Harbor
v2.14.4Storage & DataHarbor v2.14.4 is a patch release fixing session management bugs, scanner API issues, and DockerHub token auth, with Go 1.25.9 and dependency security bumps.
securityUpgrade immediately for go-jose and OTel SDK dependency fixes
The go-jose/go-jose and go.opentelemetry.io/otel/sdk packages were explicitly bumped in this release, which typically signals CVE remediation. If your Harbor instance handles sensitive registry credentials or is exposed to external traffic, this patch should be prioritized. Plan an upgrade from v2.14.3 to v2.14.4 — it's a patch release with no breaking changes, so the risk of upgrading is low.
breakingSession behavior changes — test SSO and long-lived browser sessions before rollout
Two session-related fixes land here: background polling no longer refreshes session TTL, and SessionRegenerate args/lifetime were corrected. If your users rely on the UI staying logged in while background tabs are open, their sessions will now expire as configured rather than being silently extended. Validate your session timeout settings in Harbor's config and communicate expected behavior changes to your users before upgrading in production.
enhancementDockerHub replication broken? This patch fixes the token auth flow
If you've been seeing replication failures from DockerHub registries (especially after DockerHub API changes), the fix to use the /v2/auth/token endpoint should resolve them. After upgrading, verify your DockerHub replication rules by triggering a manual sync and checking the replication job logs. Also retest any distribution instance edits that involve credentials — a separate fix addresses a bug where editing a distribution instance without credentials caused issues.
Key changes (5)
- Session TTL fix: background polling no longer accidentally renews user sessions, preventing unintended session extension
- SessionRegenerate save args and lifetime corrected — sessions were not being stored properly before this fix
- DockerHub replication adapter now uses /v2/auth/token endpoint for bearer token retrieval, fixing broken hub pulls
- Scanner API bug fixed — affects scanner integrations like Trivy configured through Harbor's API
- Go runtime bumped to 1.25.9, base image updated to goharbor/photon:5.0, and go-jose/go-jose + OpenTelemetry SDK updated