Releases
AI-analyzed release notes for CNCF graduated and incubating projects.
Flux v2.9.1 is a patch release fixing a CRD schema corruption bug where post-build variable substitution could rewrite Flux's own CRD definitions, plus smaller fixes for SOPS .ini decryption and a dry-run strategic merge patch error. No new breaking changes or CVEs are disclosed.
breakingCRD schema corruption from variable substitution fixed
If you run Kustomizations with post-build variable substitution enabled and your manifests contain ${...} sequences that happen to match Flux CRD schema fields, earlier versions could corrupt the CRD schemas. v2.9.1 fixes this by annotating Flux's own CRDs with kustomize.toolkit.fluxcd.io/substitute: disabled, so substitution no longer touches them. Upgrade if you use post-build substitution.
Key changes (4)
- Fixed CRD schema corruption: Flux's own CRDs are now annotated kustomize.toolkit.fluxcd.io/substitute: disabled to stop post-build substitution from rewriting their schemas
- Fixed SOPS .ini file decryption
- Fixed a dry-run error in strategic merge patch handling
- No new breaking changes, deprecations, or CVEs disclosed
Flux v2.9.0 is a feature release adding capabilities across most controllers, with one breaking change: the end-of-life image.toolkit.fluxcd.io/v1beta2 and notification.toolkit.fluxcd.io/v1beta2 APIs have been removed from the CRDs.
breakingv1beta2 image and notification APIs removed
Applies to any cluster still running resources on image.toolkit.fluxcd.io/v1beta2 or notification.toolkit.fluxcd.io/v1beta2. Both APIs have reached end-of-life and were dropped from the CRDs in v2.9.0. Migrate ImagePolicy, ImageRepository, ImageUpdateAutomation, Alert, Provider, and Receiver resources to their current API version before upgrading, or the controllers will fail to reconcile them.
Key changes (8)
- Breaking: image.toolkit.fluxcd.io/v1beta2 and notification.toolkit.fluxcd.io/v1beta2 are end-of-life and removed from the CRDs; migrate affected resources before upgrading.
- New Flux CLI Plugin System (`flux plugin`) with Mirror and Schema plugins.
- Kustomization gains Server-Side Apply field ignore rules for finer drift control, and SOPS decryption via the Age post-quantum cipher.
- New Workload Identity authentication paths: OpenBao/Vault in Kustomization, and AWS CodeCommit in GitRepository.
- HelmRelease adds post-render strategies (including chart hooks) and a literal mode for values matching `helm --set-literal`.
- Git commit signing/verification with SSH keys added for GitRepository and ImageUpdateAutomation; OCIRepository supports custom Sigstore trusted roots for air-gapped keyless verification.
- Secret-less, OIDC-secured webhook Receivers added, plus path pattern directory discovery for monorepos in ArtifactGenerator.
- Component controllers bumped (source-controller v1.9.1, kustomize-controller v1.9.1, notification-controller v1.9.1, helm-controller v1.6.1, image-reflector/automation-controller v1.2.1); CLI now builds against Kubernetes 1.36 and Go 1.26, plus assorted CLI additions and small bugfixes.
pack v0.40.7 is a routine patch: a registry-message text fix, an internal dependency cleanup, and an updated builder suggestion. No breaking or security changes for operators.
Key changes (3)
- Fixed the yank registry issue body text: added `yank = true` and a code fence for clarity
- Removed the direct dependency on github.com/docker/docker
- CLI now suggests `heroku/builder:26` instead of `heroku/builder:24` as the recommended builder
OpenKruise v1.9.0 adds several useful workload features and fixes a pile of stability bugs — including CPU-spike and panic fixes that affect anyone running ImagePullJobs or SidecarSets in production.
breakingString-formatted maxUnavailable/maxSurge values now rejected by webhook
Values like maxUnavailable: '5' (a quoted integer string) are now rejected at admission. If your manifests or Helm charts set these as strings instead of integers, the webhook will block them after upgrade. Audit your CloneSet and related workload specs before upgrading to v1.9.0.
enhancementFix ImagePullJob high CPU before upgrading large clusters
A cascading reconcile amplification bug was causing ImagePullJob controllers to spike CPU. If you've been seeing unexpected controller-manager CPU pressure, this is likely the cause. Upgrading to v1.9.0 should resolve it — no config changes needed.
enhancementCloneSet progressDeadlineSeconds and OnDelete strategy now available
CloneSet now supports progressDeadlineSeconds to surface stalled rollouts, and an OnDelete update strategy for manual upgrade control. Teams doing canary or phased rollouts with CloneSet should evaluate both options — progressDeadlineSeconds in particular fills a gap that previously required external monitoring to detect stuck updates.
