Skip to content

chore(deps): update hashicorp/consul docker tag to v2#148

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/hashicorp-consul-2.x
Open

chore(deps): update hashicorp/consul docker tag to v2#148
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/hashicorp-consul-2.x

Conversation

@renovate

@renovate renovate Bot commented May 24, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
hashicorp/consul (source) major 1.11.22.0.2

Release Notes

hashicorp/consul (hashicorp/consul)

v2.0.2

Compare Source

2.0.2 (July 8, 2026)

SECURITY:

  • Upgrade alpine base image version to 3.24 to address [CVE-2026-41989], [ALPINE-CVE-2026-2100]. [GH-23711]
  • dependency: Upgrade Serf and Memberlist to use the latest versions. [GH-23704]
  • xds: Return errors when injecting the L4 intention (RBAC) filter or the mTLS transport socket onto an inbound public listener, so the listener is not served without intention enforcement or mTLS. [GH-23686]

FEATURES:

  • config-entry(api-gateway): (Enterprise only) Add ExtAuthzFilter to HTTPRoute Filters and gateway-wide ExtAuthz toggle to the api-gateway config entry [GH-23703]
  • config-entry: (Enterprise only) Addition of External Processor (ext_proc) Envoy Extension support to api-gateway and connect-proxy [GH-23705]

IMPROVEMENTS:

  • ci: upgrade GitHub Actions that used the deprecated Node 20 runtime to Node 24, and restore GOTOOLCHAIN=auto after setup-go so backward-compatibility and integration test lanes resolve the correct Go toolchain. [GH-23687]
  • connect: update support for nomad and vault version to v2.0.3 [GH-23624]
  • deps: Migrate armon/go-metrics to hashicorp/go-metrics and update Go dependencies across all modules [GH-23635]

BUG FIXES:

  • xds: only emit the client cert SDS block when both CertFile and KeyFile are set. [GH-23679]

v2.0.1

Compare Source

2.0.1 (June 18, 2026)

SECURITY:

IMPROVEMENTS:

  • dockerfile: layer reduction by merging RUN commands and minor changes following best practices. [GH-23650]
  • product-telemetry: product usage reporting now preserves export cadence across restarts and leader re-elections by resuming from the last successful export time, preventing delays
  • server: Auth method TokenNameFormat field accepts OIDC and JWT claim mapping values [GH-23616]
  • ui: Removed block-slot addon dependency [GH-23481]

BUG FIXES:

  • connect: Strip the x-forwarded-client-cert header from inbound HTTP requests before forwarding them to local service instances. [GH-23544]
  • server: Fixed a bug where renaming a server (or wiping and rejoining it with the same IP and Raft node ID) could cause an out-of-order serf event to evict the live leader from the internal server lookup, resulting in Raft leader not found in server lookup mapping (HTTP 500) errors on follower RPCs until the next member event resynced the mapping. [GH-23533]

v2.0.0

Compare Source

2.0.0 (May 22, 2026)

SECURITY:

  • connect: Upgrade envoy version to 1.37.2 and newer versions [GH-23469]
  • go: Upgrade go version to 1.26 [GH-23493]
  • agent: Increased default HTTP server timeouts to prevent breaking long-polling blocking queries. read_timeout and write_timeout are now set to 15 minutes (up from 30 seconds), while read_header_timeout (10s) and idle_timeout (120s) still provide protection against Slowloris attacks. All timeouts remain configurable via the http_config block. [GH-23267]
  • api-gateway, terminating-gateway: Apply HTTP request path normalization on api-gateway and terminating-gateway HTTP listeners to prevent L7 intention RBAC bypass via non-normalized paths (CVE-2024-10005). [GH-23534]
  • docker: update ubi base image to ubi9-minimal:9.7. [GH-23553]
  • docker: Upgrade curl to >= 8.20.0 from Alpine edge in the container image to address
    CVE-2026-6429,
    CVE-2026-4873,
    CVE-2026-5773,
    CVE-2026-6253,
    CVE-2026-6276,
    CVE-2026-7168,
    CVE-2026-5545.
    Alpine 3.23 stable does not yet carry the patched version. [GH-23750]
  • docker: Update to UBI base image to 9.8 for fixing [CVE_2026-2100] [GH-23588]

FEATURES:

