Bump the backend group across 1 directory with 26 updates

[dependabot]

Bumps the backend group with 12 updates in the / directory:

Package	From	To
github.com/Masterminds/semver/v3	3.2.1	3.3.0
github.com/aquasecurity/trivy	0.48.3	0.56.1
github.com/go-chi/chi/v5	5.0.11	5.1.0
github.com/gorilla/feeds	1.1.2	1.2.0
github.com/jackc/pgconn	1.14.1	1.14.3
github.com/jackc/pgx/v4	4.18.1	4.18.3
github.com/operator-framework/api	0.21.0	0.27.0
github.com/rs/cors	1.10.1	1.11.1
github.com/rs/zerolog	1.31.0	1.33.0
github.com/sigstore/cosign	1.13.2	1.13.6
github.com/tektoncd/pipeline	0.56.0	0.64.0
github.com/unrolled/secure	1.14.0	1.16.0

Updates github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.0

Release notes

Sourced from github.com/Masterminds/semver/v3's releases.

v3.3.0

What's Changed

• Fix: bad package in README by @​sdelicata in Masterminds/semver#226
• Updating the GitHub Actions and versions of Go used by @​mattfarina in Masterminds/semver#229
• Fix spelling in README by @​robinschneider in Masterminds/semver#222
• Adding go build cache to fuzz output by @​mattfarina in Masterminds/semver#232
• Add caching to fuzz testing by @​mattfarina in Masterminds/semver#234
• updating github actions by @​mattfarina in Masterminds/semver#235
• feat: nil version equality by @​KnutZuidema in Masterminds/semver#213
• add >= and <= by @​grosser in Masterminds/semver#238
• doc: hyphen range constraint without whitespace by @​johnnychen94 in Masterminds/semver#216
• Removing reference to vert by @​mattfarina in Masterminds/semver#245
• simplify StrictNewVersion by @​grosser in Masterminds/semver#241
• Updating the testing version of Go used by @​mattfarina in Masterminds/semver#246
• bumping min version in go.mod based on what's tested by @​mattfarina in Masterminds/semver#248
• Updating changelog for 3.3.0 by @​mattfarina in Masterminds/semver#249

New Contributors

• @​sdelicata made their first contribution in Masterminds/semver#226
• @​robinschneider made their first contribution in Masterminds/semver#222
• @​KnutZuidema made their first contribution in Masterminds/semver#213
• @​grosser made their first contribution in Masterminds/semver#238
• @​johnnychen94 made their first contribution in Masterminds/semver#216

Full Changelog: Masterminds/semver@v3.2.1...v3.3.0

Changelog

Sourced from github.com/Masterminds/semver/v3's changelog.

3.3.0 (2024-08-27)

Added

• #238: Add LessThanEqual and GreaterThanEqual functions (thanks @​grosser)
• #213: nil version equality checking (thanks @​KnutZuidema)

Changed

• #241: Simplify StrictNewVersion parsing (thanks @​grosser)
• Testing support up through Go 1.23
• Minimum version set to 1.21 as this is what's tested now
• Fuzz testing now supports caching

Commits

• e6e3d4d Merge pull request #249 from mattfarina/update-changelog-3.3.0
• e80c4ea Updating changelog for 3.3.0
• 80427ad Merge pull request #248 from mattfarina/bump-min-version
• b610837 bumping min version in go.mod based on what's tested
• a4cccd8 Merge pull request #246 from mattfarina/bump-go-1.23
• 7c178cf Updating the testing version of Go used
• 29f94c1 Merge pull request #241 from grosser/grosser/validate
• 2cf1b16 Merge pull request #245 from mattfarina/remove-vert
• b55476a Removing reference to vert
• d07450b simplify StrictNewVersion
• Additional commits viewable in compare view

