RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Argo

CI/CD & App DeliveryJun 18, 2026

Argo CD v3.3.12 is a maintenance release fixing sync state tracking, cluster observer locking, configuration parsing, and git repository depth handling—no breaking changes.

  • securityDex authentication now handles special characters in passwords

    Dex password parsing previously failed if passwords contained dollar signs, potentially locking users out. If you use Dex for OIDC and recently added or updated passwords with special characters, upgrade to v3.3.12 immediately to restore access. Test Dex login after updating.

  • enhancementFix PromotionStrategy stuck state if using Argo Rollouts

    If you run Argo CD with Argo Rollouts and use PromotionStrategy, applications may have remained stuck in Progressing after configuration reloads even when nothing changed. Update to v3.3.12 to resolve this. Check your application health status post-upgrade to confirm recovery.

Key changes (5)
  • PromotionStrategy health status no longer stuck in Progressing after no-op re-hydration
  • Cluster informer now protected by lock to prevent concurrent access issues
  • Dex password parsing fixed to handle dollar signs correctly
  • Git repository depth setting now honored in change detection and fetch operations
  • Live status excluded from normalization to improve accuracy
Source

Argo

CI/CD & App DeliveryMay 28, 2026

Argo CD v3.3.11 is a routine patch release on the 3.3 branch, bundling six bug fixes and one dependency security update (CVE-2026-41240).

  • securityPatch dompurify CVE in Argo CD UI

    This patch bumps redoc/dompurify to v3.4.0 in the UI to fix CVE-2026-41240. If you run the Argo CD UI, upgrade to v3.3.11 to close this XSS-related dependency vulnerability.

  • enhancementFixes for controller startup race and nil pointer crash

    A race condition could raise an InvalidSpecError during application controller startup, and a nil pointer dereference existed in removeWebookMutation() from gitops-engine. Both are fixed here; upgrade if you've seen spurious spec errors or controller crashes on startup.

Key changes (5)
  • Fixed a race condition causing InvalidSpecError during application controller startup
  • Fixed a nil pointer dereference in gitops-engine's removeWebookMutation()
  • Fixed label truncation for deletion hook resources
  • Bumped redoc/dompurify to v3.4.0 in the UI, fixing CVE-2026-41240
  • Removed resourceVersion from server-side diff (ssd) handling
Source

Argo

CI/CD & App DeliveryMay 28, 2026

Argo CD 3.4.3 is a patch release fixing a UI XSS CVE (CVE-2026-41240 via dompurify), a controller startup race, a webhook nil-pointer crash, and several CLI/UI bugs.

  • securityPatch CVE-2026-41240 in the UI (dompurify bump)

    dompurify was bumped to v3.4.0 to fix CVE-2026-41240. If you're running Argo CD 3.4.x with the web UI exposed — especially to less-trusted users — upgrade to 3.4.3 promptly. Check whether your current version is behind 3.4.3 and roll it out during your next maintenance window or sooner if the UI is internet-facing.

  • enhancementFix startup race condition and nil-pointer crash in webhook mutation

    A race condition in application controller startup could trigger InvalidSpecError incorrectly, and a nil pointer dereference in removeWebhookMutation() could cause crashes. Both are fixed here. If you've seen spurious errors at controller startup or webhook-related panics, 3.4.3 addresses them directly.

  • enhancement'app wait' no longer hangs when app is already synced

    'app wait' now returns immediately when the app is already in the desired state, instead of blocking. If you use 'app wait' in CI/CD pipelines or scripts as a sync gate, this means faster pipeline runs when apps are already healthy — no code changes needed, just upgrade.

Key changes (6)
  • CVE-2026-41240 patched: dompurify bumped to v3.4.0 in the UI
  • Fixed race condition causing InvalidSpecError during application controller startup
  • Fixed nil pointer dereference in removeWebhookMutation() in gitops-engine
  • CLI: 'app wait' now exits immediately if app is already in desired state
  • UI: Parameters tab now returns the full source for non-hydrator apps
  • Repo depth setting now honored in gitSourceHasChanges and fetch functions
Source

Flux

CI/CD & App DeliveryMay 20, 2026

Flux v2.8.8 patches two go-git CVEs in source and image-automation controllers, fixes a memory leak in helm-controller, and adds GCP sovereign cloud registry support.

