Core Changelog
Please refer to the upgrade guide before upgrading.
Versioning
Pomerium uses Semantic Versioning. In practice, this means for a given version number vMAJOR.MINOR.PATCH (for example, v0.1.0):
- MAJOR indicates an incompatible API change
- MINOR indicates new, backwards-compatible functionality
- PATCH indicates a backwards-compatible bug fix
As Pomerium is still pre-v1.0.0, you should expect breaking changes between releases.
v0.26.0 (2024-05-17)
Breaking
Changes that are expected to cause an incompatibility.
- config: remove deprecated client_ca option by @kenjenkins in https://github.com/pomerium/pomerium/pull/4918
- envoy: set explicit hostname on cluster endpoints by @kenjenkins in https://github.com/pomerium/pomerium/pull/5018
New
- authenticate: apply branding to sign out pages by @kenjenkins in https://github.com/pomerium/pomerium/pull/5044
- authorize: add support for rego print statements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5049
- authorize: log service account user ID by @kenjenkins in https://github.com/pomerium/pomerium/pull/4964
- authorize: return non-html errors on denied by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4904
- config: add runtime flags by @wasaga in https://github.com/pomerium/pomerium/pull/5050
- config: add support for TCP proxy chaining by @kenjenkins in https://github.com/pomerium/pomerium/pull/5053
- config: add support for stripping the port for matching routes by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5085
- config: disable gRPC ingress when address is the empty string by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5058
- config: implement direct response by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4960
- databroker: disable identity manager user refresh when hosted authenticate is used by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4905
- envoy: clean up temporary directory on start by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4914
- envoy: format envoy local replies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5067
- envoy: only enable port reuse on linux by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5066
- identity: add enabler by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5084
- identity: dynamic authenticator registration by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5105
- identity: refactor identity manager by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5091
- logging: less verbose logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5040
- ppl: add client cert SAN match criteria by @kenjenkins in https://github.com/pomerium/pomerium/pull/4913
- ppl: add groups criterion by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4916
- ui: fix page title by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4957
- zero: add route reachability health check by @wasaga in https://github.com/pomerium/pomerium/pull/5093
- zero: add service accounts support by @wasaga in https://github.com/pomerium/pomerium/pull/5031
- zero: add storage health check by @wasaga in https://github.com/pomerium/pomerium/pull/5074
- zero: health check building config from databroker source by @wasaga in https://github.com/pomerium/pomerium/pull/5104
- zero: lower log level by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5065
- zero: upgrade oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4953
Fixed
- authenticate: redirect to /.pomerium/signed_out when no signout redirect url is defined by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5060
- envoy: exclude unauthorized access from local replies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5108
- kubernetes: fix impersonate group header by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5090
- zero: add gRPC keep-alive by @wasaga in https://github.com/pomerium/pomerium/pull/4961
- zero: fix bootstrap config path by @wasaga in https://github.com/pomerium/pomerium/pull/5035
- zero: fix ticker usage by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4969
Changed
- authenticate: rework CORS headers log entry by @kenjenkins in https://github.com/pomerium/pomerium/pull/4900
- authorize: result denied improvements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4952
- config: remove cookie secure option by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4907
- config: fix typo by @wasaga in https://github.com/pomerium/pomerium/pull/4963
- core: move telemetry requestid to pkg directory by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4911
- core: switch to uber mock by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5073
- core: use context.WithoutCancel by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4959
- envoy: address strconv.Atoi warnings by @kenjenkins in https://github.com/pomerium/pomerium/pull/5076
- envoy: enable TCP keepalive for internal clusters by @kenjenkins in https://github.com/pomerium/pomerium/pull/4902
- envoy: migrate deprecated overload setting by @kenjenkins in https://github.com/pomerium/pomerium/pull/5082
- envoy: preserve Go's max file limit for Envoy by @kenjenkins in https://github.com/pomerium/pomerium/pull/5102
- envoy: upgrade to v1.30.1 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5080
- logging: use standard logger by @wasaga in https://github.com/pomerium/pomerium/pull/5096
- opa: update for rego 1.0 by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4895
- ui: adds upstream error page by @nhayfield in https://github.com/pomerium/pomerium/pull/5113
- ui: improve frontend build size by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5109
- zero: add user-agent to requests by @wasaga in https://github.com/pomerium/pomerium/pull/5078
- zero: add checks for ability to save bootstrap parameter and bundle status reporting by @wasaga in https://github.com/pomerium/pomerium/pull/5064
- zero: add connect health check by @wasaga in https://github.com/pomerium/pomerium/pull/5086
- zero: add common healthcheck package, zero reporter and first xds check by @wasaga in https://github.com/pomerium/pomerium/pull/5059
- zero: add shared secret to the cluster bootstrap params by @wasaga in https://github.com/pomerium/pomerium/pull/5030
- zero: only report healthcheck transitions by @wasaga in https://github.com/pomerium/pomerium/pull/5068
- zero: remove unused changeset code by @wasaga in https://github.com/pomerium/pomerium/pull/4915
- zero: reset back to inmem databroker if connection string is empty by @wasaga in https://github.com/pomerium/pomerium/pull/4955
- zero: simplify control loop lease retry code by @wasaga in https://github.com/pomerium/pomerium/pull/4979
- zero: update oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4898
Dependency Updates
- chore(deps): bump actions/setup-node from 4.0.1 to 4.0.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4974
- chore(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4922
- chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4972
- chore(deps): bump busybox from ba76950 to 6d9ac92 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4950
- chore(deps): bump cloud.google.com/go/storage from 1.36.0 to 1.37.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4926
- chore(deps): bump cloud.google.com/go/storage from 1.37.0 to 1.39.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4989
- chore(deps): bump distroless/base-debian12 from 0a93daa to 5eae9ef in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4970
- chore(deps): bump distroless/base-debian12 from 996c583 to 1d91d5f by @dependabot in https://github.com/pomerium/pomerium/pull/4980
- chore(deps): bump distroless/base from 6c1e34e to 9d4e568 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4971
- chore(deps): bump docker/metadata-action from 5.4.0 to 5.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4923
- chore(deps): bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4978
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.2 to 1.26.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4932
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.6 by @dependabot in https://github.com/pomerium/pomerium/pull/5015
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.0 to 1.24.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4930
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.1 to 1.25.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4992
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.3 by @dependabot in https://github.com/pomerium/pomerium/pull/5016
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.47.7 to 1.48.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4939
