RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Argo解除 ×

Argo

CI/CD & App Delivery2026年6月18日

Argo CD 3.4.4 is a patch release focused on stability fixes for health checks, RBAC, diffs, and template rendering. Update if you run multi-namespace setups or use Dex authentication.

  • breakingRBAC regression fix for multi-namespace setups

    A prior release introduced a regression in RBAC enforcement for project-scoped resources in multi-namespace architectures. This patch restores correct behavior. If you use project-level RBAC restrictions across multiple namespaces, verify that access controls work as expected after upgrading, particularly around project-scoped resource visibility.

  • enhancementHealth check reliability improvement

    The PromotionStrategy health check was incorrectly reporting Progressing after no-op re-hydration, blocking deployments. This is now fixed. If you use PromotionStrategy with ArgoCD, upgrade to avoid stalled health states that require manual intervention to clear.

  • enhancementServer-side diff regression resolved

    A recent change broke server-side diffs on new objects, causing errors. This patch restores diff functionality. If you rely on server-side diffs in your deployment pipeline (especially for new resources), apply this update to restore normal diff behavior.

主な変更 (5)
  • Fixed PromotionStrategy health check regression that left resources stuck in Progressing state
  • Resolved RBAC regression affecting project-scoped resources in multi-namespace deployments
  • Fixed diff error on new objects in server-side diffs
  • Patched Dex password parsing to handle dollar signs correctly
  • Resolved cross-generator Values template resolution in ApplicationSet RenderGeneratorParams
原文

Argo

CI/CD & App Delivery2026年6月18日

Argo CD v3.3.12 is a maintenance release fixing sync state tracking, cluster observer locking, configuration parsing, and git repository depth handling—no breaking changes.

  • securityDex authentication now handles special characters in passwords

    Dex password parsing previously failed if passwords contained dollar signs, potentially locking users out. If you use Dex for OIDC and recently added or updated passwords with special characters, upgrade to v3.3.12 immediately to restore access. Test Dex login after updating.

  • enhancementFix PromotionStrategy stuck state if using Argo Rollouts

    If you run Argo CD with Argo Rollouts and use PromotionStrategy, applications may have remained stuck in Progressing after configuration reloads even when nothing changed. Update to v3.3.12 to resolve this. Check your application health status post-upgrade to confirm recovery.

主な変更 (5)
  • PromotionStrategy health status no longer stuck in Progressing after no-op re-hydration
  • Cluster informer now protected by lock to prevent concurrent access issues
  • Dex password parsing fixed to handle dollar signs correctly
  • Git repository depth setting now honored in change detection and fetch operations
  • Live status excluded from normalization to improve accuracy
原文

Argo

CI/CD & App Delivery2026年5月28日

Argo CD v3.3.11 is a routine patch release on the 3.3 branch, bundling six bug fixes and one dependency security update (CVE-2026-41240).

  • securityPatch dompurify CVE in Argo CD UI

    This patch bumps redoc/dompurify to v3.4.0 in the UI to fix CVE-2026-41240. If you run the Argo CD UI, upgrade to v3.3.11 to close this XSS-related dependency vulnerability.

  • enhancementFixes for controller startup race and nil pointer crash

    A race condition could raise an InvalidSpecError during application controller startup, and a nil pointer dereference existed in removeWebookMutation() from gitops-engine. Both are fixed here; upgrade if you've seen spurious spec errors or controller crashes on startup.

主な変更 (5)
  • Fixed a race condition causing InvalidSpecError during application controller startup
  • Fixed a nil pointer dereference in gitops-engine's removeWebookMutation()
  • Fixed label truncation for deletion hook resources
  • Bumped redoc/dompurify to v3.4.0 in the UI, fixing CVE-2026-41240
  • Removed resourceVersion from server-side diff (ssd) handling
原文

Argo

CI/CD & App Delivery2026年5月28日

Argo CD 3.4.3 is a patch release fixing a UI XSS CVE (CVE-2026-41240 via dompurify), a controller startup race, a webhook nil-pointer crash, and several CLI/UI bugs.

  • securityPatch CVE-2026-41240 in the UI (dompurify bump)

    dompurify was bumped to v3.4.0 to fix CVE-2026-41240. If you're running Argo CD 3.4.x with the web UI exposed — especially to less-trusted users — upgrade to 3.4.3 promptly. Check whether your current version is behind 3.4.3 and roll it out during your next maintenance window or sooner if the UI is internet-facing.

