - Repo: https://github.com/volcano-sh/volcano - Date: 2026-05-09 - Web: https://releasecards.app/release/volcano-sh/volcano/v1.14.2 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/volcano-sh/volcano/v1.14.2.md _Strengthening the Foundation: Security Hardening and Scheduler Stability_ Volcano v1.14.2 is a critical maintenance release focusing on hardening security and resolving several race conditions that could lead to scheduler panics. Key updates include a fix for a moderate-severity vulnerability in the webhook server, improvements to queue validation, and enhanced stability for parallel scheduling in the Agent Scheduler. - **Fix CVE-2026-44247: Webhook Server OOM Vulnerability** — This prevents a network-based denial-of-service attack where an attacker could crash the Volcano webhook server by sending massive request bodies, ensuring the stability and availability of your job submission endpoint. - **Elimination of Scheduler Panics and Concurrent Write Errors** — These changes resolve critical instability issues that could cause the Volcano scheduler to crash or hang due to race conditions during high-concurrency scheduling cycles, ensuring your AI/ML workloads aren't interrupted by scheduler failures. - **Enhanced Queue Validation and Capacity Logic** — Cluster operators can now rely on more accurate resource enforcement for root queues and hierarchical sub-groups, preventing jobs from exceeding resource limits due to validation oversights or missing metadata. - **Refined Preemption and Task Priority Handling** — Ensures that preemption logic correctly respects high-priority tasks and queue ordering, preventing lower-priority jobs from accidentally blocking critical high-performance workloads during resource contention. 
--- ## wasmCloud v2.1.0 - Repo: https://github.com/wasmCloud/wasmCloud - Date: 2026-05-07 - Web: https://releasecards.app/release/wasmCloud/wasmCloud/v2.1.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/wasmCloud/wasmCloud/v2.1.0.md _Hardened Security and Precise Orchestration_ This release focuses on hardening the platform's security posture and improving the reliability of distributed deployments. Key updates include new plugin support for services, refined workload readiness gating in the operator, and enhanced deployment targeting via host locations and namespaces. Developers also benefit from better HTTP error reporting and streamlined Rust templates. - **Plugin support in services** — Provides greater flexibility and extensibility by allowing services to use plugins, enabling more complex and modular application architectures. - **Improved workload readiness and deployment gating** — Ensures Kubernetes-based deployments are more predictable and stable by preventing workloads from being marked as 'Ready' until the underlying replicas and NATS subscriptions are fully established. - **Host location and namespace deployment support** — Enhanced deployment targeting allows architects to more precisely control where workloads land based on host location and namespaces, improving multi-tenant and geo-distributed configurations. - **Typed RouteError with accurate HTTP status codes** — Developers get more accurate error feedback when debugging HTTP services, as the system now returns specific RouteErrors with the correct HTTP status codes instead of generic failures. - **Software supply chain hardening and security upgrades** — Strengthens the runtime security posture by upgrading Wasmtime and adding automated security auditing tools like Cargo Audit, OpenSSF Scorecard, and CodeQL. 
--- ## Envoy AI Gateway v0.6.0 - Repo: https://github.com/envoyproxy/ai-gateway - Date: 2026-05-06 - Web: https://releasecards.app/release/envoyproxy/ai-gateway/v0.6.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/envoyproxy/ai-gateway/v0.6.0.md _Production-Ready AI Networking with Universal Provider Translation_ Envoy AI Gateway v0.6.0 achieves production stability with v1beta1 APIs and introduces significant cross-provider translation features, including unified reasoning controls and Anthropic-to-OpenAI compatibility. - **Core APIs Promoted to v1beta1** — The core APIs are now production-ready. You can start building stable production workflows with confidence that the API structure for routes, backends, and security policies is settled. - **Unified Reasoning Control Across Providers** — You can now use a single OpenAI-style 'reasoning_effort' setting to control 'thinking' behaviors across Anthropic, OpenAI, and Gemini. This makes it trivial to switch between top-tier models without rewriting your request logic. - **Anthropic-to-OpenAI Protocol Translation** — If you have tools or apps built for Anthropic's API, you can now point them at OpenAI or Azure OpenAI backends through the gateway without changing a single line of client code. - **Native GKE Workload Identity Support** — Cloud operators on GKE no longer need to manage risky, static service account JSON keys. The gateway now automatically authenticates with Google Cloud using native Workload Identity. - **Expanded OpenAI-Compatible Embeddings Support** — You can now use Gemini and AWS Bedrock (Titan) models for embeddings using the standard OpenAI API format, simplifying multi-cloud AI architectures. 
--- ## Argo v3.4.1 - Repo: https://github.com/argoproj/argo-cd - Date: 2026-05-06 - Web: https://releasecards.app/release/argoproj/argo-cd/v3.4.1 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/argoproj/argo-cd/v3.4.1.md _Elevating ApplicationSet Visibility and Controller Scale_ This release introduces major UI and API enhancements for ApplicationSets, including a new tree view and health reporting. It also aligns Kubernetes versioning logic with Helm 3.19.0, which requires a manual update to cluster secret labels. Performance optimizations for large-scale cluster management and new security hardening for authentication sessions are also key highlights. - **Strict Kubernetes Version Formatting in ApplicationSets** — If you use ApplicationSets with Cluster Generators that filter clusters by version, you must update your cluster secrets to use the vMajor.Minor.Patch format. Failing to do so will break cluster discovery for these automation sets. - **Comprehensive ApplicationSet Management UI** — Managing large-scale deployments becomes much easier with dedicated list pages, filters, a resource tree view, and health status fields directly for ApplicationSets. - **Per-Cluster Reconciliation Control** — Platform engineers can now pause reconciliation for specific clusters via annotations, providing a safe way to perform maintenance or stop syncs on a single target without affecting the entire Argo CD instance. - **Wildcard Support for Helm valueFiles** — Users of Helm-based applications can now use wildcard patterns for value files, simplifying the management of environments with numerous or dynamic configuration files. - **Enhanced Controller Performance and Scalability** — Large-scale users will notice faster reconciliation and reduced resource consumption thanks to optimizations in how the controller handles cluster secrets and application cache synchronization. 
--- ## Longhorn v1.11.2 - Repo: https://github.com/longhorn/longhorn - Date: 2026-05-05 - Web: https://releasecards.app/release/longhorn/longhorn/v1.11.2 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/longhorn/longhorn/v1.11.2.md _Strengthening Cluster Scheduling and Control Plane Efficiency_ This maintenance release focuses on stabilizing the scheduling engine and optimizing control plane resource consumption. Key updates include a fix for CSI storage capacity reporting in heterogeneous clusters, memory optimizations for the longhorn-manager, and guards against node exhaustion during slow backup operations. - **Configurable CSI Storage Capacity reporting for compute-only nodes** — Ensures pods using late binding volume scheduling (WaitForFirstConsumer) can still be scheduled on compute-only nodes. This is critical for architectures that separate storage and compute nodes. - **Memory usage optimization for Longhorn Manager pods** — Reduces the resource footprint of the Longhorn control plane, which is especially beneficial in large clusters with many resources where the manager pod might otherwise consume excessive memory. - **Prevention of node exhaustion during high-latency NFS backups** — Prevents system instability and resource exhaustion that previously occurred when slow NFS backup targets caused a buildup of inspection processes. --- ## in-toto v3.1.0 - Repo: https://github.com/in-toto/in-toto - Date: 2026-05-04 - Web: https://releasecards.app/release/in-toto/in-toto/v3.1.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/in-toto/in-toto/v3.1.0.md _Hardening the Foundation of Supply Chain Integrity_ This release focuses on bolstering the security foundation of the in-toto framework through an extensive series of dependency updates, including cryptography and securesystemslib. 
It also streamlines metadata handling by adopting standardized payload retrieval methods and refreshes the Debian packaging and test infrastructure to ensure better environment compatibility and reliability for core supply chain security tasks. - **Critical Security Dependency Updates** — Updates to cryptography and securesystemslib ensure that in-toto continues to use the most secure and up-to-date cryptographic primitives for signing and verifying metadata, which is the core of your supply chain trust. - **Standardized Metadata Payload Handling** — Replacing manual payload extraction with the standardized Envelope.get_payload method improves the reliability and efficiency of processing signed metadata (DSSE envelopes). - **Improved System Integration and Debian Refresh** — Removing the check for hardcoded return values and refreshing Debian-specific build configurations makes the project more resilient to different environment setups and easier to package for Linux distributions. - **Improved Test Suite Reliability** — Updates to the test suite ensure that the framework can be reliably validated across different Python environments, preventing accidental regressions in production. --- ## containerd v2.3.0 - Repo: https://github.com/containerd/containerd - Date: 2026-04-30 - Web: https://releasecards.app/release/containerd/containerd/v2.3.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/containerd/containerd/v2.3.0.md _Building a Long Term Stable Foundation for the Container Ecosystem_ The containerd 2.3.0 release establishes a new Long Term Stable (LTS) baseline aligned with the Kubernetes release cycle. It introduces significant enhancements to the Node Resource Interface (NRI) for deeper container customization, improves modern image storage formats like EROFS, and provides better observability through integrated tracing. 
This release prioritizes long-term operational reliability and closer integration with the broader cloud-native ecosystem. - **First annual Long Term Stable (LTS) release and new cadence** — This marks a major shift in maintenance, providing a reliable 2-year support window and tested upgrade paths from previous versions like 1.7, which is critical for enterprise stability. - **Major Node Resource Interface (NRI) enhancements** — Extensions and plugins now have significantly more visibility into container state, including security policies, resource limits, and network device configurations, allowing for more sophisticated node-level customizations. - **Advanced image storage with EROFS and dm-verity support** — Improved support for EROFS and dm-verity provides better performance and security for read-only container images, which is ideal for immutable infrastructure and edge computing. - **Enhanced observability with Trace ID logging and OpenTelemetry propagation** — Operators gain better visibility into container lifecycles by being able to correlate system logs with request traces across the container runtime stack. - **CRI improvements for User Namespaces and resource tracking** — Kubernetes users can now run containers in isolated user namespaces while still using host networking, and benefit from more accurate CPU usage metrics through the new background stats collector. --- ## Open Policy Agent v1.16.0 - Repo: https://github.com/open-policy-agent/opa - Date: 2026-04-30 - Web: https://releasecards.app/release/open-policy-agent/opa/v1.16.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/open-policy-agent/opa/v1.16.0.md _Enhanced Metadata and Visibility (with a Shutdown Warning)_ v1.16.0 introduces extended metadata capabilities for the Data API and native URI handling, but is marred by a critical shutdown regression. 
While it fixes a significant logging bug from v1.15.x, users are strongly urged to skip this release for v1.16.1. - **Regression Alert: Service hang on shutdown** — A critical bug was discovered in the plugin manager that can cause OPA to lock up during shutdown. You should avoid this version and move to v1.16.1 immediately to ensure operational stability. - **Data API Request/Response Metadata** — Developers can now pass and receive custom metadata through the Data API. This is powerful for 'wrapping' OPA in other services, allowing you to pass correlation IDs, versioning info, or environment context through to your policies and back into decision logs. - **Fix for missing bundle and print() logs** — Restores visibility into system operations by fixing a bug where bundle download logs and print() statements were being silently dropped. This is essential for debugging and auditing policy distribution. - **Native URI parsing and validation built-ins** — Simplifies Rego logic for validating and slicing URLs. Instead of complex regex or string manipulation, you can now natively verify if a string is a valid URI and extract its scheme, host, or path with high reliability. - **Prometheus metrics via OTLP** — Enables better observability by allowing Prometheus metrics to be exported via the OpenTelemetry Protocol (OTLP), streamlining integration with modern cloud-native monitoring pipelines. --- ## NATS v2.14.0 - Repo: https://github.com/nats-io/nats-server - Date: 2026-04-30 - Web: https://releasecards.app/release/nats-io/nats-server/v2.14.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/nats-io/nats-server/v2.14.0.md _Turbocharged Ingestion and Intelligent Automation_ A major release focused on extreme ingest performance, advanced scheduling capabilities, and operational stability. 
Key additions include batch publishing optimizations, internal cron-like scheduling for messages, and asynchronous snapshotting to eliminate latency spikes. The release also introduces a Consumer Reset API and more flexible Leafnode management for edge users. - **High-speed fast-ingest batch publishing for JetStream** — High-throughput publishers can now push message batches significantly faster, reducing overhead and increasing the overall ingestion capacity of the server. This is critical for high-volume telemetry or logging use cases. - **Native cron-based and repeating message scheduling** — Users can now natively automate message delivery on a schedule (e.g., '@hourly' or '0 0 * * *') without building external cron services. This enables powerful patterns like scheduled report generation or periodic state sampling directly within the messaging layer. - **Asynchronous stream state snapshots for lower tail latency** — By taking stream snapshots asynchronously, NATS prevents the 'pauses' that typically occur during snapshotting. This results in much smoother tail latencies for replicated streams, especially those with many message deletions. - **New Consumer Reset API for easier message reprocessing** — Operators can now rewind or adjust a consumer's position in a stream without the destructive 'delete and recreate' cycle. This simplifies error recovery and data reprocessing workflows. - **Runtime configuration reloading for Leafnode remotes** — Edge deployments become more flexible as Leafnode remote connections can now be modified or added without restarting the NATS server, reducing downtime in dynamic environments. 
--- ## Vitess v24.0.0 - Repo: https://github.com/vitessio/vitess - Date: 2026-04-30 - Web: https://releasecards.app/release/vitessio/vitess/v24.0.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/vitessio/vitess/v24.0.0.md _Advanced Analytical Queries meets High-Speed Reliability_ Vitess v24.0.0 delivers major performance and architectural improvements, highlighted by window function pushdown for sharded data and native MySQL CLONE support for rapid replica provisioning. It also introduces critical modernizations, including structured JSON logging, native OpenTelemetry integration, and the ability to stream binlogs directly through VTGate via standard MySQL protocols. Security is also improved by changing how backup decompressors are handled during restores. - **Window function pushdown for sharded keyspaces** — You can now execute window functions on sharded tables as long as the partitioning matches your vindex. This removes a major blocker for complex analytical queries that previously required single-shard routing. - **Native MySQL CLONE support for replica provisioning** — Restoring replicas is now significantly faster using MySQL's native CLONE plugin, which performs physical-level data copies over the network rather than slower logical backup/restore processes. - **VTGate Binlog Streaming support via MySQL Protocol** — You can now stream binlogs directly from VTGate via the standard MySQL protocol or gRPC. This allows external tools and custom clients to consume change data without needing direct access to MySQL masters or writing VStream-specific code. - **Secure restore defaults: MANIFEST decompressors disabled by default** — To prevent potential security vulnerabilities where an attacker could execute arbitrary code via a backup MANIFEST, Vitess now ignores manifest-based decompressors by default. You must explicitly opt-in if your backup recovery process relies on this. 
- **Standardized Structured JSON Logging** — Vitess has moved to structured JSON logging by default. This makes it much easier to ingest, parse, and analyze logs in modern observability stacks like ELK or Datadog. Note that the legacy glog backend is now deprecated. --- ## Backstage v1.50.4 - Repo: https://github.com/backstage/backstage - Date: 2026-04-29 - Web: https://releasecards.app/release/backstage/backstage/v1.50.4 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/backstage/backstage/v1.50.4.md _Catalog Security Hardening Phase_ This maintenance release focuses exclusively on security hardening for the Backstage Catalog, specifically addressing vulnerabilities within the unprocessed entities plugins and backend modules. - **Critical security patches for Unprocessed Entities plugins** — Vital security updates protect your developer portal from vulnerabilities related to how unprocessed catalog entities are handled. Platform engineers should update immediately to ensure the integrity and security of their catalog backend. --- ## KServe v0.18.0 - Repo: https://github.com/kserve/kserve - Date: 2026-04-29 - Web: https://releasecards.app/release/kserve/kserve/v0.18.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kserve/kserve/v0.18.0.md _Scaling LLMs to New Heights with Multi-Node Elasticity and Enhanced Security_ v0.18.0 delivers a massive leap in Large Language Model (LLM) capabilities, introducing multi-node autoscaling via KEDA/HPA and LeaderWorkerSet. It also hardens security with Pod Security Standard restricted profiles and expands data processing support for CSV and Parquet formats. - **Scalable Multi-Node LLM Serving with Autoscaling** — You can now deploy LLM workloads across multiple nodes using LeaderWorkerSet (LWS) with full support for KEDA and HPA autoscaling. 
This enables serving massive models that don't fit on a single machine while maintaining elastic responsiveness to traffic. - **Namespace-Scoped Model Caching and Downloads** — Enhances multi-tenancy by allowing ModelCache and download jobs to be restricted to specific namespaces. This provides better resource isolation and security in shared cluster environments. - **New Data Marshallers and Model Outputs** — Added support for CSV and Parquet data formats in the inference pipeline, as well as new HuggingFace token classification outputs. You can now process tabular data more efficiently without manual conversion. - **Critical Security Hardening and PSS Compliance** — Critical fixes for gRPC authorization bypass and various Python library vulnerabilities (PyJWT, pyasn1). Additionally, the default LLM templates now enforce the Pod Security Standards (PSS) restricted profile to harden your production environment. - **Optimized Build Performance and CI Efficiency** — Significant improvements to Docker build times and CI processes. For users, this means faster development cycles and more reliable container images for KServe components. --- ## Kyverno v1.18.0 - Repo: https://github.com/kyverno/kyverno - Date: 2026-04-29 - Web: https://releasecards.app/release/kyverno/kyverno/v1.18.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kyverno/kyverno/v1.18.0.md _Hardening Policy Security and Simplifying Local Development Workflow_ Kyverno v1.18.0 focuses on hardening the security posture of policy-driven HTTP calls, expanding local testing capabilities via the CLI, and providing more flexible image registry credential management. This release also introduces memory-based autoscaling for better resource management in large-scale Kubernetes environments. 
- **Hardened Secure HTTP Calls for External Data Loading** — Administrators can now enforce blocklists and use scoped tokens for external HTTP calls, significantly reducing the risk of SSRF or unauthorized data egress from the policy engine. - **Flexible Namespaced Image Registry Credentials** — Simplifies complex image verification setups by allowing policies to use secrets within the same namespace or specific pod-level credentials, rather than requiring global registry access. - **Expanded CLI Support for Cleanup and Authz Policies** — Developers and Platform Engineers can now validate cleanup, authz, and existing-resource mutation policies locally, shortening the feedback loop for policy development and CI integration. - **Advanced Event Filtering and Memory-Based Autoscaling** — Provides more granular control over event noise in large clusters and enables automated scaling of the admission controller based on real memory usage to prevent OOM issues. - **Critical Fixes for Image Verification and Policy Bypassing** — Resolves critical edge cases where image verification could be silently bypassed or skip evaluation, ensuring that security signatures are always strictly enforced. --- ## KubeFlow redirect - Repo: https://github.com/kubeflow/kubeflow - Date: 2026-04-29 - Web: https://releasecards.app/release/kubeflow/kubeflow/redirect - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kubeflow/kubeflow/redirect.md _A Unified Gateway to the Distributed Kubeflow Ecosystem_ This update marks a formal shift in how Kubeflow is managed, moving away from a monolithic repository structure. Users must now look to individual project repositories for specific component updates and installations. - **Decentralized Project Repository Structure** — The central Kubeflow repository has transitioned to a hub that redirects users to individual project releases. 
This ensures you are always accessing the most up-to-date code and documentation for specific components like Training, Pipelines, or Katib rather than outdated monolith code. --- ## Knative knative-v1.22.0 - Repo: https://github.com/knative/serving - Date: 2026-04-28 - Web: https://releasecards.app/release/knative/serving/knative-v1.22.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/knative/serving/knative-v1.22.0.md _Hardening the Serverless Backbone with Modern Networking and Enhanced Security_ Knative v1.22.0 focuses on maturing the infrastructure by standardizing TLS management, optimizing networking through EndpointSlices, and enhancing the reliability of container health checks and WebSocket connections. These changes collectively improve the stability and observability of serverless workloads in high-scale environments. - **Custom Ports for Liveness Probes** — Provides greater flexibility for applications that manage internal health checks on a different port than the main service traffic, allowing for more complex container architectures without custom sidecars. - **Standardized TLS Configuration Across Components** — Unifies TLS configuration across the Activator, Queue-proxy, and Reconciler. Users benefit from more consistent and secure encrypted communication between core Knative components. - **Graceful Shutdown for WebSocket Connections** — Prevents abrupt connection drops for long-lived socket traffic, ensuring that real-time applications (like chat or streaming) can terminate gracefully during scaling events or updates. - **Migration to EndpointSlices for Autoscaling** — Improves modern Kubernetes compatibility and reduces API overhead by using EndpointSlices for autoscaling decisions, leading to more efficient resource management in large clusters. 
- **New Granular Revision Request Metrics** — Provides better visibility into how requests are being queued and handled at the revision level, making it easier to debug bottlenecks and fine-tune scaling parameters. --- ## Rook v1.19.5 - Repo: https://github.com/rook/rook - Date: 2026-04-28 - Web: https://releasecards.app/release/rook/rook/v1.19.5 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/rook/rook/v1.19.5.md _Hardening Ceph Reliability and OpenShift Compatibility_ v1.19.5 is a stability-focused patch release that improves the reliability of Ceph monitor drains, fixes OSD device class mapping, and enhances the integration of NVMe-over-Fabrics on OpenShift. It also provides better Helm configurability for node failure tolerances and ensures smoother CSI resource management. - **Grant SCC to rook-ceph-nvmeof service account** — Ensures NVMe-over-Fabrics deployments on OpenShift have the necessary Security Context Constraints to run successfully and securely. - **Improved Monitor drain protection logic** — Prevents potential service disruptions during maintenance by ensuring the operator accurately identifies if any monitors are offline before allowing further node drains. - **Fix OSD CRUSH device class persistence during re-discovery** — Ensures that OSDs retain their specific performance characteristics (like SSD vs HDD) within the CRUSH map even after the operator re-discovers existing drives. - **MDS stability improvements for CephFS** — Corrects a logic error in the Metadata Server (MDS) management that could lead to unexpected behavior in CephFS clusters missing active-standby configurations. 
--- ## OpenTelemetry v0.151.0 - Repo: https://github.com/open-telemetry/opentelemetry-collector - Date: 2026-04-28 - Web: https://releasecards.app/release/open-telemetry/opentelemetry-collector/v0.151.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/open-telemetry/opentelemetry-collector/v0.151.0.md _Refining Portability and Lifecycle Reliability_ This release focuses on hardening the Collector's core lifecycle and configuration flexibility. Key updates include a shift to relative paths in the builder for better source portability, the introduction of declarative schemas for service telemetry, and critical fixes for gRPC connection issues and memory pooling. Windows users also gain support for Named Pipe transports. - **Relative paths for generated Collector source builds** — Developers building custom Collectors will find that generated Go modules now use relative paths, making the source code portable across different machines. While it simplifies long-term artifact tracking, you may need to adjust your build pipeline or use the 'use_absolute_replace_paths' flag if you rely on absolute paths. - **Declarative schema support for service telemetry resource configuration** — You can now define Collector service telemetry attributes using a structured list format (name/value pairs), aligning with standard OTel resource schemas and improving configuration consistency. - **Support for gRPC resolver schemes in client endpoints** — Users in complex networking environments can now use gRPC resolver schemes like 'passthrough:///' to resolve DNS resolution issues (specifically in dual-stack environments) that appeared in recent versions. - **Synchronized Collector Run and Shutdown lifecycles** — Ensures that the Collector process fully completes its cleanup tasks before the shutdown command returns, preventing race conditions or partial state persistence during restarts. 
- **Improved memory pooling for gRPC service handlers** — Reduces memory allocation overhead in OTLP gRPC service handlers by ensuring request objects correctly participate in the pdata pooling lifecycle. --- ## Dapr v1.17.6 - Repo: https://github.com/dapr/dapr - Date: 2026-04-28 - Web: https://releasecards.app/release/dapr/dapr/v1.17.6 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.17.6.md _Ensuring message reliability during deployment cycles_ This release addresses a critical reliability issue where pub/sub messages were incorrectly routed to dead-letter queues during application restarts or component reloads. By changing how Dapr handles incoming messages during graceful shutdown, the system now ensures message redelivery rather than permanent failure. - **Prevent message loss to dead-letter queues during shutdown** — This fix prevents message loss during routine operations like rolling deployments or sidecar restarts. Previously, messages could be incorrectly sent to dead-letter queues instead of being redelivered, requiring manual intervention to recover data. Now, Dapr ensures these messages remain queued for other active consumers. --- ## Strimzi 1.0.0 - Repo: https://github.com/strimzi/strimzi-kafka-operator - Date: 2026-04-28 - Web: https://releasecards.app/release/strimzi/strimzi-kafka-operator/1.0.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/strimzi/strimzi-kafka-operator/1.0.0.md _A New Era of Stability with v1 APIs and Kafka 4.x Support_ Strimzi 1.0.0 marks a major milestone by fully transitioning to the v1 API across all Custom Resource Definitions. This release also introduces support for the latest Apache Kafka 4.1.2, enhances security with TLS support for the HTTP Bridge, and simplifies rack awareness configuration by removing mandatory ClusterRoleBinding requirements in specific setups. 
- **Removal of Legacy CRD API Versions (v1beta2, v1beta1, v1alpha1)** — This is a major breaking change. You must convert all your Kafka, KafkaTopic, and KafkaUser resources to the v1 API before upgrading, or the operator will fail to manage your clusters. - **Support for Apache Kafka 4.1.2** — Ensures your Kafka clusters can run on the latest upstream stable release of Apache Kafka, providing access to new Kafka-native features and bug fixes. - **Environment-Variable Based Rack Awareness** — Simplifies multi-zone deployments in restricted environments by allowing rack awareness to be configured via environment variables, removing the need for elevated ClusterRoleBinding permissions. - **TLS/SSL Support for HTTP Bridge** — Enhances the security posture of your Kafka Bridge deployments by enabling encrypted communication via TLS/SSL. - **Force-Renewal of KafkaUser Certificates via Annotation** — Provides a simple mechanism to trigger certificate rotation for Kafka users manually, which is critical for security compliance and incident response. --- ## SPIFFE/SPIRE v1.14.6 - Repo: https://github.com/spiffe/spire - Date: 2026-04-27 - Web: https://releasecards.app/release/spiffe/spire/v1.14.6 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.14.6.md _Strengthening the Foundations of Trust Bootstrapping_ This security-focused update addresses two critical vulnerabilities: an identity forgery flaw in the AWS node attestor and a race condition in join token processing. Both fixes ensure that bootstrapping trust remains secure and that workload identities cannot be impersonated or duplicated. - **Fixed EC2 identity forgery in aws_iid node attestor** — This critical fix prevents malicious or compromised EC2 instances from assuming the identity of any other instance. 
Without this fix, an attacker could bypass AWS-based node attestation constraints and gain unauthorized access to certificates and secrets intended for other workloads. - **Prevented join token reuse via transaction locking** — This prevents a race condition where a single-use join token could be reused by multiple workloads simultaneously. Ensuring tokens are strictly one-time-use maintains the integrity of the trust bootstrapping process, especially in automated scaling scenarios. --- ## SPIFFE/SPIRE v1.13.6 - Repo: https://github.com/spiffe/spire - Date: 2026-04-27 - Web: https://releasecards.app/release/spiffe/spire/v1.13.6 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.13.6.md _Hardening Node Attestation and Token Integrity_ This security-focused release addresses two significant vulnerabilities: a high-severity flaw in AWS IID attestation that allowed EC2 instance impersonation and a race condition in the join token data store that permitted token reuse. - **Critical impersonation fix in AWS IID node attestor** — This critical vulnerability allowed an attacker on any EC2 instance to impersonate any other EC2 instance. This completely bypassed the security guarantees of the AWS IID attestor, potentially allowing unauthorized workloads to obtain identities they should not have access to. - **Prevented double-use of join tokens via transaction locking** — This fix prevents a race condition where a single-use join token could be exploited multiple times simultaneously. By ensuring strict row locking and deletion verification, the system now correctly enforces that tokens are consumed exactly once, preventing unauthorized node registration. 
--- ## Prometheus v3.11.3 - Repo: https://github.com/prometheus/prometheus - Date: 2026-04-27 - Web: https://releasecards.app/release/prometheus/prometheus/v3.11.3 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/prometheus/prometheus/v3.11.3.md _Hardening the observability pipeline against credential leaks and remote exploits_ This security-focused release addresses three distinct vulnerabilities involving credential exposure in configurations, potential resource exhaustion in remote-read operations, and cross-site scripting (XSS) in the legacy user interface. - **Secure AzureAD OAuth credential handling** — This prevents sensitive AzureAD authentication credentials from being leaked to anyone with access to the Prometheus configuration endpoint, significantly reducing the risk of unauthorized access to your cloud infrastructure. - **Remote-read decompression protection** — This protects your Prometheus instance from potential memory exhaustion or crashes triggered by malicious remote-read requests, ensuring the stability of your monitoring pipeline. --- ## Cortex v1.21.0 - Repo: https://github.com/cortexproject/cortex - Date: 2026-04-27 - Web: https://releasecards.app/release/cortexproject/cortex/v1.21.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/cortexproject/cortex/v1.21.0.md _Cortex Matures: Stable APIs, Enhanced Parquet Storage, and Production Hardening_ This release marks a significant milestone in Cortex stability, graduating major APIs (Ruler, Alertmanager, Federation) from experimental to stable status. It introduces a new Parquet storage mode for improved query performance and provides critical reliability fixes for Remote Write v2. Developers and SREs will also benefit from enhanced tenant management via the new Overrides API and expanded alerting integrations. 
- **Graduation of Experimental APIs and Configuration Changes** — Several long-standing experimental features like the Ruler API, Alertmanager sharding, and Tenant Federation have moved to stable. You must update your configuration flags as the -experimental prefix is now deprecated. Additionally, the bucket index is now enabled by default, which is the recommended way to run Cortex in production. - **Stability Fixes for Remote Write v2 and Redis Cluster** — Critical fixes for Prometheus Remote Write v2 (PRW2) address data corruption and panics. If you were testing or using the new protocol version, these fixes are essential for data integrity and service stability. - **New Parquet Storage Mode and Query Optimizations** — The addition of Parquet mode for the Store Gateway and projection pushdown in the Querier enables more efficient data retrieval and storage patterns, potentially reducing resource consumption for long-term data queries. - **Expanded Tenant Management and Alerting Integrations** — Operators now have more control over tenant limits through a dedicated Overrides API, and Alertmanager has been updated to include native integrations for IncidentIO and Mattermost. - **Internal Performance and Memory Efficiency Tuning** — Memory allocations have been significantly reduced across the Distributor and Ring components through better object recycling and timer reuse. New query priority and fragmentation logic also improve how the system handles complex distributed query execution. --- ## Crossplane v1.20.7 - Repo: https://github.com/crossplane/crossplane - Date: 2026-04-24 - Web: https://releasecards.app/release/crossplane/crossplane/v1.20.7 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/crossplane/crossplane/v1.20.7.md _Security Patch: Strengthening the Control Plane Core_ This patch release focuses exclusively on security by upgrading the underlying Go runtime to resolve multiple vulnerabilities (CVEs). 
There are no new features or breaking changes included. - **Updated Go runtime to version 1.25.9** — This update addresses several vulnerabilities in the Go runtime, ensuring that your Crossplane control plane remains secure and compliant with modern security standards. Given that Crossplane manages critical infrastructure, maintaining the underlying language security is vital for production environments. --- ## Envoy Proxy v1.38.0 - Repo: https://github.com/envoyproxy/envoy - Date: 2026-04-23 - Web: https://releasecards.app/release/envoyproxy/envoy/v1.38.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/envoyproxy/envoy/v1.38.0.md _The Extensibility Release: Bridging Dynamic Modules and AI Gateways_ Envoy v1.38.0 introduces significant extensibility via Dynamic Modules, robust support for AI/LLM protocols like MCP, and substantial performance optimizations for large-scale cluster management alongside critical security fixes. - **Comprehensive Dynamic Modules and Rust SDK Enhancement** — This is a massive expansion for developers. It allows for advanced custom logic (like Postgres/MySQL protocol negotiation or custom load balancing) to be written in Rust or C++ and loaded as external modules without recompiling Envoy. It also ensures that modules built today remain compatible with future Envoy versions. - **Advanced AI Gateway Support (MCP, SSE, and A2A)** — This positions Envoy as a powerful gateway for AI and LLM workloads. You can now use Envoy to route and manage Model Context Protocol (MCP) traffic, transcode JSON-RPC to REST, and extract LLM token usage metrics directly from Server-Sent Events (SSE) into observability dashboards. - **Strict Validation for TCP Proxy and On-Demand Changes** — Configurations that previously relied on default behaviors for TCP early data or specific on-demand cluster redirects will now fail validation or behave differently. 
You must review and potentially update your YAML configs to ensure clusters start correctly. - **Optimized Load Balancer Performance for Large Clusters** — In large-scale environments with thousands of hosts, large EDS updates could previously cause CPU spikes that impacted traffic. By coalescing these updates and caching metadata hashes, Envoy significantly reduces the overhead of maintaining big clusters. - **Critical Security Patches and Hardened RBAC** — This release fixes a critical HTTP/2 vulnerability (CVE-2026-27135) and improves security posture by defaulting to strict RSA key usage. It also adds a security guard to RBAC header matching to prevent attackers from bypassing filters using concatenated header values. --- ## Backstage v1.50.3 - Repo: https://github.com/backstage/backstage - Date: 2026-04-22 - Web: https://releasecards.app/release/backstage/backstage/v1.50.3 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/backstage/backstage/v1.50.3.md _Restoring Dashboard Flexibility and Search Speed_ This patch release focuses on restoring essential UI interactions and improving catalog performance. It resolves a critical bug where home page widgets became static after a save operation and addresses a performance bottleneck affecting filtered discovery views. - **Restore home page widget interactivity after saving** — Users customizing their dashboard will no longer be frustrated by locked layouts; widgets now correctly respond to drag-and-drop and resizing actions even after a layout has been saved. - **Address performance regression in discovery facets** — Platform engineers managing large catalogs will see improved responsiveness in the UI when using filtering or permission-based views, preventing UI lag during discovery. 
--- ## CoreDNS v1.14.3 - Repo: https://github.com/coredns/coredns - Date: 2026-04-22 - Web: https://releasecards.app/release/coredns/coredns/v1.14.3 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/coredns/coredns/v1.14.3.md _Secure Modern Transports and Windows Service Integration_ A major security and stability update that brings CoreDNS to Windows as a native service, implements comprehensive TSIG verification across all modern transport protocols, and addresses a significant number of security vulnerabilities via a Go runtime update. - **Native Windows Service Support** — Windows administrators can now manage CoreDNS using native service management tools, allowing for automatic restarts and better integration with Windows server environments. - **Enhanced TSIG Verification and Critical Security Patches** — This release ensures end-to-end authentication and integrity across modern transports (DoH, DoH3, QUIC, and gRPC) and patches 13 security vulnerabilities in the underlying Go runtime. - **Optimized Cache Prefetching and Connection Handling** — Refined prefetching logic and better connection management in the QUIC and forward plugins result in lower latency and more efficient resource utilization under high load. - **TLS Support for Metrics and Key Logging** — Security-conscious users can now encrypt their telemetry data and troubleshoot TLS issues more effectively using the new keylog option. - **Improved Zone Transfer and DNSSEC Reliability** — Improves reliability for large-scale zone deployments by ensuring correct zone matching, better record batching, and fixing potential data races during transfers. 
--- ## Kubernetes v1.36.0 - Repo: https://github.com/kubernetes/kubernetes - Date: 2026-04-22 - Web: https://releasecards.app/release/kubernetes/kubernetes/v1.36.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kubernetes/kubernetes/v1.36.0.md _Kubernetes v1.36: Expanding Hardware Allocation and Scaling to Zero_ Kubernetes v1.36 brings major advancements to workload autoscaling by introducing native HPA scale-to-zero capabilities, alongside substantial improvements in Dynamic Resource Allocation (DRA) for complex hardware management. Storage gets a boost with digest-backed Image Volumes and the graduation of VolumeAttributesClass. For cluster operators and administrators, the continued rollout of Declarative Validation across core APIs simplifies extending the cluster, while several older APIs and in-tree storage plugins have been permanently retired. - **HPA Validation for Scaling to Zero** — Allows the Horizontal Pod Autoscaler to completely scale workloads down to zero replicas based on conditions and custom metrics. This enables true serverless-like application scaling on Kubernetes, sharply reducing resource waste for periodically idle workloads. - **Parallel Execution for PreBind Scheduler Plugins** — Accelerates pod scheduling latency in large clusters by running PreBind scheduling plugins concurrently. Cluster administrators utilizing custom scheduler plugins must ensure their custom plugins are concurrency-safe. - **Native Job Controller Integration with Workloads and PodGroups** — Improves batch processing and data-science workloads by natively integrating the Job controller with PodGroup and Workload semantics. This allows for more robust gang-scheduling and quota management during massive parallel job executions. - **DRA Extended Resources Beta Promotion and Fine-Grained Authorization** — DRA continues its graduation, promoting Extended Resources to Beta. 