- chore(deps): bump github.com/docker/docker from 24.0.7+incompatible to 25.0.2+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4942
- chore(deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5032
- chore(deps): bump github.com/docker/docker from 26.0.0+incompatible to 26.0.2+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5075
- chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4935
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.2 to 1.0.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4945
- chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4933
- chore(deps): bump github.com/go-chi/chi/v5 from 5.0.11 to 5.0.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4986
- chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4984
- chore(deps): bump github.com/jackc/pgx/v5 from 5.5.1 to 5.5.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4944
- chore(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.3 by @dependabot in https://github.com/pomerium/pomerium/pull/5000
- chore(deps): bump github.com/klauspost/compress from 1.17.4 to 1.17.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4940
- chore(deps): bump github.com/klauspost/compress from 1.17.5 to 1.17.7 by @dependabot in https://github.com/pomerium/pomerium/pull/4995
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.66 to 7.0.67 by @dependabot in https://github.com/pomerium/pomerium/pull/4996
- chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4919
- chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4937
- chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5017
- chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4949
- chore(deps): bump github.com/prometheus/common from 0.46.0 to 0.49.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4998
- chore(deps): bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4999
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.12 to 3.24.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4928
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.24.1 to 3.24.2 by @dependabot in https://github.com/pomerium/pomerium/pull/5001
- chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4990
- chore(deps): bump github.com/rs/zerolog from 1.31.0 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5004
- chore(deps): bump golang from 1.21.5-bookworm to 1.21.6-bookworm by @dependabot in https://github.com/pomerium/pomerium/pull/4920
- chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.21.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5013
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5077
- chore(deps): bump golang.org/x/oauth2 from 0.16.0 to 0.18.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5012
- chore(deps): bump google-github-actions/setup-gcloud from 2.0.1 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4924
- chore(deps): bump google-github-actions/auth from 2.0.0 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4925
- chore(deps): bump google-github-actions/auth from 2.1.0 to 2.1.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4976
- chore(deps): bump google.golang.org/api from 0.154.0 to 0.161.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4938
- chore(deps): bump google.golang.org/api from 0.161.0 to 0.168.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5010
- chore(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4948
- chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.62.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5011
- chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5009
- chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4975
- chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.44.0 to 0.45.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4947
- chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.45.0 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4983
- chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.21.0 to 1.22.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4946
- chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.22.0 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5003
- chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4987
- chore(deps): bump mikefarah/yq from 4.40.5 to 4.42.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4977
- chore(deps): bump node from 8d0f16f to fd01154 by @dependabot in https://github.com/pomerium/pomerium/pull/4921
- chore(deps): bump node from fd01154 to f3299f1 by @dependabot in https://github.com/pomerium/pomerium/pull/4981
- chore(deps): bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4973
- chore(deps): bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5024
- chore(deps): bump the docker group in /.github with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5023
- chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5045
- chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5046
- chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5095
- chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5098
- chore(deps): bump the github-actions group with 1 update by @dependabot in https://github.com/pomerium/pomerium/pull/5025
- chore(deps): bump the github-actions group with 6 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5047
- chore(deps): bump the github-actions group with 5 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5094
- chore(deps): bump the go group with 10 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5026
- chore(deps): bump the go group with 15 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5048
- chore(deps): bump the go group with 29 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5097
- chore(deps): update UI dependencies by @kenjenkins in https://github.com/pomerium/pomerium/pull/5088
- chore(deps): bump @trivago/prettier-plugin-sort-imports from 2.0.4 to 4.3.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5054
- chore(deps): bump @babel/traverse from 7.16.10 to 7.23.2 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5055
- ci: upgrade to Go 1.22 by @wasaga in https://github.com/pomerium/pomerium/pull/4967
- core/lint: upgrade golangci-lint, replace interface with any by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5099
- envoy: set to v1.29.2 by @wasaga in https://github.com/pomerium/pomerium/pull/5042
- envoy: upgrade to v1.29.3 by @wasaga in https://github.com/pomerium/pomerium/pull/5056
- update dev Dockerfiles to use Go 1.22.2 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5063
v0.25.2 (2024-04-05)
Changed
- envoy: upgrade to v1.28.2 by @wasaga in https://github.com/pomerium/pomerium/pull/5057
v0.25.1 (2024-03-13)
Changed
- ci: bump Go to 1.21.8 in docker by @wasaga in https://github.com/pomerium/pomerium/pull/5027
- connect: add gRPC keep-alive by @wasaga in https://github.com/pomerium/pomerium/pull/4962
- core/ci: check docker base images by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5028
- core/zero: fix ticker usage by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5019
v0.25.0 (2024-01-10)
Breaking
- config: remove support for base64 encoded certificates in the certificates field. It may only contain file locations. See https://github.com/pomerium/pomerium/pull/4718 by @calebdoxsey for details.
- config: remove debug option, always use json logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4857
New
- authenticate: Refactoring identity authenticators to initiate redirect. For AWS Cognito, please allow the following sign out https://{AUTHENTICATE_DOMAIN}/.pomerium/signed_out URL. See more details in https://github.com/pomerium/pomerium/pull/4858 by @calebdoxsey.
- Initial support for the Pomerium Zero closed beta is included in this release.
Fixed
- config: add support for maps in environments, i.e. env IDP_REQUEST_PARAMS='{"x":"y"}' ... by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4717
- core: fix graceful stop by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4865
- databroker: fix nil data unmarshal by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4734
- databroker: fix Patch() error handling for in-memory databroker backend by @kenjenkins in https://github.com/pomerium/pomerium/pull/4838
- databroker: hijack connections for notification listeners by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4806
- databroker: prevent nil data in the databroker deleted records by @wasaga in https://github.com/pomerium/pomerium/pull/4736
- databroker: REDIS backend has been removed in the previous release, https://github.com/pomerium/pomerium/pull/4768 by @calebdoxsey cleans up some remaining references.