  • (Enterprise Only) update to go-licensing/v4 and go-census/v3 inorder to adapt to new licenses of PAO.
  • Global Rate Limiter: (Enterprise Only) a new "rate-limit" config entry kind that enables dynamic, cluster-wide RPC rate limiting stored in Raft and automatically replicated to all servers. This allows operators to apply or adjust global rate limits at runtime without restarting Consul servers — a critical capability for emergency scenarios where the cluster is under excessive load.
  • api-gateway: Added SDS certificate support for API Gateway listeners, including listener-level default TLS certificates and HTTP/TCP route service TLS SDS overrides. Service overrides inherit the listener SDS cluster when omitted, and gateway validation/xDS generation now rejects conflicting override mappings to keep certificate selection deterministic. [GH-23354]
  • api-gateway: add support for gateway-level default upstream limits and route service-level limit overrides for MaxConnections, MaxPendingRequests, and MaxConcurrentRequests. [GH-23396]
  • api: Added new API "/v1/internal/rpc/methods" that lists all RPC method names. Requires an operator:read ACL token. This is useful when users want to configure rate limits that exclude specific RPC endpoints. [GH-23329]
  • ca: (Enterprise Only) Added new Connect CA provider for Cyberark WIM (connect.ca_provider = "pan-distributed-issuer"), enabling Consul to issue certificates through Cyberark WIM.
  • server: (Enterprise Only) add stable cluster identity and leader-gated global registry sync for service summary publishing.
  • telemetry: (Enterprise Only) Product telemetry for self-managed Consul with anonymous, opt-in usage reporting.
  • mesh: (Enterprise Only) Introduce support for multi-port (named port) services in Consul, including the ability to specify and route traffic using port names, as well as to retrieve virtual IPs for specific service ports. It also enforces that certain advanced multi-port features are only available in Consul Enterprise, and includes new utility functions for cluster naming and ALPN protocol generation.

IMPROVEMENTS:

  • agent: (Enterprise Only) Add eventually-consistent background cache for Enterprise usage metrics, reducing GET /v1/operator/usage latency from O(PNK) to O(1) and lowering CPU/memory pressure during high-frequency scraping via a watch-driven maintainer goroutine.
  • mesh: (Enterprise Only) Introduce support for multi-port (named port) services in Consul, including the ability to specify and route traffic using port names, as well as to retrieve virtual IPs for specific service ports. It also enforces that certain advanced multi-port features are only available in Consul Enterprise, and includes new utility functions for cluster naming and ALPN protocol generation.
  • terminating-gateway: Updated the cluster upstream tls to use sds instead of static certs, allowing for dynamic certificate updates without needing to restart the terminating gateway. [GH-23288]
  • telemetry: Add certificate expiry monitoring with Prometheus metrics (labeled with datacenter/partition/namespace), structured logging with configurable severity thresholds, and enhanced Connect CA API to include NotAfter field for root and intermediate certificates. [GH-23147]
  • deps: Upgrade github.com/hashicorp/vault/sdk from v0.7.0 to v0.25.1 and github.com/hashicorp/vault/api from v1.12.2 to v1.16.0. [GH-23574]
  • test-integ: upgrade testcontainers-go (v0.22.0->v0.40.0) and docker/docker (v24.0.5->v28.5.1) in the integration test module. This removes opencontainers/runc as a Go dependency of the test framework. These are test infrastructure dependencies only and have no impact on the consul binary or any consul deployment. [GH-23573]
  • xds: (Enterprise Only) add Consecutive5xx, ConsecutiveGatewayFailure, and EnforcingConsecutiveGatewayFailure fields to PassiveHealthCheck, allowing operators to configure Envoy outlier detection thresholds for 5xx responses and gateway failures (502/503/504) on upstreams defaults.

BUG FIXES:

  • audit-logging: (Enterprise Only) Fixed JSON unmarshall error when array of obj is passed for auditReq body.
  • cli: Enhanced error messages in consul config write command to provide actionable guidance when config entries cannot be modified due to references by gateways or routers. [GH-22921]
  • xds: Fixed XDS package to generate correct endpoints and cluster configurations for API Gateways when peered, and updated the API Gateway update handler to propogate mesh gateway config to its upstreams. [GH-23454]
  • XDS: Fixes issue with mesh-gateway in remote mode on AWS EKS, as DNS hostnames are assigned to AWS NLBs instead of IPs and envoy's EDS endpoint validation expects address to be an IP. Now EDS load assignment is skipped for non-peer remote mesh gateway targets with hostname based gateways keeping CDS/EDS in sync. [GH-23543]
  • api-gateway: resolve service subsets for routes during API gateway discovery chain synthesis. [GH-23294]
  • ui: Fix broken documentation links [GH-23578]

v1.22.7

Compare Source

SECURITY:

  • security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
  • security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
  • test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]
  • ui: (Enterprise only) Backport Rollup update to 2.80.0 for release/1.21.x to address CVE-2026-27606 (SECVULN-38912).

