Dapr
v1.16.10Orchestration & ManagementDapr 1.16.10 fixes critical WASM component registration failures on production architectures and patches security vulnerabilities in Go runtime and OpenTelemetry SDK.
breakingUpgrade immediately if using WASM components
WASM binding and middleware components have been completely broken on production architectures since v1.16.0. If you're using these components and running v1.16.0-v1.16.9, upgrade to v1.16.10 immediately as your WASM components are silently failing to register.
securityUpdate for Go runtime and OpenTelemetry security patches
This release patches vulnerabilities in Go 1.25.7 (crypto/tls, go command) and OpenTelemetry SDK (arbitrary code execution via PATH hijacking). Plan your upgrade within your normal security patching window, prioritizing environments where PATH manipulation is possible.
enhancementReview Pulsar Avro message publishing for early error detection
Pulsar PubSub now validates JSON messages against Avro schemas before publishing, catching malformed data earlier. Test your Pulsar publishing workflows to ensure they handle the new validation errors gracefully and benefit from faster codec performance.
Key changes (5)
- Fixed WASM binding and middleware components failing to register on amd64/arm64 architectures due to filename collision with Go build constraints
- Added Pulsar PubSub Avro schema validation to prevent malformed messages from being published without error feedback
- Updated Go runtime to 1.25.7 with security fixes for crypto/tls and go command vulnerabilities
- Upgraded OpenTelemetry SDK to v1.40.0 to patch arbitrary code execution vulnerability (GO-2026-4394)
- Cached Pulsar Avro codec compilation at initialization for improved publishing performance