Crossplane
v2.0.8Orchestration & Managementv2.0.8 fixes two user-reported bugs (ImageConfig prefix rewrite upgrades, ResourceSelector with no match field) and patches multiple security vulnerabilities in upstream dependencies.
securityUpgrade to v2.0.8 immediately for dependency security patches
Multiple upstream dependencies received security-tagged fixes in this release — go-git (two separate bumps to v5.17.1 then v5.18.0), go-jose, cloudflare/circl, and others. These aren't just routine bumps; they carry CVE-related fixes. If you're running any v2.0.x release prior to v2.0.8, upgrade now. There are no API changes, so the upgrade path is straightforward.
breakingAudit packages installed via ImageConfig prefix rewrites for stale dependencies
If your environment uses ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry), dependent packages may have been silently stuck on outdated versions since you adopted that configuration. After upgrading to v2.0.8, force a reconciliation and verify that all package dependencies are on their expected versions — don't assume the upgrade alone will catch everything already in a stuck state.
enhancementUse bare ResourceSelector (apiVersion+kind only) for 'select all' semantics in composition functions
Previously, omitting matchName and matchLabels from a ResourceSelector caused Crossplane to reject the request outright. That's now fixed — a bare selector correctly means 'all resources of this kind'. If you worked around this limitation by enumerating resources explicitly or adding dummy match conditions, clean up those workarounds after upgrading.
Key changes (5)
- ImageConfig prefix rewrite: dependency upgrades now propagate correctly — packages were silently stuck on stale versions before this fix
- ResourceSelector with only apiVersion+kind (no matchName/matchLabels) now correctly selects all resources of that kind instead of being rejected
- Go runtime bumped to 1.25.9 with security fixes
- Security patches across go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTLP HTTP trace exporter
- CI workflow hardened against potential script injection in the promote pipeline