  • securityUpgrade immediately to patch two go-git CVEs

    CVE-2026-45571 and CVE-2026-45570 affect source-controller and image-automation-controller. Both are fixed in go-git v5.19.1 bundled with this release. If you run either of these controllers — and most Flux installations do — upgrade to v2.8.8 now. There's no workaround short of disabling those controllers.

  • breakingReview charts that place non-CRD resources under crds/ directory

    Helm-controller previously force-applied any object found under a chart's crds/ directory, not just actual CRDs. That behavior is now corrected. If you have Helm charts (especially community or third-party ones) that bundle non-CRD manifests under crds/ as a workaround for install ordering, those objects will no longer be force-applied. Audit your HelmRelease resources and test in a non-production environment before rolling this out broadly.

  • enhancementInvestigate artifact fetch timeouts if reconciliations have been stalling

    The new configurable HTTP timeout for artifact fetching directly addresses indefinite blocking during fetches. If you've seen helm-controller or source-controller reconciliations hang without clear errors, this fix likely explains it. After upgrading, configure the timeout explicitly rather than relying on defaults — check the helm-controller v1.5.5 changelog for the specific field name. Also worth auditing memory usage before and after upgrade if your helm-controller pods have been growing steadily in memory.

Key changes (5)
  • go-git updated to v5.19.1 to address CVE-2026-45571 and CVE-2026-45570 in source-controller and image-automation-controller
  • helm-controller fix: unbounded memory growth from Kubernetes client transport retry wrapper accumulating on every reconcile cycle
  • New configurable HTTP timeout for artifact fetching prevents indefinite blocking and stalled reconciliations in helm-controller
  • helm-controller no longer force-applies non-CRD objects placed under a chart's crds/ directory — a behavioral correction that could affect existing charts
  • GCP sovereign cloud artifact registry support added to source-controller and image-reflector-controller
Source

Argo

CI/CD & App DeliveryMay 12, 2026

Argo CD v3.3.10 is a patch release fixing a nil-pointer panic in permission validation, a log line UI overflow bug, and bumping Go to 1.25.9 to address CVEs.

  • securityUpgrade immediately — Go 1.25.9 fixes CVEs in the runtime

    The Go runtime was bumped from a prior version to 1.25.9 specifically to resolve CVEs. The release notes don't enumerate the CVE IDs, but any patch that upgrades the runtime for security reasons on a stable branch deserves prompt action. If you're running 3.3.x, upgrade to 3.3.10 now rather than waiting for your next maintenance window.

  • breakingServer-side diff now correctly hides secrets — verify diff outputs if you rely on them

    The fix to apply HideSecretData to server-side diff results means that previously exposed secret values in diff views will now be redacted. If any automation, alerting, or audit tooling parses diff output expecting raw secret values, it will break. Review your diff-dependent workflows before upgrading.

  • enhancementNil APIResource panic fix prevents unexpected controller crashes

    The permission validator could panic when an APIResource was nil — a condition that can occur with certain custom or non-standard API groups. If you've seen intermittent ArgoCD controller restarts without clear cause, this is a likely culprit. Upgrade to 3.3.10 to stabilize those environments.

Key changes (5)
  • Go runtime updated to 1.25.9 to resolve unspecified CVEs affecting the 3.3 branch
  • Panic fix in permission validator when APIResource is nil — previously could crash the controller
  • Log viewer wrap-lines toggle no longer causes lines to overflow the container
  • HideSecretData now correctly applied to server-side diff results in gitops-engine
  • OpenTelemetry SDK bumped to 1.43.0
Source

Argo

CI/CD & App DeliveryMay 12, 2026

Argo CD v3.4.2 is a patch release fixing a panic in the permission validator, reverting a problematic revision update optimization, and patching secret data exposure in server-side diffs.