Updates github.com/aquasecurity/trivy from 0.48.3 to 0.56.1

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.56.1

Changelog

• 95dbf1152b2049a6ae2ae90a507630df01798bf1 release: v0.56.1 [release/v0.56] (#7648)
• 5dbdadfe4578288d5c3f2a5b625fff4a3580f8c5 fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)

v0.56.0

⚡Release highlights and summary⚡

👉aquasecurity/trivy#7640

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0560-2024-10-03

v0.55.2

Changelog

• 928c7c0f1a5c9432a2ba2daa5268dae53dc8eb7b release: v0.55.2 [release/v0.55] (#7523)
• 14a058f608be403a53019775c8308f4f5718afd7 fix(java): use dependencyManagement from root/child pom's for dependencies from parents [backport: release/v0.55] (#7521)
• 990bc4e8287889a18ebb59332b40db3e4586fed4 chore(deps): bump alpine from 3.20.0 to 3.20.3 [backport: release/v0.55] (#7516)

v0.55.1

⚡Release highlights and summary⚡

👉aquasecurity/trivy#7494

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.55/CHANGELOG.md#0551-2024-09-12

v0.55.0

⚡Release highlights and summary⚡

👉aquasecurity/trivy#7440

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0550-2024-09-03

v0.54.1

Changelog

• 854c61d34a550a9fcbab3bc59e55b868c15d1962 release: v0.54.1 [release/v0.54] (#7282)
• 334a1c293bb3d490af2a6d80732f399efaac22f7 fix(flag): incorrect behavior for deprected flag --clear-cache [backport: release/v0.54] (#7285)
• f61725c28b56d80fb46395479842a2ab0c517c5f fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
• a7b7117fe2c9608e990b42e702cc83675c48f888 fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)

v0.54.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#7268

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0540-2024-07-30

... (truncated)

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.56.1 (2024-10-03)

Bug Fixes

• db: fix javadb downloading error handling [backport: release/v0.56] (#7646) (5dbdadf)

0.56.0 (2024-10-03)

Features

• java: add empty versions if pom.xml dependency versions can't be detected (#7520) (b836232)
• license: improve license normalization (#7131) (6472e3c)
• misconf: add ability to disable checks by ID (#7536) (ef0a27d)
• misconf: Register checks only when needed (#7435) (f768d3a)
• misconf: Support --skip-* for all included modules (#7579) (c0e8da3)
• secret: enhance secret scanning for python binary files (#7223) (60725f8)
• support multiple DB repositories for vulnerability and Java DB (#7605) (3562529)
• support RPM archives (#7628) (69bf7e0)
• suse: added SUSE Linux Enterprise Micro support (#7294) (efdb68d)

Bug Fixes

• allow access to '..' in mapfs (#7575) (a8fbe46)
• db: check DownloadedAt for trivy-java-db (#7592) (13ef3e7)
• java: use dependencyManagement from root/child pom's for dependencies from parents (#7497) (5442949)
• license: stop spliting a long license text (#7336) (4926da7)
• misconf: Disable deprecated checks by default (#7632) (82e2adc)
• misconf: disable DS016 check for image history analyzer (#7540) (de40df9)
• misconf: escape all special sequences (#7558) (ea0cf03)
• misconf: Fix logging typo (#7473) (56db43c)
• misconf: Fixed scope for China Cloud (#7560) (37d549e)
• misconf: not to warn about missing selectors of libraries (#7638) (fcaea74)
• oracle: Update EOL date for Oracle 7 (#7480) (dd0a64a)
• report: change a receiver of MarshalJSON (#7483) (927c6e0)
• report: fix error with unmarshal of ExperimentalModifiedFindings (#7463) (7ff9aff)
• sbom: export bom-ref when converting a package to a component (#7340) (5dd94eb)
• sbom: parse type framework as library when unmarshalling CycloneDX files (#7527) (aeb7039)
• secret: change grafana token regex to find them without unquoted (#7627) (3e1fa21)

Performance Improvements

• misconf: use port ranges instead of enumeration (#7549) (1f9fc13)

Reverts

... (truncated)

Commits

• 95dbf11 release: v0.56.1 [release/v0.56] (#7648)
• 5dbdadf fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)
• d246401 release: v0.56.0 [main] (#7447)
• fcaea74 fix(misconf): not to warn about missing selectors of libraries (#7638)
• 69bf7e0 feat: support RPM archives (#7628)
• 3e1fa21 fix(secret): change grafana token regex to find them without unquoted (#7627)
• 8735242 chore(deps): Bump trivy-checks to v1.1.0 (#7631)
• 82e2adc fix(misconf): Disable deprecated checks by default (#7632)
• 1faf529 chore: add prefixes to log messages (#7625)
• c0e8da3 feat(misconf): Support --skip-* for all included modules (#7579)
• Additional commits viewable in compare view

Updates github.com/go-chi/chi/v5 from 5.0.11 to 5.1.0

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.1.0

What's Changed

• middleware: add Discard method to WrapResponseWriter by @​patrislav in go-chi/chi#926
  • Adds Discard() method to the middleware.WrapResponseWriter interface. This is technically an API breaking change. However after some discussion at go-chi/chi#926, we decided to move forward, and release as minor version, as we don't expect anyone to rely on this interface / implement it externally.

