RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Argo

CI/CD & App DeliveryMar 27, 2026

Argo CD v3.3.6 is a focused bug-fix patch addressing a false-positive diff detection during app normalization and a wrong installation ID returned from cache.

  • breakingCheck for ghost sync loops before upgrading

    If your ArgoCD controller has been triggering unexpected syncs or showing phantom diffs on apps that haven't changed, this patch fixes that normalization bug. Upgrade to 3.3.6 promptly if you're seeing this — it's a common source of noisy alerts and wasted reconciliation cycles.

  • enhancementRoutine patch — safe to apply quickly

    This is a two-bug patch with no schema changes, no API changes, and no migration steps. If you're already on 3.3.x, roll this out through your normal process. No special precautions needed.

Key changes (3)
  • Fixed controller incorrectly detecting diffs during application normalization, which caused spurious sync triggers
  • Fixed wrong installation ID being returned from cache, which could affect telemetry or identity tracking
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

Argo

CI/CD & App DeliveryMar 26, 2026

A targeted patch release fixing a gRPC CVE, a false-diff bug in app normalization, and a UI glitch in RollingSync — upgrade promptly for the security fix alone.

  • securityPatch CVE-2026-33186 by upgrading to v3.2.8 now

    The grpc-go CVE-2026-33186 fix is the primary reason to move quickly on this release. If you're running any 3.2.x version, upgrade to 3.2.8. Verify your container images using cosign against the published provenance — the Argo CD docs cover the exact verification steps. Don't wait on this one.

  • breakingCheck for spurious sync operations before and after upgrade

    The normalization diff bug could have been silently triggering syncs on apps that were actually in-sync. After upgrading, review your sync history for apps that synced frequently without visible config changes — those were likely false positives. The fix should stop them, but any automation or alerts built around sync frequency may need recalibration.

  • enhancementRollingSync UI fix improves progressive delivery visibility

    If you use ApplicationSets with RollingSync and have ever wondered why a step appeared blank or unclear in the UI, this fix addresses that. No action needed beyond upgrading, but it's worth re-examining your RollingSync step configurations in the UI post-upgrade to confirm everything displays as expected.

Key changes (4)
  • Mitigates grpc-go CVE-2026-33186, a security vulnerability in the gRPC library used by Argo CD
  • Fixes controller incorrectly detecting diffs during app normalization, which could cause unnecessary sync operations
  • Fixes UI not clearly displaying RollingSync steps when labels match no step
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

Argo

CI/CD & App DeliveryMar 25, 2026

Patch release fixing a gRPC CVE and a UI bug in RollingSync. Low operational risk, but the security fix warrants prompt upgrade.

  • securityUpgrade now to mitigate CVE-2026-33186 in grpc-go

    CVE-2026-33186 affects the grpc-go library used by Argo CD's internal and external gRPC communication. The fix is a mitigation backport to the 3.1 branch. Any Argo CD 3.1.x instance prior to 3.1.13 is exposed. Upgrade to 3.1.13 promptly — this should be treated as a priority patch, not a routine update. After upgrading, verify image signatures with cosign against the published provenance if your supply chain policy requires it.

  • securitylodash bumped to 4.17.23 — check if your own apps pin this version

    The lodash bump in the UI bundle closes known issues in 4.17.21/4.17.22. If your team also pins lodash in application code or CI pipelines referencing Argo CD's frontend assets, audit those pinned versions independently. This change only covers the Argo CD UI bundle itself.

  • enhancementRollingSync UI fix helps diagnose misconfigured sync waves

    If you use ApplicationSets with RollingSync and label-based step matching, the previous UI would silently hide steps that matched no labels — making it hard to spot misconfigured rollout waves. The fix surfaces these unmatched steps visibly. After upgrading, review any RollingSync-heavy ApplicationSets to confirm step labels are actually matching the intended clusters or apps.