  • enhancementFix startup race condition and nil-pointer crash in webhook mutation

    A race condition in application controller startup could trigger InvalidSpecError incorrectly, and a nil pointer dereference in removeWebhookMutation() could cause crashes. Both are fixed here. If you've seen spurious errors at controller startup or webhook-related panics, 3.4.3 addresses them directly.

  • enhancement'app wait' no longer hangs when app is already synced

    'app wait' now returns immediately when the app is already in the desired state, instead of blocking. If you use 'app wait' in CI/CD pipelines or scripts as a sync gate, this means faster pipeline runs when apps are already healthy — no code changes needed, just upgrade.

主な変更 (6)
  • CVE-2026-41240 patched: dompurify bumped to v3.4.0 in the UI
  • Fixed race condition causing InvalidSpecError during application controller startup
  • Fixed nil pointer dereference in removeWebhookMutation() in gitops-engine
  • CLI: 'app wait' now exits immediately if app is already in desired state
  • UI: Parameters tab now returns the full source for non-hydrator apps
  • Repo depth setting now honored in gitSourceHasChanges and fetch functions
原文

Argo

CI/CD & App Delivery2026年5月13日

v3.2.12 is a minor patch fixing a lint nesting issue, URL validation export, and a log line overflow bug in the UI. Low risk, safe to apply.

  • enhancementApply patch if UI log wrapping is causing visual issues

    If your team uses Argo CD's log viewer with line-wrapping enabled, lines were overflowing their container — a fairly annoying UX bug. This patch resolves it cleanly. No config changes needed; just upgrade.

  • enhancementRoutine patch — schedule upgrade at your next maintenance window

    No breaking changes, no CVEs. The spdystream dependency bump is a minor upstream fix. This is a straightforward patch release; there's no urgency, but keeping current on 3.2.x is good hygiene before any future minor version jump.

主な変更 (5)
  • Fixed log lines overflowing their container when the wrap-lines toggle is enabled (Issue #27586)
  • Exported the URL validation function for external use (#27816)
  • Fixed unnecessary nesting in lint logic (#27815)
  • Bumped github.com/moby/spdystream from 0.5.0 to 0.5.1
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Argo

CI/CD & App Delivery2026年5月13日

Argo CD v3.3.10 is a patch release fixing a nil-pointer panic in permission validation, a log line UI overflow bug, and bumping Go to 1.25.9 to address CVEs.

  • securityUpgrade immediately — Go 1.25.9 fixes CVEs in the runtime

    The Go runtime was bumped from a prior version to 1.25.9 specifically to resolve CVEs. The release notes don't enumerate the CVE IDs, but any patch that upgrades the runtime for security reasons on a stable branch deserves prompt action. If you're running 3.3.x, upgrade to 3.3.10 now rather than waiting for your next maintenance window.

  • breakingServer-side diff now correctly hides secrets — verify diff outputs if you rely on them

    The fix to apply HideSecretData to server-side diff results means that previously exposed secret values in diff views will now be redacted. If any automation, alerting, or audit tooling parses diff output expecting raw secret values, it will break. Review your diff-dependent workflows before upgrading.

  • enhancementNil APIResource panic fix prevents unexpected controller crashes

    The permission validator could panic when an APIResource was nil — a condition that can occur with certain custom or non-standard API groups. If you've seen intermittent ArgoCD controller restarts without clear cause, this is a likely culprit. Upgrade to 3.3.10 to stabilize those environments.

主な変更 (5)
  • Go runtime updated to 1.25.9 to resolve unspecified CVEs affecting the 3.3 branch
  • Panic fix in permission validator when APIResource is nil — previously could crash the controller
  • Log viewer wrap-lines toggle no longer causes lines to overflow the container
  • HideSecretData now correctly applied to server-side diff results in gitops-engine
  • OpenTelemetry SDK bumped to 1.43.0
原文

Argo

CI/CD & App Delivery2026年5月13日

Argo CD v3.4.2 is a patch release fixing a panic in the permission validator, reverting a problematic revision update optimization, and patching secret data exposure in server-side diffs.

  • securitySecret values could appear in diff output — patch now

    Server-side diff results for Secret resources were not having HideSecretData applied, meaning secret values could be exposed in diff views through the UI or API. If you use server-side apply or server-side diff previews, upgrade to 3.4.2 immediately. Audit your ArgoCD API access logs if you suspect exposure.

