Crossplane
v2.1.5Orchestration & Managementv2.1.5 patches three behavioral bugs (ImageConfig upgrades, ResourceSelector matching, circuit breaker resets) and pulls in a broad sweep of security dependency updates including Go 1.25.9.
breakingCheck for silently stale packages if you use ImageConfig prefix rewrites
If your environment uses ImageConfig to rewrite registry prefixes, dependent packages may have been silently pinned at outdated versions since the bug was introduced. After upgrading to v2.1.5, verify that your package dependency graph resolves to the expected versions — stale packages won't auto-upgrade retroactively, so you may need to trigger a reinstall or version bump manually.
securityUpgrade to v2.1.5 promptly — this release addresses multiple CVEs in core dependencies
The dependency list here is long: grpc, go-git (patched twice), go-jose, cloudflare/circl, moby/spdystream, docker/cli, and the OTel OTLP trace exporter all received security updates, plus Go itself was bumped to 1.25.9. Any of these could carry CVEs relevant to your threat model. This isn't a routine chore bump — prioritize this upgrade over staying on v2.1.4.
enhancementResourceSelector 'select all of a kind' unlocks cleaner composition function patterns
If you've been working around the previous rejection of bare apiVersion/kind selectors — adding dummy matchLabels or splitting logic — you can now clean that up. A selector with no match fields is treated as 'give me all resources of this kind,' which is the intuitive behavior. Review your composition functions for any workarounds and simplify them after upgrading.
Key changes (5)
- ImageConfig prefix rewrite users were silently stuck on stale dependency versions — now dependency upgrades work correctly through rewrites
- Composition functions can now use a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) to select all resources of a given kind
- Circuit breaker state is now cleared on XR deletion, preventing newly recreated XRs from being blocked by leftover breaker state
- Security dependency bumps across grpc, go-git, go-jose, cloudflare/circl, moby/spdystream, docker/cli, sigstore, and OTel OTLP HTTP exporter
- Go runtime bumped to 1.25.9 for underlying security fixes