Key changes (4)
  • Mitigated CVE-2026-33186 in grpc-go — affects all deployments using gRPC communication
  • Fixed UI display issue where RollingSync steps with no matching labels were not shown clearly
  • Bumped lodash from 4.17.21 to 4.17.23 to address known vulnerabilities in the dependency
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

Argo

CI/CD & App DeliveryMar 25, 2026

Argo CD v3.3.5 is a patch release fixing a stack overflow bug, hook ordering issues, and UI improvements — low risk, high value to upgrade.

  • breakingCircular ownerRef crash is now fixed — upgrade if you hit mysterious crashes

    If your cluster has resources with circular ownership references (common in some operators or misconfigured CRDs), Argo CD could stack overflow and crash during graph processing. This is now fixed. If you've seen unexplained application-controller crashes, this is almost certainly the cause. Patch immediately.

  • breakingPostSync hooks silently skipped when PreDelete/PostDelete hooks coexist — fixed

    Workflows relying on PostSync hooks for notifications, cleanup, or validation were silently broken if the same app also defined PreDelete or PostDelete hooks. Verify your hook-based pipelines after upgrading to confirm they now execute correctly.

  • enhancementgrpc dependency bumped to 1.79.3

    The grpc library was bumped from 1.77.0 to 1.79.3. This picks up several upstream fixes. No action required beyond upgrading, but if you run Argo CD in a security-sensitive environment, review the grpc changelog for any CVEs addressed in that range.

Key changes (5)
  • Fixed stack overflow when processing circular ownerRefs in the resource graph — a potential crash vector
  • Fixed PostSync hooks not being created when PreDelete/PostDelete hooks are also configured
  • Fixed terminal container-find logic on the server side
  • UI improvements: clearer RollingSync step display and better self-healing disable messaging
  • Bumped grpc from 1.77.0 to 1.79.3 as a dependency update
Source

Backstage

CI/CD & App DeliveryMar 22, 2026

Backstage v1.49.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Backstage

CI/CD & App DeliveryMar 20, 2026

Backstage v1.49.1 is a patch release cleaning up new frontend system rough edges, fixing UI issues in TechDocs/Scaffolder, and adding small DX improvements to the create-app template.

  • enhancementUnprocessed entities DevTools tab is now on by default

    If you're debugging entity ingestion issues, you no longer need to configure the DevTools unprocessed entities tab manually. Upgrade and it's there. Useful for catching catalog processing failures faster in development and staging environments.

  • enhancementNew frontend system adopters: pick up layout fixes now

    If your team is migrating to or testing the new Backstage frontend system, this patch fixes concrete layout problems in both the Scaffolder and Catalog entity pages. Skip 1.49.0 and go straight to 1.49.1 to avoid dealing with those visual regressions.

  • enhancementPlugin headers can now carry navigation links

    The new titleLink prop on PageLayoutProps lets plugin header titles act as navigation anchors back to the plugin root. Worth adopting if you're building or maintaining custom plugins — it aligns with the expected UX pattern for Backstage's evolving plugin header system.

Key changes (5)
  • TechDocs alpha plugin pages migrated to BUI header system, resolving the double scrollbar bug
  • Scaffolder plugin page layout fixed for the new frontend system
  • Catalog entity page header disabled in new frontend system to avoid layout conflicts
  • Unprocessed entities now appear as a DevTools tab by default — no manual wiring needed
  • titleLink prop added to PageLayoutProps so plugin headers can link back to the plugin root
Source

Backstage

CI/CD & App DeliveryMar 17, 2026

v1.49.0 is a landmark release: the New Frontend System hits 1.0 RC, the CLI becomes extensible via modules, and there are multiple breaking changes in UI components, integrations, and entity cards requiring migration work.

  • breakingMigrate entity cards and BUI components before upgrading `@backstage/plugin-catalog`

    The major version bump on `@backstage/plugin-catalog` means direct action is required. Remove all `variant` prop usage from EntityAboutCard, EntityLinksCard, EntityLabelsCard, GroupProfileCard, and UserProfileCard. Wrap your app in a `BUIProvider` inside a React Router context — without it, Link, ButtonLink, Tabs, Menu, and Table lose client-side navigation. Also rename any CSS selectors using old `bui-HeaderPage` class patterns and camelCase data attributes. Audit custom components that implement the old `Checkbox` `selected`/`indeterminate` props and switch to `isSelected`/`isIndeterminate`.