Key changes (5)
- ImagePullJob: fixes high CPU caused by cascading reconcile amplification, and adds node-side concurrency control — critical for clusters with large image pull workloads
- SidecarSet: fixes panics on pod deletion and during null pointer access; adds ordered container injection and shareVolumeDevicePolicy support
- CloneSet: adds progressDeadlineSeconds, OnDelete update strategy, and fixes lifecycle hook bugs when CloneSetEventHandlerOptimization is enabled
- UnitedDeployment: new ReserveUnschedulablePods feature keeps unschedulable pods reserved instead of replaced
- PodUnavailableBudget now protects Pod RESIZE actions, useful when using in-place vertical scaling
Argo CD 3.4.4 is a patch release focused on stability fixes for health checks, RBAC, diffs, and template rendering. Update if you run multi-namespace setups or use Dex authentication.
breakingRBAC regression fix for multi-namespace setups
A prior release introduced a regression in RBAC enforcement for project-scoped resources in multi-namespace architectures. This patch restores correct behavior. If you use project-level RBAC restrictions across multiple namespaces, verify that access controls work as expected after upgrading, particularly around project-scoped resource visibility.
enhancementHealth check reliability improvement
The PromotionStrategy health check was incorrectly reporting Progressing after no-op re-hydration, blocking deployments. This is now fixed. If you use PromotionStrategy with ArgoCD, upgrade to avoid stalled health states that require manual intervention to clear.
enhancementServer-side diff regression resolved
A recent change broke server-side diffs on new objects, causing errors. This patch restores diff functionality. If you rely on server-side diffs in your deployment pipeline (especially for new resources), apply this update to restore normal diff behavior.
Key changes (5)
- Fixed PromotionStrategy health check regression that left resources stuck in Progressing state
- Resolved RBAC regression affecting project-scoped resources in multi-namespace deployments
- Fixed diff error on new objects in server-side diffs
- Patched Dex password parsing to handle dollar signs correctly
- Resolved cross-generator Values template resolution in ApplicationSet RenderGeneratorParams
Argo CD v3.3.12 is a maintenance release fixing sync state tracking, cluster observer locking, configuration parsing, and git repository depth handling—no breaking changes.
securityDex authentication now handles special characters in passwords
Dex password parsing previously failed if passwords contained dollar signs, potentially locking users out. If you use Dex for OIDC and recently added or updated passwords with special characters, upgrade to v3.3.12 immediately to restore access. Test Dex login after updating.
enhancementFix PromotionStrategy stuck state if using Argo Rollouts
If you run Argo CD with Argo Rollouts and use PromotionStrategy, applications may have remained stuck in Progressing after configuration reloads even when nothing changed. Update to v3.3.12 to resolve this. Check your application health status post-upgrade to confirm recovery.
Key changes (5)
- PromotionStrategy health status no longer stuck in Progressing after no-op re-hydration
- Cluster informer now protected by lock to prevent concurrent access issues
- Dex password parsing fixed to handle dollar signs correctly
- Git repository depth setting now honored in change detection and fetch operations
- Live status excluded from normalization to improve accuracy
v1.52.0 has three breaking changes (discovery API default, immediate stitching removed, BUI union types) alongside significant catalog PostgreSQL performance fixes and a batch of UX and reliability improvements.
breakingCheck discovery.endpoints and remove immediate stitching config
Two breaking changes need attention before upgrading. First, if you use `discovery.endpoints` with internal-only string targets, convert them to object form with `target.internal` set to the internal URL and `target.external` set to a browser-reachable URL — otherwise the frontend will try to reach internal addresses directly. Second, remove `catalog.stitchingStrategy.mode: 'immediate'` from your config; it's now a no-op and will log deprecation warnings. Both changes are straightforward config edits.
