fix(deps): update module github.com/open-policy-agent/opa to v1.18.1#220
Merged
Merged
Conversation
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #220 +/- ##
=======================================
Coverage 76.58% 76.58%
=======================================
Files 81 81
Lines 1930 1930
=======================================
Hits 1478 1478
Misses 318 318
Partials 134 134 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
renovate
Bot
force-pushed
the
renovate/github.com-open-policy-agent-opa-1.x
branch
from
July 6, 2026 17:15
ac5856f to
c17ab2e
Compare
|
timo-reymann
pushed a commit
that referenced
this pull request
Jul 6, 2026
## [2.11.1](v2.11.0...v2.11.1) (2026-07-06) ### Bug Fixes * **deps:** update module github.com/open-policy-agent/opa to v1.18.1 ([#220](#220)) ([56b1e08](56b1e08))
Owner
|
🎉 This PR is included in version 2.11.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



This PR contains the following updates:
v1.13.1→v1.18.1Release Notes
open-policy-agent/opa (github.com/open-policy-agent/opa)
v1.18.1Compare Source
This release fixes a memory leak introduced in OPA v1.17.0. It is advised to update if you notice excess memory usage when running OPA server.
Fixes
v1.18.0Compare Source
This release contains a mix of bugfixes and small features. Notably:
User-Agentheader so it conforms to RFC 9110 (see below)GOMAXPROCSis restored and automaticGOMEMLIMITis now supportedopa fmtcorrectness fixesopa test --coverage(ranges in report, inline rule head tracking, conjunction-expression coverage)Breaking: Fix User-Agent according to RFC9110 (#8792)
OPA's outbound HTTP requests (bundle, discovery, decision log, status,
http.send, AWS KMS/ECR)previously sent
User-Agent: Open Policy Agent/<version> (<os>, <arch>), which is not a validRFC 9110
User-Agentvalue because theproducttoken cannot contain spaces. The header is nowOpen-Policy-Agent/<version> (<os>, <arch>). Server-side log filters or WAF rules thatexact-match the old string will need to be updated.
Authored by @sspaink, reported by @SpecLad
Runtime, SDK, Tooling
file_rego_versionspatterns with overlap (#8733) authored by @philipaconradwithon the closing-bracket line of multi-line expressions (#8804) authored by @anneheartrecord, reported by @burnsterast.Notnodes (#8731) authored by @johanfyllingCompiler, Topdown and Rego
ast.Notexpressions (#8717) authored by @johanfylling, reported by @anderseknertfuture.keywords.notnegation insideevery(#8781) authored by @johanfyllingplan/wasmbundle builds (#8732) authored by @philipaconradobject.get(#8729) authored by @anderseknertevery(#8816) authored by @johanfyllingdst.Compare(src)shortcut (#8739) authored by @srenatusDocs, Website, Ecosystem
Miscellaneous
go-version-filewithactions/setup-go(#8751) authored by @srenatusv1.17.1Compare Source
This release uses the latest version of Go (1.26.4) to build OPA, fixing stdlib vulnerabilities in code that OPA's HTTP handler and crypto builtins use:
It is otherwise the same code as v1.17.0.
Note that users building their own OPA binaries and images already control the Golang version, so this is not relevant for them.
Miscellaneous
v1.17.0Compare Source
This release contains a mix of new features, performance improvements, and bugfixes. Notably:
future.keywords.notimport that adds improved semantics to thenotkeyword.Improved Negation Semantics (#8387)
This OPA release introduces a new
future.keywords.notimportthat fixes a long-standing semantic issue with negation in Rego.