IMPROVEMENTS:

  • acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
  • discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
  • ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

  • api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

v1.22.6

Compare Source

SECURITY:

  • security: upgrade envoy version to 1.35.9 and 1.34.13 [GH-23372]
  • security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
  • security: upgrade go version to 1.25.8 [GH-23322]
  • security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

  • api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
  • ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
  • ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
  • ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]

v1.22.5

Compare Source

SECURITY:

  • security: upgrade go version to 1.25.7 [GH-23204]
  • dockerfile: update the Consul build Go base image to alpine3.23 [GH-23194]
  • connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
  • security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
  • security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
  • security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

  • api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
  • agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
  • cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109]
  • docs: Refreshed the security documentation to include the new HTTP server timeout defaults and relevant configuration options. [GH-23246]
  • api: Cancel context check for watches cache fetch to stop execution when manager deregisters the watch. [GH-23157]

v1.22.3

Compare Source

SECURITY:

  • Update the Consul Build Go base image to alpine3.23.2 [GH-23138]

IMPROVEMENTS:

  • api: Add consul services imported-services and new api(/v1/exported-services) command to list services imported by partitions within a local datacenter [GH-12045]
  • connect: added ability to configure Virtual IP range for t-proxy with CIDRs [GH-23085]

v1.22.2

Compare Source

1.22.2 (December 15, 2025)

SECURITY:

  • security: Upgrade golang to 1.25.4. [GH-23029]
  • security: upgrade internal packages of RHEL builds to include security fixes [GH-23078]

IMPROVEMENTS:

  • ui: upgraded Ember framework from v3.28 to v4.12, improving performance and stability. Upgrades multiple other packages which support Ember v4. [GH-23070]

BUG FIXES:

  • agent: fix bug prevents default TCP checks from being re-added on service reload when they were explicitly disabled or when custom checks were specified during initial registration. [GH-23088]
  • audit-logging: (Enterprise only) Fixed JSON unmarshall error when array of obj is passed for auditReq body. [GH-11546]
  • cli: Enhanced error messages in consul config write command to provide actionable guidance when config entries cannot be modified due to references by gateways or routers. [GH-22921]
  • mesh: router + splitter + failover with retry now correctly failover for external services failover subsets through terminating gateways. [GH-23092]

v1.22.1

Compare Source

SECURITY:

  • connect: Upgrade envoy version to 1.35.6 [GH-23056]
  • security: Updated golang.org/x/crypto from v0.42.0 to v0.44.0. This resolves GO-2025-4116

IMPROVEMENTS:

  • ui: Removed ember-route-action-helper and migrated all {{route-action}} usages to explicit route/controller logic. [GH-23004]
  • ui: Replaced reopen() calls with direct property assignment and subclassing to resolve Ember component reopen deprecation warnings [GH-22971]
  • ui: removed deprecated Route#renderTemplate usage by introducing DebugLayout component and controller-based conditional rendering for docs routes [GH-22978]
  • ui: resolved multiple Ember deprecations:
  • Removed mutation-after-consumption warnings in Outlet by staging state updates outside the render pass
  • Replaced deprecated Route#replaceWith/transitionTo usage with RouterService in affected routes
  • Avoided mutating objects produced by {{hash}} (setting-on-hash) by switching to tracked POJOs [GH-23010]

BUG FIXES:

  • acl: fixed a bug where ACL policy replication in WANfed is impacted when primaryDC is inconsistent [GH-22954]
  • xds: fix RBAC failure in upstream service when there are more than one downstream exported service with same name but different peer [GH-23049]
  • xds: fix bug where Using replacePrefixMatch: "/" results in double slashes (//path) and Using replacePrefixMatch: "" does not strip the prefix at all (e.g., mapping /v1/dashboard → /dashboard) resulting in 301 and 404 errors respectively [GH-23035]

v1.22.0

Compare Source

SECURITY:

  • connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
  • security: Adding warning when remote/local script checks are enabled without enabling ACL's [GH-22877]
  • security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacksCVE-2025-11374 [GH-22916]
  • security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
  • security: breaking change - adding a key name validation on the key/value endpoint along side with the DisableKVKeyValidation config to disable/enable it to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

