Update module github.com/crossplane/crossplane to v1.11.5 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/crossplane/crossplane	v1.6.1 -> v1.11.5

GitHub Vulnerability Alerts

CVE-2023-27484

Summary

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified a vulnerability in the fieldpath package from crossplane/crossplane-runtime that an already highly privileged Crossplane user able to create or update Compositions could leverage to cause an out of memory panic in Crossplane.

Details

Compositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated and if a specified index is greater than the current size of the target slice, that slice's size will be increased to the specified index, which could lead to an excessive amount of memory usage and therefore the Pod being OOM-Killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value.

Workaround

Users can restrict write privileges on Compositions to only admin users as a workaround.

CVE-2023-38495

Impact

Crossplanes image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package.

Patches

The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0, all the supported versions of Crossplane at the time of writing.

Workarounds

Only using images from trusted sources and keeping Package editing/creating privileges to administrators only, which should be both considered already best practices.

References

See ADA-XP-23-11 in the Security Audit's report.

Credits

This was reported as ADA-XP-23-11 by @​AdamKorcz and @​DavidKorczynski from Ada Logic and facilitated by OSTIF as part of the Security Audit sponsored by CNCF.

CVE-2023-37900

Impact

An high-privileged user could create a Package referencing an arbitrarily large image containing that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled.

The impact is low due to the high privileges required to be able to create the Package and the eventually consistency nature of controller.

Patches

The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0, all the supported versions of Crossplane at the time of writing.

Workarounds

Only using images from trusted sources and keeping Package editing/creating privileges to administrators only, which should be both considered already best practices.

References

See ADA-XP-23-16 in the Security Audit's report.

Credits

This was reported as ADA-XP-23-16 by @​AdamKorcz and @​DavidKorczynski from Ada Logic and facilitated by OSTIF as part of the Security Audit sponsored by CNCF.

---

Release Notes

crossplane/crossplane (github.com/crossplane/crossplane)

v1.11.5

Compare Source

v1.11.5 addresses a few security issues shared during the security audit by Ada Logic and facilitated by OSTIF, sponsored by CNCF. See the report for more details.

Notable changes

• Fix composition functions to be able to run with unconfined AppArmor profile.
• Security fixes, see the report for more details.

What's Changed

• [Backport release-1.11] chore(Dockerfile): use COPY instead of ADD by @​github-actions in https://github.com/crossplane/crossplane/pull/4175
• Update debian:bookworm-slim Docker digest to d8f9d38 (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/4195
• [Backport release-1.11] fix: limit xfn stdout and stderr by @​github-actions in https://github.com/crossplane/crossplane/pull/4236
• [Backport release-1.11] fix(xfn): set max layers number limit for images by @​github-actions in https://github.com/crossplane/crossplane/pull/4238
• [Backport release-1.11] fix(crank): copy to tar file one chunk at a time by @​github-actions in https://github.com/crossplane/crossplane/pull/4234
• [Backport release-1.11] Run xfn with unconfined AppArmor profile by @​github-actions in https://github.com/crossplane/crossplane/pull/4247
• Update debian:bookworm-slim Docker digest to 9bd077d (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/4335
• [Backport release-1.11] fix: limit max number of layers for Packages by @​github-actions in https://github.com/crossplane/crossplane/pull/4352
• [Backport release-1.11] fix: stop rbac manager's rule expansion on timeout by @​phisco in https://github.com/crossplane/crossplane/pull/4355
• [Backport release-1.11] chore: bump go-containerregistry to v0.15.3-0.20230625233257-b8504803… by @​phisco in https://github.com/crossplane/crossplane/pull/4356
• [Backport release-1.11] fix: max size of package parsed limited to 200MB by @​github-actions in https://github.com/crossplane/crossplane/pull/4363
• [Backport release-1.11] fix: validate Package images by @​github-actions in https://github.com/crossplane/crossplane/pull/4373
• [Backport release-1.11] composite: fix nil-dereference by @​github-actions in https://github.com/crossplane/crossplane/pull/4381
• Update ci.yml with new hashes by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/4391

Full Changelog: crossplane/crossplane@v1.11.4...v1.11.5

v1.11.4

Compare Source

v1.11.4 addresses a few minor bugs and bumps a few dependencies to address vulnerabilities image scanners might have reported.

