chore(deps): update dependency open-policy-agent/opa to v1.5.1 (dockerfile) (main)

[ivankatliarchuk]

This PR contains the following updates:

Package	Update	Change
open-policy-agent/opa	minor	1.0.0 -> 1.5.1

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

open-policy-agent/opa (open-policy-agent/opa)

v1.5.1

Compare Source

This is a bug fix release addressing a regression to the walk built-in function, introduced in v1.5.0. See #​7656 (authored by @​anderseknert reported by @​robmyersrobmyers)

v1.5.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Among others:

• Support for AWS SSO credentials provider
• Support for signing client assertions with Azure Keyvault
• Faster object.get, walk and builtin-function evaluation
• Improved guardrails in the parser
• Improvements to decision logging

Modernized OPA Website (#​7037)

The OPA website has been modernized with a new design and improved user experience.

The new site is based on Docusaurus and React which makes it easier to build live functionality and add non-documentation resources. This lays the groundwork for even more improvements in the future!

Documentation for older OPA versions are still available in the version archive.

Authored by @​charlieegan3

Runtime, Tooling, SDK

• ast: Only use JSON-escaped literal when needed in ref to string convertion (#​7550) reported and authored by @​xubinzheng
• ast: Parser recursion depth guard (#​7568) authored by @​thevilledev
• ast: Retaining SomeDecl Location field when compiler resolves refs (#​7543) authored by @​johanfylling
• bundle: Setting default rego-version in bundle API (#​7588) authored by @​johanfylling reported by @​xubinzheng
• perf: Improved "baseline" metrics of opa bench for trivial queries (#​7580) authored by @​anderseknert
• plugins/decision: Don't drop adaptive uncompressed size limit on upload (#​7562) authored by @​sspaink
• plugins/decision: Set config boundaries to upload_size_limit_bytes (#​7563) (authored by @​sspaink)
• plugins/rest: Add support for AWS SSO credentials provider (#​7527) authored by @​efiShtain
• plugins/rest: Support signing of client assertions with Azure Keyvault (#​7462) reported and authored by @​Od1nB
• plugins/status: Support graceful shutdown timeout (#​7576) authored by @​sspaink
• rego: Don't generate JSON values for wildcard/generated keys in result set (#​7567) authored by @​anderseknert
• runtime: Don't override user set version commit and timestamp (#​7471) reported by @​kastl-ars authored by @​sspaink

Planner, Topdown and Rego

• planner: Deal with var-for-function replacement in indirect calls (#​5311) authored by @​srenatus
• topdown: Faster object.get built-in function (#​7593) authored by @​anderseknert
• topdown: Faster walk built-in function (#​7612) authored by @​anderseknert
• topdown: Improved default rule value inlining ( (#​1418) authored by @​johanfylling
• topdown: Improved GraphQL error handling (#​7622) reported and authored by @​robmyersrobmyers

Docs, Website, Ecosystem

• docs: Fix helm-kubernetes-quickstart bundle (#​7606) reported and authored by @​nejec
• docs: Add Swift-OPA to the Ecosystem Page (#​7610) authored by @​charlieegan3
• docs: Add Tutorial Redirects ([#​7603]https://github.com/open-policy-agent/opa/issues/7603) reported by @​nataraj24 authored by @​charlieegan3
• Fix links in README (#​7633) authored by @​ffjlabo

Miscellaneous

• github_actions: Adding monthly check for broken hyperlinks (#​7537) authored by @​sspaink
• perf: Extended interning (#​7636) authored by @​anderseknert
• perf: Ref.String() shortcut on single var term ref (#​7595) authored by @​anderseknert
• refactor: Don't return error from opaTest (#​7560) authored by @​sspaink
• refactor: Remove internal/gqlparser and use upstream dependency instead. (#​7520) authored by @​robmyersrobmyers
• test: Fix flaky TestContextErrorHandling (#​7587) authored by @​sspaink
• Apply modernize linter fixes (#​7599) authored by @​anderseknert
• Use any in place of interface{} (#​7566) authored by @​anderseknert
• Dependency updates; notably:
  • build: bump go from 1.24.0 to 1.24.3
  • build(deps): bump containerd to v2.1.1 (#​7627) authored by @​johanfylling reported by @​robmyersrobmyers
  • build(deps): bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0
  • build(deps): bump github.com/prometheus/client_golang from 1.21.1 to 1.22.0
  • build(deps): bump github.com/prometheus/client_model from 0.6.1 to 0.6.2
  • build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0
  • build(deps): bump google.golang.org/grpc from 1.71.1 to 1.72.0

v1.4.2

Compare Source

This is a bug fix release addressing the missing capabilities/v1.4.1.json in the v1.4.1 release.

v1.4.1

Compare Source

⚠️ Please skip this release and go straight to v1.4.2 ⚠️
This release is broken due to a mistake during the release process and the artifacts are missing a crucial capabilities file.
Sorry for any inconvenience.