breakingMigrate ComboboxProps and SelectProps extensions before upgrading
`ComboboxProps` and `SelectProps` are now union types. If your codebase has interfaces that extend either type, they will fail to compile — switch them to type intersections. Also audit CSS selectors that target list content as a direct child of `.bui-SelectPopover`, as that structure changed. These are frontend component-layer changes with no runtime fallback.
enhancementCatalog query performance improvements for PostgreSQL — no action needed, just upgrade
Several PostgreSQL-specific query planner fixes ship in this release: multi-column statistics on the search table, a dropped redundant index, tuned vacuum thresholds, and a split count/list query. If your catalog list views are slow with large entity counts, this upgrade is worth prioritizing. No config changes needed — the improvements apply automatically via migration. Teams on MySQL/SQLite won't see the same gains.
Key changes (7)
- Default discovery API in @backstage/plugin-app changed to FrontendHostDiscovery; internal-only string targets in discovery.endpoints must be migrated to object form
- catalog.stitchingStrategy.mode: 'immediate' removed — configs still using it will be silently ignored with a warning
- ComboboxProps and SelectProps changed to union types, breaking any interface that extended them directly
- Catalog backend gets multiple PostgreSQL query planner fixes — extended statistics, dropped legacy index, split count query — targeting 10-40x slower list views
- @backstage/connections experimental package added as a preview of the future integrations replacement; not for production use
- Lazy-loading of react-syntax-highlighter and @dagrejs/dagre cuts ~10 MB from the initial module load of @backstage/core-components
- Newly scaffolded apps now use Yarn 4.13.0 with npmMinimalAgeGate: 3d enabled as a supply-chain defense
flagd core v0.16.0 changes disabled flag evaluation from an error response to a successful resolution with reason=DISABLED, affecting gRPC/OFREP callers and code that inspects evaluation metadata.
breakingAudit any code that checks errorCode or reason on flag evaluations
If your code branches on FLAG_DISABLED error codes or checks the reason field from direct gRPC/OFREP responses, it will no longer receive that error path for disabled flags — it'll get a success with reason=DISABLED instead. Search your codebase for FLAG_DISABLED string matches, error-code switch statements, and reason-field conditionals before upgrading. SDK users who only consume the resolved value are unaffected and can upgrade without changes.
enhancementUse reason=DISABLED for observability and audit logging
The new behavior is actually cleaner for telemetry. Since disabled flags now resolve successfully, you can distinguish 'flag disabled' from 'evaluation error' in your metrics and logs without special-casing error codes. Update your dashboards and alerting rules to treat reason=DISABLED as an expected, non-error signal rather than filtering it out as noise.
Key changes (4)
- Disabled flags now return reason=DISABLED with a successful evaluation instead of a FLAG_DISABLED error code
- Resolved values are unchanged — SDKs still surface the caller-provided default, so end-user behavior is identical
- Breaking impact is scoped: affects direct gRPC/OFREP callers, code checking errorCode/reason fields, and importers of core/pkg/model
- An Architecture Decision Record (ADR) documents the rationale for this semantic change
flagd v0.16.0 changes disabled flag evaluation from an error to a successful resolution with reason=DISABLED, affecting direct gRPC/OFREP callers and code that inspects evaluation metadata.
breakingAudit error-handling code that checks FLAG_DISABLED or errorCode
If your application checks the evaluation reason or error code after a flag resolution — whether through direct gRPC calls, OFREP HTTP calls, or Go imports of core/pkg/model — you need to update that logic. FLAG_DISABLED errors will no longer appear; instead expect a successful response with reason=DISABLED. SDK users who only read the resolved value are unaffected, but any monitoring, alerting, or branching logic that keys off FLAG_DISABLED will silently stop triggering. Grep your codebase for FLAG_DISABLED and errorCode checks before upgrading.
