Releases: open-policy-agent/opa-envoy-plugin
v1.13.2-envoy-2
input.parsed_field Security Vulnerability Fixed (GHSA-9f29-v6mm-pw6w)
This release contains a fix for a security vulnerability in how the input.parsed_path field is constructed. HTTP request paths are treated as full URIs when parsed, so leading path segments prefixed with double slashes (//) are interpreted as authority components and therefore dropped from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served.
Please see the Security Advisory for more information.
Authored by @thevilledev
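The parsing mismatch described above, reproduced with Go's standard net/url package as an added example (not the plugin's own code or its actual fix). The helper names, the way segments are split, and the sample paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// segments splits a decoded path into parts after trimming outer slashes.
// Assumption: a policy consumes the parsed path as an array like this.
func segments(p string) []string {
	return strings.Split(strings.Trim(p, "/"), "/")
}

// uriReferenceSegments parses the request path as a general URI reference.
// A leading "//" starts an authority, so the first segment ends up in Host.
func uriReferenceSegments(rawPath string) ([]string, error) {
	u, err := url.Parse(rawPath)
	if err != nil {
		return nil, err
	}
	return segments(u.Path), nil
}

// originFormSegments parses the same string as an HTTP request target.
// url.ParseRequestURI reads no authority from a scheme-less leading "//".
func originFormSegments(rawPath string) ([]string, error) {
	u, err := url.ParseRequestURI(rawPath)
	if err != nil {
		return nil, err
	}
	return segments(u.Path), nil
}

// dropsSegments reports whether the two interpretations disagree.
// Parse errors count as a mismatch so that a caller can fail closed.
func dropsSegments(rawPath string) bool {
	a, errA := uriReferenceSegments(rawPath)
	b, errB := originFormSegments(rawPath)
	if errA != nil || errB != nil {
		return true
	}
	return strings.Join(a, "/") != strings.Join(b, "/")
}

func main() {
	// Constructed sample request paths, not taken from the advisory.
	for _, p := range []string{"/api/v1/users?x=1", "//admin/secret"} {
		a, _ := uriReferenceSegments(p)
		b, _ := originFormSegments(p)
		fmt.Printf("%-22q uri-reference=%q origin-form=%q mismatch=%v\n", p, a, b, dropsSegments(p))
	}
}
```

A check like dropsSegments can also serve as a regression test or as a log-review filter for request paths that begin with a double slash.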
What's Changed
- fix: input.parsed_field Security Vulnerability by @thevilledev in 58c44d4e
- fix: update Envoy and Rego config in quickstart by @thevilledev in #807
- docs(readme): add note about repository size by @thevilledev in #808
- build: bump go 1.25.5 -> 1.25.7 by @johanfylling in #814
  Resolving vulnerability: GO-2026-4337.
- build(deps): bump the go-opentelemetry-io group with 6 updates by @dependabot[bot] in #805
- build(deps): bump golang.org/x/tools from 0.41.0 to 0.42.0 by @dependabot[bot] in #810
- build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1 by @dependabot[bot] in #811
- build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.36.0 to 1.37.0 by @dependabot[bot] in #812
- build(deps): bump github.com/open-policy-agent/opa from 1.13.1 to 1.13.2 by @dependabot[bot] in #813
New Contributors
- @thevilledev made their first contribution in #808
Full Changelog: v1.13.1-envoy...v1.13.2-envoy-2
v1.13.1-envoy
What's Changed
- build(deps): bump github.com/open-policy-agent/opa from 1.13.0 to 1.13.1 by @dependabot[bot] in #804
v1.13.0-envoy
What's Changed
- build(deps): bump golang.org/x/tools from 0.40.0 to 0.41.0 by @dependabot[bot] in #801
- build(deps): bump github.com/open-policy-agent/opa from 1.12.2 to 1.12.3 by @dependabot[bot] in #802
- build(deps): bump github.com/open-policy-agent/opa from 1.12.3 to 1.13.0 by @dependabot[bot] in #803
v1.12.2-envoy
What's Changed
- build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 by @dependabot[bot] in #798
- build: bump golang 1.25.4 -> 1.25.5 by @srenatus in #799
- build(deps): bump github.com/open-policy-agent/opa from 1.12.1 to 1.12.2 by @dependabot[bot] in #800
v1.12.1-envoy
What's Changed
- build(deps): bump github.com/open-policy-agent/opa from 1.12.0 to 1.12.1 by @dependabot[bot] in #796
v1.12.0-envoy
What's Changed
- build(deps): bump github.com/open-policy-agent/opa from 1.11.1 to 1.12.0 by @dependabot[bot] in #795
v1.11.1-envoy
What's Changed
- build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 by @dependabot[bot] in #784
- build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #788
- build(deps): bump github.com/open-policy-agent/opa from 1.11.0 to 1.11.1 by @dependabot[bot] in #794
- build(deps): bump the go-opentelemetry-io group with 6 updates by @dependabot[bot] in #791
- build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 by @dependabot[bot] in #793
- build(deps): bump golang.org/x/tools from 0.39.0 to 0.40.0 by @dependabot[bot] in #792
Full Changelog: v1.11.0-envoy...v1.11.1-envoy-3
v1.11.0-envoy
Features and Fixes
- Updating expired Istio example certs by @johanfylling in #790
Dependency Updates
- build(deps): bump opa to 1.11.0 by @johanfylling in #789
- build: bump golang to 1.25.4 by @srenatus in #783
- build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.0 to 1.36.0 by @dependabot[bot] in #779
- build(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 by @dependabot[bot] in #781
- build(deps): bump golang.org/x/tools from 0.38.0 to 0.39.0 by @dependabot[bot] in #782
- build(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 by @dependabot[bot] in #785
v1.10.0-envoy
Features and Fixes
- Fix/check context cancel logging by @abdullahalrifat in #773
Dependency Updates
- build(deps): bump the go-opentelemetry-io group with 2 updates by @dependabot[bot] in #771
- build(deps): bump google.golang.org/grpc from 1.75.1 to 1.76.0 by @dependabot[bot] in #776
- build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.32.4 to 1.35.0 by @dependabot[bot] in #774
- build(deps): bump golang.org/x/tools from 0.37.0 to 0.38.0 by @dependabot[bot] in #777
- build(deps): bump google.golang.org/protobuf from 1.36.9 to 1.36.10 by @dependabot[bot] in #775
- bump opa to v1.10.0 by @sspaink in #778
New Contributors
- @abdullahalrifat made their first contribution in #773
v1.9.0-envoy
Dependency Updates
- build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #760
- build(deps): bump golang.org/x/tools from 0.36.0 to 0.37.0 by @dependabot[bot] in #769
- build(deps): bump google.golang.org/grpc from 1.75.0 to 1.75.1 by @dependabot[bot] in #768
- build(deps): bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2 by @dependabot[bot] in #767
- build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.9 by @dependabot[bot] in #766
- build(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 by @dependabot[bot] in #770