ORAS CLI v1.3.3 is a maintenance release focused on security hardening, dependency updates, and a few user-facing improvements to oras attach.
Highlights
- 🔒 Security: upgraded
oras-goto v2.6.2, which addresses a tar-extraction path-traversal advisory (GHSA-fxhp-mv3v-67qp) affecting hardlink entries duringpull/extract. - ✨
oras attachgains--configsupport, and--annotation $config:*values now flow through to the packed manifest. - 🛡️ Supply-chain hardening: GitHub Actions are now pinned to commit SHAs, SBOMs are attached to release artifacts, and static security scanning (gosec) runs in CI.
- 🐛 Copy/mount fixes: no longer mounts when source and destination credentials differ, and falls back to blob upload when a cross-repo mount fails.
✨ Features
- Add
--configflag support fororas attachby @ogulcanaydogan in #2000 - Pass
--annotation $config:*through toPackManifestOptionsforattachby @SAY-5 in #2037 - Allow setting
org.opencontainers.image.titlein the annotation file by @rafaelgieschke in #1872 - Add SBOMs to the release workflow by @bupd in #1940
🐛 Bug Fixes
cpshould not mount when source and destination credentials differ by @wangxiaoxuan273 in #1903- Fall back to blob upload when cross-repo mount fails by @bupd in #1924
- Redact password values from e2e test execution logs by @TerryHowe in #2042
- Revert Alpine base image to fix multi-arch build by @bupd in #1933
- Set
GOTOOLCHAIN=localinsnapcraft.yamlto prevent auto-download by @TerryHowe in #2012 - Fix typo in
logEntrySeparatorconst by @Ahmad-Faraj in #2087
🔒 Security
- Bump
oras.land/oras-go/v2to 2.6.2 (addresses GHSA-fxhp-mv3v-67qp) by @dependabot in #2105, #2106 - Add static security scanning (gosec) to CI by @bupd in #1934; resolve gosec findings (G703, G117, G704) by @TerryHowe in #1985
- Pin GitHub Actions to commit SHAs by @TerryHowe in #2016; pin to full version comments by @alliasgher in #2038
- Add
golangci-lintconfiguration with additional linters by @bupd in #1936
📖 Documentation
- Add examples to the
logoutcommand help text by @ogulcanaydogan in #2079 - Add multi-repository backup and restore proposal by @shizhMSFT in #1917
🧰 Maintenance
- Upgrade to Go 1.25.7 by @TerryHowe / @adriansali in #1980, #1910
- Migrate from unmaintained
gopkg.in/yaml.v3togo.yaml.in/yaml/v4by @bupd in #1922 - Add
goheader(license headers) andrevivelinters, plusgofmt/go modernizepasses - ~110 dependency updates across Go modules, Docker base images, and GitHub Actions via Dependabot
New Contributors
- @rafaelgieschke made their first contribution in #1872
- @ManishhDev made their first contribution in #1883
- @johnsonshi made their first contribution in #1889
- @vr-varad made their first contribution in #1898
- @adriansali made their first contribution in #1910
- @bupd made their first contribution in #1933
- @alliasgher made their first contribution in #2038
- @ogulcanaydogan made their first contribution in #2000
- @bimakw made their first contribution in #1950
- @SAY-5 made their first contribution in #2037
- @gaoflow made their first contribution in #2093
- @Ahmad-Faraj made their first contribution in #2087
Full Changelog: v1.3.2...v1.3.3