Releases: project-zot/zot
v2.1.17
What's Changed
- fix(api): return 416 for bad upload range on PUT; fix GET upload Range at size zero by @andaaron in #3983
- feat(zb): Support for TTFB measurement + on-demand sync tests by @vrajashkr in #3929
- fix(api): recognize Docker Compose/Buildx User-Agent in v2 challenge workaround by @gjed in #3992
- chore: fix dependabot alerts by @rchincha in #3990
- feat(auth): support OIDC RP-Initiated Logout by @krjakbrjak in #3975
- fix(security): enhance timeout configurations and body size limits fo… by @rchincha in #3984
- Improve zli CVE diff output by @AkashKumar7902 in #3994
- chore: fix dependabot alerts by @rchincha in #4020
- Support multipart range blob pulls by @AkashKumar7902 in #3995
- fix(sync): apply tag filters before destination mapping by @AkashKumar7902 in #4003
- Multipart download enhancements by @andaaron in #4021
- docs(config): reference generated config schema by @AkashKumar7902 in #4015
- feat(cosign): add support for cosign bundle by @rchincha in #4023
- feat(auth): map OpenID groups claim by @AkashKumar7902 in #3999
- test: refactor countingReader into partialReaderOpenTracker and partialReaderReadCloser by @andaaron in #4027
- fix(auth): refine OIDC identity handling and claim-mapping logs by @andaaron in #4028
- feat(api): log session/audit subject from UserAccessControl by @andaaron in #4029
- refactor(zli): add typed ~/.zot config layer and strict validation by @andaaron in #4030
- refactor(build): move build metadata to pkg/buildinfo by @andaaron in #4045
- feat(zli): add config list/show/get/set/reset and isolate deprecated syntax by @andaaron in #4037
- fix(zli config): print help for missing args by @andaaron in #4046
- feat(authz): introduce conditional access control via CEL by @matheuscscp in #4040
- ci: sync go 1.26 images to ghcr.io/project-zot/golang by @andaaron in #4049
- ci: fix golangci-lint install URL by @andaaron in #4052
- chore: fix dependabot alerts by @rchincha in #4048
- fix: downgrade expected missing-blob HEAD logging from error to debug by @rchincha in #4056
- chore: fix dependabot alerts by @rchincha in #4059
- fix(lint): silence deprecated gomodguard linter warning by @benoittgt in #4070
- feat(metrics): add Prometheus GC metrics by @benoittgt in #3863
- chore: fix dependabot alerts by @rchincha in #4072
- chore: bump zui version by @rchincha in #4074
New Contributors
- @gjed made their first contribution in #3992
- @krjakbrjak made their first contribution in #3975
- @AkashKumar7902 made their first contribution in #3994
Full Changelog: v2.1.16...v2.1.17
v2.1.16
What's Changed
- chore: fix dependabot alerts by @rchincha in #3860
- fix(search): expose LastPullTimestamp and PushedBy on index ImageSummary by @cainydev in #3865
- chore: fix dependabot alerts by @rchincha in #3880
- feat(zb): list tests, test regex filter, docs update by @vrajashkr in #3884
- ci: use zot localstack image and consolidate on using the setup localstack GH action by @andaaron in #3899
- chore: fix dependabot alerts by @rchincha in #3896
- chore: pin trivy-action to safe version by @andaaron in #3897
- feat(schema): add schema command to dump JSON Schema for zot config by @rchincha in #3905
- feat: support pushing multiple tags for a single manifest by @andaaron in #3885
- fix(storage/gcs): fix double-prefixed rootdirectory and EOF handling in Walk for GCS by @thees in #3903
- test(blackbox): harden zot restart + reachability checks by @andaaron in #3907
- chore: fix dependabot alerts by @rchincha in #3921
- test: add tests for pushing manifests with non-canonical digests together with tags by @andaaron in #3920
- chore: fix dependabot alerts by @rchincha in #3931
- build: bump zui version to commit-1c8e5ef by @rchincha in #3932
- chore: fix dependabot alerts by @rchincha in #3940
- fix: address code review comments by @andaaron in #3942
- feat: Add TrivyConfig.VulnSeveritySources (Trivy's --vuln-severity-source) by @andaaron in #3943
- chore: fix dependabot alerts by @rchincha in #3947
- ci: fix nightly test by @rchincha in #3948
- chore: fix dependabot alerts by @rchincha in #3953
- Pin actions and tighten workflow permissions by @benoittgt in #3954
- fix(ci): pass GITHUB_TOKEN explicitly to oras login in sync-trivy step by @rchincha in #3961