  • breakingUpdateRevisionForPaths revert may re-introduce previous behavior

    The optimization that avoided unnecessary UpdateRevisionForPaths calls (merged in 3.4.x) caused regressions and has been reverted. If you were relying on that behavior for performance or correctness, expect the pre-fix behavior to return. Monitor sync operations after upgrading, especially for path-filtered applications.

  • enhancementPermission validator panic fix improves stability

    A nil APIResource in the permission validator could crash the ArgoCD server process. This is now guarded. If you've seen unexpected pod restarts on the ArgoCD server, especially in environments with non-standard CRDs or API aggregation, this patch likely addresses it.

主な変更 (5)
  • Reverted the 'avoid calling UpdateRevisionForPaths unnecessarily' fix from v3.4.x due to regressions it introduced
  • Fixed nil pointer panic in permission validator when APIResource is nil — a stability fix for edge-case RBAC scenarios
  • HideSecretData now correctly applied to server-side diff results for Secrets, preventing potential secret leakage in UI/API diff views
  • OpenTelemetry SDK bumped to 1.43.0 and moby/spdystream updated to 0.5.1
  • CI pipeline image pinning added for supply chain integrity
原文

Argo

CI/CD & App Delivery2026年5月6日

Argo CD 3.4.1 is the first 3.4 release (skipping 3.4.0), bringing a breaking cluster version format change for ApplicationSets, plus a large wave of bug fixes, performance improvements, and UI enhancements.

  • securityAdd X-Frame-Options/CSP headers and JWT logout invalidation

    Two security fixes landed: Swagger UI endpoints now return X-Frame-Options and Content-Security-Policy headers (mitigates clickjacking), and JWT tokens are invalidated server-side on logout (prevents session reuse after logout). Both are passive — no config changes needed — but if you run Argo CD behind a reverse proxy that strips security headers, verify the headers reach clients after upgrading.

  • breakingUpdate ApplicationSet cluster version labels before upgrading

    The kubernetes-version label format changed from Major.Minor (e.g., '1.29') to vMajor.Minor.Patch (e.g., 'v1.29.3') to match Helm 3.19.0. If you use ApplicationSet Cluster Generators with argocd.argoproj.io/auto-label-cluster-info, your existing cluster secrets carry the old format. After upgrading, update those secrets to use argocd.argoproj.io/kubernetes-version with the new format, or your cluster-version-based filters will stop matching. Check the 3.3-3.4 upgrade guide before rolling out.

  • enhancementAppSet controller and repo-server performance improvements worth monitoring

    Several perf fixes shipped: optimized parentUIDToChildren data structure, reduced secret deep-copies in the controller, parallel batching in CLI server-side diff, and optimized repoLock on checkout. If you've been seeing slow reconciliation or high CPU in the appset controller on large clusters, this upgrade should show measurable improvement. Monitor controller CPU and reconciliation latency metrics after rollout.

主な変更 (5)
  • Breaking: Kubernetes cluster version format changed from Major.Minor to vMajor.Minor.Patch to align with Helm 3.19.0 behavior — ApplicationSet Cluster Generators using auto-label-cluster-info must update their label key
  • JWT tokens are now invalidated on logout, closing a session persistence gap
  • X-Frame-Options and CSP headers added to Swagger UI endpoints
  • Stack overflow fix for circular ownerRef processing in resource graphs — affects anyone with complex resource hierarchies
  • AppSet controller performance improved: optimized cluster secret fetching, application cache synchronization, and reduced secret deep-copies
原文

Argo

CI/CD & App Delivery2026年5月5日

Argo CD v3.1.16 is a minor patch fixing a server-side double-delete error and bumping the SonarQube scan action dependency.

  • securityVerify cosign signatures after upgrading

    Every release is a good reminder to validate image provenance in your admission pipeline. Argo CD images meet SLSA Level 3 — if you're not yet enforcing signature verification at deploy time, now is a practical moment to wire that into your policy engine (e.g., Kyverno or OPA Gatekeeper).

  • enhancementApply patch if double-delete errors are hitting your workflows

    If your GitOps pipelines or operators occasionally retry delete operations (e.g., during cascade deletes or reconciliation loops), the previous behavior could surface spurious errors that confused alerting or caused retries to fail loudly. This fix cleans that up. Upgrade is low-risk given the narrow scope of changes.

