Important
This release addresses a low severity security issue (CVE-2026-20613) in the containerization library whereby a poorly assembled or maliciously crafted image tar archive can write files to locations other than the extraction directory. The issue is present when a user runs the `container image load` command (or the `cctl image load` command in containerization).
No privilege escalation is possible by exploiting the issue; the archive extractor can only write files that the user could write themselves.
Highlights
⌨️ denotes breaking CLI changes.
👩💻 denotes breaking API changes.
- Core
  - Prevent `container image load` from writing files outside the extraction directory
  - Fixed panics and filesystem data integrity errors when stressing containers
  - Numerous stability fixes for container start and stop.
  - `container system version` shows version info
  - `--read-only` flag for `container create/run` mounts root filesystem read-only
  - Add platform architecture aliases for amd64 and arm64
  - 👩💻 Reorganized client APIs and numerous other API changes
- Network
- Storage
What's Changed
- fix(TerminalProgress): make the progress bar respect locale-specific decimal separator by @TTtie in #936
- Fix broken image integration tests. by @jglogan in #944
- Update CONTRIBUTORS to MAINTAINERS and point at containerization by @katiewasnothere in #942
- [volumes]: refactor prune command by @saehejkang in #940
- Lowercase error messages by @dkovba in #945
- Deps: Bump Containerization to 0.16.2 by @dcantah in #947
- feat: implement version sub command by @fatelei in #911
- CLI: Fix -it not being able to pipe stdout by @dcantah in #951
- [images]: refactor prune command by @saehejkang in #941
- Feat: customize console output with env variable by @karenheckel in #952
- Upgrade GitHub Actions for Node 24 compatibility by @salmanmkc in #958
- Add Dependabot for GitHub Actions updates by @salmanmkc in #960
- Upgrade GitHub Actions to latest versions by @salmanmkc in #959
- Use new IP/CIDR types from Containerization. by @jglogan in #957
- [networks]: add prune command by @saehejkang in #914
- Fix: Kubes Cluster in Container Crashing Container (IS#923) by @Michaelgathara in #930
- Turn on oops=panic kernel cmdline by @dcantah in #971
- Add support for reading env from named pipes by @Bortnyak in #974
- Adds network IPv6 configuration. by @jglogan in #975
- Fix container auto-delete on rapid stop/start by @realrajaryan in #841
- Fix MAC address option typo in how-to documentation by @claudeaceae in #980
- Fix bash completion source path in documentation by @claudeaceae in #981
- CLI: Fix stop not signalling waiters by @dcantah in #972
- Fix grammar in tutorial.md by @claudeaceae in #985
- Clarify uninstall script location in README by @claudeaceae in #982
- Use full path for uninstall script in upgrade instructions by @claudeaceae in #983
- Fix OSS header dates that break CI checks. by @jglogan in #1009
- Update OSS header in Package.swift. by @jglogan in #1010
- Fix port validation to allow same port for different protocols (#992) by @iko1 in #1000
- CLI: Small fixups for implicit envvars by @dcantah in #1014
- Deps: Bump Containerization to 0.19.0 by @dcantah in #1015
- Parser: Support relative paths for --volume by @dcantah in #1013
- Update license header on all files to include the current year by @katiewasnothere in #1024
- makefile: Add cli target by @dcantah in #1022
- Reorganize client libraries. by @jglogan in #1020
- Update to containerization 0.20.0. by @jglogan in #1027
- Tests: Fix relative path mount tests by @dcantah in #1028
- CLI: Add read-only flag to run/create by @dcantah in #999
- Resolve IPv6 address queries for container names. by @jglogan in #1016
- [container]: add startedDate field by @saehejkang in #1018
- Adds IPv6 port forwarding. by @jglogan in #1029
- ProgressBar: Various fixes by @dcantah in #1025
- Add instructions for using locally built init filesystem. by @jglogan in #1032
- fix: improve error message when binding to privileged ports (fixes #978) by @Ronitsabhaya75 in #1031
- fix: extract hostname from FQDN (#1011) by @iko1 in #1017
- Fix: Support x86_64 architecture alias to prevent silent pull failure… by @Ronitsabhaya75 in #1036
- Fix relative path resolution in entrypoint by @ParkSeongGeun in #987
- Fix the FS error when using Virtualization by @JaewonHur in #1041
- Add support for aarch64 architecture alias by @Ronitsabhaya75 in #1040
- fix: use pax instead of tar for pkg payload extraction by @manuschillerdev in #1038
- Fix unstable integration tests. by @jglogan in #1060
- Adds opt-in pre-commit hook for format and header checks. by @jglogan in #1062
- Update for containerization 0.21.0. by @jglogan in #1056
- fix: performance warning should not output ANSI codes if stderr redirected by @iko1 in #1059
- ContainerSvc: Handle unexpected sandbox svc exits by @dcantah in #1065
- Throw error when starting a container with invalid virtiofs source by @JaewonHur in #1051
- Change behavior of the default arguments in the plugin config by @katiewasnothere in #1063
- Use configuration subnet and fallback to default subnet in allocation only plugin by @katiewasnothere in #1057
- Update to containerization 0.21.1. by @jglogan in #1064
- Use StderrLogHandler for rich logging features. by @jglogan in #1066
- Select macOS 26 CI runners. by @jglogan in #1074
New Contributors
- @TTtie made their first contribution in #936
- @fatelei made their first contribution in #911
- @karenheckel made their first contribution in #952
- @salmanmkc made their first contribution in #958
- @Michaelgathara made their first contribution in #930
- @Bortnyak made their first contribution in #974
- @claudeaceae made their first contribution in #980
- @iko1 made their first contribution in #1000
- @ParkSeongGeun made their first contribution in #987
- @JaewonHur made their first contribution in #1041
- @manuschillerdev made their first contribution in #1038
Full Changelog: 0.7.1...0.8.0