Releases
AI-analyzed release notes for CNCF graduated and incubating projects.
Argo CD v3.3.6 is a focused bug-fix patch addressing a false-positive diff detection during app normalization and a wrong installation ID returned from cache.
breakingCheck for ghost sync loops before upgrading
If your ArgoCD controller has been triggering unexpected syncs or showing phantom diffs on apps that haven't changed, this patch fixes that normalization bug. Upgrade to 3.3.6 promptly if you're seeing this — it's a common source of noisy alerts and wasted reconciliation cycles.
enhancementRoutine patch — safe to apply quickly
This is a two-bug patch with no schema changes, no API changes, and no migration steps. If you're already on 3.3.x, roll this out through your normal process. No special precautions needed.
Key changes (3)
- Fixed controller incorrectly detecting diffs during application normalization, which caused spurious sync triggers
- Fixed wrong installation ID being returned from cache, which could affect telemetry or identity tracking
- All container images remain cosign-signed with SLSA Level 3 provenance
A targeted patch release fixing a gRPC CVE, a false-diff bug in app normalization, and a UI glitch in RollingSync — upgrade promptly for the security fix alone.
securityPatch CVE-2026-33186 by upgrading to v3.2.8 now
The grpc-go CVE-2026-33186 fix is the primary reason to move quickly on this release. If you're running any 3.2.x version, upgrade to 3.2.8. Verify your container images using cosign against the published provenance — the Argo CD docs cover the exact verification steps. Don't wait on this one.
breakingCheck for spurious sync operations before and after upgrade
The normalization diff bug could have been silently triggering syncs on apps that were actually in-sync. After upgrading, review your sync history for apps that synced frequently without visible config changes — those were likely false positives. The fix should stop them, but any automation or alerts built around sync frequency may need recalibration.
enhancementRollingSync UI fix improves progressive delivery visibility
If you use ApplicationSets with RollingSync and have ever wondered why a step appeared blank or unclear in the UI, this fix addresses that. No action needed beyond upgrading, but it's worth re-examining your RollingSync step configurations in the UI post-upgrade to confirm everything displays as expected.
Key changes (4)
- Mitigates grpc-go CVE-2026-33186, a security vulnerability in the gRPC library used by Argo CD
- Fixes controller incorrectly detecting diffs during app normalization, which could cause unnecessary sync operations
- Fixes UI not clearly displaying RollingSync steps when labels match no step
- All container images remain cosign-signed with SLSA Level 3 provenance
Patch release fixing a gRPC CVE and a UI bug in RollingSync. Low operational risk, but the security fix warrants prompt upgrade.
securityUpgrade now to mitigate CVE-2026-33186 in grpc-go
CVE-2026-33186 affects the grpc-go library used by Argo CD's internal and external gRPC communication. The fix is a mitigation backport to the 3.1 branch. Any Argo CD 3.1.x instance prior to 3.1.13 is exposed. Upgrade to 3.1.13 promptly — this should be treated as a priority patch, not a routine update. After upgrading, verify image signatures with cosign against the published provenance if your supply chain policy requires it.
securitylodash bumped to 4.17.23 — check if your own apps pin this version
The lodash bump in the UI bundle closes known issues in 4.17.21/4.17.22. If your team also pins lodash in application code or CI pipelines referencing Argo CD's frontend assets, audit those pinned versions independently. This change only covers the Argo CD UI bundle itself.
enhancementRollingSync UI fix helps diagnose misconfigured sync waves
If you use ApplicationSets with RollingSync and label-based step matching, the previous UI would silently hide steps that matched no labels — making it hard to spot misconfigured rollout waves. The fix surfaces these unmatched steps visibly. After upgrading, review any RollingSync-heavy ApplicationSets to confirm step labels are actually matching the intended clusters or apps.
Key changes (4)
- Mitigated CVE-2026-33186 in grpc-go — affects all deployments using gRPC communication
- Fixed UI display issue where RollingSync steps with no matching labels were not shown clearly
- Bumped lodash from 4.17.21 to 4.17.23 to address known vulnerabilities in the dependency
- All container images remain cosign-signed with SLSA Level 3 provenance
Argo CD v3.3.5 is a patch release fixing a stack overflow bug, hook ordering issues, and UI improvements — low risk, high value to upgrade.
breakingCircular ownerRef crash is now fixed — upgrade if you hit mysterious crashes
If your cluster has resources with circular ownership references (common in some operators or misconfigured CRDs), Argo CD could stack overflow and crash during graph processing. This is now fixed. If you've seen unexplained application-controller crashes, this is almost certainly the cause. Patch immediately.
breakingPostSync hooks silently skipped when PreDelete/PostDelete hooks coexist — fixed
Workflows relying on PostSync hooks for notifications, cleanup, or validation were silently broken if the same app also defined PreDelete or PostDelete hooks. Verify your hook-based pipelines after upgrading to confirm they now execute correctly.
enhancementgrpc dependency bumped to 1.79.3
The grpc library was bumped from 1.77.0 to 1.79.3. This picks up several upstream fixes. No action required beyond upgrading, but if you run Argo CD in a security-sensitive environment, review the grpc changelog for any CVEs addressed in that range.
