Skip to content

fix(deps): update module github.com/open-policy-agent/opa to v1.18.1#220

Merged
timo-reymann merged 1 commit into
mainfrom
renovate/github.com-open-policy-agent-opa-1.x
Jul 6, 2026
Merged

fix(deps): update module github.com/open-policy-agent/opa to v1.18.1#220
timo-reymann merged 1 commit into
mainfrom
renovate/github.com-open-policy-agent-opa-1.x

Conversation

@renovate

@renovate renovate Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/open-policy-agent/opa v1.13.1v1.18.1 age adoption passing confidence

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.18.1

Compare Source

This release fixes a memory leak introduced in OPA v1.17.0. It is advised to update if you notice excess memory usage when running OPA server.

Fixes

v1.18.0

Compare Source

This release contains a mix of bugfixes and small features. Notably:

  • A breaking fix to the outbound User-Agent header so it conforms to RFC 9110 (see below)
  • Container-aware resource limits: automatic GOMAXPROCS is restored and automatic GOMEMLIMIT is now supported
  • Several opa fmt correctness fixes
  • Improvements to opa test --coverage (ranges in report, inline rule head tracking, conjunction-expression coverage)
Breaking: Fix User-Agent according to RFC9110 (#​8792)

OPA's outbound HTTP requests (bundle, discovery, decision log, status, http.send, AWS KMS/ECR)
previously sent User-Agent: Open Policy Agent/<version> (<os>, <arch>), which is not a valid
RFC 9110 User-Agent value because the product token cannot contain spaces. The header is now
Open-Policy-Agent/<version> (<os>, <arch>). Server-side log filters or WAF rules that
exact-match the old string will need to be updated.

Authored by @​sspaink, reported by @​SpecLad

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem
Miscellaneous
  • benchmarks: smaller tweaks (#​8759) authored by @​srenatus
  • benchmarks: split off script, emit markdown table (#​8812) authored by @​srenatus
  • benchmarks: use details+summary comments for benchlab results (#​8811) authored by @​srenatus
  • capabilities: Integrate 1.17.1 patch release (#​8798) authored by @​sspaink
  • chore: tidy go.mod to remove untagged versions (#​8791) authored by @​thaJeztah
  • e2e: Add proto schemas for the IR plan and bundle manifest (#​8766) reported and authored by @​sspaink
  • gha: deduplicate change-detection output in pr CI checks (#​8808) authored by @​sspaink
  • nightly: use regal@​main (#​8735) authored by @​srenatus
  • workflow: remove tests from docker (edge) image build (#​8721) authored by @​srenatus
  • workflows: bring back docker edge tags for post-merge (#​8718) authored by @​srenatus
  • workflows: use go-version-file with actions/setup-go (#​8751) authored by @​srenatus
  • Dependency updates; notably:
    • build(deps): Add github.com/KimMachineGun/automemlimit v0.7.5
    • build(deps): Add go.uber.org/automaxprocs v1.6.0
    • build(deps): Bump github.com/dgraph-io/badger/v4 from v4.9.1 to v4.9.2
    • build(deps): Bump github.com/vektah/gqlparser/v2 from v2.5.33 to v2.5.34
    • build(deps): Bump go.opentelemetry.io/contrib/bridges/prometheus from v0.68.0 to v0.69.0
    • build(deps): Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from v0.68.0 to v0.69.0
    • build(deps): Bump go.opentelemetry.io/otel from v1.43.0 to v1.44.0
    • build(deps): Bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from v1.43.0 to v1.44.0
    • build(deps): Bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from v1.43.0 to v1.44.0
    • build(deps): Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace from v1.43.0 to v1.44.0
    • build(deps): Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc from v1.43.0 to v1.44.0
    • build(deps): Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from v1.43.0 to v1.44.0
    • build(deps): Bump go.opentelemetry.io/otel/sdk from v1.43.0 to v1.44.0
    • build(deps): Bump go.opentelemetry.io/otel/sdk/metric from v1.43.0 to v1.44.0
    • build(deps): Bump go.opentelemetry.io/otel/trace from v1.43.0 to v1.44.0
    • build(deps): Bump golang.org/x/sync from v0.20.0 to v0.21.0
    • build(deps): Bump golang.org/x/text from v0.37.0 to v0.38.0
    • build(deps): Bump google.golang.org/grpc from v1.81.0 to v1.81.1
    • build(deps): Bump gopkg.in/ini.v1 from v1.67.2 to v1.67.3
    • build(deps): Bump oras.land/oras-go/v2 from v2.6.0 to v2.6.1
    • build(deps): bump golang.org/x/crypto to v0.52.0 and golang.org/x/net to v0.55.0 (#​8745) authored by @​BGebken
    • build: bump go 1.26.3 -> 1.26.4 (#​8726) authored by @​srenatus