  • securitySecret values could appear in diff output — patch now

    Server-side diff results for Secret resources were not having HideSecretData applied, meaning secret values could be exposed in diff views through the UI or API. If you use server-side apply or server-side diff previews, upgrade to 3.4.2 immediately. Audit your ArgoCD API access logs if you suspect exposure.

  • breakingUpdateRevisionForPaths revert may re-introduce previous behavior

    The optimization that avoided unnecessary UpdateRevisionForPaths calls (merged in 3.4.x) caused regressions and has been reverted. If you were relying on that behavior for performance or correctness, expect the pre-fix behavior to return. Monitor sync operations after upgrading, especially for path-filtered applications.

  • enhancementPermission validator panic fix improves stability

    A nil APIResource in the permission validator could crash the ArgoCD server process. This is now guarded. If you've seen unexpected pod restarts on the ArgoCD server, especially in environments with non-standard CRDs or API aggregation, this patch likely addresses it.

Key changes (5)
  • Reverted the 'avoid calling UpdateRevisionForPaths unnecessarily' fix from v3.4.x due to regressions it introduced
  • Fixed nil pointer panic in permission validator when APIResource is nil — a stability fix for edge-case RBAC scenarios
  • HideSecretData now correctly applied to server-side diff results for Secrets, preventing potential secret leakage in UI/API diff views
  • OpenTelemetry SDK bumped to 1.43.0 and moby/spdystream updated to 0.5.1
  • CI pipeline image pinning added for supply chain integrity
Source

Flux

CI/CD & App DeliveryMay 12, 2026

Flux v2.8.7 patches a CVE in go-git and fixes a destructive reconciliation bug where non-namespaced resources with ssa:IfNotPresent were being deleted and recreated every cycle.

  • securityPatch CVE-2026-45022 by upgrading now

    go-git v5.19.0 fixes CVE-2026-45022, which affects source-controller and image-automation-controller — two components that actively clone and interact with Git repos. If your Flux installation pulls from any external or semi-trusted Git source, treat this as a priority upgrade. Run 'flux install' or update your Helm release to v2.8.7 immediately.

  • breakingCheck non-namespaced resources using ssa:IfNotPresent for unintended churn

    If you're managing ClusterRoles, CRDs, or other cluster-scoped resources with the kustomize.toolkit.fluxcd.io/ssa: IfNotPresent annotation, those resources were being silently deleted and recreated on every reconciliation loop before this fix. Audit your Kustomization objects and verify resource state after upgrading to confirm the churn has stopped. Any dependent workloads may have experienced disruptions you weren't aware of.

  • enhancementFollow the v2.7+ upgrade procedure if coming from v2.6

    The Flux team has a specific upgrade discussion thread for v2.7+ migrations. Skipping it when jumping from v2.6 to v2.8.7 can cause issues. Review the linked procedure before applying this update in environments running older Flux versions.

Key changes (4)
  • CVE-2026-45022 fixed via go-git v5.19.0 in source-controller and image-automation-controller
  • kustomize-controller no longer deletes and recreates non-namespaced resources annotated with ssa:IfNotPresent on every reconciliation
  • fluxcd/pkg dependency updates across source-controller, kustomize-controller, and image-automation-controller
  • helm-controller v1.5.4, kustomize-controller v1.8.5, source-controller v1.8.4 component bumps
Source

Argo

CI/CD & App DeliveryMay 6, 2026

Argo CD 3.4.1 is the first 3.4 release (skipping 3.4.0), bringing a breaking cluster version format change for ApplicationSets, plus a large wave of bug fixes, performance improvements, and UI enhancements.

  • securityAdd X-Frame-Options/CSP headers and JWT logout invalidation

    Two security fixes landed: Swagger UI endpoints now return X-Frame-Options and Content-Security-Policy headers (mitigates clickjacking), and JWT tokens are invalidated server-side on logout (prevents session reuse after logout). Both are passive — no config changes needed — but if you run Argo CD behind a reverse proxy that strips security headers, verify the headers reach clients after upgrading.