New Contributors

• @​patrislav made their first contribution in go-chi/chi#926

Full Changelog: go-chi/chi@v5.0.14...v5.1.0

v5.0.14

What's Changed

• middleware: fix typo in RealIP doc by @​l2dy in go-chi/chi#903
• reduce size of Context struct from 216 bytes to 208 bytes by @​juburr in go-chi/chi#912
• Avoid possible memory leak in compress middleware by @​Neurostep in go-chi/chi#919
• docs: Update stale links in docs for contributing by @​Lutherwaves in go-chi/chi#904
• Revert "Avoid possible memory leak in compress middleware" by @​VojtechVitek in go-chi/chi#924

New Contributors

• @​l2dy made their first contribution in go-chi/chi#903
• @​juburr made their first contribution in go-chi/chi#912
• @​Neurostep made their first contribution in go-chi/chi#919
• @​Lutherwaves made their first contribution in go-chi/chi#904

Full Changelog: go-chi/chi@v5.0.12...v5.0.14

v5.0.13

What's Changed

• middleware: fix typo in RealIP doc by @​l2dy in go-chi/chi#903
• reduce size of Context struct from 216 bytes to 208 bytes by @​juburr in go-chi/chi#912
• Avoid possible memory leak in compress middleware by @​Neurostep in go-chi/chi#919

New Contributors

• @​l2dy made their first contribution in go-chi/chi#903
• @​juburr made their first contribution in go-chi/chi#912
• @​Neurostep made their first contribution in go-chi/chi#919

Full Changelog: go-chi/chi@v5.0.12...v5.0.13

v5.0.12

Hi everyone, thank you to all contributors + reviewers.

We present chi v5.0.12 which includes support for the new Go 1.22 mux routing features :)

Specifically, this release adds support for:

• Routing methods r.Handle("GET /users/{userID}", handler) and similarly in r.HandlerFunc with a very simple addition to chi, thank you @​Spartan09 and @​angelofallars for their work on the PRs to add support (go-chi/chi#897, go-chi/chi#901)
• Access url path parameters via request.PathValue("xyz") and request.PathValue("*") on *http.Request when using the chi router in Go 1.22+. Of course you may also use chi.URLParam(r, "xyz") and chi.URLParam(r, "*") – these are all equivalent now in Go 1.22+. Thank you @​angelofallars for the PR (go-chi/chi#901)
• For full list of changes, see go-chi/chi@v5.0.11...v5.0.12

Changelog

Sourced from github.com/go-chi/chi/v5's changelog.

Changelog

v5.0.12 (2024-02-16)

• History of changes: see go-chi/chi@v5.0.11...v5.0.12

Commits

• 67be7d9 middleware: add Discard method to WrapResponseWriter (#926)
• 7957c0d Revert "fix(middleware): Close created writer in the compressor middleware (#...
• f728a1c docs: Update stale links in docs for contributing (#904)
• f10dc4a fix(middleware): Close created writer in the compressor middleware (#919)
• ef31c0b reduce context struct size from 216 bytes to 208 bytes (#912)
• c1f2a7a middleware: fix typo in RealIP doc (#903)
• 1191921 v5.0.12
• ec67a86 go 1.22, PathValue wildcard test
• fd0ff0e feat(mux): add 1.22-style path value support (#901)
• 60b4f5f feat: update HTTP method parsing in patterns for Handle and HandleFunc (#...
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.12.0