v1.17.1

Compare Source

This release uses the latest version of Go (1.26.4) to build OPA, fixing stdlib vulnerabilities in code that OPA's HTTP handler and crypto builtins use:

It is otherwise the same code as v1.17.0.

Note that users building their own OPA binaries and images already control the Golang version, so this is not relevant for them.

Miscellaneous
  • build: bump go 1.26.3 -> 1.26.4 (authored by @​srenatus)

v1.17.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • A new future.keywords.not import that adds improved semantics to the not keyword.
  • Rule Labels in Decision Logs
  • Published json schema for IR and bundle manifest
  • Dropped automaxprocs and x/net dependencies
Improved Negation Semantics (#​8387)

This OPA release introduces a new future.keywords.not import
that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like
not f(g(input.x)) into a series of sub-expressions evaluated before the
not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g
produces an undefined result — the entire rule fails rather than the not succeeding.
This is unintuitive: the user's intent is "the condition does not hold," but
an undefined intermediate value causes a silent failure instead of the expected
not result.

With import future.keywords.not, composite-expression negation wraps the full compiler
expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable
and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#​2089)

Rule annotations now support a labels field. Labels from all successfully evaluated
rules are collected and included in each decision log entry as a top-level rule_labels
array. Each element is the merged label map for one successfully evaluated rule, with
inner-scope-wins precedence across the rule's annotation chain
(subpackages < package < document < rule). Merged maps are deduplicated
across rules so that identical label sets collapse to a single entry.

# METADATA
# scope: package

# labels:
#   service: authz

#   severity: info
package myapp

# METADATA

# labels:
#   severity: low

#   team: platform
allow if input.role == "admin"

The resulting decision log entry will contain:

{"rule_labels": [{"service": "authz", "severity": "low", "team": "platform"}]}

Note how severity: info from the package scope is overridden by severity: low from
the rule scope. Queries against rule_labels can now rely on each entry carrying the
full label context for a single rule, rather than one entry per contributing scope.

Both the runtime and the Go SDK now process metadata annotations by default.

Authored by @​srenatus, reported by @​tsandall

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem
Miscellaneous
  • ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case to ast.InternedValue (#​8707) authored by @​anderseknert
  • build: go install -> go install tool to control checksums (#​8646) authored by @​srenatus
  • build: Push edge binaries to bucket (#​8668) authored by @​charlieegan3
  • workflows: Fix benchmarks workflow (replace action, avoid stackoverflow) (#​8655) authored by @​srenatus
  • workflows: Note improvements in benchmark comments (#​8673) authored by @​srenatus
  • Generate a JSON Schema for the IR plan (#​8662) authored by @​sspaink reported by @​kroekle
  • Generate a JSON Schema for the bundle manifest (#​8661) authored by @​sspaink reported by @​kroekle
  • Dependency updates; notably:
    • build(deps): Remove automaxprocs dependency (#​8696) authored by @​anderseknert
    • build(deps): Remove direct x/net dependency (#​8697) authored by @​anderseknert
    • build(deps): Bump github.com/bytecodealliance/wasmtime-go from 43.0.2 to 44.0.0 (8652) authored by @​srenatus
    • build(deps): Bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1
    • build(deps): Bump github.com/huandu/go-sqlbuilder from 1.40.2 to 1.41.0
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.1.0 to 3.1.1
    • build(deps): Bump github.com/vektah/gqlparser/v2 from 2.5.32 to 2.5.33
    • build(deps): Bump google.golang.org/grpc from 1.80.0 to 1.81.0
    • build(deps): Bump gopkg.in/ini.v1 from 1.67.1 to 1.67.2

v1.16.2

Compare Source

This release updates the version of Go used to build the OPA binaries and images to 1.26.3;
addressing a number of vulnerabilities.

v1.16.1

Compare Source

This is a patch release addressing a regression in the plugin manager that may cause the service to hang on shutdown (#​8590).

v1.16.0

Compare Source

[!WARNING]

A regression has been found in the plugin manager, which may cause the service to hang on shutdown.
Users are advised to go directly to v1.16.1.