  • breakingUpdate ApplicationSet cluster version labels before upgrading

    The kubernetes-version label format changed from Major.Minor (e.g., '1.29') to vMajor.Minor.Patch (e.g., 'v1.29.3') to match Helm 3.19.0. If you use ApplicationSet Cluster Generators with argocd.argoproj.io/auto-label-cluster-info, your existing cluster secrets carry the old format. After upgrading, update those secrets to use argocd.argoproj.io/kubernetes-version with the new format, or your cluster-version-based filters will stop matching. Check the 3.3-3.4 upgrade guide before rolling out.

  • enhancementAppSet controller and repo-server performance improvements worth monitoring

    Several perf fixes shipped: optimized parentUIDToChildren data structure, reduced secret deep-copies in the controller, parallel batching in CLI server-side diff, and optimized repoLock on checkout. If you've been seeing slow reconciliation or high CPU in the appset controller on large clusters, this upgrade should show measurable improvement. Monitor controller CPU and reconciliation latency metrics after rollout.

Key changes (5)
  • Breaking: Kubernetes cluster version format changed from Major.Minor to vMajor.Minor.Patch to align with Helm 3.19.0 behavior — ApplicationSet Cluster Generators using auto-label-cluster-info must update their label key
  • JWT tokens are now invalidated on logout, closing a session persistence gap
  • X-Frame-Options and CSP headers added to Swagger UI endpoints
  • Stack overflow fix for circular ownerRef processing in resource graphs — affects anyone with complex resource hierarchies
  • AppSet controller performance improved: optimized cluster secret fetching, application cache synchronization, and reduced secret deep-copies
Source

Argo

CI/CD & App DeliveryMay 5, 2026

Argo CD v3.1.16 is a minor patch fixing a server-side double-delete error and bumping the SonarQube scan action dependency.

  • securityVerify cosign signatures after upgrading

    Every release is a good reminder to validate image provenance in your admission pipeline. Argo CD images meet SLSA Level 3 — if you're not yet enforcing signature verification at deploy time, now is a practical moment to wire that into your policy engine (e.g., Kyverno or OPA Gatekeeper).

  • enhancementApply patch if double-delete errors are hitting your workflows

    If your GitOps pipelines or operators occasionally retry delete operations (e.g., during cascade deletes or reconciliation loops), the previous behavior could surface spurious errors that confused alerting or caused retries to fail loudly. This fix cleans that up. Upgrade is low-risk given the narrow scope of changes.

Key changes (3)
  • Bug fix: server no longer throws an error when a second delete operation is attempted on the same resource
  • SonarQube scan action bumped from 5.2.0 to 8.0.0 in CI pipeline
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

OpenFeature

CI/CD & App DeliveryApr 30, 2026

flagd core v0.15.5 fixes evaluation correctness bugs in fractional rollouts and JSONLogic and/or operators — teams relying on complex flag targeting rules should upgrade.

  • securityDependency security alerts resolved

    Dependabot security alerts were resolved in this release. No CVEs are called out explicitly, but the dependency updates address known vulnerabilities in transitive deps. Upgrade if you're running flagd in a security-sensitive environment.

  • breakingFractional evaluator fix: upgrade if you use targeting keys

    Null or missing targeting keys in fractional evaluators previously caused undefined behavior. If your flag rules use fractional/percentage rollouts and some users may lack a targeting key (e.g. anonymous users), upgrade to avoid incorrect bucket assignments.

  • breakingJSONLogic and/or bug fix may change evaluation results

    The jsonlogic and/or operator bug could cause flag rules with compound boolean logic to evaluate incorrectly. Review any rules relying on and/or conditions after upgrading — results may change from what you saw in v0.15.4.

Key changes (5)
  • Fractional evaluator now handles missing or null targeting keys without crashing or misbehaving
  • JSONLogic and/or operator bug fixed — compound boolean flag rules evaluate correctly now
  • Custom operator conformance fixes improve spec compliance
  • OTel service name and version can now be overridden correctly
  • Dependabot security alert dependencies updated
Source

Argo

CI/CD & App DeliveryApr 30, 2026

v3.3.9 is a focused patch addressing four bugs — including a panic in ApplicationSet DuckType Generator and a UI crash in pod logs — plus a Go version bump to resolve CVEs.