Key changes (5)
- Fixed stack overflow when processing circular ownerRefs in the resource graph — a potential crash vector
- Fixed PostSync hooks not being created when PreDelete/PostDelete hooks are also configured
- Fixed terminal container-find logic on the server side
- UI improvements: clearer RollingSync step display and better self-healing disable messaging
- Bumped grpc from 1.77.0 to 1.79.3 as a dependency update
Backstage v1.49.1 is a patch release cleaning up new frontend system rough edges, fixing UI issues in TechDocs/Scaffolder, and adding small DX improvements to the create-app template.
enhancementUnprocessed entities DevTools tab is now on by default
If you're debugging entity ingestion issues, you no longer need to configure the DevTools unprocessed entities tab manually. Upgrade and it's there. Useful for catching catalog processing failures faster in development and staging environments.
enhancementNew frontend system adopters: pick up layout fixes now
If your team is migrating to or testing the new Backstage frontend system, this patch fixes concrete layout problems in both the Scaffolder and Catalog entity pages. Skip 1.49.0 and go straight to 1.49.1 to avoid dealing with those visual regressions.
enhancementPlugin headers can now carry navigation links
The new titleLink prop on PageLayoutProps lets plugin header titles act as navigation anchors back to the plugin root. Worth adopting if you're building or maintaining custom plugins — it aligns with the expected UX pattern for Backstage's evolving plugin header system.
Key changes (5)
- TechDocs alpha plugin pages migrated to BUI header system, resolving the double scrollbar bug
- Scaffolder plugin page layout fixed for the new frontend system
- Catalog entity page header disabled in new frontend system to avoid layout conflicts
- Unprocessed entities now appear as a DevTools tab by default — no manual wiring needed
- titleLink prop added to PageLayoutProps so plugin headers can link back to the plugin root
v1.49.0 is a landmark release: the New Frontend System hits 1.0 RC, the CLI becomes extensible via modules, and there are multiple breaking changes in UI components, integrations, and entity cards requiring migration work.
breakingMigrate entity cards and BUI components before upgrading `@backstage/plugin-catalog`
The major version bump on `@backstage/plugin-catalog` means direct action is required. Remove all `variant` prop usage from EntityAboutCard, EntityLinksCard, EntityLabelsCard, GroupProfileCard, and UserProfileCard. Wrap your app in a `BUIProvider` inside a React Router context — without it, Link, ButtonLink, Tabs, Menu, and Table lose client-side navigation. Also rename any CSS selectors using old `bui-HeaderPage` class patterns and camelCase data attributes. Audit custom components that implement the old `Checkbox` `selected`/`indeterminate` props and switch to `isSelected`/`isIndeterminate`.
breakingRemove all deprecated Bitbucket and legacy integration config immediately
The old `bitbucket` config key and Azure DevOps `token`/`credential` fields are gone — not deprecated, gone. If your `app-config.yaml` still references these, your backend will fail to start after upgrading. Replace `bitbucket` with `bitbucketCloud` or `bitbucketServer`, migrate Azure DevOps to the `credentials` array, and update any Gerrit URL utility calls. Check scaffolder templates too, as `parseRepoUrl` no longer handles `bitbucket`.
enhancementAdd `@backstage/cli-defaults` as a devDependency now, not later
The CLI module system is live, and the fallback to built-in commands already emits a deprecation warning. Add `@backstage/cli-defaults` to your root `devDependencies` today to silence the warning and future-proof your setup before the fallback is removed entirely. If you maintain custom CLI tooling, look at `createCliModule` in `@backstage/cli-node` to package it properly as a first-class CLI extension.
Key changes (7)
- New Frontend System reaches 1.0 RC — new apps use it by default, `--next` flag replaced by `--legacy`
- Multiple breaking UI changes in Backstage UI (BUI): Checkbox props renamed, CSS classes renamed, `BUIProvider` now required for routing, deprecated types removed
- Entity cards (`EntityAboutCard`, `EntityLinksCard`, etc.) migrated from MUI to BUI with `variant` prop removed — `@backstage/plugin-catalog` receives a major version bump
- Deprecated Bitbucket integration and legacy fields fully removed from `@backstage/integration`, `@backstage/backend-defaults`, and scaffolder packages
- CLI refactored into modular `cli-module` packages — add `@backstage/cli-defaults` as a devDependency now to avoid future fallback removal warning
- Predicate-based catalog filtering added to `queryEntities()`, `getEntitiesByRefs()`, and `getEntityFacets()` via new POST endpoints
- Permission checks batched per tick for better performance on permission-heavy pages
Flux v2.8.3 fixes a critical helm-controller regression that broke templating for charts containing YAML separators or embedded content.