Without the import, the compiler expands a negated composite expression like
not f(g(input.x))into a series of sub-expressions evaluated before thenot:If any sub-expression fails — for example,
input.xis undefined orgproduces an undefined result — the entire rule fails rather than the
notsucceeding.This is unintuitive: the user's intent is "the condition does not hold," but
an undefined intermediate value causes a silent failure instead of the expected
notresult.With
import future.keywords.not, composite-expression negation wraps the full compilerexpansion in an implicit body:
Now, if any sub-expression is undefined or fails, the body is unsatisfiable
and the
notexpression succeeds; matching the intuition that "the condition does not hold."Authored by @johanfylling
Rule Labels in Decision Logs (#2089)
Rule annotations now support a
labelsfield. Labels from all successfully evaluatedrules are collected and included in each decision log entry as a top-level
rule_labelsarray. Each element is the merged label map for one successfully evaluated rule, with
inner-scope-wins precedence across the rule's annotation chain
(
subpackages<package<document<rule). Merged maps are deduplicatedacross rules so that identical label sets collapse to a single entry.
The resulting decision log entry will contain:
{"rule_labels": [{"service": "authz", "severity": "low", "team": "platform"}]}Note how
severity: infofrom the package scope is overridden byseverity: lowfromthe rule scope. Queries against
rule_labelscan now rely on each entry carrying thefull label context for a single rule, rather than one entry per contributing scope.
Both the runtime and the Go SDK now process metadata annotations by default.
Authored by @srenatus, reported by @tsandall
Runtime, SDK, Tooling
$refinallOfin JSON schemas (#6523) authored by @deeglaze reported by @mosiac1Compiler, Topdown and Rego
json.verify_schemaandjson.match_schemabuilt-in functions (#6089) authored by @sspaink reported by @ewout8indexfield inMakeNumberRefStmtIR statement (#6266) authored by @sspaink reported by @johanfyllingGenerateJSONfunction (#8690) authored by @anderseknertDocs, Website, Ecosystem
Miscellaneous
inmem.NewFromASTObjectand add missing string case toast.InternedValue(#8707) authored by @anderseknertgo install->go install toolto control checksums (#8646) authored by @srenatusv1.16.2Compare Source
This release updates the version of Go used to build the OPA binaries and images to 1.26.3;
addressing a number of vulnerabilities.
v1.16.1Compare Source
This is a patch release addressing a regression in the plugin manager that may cause the service to hang on shutdown (#8590).
v1.16.0Compare Source
This release contains a mix of new features, performance improvements, and bugfixes. Notably:
uri.parseanduri.is_validbuilt-in functionsNew
uri.parseanduri.is_validbuilt-in functions (#8263)Two new built-in functions have been added:
uri.parsefor parsing a given URI, anduri.is_validfor verifying the structure of a given URI.uri.parse
Parses a URI and returns an object containing its components according to RFC 3986. Empty components are omitted.
uri.is_valid
Returns
trueif the input can be parsed as a URI,falseotherwise.Authored by @charlieegan3 reported by @anivar
Data API Request/Response Metadata (#8570)
Wrapping projects can now attach custom metadata to Data API requests and have evaluation produce response metadata.
Two distinct metadata paths are introduced:
Request metadata: parsed from extra top-level keys in the request body, made available to builtins via
BuiltinContext.RequestMetadata. Logged in the decision log underCustom["request_metadata"].Response metadata: a separate map (
BuiltinContext.ResponseMetadata) that builtins can populate during evaluation. Only included in the API response and decision log if non-empty.In vanilla OPA, no builtins write response metadata, so responses are unchanged. The request metadata map is only allocated when the request carries extra fields; the response map is one empty map per request.
To avoid conflicts with future OPA top-level keys, callers should use a namespaced key:
{"input": {...}, "com.example.opa/md": {...}}.Request with metadata:
Response (response metadata included if, for example, set by a custom builtin):
{ "decision_id": "04789f85-de5a-477b-8aa5-6d59d7742135", "result": true, "com.example.opa/response": { "snapshot_version": "v3" } }Decision log entry:
{ "custom": { "request_metadata": { "com.example.opa/metadata": { "corp-id": "acme-42" } }, "response_metadata": { "com.example.opa/response": { "snapshot_version": "v3" } } }, "decision_id": "04789f85-de5a-477b-8aa5-6d59d7742135", "input": { "user": "alice" }, "msg": "Decision Log", "path": "example/allow", "result": true }Authored by @srenatus
Runtime, SDK, Tooling
--coverage(#8438) authored by @grosserwiths in expression (#8508) authored by @anderseknerteverybody (#8558) authored by @johanfyllingopa fmtfrom formatting single attribute objects with comments (#7565) authored by @sspaink reported by @anderseknert*tls.Config(#8473) authored by @srenatus reported by @ashu2496Note: Experimental.
Compiler, Topdown and Rego
-in front of a ref (#5014) authored by @mmzzuu reported by @philipaconradtime.parse_duration_nsbuilt-in function (#2719) authored by @sspaink reported by @freeseachergraph.reachable_pathsto return all reachable paths (#5871) authored by @davidmarne-wf reported by @ericjkaounits.parse_bytesbuilt-in function to prevent timeout bypass (#8326) authored by @isaiahvita reported by @anderseknertDocs, Website, Ecosystem
countandsumbuilt-in functions (#8566) authored by @alliasgher reported by @srenatusnotundefined example (#8580) authored by @menma1234Miscellaneous
print()logging (#8567) authored by @srenatusv1.15.2Compare Source
This release updates the version of Go used to build the OPA binaries and images to 1.26.2.
This version of Go contains multiple security fixes.
v1.15.1Compare Source
This patch release fixes a backwards-incompatible change in the
v1/logging.Loggerinterface that inadvertently made it into Release v1.15.0.When using OPA as Go module, and when providing custom
Loggerimplementations, this change would break your build.Miscellaneous
v1.15.0Compare Source
This release contains a mix of new features, performance improvements, and bugfixes. Notably:
NewClient()toPrepare()Logger Plugin Support (#8434) (authored by @srenatus)
OPA now supports pluggable logging implementations via the logger plugin interface, which is based on Go's standard
log/slog.Handlerinterface. This allows anyslog.Handlerimplementation to be used as a logger plugin. Loggers can be configured via theserver.logger_pluginconfiguration option and used for both runtime logging and decision logs. OPA includes a built-in file logger plugin (file_logger) that writes structured JSON logs with rotation support using lumberjack. Users can also implement and register custom logger plugins when building OPA.Example configuration for server logging:
Example configuration for decision logs using the same plugin:
Custom HTTPAuthPlugin behavior change (#8376) (authored by @srenatus)
The
HTTPAuthPlugin.NewClient()method is now called once perClientinstance and cached rather than being called forevery request. Custom plugins that performed per-request operations in
NewClient()(such as request counters,per-request transport wrapping, or logging/metrics side effects) will now only execute those operations once. All
per-request authentication logic must be moved from
NewClient()toPrepare(). All plugins included in OPA have beenupdated and are unaffected by this change.
Runtime, SDK, Tooling
@srenatus)
@srenatus)
cert_reread_interval_secondsfield.Defaults to re-reading on every request for backwards compatibility.
The implementation also uses content hashing to detect changes and avoid re-parsing unchanged TLS certificates and
keys. (#8376) (authored by @srenatus)
server. (#8376) (authored by @srenatus)
authored by @tiagogviegas)
Compiler, Topdown and Rego
Bundles
#8388) (#6529) authored by @srenatus
Docs, Website, Ecosystem
Miscellaneous
v1.14.1Compare Source
This is a patch release collecting two bug fixes and various dependency updates for Golang standard library and common package vulnerabilities.
These bug fixes include a revert of the rule indexer tweaks shipped in 1.14.0, which had caused unexpected lookup failures for some users. (We expect to properly fix the issue in 1.15.0, but for now, a revert is the quicker choice.)
Changes
x in {...}(#8341)" (#8410)v1.14.0Compare Source
This release contains a mix of new features, performance improvements, and bugfixes. Notably:
x in {...}expressions--h2cwith unix domain socket foropa runImproved rule indexing of variable assignments and
x in {...}expressions (#1841)With this change, the rule indexer will index expressions like:
On lookup, the rule body will only be returned if
input.roleis either one of"admin"or"user".The reverse case is also indexed:
in which the searched collection is
unknown.Authored by @srenatus reported by @nischalsheth
Runtime, SDK, Tooling
--h2cwith unix domain socket (UDS) (#8282) authored by [@srenConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.