Sourced from github.com/coredns/coredns's releases.

v1.12.4

This release improves stability and security, fixing context propagation in DoH, label offset handling in the file plugin, and connection leaks in gRPC and transfer. It also adds support for the prefer option in loadbalance, introduces timeouts to the metrics server, and fixes several security vulnerabilities (see details in related security advisories).

Brought to You By

Archy Ilya Kulakov Olli Janatuinen Qasim Sarfraz Syed Azeez Ville Vesilehto wencyu Yong Tang

Noteworthy Changes

• core: Improve caddy.GracefulServer conformance checks (coredns/coredns#7416)
• core: Propagate HTTP request context in DoH (coredns/coredns#7491)
• plugin/file: Fix label offset problem in ClosestEncloser (coredns/coredns#7465)
• plugin/grpc: Check proxy list length in policies (coredns/coredns#7512)
• plugin/grpc: Fix span leak and deadline on error attempt (coredns/coredns#7487)
• plugin/header: Remove deprecated syntax (coredns/coredns#7436)
• plugin/loadbalance: Support prefer option (coredns/coredns#7433)
• plugin/metrics: Add timeouts to metrics HTTP server (coredns/coredns#7469)
• plugin/trace: Migrate dd-trace-go v1 to v2 (coredns/coredns#7466)
• plugin/transfer: Fix goroutine leak on axfr err (coredns/coredns#7516)

v1.12.3

This release improves plugin reliability and standards compliance, adding startup timeout to the Kubernetes plugin, fallthrough to gRPC, and EDNS0 unset to rewrite. The file plugin now preserves SRV record case per RFC 6763, route53 is updated to AWS SDK v2, and multiple race conditions in cache and connection handling in forward are fixed.

Brought to You By

blakebarnett Brennan Kinney Cameron Steel Dave Brown Dennis Simmons Guillaume Jacquet harshith-2411-2002 houpo-bob Oleg Guba Sebastian Mayr

... (truncated)

• f323295 build(deps): bump github/codeql-action from 3.30.0 to 3.30.1 (#7528)
• 3fc046f build(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 (#7525)
• 1b35ba1 build(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 (#7527)
• 8f76d6f build(deps): bump actions/stale from 9.1.0 to 10.0.0 (#7526)
• ddc1878 build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#7524)
• f74bf9c build(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 (#7523)
• cbc32d2 build(deps): bump github.com/aws/aws-sdk-go-v2/service/route53 (#7521)
• 51d59e5 build(deps): bump golang.org/x/sys from 0.35.0 to 0.36.0 (#7520)
• a62ef5d build(deps): bump github.com/DataDog/dd-trace-go/v2 from 2.2.2 to 2.2.3 (#7519)
• 96819ed Update note and versioon for 1.12.4 release (#7518)
• Additional commits viewable in compare view

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.2

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

v4.5.1

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

• Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

v4.5.0

What's Changed

• Allow strict base64 decoding by @​AlexanderYastrebov in golang-jwt/jwt#259

Full Changelog: golang-jwt/jwt@v4.4.3...v4.5.0

v4.4.3

What's Changed

• fix: link update for README.md for v4 by @​krokite in golang-jwt/jwt#217
• Implement a BearerExtractor by @​WhyNotHugo in golang-jwt/jwt#226
• Bump matrix to support latest go version (go1.19) by @​mfridman in golang-jwt/jwt#231
• Include https://github.com/golang-jwt/jwe in README by @​oxisto in golang-jwt/jwt#229
• Add doc comment to ParseWithClaims by @​jkopczyn in golang-jwt/jwt#232
• Refactor: removed the unneeded if statement by @​Krout0n in golang-jwt/jwt#241
• No pointer embedding in the example by @​oxisto in golang-jwt/jwt#255

New Contributors

• @​krokite made their first contribution in golang-jwt/jwt#217
• @​WhyNotHugo made their first contribution in golang-jwt/jwt#226
• @​jkopczyn made their first contribution in golang-jwt/jwt#232
• @​Krout0n made their first contribution in golang-jwt/jwt#241

Full Changelog: golang-jwt/jwt@v4.4.2...v4.4.3

v4.4.2

What's Changed

• Added MicahParks/keyfunc to extensions by @​oxisto in golang-jwt/jwt#194
• Update link to v4 on pkg.go.dev page by @​polRk in golang-jwt/jwt#195

... (truncated)

• 2f0e9ad Backporting 0951d18 to v4
• 7b1c1c0 Merge commit from fork
• 9358574 Allow strict base64 decoding (#259)
• 2f0984a Using tparse for nicer CI test display (#251)
• 2101c1f No pointer embedding in the example (#255)
• 35053d4 Removed unneeded if statement (#241)
• 0c4e387 Add doc comment to ParseWithClaims (#232)
• bfea432 Include https://github.com/golang-jwt/jwe in README (#229)
• d81acbf Bump matrix to support latest go version (go1.19) (#231)
• fdaf0eb Implement a BearerExtractor (#226)
• Additional commits viewable in compare view

Sourced from github.com/minio/console's releases.