breakingUpgrade immediately if using Helm charts with YAML separators
The regression in v2.8.2 breaks templating for common chart patterns like multi-document YAML files and embedded scripts. Review your Helm deployments for failures and upgrade to v2.8.3 now. Follow the official upgrade procedure for Flux v2.7+ to avoid migration issues.
enhancementValidate Helm chart deployments after upgrade
After upgrading, check that previously failing Helm releases now deploy successfully. Pay special attention to charts that embed certificates, scripts, or use multiple YAML documents. This fix restores functionality that may have silently failed in recent versions.
Key changes (4)
- Fixed helm-controller templating errors when charts contain '---' separators
- Resolved issues with embedded scripts and CA certificates in ConfigMaps
- Added target branch name functionality to CLI update operations
- Updated toolkit components for improved compatibility
Argo CD 3.3.4 delivers critical bug fixes for token refresh handling and git-lfs support, plus enhanced security documentation - a maintenance release that improves operational stability.
securityVerify signed release assets
All container images now include cosign signatures and SLSA Level 3 provenance. Use the official verification documentation to validate your container images before deployment, particularly in security-sensitive environments.
breakingReview token refresh configurations
The token refresh fix resolves parsing errors that could affect component behavior. Check your existing token configurations and monitor for any authentication issues after upgrading, especially in multi-component setups.
enhancementUpgrade for ppc64le architecture support
If running on ppc64le systems, this release fixes git-lfs functionality that was previously broken due to missing checksums. Plan your upgrade to restore full git-lfs capabilities on these architectures.
Key changes (5)
- Fixed token refresh threshold parsing errors affecting unrelated components
- Added missing git-lfs installer checksum for ppc64le architecture support
- Updated OpenTelemetry SDK dependencies for better observability
- Enhanced documentation for cluster version changes and migration guidance
- Maintained SLSA Level 3 compliance with signed container images and provenance
Flux v2.8.2 delivers critical fixes for reconciliation loops, Azure Container Registry authentication, and includes a security patch for CVE-2026-27138. The release focuses on operational stability improvements.
securityApply CVE-2026-27138 patch immediately
This release fixes a potential Denial of Service vulnerability during TLS handshakes. Schedule your upgrade to v2.8.2 as soon as possible, especially if your Flux installation handles external TLS connections or operates in environments with security compliance requirements.
enhancementEnable DefaultToRetryOnFailure for better HelmRelease reliability
If you use CancelHealthCheckOnNewRevision and have experienced stuck HelmReleases, enable the new DefaultToRetryOnFailure feature gate. This prevents canceled releases without retry strategies from hanging indefinitely, improving deployment reliability.
enhancementVerify Azure Container Registry authentication after upgrade
The ACR authentication scope fix may resolve intermittent authentication failures you've experienced with Azure registries. After upgrading, monitor your image pulls and source operations to confirm improved reliability with ACR repositories.
Key changes (5)
- Fixed unnecessary reconciliation requests when source objects are already processing the current revision
- Resolved Helm template YAML separator bug by upgrading to Helm 4.1.3
- Added DefaultToRetryOnFailure feature gate to prevent HelmReleases from getting stuck when canceled
- Corrected Azure Container Registry authentication scope for proper access
- Patched CVE-2026-27138 TLS handshake DoS vulnerability by building with Go 1.26.1
Argo CD v3.3.3 delivers targeted bug fixes for CNPG actions, hook annotations, and resource health checks, maintaining stability without introducing breaking changes.
enhancementUpdate CNPG Integration Configuration
Teams using CloudNativePG with Argo CD should verify their suspend/resume actions work correctly after upgrading. The annotation fix ensures proper CNPG cluster lifecycle management through Argo CD workflows.
enhancementReview Multi-Hook Resource Configurations
Applications using multiple PreDelete or PostDelete hooks with comma-separated annotations will now execute properly. Audit existing applications with complex hook configurations to ensure expected behavior.
enhancementValidate Cross-Namespace Resource Dependencies
Complex applications with multi-level cross-namespace dependencies involving cluster-scoped resources should now traverse correctly. Test existing applications that previously showed incomplete resource trees or sync issues.
Key changes (6)
- Fixed CNPG suspend/resume actions using correct annotations
- Corrected comma-separated hook annotations for PreDelete/PostDelete hooks
- Improved resource health checks with proper drySha handling
- Fixed standard resource icon display issues in UI
- Enhanced kubeversion consistency with Helm version 3.3
- Resolved multi-level cross-namespace hierarchy traversal for cluster-scoped resources