---

This is a security fix release for the fixes published in Go 1.24.1 and 1.24.2

• build: bump go to 1.24.2 (#​7544) (authored by @​sspaink)
  Addressing CVE-2025-22870 and CVE-2025-22871 vulnerabilities in the Go runtime.

v1.4.0

Compare Source

This release contains a security fix addressing CVE-2025-46569.
It also includes a mix of new features, bugfixes, and dependency updates.

Security Fix: CVE-2025-46569 - OPA server Data API HTTP path injection of Rego (GHSA-6m8w-jc87-6cr7)

A vulnerability in the OPA server's Data API allows an attacker to craft the HTTP path in a way that injects Rego code into the query that is evaluated.
The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results.
Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.

Users are only impacted if all of the following apply:

• OPA is deployed as a standalone server (rather than being used as a Go library)
• The OPA server is exposed outside of the local host in an untrusted environment.
• The configured authorization policy does not do exact matching of the input.path attribute when deciding if the request should be allowed.

or, if all of the following apply:

• OPA is deployed as a standalone server.
• The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA’s Data API.

Note: With no Authorization Policy configured for restricting API access (the default configuration), the RESTful Data API provides access for managing Rego policies; and the RESTful Query API facilitates advanced queries.
Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate.
As such, OPA servers exposed to a network are not considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.

This issue affects all versions of OPA prior to 1.4.0.

See the Security Advisory for more details.

Reported by @​GamrayW, @​HyouKash, @​AdrienIT, authored by @​johanfylling

Runtime, Tooling, SDK

• ast: Adding rego_v1 feature to --v0-compatible capabilities (#​7474) authored by @​johanfylling
• executable: Add version and icon to OPA windows executable (#​3171) authored by @​sspaink reported by @​christophwille
• format: Don't panic on format due to unexpected comments (#​6330) authored by @​sspaink reported by @​sirpi
• format: Avoid modifying strings when formatting (#​6220) authored by @​sspaink reported by @​zregvart
• plugins/status: FIFO buffer channel for status events to prevent slow status API blocking (#​7522) authored by @​sspaink

Topdown and Rego

• gqlparser: Add JSON annotation in internal/gqlparser/ast to Position fields (#​7509) authored by @​robmyersrobmyers
• graphql: Cache GraphQL schema parse results (#​7457) authored by @​robmyersrobmyers
• topdown: Handling default functions in Partial Eval (#​7220) authored by @​johanfylling
• topdown: Fix wall clock time init for PartialRun() (#​7490) authored by @​srenatus
• topdown: Zero alloc lower/upper unless changed (#​7472) authored by @​anderseknert

Docs, Website, Ecosystem

• adopters: Cloudsmith adds support for OPA (#​7498) authored by @​ndouglas-cloudsmith
• docs: Fixed broken docs link (#​7452) reported and authored by @​fvarg00
• docs: Update built-in function examples for OPA v1 (#​7514) reported and authored by @​robmyersrobmyers
• docs: Add link to inline schema annotations (#​7496) authored by @​kmadan
• docs: Add manual trigger to integration docs (#​7473) authored by @​charlieegan3
• docs: Point path versioned requests to new sites (#​7531) authored by @​charlieegan3
• docs: Update community slack inviter link (#​7488, #​7493) authored by @​charlieegan3
• docs: Set versioned docs links to point to archive (#​7528) authored by @​charlieegan3
• docs: Update helm-kubernetes-quickstart bundle (#​7469) authored by @​johanfylling
• docs: Update opa-docker-authz example to use ghcr and v0.10 release tag (#​7513) authored by @​larhauga
• docs: Fix post merge badge (#​7532) authored by @​sspaink
• docs: Improve request headers documentation in REST APIs (#​7524) authored by @​ali-jalaal
• docs: Update edge links to use /docs/edge/ path (#​7529) authored by @​charlieegan3
• ecosystem: Add NACP integration (#​7503) authored by @​charlieegan3
• ecosystem: Update traefik integration docs (#​7506) authored by @​charlieegan3
• ecosystem: Add Principled Evolution integration (#​7495) authored by @​kmadan
• ecosystem: Add tavo to ecosystem integration (#​7511) authored by @​percyding-tavo

Miscellaneous

• Dependency updates; notably:
  • build(deps): bump github.com/hypermodeinc/badger from v4.6.0 to v4.7.0
  • build(deps): bump github.com/spf13/viper from 1.18.2 to 1.20.1
  • build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0
  • build(deps): bump google.golang.org/grpc from 1.71.0 to 1.71.1
  • build(deps): bump oras.land/oras-go/v2 from 2.3.1 to 2.5.0

v1.3.0

Compare Source

This release contains a mix of features, bugfixes, and dependency updates.

New Buffer Option for Decision Logs (#​5724)

A new, optional, buffering mechanism has been added to decision logging.
The default buffer is designed around making precise memory footprint guarantees, which can produce lock contention at high loads, negatively impacting query performance.
The new event-based buffer is designed to reduce lock contention and improve performance at high loads, but sacrifices the memory footprint guarantees of the default buffer.

The new event-based buffer is enabled by setting the decision_logs.reporting.buffer_type configuration option to event.

For more details, see the decision log plugin README.

Reported by @​mjungsbluth, authored by @​sspaink

OpenTelemetry: HTTP Support and Expanded Batch Span Configuration (#​7412)

Distributed tracing through OpenTelemetry has been extended to support HTTP collectors (enabled by setting the distributed_tracing.type configuration option to http).
Additionally, configuration has been expanded with fine-grained batch span processor options.

Authored and reported by @​sqyang94

Runtime, Tooling, SDK

• compile: Require multi-term entrypoint paths for optimized bundle building (#​7321) authored by @​johanfylling reported by @​nikpivkin
• fmt: Allow one liner rule grouping (#​6760) authored by @​anderseknert
• fmt: Fix v0-compatible fmt with stdin (#​7409) authored and reported by @​charlieegan3
• ir: Fix nil pointer deref in Unmarshal() when handling IsSetStmt (#​7415) authored and reported by @​KrisKennawayDD
• planner: Fix Wasm vs non-Wasm evaluation difference bug related to the overeager optimization of ref head rules (#​7439) authored by @​srenatus
• sdk: Removing repeat args from sub-func call (#​7443) authored by @​alingse
• tester: Including parameterized test cases in test report counter (#​7407) authored by @​johanfylling
• tester: Only including failed sub-test cases in report summary when non-verbose (#​7426) authored by @​johanfylling

Docs, Website, Ecosystem

• docs: Add some notes about AI assisted patches (#​7436) authored by @​charlieegan3
• docs: Add query_parameters_to_set (#​7405) authored by @​sedovmik
• docs: Delete reference to license key in Envoy tutorial (#​7466) authored by @​joostholslag
• docs: Fix typo in Envoy tutorial (#​7464) authored by @​joostholslag
• docs: Update slack inviter link (#​7450) authored by @​charlieegan3
• docs: Update terraform examples (#​7429) authored by @​charlieegan3
• docs: Simplify kind usage instruction in Envoy tutorial (#​7465) authored by @​joostholslag

Miscellaneous

• Enable unused-receiver linter (revive) (#​7448) authored by @​anderseknert
• Dependency updates; notably:
  • build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27
  • build(deps): bump github.com/dgraph-io/badger/v4 from 4.5.1 to 4.6.0
  • build(deps): bump github.com/opencontainers/image-spec from 1.1.0 to 1.1.1
  • build(deps): bump github.com/prometheus/client_golang 1.21.0 to 1.21.1
  • build(deps): bump golang.org/x/net from 0.35.0 to 0.37.0
  • build(deps): bump golang.org/x/time from 0.10.0 to 0.11.0
  • build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0
  • build(deps): bump go.opentelemetry.io deps to 1.35.0/0.60.0

v1.2.0

Compare Source

This release contains a mix of features, performance improvements, and bugfixes.

Parameterized Rego Tests (#​2176)

Rego tests now support parameterization, allowing a single test rule to include multiple, hierarchical, named test cases.
This feature is useful for data-driven testing, where a single test rule can be used for multiple test cases with different inputs and expected outputs.

package example_test

test_concat[note] if {
	some note, tc in {
		"empty + empty": {
			"a": [],
			"b": [],
			"exp": [],
		},
		"empty + filled": {
			"a": [],
			"b": [1, 2],
			"exp": [1, 2],
		},
		"filled + filled": {
			"a": [1, 2],
			"b": [3, 4],
			"exp": [1, 2, 3], # Faulty expectation, this test case will fail
		},
	}

	act := array.concat(tc.a, tc.b)
	act == tc.exp
}

$ opa test example_test.rego
example_test.rego:
data.example_test.test_concat: FAIL (263.375µs)
  empty + empty: PASS
  empty + filled: PASS
  filled + filled: FAIL
--------------------------------------------------------------------------------
FAIL: 1/1

See the documentation for more information.

Authored by @​johanfylling, reported by @​anderseknert

Performance Improvements

• perf: Add ref.CopyNonGround (#​7350) authored by @​anderseknert
• perf: opa fmt 3x faster formatting (#​7341) authored by @​anderseknert
• perf: Cost of indexing greatly reduced (#​7370) authored by @​anderseknert
• perf: Eval optimizations (#​7367) authored by @​anderseknert
• perf: Intern annotation terms (#​7365) authored by @​anderseknert
• perf: Slightly more efficient policy scanning (#​7368) authored by @​anderseknert
• perf: Switch to a faster xxhash package (7362) authored by @​Juneezee
• perf: Use GetByValue to avoid boxing to interface{} (#​7372) authored by @​anderseknert
• perf: Various small improvements (#​7357) authored by @​anderseknert
• perf: Improve storage lookup performance (#​7336) authored by @​anderseknert
• perf: optimize iteration (#​7327) authored by @​anderseknert

Topdown and Rego

• rego+topdown: Allow providing custom base cache (#​7329) authored by @​anderseknert

Runtime, Tooling, SDK

• ast: Add missing BuildAnnotationSet to ast v0 (#​7347) authored by @​anderseknert
• ast: Eliminate allocation in Value.Find, and other improvements (#​7319) authored by @​anderseknert
• ast: Use byte for RuleKind and DocKind (#​7332) authored by @​anderseknert
• ast.InterfaceToValue: add test case for []byte (#​7379) authored by @​dennygursky
• ast: support []string and ast.Value in ast.InterfaceToValue (#​7306) authored by @​regeda
• bundle: Fixing issue where --v0-compatible isn't respected for custom bundles (#​7338) authored by @​johanfylling
• cmd: Handle failing tests in opa test --bench (#​7205) authored by @​anderseknert
• cmd: Add decision ID to opa exec output (#​7373) authored by @​anderseknert
• oracle: Make oracle public under v1/ast/oracle (#​7265) authored by @​anderseknert
• oracle: Allow passing own compiler to oracle (#​7354) authored by @​anderseknert
• plugins/discovery: Enable tracing for discovery plugin (#​7299) authored by @​mjungsbluth
• plugins/rest: Do not attach authorization header in bearerAuthPlugin if response is a redirect (#​7308) authored by @​carabasdaniel
• server+distributedtracing: Add Additional Resource Attributes for OpenTelemetry (#​7322) authored by @​briankahoot reported by @​briankahoot
• util: Add util.HasherMap (#​7363) authored by @​anderseknert

Docs, Website, Ecosystem

• docs: Add support link to README (#​7359) (authored by @​anderseknert)
• docs: Update example bundle to be v1 compatible (#​7342) authored by @​ashutosh-narkar
• docs: Add note about v1.0 addr behaviour (#​7360) authored by @​charlieegan3 reported by @​ali-jalaal
• docs: Update homepage examples to drop v1 import (#​7391) authored by @​charlieegan3
• docs: Updating --v1-compatible mentions outside the v1 upgrade guide and v0 compatibility docs (#​7337) authored by @​johanfylling
• docs: Fixed invalid links to examples (#​7326) authored by @​JonathanDeLaCruzEncora
• MAINTAINERS: Add Anders and Charlie as maintainers (#​7318) authored by @​charlieegan3

Miscellaneous

• build+test: Add make test-short task (#​7364) (authored by @​anderseknert)
• build: Add gocritic linter (#​7377) authored by @​anderseknert
• build: Add nilness linter from govet (#​7335) authored by @​anderseknert
• build: Add perfsprint linter (#​7334) authored by @​anderseknert
• ci: Tagging release binaries with build version (#​7395, #​7397, #​7400) authored by @​johanfylling
• test: fix race in TestIntraQueryCache_ClientError and TestInterQueryCache_ClientError (#​7280) authored by @​Juneezee
• misc: Use Go 1.22+ int ranges (#​7328) authored by @​anderseknert
• Dependency updates; notably:
  • build: bump go from 1.23.5 to 1.24.0
  • build(deps): bump github.com/agnivade/levenshtein from 1.2.0 to 1.2.1
  • build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26
  • build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
  • build(deps): bump github.com/prometheus/client_golang
  • build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1
  • build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
  • build(deps): bump golang.org/x/net from 0.34.0 to 0.35.0
  • build(deps): bump golang.org/x/time from 0.9.0 to 0.10.0
  • build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1
  • Bump golangci-lint from v1.60.1 to 1.64.5

v1.1.0

Compare Source

This release contains a mix of features, performance improvements, and bugfixes.

