Thanks to everyone who created feature requests and bug reports and tested fixes. Your help is instrumental in continuing to improve Cupdate!
Features
Controlling image updates with labels (e.g. pin tag)
When finding container images in use, Cupdate builds a graph of the image and its dependants.

This graph includes the image itself and any resources directly or indirectly relying on it.
Since v0.17.0, Cupdate can take configuration from labels on any resource in the graph to configure how the image is (or isn't) processed. Previously, this functionality could only be used to ignore images. Starting in v0.18.0, Cupdate supports additional configuration:
- stay-on-current-major - don't recommend updates from 3.21.2 -> 4.0.0, but do recommend 3.21.2 -> 3.22.0
- pin - don't recommend updates to other tags, only check the underlying manifest
These options are especially useful for databases. See the revised and much more detailed label config docs in docs/config.md.
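The effect of the two options on which tags get recommended, as an added Go example (not Cupdate's own code). The function names, the strict three-part numeric tag parsing and the sample tags are assumptions made for illustration; only the option names come from the notes above.

```go
package main

import "fmt"

// Option names as given in the release notes; label keys and lookup are not modelled.
const StayOnCurrentMajor, Pin = "stay-on-current-major", "pin"

// parse accepts only plain "major.minor.patch" tags; "latest" or "3.22.0-alpine" give ok=false.
func parse(tag string) (v [3]int, ok bool) {
	var rest string
	n, _ := fmt.Sscanf(tag, "%d.%d.%d%s", &v[0], &v[1], &v[2], &rest)
	return v, n == 3 // n == 4 means trailing text followed the patch number
}

// newer reports whether a is a strictly higher version than b.
func newer(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return false
}

// Recommend returns the candidate tags the policy allows as updates from current.
func Recommend(current string, candidates []string, policy string) []string {
	out := []string{}
	cur, ok := parse(current)
	if !ok || policy == Pin {
		return out // pinned: no other tag is suggested, only the manifest is checked
	}
	for _, c := range candidates {
		v, ok := parse(c)
		if ok && newer(v, cur) && (policy != StayOnCurrentMajor || v[0] == cur[0]) {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	tags := []string{"3.20.9", "3.21.3", "3.22.0", "4.0.0", "latest"} // constructed sample
	fmt.Println(Recommend("3.21.2", tags, StayOnCurrentMajor))
}
```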
To make it easier to understand which settings are applied, Cupdate now exposes the labels in the UI, showing a small tag on nodes that have labels on them. The labels can be seen in detail by pressing on a node. The labels that affect an image are shown when clicking on an image's node.


Open Source Security Foundation's Scorecard

Cupdate cares for security, with features like checking for reported vulnerabilities. In v0.18.0, Cupdate adds support for the Open Source Security Foundation's Scorecard, providing additional risk insight into open source projects. The scorecard report contains checks that score how well a project is maintained and how well it follows best practices such as using dependency management tools, having a security policy, running fuzz tests and static code analysis tools, narrowing token permissions and more.
For now, only repositories scanned by the foundation are supported, which covers the top one million open source projects hosted on GitHub or GitLab. The tool can be run locally to test other repositories. At the time of writing, Cupdate's score is 7.7/10 (low risk), lacking fuzz tests and code reviews (single maintainer).
State store migration framework
As Cupdate is still in active development and hasn't yet reached 1.0, there have been breaking changes and there will likely be more. In the vast majority of cases, the changes made to the state store have gone unnoticed as they could be handled gracefully.
To lay the foundation for stable updates of Cupdate, a migration framework has been implemented to ensure that changes to the state store can be made without requiring any user intervention when updating. The framework allows for migrating any version of Cupdate to a newer version, with transactional, delta migrations. The framework has already seen use to allow for the new scorecard feature.
Improvements and fixes
- Show details of graph nodes in the UI when the node is clicked
- Improved UI responsiveness
- Wrap tags on small viewports
- Reduce padding of tags in cards
- Improve text wrapping of step durations
- Improved support for private GHCR images
- Propagate workflow job errors to dependencies, ensuring jobs are correctly skipped if a dependency's dependency fails
- Fix sort of semver tags with digest diff
- Improve graph layout
Full Changelog: v0.17.0...v0.18.0