RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: The Update Framework (TUF)Clear ×

The Update Framework (TUF)

SecurityMay 18, 2026

v7.0.0 fixes a Windows-specific security vulnerability in delegation path matching and tightens the ngclient API with one breaking constructor change.

  • securityPatch Windows deployments immediately for GHSA-qp9x-wp8f-qgjj

    Delegation path matching was broken on Windows, meaning a malicious or misconfigured repository could match targets it shouldn't. If any of your TUF clients run on Windows, upgrade to v7.0.0 now. Linux/macOS deployments are unaffected, but upgrading is still the right move before paths diverge further.

  • breakingUpdate all Updater() call sites to use the named bootstrap argument

    The Updater() constructor signature changed: 'bootstrap' is now a required keyword argument. Any code calling Updater() without explicitly passing 'bootstrap' will break. Audit your code for Updater instantiations — if you weren't passing a bootstrap value before, add bootstrap=None to restore the previous behavior. This is a one-line fix per call site, but it will cause an immediate TypeError if missed.

  • enhancementWatch for securesystemslib.hash removal in upcoming releases

    This release starts phasing out the securesystemslib.hash dependency. If your codebase or any custom TUF extensions directly import or rely on securesystemslib.hash, start planning a migration now rather than scrambling when a future release drops it entirely.

Key changes (5)
  • Security fix for GHSA-qp9x-wp8f-qgjj: incorrect delegation path matching on Windows could allow unauthorized targets to be trusted
  • Updater() constructor now requires 'bootstrap' as a named argument — previously it had a default, now you must be explicit
  • To preserve old behavior with no bootstrap, pass bootstrap=None explicitly
  • Preparatory work to drop securesystemslib.hash dependency in a future release
  • Several documentation corrections
Source