• 90650dd Release 2026-03-26
• dd88818 Regenerated Clients
• b662c50 Update endpoints model
• 500a9cb Update API model
• 6221102 fix stale skew and delayed skew healing (#3359)
• 0a39373 fix order of generated event header handlers (#3361)
• 098f389 Only generate resolveAccountID when it's required (#3360)
• 6ebab66 Release 2026-03-25
• b2ec3be Regenerated Clients
• abc126f Update API model
• Additional commits viewable in compare view

Sourced from github.com/google/go-containerregistry's releases.

v0.21.5

What's Changed

• Bump docker/cli v29.4.0, moby/api v1.54.1, moby/client v0.4.0 by @​thaJeztah in google/go-containerregistry#2254
• update to Go 1.26.2 by @​thaJeztah in google/go-containerregistry#2255
• Bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 in the actions group across 1 directory by @​dependabot[bot] in google/go-containerregistry#2257
• build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 in the go-deps group across 1 directory by @​dependabot[bot] in google/go-containerregistry#2260

Full Changelog: google/go-containerregistry@v0.21.4...v0.21.5

v0.21.4

What's Changed

• go.mod: do not make a viral minimum go version by @​howardjohn in google/go-containerregistry#2237
• Avoid pruning absolute links from extracted and flattened images by @​Subserial in google/go-containerregistry#2241
• Bump the go-deps group across 3 directories with 5 updates by @​dependabot[bot] in google/go-containerregistry#2245
• fix: update to go1.25.8, and use separate .go-version file by @​thaJeztah in google/go-containerregistry#2246
• Bump CI go version to 1.26.1 by @​Subserial in google/go-containerregistry#2242
• Bump codecov/codecov-action from 5.5.2 to 5.5.3 in the actions group by @​dependabot[bot] in google/go-containerregistry#2240
• fork distribution client v3 auth-challenge as an internal package (squashed) by @​thaJeztah in google/go-containerregistry#2248
• transport: validate Bearer realm URL to prevent SSRF by @​evilgensec in google/go-containerregistry#2243
• revert path traversal and symlink escape from #2227 by @​Subserial in google/go-containerregistry#2250
• Fix pkg/v1/google/auth tests for arm64 by @​Subserial in google/go-containerregistry#2085
• goreleaser: Update goreleaser config and GH action by @​Subserial in google/go-containerregistry#2253

New Contributors

• @​evilgensec made their first contribution in google/go-containerregistry#2243

Full Changelog: google/go-containerregistry@v0.21.3...v0.21.4

• 5b80281 build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 in the go-deps gro...
• b99bca2 build(deps): bump aws-actions/configure-aws-credentials (#2257)
• f8be1d4 update to Go 1.26.2 (#2255)
• 87ad88b Bump docker/cli v29.4.0, moby/api v1.54.1, moby/client v0.4.0 (#2254)
• e8813dd goreleaser: Update goreleaser config and GH action for releases (#2253)
• e90447d replace gcloud in binary calls in pkg/v1/google tests (#2085)
• 0d0368c revert path traversal and symlink escape changes (#2250)
• a2f47d4 transport: validate Bearer realm URL to prevent SSRF (#2243)
• 19a36cd fork distribution client v3 auth-challenge as an internal package (squashed) ...
• c612a9b Bump codecov/codecov-action from 5.5.2 to 5.5.3 in the actions group (#2240)
• Additional commits viewable in compare view

Sourced from github.com/letsencrypt/boulder's releases.

v0.20260406.0

What's Changed

• test: Upgrade consul to 1.22.6 by @​inahga in letsencrypt/boulder#8696
• Remove registrations.LockCol by @​aarongable in letsencrypt/boulder#8698
• bad-key-revoker: Require maxExpectedReplicationLag by @​jprenken in letsencrypt/boulder#8693
• deps: update pkcs11 and pkcs11key by @​jsha in letsencrypt/boulder#8692
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @​dependabot[bot] in letsencrypt/boulder#8699