  • breakingRemove all deprecated Bitbucket and legacy integration config immediately

    The old `bitbucket` config key and Azure DevOps `token`/`credential` fields are gone — not deprecated, gone. If your `app-config.yaml` still references these, your backend will fail to start after upgrading. Replace `bitbucket` with `bitbucketCloud` or `bitbucketServer`, migrate Azure DevOps to the `credentials` array, and update any Gerrit URL utility calls. Check scaffolder templates too, as `parseRepoUrl` no longer handles `bitbucket`.

  • enhancementAdd `@backstage/cli-defaults` as a devDependency now, not later

    The CLI module system is live, and the fallback to built-in commands already emits a deprecation warning. Add `@backstage/cli-defaults` to your root `devDependencies` today to silence the warning and future-proof your setup before the fallback is removed entirely. If you maintain custom CLI tooling, look at `createCliModule` in `@backstage/cli-node` to package it properly as a first-class CLI extension.

Key changes (7)
  • New Frontend System reaches 1.0 RC — new apps use it by default, `--next` flag replaced by `--legacy`
  • Multiple breaking UI changes in Backstage UI (BUI): Checkbox props renamed, CSS classes renamed, `BUIProvider` now required for routing, deprecated types removed
  • Entity cards (`EntityAboutCard`, `EntityLinksCard`, etc.) migrated from MUI to BUI with `variant` prop removed — `@backstage/plugin-catalog` receives a major version bump
  • Deprecated Bitbucket integration and legacy fields fully removed from `@backstage/integration`, `@backstage/backend-defaults`, and scaffolder packages
  • CLI refactored into modular `cli-module` packages — add `@backstage/cli-defaults` as a devDependency now to avoid future fallback removal warning
  • Predicate-based catalog filtering added to `queryEntities()`, `getEntitiesByRefs()`, and `getEntityFacets()` via new POST endpoints
  • Permission checks batched per tick for better performance on permission-heavy pages
Source

Flux

CI/CD & App DeliveryMar 16, 2026

Flux v2.8.3 fixes a critical helm-controller regression that broke templating for charts containing YAML separators or embedded content.

  • breakingUpgrade immediately if using Helm charts with YAML separators

    The regression in v2.8.2 breaks templating for common chart patterns like multi-document YAML files and embedded scripts. Review your Helm deployments for failures and upgrade to v2.8.3 now. Follow the official upgrade procedure for Flux v2.7+ to avoid migration issues.

  • enhancementValidate Helm chart deployments after upgrade

    After upgrading, check that previously failing Helm releases now deploy successfully. Pay special attention to charts that embed certificates, scripts, or use multiple YAML documents. This fix restores functionality that may have silently failed in recent versions.

Key changes (4)
  • Fixed helm-controller templating errors when charts contain '---' separators
  • Resolved issues with embedded scripts and CA certificates in ConfigMaps
  • Added target branch name functionality to CLI update operations
  • Updated toolkit components for improved compatibility
Source

Argo

CI/CD & App DeliveryMar 16, 2026

Argo CD 3.3.4 delivers critical bug fixes for token refresh handling and git-lfs support, plus enhanced security documentation - a maintenance release that improves operational stability.

  • securityVerify signed release assets

    All container images now include cosign signatures and SLSA Level 3 provenance. Use the official verification documentation to validate your container images before deployment, particularly in security-sensitive environments.

  • breakingReview token refresh configurations

    The token refresh fix resolves parsing errors that could affect component behavior. Check your existing token configurations and monitor for any authentication issues after upgrading, especially in multi-component setups.

