RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Jul 2026Clear ×

TiKV

Storage & DataJul 9, 2026

TiKV/TiDB v8.5.7 is a mixed release combining several default/behavior changes operators must review (stricter max_ts and NOT NULL validation, auto IndexMerge, TiDB Lightning web UI removal, resource-control metric relabeling) with a security-relevant dependency upgrade and a broad set of new features, performance work, and bug fixes.

  • securityVulnerable TiKV third-party dependencies patched

    This release upgrades vulnerable third-party dependencies used by TiKV 8.5 and aligns required compatibility fixes with upstream, improving stability and security. Upgrade to pick up the patched dependencies.

  • breakingmax_ts invalid-update handling now errors by default

    TiKV now rejects max_ts updates confirmed invalid instead of only logging them. If you rely on the previous log-only behavior, set storage.max-ts.action-on-invalid-update to log before upgrading.

  • breakingFix control 52869 (auto IndexMerge) enabled by default

    TiDB now enables optimizer fix control 52869 by default, letting the optimizer consider IndexMerge automatically when alternative indexes exist. This can change query plans in some cases; review plans for sensitive queries after upgrade.

  • breakingStrict NOT NULL validation on INSERT enabled by default

    tidb_enable_strict_not_null_check now defaults to ON, enforcing strict validation when an INSERT explicitly writes NULL into a NOT NULL column. Statements that previously succeeded may now fail; audit INSERT paths that rely on lenient NULL handling.

  • breakingResource-control background metrics lose resource_group label

    TiKV background resource-control metrics are now aggregated globally via a single rate limiter, dropping the per resource_group label. Update dashboards and alerting rules that filter or group by resource_group for background metrics.

  • breakingTiDB Lightning web interface removed

    TiDB Lightning drops its web interface starting in v8.5.7. Switch to the command-line tools tidb-lightning for import tasks and tidb-lightning-ctl for checkpoint and troubleshooting operations.

Key changes (8)
  • TiKV rejects invalid max_ts updates by default instead of just logging them (revert via storage.max-ts.action-on-invalid-update=log)
  • Optimizer fix control 52869 (auto IndexMerge) is now enabled by default and can shift query plans
  • tidb_enable_strict_not_null_check now defaults to ON, causing stricter INSERT NULL validation
  • TiKV background resource-control metrics are now aggregated without the resource_group label; dashboards/alerts need updating
  • TiDB Lightning web interface removed; use tidb-lightning / tidb-lightning-ctl CLI tools instead
  • Vulnerable third-party dependencies patched across TiKV 8.5 for stability and security
  • New features: CPU-aware hot Region read scheduling in PD/TiKV, partial index support, per-user connection limits, TiCDC table routing
  • Plus various performance work (fail-fast on disk I/O hangs, fairer read-pool scheduling) and bug fixes across TiKV memory usage, PD resource control, BR log backup, and TiCDC stability
Source

Rook

Storage & DataJul 7, 2026

Rook v1.20.2 is a routine patch release for the Ceph operator: it tightens the mgr NetworkPolicy to ingress-only, bumps Ceph to v20.2.2 and ceph-csi-operator to v1.0.4, and ships a batch of smaller bug fixes and enhancements. No breaking changes or CVEs are included.

  • securitymgr NetworkPolicy restricted to ingress-only

    The mgr NetworkPolicy is now restricted to ingress-only traffic, tightening the default network posture for the Ceph manager pod (#17827). Review your NetworkPolicy setup after upgrading if you rely on egress rules for mgr.

Key changes (6)
  • mgr NetworkPolicy tightened to ingress-only, reducing egress exposure for the Ceph manager (#17827)
  • Ceph bumped to v20.2.2 and ceph-csi-operator to v1.0.4
  • Node watcher now reconciles on node label/annotation changes and skips during initial cache sync to avoid spurious loops
  • Stale VolumeAttachment resources are now cleaned up on unmount in external clusters
  • Floating mon reschedule time reduced for faster failover
  • Several smaller fixes: config overrides now end with a trailing newline, OSD raw activate fallback no longer misclassifies rbd devices, realm access keys are now URL-safe, plus example NetworkPolicy CRs and new API support for muting Ceph warnings
Source

Harbor

Storage & DataJul 2, 2026

Harbor v2.15.2 is a maintenance patch backporting the 2.15.0 security hardening set (blob-mount token validation, crypto/SMTP cleanup) plus the Redis-to-Valkey cache backend swap, alongside a large batch of UI/UX fixes following the Angular 21/Clarity v18 upgrade. No critical or high severity issues are involved; upgrade at normal patch cadence, but check external Redis/Valkey compatibility first.