Key changes (4)
- Disabled flags now return reason=DISABLED with a successful resolution instead of a FLAG_DISABLED error code
- Resolved values are unchanged — SDKs still surface the caller-provided default, so end-user behavior is identical
- Breaking impact is narrow: only affects consumers inspecting reason/errorCode, direct gRPC/OFREP callers, or code importing core/pkg/model
- An Architecture Decision Record (ADR) documents the rationale for this semantic change
OpenFeature core/v0.15.8 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗OpenFeature flagd/v0.15.7 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗OpenFeature core/v0.15.7 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗OpenFeature flagd-proxy/v0.9.6 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗OpenFeature flagd/v0.15.6 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗Argo CD v3.3.11 is a routine patch release on the 3.3 branch, bundling six bug fixes and one dependency security update (CVE-2026-41240).
securityPatch dompurify CVE in Argo CD UI
This patch bumps redoc/dompurify to v3.4.0 in the UI to fix CVE-2026-41240. If you run the Argo CD UI, upgrade to v3.3.11 to close this XSS-related dependency vulnerability.
enhancementFixes for controller startup race and nil pointer crash
A race condition could raise an InvalidSpecError during application controller startup, and a nil pointer dereference existed in removeWebookMutation() from gitops-engine. Both are fixed here; upgrade if you've seen spurious spec errors or controller crashes on startup.
Key changes (5)
- Fixed a race condition causing InvalidSpecError during application controller startup
- Fixed a nil pointer dereference in gitops-engine's removeWebookMutation()
- Fixed label truncation for deletion hook resources
- Bumped redoc/dompurify to v3.4.0 in the UI, fixing CVE-2026-41240
- Removed resourceVersion from server-side diff (ssd) handling
Argo CD 3.4.3 is a patch release fixing a UI XSS CVE (CVE-2026-41240 via dompurify), a controller startup race, a webhook nil-pointer crash, and several CLI/UI bugs.
securityPatch CVE-2026-41240 in the UI (dompurify bump)
dompurify was bumped to v3.4.0 to fix CVE-2026-41240. If you're running Argo CD 3.4.x with the web UI exposed — especially to less-trusted users — upgrade to 3.4.3 promptly. Check whether your current version is behind 3.4.3 and roll it out during your next maintenance window or sooner if the UI is internet-facing.
enhancementFix startup race condition and nil-pointer crash in webhook mutation
A race condition in application controller startup could trigger InvalidSpecError incorrectly, and a nil pointer dereference in removeWebhookMutation() could cause crashes. Both are fixed here. If you've seen spurious errors at controller startup or webhook-related panics, 3.4.3 addresses them directly.
enhancement'app wait' no longer hangs when app is already synced
'app wait' now returns immediately when the app is already in the desired state, instead of blocking. If you use 'app wait' in CI/CD pipelines or scripts as a sync gate, this means faster pipeline runs when apps are already healthy — no code changes needed, just upgrade.
Key changes (6)
- CVE-2026-41240 patched: dompurify bumped to v3.4.0 in the UI
- Fixed race condition causing InvalidSpecError during application controller startup
- Fixed nil pointer dereference in removeWebhookMutation() in gitops-engine
- CLI: 'app wait' now exits immediately if app is already in desired state
- UI: Parameters tab now returns the full source for non-hydrator apps
- Repo depth setting now honored in gitSourceHasChanges and fetch functions
OpenFeature core/v0.15.6 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗Flux v2.8.8 patches two go-git CVEs in source and image-automation controllers, fixes a memory leak in helm-controller, and adds GCP sovereign cloud registry support.
securityUpgrade immediately to patch two go-git CVEs
CVE-2026-45571 and CVE-2026-45570 affect source-controller and image-automation-controller. Both are fixed in go-git v5.19.1 bundled with this release. If you run either of these controllers — and most Flux installations do — upgrade to v2.8.8 now. There's no workaround short of disabling those controllers.
breakingReview charts that place non-CRD resources under crds/ directory
Helm-controller previously force-applied any object found under a chart's crds/ directory, not just actual CRDs. That behavior is now corrected. If you have Helm charts (especially community or third-party ones) that bundle non-CRD manifests under crds/ as a workaround for install ordering, those objects will no longer be force-applied. Audit your HelmRelease resources and test in a non-production environment before rolling this out broadly.
enhancementInvestigate artifact fetch timeouts if reconciliations have been stalling
The new configurable HTTP timeout for artifact fetching directly addresses indefinite blocking during fetches. If you've seen helm-controller or source-controller reconciliations hang without clear errors, this fix likely explains it. After upgrading, configure the timeout explicitly rather than relying on defaults — check the helm-controller v1.5.5 changelog for the specific field name. Also worth auditing memory usage before and after upgrade if your helm-controller pods have been growing steadily in memory.