- envoy: Rewrite the remove_pomerium_cookie lua function to handle = inside of cookie values. by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4641
- metrics: enforce text/plain metric format by @kenjenkins in https://github.com/pomerium/pomerium/pull/4774
- zero: group funcs that need run within a lease by @wasaga in https://github.com/pomerium/pomerium/pull/4862
Changed
- authenticate: add stateful flow by @kenjenkins in https://github.com/pomerium/pomerium/pull/4822
- authenticate: change how sessions are deleted by @kenjenkins in https://github.com/pomerium/pomerium/pull/4893
- authenticate: getUserInfoData() cleanup by @kenjenkins in https://github.com/pomerium/pomerium/pull/4818
- authenticate: move events.go out of internal/authenticateflow by @kenjenkins in https://github.com/pomerium/pomerium/pull/4852
- authenticate: move stateless flow logic by @kenjenkins in https://github.com/pomerium/pomerium/pull/4820
- authenticate: move logAuthenticateEvent by @kenjenkins in https://github.com/pomerium/pomerium/pull/4821
- authenticate: remove extra UpdateUserInfo() call by @kenjenkins in https://github.com/pomerium/pomerium/pull/4813
- authenticate: Update the initialization logic for the authenticate, authorize, and proxy services to automatically select between the stateful authentication flow and the stateless authentication flow, depending on whether Pomerium is configured to use the hosted authenticate service. This change ensures a single IdP session is maintained for all user visits, enabling a single sign out behaviour for installations with IdP configured, by @kenjenkins in https://github.com/pomerium/pomerium/pull/4765
- authenticate: verify redirect in Callback test by @kenjenkins in https://github.com/pomerium/pomerium/pull/4894
- config: Add a global config option for pass_identity_headers, in addition to existing per-route option by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4720
- config: disable strict-transport-security header with staging autocert by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4741
- config: no longer stub out HPKE public key fetch by @kenjenkins in https://github.com/pomerium/pomerium/pull/4853
- config: remove unnecessary authenticate route when using hosted authenticate (authenticate.pomerium.app) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4719
- runtime: automatically determine goroutine max cap by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4766
- runtime: update to Go 1.21.4 by @kenjenkins in https://github.com/pomerium/pomerium/pull/4770
- session: add unit tests for gRPC wrapper methods by @kenjenkins in https://github.com/pomerium/pomerium/pull/4713
- tests: add tool for renewing test certs by @kenjenkins in https://github.com/pomerium/pomerium/pull/4742
- tests: check for profile cookies by @kenjenkins in https://github.com/pomerium/pomerium/pull/4847
- tests: renew test certs by @kenjenkins in https://github.com/pomerium/pomerium/pull/4738
- tests: re-generate test configurations by @kenjenkins in https://github.com/pomerium/pomerium/pull/4816
- zero: add linear probabilistic counter for MAU estimation by @wasaga in https://github.com/pomerium/pomerium/pull/4776
- zero: add more verbose logging about background control loops by @wasaga in https://github.com/pomerium/pomerium/pull/4815
- zero: add reporter by @wasaga in https://github.com/pomerium/pomerium/pull/4855
- zero: add support for managed mode from config file by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4756
- zero: better code reuse by @wasaga in https://github.com/pomerium/pomerium/pull/4758
- zero: calculate DAU and MAU by @wasaga in https://github.com/pomerium/pomerium/pull/4810
- zero: fix restart behavior by @kenjenkins in https://github.com/pomerium/pomerium/pull/4753
- zero: rebase and merge feature/zero branch by @kenjenkins in https://github.com/pomerium/pomerium/pull/4745
- zero: set drwx------ for cache dir by @wasaga in https://github.com/pomerium/pomerium/pull/4764
- zero: support gzipped blobs by @wasaga in https://github.com/pomerium/pomerium/pull/4767
- zero: use os.UserCacheDir for bootstrap config path by @kenjenkins in https://github.com/pomerium/pomerium/pull/4744
- zero: use production urls by default by @wasaga in https://github.com/pomerium/pomerium/pull/4814
Dependency
- bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4692
- bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4830
- bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4694
- bump actions/setup-node from 4.0.0 to 4.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4888
- bump actions/setup-python from 4.7.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4827
- bump actions/stale from 8.0.0 to 9.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4825
- bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4889
- bump busybox from 3fbc632 to 1ceb872 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4824
- bump busybox from 1ceb872 to ba76950 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4884
- bump cloud.google.com/go/storage from 1.33.0 to 1.35.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4750
- bump cloud.google.com/go/storage from 1.35.1 to 1.36.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4873
- bump distroless/base from 46c5b9b to b31a6e0 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4670
- bump distroless/base from b31a6e0 to 6c1e34e in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4885
- bump distroless/base-debian12 from 5e24c7a to 996c583 by @dependabot in https://github.com/pomerium/pomerium/pull/4882
- bump distroless/base-debian12 from d2890b2 to 5e24c7a by @dependabot in https://github.com/pomerium/pomerium/pull/4658
- bump distroless/base-debian12 from d64f548 to 1dfdb5e in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4671
- bump distroless/base-debian12 from 1dfdb5e to 0a93daa in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4886
- bump docker/build-push-action from 5.0.0 to 5.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4777
- bump docker/metadata-action from 5.0.0 to 5.3.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4826
- bump docker/metadata-action from 5.3.0 to 5.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4891
- bump github.com/aws/aws-sdk-go-v2 from 1.22.2 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4840
- bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.40.0 to 1.42.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4751
- bump github.com/bits-and-blooms/bitset from 1.11.0 to 1.13.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4876
- bump github.com/caddyserver/certmagic from 0.19.2 to 0.20.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4836
- bump github.com/cloudflare/circl from 1.3.3 to 1.3.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4674
- bump github.com/coreos/go-oidc/v3 from 3.6.0 to 3.8.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4791
- bump github.com/coreos/go-oidc/v3 from 3.8.0 to 3.9.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4880
- bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4680
- bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4685
- bump github.com/google/uuid from 1.3.1 to 1.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4677
- bump github.com/google/uuid from 1.4.0 to 1.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4878
- bump github.com/gorilla/mux from 1.8.0 to 1.8.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4790
- bump github.com/gorilla/websocket from 1.5.0 to 1.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4793
- bump github.com/go-chi/chi/v5 from 5.0.10 to 5.0.11 by @dependabot in https://github.com/pomerium/pomerium/pull/4875
- bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4760
- bump github.com/jackc/pgx/v5 from 5.4.3 to 5.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4803
- bump github.com/jackc/pgx/v5 from 5.5.0 to 5.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4871
- bump github.com/klauspost/compress from 1.17.0 to 1.17.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4798
- bump github.com/mattn/go-isatty from 0.0.19 to 0.0.20 by @dependabot in https://github.com/pomerium/pomerium/pull/4801
- bump github.com/minio/minio-go/v7 from 7.0.63 to 7.0.65 by @dependabot in https://github.com/pomerium/pomerium/pull/4812
- bump github.com/minio/minio-go/v7 from 7.0.65 to 7.0.66 by @dependabot in https://github.com/pomerium/pomerium/pull/4868
- bump github.com/oapi-codegen/runtime from 1.0.0 to 1.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4870
- bump github.com/open-policy-agent/opa from 0.57.0 to 0.59.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4799
- bump github.com/open-policy-agent/opa from 0.59.0 to 0.60.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4879
- bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4872
- bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4672
- bump github.com/prometheus/common from 0.44.0 to 0.45.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4686
- bump github.com/shirou/gopsutil/v3 from 3.23.9 to 3.23.11 by @dependabot in https://github.com/pomerium/pomerium/pull/4794
- bump github.com/shirou/gopsutil/v3 from 3.23.11 to 3.23.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4874
- bump github.com/spf13/viper from 1.16.0 to 1.18.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4861
- bump github.com/VictoriaMetrics/fastcache from 1.12.1 to 1.12.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4802
- bump github.com/yuin/gopher-lua from 1.1.0 to 1.1.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4832
- bump golang from 1.21.4-bookworm to 1.21.5-bookworm by @dependabot in https://github.com/pomerium/pomerium/pull/4828
- bump golang from a6b787c to 1415bb0 by @dependabot in https://github.com/pomerium/pomerium/pull/4883
- bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4860. This includes a patch for GO-2023-2402 / CVE-2023-48795 (Terrapin). Note that Pomerium does not use the affected golang.org/x/crypto/ssh package from this module.