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • New uri.parse and uri.is_valid built-in functions
  • Data API Request/Response Metadata
  • Prometheus metrics exported via OTLP
  • Formatter improvements

NOTE:

In v1.15.x, OPA was dropping logs for bundle downloads, print() calls and other plugin-originated logs.
Users are advised to update, v1.16.0 fixes this bug in (#​8544).

New uri.parse and uri.is_valid built-in functions (#​8263)

Two new built-in functions have been added: uri.parse for parsing a given URI, and uri.is_valid for verifying the structure of a given URI.

uri.parse

Parses a URI and returns an object containing its components according to RFC 3986. Empty components are omitted.

package example

test_uri if {
	uri.parse("https://example.com:8080/api?q=1#top") == {
		"scheme": "https",
		"hostname": "example.com",
		"port": "8080",
		"path": "/api",
		"raw_path": "/api",
		"raw_query": "q=1",
		"fragment": "top",
	}
}
uri.is_valid

Returns true if the input can be parsed as a URI, false otherwise.

package example

deny contains "invalid URI" if {
    not uri.is_valid("http://[invalid")
}

Authored by @​charlieegan3 reported by @​anivar

Data API Request/Response Metadata (#​8570)

Wrapping projects can now attach custom metadata to Data API requests and have evaluation produce response metadata.

Two distinct metadata paths are introduced:

  • Request metadata: parsed from extra top-level keys in the request body, made available to builtins via BuiltinContext.RequestMetadata. Logged in the decision log under Custom["request_metadata"].

  • Response metadata: a separate map (BuiltinContext.ResponseMetadata) that builtins can populate during evaluation. Only included in the API response and decision log if non-empty.

In vanilla OPA, no builtins write response metadata, so responses are unchanged. The request metadata map is only allocated when the request carries extra fields; the response map is one empty map per request.

To avoid conflicts with future OPA top-level keys, callers should use a namespaced key: {"input": {...}, "com.example.opa/md": {...}}.

Request with metadata:

curl -H 'Content-Type: application/json' \
  -d '{"input": {"user": "alice"}, "com.example.opa/metadata": {"corp-id": "acme-42"}}' \
  http://localhost:8181/v1/data/example/allow

Response (response metadata included if, for example, set by a custom builtin):

{
  "decision_id": "04789f85-de5a-477b-8aa5-6d59d7742135",
  "result": true,
  "com.example.opa/response": {
    "snapshot_version": "v3"
  }
}

Decision log entry:

{
  "custom": {
    "request_metadata": {
      "com.example.opa/metadata": {
        "corp-id": "acme-42"
      }
    },
    "response_metadata": {
      "com.example.opa/response": {
        "snapshot_version": "v3"
      }
    }
  },
  "decision_id": "04789f85-de5a-477b-8aa5-6d59d7742135",
  "input": { "user": "alice" },
  "msg": "Decision Log",
  "path": "example/allow",
  "result": true
}

Authored by @​srenatus

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem
Miscellaneous
  • build: Exclude domains that cause false positives (#​8533) (#​8495) authored by @​charlieegan3
  • e2e/cli: Add test for debug print() logging (#​8567) authored by @​srenatus
  • e2e/cli: Start CLI E2E tests (#​8545) authored by @​srenatus
  • github: declare formatted rego as rego (#​8564) authored by @​srenatus
  • Security policy update (#​8479) authored by @​anderseknert
  • Dependency updates; notably:
    • build: bump go 1.26.2 (#​8497) authored by @​sspaink
    • build(deps): bump wasmtime-go from v39.0.1 to v43.0.2
    • build(deps): bump go.opentelemetry.io deps from 1.40.0/0.65.0 to 1.43.0/0.68.0
    • build(deps): bump github.com/containerd/containerd/v2 from 2.2.1 to 2.2.3
    • build(deps): bump ithub.com/huandu/go-sqlbuilder from 1.39.1 to 1.40.2
    • build(deps): bump golang.org/x/net from 0.51.0 to 0.53.0
    • build(deps): bump golang.org/x/text from 0.34.0 to 0.36.0

v1.15.2

Compare Source

This release updates the version of Go used to build the OPA binaries and images to 1.26.2.
This version of Go contains multiple security fixes.