Key changes (5)
- go-git updated to v5.19.1 to address CVE-2026-45571 and CVE-2026-45570 in source-controller and image-automation-controller
- helm-controller fix: unbounded memory growth from Kubernetes client transport retry wrapper accumulating on every reconcile cycle
- New configurable HTTP timeout for artifact fetching prevents indefinite blocking and stalled reconciliations in helm-controller
- helm-controller no longer force-applies non-CRD objects placed under a chart's crds/ directory — a behavioral correction that could affect existing charts
- GCP sovereign cloud artifact registry support added to source-controller and image-reflector-controller
v1.51.0 lands six breaking changes alongside major catalog performance wins, a new AiResource entity kind, and MCP/OIDC hardening. Plan migration time before upgrading.
breakingRun catalog DB migration SQL before deploying to large installs
The new catalog migration adds covering indices and a UNIQUE constraint on the search table, which can be slow on large datasets. The release notes explicitly recommend running the provided SQL commands manually before deploying v1.51.0. Skipping this turns a controlled maintenance window into an uncontrolled deployment stall. Check the changelog for the exact SQL before you upgrade.
breakingAudit six breaking changes before upgrading — OIDC and MsgGraph need immediate config review
The OIDC CIMD/DCR patterns changed from wildcard '*' to specific MCP client defaults — any custom MCP clients will silently stop working unless you explicitly add their patterns to the allow list. Separately, Microsoft Graph now excludes disabled user accounts; if your org tracks disabled users in Backstage, add an explicit filter before upgrading. Also migrate NavItemBlueprint usages to PageBlueprint title/icon params, and update PolicyQueryUser code to use credentials instead of the removed token/expiresInSeconds fields.
enhancementAdopt incremental Microsoft Graph ingestion for large orgs
The new msgraph-incremental module processes users and groups one page at a time and persists cursor state, meaning a pod restart no longer forces a full re-ingest. For orgs with tens of thousands of users, this is a practical operational improvement worth switching to. Install the new module and migrate your provider config — the old MicrosoftGraphOrgEntityProvider remains available but holds the full dataset in memory.
Key changes (6)
- Six breaking changes: NavItemBlueprint removed, PortableSchema.schema now method-only, OIDC/CIMD/DCR patterns hardened, PolicyQueryUser cleaned up, catalog pagination excludes null-sort entities, Microsoft Graph now filters disabled users by default
- Catalog backend gets substantial query performance improvements — paginated entity lists drop from seconds to milliseconds via index-aware PostgreSQL queries; large installs should run provided SQL migration commands before deploying
- New AiResource catalog entity kind and mcp-server API subtype added, expanding Backstage's model for AI workloads
- Microsoft Graph incremental ingestion module added — memory-efficient cursor-based ingestion that resumes from last page after pod restarts
- Scaffolder form decorators promoted to stable (public API); always() and failure() step control functions added
- TechDocs gains disableExternalFonts option for air-gapped environments; scheduler fixed for tasks longer than ~24.8 days
pack v0.40.6 is a small patch fixing a trust detection bug in 'builder inspect' and adding Heroku's builder:26 to the trusted builders list.
breakingAudit pipelines that worked around the trust detection bug
If your CI scripts or automation added extra flags or workarounds because 'builder inspect' was misreporting trusted builders as untrusted, remove those workarounds now. Running with unnecessary trust overrides is a security smell worth cleaning up.
enhancementUse heroku/builder:26 without manual trust configuration
Teams targeting Heroku's stack 26 no longer need to manually mark the builder as trusted via '--trust-builder' or config file entries. Upgrade to v0.40.6 and clean up any explicit trust overrides you've added for this builder.
Key changes (3)
- Fixed 'builder inspect' incorrectly showing known/trusted builders as untrusted
- Added 'heroku/builder:26' to the built-in trusted builders list
- Bundles lifecycle v0.21.0 by default in builders created with this release
v3.2.12 is a minor patch fixing a lint nesting issue, URL validation export, and a log line overflow bug in the UI. Low risk, safe to apply.
enhancementApply patch if UI log wrapping is causing visual issues
If your team uses Argo CD's log viewer with line-wrapping enabled, lines were overflowing their container — a fairly annoying UX bug. This patch resolves it cleanly. No config changes needed; just upgrade.
enhancementRoutine patch — schedule upgrade at your next maintenance window
No breaking changes, no CVEs. The spdystream dependency bump is a minor upstream fix. This is a straightforward patch release; there's no urgency, but keeping current on 3.2.x is good hygiene before any future minor version jump.