  • enhancementUpgrade for ppc64le architecture support

    If running on ppc64le systems, this release fixes git-lfs functionality that was previously broken due to missing checksums. Plan your upgrade to restore full git-lfs capabilities on these architectures.

Key changes (5)
  • Fixed token refresh threshold parsing errors affecting unrelated components
  • Added missing git-lfs installer checksum for ppc64le architecture support
  • Updated OpenTelemetry SDK dependencies for better observability
  • Enhanced documentation for cluster version changes and migration guidance
  • Maintained SLSA Level 3 compliance with signed container images and provenance
Source

Flux

CI/CD & App DeliveryMar 12, 2026

Flux v2.8.2 delivers critical fixes for reconciliation loops, Azure Container Registry authentication, and includes a security patch for CVE-2026-27138. The release focuses on operational stability improvements.

  • securityApply CVE-2026-27138 patch immediately

    This release fixes a potential Denial of Service vulnerability during TLS handshakes. Schedule your upgrade to v2.8.2 as soon as possible, especially if your Flux installation handles external TLS connections or operates in environments with security compliance requirements.

  • enhancementEnable DefaultToRetryOnFailure for better HelmRelease reliability

    If you use CancelHealthCheckOnNewRevision and have experienced stuck HelmReleases, enable the new DefaultToRetryOnFailure feature gate. This prevents canceled releases without retry strategies from hanging indefinitely, improving deployment reliability.

  • enhancementVerify Azure Container Registry authentication after upgrade

    The ACR authentication scope fix may resolve intermittent authentication failures you've experienced with Azure registries. After upgrading, monitor your image pulls and source operations to confirm improved reliability with ACR repositories.

Key changes (5)
  • Fixed unnecessary reconciliation requests when source objects are already processing the current revision
  • Resolved Helm template YAML separator bug by upgrading to Helm 4.1.3
  • Added DefaultToRetryOnFailure feature gate to prevent HelmReleases from getting stuck when canceled
  • Corrected Azure Container Registry authentication scope for proper access
  • Patched CVE-2026-27138 TLS handshake DoS vulnerability by building with Go 1.26.1
Source

Backstage

CI/CD & App DeliveryMar 11, 2026

Backstage v1.48.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Argo

CI/CD & App DeliveryMar 9, 2026

Argo CD v3.3.3 delivers targeted bug fixes for CNPG actions, hook annotations, and resource health checks, maintaining stability without introducing breaking changes.

  • enhancementUpdate CNPG Integration Configuration

    Teams using CloudNativePG with Argo CD should verify their suspend/resume actions work correctly after upgrading. The annotation fix ensures proper CNPG cluster lifecycle management through Argo CD workflows.

  • enhancementReview Multi-Hook Resource Configurations

    Applications using multiple PreDelete or PostDelete hooks with comma-separated annotations will now execute properly. Audit existing applications with complex hook configurations to ensure expected behavior.

  • enhancementValidate Cross-Namespace Resource Dependencies

    Complex applications with multi-level cross-namespace dependencies involving cluster-scoped resources should now traverse correctly. Test existing applications that previously showed incomplete resource trees or sync issues.

Key changes (6)
  • Fixed CNPG suspend/resume actions using correct annotations
  • Corrected comma-separated hook annotations for PreDelete/PostDelete hooks
  • Improved resource health checks with proper drySha handling
  • Fixed standard resource icon display issues in UI
  • Enhanced kubeversion consistency with Helm version 3.3
  • Resolved multi-level cross-namespace hierarchy traversal for cluster-scoped resources
Source

Backstage

CI/CD & App DeliveryMar 4, 2026

Backstage v1.48.4 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Flux

CI/CD & App DeliveryFeb 27, 2026

Flux v2.8.1 is a patch release fixing critical issues with Git commit status notifications and StatefulSet health checks during Pod scheduling problems.

  • enhancementUpgrade to fix Git integration issues

    If you're experiencing missing Git commit status updates or notifications, upgrade to v2.8.1. The fix ensures proper Git webhook integration and status reporting for your GitOps workflows. Follow the official upgrade procedure for Flux v2.7+ to avoid disruption.

