Bot releases are visible (Hide)

pomerium - v0.26.0 Latest Release

Published by wasaga 5 months ago

v0.26.0 Changes

v0.26.0 includes improved support for the Pomerium Zero beta.

Breaking

Changes that are expected to cause an incompatibility.

config: remove deprecated client_ca option by @kenjenkins in https://github.com/pomerium/pomerium/pull/4918
envoy: set explicit hostname on cluster endpoints by @kenjenkins in https://github.com/pomerium/pomerium/pull/5018

New

authenticate: apply branding to sign out pages by @kenjenkins in https://github.com/pomerium/pomerium/pull/5044
authorize: return non-html errors on denied by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4904
authorize: log service account user ID by @kenjenkins in https://github.com/pomerium/pomerium/pull/4964
authorize: add support for rego print statements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5049
config: implement direct response by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4960
config: add runtime flags by @wasaga in https://github.com/pomerium/pomerium/pull/5050
config: disable gRPC ingress when address is the empty string by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5058
config: add support for TCP proxy chaining by @kenjenkins in https://github.com/pomerium/pomerium/pull/5053
config: add support for stripping the port for matching routes by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5085
databroker: disable identity manager user refresh when hosted authenticate is used by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4905
envoy: only enable port reuse on linux by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5066
envoy: format envoy local replies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5067
envoy: clean up temporary directory on start by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4914
identity: add enabler by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5084
identity: refactor identity manager by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5091
logging: less verbose logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5040
identity: dynamic authenticator registration by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5105
ppl: add client cert SAN match criteria by @kenjenkins in https://github.com/pomerium/pomerium/pull/4913
ppl: add groups criterion by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4916
ui: fix page title by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4957
zero: add storage health check by @wasaga in https://github.com/pomerium/pomerium/pull/5074
zero: upgrade oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4953
zero: add service accounts support by @wasaga in https://github.com/pomerium/pomerium/pull/5031
zero: lower log level by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5065
zero: add route reachability health check by @wasaga in https://github.com/pomerium/pomerium/pull/5093
zero: health check building config from databroker source by @wasaga in https://github.com/pomerium/pomerium/pull/5104

Fixes

authenticate: redirect to /.pomerium/signed_out when no signout redirect url is defined by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5060
envoy: exclude unauthorized access from local replies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5108
kubernetes: fix impersonate group header by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5090
zero: add gRPC keep-alive by @wasaga in https://github.com/pomerium/pomerium/pull/4961
zero: fix ticker usage by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4969
zero: fix bootstrap config path by @wasaga in https://github.com/pomerium/pomerium/pull/5035

Changed

authenticate: rework CORS headers log entry by @kenjenkins in https://github.com/pomerium/pomerium/pull/4900
authorize: result denied improvements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4952
core: use context.WithoutCancel by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4959
core: switch to uber mock by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5073
core: move telemetry requestid to pkg directory by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4911
config: remove cookie secure option by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4907
config: fix typo by @wasaga in https://github.com/pomerium/pomerium/pull/4963
envoy: enable TCP keepalive for internal clusters by @kenjenkins in https://github.com/pomerium/pomerium/pull/4902
envoy: upgrade to v1.30.1 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5080
envoy: migrate deprecated overload setting by @kenjenkins in https://github.com/pomerium/pomerium/pull/5082
envoy: address strconv.Atoi warnings by @kenjenkins in https://github.com/pomerium/pomerium/pull/5076
envoy: preserve Go's max file limit for Envoy by @kenjenkins in https://github.com/pomerium/pomerium/pull/5102
logging: use standard logger by @wasaga in https://github.com/pomerium/pomerium/pull/5096
opa: update for rego 1.0 by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4895
ui: improve frontend build size by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5109
ui: adds upstream error page by @nhayfield in https://github.com/pomerium/pomerium/pull/5113
zero: update oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4898
zero: remove unused changeset code by @wasaga in https://github.com/pomerium/pomerium/pull/4915
zero: simplify control loop lease retry code by @wasaga in https://github.com/pomerium/pomerium/pull/4979
zero: reset back to inmem databroker if connection string is empty by @wasaga in https://github.com/pomerium/pomerium/pull/4955
zero: add shared secret to the cluster bootstrap params by @wasaga in https://github.com/pomerium/pomerium/pull/5030
zero: add common healthcheck package, zero reporter and first xds check by @wasaga in https://github.com/pomerium/pomerium/pull/5059
zero: add checks for ability to save bootstrap parameter and bundle status reporting by @wasaga in https://github.com/pomerium/pomerium/pull/5064
zero: only report healthcheck transitions by @wasaga in https://github.com/pomerium/pomerium/pull/5068
zero: add user-agent to requests by @wasaga in https://github.com/pomerium/pomerium/pull/5078
zero: add connect health check by @wasaga in https://github.com/pomerium/pomerium/pull/5086

Dependency Updates

chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4919
chore(deps): bump node from 8d0f16f to fd01154 by @dependabot in https://github.com/pomerium/pomerium/pull/4921
chore(deps): bump golang from 1.21.5-bookworm to 1.21.6-bookworm by @dependabot in https://github.com/pomerium/pomerium/pull/4920
chore(deps): bump google.golang.org/api from 0.154.0 to 0.161.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4938
chore(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4948
chore(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4922
chore(deps): bump docker/metadata-action from 5.4.0 to 5.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4923
chore(deps): bump google-github-actions/setup-gcloud from 2.0.1 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4924
chore(deps): bump google-github-actions/auth from 2.0.0 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4925
chore(deps): bump github.com/klauspost/compress from 1.17.4 to 1.17.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4940
chore(deps): bump busybox from ba76950 to 6d9ac92 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4950
chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4949
chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.44.0 to 0.45.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4947
chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.21.0 to 1.22.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4946
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.12 to 3.24.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4928
chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4933
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.0 to 1.24.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4930
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.47.7 to 1.48.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4939
chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4937
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.2 to 1.26.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4932
chore(deps): bump github.com/jackc/pgx/v5 from 5.5.1 to 5.5.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4944
chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4935
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.2 to 1.0.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4945
chore(deps): bump cloud.google.com/go/storage from 1.36.0 to 1.37.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4926
chore(deps): bump github.com/docker/docker from 24.0.7+incompatible to 25.0.2+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4942
ci: upgrade to Go 1.22 by @wasaga in https://github.com/pomerium/pomerium/pull/4967
chore(deps): bump distroless/base-debian12 from 0a93daa to 5eae9ef in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4970
chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5009
chore(deps): bump distroless/base from 6c1e34e to 9d4e568 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4971
chore(deps): bump distroless/base-debian12 from 996c583 to 1d91d5f by @dependabot in https://github.com/pomerium/pomerium/pull/4980
chore(deps): bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4999
chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4972
chore(deps): bump actions/setup-node from 4.0.1 to 4.0.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4974
chore(deps): bump google-github-actions/auth from 2.1.0 to 2.1.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4976
chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.62.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5011
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.24.1 to 3.24.2 by @dependabot in https://github.com/pomerium/pomerium/pull/5001
chore(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.3 by @dependabot in https://github.com/pomerium/pomerium/pull/5000
chore(deps): bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4978
chore(deps): bump node from fd01154 to f3299f1 by @dependabot in https://github.com/pomerium/pomerium/pull/4981
chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4975
chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4987
chore(deps): bump github.com/rs/zerolog from 1.31.0 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5004
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.1 to 1.25.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4992
chore(deps): bump mikefarah/yq from 4.40.5 to 4.42.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4977
chore(deps): bump github.com/go-chi/chi/v5 from 5.0.11 to 5.0.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4986
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.66 to 7.0.67 by @dependabot in https://github.com/pomerium/pomerium/pull/4996
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.3 by @dependabot in https://github.com/pomerium/pomerium/pull/5016
chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.21.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5013
chore(deps): bump golang.org/x/oauth2 from 0.16.0 to 0.18.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5012
chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5017
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.6 by @dependabot in https://github.com/pomerium/pomerium/pull/5015
chore(deps): bump google.golang.org/api from 0.161.0 to 0.168.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5010
chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4984
chore(deps): bump github.com/prometheus/common from 0.46.0 to 0.49.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4998
chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.22.0 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5003
chore(deps): bump cloud.google.com/go/storage from 1.37.0 to 1.39.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4989
chore(deps): bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4973
chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.45.0 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4983
chore(deps): bump github.com/klauspost/compress from 1.17.5 to 1.17.7 by @dependabot in https://github.com/pomerium/pomerium/pull/4995
chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4990
chore(deps): bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5024
chore(deps): bump the go group with 10 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5026
chore(deps): bump the github-actions group with 1 update by @dependabot in https://github.com/pomerium/pomerium/pull/5025
chore(deps): bump the docker group in /.github with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5023
chore(deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5032
envoy: set to v1.29.2 by @wasaga in https://github.com/pomerium/pomerium/pull/5042
chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5045
chore(deps): bump the github-actions group with 6 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5047
chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5046
chore(deps): bump the go group with 15 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5048
chore(deps): bump @trivago/prettier-plugin-sort-imports from 2.0.4 to 4.3.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5054
envoy: upgrade to v1.29.3 by @wasaga in https://github.com/pomerium/pomerium/pull/5056
chore(deps): bump @babel/traverse from 7.16.10 to 7.23.2 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5055
update dev Dockerfiles to use Go 1.22.2 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5063
chore(deps): bump github.com/docker/docker from 26.0.0+incompatible to 26.0.2+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5075
chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5077
chore(deps): update UI dependencies by @kenjenkins in https://github.com/pomerium/pomerium/pull/5088
chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5095
chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5098
core/lint: upgrade golangci-lint, replace interface{} with any by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5099
chore(deps): bump the go group with 29 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5097
chore(deps): bump the github-actions group with 5 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5094