Key changes (5)
- Fixed log lines overflowing their container when the wrap-lines toggle is enabled (Issue #27586)
- Exported the URL validation function for external use (#27816)
- Fixed unnecessary nesting in lint logic (#27815)
- Bumped github.com/moby/spdystream from 0.5.0 to 0.5.1
- All container images remain cosign-signed with SLSA Level 3 provenance
Argo CD v3.3.10 is a patch release fixing a nil-pointer panic in permission validation, a log line UI overflow bug, and bumping Go to 1.25.9 to address CVEs.
securityUpgrade immediately — Go 1.25.9 fixes CVEs in the runtime
The Go runtime was bumped from a prior version to 1.25.9 specifically to resolve CVEs. The release notes don't enumerate the CVE IDs, but any patch that upgrades the runtime for security reasons on a stable branch deserves prompt action. If you're running 3.3.x, upgrade to 3.3.10 now rather than waiting for your next maintenance window.
breakingServer-side diff now correctly hides secrets — verify diff outputs if you rely on them
The fix to apply HideSecretData to server-side diff results means that previously exposed secret values in diff views will now be redacted. If any automation, alerting, or audit tooling parses diff output expecting raw secret values, it will break. Review your diff-dependent workflows before upgrading.
enhancementNil APIResource panic fix prevents unexpected controller crashes
The permission validator could panic when an APIResource was nil — a condition that can occur with certain custom or non-standard API groups. If you've seen intermittent ArgoCD controller restarts without clear cause, this is a likely culprit. Upgrade to 3.3.10 to stabilize those environments.
Key changes (5)
- Go runtime updated to 1.25.9 to resolve unspecified CVEs affecting the 3.3 branch
- Panic fix in permission validator when APIResource is nil — previously could crash the controller
- Log viewer wrap-lines toggle no longer causes lines to overflow the container
- HideSecretData now correctly applied to server-side diff results in gitops-engine
- OpenTelemetry SDK bumped to 1.43.0
Argo CD v3.4.2 is a patch release fixing a panic in the permission validator, reverting a problematic revision update optimization, and patching secret data exposure in server-side diffs.
securitySecret values could appear in diff output — patch now
Server-side diff results for Secret resources were not having HideSecretData applied, meaning secret values could be exposed in diff views through the UI or API. If you use server-side apply or server-side diff previews, upgrade to 3.4.2 immediately. Audit your ArgoCD API access logs if you suspect exposure.
breakingUpdateRevisionForPaths revert may re-introduce previous behavior
The optimization that avoided unnecessary UpdateRevisionForPaths calls (merged in 3.4.x) caused regressions and has been reverted. If you were relying on that behavior for performance or correctness, expect the pre-fix behavior to return. Monitor sync operations after upgrading, especially for path-filtered applications.
enhancementPermission validator panic fix improves stability
A nil APIResource in the permission validator could crash the ArgoCD server process. This is now guarded. If you've seen unexpected pod restarts on the ArgoCD server, especially in environments with non-standard CRDs or API aggregation, this patch likely addresses it.
Key changes (5)
- Reverted the 'avoid calling UpdateRevisionForPaths unnecessarily' fix from v3.4.x due to regressions it introduced
- Fixed nil pointer panic in permission validator when APIResource is nil — a stability fix for edge-case RBAC scenarios
- HideSecretData now correctly applied to server-side diff results for Secrets, preventing potential secret leakage in UI/API diff views
- OpenTelemetry SDK bumped to 1.43.0 and moby/spdystream updated to 0.5.1
- CI pipeline image pinning added for supply chain integrity
Flux v2.8.7 patches a CVE in go-git and fixes a destructive reconciliation bug where non-namespaced resources with ssa:IfNotPresent were being deleted and recreated every cycle.
securityPatch CVE-2026-45022 by upgrading now
go-git v5.19.0 fixes CVE-2026-45022, which affects source-controller and image-automation-controller — two components that actively clone and interact with Git repos. If your Flux installation pulls from any external or semi-trusted Git source, treat this as a priority upgrade. Run 'flux install' or update your Helm release to v2.8.7 immediately.