Release version v0.28.0

Changelog

• fc9319e55 Added identifier field to Event destinations page & migrated to mds (#2816)
• beed4895c Apply permission check for create accesskey button (#2822)
• dc90db659 Changed SSO Login screen to hide login form by default (#2807)
• 7a9b775b0 Changed Share Object logic to use Access Keys (#2827)
• 920fc7d93 Fix Subpath behavior (#2818)
• 629dd669c Fix anonymous access rule not displayed due to style (#2820)
• 6e314a2fa Fix crash when backend has no rrSCParity property (#2826)
• d93537261 Fix download of large files in Console (#2773)
• 58b64a573 Fixed an issue with allowResources & KeyBar (#2817)
• 028570279 Migrated Access Keys page components to mds (#2834)
• 57bfe97d0 Release v0.28.0 (#2831)
• 17e791afb Replace RIGHT-TO-LEFT OVERRIDE unicode (#2828)
• 22ec87d00 improve playwright tests with refactoring and clean up (#2809)
• bda1cd1f2 mds-released-V0.4.3 (#2830)
• b87b4156e mds-released-v0.4.2 (#2815)

Release version v0.27.0

Changelog

• cde6d1b0e Added Disable login animation with env variable (#2799)
• be60569a1 Changed Object Browser components to use new mds components (#2796)
• 1583b69fb Made Service Account creation consistent with mc (#2801)
• 93f010b88 Release v0.27.0 (#2813)
• c117601e5 Update madmin-go to 2.1.1 (#2810)
• c5d4cdf1b fix to show or hide show deleted objects option based on versioning status (#2780)
• f78f838ed mds-released-v0.4.1 (#2808)

Release version v0.26.4

Changelog

• 4d783c5e4 Added Object Version read-only field in Edit Lifecycle Modal (#2772)
• 81e0c82fe Changed GitHub labels (#2768)
• 0dacc4d49 Changed breadcrumbs back button behavior (#2776)
• 211ab3fd9 Fix incorrect logo appearing for Standard License holders (#2797)
• 8882f1da0 Fix yaml vulnerability (#2785)
• 75b3a6bea Fixed Object Version selector visibility in Add Lifecycle Rule modal (#2769)
• f7a7f01d7 Fixed issue while getting locking status of a bucket (#2790)
• 6020590b2 Make playwright run faster (#2737)
• 51226a74d Release v0.26.4 (#2798)
• 0e0f5030d Remove health diagnostic warning (#2779)
• 056d487f1 Show progress bar when loading Usage Info (#2784)
• b8083215b Update Dev Docs with MinIO naming conventions (#2783)
• 61c864e74 Update Dev Documentation (#2781)
• 1477def4f Updated Console UI dependencies (#2787)
• fb5193d89 Updated mds to v0.4.0 (#2794)
• 29507cda7 Updated xml2js library (#2770)
• e983473a5 Upgrade Go Dependencies (#2786)
• 2c84a5293 Use FormLayout from mds (#2788)
• 90c8ea7f0 Use PageLayout from mds (#2789)

... (truncated)

• 57bfe97 Release v0.28.0 (#2831)
• 0285702 Migrated Access Keys page components to mds (#2834)
• bda1cd1 mds-released-V0.4.3 (#2830)
• 7a9b775 Changed Share Object logic to use Access Keys (#2827)
• 17e791a Replace RIGHT-TO-LEFT OVERRIDE unicode (#2828)
• 920fc7d Fix Subpath behavior (#2818)
• 6e314a2 Fix crash when backend has no rrSCParity property (#2826)
• dc90db6 Changed SSO Login screen to hide login form by default (#2807)
• beed489 Apply permission check for create accesskey button (#2822)
• 629dd66 Fix anonymous access rule not displayed due to style (#2820)
• Additional commits viewable in compare view

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.10.27

Changelog

Go Version

• 1.24.1

CVEs

• This release contains fixes for CVE-2025-30215, a CRITICAL severity vulnerability affecting all NATS Server versions from v2.2.0, prior to v2.11.1 or v2.10.27.

Fixed

JetStream

• Correctly validate the calling account on a number of system API calls
• Check system and account limits when processing a stream restore
• Fixed a performance regression when using max messages per subject of 1 (#6688)

Complete Changes

nats-io/nats-server@v2.10.26...v2.10.27

Release v2.10.27-binary

Changelog

Go Version

• 1.24.1

CVEs

• This is a binary-only release containing fixes for CVE-2025-30215, a CRITICAL severity vulnerability affecting all NATS Server versions from v2.2.0, prior to v2.11.1 or v2.10.27. Public disclosure of the details, including the source code, will be made available no sooner than a week from the release date. All environments should update as soon as possible. For workflows that rely on building from source, we recommend using the binary in the interim.

