Skip to content

build(deps): Bump github.com/open-policy-agent/opa from 1.4.2 to 1.18.2 in /authbridge/authlib#640

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/authbridge/authlib/github.com/open-policy-agent/opa-1.18.2
Open

build(deps): Bump github.com/open-policy-agent/opa from 1.4.2 to 1.18.2 in /authbridge/authlib#640
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/authbridge/authlib/github.com/open-policy-agent/opa-1.18.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/open-policy-agent/opa from 1.4.2 to 1.18.2.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.18.2

This release includes a bug fix for a opa fmt regression introduced in v1.18.0.

The original fix for #8557 had the formatter enforce newlines in single-item collections (arrays, objects, sets) rather than merely honoring existing ones. As a result, running opa fmt on already-formatted policies could introduce a large number of unwanted changes. This patch release restores the intended behavior: only newlines already present in the source determine whether a single-item collection is formatted on one line or across multiple lines.

Fixes

v1.18.1

This release fixes a memory leak introduced in OPA v1.17.0. It is advised to update if you notice excess memory usage when running OPA server.

Fixes

v1.18.0

This release contains a mix of bugfixes and small features. Notably:

  • A breaking fix to the outbound User-Agent header so it conforms to RFC 9110 (see below)
  • Container-aware resource limits: automatic GOMAXPROCS is restored and automatic GOMEMLIMIT is now supported
  • Several opa fmt correctness fixes
  • Improvements to opa test --coverage (ranges in report, inline rule head tracking, conjunction-expression coverage)

Breaking: Fix User-Agent according to RFC9110 (#8792)

OPA's outbound HTTP requests (bundle, discovery, decision log, status, http.send, AWS KMS/ECR) previously sent User-Agent: Open Policy Agent/<version> (<os>, <arch>), which is not a valid RFC 9110 User-Agent value because the product token cannot contain spaces. The header is now Open-Policy-Agent/<version> (<os>, <arch>). Server-side log filters or WAF rules that exact-match the old string will need to be updated.

Authored by @​sspaink, reported by @​SpecLad

Runtime, SDK, Tooling

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.18.2

This release includes a bug fix for a opa fmt regression introduced in v1.18.0.

The original fix for #8557 had the formatter enforce newlines in single-item collections (arrays, objects, sets) rather than merely honoring existing ones. As a result, running opa fmt on already-formatted policies could introduce a large number of unwanted changes. This patch release restores the intended behavior: only newlines already present in the source determine whether a single-item collection is formatted on one line or across multiple lines.

Fixes

1.18.1

This release fixes a memory leak introduced in OPA v1.17.0. It is advised to update if you notice excess memory usage when running OPA server.

Fixes

1.18.0

This release contains a mix of bugfixes and small features. Notably:

  • A breaking fix to the outbound User-Agent header so it conforms to RFC 9110 (see below)
  • Container-aware resource limits: automatic GOMAXPROCS is restored and automatic GOMEMLIMIT is now supported
  • Several opa fmt correctness fixes
  • Improvements to opa test --coverage (ranges in report, inline rule head tracking, conjunction-expression coverage)

Breaking: Fix User-Agent according to RFC9110 (#8792)

OPA's outbound HTTP requests (bundle, discovery, decision log, status, http.send, AWS KMS/ECR) previously sent User-Agent: Open Policy Agent/<version> (<os>, <arch>), which is not a valid RFC 9110 User-Agent value because the product token cannot contain spaces. The header is now Open-Policy-Agent/<version> (<os>, <arch>). Server-side log filters or WAF rules that exact-match the old string will need to be updated.

Authored by @​sspaink, reported by @​SpecLad

Runtime, SDK, Tooling

... (truncated)

Commits
  • e695c9e Patch release v1.18.2
  • d473969 Fix regression in fix of #8557 (#8845)
  • acc8bf9 Release v1.18.1
  • 713dc6a ast: fix AnnotationSet memory leak via runtime.AddCleanup cycle
  • cc2c5c6 Prepare v1.18 release (#8820)
  • e72a98f format: keep lone with on the closing-bracket line of multi-line expression...
  • 03646dd topdown: Fix PE not namespacing vars in comprehensions nested inside every ...
  • bf2bb52 benchmarks: split off script, emit markdown table
  • 02ce276 version: fix ill-formed User-Agent header (#8796)
  • 1fdbb77 build(deps): bump the dependencies group across 2 directories with 6 updates
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 6, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 6, 2026 23:15
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 6, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/authbridge/authlib/github.com/open-policy-agent/opa-1.18.2 branch from 22d68df to d97e9b4 Compare July 13, 2026 19:10
@pdettori

Copy link
Copy Markdown
Member

Holding this one — triaged as high-risk.

Bumping opa 1.4.2 → 1.18.2 transitively pulls in oras.land/oras-go/v2@2.6.1, which carries a high-severity advisory:

  • GHSA-fxhp-mv3v-67qporas-go tar extraction: hardlink entry with relative Linkname escapes the extract dir via process CWD resolution.

This is why the Dependency Review check fails (fail-on-severity: moderate), on top of the shared dependent-module go mod tidy issue that affected the other authlib bumps (now resolved in #673).

Recommended options before merging:

  1. Wait for an opa release whose transitive oras-go is >= 2.6.2 (the patched version), then let Dependabot re-open, or
  2. Manually bundle this bump with an explicit oras.land/oras-go/v2 bump to the patched version + go mod tidy in authlib/envoy/proxy (same pattern as build(deps): Bump authlib deps and tidy dependent modules #673).

Leaving open for now rather than merging.

@pdettori

Copy link
Copy Markdown
Member

Superseded by #674, which applies option 2 above: the opa 1.4.2 → 1.18.2 bump bundled with an explicit oras.land/oras-go/v2 v2.6.2 pin (patches GHSA-fxhp-mv3v-67qp) plus go mod tidy across authlib/envoy/proxy/abctl. #674 will close this PR on merge.

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.4.2 to 1.18.2.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.4.2...v1.18.2)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.18.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/authbridge/authlib/github.com/open-policy-agent/opa-1.18.2 branch from d97e9b4 to 11c6da2 Compare July 16, 2026 00:18
pdettori added a commit to pdettori/kagenti-extensions that referenced this pull request Jul 16, 2026
Bundles Dependabot's opa 1.4.2 -> 1.18.2 bump (kagenti#640) with an explicit
oras.land/oras-go/v2 v2.6.2 pin to avoid the high-severity transitive
advisory GHSA-fxhp-mv3v-67qp (oras-go tar hardlink extraction escape),
which opa 1.18.2 otherwise pulls in via oras-go 2.6.1 and which fails
the Dependency Review check (fail-on-severity: moderate).

Applies the bump in authlib and runs `go mod tidy` (GOWORK=off) in
authlib and every module that `replace`s it (authbridge-envoy,
authbridge-proxy, abctl) so their go.mod/go.sum stay in sync. Same
pattern as kagenti#673.

Verified locally (GOWORK=off): go vet, go build, and go test -race pass
in authlib/envoy/proxy; the proxy lite variant (exclude_plugin_* tags)
builds and tests; abctl vets clean. oras-go resolves to 2.6.2 in all
modules with no residual 2.5.0/2.6.1.

Supersedes and closes kagenti#640.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

Status: New/ToDo

Development

Successfully merging this pull request may close these issues.

2 participants