v1.15.1

Compare Source

This patch release fixes a backwards-incompatible change in the v1/logging.Logger interface that inadvertently made it into Release v1.15.0.
When using OPA as Go module, and when providing custom Logger implementations, this change would break your build.

[!TIP]
Users of the binaries or Docker images can ignore this, the code is otherwise the same as v1.15.0.

Miscellaneous
  • logging: make WithContext() optional (authored by @​srenatus)

v1.15.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Add logger plugin interface and file logger implementation with log rotation
  • Custom HTTPAuthPlugin behavior change, all per-request authentication logic must be moved from NewClient() to
    Prepare()
  • AWS signing supports for web identity for assume role credentials
Logger Plugin Support (#​8434) (authored by @​srenatus)

OPA now supports pluggable logging implementations via the logger plugin interface, which is based on Go's standard log/slog.Handler interface. This allows any slog.Handler implementation to be used as a logger plugin. Loggers can be configured via the server.logger_plugin configuration option and used for both runtime logging and decision logs. OPA includes a built-in file logger plugin (file_logger) that writes structured JSON logs with rotation support using lumberjack. Users can also implement and register custom logger plugins when building OPA.

Example configuration for server logging:

server:
  logger_plugin: file_logger

plugins:
  file_logger:
    path: /var/log/opa/server.log
    max_size_mb: 100
    max_age_days: 28
    max_backups: 3
    compress: true
    level: info

Example configuration for decision logs using the same plugin:

server:
  logger_plugin: file_logger

decision_logs:
  plugin: file_logger

plugins:
  file_logger:
    path: /var/log/opa/server.log
    max_size_mb: 100
    max_age_days: 28
    max_backups: 3
    compress: true
    level: info
Custom HTTPAuthPlugin behavior change (#​8376) (authored by @​srenatus)

The HTTPAuthPlugin.NewClient() method is now called once per Client instance and cached rather than being called for
every request. Custom plugins that performed per-request operations in NewClient() (such as request counters,
per-request transport wrapping, or logging/metrics side effects) will now only execute those operations once. All
per-request authentication logic must be moved from NewClient() to Prepare(). All plugins included in OPA have been
updated and are unaffected by this change.

Runtime, SDK, Tooling
  • plugins/logger: Add logger plugin interface and file logger implementation with log rotation (#​8434) (authored by
    @​srenatus)
  • plugins/logs: Decision logs can now use logger plugins for output (#​8434) (authored by @​srenatus)
  • logging: Add BufferedLogger to capture early startup logs before plugins are initialized (#​8434) (authored by
    @​srenatus)
  • plugins/rest: Configurable re-read interval for TLS client certificates via cert_reread_interval_seconds field.
    Defaults to re-reading on every request for backwards compatibility.
    The implementation also uses content hashing to detect changes and avoid re-parsing unchanged TLS certificates and
    keys. (#​8376) (authored by @​srenatus)
  • plugins/rest: All TLS configurations now inherit the minimum version and TLS ciphersuites as configured for the
    server. (#​8376) (authored by @​srenatus)
  • internal/providers/aws: Refactor deprecated crypto/elliptic APIs to crypto/ecdh (#​8395) (authored by @​kanywst)
  • plugins/rest: AWS Signing - Allow Service Account (Web Identity) credentials for Assume Role Credentials (#​8386) (
    authored by @​tiagogviegas)
Compiler, Topdown and Rego
  • ast: fix overlapping array and scalar pattern in rule index (authored by @​srenatus)
Bundles
Docs, Website, Ecosystem
Miscellaneous

v1.14.1

Compare Source

This is a patch release collecting two bug fixes and various dependency updates for Golang standard library and common package vulnerabilities.