Release v2.10.26

Changelog

Refer to the 2.10 Upgrade Guide for backwards compatibility notes with 2.9.x.

Go Version

• 1.23.6 (#6452)

Dependencies

• github.com/nats-io/nats.go v1.39.1 (#6574)
• golang.org/x/crypto v0.34.0 (#6574)
• golang.org/x/sys v0.30.0 (#6487)
• golang.org/x/time v0.10.0 (#6487)
• github.com/nats-io/nkeys v0.4.10 (#6494)

... (truncated)

• 6b830a9 Release v2.10.27
• c6bbff7 Release v2.10.27-binary
• 4b0e2ca Test subject state optimization
• d984613 Optimize removeSeqPerSubject() for MaxMsgPerSubject == 1
• 406f836 Improved request account validation
• 372d7c5 Check server and account limits on stream restore
• 20019bf Import GitHub Actions, goreleaser and golangci-lint workflow changes from main
• 14fa949 Release v2.10.26
• 50ee75c Release v2.10.26-RC.7
• 723dca8 Fix for data race for c.out
• Additional commits viewable in compare view

• See full diff in compare view

Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.25

v1.2.25 23 May 2022
[Bug Fixes][Security]
  * [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding,
    where the unpad operation might remove more bytes than necessary ([#744](https://github.com/lestrrat-go/jwx/issues/744))
    This affects all jwx code that is available before v2.0.2 and v1.2.25.

v1.2.24

v1.2.24 05 May 2022
[Security]
  * Upgrade golang.org/x/crypto ([#724](https://github.com/lestrrat-go/jwx/issues/724))

v1.2.23

v1.2.23 13 Apr 2022
[Bug fixes]
  * [jwk] jwk.AutoRefresh had a race condition when `Configure()` was
    called concurrently ([#686](https://github.com/lestrrat-go/jwx/issues/686))
    (It has been patched correctly, but we may come back to revisit
     the design choices in the near future)

v1.2.22

v1.2.22 08 Apr 2022
[Bug fixes]
  * [jws] jws.Verify was ignoring the `b64` header when it was present
    in the protected headers ([#681](https://github.com/lestrrat-go/jwx/issues/681)). Now the following should work:
  jws.Sign(..., jws.WithDetachedPayload(payload))
  // previously payload had to be base64 encoded
  jws.Verify(..., jws.WithDetachedPayload(payload))
(note: v2 branch was not affected)

v1.2.21

v1.2.21 30 Mar 2022
[Bug fixes]
  * [jwk] RSA keys without p and q can now be parsed.

v1.2.20

v1.2.20 03 Mar 2022
</tr></table> 

... (truncated)

Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.25 23 May 2022 [Bug Fixes][Security]

• [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding, where the unpad operation might remove more bytes than necessary (#744) This affects all jwx code that is available before v2.0.2 and v1.2.25.

v1.2.24 05 May 2022 [Security]

• Upgrade golang.org/x/crypto (#724)

v1.2.23 13 Apr 2022 [Bug fixes]

• [jwk] jwk.AutoRefresh had a race condition when Configure() was called concurrently (#686) (It has been patched correctly, but we may come back to revisit the design choices in the near future)

v1.2.22 08 Apr 2022 [Bug fixes]

• [jws] jws.Verify was ignoring the b64 header when it was present in the protected headers (#681). Now the following should work:

  jws.Sign(..., jws.WithDetachedPayload(payload)) // previously payload had to be base64 encoded jws.Verify(..., jws.WithDetachedPayload(payload))

  (note: v2 branch was not affected)

v1.2.21 30 Mar 2022 [Bug fixes]

• [jwk] RSA keys without p and q can now be parsed.

v1.2.20 03 Mar 2022 [Miscellaneous]

• Dependency on golang.org/x/crypto has been upgraded to v0.0.0-20220214200702-86341886e292 to address https://nvd.nist.gov/vuln/detail/CVE-2020-14040 (#598)

• ad8c29d merge develop/v1 (#747)
• e38f677 Merge develop/v1 (#727)
• baba561 Merge branch 'develop/v1' into v1
• 8ff6c75 Update Changes
• ea97e8c Fix race in jwk.AutoRefresh (#686)
• f4701e1 Update Changes
• e831228 Fix jws.Verify not respecting the b64 header in the protected headers (#683)
• b66a2cb backport: Update golangci lint (#679) (#680)
• 4899c32 reword error
• dd9e4c4 Bump github.com/lestrrat-go/httpcc from 1.0.0 to 1.0.1 (#675)
• Additional commits viewable in compare view

• See full diff in compare view

• 425d715 go.mod: update golang.org/x dependencies
• b6d2645 go.mod: update golang.org/x dependencies
• 8072180 go.mod: update golang.org/x dependencies
• 6cacac1 go.mod: update tagx:ignore'd golang.org/x dependencies
• 700cc20 go.mod: update golang.org/x dependencies
• 4890c57 go.mod: update golang.org/x dependencies
• 566b44f go.mod: update golang.org/x dependencies
• d5156da collate/build: do not use println in tests
• 221d88c x/text: fix scientific notation by removing extraneous spaces
• b18c107 internal/export/unicode: change C comment to mention unassigned code points
• Additional commits viewable in compare view

Sourced from google.golang.org/grpc's releases.

Release 1.75.0

Behavior Changes

• xds: Remove support for GRPC_EXPERIMENTAL_XDS_FALLBACK environment variable. Fallback support can no longer be disabled. (#8482)
• stats: Introduce DelayedPickComplete event, a type alias of PickerUpdated. (#8465)
  • This (combined) event will now be emitted only once per call, when a transport is successfully selected for the attempt.
  • OpenTelemetry metrics will no longer have multiple "Delayed LB pick complete" events in Go, matching other gRPC languages.
  • A future release will delete the PickerUpdated symbol.
• credentials: Properly apply grpc.WithAuthority as the highest-priority option for setting authority, above the setting in the credentials themselves. (#8488)
  • Now that this WithAuthority is available, the credentials should not be used to override the authority.
• round_robin: Randomize the order in which addresses are connected to in order to spread out initial RPC load between clients. (#8438)
• server: Return status code INTERNAL when a client sends more than one request in unary and server streaming RPC. (#8385)
  • This is a behavior change but also a bug fix to bring gRPC-Go in line with the gRPC spec.

New Features

• dns: Add an environment variable (GRPC_ENABLE_TXT_SERVICE_CONFIG) to provide a way to disable TXT lookups in the DNS resolver (by setting it to false). By default, TXT lookups are enabled, as they were previously. (#8377)

Bug Fixes

• xds: Fix regression preventing empty node IDs in xDS bootstrap configuration. (#8476)
  • Special Thanks: @​davinci26
• xds: Fix possible panic when certain invalid resources are encountered. (#8412)
  • Special Thanks: @​wooffie
• xdsclient: Fix a rare panic caused by processing a response from a closed server. (#8389)
• stats: Fix metric unit formatting by enclosing non-standard units like call and endpoint in curly braces to comply with UCUM and gRPC OpenTelemetry guidelines. (#8481)
• xds: Fix possible panic when clusters are removed from the xds configuration. (#8428)
• xdsclient: Fix a race causing "resource doesn not exist" when rapidly subscribing and unsubscribing to the same resource. (#8369)
• client: When determining the authority, properly percent-encode (if needed, which is unlikely) when the target string omits the hostname and only specifies a port (grpc.NewClient(":<port-number-or-name>")). (#8488)

Release 1.74.3

Bug Fixes

• xds: Fix a regression preventing empty node IDs in the bootstrap configuration. (#8476 , #8483)
• xdsclient: Fix a data race caused while reporting load to LRS. (#8483)
• server: Fix a regression preventing streams from being cancelled or timed out when blocked on flow control. (#8528)

Release 1.74.2

New Features

• grpc: introduce new DialOptions and ServerOptions (WithStaticStreamWindowSize, WithStaticConnWindowSize, StaticStreamWindowSize, StaticConnWindowSize) that force fixed window sizes for all HTTP/2 connections. By default, gRPC uses dynamic sizing of these windows based upon a BDP estimation algorithm. The existing options (WithInitialWindowSize, etc) also disable BDP estimation, but this behavior will be changed in a following release. (#8283)

API Changes

• balancer: add ExitIdle method to Balancer interface. Earlier, implementing this method was optional. (#8367)

Behavior Changes

• xds: Remove the GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST environment variable that allows disabling the least request balancer with xDS. Least request was made available by default with xDS in v1.72.0. (#8248)
  • Special Thanks: @​atollena

... (truncated)

• b9788ef Change version to 1.75.0 (#8493)
• 2bd74b2 credentials: fix behavior of grpc.WithAuthority and credential handshake prec...
• 9fa3267 xds: remove xds client fallback environment variable (#8482)
• 62ec29f grpc: Fix cardinality violations in non-client streaming RPCs. (#8385)
• 85240a5 stats: change non-standard units to annotations (#8481)
• ac13172 update deps (#8478)
• 0a895bc examples/opentelemetry: use experimental metrics in example (#8441)
• 8b61e8f xdsclient: do not process updates from closed server channels (#8389)
• 7238ab1 Allow empty nodeID (#8476)
• 9186ebd cleanup: use slices.Equal to simplify code (#8472)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.