  • Added support to register a service in consul with multiple ports [GH-22769]
  • agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
  • install: Updated license information displayed during post-install
  • ipv6: addtition of ip6tables changes for ipv6 and dual stack support [GH-22787]
  • oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled. [GH-22732]

IMPROVEMENTS:

  • security: Upgrade golang to 1.25.3. [GH-22926]
  • ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
  • ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
  • ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
  • api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
  • cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
    http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise
    agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
  • cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
  • command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
  • connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
  • proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
  • ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
  • ui: Replace yarn with pnpm for package management [GH-22790]
  • ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]

BUG FIXES:

  • ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
  • ui: fixes the issue where namespaces where disappearing and Welcome to Namespace screen showed up after tab switching [GH-22789]
  • ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete. [GH-22752]
  • cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

v1.21.5

Compare Source

SECURITY:

  • Migrate transitive dependency from archived mitchellh/mapstructure to go-viper/mapstructure to v2 to address CVE-2025-52893. [GH-22581]
  • agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [GH-22682]
  • agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [GH-22534]
  • agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [GH-22626]
  • api: add charset in all applicable content-types. [GH-22598]
  • connect: Upgrade envoy version to 1.34.7 [GH-22735]
  • security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [GH-22667]
  • security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [GH-22612]
  • security: perform constant time compare for sensitive values. [GH-22537]
  • security: upgrade go version to 1.25.0 [GH-22652]
  • security:: (Enterprise only) fix nil pointer dereference.
  • security:: (Enterprise only) fix potential race condition in partition CRUD.
  • security:: (Enterprise only) perform constant time compare for sensitive values.

FEATURES:

  • config: Add new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream [GH-22604]
  • config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [GH-22679]
  • config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [GH-22722]
  • config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [GH-22680]

IMPROVEMENTS:

  • cli: add troubleshoot ports in debug command. A ports.json file is created, which lists the open or closed ports on the host where the command is executed. [GH-22624]

BUG FIXES:

  • agent: Don't show admin partition during errors [GH-11154]

v1.21.4

Compare Source

SECURITY:

IMPROVEMENTS:

  • ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI. [GH-22513]

BUG FIXES:

  • cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set. [GH-22552]

v1.21.3

Compare Source

IMPROVEMENTS:

  • ui: Improved display and handling of IPv6 addresses for better readability and usability in the Consul web interface. [GH-22468]

BUG FIXES:

  • cli: validate IP address in service registration to prevent invalid IPs in service and tagged addresses. [GH-22467]
  • ui: display IPv6 addresses with proper bracketed formatting [GH-22423]

v1.21.2

Compare Source

SECURITY:

IMPROVEMENTS:

  • config: Warn about invalid characters in datacenter resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [GH-22382]
  • connect: Use net.JoinHostPort for host:port formatting to handle IPv6. [GH-22359]

BUG FIXES:

  • http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [GH-22381]
  • license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [GH-10668]
  • wan-federation: Fixed an issue where advertised IPv6 addresses were causing WAN federation to fail. [GH-22226]

v1.21.1

Compare Source

FEATURES:

  • xds: Extend LUA Script support for API Gateway [GH-22321]
  • xds: Added a configurable option to disable XDS session load balancing, intended for scenarios where an external load balancer is used in front of Consul servers, making internal load balancing unnecessary.

IMPROVEMENTS:

  • http: Add peer query param on catalog service API [GH-22189]

v1.21.0

Compare Source

  • Enhancement: Added support for Consul Session to update the state of a Health Check, allowing for more dynamic and responsive health monitoring within the Consul ecosystem. This feature enables sessions to directly influence health check statuses, improving the overall reliability and accuracy of service health assessments.

v1.20.6

Compare Source

1.20.6 (April 25, 2025)

SECURITY:

IMPROVEMENTS:

  • Added support for Consul Session to update the state of a Health Check, allowing for more dynamic and responsive health monitoring within the Consul ecosystem. This feature enables sessions to directly influence health check statuses, improving the overall reliability and accuracy of service health assessments. [GH-22227]

BUG FIXES:

  • agent: Add the missing Service TaggedAddresses and Check Type fields to Txn API. [GH-22220]

v1.20.5

Compare Source

1.20.5 (March 11, 2025)

SECURITY:

BUG FIXES:

  • logging: Fixed compilation error for OS NetBSD. [GH-22184]

v1.20.4

Compare Source

1.20.4 (February 20, 2025)

IMPROVEMENTS:

  • dependency: upgrade consul/api to use Go 1.31.2 [GH-22174]

BUG FIXES:

