Skip to content

🚨 Update module github.com/open-policy-agent/opa to v1 (release-v0.7) #1601

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: release-v0.7
Choose a base branch
from
Open

🚨 Update module github.com/open-policy-agent/opa to v1 (release-v0.7) #1601

renovate wants to merge 1 commit into from
+21 −4

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 8, 2025
edited
Loading

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/open-policy-agent/opa v0.68.0v1.12.2 age adoption passing confidence

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.12.2

Compare Source

v1.12.2

This bug fix release address issues found in the new string interpolation feature

v1.12.1

Compare Source

This bug fix release reverts a change to regex.replace that unintentionally changed its behaviour for anchored regular expressions.

  • Revert "topdown: make regex.replace respect cancellation" (authored by @​srenatus)

v1.12.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Support for String Interpolation in the Rego language
  • Faster compilation and runtime
  • Fixes published in the v1.11.1 release
String Interpolation (#​4733)

The Rego language has been extended to support String Interpolation,
which provides a readable means to compose strings containing dynamic values determined at evaluation time.

An interpolated string is composed of a template-string containing zero or more template-expressions that evaluates to a value at evaluation time.
The $ character prefix identifies a template-string, and template-expressions are declared by being enclosed in curly-braces ({, }).

Additionally, undefined template-expression values don't halt evaluation; instead, <undefined> will be injected into the generated string.

package interpolation

allowed_roles := ["admin", "employee"]

default role := "guest"
role := input.role

deny contains $"User {input.username}'s role was '{role}', but must be one of {allowed_roles}" if {
  not role in allowed_roles
}
{
  "deny": [
    "User <undefined>'s role was 'guest', but must be one of [\"admin\", \"employee\"]"
  ],
}

String interpolation is a more readable and less error-prone substitute for the sprintf built-in function.

Authored by @​johanfylling reported by @​anderseknert

[!TIP]
Help us out!

New Rego language features are exciting, and we want to maximize their usefulness. If you come across tools and integrations in the community where string interpolation isn't properly handled, such as syntax highlighting, please reach out and let us know.

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem
Miscellaneous

v1.11.1

Compare Source

This is a bugfix release:

Memory exhaustion via forged gzip header

A crafted HTTP request any of OPA's HTTP endpoints would lead OPA to use a large amount of memory, triggering
an out-of-memory process exit.

This weakness in OPA's HTTP API gzip handling is as old as the gzip handling itself. A configurable limit was introduced in v0.67.0, but it has been shown that this security measure wasn't sufficient to avoid running out of memory in memory-constrained setups.

Thanks to @​thevilledev for reporting and fixing this issue.

It only applies to OPA running as server (as a binary or in a container, as "sidecar"). To trigger an OOM process exit using this weakness, an adversary must be able to send an HTTP request directly to OPA. This would be the case if they are in the same network, there is no proxy in front of OPA, or if OPA was exposed to the internet, which is advised against.

By the nature of HTTP encodings, this would be effective before token-based authentication and authorization policies, so these measures do not protect against the attack vector.

If all OPA endpoints are using TLS-based authentication (mutual TLS, "mTLS"), then an adversary cannot do harm with this method.

Please note that while we're taking all of these issues seriously, OPA isn't designed for adversary environments. It's strongly advised not to expose any of its endpoints to the public internet. Furthermore, available security measures should be applied regardless, for a defense in depth approach. See the documentation for the available means of authentication and authorization in OPA.

Please also check out our Security Policy for reporting critical issues and bugs.

Decision Logs dropped (introduced in OPA v1.9.0)

When the decision logs buffer was uploaded, the buffer limit inadvertently got reset to the default upload limit (32kb).
This causes logs to be dropped that shouldn't have been dropped.

This default is overridden by the configuration value decision_logs.reporting.upload_size_limit_bytes, see the docs on decision logs.

There's a Prometheus metric for dropped events, counter_decision_logs_dropped_buffer_size_limit_bytes_exceeded,
and you can check that for unexpectedly high counts.

Reported by @​johanneslarsson #​8123, fixed by @​sspaink.

The release is otherwise identical to v1.11.0.

v1.11.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • More efficient connection management in the http.send built-in function
  • More performant loading of large bundles containing multiple Rego files
Immutable Releases

Starting with this release, OPA releases are immutable for increased security.

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem
Miscellaneous
  • Bump golangci-lint, more gocritic linters (#​8052) authored by @​anderseknert
  • Tidy up and unify sync pool handling (#​8068) authored by @​anderseknert
  • builtins: Add StringOperandByteSlice helper (#​8048) authored by @​anderseknert
  • test: Add test cases for consistent cache behavior (#​8015) authored by @​DFrenkel
  • util/performance: Remove math.Log10, remove unused KeysCount (#​8041) authored by @​srenatus
  • workflow: Add Benchmarks workflow (#​8072) authored by @​srenatus
  • workflows/pull-request: Update macos versions (#​8030) authored by @​srenatus
  • Dependency updates; notably:
    • build: golang 1.25.3 -> 1.25.4 (#​8051) authored by @​srenatus
    • build(deps): Bump github.com/bytecodealliance/wasmtime-go from v37.0.0 to v39.0.1 (#​8075) authored by @​srenatus
    • build(deps): Bump github.com/containerd/containerd/v2 from 2.1.4 to 2.2.0
    • build(deps): Bump github.com/huandu/go-sqlbuilder from 1.37.0 to 1.38.1
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.11 to 3.0.12
    • build(deps): Bump github.com/vektah/gqlparser/v2 from 2.5.30 to 2.5.31 (#​8027) authored by @​johanfylling
    • build(deps): Bump golang.org/x/crypto from 0.43.0 to 0.45.0
    • build(deps): Bump golang.org/x/net from 0.44.0 to 0.45.0
    • build(deps): Bump golang.org/x/time from 0.13.0 to 0.14.0
    • build(deps): Bump google.golang.org/grpc from 1.75.1 to 1.76.0
    • build(deps): Bump google.golang.org/protobuf from 1.36.9 to 1.36.10