  • enhancementResolve StatefulSet monitoring problems

    Upgrade if you have StatefulSets that show incorrect health status when Pods are stuck in Pending state due to resource constraints or scheduling issues. This fix provides more accurate deployment status reporting, improving your observability during rollouts.

Key changes (5)
  • Fixed Git commit status events being dropped for Kustomizations in notification-controller
  • Improved StatefulSet health checks when Pods are Pending/Unschedulable during rollouts
  • Updated kustomize-controller, notification-controller, and helm-controller components
  • Removed workarounds that are no longer needed for Flux 2.8
  • Updated fluxcd/pkg dependencies for better stability
Source

Backstage

CI/CD & App DeliveryFeb 26, 2026

Backstage v1.48.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenKruise

CI/CD & App DeliveryFeb 25, 2026

OpenKruise v1.8.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenKruise

CI/CD & App DeliveryFeb 25, 2026

OpenKruise v1.7.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Flux

CI/CD & App DeliveryFeb 24, 2026

Flux v2.8.0 introduces major GitOps capabilities including Helm v4 support, enhanced observability, faster recovery times, and improved notification features while removing deprecated APIs.

  • breakingMigrate from deprecated v1beta2/v2beta2 APIs immediately

    Deprecated APIs have been removed from CRDs. Follow the official upgrade procedure for Flux v2.7+ to migrate your resources to supported API versions before upgrading to v2.8.0.

  • enhancementEnable faster application recovery with new feature gate

    Activate the CancelHealthCheckOnNewRevision feature gate on your Kustomizations and HelmReleases to reduce recovery time during application failures by canceling health checks when new revisions are detected.

  • enhancementImplement automated PR notifications for GitOps workflows

    Configure Pull Request commenting in your notification providers to enable direct feedback from Flux deployments to development teams, improving visibility and collaboration in GitOps workflows.

Key changes (5)
  • Helm v4 support with server-side apply and improved health checking
  • Reduced mean time to recovery with CancelHealthCheckOnNewRevision feature gate
  • Pull Request commenting support in notification providers
  • Custom SSA apply stages for ordered resource deployment in kustomize-controller
  • Automatic GitHub App installation ID lookup from repository owners
Source

Backstage

CI/CD & App DeliveryFeb 24, 2026

Backstage v1.48.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Argo

CI/CD & App DeliveryFeb 22, 2026

Argo CD v3.3.2 fixes the critical client-side apply migration issue that affected self-managed installations in v3.3.0/v3.3.1, requiring specific upgrade steps for users managing Argo CD with itself.

  • breakingEnable ServerSideApply for Self-Managed Installations

    If you have an Argo CD Application managing your Argo CD installation, you must enable `ServerSideApply=true` sync option on that Application before upgrading to v3.3.2. This is required for the upgrade to succeed and prevents apply migration failures.

  • breakingRemove Temporary ClientSideApplyMigration Setting

    If you previously upgraded to v3.3.0/v3.3.1 and set `ClientSideApplyMigration=false` as a workaround, remove this setting after upgrading to v3.3.2. Keeping it may cause field manager conflicts with other Kubernetes controllers.

  • enhancementSafe Upgrade Path for Previously Affected Users

    Users affected by the v3.3.0/v3.3.1 client-side apply migration bug can now safely upgrade to v3.3.2. Follow the upgrade guide carefully and test the upgrade process in a non-production environment first, especially for self-managed installations.

Key changes (4)
  • Fixed client-side apply migration failure that prevented successful upgrades in v3.3.0/v3.3.1
  • Resolved conflicts between Argo CD field manager and other Kubernetes field managers
  • Updated documentation to clarify upgrade requirements for self-managed installations
  • Maintained SLSA Level 3 provenance and cosign signatures for all container images
Source

Backstage

CI/CD & App DeliveryFeb 18, 2026

Backstage v1.48.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source
← Newer