Full Changelog: letsencrypt/boulder@v0.20260331.0...v0.20260406.0

v0.20260331.0

What's Changed

• grpc: implement OnHealthy by @​jsha in letsencrypt/boulder#8686
• deps: update grpc to 1.79.3 by @​jsha in letsencrypt/boulder#8685
• Remove deprecated flags by @​jsha in letsencrypt/boulder#8684
• test: make nonce-srv-v2 / noncev2 the default by @​jsha in letsencrypt/boulder#8689
• va: Add experimental VA for testing Hickory by @​beautifulentropy in letsencrypt/boulder#8688
• ra: remove MaxNames config field by @​jsha in letsencrypt/boulder#8691
• grpc: Advertise h2 support in ALPN by @​inahga in letsencrypt/boulder#8697

New Contributors

• @​inahga made their first contribution in letsencrypt/boulder#8697

Full Changelog: letsencrypt/boulder@v0.20260324.0...v0.20260331.0

v0.20260324.0

What's Changed

• test: add health check for bvitess by @​jsha in letsencrypt/boulder#8658
• crl/va/test: Let the bodies hit the Close() by @​beautifulentropy in letsencrypt/boulder#8682
• noncebalancer: use endpointsharding, ignore ready status by @​jsha in letsencrypt/boulder#8679
• wfe/ra/va/pa: Add support for draft-ietf-acme-dns-persist-00 by @​beautifulentropy in letsencrypt/boulder#8660
• CTPolicy: always try to get SCTs from a tiled log first by @​aarongable in letsencrypt/boulder#8676

Full Changelog: letsencrypt/boulder@v0.20260317.0...v0.20260324.0

v0.20260317.0

What's Changed

• test: Remove badNonce retries and increase nonce maxConnectionAge by @​beautifulentropy in letsencrypt/boulder#8661
• Remove ra.validateContacts because it is unused by @​aarongable in letsencrypt/boulder#8666
• Remove TODOs from challenge.RecordsSane by @​aarongable in letsencrypt/boulder#8670
• Remove sa.Count[Pending|Invalid]Authorizations2 by @​aarongable in letsencrypt/boulder#8669
• observer: add CCADB CRL prober by @​jsha in letsencrypt/boulder#8644
• test: make health-checker quieter by @​jsha in letsencrypt/boulder#8671
• CI: Drop go1.25.x by @​beautifulentropy in letsencrypt/boulder#8675
• vitess: add vschemas with vindexes by @​jsha in letsencrypt/boulder#8634
• Update publicsuffix-go (PSL) from v0.50.2 to v0.50.3 by @​jprenken in letsencrypt/boulder#8678
• ratelimits: stricter() should always prefer denied decisions by @​beautifulentropy in letsencrypt/boulder#8674

... (truncated)

• e139723 build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#8699)
• 4065776 deps: update pkcs11 and pkcs11key (#8692)
• dd8ce81 bad-key-revoker: Require maxExpectedReplicationLag (#8693)
• daf80ee Remove registrations.LockCol (#8698)
• 1958cc9 test: Upgrade consul to 1.22.6 (#8696)
• 3495c8b grpc: Advertise h2 support in ALPN (#8697)
• 5af6580 ra: remove MaxNames config field (#8691)
• d51bd6a va: Add experimental VA for testing Hickory (#8688)
• 9872323 test: make nonce-srv-v2 / noncev2 the default (#8689)
• 329e63d Remove deprecated flags (#8684)
• Additional commits viewable in compare view

Sourced from github.com/sigstore/cosign/v3's releases.

v3.0.6

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

• f1ad3ee952313be5d74a49d67ba0aa8d0d5e351f Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801)
• a09afa97480a0a4a20ad6314600598b7bddc8c0c Handle whitespace-only certificate annotation (#4760)
• 5a38a6d3368f0286ef214c3fd81388c99b3444b8 fix(sign): closing SignerVerifier too early when signing with a security key (#4761)
• 2290a593c9f5b300322b83e1f2a632953aeb840c Disallow --new-bundle-format and --rfc3161-timestamp (#4762)
• 36f40082f3c507e131cb9d926b75b36606160483 support managed keys in conformance testing (#4728)
• 3274cf98c6a2c2fc12618edfa26612e8a071820a Add support for GCE metadata server env var (#4732)
• 2e9754aa80a54fe7062a63debe12ae2b11b87e5a fix: preserve per-layer annotations in WriteAttestationsReferrer (#4709)
• dece2753067e2da18c5e0a0060e0de59fedee0b0 Fix parsing of in-toto for string predicates
• bd4f0fde48c16d2c55ad82acf34166a39be262a8 Mark batch of flags for deprecation (#4698)
• 9b259ff6b690c0f0844893016cd23c2c250124f2 disallow key and cert identity being used together during verification (#4636)
• 95eb1c3155b7ad11cc443c5a26f37eeede244e66 support key creation in GitLab group (#4704)

Thanks to all contributors!

• f1ad3ee Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801)
• 2b396bd chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4757)
• eb5b147 chore(deps): bump the gomod group across 1 directory with 18 updates (#4789)
• fb66c28 fix(deps): CVE-2026-2303 / CVE-2026-2303 (#4764)
• f3d74d4 Fix 'the' typo in copyright name (#4788)
• f4766a9 chore(deps): bump the actions group across 1 directory with 5 updates (#4784)
• 4c9ba21 chore(deps): bump chainguard-dev/actions in the actions group (#4772)
• af30fe6 chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login
• 92084d8 chore(deps): bump cuelang.org/go from 0.15.4 to 0.16.0
• 43a9682 chore(deps): bump github.com/open-policy-agent/opa from 1.13.2 to 1.14.1
• Additional commits viewable in compare view

Sourced from github.com/sigstore/rekor's releases.

v1.5.1

Changelog

• 2d46808ce98c3dd26158364ae28f4c49921c9b0d optimize memory for DSSE v0.0.1 processing (#2766)
• 6de110d1deb7fa2d9145584fd9446608ce1a777c return correct errors in rare failure situations (#2753)
• 7ff7c692f51d6060c6eebba0480536f5ba28abb5 raise error if decoding hash fails during inclusion proof (#2754)

Thanks for all contributors!

Sourced from github.com/sigstore/rekor's changelog.

v1.5.1

Features

• optimize memory for DSSE v0.0.1 processing (#2766)

Bug Fixes

• Type assert the entry bundle when verifying inclusion proof (#2755)
• return correct errors in rare failure situations (#2753)
• raise error if decoding hash fails during inclusion proof (#2754)

• bb573aa build(deps): Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#2773)
• 6188957 build(deps): Bump google.golang.org/api from 0.264.0 to 0.269.0 (#2770)
• f76fb2a build(deps): Bump github/codeql-action in the all group (#2772)
• ae85b80 build(deps): Bump github.com/redis/go-redis/v9 from 9.17.3 to 9.18.0 (#2769)
• 9836e32 build(deps): Bump the all group with 11 updates (#2768)
• b81ecd3 build(deps): Bump gocloud.dev from 0.40.0 to 0.44.0 (#2757)
• 2d46808 optimize memory for DSSE v0.0.1 processing (#2766)
• bd11cb9 build(deps): Bump go.step.sm/crypto from 0.74.0 to 0.76.2 (#2760)
• c302fdb build(deps): Bump github.com/secure-systems-lab/go-securesystemslib (#2758)
• 3444350 build(deps): Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#2763)
• Additional commits viewable in compare view

Sourced from github.com/sigstore/sigstore's releases.

v1.10.5

What's Changed

• (kms/hashivault): add openbao support in sigstore/sigstore#2303
• Fix typo in RSA PSS 4096 signature identifier in sigstore/sigstore#2270
• fix: eliminate usage of text/template in sigstore/sigstore#2288
• chore: mention openbao being supported as well (#2303) in sigstore/sigstore#2313

