Crossplane
v1.20.6Orchestration & Managementv1.20.6 is a security-focused patch release fixing multiple dependency CVEs and hardening CI workflows against script injection attacks.
securityUpgrade to v1.20.6 immediately — multiple dependency CVEs patched
Five separate security dependency updates landed in this release, covering cryptography (circl), git operations (go-git), HTTP/2 streaming (spdystream), and telemetry export (otelhttp). Any Crossplane v1.20.x deployment is exposed until upgraded. This isn't a theoretical risk — go-git had two separate security fixes within this single patch release, which signals active exploitation concern. Run your upgrade now.
securityCI/CD supply chain hardening — audit your own pipelines
The Crossplane team mitigated script injection in their release promotion workflow and tightened GitHub Actions job permissions. If you're running Crossplane forks, mirrors, or custom automation that builds on top of Crossplane's CI patterns, audit your own workflows for similar issues: untrusted input in run steps and overly broad GITHUB_TOKEN permissions are the two patterns to check.
enhancementTrivy scanning dropped from CI — don't let it drop from yours
Crossplane dropped Trivy from their CI pipeline in this release. This is an internal CI decision, but if your team was relying on Crossplane's upstream scan results as a proxy for your own security posture, that signal is now gone. Make sure you have independent vulnerability scanning on your Crossplane images and provider images in your own pipelines.
主な変更 (5)
- go-git/go-git updated twice (v5.17.1 → v5.18.0) to address security vulnerabilities in git operations
- cloudflare/circl updated to v1.6.3 for cryptographic library security fixes
- moby/spdystream updated to v0.5.1 to patch a security issue in HTTP/2 stream handling
- OpenTelemetry OTLP trace exporter updated to v1.43.0 with security fixes
- CI workflow hardened against script injection and permission escalation vulnerabilities