Notable changes

• Clarified the ControllerConfig deprecation message, highlighting that it's not going to be removed until a better option is available and a clear migration path has been well documented and publicly shared. Reduced also the number of times the message is shown to reduce noise.
• Bumped a few dependencies to remove the number of HIGH CVEs reported by image scanners.

What's Changed

• Update gcr.io/distroless/static Docker digest to a01d47d (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3962
• Update gcr.io/distroless/static Docker digest to 7198a35 (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/4059
• Update debian:bookworm-slim Docker digest to e1a80fd (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3861
• [Backport release-1.11] fix: handle nil deletion policy as not being foreground by @​github-actions in https://github.com/crossplane/crossplane/pull/4122
• [Backport release-1.11] chore: bump go-containerregistry by @​phisco in https://github.com/crossplane/crossplane/pull/4147
• [Backport release-1.11] Clarify ControllerConfig deprecation message to reduce confusion by @​jbw976 in https://github.com/crossplane/crossplane/pull/4154

Full Changelog: crossplane/crossplane@v1.11.3...v1.11.4

v1.11.3

Compare Source

v1.11.3 is a scoped patch release that focuses on an issue that was preventing the alpha feature of Composition Functions from successfully running in certain environments that have a version of crun of 1.8+ (issue #​3807). This release should unblock the general testing and feedback on Composition Functions again. Thank you @​AndrewChubatiuk for contributing this fix!

What's Changed

• [Backport release-1.11] fix: typo in CRDs by @​github-actions in https://github.com/crossplane/crossplane/pull/3888
• Update module github.com/moby/buildkit to v0.11.4 [SECURITY] (release-1.11) - abandoned by @​renovate in https://github.com/crossplane/crossplane/pull/3833
• [Backport release-1.11] fixed crun 1.8.1 support by @​github-actions in https://github.com/crossplane/crossplane/pull/3897
• Update gcr.io/distroless/static Docker digest to 97b762e (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3913

Full Changelog: crossplane/crossplane@v1.11.2...v1.11.3

v1.11.2

Compare Source

v1.11.2 bumps the crossplane-runtime version, in order to address a Crossplane vulnerability, caused by GHSA-vfvj-3m3g-m532.
These vulnerabilities were discovered thanks to the fuzz tests added to the Crossplane project by Ada Logics as part of a security audit sponsored by the CNCF.

What's Changed

• Update gcr.io/distroless/static Docker digest to 3c57678 (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3811
• [Backport release-1.11] chore: bump crossplane-runtime to v0.19.2 by @​phisco in https://github.com/crossplane/crossplane/pull/3838

Full Changelog: crossplane/crossplane@v1.11.1...v1.11.2

v1.11.1

Compare Source

v1.11.1 contains a fix for Composition Functions causing extra resources to be created (#​3774), applies the --pollInterval CLI argument to the Claim and Composite reconcilers (#​3773), and adds the Composite Kind and APIVersion information to the kubectl get output columns for Compositions and CompositionRevisions. Additional dependency and CI updates are also included.

What's Changed

• Update gcr.io/distroless/static Docker digest to 450981e (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3700
• Update debian:bookworm-slim Docker digest to ffd3e96 (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3727
• Update gcr.io/distroless/static Docker digest to d2e0993 (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3738
• Update debian:bookworm-slim Docker digest to 199482f (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3729
• Update debian:bookworm-slim Docker digest to 72cc75f (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3768
• Update gcr.io/distroless/static Docker digest to d02be0e (release-1.11) by @​renovate in https://github.com/crossplane/crossplane/pull/3769
• [Release 1.11] Bump runtime to v0.19.1 by @​turkenh in https://github.com/crossplane/crossplane/pull/3787
• [Backport release-1.11] Add compositeTypeRef kind and apiVersion to Composition output columns by @​github-actions in https://github.com/crossplane/crossplane/pull/3780
• [release-1.11] Bump Ubuntu version to 22.04 in CI by @​turkenh in https://github.com/crossplane/crossplane/pull/3803
• [Backport release-1.11] Apply pollInterval to Claim and Composite reconcilers by @​github-actions in https://github.com/crossplane/crossplane/pull/3773
• [Backport release-1.11] Use NewAPIPatchingApplicator in PTF composite by @​github-actions in https://github.com/crossplane/crossplane/pull/3797

Full Changelog: crossplane/crossplane@v1.11.0...v1.11.1

v1.11.0

Compare Source

Release v1.11.0 is a regularly scheduled quarterly release that includes many exciting features that have been highly requested by the Crossplane community, such as Composition Functions, EnvironmentConfig, and promoting CompositionRevisions to beta.