  • securityBlob-mount token validation hardened

    Blob-mount now validates that the source project matches and rejects tokens missing the 'iat' claim, closing a gap that could let a token be replayed or misused across projects during blob mounting. No configuration change is needed, just upgrade.

  • securityCrypto usage hardened, unused SMTP package dropped

    Harbor tightened internal crypto usage and dropped the unused SMTP package, reducing attack surface. Rated low severity; upgrade covers it, no action required beyond that.

  • breakingCache backend switched from Redis to Valkey

    The cache backend moves from Redis to Valkey. If you run external Redis, or reference redis-specific config/images/health checks in your deployment, verify compatibility with Valkey before or during the upgrade.

  • breakingInternal YAML library replaced

    Harbor's YAML library changed from gopkg.in/yaml.v2 to github.com/goccy/go-yaml internally. This is an internal dependency swap with no expected operator-facing change, but flag it if you parse Harbor-generated YAML with strict schema assumptions.

  • breakingRegistry pinned to stable v2.8.3-harbor.1

    The bundled registry component now tracks the stable v2.8.3-harbor.1 tag instead of an rc.5 pre-release build, giving a more predictable registry version in this patch.

Key changes (7)
  • Blob-mount token validation hardened: rejects tokens missing 'iat' and checks source project (medium severity)
  • Crypto usage hardened and unused SMTP package removed (low severity)
  • Cache backend replaced: Redis swapped for Valkey
  • Internal dependency swaps: gopkg.in/yaml.v2 to goccy/go-yaml, registry pinned to stable v2.8.3-harbor.1
  • Harbor UI upgraded to Angular 21, Clarity v18, Node.js v22, with a large batch of accompanying UI/UX fixes (checkboxes, dark theme, i18n, job queue counts, pull command tag selection)
  • Fixed repository update_time not bumping on tag/artifact changes; Cosign verification adjusted to ignore/disable tlog
  • Plus several smaller build and packaging fixes: photon base image rebuild, net-tools removal, configurable openapi-generator/PIP_INDEX_URL, build system decoupling for 2.15
Source

Longhorn

Storage & DataJul 1, 2026

Longhorn v1.11.3 is a bugfix rollup addressing over a dozen stability issues across volume operations, backups, and instance management. One upgrade prerequisite applies: the CSI external provisioner is now v6.3.0, requiring Kubernetes v1.34 or later when upgrading from v1.10.x or v1.11.0.

  • breakingKubernetes v1.34+ required when upgrading from v1.10.x or v1.11.0

    The bundled CSI external provisioner is bumped to v6.3.0, which requires Kubernetes v1.34 or later. If your cluster runs an older Kubernetes version and you are upgrading from Longhorn v1.10.x or v1.11.0, bring Kubernetes to v1.34+ first before applying this upgrade.

Key changes (7)
  • CSI external provisioner bumped to v6.3.0: clusters must run Kubernetes v1.34+ before upgrading from v1.10.x or v1.11.0
  • Fixed iscsid restarts leaving V1 volumes inoperable, blocking PVC resize and other volume operations
  • Fixed nil pointer dereference panic in longhorn-instance-manager during replica rebuild
  • Fixed deadlock causing recurring trim jobs to fail, and separate fixes for volume expansion getting stuck
  • Fixed migration engine being deleted while target node was still transitioning to ready
  • Fixed backup uploads to S3 failing on NetApp appliances, and fixed System Backup RecurringJob incorrectly pruning the newest CR
  • Fixed longhorn-manager panic in BackupController during backup deletion, plus HTTP response body leaks in support bundle and webhook polling; reduced webhook TLS Secret contention at scale
Source
Browse by month