What's Changed

• git: Worktree.AddWithOptions: add skipStatus option when providing a specific path by @​moranCohen26 in go-git/go-git#994
• git: Signer: fix usage of crypto.Signer interface by @​wlynch in go-git/go-git#1029
• git: Remote, fetch, adds the prune option. by @​juliens in go-git/go-git#366
• git: Add crypto.Signer option to CommitOptions. by @​wlynch in go-git/go-git#996
• git: Worktree checkout tag hash id (#959) by @​aymanbagabas in go-git/go-git#966
• git: Worktree, Don't panic on empty or root path when checking if it is valid by @​tim775 in go-git/go-git#1042
• git: Add commit validation for Reset by @​pjbgf in go-git/go-git#1048
• git: worktree_commit, Fix amend commit to apply changes. Fixes #1024 by @​onee-only in go-git/go-git#1045
• git: Implement Merge function with initial FastForwardMerge support by @​pjbgf in go-git/go-git#1044
• plumbing: object, Make first commit visible on logs filtered with filename. Fixes #191 by @​onee-only in go-git/go-git#1036
• plumbing: no panic in printStats function. Fixes #177 by @​nodivbyzero in go-git/go-git#971
• plumbing: object, Optimize logging with file. by @​onee-only in go-git/go-git#1046
• plumbing: object, check legitimacy in (*Tree).Encode by @​niukuo in go-git/go-git#967
• plumbing: format/gitattributes, close file in ReadAttributesFile by @​prskr in go-git/go-git#1018
• plumbing: check setAuth error. Fixes #185 by @​nodivbyzero in go-git/go-git#969
• plumbing: object, fix variable defaultUtf8CommitMessageEncoding name spell error by @​Jerry-yz in go-git/go-git#987
• utils: merkletrie, calculate filesystem node's hash lazily. by @​candid82 in go-git/go-git#825
• utils: update comment in node.go's Hash() by @​codablock in go-git/go-git#992
• _example: fix 404 link and added ssh-agent clone link by @​grinish21 in go-git/go-git#1022
• _example: checkout-branch example by @​dlambda in go-git/go-git#446
• _example: example for git clone using ssh-agent by @​pjbgf in go-git/go-git#998

New Contributors

• @​candid82 made their first contribution in go-git/go-git#825
• @​codablock made their first contribution in go-git/go-git#992
• @​Jerry-yz made their first contribution in go-git/go-git#987
• @​wlynch made their first contribution in go-git/go-git#996
• @​moranCohen26 made their first contribution in go-git/go-git#994
• @​grinish21 made their first contribution in go-git/go-git#1022
• @​prskr made their first contribution in go-git/go-git#1018
• @​dlambda made their first contribution in go-git/go-git#446
• @​juliens made their first contribution in go-git/go-git#366
• @​onee-only made their first contribution in go-git/go-git#1036
• @​tim775 made their first contribution in go-git/go-git#1042
• @​niukuo made their first contribution in go-git/go-git#967
• @​avoidalone made their first contribution in go-git/go-git#1047

Full Changelog: go-git/go-git@v5.11.0...v5.12.0

Commits

• 302ddde Merge pull request #1060 from go-git/dependabot/go_modules/github.com/gliderl...
• 6bba34d build: bump github.com/gliderlabs/ssh from 0.3.6 to 0.3.7
• feaeb36 Merge pull request #937 from matejrisek/feature/rename-short-fields
• 7959a42 Merge pull request #1052 from go-git/dependabot/go_modules/github.com/skeema/...
• 4c17ce7 build: bump github.com/skeema/knownhosts from 1.2.1 to 1.2.2
• 3f77e6f Merge pull request #1048 from pjbgf/fix-reset-validation
• 6af38e0 Merge pull request #1047 from avoidalone/master
• e6c3e58 Merge pull request #1044 from pjbgf/ff-merge
• 04f7b23 *: fix some comments
• f4f1a87 Merge pull request #971 from nodivbyzero/fix-177-diff-print-file-stats
• Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.18.0 to 0.20.2

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.2

What's Changed

• deps: bump docker dep by @​imjasonh in google/go-containerregistry#1991

Full Changelog: google/go-containerregistry@v0.20.1...v0.20.2

v0.20.1

What's Changed

• Create remote.Push by @​mattmoor in google/go-containerregistry#1978

Full Changelog: google/go-containerregistry@v0.20.0...v0.20.1

v0.20.0

What's Changed

• Referrer API must return correct Content-Type by @​GregoireW in google/go-containerregistry#1968
• 🚨 POTENTIALLY BREAKING: Restore blind-write to remote.Put by @​jonjohnsonjr in google/go-containerregistry#1970