- chore: fix dependabot alerts by @rchincha in #3964
- feat(api): add repository quota enforcement middleware by @Aluchir in #3923
- fix: Updating a repository should not result in a corrupted index.json file if disk is full by @andaaron in #3963
- chore: fix dependabot alerts by @rchincha in #3968
- fix(auth): add workaround for Docker client auth with mixed anonymous policies by @andaaron in #3868
- chore: fix dependabot alerts by @rchincha in #3971
- fix(security): limit manifest PUT body to 4 MiB (INPUT-1) by @rchincha in #3977
- fix(security): limit API key creation body to 4 KiB (INPUT-2) by @rchincha in #3978
- security: suppress Allow-Credentials on wildcard CORS origin (CORS-1) by @rchincha in #3980
- fix(security): remove InsecureSkipVerify from metrics client (TLS-1) by @rchincha in #3982
New Contributors
- @cainydev made their first contribution in #3865
- @thees made their first contribution in #3903
- @benoittgt made their first contribution in #3954
- @Aluchir made their first contribution in #3923
Full Changelog: v2.1.15...v2.1.16
v2.1.15
What's Changed
- fix(fips): flaky fips blackbox test and add missing curves by @andaaron in #3732
- feat: add TaggedTimestamp to ImageSummary returned by graphql API by @andaaron in #3731
- chore: fix dependabot alerts by @rchincha in #3751
- feat(oidc): support per-issuer CA by @matheuscscp in #3760
- ci: improvements for the Ecosystem tools job by @andaaron in #3762
- feat(jwt-exp): exp claim at the access entry level by @matheuscscp in #3761
- feat(zui): add Last Tagged timestamp to tag details view by @andaaron in #3772
- feat(jwt-asm): support AWS Secrets Manager for JWT verification by @matheuscscp in #3763
- chore: fix dependabot alerts by @rchincha in #3774
- fix(meta): fixes for LastUpdated and TaggedTimestamp by @andaaron in #3754
- fix(imagestore): normalize paths to prevent panic on Windows by @codyray2015 in #3775
- fix: correct typo var name mirroHostConfig by @rchincha in #3777
- chore: fix dependabot alerts by @rchincha in #3788
- chore: update github.com/sigstore/cosign/v3 from 3.0.2 to 3.0.4 by @andaaron in #3789
- fix(build): upgrade zot runtime base image to distroless debian13 by @muscariello in #3791
- chore: update golang version to 1.25.7 by @rchincha in #3790
- chore: fix dependabot alerts by @rchincha in #3794
- feat(tls): implement dynamic TLS certificate reloading with file watching by @rchincha in #3792
- chore: fix dependabot alerts by @rchincha in #3802
- chore: update zui version by @rchincha in #3803
- GCS storage support by @andaaron in #3798
- chore: bump zui version by @andaaron in #3809
- chore: fix dependabot alerts by @rchincha in #3820
- Skip OCI conversion for already-synced images by @utafrali in #3824
- chore: fix dependabot alerts by @rchincha in #3841
- feat(sync): add SyncLegacyCosignTags config to skip syncing legacy cosign/SBOM tags when disabled by @andaaron in #3842
- fix(auth): prevent open redirect via callback_ui by @andaaron in #3844
- fix: don't skip "latest" tag authz check for update by @rchincha in #3847
New Contributors
- @codyray2015 made their first contribution in #3775
- @utafrali made their first contribution in #3824
Full Changelog: v2.1.14...v2.1.15
v2.1.14
What's Changed
- test: fix some coverage issues, refactored some of the pagination logic to accomplish this by @andaaron in #3674
- chore: fix dependabot alerts by @rchincha in #3677
- Fix typos in documentation by @oglok in #3678
- ci: fix nightly due to outdated kind by @rchincha in #3676
- fix: pre-existing dynamodb versions table should be populated with version if it doesn't contain it already by @andaaron in #3699
- fix: CVE-2025-30204 - golang-jwt DoS vulnerability via excessive memory allocation by @asgeirn in #3687
- fix: remove usage of deprecated function aws.EndpointResolverWithOptionsFunc by @andaaron in #3700
- fix: now attempt to bind to the zot server socket to check if the server is running by @andaaron in #3703
- chore: fix dependabot alerts by @rchincha in #3707
- chore: remove direct usage of the github.com/aws/aws-sdk-go package (aws sdk v1) by @andaaron in #3701
- fix: graphql playground documentation was hardcoded to an unrelated example by @andaaron in #3721
- chore: fix dependabot alerts by @rchincha in #3726