Crucially, a new fine-grained authorization model ensures that only specifically authorized callers can update ResourceClaim statuses, protecting cluster hardware allocations from unauthorized tampering or privilege escalation. - **Node-Allocatable Resource Claims Supported in DRA** — Advanced hardware management gets a boost with node-allocatable resource claims. Operators can now dedicate specific hardware components or capacity slices to the entire node rather than individually to single pods, enabling complex topological deployments. --- ## cert-manager v1.19.5 - Repo: https://github.com/cert-manager/cert-manager - Date: 2026-04-21 - Web: https://releasecards.app/release/cert-manager/cert-manager/v1.19.5 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/cert-manager/cert-manager/v1.19.5.md _Fortifying the core with essential security patches_ This patch release focuses exclusively on security hygiene by updating the Go compiler and internal dependencies to resolve reported vulnerabilities. - **Security updates for Go runtime and dependencies** — This update addresses known security vulnerabilities in the underlying Go runtime and third-party dependencies. For SREs and DevOps engineers, applying this patch is essential to maintain the security posture of their Kubernetes clusters and ensure the integrity of the certificate management infrastructure. --- ## Flux v2.8.6 - Repo: https://github.com/fluxcd/flux2 - Date: 2026-04-21 - Web: https://releasecards.app/release/fluxcd/flux2/v2.8.6 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/fluxcd/flux2/v2.8.6.md _Stabilizing GitOps Workflows and Performance_ Flux v2.8.6 is a maintenance release focused on stabilizing Helm deployments, restoring broken notification behavior, and enhancing performance through updated Git libraries. It also introduces security hardening for GCR integrations and internal API management tools. 
- **Restore generic provider commit status notifications** — This fixes a bug where users of generic notification providers stopped receiving commit status updates, ensuring visibility into deployment success or failure remains reliable. - **Improved Git operation performance via go-git update** — Upgrading to go-git v5.18.0 optimizes Git operations within the source and image-automation controllers, leading to faster synchronization and lower resource consumption for large repositories. - **Helm controller stability improvements** — Reduces deployment failures by resolving conflicts between Helm templates and post-renderers, and prevents unnecessary force-replace operations when server-side apply is active. --- ## Contour v1.33.4 - Repo: https://github.com/projectcontour/contour - Date: 2026-04-20 - Web: https://releasecards.app/release/projectcontour/contour/v1.33.4 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/projectcontour/contour/v1.33.4.md _Hardening the data plane against Lua injection attacks_ This release is a critical security update addressing a Lua code injection vulnerability in the Cookie Rewriting feature. The fix changes how user-provided values are handled by Envoy, transitioning from dynamic template generation to a more secure static Lua script with structured data. This version also mandates an upgrade to Envoy 1.35.0 or later to maintain compatibility with the new security architecture. - **Fix for Lua code injection in Cookie Rewriting feature (CVE-2026-41246)** — This prevents a critical vulnerability where an attacker with internal access could execute malicious code within your Envoy proxy instances, potentially stealing credentials or disrupting traffic for all applications in the cluster. - **Minimum Envoy version requirement increased to 1.35.0** — To apply the security fix, you must update Envoy to at least version 1.35.0. 
Failure to align your Envoy and Contour versions may lead to misconfigurations in how cookies are handled. - **Upgrade to Envoy v1.35.10** — Ensures your underlying data plane has the latest upstream security and stability improvements from the Envoy project. --- ## Contour v1.32.5 - Repo: https://github.com/projectcontour/contour - Date: 2026-04-20 - Web: https://releasecards.app/release/projectcontour/contour/v1.32.5 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/projectcontour/contour/v1.32.5.md _Plugging the leaks in Lua and Envoy_ This security-focused release addresses a critical Lua injection vulnerability (CVE-2026-41246) within the Cookie Rewriting feature and updates the underlying Envoy proxy to the latest stable patch version. - **Fixed Lua code injection vulnerability in Cookie Rewriting** — This critical fix prevents an attacker with resource creation permissions from executing arbitrary Lua code within the Envoy proxy. Without this update, a malicious user could potentially steal xDS credentials or crash the networking infrastructure for all tenants in the cluster. - **Envoy Proxy upgraded to v1.34.14** — Upgrading to the latest Envoy patch ensures your data plane has the most recent bug fixes and security hardening from the upstream Envoy project, improving the overall stability of your ingress traffic. --- ## Contour v1.31.6 - Repo: https://github.com/projectcontour/contour - Date: 2026-04-20 - Web: https://releasecards.app/release/projectcontour/contour/v1.31.6 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/projectcontour/contour/v1.31.6.md _Essential security hardening for Envoy-based cookie management_ This release primarily addresses a significant security vulnerability in the Cookie Rewriting feature that could allow unauthorized code execution within the Envoy proxy. 
It also includes an update to the underlying Envoy engine to ensure continued stability and security. - **Fixed Lua code injection vulnerability (CVE-2026-41246)** — This critical fix prevents an attacker with resource creation permissions from executing arbitrary Lua code within your Envoy proxies via the Cookie Rewriting feature. Without this patch, compromised or malicious tenants could steal Envoy credentials or disrupt traffic for every application in the cluster. --- ## Dapr v1.15.14 - Repo: https://github.com/dapr/dapr - Date: 2026-04-16 - Web: https://releasecards.app/release/dapr/dapr/v1.15.14 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.15.14.md _Hardening Service Invocation Security_ This security-focused maintenance release addresses a critical vulnerability in service invocation access control and updates the underlying Go runtime to resolve upstream CVEs. - **Fix for Service Invocation Access Control bypass** — This fix prevents malicious actors from using URL-encoded characters or path traversal sequences to bypass your Service Invocation Access Control Lists (ACLs). Without this update, an attacker could potentially execute unauthorized operations on your backend services even if you have explicit deny rules in place. - **Runtime security update to Go v1.25.9** — By moving to the latest Go patch version, the Dapr runtime gains protection against recently discovered vulnerabilities in the Go standard library, ensuring the underlying execution environment remains secure. 
--- ## Dapr v1.17.5 - Repo: https://github.com/dapr/dapr - Date: 2026-04-16 - Web: https://releasecards.app/release/dapr/dapr/v1.17.5 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.17.5.md _Hardening Service-to-Service Authorization_ This release addresses a critical security vulnerability where reserved URL characters and path traversal sequences could be used to bypass service invocation access control policies. The fix ensures that the method path used for authorization matches the path actually dispatched to the target application. - **Prevent Service Invocation Access Control Bypass** — This is a critical security update that ensures your Access Control Lists (ACLs) cannot be bypassed using URL encoding or path traversal tricks. Without this fix, an attacker could potentially access restricted API endpoints (like /admin) by masking them as allowed paths, effectively neutralizing your service-to-service security policies. --- ## Dapr v1.16.14 - Repo: https://github.com/dapr/dapr - Date: 2026-04-16 - Web: https://releasecards.app/release/dapr/dapr/v1.16.14 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.16.14.md _Critical Security Fix for Service Invocation Access Controls_ This release addresses a critical security vulnerability in Dapr service invocation. A flaw in how paths were normalized allowed attackers to bypass Access Control List (ACL) policies using path traversal sequences, fragments, or query characters. The fix ensures that the method path is normalized once at the edge, ensuring the same path is used for both policy evaluation and service dispatch. - **Fix service invocation access control bypass via path traversal** — This fix prevents a critical security vulnerability where attackers could bypass your Access Control Lists (ACLs) to execute unauthorized commands. 
Without this patch, an attacker could use specially crafted URL paths or gRPC method strings to trick Dapr into allowing access to sensitive endpoints that you intended to block. --- ## Cilium v1.19.3 - Repo: https://github.com/cilium/cilium - Date: 2026-04-15 - Web: https://releasecards.app/release/cilium/cilium/v1.19.3 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/cilium/cilium/v1.19.3.md _Hardening Policy Reliability and Dual-Stack Connectivity_ This release focuses on hardening cluster stability through critical memory leak fixes in policy management and reliability improvements for dual-stack and DSR networking. It also addresses performance regressions in Hubble and improves the robustness of the Cilium agent during startup. - **Resolved memory leaks in network policy updates and lifecycle management** — Prevents gradual resource exhaustion and potential node instability in environments with high churn of network policies. - **Improved Dual-Stack and IPv6 stability for WireGuard and NodePort** — Ensures consistent connectivity for dual-stack clusters using WireGuard or IPv6-specific NodePort configurations, preventing traffic drops in complex networking setups. - **Eliminated high CPU usage in hubble observe caused by log coloring** — Reduces unnecessary CPU overhead when monitoring traffic with Hubble, ensuring that observability tools don't impact application performance. - **Fixed NodePort connectivity failures in Direct Server Return (DSR) mode** — Fixes a critical connectivity bug in DSR mode where internal pod-to-nodeport traffic could fail due to missing return path translation. - **Fixed agent initialization when using etcd behind a K8s Service** — Prevents Cilium agent startup failures in clusters where etcd is accessed via a Kubernetes Service, improving bootstrap reliability. 
--- ## Keycloak 26.6.1 - Repo: https://github.com/keycloak/keycloak - Date: 2026-04-15 - Web: https://releasecards.app/release/keycloak/keycloak/26.6.1 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/keycloak/keycloak/26.6.1.md _Hardening Identity Security and Migration Stability_ Keycloak 26.6.1 is a critical maintenance release focusing on security hardening and stability. It addresses two CVEs (SSRF and user enumeration), fixes a significant bug that corrupted authentication flows during migration, and restores functionality to the JavaScript Admin Client. It also introduces support for database data-at-rest encryption. - **Critical Security Patches for SSRF and User Enumeration** — This patch addresses a Blind SSRF vulnerability and a user enumeration flaw in the identity-first login flow. Administrators should apply this update immediately to prevent attackers from discovering valid usernames or probing internal network resources. - **Fix for Flow Corruption During Migration** — A critical migration bug that accidentally modified custom browser flows has been fixed. This ensures that upgrading to the 26.6.x line no longer risks breaking your existing realm authentication logic. - **Database Data-at-Rest Encryption Support** — Keycloak adds support/enhancements for database data-at-rest encryption. This is vital for organizations with strict compliance requirements (like HIPAA or GDPR) needing to ensure that sensitive identity data is protected even at the storage layer. - **Restoration of Admin Client and UI Tooling** — Resolves a regression where the JavaScript Admin Client failed to install and the Admin UI had invalid package references. Developers using these tools can now resume standard integration and UI customization workflows. 
--- ## Dapr v1.16.13 - Repo: https://github.com/dapr/dapr - Date: 2026-04-15 - Web: https://releasecards.app/release/dapr/dapr/v1.16.13 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.16.13.md _Hardening Scheduler Reliability and Infrastructure Security_ This tactical update addresses a critical bug in the scheduler service that prevented jobs from firing after pod restarts, fixes memory exhaustion and configuration issues in the Pulsar pub/sub component, and patches security vulnerabilities by updating the Go runtime. - **Go Runtime Security Patch to 1.25.9** — Security vulnerabilities in the underlying Go runtime (specifically in cryptography and templating packages) are mitigated, ensuring the Dapr sidecar remains a secure foundation for your microservices. - **Reliability Fix for Scheduler Connectivity and Job Delivery** — This fix prevents a critical failure where scheduled jobs would silently stop running after a scheduler pod restart. It ensures that cron-style tasks and timed triggers remain reliable during infrastructure rollouts or pod maintenance. - **Pulsar Pub/Sub Concurrency and Metadata Fixes** — Users of Apache Pulsar for pub/sub can now correctly configure processing modes via YAML and are protected from memory-related crashes (OOM) caused by previous unbounded concurrency in asynchronous mode. --- ## Backstage v1.50.0 - Repo: https://github.com/backstage/backstage - Date: 2026-04-14 - Web: https://releasecards.app/release/backstage/backstage/v1.50.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/backstage/backstage/v1.50.0.md _Scaling the Catalog and Modernizing the Frontend_ v1.50.0 introduces significant performance optimizations for large-scale catalogs and migrates several core components to React 18 and the Backstage UI (BUI) system. 
It also standardizes identity token handling and frontend configuration while expanding cloud-native integrations for AWS and major SCM providers. - **Identity token ownership claims removed by default** — This prevents large organizations from hitting HTTP header size limits when using identity tokens. However, you must update your code to use the userInfo core service if you rely on ownership claims in tokens, or manually re-enable the old behavior temporarily. - **Minimum React version raised to 18** — Ensures your portal is running on a modern React runtime. You must upgrade to React 18 to use this version of Backstage. - **Standard Schema adoption for frontend extensions** — Adopts a community standard for schema validation in the new frontend system. You will need to update extensions using Zod to version 3.25.0+ and use the v4 subpath or upgrade to Zod v4. - **Major Catalog performance and reliability boost** — Large internal developer portals will see faster catalog performance and reduced database write churn. It also resolves a critical deadlock issue when running multiple catalog backend replicas. - **Real-time SCM event translation for major providers** — Allows for instant catalog updates when repositories change in Azure DevOps, GitLab, or Bitbucket Cloud, providing developers with a more real-time view of their software ecosystem. --- ## Istio 1.29.2 - Repo: https://github.com/istio/istio - Date: 2026-04-13 - Web: https://releasecards.app/release/istio/istio/1.29.2 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/istio/istio/1.29.2.md _Hardening the Mesh: Security, Stability, and Modern Tooling_ Istio 1.29.2 focuses on hardening security, refining the Ambient mesh experience (Waypoint and zTunnel), and ensuring compatibility with modern Kubernetes features like native sidecars and Helm v4. This release addresses several critical stability issues including a significant correction to default retry budgets. 
- **Enhanced Control Plane Security and SSRF Protection** — Hardens the control plane against unauthorized access to internal debugging information and protects the mesh from Server-Side Request Forgery attacks. - **Improved Support for Native Sidecar Containers** — Ensures traffic is correctly routed even when native sidecars (a Kubernetes 1.29+ feature) are used, preventing potential traffic drops or routing bypasses. - **Corrected Default Retry Budget to 20%** — Fixes a bug where default retry budgets were incorrectly set to 0.2% instead of 20%, significantly improving the mesh's ability to handle transient failures out-of-the-box. - **Waypoint Support for Multiple VirtualServices per Host** — Allows for more complex routing logic in Ambient mode by enabling multiple VirtualServices to target the same host via a Waypoint proxy. - **Official Support for Helm v4** — Ensures compatibility with the latest Kubernetes package management standards, easing the upgrade path for platform teams using Helm. --- ## OpenTelemetry v0.150.0 - Repo: https://github.com/open-telemetry/opentelemetry-collector - Date: 2026-04-13 - Web: https://releasecards.app/release/open-telemetry/opentelemetry-collector/v0.150.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/open-telemetry/opentelemetry-collector/v0.150.0.md _Clearer Configurations and Stronger Standards_ This release focuses on improving configuration transparency and developer tooling. Key highlights include a more reliable 'print-config' command that retains default values in unredacted mode, enhanced security through telemetry header redaction, and an update to the latest OpenTelemetry semantic conventions. - **Improved unredacted configuration printing** — When troubleshooting, you can now generate full configuration outputs that include both your secrets and default values, making it much easier to verify the final running state of a collector. 
--- ## Dapr v1.17.4 - Repo: https://github.com/dapr/dapr - Date: 2026-04-10 - Web: https://releasecards.app/release/dapr/dapr/v1.17.4 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.17.4.md _Hardening the Core: Eliminating Stalls and Ensuring Workflow Integrity_ This maintenance release focuses heavily on the stability and reliability of Dapr's core distributed primitives. Key fixes address critical 'freeze' scenarios in Actors and Workflows, prevent data loss during high-volume workflow iterations, and ensure that infrastructure events like Scheduler restarts or slow sidecars don't lead to application-wide stalls. Additionally, it brings Pulsar pub/sub into alignment with expected performance behaviors and addresses several Go-related security vulnerabilities. - **Fixed Event Loss and Duplication in Workflows during ContinueAsNew** — Prevents high-volume workflows from losing events or processing them multiple times. This is critical for reliable business logic like payment processing or coordination patterns where state consistency is non-negotiable. - **Fixed Global Actor/Workflow Freezes Caused by Slow Sidecars** — Prevents entire clusters of microservices from 'freezing' when a single sidecar is slow or under load. Actor and workflow operations will now automatically recover and reconnect rather than hanging indefinitely. - **Fixed Blocking PENDING State for Cross-App Workflows** — Ensures cross-app workflows start immediately even if the target service is offline or scaling from zero. This removes a major pain point in rolling deployments and serverless-style architectures. - **Pulsar Pub/Sub: Backpressure Support and Metadata Fixes** — Prevents memory-related crashes (OOM) and massive unacknowledged message backlogs when using Pulsar. It also ensures your 'sync' vs 'async' configuration settings are actually respected. 
- **Security: Upgraded to Go 1.25.9** — Protects the Dapr runtime against multiple vulnerabilities in the Go standard library, including issues in TLS and core OS packages. --- ## Helm v3.20.2 - Repo: https://github.com/helm/helm - Date: 2026-04-09 - Web: https://releasecards.app/release/helm/helm/v3.20.2 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/helm/helm/v3.20.2.md _Securing the Chart Extraction Pipeline_ Helm v3.20.2 is primarily a security patch release addressing a significant directory traversal vulnerability during chart extraction and hardening the project's internal build workflows. - **Prevent directory traversal during chart extraction** — This fix prevents a critical security vulnerability where a specially crafted Helm chart could use 'dot-segments' (like ../) in the Chart.yaml name to write files outside of the intended directory during extraction. Upgrading ensures your workstation or CI/CD environment is protected from malicious charts attempting to compromise the local file system. --- ## Linkerd edge-26.4.2 - Repo: https://github.com/linkerd/linkerd2 - Date: 2026-04-09 - Web: https://releasecards.app/release/linkerd/linkerd2/edge-26.4.2 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/linkerd/linkerd2/edge-26.4.2.md _Strengthening the foundation through core updates and testing enhancements_ This release primarily focuses on maintenance, featuring an update to the core proxy component and a large sweep of dependency upgrades across the control plane and web dashboard. It also introduces improved testing utilities to ensure API reliability. - **Proxy version bumped to v2.348.0** — The updated proxy dependency brings in the latest performance and security enhancements to the data plane, which is the core component responsible for routing and securing your service mesh traffic. 
---

## Helm v4.1.4

- Repo: https://github.com/helm/helm
- Date: 2026-04-09
- Web: https://releasecards.app/release/helm/helm/v4.1.4
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/helm/helm/v4.1.4.md

_Strengthening the Wall Around Plugins and Packages_

Helm v4.1.4 is a critical security-focused patch addressing vulnerabilities in plugin verification and path-based file manipulation. These fixes close gaps that could have allowed unsigned plugins to run or malicious packages to write files outside of restricted directories.

- **Fixed plugin verification bypass when provenance files are missing** — Prevents a critical security bypass where Helm would incorrectly allow the installation of unsigned or unverified plugins if the provenance file was simply missing. This ensures your local environment remains protected against unauthorized extensions.
- **Mitigated path traversal vulnerabilities in chart extraction and plugin metadata** — Protects your local filesystem from malicious charts or plugins that attempt to write or overwrite files outside of their intended directories using path traversal (dot-segment) attacks. This is vital for workstations and CI/CD runners handling third-party packages.

---

## SPIFFE/SPIRE v1.13.5

- Repo: https://github.com/spiffe/spire
- Date: 2026-04-08
- Web: https://releasecards.app/release/spiffe/spire/v1.13.5
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.13.5.md

_Hardening the Gateway: Improved Resilience and Security for Node Attestation_

This release focuses on critical security hardening for node attestation mechanisms. It specifically addresses a Denial of Service vulnerability in the x509pop attestor and tightens the security of the HTTP challenge process by preventing unexpected redirects.

- **Fix CPU exhaustion in x509pop node attestor** — This fixes a vulnerability where an attacker could send specially crafted, oversized RSA keys to the server during the initial attestation process. This could use up excessive CPU resources, potentially leading to a Denial of Service (DoS) for your identity infrastructure before any authentication even occurs.
- **Disable HTTP redirects during node attestation challenges** — By disabling HTTP redirects during the HTTP challenge, SPIRE prevents potential data leakage or redirection to malicious external endpoints. This ensures that node attestation requests stay within the intended network boundaries.

---

## Open Policy Agent v1.15.2

- Repo: https://github.com/open-policy-agent/opa
- Date: 2026-04-08
- Web: https://releasecards.app/release/open-policy-agent/opa/v1.15.2
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/open-policy-agent/opa/v1.15.2.md

_Hardening the Foundation with Go Security Patches_

This maintenance release focuses exclusively on security by upgrading the underlying Go runtime used to build OPA binaries and container images. This update mitigates several security vulnerabilities discovered in previous versions of the Go language.

- **Upgraded Go Runtime to 1.26.2 for Security Fixes** — By updating to Go 1.26.2, OPA addresses multiple known vulnerabilities in the Go runtime. This ensures that your policy enforcement point remains secure against low-level exploits that could compromise the integrity of your cloud-native infrastructure.
---

## Coraza v3.7.0

- Repo: https://github.com/corazawaf/coraza
- Date: 2026-04-06
- Web: https://releasecards.app/release/corazawaf/coraza/v3.7.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/corazawaf/coraza/v3.7.0.md

_Enhanced Audit Visibility and Engine Performance_

This release improves security observability with file upload auditing, tunes regex engine performance via new directives, and aligns core WAF behaviors more closely with industry standards.

- **Audit Logging for Uploaded Files** — You can now track and verify file uploads within your security logs, providing a critical audit trail for investigating potentially malicious file transfers.
- **Control Regex Pre-Filtering Behavior** — This adds a new directive to toggle regex pre-filtering, allowing you to tune engine performance vs. match accuracy based on your specific traffic patterns.
- **Optimized Rule Memory and Caching** — By reducing memory allocations and optimizing how transformation values are stored, the engine handles high-traffic rule sets with lower latency and CPU overhead.
- **Standardized Severity and Actions** — Aligns severity scoring and action chaining with industry-standard ModSecurity behavior, ensuring your existing WAF rules act exactly as expected.
- **Updated Core Rule Set Alignment** — The internal Core Rule Set has been updated to the latest version, ensuring you have the most up-to-date protection patterns against modern web vulnerabilities.

---

## OpenFGA v1.14.0

- Repo: https://github.com/openfga/openfga
- Date: 2026-04-03
- Web: https://releasecards.app/release/openfga/openfga/v1.14.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/openfga/openfga/v1.14.0.md

_Strengthening Security and Core Performance_

This release focuses on critical security and stability improvements.
It addresses a security vulnerability in BatchCheck, resolves deadlock risks and performance bottlenecks in the ListObjects algorithm, and fixes PostgreSQL integration issues when using connection poolers. Additionally, it marks the beginning of the deprecation process for the built-in Playground.

- **Critical Security Fix for BatchCheck Policy Enforcement (CVE-2026-34972)** — Fixes a critical vulnerability where duplicate tuples in a BatchCheck request could bypass security policies, ensuring consistent and correct authorization results.
- **PostgreSQL Compatibility and Error Handling Improvements** — This fix significantly improves reliability for Postgres users, specifically those using connection poolers like PgBouncer, by fixing data type errors and ensuring consistent 'Not Found' error responses.
- **Performance Gains and Deadlock Prevention in ListObjects Pipeline** — Users will experience better performance and increased stability when listing objects. The changes eliminate potential deadlocks and use memory more efficiently to handle complex or deep relationship hierarchies.
- **Playground Security Constraints and Deprecation** — If you rely on the built-in Playground with shared key authentication, your server will no longer start. You must adjust your configuration to use the 'none' auth method for the Playground or prepare for its eventual removal.
- **New Storage Latency Metrics for Improved Observability** — Operators gain better visibility into storage performance. You can now monitor exactly how long database queries take and distinguish between actual infrastructure failures and expected missing data.
---

## Jaeger v2.17.0

- Repo: https://github.com/jaegertracing/jaeger
- Date: 2026-03-30
- Web: https://releasecards.app/release/jaegertracing/jaeger/v2.17.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/jaegertracing/jaeger/v2.17.0.md

_Enhanced Trace Visibility and AI-Ready Observability_

This release significantly improves the trace analysis experience with a new aggregated logs view and a side-panel span explorer. Backend performance receives a boost for ClickHouse users, while new experimental MCP support paves the way for AI-driven debugging. The UI has also undergone a massive architectural overhaul to modernize its technology stack.

- **New Trace Logs view for aggregated span events** — Analyzing complex traces is now easier with a high-level aggregate view of all events across every span, reducing the need to click into individual spans to find log data.
- **Side panel for span details and tree-only view mode** — Users can now keep the trace tree visible while inspecting span details in a side panel, significantly improving the workflow for deep-dive analysis.
- **ClickHouse storage optimizations for faster trace searching** — If you use ClickHouse as your storage backend, you will see faster trace retrieval and search performance due to schema optimizations and better query filtering.
- **UI security hardening against XSS risks** — Protects the Jaeger UI against Cross-Site Scripting (XSS) attacks by ensuring user-provided content is handled safely.
- **Experimental Model Context Protocol (MCP) support for LLM integration** — Developers can now use Jaeger as a Model Context Protocol (MCP) server, allowing AI agents (like Claude) to directly interact with tracing data for automated debugging.
---

## Dapr v1.16.12

- Repo: https://github.com/dapr/dapr
- Date: 2026-03-30
- Web: https://releasecards.app/release/dapr/dapr/v1.16.12
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.16.12.md

_Hardening the Backbone: Security Patches and Reliable Scheduling_

This maintenance release addresses a critical security vulnerability in gRPC, resolves a major stability issue in the Scheduler service that caused 20-minute outages during pod restarts, and fixes several schema-breaking bugs in the Pulsar Pub/Sub component.

- **Critical Fix for gRPC Authorization Bypass (CVE-2026-33186)** — Critical infrastructure components, like Dapr, must address upstream vulnerabilities to prevent unauthorized access. This fix ensures that your gRPC service communication remains protected against known authorization bypasses.
- **Robust Pulsar Pub/Sub Schema Validation and Avro Support** — If you use Pulsar for workflows or eventing, this fix is essential. It resolves a critical bug where Avro-encoded messages would enter an endless retry loop and never reach your application, while also ensuring your JSON schemas are actually enforced during publication.
- **Eliminated 20-Minute Scheduler Stalls During Cluster Rebalancing** — High-availability deployments using the Dapr Scheduler can now recover from pod restarts in seconds rather than minutes. This eliminates 20-minute 'blackout' periods where workflows, actor reminders, and scheduled jobs would otherwise stall during routine maintenance or node failures.
---

## Open Policy Agent v1.15.0

- Repo: https://github.com/open-policy-agent/opa
- Date: 2026-03-26
- Web: https://releasecards.app/release/open-policy-agent/opa/v1.15.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/open-policy-agent/opa/v1.15.0.md

_Flexible Logging and Cloud-Native Identity Improvements_

This release introduces a major overhaul to OPA logging with a new pluggable interface and file rotation support. It also enhances AWS integration for cloud-native environments and introduces a breaking change for developers using custom HTTP authentication plugins.

- **Pluggable logging and built-in file rotation support** — You can now use custom logging backends and a built-in file logger with automatic rotation, providing more flexibility for how OPA logs and decision logs are stored.
- **HTTPAuthPlugin lifecycle changes for custom plugins** — If you have implemented a custom HTTP authentication plugin, you must move per-request logic to the Prepare method, as NewClient is now only called once and cached.
- **AWS Web Identity support for Assume Role credentials** — Enables native support for EKS service accounts and other OIDC-based identities for AWS authentication, simplifying security configurations in Kubernetes environments.
- **Optimized TLS certificate re-reading and content hashing** — Reduces unnecessary CPU usage and improves request latency by caching parsed certificates and avoiding re-parsing unless files on disk have actually changed.

---

## Dapr v1.17.3

- Repo: https://github.com/dapr/dapr
- Date: 2026-03-26
- Web: https://releasecards.app/release/dapr/dapr/v1.17.3
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.17.3.md

_Hardening Distributed Reliability and Security_

Dapr v1.17.3 is a critical stability and security update.
It addresses two CVEs (gRPC auth bypass and TIFF OOM), resolves significant reliability issues in the Scheduler and Placement services that caused jobs and actor routing to fail, and fixes a data-loss bug affecting actor invocations over h2c. It also restores compatibility for Windows containers on AKS.

- **Critical Security Patches for gRPC and Image Processing** — Updating is critical to prevent potential gRPC authorization bypasses and memory-exhaustion attacks when processing TIFF images.
- **Resolved Silent Data Loss in Actor Method Calls over h2c** — This fixes a severe bug where actor calls using h2c would return success but contain no data, preventing silent data loss in microservices.
- **Fixed Scheduler Hangs During Cluster Scale-up** — Prevents workflows, scheduled jobs, and actor reminders from randomly failing to trigger after infrastructure changes or pod restarts.
- **Corrected Stale Content-Length Headers in Service Invocation** — Eliminates 'unexpected EOF' and truncated response errors in Go, Python, and other HTTP clients calling Dapr services.
- **Prevented Cascading Failures in Placement Dissemination** — Improves the resilience of actor-based systems by preventing a single slow node from causing a cascading failure across the entire cluster.

---

## Dapr v1.16.11

- Repo: https://github.com/dapr/dapr
- Date: 2026-03-26
- Web: https://releasecards.app/release/dapr/dapr/v1.16.11
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.16.11.md

_Hardening the Scheduler and Restoring Windows Compatibility_

This patch release focuses on critical infrastructure stability, specifically addressing two severe bugs in the Dapr Scheduler that impacted high-availability deployments and workflow reliability. It also restores support for Windows containers on AKS and includes essential security updates via a Go runtime bump.

- **Critical stability fixes for Scheduler HA clusters** — This resolves critical race conditions in the Scheduler that could lead to cascading crashes or 'dead' instances that silently stop processing jobs. It is essential for anyone using Workflows, Actors, or Cron bindings in high-availability environments.
- **Fix for Windows sidecar container startup on AKS** — Restores functionality for Windows-based workloads on AKS. Without this, Windows containers would fail to start due to OS version mismatches introduced in the previous patch.
- **Go runtime updated to 1.25.8 for security patches** — Ensures the Dapr runtime is built with the latest Go security patches, protecting your infrastructure from vulnerabilities in core networking and template libraries.

---

## Chaos Mesh v2.8.2

- Repo: https://github.com/chaos-mesh/chaos-mesh
- Date: 2026-03-25
- Web: https://releasecards.app/release/chaos-mesh/chaos-mesh/v2.8.2
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/chaos-mesh/chaos-mesh/v2.8.2.md

_Securing the Chaos: Critical Vulnerability Patches and Platform Refinements_

Version 2.8.2 is a critical maintenance release focused on security and stability. It eliminates numerous vulnerabilities through a major dependency overhaul, resolves UI inconsistencies in the dashboard, and formalizes the transition away from legacy installation scripts.

- **Comprehensive Security Hardening and Dependency Upgrades** — This update addresses critical security vulnerabilities by upgrading core Go and UI dependencies. For SREs and platform engineers, this ensures the chaos engineering infrastructure itself does not become a security risk within the cluster.
- **Deprecation of install.sh in favor of Helm** — The quick-start install script has been removed. Users must transition to recommended installation methods like Helm to manage their Chaos Mesh lifecycle, ensuring more robust and repeatable deployments.
---

## KubeVirt v1.8.0

- Repo: https://github.com/kubevirt/kubevirt
- Date: 2026-03-24
- Web: https://releasecards.app/release/kubevirt/kubevirt/v1.8.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kubevirt/kubevirt/v1.8.0.md

_Incremental Reliability and Template-Driven Virtualization_

KubeVirt v1.8.0 introduces native support for incremental VM backups, enhances virtctl with template management capabilities, and improves live migration reliability. It also marks the promotion of several features to Beta and GA while removing outdated network bindings to streamline the codebase.

- **Support for Incremental VM Backups** — Users can now perform incremental backups of Virtual Machines, significantly reducing storage usage and backup windows for large disks.
- **Enhanced Live Migration and PCIe NUMA-Aware Topology** — Enables updating network references on running VMs and improves performance for GPU/host devices by ensuring they are placed on the correct PCIe buses relative to their NUMA node.
- **New virt-template Commands in virtctl** — virtctl now includes commands to process, create, and convert Virtual Machine Templates, making it easier to manage standardized VM configurations.
- **Removal of Legacy Network Bindings** — Old core SLIRP and Macvtap bindings have been removed. Users must migrate to supported binding methods.
- **Client-Side Rate Limiting for virt-operator** — Reduces the likelihood of virt-operator being throttled by the Kubernetes API server when managing a high volume of objects, leading to faster stabilization of the cluster state.
---

## Knative knative-v1.21.2

- Repo: https://github.com/knative/serving
- Date: 2026-03-24
- Web: https://releasecards.app/release/knative/serving/knative-v1.21.2
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/knative/serving/knative-v1.21.2.md

_Security Hardening and Preparation for v1.22_

This maintenance release focuses on preparing operators for upcoming security hardening and standardizing internal TLS networking logic. The most critical takeaway is the planned shift to secure-pod-defaults in the next major version.

- **Upcoming Change to Secure Pod Defaults** — You must evaluate your workloads now because the upcoming v1.22 release will enforce stricter security defaults (AllowRootBounded) that may break images requiring full root privileges. Explicitly setting this to disabled now will prevent unexpected downtime during future upgrades.

---

## Contour v1.33.3

- Repo: https://github.com/projectcontour/contour
- Date: 2026-03-23
- Web: https://releasecards.app/release/projectcontour/contour/v1.33.3
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/projectcontour/contour/v1.33.3.md

_Fortifying the Ingress Data Plane_

This maintenance release focuses on strengthening the security posture of the ingress stack by updating core dependencies. It includes essential security patches for Envoy Proxy and proactively addresses vulnerabilities in the gRPC library, alongside minor cleanup of deployment examples.

- **Envoy Proxy security update to v1.35.9** — This update includes critical security patches for Envoy Proxy. By upgrading, users protect their edge traffic from known vulnerabilities in the underlying data plane.
---

## Contour v1.31.5

- Repo: https://github.com/projectcontour/contour
- Date: 2026-03-23
- Web: https://releasecards.app/release/projectcontour/contour/v1.31.5
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/projectcontour/contour/v1.31.5.md

_Strengthening the Data Plane Foundation_

This release focuses on security and stability by upgrading the underlying Envoy Proxy and addressing dependency vulnerabilities. It also includes a minor cleanup to deployment manifests to improve port management on Kubernetes nodes.

- **Envoy Proxy security and stability update to v1.34.13** — This update includes critical security patches from the upstream Envoy Proxy. Since Envoy handles all data plane traffic, keeping it updated is essential for protecting your cluster against known vulnerabilities and ensuring traffic stability.

---

## wasmCloud v2.0.0

- Repo: https://github.com/wasmCloud/wasmCloud
- Date: 2026-03-22
- Web: https://releasecards.app/release/wasmCloud/wasmCloud/v2.0.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/wasmCloud/wasmCloud/v2.0.0.md

_The Road to Production: Observability, Security, and Speed_

wasmCloud v2.0.0 marks a major milestone with the introduction of production-ready metrics, upgraded Wasmtime support, and enhanced networking capabilities including gRPC and fine-grained host controls. The release also focuses on developer experience with a modernized CLI and improved security posture via critical dependency updates.

- **Built-in Metrics Support** — This provides deep visibility into your application performance and health, making it easier to monitor production workloads and debug bottlenecks.
- **Wasmtime 42 Integration** — Upgrading to the latest Wasmtime engine ensures improved performance, better security isolation, and support for the latest WebAssembly features and proposals.
- **HTTP2 and gRPC Support** — This enables high-performance communication for modern microservices, allowing for streaming data and more efficient service-to-service calls.
- **CRD Relocation in Helm Charts** — This move improves compatibility with standard Kubernetes tooling like Helm and Argo CD, but requires users to update their deployment paths or monitoring scripts.
- **Security Patch for RUSTSEC-2026-0007** — This fixes a critical security vulnerability found in your dependencies, ensuring your runtime environment remains protected against known exploits.

---

## Harbor v2.15.0

- Repo: https://github.com/goharbor/harbor
- Date: 2026-03-20
- Web: https://releasecards.app/release/goharbor/harbor/v2.15.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/goharbor/harbor/v2.15.0.md

_Smarter Storage and Strengthened Supply Chains_

Harbor 2.15.0 introduces smarter storage management with tag-aware garbage collection, enhanced proxy cache controls, and significant security hardening. This release also broadens ecosystem compatibility with support for Cosign v3 and JFrog OCI types while offering performance optimizations for high-traffic registries by allowing selective audit logging.

- **Tag deletion option for Garbage Collection** — Users can now better manage storage costs by optionally deleting associated tags during Garbage Collection, preventing the accumulation of orphaned tags in the registry.
- **Upstream connection limits for Proxy Caches** — Administrators can now prevent upstream registry exhaustion and improve stability by setting connection limits on proxy cache projects directly through the UI.
- **Enhanced supply chain security and token validation** — Critical security updates including a fix for a Bearer token rejection issue and a major Trivy bump to address supply chain incidents.
- **Expanded OCI and Cosign v3 support** — Harbor now supports modern OCI artifact types for JFrog registries and Cosign v3 bundle signatures, ensuring compatibility with the latest container ecosystem tools.
- **Option to disable database-backed audit logging** — Large-scale deployments can significantly reduce database overhead by disabling audit logging to the database during initialization.

---

## Dapr v1.17.2

- Repo: https://github.com/dapr/dapr
- Date: 2026-03-19
- Web: https://releasecards.app/release/dapr/dapr/v1.17.2
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.17.2.md

_Stabilizing Streams and Scaling Actors_

Dapr v1.17.2 addresses critical stability issues in large-scale actor deployments and high-throughput streaming scenarios. It introduces a safer way to handle pub/sub shutdowns and fixes a memory-intensive buffering issue in service invocation. Users on Kubernetes should pay close attention to a required CRD update for workflow configurations.

- **Critical Go Standard Library Security Fixes** — Protects your microservices from potential XSS via HTML templates, file system breakouts, and SSRF attacks originating from malformed URLs by upgrading to the latest Go toolchain.
- **Workflow Retention Policy CRD Type Change** — You must manually update your Configuration CRDs before upgrading to v1.17.2; otherwise, Dapr will fail to start on Kubernetes due to a data type mismatch in workflow retention policies.
- **Streaming Support for Service Invocation Memory Fix** — Solves 'Out of Memory' (OOM) crashes when handling large file uploads or streaming data by enabling true end-to-end streaming without buffering the entire payload in the sidecar.
- **Improved Actor Placement Stability for Large Clusters** — Prevents 'dissemination timeout' errors and unstable actor behavior in large scale deployments (50+ replicas) by optimizing how placement tables are synchronized across the cluster.
- **Reliable Pub/Sub Shutdown and DLQ Routing** — Ensures data integrity during rolling updates by holding messages during shutdown rather than incorrectly sending them to Dead-Letter Queues (DLQ).

---

## SPIFFE/SPIRE v1.14.3

- Repo: https://github.com/spiffe/spire
- Date: 2026-03-18
- Web: https://releasecards.app/release/spiffe/spire/v1.14.3
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.14.3.md

_Hardening trust and accelerating policy enforcement_

This release focuses on hardening the SPIRE Server against session-based authentication bypasses and significantly boosting performance for OPA policy evaluations. It also improves operational visibility by reporting agent versions to the server and addresses several stability issues related to AWS attestation, node re-attestation, and trust bundle synchronization.

- **Fixed TLS session ticket validation bypass on server endpoint** — This closes a potential security bypass where old, revoked, or rotated certificates could have been reused via TLS session tickets to maintain access to the SPIRE Server. Disabling tickets ensures every connection is verified against the current trust bundle.
- **Prevent selector leakage in agent logs** — This prevents internal metadata about your infrastructure (labels, tags, or environment specifics) from appearing in agent logs, reducing the risk of sensitive data exposure during log collection or auditing.
- **2x performance boost for OPA policy evaluation** — If you use OPA policies for authorizing workloads or entries, you will see significantly lower CPU overhead on the server, allowing for higher throughput and better scalability in complex environments.
- **Agent version reporting to SPIRE Server** — Platform engineers can now easily track which agent versions are running across their fleet using the standard CLI or API, simplifying lifecycle management and upgrade verification.
- **Fixed stalled periodic node cache rebuilds** — This ensures that nodes are correctly re-verified at their intended rhythm. If you rely on node re-attestation for security posture checks, this fix ensures those checks actually happen periodically as expected.