- bump golang.org/x/net from 0.17.0 to 0.19.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4792
- bump golang.org/x/oauth2 from 0.12.0 to 0.15.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4797
- bump golang.org/x/sync from 0.3.0 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4748
- bump golang.org/x/time from 0.3.0 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4796
- bump google-github-actions/auth from 1.1.1 to 2.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4778
- bump google-github-actions/setup-gcloud from 1.1.1 to 2.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4890
- bump google.golang.org/api from 0.143.0 to 0.153.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4835
- bump google.golang.org/api from 0.153.0 to 0.154.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4867
- bump google.golang.org/protobuf from 1.31.1-0.20231027082548-f4a6c1f6e5c1 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4877
- bump mikefarah/yq from 4.35.2 to 4.40.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4780
- bump mikefarah/yq from 4.40.3 to 4.40.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4829
- bump mikefarah/yq from 4.40.4 to 4.40.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4887
- bump node from 42a4d97 to 5f21943 by @dependabot in https://github.com/pomerium/pomerium/pull/4659
- bump node from 445acd9 to 8d0f16f by @dependabot in https://github.com/pomerium/pomerium/pull/4881
- bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4688
- bump stefanzweifel/git-auto-commit-action from 4.16.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4693
- zero/openapi: pin v1.0.0 of a runtime by @wasaga in https://github.com/pomerium/pomerium/pull/4851
v0.24.0 (2023-11-16)
Breaking
- config: remove set_authorization_header option by @kenjenkins in https://github.com/pomerium/pomerium/pull/4489
- core/config: remove support for base64 encoded certificates by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4725
- databroker: remove redis storage backend by @kenjenkins in https://github.com/pomerium/pomerium/pull/4699
New
- databroker: build config concurrently, option to bypass validation by @wasaga in https://github.com/pomerium/pomerium/pull/4655
Fixed
- core/authenticate: refactor idp sign out by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4582
- core/authenticate: validate the identity profile by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4545
- core/authorize: check for expired tokens by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4543
- core/identity: fix slow restart by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4542
- core/storage: fix nil data unmarshal by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4739
Changed
- Add metric request error in log by @sylr in https://github.com/pomerium/pomerium/pull/4585
- authorize: build evaluators cache in parallel by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4731
- authorize: reuse policy evaluators where possible by @kenjenkins in https://github.com/pomerium/pomerium/pull/4710
- config: do not add route headers to global map by @kenjenkins in https://github.com/pomerium/pomerium/pull/4629
- core/config: add config version, additional telemetry by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4645
- core/config: add support for maps in environments by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4728
- core/config: refactor change dispatcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4657
- core/config: refactor file watcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4702
- core/config: remove version by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4653
- core/controlplane: apply configuration changes in a background thread by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4649
- core/envoy: fix remove cookie lua script by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4732
- core/events: refactor the events.Target to use mutexes instead of a background goroutine by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4700
- core/filemgr: use xxhash instead of sha512 for filenames by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4697
- core/hpke: reduce memory usage from zstd by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4650
- cryptutil: remove unused functions by @kenjenkins in https://github.com/pomerium/pomerium/pull/4541
- databroker: add patch method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4704
- databroker: add reconciler by @wasaga in https://github.com/pomerium/pomerium/pull/4709
- databroker: add utility recordset and changeset by @wasaga in https://github.com/pomerium/pomerium/pull/4701
- databroker: changeset: prevent nil data in the deleted records by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4737
- Docs: remove tcp example by @ZPain8464 in https://github.com/pomerium/pomerium/pull/4616
- identity: override TokenSource expiry behavior by @kenjenkins in https://github.com/pomerium/pomerium/pull/4632
- identity: preserve session refresh schedule by @kenjenkins in https://github.com/pomerium/pomerium/pull/4633
- identity: rework session refresh error handling by @kenjenkins in https://github.com/pomerium/pomerium/pull/4638
- integration: renew test certs by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4740
- proto: add id to certificate by @wasaga in https://github.com/pomerium/pomerium/pull/4706
- protoutil: add OverwriteMasked method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4651
- reconciler: allow custom comparison function by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4727
- rework session updates to use new patch method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4705
- storage/inmemory: implement patch operation by @kenjenkins in https://github.com/pomerium/pomerium/pull/4654
- storage/postgres: implement patch operation by @kenjenkins in https://github.com/pomerium/pomerium/pull/4656
- upgrade envoy to v1.28.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/4635
- xds: add type url to log by @wasaga in https://github.com/pomerium/pomerium/pull/4696
Dependency
- chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4496
- chore(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4562
- chore(deps): bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4611
- chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4497
- chore(deps): bump actions/setup-node from 3.7.0 to 3.8.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4501
- chore(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4557
- chore(deps): bump busybox from caa382c to 3fbc632 in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4549
- chore(deps): bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4518
- chore(deps): bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4579
- chore(deps): bump coverallsapp/github-action from 2.2.1 to 2.2.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4560
- chore(deps): bump distroless/base from b0216a3 to 46c5b9b in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4550
- chore(deps): bump docker/build-push-action from 4.1.1 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4554
- chore(deps): bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4552
- chore(deps): bump docker/metadata-action from 4.6.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4553
- chore(deps): bump docker/setup-buildx-action from 2.9.1 to 2.10.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4498
- chore(deps): bump docker/setup-buildx-action from 2.10.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4555
- chore(deps): bump docker/setup-qemu-action from 2.2.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4559
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.18.38 by @dependabot in https://github.com/pomerium/pomerium/pull/4522
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.38 to 1.18.40 by @dependabot in https://github.com/pomerium/pomerium/pull/4581