- chore: fix dependabot alerts by @rchincha in #3730
- ci: add an upgrade bats test by @rchincha in #3621
- Introduce support for OIDC workload identity federation by @matheuscscp in #3711
New Contributors
- @oglok made their first contribution in #3678
- @matheuscscp made their first contribution in #3711
Full Changelog: v2.1.13...v2.1.14
v2.1.13
v2.1.12
What's Changed
- docs: update examples with the sync config example by @andaaron in #3573
- fix: Add HTTP client timeouts to prevent indefinite hangs in sync operations by @andaaron in #3574
- chore: update golangci-lint and fix all issues by @andaaron in #3575
- refactor: optimize code with modern Go patterns and pre-allocation by @andaaron in #3576
- fix: handle zero time values in LastUpdated sorting functions by @andaaron in #3580
- ci: use minio==7.2.18 by @andaaron in #3581
- fix: sync should be disabled when enable is false by @mottetm in #3579
- fix: multiple fixes based on recent test failures by @andaaron in #3582
- chore: sync golang 1.25 by @rchincha in #3596
- fix(storage): enforce standard OCI blob path structure in GetNextDigestWithBlobPaths by @andaaron in #3594
- chore: fix dependabot alerts by @rchincha in #3595
- chore: Enable Go jsonv2 experiment and update the trivy dependency (v0.67.2) by @andaaron in #3572
- feat: explicitly log if each authentication method is enabled by @andaaron in #3599
- fix(meta): handle cases when substores are nested by @andaaron in #3598
- Fix error handling: return nil explicitly on successful completion by @andaaron in #3603
- feat(config): validate storage root directories for path conflicts by @andaaron in #3602
- fix(trivy): cleanup Trivy temporary directory by @andaaron in #3618
- chore: Fix deps by @rchincha in #3620
- refactor(test): new apis for creating temporary files by @andaaron in #3605
- ci: split needsprivileges tests from devmode tests by @andaaron in #3625
- ci: save unified coverage as build artifact by @andaaron in #3626
- fix: remove misleading error messages on successful syncs by @andaaron in #3619
- chore: fix dependabot alerts by @rchincha in #3636
- feat: support mTLS-only authn/authz with AccessControl and allow combining mTLS with other auth mechanisms by @andaaron in #3624
- fix: accept log levels supported by older zot versions, validate configured log level by @andaaron in #3639
- refactor: enhance TLS cert generation and refactor HTTP client architecture by @andaaron in #3638
- docs: fix deadlink and typo by @andaaron in #3641
- fix: more logging for sync extension by @andaaron in #3656
- chore: fix dependabot alerts by @rchincha in #3657
- fix: prevent nil pointer dereference in RemoveImageFromRepoMeta by @M0Rf30 in #3658
- feat: add configurable mTLS identity extraction with fallback chain by @andaaron in #3640
- fix: make sure the function and caller information are added to log messages emitted by 3rd party libraries using slog directly. by @andaaron in #3659
- chore: fix dependabot alerts by @rchincha in #3660
New Contributors
Full Changelog: v2.1.11...v2.1.12
v2.1.11
What's Changed
- fix: minor fixes based on intermittent test failures by @andaaron in #3465
- chore: fix dependabot alerts by @rchincha in #3477
- chore: stabilize coverage in specific sync test by @andaaron in #3480
- fix: zot version broken after switching to /v2 by @andaaron in #3479
- refactor: remove usage of goto in the image store by @andaaron in #2969
- fix: configure cookie Secure flag based on TLS configuration by @andaaron in #3482
- feat: add zot subcommand to enable testing retention policy settings by @andaaron in #3449
- chore: fix dependabot alerts by @rchincha in #3496
- chore: fix monitoring goroutine leak in tests by @andaaron in #3500
- docs: update maintainers and codeowners info by @rchincha in #3502
- fix: close file handle before moving file in FullBlobUpload by @andaaron in #3499
- fix(log): ensure func record is correct by @rchamarthy in #3501
- fix: support custom OAuth2 URLs for GitHub Enterprise and self-hosted providers by @analytically in #3513
- chore: fix dependabot alerts by @rchincha in #3514
- chore: fix dependabot alerts by @rchincha in #3517
- fix: re-introduce pagination by @ljakimczuk in #3521
- fix: add support for sha256 and sha512 in htpasswd by @rchincha in #3497