pomerium - v0.25.2

Published by wasaga 7 months ago

What's Changed

envoy: upgrade to v1.28.2 by @wasaga in https://github.com/pomerium/pomerium/pull/5057

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.25.1...v0.25.2

pomerium - v0.25.1

Published by wasaga 7 months ago

What's Changed

Changed

connect: add gRPC keep-alive by @wasaga in https://github.com/pomerium/pomerium/pull/4962
core/zero: fix ticker usage by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5019
core/ci: check docker base images by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5028
ci: bump Go to 1.21.8 in docker by @wasaga in https://github.com/pomerium/pomerium/pull/5027

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.25.0...v0.25.1

pomerium - v0.25.0

Published by wasaga 9 months ago

v0.25.0 Changes

Breaking

Changes that are expected to cause an incompatibility.

config: remove support for base64 encoded certificates in the certificates field. It may only contain file locations. See https://github.com/pomerium/pomerium/pull/4718 by @calebdoxsey for details.
config: remove debug option, always use json logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4857

New

Initial support for the Pomerium Zero closed beta is included in this release.
authenticate: Refactoring identity authenticators to initiate redirect. For AWS Cognito, please allow the following sign out https://{AUTHENTICATE_DOMAIN}/.pomerium/signed_out URL. See more details in https://github.com/pomerium/pomerium/pull/4858 by @calebdoxsey.

Fixes

config: add support for maps in environments, i.e. env IDP_REQUEST_PARAMS='{"x":"y"}' ... by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4717
core: fix graceful stop by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4865
databroker: prevent nil data in the databroker deleted records by @wasaga in https://github.com/pomerium/pomerium/pull/4736
databroker: fix nil data unmarshal by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4734
databroker: hijack connections for notification listeners by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4806
databroker: REDIS backend has been removed in the previous release, https://github.com/pomerium/pomerium/pull/4768 by @calebdoxsey cleans up some remaining references.
databroker: fix Patch() error handling for in-memory databroker backend by @kenjenkins in https://github.com/pomerium/pomerium/pull/4838
envoy: Rewrite the remove_pomerium_cookie lua function to handle = inside of cookie values. by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4641
metrics: enforce text/plain metric format by @kenjenkins in https://github.com/pomerium/pomerium/pull/4774
zero: group funcs that need run within a lease by @wasaga in https://github.com/pomerium/pomerium/pull/4862

Changed

authenticate: Update the initialization logic for the authenticate, authorize, and proxy services to automatically select between the stateful authentication flow and the stateless authentication flow, depending on whether Pomerium is configured to use the hosted authenticate service. This change ensures a single IdP session is maintained for all user visits, enabling a single sign out behaviour for installations with IdP configured. @kenjenkins in https://github.com/pomerium/pomerium/pull/4765
authenticate: move events.go out of internal/authenticateflow by @kenjenkins in https://github.com/pomerium/pomerium/pull/4852
authenticate: remove extra UpdateUserInfo() call by @kenjenkins in https://github.com/pomerium/pomerium/pull/4813
authenticate: getUserInfoData() cleanup by @kenjenkins in https://github.com/pomerium/pomerium/pull/4818
authenticate: move stateless flow logic by @kenjenkins in https://github.com/pomerium/pomerium/pull/4820
authenticate: move logAuthenticateEvent by @kenjenkins in https://github.com/pomerium/pomerium/pull/4821
authenticate: add stateful flow by @kenjenkins in https://github.com/pomerium/pomerium/pull/4822
authenticate: change how sessions are deleted by @kenjenkins in https://github.com/pomerium/pomerium/pull/4893
authenticate: verify redirect in Callback test by @kenjenkins in https://github.com/pomerium/pomerium/pull/4894
config: remove unnecessary authenticate route when using hosted authenticate (authenticate.pomerium.app) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4719
config: Add a global config option for pass_identity_headers, in addition to existing per-route option by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4720
config: disable strict-transport-security header with staging autocert by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4741
config: no longer stub out HPKE public key fetch by @kenjenkins in https://github.com/pomerium/pomerium/pull/4853
runtime: update to Go 1.21.4 by @kenjenkins in https://github.com/pomerium/pomerium/pull/4770
runtime: automatically determine goroutine max cap by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4766
session: add unit tests for gRPC wrapper methods by @kenjenkins in https://github.com/pomerium/pomerium/pull/4713
tests: renew test certs by @kenjenkins in https://github.com/pomerium/pomerium/pull/4738
tests: add tool for renewing test certs by @kenjenkins in https://github.com/pomerium/pomerium/pull/4742
tests: re-generate test configurations by @kenjenkins in https://github.com/pomerium/pomerium/pull/4816
tests: check for profile cookies by @kenjenkins in https://github.com/pomerium/pomerium/pull/4847
zero: rebase and merge feature/zero branch by @kenjenkins in https://github.com/pomerium/pomerium/pull/4745
zero: fix restart behavior by @kenjenkins in https://github.com/pomerium/pomerium/pull/4753
zero: use os.UserCacheDir for boostrap config path by @kenjenkins in https://github.com/pomerium/pomerium/pull/4744
zero: better code reuse by @wasaga in https://github.com/pomerium/pomerium/pull/4758
zero: set drwx------ for cache dir by @wasaga in https://github.com/pomerium/pomerium/pull/4764
zero: support gzipped blobs by @wasaga in https://github.com/pomerium/pomerium/pull/4767
zero: add linear probabilistic counter for MAU estimation by @wasaga in https://github.com/pomerium/pomerium/pull/4776
zero: use production urls by default by @wasaga in https://github.com/pomerium/pomerium/pull/4814
zero: add more verbose logging about background control loops by @wasaga in https://github.com/pomerium/pomerium/pull/4815
zero: calculate DAU and MAU by @wasaga in https://github.com/pomerium/pomerium/pull/4810
zero: add reporter by @wasaga in https://github.com/pomerium/pomerium/pull/4855
zero: add support for managed mode from config file by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4756