These bug fixes include a revert of the rule indexer tweaks shipped in 1.14.0, which had caused unexpected lookup failures for some users. (We expect to properly fix the issue in 1.15.0, but for now, a revert is the quicker choice.)

Changes
  • Fix intermittent plugins manager deadlock on opa.configure (#​8407)
  • Revert "ast: make rule index track var assignments and x in {...} (#​8341)" (#​8410)
  • build: bump deps (go.mod from main)
  • build: bump go 1.26.1 (#​8409)

v1.14.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Improved rule indexing of variable assignments and x in {...} expressions
  • Support for --h2c with unix domain socket for opa run
  • A new glossary tooltip for technical terms in the docs
  • Fixes published in the v1.13.1 and v1.13.2 releases
Improved rule indexing of variable assignments and x in {...} expressions (#​1841)

With this change, the rule indexer will index expressions like:

allow if input.role in {"admin", "user"}

On lookup, the rule body will only be returned if input.role is either one of "admin" or "user".

The reverse case is also indexed:

allow if "admin" in input.roles

in which the searched collection is unknown.

Authored by @​srenatus reported by @​nischalsheth

Runtime, SDK, Tooling
  • cmd,run: Support --h2c with unix domain socket (UDS) (#​8282) authored by [@​sren

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "after 10pm every weekday,before 3am every weekday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from timo-reymann July 2, 2026 23:30
@renovate

renovate Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 19 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.6 -> 1.25.0
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 -> v4.4.1
github.com/goccy/go-json v0.10.5 -> v0.10.6
github.com/lestrrat-go/dsig v1.0.0 -> v1.2.1
github.com/lestrrat-go/httprc/v3 v3.0.2 -> v3.0.5
github.com/lestrrat-go/jwx/v3 v3.0.13 -> v3.1.1
github.com/prometheus/common v0.66.1 -> v0.67.5
github.com/prometheus/procfs v0.17.0 -> v0.20.1
github.com/valyala/fastjson v1.6.7 -> v1.6.10
github.com/vektah/gqlparser/v2 v2.5.31 -> v2.5.34
go.opentelemetry.io/otel v1.39.0 -> v1.44.0
go.opentelemetry.io/otel/metric v1.39.0 -> v1.44.0
go.opentelemetry.io/otel/sdk v1.39.0 -> v1.44.0
go.opentelemetry.io/otel/trace v1.39.0 -> v1.44.0
go.yaml.in/yaml/v2 v2.4.2 -> v2.4.4
golang.org/x/crypto v0.47.0 -> v0.52.0
golang.org/x/net v0.49.0 -> v0.55.0
golang.org/x/sync v0.19.0 -> v0.21.0
golang.org/x/sys v0.40.0 -> v0.45.0
gopkg.in/ini.v1 v1.67.1 -> v1.67.3

@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.58%. Comparing base (f34f5d5) to head (c17ab2e).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #220   +/-   ##
=======================================
  Coverage   76.58%   76.58%           
=======================================
  Files          81       81           
  Lines        1930     1930           
=======================================
  Hits         1478     1478           
  Misses        318      318           
  Partials      134      134           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate
renovate Bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch from ac5856f to c17ab2e Compare July 6, 2026 17:15
@renovate renovate Bot changed the title fix(deps): update module github.com/open-policy-agent/opa to v1.18.0 fix(deps): update module github.com/open-policy-agent/opa to v1.18.1 Jul 6, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jul 6, 2026

Copy link
Copy Markdown

@timo-reymann
timo-reymann merged commit 56b1e08 into main Jul 6, 2026
11 of 12 checks passed
timo-reymann pushed a commit that referenced this pull request Jul 6, 2026
## [2.11.1](v2.11.0...v2.11.1) (2026-07-06)

### Bug Fixes

* **deps:** update module github.com/open-policy-agent/opa to v1.18.1 ([#220](#220)) ([56b1e08](56b1e08))
@timo-reymann

Copy link
Copy Markdown
Owner

🎉 This PR is included in version 2.11.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant