RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: CrossplaneClear ×

Crossplane

Orchestration & ManagementJun 22, 2026

Crossplane v2.3.3 patches a TOCTOU security flaw in OCI package signature verification (GHSA-mf7q-r4rv-jv94) and fixes a namespace injection bug in `crossplane render`. Routine CVE bumps for Go deps included.

  • securityUpgrade immediately to fix OCI signature TOCTOU (GHSA-mf7q-r4rv-jv94)

    The TOCTOU flaw means a compromised or malicious OCI registry could serve unsigned package content after passing signature verification. Any Crossplane deployment that installs packages from OCI registries is exposed. Upgrade to v2.3.3 — this fix lives in crossplane-runtime and is bundled in this release. Review the crossplane-runtime v2.3.3 advisory for full technical details and assess whether any packages installed on affected versions should be reinstalled.

  • securitygolang.org/x/net and x/sys CVE patches — rebuild or upgrade

    The apis module now pulls updated golang.org/x/net and golang.org/x/sys. If you build Crossplane from source or vendor these deps in your own providers/functions, update your dependency pins to pick up the same CVE fixes. Pre-built images in v2.3.3 already include the patched versions.

  • breakingcrossplane render namespace behavior changed for namespaced XRs

    If you use `crossplane render` in CI pipelines or local testing with namespaced XRs, the injected resource refs no longer carry a namespace. This matches real reconciler behavior and fixes breakage with strict-schema functions (e.g., KCL-generated bindings). Re-run your render tests after upgrading to confirm output changes don't mask real issues in your composition logic.

Key changes (4)
  • TOCTOU fix in OCI package signature verification via crossplane-runtime v2.3.3 (GHSA-mf7q-r4rv-jv94): a malicious registry could swap unsigned content after signature check passed
  • Fixed `crossplane render` incorrectly setting namespace on resource refs for namespaced XRs, which broke strict-schema functions like generated KCL bindings
  • Go toolchain bumped to 1.25.11
  • golang.org/x/net and golang.org/x/sys updated in the apis module to pick up CVE fixes
Source

Crossplane

Orchestration & ManagementJun 22, 2026

Crossplane v2.2.3 patches a TOCTOU vulnerability in package signature verification (GHSA-wfqx-gjrf-g28r) and bumps Go toolchain and dependencies for security fixes.

  • securityPatch the TOCTOU signature verification flaw now if you use tag-based installs

    If your team installs Crossplane packages by tag (not digest) from registries you don't fully control, this TOCTOU flaw (GHSA-wfqx-gjrf-g28r) let a malicious registry pass signature verification with one image and then serve a different, unsigned image at install time. Upgrade to v2.2.3 immediately. As a defense-in-depth measure, consider switching package installs to digest references — that would have avoided this issue entirely regardless of the Crossplane version.

  • securityGo 1.25.11 and golang.org/x/net v0.55.0 pick up upstream CVE fixes

    The Go toolchain bump and net package update carry security fixes from upstream. There is no separate action beyond upgrading to v2.2.3, but if you scan container images for CVEs, expect findings against older Crossplane images to include these — use v2.2.3 as your baseline for compliance scans.

Key changes (4)
  • Fixed TOCTOU flaw (GHSA-wfqx-gjrf-g28r): tag references are now resolved to a digest once, used for both verification and pull
  • Go toolchain bumped to 1.25.11 for upstream security fixes
  • golang.org/x/net updated to v0.55.0
  • crossplane-runtime updated to v2.2.3
Source

Crossplane

Orchestration & ManagementJun 22, 2026

Crossplane v2.1.7 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Crossplane

Orchestration & ManagementJun 22, 2026

Crossplane v1.20.10 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Crossplane

Orchestration & ManagementJun 9, 2026

Crossplane v2.3.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Crossplane

Orchestration & ManagementJun 5, 2026

Patch release adding a v2 upgrade readiness scanner, a golang.org/x/net security fix, and a runtime bump. The new CLI command is the practical reason to upgrade now.

  • securityUpdate immediately for golang.org/x/net fix

    golang.org/x/net was updated to v0.55.0 to address a security issue. The release notes tag this as a security dependency update, so treat it as mandatory. Upgrade to v1.20.9 before the next planned maintenance window, don't wait for a convenient moment.