- fix: deduplicate entries in referrers responses by @andaaron in #3524
- fix: separate cipher suites and curve preferences into FIPS and non FIPS, and use them accordingly by @andaaron in #3523
- chore: fix dependabot alerts by @rchincha in #3534
- fix: gracefully handle manifests missing from storage (prepare for sparse indexes) by @andaaron in #3503
- Fix Dockerfiles by moving the BASE_IMAGE arg into the global scope by @lfrancke in #3536
- fix: img-src annotation changes with zui move to vite by @rchincha in #3539
- fix: show relevant error messages in case of images which cannot be scanned by Trivy by @andaaron in #3554
- chore: fix dependabot alerts by @rchincha in #3555
- fix (metadb): make sure metadb statistics are initialized on image download, and minor metadb fixes for Docker v2 manifest compatibility by @andaaron in #3545
- chore: update github.com/olekukonko/tablewriter to v1.1.1 by @andaaron in #3559
- chore: update cosign from v2 to v3 by @andaaron in #3561
- fix(ui): update zui version by @rchincha in #3564
- chore: fix dependabot alerts by @rchincha in #3566
- Sync images with a background context by @lfrancke in #3537
- feat: allow claim mapping for user name with oidc by @rchincha in #3540
- fix(sync): properly handle CommitAll errors in syncImage and skip failed temp sync dirs by @andaaron in #3567
New Contributors
- @analytically made their first contribution in #3513
- @lfrancke made their first contribution in #3536
Full Changelog: v2.1.10...v2.1.11
v2.1.10
What's Changed
- fix: migrate to Go module v2 for proper semantic versioning by @muscariello in #3462
- fix: make config read/write thread safe by @andaaron in #3432
New Contributors
- @muscariello made their first contribution in #3462
Full Changelog: v2.1.9...v2.1.10
v2.1.9
What's Changed
- chore: fix dependabot alerts by @rchincha in #3365
- chore: fix dependabot alerts by @rchincha in #3380
- chore: fix dependabot alerts by @rchincha in #3397
- chore: fix dependabot alerts by @rchincha in #3407
- feat: GC to cleanup untagged manifests by default by @andaaron in #3408
- chore: Update to graphql 5.2.0 by @andaaron in #3410
- chore: update zui version by @andaaron in #3412
- chore: fix dependabot alerts by @rchincha in #3422
- chore: increase/stabilize go test coverage by @andaaron in #3411
- fix: broken CodeQL badge by @rchincha in #3424
- ci: more sync/local driver tests to stabilize/increase coverage by @andaaron in #3425
- ci: fix stale check by @rchincha in #3427
- ci: move workflow to oci runner by @rchincha in #3426
- fix: migrate from github.com/rs/zerolog to golang-native log/slog by @rchincha in #3405
- fix(ci): use fixed ranges for BATS server ports by @vrajashkr in #3428
- feat(sync): enable regclient logs by @ljakimczuk in #3363
- chore: stabilize coverage for specific imagestore case by @andaaron in #3429
- feat(sessions): add support for remote redis session store by @vrajashkr in #3345
- ci: fix nightly by @andaaron in #3431
- chore: fix dependabot alerts by @rchincha in #3444
- ci: update stale checks by @andaaron in #3446
- feat: the default retention delay is not the GC delay by @andaaron in #3447
- ci: fix values in stale comment messages by @andaaron in #3448
- fix: update go-redsync for fips-140 compatibility by @rchincha in #3451
- ci: pre download docker images used in bats tests by @andaaron in #3452
- ci: debugging blackbox failures by @andaaron in #3453
- chore: fix dependabot alerts by @rchincha in #3461
- ci: enable fips140 blackbox test by @rchincha in #3460
Full Changelog: v2.1.8...v2.1.9
v2.1.8
What's Changed
- chore: fix dependabot alerts by @rchincha in #3292
- chore(ci): update github runners to oci gh arc runners by @koksay in #3293
- ci: selectively revert this runner by @rchincha in #3297
- chore: fix dependabot alerts by @rchincha in #3312
- chore: update notation version by @rchincha in #3316
- chore: fix dependabot alerts by @rchincha in #3328
- Fix deps by @rchincha in #3343
- fix: gc for untagged docker manifests by @stephanme in #3349
- fix: close the syncResult channel by any goroutine that receives the data by @ljakimczuk in #3348
New Contributors
- @koksay made their first contribution in #3293
- @stephanme made their first contribution in #3349
- @ljakimczuk made their first contribution in #3348
Full Changelog: v2.1.7...v2.1.8