主な変更 (3)
  • Bug fix: server no longer throws an error when a second delete operation is attempted on the same resource
  • SonarQube scan action bumped from 5.2.0 to 8.0.0 in CI pipeline
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Argo

CI/CD & App Delivery2026年5月1日

v3.3.9 is a focused patch addressing four bugs — including a panic in ApplicationSet DuckType Generator and a UI crash in pod logs — plus a Go version bump to resolve CVEs.

  • securityUpgrade to patch Go-level CVEs

    The Go runtime was bumped specifically to resolve CVEs. The release notes don't enumerate the exact CVE IDs, but if you're running 3.3.x in production, upgrade to 3.3.9 now rather than waiting for your next maintenance window. All container images are cosign-signed and SLSA Level 3 provenance is available — verify signatures before deploying if your pipeline requires it.

  • breakingApplicationSet DuckType Generator panic is now fixed — review affected ApplicationSets

    If you use DuckType Generators and have clusters with non-string label values, previous versions would silently panic. After upgrading, those ApplicationSets will now process correctly rather than crashing. Do a quick audit of your ApplicationSet resources post-upgrade to confirm they're reconciling as expected — you may see previously-failing sets suddenly become active.

  • enhancementOCI metadata caching restored — expect reduced registry pressure

    The Redis cache for OCI metadata was broken, meaning every OCI source lookup was hitting the registry directly. With this fix, caching works again. If you use OCI-sourced ApplicationSets or Helm charts, you should see reduced latency and fewer registry requests after upgrading. No configuration change needed.

主な変更 (5)
  • Fixed panic in ApplicationSet DuckType Generator when encountering non-string values in cluster labels
  • Fixed pod logs viewer UI crash caused by stale container index references
  • Fixed double-delete error on the server side to prevent spurious errors during cleanup operations
  • Fixed OCI metadata put/get to/from Redis cache, restoring proper caching behavior
  • Bumped Go version to patch CVEs in the Go standard library
原文

Argo

CI/CD & App Delivery2026年5月1日

Argo CD v3.2.11 is a patch release fixing three UI/server bugs — a double-delete error, a 401 stream crash, and a pod logs viewer crash on stale container indices.

  • enhancementApply this patch if your team uses the pod logs viewer or streaming UI features

    Two of the three fixes target UI stability — the pod logs crash on stale container indices and the 401 stream error. Both are silent killers in day-to-day operations: engineers open the logs viewer during an incident and hit a blank screen or crash. Drop this patch into your next maintenance window. No config changes needed.

  • enhancementDouble-delete server error is fixed — relevant if you use automated cleanup workflows

    If your pipelines or operators trigger multiple delete attempts on the same Argo CD resource (common in GitOps reconciliation loops or scripted teardowns), the server previously returned an error on the second attempt. This is now handled gracefully. No action required beyond upgrading.

主な変更 (5)
  • Fixed server error when a second delete operation is attempted on the same resource
  • Fixed UI crash when a 401 unauthorized error occurs in a streaming connection
  • Fixed pod logs viewer crash caused by stale container index references
  • Bumped SonarQube scan action dependency from 5.3.1 to 8.0.0
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Argo

CI/CD & App Delivery2026年4月22日

Argo CD v3.3.8 is a patch release with six bug fixes targeting core mode syncs, AppSet resource limits, CLI diff accuracy, and informer cache staleness.

  • breakingRefresh behavior changed again — validate your autosync pipelines

    The revert of the informer resync fix means refresh behavior is back to pre-3.3.7 state. If you tuned anything around reduced refresh frequency after upgrading to 3.3.7, re-examine those assumptions. Check autosync event logs to confirm expected behavior before promoting to production.

  • enhancementCore mode users: upgrade immediately to unblock syncs

    The missing server.secretkey bug caused silent sync failures in core mode deployments — a serious operational gap that's easy to miss in monitoring. If you run Argo CD in core mode, this patch is not optional. Upgrade, then verify sync status across all applications post-upgrade.

  • enhancementLarge ApplicationSets now default to 5,000 resource status entries

    If you manage ApplicationSets with hundreds of apps, you may have hit the old resource status count ceiling without realizing it. After upgrading, review any ApplicationSets that showed truncated or missing resource statuses and confirm they now report correctly.

主な変更 (6)
  • Reverted an earlier fix that prevented automatic refreshes from informer resync and status updates — the revert restores previous refresh behavior
  • App controller in core mode no longer fails to sync when server.secretkey is missing
  • AppSet resource status count ceiling raised to 5,000 by default (up from prior limit)
  • CLI app diff/manifests now correctly use DrySource revision when sourceHydrator is active
  • Stale informer cache in RevisionMetadata handler resolved, reducing phantom diff scenarios
  • Autosync event message format reverted to match pre-regression output
原文

Argo

CI/CD & App Delivery2026年4月22日

Argo CD v3.2.10 is a pure bug-fix patch that resolves five regressions, including a critical core-mode sync failure and a stale cache issue in RevisionMetadata.

  • breakingCore-mode deployments: upgrade immediately if apps are stuck out-of-sync

    If you run Argo CD in core mode (no API server) and recently saw apps failing to sync with secret-related errors, the missing server.secretkey bug was silently blocking all syncs. Upgrade to v3.2.10 and verify affected apps reconcile cleanly afterward.

  • breakingAutosync event message format reverted — re-check any alerting rules you updated

    A message format change introduced recently and then reverted means the autosync event messages are back to their original format. If you updated Prometheus alerting rules, Grafana queries, or log parsers to match the new format, roll those changes back before upgrading to avoid false positives or missed alerts.

  • enhancementsourceHydrator users: upgrade to get correct app diff behavior

    The CLI was using the wrong source revision for app diff and manifests commands when sourceHydrator was in use, meaning you could be reviewing diffs against the wrong state. After upgrading, re-run any diff checks you performed on v3.2.9 to confirm the output is accurate.

主な変更 (5)
  • Reverted an over-aggressive change that blocked automatic refreshes from informer resync and status updates — restoring expected GitOps sync behavior
  • Fixed app controller in core mode failing to sync when the server.secretkey is missing — a silent failure that could leave apps permanently out-of-sync
  • Fixed CLI app diff/manifests using the wrong revision when sourceHydrator is configured
  • Fixed stale informer cache reads in the RevisionMetadata handler, preventing outdated metadata from being served
  • Reverted an autosync event message format change that broke downstream log parsing or alerting rules
原文

Argo

CI/CD & App Delivery2026年4月22日

Patch release with two targeted bug fixes: a revert of a problematic refresh prevention change and a core mode sync failure when server.secretkey is absent.

  • breakingRevert of refresh-prevention fix may re-expose original behavior

    The cherry-picked fix for preventing automatic refreshes from informer resyncs and status updates was reverted because it caused problems in 3.1. If you upgraded to 3.1.x specifically expecting that behavior to be fixed, it's gone again. Watch the upstream issue for a corrected implementation before relying on it. No action needed otherwise, but be aware of potential extra refresh churn in large clusters.

  • enhancementUpgrade immediately if running Argo CD in core mode without server.secretkey

    A bug caused the application controller to fail syncing entirely when running in core mode and the server.secretkey was absent from the cluster secret. If your core-mode installations have ever had intermittent sync failures that were hard to diagnose, this is likely the culprit. Upgrade to 3.1.15 and verify syncs resume normally after rollout.

主な変更 (3)
  • Reverted the automatic refresh prevention fix (#25290) that was cherry-picked into 3.1 — the fix itself caused regressions
  • Fixed app controller core mode failing to sync when server.secretkey is missing from the cluster secret
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Argo

CI/CD & App Delivery2026年4月17日

Argo CD v3.3.7 is a patch release fixing controller performance regressions, OIDC config handling, and several UI/security header issues.

  • securitySwagger UI endpoints now have clickjacking protection — upgrade if exposed

    X-Frame-Options and Content-Security-Policy headers were missing from Swagger UI endpoints. If your Argo CD API server is reachable from browsers (even internally), those endpoints were frameable. Upgrade to 3.3.7 to close this. No config change needed post-upgrade.

  • breakingOIDC auth may behave differently after upgrade if config was stale

    The fix ensures OIDC config reloads on server restart rather than using a cached/stale version. In practice this is a correctness fix, but if you've been working around stale OIDC behavior with manual pod restarts, verify SSO flows after upgrading to confirm expected behavior.

  • enhancementUpgrade if you're seeing excessive reconciliation or controller CPU spikes

    Two separate fixes address controller overhead: the parentUIDToChildren data structure change reduces memory churn on large clusters, and the informer resync fix stops unnecessary app refreshes that inflate API server load. If your controller is burning CPU or you're seeing constant reconcile loops, this patch is worth prioritizing.