Additionally, this v1.11.0 release includes a major documentation rewrite based on direct feedback from Crossplane users, and also focuses on stability fixes and design investigations.

New Features

• Composition Function support introduced in alpha by @​negz in https://github.com/crossplane/crossplane/pull/2886. You are now able to write your own custom composition logic, in any programming language of your choice, to augment Crossplane’s built-in patching and transform capabilities.
• EnvironmentConfig support introduced in alpha by @​MisterMX in https://github.com/crossplane/crossplane/pull/3007. It’s now possible to patch resources within a Composition by using configuration data from the general runtime environment, as opposed to being constrained to information available within a single composite resource.
• Promoted CompositionRevisions to v1beta1 and are now enabled by default by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/3453. CompositionRevisions have been improved with feedback from the community and are now stabilized and ready for general production usage.
• The Crossplane documentation website has been redesigned to give users of Crossplane a better educational experience, whether they are new to the project or more advanced. Check out the new docs site at https://docs.crossplane.io/ and let us know your feedback in the docs repo!

Notable Updates

• This will be the last release to be published to Docker Hub, future releases will use xpkg.upbound.io instead by @​nullable-eth in https://github.com/crossplane/crossplane/pull/3568
• ControllerConfing API has been deprecated by @​hasheddan in https://github.com/crossplane/crossplane/pull/3678
• Lock API v1alpha1 has been dropped by @​negz in https://github.com/crossplane/crossplane/pull/3479
• CompositionRevisions' names are built adding a partial hash suffix by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/3391

