
v1.5.1-rc.3

Pre-release

@github-actions github-actions released this 28 Jun 20:01
1819478

Full Changelog: v1.5.1-rc.2...v1.5.1-rc.3

[1.5.1-rc.3] — 2026-06-28

Added

  • Intermediate release notes between the running and target version. When a container is several versions behind, drydock now fetches the releases between the running tag (exclusive) and the update target (inclusive) and shows them in the release-notes popover. Best-effort and semver-only — date tags and rolling tags (latest, stable) fall back to the standard two-panel view. Cap the range with DD_RELEASE_NOTES_MAX_INTERMEDIATE (default 20; set to 0 to disable). When the range exceeds the cap, the popover shows a non-silent "N older releases not shown" notice. Supports the __FILE secret-file convention (DD_RELEASE_NOTES_MAX_INTERMEDIATE__FILE). (#453)
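As an added example (not drydock's own code), the range selection described above: semver-only filtering with the running tag exclusive and the target inclusive, sorted newest-first and capped so the remainder feeds the "N older releases not shown" notice. Function names are mine, and the example assumes date tags are hyphenated (2026-06-28); a dotted date scheme would need its own check.

```javascript
// Added example, not drydock's own code: pick the releases between the
// running tag (exclusive) and the update target (inclusive), semver-only.
// Date tags and rolling tags (latest, stable) yield null so the caller falls
// back to the two-panel view. `maxIntermediate` stands in for
// DD_RELEASE_NOTES_MAX_INTERMEDIATE (default 20; 0 disables the lookup).
const SEMVER_RE = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

// "v1.5.1-rc.3" -> { core: [1, 5, 1], pre: "rc.3" }; "latest" or "2026-06-28" -> null.
function parseSemver(tag) {
  const m = SEMVER_RE.exec(String(tag).trim());
  return m ? { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null } : null;
}

// Pre-release identifier order: numeric < alphanumeric, numerics compared as numbers.
function cmpIdent(x, y) {
  const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
  if (xn && yn) return Number(x) - Number(y);
  if (xn !== yn) return xn ? -1 : 1;
  return x < y ? -1 : x > y ? 1 : 0;
}

// Semver precedence: core numbers first, then a release outranks its own pre-releases.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  if (a.pre === b.pre) return 0;
  if (a.pre === null || b.pre === null) return a.pre === null ? 1 : -1;
  const ap = a.pre.split('.'), bp = b.pre.split('.');
  for (let i = 0; i < Math.min(ap.length, bp.length); i++) {
    const c = cmpIdent(ap[i], bp[i]);
    if (c !== 0) return c;
  }
  return ap.length - bp.length; // "rc" sorts before "rc.3"
}

// Returns { releases, hidden } newest-first, or null when the feature does not
// apply (a non-semver bound, or the cap set to 0). `hidden` is the count for
// the "N older releases not shown" notice.
function intermediateReleases(releaseTags, runningTag, targetTag, maxIntermediate = 20) {
  if (maxIntermediate <= 0) return null;
  const from = parseSemver(runningTag), to = parseSemver(targetTag);
  if (!from || !to) return null;
  const inRange = releaseTags
    .map((tag) => ({ tag, v: parseSemver(tag) }))
    .filter((r) => r.v && compareSemver(r.v, from) > 0 && compareSemver(r.v, to) <= 0)
    .sort((x, y) => compareSemver(y.v, x.v));
  const releases = inRange.slice(0, maxIntermediate).map((r) => r.tag);
  return { releases, hidden: inRange.length - releases.length };
}
```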

  • New GET /api/containers/{id}/intermediate-release-notes endpoint. Lazy-loads the intermediate release list on demand when the release-notes popover opens; not embedded in the container model or agent snapshot, so it adds no ongoing payload weight. Accepts from (required) and to (defaults to the container's pending update tag) query parameters. (#453)

  • Warn log when a dd.source.repo container label shadows a trusted OCI image source label. Adding a dd.source.repo label to a running container when the image already carries a trusted org.opencontainers.image.source (or org.opencontainers.image.url) OCI label silently downgrades source resolution from trusted to untrusted, which drops the GHCR token fallback for release-notes lookups. Drydock now logs a warn-level line each watch cycle when it detects this conflict, naming both repos. (#452)

Changed

  • DD_RELEASE_NOTES_GITHUB_TOKEN is now forwarded to release-notes lookups for repos resolved from a dd.source.repo container label or a persisted container.sourceRepo value. Previously these sources were always fetched anonymously. The GHCR token fallback stays restricted to trusted sources (OCI image labels and GHCR image paths) and is never sent to a container-label source. Because the dedicated token can be sent to a repo named by a container label, scope it narrowly: a classic PAT with public_repo scope only, or a fine-grained PAT with read-only Contents permission limited to public repositories and no write or account permissions. (#452)

  • Re-synced the UI translation catalogs from Crowdin. The 16 target-locale containerComponents.json files were regenerated from the Crowdin project so their key order tracks the English source catalog, keeping the on-disk catalogs and the translation platform in lockstep as community translations land.

Warning

Upgrade notes: behavioral changes, please read before updating. Three security-hardening fixes that change runtime behavior first shipped in 1.4.6 and carry through the entire 1.5 line. Anyone updating from a release older than 1.4.6 is affected, whatever version you land on (1.4.6, any 1.5.x, or later), because these changes sit across the 1.4.6 boundary rather than in one specific version. These are not deprecations: there is no compatibility shim or grace period, so a previously-working deployment can change behavior on upgrade.

  1. OIDC login now requires authorization_endpoint in your provider's discovery metadata. The authorization-redirect allowlist no longer falls back to a broad same-origin match. Mainstream identity providers (Keycloak, Authentik, Authelia, Okta, Google, Entra/Azure AD, Zitadel, …) publish this field and are unaffected. If your /.well-known/openid-configuration does not advertise authorization_endpoint, OIDC sign-in will now fail closed — make sure the discovery document exposes it.
  2. Unauthenticated rate-limit buckets now key on the TCP peer address instead of X-Forwarded-For. Behind a reverse proxy (nginx / Traefik / Caddy), all unauthenticated clients now share a single bucket (the proxy's address), regardless of DD_SERVER_TRUSTPROXY. Internet-facing or multi-user instances may begin to see unexpected 429 Too Many Requests on unauthenticated endpoints. Authenticated requests are keyed per session and are unaffected.
  3. HTTP-trigger proxy URLs must now use the http:// or https:// scheme. Any other scheme (e.g. socks5://) is rejected at config load. Such values were previously accepted but only ever treated as an HTTP proxy — switch to an http(s):// proxy URL.