New Contributors

• @​GregoireW made their first contribution in google/go-containerregistry#1968

Full Changelog: google/go-containerregistry@v0.19.2...v0.20.0

v0.19.2

What's Changed

• Add JSON marshalling funcs for Digest. by @​wlynch in google/go-containerregistry#1915
• registry: Implement Range requests for blobs by @​jonjohnsonjr in google/go-containerregistry#1917
• Support podman auth file REGISTRY_AUTH_FILE. by @​zhaoyonghe in google/go-containerregistry#1914
• feat: crane mutate platform by @​joshwlewis in google/go-containerregistry#1919
• Add Context support to auth methods by @​jonjohnsonjr in google/go-containerregistry#1949
• Fix windows race condition when writing image with duplicate layers by @​dgannon991 in google/go-containerregistry#1921
• Add -O shorthand for --omit-digest-tags to crane. by @​smoser in google/go-containerregistry#1958

New Contributors

• @​wlynch made their first contribution in google/go-containerregistry#1915
• @​zhaoyonghe made their first contribution in google/go-containerregistry#1914
• @​joshwlewis made their first contribution in google/go-containerregistry#1919
• @​dgannon991 made their first contribution in google/go-containerregistry#1921
• @​smoser made their first contribution in google/go-containerregistry#1958

Full Changelog: google/go-containerregistry@v0.19.1...v0.19.2

v0.19.1

What's Changed

• Bump golang.org/x/net from 0.10.0 to 0.17.0 in /pkg/authn/k8schain by @​dependabot in google/go-containerregistry#1815
• Bump golang.org/x/ packages by @​jonjohnsonjr in google/go-containerregistry#1892

Full Changelog: google/go-containerregistry@v0.19.0...v0.19.1

... (truncated)

Commits

• c195f15 deps: bump docker dep (#1991)
• c3d1dcc Create remote.Push (#1978)
• d36047a Restore blind-write to remote.Put (#1970)
• 9915a85 Referrer API must return correct Content-Type (#1968)
• 1b4e407 Add -O shorthand for --omit-digest-tags to crane. (#1958)
• 3764db2 Fix windows race condition when writing image with duplicate layers (#1921)
• 39d1148 Add Context support to auth methods (#1949)
• ff385a9 feat: mutate platform (#1919)
• 98dd3e9 Support podman auth file REGISTRY_AUTH_FILE. (#1914)
• 051d642 registry: Implement Range requests for blobs (#1917)
• Additional commits viewable in compare view

Updates github.com/gorilla/feeds from 1.1.2 to 1.2.0

Release notes

Sourced from github.com/gorilla/feeds's releases.

v1.2.0

What's Changed

• Add the isPermaLink attribute to guid in RSS by @​yardenshoham in gorilla/feeds#107

New Contributors

• @​yardenshoham made their first contribution in gorilla/feeds#107

Full Changelog: gorilla/feeds@v1.1.2...v1.2.0

Commits

• eb2fb30 Add the isPermaLink attribute to guid in RSS (#107)
• See full diff in compare view

Updates github.com/jackc/pgconn from 1.14.1 to 1.14.3

Changelog

Sourced from github.com/jackc/pgconn's changelog.

1.14.3 (March 4, 2024)

• Update golang.org/x/crypto and golang.org/x/text

1.14.2 (March 4, 2024)

• Fix CVE-2024-27304. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Commits

• 1860f4e Update to go 1.17 for golang.org/x/text
• 9b4513f Fix changelog and release 1.14.3
• e78c705 Update golang.org/x/crypto and golang.org/x/text
• cfbc8b2 Update CHANGELOG.md
• c672dff Fix CVE-2024-27304
• See full diff in compare view

Updates github.com/jackc/pgx/v4 from 4.18.1 to 4.18.3

Changelog

Sourced from github.com/jackc/pgx/v4's changelog.

4.18.3 (March 9, 2024)

Use spaces instead of parentheses for SQL sanitization.

This still solves the problem of negative numbers creating a line comment, but this avoids breaking edge cases such as set foo to $1 where the substitution is taking place in a location where an arbitrary expression is not allowed.