  • api: Fixed api submodule checksum mismatch issue by retracted 1.31.1 version [GH-22172] [GH-22172]

v1.20.3

Compare Source

SECURITY:

IMPROVEMENTS:

  • connect: update supported envoy versions to 1.33.0, 1.32.3 [GH-22138]
  • metadata: memoize the parsed build versions [GH-22113]

BUG FIXES:

  • Fixed logging error while building for OpenBSD OS [GH-22120] [GH-22120]
  • api-gateway: Fixed TLS configuration to properly enforce listener TLS versions and cipher suites [GH-21984]
  • aws-auth: Fix bug where calls to AWS IAM and STS services error out due to URL with multiple trailing slashes. [GH-22109]

v1.20.2

Compare Source

SECURITY:

  • Removed ability to use bexpr to filter results without ACL read on endpoint [GH-21950]
  • Resolved issue where hcl would allow duplicates of the same key in acl policy configuration. [GH-21908]
  • Update github.com/golang-jwt/jwt/v4 to v4.5.1 to address GHSA-29wx-vh33-7x7r. [GH-21951]
  • Update golang.org/x/crypto to v0.31.0 to address GO-2024-3321. [GH-22001]
  • Update golang.org/x/net to v0.33.0 to address GO-2024-3333. [GH-22021]
  • Update registry.access.redhat.com/ubi9-minimal image to 9.5 to address CVE-2024-3596,CVE-2024-2511,CVE-2024-26458. [GH-22011]
  • api: Enforces strict content-type header validation to protect against XSS vulnerability. [GH-21930]
    FEATURES:
  • docs: added the docs for the grafana dashboards [GH-21795]
    BUG FIXES:
  • proxycfg: fix a bug where peered upstreams watches are canceled even when another target needs it. [GH-21871]
  • state: ensure that identical manual virtual IP updates result in not bumping the modify indexes [GH-21909]

v1.20.1

Compare Source

BREAKING CHANGES:

  • mesh: Enable Envoy HttpConnectionManager.normalize_path by default on inbound traffic to mesh proxies. This resolves CVE-2024-10005. [GH-21816]

SECURITY:

  • mesh: Add contains and ignoreCase to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves CVE-2024-10006. [GH-21816]
  • mesh: Add http.incoming.requestNormalization to Mesh configuration entry to support inbound service traffic request normalization. This resolves CVE-2024-10005 and CVE-2024-10006. [GH-21816]

IMPROVEMENTS:

  • api: remove dependency on proto-public, protobuf, and grpc [GH-21780]
  • snapshot agent: (Enterprise only) Implement Service Principal Auth for snapshot agent on azure.
  • xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [GH-21655]

v1.20.0

Compare Source

SECURITY:

  • Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [GH-21704]
  • Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [GH-21711]
  • UI: Remove codemirror linting due to package dependency [GH-21726]
  • Upgrade Go to use 1.22.7. This addresses CVE
    CVE-2024-34155 [GH-21705]
  • Upgrade to support aws/aws-sdk-go v1.55.5 or higher. This resolves CVEs
    CVE-2020-8911 and
    CVE-2020-8912. [GH-21684]
  • ui: Pin a newer resolution of Braces [GH-21710]
  • ui: Pin a newer resolution of Codemirror [GH-21715]
  • ui: Pin a newer resolution of Markdown-it [GH-21717]
  • ui: Pin a newer resolution of ansi-html [GH-21735]

FEATURES:

  • grafana: added the dashboards service-to-service dashboard, service dashboard, and consul dataplane dashboard [GH-21806]
  • server: remove v2 tenancy, catalog, and mesh experiments [GH-21592]

IMPROVEMENTS:

  • security: upgrade ubi base image to 9.4 [GH-21750]
  • connect: Add Envoy 1.31 and 1.30 to support matrix [GH-21616]

BUG FIXES:

  • jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [GH-21703]

v1.19.2

Compare Source

SECURITY:

  • ui: Upgrade modules with d3-color as a dependency to address denial of service issue in d3-color < 3.1.0 [GH-21588]

IMPROVEMENTS:

  • Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [GH-21587]

BUG FIXES:

  • api-gateway: (Enterprise only) ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint [GH-21604]

v1.19.1

Compare Source

SECURITY:

IMPROVEMENTS:

  • mesh: update supported envoy version 1.29.5 in addition to 1.28.4, 1.27.6. [GH-21277]

BUG FIXES:

  • core: Fix multiple incorrect type conversion for potential overflows [GH-21251]
  • core: Fix panic runtime error on AliasCheck [GH-21339]
  • dns: Fix a regression where DNS SRV questions were returning duplicate hostnames instead of encoded IPs.
    This affected Nomad integrations with Consul. [GH-21361]
  • dns: Fix a regression where DNS tags using the standard lookup syntax, tag.name.service.consul, were being disregarded. [GH-21361]
  • dns: Fixes a spam log message "Failed to parse TTL for prepared query..."
    that was always being logged on each prepared query evaluation. [GH-21381]
  • terminating-gateway: (Enterprise Only) Fixed issue where enterprise metadata applied to linked services was the terminating-gateways enterprise metadata and not the linked services enterprise metadata. [GH-21382]
  • txn: Fix a bug where mismatched Consul server versions could result in undetected data loss for when using newer Transaction verbs. [GH-21519]

v1.19.0

Compare Source

BREAKING CHANGES:

  • telemetry: State store usage metrics with a double consul element in the metric name have been removed. Please use the same metric without the second consul instead. As an example instead of consul.consul.state.config_entries use consul.state.config_entries [GH-20674]

SECURITY:

FEATURES:

  • dns: queries now default to a refactored DNS server that is v1 and v2 Catalog compatible.
    Use v1dns in the experiments agent config to disable.
    The legacy server will be removed in a future release of Consul.
    See the Consul 1.19.x Release Notes for removed DNS features. [GH-20715]
  • gateways: api-gateway can leverage listener TLS certificates available on the gateway's local filesystem by specifying the public certificate and private key path in the new file-system-certificate configuration entry [GH-20873]

IMPROVEMENTS:

  • dns: new version was not supporting partition or namespace being set to 'default' in CE version. [GH-21230]
  • mesh: update supported envoy version 1.29.4 in addition to 1.28.3, 1.27.5, 1.26.8. [GH-21142]
  • upgrade go version to v1.22.4. [GH-21265]
  • Upgrade github.com/envoyproxy/go-control-plane to 0.12.0. [GH-20973]
  • dns: DNS-over-grpc when using consul-dataplane now accepts partition, namespace, token as metadata to default those query parameters.
    consul-dataplane v1.5+ will send this information automatically. [GH-20899]
  • snapshot: Add consul snapshot decode CLI command to output a JSON object stream of all the snapshots data. [GH-20824]
  • telemetry: Add telemetry.disable_per_tenancy_usage_metrics in agent configuration to disable setting tenancy labels on usage metrics. This significantly decreases CPU utilization in clusters with many admin partitions or namespaces.
  • telemetry: Improved the performance usage metrics emission by not outputting redundant metrics. [GH-20674]

DEPRECATIONS:

  • snapshot agent: (Enterprise only) Top level single snapshot destinations local_storage, aws_storage, azure_blob_storage, and google_storage in snapshot agent configuration files are now deprecated. Use the backup_destinations config object instead.

BUG FIXES:

v1.18.2

Compare Source

Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.

SECURITY:

  • security: upgrade go version to 1.25.7 [GH-23204]
  • dockerfile: the Consul build Go base image to alpine3.23 [GH-23194]
  • connect: Migrate to aws-sdk-go-v2 from aws-sdk-go (v1). Also updated consul-awsauth and go-secure-stdlib/awsutil dependencies to their v2 versions. [GH-23109]
  • security: Configure HTTP server timeouts to prevent Slowloris denial-of-service attacks on agent HTTP endpoints and pprof endpoints. [GH-22739]
  • security: Patched Vault CA provider to prevent arbitrary file reads via Kubernetes, JWT, and AppRole methods. [GH-23249]
  • security: Introduced debounce timing for synchronization operations within federationStateAntiEntropySync. [GH-23196]

IMPROVEMENTS:

  • api-gateway: Fixed "duplicate matcher" errors in Envoy when using multiple file-system certificates on a single TLS listener. The certificates are now consolidated into a single filter chain, allowing Envoy to select the correct one. [GH-23212]
  • agent: Fix vault provider failure when signing intermediate CA with isCA=true in CSR [GH-23202]
  • cli: Added --aws-iam-endpoint flag to consul login command for AWS IAM auth method to support custom IAM endpoint configuration [GH-23109

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner May 24, 2026 10:24
@renovate renovate Bot force-pushed the renovate/hashicorp-consul-2.x branch from a764761 to b87dc84 Compare June 19, 2026 10:59
@renovate renovate Bot force-pushed the renovate/hashicorp-consul-2.x branch from b87dc84 to e20f620 Compare July 8, 2026 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants