What's Changed

• fix: reuse lint by @h4x3rotab in #316
• Add dstack-sdk-type version in Cargo.toml by @kvinwang in #319
• ra-tls: Add KeyCertSign and CrlSign usages for CA certs by @kvinwang in #320
• IMP: Typing & schema for TcbInfo in SDK by @Leechael in #317
• Fix gateway dockerfile by @kvinwang in #323
• build(deps): bump hono from 4.8.5 to 4.9.6 in /kms/auth-eth-bun by @dependabot[bot] in #322
• build(deps): bump undici in /kms/auth-eth by @dependabot[bot] in #324
• Read qemu path from /etc/dstack/client.conf by @kvinwang in #332
• attestation.md: no rootfs hash in RTMR3 by @kvinwang in #333
• fix: dstack-sdk fails build due to alloy by @DSharifi in #335
• rust-sdk v0.1.1 by @kvinwang in #336
• build(deps): bump hono from 4.9.6 to 4.9.7 in /kms/auth-eth-bun by @dependabot[bot] in #329
• build(deps): bump hono from 4.8.5 to 4.9.6 in /kms/auth-mock by @dependabot[bot] in #327
• Revert the cert subject changes by @kvinwang in #338
• Add init_script in app-compose.json by @kvinwang in #337
• dstack-mr: Add qemu_version in VmConfig by @kvinwang in #340
• Add rust implementation of dstack-verifier by @kvinwang in #341
• Update GH workflow to push images to org by @kvinwang in #342
• Update attestation.md to use latest dstack-mr by @kvinwang in #344
• sdks: set roofs_hash optional in TcbInfo & increase default timeout in Python SDK by @Leechael in #339
• dstack-mr: Fix potential panic due to int overflow by @kvinwang in #345
• Fix deployment.md by @kvinwang in #346
• imp: when formatting app_url, skip port if it's 443 by @Leechael in #326
• Replace kvin.wang with dstack.org by @kvinwang in #343
• vmm: Fix VmConfig decode error by @kvinwang in #347
• cvm: Set max app compose size to 256K by @kvinwang in #349
• cvm: Auto reconnect when wg get stucked by @kvinwang in #350
• Update gatewa/deploy-to-vmm.sh by @kvinwang in #354
• Create crate size-parser by @kvinwang in #355
• vmm: Refactor sys-config generation code by @kvinwang in #351
• User size-parser in vmm config by @kvinwang in #357
• cvm: Support for ext4 by @kvinwang in #348
• Add gateway registration on the KMS by @Evrard-Nil in #359
• cvm: Add built-in swap config by @kvinwang in #358
• dstack v0.5.5 by @kvinwang in #362
• doc for min ver of each compose field by @kvinwang in #363
• fix(sdk): sync all SDKs with protobuf schema by @h4x3rotab in #366
• build(deps): bump esbuild and vitest in /sdk/js by @dependabot[bot] in #367
• chore: python sdk bump to 0.5.3 & js sdk bump to 0.5.7 by @Leechael in #368
• Rust sdk v0.1.2 by @kvinwang in #369
• Add rust sdk release workflow by @kvinwang in #370
• guest-agent: Request demo cert lazily by @kvinwang in #371
• cvm: Remove docker config from app compose by @kvinwang in #374

New Contributors

• @Evrard-Nil made their first contribution in #359

Full Changelog: v0.5.4...v0.5.5

Docker Image Information

Image: docker.io/dstacktee/dstack-verifier:0.5.5

Digest (SHA256): sha256:4f73795d1a8b20d7e168b311f83a1906c28b4610c59dfa74983bf15f28d9aae4

Verification: Verify on Sigstore

Docker Image Information

Image: docker.io/dstacktee/dstack-kms:0.5.5

Digest (SHA256): sha256:11ac59f524a22462ccd2152219b0bec48a28ceb734e32500152d4abefab7a62a

Verification: Verify on Sigstore

Contract ABIs

This release includes the compiled contract ABIs:

• DstackKms.json - Main KMS contract ABI
• DstackApp.json - Application contract ABI

Docker Image Information

Image: docker.io/dstacktee/dstack-gateway:0.5.5

Digest (SHA256): sha256:a7b7e3144371b053ba21d6ac18141afd49e3cd767ca2715599aa0e2703b3a11a

Verification: Verify on Sigstore

Docker Image Information

Image: docker.io/dstacktee/dstack-verifier:0.5.4

Digest (SHA256): sha256:3f36162ca8dd2d4207601a6302881de6b497e610eb44050bb0874776fc8ded07

Verification: Verify on Sigstore

Docker Image Information

Image: docker.io/dstacktee/dstack-gateway:0.5.4

Digest (SHA256): sha256:72973d8dc3577bd325392898681cba2eb727f86db1fecbd8e72134f2b00609f6

Verification: Verify on Sigstore

Docker Image Information

Image: docker.io/dstacktee/dstack-kms:0.5.4

Digest (SHA256): sha256:56dfd86424a3473dc75a11876687aa62ceee03e031e02a9ab1aad494dcabd19c

Verification: Verify on Sigstore

Contract ABIs

This release includes the compiled contract ABIs:

• DstackKms.json - Main KMS contract ABI
• DstackApp.json - Application contract ABI

dstack v0.5.4 Release Notes

Critical Security Update

• Fixed LUKS header validation vulnerability (GHSA-jxq2-hpw3-m5wf)

Major Features & Improvements

Enhanced SDK Support

• sdk/js: browser compatible - JavaScript SDK now works in web browsers without Node.js
• sdk/rust: implement borsh serialization - Added Borsh support and Debug traits for all public types
• sdk/rust: break up dstack-sdk into two crates - Separated client and types for no_std compatibility
• sdk/python - Added async/await support and improved API compatibility

Performance & Infrastructure

• cvm: Support for more than 255 CPUs - Removed hardware CPU count limitations
• vmm: Added one-shot VM mode - VMs automatically terminate after task completion
• gateway: Add gRPC support for TLS termination proxy - Enhanced protocol support
• vmm: Support for using passt as network egress - Alternative to traditional TAP networking

Developer Experience

• Comprehensive documentation updates including:
  • Security audit report and documentation
  • Contributing guidelines (CONTRIBUTING.md)
  • Git-cliff based changelog generation
• Media kit and branding updates
• SPDX license annotations throughout codebase
• GitHub Actions for automated gateway/KMS releases

Technical Improvements

Gateway & Networking

• gateway: Fix reserved ip allocation - Resolved IP address assignment conflicts
• gateway: Add api for evidences - New endpoint for cryptographic evidence collection
• gateway: Add 0.3.x compatibility custom domain dns prefix - Backward compatibility for legacy domains
• gateway: Remove duplicate node IP address - Fixed network configuration redundancy

VM Management

• kms: ACPI Tables Dynamic Generation - Runtime ACPI table creation for better hardware compatibility
• vmm-cli: Add --stopped and --user-config - New CLI options for VM state management
• vmm: Allow updating non-kms VMs - Support for updating VMs without KMS integration
• vmm: remove max disk size limit - Removed artificial storage constraints

Build & Dependencies

• build(deps): bump tokio from 1.44.1 to 1.46.1 - Updated async runtime with performance improvements
• Add reproducible docker image builder for KMS - Deterministic builds for security verification
• build(deps): Security patches - Updated elliptic, axios, sha.js via automated dependency management
• prpc: Move generated files to OUT_DIR - Improved build artifact organization

Project Growth

• 12 new contributors joined the project
• 70+ pull requests merged
• Enhanced testing with comprehensive feature coverage
• Improved documentation and developer guides

New Contributors

Welcome to our new community members:

• @tolak, @ImTei, @DSharifi, @crStiv
• @shelvenzhou, @Olexandr88, @pbeza, @bravesasha

Resources

• Full Changelog: v0.5.3...v0.5.4
• Security Advisory: GHSA-jxq2-hpw3-m5wf
• Documentation: Dstack Docs

⚠️ Upgrade Recommendation: This release contains critical security fixes. All users should upgrade immediately.

Docker Image Information

Image: docker.io/kvin/kms:0.5.3

Digest (SHA256): sha256:0c80eae6bc695fc5ce4239880e8091590e8830fb89a0e7f54116d46a419c6bf4

Verification: Verify on Sigstore

Contract ABIs

This release includes the compiled contract ABIs:

• DstackKms.json - Main KMS contract ABI
• DstackApp.json - Application contract ABI

Docker Image Information

Image: docker.io/kvin/gateway:0.5.3

Digest (SHA256): sha256:9730d87874c16778e39a6fcbb7317d405421cde397a8f7d394983c8a2a2e2f4e

Verification: Verify on Sigstore