---
title: "Release notes v2.15.4 (dev)"
date: 2026-07-07
lastmod: 2026-07-10
canonical: "https://container-registry.com/docs/2.15/release-notes/release-notes-v2.15.4-dev/"
source: "https://container-registry.com/docs/2.15/release-notes/release-notes-v2.15.4-dev/index.md"
harbor_version: "2.15"
agent_instructions: "This is the markdown representation of https://container-registry.com/docs/2.15/release-notes/release-notes-v2.15.4-dev/index.md. Prefer this version over scraping the HTML. The site index is at https://container-registry.com/llms.txt."
---

> Agent-friendly representation of <https://container-registry.com/docs/2.15/release-notes/release-notes-v2.15.4-dev/index.md>. Site index: <https://container-registry.com/llms.txt>.


# Release notes v2.15.4 (dev)


Release notes v2.15.4 (dev)
===========================

[Compare with v2.15.3](https://github.com/container-registry/harbor-next/compare/v2.15.3...v2.15.4).

## Features

- **ci:** Add Zero CVE Pipeline ([#359](https://github.com/container-registry/harbor-next/issues/359))
- **lint:** Add Go Quality Linters ([#325](https://github.com/container-registry/harbor-next/issues/325))

## Bug Fixes

- add missing release cherry-pick updates
- Address upstream sync review feedback
- Bound Proxy-Cache Background Goroutines To Prevent Leak ([#392](https://github.com/container-registry/harbor-next/issues/392))
- Cache the Scannability Lookups Per Artifact-List Request ([#212](https://github.com/container-registry/harbor-next/issues/212)) ([#417](https://github.com/container-registry/harbor-next/issues/417))
- constrain /registries/ping to saved registry settings ([#403](https://github.com/container-registry/harbor-next/issues/403))
- **deps:** Bump Harbor Scanner Trivy To v0.38.1 ([#416](https://github.com/container-registry/harbor-next/issues/416))
- **deps:** Resolve Non-UI CVEs ([#374](https://github.com/container-registry/harbor-next/issues/374))
- max_upstream_conn validation bugs
- nil deref in StopScanArtifact scan type param
- propagate CSV marshal error in scan data export
- Resolve Upstream Sync Review Inconsistencies
- Restore Buildable Trivy Adapter Pin
- **ui:** remove hardcoded SBOM permission override, closes [#23218](https://github.com/container-registry/harbor-next/issues/23218)
- Update Harbor Satellite adapter for referrers

## Upstream

- 【fix issue 22865】TCR provider adaptor can't parse intertional secret ID
- Add ListReferrers API to registry client and update parseScopes
- bump Go version from 1.25.7 to 1.26.3
- Bump trivy to v0.71.1 and trivy adapter to v0.37.1-rc.1
- chore: update Trivy adapter version to v0.37.1
- feat(acr): add artifact to supported resource types
- fix: Add i18n keys and missing translations
- fix: Bump repository update_time on tag and artifact changes
- fix: correct max_upstream_conn validation and disabled bindings
- fix: Disallow Empty `robot_name_prefix` to prevent OIDC CLI login from being blocked
- fix: duplicated "by" in beego ORM TableName comments
- fix: enable chunked blob upload for Azure ACR replication
- fix: Fix potentional SQLi
- fix: Fix theoretical timing vulnerability (goharbor/harbor[#23433](https://github.com/container-registry/harbor-next/issues/23433)) ([#378](https://github.com/container-registry/harbor-next/issues/378))
- fix: propagate CSV marshal errors in scan data export
- fix: skip corrupted encrypted config values on decryption failure
- fix: use validated scan type in StopScanArtifact ([#367](https://github.com/container-registry/harbor-next/issues/367))
- fix(ecr): use amazonaws.com.cn domain for AWS China region endpoints
- fix(i18n): localize max upstream connection placeholder
- fix(portal): remove temporary SBOM permission override
- fix(security): validate blob-mount source project and reject tokens missing iat
- fix(ui): Update bindings in Project Policy Config
- fix(ui): use selected tag for pull command copy
- Fix/api completeness (goharbor/harbor[#23476](https://github.com/container-registry/harbor-next/issues/23476)) ([#432](https://github.com/container-registry/harbor-next/issues/432))
- Harden crypto usage and drop unused SMTP package
- perf(replication): filter event policies in query
- refactor(config): centralize registry HTTP client timeout
- refactor(task): use Redis SET with SPOP for outdate execution status …
- Replace gopkg.in/yaml.v2 with github.com/goccy/go-yaml
- Update and improve zh-TW Traditional Chinese locale
- Update artifact_accessory to add source column to identify accessory
- update ECR adapter to allow for ecr-public to be mirored
- Upgrade harbor go.mod OSS packages

## Code Refactoring

- **task:** use Redis SET with SPOP for outdate execution status refresh

