v1.120.3 patches two Go CVEs and ships a wide range of bug fixes across AWS, Azure, Oracle, and DigitalOcean providers, plus OVH support and cosign image signing.
securityPatch vulnerable Go dependencies — upgrade immediately
A Go dependency update patches GHSA-xmrv-pmrh-hhx2 and CVE-2026-34986. If you're running any v1.120.x release prior to v1.120.3, upgrade now — these are dependency-level vulnerabilities, not just code changes.
breakingMCP server is now opt-in — check your config before upgrading
The MCP server now defaults to disabled (MCP_SERVER_ENABLED=false). If you were relying on it being on by default, set the env var explicitly after upgrading. Check your deployment manifests before rolling out.
enhancementEnable cosign image verification in your admission pipeline
Container images are now signed with cosign keyless signing and include SLSA provenance attestations. If your admission policy requires image signature verification, you can now enforce it against OpenCost images. Update your policy tooling (e.g., Kyverno, Cosign verify) to validate these attestations in CI or at deploy time.
主な変更 (7)
- Security: vulnerable Go dependencies patched (GHSA-xmrv-pmrh-hhx2, CVE-2026-34986)
- MCP server now opt-in via MCP_SERVER_ENABLED=false default
- OVH cloud provider added; DigitalOcean and Oracle/Karpenter pricing fixes
- AWS Spot Price History API now cached; toggle added to disable spot data feed entirely
- Memory leak fixed in scrape target parsing; CPU usage counter overflow protection added
- Container images now signed with cosign and include SLSA provenance attestations
- CUR 2.0 support added for AWS cost data ingestion