RATATOSKRATATOSK
Sign in

Crossplane

v2.2.1Orchestration & Management
Apr 21, 2026

Crossplane v2.2.1 patches two user-reported bugs — ImageConfig prefix rewrite dependency upgrades and ResourceSelector handling — plus a broad sweep of security dependency updates.

  • securityUpgrade to v2.2.1 immediately for dependency security fixes

    This release pulls in security patches for at least 8 upstream libraries including cosign, go-git, go-jose, and cloudflare/circl. These are not cosmetic bumps — go-git had two separate security-tagged updates in this release alone (v5.17.1 and v5.18.0). If you're running v2.2.0, plan the upgrade now. The patch is a drop-in replacement with no breaking changes.

  • breakingVerify your ImageConfig prefix rewrite setups after upgrading

    If you use ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry mirror), your packages may have been silently stuck on stale dependency versions before this fix. After upgrading to v2.2.1, expect Crossplane to reconcile and potentially upgrade dependent packages that were previously frozen. Review installed package versions post-upgrade to confirm the expected state.

  • enhancementComposition functions can now use broad ResourceSelectors safely

    Composition functions that need to select all existing resources of a given kind no longer need workarounds. A ResourceSelector with only apiVersion and kind set is now valid. If you patched around this limitation with explicit matchLabels or matchName wildcards, you can simplify those selectors in your function logic.

Key changes (5)

  • Fixed: packages installed via ImageConfig prefix rewrites were silently skipping dependency upgrades, leaving stale versions in place
  • Fixed: composition functions returning a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) now correctly selects all resources of that kind instead of being rejected
  • Go runtime bumped to 1.25.9 with security tag
  • Security updates across: cosign, go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTel OTLP HTTP trace exporter
  • CI workflow hardening: mitigated potential script injection in the promote workflow and added required job-level permissions