Full Changelog: sigstore/sigstore@v1.10.4...v1.10.5

• c90de3e chore: mention openbao being supported as well (#2313) (#2313)
• b377f8f chore: Project-wide linting (#2310)
• 295d656 build(deps): Bump the all group across 1 directory with 3 updates (#2296)
• c731032 (kms/hashivault): add openbao support (#2303)
• b56c866 fix: eliminate usage of text/template (#2288)
• 1d8faff build(deps): Bump github.com/aws/aws-sdk-go-v2/config (#2286)
• 4ac5776 build(deps): Bump github.com/letsencrypt/boulder (#2282)
• 36276e8 build(deps): Bump golang.org/x/crypto from 0.44.0 to 0.47.0 (#2258)
• 59887c9 build(deps): Bump the all group across 1 directory with 2 updates (#2278)
• 1e85403 build(deps): Bump dexidp/dex in /test/e2e in the all group (#2279)
• Additional commits viewable in compare view

• 03ca0dc go.mod: update golang.org/x dependencies
• 8400f4a ssh: respect signer's algorithm preference in pickSignatureAlgorithm
• 81c6cb3 ssh: swap cbcMinPaddingSize to cbcMinPacketSize to get encLength
• See full diff in compare view

• a8d1fc1 go.mod: update golang.org/x dependencies
• 056ac74 quic: avoid depending on golang.org/x/sys/unix
• c85f611 http3: add http3 package for testing in std
• 805fc81 http2: add transport API tests
• e63b894 http2: support testing via net/http.Transport.RoundTrip
• 9ee1e48 http2/hpack: prevent HeaderField from escaping during encoding
• 1e71bd8 http2: prevent hanging Transport due to bad SETTINGS frame
• 7bca150 internal/http3: respect net/http Server Shutdown context when shutting down
• 44c41be internal/http3: prevent server from holding mutex when sleeping during shutdown
• 228a67a internal/http3: add CloseIdleConnections support in transport
• Additional commits viewable in compare view

• 812b343 all: upgrade go directive to at least 1.25.0 [generated]
• See full diff in compare view

Sourced from google.golang.org/grpc's releases.

Release 1.80.0

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see #5288 for details. (#8837)
• xds: update resource error handling and re-resolution logic (#8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

• xds: support the LB policy configured in LOGICAL_DNS cluster resources instead of defaulting to pick_first. (#8733)
• credentials/tls: perform per-RPC authority validation against the leaf certificate instead of the entire peer certificate chain. (#8831)
• xds: enabling A76 ring hash endpoint keys no longer causes EDS resources with invalid proxy metadata to be NACKed when HTTP CONNECT (gRFC A86) is disabled. (#8875)
• xds: validate that the sum of endpoint weights in a locality does not exceed the maximum uint32 value. (#8899)
  • Special Thanks: @​RAVEYUS
• xds: fix incorrect proto field access in the weighted round robin (WRR) configuration where blackout_period was used instead of weight_expiration_period. (#8915)
  • Special Thanks: @​gregbarasch
• xds/rbac: handle addresses with ports in IP matchers. (#8990)

New Features

• ringhash: enable gRFC A76 (endpoint hash keys and request hash headers) by default. (#8922)

Performance Improvements

• credentials/alts: pool write buffers to reduce memory allocations and usage. (#8919)
• grpc: enable the use of pooled write buffers for buffering HTTP/2 frame writes by default. This reduces memory usage when connections are idle. Use the WithSharedWriteBuffer dial option or the SharedWriteBuffer server option to disable this feature. (#8957)
• xds/priority: stop caching child LB policies removed from the configuration. This will help reduce memory and cpu usage when localities are constantly switching between priorities. (#8997)
• mem: add a faster tiered buffer pool; use the experimental mem.NewBinaryTieredBufferPool function to create such pools. (#8775)

• 397e45e Change version to 1.80.0 (#8948)
• 64ebf0a Cherry-pick #8997 to v1.80.x (#9027)
• e45ed24 xds/rbac: add additional handling for addresses with ports (#8990) (#9022)
• c78d26e Cherry-pick #8957 to v1.80.x (#9007)
• bd7cd3c grpc: enforce strict path checking for incoming requests on the server (#8987)
• b6597b3 xds/clusterimpl: use xdsConfig for updates and remove redundant fields from L...
• 1d4fa8a xds: change cdsbalancer to use update from dependency manager (#8907)
• 8f47d36 attributes: Replace internal map with linked list (#8933)
• 22e1ee8 xds: add panic recovery in xdsclient resource unmarshalling. (#8895)
• 7136e99 credentials/alts: Pool write buffers (#8919)
• Additional commits viewable in compare view

• 3897036 Update dependencies to v0.35.3 tag
• See full diff in compare view

• See full diff in compare view

• 4f1f0a2 Update dependencies to v0.35.3 tag
• f80003c Merge pull request #136903pohly/automated-cherry-pick-of-#136455
• 8b41556 fake client-go: un-deprecate NewSimpleClientset
• See full diff in compare view

Sourced from sigs.k8s.io/release-utils's releases.

v0.12.4

Changes by Kind

Bug

• Fix shared default options mutation across http agents. NewAgent() previously returned agents all pointing to the same options struct, so calling any With*() method on one agent would mutate all agents. (#182, @​saschagrunert) [SIG Release]

Feature

• The http.Agent now supports setting custom clients with WithClient() (#169, @​puerco) [SIG Release]

Other (Cleanup or Flake)

• Bump cosign and golangci-lint (#179, @​cpanato) [SIG Release]

Dependencies

Added

• github.com/cespare/xxhash/v2: v2.3.0

Changed

• github.com/clipperhouse/displaywidth: v0.6.2 → v0.10.0
• github.com/clipperhouse/uax29/v2: v2.3.0 → v2.6.0
• github.com/olekukonko/errors: v1.1.0 → v1.2.0
• github.com/olekukonko/ll: 9e59c22 → v0.1.6
• github.com/olekukonko/tablewriter: v1.1.3 → v1.1.4

Removed

Nothing has changed.

• c5ec679 Merge pull request #182 from saschagrunert/fix/agent-shared-options
• e3734a4 Fix shared default options mutation across agents
• 96f97ba Merge pull request #181 from kubernetes-sigs/dependabot/github_actions/action...
• 6f678e3 build(deps): bump the actions group with 2 updates
• c2cdc95 Merge pull request #179 from cpanato/updates
• d5a73e4 fix lints
• a4f2787 bump cosign and golangci-lint
• d1b29d9 Merge pull request #177 from kubernetes-sigs/dependabot/docker/all-9adf8b7ea7
• ffec3c4 build(deps): bump golang from 1.26.0 to 1.26.1 in the all group
• ae59572 Merge pull request #178 from kubernetes-sigs/dependabot/go_modules/all-c0a0eb...
• Additional commits viewable in compare view

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

• 0e59876 Merge commit from fork
• ddffdbc Bump actions/checkout from 5 to 6 (#213)
• See full diff in compare view

• d430306 Merge remote-tracking branch 'remotes/from/ce/main'
• a3bc0a3 (enos): Add LDAP secrets engine blackbox tests to Plugin Scenario (#13072) (#...
• f8df539 Merge remote-tracking branch 'remotes/from/ce/main'
• 2b0ec25 VAULT-43444 Addressed races in tests (#13278) (#13285)
• a097d1f Merge remote-tracking branch 'remotes/from/ce/main'
• 7e587fd Update vault-plugin-auth-kubernetes to v0.24.1 (#13259) (#13287)
• 1331818 UI: Fix namespace search showing empty state when namespaces exist (#13257) (...
• 7b12feb Merge remote-tracking branch 'remotes/from/ce/main'
• 7d4395c Update vault-plugin-auth-jwt to v0.26.1 (#13242) (#13283)
• 6d4b615 adds flag to fix chrome in ci (#13279) (#13282)
• Additional commits viewable in compare view