What's Changed

• Empty commit for after v1.10 by @​muvaf in https://github.com/crossplane/crossplane/pull/3368
• Add new steps for docs by @​plumbis in https://github.com/crossplane/crossplane/pull/3372
• Add support for deleteCompositePolicy by @​bobh66 in https://github.com/crossplane/crossplane/pull/3321
• Validate docs content in CI and support one-command local dev by @​hasheddan in https://github.com/crossplane/crossplane/pull/3375
• Update documentation with new package repos and links to search by @​hasheddan in https://github.com/crossplane/crossplane/pull/3373
• Fix compositionRevision update conflict by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/3376
• Consume latest crossplane-runtime's fake.Composite to prevent panics caught by CNCF fuzzing tests by @​ulucinar in https://github.com/crossplane/crossplane/pull/3394
• Update crossplane chart README.md with correct pull secret value by @​hasheddan in https://github.com/crossplane/crossplane/pull/3400
• Only match steering committee files in root by @​hasheddan in https://github.com/crossplane/crossplane/pull/3401
• helm tolerations map > list by @​apj0nes in https://github.com/crossplane/crossplane/pull/3412
• More granular comparison of Roles annotations during reconciliation. by @​jmprusi in https://github.com/crossplane/crossplane/pull/3409
• Set crossplane user agent on package requests by @​hasheddan in https://github.com/crossplane/crossplane/pull/3405
• Change 'Compute' to 'Computing' in CNCF by @​nickbeaugie in https://github.com/crossplane/crossplane/pull/3424
• Ensure stable sorting of object references on package revisions by @​hasheddan in https://github.com/crossplane/crossplane/pull/3426
• Updated readme: Added v1.11 and removed v.1.7 from supported releases by @​shazib-summar in https://github.com/crossplane/crossplane/pull/3411
• [helm chart] Set GOMAXPROCS and GOMEMLIMIT based on resource limits by @​epk in https://github.com/crossplane/crossplane/pull/3432
• Change the composition name to production by @​mplzik in https://github.com/crossplane/crossplane/pull/3434
• Explicitly setting release namespace on resources by @​AaronME in https://github.com/crossplane/crossplane/pull/3437
• feat(chart): Allow prepopulating cache from ConfigMap by @​MisterMX in https://github.com/crossplane/crossplane/pull/3438
• Add reference policy concept to documentation by @​sergenyalcin in https://github.com/crossplane/crossplane/pull/3439
• CLI install script: prefix variables by @​pbenas in https://github.com/crossplane/crossplane/pull/3440
• Create composition revision names with partial hash by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/3391
• Add a design document for 'Composition Functions' by @​negz in https://github.com/crossplane/crossplane/pull/2886
• Implement composition revision selector by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/3450
• Docs: Terrajet => Upjet by @​luebken in https://github.com/crossplane/crossplane/pull/3404
• Enable mergeOptions for composition revisions by @​eloo-abi in https://github.com/crossplane/crossplane/pull/3364
• feat(transform): Add match transform by @​MisterMX in https://github.com/crossplane/crossplane/pull/3314
• Only update frontmatter on minor releases by @​hasheddan in https://github.com/crossplane/crossplane/pull/3430
• Update Doc Argo CD Configuration by @​clementblaise in https://github.com/crossplane/crossplane/pull/3428
• Enable the revive and nolintlint linters. by @​negz in https://github.com/crossplane/crossplane/pull/3462
• fix broken link to helm provider by @​csantanapr in https://github.com/crossplane/crossplane/pull/3464
• Promote CompositionRevision to v1beta1 by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/3453
• Correct spelling in Composition Functions design doc by @​tobru in https://github.com/crossplane/crossplane/pull/3473
• fix all broken links in install-configure by @​csantanapr in https://github.com/crossplane/crossplane/pull/3470
• Update build submodule to remove Go check by @​hasheddan in https://github.com/crossplane/crossplane/pull/3488
• Update CompositionRevision guide and remove CURRENT marker by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/3481
• Update master docs content to conform to new docs.crossplane.io by @​plumbis in https://github.com/crossplane/crossplane/pull/3486
• Add missing word by @​plumbis in https://github.com/crossplane/crossplane/pull/3489
• Switch Nathan for Ezgi in reviewers by @​negz in https://github.com/crossplane/crossplane/pull/3496
• Fix enabling external secret stores in guide by @​hasheddan in https://github.com/crossplane/crossplane/pull/3499
• Rename docs repo by @​plumbis in https://github.com/crossplane/crossplane/pull/3502
• Remove notices that Composition Revision related fields are alpha by @​negz in https://github.com/crossplane/crossplane/pull/3471
• Use goverter to automatically generate conversion code by @​negz in https://github.com/crossplane/crossplane/pull/3479
• remove duplicate / partial paragraph in installation docs by @​emilkje in https://github.com/crossplane/crossplane/pull/3474
• Fix out of sync code generation and always run check-diff by @​hasheddan in https://github.com/crossplane/crossplane/pull/3508
• Update build submodule with docs hot reloading by @​hasheddan in https://github.com/crossplane/crossplane/pull/3512
• Update build submodule with fixes for docs generation by @​hasheddan in https://github.com/crossplane/crossplane/pull/3513
• fix(transforms): add match to kubebuilder enum by @​pysysops in https://github.com/crossplane/crossplane/pull/3515
• Update docs styling guidelines for code blocks by @​plumbis in https://github.com/crossplane/crossplane/pull/3497
• Move all Patch and Transform logic to the XR controller by @​negz in https://github.com/crossplane/crossplane/pull/3472
• Docs: Fiz docs about readinessChecks in the MatchInteger code snippet… by @​rafaeldomi in https://github.com/crossplane/crossplane/pull/3524
• Add agent-inject to crossplane itself by @​jonnylangefeld in https://github.com/crossplane/crossplane/pull/3521
• Add a docs issue template to auto tag doc bugs by @​plumbis in https://github.com/crossplane/crossplane/pull/3460
• Ignore Zone.Identifier files. Resolves #​3535 by @​plumbis in https://github.com/crossplane/crossplane/pull/3536
• Add a tutorial doc for composition revisions by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/3501
• feat(compositions): Support patching from Environment by @​MisterMX in https://github.com/crossplane/crossplane/pull/3007
• Update docs guide to cover recent functions by @​plumbis in https://github.com/crossplane/crossplane/pull/3537
• Use serviceAccountName for Service Account creation by @​micnncim in https://github.com/crossplane/crossplane/pull/2880