breakingCheck non-namespaced resources using ssa:IfNotPresent for unintended churn
If you're managing ClusterRoles, CRDs, or other cluster-scoped resources with the kustomize.toolkit.fluxcd.io/ssa: IfNotPresent annotation, those resources were being silently deleted and recreated on every reconciliation loop before this fix. Audit your Kustomization objects and verify resource state after upgrading to confirm the churn has stopped. Any dependent workloads may have experienced disruptions you weren't aware of.
enhancementFollow the v2.7+ upgrade procedure if coming from v2.6
The Flux team has a specific upgrade discussion thread for v2.7+ migrations. Skipping it when jumping from v2.6 to v2.8.7 can cause issues. Review the linked procedure before applying this update in environments running older Flux versions.
Key changes (4)
- CVE-2026-45022 fixed via go-git v5.19.0 in source-controller and image-automation-controller
- kustomize-controller no longer deletes and recreates non-namespaced resources annotated with ssa:IfNotPresent on every reconciliation
- fluxcd/pkg dependency updates across source-controller, kustomize-controller, and image-automation-controller
- helm-controller v1.5.4, kustomize-controller v1.8.5, source-controller v1.8.4 component bumps
Argo CD 3.4.1 is the first 3.4 release (skipping 3.4.0), bringing a breaking cluster version format change for ApplicationSets, plus a large wave of bug fixes, performance improvements, and UI enhancements.
securityAdd X-Frame-Options/CSP headers and JWT logout invalidation
Two security fixes landed: Swagger UI endpoints now return X-Frame-Options and Content-Security-Policy headers (mitigates clickjacking), and JWT tokens are invalidated server-side on logout (prevents session reuse after logout). Both are passive — no config changes needed — but if you run Argo CD behind a reverse proxy that strips security headers, verify the headers reach clients after upgrading.
breakingUpdate ApplicationSet cluster version labels before upgrading
The kubernetes-version label format changed from Major.Minor (e.g., '1.29') to vMajor.Minor.Patch (e.g., 'v1.29.3') to match Helm 3.19.0. If you use ApplicationSet Cluster Generators with argocd.argoproj.io/auto-label-cluster-info, your existing cluster secrets carry the old format. After upgrading, update those secrets to use argocd.argoproj.io/kubernetes-version with the new format, or your cluster-version-based filters will stop matching. Check the 3.3-3.4 upgrade guide before rolling out.
enhancementAppSet controller and repo-server performance improvements worth monitoring
Several perf fixes shipped: optimized parentUIDToChildren data structure, reduced secret deep-copies in the controller, parallel batching in CLI server-side diff, and optimized repoLock on checkout. If you've been seeing slow reconciliation or high CPU in the appset controller on large clusters, this upgrade should show measurable improvement. Monitor controller CPU and reconciliation latency metrics after rollout.
Key changes (5)
- Breaking: Kubernetes cluster version format changed from Major.Minor to vMajor.Minor.Patch to align with Helm 3.19.0 behavior — ApplicationSet Cluster Generators using auto-label-cluster-info must update their label key
- JWT tokens are now invalidated on logout, closing a session persistence gap
- X-Frame-Options and CSP headers added to Swagger UI endpoints
- Stack overflow fix for circular ownerRef processing in resource graphs — affects anyone with complex resource hierarchies
- AppSet controller performance improved: optimized cluster secret fetching, application cache synchronization, and reduced secret deep-copies
Argo CD v3.1.16 is a minor patch fixing a server-side double-delete error and bumping the SonarQube scan action dependency.
securityVerify cosign signatures after upgrading
Every release is a good reminder to validate image provenance in your admission pipeline. Argo CD images meet SLSA Level 3 — if you're not yet enforcing signature verification at deploy time, now is a practical moment to wire that into your policy engine (e.g., Kyverno or OPA Gatekeeper).
enhancementApply patch if double-delete errors are hitting your workflows
If your GitOps pipelines or operators occasionally retry delete operations (e.g., during cascade deletes or reconciliation loops), the previous behavior could surface spurious errors that confused alerting or caused retries to fail loudly. This fix cleans that up. Upgrade is low-risk given the narrow scope of changes.