v1.10.1

Compare Source

This is a bugfix release for the split builtin: In v1.10.0, it was looping infinitely when used with an empty-string delimiter.

Reported by @​SignalRichard, authored by @​srenatus

The release is otherwise identical to v1.10.0.

v1.10.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Non-static arm64 executables for linux and darwin, supporting Wasm evaluation
  • Performance improvements to the formatter, compiler, and runtime
  • A new --fail-on-empty flag for opa test
  • Support for IS NOT NULL query statements in the Compile API
Non-static OPA binaries for linux/arm64 and darwin/arm64

Starting with this release, OPA will ship non-static arm64 executables for linux and darwin.
These binaries have support for Wasm evaluation.
Furthermore, the openpolicyagent/opa:latest docker image is a multi-platform image with arm64 support.

Runtime, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem
Miscellaneous

v1.9.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Compile API extensions ported from EOPA
  • Improved rule indexing
Compile Rego Queries Into SQL Filters (#​7887)

Compile API extensions with support for SQL filter generation previously exclusive to EOPA has been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

### METADATA
### scope: document

### compile:
###   unknowns: [input.fruits]
include if input.fruits.name == input.favorite
Example Request
POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}
Example Response
HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @​srenatus and @​philipaconrad

Improved Rule Indexing For "Naked" Refs (#​7897)

OPA's rule indexer is a means by which OPA can optimize evaluation performance.
Briefly, the indexer can in some cases determine that a rule won't successfully evaluate before it's evaluated based on the query input.
The indexer previously only considered terms in certain compound expressions, ignoring single terms; e.g. an expression containing a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Where we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @​srenatus

Runtime, Tooling
Compiler, Topdown and Rego
Docs, Website
Miscellaneous
  • Bump golangci-lint to v2.4.0 (#​7878) authored by @​sspaink
  • Community Guidelines: update email list (#​7900) authored by @​srenatus
  • ci: port binary tests to testscript (#​7865) authored by @​srenatus
  • dependabot: Updating e2e go deps together with core OPA deps (#​7923) authored by @​johanfylling
  • github_actions: Add working directory in arguments for Link Checker (#​7883) authored by @​sspaink
  • rego: Add comprehensive WASM performance benchmarks (#​7841) authored by @​anivar
  • Dependency updates; notably:
    • build: Bump go to 1.25.1
    • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
    • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
    • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
    • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
    • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
    • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
    • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0

v1.8.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Support for EdDSA signatures in io.jwt built-ins, including a new io.jwt.verify_eddsa built-in.
EdDSA Support in built-ins (#​7824)

Support for the EdDSA signing algorithm has been added to built-in functions in the io.jwt namespace.

This introduces the new io.jwt.verify_eddsa built-in function, and adds EdDSA support for the following built-ins:

This feature benefited greatly from the groundwork laid by @​lestrrat in (#​7638). 👏 🎉 🥳

Authored by @​johanfylling reported by @​aromeyer

Runtime
Topdown
  • perf: Performance greatly improved for Object.Insert on existing key (#​7820) authored by @​anderseknert
  • topdown,bundle,plugins: Upgrade interned jwx (0.9.x) with github.com/lestrrat-go/jwx/v3 (#​7638) authored by @​lestrrat
Docs, Website
Miscellaneous

v1.7.1

Compare Source

This is a bug fix release addressing two issues for users that include OPA's CLI in their own application's CLI:

  • A missing symbol in the cmd package (cmd.RootCommand)
  • A possible panic in the opa parse command

v1.7.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Improved OPA SDK/API for better extensibility
SDK Improvements

The OPA SDK/API has been improved to provide better extensibility an more points of integration for developers.

Runtime, Tooling

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/release-v0.7-major-go-modules branch from 45d30a3 to 8592b98 Compare December 17, 2025 00:07
@renovate renovate bot force-pushed the renovate/release-v0.7-major-go-modules branch 2 times, most recently from c084c48 to df676cc Compare December 19, 2025 02:13
@renovate renovate bot force-pushed the renovate/release-v0.7-major-go-modules branch from df676cc to 2afdcd8 Compare January 6, 2026 16:47
@renovate
Copy link
Contributor Author

renovate bot commented Jan 6, 2026

ℹ️ Artifact update notice

File name: docs/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.2 -> 1.24.6
github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 -> v0.0.0-20250401214520-65e299d6c5c9
sigs.k8s.io/yaml v1.4.0 -> v1.6.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

major release-v0.7 renovate size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants