リリース
CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。
日本語 準備中Argo CD v3.3.11 is a routine patch release on the 3.3 branch, bundling six bug fixes and one dependency security update (CVE-2026-41240).
securityPatch dompurify CVE in Argo CD UI
This patch bumps redoc/dompurify to v3.4.0 in the UI to fix CVE-2026-41240. If you run the Argo CD UI, upgrade to v3.3.11 to close this XSS-related dependency vulnerability.
enhancementFixes for controller startup race and nil pointer crash
A race condition could raise an InvalidSpecError during application controller startup, and a nil pointer dereference existed in removeWebookMutation() from gitops-engine. Both are fixed here; upgrade if you've seen spurious spec errors or controller crashes on startup.
主な変更 (5)
- Fixed a race condition causing InvalidSpecError during application controller startup
- Fixed a nil pointer dereference in gitops-engine's removeWebookMutation()
- Fixed label truncation for deletion hook resources
- Bumped redoc/dompurify to v3.4.0 in the UI, fixing CVE-2026-41240
- Removed resourceVersion from server-side diff (ssd) handling
日本語 準備中Argo CD 3.4.3 is a patch release fixing a UI XSS CVE (CVE-2026-41240 via dompurify), a controller startup race, a webhook nil-pointer crash, and several CLI/UI bugs.
securityPatch CVE-2026-41240 in the UI (dompurify bump)
dompurify was bumped to v3.4.0 to fix CVE-2026-41240. If you're running Argo CD 3.4.x with the web UI exposed — especially to less-trusted users — upgrade to 3.4.3 promptly. Check whether your current version is behind 3.4.3 and roll it out during your next maintenance window or sooner if the UI is internet-facing.
enhancementFix startup race condition and nil-pointer crash in webhook mutation
A race condition in application controller startup could trigger InvalidSpecError incorrectly, and a nil pointer dereference in removeWebhookMutation() could cause crashes. Both are fixed here. If you've seen spurious errors at controller startup or webhook-related panics, 3.4.3 addresses them directly.
enhancement'app wait' no longer hangs when app is already synced
'app wait' now returns immediately when the app is already in the desired state, instead of blocking. If you use 'app wait' in CI/CD pipelines or scripts as a sync gate, this means faster pipeline runs when apps are already healthy — no code changes needed, just upgrade.
主な変更 (6)
- CVE-2026-41240 patched: dompurify bumped to v3.4.0 in the UI
- Fixed race condition causing InvalidSpecError during application controller startup
- Fixed nil pointer dereference in removeWebhookMutation() in gitops-engine
- CLI: 'app wait' now exits immediately if app is already in desired state
- UI: Parameters tab now returns the full source for non-hydrator apps
- Repo depth setting now honored in gitSourceHasChanges and fetch functions
日本語 準備中Flux v2.8.8 patches two go-git CVEs in source and image-automation controllers, fixes a memory leak in helm-controller, and adds GCP sovereign cloud registry support.
securityUpgrade immediately to patch two go-git CVEs
CVE-2026-45571 and CVE-2026-45570 affect source-controller and image-automation-controller. Both are fixed in go-git v5.19.1 bundled with this release. If you run either of these controllers — and most Flux installations do — upgrade to v2.8.8 now. There's no workaround short of disabling those controllers.
breakingReview charts that place non-CRD resources under crds/ directory
Helm-controller previously force-applied any object found under a chart's crds/ directory, not just actual CRDs. That behavior is now corrected. If you have Helm charts (especially community or third-party ones) that bundle non-CRD manifests under crds/ as a workaround for install ordering, those objects will no longer be force-applied. Audit your HelmRelease resources and test in a non-production environment before rolling this out broadly.
enhancementInvestigate artifact fetch timeouts if reconciliations have been stalling
The new configurable HTTP timeout for artifact fetching directly addresses indefinite blocking during fetches. If you've seen helm-controller or source-controller reconciliations hang without clear errors, this fix likely explains it. After upgrading, configure the timeout explicitly rather than relying on defaults — check the helm-controller v1.5.5 changelog for the specific field name. Also worth auditing memory usage before and after upgrade if your helm-controller pods have been growing steadily in memory.
主な変更 (5)
- go-git updated to v5.19.1 to address CVE-2026-45571 and CVE-2026-45570 in source-controller and image-automation-controller
- helm-controller fix: unbounded memory growth from Kubernetes client transport retry wrapper accumulating on every reconcile cycle
- New configurable HTTP timeout for artifact fetching prevents indefinite blocking and stalled reconciliations in helm-controller
- helm-controller no longer force-applies non-CRD objects placed under a chart's crds/ directory — a behavioral correction that could affect existing charts
- GCP sovereign cloud artifact registry support added to source-controller and image-reflector-controller
日本語 準備中v1.51.0 lands six breaking changes alongside major catalog performance wins, a new AiResource entity kind, and MCP/OIDC hardening. Plan migration time before upgrading.
breakingRun catalog DB migration SQL before deploying to large installs
The new catalog migration adds covering indices and a UNIQUE constraint on the search table, which can be slow on large datasets. The release notes explicitly recommend running the provided SQL commands manually before deploying v1.51.0. Skipping this turns a controlled maintenance window into an uncontrolled deployment stall. Check the changelog for the exact SQL before you upgrade.
breakingAudit six breaking changes before upgrading — OIDC and MsgGraph need immediate config review
The OIDC CIMD/DCR patterns changed from wildcard '*' to specific MCP client defaults — any custom MCP clients will silently stop working unless you explicitly add their patterns to the allow list. Separately, Microsoft Graph now excludes disabled user accounts; if your org tracks disabled users in Backstage, add an explicit filter before upgrading. Also migrate NavItemBlueprint usages to PageBlueprint title/icon params, and update PolicyQueryUser code to use credentials instead of the removed token/expiresInSeconds fields.
enhancementAdopt incremental Microsoft Graph ingestion for large orgs
The new msgraph-incremental module processes users and groups one page at a time and persists cursor state, meaning a pod restart no longer forces a full re-ingest. For orgs with tens of thousands of users, this is a practical operational improvement worth switching to. Install the new module and migrate your provider config — the old MicrosoftGraphOrgEntityProvider remains available but holds the full dataset in memory.
主な変更 (6)
- Six breaking changes: NavItemBlueprint removed, PortableSchema.schema now method-only, OIDC/CIMD/DCR patterns hardened, PolicyQueryUser cleaned up, catalog pagination excludes null-sort entities, Microsoft Graph now filters disabled users by default
- Catalog backend gets substantial query performance improvements — paginated entity lists drop from seconds to milliseconds via index-aware PostgreSQL queries; large installs should run provided SQL migration commands before deploying
- New AiResource catalog entity kind and mcp-server API subtype added, expanding Backstage's model for AI workloads
- Microsoft Graph incremental ingestion module added — memory-efficient cursor-based ingestion that resumes from last page after pod restarts
- Scaffolder form decorators promoted to stable (public API); always() and failure() step control functions added
- TechDocs gains disableExternalFonts option for air-gapped environments; scheduler fixed for tasks longer than ~24.8 days
日本語 準備中pack v0.40.6 is a small patch fixing a trust detection bug in 'builder inspect' and adding Heroku's builder:26 to the trusted builders list.
breakingAudit pipelines that worked around the trust detection bug
If your CI scripts or automation added extra flags or workarounds because 'builder inspect' was misreporting trusted builders as untrusted, remove those workarounds now. Running with unnecessary trust overrides is a security smell worth cleaning up.
enhancementUse heroku/builder:26 without manual trust configuration
Teams targeting Heroku's stack 26 no longer need to manually mark the builder as trusted via '--trust-builder' or config file entries. Upgrade to v0.40.6 and clean up any explicit trust overrides you've added for this builder.
主な変更 (3)
- Fixed 'builder inspect' incorrectly showing known/trusted builders as untrusted
- Added 'heroku/builder:26' to the built-in trusted builders list
- Bundles lifecycle v0.21.0 by default in builders created with this release
日本語 準備中v3.2.12 is a minor patch fixing a lint nesting issue, URL validation export, and a log line overflow bug in the UI. Low risk, safe to apply.
enhancementApply patch if UI log wrapping is causing visual issues
If your team uses Argo CD's log viewer with line-wrapping enabled, lines were overflowing their container — a fairly annoying UX bug. This patch resolves it cleanly. No config changes needed; just upgrade.
enhancementRoutine patch — schedule upgrade at your next maintenance window
No breaking changes, no CVEs. The spdystream dependency bump is a minor upstream fix. This is a straightforward patch release; there's no urgency, but keeping current on 3.2.x is good hygiene before any future minor version jump.
主な変更 (5)
- Fixed log lines overflowing their container when the wrap-lines toggle is enabled (Issue #27586)
- Exported the URL validation function for external use (#27816)
- Fixed unnecessary nesting in lint logic (#27815)
- Bumped github.com/moby/spdystream from 0.5.0 to 0.5.1
- All container images remain cosign-signed with SLSA Level 3 provenance
日本語 準備中Argo CD v3.3.10 is a patch release fixing a nil-pointer panic in permission validation, a log line UI overflow bug, and bumping Go to 1.25.9 to address CVEs.
securityUpgrade immediately — Go 1.25.9 fixes CVEs in the runtime
The Go runtime was bumped from a prior version to 1.25.9 specifically to resolve CVEs. The release notes don't enumerate the CVE IDs, but any patch that upgrades the runtime for security reasons on a stable branch deserves prompt action. If you're running 3.3.x, upgrade to 3.3.10 now rather than waiting for your next maintenance window.
breakingServer-side diff now correctly hides secrets — verify diff outputs if you rely on them
The fix to apply HideSecretData to server-side diff results means that previously exposed secret values in diff views will now be redacted. If any automation, alerting, or audit tooling parses diff output expecting raw secret values, it will break. Review your diff-dependent workflows before upgrading.
enhancementNil APIResource panic fix prevents unexpected controller crashes
The permission validator could panic when an APIResource was nil — a condition that can occur with certain custom or non-standard API groups. If you've seen intermittent ArgoCD controller restarts without clear cause, this is a likely culprit. Upgrade to 3.3.10 to stabilize those environments.
主な変更 (5)
- Go runtime updated to 1.25.9 to resolve unspecified CVEs affecting the 3.3 branch
- Panic fix in permission validator when APIResource is nil — previously could crash the controller
- Log viewer wrap-lines toggle no longer causes lines to overflow the container
- HideSecretData now correctly applied to server-side diff results in gitops-engine
- OpenTelemetry SDK bumped to 1.43.0
日本語 準備中Argo CD v3.4.2 is a patch release fixing a panic in the permission validator, reverting a problematic revision update optimization, and patching secret data exposure in server-side diffs.
securitySecret values could appear in diff output — patch now
Server-side diff results for Secret resources were not having HideSecretData applied, meaning secret values could be exposed in diff views through the UI or API. If you use server-side apply or server-side diff previews, upgrade to 3.4.2 immediately. Audit your ArgoCD API access logs if you suspect exposure.
breakingUpdateRevisionForPaths revert may re-introduce previous behavior
The optimization that avoided unnecessary UpdateRevisionForPaths calls (merged in 3.4.x) caused regressions and has been reverted. If you were relying on that behavior for performance or correctness, expect the pre-fix behavior to return. Monitor sync operations after upgrading, especially for path-filtered applications.
enhancementPermission validator panic fix improves stability
A nil APIResource in the permission validator could crash the ArgoCD server process. This is now guarded. If you've seen unexpected pod restarts on the ArgoCD server, especially in environments with non-standard CRDs or API aggregation, this patch likely addresses it.
主な変更 (5)
- Reverted the 'avoid calling UpdateRevisionForPaths unnecessarily' fix from v3.4.x due to regressions it introduced
- Fixed nil pointer panic in permission validator when APIResource is nil — a stability fix for edge-case RBAC scenarios
- HideSecretData now correctly applied to server-side diff results for Secrets, preventing potential secret leakage in UI/API diff views
- OpenTelemetry SDK bumped to 1.43.0 and moby/spdystream updated to 0.5.1
- CI pipeline image pinning added for supply chain integrity
日本語 準備中Flux v2.8.7 patches a CVE in go-git and fixes a destructive reconciliation bug where non-namespaced resources with ssa:IfNotPresent were being deleted and recreated every cycle.
securityPatch CVE-2026-45022 by upgrading now
go-git v5.19.0 fixes CVE-2026-45022, which affects source-controller and image-automation-controller — two components that actively clone and interact with Git repos. If your Flux installation pulls from any external or semi-trusted Git source, treat this as a priority upgrade. Run 'flux install' or update your Helm release to v2.8.7 immediately.
breakingCheck non-namespaced resources using ssa:IfNotPresent for unintended churn
If you're managing ClusterRoles, CRDs, or other cluster-scoped resources with the kustomize.toolkit.fluxcd.io/ssa: IfNotPresent annotation, those resources were being silently deleted and recreated on every reconciliation loop before this fix. Audit your Kustomization objects and verify resource state after upgrading to confirm the churn has stopped. Any dependent workloads may have experienced disruptions you weren't aware of.
enhancementFollow the v2.7+ upgrade procedure if coming from v2.6
The Flux team has a specific upgrade discussion thread for v2.7+ migrations. Skipping it when jumping from v2.6 to v2.8.7 can cause issues. Review the linked procedure before applying this update in environments running older Flux versions.