主な変更 (5)
  • Controller performance improved: switched parentUIDToChildren to map-of-sets and reduced secret deep copies/deserialization overhead
  • OIDC config now properly refreshes on server restart — previously stale config could cause auth failures
  • X-Frame-Options and CSP headers added to Swagger UI endpoints, closing a clickjacking exposure
  • Prevented automatic refreshes triggered by informer resync and status updates, reducing unnecessary reconciliation churn
  • Fixed repo-server crashes caused by symlink handling in copyutil and missing repo.insecure flag propagation to helm dependency build
原文

Argo

CI/CD & App Delivery2026年4月16日

Argo CD v3.1.14 is a small patch fixing unnecessary app refreshes and a CI lockfile issue, plus a dependency bump for fast-xml-parser.

  • securityfast-xml-parser bump closes potential parsing vulnerabilities

    The fast-xml-parser library was bumped three minor versions. These kinds of XML parser updates often address denial-of-service or entity expansion issues. While Argo CD's exposure surface for this library is limited to the UI, staying current here is straightforward — just upgrade and verify UI functionality in your staging environment.

  • enhancementUpgrade if informer resync is flooding your refresh queue

    The fix for automatic refreshes triggered by informer resync and status updates is the real reason to pick up this patch. If you've been seeing excessive app refresh activity or high controller CPU load during resync windows, this addresses the root cause. Deploy this patch during your next maintenance window — it's low risk.

主な変更 (4)
  • Prevents automatic refreshes triggered by informer resync and status updates — a meaningful reduction in unnecessary reconciliation noise
  • Fixes yarn install running without --frozen-lockfile in CI, improving build reproducibility
  • Bumps fast-xml-parser from 4.5.3 to 4.5.6 in the UI dependency tree
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Argo

CI/CD & App Delivery2026年4月16日

Argo CD v3.2.9 is a patch release fixing excessive refresh triggers, a UI rendering bug for OCI revisions, and a CI lockfile issue, plus a dependency bump for fast-xml-parser.

  • securityfast-xml-parser bump addresses potential XML parsing issues in the UI

    fast-xml-parser was bumped from 4.5.3 to 4.5.6. While no specific CVE is called out in the release notes, staying current on XML parsing libraries in web UIs is prudent given their attack surface. If your Argo CD UI is exposed to untrusted users or external traffic, this upgrade is worth prioritizing.

  • enhancementUpgrade if informer resync noise is causing excessive reconciliation

    The fix for unintended automatic refreshes from informer resync and status updates (#25290) is the most operationally impactful change here. If you've seen high reconciliation rates or unexplained sync activity in busy clusters, this patch directly addresses that. Upgrade to 3.2.9 and monitor your refresh/sync rate metrics post-upgrade.

  • enhancementOCI users: revision metadata now renders correctly

    If your team uses OCI-based Helm charts or manifests and noticed the revision metadata panel was always blank, that was a guard clause bug — not a config problem. This release fixes it. No action needed beyond upgrading; the UI should display OCI revision info correctly afterward.

主な変更 (5)
  • Fixed automatic refreshes being triggered unnecessarily by informer resync and status updates — a potential performance/noise issue in busy clusters
  • Fixed OCI revision metadata never rendering in the UI due to a conflicting guard clause
  • Bumped fast-xml-parser from 4.5.3 to 4.5.6 (dependency security/stability hygiene)
  • Updated notifications-engine dependency to v0.5.1-0.20260316232552
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Argo

CI/CD & App Delivery2026年3月27日

Argo CD v3.3.6 is a focused bug-fix patch addressing a false-positive diff detection during app normalization and a wrong installation ID returned from cache.

  • breakingCheck for ghost sync loops before upgrading

    If your ArgoCD controller has been triggering unexpected syncs or showing phantom diffs on apps that haven't changed, this patch fixes that normalization bug. Upgrade to 3.3.6 promptly if you're seeing this — it's a common source of noisy alerts and wasted reconciliation cycles.

  • enhancementRoutine patch — safe to apply quickly

    This is a two-bug patch with no schema changes, no API changes, and no migration steps. If you're already on 3.3.x, roll this out through your normal process. No special precautions needed.

主な変更 (3)
  • Fixed controller incorrectly detecting diffs during application normalization, which caused spurious sync triggers
  • Fixed wrong installation ID being returned from cache, which could affect telemetry or identity tracking
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Argo

CI/CD & App Delivery2026年3月26日

A targeted patch release fixing a gRPC CVE, a false-diff bug in app normalization, and a UI glitch in RollingSync — upgrade promptly for the security fix alone.

  • securityPatch CVE-2026-33186 by upgrading to v3.2.8 now

    The grpc-go CVE-2026-33186 fix is the primary reason to move quickly on this release. If you're running any 3.2.x version, upgrade to 3.2.8. Verify your container images using cosign against the published provenance — the Argo CD docs cover the exact verification steps. Don't wait on this one.

  • breakingCheck for spurious sync operations before and after upgrade

    The normalization diff bug could have been silently triggering syncs on apps that were actually in-sync. After upgrading, review your sync history for apps that synced frequently without visible config changes — those were likely false positives. The fix should stop them, but any automation or alerts built around sync frequency may need recalibration.

  • enhancementRollingSync UI fix improves progressive delivery visibility

    If you use ApplicationSets with RollingSync and have ever wondered why a step appeared blank or unclear in the UI, this fix addresses that. No action needed beyond upgrading, but it's worth re-examining your RollingSync step configurations in the UI post-upgrade to confirm everything displays as expected.

主な変更 (4)
  • Mitigates grpc-go CVE-2026-33186, a security vulnerability in the gRPC library used by Argo CD
  • Fixes controller incorrectly detecting diffs during app normalization, which could cause unnecessary sync operations
  • Fixes UI not clearly displaying RollingSync steps when labels match no step
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Argo

CI/CD & App Delivery2026年3月26日

Patch release fixing a gRPC CVE and a UI bug in RollingSync. Low operational risk, but the security fix warrants prompt upgrade.

  • securityUpgrade now to mitigate CVE-2026-33186 in grpc-go

    CVE-2026-33186 affects the grpc-go library used by Argo CD's internal and external gRPC communication. The fix is a mitigation backport to the 3.1 branch. Any Argo CD 3.1.x instance prior to 3.1.13 is exposed. Upgrade to 3.1.13 promptly — this should be treated as a priority patch, not a routine update. After upgrading, verify image signatures with cosign against the published provenance if your supply chain policy requires it.

  • securitylodash bumped to 4.17.23 — check if your own apps pin this version

    The lodash bump in the UI bundle closes known issues in 4.17.21/4.17.22. If your team also pins lodash in application code or CI pipelines referencing Argo CD's frontend assets, audit those pinned versions independently. This change only covers the Argo CD UI bundle itself.

  • enhancementRollingSync UI fix helps diagnose misconfigured sync waves

    If you use ApplicationSets with RollingSync and label-based step matching, the previous UI would silently hide steps that matched no labels — making it hard to spot misconfigured rollout waves. The fix surfaces these unmatched steps visibly. After upgrading, review any RollingSync-heavy ApplicationSets to confirm step labels are actually matching the intended clusters or apps.

主な変更 (4)
  • Mitigated CVE-2026-33186 in grpc-go — affects all deployments using gRPC communication
  • Fixed UI display issue where RollingSync steps with no matching labels were not shown clearly
  • Bumped lodash from 4.17.21 to 4.17.23 to address known vulnerabilities in the dependency
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Argo

CI/CD & App Delivery2026年3月25日

Argo CD v3.3.5 is a patch release fixing a stack overflow bug, hook ordering issues, and UI improvements — low risk, high value to upgrade.

  • breakingCircular ownerRef crash is now fixed — upgrade if you hit mysterious crashes

    If your cluster has resources with circular ownership references (common in some operators or misconfigured CRDs), Argo CD could stack overflow and crash during graph processing. This is now fixed. If you've seen unexplained application-controller crashes, this is almost certainly the cause. Patch immediately.

  • breakingPostSync hooks silently skipped when PreDelete/PostDelete hooks coexist — fixed

    Workflows relying on PostSync hooks for notifications, cleanup, or validation were silently broken if the same app also defined PreDelete or PostDelete hooks. Verify your hook-based pipelines after upgrading to confirm they now execute correctly.

  • enhancementgrpc dependency bumped to 1.79.3

    The grpc library was bumped from 1.77.0 to 1.79.3. This picks up several upstream fixes. No action required beyond upgrading, but if you run Argo CD in a security-sensitive environment, review the grpc changelog for any CVEs addressed in that range.

