Crossplane
v2.2.2Orchestration & ManagementPure security patch release: Go runtime bumped to 1.25.10 and several dependencies updated to address stdlib CVEs and git-related vulnerabilities.
securityUpgrade to v2.2.2 immediately if running v2.2.x
This release is entirely security-driven. Go 1.25.10 patches stdlib CVEs, go-git v5.19.1 addresses git-related vulnerabilities, and x/crypto v0.52.0 closes cryptographic issues. No feature or behavioral changes are included, so the upgrade risk is minimal. If your team scans images or has compliance requirements, staying on v2.2.1 or earlier will trigger findings — update now.
securityCheck scanner results against the new image digest
The go-git library was patched twice in quick succession, which suggests active exploitation pressure on that attack surface. After upgrading, re-run your vulnerability scanner against the new Crossplane image digest to confirm all findings are cleared. Pay particular attention to any CVEs tagged against git operations or supply-chain tooling, since in-toto-golang was also updated.
Key changes (5)
- Go runtime bumped to 1.25.10 to fix multiple stdlib CVEs
- go-git/go-git updated twice (v5.19.0 then v5.19.1) for security fixes
- golang.org/x/crypto updated to v0.52.0 for security fixes
- in-toto-golang updated to v0.11.0 for security fix
- crossplane-runtime bumped to v2.2.2 to carry the same fixes downstream