Dependency Updates

bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4760
bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.40.0 to 1.42.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4751
bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4685
bump github.com/google/uuid from 1.3.1 to 1.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4677
bump golang.org/x/time from 0.3.0 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4796
bump github.com/mattn/go-isatty from 0.0.19 to 0.0.20 by @dependabot in https://github.com/pomerium/pomerium/pull/4801
bump golang.org/x/net from 0.17.0 to 0.19.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4792
bump mikefarah/yq from 4.35.2 to 4.40.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4780
bump docker/build-push-action from 5.0.0 to 5.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4777
bump golang.org/x/sync from 0.3.0 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4748
bump distroless/base-debian12 from d2890b2 to 5e24c7a by @dependabot in https://github.com/pomerium/pomerium/pull/4658
bump github.com/minio/minio-go/v7 from 7.0.63 to 7.0.65 by @dependabot in https://github.com/pomerium/pomerium/pull/4812
bump google-github-actions/auth from 1.1.1 to 2.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4778
bump node from 42a4d97 to 5f21943 by @dependabot in https://github.com/pomerium/pomerium/pull/4659
bump google.golang.org/api from 0.143.0 to 0.153.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4835
bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4830
bump golang from 1.21.4-bookworm to 1.21.5-bookworm by @dependabot in https://github.com/pomerium/pomerium/pull/4828
bump mikefarah/yq from 4.40.3 to 4.40.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4829
bump github.com/caddyserver/certmagic from 0.19.2 to 0.20.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4836
bump github.com/yuin/gopher-lua from 1.1.0 to 1.1.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4832
bump docker/metadata-action from 5.0.0 to 5.3.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4826
bump actions/setup-python from 4.7.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4827
bump github.com/VictoriaMetrics/fastcache from 1.12.1 to 1.12.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4802
bump github.com/shirou/gopsutil/v3 from 3.23.9 to 3.23.11 by @dependabot in https://github.com/pomerium/pomerium/pull/4794
bump github.com/gorilla/mux from 1.8.0 to 1.8.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4790
bump busybox from 3fbc632 to 1ceb872 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4824
bump actions/stale from 8.0.0 to 9.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4825
bump github.com/klauspost/compress from 1.17.0 to 1.17.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4798
bump github.com/open-policy-agent/opa from 0.57.0 to 0.59.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4799
bump golang.org/x/oauth2 from 0.12.0 to 0.15.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4797
bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4694
bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4680
bump cloud.google.com/go/storage from 1.33.0 to 1.35.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4750
bump stefanzweifel/git-auto-commit-action from 4.16.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4693
bump distroless/base-debian12 from d64f548 to 1dfdb5e in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4671
bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4672
bump github.com/cloudflare/circl from 1.3.3 to 1.3.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4674
bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4688
bump github.com/gorilla/websocket from 1.5.0 to 1.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4793
bump github.com/jackc/pgx/v5 from 5.4.3 to 5.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4803
bump github.com/coreos/go-oidc/v3 from 3.6.0 to 3.8.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4791
bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4692
bump github.com/prometheus/common from 0.44.0 to 0.45.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4686
bump distroless/base from 46c5b9b to b31a6e0 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4670
zero/openapi: pin v1.0.0 of a runtime by @wasaga in https://github.com/pomerium/pomerium/pull/4851
bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4860. This includes a patch for GO-2023-2402 / CVE-2023-48795 (Terrapin). Note that Pomerium does not use the affected golang.org/x/crypto/ssh package from this module.
bump github.com/spf13/viper from 1.16.0 to 1.18.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4861
bump github.com/aws/aws-sdk-go-v2 from 1.22.2 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4840
bump docker/metadata-action from 5.3.0 to 5.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4891
bump google-github-actions/setup-gcloud from 1.1.1 to 2.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4890
bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4889
bump actions/setup-node from 4.0.0 to 4.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4888
bump mikefarah/yq from 4.40.4 to 4.40.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4887
bump distroless/base from b31a6e0 to 6c1e34e in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4885
bump busybox from 1ceb872 to ba76950 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4884
bump distroless/base-debian12 from 1dfdb5e to 0a93daa in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4886
bump github.com/google/uuid from 1.4.0 to 1.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4878
bump github.com/coreos/go-oidc/v3 from 3.8.0 to 3.9.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4880
bump github.com/open-policy-agent/opa from 0.59.0 to 0.60.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4879
bump github.com/shirou/gopsutil/v3 from 3.23.11 to 3.23.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4874
bump github.com/bits-and-blooms/bitset from 1.11.0 to 1.13.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4876
bump github.com/go-chi/chi/v5 from 5.0.10 to 5.0.11 by @dependabot in https://github.com/pomerium/pomerium/pull/4875
bump cloud.google.com/go/storage from 1.35.1 to 1.36.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4873
bump github.com/oapi-codegen/runtime from 1.0.0 to 1.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4870
bump golang from a6b787c to 1415bb0 by @dependabot in https://github.com/pomerium/pomerium/pull/4883
bump distroless/base-debian12 from 5e24c7a to 996c583 by @dependabot in https://github.com/pomerium/pomerium/pull/4882
bump node from 445acd9 to 8d0f16f by @dependabot in https://github.com/pomerium/pomerium/pull/4881
bump google.golang.org/protobuf from 1.31.1-0.20231027082548-f4a6c1f6e5c1 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4877
bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4872
bump google.golang.org/api from 0.153.0 to 0.154.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4867
bump github.com/minio/minio-go/v7 from 7.0.65 to 7.0.66 by @dependabot in https://github.com/pomerium/pomerium/pull/4868
bump github.com/jackc/pgx/v5 from 5.5.0 to 5.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4871

pomerium - v0.24.0

Published by wasaga 11 months ago

What's Changed

Breaking

config: remove set_authorization_header option by @kenjenkins in https://github.com/pomerium/pomerium/pull/4489
databroker: remove redis storage backend by @kenjenkins in https://github.com/pomerium/pomerium/pull/4699
core/config: remove support for base64 encoded certificates by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4725

New

databroker: build config concurrently, option to bypass validation by @wasaga in https://github.com/pomerium/pomerium/pull/4655

Fixes

core/identity: fix slow restart by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4542
core/authenticate: validate the identity profile by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4545
core/authorize: check for expired tokens by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4543
core/authenticate: refactor idp sign out by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4582
core/storage: fix nil data unmarshal by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4739

Changed

cryptutil: remove unused functions by @kenjenkins in https://github.com/pomerium/pomerium/pull/4541
Add metric request error in log by @sylr in https://github.com/pomerium/pomerium/pull/4585
Docs: remove tcp example by @ZPain8464 in https://github.com/pomerium/pomerium/pull/4616
config: do not add route headers to global map by @kenjenkins in https://github.com/pomerium/pomerium/pull/4629
identity: override TokenSource expiry behavior by @kenjenkins in https://github.com/pomerium/pomerium/pull/4632
upgrade envoy to v1.28.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/4635
identity: preserve session refresh schedule by @kenjenkins in https://github.com/pomerium/pomerium/pull/4633
identity: rework session refresh error handling by @kenjenkins in https://github.com/pomerium/pomerium/pull/4638
core/config: add config version, additional telemetry by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4645
protoutil: add OverwriteMasked method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4651
core/hpke: reduce memory usage from zstd by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4650
core/controlplane: apply configuration changes in a background thread by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4649
core/config: remove version by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4653
core/config: refactor change dispatcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4657
core/filemgr: use xxhash instead of sha512 for filenames by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4697
xds: add type url to log by @wasaga in https://github.com/pomerium/pomerium/pull/4696
core/events: refactor the events.Target to use mutexes instead of a background goroutine by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4700
storage/inmemory: implement patch operation by @kenjenkins in https://github.com/pomerium/pomerium/pull/4654
storage/postgres: implement patch operation by @kenjenkins in https://github.com/pomerium/pomerium/pull/4656
databroker: add patch method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4704
proto: add id to certificate by @wasaga in https://github.com/pomerium/pomerium/pull/4706
databroker: add utility recordset and changeset by @wasaga in https://github.com/pomerium/pomerium/pull/4701
databroker: add reconciler by @wasaga in https://github.com/pomerium/pomerium/pull/4709
core/config: refactor file watcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4702
rework session updates to use new patch method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4705
authorize: reuse policy evaluators where possible by @kenjenkins in https://github.com/pomerium/pomerium/pull/4710
reconciler: allow custom comparison function by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4727
core/config: add support for maps in environments by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4728
authorize: build evaluators cache in parallel by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4731
core/envoy: fix remove cookie lua script by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4732
databroker: changeset: prevent nil data in the deleted records by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4737
integration: renew test certs by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4740

Dependency Updates

chore(deps): bump node from 850d8e1 to f41231b by @dependabot in https://github.com/pomerium/pomerium/pull/4533
chore(deps): bump google.golang.org/api from 0.134.0 to 0.138.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4532
chore(deps): bump github.com/jackc/pgx/v5 from 5.4.2 to 5.4.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4531
chore(deps): bump github.com/open-policy-agent/opa from 0.55.0 to 0.56.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4530
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.4 to 2.0.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4528
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.61 to 7.0.63 by @dependabot in https://github.com/pomerium/pomerium/pull/4527
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.21.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4524
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.7 to 3.23.8 by @dependabot in https://github.com/pomerium/pomerium/pull/4519
chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4517
chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4499
chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4496
chore(deps): bump github.com/caddyserver/certmagic from 0.19.1 to 0.19.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4526
chore(deps): bump github.com/openzipkin/zipkin-go from 0.4.1 to 0.4.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4523
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.18.38 by @dependabot in https://github.com/pomerium/pomerium/pull/4522
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.1 to 1.38.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4521
chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4497
chore(deps): bump docker/setup-buildx-action from 2.9.1 to 2.10.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4498
chore(deps): bump go.uber.org/zap from 1.24.0 to 1.25.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4516
chore(deps): bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4518
chore(deps): bump tibdex/github-app-token from 1.8.0 to 1.8.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4505
chore(deps): bump mikefarah/yq from 4.34.2 to 4.35.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4503
chore(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4502
chore(deps): bump actions/setup-node from 3.7.0 to 3.8.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4501
chore(deps): bump @fontsource/dm-mono from 4.5.2 to 5.0.11 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4515
chore(deps-dev): bump ts-node from 10.4.0 to 10.9.1 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4279
chore(deps): bump @fontsource/dm-sans from 5.0.3 to 5.0.11 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4508
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.38 to 1.18.40 by @dependabot in https://github.com/pomerium/pomerium/pull/4581
chore(deps): bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4580
chore(deps): bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4579
chore(deps): bump busybox from caa382c to 3fbc632 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4549
chore(deps): bump node from f41231b to 7923c64 by @dependabot in https://github.com/pomerium/pomerium/pull/4551
chore(deps): bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4552
chore(deps): bump docker/metadata-action from 4.6.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4553
chore(deps): bump docker/build-push-action from 4.1.1 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4554
chore(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4557
chore(deps): bump coverallsapp/github-action from 2.2.1 to 2.2.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4560
chore(deps): bump docker/setup-qemu-action from 2.2.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4559
chore(deps): bump tibdex/github-app-token from 1.8.2 to 2.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4556
chore(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4563
chore(deps): bump @fontsource/dm-mono from 5.0.11 to 5.0.12 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4573
chore(deps): bump github.com/klauspost/compress from 1.16.7 to 1.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4566
chore(deps): bump google.golang.org/api from 0.138.0 to 0.141.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4578
chore(deps): bump go.uber.org/zap from 1.25.0 to 1.26.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4577
chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.58.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4575
chore(deps): bump github.com/CAFxX/httpcompression from 0.0.8 to 0.0.9 by @dependabot in https://github.com/pomerium/pomerium/pull/4572
chore(deps): bump github.com/rs/cors from 1.9.0 to 1.10.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4574
chore(deps): bump github.com/docker/docker from 24.0.2+incompatible to 24.0.6+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4570
chore(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4562
chore(deps): bump docker/setup-buildx-action from 2.10.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4555
chore(deps): bump distroless/base from b0216a3 to 46c5b9b in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4550
chore(deps): bump @mui/icons-material from 5.3.1 to 5.14.9 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4567
chore(deps): bump @fontsource/dm-sans from 5.0.11 to 5.0.12 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4561
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 by @dependabot in https://github.com/pomerium/pomerium/pull/4607
chore(deps): bump node from 7923c64 to 2daec43 by @dependabot in https://github.com/pomerium/pomerium/pull/4609
chore(deps): bump github.com/open-policy-agent/opa from 0.56.0 to 0.57.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4606
chore(deps): bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4611
chore(deps): bump tibdex/github-app-token from 2.0.0 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4612
chore(deps): bump mikefarah/yq from 4.35.1 to 4.35.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4610
chore(deps): bump google.golang.org/api from 0.141.0 to 0.143.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4608
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.8 to 3.23.9 by @dependabot in https://github.com/pomerium/pomerium/pull/4605
chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4603
chore(deps): bump github.com/prometheus/procfs from 0.11.1 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4602
chore(deps): bump @fontsource/dm-sans from 5.0.12 to 5.0.13 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4593
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.40 to 1.18.42 by @dependabot in https://github.com/pomerium/pomerium/pull/4599
chore(deps): bump github.com/rs/zerolog from 1.30.0 to 1.31.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4598
chore(deps): bump @fontsource/dm-mono from 5.0.12 to 5.0.14 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4619
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.5 to 1.40.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4600
chore(deps): bump github.com/rs/cors from 1.10.0 to 1.10.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4601
chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4626
chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4640
chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4646
core/go: upgrade go.mod by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4711

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.23.0...v0.24.0

pomerium - v0.23.0

Published by wasaga about 1 year ago

Changelog

v0.23.0 (2023-08-24)

Full Changelog

New

authorize: log id token claims separately from id token #4394 (@calebdoxsey)
adds success colors for statuses in the 200 range #4314 (@nhayfield)
config: add cookie_same_site option #4148 (@calebdoxsey)
hpke: compress query string #4147 (@calebdoxsey)
authenticate: add aws cognito #4137 (@wasaga)

Fixed

autocert: suppress OCSP stapling errors #4371 (@calebdoxsey)
config: validate log levels #4367 (@calebdoxsey)
config: update logic for checking overlapping certificates #4216 (@calebdoxsey)
databroker: fix fast forward #4192 (@calebdoxsey)
databroker: sort configs #4190 (@calebdoxsey)
envoy: set re2 limits very high #4187 (@calebdoxsey)
fix WillHaveCertificateForServerName check to be strict match for derived cert name #4167 (@wasaga)
envoyconfig: disable validation context when no client certificates are required #4151 (@calebdoxsey)

Dependency

chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.32 #4436 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.36.0 to 1.38.1 #4435 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.8.0 to 2.9.1 #4433 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.6.0 to 3.7.0 #4432 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.34.1 to 4.34.2 #4431 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 2.2.0 to 2.2.1 #4430 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.6.1 to 4.7.0 #4429 (@dependabot[bot])
chore(deps): bump node from 3801c22 to 850d8e1 #4416 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.59 to 7.0.61 #4415 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.56.1 to 1.57.0 #4411 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.4.1 to 5.4.2 #4409 (@dependabot[bot])
chore(deps): bump github.com/go-chi/chi/v5 from 5.0.8 to 5.0.10 #4407 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.29.1 to 1.30.0 #4406 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.54.0 to 0.55.0 #4404 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.130.0 to 0.134.0 #4403 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.6 to 3.23.7 #4402 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.18.2 to 0.19.1 #4401 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.11.0 to 0.11.1 #4400 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.2 to 3.4.0 #4399 (@dependabot[bot])
dependencies: upgrade otel #4395 (@calebdoxsey)
chore(deps): bump word-wrap from 1.2.3 to 1.2.4 in /ui #4369 (@dependabot[bot])
chore(deps): bump semver from 6.3.0 to 6.3.1 in /ui #4350 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.128.0 to 0.130.0 #4348 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.18.0 to 0.18.2 #4334 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.57 to 7.0.59 #4333 (@dependabot[bot])
chore(deps): bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 #4332 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.7.0 to 2.8.0 #4330 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.1 to 1.0.2 #4329 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.5 to 3.23.6 #4328 (@dependabot[bot])
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.3 to 2.0.4 #4327 (@dependabot[bot])
chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 #4325 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.4.0 to 5.4.1 #4324 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.1 to 1.36.0 #4323 (@dependabot[bot])
chore(deps): bump node from 05824f7 to 3801c22 #4322 (@dependabot[bot])
chore(deps): bump @fontsource/dm-sans from 4.5.1 to 5.0.3 in /ui #4307 (@dependabot[bot])
chore(deps): bump react-feather from 2.0.9 to 2.0.10 in /ui #4306 (@dependabot[bot])
chore(deps): bump markdown-to-jsx from 7.1.7 to 7.2.1 in /ui #4297 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 #4296 (@dependabot[bot])
chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 #4294 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.3.1 to 5.4.0 #4293 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.17.2 to 0.18.0 #4291 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.0 to 1.34.1 #4290 (@dependabot[bot])
chore(deps-dev): bump typescript from 4.5.5 to 5.1.3 in /ui #4289 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 #4287 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 #4286 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.126.0 to 0.128.0 #4283 (@dependabot[bot])
chore(deps-dev): bump @typescript-eslint/parser from 5.10.2 to 5.59.11 in /ui #4282 (@dependabot[bot])
chore(deps): bump github.com/klauspost/compress from 1.16.5 to 1.16.6 #4281 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.56 to 7.0.57 #4280 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 #4278 (@dependabot[bot])
chore(deps): bump @emotion/styled from 11.6.0 to 11.11.0 in /ui #4277 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.10.1 to 0.11.0 #4276 (@dependabot[bot])
chore(deps): bump docker/login-action from 2.1.0 to 2.2.0 #4274 (@dependabot[bot])
chore(deps): bump docker/metadata-action from 4.5.0 to 4.6.0 #4273 (@dependabot[bot])
chore(deps): bump node from f658ece to 05824f7 #4272 (@dependabot[bot])
chore(deps): bump golang from b0f97bf to eb3f9ac #4271 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 #4268 (@dependabot[bot])
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.3 #4267 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.9.0 to 0.10.0 #4266 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 4.0.0 to 4.1.1 #4264 (@dependabot[bot])
chore(deps): bump docker/setup-qemu-action from 2.1.0 to 2.2.0 #4263 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.5.0 to 2.7.0 #4262 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.33.0 to 1.34.0 #4260 (@dependabot[bot])
chore(deps): bump node from df5a66e to f658ece #4252 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.1 to 3.3.2 #4248 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.0 to 0.11.1 #4247 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.43.0 to 0.44.0 #4244 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.55 to 7.0.56 #4243 (@dependabot[bot])
chore(deps): bump docker/metadata-action from 4.4.0 to 4.5.0 #4242 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 2.1.2 to 2.2.0 #4241 (@dependabot[bot])
chore(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 #4240 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.5.2 to 3.5.3 #4239 (@dependabot[bot])
chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 #4238 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.121.0 to 0.126.0 #4236 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.52.0 to 0.53.1 #4235 (@dependabot[bot])
chore(deps): bump golang from 1.20.4-buster to 1.20.5-buster #4227 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0 #4226 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.4 to 3.23.5 #4225 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.121.0 to 0.125.0 #4222 (@dependabot[bot])
chore(deps): bump cloud.google.com/go/storage from 1.29.0 to 1.30.1 #4221 (@dependabot[bot])
dependencies: pin node to lts #4218 (@wasaga)
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.21 to 1.18.25 #4208 (@dependabot[bot])
chore(deps): bump golang from 4cf6dc4 to 6be6011 #4207 (@dependabot[bot])
chore(deps): bump debian from 4291be2 to cd9b6e7 #4206 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 24.0.1+incompatible to 24.0.2+incompatible #4205 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.0 to 3.3.1 #4204 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 #4203 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.52 to 7.0.55 #4202 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.33.3 to 4.34.1 #4201 (@dependabot[bot])
chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 #4200 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.0 to 1.0.1 #4185 (@dependabot[bot])
chore(deps): bump github.com/mholt/acmez from 1.1.0 to 1.1.1 #4184 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 23.0.6+incompatible to 24.0.1+incompatible #4183 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 #4182 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.8.3 to 1.9.0 #4179 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 #4178 (@dependabot[bot])
chore(deps): bump github.com/klauspost/compress from 1.16.0 to 1.16.5 #4177 (@dependabot[bot])
chore(deps): bump actions/setup-go from 4.0.0 to 4.0.1 #4176 (@dependabot[bot])
chore(deps): bump google-github-actions/setup-gcloud from 1.1.0 to 1.1.1 #4175 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 #4174 (@dependabot[bot])
chore(deps): bump google-github-actions/auth from 1.1.0 to 1.1.1 #4173 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.42.0 to 0.43.0 #4172 (@dependabot[bot])
chore(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible #4170 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 #4166 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.3 to 3.23.4 #4165 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 23.0.5+incompatible to 23.0.6+incompatible #4164 (@dependabot[bot])
chore(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 #4163 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 #4162 (@dependabot[bot])
chore(deps): bump golang from 1.20.3-buster to 1.20.4-buster #4161 (@dependabot[bot])
chore(deps): bump debian from 1fbdbcf to 4291be2 #4160 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.120.0 to 0.121.0 #4159 (@dependabot[bot])
chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 #4158 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.15.0 to 1.15.1 #4157 (@dependabot[bot])
chore(deps): bump github.com/cenkalti/backoff/v4 from 4.2.0 to 4.2.1 #4156 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.1 to 1.0.0 #4155 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4154 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4153 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.118.0 to 0.120.0 #4143 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.51.0 to 0.52.0 #4142 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 23.0.3+incompatible to 23.0.5+incompatible #4141 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.31.2 to 1.33.0 #4139 (@dependabot[bot])

Changed

config: validate cookie_secure option #4484 (@kenjenkins)
authorize: check CRLs only for leaf certificates #4480 (@kenjenkins)
storage: add indexes for postgres #4479 (@calebdoxsey)
add integration test for https IP address route #4476 (@kenjenkins)
add integration test for Pomerium JWT #4472 (@kenjenkins)
authorize: remove incorrect "valid-client-certificate" reason #4470 (@kenjenkins)
envoy: check for nil ssl() in client cert script #4466 (@kenjenkins)
config: add decode hook for the SANMatcher type #4464 (@kenjenkins)
config: deprecate tls_downstream_client_ca #4461 (@kenjenkins)
upgrade main #4457 (@wasaga)
authorize: rework token substitution in headers #4456 (@kenjenkins)
cryptutil: update CRL parsing #4454 (@kenjenkins)
config: support client certificate SAN match #4453 (@kenjenkins)
authorize: allow client certificate intermediates #4451 (@kenjenkins)
config: support arbitrary nested config structs #4440 (@kenjenkins)
authorize: implement client certificate CRL check #4439 (@kenjenkins)
authorize: do not rely on Envoy client cert validation #4438 (@kenjenkins)
autocert: use new OCSP error type #4437 (@kenjenkins)
authorize: add support for logging id token #4392 (@calebdoxsey)
logs: add ip address to access logs #4391 (@calebdoxsey)
authorize: fix policy numbers in evaluator test #4387 (@kenjenkins)
add integration test for client_crl setting #4384 (@kenjenkins)
envoy: configure upstream IP SAN match as needed #4380 (@kenjenkins)
authorize: remove a nolint directive #4375 (@kenjenkins)
authorize: incorporate mTLS validation from Envoy #4374 (@kenjenkins)
envoy: add a filter to store client cert info #4372 (@kenjenkins)
envoy: separate gRPC listener configuration #4365 (@kenjenkins)
stub out HPKE public key fetch for self-hosted authenticate #4360 (@kenjenkins)
replace docker publish action ::set-output usage #4359 (@kenjenkins)
chore: unnecessary use of fmt.Sprintf #4349 (@testwill)
authorize: do not redirect if invalid client cert #4344 (@kenjenkins)
authorize: remove JWT timestamp format workaround #4321 (@kenjenkins)
organize go.mod #4320 (@kenjenkins)
authenticate: remove extraneous error log #4319 (@kenjenkins)
add JWT timestamp formatting workaround #4270 (@kenjenkins)
ci: updates #4269 (@calebdoxsey)
dependabot: improvements #4261 (@calebdoxsey)
pin to a debian:latest image for casource base image #4250 (@kenjenkins)
add downstream mTLS integration test cases (main) #4234 (@kenjenkins)
config: simplify default set response headers #4196 (@calebdoxsey)
improve certificate matching performance #4186 (@calebdoxsey)
fix lint warning in pkg/envoy #4181 (@kenjenkins)
Update README.md #4146 (@desimone)
Update SECURITY.md #4144 (@desimone)

pomerium - v0.22.3

Published by wasaga about 1 year ago

Changelog

v0.22.3 (2023-08-21)

Full Changelog

Changed

add integration test for https IP address route #4477 (@kenjenkins)
github-actions: remove license check #4475 (@kenjenkins)
add integration test for Pomerium JWT #4473 (@kenjenkins)
envoy: configure upstream IP SAN match as needed #4382 (@backport-actions-token[bot])
autocert: suppress OCSP stapling errors #4373 (@backport-actions-token[bot])
backport #4368 (@calebdoxsey)
ci: fix lint workflow (#4229) #4311 (@kenjenkins)
pin to a debian:latest image for casource base image (#4250) #4310 (@kenjenkins)
add JWT timestamp formatting workaround #4309 (@backport-actions-token[bot])
config: update logic for checking overlapping certificates (#4216) #4217 (@calebdoxsey)
authorize: populate issuer even when policy is nil #4213 (@backport-actions-token[bot])
config: simplify default set response headers #4212 (@backport-actions-token[bot])

pomerium - v0.21.4

Published by desimone over 1 year ago

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

What's Changed

autocert: fix certmagic cache logging by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4135
authorize: fix IsInternal check by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4199

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.21.3...v0.21.4

pomerium - v0.22.2

Published by desimone over 1 year ago

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

What's Changed

fix WillHaveCertificateForServerName check to be strict match for derived cert name by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4169
improve certificate matching performance by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4188
envoy: set re2 limits very high by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4189
databroker: sort configs by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4191
databroker: fix fast forward by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4194

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.22.1...v0.22.2

pomerium - v0.20.1

Published by desimone over 1 year ago

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

What's Changed

storage: ignore removed fields when deserializing the data by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3772
jwt: require logged in user to return .pomerium/jwt by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3809
oidc: fix token revocation by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3818
autocert: use atomic pointer to allow nil by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3817
identity: fix expired session deletion by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3857
postgres: return unknown records instead of skipping them (#3876) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3877
identity: fix nil reference error when there is no authenticator by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3932

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.20.0...v0.20.1

pomerium - v0.19.2

Published by desimone over 1 year ago

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

What's Changed

postgres: return an empty list of addresses on dns errors by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3638
ppl: support special characters in claim keys by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3640
authorize: enforce service account expiration by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3662
config: disable envoy admin by default, expose stats via envoy route by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3684
fileutil: update watcher to use fsnotify and polling (#3663) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3685
httputil: remove error details by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3705

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.19.1...v0.19.2

pomerium - v0.18.1

Published by desimone over 1 year ago

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

What's Changed

publish to any-distro (#3570) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3571
postgres: remove not null constraint on data column of record changes table by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3595

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.18.0...v0.18.1

pomerium - v0.17.4

Published by desimone over 1 year ago

Security

This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.17.3...v0.17.4

pomerium - v0.22.1

Published by desimone over 1 year ago

What's Changed

envoyconfig: disable validation context when no client certificates are required by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4152

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.22.0...v0.22.1

pomerium - v0.22.0

Published by wasaga over 1 year ago

Changelog

v0.22.0 (2023-05-01)

Full Changelog

New

config: default to authenticate.pomerium.app when authenticate url is not specified #4132 (@calebdoxsey)
support loading route configuration via rds #4098 (@calebdoxsey)
authenticate: have an option to trim the contents of the callback #4090 (@wasaga)
urlutil: add version to query string #4028 (@calebdoxsey)
authenticate: fix authenticate_internal_service_url for all in one #4003 (@wasaga)
cryptutil: generate certificates from deriveca #3992 (@calebdoxsey)
authenticate: only use csrf none for apple #3979 (@calebdoxsey)
envoyconfig: preserve case of HTTP headers when using HTTP/1 #3956 (@calebdoxsey)

Fixed

autocert: fix certmagic cache logging #4134 (@calebdoxsey)
tls: wildcard catch-all cert must be at the end of cert list #4119 (@wasaga)
store authenticate state on creation #4064 (@wasaga)
authorize: move sign out and jwks urls to route, update issuer for JWT #4046 (@calebdoxsey)
hpke: move published public keys to a new endpoint #4044 (@calebdoxsey)
config: fix set_response_headers #4026 (@calebdoxsey)
authorize: allow access to /.pomerium/webauthn when policy denies access #4015 (@calebdoxsey)
authenticate: don't require a session for sign_out #4007 (@calebdoxsey)
authenticate: fix identity provider id in encrypted query string #4006 (@calebdoxsey)
derivecert: fix ecdsa code to be deterministic #3989 (@calebdoxsey)
fix webauthn url #3983 (@calebdoxsey)
lua: fix rewrite response headers to handle dashes in URLs #3980 (@calebdoxsey)
authenticate: save the session cookie with a different name #3978 (@calebdoxsey)
identity: fix nil reference error when there is no authenticator #3930 (@calebdoxsey)
authenticate: always trust the passed in idp #3917 (@calebdoxsey)

Dependency

chore(deps): bump github.com/google/go-jsonnet from 0.19.1 to 0.20.0 #4140 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.51.0 #4130 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.2 to 3.23.3 #4129 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.50 to 7.0.52 #4128 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.29.0 to 1.29.1 #4127 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.21 #4126 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 2.1.0 to 2.1.2 #4124 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 #4123 (@dependabot[bot])
chore(deps): bump docker/metadata-action from 4.3.0 to 4.4.0 #4122 (@dependabot[bot])
chore(deps): bump google-github-actions/auth from 1.0.0 to 1.1.0 #4121 (@dependabot[bot])
dependencies: upgrade go and envoy #4116 (@calebdoxsey)
chore(deps): bump debian from d4bbca2 to 1fbdbcf #4115 (@dependabot[bot])
chore(deps): bump golang from 413cd9e to 73c225b #4114 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 #4113 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.116.0 to 0.118.0 #4112 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.9.1 to 3.10.0 #4111 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 #4110 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.33.1 to 4.33.3 #4109 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4108 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.5 to 1.31.2 #4106 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 #4105 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 #4104 (@dependabot[bot])
chore(deps): bump golang from 1.20.2-buster to 1.20.3-buster #4103 (@dependabot[bot])
chore(deps): bump distroless/base from 5812871 to 357bc96 #4102 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible #4101 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 2.0.0 to 2.1.0 #4100 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.112.0 to 0.114.0 #4096 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.50.1 to 0.51.0 #4093 (@dependabot[bot])
chore(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 #4088 (@dependabot[bot])
chore(deps): bump debian from c1c4bb9 to d4bbca2 #4085 (@dependabot[bot])
chore(deps): bump golang from 57dbdd5 to 97c3e1d #4084 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.0 to 0.10.1 #4083 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.54.0 #4082 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.47 to 7.0.50 #4081 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.18 to 1.18.19 #4080 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.32.2 to 4.33.1 #4079 (@dependabot[bot])
chore(deps): bump actions/stale from 7.0.0 to 8.0.0 #4077 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.0 #4074 (@dependabot[bot])
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 #4073 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.50.0 to 0.50.1 #4072 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.15 to 1.18.18 #4070 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 1.2.4 to 2.0.0 #4069 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.3.0 to 3.4.0 #4068 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 #4067 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.31.2 to 4.32.2 #4066 (@dependabot[bot])
chore(deps): bump golang from 1.20.1-buster to 1.20.2-buster #4060 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.5 to 1.17.6 #4059 (@dependabot[bot])
chore(deps): bump github.com/VictoriaMetrics/fastcache from 1.12.0 to 1.12.1 #4057 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.50.0 #4056 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4055 (@dependabot[bot])
chore(deps): bump actions/cache from 3.2.6 to 3.3.1 #4054 (@dependabot[bot])
chore(deps): bump golang from d99d361 to 9628a1a #4043 (@dependabot[bot])
chore(deps): bump debian from 7b16406 to c1c4bb9 #4042 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 1.2.2 to 1.2.4 #4041 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.31.1 to 4.31.2 #4040 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.3.0 to 5.3.1 #4039 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.6.0 to 0.7.0 #4038 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.1 to 3.23.2 #4037 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 #4036 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.39.0 to 0.41.0 #4035 (@dependabot[bot])
chore(deps): bump distroless/base from 8e770ae to 5812871 #4025 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.3 to 1.30.5 #4024 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.48.0 to 0.49.2 #4023 (@dependabot[bot])
chore(deps): bump github.com/yuin/gopher-lua from 0.0.0-20200816102855-ee81675732da to 1.1.0 #4022 (@dependabot[bot])
chore(deps): bump github.com/natefinch/atomic from 0.0.0-20200526193002-18c0533a5b09 to 1.0.1 #4021 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.50.1 to 1.51.2 #4020 (@dependabot[bot])
chore(deps): bump actions/cache from 3.2.5 to 3.2.6 #4019 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.15 #4018 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 1.1.3 to 1.2.2 #4017 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.10 to 1.18.14 #4002 (@dependabot[bot])
chore(deps): bump github.com/mholt/acmez from 1.0.4 to 1.1.0 #4000 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.109.0 to 0.110.0 #3999 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.2 to 1.30.3 #3998 (@dependabot[bot])
chore(deps): bump golang from 1.20.0-buster to 1.20.1-buster #3997 (@dependabot[bot])
chore(deps): bump distroless/base from 9687cd3 to 8e770ae #3995 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.30.8 to 4.31.1 #3994 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 #3993 (@dependabot[bot])
chore(deps): bump debian from 50cf570 to 7b16406 #3970 (@dependabot[bot])
chore(deps): bump golang from 4447a7f to f8fbd74 #3969 (@dependabot[bot])
chore(deps): bump distroless/base from 4f9fe94 to 9687cd3 #3968 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.23+incompatible to 23.0.1+incompatible #3967 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.52.3 to 1.53.0 #3965 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgx/v5 from 5.2.0 to 5.3.0 #3964 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.4.0 to 0.5.0 #3963 (@dependabot[bot])
chore(deps): bump actions/cache from 3.2.4 to 3.2.5 #3962 (@dependabot[bot])
chore(deps): bump fossa-contrib/fossa-action from 1.2.0 to 2.0.0 #3961 (@dependabot[bot])
chore(deps): bump debian from 12931ad to 50cf570 #3950 (@dependabot[bot])
chore(deps): bump golang from 1.19.5-buster to 1.20.0-buster #3949 (@dependabot[bot])
chore(deps): bump distroless/base from 76b0529 to 4f9fe94 #3948 (@dependabot[bot])
chore(deps): bump github.com/cloudflare/circl from 1.3.1 to 1.3.2 #3947 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.3 to 1.17.4 #3946 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.1 to 1.30.2 #3944 (@dependabot[bot])
chore(deps): bump google-github-actions/setup-gcloud from 1.0.1 to 1.1.0 #3943 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 #3942 (@dependabot[bot])
chore(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 #3941 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.108.0 to 0.109.0 #3940 (@dependabot[bot])
chore(deps): bump distroless/base from 9eeffdc to 76b0529 #3928 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.8 to 1.18.10 #3927 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.52.3 #3926 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.0 to 1.30.1 #3925 (@dependabot[bot])
chore(deps): bump actions/cache from 3.2.3 to 3.2.4 #3923 (@dependabot[bot])
chore(deps): bump tibdex/github-app-token from 1.7.0 to 1.8.0 #3922 (@dependabot[bot])
chore(deps): bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0 #3921 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.28.0 to 1.29.0 #3920 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.107.0 to 0.108.0 #3913 (@dependabot[bot])
chore(deps): bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 #3912 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.22+incompatible to 20.10.23+incompatible #3911 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 #3910 (@dependabot[bot])

Changed

Update SECURITY.md #4145 (@backport-actions-token[bot])
config: remove source, remove deadcode, fix linting issues #4118 (@calebdoxsey)
chore(deps): bump actions/checkout from 3.4.0 to 3.5.0 #4078 (@dependabot[bot])
move hpke public key handler out of internal #4065 (@wasaga)
authenticate: add events #4051 (@wasaga)
authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
authenticate: fix callback handler for split mode #4008 (@wasaga)
webauthn: only return known device credentials that match the given type #3981 (@calebdoxsey)
apple: fix userinfo #3974 (@calebdoxsey)
Appleid #3959 (@mnestor)
envoy: optimize listener #3952 (@wasaga)
databroker: add list types method #3937 (@calebdoxsey)
remove log message when no provider defined #3936 (@calebdoxsey)
maybe fix flaky test #3929 (@calebdoxsey)
chore(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 #3924 (@dependabot[bot])
add google cloud creds to ignore #3906 (@wasaga)

pomerium - v0.21.3

Published by wasaga over 1 year ago

Changelog

v0.21.3 (2023-03-23)

Full Changelog

Changed

ci: build version branch images #4062 (@backport-actions-token[bot])
authorize: move sign out and jwks urls to route, update issuer for JWT #4049 (@backport-actions-token[bot])
hpke: move published public keys to a new endpoint #4048 (@backport-actions-token[bot])

pomerium - v0.21.2

Published by wasaga over 1 year ago

Changelog

v0.21.2 (2023-02-23)

Full Changelog

Changed

authenticate: fix identity provider id in encrypted query string #4011 (@backport-actions-token[bot])
authenticate: fix callback handler for split mode #4010 (@backport-actions-token[bot])
authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
authenticate: fix authenticate_internal_service_url for all in one #4005 (@backport-actions-token[bot])
derivecert: fix ecdsa code to be deterministic #3991 (@backport-actions-token[bot])
fix webauthn url #3988 (@backport-actions-token[bot])
webauthn: only return known device credentials that match the given type #3987 (@backport-actions-token[bot])

pomerium - v0.21.1

Published by wasaga over 1 year ago

What's Changed

authenticate: save the session cookie with a different name by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3984
lua: fix rewrite response headers to handle dashes in URLs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3986

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.21.0...v0.21.1

pomerium - v0.21.0

Published by wasaga over 1 year ago

Changelog

v0.21.0 (2023-02-09)

Full Changelog

Changed

docker: switch to debian #3939 (@backport-actions-token[bot])
identity: fix nil reference error when there is no authenticator #3933 (@backport-actions-token[bot])
authenticate: always trust the passed in idp #3931 (@backport-actions-token[bot])
add google cloud creds to ignore #3907 (@backport-actions-token[bot])
tls_derive: rename for consistency #3905 (@wasaga)
envoyconfig: clean up filter chain construction #3844 (@calebdoxsey)
use tlsClientConfig instead of custom dialer #3830 (@wasaga)
controlplane: remove gorilla handlers dependency #3813 (@calebdoxsey)
events: remove xds configuraton update #3792 (@wasaga)

Breaking

proxy: add userinfo and webauthn endpoints #3755 (@calebdoxsey)
remove forward auth #3628 (@calebdoxsey)

New

scripts: update get-envoy script to download all binaries #3886 (@calebdoxsey)
explicitly list gRPC services accessible via the gRPC listener #3879 (@wasaga)
authenticate: add additional error details for hmac errors #3878 (@calebdoxsey)
auto tls #3856 (@wasaga)
mTLS: allow gRPC TLS for all in one #3854 (@wasaga)
authorize: log check() error #3846 (@wasaga)
config: add support for extended TCP route URLs #3845 (@calebdoxsey)
derive CA from pre-shared key #3815 (@wasaga)
httputil: ignore errors < 400 #3781 (@calebdoxsey)
authenticate: implement hpke-based login flow #3779 (@calebdoxsey)
identity: add identity profile #3777 (@calebdoxsey)
urlutil: add time validation functions #3776 (@calebdoxsey)
httputil: add cookie chunker #3775 (@calebdoxsey)
config: add option for tls renegotiation #3773 (@calebdoxsey)
hpke: add HPKE key to JWKS endpoint #3762 (@calebdoxsey)
hpke: add hpke package #3761 (@calebdoxsey)

Fixed

config: add missing options #3882 (@calebdoxsey)
postgres: return unknown records instead of skipping them #3876 (@calebdoxsey)
config: use insecure skip verify if derived certificates are not used #3861 (@calebdoxsey)
config: generate derived certificates instead of self-signed certificates #3860 (@calebdoxsey)
identity: fix expired session deletion #3855 (@calebdoxsey)
proxy: fix sign out redirect #3827 (@calebdoxsey)
dashboard: fix missing avatar and logout menu #3819 (@calebdoxsey)
autocert: use atomic pointer to allow nil #3816 (@calebdoxsey)
webauthn: require session when accessing /.pomerium/webauthn #3814 (@calebdoxsey)
oidc: fix token revocation #3810 (@calebdoxsey)
jwt: require logged in user to return .pomerium/jwt #3807 (@calebdoxsey)
storage: ignore removed fields when deserializing the data #3768 (@wasaga)

Dependency

chore(deps): bump debian from 7ca0fec to 12931ad #3904 (@dependabot[bot])
chore(deps): bump distroless/base from 8ee3d86 to 9eeffdc #3903 (@dependabot[bot])
chore(deps): bump golang from 1.19.4-buster to 1.19.5-buster #3902 (@dependabot[bot])
chore(deps): bump alpine from 8914eb5 to f271e74 #3901 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.7 to 1.18.8 #3900 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.46 to 7.0.47 #3899 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.47.4 to 0.48.0 #3898 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.105.0 to 0.107.0 #3897 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 #3896 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.30.6 to 4.30.8 #3895 (@dependabot[bot])
chore(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 #3894 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.0 #3893 (@dependabot[bot])
chore(deps): bump distroless/base from 8848703 to 8ee3d86 #3874 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0 #3873 (@dependabot[bot])
chore(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 #3872 (@dependabot[bot])
chore(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 #3871 (@dependabot[bot])
chore(deps): bump actions/cache from 3.2.2 to 3.2.3 #3870 (@dependabot[bot])
chore(deps): bump actions/setup-node from 3.5.1 to 3.6.0 #3869 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 #3868 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.2.0 to 3.3.0 #3867 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.6 to 1.30.0 #3866 (@dependabot[bot])
chore(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 #3865 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.45 to 7.0.46 #3864 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 #3863 (@dependabot[bot])
chore(deps): bump luxon from 2.3.0 to 2.5.2 in /ui #3862 (@dependabot[bot])
chore(deps): bump json5 from 2.2.0 to 2.2.3 in /ui #3853 (@dependabot[bot])
chore(deps): bump actions/stale from 6.0.1 to 7.0.0 #3852 (@dependabot[bot])
chore(deps): bump actions/cache from 3.0.11 to 3.2.2 #3851 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 #3850 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.11 to 3.22.12 #3849 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.8.2 to 1.8.3 #3848 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.5 to 1.29.6 #3847 (@dependabot[bot])
chore(deps): bump golang from e464bb0 to 7c97bae #3843 (@dependabot[bot])
chore(deps): bump distroless/base from 9283685 to 8848703 #3842 (@dependabot[bot])
chore(deps): bump debian from 880aa5f to 7ca0fec #3841 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 #3840 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.22+incompatible #3839 (@dependabot[bot])
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.5 to 1.18.7 #3838 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.30.5 to 4.30.6 #3837 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 #3836 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.3.1 to 4.4.0 #3834 (@dependabot[bot])
chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 #3833 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.47.3 to 0.47.4 #3832 (@dependabot[bot])
chore(deps): bump github.com/cloudflare/circl from 1.3.0 to 1.3.1 #3831 (@dependabot[bot])
postgres: upgrade to pgx v5 #3826 (@calebdoxsey)
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.4 to 1.18.5 #3825 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.47.0 to 0.47.3 #3824 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.37.0 to 0.39.0 #3823 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 #3822 (@dependabot[bot])
chore(deps): bump distroless/base from cd1bf87 to 9283685 #3804 (@dependabot[bot])
chore(deps): bump debian from 9583740 to 880aa5f #3803 (@dependabot[bot])
chore(deps): bump alpine from b95359c to 8914eb5 #3802 (@dependabot[bot])
chore(deps): bump golang from 1.19.3-buster to 1.19.4-buster #3801 (@dependabot[bot])
chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 #3800 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.2.0 to 0.4.0 #3799 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.0 to 0.9.1 #3798 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.103.0 to 0.104.0 #3797 (@dependabot[bot])
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.39 to 7.0.45 #3796 (@dependabot[bot])
chore(deps): bump github.com/go-chi/chi/v5 from 5.0.7 to 5.0.8 #3795 (@dependabot[bot])
chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.4 to 4.16.0 #3791 (@dependabot[bot])
chore(deps): bump actions/stale from 5.1.1 to 6.0.1 #3790 (@dependabot[bot])
chore(deps): bump tibdex/github-app-token from 1.6.0 to 1.7.0 #3789 (@dependabot[bot])
chore(deps): bump actions/setup-go from 3.3.1 to 3.4.0 #3788 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.30.2 to 4.30.5 #3787 (@dependabot[bot])
chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.2 to 2.2.0 #3786 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 #3785 (@dependabot[bot])
chore(deps): bump github.com/jackc/pgtype from 1.12.0 to 1.13.0 #3784 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.22.11 #3783 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0 #3782 (@dependabot[bot])
upgrade to golang-lru v2 #3771 (@calebdoxsey)
chore(deps): bump azure/docker-login from 81744f9799e7eaa418697cb168452a2882ae844a to 1.0.1 #3770 (@dependabot[bot])
chore(deps): bump minimatch from 3.0.4 to 3.1.2 in /ui #3760 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 #3759 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.102.0 to 0.103.0 #3758 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.2.0 to 0.3.0 #3757 (@dependabot[bot])
chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 #3756 (@dependabot[bot])
chore(deps): bump alpine from bc41182 to b95359c #3751 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.29.2 to 4.30.2 #3749 (@dependabot[bot])
chore(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 #3748 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.9 to 3.22.10 #3747 (@dependabot[bot])
chore(deps): bump golang.org/x/crypto from 0.1.0 to 0.2.0 #3746 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 #3745 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.8.0 to 0.9.0 #3744 (@dependabot[bot])
bump goreleaser to v4.1.1 #3919 (@backport-actions-token[bot])