  • breakingTreat upgrade check findings as real blockers, not warnings

    The command reports usage of features that are removed or changed in v2 — native patch-and-transform Compositions, ControllerConfig, external secret stores, and unqualified package sources. These are not deprecation warnings; they are hard blockers. If your control plane has any findings, start migration work using the linked guides before attempting any v2 upgrade. Ignoring them and upgrading anyway will break running workloads.

  • enhancementRun upgrade check before any v2 planning work

    If your team is on a v1.x control plane and Crossplane v2 is anywhere on the roadmap, run `crossplane beta upgrade check` against your environment now. It surfaces exactly which Compositions, ControllerConfigs, and package references will block an upgrade — saving hours of manual audit. Pipe it with `-o json` into your CI pipeline to enforce a clean bill of health before any v2 upgrade PR is merged. The non-zero exit code makes gating trivial.

Key changes (5)
  • New `crossplane beta upgrade check` command scans a live control plane for v2 breaking changes before you upgrade
  • Checks cover native P&T Compositions, ControllerConfig usage, external secret stores, unqualified package sources, and connection details
  • Output is human-readable by default, JSON-capable via `-o json`, exits non-zero on blockers — CI-gate friendly
  • Each finding links directly to relevant migration guides and `crossplane beta convert` commands where applicable
  • Security update: golang.org/x/net bumped to v0.55.0; crossplane-runtime updated to v1.20.9
Source

Crossplane

Orchestration & ManagementMay 22, 2026

Crossplane v2.3.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Crossplane

Orchestration & ManagementMay 22, 2026

v1.20.8 is a security-only patch for the v1.20 line, bumping Go to 1.25.10 and patching multiple dependency CVEs across go-git, golang.org/x/net, x/crypto, and docker/cli.

  • securityUpgrade v1.20 clusters to v1.20.8 now — multiple CVEs addressed

    This patch covers a broad sweep of dependency CVEs: go-git (two separate fixes), golang.org/x/net, golang.org/x/crypto, docker/cli, and in-toto-golang, plus Go stdlib CVEs via the 1.25.10 runtime bump. If you're running any v1.20.x version below this, you're exposed. The go-git and x/crypto vulnerabilities are particularly relevant if your Crossplane setup pulls packages from Git repositories. Plan the upgrade soon — this is not a 'schedule it next sprint' situation.

  • enhancementConsider moving to v1.21+ if still on v1.20

    The v1.20 line is receiving security backports, but it won't get feature improvements. If you've been holding on v1.20 for stability reasons, this patch is a good opportunity to audit your upgrade blockers. The v1.21 line has been out long enough to be considered stable, and staying on an older minor version means you'll keep chasing security patches like this one.

Key changes (5)
  • Go runtime bumped to 1.25.10 to address stdlib CVEs
  • go-git/go-git updated to v5.19.1 (two sequential security fixes in this release)
  • golang.org/x/net updated to v0.53.0 for security fixes
  • golang.org/x/crypto updated to v0.52.0 for security fixes
  • docker/cli and in-toto-golang also patched for security issues
Source

Crossplane

Orchestration & ManagementMay 22, 2026

v2.1.6 is a security-focused patch for the v2.1 line, bumping Go to 1.25.10 and patching several vulnerable dependencies including go-git, golang.org/x/crypto, and OpenTelemetry.

  • securityUpgrade to v2.1.6 immediately if running v2.1.x

    This release patches multiple CVEs across Go stdlib, go-git, x/crypto, and x/net. These aren't theoretical risks — go-git vulnerabilities can affect package fetching behavior, and x/crypto/x/net issues can expose TLS and HTTP handling. If you're on any v2.1.x release, upgrade now. No API or behavioral changes are included, so the upgrade is low-risk.

  • securityCheck your provider images for the same vulnerable dependencies

    Crossplane core is patched, but your installed providers (AWS, GCP, Azure, etc.) are separate images with their own dependency trees. Run a container image scan (Trivy, Grype) against your active provider pods to check if they carry the same vulnerable versions of go-git or x/crypto. Provider maintainers will need to release their own patches.