Key changes (3)
- Bug fix: server no longer throws an error when a second delete operation is attempted on the same resource
- SonarQube scan action bumped from 5.2.0 to 8.0.0 in CI pipeline
- All container images remain cosign-signed with SLSA Level 3 provenance
flagd core v0.15.5 fixes evaluation correctness bugs in fractional rollouts and JSONLogic and/or operators — teams relying on complex flag targeting rules should upgrade.
securityDependency security alerts resolved
Dependabot security alerts were resolved in this release. No CVEs are called out explicitly, but the dependency updates address known vulnerabilities in transitive deps. Upgrade if you're running flagd in a security-sensitive environment.
breakingFractional evaluator fix: upgrade if you use targeting keys
Null or missing targeting keys in fractional evaluators previously caused undefined behavior. If your flag rules use fractional/percentage rollouts and some users may lack a targeting key (e.g. anonymous users), upgrade to avoid incorrect bucket assignments.
breakingJSONLogic and/or bug fix may change evaluation results
The jsonlogic and/or operator bug could cause flag rules with compound boolean logic to evaluate incorrectly. Review any rules relying on and/or conditions after upgrading — results may change from what you saw in v0.15.4.
Key changes (5)
- Fractional evaluator now handles missing or null targeting keys without crashing or misbehaving
- JSONLogic and/or operator bug fixed — compound boolean flag rules evaluate correctly now
- Custom operator conformance fixes improve spec compliance
- OTel service name and version can now be overridden correctly
- Dependabot security alert dependencies updated
OpenFeature flagd-proxy/v0.9.5 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗OpenFeature flagd/v0.15.5 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗v3.3.9 is a focused patch addressing four bugs — including a panic in ApplicationSet DuckType Generator and a UI crash in pod logs — plus a Go version bump to resolve CVEs.
securityUpgrade to patch Go-level CVEs
The Go runtime was bumped specifically to resolve CVEs. The release notes don't enumerate the exact CVE IDs, but if you're running 3.3.x in production, upgrade to 3.3.9 now rather than waiting for your next maintenance window. All container images are cosign-signed and SLSA Level 3 provenance is available — verify signatures before deploying if your pipeline requires it.
breakingApplicationSet DuckType Generator panic is now fixed — review affected ApplicationSets
If you use DuckType Generators and have clusters with non-string label values, previous versions would silently panic. After upgrading, those ApplicationSets will now process correctly rather than crashing. Do a quick audit of your ApplicationSet resources post-upgrade to confirm they're reconciling as expected — you may see previously-failing sets suddenly become active.
enhancementOCI metadata caching restored — expect reduced registry pressure
The Redis cache for OCI metadata was broken, meaning every OCI source lookup was hitting the registry directly. With this fix, caching works again. If you use OCI-sourced ApplicationSets or Helm charts, you should see reduced latency and fewer registry requests after upgrading. No configuration change needed.
Key changes (5)
- Fixed panic in ApplicationSet DuckType Generator when encountering non-string values in cluster labels
- Fixed pod logs viewer UI crash caused by stale container index references
- Fixed double-delete error on the server side to prevent spurious errors during cleanup operations
- Fixed OCI metadata put/get to/from Redis cache, restoring proper caching behavior
- Bumped Go version to patch CVEs in the Go standard library
Argo CD v3.2.11 is a patch release fixing three UI/server bugs — a double-delete error, a 401 stream crash, and a pod logs viewer crash on stale container indices.
enhancementApply this patch if your team uses the pod logs viewer or streaming UI features
Two of the three fixes target UI stability — the pod logs crash on stale container indices and the 401 stream error. Both are silent killers in day-to-day operations: engineers open the logs viewer during an incident and hit a blank screen or crash. Drop this patch into your next maintenance window. No config changes needed.
enhancementDouble-delete server error is fixed — relevant if you use automated cleanup workflows
If your pipelines or operators trigger multiple delete attempts on the same Argo CD resource (common in GitOps reconciliation loops or scripted teardowns), the server previously returned an error on the second attempt. This is now handled gracefully. No action required beyond upgrading.
Key changes (5)
- Fixed server error when a second delete operation is attempted on the same resource
- Fixed UI crash when a 401 unauthorized error occurs in a streaming connection
- Fixed pod logs viewer crash caused by stale container index references
- Bumped SonarQube scan action dependency from 5.3.1 to 8.0.0
- All container images remain cosign-signed with SLSA Level 3 provenance