---

## Backstage v1.49.0

- Repo: https://github.com/backstage/backstage
- Date: 2026-03-17
- Web: https://releasecards.app/release/backstage/backstage/v1.49.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/backstage/backstage/v1.49.0.md

_Frontend Maturity and Intelligent Automation_

This release marks the 1.0 Release Candidate for the New Frontend System, making it the default for new applications. It also includes significant breaking changes as core UI components migrate to the native Backstage UI (BUI) library, alongside powerful new catalog filtering capabilities and enhanced AI/MCP integration.

- **New Frontend System 1.0 Release Candidate** — This is a major milestone for Backstage. New apps now use this system by default, which simplifies plugin development and provides a more modern, stable framework for building your portal frontend.
- **Significant Backstage UI and Entity Card Migration** — Multiple core components and entity cards have moved from Material UI to the new Backstage UI (BUI). You will need to update your code to handle prop changes, renamed CSS classes, and the new centralized routing requirement.
- **Removal of Legacy Bitbucket and Azure Integrations** — Code cleanup of long-deprecated features. If you are still using 'bitbucket' instead of 'bitbucketCloud/Server', or if you use specific Azure/Gerrit utility functions, your backend will break until updated.
- **Enhanced AI and MCP Integration Capabilities** — Massively expands what AI agents can do with your Backstage instance, including the ability to query the catalog, list scaffolder tasks, and retrieve logs via the Model Context Protocol (MCP).
- **CLI Refactored into Extensible Module System** — The CLI is now modular. This makes the tool faster and more extensible, but requires you to add '@backstage/cli-defaults' to your dependencies to avoid future breakage.

---

## Lima v2.1.0

- Repo: https://github.com/lima-vm/lima
- Date: 2026-03-17
- Web: https://releasecards.app/release/lima-vm/lima/v2.1.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/lima-vm/lima/v2.1.0.md

_Expanding Horizons with macOS Guests and AI Safety_

Lima v2.1.0 introduces experimental support for macOS and FreeBSD guests, significantly broadening its utility. It also adds safety features for AI workloads, optimizes disk and binary sizes, and streamlines the CLI with new commands for watching VMs and enabling nested virtualization.

- **Experimental support for macOS and FreeBSD guests** — Expands Lima beyond Linux, allowing users to run and test macOS and FreeBSD environments easily from the command line.
- **New sync mode for limactl shell** — Provides a safer way to run AI agents or untrusted scripts by ensuring changes in the shell do not accidentally corrupt or modify host files.
- **Improved disk efficiency and reduced binary footprint** — Reduces the overhead of the guest agent and optimizes disk storage by consolidating base and diff disks into a single file.
- **New CLI commands and shortcuts for nested virtualization** — Simplifies the process of enabling nested virtualization and monitoring VM status, making complex configurations more accessible.
- **Host-to-guest time synchronization** — Ensures that the guest VM clock stays in sync with the host, preventing issues with time-sensitive applications and authentication tokens.
---

## Longhorn v1.11.1

- Repo: https://github.com/longhorn/longhorn
- Date: 2026-03-13
- Web: https://releasecards.app/release/longhorn/longhorn/v1.11.1
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/longhorn/longhorn/v1.11.1.md

_Hardening Storage Stability and Backup Reliability_

Longhorn v1.11.1 is a critical patch release addressing a major memory leak in the instance manager and resolving S3/GCS backup failures. It also introduces enhancements for CSI topology-aware scheduling and improves the stability of the V2 (SPDK) data engine.

- **Critical instance manager memory leak resolution** — This prevents a serious memory leak in the instance manager pods that could otherwise cause node instability or OOM (Out of Memory) kills of critical storage components. Upgrade is highly recommended for users on v1.11.0.
- **S3 and GCS backup compatibility fixes** — Restores reliability for backups to S3-compatible sources and GCS. Users will no longer experience premature failures during large data transfers or authorization errors caused by SDK incompatibilities.
- **V2 Data Engine (SPDK) stability and speed improvements** — Improves the efficiency and correctness of replica rebuilding and cloning processes when using the new SPDK-based data engine.
- **CSI topology-aware PV nodeAffinity control** — Provides finer-grained control over where Persistent Volumes are scheduled based on Kubernetes topology, ensuring better data locality and alignment with cluster architecture.
- **Fixed incorrect storage double-counting in scheduler** — Fixes an issue where storage was counted twice during scheduling, which previously led to unnecessary scheduling failures even when nodes had sufficient space.
--- ## KubeEdge v1.23.0 - Repo: https://github.com/kubeedge/kubeedge - Date: 2026-03-11 - Web: https://releasecards.app/release/kubeedge/kubeedge/v1.23.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kubeedge/kubeedge/v1.23.0.md _Empowering Edge Intelligence and Resilience_ KubeEdge 1.23 focuses on production-ready AI at the edge and significant reliability improvements for autonomous node management. This release also prioritizes resource efficiency for low-power devices and provides better tools for developers to simulate edge environments. - **Introduction of Edge AI Framework v1.0.0** — Users can now run complex AI workloads at the edge more efficiently using a standardized framework, reducing the time from development to production deployment for edge intelligence. - **Enhanced Edge Node Autonomy and Self-healing** — Automates the health monitoring and recovery of edge nodes, keeping critical applications running even when network connections to the cloud are unstable. - **Reduced EdgeCore Memory Footprint** — Significantly lowers the hardware requirements for edge devices by decreasing the memory footprint of the edge core components, allowing for smaller, cheaper hardware. - **New Edge-specific Network Simulation Tools** — Developers can now more easily test edge-specific network configurations and behaviors in a controlled environment, speeding up the debugging process. - **Strengthened Cloud-Edge Communication Security** — Protects sensitive data transmission between the cloud and edge nodes by enforcing updated security protocols and cryptographic standards. 
--- ## cert-manager v1.20.0 - Repo: https://github.com/cert-manager/cert-manager - Date: 2026-03-10 - Web: https://releasecards.app/release/cert-manager/cert-manager/v1.20.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/cert-manager/cert-manager/v1.20.0.md _Expanding DNS Horizons and Strengthening Core Security_ A major update introducing support for Azure Private DNS, the new ListenerSets resource for advanced networking, and significant security hardening including a fix for a potential DNS-based Denial of Service. It also streamlines Gateway API integrations and promotes OtherNames support to Beta. - **Support for Azure Private DNS** — You can now use Azure Private DNS zones for DNS-01 challenges, enabling automated certificate management for internal-only Azure domains. - **Enhanced Helm Customization with Sidecars and NetworkPolicies** — Organizations requiring sidecar containers (e.g., for AWS IAM Roles Anywhere) or specific security network policies can now inject them directly via Helm, offering much better flexibility for enterprise environments. - **Security Patches and DoS Mitigation** — This release addresses two Go vulnerabilities and a potential DNS-related panic that could allow an attacker to crash the cert-manager controller. Upgrading ensures your certificate infrastructure remains stable and secure. - **Gateway API Enhancements and ListenerSets Support** — The introduction of ListenerSets (Alpha) and improved parentRef handling provides more robust and flexible integration with modern Kubernetes networking via the Gateway API. - **Improved Reliability and Error Handling** — The controller now validates certificates against CSRs before saving them, prevents infinite renewal loops if an issuer misbehaves, and improves error reporting for CA and DNS-01 failures. 
--- ## semantic-router v0.2.0 - Repo: https://github.com/vllm-project/semantic-router - Date: 2026-03-10 - Web: https://releasecards.app/release/vllm-project/semantic-router/v0.2.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/vllm-project/semantic-router/v0.2.0.md _Athena: The Dawn of Signal-Driven Intelligence_ v0.2.0 introduces 'Athena', a massive update that pivots the project toward a signal-driven architecture with a visual DSL, ML-based model selection, and integrated RAG capabilities. - **Advanced Domain Specific Language (DSL) and Visual Builder** — You can now route requests based on a highly complex set of conditions using a full DSL. This includes a visual builder in the dashboard, making it much easier to design sophisticated logic without manually writing JSON configs. - **ML-Driven Model Selection and RL Optimization** — The router can now use Reinforcement Learning and other ML algorithms (like Elo ratings and MLP) to automatically select the best model for a given prompt, ensuring optimal performance and cost-efficiency without manual rule-tweaking. - **Native RAG Support and Vector Store Integration** — You now have built-in support for retrieval-augmented generation (RAG) directly within the router, including a document ingestion pipeline and hybrid search capabilities with backends like Milvus and Llama Stack. - **AMD GPU ROCm Support and Flash Attention Optimization** — Adds support for AMD GPUs via ROCm/ONNX and Flash Attention. This significantly speeds up signal extraction and classification for users running on AMD hardware. - **Agentic Memory and Persistent Context Storage** — The router can now remember past interactions using a configurable agentic memory. It supports advanced features like retention scoring (pruning old memories) and persistent storage via Redis or Milvus. 
--- ## Dapr v1.17.1 - Repo: https://github.com/dapr/dapr - Date: 2026-03-09 - Web: https://releasecards.app/release/dapr/dapr/v1.17.1 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.17.1.md _Stabilizing Actor Placement and Restoring WASM Support_ This maintenance release addresses a critical regression for WASM components and provides significant performance optimizations for the placement service in large-scale actor environments. It also includes important reliability fixes for workflow state cleanup and pub/sub batching logic. - **Restore WASM binding and middleware on standard architectures** — If you rely on WASM-based logic for custom processing or integrations, this fix is critical as these components were previously broken on standard production architectures like amd64 and arm64. - **Eliminate unnecessary placement updates for non-actor sidecars** — This optimization prevents disruptive cluster-wide locks and unnecessary updates whenever a non-actor sidecar connects or disconnects, leading to much better stability and performance for actor-heavy workloads in large clusters. - **Fix state retention for unstalled workflows** — Users managing heavy workflow workloads can now rely on state retention policies to clean up previously stalled workflows, preventing unbounded growth and potential cost/performance issues in the state store. - **Correct bulk subscription dispatch timing** — Bulk pub/sub consumers will see more efficient batching and fewer 'empty' or small calls, as the timer now correctly resets after a message count threshold is met. 
--- ## Dapr v1.16.10 - Repo: https://github.com/dapr/dapr - Date: 2026-03-06 - Web: https://releasecards.app/release/dapr/dapr/v1.16.10 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.16.10.md _Hardening Data Integrity and Restoring WASM Portability_ Dapr v1.16.10 is a critical maintenance release that restores functionality for WASM components, introduces strict schema validation for Pulsar PubSub, and addresses security vulnerabilities by upgrading core dependencies like the Go runtime and OpenTelemetry SDK. - **Strict Avro Schema Validation for Pulsar PubSub** — Prevents silent data corruption and consumer-side crashes by ensuring messages strictly match Pulsar Avro schemas before they are published. This adds a critical safety layer for event-driven architectures. - **Restored WASM Component Support on Standard Architectures** — Restores the ability to use WebAssembly (WASM) components on standard production architectures (amd64/arm64). If your application relies on WASM for custom middleware or logic, this fix is required to prevent startup failures. - **Security Hardening via Go and OpenTelemetry Upgrades** — Protects your Dapr installation against arbitrary code execution risks and other known vulnerabilities by upgrading the underlying Go runtime and OpenTelemetry SDK. - **Pulsar PubSub Performance Optimization** — Reduces latency and CPU overhead during Pulsar message publishing by caching the Avro codec instead of recompiling it for every request. 
--- ## CoreDNS v1.14.2 - Repo: https://github.com/coredns/coredns - Date: 2026-03-06 - Web: https://releasecards.app/release/coredns/coredns/v1.14.2 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/coredns/coredns/v1.14.2.md _Fortifying the Core: Proxy Support and Security Hardening_ CoreDNS v1.14.2 introduces the proxyproto plugin for improved load balancer integration, addresses several security vulnerabilities (including CVE-2026-26017 and CVE-2026-26018), and provides essential bug fixes for IPv6, CNAME handling, and Kubernetes stability. - **Introduction of Proxy Protocol support via proxyproto plugin** — If you run CoreDNS behind a load balancer, you can now preserve the original client IP addresses, which is critical for logging, ACLs, and routing policies. - **Critical security fixes for ACL bypass and loop detection** — This release fixes a critical ACL bypass and a loop detection vulnerability, while also updating the underlying Go runtime to address several CVEs. Upgrading is highly recommended for any production environment. - **Refined DNS handling for CNAMEs and TLS+IPv6 forwarding** — These improvements ensure that DNS responses are more accurate and reliable, particularly when using complex CNAME configurations or forwarding over IPv6 with TLS. - **Fix for Kubernetes plugin crash** — Prevents unexpected downtime for users running CoreDNS in Kubernetes environments where ListenHosts might be empty. --- ## Strimzi 0.51.0 - Repo: https://github.com/strimzi/strimzi-kafka-operator - Date: 2026-03-06 - Web: https://releasecards.app/release/strimzi/strimzi-kafka-operator/0.51.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/strimzi/strimzi-kafka-operator/0.51.0.md _Securing the Future with Modern Infrastructure and Kafka 4.2.0_ Strimzi 0.51.0 is a significant update focused on security and modernization. 
It introduces critical security fixes, adds support for Kafka 4.2.0, and mandates a move to Kubernetes 1.30+. It also continues the transition to the v1 API for custom resources and marks the beginning of the end for Ingress-based listeners. - **Critical Security Patches (CVE-2026-27133 and CVE-2026-27134)** — Critical security vulnerabilities are addressed in this version. Users on version 0.47.0 or newer must upgrade immediately to protect their clusters from potential exploits documented in CVE-2026-27133 and CVE-2026-27134. - **Updated Kubernetes and Kafka Version Requirements** — Support for older Kubernetes versions (1.27 through 1.29) and older Kafka versions (4.0.0 and 4.0.1) has been dropped. You must ensure your underlying infrastructure and Kafka workloads are compatible before upgrading. - **Support for Kafka 4.2.0 and Enhanced Listener Configuration** — Allows you to utilize the latest Kafka features and fixes. Additionally, new per-listener configuration options provide more granular control over connection limits and re-authentication settings. - **Mandatory v1 API Migration and CRD Upgrades** — Strimzi is moving toward the v1 API; users must upgrade CRDs and migrate KafkaUser resources to the new ACL operations field. Failure to do so may lead to configuration errors or future upgrade failures. - **ServerSideApplyPhase1 Enabled by Default** — By moving to Beta and being enabled by default, this change improves how the operator manages resource state and conflicts, leading to more reliable resource synchronization. 
--- ## SPIFFE/SPIRE v1.14.2 - Repo: https://github.com/spiffe/spire - Date: 2026-03-03 - Web: https://releasecards.app/release/spiffe/spire/v1.14.2 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.14.2.md _Hardening Node Attestation Security_ This security-focused patch release addresses two vulnerabilities in node attestor plugins: a Server-Side Request Forgery issue in the http_challenge plugin and a CPU exhaustion (DoS) vulnerability in the x509pop plugin. - **SSRF vulnerability fix in http_challenge attestor** — This fix prevents a vulnerability where an attacker could force the SPIRE Server to perform unauthorized network requests (SSRF) and leak data from internal or external endpoints. It is critical for users relying on HTTP-based node attestation to secure their infrastructure. - **DoS mitigation for x509pop node attestation** — This patch mitigates a potential denial-of-service (DoS) attack where a malicious actor could exhaust the SPIRE Server's CPU resources during the attestation process, ensuring the availability and reliability of identity issuance. --- ## SPIFFE/SPIRE v1.13.4 - Repo: https://github.com/spiffe/spire - Date: 2026-03-03 - Web: https://releasecards.app/release/spiffe/spire/v1.13.4 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.13.4.md _Hardening Node Attestation Security_ This security-focused patch release addresses two vulnerabilities in node attestor plugins: a data leakage risk via SSRF in the http_challenge plugin and a resource exhaustion risk in the x509pop plugin. - **Fix SSRF vulnerability in http_challenge attestor plugin** — Protects your infrastructure from Server-Side Request Forgery (SSRF) attacks. Without this fix, an attacker could trick the SPIRE Server into making unauthorized requests to internal resources and leaking portions of the response data. 
- **Mitigate CPU exhaustion vulnerability in x509pop attestor plugin** — Prevents potential denial-of-service (DoS) scenarios where an attacker could exhaust SPIRE Server CPU resources during the attestation process, ensuring the identity issuance service remains available for legitimate workloads. --- ## Dapr v1.17.0 - Repo: https://github.com/dapr/dapr - Date: 2026-02-27 - Web: https://releasecards.app/release/dapr/dapr/v1.17.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dapr/dapr/v1.17.0.md _Production-Grade Workflows and Stable High-Volume Messaging_ Dapr 1.17 focuses heavily on making Workflows production-ready with new versioning tools, state retention policies, and a 41% increase in throughput. The release also stabilizes Bulk PubSub, adds powerful new CLI management commands, and improves the resilience of the Placement service during scaling events. - **Workflow Versioning and Patching Support** — You can now safely update workflow code without crashing existing, long-running tasks. This solves the 'deterministic replay' problem, making Dapr Workflows much more reliable for complex production business logic. - **Workflow State Retention Policies** — Prevents your state store from being overwhelmed by old workflow data. You can now automatically clean up successful workflows quickly while keeping failed ones longer for debugging. - **Significant Workflow and Actor Performance Boosts** — Your workflows and actors will run faster and handle more load with the same hardware. A 41% jump in workflow throughput is a massive efficiency gain for high-volume users. - **Bulk PubSub APIs Promoted to Stable** — Bulk operations are now reliable and officially supported for production. Swapping to the stable API ensures long-term compatibility and reduces the overhead of processing messages one-by-one. - **New CLI Commands for Workflow and Scheduler Management** — Managing workflows and scheduled jobs is much easier. 
You can now list, resume, or purge workflows directly from the command line instead of writing custom API calls or querying databases manually. --- ## Flux v2.8.0 - Repo: https://github.com/fluxcd/flux2 - Date: 2026-02-24 - Web: https://releasecards.app/release/fluxcd/flux2/v2.8.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/fluxcd/flux2/v2.8.0.md _Modernizing Helm GitOps and Accelerating Recovery_ Flux v2.8.0 introduces major enhancements to Helm management with Helm v4 support and CEL health checks, alongside significant performance improvements in application recovery times. This release also marks the final removal of legacy beta APIs and expands notification capabilities to include direct Pull Request commenting. - **Removal of deprecated v1beta2 and v2beta2 APIs** — If you are still using the deprecated v1beta2 or v2beta2 APIs, your resources will stop reconciling and you must migrate to the v2 GA APIs immediately. - **Advanced Helm v4 support and CEL health checks** — You can now leverage Helm v4 features like server-side apply, use CEL expressions for highly custom health checks, and better track managed resources via status inventory. - **Faster recovery via CancelHealthCheckOnNewRevision** — New revisions will now preempt stuck or slow health checks, significantly reducing the time it takes for your applications to recover during deployment cycles. - **Direct Pull Request commenting from Flux notifications** — Operations teams can now see deployment status and engage in feedback loops directly within Pull Request comments, streamlining the GitOps workflow. - **Support for Cosign v3 image verification** — Ensures modern security standards and better compatibility for users verifying OCI artifacts and container images using the latest Cosign tooling. 
--- ## Contour v1.33.2 - Repo: https://github.com/projectcontour/contour - Date: 2026-02-20 - Web: https://releasecards.app/release/projectcontour/contour/v1.33.2 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/projectcontour/contour/v1.33.2.md _Sharpening Status Reporting and Shutdown Reliability_ This patch release focuses on improving the stability of status reporting for HTTPProxy resources and enhancing the reliability of the shutdown process when using the Gateway Provisioner. It also includes an update to the Go runtime. - **Fix HTTPProxy load balancer status update failures** — This fixes an issue where HTTPProxy status updates would fail because of a schema validation error. Ensuring the load balancer status is accurate is critical for automated tooling and visibility into whether your services are correctly exposed. - **Increased CPU limits for shutdown-manager to prevent throttling** — If you use the Contour Gateway Provisioner, this change prevents the shutdown-manager from being throttled during pod termination. This ensures smoother, more reliable connection draining and cleaner shutdowns of Envoy instances. --- ## Thanos v0.41.0 - Repo: https://github.com/thanos-io/thanos - Date: 2026-02-12 - Web: https://releasecards.app/release/thanos-io/thanos/v0.41.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/thanos-io/thanos/v0.41.0.md _High-Efficiency Querying and Scalable Sharding_ This release introduces major performance optimizations through RPC batching and improves architectural stability for large-scale deployments. It also aligns with the latest Prometheus features while introducing a breaking change for Thanos Receive users. - **Batched Series and Query RPCs** — This significantly reduces the network overhead and resource consumption (CPU/RAM) during query execution, leading to faster and more efficient data retrieval. 
- **Consistent Hashing for Receive Shuffle Sharding** — If you use shuffle sharding in Thanos Receive, upgrading will cause tenant-to-node assignments to change. This ensures better stability at scale but requires planning for the data movement during the transition. - **Enhanced Shipper and Sidecar Configuration Flags** — Gives operators more granular control over disk usage and concurrency during block uploads and compaction, allowing for better tuning in high-throughput environments. - **Stability Fixes for Store and Receive Components** — Eliminates several stability issues, including a potential panic in the Store component and an infinite retry loop in Receive replication when using capnproto. --- ## Cilium v1.19.0 - Repo: https://github.com/cilium/cilium - Date: 2026-02-04 - Web: https://releasecards.app/release/cilium/cilium/v1.19.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/cilium/cilium/v1.19.0.md _A Decade of Cloud Native Networking: Hardening Security and Scale_ Cilium 1.19.0 marks a decade of the project with major advancements in encryption, including Ztunnel support and strict encryption modes. It introduces more powerful DNS-based network policies, significant performance gains in policy computation, and shifts its BGP implementation to a more robust v2 API. Substantial focus was also placed on operational ease for multi-cluster environments and enhanced observability via Hubble. - **Multi-Level DNS Match Patterns** — You can now use wildcard prefixes to match entire subdomain trees, significantly simplifying the management of external access policies for complex web services. - **Ztunnel Integration for Service Mesh (Beta)** — Enables a service-mesh-like experience by allowing namespaces to participate in transparent TCP encryption and authentication via Ztunnel.
- **Strict Mode for IPsec and WireGuard Encryption** — Ensures that all traffic between nodes is encrypted by dropping any unencrypted packets, providing a higher security guarantee for sensitive environments. - **Network Policy and Connection Tracking Optimizations** — Reduces CPU and memory overhead when managing large numbers of network policies and improves connection tracking efficiency in tunneled environments. - **BGP v2 Migration and Policy Scope Changes** — Users relying on BGP must migrate to the v2 API, and cluster mesh users need to be aware of new default behaviors where policy selectors now limit traffic to the local cluster unless specified otherwise. --- ## Buildpacks v0.40.0 - Repo: https://github.com/buildpacks/pack - Date: 2026-02-03 - Web: https://releasecards.app/release/buildpacks/pack/v0.40.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/buildpacks/pack/v0.40.0.md _Standardizing Environments and Expanding Horizons_ This release introduces the Execution Environment RFC implementation and migrates to the Moby Docker client. It also expands platform compatibility with FreeBSD support and updates the default lifecycle to version 0.21.0. - **Execution Environment RFC Implementation** — This release implements the Execution Environment RFC, providing a more robust and standardized way to manage the environments where builds take place, leading to more predictable build outcomes. - **Default Lifecycle updated to v0.21.0** — Automatically bundling the latest lifecycle version ensures that new builds benefit from the most recent bug fixes and standard improvements in the Cloud Native Buildpacks ecosystem. 
--- ## KEDA v2.19.0 - Repo: https://github.com/kedacore/keda - Date: 2026-02-02 - Web: https://releasecards.app/release/kedacore/keda/v2.19.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kedacore/keda/v2.19.0.md _Expanding Native Integration and Deepening Scaler Intelligence_ This release introduces a new Kubernetes Resource scaler and significant security and observability improvements. While it removes the sunsetted NATS Streaming scaler, it adds robust new features for MongoDB, AWS, and Dynatrace users, alongside refined event logging for better troubleshooting. - **New Kubernetes Resource Scaler** — You can now scale workloads based on the status or count of other Kubernetes resources directly, providing a native way to create dependencies between different objects in your cluster without external metrics. - **Removal of NATS Streaming Scaler** — Support for NATS Streaming (STAN) has been removed following its official deprecation. Users still relying on STAN must migrate to JetStream or alternative scalers before upgrading. - **File-based Authentication for ClusterTriggerAuthentication** — Cluster-wide authentication now supports reading credentials from local files, simplifying security setups for platforms that inject secrets or tokens as files rather than environment variables. - **Enhanced Observability and Activity Tracking** — KEDA now emits more detailed Kubernetes events and tracks activity per individual trigger. This makes it significantly easier to debug complex ScaledObjects with multiple triggers and understand exactly why a scale-out or scale-in event occurred. - **Expanded Scaler Capabilities (MongoDB, AWS, Dynatrace)** — Major updates to popular scalers, including TLS support for MongoDB, DQL query support for Dynatrace, cross-account observability for AWS CloudWatch, and FilterExpression support for DynamoDB. 
--- ## Argo v3.3.0 - Repo: https://github.com/argoproj/argo-cd - Date: 2026-02-02 - Web: https://releasecards.app/release/argoproj/argo-cd/v3.3.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/argoproj/argo-cd/v3.3.0.md _Mastering the Server-Side with Smarter Diffs and Expanded Actions_ Argo CD v3.3.0 introduces deep integration with Kubernetes Server-Side Apply and Server-Side Diffs for more accurate manifest management. It also significantly expands the library of custom actions (CloudNativePG, KEDA) and native health checks, while requiring a specific migration path for self-managed installations. - **Server-Side Apply Migration Requirement for Self-Managed Argo CD** — Updating an Argo CD instance that manages itself now requires specific Server-Side Apply settings to prevent sync failures during the migration. Failure to follow the upgrade guide may break your deployment pipeline. - **Support for Server-Side Diffs and Server-Side Apply (SSA)** — Server-side diffs provide a more accurate representation of what will change on the cluster, reducing 'ghost' diffs and improving confidence before syncing. - **Expanded Custom Actions for CloudNativePG and KEDA** — Users can now perform common database and scaling operations (reload, restart, promote, merge PRs, pause KEDA jobs) directly from the Argo CD interface/CLI, reducing the need to switch tools. - **New Sync Hooks and Wave-Based Pruning** — Provides finer control over resource lifecycles, allowing for cleanup logic before deletion and more efficient resource removal based on sync wave logic. - **New Health Checks for Grafana Operator and Ceph CRDs** — Native health monitoring for more ecosystem tools like Grafana, Ceph, and ServiceBindings ensures your applications show an accurate 'Healthy' status in the dashboard. 
--- ## Volcano v1.14.0 - Repo: https://github.com/volcano-sh/volcano - Date: 2026-01-31 - Web: https://releasecards.app/release/volcano-sh/volcano/v1.14.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/volcano-sh/volcano/v1.14.0.md _Scaling Intelligence with Multi-Scheduler Synergy and AI-Specific Innovation_ Volcano v1.14.0 transforms into a unified scheduling platform for both high-throughput batch jobs and latency-sensitive AI agents. Key additions include a scalable multi-scheduler architecture, enhanced network topology awareness for LLM training, and expanded colocation capabilities for generic Linux distributions. The release also brings deep integration for Ascend vNPU hardware and multi-cluster training through the new HyperJob API. - **Scalable Multi-Scheduler Architecture (Alpha)** — Enables Volcano to scale across massive clusters by distributing workloads across multiple coordinated schedulers, preventing the single-scheduler bottleneck. - **New High-Speed Agent Scheduler** — Specifically designed for latency-sensitive AI Agent workloads, this provides ultra-fast scheduling and high throughput that the standard batch scheduler couldn't guarantee. - **Enhanced Network Topology Aware Scheduling** — Optimizes distributed training (like LLMs) by better managing how tasks are placed across network boundaries and subgroups. - **Colocation Support for Generic Operating Systems** — Users can now run resource-sharing (online/offline) workloads on standard Linux distributions like Ubuntu and CentOS with advanced CPU and memory protections. - **Integrated Ascend vNPU Virtualization** — Provides native support for sharing and virtualizing Ascend AI accelerators, maximizing hardware utilization for AI inference and training.
--- ## Longhorn v1.11.0 - Repo: https://github.com/longhorn/longhorn - Date: 2026-01-29 - Web: https://releasecards.app/release/longhorn/longhorn/v1.11.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/longhorn/longhorn/v1.11.0.md _High-Performance Evolution and Proactive Health Management_ Longhorn v1.11.0 advances the V2 Data Engine to Technical Preview with ublk support while introducing significant performance gains for the V1 engine through parallel rebuilding. This release also focuses on cluster operational health with S.M.A.R.T. disk monitoring and intelligent replica balancing, though users must immediately apply hotfixes to resolve critical manager regressions. - **V2 Data Engine Graduates to Technical Preview** — The high-performance V2 engine is now more stable and ready for testing. It includes support for the ublk frontend to improve I/O, though users must detach volumes before upgrading as live upgrades are not yet supported. - **Parallel Replica Rebuilding for V1 Engine** — Volume recovery for the V1 engine is now much faster because data can be streamed from multiple healthy replicas at once instead of just one. - **Advanced Health Monitoring and Balance-Aware Scheduling** — Provides better cluster stability and preventative maintenance by monitoring physical disk health via S.M.A.R.T. data and automating replica placement to prevent uneven storage consumption. - **Support for StorageClass allowedTopologies and RWOP** — Administrators gain finer control over storage placement to comply with high-availability requirements or geographic constraints. - **Critical Regression Hotfixes for v1.11.0 Manager Images** — Users MUST use the specific hotfix-1 images for longhorn-manager and instance-manager to avoid serious issues like memory leaks and deadlocks during node label updates.
--- ## Helm v4.1.0 - Repo: https://github.com/helm/helm - Date: 2026-01-21 - Web: https://releasecards.app/release/helm/helm/v4.1.0 - Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/helm/helm/v4.1.0.md _Greasing the Wheels of Automation and Observability_ Helm v4.1.0 introduces significant refinements to the --wait flag, improves logging transparency during deployments, and fixes a critical regression regarding Kubernetes version suffixes. It also adds several automation-friendly features like headerless repo listing and performance improvements for dependency management. - **Enhanced wait strategies and observability logs** — Users can now choose specific wait strategies (like hookOnly) and gain better visibility via chart names and namespaces in logs, making it easier to debug complex deployments. - **Restored Kubernetes vendor-specific version suffixes** — Charts that rely on detecting specific Kubernetes cloud providers (like EKS or GKE) will no longer fail due to missing version suffixes. - **Headerless output for helm repo list** — This enables cleaner output for shell scripting and automation pipelines when managing Helm repositories. - **Fixed environment variable passing to plugins** — Ensures that custom plugins and getter tools receive necessary environment variables to function correctly, resolving a regression from previous versions. - **SDK enhancements for custom status reading and archiving** — Developers building on top of Helm can now use custom kstatus readers and a new LoadArchive utility for more flexible chart handling. 
---

## CoreDNS v1.14.1

- Repo: https://github.com/coredns/coredns
- Date: 2026-01-16
- Web: https://releasecards.app/release/coredns/coredns/v1.14.1
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/coredns/coredns/v1.14.1.md

_Hardening Security and Streamlining Proxy Performance_

CoreDNS v1.14.1 is a critical security and maintenance release that addresses multiple CVEs inherited from the Go runtime. It also introduces performance optimizations for the proxy plugin to improve connection handling.

- **Security patches for multiple CVEs via Go runtime update** — This update patches several critical vulnerabilities in the underlying Go runtime, including issues related to certificate validation and memory management. Upgrading is essential to protect your DNS infrastructure from potential exploits.
- **Enhanced Proxy performance via multiplexed connections** — By switching to a mutex-based connection pool for the proxy plugin, the server can handle upstream requests more efficiently under load, resulting in better throughput and lower latency.

---

## Dragonfly v2.4.0

- Repo: https://github.com/dragonflyoss/dragonfly
- Date: 2026-01-12
- Web: https://releasecards.app/release/dragonflyoss/dragonfly/v2.4.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/dragonflyoss/dragonfly/v2.4.0.md

_Turbocharged P2P Transfers and Smarter Scheduling_

This release introduces the high-performance Vortex P2P protocol, a load-aware scheduling algorithm, and a unified Rust client. It brings major improvements to data deduplication, multi-cluster management, and Nydus image reliability while deprecating the older Go client.

- **New Vortex P2P Transfer Protocol (TCP/QUIC)** — The new Vortex protocol (based on TLV) significantly reduces download times (up to 50%) and memory pressure, making P2P transfers much faster and more efficient than standard gRPC.
- **Two-Stage Load-Aware Scheduling Algorithm** — The load-aware scheduling algorithm optimizes peer selection based on real-time node load, preventing bottlenecks and improving overall P2P network performance.
- **Go Client Deprecated in Favor of Rust Client** — Users must transition to the Rust-based client as the Go client will no longer receive updates. This move promises better performance and stability for future deployments.
- **Deduplication via SHA256 Task IDs** — By using blob SHA256 instead of URLs to identify tasks, Dragonfly prevents downloading the same data twice if it exists under different registry domains or aliases.
- **Simplified Multi-Cluster Kubernetes Deployment** — Simplifies the management of multi-cluster Kubernetes environments by allowing explicit cluster ID assignment, ensuring predictable traffic routing between clusters.

---

## CoreDNS v1.14.0

- Repo: https://github.com/coredns/coredns
- Date: 2026-01-08
- Web: https://releasecards.app/release/coredns/coredns/v1.14.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/coredns/coredns/v1.14.0.md

_Strengthening the Core: Security Hardening and Smarter Observability_

The v1.14.0 release prioritizes the stability and security of the DNS server. It introduces critical safeguards against resource exhaustion via regex limits and Kubernetes API rate limiting, while also providing developers and operators with better observability through plugin chain tracking and refined error logging.

- **Regex Length Limits for Resource Hardening** — By limiting the length of regular expressions, the server is protected against potential ReDoS (Regular Expression Denial of Service) attacks that could otherwise exhaust CPU and memory resources.
- **Kubernetes API Rate Limiting** — Rate limiting prevents the CoreDNS Kubernetes plugin from overwhelming the Kubernetes API server during high-load scenarios, ensuring cluster stability and preventing API throttling.
- **Enhanced Metrics with Plugin Chain Tracking** — Operators can now gain deeper insights into how requests travel through the plugin middleware, making it significantly easier to debug performance bottlenecks and configuration issues.
- **Improved Error Handling and Signal-to-Noise Ratio** — Reduces log noise by allowing users to consolidate error logs while still seeing the first occurrence of a specific error, and fixes misleading warnings in the file and sign plugins.

---

## CRI-O v1.35.0

- Repo: https://github.com/cri-o/cri-o
- Date: 2025-12-23
- Web: https://releasecards.app/release/cri-o/cri-o/v1.35.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/cri-o/cri-o/v1.35.0.md

_Deep Insight and Standardized Modernization_

CRI-O v1.35.0 focuses on significantly enhancing observability through new metrics families (DiskIO, PSI, and Spec), while standardizing internal annotation structures and hardening security against malicious image parsing. It also introduces breaking changes to metric categories and registry handling that require configuration updates.

- **Metric relocation for container memory limits** — The relocation of this metric may break existing monitoring dashboards and alerting rules. You must update your configuration to include the 'spec' family in 'included_pod_metrics' to continue receiving this data.
- **Expanded observability with new DiskIO and PSI metrics** — New metrics for DiskIO, PSI (Pressure Stall Information), and file descriptors provide significantly better visibility into container resource bottlenecks and health.
- **Standardized annotation naming to kubernetes-recommended format** — While v2 format is now preferred, existing annotations are still supported. This aligns CRI-O with Kubernetes naming standards and simplifies configuration management.
- **Fixed memory allocation vulnerability (CVE-2025-58183)** — Protects the system from denial-of-service attacks triggered by malicious container images designed to exhaust memory during parsing.
- **Insecure registries option deprecated and disabled** — The --insecure-registries flag no longer functions. Users should transition to using more secure registry communication methods or alternative configuration files.

---

## SPIFFE/SPIRE v1.14.0

- Repo: https://github.com/spiffe/spire
- Date: 2025-12-11
- Web: https://releasecards.app/release/spiffe/spire/v1.14.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/spiffe/spire/v1.14.0.md

_Cloud-Native Expansion and Configuration Hardening_

This release introduces native Azure node attestation, expands Docker security selectors, and adds server-side plugin validation. It also modernizes cryptographic options with P-384 support and cleans up deprecated agent configurations.

- **New Azure IMDS node attestor plugin** — Users running workloads in Azure can now securely verify node identity using the native Azure Instance Metadata Service, simplifying authentication for Azure-based deployments.
- **Enhanced Docker image validation selector** — Users can now narrow down container security policies by validating the specific configuration digest of a Docker image, preventing spoofing via tags.
- **Configuration validation for server plugins** — Developers can catch syntax and configuration errors in plugins before starting the server, reducing downtime caused by invalid settings.
---

## Operator Framework v1.42.0

- Repo: https://github.com/operator-framework/operator-sdk
- Date: 2025-11-13
- Web: https://releasecards.app/release/operator-framework/operator-sdk/v1.42.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/operator-framework/operator-sdk/v1.42.0.md

_Modernizing Helm Scaffolding and Streamlining Builds_

This release introduces support for OCI-based Helm registries, updates the Ansible plugin to version 1.42.0, and optimizes Docker build workflows. It also includes critical security bumps for core dependencies like Helm and containerd.

- **Support for OCI Helm Registry Scaffolding** — You can now project and scaffold operators using Helm charts stored in OCI registries, aligning with modern container-native distribution patterns and improving flexibility for Helm-based operators.
- **Optimized Go Build Process in Dockerfiles** — By utilizing the Go version already present in the builder image, Docker builds are now more efficient and less dependent on external network calls during the build process.
- **Ansible Plugin Updated to v1.42.0** — Ansible-based operator developers get access to the latest plugin features and updated dependencies, ensuring compatibility with the newest Ansible ecosystem standards.

---

## Vitess v23.0.0

- Repo: https://github.com/vitessio/vitess
- Date: 2025-11-04
- Web: https://releasecards.app/release/vitessio/vitess/v23.0.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/vitessio/vitess/v23.0.0.md

_Standardization and Modernization: Aligning with MySQL 8.4 and Evolution of CLI Conventions_

Vitess v23.0.0 marks a major milestone with the move to MySQL 8.4 as the default, a massive standardization of CLI flags (transitioning from underscores to dashes), and the introduction of long-awaited SQL features like Recursive CTEs and Multi-Query execution.
It also introduces experimental query throttling and significantly more granular control over Online DDL and VTOrc recoveries.

- **Massive CLI Flag Renaming (989 Flags)** — Automation and scripts using underscore-style flags must be updated to use dashes (e.g., --flag-name). While both work in v23, underscore support will be removed in v25.
- **Default MySQL Upgraded to 8.4 (LTS)** — The default MySQL version is now 8.4.6. Users on Vitess Operator must perform a manual upgrade sequence involving innodb_fast_shutdown=0 to avoid data corruption or startup issues.
- **Support for WITH RECURSIVE CTEs** — You can now perform recursive queries directly in Vitess, which is essential for managing hierarchical data like organizational charts or bill-of-materials.
- **Native Multi-Query Execution Support** — Reduces application latency and network overhead by allowing multiple SQL statements to be sent to VTGate in a single network round trip.
- **Shard-Specific Online DDL Completion** — Allows safer, gradual schema rollouts by completing Online DDL migrations on a shard-by-shard basis rather than all at once.

---

## Chaos Mesh v2.8.0

- Repo: https://github.com/chaos-mesh/chaos-mesh
- Date: 2025-09-30
- Web: https://releasecards.app/release/chaos-mesh/chaos-mesh/v2.8.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/chaos-mesh/chaos-mesh/v2.8.0.md

_Modernizing the Core for Faster Chaos_

This release focuses on a major modernization of the internal stack, including a transition to Go 1.24 and a complete overhaul of the Dashboard UI architecture for better performance. It also streamlines the deployment process via Helm and cleans up legacy tools like chaosctl.

- **Major Dashboard UI Modernization** — The transition from pnpm, vite, and swc, along with moving from Redux to Zustand, means the web dashboard is much faster to build, lighter to load, and less prone to UI state bugs.
- **Updated Base Toolchain to Go 1.24 and K8s 1.33** — Upgrading to Go 1.24 and Kubernetes 1.33 ensures compatibility with the latest container ecosystems and provides performance and security improvements inherited from the updated toolchains.
- **Enhanced Helm Chart Customization** — Deployment is more flexible now, allowing users to inject custom Kubernetes objects (like ConfigMaps or Secrets) directly through the Helm chart without manual post-processing.
- **Infrastructure and Security Hardening** — Updating the base images from Bullseye to Bookworm and bumping dependencies like Docker and Cosign addresses numerous underlying system vulnerabilities.

---

## Contour v1.33.0

- Repo: https://github.com/projectcontour/contour
- Date: 2025-09-09
- Web: https://releasecards.app/release/projectcontour/contour/v1.33.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/projectcontour/contour/v1.33.0.md

_Leaner, Greener, and More Secure Ingress_

Contour v1.33.0 prioritizes security and standards compliance by adopting distroless Envoy images and upgrading to Gateway API v1.3.0. The release also includes essential bumps for Envoy and Go.

- **Default Envoy image switched to distroless variant** — By switching to distroless images, the attack surface of your data plane is significantly reduced as the containers no longer include a shell, package manager, or other unnecessary OS utilities.
- **Gateway API updated to v1.3.0** — Users can now take advantage of the latest Gateway API features and improvements, ensuring compatibility with the standard Kubernetes routing evolution.
---

## Fluentd v1.19.0

- Repo: https://github.com/fluent/fluentd
- Date: 2025-07-30
- Web: https://releasecards.app/release/fluent/fluentd/v1.19.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/fluent/fluentd/v1.19.0.md

_Faster streams and safer buffers with Zstd and core optimizations_

This release introduces Zstd compression across multiple plugins and includes a significant suite of performance improvements. It also focuses on operational reliability with new buffer evacuation features, enhanced metrics for better observability, and critical bug fixes for data integrity in the tail input and CSV formatter.

- **Support for Zstandard (zstd) compression** — Zstd provides a better balance between compression ratio and CPU usage than gzip, allowing for more efficient data transfer and storage across buffers and network forwards.
- **Substantial core performance optimizations** — A massive sweep of performance optimizations across the core engine means higher throughput and lower resource overhead for high-volume logging environments.
- **Enhanced monitoring and metrics visibility** — You can now better monitor the health of your pipelines with default input metrics and new counters for tracked files, secondary output events, and dropped buffer chunks.
- **Critical data corruption fix in in_tail** — Fixes an old but critical bug where certain encoding settings could lead to log data corruption, ensuring higher data integrity for long-running log tailing tasks.
- **Buffer chunk evacuation on retry failure** — Prevents data loss during persistent failures by moving problematic buffer chunks to a separate location instead of simply deleting them when retry limits are hit.
---

## KubeFlow v1.10.0

- Repo: https://github.com/kubeflow/kubeflow
- Date: 2025-03-25
- Web: https://releasecards.app/release/kubeflow/kubeflow/v1.10.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/kubeflow/kubeflow/v1.10.0.md

_Secure Foundations and Enhanced Observability_

Kubeflow 1.10.0 focuses on maturing the platform's security posture through rootless container execution and improved security contexts. It also introduces better observability with Prometheus metrics for core web applications and refreshes the default notebook images for data scientists.

- **Updated Notebook Server Images** — Users get access to more recent versions of popular ML frameworks and tools, including an update to Gaudi notebooks (v1.19.2), ensuring compatibility with modern libraries.
- **Enhanced Rootless Execution and Security Contexts** — The platform is now significantly more secure by default as critical controllers now run without root privileges and include better security contexts, reducing the attack surface of the cluster.
- **Prometheus Monitoring for Web Applications** — Administrators can now better monitor the health and performance of the Central Dashboard and CRUD web apps using industry-standard Prometheus metrics.
- **Improved Proxy Support for Code-Server Notebooks** — Fixes connectivity issues when using code-server in restricted network environments, ensuring a smoother development experience for users behind corporate firewalls.

---

## TiKV v8.5.0

- Repo: https://github.com/tikv/tikv
- Date: 2024-12-19
- Web: https://releasecards.app/release/tikv/tikv/v8.5.0
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/tikv/tikv/v8.5.0.md

_Hardening Distributed Resilience and Performance Scalability_

TiKV v8.5.0 focuses on system resilience and operational stability.
The release introduces sophisticated load shedding capabilities to protect clusters from saturation, alongside performance optimizations that improve the efficiency of distributed transactions and internal data management.

- **Proactive Overload Protection and Request Throttling** — Your cluster can now automatically handle high-load scenarios by proactively rejecting requests when resources are strained, preventing cascading failures and maintaining overall system stability.
- **Enhanced Concurrency and Resource Utilization Efficiency** — Large-scale deployments will see reduced latency and higher throughput due to significant optimizations in hardware resource utilization and background task scheduling.
- **Critical Stability and Data Consistency Refinements** — Reliability is improved through multiple fixes addressing edge-case crashes and data inconsistency scenarios, ensuring smoother operations during cluster scaling and maintenance.
- **Improved Observability and Diagnostic Tooling** — Operators gain better visibility into internal engine states and performance bottlenecks, making it easier to troubleshoot production issues and tune configuration parameters.

---

## CloudEvents ce@v1.0.2

- Repo: https://github.com/cloudevents/spec
- Date: 2022-02-06
- Web: https://releasecards.app/release/cloudevents/spec/ce%40v1.0.2
- Markdown: https://gmrvqvmccuhppxotzrjk.functions.supabase.co/public-feed-api/v1/releases/cloudevents/spec/ce%40v1.0.2.md

_Strengthening Standards and Cross-Language Consistency_

This release focuses on hardening the specification and improving cross-platform compatibility. Key changes include a significant update to Webhook header naming to avoid RFC conflicts, new Protobuf batching capabilities, and critical clarifications for Kafka and JSON serialization.
- **Rename Webhook-Request-Origin to Webhook-Allowed-Origin** — If you are implementing webhooks, you must update your header logic to avoid collisions with standard browser security headers and ensure compliance with the updated specification.
- **Expanded Protobuf support and C# namespace options** — Users of Protobuf can now utilize batch formats for more efficient data transmission, and C# developers gain better code organization via native namespace support.
- **Refined JSON serialization and encoding rules** — This clarifies how binary data should be handled within JSON payloads, reducing integration friction and preventing ambiguity when 'datacontenttype' is missing.

---