• Fix get namespace error message by @​hasheddan in https://github.com/crossplane/crossplane/pull/3557
• feat: Added commonLabel to label resources applied via Configuration by @​akesser in https://github.com/crossplane/crossplane/pull/3556
• Add commentary for spec.serviceAccountName in ControllerConfig by @​micnncim in https://github.com/crossplane/crossplane/pull/3559
• docs: fix typo by @​phisco in https://github.com/crossplane/crossplane/pull/3561
• fix: bump dependencies to fix CVEs by @​phisco in https://github.com/crossplane/crossplane/pull/3563
• Infra changes to move docs out by @​plumbis in https://github.com/crossplane/crossplane/pull/3538
• Add links to docs issues, support requests by @​negz in https://github.com/crossplane/crossplane/pull/3564
• Restore packagePullPolicy Always polling behavior by @​hasheddan in https://github.com/crossplane/crossplane/pull/3581
• feat(transform): Add ToJson string conversion by @​MisterMX in https://github.com/crossplane/crossplane/pull/3458
• Update release date for v1.11.0 by @​hasheddan in https://github.com/crossplane/crossplane/pull/3587
• Regenerate Composition CRD by @​hasheddan in https://github.com/crossplane/crossplane/pull/3589
• Fix 404 on Helm chart icon by @​undera in https://github.com/crossplane/crossplane/pull/3588
• Fix constant reconciles on inactive package revisions by @​hasheddan in https://github.com/crossplane/crossplane/pull/3582
• publish to upbound marketplace by @​nullable-eth in https://github.com/crossplane/crossplane/pull/3568
• Remove docs dir and move packages & meta CRDs to cluster dir by @​hasheddan in https://github.com/crossplane/crossplane/pull/3597
• Fix flaky unit test by using approximate time comparison by @​hasheddan in https://github.com/crossplane/crossplane/pull/3599
• Support running Containerized Composition functions by @​negz in https://github.com/crossplane/crossplane/pull/3465
• ci: renovate configuration by @​phisco in https://github.com/crossplane/crossplane/pull/3575
• Update gcr.io/distroless/static Docker digest to 11364b4 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3610
• Update module github.com/containerd/containerd to v1.6.12 [SECURITY] (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3606
• Pin dependencies (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3607
• Update all non-major github action (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3618
• ci: set renovate to also handle go digests by @​phisco in https://github.com/crossplane/crossplane/pull/3616
• ci: set xfn base image tag too by @​phisco in https://github.com/crossplane/crossplane/pull/3613
• Update actions/cache action to v3 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3623
• feat(transform): Allow converting string to float as resource.Quantity by @​MisterMX in https://github.com/crossplane/crossplane/pull/3316
• Update actions/checkout action to v3 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3624
• Update actions/setup-go action to v3 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3626
• Update actions/stale action to v7 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3627
• Update codecov/codecov-action action to v3 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3630
• Update actions/upload-artifact action to v3 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3629
• Update docker/login-action action to v2 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3632
• Update docker/setup-buildx-action action to v2 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3633
• feat(transform): Add hash string conversion by @​MisterMX in https://github.com/crossplane/crossplane/pull/3498
• ci: remove 1.8 from renovate's target branches by @​phisco in https://github.com/crossplane/crossplane/pull/3637
• Add @​phisco to reviewers by @​negz in https://github.com/crossplane/crossplane/pull/3640
• Pin to Go 1.19.5 by @​hasheddan in https://github.com/crossplane/crossplane/pull/3639
• Update docker/setup-qemu-action action to v2 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3635
• Update fkirc/skip-duplicate-actions action to v5 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3636
• Update github/codeql-action action to v2 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3642
• Update gcr.io/distroless/static Docker digest to c79ef2d (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3643
• Resurrect contributing docs and README banner by @​negz in https://github.com/crossplane/crossplane/pull/3634
• Update golangci/golangci-lint-action action to v3 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3645
• fuzzing: run fuzzers in CI by @​AdamKorcz in https://github.com/crossplane/crossplane/pull/3553
• Make CodeQL part of the CI workflow, reduce Fuzzing to 5 mins from 10 by @​negz in https://github.com/crossplane/crossplane/pull/3644
• Update zeebe-io/backport-action action to v1 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3647
• Update xt0rted/slash-command-action action to v2 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3648
• Update google/oss-fuzz digest to 700fd90 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3649
• Use the same version of upload-artifact everywhere by @​negz in https://github.com/crossplane/crossplane/pull/3650
• Update gcr.io/distroless/static Docker digest to 5bda5a4 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3652
• Have CodeQL job use the Go dep and build cache by @​negz in https://github.com/crossplane/crossplane/pull/3653
• chore: renovate handling golangci-lint version in makefile by @​phisco in https://github.com/crossplane/crossplane/pull/3651
• Update dependency golangci/golangci-lint to v1.50.1 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3657
• Tell golangci-lint action not to try to cache by @​negz in https://github.com/crossplane/crossplane/pull/3658
• ci: configure renovate to ignore oss-fuzz action updates by @​phisco in https://github.com/crossplane/crossplane/pull/3663
• ci: add trivy filesystem scan job by @​phisco in https://github.com/crossplane/crossplane/pull/3665
• Add fuzzer in Xcrd package by @​AdamKorcz in https://github.com/crossplane/crossplane/pull/3445
• Bump crossplane-runtime, controller-runtime, and kubernetes deps by @​negz in https://github.com/crossplane/crossplane/pull/3659
• Pin aquasecurity/trivy-action action to 9ab158e (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3672
• Update github/codeql-action digest to 3ebbd71 (master) by @​renovate in https://github.com/crossplane/crossplane/pull/3673
• Mark ControllerConfing API as deprecated by @​hasheddan in https://github.com/crossplane/crossplane/pull/3678

