github project-copacetic/copacetic v0.14.0-rc.1

pre-release, 4 hours ago

v0.14.0-rc.1

⚠️ Pre-release.

✨ Features

  • Go binary patching — patch vulnerable Go binaries by rebuilding from source with updated stdlib/deps (#1388)
  • Arch Linux support — pacman package manager (#1467)
  • RPM chroot-based patching — patch RPM images that are missing a package manager (#1473)
  • Python virtual environment patching — support venv-based site-packages via PkgPath (#1485)
  • Bulk patching improvements — skip detection and cross-registry support (#1475)
  • Test environment utilities for BuildKit integration tests (#1399)
  • Demo recordings + asciinema player added to the website (#1453)

🔒 Security hardening

  • Bump otel/sdk to fix CVE-2026-24051 (#1483)
  • Validate RPM package names before distroless shell execution (#1541)
  • Validate RPM package names in dnf chroot path (#1529)
  • Validate Node.js npm tarballs before extraction (#1533)
  • Prevent Node.js shell injection via untrusted package paths (#1538)
  • Validate .NET deps.json script inputs to prevent command injection (#1537)
  • Prevent Go module flag injection via leading-dash names (#1526)
  • Prevent tag-based command injection in release workflow (#1535)
  • Codebase audit hardening (#1507)

🐛 Bug fixes

  • VEX: use installed version in PURLs and add distro qualifier for BOM-VEX correlation (#1552)
  • Avoid masking package manager failures as no-updates (#1530)
  • Restore strict multi-platform failure behavior when ignore-errors=false (#1532)
  • Suppress NU1605 in generated patch.csproj for .NET (#1557)
  • Filter App.Runtime images in .NET patching (#1501)
  • Replace npm install with direct tarball replacement (#1479)
  • Resolve TUI freeze and CLI deadlock on early build errors (#1505)
  • Close progress channel when no platforms need patching (#1528)
  • Migrate docker/docker to moby/moby/client (#1525)
  • Go patching log levels (#1516)

⬆️ Dependency upgrades

  • BuildKit 0.28.1 (#1512)
  • Trivy v0.69.3 + OpenTelemetry-Go v1.43.0 (#1558)
  • google.golang.org/grpc 1.78.0 → 1.79.3 (#1480, #1502)
  • github.com/quay/claircore 1.5.45 → 1.5.52 (#1442, #1464, #1518)
  • github.com/google/go-containerregistry 0.20.7 → 0.21.3 (#1520)
  • k8s.io/apimachinery 0.35.0 → 0.35.2 (#1470, #1487)
  • testcontainers-go 0.38.0 → 0.40.0 (#1438)
  • Plus dependabot bumps for dependency groups across the project

🧹 Internal / CI

  • Refactor: structured rebuildFailure replaces rebuildErrors []string in langmgr (#1560)
  • Stabilize CI — golangci-lint alignment, deterministic tests, network retries (#1477)
  • Pin BuildKit version and set explicit DNS for podman/container env (#1563)
  • Pin scanner-plugin-template dependency in build workflow (#1544)

📚 Docs

  • Improve buildkit-frontend examples (#1498)
  • Generate v0.13.x docs (#1437)
  • Remove Microsoft support policy section from SUPPORT.md (#1455)

Full changelog: v0.13.0...v0.14.0-rc.1