Performance Improvements

• ast: Remove jsonOptions from AST nodes and terms (#​7281) authored by @​anderseknert
• ast+plugins: Optimize activation of bundles with no inter-bundle path overlap (#​7144) authored and reported by @​sqyang94
• bundle: Optimizing rego-version management in bundle activation (#​7296) authored by @​johanfylling
• cmd: Don't generate JSON from result in opa bench (#​7291) authored by @​anderseknert
• topdown: Adding configurable token cache to io.jwt token verification built-ins (#​7274) authored by @​johanfylling
• topdown: Reduce allocations in hot path (#​7288) authored by @​anderseknert
• perf: Improvements to terms and built-in functions (#​7284) authored by @​anderseknert
• perf: add Regorus ACI benchmark tests (#​7298) authored by @​anderseknert
• plugins: Don't use reflect.DeepEqual for errors (#​7238) authored by @​anderseknert
• testing: replace reflect.DeepEqual where possible (#​7286) authored by @​anderseknert

Topdown and Rego

• topdown: Fix out of range error in numbers.range built-in (#​7269) authored by @​anderseknert
• topdown+rego+server: Allow opt-in for evaluating non-det builtins in PE (#​6496) authored by @​srenatus

Runtime, Tooling, SDK

• bundle: Add info about the correct rego version to parse modules on the store (#​7278) co-authored by @​ashutosh-narkar and @​johanfylling
• bundle+plugins: Fixing issue where bundle plugin could panic on reconfiguration (SDK use) (#​7297) authored by @​johanfylling reported by @​carabasdaniel
• cmd: Fix printed representation of ref head rules in opa repl (#​7301) authored by @​anderseknert reported by @​tsandall
• cmd: Respect --v0-compatible for opa eval partial eval support modules (#​7251) authored by @​johanfylling
• golangci: fix invalid linter-settings configuration name (#​7244) authored by @​Juneezee
• plugins/logs: Add support for masking with array keys (#​6883) authored by @​charlieegan3
• tester: code nitpicks (#​7252) authored by @​srenatus
• util: Add util.Keys and util.KeysSorted (#​7285) authored by @​anderseknert

Docs, Website, Ecosystem

• docs: Update docker compose file in HTTP API tutorial and use addr for binding (#​7264) authored and reported by @​zanliffick
• docs: Make 'ancient' warnings closable (#​7253) authored by @​srenatus reported by @​konradzagozda
• docs: Redirect opa-1 to v0-upgrade (#​7259) authored by @​charlieegan3
• docs: Use preformatted strings in fmt help (#​7263) authored by @​charlieegan3
• docs: Fix typo in k8s primer (#​7242) authored by @​vicentinileonardo
• docs: Formatting and wording fixes (#​7268) authored by @​kamilturek
• docs: Update output document of Envoy plugin. (#​7241) authored by @​regeda

Miscellaneous

• ci(nightly): Remove vendor w/o modproxy check (#​7292) authored by @​srenatus
• Dependency updates; notably:
  • build(go): bump to 1.23.5 (7279) authored by @​srenatus
  • build(deps): upgrade github.com/dgraph-io/badger to v4 (4.5.1) (#​7239) authored by @​Juneezee
  • build(deps): bump github.com/containerd/containerd from 1.7.24 to 1.7.25
  • build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2
  • build(deps): bump golang.org/x/net from 0.33.0 to 0.34.0
  • build(deps): bump golang.org/x/time from 0.8.0 to 0.9.0
  • build(deps): bump google.golang.org/grpc from 1.69.2 to 1.70.0
  • build(deps): bump go.opentelemetry.io deps to 1.34.0/0.59.0

v1.0.1

Compare Source

This is a bug fix release addressing the following issues:

• build(go): bump to 1.23.5 (authored by @​srenatus).
  Addressing CVE-2024-45341 and CVE-2024-45336 vulnerabilities in the Go runtime.
• bundle: Add info about the correct rego version to parse modules on the store, co-authored by @​ashutosh-narkar and @​johanfylling in #​7278.
  Fixing an issue where the rego-version for individual modules was lost during bundle deactivation (bundle lifecycle) if this version diverged from the active runtime rego-version.
  This could cause reloading of v0 bundles to fail when OPA was not running with the --v0-compatible flag.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

@ivankatliarchuk: There are no 'kind' label on this PR. You need a 'kind' label.
Label can be added by writing in a comment ⬇️

• /kind feature
• /kind fix
• /kind chore
• /kind docs
• /kind refactor
• /kind github
• /kind security
• /kind question

Details

I am a bot created to help the cloudkats developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the DeFiCh/oss-governance-bot repository.