4.18.2 (March 4, 2024)

Fix CVE-2024-27289

SQL injection can occur when all of the following conditions are met:

1. The non-default simple protocol is used.
2. A placeholder for a numeric value must be immediately preceded by a minus.
3. There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
4. Both parameter values must be user-controlled.

Thanks to Paul Gerste for reporting this issue.

Fix CVE-2024-27304

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Thanks to Paul Gerste for reporting this issue.

• Fix *dbTx.Exec not checking if it is already closed

Commits

• 8f05c47 Update changelog
• 69fcb46 Use spaces instead of parentheses for SQL sanitization.
• 14690df Update changelog
• 779548e Update required Go version to 1.17
• 80e9662 Update github.com/jackc/pgconn to v1.14.3
• 0bf9ac3 Fix erroneous test case
• f94eb0e Always wrap arguments in parentheses in the SQL sanitizer
• 826a892 Fix SQL injection via line comment creation in simple protocol
• 7d882f9 Fix *dbTx.Exec not checking if it is already closed
• 1d07b8b go mod tidy
• See full diff in compare view

Updates github.com/open-policy-agent/opa from 0.60.0 to 0.68.1-0.20240903211041-76f7038ea2d1

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.68.0

This release contains a mix of features and bugfixes.

Breaking Changes

entrypoint annotation implies document scope (#6798)

The entrypoint annotation's scope requirement has changed from rule to document (open-policy-agent/opa#6798). Furthermore, if no scope annotation is declared for a METADATA block preceding a rule, the presence of an entrypoint annotation with a true value will assign the block a document scope, where the rule scope is otherwise the default.

In practice, a rule entrypoint always point to the entire document and not a particular rule definition. The previous behavior was a bug, and one we've now addressed.

Authored by @​anderseknert

Topdown and Rego

• ast: Fixing nil-pointer dereference in compiler for partial rule edge case (#6930) authored by @​johanfylling
• ast+parser: Add hint to future-proof imports (6968) authored by @​srenatus
• topdown: Adding unification scope to virtual-cache key. Fixing issue where false positive cache hits can occur when unification "restricts" the scope of ref-head rule evaluation (#6926) authored by @​johanfylling reported by @​anderseknert
• topdown: Marshal JWT encode sign inputs as JSON (#6934) authored by @​charlieegan3

Runtime, Tooling, SDK

• ast: Make type checker copy method copy all values (#6949) authored by @​anderseknert
• ast: Include term locations in rule heads when requested (#6860) authored by @​anderseknert
• debug: Adding experimental debugger SDK (#6876) authored by @​johanfylling
• distributedtracing: allow OpenTelemetry resource attributes to be configured under distributed_tracing config (#6942) authored and reported by @​brettmc
• download: Fixing issue when saving OCI bundles on disk (#6939) authored and reported by @​Sergey-Kizimov
• logging: Always include HTTP request context in incoming req context (#6951) authored by @​ashutosh-narkar reported by @​alvarogomez93
• plugins/bundle: Avoid race-condition during bundle reconfiguration and activation (#6849) authored by @​ashutosh-narkar reported by @​Pushpalanka
• plugins/bundle: Escape reserved chars used in persisted bundle directory name (#6915) authored by @​ashutosh-narkar reported by @​alvarogomez93
• plugins/rest: Support AWS_CONTAINER_CREDENTIALS_FULL_URI metadata endpoint (#6893) authored and reported by @​mbamber
• util+server: Fix bug around chunked request handling. (#6904) authored by @​philipaconrad reported by @​David-Wobrock
• opa exec: This command never supported "pretty" formatting (--format=pretty or -f pretty), only json. Passing pretty is now invalid. (#6923) authored by @​srenatus Note that the flag is now unnecessary, but it's kept so existing calls like opa exec -fjson ... remain valid.

Security Fix: CVE-2024-8260 (#6933)

This release includes a fix where OPA would accept UNC locations on Windows. Reading those could leak NTLM hashes. The attack vector would include an adversary tricking the user in passing an UNC path to OPA, e.g. opa eval -d $FILE. UNC paths are now forbidden. If this is an issue for you, please reach out on Slack or GitHub issues.

Reported by Shelly Raban Authored by @​ashutosh-narkar

Docs, Website, Ecosystem

• docs: Suggest using opa-config.yaml as name for config file (#6966) (

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.