Sourced from github.com/sigstore/protobuf-specs's changelog.

v0.5.1

• Add ML-DSA-44 algorithm identifier (#860)

• 3001afe Bump ts to v0.5.1 for new release (#874)
• f68ef15 build(deps): bump the actions-deps group with 2 updates (#873)
• 9859358 build(deps): bump gradle-wrapper in /java in the java-deps group (#866)
• 51546ad build(deps): bump ts-proto from 2.11.2 to 2.11.5 in /protoc-builder/hack in t...
• 8bb3cb3 build(deps): bump the docker-refs group (#867)
• 9dfb871 Update GRPC_GATEWAY_COMMIT in versions.mk (#864)
• 80abc3f build(deps): bump the rust-deps group across 1 directory with 3 updates (#869)
• c24db24 build(deps): bump homebrew/core/protobuf from 33.4 to 34.1 in /protoc-builder...
• 6a50d86 Update GOOGLEAPIS_COMMIT in versions.mk (#863)
• a2cbebd Bump packages for 0.5.1, bump deps (#862)
• Additional commits viewable in compare view

Sourced from github.com/sigstore/scaffolding's releases.

v0.7.31

What's Changed

• Add namespace to tesseract images in sigstore/scaffolding#1792

Full Changelog: sigstore/scaffolding@v0.7.30...v0.7.31

v0.7.30

What's Changed

• Build and publish GCP & POSIX TesseraCT in sigstore/scaffolding#1789

Full Changelog: sigstore/scaffolding@v0.7.29...v0.7.30

v0.7.29

What's Changed

This release reverts a previous change to the prober to allow for insecure gRPC connections, in favor of allowing for gRPC testing to be disabled.

• Allow disabling Fulcio gRPC testing via flag in sigstore/scaffolding#1787

Full Changelog: sigstore/scaffolding@v0.7.28...v0.7.29

v0.7.28

What's Changed

• Allow insecure transport for Fulcio gRPC requests to be configured by flag in sigstore/scaffolding#1786

Full Changelog: sigstore/scaffolding@v0.7.27...v0.7.28

v0.7.27

What's Changed

• fix: Adjust Fulcio gRPC URL handling for internal services in sigstore/scaffolding#1774

Full Changelog: sigstore/scaffolding@v0.7.26...v0.7.27

v0.7.26

What's Changed

• Build GCP omniwitness on release in sigstore/scaffolding#1775

Full Changelog: sigstore/scaffolding@v0.7.25...v0.7.26

v0.7.25

What's Changed

• Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @​dependabot[bot] in sigstore/scaffolding#1617
• update docs and clean up scripts by @​cpanato in sigstore/scaffolding#1624
• Parallelize service setup by @​cmurphy in sigstore/scaffolding#1618

... (truncated)

• 8bd6867 Fix TUF workflow file (#1842)
• 62e684c Fix goreleaser hook (#1841)
• 6c76ec3 Bump tesseract (#1835)
• 28cccde Move commands to separate modules (#1814)
• 9d6e1a3 Bump the docker-deps group across 3 directories with 3 updates (#1832)
• 4fb9911 Bump github.com/sigstore/timestamp-authority/v2 in the go-deps group (#1831)
• 08da4a8 Bump github.com/sigstore/fulcio from 1.8.2 to 1.8.3 (#1830)
• f3ca261 Bump the go-deps group across 1 directory with 2 updates (#1828)
• 5f2eae0 Bump sigstore deps (#1826)
• cb48a63 Add unit test job (#1823)
• Additional commits viewable in compare view

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/aws's releases.

v1.10.5

What's Changed

• (kms/hashivault): add openbao support in sigstore/sigstore#2303
• Fix typo in RSA PSS 4096 signature identifier in sigstore/sigstore#2270
• fix: eliminate usage of text/template in sigstore/sigstore#2288
• chore: mention openbao being supported as well (#2303<...

  Description has been truncated