主な変更 (5)
  • Fixed stack overflow when processing circular ownerRefs in the resource graph — a potential crash vector
  • Fixed PostSync hooks not being created when PreDelete/PostDelete hooks are also configured
  • Fixed terminal container-find logic on the server side
  • UI improvements: clearer RollingSync step display and better self-healing disable messaging
  • Bumped grpc from 1.77.0 to 1.79.3 as a dependency update
原文

Argo

CI/CD & App Delivery2026年3月16日

Argo CD 3.3.4 delivers critical bug fixes for token refresh handling and git-lfs support, plus enhanced security documentation - a maintenance release that improves operational stability.

  • securityVerify signed release assets

    All container images now include cosign signatures and SLSA Level 3 provenance. Use the official verification documentation to validate your container images before deployment, particularly in security-sensitive environments.

  • breakingReview token refresh configurations

    The token refresh fix resolves parsing errors that could affect component behavior. Check your existing token configurations and monitor for any authentication issues after upgrading, especially in multi-component setups.

  • enhancementUpgrade for ppc64le architecture support

    If running on ppc64le systems, this release fixes git-lfs functionality that was previously broken due to missing checksums. Plan your upgrade to restore full git-lfs capabilities on these architectures.

主な変更 (5)
  • Fixed token refresh threshold parsing errors affecting unrelated components
  • Added missing git-lfs installer checksum for ppc64le architecture support
  • Updated OpenTelemetry SDK dependencies for better observability
  • Enhanced documentation for cluster version changes and migration guidance
  • Maintained SLSA Level 3 compliance with signed container images and provenance
原文

Argo

CI/CD & App Delivery2026年3月10日

Argo CD v3.3.3 delivers targeted bug fixes for CNPG actions, hook annotations, and resource health checks, maintaining stability without introducing breaking changes.

  • enhancementUpdate CNPG Integration Configuration

    Teams using CloudNativePG with Argo CD should verify their suspend/resume actions work correctly after upgrading. The annotation fix ensures proper CNPG cluster lifecycle management through Argo CD workflows.

  • enhancementReview Multi-Hook Resource Configurations

    Applications using multiple PreDelete or PostDelete hooks with comma-separated annotations will now execute properly. Audit existing applications with complex hook configurations to ensure expected behavior.

  • enhancementValidate Cross-Namespace Resource Dependencies

    Complex applications with multi-level cross-namespace dependencies involving cluster-scoped resources should now traverse correctly. Test existing applications that previously showed incomplete resource trees or sync issues.

主な変更 (6)
  • Fixed CNPG suspend/resume actions using correct annotations
  • Corrected comma-separated hook annotations for PreDelete/PostDelete hooks
  • Improved resource health checks with proper drySha handling
  • Fixed standard resource icon display issues in UI
  • Enhanced kubeversion consistency with Helm version 3.3
  • Resolved multi-level cross-namespace hierarchy traversal for cluster-scoped resources
原文

Argo

CI/CD & App Delivery2026年2月22日

Argo CD v3.3.2 fixes the critical client-side apply migration issue that affected self-managed installations in v3.3.0/v3.3.1, requiring specific upgrade steps for users managing Argo CD with itself.

  • breakingEnable ServerSideApply for Self-Managed Installations

    If you have an Argo CD Application managing your Argo CD installation, you must enable `ServerSideApply=true` sync option on that Application before upgrading to v3.3.2. This is required for the upgrade to succeed and prevents apply migration failures.

  • breakingRemove Temporary ClientSideApplyMigration Setting

    If you previously upgraded to v3.3.0/v3.3.1 and set `ClientSideApplyMigration=false` as a workaround, remove this setting after upgrading to v3.3.2. Keeping it may cause field manager conflicts with other Kubernetes controllers.

  • enhancementSafe Upgrade Path for Previously Affected Users

    Users affected by the v3.3.0/v3.3.1 client-side apply migration bug can now safely upgrade to v3.3.2. Follow the upgrade guide carefully and test the upgrade process in a non-production environment first, especially for self-managed installations.

主な変更 (4)
  • Fixed client-side apply migration failure that prevented successful upgrades in v3.3.0/v3.3.1
  • Resolved conflicts between Argo CD field manager and other Kubernetes field managers
  • Updated documentation to clarify upgrade requirements for self-managed installations
  • Maintained SLSA Level 3 provenance and cosign signatures for all container images
原文