Key changes (5)
  • Go runtime bumped to 1.25.10 to address stdlib CVEs
  • go-git updated twice (v5.19.0 → v5.19.1) to resolve security issues in git operations
  • golang.org/x/crypto and golang.org/x/net updated for security fixes
  • OpenTelemetry otel updated to v1.41.0 with security patches
  • in-toto-golang updated to v0.11.0 for supply chain security fixes
Source

Crossplane

Orchestration & ManagementMay 22, 2026

Pure security patch release: Go runtime bumped to 1.25.10 and several dependencies updated to address stdlib CVEs and git-related vulnerabilities.

  • securityUpgrade to v2.2.2 immediately if running v2.2.x

    This release is entirely security-driven. Go 1.25.10 patches stdlib CVEs, go-git v5.19.1 addresses git-related vulnerabilities, and x/crypto v0.52.0 closes cryptographic issues. No feature or behavioral changes are included, so the upgrade risk is minimal. If your team scans images or has compliance requirements, staying on v2.2.1 or earlier will trigger findings — update now.

  • securityCheck scanner results against the new image digest

    The go-git library was patched twice in quick succession, which suggests active exploitation pressure on that attack surface. After upgrading, re-run your vulnerability scanner against the new Crossplane image digest to confirm all findings are cleared. Pay particular attention to any CVEs tagged against git operations or supply-chain tooling, since in-toto-golang was also updated.

Key changes (5)
  • Go runtime bumped to 1.25.10 to fix multiple stdlib CVEs
  • go-git/go-git updated twice (v5.19.0 then v5.19.1) for security fixes
  • golang.org/x/crypto updated to v0.52.0 for security fixes
  • in-toto-golang updated to v0.11.0 for security fix
  • crossplane-runtime bumped to v2.2.2 to carry the same fixes downstream
Source

Crossplane

Orchestration & ManagementMay 21, 2026

Crossplane v2.3.0 ships a high-fidelity local render engine, per-resource reconciliation control, alpha Provider deletion protection, and multiple security dependency bumps including Go stdlib CVE fixes.

  • securityGo stdlib CVEs fixed — pull the new image

    Go was bumped to 1.25.10 specifically to address stdlib CVEs, on top of several other dependency security patches (grpc, go-git, go-jose, cloudflare/circl, golang.org/x/net). Update your Crossplane deployment to v2.3.0 promptly; if you mirror images internally, make sure the new digest is pulled before rolling out.

  • breakingUpdate API import paths and bookmark the new CLI repo

    If you import Crossplane APIs in Go code, change `github.com/crossplane/crossplane/v2/apis` to `github.com/crossplane/crossplane/apis/v2` and note that `v1.Resource*` types are now `v2.ClusterManagedResource*`. Pin your CLI tooling to the new `github.com/crossplane/cli` repo — version numbers will diverge from core after this release, so update any scripts or CI pipelines that assumed aligned versioning.

  • breakingUpgrade sequentially from v2.2 — do not skip minor versions

    Crossplane migrates CRDs on upgrade, and skipping minor versions can leave the API server in an inconsistent state. If you are on v1.20, that branch receives extended support but you should plan your migration to v2.x. Always follow the sequential upgrade path documented in the Crossplane upgrade guide.

  • enhancementUse per-resource poll annotations to reduce API server load

    Set `crossplane.io/poll-interval: 24h` on stable, infrequently-changing XRs to dramatically cut reconcile frequency. Pair it with `crossplane.io/reconcile-requested-at` to trigger on-demand reconciliation when needed. This is available immediately for XRs; for managed resources, wait for your providers to release versions based on crossplane-runtime v2.3.0 before relying on it.

  • enhancementEnable Provider deletion protection in non-prod first

    The new `--enable-provider-deletion-protection` alpha flag auto-creates `ClusterUsage` resources that block Provider deletion while managed resources exist. Useful safety net in shared clusters. Enable it in staging environments first to validate that your existing `ClusterUsage` webhook setup handles the auto-created resources correctly before rolling to production.

Key changes (6)
  • APIs module split: `github.com/crossplane/crossplane/apis/v2` is now a separate Go module; external consumers must update import paths
  • Crossplane CLI (`crank`) moved to its own repo (`github.com/crossplane/cli`) with an independent release schedule starting after v2.3.0
  • High-fidelity `crossplane render` now runs the real composite reconciler instead of a parallel reimplementation, so local output matches actual cluster behavior
  • New per-resource annotations `crossplane.io/poll-interval` and `crossplane.io/reconcile-requested-at` give fine-grained reconciliation control (XRs immediately; managed resources need provider update to crossplane-runtime v2.3.0)
  • Alpha Provider deletion protection via `--enable-provider-deletion-protection` blocks accidental Provider removal while managed resources still exist
  • Multiple security dependency updates: Go bumped to 1.25.10 fixing stdlib CVEs, plus grpc, go-git, go-jose, cloudflare/circl, and others
Source

Crossplane

Orchestration & ManagementApr 24, 2026

Crossplane v1.20.7 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Crossplane

Orchestration & ManagementApr 20, 2026

Crossplane v2.2.1 patches two user-reported bugs — ImageConfig prefix rewrite dependency upgrades and ResourceSelector handling — plus a broad sweep of security dependency updates.

  • securityUpgrade to v2.2.1 immediately for dependency security fixes

    This release pulls in security patches for at least 8 upstream libraries including cosign, go-git, go-jose, and cloudflare/circl. These are not cosmetic bumps — go-git had two separate security-tagged updates in this release alone (v5.17.1 and v5.18.0). If you're running v2.2.0, plan the upgrade now. The patch is a drop-in replacement with no breaking changes.

  • breakingVerify your ImageConfig prefix rewrite setups after upgrading

    If you use ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry mirror), your packages may have been silently stuck on stale dependency versions before this fix. After upgrading to v2.2.1, expect Crossplane to reconcile and potentially upgrade dependent packages that were previously frozen. Review installed package versions post-upgrade to confirm the expected state.

  • enhancementComposition functions can now use broad ResourceSelectors safely

    Composition functions that need to select all existing resources of a given kind no longer need workarounds. A ResourceSelector with only apiVersion and kind set is now valid. If you patched around this limitation with explicit matchLabels or matchName wildcards, you can simplify those selectors in your function logic.

Key changes (5)
  • Fixed: packages installed via ImageConfig prefix rewrites were silently skipping dependency upgrades, leaving stale versions in place
  • Fixed: composition functions returning a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) now correctly selects all resources of that kind instead of being rejected
  • Go runtime bumped to 1.25.9 with security tag
  • Security updates across: cosign, go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTel OTLP HTTP trace exporter
  • CI workflow hardening: mitigated potential script injection in the promote workflow and added required job-level permissions
Source

Crossplane

Orchestration & ManagementApr 20, 2026

v2.1.5 patches three behavioral bugs (ImageConfig upgrades, ResourceSelector matching, circuit breaker resets) and pulls in a broad sweep of security dependency updates including Go 1.25.9.

  • securityUpgrade to v2.1.5 promptly — this release addresses multiple CVEs in core dependencies

    The dependency list here is long: grpc, go-git (patched twice), go-jose, cloudflare/circl, moby/spdystream, docker/cli, and the OTel OTLP trace exporter all received security updates, plus Go itself was bumped to 1.25.9. Any of these could carry CVEs relevant to your threat model. This isn't a routine chore bump — prioritize this upgrade over staying on v2.1.4.

  • breakingCheck for silently stale packages if you use ImageConfig prefix rewrites

    If your environment uses ImageConfig to rewrite registry prefixes, dependent packages may have been silently pinned at outdated versions since the bug was introduced. After upgrading to v2.1.5, verify that your package dependency graph resolves to the expected versions — stale packages won't auto-upgrade retroactively, so you may need to trigger a reinstall or version bump manually.

  • enhancementResourceSelector 'select all of a kind' unlocks cleaner composition function patterns

    If you've been working around the previous rejection of bare apiVersion/kind selectors — adding dummy matchLabels or splitting logic — you can now clean that up. A selector with no match fields is treated as 'give me all resources of this kind,' which is the intuitive behavior. Review your composition functions for any workarounds and simplify them after upgrading.