New Contributors

• @​ezgidemirel made their first contribution in https://github.com/crossplane/crossplane/pull/3376
• @​apj0nes made their first contribution in https://github.com/crossplane/crossplane/pull/3412
• @​jmprusi made their first contribution in https://github.com/crossplane/crossplane/pull/3409
• @​nickbeaugie made their first contribution in https://github.com/crossplane/crossplane/pull/3424
• @​shazib-summar made their first contribution in https://github.com/crossplane/crossplane/pull/3411
• @​mplzik made their first contribution in https://github.com/crossplane/crossplane/pull/3434
• @​eloo-abi made their first contribution in https://github.com/crossplane/crossplane/pull/3364
• @​clementblaise made their first contribution in https://github.com/crossplane/crossplane/pull/3428
• @​csantanapr made their first contribution in https://github.com/crossplane/crossplane/pull/3464
• @​emilkje made their first contribution in https://github.com/crossplane/crossplane/pull/3474
• @​pysysops made their first contribution in https://github.com/crossplane/crossplane/pull/3515
• @​rafaeldomi made their first contribution in https://github.com/crossplane/crossplane/pull/3524
• @​jonnylangefeld made their first contribution in https://github.com/crossplane/crossplane/pull/3521
• @​micnncim made their first contribution in https://github.com/crossplane/crossplane/pull/2880
• @​akesser made their first contribution in https://github.com/crossplane/crossplane/pull/3556
• @​undera made their first contribution in https://github.com/crossplane/crossplane/pull/3588
• @​nullable-eth made their first contribution in https://github.com/crossplane/crossplane/pull/3568
• @​AdamKorcz made their first contribution in https://github.com/crossplane/crossplane/pull/3553

Full Changelog: crossplane/crossplane@v1.10.0...v1.11.0

v1.10.4

Compare Source

v1.10.4 bumps a few dependencies to address vulnerabilities image scanners might have reported.

Notable changes

• Bumped a few dependencies to remove the number of HIGH CVEs reported by image scanners.

What's Changed

• Update gcr.io/distroless/static Docker digest to f1e013b (release-1.10) by @​renovate in https://github.com/crossplane/crossplane/pull/3860
• Update gcr.io/distroless/static Docker digest to 97b762e (release-1.10) by @​renovate in https://github.com/crossplane/crossplane/pull/3863
• Update gcr.io/distroless/static Docker digest to a01d47d (release-1.10) by @​renovate in https://github.com/crossplane/crossplane/pull/3961
• Update gcr.io/distroless/static Docker digest to 7198a35 (release-1.10) by @​renovate in https://github.com/crossplane/crossplane/pull/4057
• [Backport release-1.10] chore: bump go-containerregistry by @​phisco in https://github.com/crossplane/crossplane/pull/4161

Full Changelog: crossplane/crossplane@v1.10.3...v1.10.4

v1.10.3

Compare Source

v1.10.3 bumps the crossplane-runtime version, in order to address a Crossplane vulnerability, caused by GHSA-vfvj-3m3g-m532.
These vulnerabilities were discovered thanks to the fuzz tests added to the Crossplane project by Ada Logics as part of a security audit sponsored by the CNCF.

What's Changed

• Update gcr.io/distroless/static Docker digest to 450981e (release-1.10) by @​renovate in https://github.com/crossplane/crossplane/pull/3699
• Update gcr.io/distroless/static Docker digest to d2e0993 (release-1.10) by @​renovate in https://github.com/crossplane/crossplane/pull/3734
• Update gcr.io/distroless/static Docker digest to d02be0e (release-1.10) by @​renovate in https://github.com/crossplane/crossplane/pull/3767
• Update gcr.io/distroless/static Docker digest to 3c57678 (release-1.10) by @​renovate in https://github.com/crossplane/crossplane/pull/3810
• [Release 1.10] Bump crossplane-runtime to v1.19.2 by @​phisco in https://github.com/crossplane/crossplane/pull/3841

Full Changelog: crossplane/crossplane@v1.10.2...v1.10.3

v1.10.2

Compare Source

The v1.10.2 release includes fixes for restoring the documented packagePullPolicy: Always behavior (https://github.com/crossplane/crossplane/pull/3581) as well as a follow-up fix to https://github.com/crossplane/crossplane/pull/3426 for constantly enqueued reconciles for ProviderRevisions marked as Inactive (https://github.com/crossplane/crossplane/pull/3582). There were also numerous documentation fixes and minor dependency updates.

What's Changed

• [Backport release-1.10] CLI install script: prefix variables by @​github-actions in https://github.com/crossplane/crossplane/pull/3446
• [Backport release-1.10] fix broken link to helm provider by @​github-actions in https://github.com/crossplane/crossplane/pull/3469
• [Backport release-1.10] fix all broken links in install-configure by @​github-actions in https://github.com/crossplane/crossplane/pull/3478
• Update v1.10 docs content to conform to new docs.crossplane.io by @​plumbis in https://github.com/crossplane/crossplane/pull/3485
• [Backport release-1.10] Add missing word by @​github-actions in https://github.com/crossplane/crossplane/pull/3495
• [Backport release-1.10] Fix enabling external secret stores in guide by @​github-actions in https://github.com/crossplane/crossplane/pull/3500
• [release-1.10] Rename docs repo (#​3502) by @​hasheddan in https://github.com/crossplane/crossplane/pull/3503
• [Backport release-1.10] remove duplicate / partial paragraph in installation docs by @​github-actions in https://github.com/crossplane/crossplane/pull/3507
• [release-1.10] Fix docs generation and always run check-diff by @​hasheddan in https://github.com/crossplane/crossplane/pull/3510
• [Backport release-1.10] Docs: Fiz docs about readinessChecks in the MatchInteger code snippet… by @​github-actions in https://github.com/crossplane/crossplane/pull/3527
• [Backport release-1.10] Add agent-inject to crossplane itself by @​github-actions in https://github.com/crossplane/crossplane/pull/3528
• chore: bump dependencies due to CVEs by @​phisco in https://github.com/crossplane/crossplane/pull/3572
• [Backport release-1.10] Restore packagePullPolicy Always polling behavior by @​github-actions in [https://github.com/[Backport release-1.10] Restore packagePullPolicy Always polling behavior crossplane/crossplane#3586](https://togi

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.