For AI agents: a markdown representation of this page is available at https://container-registry.com/docs/2.15/release-notes/release-notes-v2.15.4-dev/index.md. The site index is at https://container-registry.com/llms.txt.

Release notes v2.15.4 (dev)

Compare with v2.15.3.

Features

  • ci: Add Zero CVE Pipeline (#359)
  • lint: Add Go Quality Linters (#325)

Bug Fixes

  • add missing release cherry-pick updates
  • Address upstream sync review feedback
  • Bound Proxy-Cache Background Goroutines To Prevent Leak (#392)
  • Cache the Scannability Lookups Per Artifact-List Request (#212) (#417)
  • constrain /registries/ping to saved registry settings (#403)
  • deps: Bump Harbor Scanner Trivy To v0.38.1 (#416)
  • deps: Resolve Non-UI CVEs (#374)
  • max_upstream_conn validation bugs
  • nil deref in StopScanArtifact scan type param
  • propagate CSV marshal error in scan data export
  • Resolve Upstream Sync Review Inconsistencies
  • Restore Buildable Trivy Adapter Pin
  • ui: remove hardcoded SBOM permission override, closes #23218
  • Update Harbor Satellite adapter for referrers

Upstream

  • 【fix issue 22865】TCR provider adaptor can’t parse intertional secret ID
  • Add ListReferrers API to registry client and update parseScopes
  • bump Go version from 1.25.7 to 1.26.3
  • Bump trivy to v0.71.1 and trivy adapter to v0.37.1-rc.1
  • chore: update Trivy adapter version to v0.37.1
  • feat(acr): add artifact to supported resource types
  • fix: Add i18n keys and missing translations
  • fix: Bump repository update_time on tag and artifact changes
  • fix: correct max_upstream_conn validation and disabled bindings
  • fix: Disallow Empty robot_name_prefix to prevent OIDC CLI login from being blocked
  • fix: duplicated “by” in beego ORM TableName comments
  • fix: enable chunked blob upload for Azure ACR replication
  • fix: Fix potentional SQLi
  • fix: Fix theoretical timing vulnerability (goharbor/harbor#23433) (#378)
  • fix: propagate CSV marshal errors in scan data export
  • fix: skip corrupted encrypted config values on decryption failure
  • fix: use validated scan type in StopScanArtifact (#367)
  • fix(ecr): use amazonaws.com.cn domain for AWS China region endpoints
  • fix(i18n): localize max upstream connection placeholder
  • fix(portal): remove temporary SBOM permission override
  • fix(security): validate blob-mount source project and reject tokens missing iat
  • fix(ui): Update bindings in Project Policy Config
  • fix(ui): use selected tag for pull command copy
  • Fix/api completeness (goharbor/harbor#23476) (#432)
  • Harden crypto usage and drop unused SMTP package
  • perf(replication): filter event policies in query
  • refactor(config): centralize registry HTTP client timeout
  • refactor(task): use Redis SET with SPOP for outdate execution status …
  • Replace gopkg.in/yaml.v2 with github.com/goccy/go-yaml
  • Update and improve zh-TW Traditional Chinese locale
  • Update artifact_accessory to add source column to identify accessory
  • update ECR adapter to allow for ecr-public to be mirored
  • Upgrade harbor go.mod OSS packages

Code Refactoring

  • task: use Redis SET with SPOP for outdate execution status refresh