v1.18.1 is a routine patch that fixes CIDR matching behavior and serialization determinism while extending an experimental flag to BatchCheck. No breaking changes or CVEs are reported, though the in_cidr fix does change matching behavior for IPv4-mapped IPv6 addresses.
breakingin_cidr now matches IPv4-mapped IPv6 addresses against IPv4 CIDRs
Applies unconditionally: the in_cidr condition now normalizes IPv4-mapped IPv6 addresses (e.g. ::ffff:192.168.1.1) to their IPv4 form before matching, so they can now match IPv4 CIDRs like 192.168.1.0/24. Review any authorization models relying on in_cidr if you expect these addresses to be excluded from IPv4 ranges.
主な変更 (4)
- in_cidr condition now normalizes IPv4-mapped IPv6 addresses (RFC 4291 §2.5.5.2) to their IPv4 equivalent, so ::ffff:192.168.1.1 matches 192.168.1.0/24
- Adds diagnostic logging in weighted_graph_check, Expand, and ListUsers to flag models where a future v2 Check resolution might diverge from v1; no operator action required now
- Experimental weighted_graph_check flag now extends to BatchCheck, evaluating each item with the weighted graph algorithm and falling back per-item to the standard algorithm on non-terminal errors
- Authorization model serialization to serialized_protobuf now uses deterministic proto marshaling, fixing inconsistent stored bytes for models with map-keyed type definitions