  • securityUpgrade to patch Go-level CVEs

    The Go runtime was bumped specifically to resolve CVEs. The release notes don't enumerate the exact CVE IDs, but if you're running 3.3.x in production, upgrade to 3.3.9 now rather than waiting for your next maintenance window. All container images are cosign-signed and SLSA Level 3 provenance is available — verify signatures before deploying if your pipeline requires it.

  • breakingApplicationSet DuckType Generator panic is now fixed — review affected ApplicationSets

    If you use DuckType Generators and have clusters with non-string label values, previous versions would silently panic. After upgrading, those ApplicationSets will now process correctly rather than crashing. Do a quick audit of your ApplicationSet resources post-upgrade to confirm they're reconciling as expected — you may see previously-failing sets suddenly become active.

  • enhancementOCI metadata caching restored — expect reduced registry pressure

    The Redis cache for OCI metadata was broken, meaning every OCI source lookup was hitting the registry directly. With this fix, caching works again. If you use OCI-sourced ApplicationSets or Helm charts, you should see reduced latency and fewer registry requests after upgrading. No configuration change needed.

Key changes (5)
  • Fixed panic in ApplicationSet DuckType Generator when encountering non-string values in cluster labels
  • Fixed pod logs viewer UI crash caused by stale container index references
  • Fixed double-delete error on the server side to prevent spurious errors during cleanup operations
  • Fixed OCI metadata put/get to/from Redis cache, restoring proper caching behavior
  • Bumped Go version to patch CVEs in the Go standard library
Source

Microcks

CI/CD & App DeliveryApr 29, 2026

Microcks 1.14.0 adds Kafka request-reply for async mocking and expands Callback/Sync-to-Async support across REST, gRPC, and the UI. A bug fix prevents HTTP method mutation on mocked operations.

  • securityRebuild custom images on updated UBI9 base

    The base image bumps to UBI9 9.7-1776833838. If you build custom Microcks images on top of the official one, rebuild and re-test after upgrading to pick up the upstream OS patches included in this UBI update.

  • breakingVerify REST mock routing after operation method fix

    The fix for issue #2028 prevents the operation HTTP method from being overridden — a subtle bug that could cause mocks to respond incorrectly if the method was being mutated. Verify any existing REST mocks that rely on method-specific routing to confirm they behave as expected after upgrade.

  • enhancementAdopt Kafka request-reply for async testing

    Kafka async mocks now support request-reply semantics. If your team uses Microcks to mock event-driven services over Kafka, this unlocks proper two-way interaction testing without external tooling. Review the updated API for Callback and Sync-to-Async support alongside the new triggers UI before migrating existing Kafka mock setups.

Key changes (5)
  • Kafka async mocks now support request-reply pattern (previously only fire-and-forget was possible)
  • Callback and Sync-to-Async API updated; triggers info now visible in UI and usable as a second artifact
  • gRPC mocks gain triggers support
  • Operation HTTP method is no longer overridable (bug fix, #2028)
  • UBI9 base image updated to 9.7-1776833838; Angular bumped to 19.2.20; context propagation added with X-Trace-Id header support
Source

Argo

CI/CD & App DeliveryApr 16, 2026

Argo CD v3.3.7 is a patch release fixing controller performance regressions, OIDC config handling, and several UI/security header issues.

  • securitySwagger UI endpoints now have clickjacking protection — upgrade if exposed

    X-Frame-Options and Content-Security-Policy headers were missing from Swagger UI endpoints. If your Argo CD API server is reachable from browsers (even internally), those endpoints were frameable. Upgrade to 3.3.7 to close this. No config change needed post-upgrade.

  • breakingOIDC auth may behave differently after upgrade if config was stale

    The fix ensures OIDC config reloads on server restart rather than using a cached/stale version. In practice this is a correctness fix, but if you've been working around stale OIDC behavior with manual pod restarts, verify SSO flows after upgrading to confirm expected behavior.

  • enhancementUpgrade if you're seeing excessive reconciliation or controller CPU spikes

    Two separate fixes address controller overhead: the parentUIDToChildren data structure change reduces memory churn on large clusters, and the informer resync fix stops unnecessary app refreshes that inflate API server load. If your controller is burning CPU or you're seeing constant reconcile loops, this patch is worth prioritizing.

Key changes (5)
  • Controller performance improved: switched parentUIDToChildren to map-of-sets and reduced secret deep copies/deserialization overhead
  • OIDC config now properly refreshes on server restart — previously stale config could cause auth failures
  • X-Frame-Options and CSP headers added to Swagger UI endpoints, closing a clickjacking exposure
  • Prevented automatic refreshes triggered by informer resync and status updates, reducing unnecessary reconciliation churn
  • Fixed repo-server crashes caused by symlink handling in copyutil and missing repo.insecure flag propagation to helm dependency build
Source

Argo

CI/CD & App DeliveryApr 16, 2026

Argo CD v3.1.14 is a small patch fixing unnecessary app refreshes and a CI lockfile issue, plus a dependency bump for fast-xml-parser.

  • securityfast-xml-parser bump closes potential parsing vulnerabilities

    The fast-xml-parser library was bumped three minor versions. These kinds of XML parser updates often address denial-of-service or entity expansion issues. While Argo CD's exposure surface for this library is limited to the UI, staying current here is straightforward — just upgrade and verify UI functionality in your staging environment.

  • enhancementUpgrade if informer resync is flooding your refresh queue

    The fix for automatic refreshes triggered by informer resync and status updates is the real reason to pick up this patch. If you've been seeing excessive app refresh activity or high controller CPU load during resync windows, this addresses the root cause. Deploy this patch during your next maintenance window — it's low risk.

Key changes (4)
  • Prevents automatic refreshes triggered by informer resync and status updates — a meaningful reduction in unnecessary reconciliation noise
  • Fixes yarn install running without --frozen-lockfile in CI, improving build reproducibility
  • Bumps fast-xml-parser from 4.5.3 to 4.5.6 in the UI dependency tree
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

Argo

CI/CD & App DeliveryApr 16, 2026

Argo CD v3.2.9 is a patch release fixing excessive refresh triggers, a UI rendering bug for OCI revisions, and a CI lockfile issue, plus a dependency bump for fast-xml-parser.

  • securityfast-xml-parser bump addresses potential XML parsing issues in the UI

    fast-xml-parser was bumped from 4.5.3 to 4.5.6. While no specific CVE is called out in the release notes, staying current on XML parsing libraries in web UIs is prudent given their attack surface. If your Argo CD UI is exposed to untrusted users or external traffic, this upgrade is worth prioritizing.

  • enhancementUpgrade if informer resync noise is causing excessive reconciliation

    The fix for unintended automatic refreshes from informer resync and status updates (#25290) is the most operationally impactful change here. If you've seen high reconciliation rates or unexplained sync activity in busy clusters, this patch directly addresses that. Upgrade to 3.2.9 and monitor your refresh/sync rate metrics post-upgrade.

  • enhancementOCI users: revision metadata now renders correctly

    If your team uses OCI-based Helm charts or manifests and noticed the revision metadata panel was always blank, that was a guard clause bug — not a config problem. This release fixes it. No action needed beyond upgrading; the UI should display OCI revision info correctly afterward.

Key changes (5)
  • Fixed automatic refreshes being triggered unnecessarily by informer resync and status updates — a potential performance/noise issue in busy clusters
  • Fixed OCI revision metadata never rendering in the UI due to a conflicting guard clause
  • Bumped fast-xml-parser from 4.5.3 to 4.5.6 (dependency security/stability hygiene)
  • Updated notifications-engine dependency to v0.5.1-0.20260316232552
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

Backstage

CI/CD & App DeliveryApr 14, 2026

v1.50.0 is a wide-ranging release with several breaking changes across auth, frontend APIs, and catalog. Key practical upgrades: AWS RDS IAM auth, Auth0 federated logout, catalog deadlock fixes, and security patches for rollup/glob.

  • securityUpdate CLI and build tooling to pick up rollup path traversal fix

    rollup < v4.59 has a high severity path traversal vulnerability (GHSA-mw96-cpmx-2vgc). The @backstage/cli, repo-tools, and several CLI modules have been updated. Run the upgrade helper and update your lockfile. If you pin rollup versions anywhere in your workspace, update those pins to v4.59+. The glob dependency was also bumped to v13 to address vulnerabilities in v7/v8/v11.

  • breakingVerify token decoding code before upgrading — ent claim removed by default

    auth.omitIdentityTokenOwnershipClaim now defaults to true, so Backstage user tokens no longer include the ent ownership claim. Any code that manually decodes tokens and reads ent will silently get nothing. Audit your codebase for raw token decoding and replace it with the userInfo core service. If you need time, set auth.omitIdentityTokenOwnershipClaim: false in your config temporarily, but plan to remove it — the setting will be dropped in a future release.

  • breakingMigrate createSchemaFromZod to configSchema before upgrading frontend-plugin-api

    The deprecated createSchemaFromZod helper is gone in @backstage/[email protected]. Any extension or blueprint using it will fail at runtime. Check the 1.50 migration docs at backstage.io/docs/frontend-system/architecture/migrations#150 and switch to the configSchema option. Note that plain zod v3 schemas are not supported — use import { z } from 'zod/v4' from the zod v3 package or upgrade to zod v4.

Key changes (7)
  • BREAKING: auth.omitIdentityTokenOwnershipClaim now defaults to true — tokens no longer carry the ent claim, which eliminates header size issues in large orgs but may affect code that explicitly decodes Backstage tokens
  • BREAKING: frontend-plugin-api removes deprecated createSchemaFromZod helper; migrate to the new configSchema option with zod v4
  • BREAKING: @backstage/ui drops React 17 support — minimum is now React 18
  • Catalog backend deadlock fix: SELECT ... FOR UPDATE SKIP LOCKED was missing transaction wrapping, causing PostgreSQL deadlocks (40P01) in multi-replica deployments
  • Security: rollup upgraded to v4.59+ (GHSA-mw96-cpmx-2vgc path traversal) and glob bumped to v13 across CLI and repo-tools packages
  • AWS RDS IAM authentication for PostgreSQL now supported in backend-defaults — use short-lived tokens instead of static passwords
  • Auth0 provider now performs federated logout, clearing the Auth0 session on sign-out; set federatedLogout: true to also clear upstream IdP sessions
Source

Argo

CI/CD & App DeliveryMar 26, 2026

A targeted patch release fixing a gRPC CVE, a false-diff bug in app normalization, and a UI glitch in RollingSync — upgrade promptly for the security fix alone.

  • securityPatch CVE-2026-33186 by upgrading to v3.2.8 now

    The grpc-go CVE-2026-33186 fix is the primary reason to move quickly on this release. If you're running any 3.2.x version, upgrade to 3.2.8. Verify your container images using cosign against the published provenance — the Argo CD docs cover the exact verification steps. Don't wait on this one.

  • breakingCheck for spurious sync operations before and after upgrade

    The normalization diff bug could have been silently triggering syncs on apps that were actually in-sync. After upgrading, review your sync history for apps that synced frequently without visible config changes — those were likely false positives. The fix should stop them, but any automation or alerts built around sync frequency may need recalibration.

  • enhancementRollingSync UI fix improves progressive delivery visibility

    If you use ApplicationSets with RollingSync and have ever wondered why a step appeared blank or unclear in the UI, this fix addresses that. No action needed beyond upgrading, but it's worth re-examining your RollingSync step configurations in the UI post-upgrade to confirm everything displays as expected.

Key changes (4)
  • Mitigates grpc-go CVE-2026-33186, a security vulnerability in the gRPC library used by Argo CD
  • Fixes controller incorrectly detecting diffs during app normalization, which could cause unnecessary sync operations
  • Fixes UI not clearly displaying RollingSync steps when labels match no step
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

Argo

CI/CD & App DeliveryMar 25, 2026

Patch release fixing a gRPC CVE and a UI bug in RollingSync. Low operational risk, but the security fix warrants prompt upgrade.

  • securityUpgrade now to mitigate CVE-2026-33186 in grpc-go

    CVE-2026-33186 affects the grpc-go library used by Argo CD's internal and external gRPC communication. The fix is a mitigation backport to the 3.1 branch. Any Argo CD 3.1.x instance prior to 3.1.13 is exposed. Upgrade to 3.1.13 promptly — this should be treated as a priority patch, not a routine update. After upgrading, verify image signatures with cosign against the published provenance if your supply chain policy requires it.

  • securitylodash bumped to 4.17.23 — check if your own apps pin this version

    The lodash bump in the UI bundle closes known issues in 4.17.21/4.17.22. If your team also pins lodash in application code or CI pipelines referencing Argo CD's frontend assets, audit those pinned versions independently. This change only covers the Argo CD UI bundle itself.

  • enhancementRollingSync UI fix helps diagnose misconfigured sync waves

    If you use ApplicationSets with RollingSync and label-based step matching, the previous UI would silently hide steps that matched no labels — making it hard to spot misconfigured rollout waves. The fix surfaces these unmatched steps visibly. After upgrading, review any RollingSync-heavy ApplicationSets to confirm step labels are actually matching the intended clusters or apps.

Key changes (4)
  • Mitigated CVE-2026-33186 in grpc-go — affects all deployments using gRPC communication
  • Fixed UI display issue where RollingSync steps with no matching labels were not shown clearly
  • Bumped lodash from 4.17.21 to 4.17.23 to address known vulnerabilities in the dependency
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

Argo

CI/CD & App DeliveryMar 16, 2026

Argo CD 3.3.4 delivers critical bug fixes for token refresh handling and git-lfs support, plus enhanced security documentation - a maintenance release that improves operational stability.

  • securityVerify signed release assets

    All container images now include cosign signatures and SLSA Level 3 provenance. Use the official verification documentation to validate your container images before deployment, particularly in security-sensitive environments.

  • breakingReview token refresh configurations

    The token refresh fix resolves parsing errors that could affect component behavior. Check your existing token configurations and monitor for any authentication issues after upgrading, especially in multi-component setups.

  • enhancementUpgrade for ppc64le architecture support

    If running on ppc64le systems, this release fixes git-lfs functionality that was previously broken due to missing checksums. Plan your upgrade to restore full git-lfs capabilities on these architectures.

Key changes (5)
  • Fixed token refresh threshold parsing errors affecting unrelated components
  • Added missing git-lfs installer checksum for ppc64le architecture support
  • Updated OpenTelemetry SDK dependencies for better observability
  • Enhanced documentation for cluster version changes and migration guidance
  • Maintained SLSA Level 3 compliance with signed container images and provenance
Source

Flux

CI/CD & App DeliveryMar 12, 2026

Flux v2.8.2 delivers critical fixes for reconciliation loops, Azure Container Registry authentication, and includes a security patch for CVE-2026-27138. The release focuses on operational stability improvements.

  • securityApply CVE-2026-27138 patch immediately

    This release fixes a potential Denial of Service vulnerability during TLS handshakes. Schedule your upgrade to v2.8.2 as soon as possible, especially if your Flux installation handles external TLS connections or operates in environments with security compliance requirements.

  • enhancementEnable DefaultToRetryOnFailure for better HelmRelease reliability

    If you use CancelHealthCheckOnNewRevision and have experienced stuck HelmReleases, enable the new DefaultToRetryOnFailure feature gate. This prevents canceled releases without retry strategies from hanging indefinitely, improving deployment reliability.

  • enhancementVerify Azure Container Registry authentication after upgrade

    The ACR authentication scope fix may resolve intermittent authentication failures you've experienced with Azure registries. After upgrading, monitor your image pulls and source operations to confirm improved reliability with ACR repositories.

Key changes (5)
  • Fixed unnecessary reconciliation requests when source objects are already processing the current revision
  • Resolved Helm template YAML separator bug by upgrading to Helm 4.1.3
  • Added DefaultToRetryOnFailure feature gate to prevent HelmReleases from getting stuck when canceled
  • Corrected Azure Container Registry authentication scope for proper access
  • Patched CVE-2026-27138 TLS handshake DoS vulnerability by building with Go 1.26.1
Source