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.40 to 1.18.42 by @dependabot in https://github.com/pomerium/pomerium/pull/4599
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.21.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4524
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.1 to 1.38.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4521
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.5 to 1.40.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4600
- chore(deps): bump github.com/caddyserver/certmagic from 0.19.1 to 0.19.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4526
- chore(deps): bump github.com/CAFxX/httpcompression from 0.0.8 to 0.0.9 by @dependabot in https://github.com/pomerium/pomerium/pull/4572
- chore(deps): bump github.com/docker/docker from 24.0.2+incompatible to 24.0.6+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4570
- chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4646
- chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4517
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.4 to 2.0.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4528
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 by @dependabot in https://github.com/pomerium/pomerium/pull/4607
- chore(deps): bump github.com/jackc/pgx/v5 from 5.4.2 to 5.4.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4531
- chore(deps): bump github.com/klauspost/compress from 1.16.7 to 1.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4566
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.61 to 7.0.63 by @dependabot in https://github.com/pomerium/pomerium/pull/4527
- chore(deps): bump github.com/open-policy-agent/opa from 0.55.0 to 0.56.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4530
- chore(deps): bump github.com/open-policy-agent/opa from 0.56.0 to 0.57.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4606
- chore(deps): bump github.com/openzipkin/zipkin-go from 0.4.1 to 0.4.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4523
- chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4603
- chore(deps): bump github.com/prometheus/procfs from 0.11.1 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4602
- chore(deps): bump github.com/rs/cors from 1.9.0 to 1.10.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4574
- chore(deps): bump github.com/rs/cors from 1.10.0 to 1.10.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4601
- chore(deps): bump github.com/rs/zerolog from 1.30.0 to 1.31.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4598
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.7 to 3.23.8 by @dependabot in https://github.com/pomerium/pomerium/pull/4519
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.8 to 3.23.9 by @dependabot in https://github.com/pomerium/pomerium/pull/4605
- chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4499
- chore(deps): bump google.golang.org/api from 0.134.0 to 0.138.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4532
- chore(deps): bump google.golang.org/api from 0.138.0 to 0.141.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4578
- chore(deps): bump google.golang.org/api from 0.141.0 to 0.143.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4608
- chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.58.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4575
- chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4640
- chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4626
- chore(deps): bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4580
- chore(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4502
- chore(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4563
- chore(deps): bump go.uber.org/zap from 1.24.0 to 1.25.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4516
- chore(deps): bump go.uber.org/zap from 1.25.0 to 1.26.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4577
- chore(deps): bump mikefarah/yq from 4.34.2 to 4.35.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4503
- chore(deps): bump mikefarah/yq from 4.35.1 to 4.35.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4610
- chore(deps): bump node from f41231b to 7923c64 by @dependabot in https://github.com/pomerium/pomerium/pull/4551
- chore(deps): bump node from 7923c64 to 2daec43 by @dependabot in https://github.com/pomerium/pomerium/pull/4609
- chore(deps): bump node from 850d8e1 to f41231b by @dependabot in https://github.com/pomerium/pomerium/pull/4533
- chore(deps): bump tibdex/github-app-token from 1.8.0 to 1.8.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4505
- chore(deps): bump tibdex/github-app-token from 1.8.2 to 2.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4556
- chore(deps): bump tibdex/github-app-token from 2.0.0 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4612
- chore(deps): bump @fontsource/dm-mono from 4.5.2 to 5.0.11 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4515
- chore(deps): bump @fontsource/dm-mono from 5.0.11 to 5.0.12 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4573
- chore(deps): bump @fontsource/dm-mono from 5.0.12 to 5.0.14 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4619
- chore(deps): bump @fontsource/dm-sans from 5.0.3 to 5.0.11 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4508
- chore(deps): bump @fontsource/dm-sans from 5.0.11 to 5.0.12 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4561
- chore(deps): bump @fontsource/dm-sans from 5.0.12 to 5.0.13 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4593
- chore(deps): bump @mui/icons-material from 5.3.1 to 5.14.9 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4567
- chore(deps-dev): bump ts-node from 10.4.0 to 10.9.1 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4279
- core/go: upgrade go.mod by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4711
v0.23.0 (2023-08-24)
New
- adds success colors for statuses in the 200 range #4314 (@nhayfield)
- authenticate: add aws cognito #4137 (@wasaga)
- authorize: log id token claims separately from id token #4394 (@calebdoxsey)
- config: add cookie_same_site option #4148 (@calebdoxsey)
- hpke: compress query string #4147 (@calebdoxsey)
Fixed
- autocert: suppress OCSP stapling errors #4371 (@calebdoxsey)
- config: update logic for checking overlapping certificates #4216 (@calebdoxsey)
- config: validate log levels #4367 (@calebdoxsey)
- databroker: fix fast forward #4192 (@calebdoxsey)
- databroker: sort configs #4190 (@calebdoxsey)
- envoy: set re2 limits very high #4187 (@calebdoxsey)
- envoyconfig: disable validation context when no client certificates are required #4151 (@calebdoxsey)
- fix WillHaveCertificateForServerName check to be strict match for derived cert name #4167 (@wasaga)
Dependency
- chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4153 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.5.2 to 3.5.3 #4239 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 4.0.0 to 4.0.1 #4176 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.6.0 to 3.7.0 #4432 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 #4203 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.6.1 to 4.7.0 #4429 (@dependabot[bot])
- chore(deps): bump cloud.google.com/go/storage from 1.29.0 to 1.30.1 #4221 (@dependabot[bot])
- chore(deps): bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 #4332 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.1.2 to 2.2.0 #4241 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.2.0 to 2.2.1 #4430 (@dependabot[bot])
- chore(deps): bump debian from 1fbdbcf to 4291be2 #4160 (@dependabot[bot])
- chore(deps): bump debian from 4291be2 to cd9b6e7 #4206 (@dependabot[bot])
- chore(deps): bump docker/build-push-action from 4.0.0 to 4.1.1 #4264 (@dependabot[bot])
- chore(deps): bump docker/login-action from 2.1.0 to 2.2.0 #4274 (@dependabot[bot])
- chore(deps): bump docker/metadata-action from 4.4.0 to 4.5.0 #4242 (@dependabot[bot])
- chore(deps): bump docker/metadata-action from 4.5.0 to 4.6.0 #4273 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4154 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.5.0 to 2.7.0 #4262 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.7.0 to 2.8.0 #4330 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.8.0 to 2.9.1 #4433 (@dependabot[bot])
- chore(deps): bump docker/setup-qemu-action from 2.1.0 to 2.2.0 #4263 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.21 to 1.18.25 #4208 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 #4286 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.32 #4436 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.31.2 to 1.33.0 #4139 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.33.0 to 1.34.0 #4260 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.0 to 1.34.1 #4290 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.1 to 1.36.0 #4323 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.36.0 to 1.38.1 #4435 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.17.2 to 0.18.0 #4291 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.18.0 to 0.18.2 #4334 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.18.2 to 0.19.1 #4401 (@dependabot[bot])
- chore(deps): bump github.com/cenkalti/backoff/v4 from 4.2.0 to 4.2.1 #4156 (@dependabot[bot])
- chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 #4158 (@dependabot[bot])
- chore(deps): bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0 #4226 (@dependabot[bot])
- chore(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible #4170 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 23.0.3+incompatible to 23.0.5+incompatible #4141 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 23.0.5+incompatible to 23.0.6+incompatible #4164 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 23.0.6+incompatible to 24.0.1+incompatible #4183 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 24.0.1+incompatible to 24.0.2+incompatible #4205 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.0 to 1.0.1 #4185 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.1 to 1.0.2 #4329 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.0 to 0.11.1 #4247 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.1 to 1.0.0 #4155 (@dependabot[bot])
- chore(deps): bump github.com/go-chi/chi/v5 from 5.0.8 to 5.0.10 #4407 (@dependabot[bot])
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.3 #4267 (@dependabot[bot])
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.3 to 2.0.4 #4327 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.3.1 to 5.4.0 #4293 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.4.0 to 5.4.1 #4324 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.4.1 to 5.4.2 #4409 (@dependabot[bot])
- chore(deps): bump github.com/klauspost/compress from 1.16.0 to 1.16.5 #4177 (@dependabot[bot])
- chore(deps): bump github.com/klauspost/compress from 1.16.5 to 1.16.6 #4281 (@dependabot[bot])
- chore(deps): bump github.com/mholt/acmez from 1.1.0 to 1.1.1 #4184 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.52 to 7.0.55 #4202 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.55 to 7.0.56 #4243 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.56 to 7.0.57 #4280 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.57 to 7.0.59 #4333 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.59 to 7.0.61 #4415 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.51.0 to 0.52.0 #4142 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.52.0 to 0.53.1 #4235 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.54.0 to 0.55.0 #4404 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.10.1 to 0.11.0 #4276 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.11.0 to 0.11.1 #4400 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.15.0 to 1.15.1 #4157 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 #4268 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 #4162 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.42.0 to 0.43.0 #4172 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.43.0 to 0.44.0 #4244 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.0 to 3.3.1 #4204 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.1 to 3.3.2 #4248 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.2 to 3.4.0 #4399 (@dependabot[bot])
- chore(deps): bump github.com/rs/cors from 1.8.3 to 1.9.0 #4179 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.29.1 to 1.30.0 #4406 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.3 to 3.23.4 #4165 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.4 to 3.23.5 #4225 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.5 to 3.23.6 #4328 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.6 to 3.23.7 #4402 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 #4296 (@dependabot[bot])
- chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 #4200 (@dependabot[bot])
- chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 #4238 (@dependabot[bot])
- chore(deps): bump golang from 1.20.3-buster to 1.20.4-buster #4161 (@dependabot[bot])
- chore(deps): bump golang from 1.20.4-buster to 1.20.5-buster #4227 (@dependabot[bot])
- chore(deps): bump golang from b0f97bf to eb3f9ac #4271 (@dependabot[bot])
- chore(deps): bump golang from 4cf6dc4 to 6be6011 #4207 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.118.0 to 0.120.0 #4143 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.120.0 to 0.121.0 #4159 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.121.0 to 0.125.0 #4222 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.121.0 to 0.126.0 #4236 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.126.0 to 0.128.0 #4283 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.128.0 to 0.130.0 #4348 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.130.0 to 0.134.0 #4403 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 #4166 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 #4278 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.56.1 to 1.57.0 #4411 (@dependabot[bot])
- chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 #4325 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 #4182 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.9.0 to 0.10.0 #4266 (@dependabot[bot])
- chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 #4174 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 #4178 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 #4287 (@dependabot[bot])
- chore(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 #4163 (@dependabot[bot])
- chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 #4294 (@dependabot[bot])
- chore(deps): bump google-github-actions/auth from 1.1.0 to 1.1.1 #4173 (@dependabot[bot])
- chore(deps): bump google-github-actions/setup-gcloud from 1.1.0 to 1.1.1 #4175 (@dependabot[bot])
- chore(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 #4240 (@dependabot[bot])
- chore(deps): bump markdown-to-jsx from 7.1.7 to 7.2.1 in /ui #4297 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.33.3 to 4.34.1 #4201 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.34.1 to 4.34.2 #4431 (@dependabot[bot])
- chore(deps): bump node from 3801c22 to 850d8e1 #4416 (@dependabot[bot])
- chore(deps): bump node from 05824f7 to 3801c22 #4322 (@dependabot[bot])
- chore(deps): bump node from f658ece to 05824f7 #4272 (@dependabot[bot])
- chore(deps): bump node from df5a66e to f658ece #4252 (@dependabot[bot])
- chore(deps): bump react-feather from 2.0.9 to 2.0.10 in /ui #4306 (@dependabot[bot])
- chore(deps): bump semver from 6.3.0 to 6.3.1 in /ui #4350 (@dependabot[bot])
- chore(deps): bump word-wrap from 1.2.3 to 1.2.4 in /ui #4369 (@dependabot[bot])
- chore(deps): bump @emotion/styled from 11.6.0 to 11.11.0 in /ui #4277 (@dependabot[bot])
- chore(deps): bump @fontsource/dm-sans from 4.5.1 to 5.0.3 in /ui #4307 (@dependabot[bot])
- chore(deps-dev): bump typescript from 4.5.5 to 5.1.3 in /ui #4289 (@dependabot[bot])
- chore(deps-dev): bump @typescript-eslint/parser from 5.10.2 to 5.59.11 in /ui #4282 (@dependabot[bot])
- dependencies: pin node to lts #4218 (@wasaga)
- dependencies: upgrade otel #4395 (@calebdoxsey)
Changed
- add downstream mTLS integration test cases (main) #4234 (@kenjenkins)
- add integration test for client_crl setting #4384 (@kenjenkins)
- add integration test for https IP address route #4476 (@kenjenkins)
- add integration test for Pomerium JWT #4472 (@kenjenkins)
- add JWT timestamp formatting workaround #4270 (@kenjenkins)
- authenticate: remove extraneous error log #4319 (@kenjenkins)
- authorize: add support for logging id token #4392 (@calebdoxsey)
- authorize: allow client certificate intermediates #4451 (@kenjenkins)
- authorize: check CRLs only for leaf certificates #4480 (@kenjenkins)
- authorize: do not redirect if invalid client cert #4344 (@kenjenkins)
- authorize: do not rely on Envoy client cert validation #4438 (@kenjenkins)
- authorize: fix policy numbers in evaluator test #4387 (@kenjenkins)
- authorize: implement client certificate CRL check #4439 (@kenjenkins)
- authorize: incorporate mTLS validation from Envoy #4374 (@kenjenkins)
- authorize: remove a nolint directive #4375 (@kenjenkins)
- authorize: remove incorrect "valid-client-certificate" reason #4470 (@kenjenkins)
- authorize: remove JWT timestamp format workaround #4321 (@kenjenkins)
- authorize: rework token substitution in headers #4456 (@kenjenkins)
- autocert: use new OCSP error type #4437 (@kenjenkins)
- chore: unnecessary use of fmt.Sprintf #4349 (@testwill)
- ci: updates #4269 (@calebdoxsey)
- config: add decode hook for the SANMatcher type #4464 (@kenjenkins)
- config: deprecate tls_downstream_client_ca #4461 (@kenjenkins)
- config: simplify default set response headers #4196 (@calebdoxsey)
- config: support client certificate SAN match #4453 (@kenjenkins)
- config: support arbitrary nested config structs #4440 (@kenjenkins)
- config: validate cookie_secure option #4484 (@kenjenkins)
- cryptutil: update CRL parsing #4454 (@kenjenkins)
- dependabot: improvements #4261 (@calebdoxsey)
- envoy: add a filter to store client cert info #4372 (@kenjenkins)
- envoy: check for nil ssl() in client cert script #4466 (@kenjenkins)
- envoy: configure upstream IP SAN match as needed #4380 (@kenjenkins)
- envoy: separate gRPC listener configuration #4365 (@kenjenkins)
- fix lint warning in pkg/envoy #4181 (@kenjenkins)
- improve certificate matching performance #4186 (@calebdoxsey)
- logs: add ip address to access logs #4391 (@calebdoxsey)
- organize go.mod #4320 (@kenjenkins)
- pin to a debian:latest image for casource base image #4250 (@kenjenkins)
- replace docker publish action ::set-output usage #4359 (@kenjenkins)
- storage: add indexes for postgres #4479 (@calebdoxsey)
- stub out HPKE public key fetch for self-hosted authenticate #4360 (@kenjenkins)
- upgrade main #4457 (@wasaga)
- Update README.md #4146 (@desimone)
- Update SECURITY.md #4144 (@desimone)
v0.22.3 (2023-08-21)
Changed
- add integration test for https IP address route #4477 (@kenjenkins)
- add integration test for Pomerium JWT #4473 (@kenjenkins)
- add JWT timestamp formatting workaround #4309 (@backport-actions-token[bot])
- authorize: populate issuer even when policy is nil #4213 (@backport-actions-token[bot])
- autocert: suppress OCSP stapling errors #4373 (@backport-actions-token[bot])
- backport #4368 (@calebdoxsey)
- ci: fix lint workflow (#4229) #4311 (@kenjenkins)
- config: update logic for checking overlapping certificates (#4216) #4217 (@calebdoxsey)
- config: simplify default set response headers #4212 (@backport-actions-token[bot])
- envoy: configure upstream IP SAN match as needed #4382 (@backport-actions-token[bot])
- github-actions: remove license check #4475 (@kenjenkins)
- pin to a debian:latest image for casource base image (#4250) #4310 (@kenjenkins)
v0.22.2 (2023-05-26)
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
Changed
- databroker: sort configs by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4191
- databroker: fix fast forward by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4194
- envoy: set re2 limits very high by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4189
- fix WillHaveCertificateForServerName check to be strict match for derived cert name by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4169
- improve certificate matching performance by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4188
v0.22.1 (2023-05-04)
Changed
- envoyconfig: disable validation context when no client certificates are required by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4152
v0.22.0 (2023-05-01)
Security
- Pomerium upgraded to Go v1.20.3 and Envoy v1.24.5 to address security issues exposed in these packages. See the release notes in the links for more information.
Changed
- add google cloud creds to ignore #3906 (@wasaga)
- apple: fix userinfo #3974 (@calebdoxsey)
- Appleid #3959 (@mnestor)
- authenticate: add events #4051 (@wasaga)
- authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
- authenticate: fix callback handler for split mode #4008 (@wasaga)
- chore(deps): bump actions/checkout from 3.4.0 to 3.5.0 #4078 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 #3924 (@dependabot[bot])
- config: remove source, remove deadcode, fix linting issues #4118 (@calebdoxsey)
- databroker: add list types method #3937 (@calebdoxsey)
- envoy: optimize listener #3952 (@wasaga)
- maybe fix flaky test #3929 (@calebdoxsey)
- move hpke public key handler out of internal #4065 (@wasaga)
- remove log message when no provider defined #3936 (@calebdoxsey)
- Update SECURITY.md #4145 (@backport-actions-token[bot])
- webauthn: only return known device credentials that match the given type #3981 (@calebdoxsey)
New
- authenticate: fix authenticate_internal_service_url for all in one #4003 (@wasaga)
- authenticate: have an option to trim the contents of the callback #4090 (@wasaga)
- authenticate: only use csrf none for apple #3979 (@calebdoxsey)
- config: default to authenticate.pomerium.app when authenticate url is not specified #4132 (@calebdoxsey)
- cryptutil: generate certificates from deriveca #3992 (@calebdoxsey)
- envoyconfig: preserve case of HTTP headers when using HTTP/1 #3956 (@calebdoxsey)
- support loading route configuration via rds #4098 (@calebdoxsey)
- urlutil: add version to query string #4028 (@calebdoxsey)
Fixed
- authenticate: always trust the passed in idp #3917 (@calebdoxsey)
- authenticate: don't require a session for sign_out #4007 (@calebdoxsey)
- authenticate: fix identity provider id in encrypted query string #4006 (@calebdoxsey)
- authenticate: save the session cookie with a different name #3978 (@calebdoxsey)
- authorize: allow access to /.pomerium/webauthn when policy denies access #4015 (@calebdoxsey)
- authorize: move sign out and jwks urls to route, update issuer for JWT #4046 (@calebdoxsey)
- autocert: fix certmagic cache logging #4134 (@calebdoxsey)
- config: fix set_response_headers #4026 (@calebdoxsey)
- derivecert: fix ecdsa code to be deterministic #3989 (@calebdoxsey)
- fix webauthn url #3983 (@calebdoxsey)
- hpke: move published public keys to a new endpoint #4044 (@calebdoxsey)
- identity: fix nil reference error when there is no authenticator #3930 (@calebdoxsey)
- lua: fix rewrite response headers to handle dashes in URLs #3980 (@calebdoxsey)
- store authenticate state on creation #4064 (@wasaga)
- tls: wildcard catch-all cert must be at the end of cert list #4119 (@wasaga)
Dependency
- chore(deps): bump actions/cache from 3.2.3 to 3.2.4 #3923 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.2.4 to 3.2.5 #3962 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.2.5 to 3.2.6 #4019 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.2.6 to 3.3.1 #4054 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.3.0 to 3.4.0 #4068 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4108 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 #4067 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 #4123 (@dependabot[bot])
- chore(deps): bump actions/stale from 7.0.0 to 8.0.0 #4077 (@dependabot[bot])
- chore(deps): bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 #3912 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 1.1.3 to 1.2.2 #4017 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 1.2.2 to 1.2.4 #4041 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 1.2.4 to 2.0.0 #4069 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.0.0 to 2.1.0 #4100 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.1.0 to 2.1.2 #4124 (@dependabot[bot])
- chore(deps): bump debian from 12931ad to 50cf570 #3950 (@dependabot[bot])
- chore(deps): bump debian from 50cf570 to 7b16406 #3970 (@dependabot[bot])
- chore(deps): bump debian from 7b16406 to c1c4bb9 #4042 (@dependabot[bot])
- chore(deps): bump debian from c1c4bb9 to d4bbca2 #4085 (@dependabot[bot])
- chore(deps): bump debian from d4bbca2 to 1fbdbcf #4115 (@dependabot[bot])
- chore(deps): bump distroless/base from 4f9fe94 to 9687cd3 #3968 (@dependabot[bot])
- chore(deps): bump distroless/base from 5812871 to 357bc96 #4102 (@dependabot[bot])
- chore(deps): bump distroless/base from 76b0529 to 4f9fe94 #3948 (@dependabot[bot])
- chore(deps): bump distroless/base from 8e770ae to 5812871 #4025 (@dependabot[bot])
- chore(deps): bump distroless/base from 9687cd3 to 8e770ae #3995 (@dependabot[bot])
- chore(deps): bump distroless/base from 9eeffdc to 76b0529 #3928 (@dependabot[bot])
- chore(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 #3942 (@dependabot[bot])
- chore(deps): bump docker/metadata-action from 4.3.0 to 4.4.0 #4122 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 #3941 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4055 (@dependabot[bot])
- chore(deps): bump fossa-contrib/fossa-action from 1.2.0 to 2.0.0 #3961 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.3 to 1.17.4 #3946 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.5 to 1.17.6 #4059 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.10 to 1.18.14 #4002 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.15 #4018 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.15 to 1.18.18 #4070 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.18 to 1.18.19 #4080 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.21 #4126 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.8 to 1.18.10 #3927 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.0 to 1.30.1 #3925 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.1 to 1.30.2 #3944 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.2 to 1.30.3 #3998 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.3 to 1.30.5 #4024 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.5 to 1.31.2 #4106 (@dependabot[bot])
- chore(deps): bump github.com/cloudflare/circl from 1.3.1 to 1.3.2 #3947 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.22+incompatible to 20.10.23+incompatible #3911 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.23+incompatible to 23.0.1+incompatible #3967 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible #4101 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.0 to 0.10.1 #4083 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.0 #4074 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.50.1 to 1.51.2 #4020 (@dependabot[bot])
- chore(deps): bump github.com/google/go-jsonnet from 0.19.1 to 0.20.0 #4140 (@dependabot[bot])
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 #4073 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.2.0 to 5.3.0 #3964 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.3.0 to 5.3.1 #4039 (@dependabot[bot])
- chore(deps): bump github.com/mholt/acmez from 1.0.4 to 1.1.0 #4000 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.47 to 7.0.50 #4081 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.50 to 7.0.52 #4128 (@dependabot[bot])
- chore(deps): bump github.com/natefinch/atomic from 0.0.0-20200526193002-18c0533a5b09 to 1.0.1 #4021 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.48.0 to 0.49.2 #4023 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.50.0 #4056 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.51.0 #4130 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.50.0 to 0.50.1 #4072 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.50.1 to 0.51.0 #4093 (@dependabot[bot])
- chore(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 #4088 (@dependabot[bot])
- chore(deps): bump github.com/ory/dockertest/v3 from 3.9.1 to 3.10.0 #4111 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 #4110 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.39.0 to 0.41.0 #4035 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.28.0 to 1.29.0 #3920 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.29.0 to 1.29.1 #4127 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.1 to 3.23.2 #4037 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.2 to 3.23.3 #4129 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 #3910 (@dependabot[bot])
- chore(deps): bump github.com/VictoriaMetrics/fastcache from 1.12.0 to 1.12.1 #4057 (@dependabot[bot])
- chore(deps): bump github.com/yuin/gopher-lua from 0.0.0-20200816102855-ee81675732da to 1.1.0 #4022 (@dependabot[bot])
- chore(deps): bump golang from 413cd9e to 73c225b #4114 (@dependabot[bot])
- chore(deps): bump golang from 4447a7f to f8fbd74 #3969 (@dependabot[bot])
- chore(deps): bump golang from 57dbdd5 to 97c3e1d #4084 (@dependabot[bot])
- chore(deps): bump golang from d99d361 to 9628a1a #4043 (@dependabot[bot])
- chore(deps): bump golang from 1.19.5-buster to 1.20.0-buster #3949 (@dependabot[bot])
- chore(deps): bump golang from 1.20.0-buster to 1.20.1-buster #3997 (@dependabot[bot])
- chore(deps): bump golang from 1.20.1-buster to 1.20.2-buster #4060 (@dependabot[bot])
- chore(deps): bump golang from 1.20.2-buster to 1.20.3-buster #4103 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.6.0 to 0.7.0 #4038 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 #4105 (@dependabot[bot])
- chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 #3993 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.4.0 to 0.5.0 #3963 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 #4036 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 #4113 (@dependabot[bot])
- chore(deps): bump google-github-actions/auth from 1.0.0 to 1.1.0 #4121 (@dependabot[bot])
- chore(deps): bump google-github-actions/setup-gcloud from 1.0.1 to 1.1.0 #3943 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.107.0 to 0.108.0 #3913 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.108.0 to 0.109.0 #3940 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.109.0 to 0.110.0 #3999 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.112.0 to 0.114.0 #4096 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 #4104 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.116.0 to 0.118.0 #4112 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.52.3 #3926 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.52.3 to 1.53.0 #3965 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.54.0 #4082 (@dependabot[bot])
- chore(deps): bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0 #3921 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.30.8 to 4.31.1 #3994 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.31.1 to 4.31.2 #4040 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.31.2 to 4.32.2 #4066 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.32.2 to 4.33.1 #4079 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.33.1 to 4.33.3 #4109 (@dependabot[bot])
- chore(deps): bump tibdex/github-app-token from 1.7.0 to 1.8.0 #3922 (@dependabot[bot])
- dependencies: upgrade go and envoy #4116 (@calebdoxsey)
v0.21.4 (2023-05-26)
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
Changed
- authorize: fix IsInternal check by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4199
- autocert: fix certmagic cache logging by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4135