Key changes (5)
  • ImageConfig prefix rewrite users were silently stuck on stale dependency versions — now dependency upgrades work correctly through rewrites
  • Composition functions can now use a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) to select all resources of a given kind
  • Circuit breaker state is now cleared on XR deletion, preventing newly recreated XRs from being blocked by leftover breaker state
  • Security dependency bumps across grpc, go-git, go-jose, cloudflare/circl, moby/spdystream, docker/cli, sigstore, and OTel OTLP HTTP exporter
  • Go runtime bumped to 1.25.9 for underlying security fixes
Source

Crossplane

Orchestration & ManagementApr 20, 2026

v2.0.8 fixes two user-reported bugs (ImageConfig prefix rewrite upgrades, ResourceSelector with no match field) and patches multiple security vulnerabilities in upstream dependencies.

  • securityUpgrade to v2.0.8 immediately for dependency security patches

    Multiple upstream dependencies received security-tagged fixes in this release — go-git (two separate bumps to v5.17.1 then v5.18.0), go-jose, cloudflare/circl, and others. These aren't just routine bumps; they carry CVE-related fixes. If you're running any v2.0.x release prior to v2.0.8, upgrade now. There are no API changes, so the upgrade path is straightforward.

  • breakingAudit packages installed via ImageConfig prefix rewrites for stale dependencies

    If your environment uses ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry), dependent packages may have been silently stuck on outdated versions since you adopted that configuration. After upgrading to v2.0.8, force a reconciliation and verify that all package dependencies are on their expected versions — don't assume the upgrade alone will catch everything already in a stuck state.

  • enhancementUse bare ResourceSelector (apiVersion+kind only) for 'select all' semantics in composition functions

    Previously, omitting matchName and matchLabels from a ResourceSelector caused Crossplane to reject the request outright. That's now fixed — a bare selector correctly means 'all resources of this kind'. If you worked around this limitation by enumerating resources explicitly or adding dummy match conditions, clean up those workarounds after upgrading.

Key changes (5)
  • ImageConfig prefix rewrite: dependency upgrades now propagate correctly — packages were silently stuck on stale versions before this fix
  • ResourceSelector with only apiVersion+kind (no matchName/matchLabels) now correctly selects all resources of that kind instead of being rejected
  • Go runtime bumped to 1.25.9 with security fixes
  • Security patches across go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTLP HTTP trace exporter
  • CI workflow hardened against potential script injection in the promote pipeline
Source

Crossplane

Orchestration & ManagementApr 20, 2026

v1.20.6 is a security-focused patch release fixing multiple dependency CVEs and hardening CI workflows against script injection attacks.

  • securityUpgrade to v1.20.6 immediately — multiple dependency CVEs patched

    Five separate security dependency updates landed in this release, covering cryptography (circl), git operations (go-git), HTTP/2 streaming (spdystream), and telemetry export (otelhttp). Any Crossplane v1.20.x deployment is exposed until upgraded. This isn't a theoretical risk — go-git had two separate security fixes within this single patch release, which signals active exploitation concern. Run your upgrade now.

  • securityCI/CD supply chain hardening — audit your own pipelines

    The Crossplane team mitigated script injection in their release promotion workflow and tightened GitHub Actions job permissions. If you're running Crossplane forks, mirrors, or custom automation that builds on top of Crossplane's CI patterns, audit your own workflows for similar issues: untrusted input in run steps and overly broad GITHUB_TOKEN permissions are the two patterns to check.

  • enhancementTrivy scanning dropped from CI — don't let it drop from yours

    Crossplane dropped Trivy from their CI pipeline in this release. This is an internal CI decision, but if your team was relying on Crossplane's upstream scan results as a proxy for your own security posture, that signal is now gone. Make sure you have independent vulnerability scanning on your Crossplane images and provider images in your own pipelines.

Key changes (5)
  • go-git/go-git updated twice (v5.17.1 → v5.18.0) to address security vulnerabilities in git operations
  • cloudflare/circl updated to v1.6.3 for cryptographic library security fixes
  • moby/spdystream updated to v0.5.1 to patch a security issue in HTTP/2 stream handling
  • OpenTelemetry OTLP trace exporter updated to v1.43.0 with security fixes
  • CI workflow hardened against script injection and permission escalation vulnerabilities
Source