Release notes v2.15.0

Released 2026-05-12. Compare with v2.14.0.

Features

Compose & Deployment

  • Production compose/images/devenv overhaul with DHI base images and non-root containers

Database

Documentation

  • Add documentation generation tasks for helm-docs and SVGBob diagrams

Portal

User Interface

Bug Fixes

  • [upstream] Add missing AWS ECR regions
  • [upstream] Add User-Agent header to all registry requests
  • [upstream] Append Custom CAs to System CA Pool
  • [upstream] Bump Trivy to v0.69.2 Following Supply Chain Incident
  • [upstream] Check Error First Before Other Checks
  • [upstream] Format version span indentation in about dialog
  • [upstream] Proxy Cache Serve Local on Remote Not Found
  • [upstream] Remove Payload From Config Audit Log
  • [upstream] Swagger Replication Rule Invalid JSON
  • [upstream] Update parent and child artifact pull times
  • [upstream] Update Verify Remote Cert Tooltip for Registry Endpoints
  • [upstream] Wrong Operation Response Name for UpdateRepository
  • add -trimpath to go build flags to prevent local path leaks
  • Add Dockerfile Healthchecks
  • Address Devenv Review Feedback
  • Address PR #119 review feedback
  • Allow Negative Serial Numbers in x509 Certificates
  • Avoid holding pull time lock during async DB flushes
  • Classify BuildKit attestations as accessories (Docs: Types of Artifacts)
  • Clean up unused portal UI components and configuration
  • Expand Global Search Input
  • Handle proxy-cache races in UpdatePullTime and correct artForPullTime construction
  • Honor unauthenticated project redirects (Docs: Restrictions on Switching Between User Authentication Modes)
  • implement cosign signature inheritance for OCI index children
  • Improve CA Pool Test Assertion and Use Typed NotFoundError in Purge API
  • Proxy Cache Fallback Local - Even When Remote Does Not Exist
  • Re-add missing in-toto attestation accessory model import
  • remove unauthorised banner
  • Replace scannable content type skiplist with allowlist and add scan timeout
  • Resolve Lint And Vulnerability Issues
  • Restore Postgres 18 Volume Mount
  • Set Release-Please Manifest to 2.14.0 for Correct 2.15.0 First Release
  • Use fully qualified PostgreSQL image name for Podman compatibility

Container Images

  • Use pre-built binaries in registry and trivy-adapter dockerfiles, fix –load/–push output

Database

  • Remove redundant sql.DB Close in dbpool.Pool.Close()

Dependencies

  • Bump go-jose/go-jose/v4 to v4.1.4 for CVE-2026-34986
  • Bump go.opentelemetry.io/otel/sdk to v1.43.0 for PATH hijack CVE

Development

  • Fix Dev Environment Docker Compose and Trivy Adapter Setup

Development Environment

  • registryctl crashes on startup, missing config file argument

Exporter

  • Bake Harbor version into exporter image at build time
  • Remove redundant database URL field from exporter config

Portal

  • [upstream] UI Statistics Display Are Not Aligned
  • Fix i18n Key Typos and Add Missing zh-TW Translation
  • Fix Proxy Cache Checkbox Visibility, Guard, and i18n Keys
  • stabilize test runner

Proxy Cache

  • [upstream] Preserve URL path prefix during registry auth discovery
  • [upstream] Serve local artifact on remote not found in proxy cache

Security

  • [upstream] Reject Bearer Tokens Issued Before Project Creation
  • reject bearer tokens issued before project creation

Sessions

  • [upstream] Use Correct Maxlifetime in SessionRegenerate

Performance Improvements

CI/CD

  • speed up unit test pipeline

Code Refactoring

  • [upstream] Omit Unnecessary Reassignment