主な変更 (4)
- CVE-2026-45022 fixed via go-git v5.19.0 in source-controller and image-automation-controller
- kustomize-controller no longer deletes and recreates non-namespaced resources annotated with ssa:IfNotPresent on every reconciliation
- fluxcd/pkg dependency updates across source-controller, kustomize-controller, and image-automation-controller
- helm-controller v1.5.4, kustomize-controller v1.8.5, source-controller v1.8.4 component bumps
日本語 準備中Argo CD 3.4.1 is the first 3.4 release (skipping 3.4.0), bringing a breaking cluster version format change for ApplicationSets, plus a large wave of bug fixes, performance improvements, and UI enhancements.
securityAdd X-Frame-Options/CSP headers and JWT logout invalidation
Two security fixes landed: Swagger UI endpoints now return X-Frame-Options and Content-Security-Policy headers (mitigates clickjacking), and JWT tokens are invalidated server-side on logout (prevents session reuse after logout). Both are passive — no config changes needed — but if you run Argo CD behind a reverse proxy that strips security headers, verify the headers reach clients after upgrading.
breakingUpdate ApplicationSet cluster version labels before upgrading
The kubernetes-version label format changed from Major.Minor (e.g., '1.29') to vMajor.Minor.Patch (e.g., 'v1.29.3') to match Helm 3.19.0. If you use ApplicationSet Cluster Generators with argocd.argoproj.io/auto-label-cluster-info, your existing cluster secrets carry the old format. After upgrading, update those secrets to use argocd.argoproj.io/kubernetes-version with the new format, or your cluster-version-based filters will stop matching. Check the 3.3-3.4 upgrade guide before rolling out.
enhancementAppSet controller and repo-server performance improvements worth monitoring
Several perf fixes shipped: optimized parentUIDToChildren data structure, reduced secret deep-copies in the controller, parallel batching in CLI server-side diff, and optimized repoLock on checkout. If you've been seeing slow reconciliation or high CPU in the appset controller on large clusters, this upgrade should show measurable improvement. Monitor controller CPU and reconciliation latency metrics after rollout.
主な変更 (5)
- Breaking: Kubernetes cluster version format changed from Major.Minor to vMajor.Minor.Patch to align with Helm 3.19.0 behavior — ApplicationSet Cluster Generators using auto-label-cluster-info must update their label key
- JWT tokens are now invalidated on logout, closing a session persistence gap
- X-Frame-Options and CSP headers added to Swagger UI endpoints
- Stack overflow fix for circular ownerRef processing in resource graphs — affects anyone with complex resource hierarchies
- AppSet controller performance improved: optimized cluster secret fetching, application cache synchronization, and reduced secret deep-copies
日本語 準備中Argo CD v3.1.16 is a minor patch fixing a server-side double-delete error and bumping the SonarQube scan action dependency.
securityVerify cosign signatures after upgrading
Every release is a good reminder to validate image provenance in your admission pipeline. Argo CD images meet SLSA Level 3 — if you're not yet enforcing signature verification at deploy time, now is a practical moment to wire that into your policy engine (e.g., Kyverno or OPA Gatekeeper).
enhancementApply patch if double-delete errors are hitting your workflows
If your GitOps pipelines or operators occasionally retry delete operations (e.g., during cascade deletes or reconciliation loops), the previous behavior could surface spurious errors that confused alerting or caused retries to fail loudly. This fix cleans that up. Upgrade is low-risk given the narrow scope of changes.
主な変更 (3)
- Bug fix: server no longer throws an error when a second delete operation is attempted on the same resource
- SonarQube scan action bumped from 5.2.0 to 8.0.0 in CI pipeline
- All container images remain cosign-signed with SLSA Level 3 provenance