Releases: zalando/skipper

v0.24.70

13 Apr 17:55
c64ed02

Changes

update: Go to 1.26.2 in go.mod (#3963)

Fix all of these below:

make osv-scanner
osv-scanner -r ./
Scanning dir ./
Scanning /home/runner/work/skipper/skipper/ at commit dd457320b4be15d29641eb4d0daed2d188653e80
Scanned /home/runner/work/skipper/skipper/go.mod file and found 321 packages
+------------------------------+------+-----------+---------+---------+--------+
| OSV URL                      | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+------------------------------+------+-----------+---------+---------+--------+
| https://osv.dev/GO-2026-4865 |      | Go        | stdlib  | 1.26.1  | go.mod |
| https://osv.dev/GO-2026-4866 |      | Go        | stdlib  | 1.26.1  | go.mod |
| https://osv.dev/GO-2026-4869 |      | Go        | stdlib  | 1.26.1  | go.mod |
| https://osv.dev/GO-2026-4870 |      | Go        | stdlib  | 1.26.1  | go.mod |
| https://osv.dev/GO-2026-4946 |      | Go        | stdlib  | 1.26.1  | go.mod |
| https://osv.dev/GO-2026-4947 |      | Go        | stdlib  | 1.26.1  | go.mod |
+------------------------------+------+-----------+---------+---------+--------+
| Uncalled vulnerabilities     |      |           |         |         |        |
+------------------------------+------+-----------+---------+---------+--------+
| https://osv.dev/GO-2026-4864 |      | Go        | stdlib  | 1.26.1  | go.mod |
+------------------------------+------+-----------+---------+---------+--------+

Multiarch Docker image

Multiarch Docker image is available in GitHub's docker registry:

docker run -it ghcr.io/zalando/skipper:v0.24.70 skipper --help

Docker image

Docker image is available in Zalando's Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.24.70 skipper --help

v0.24.69

13 Apr 16:27
dd45732

Changes

build(deps): bump the all-go-mod-patch-and-minor group across 1 directory with 11 updates (#3962)

Bumps the all-go-mod-patch-and-minor group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/coreos/go-oidc/v3 | 3.17.0 | 3.18.0 |
| github.com/testcontainers/testcontainers-go | 0.41.1-0.20260403163240-359d0dec648b | 0.42.0 |
| github.com/valkey-io/valkey-go | 1.0.73 | 1.0.74 |
| github.com/valkey-io/valkey-go/valkeyhook | 1.0.73 | 1.0.74 |
| github.com/valkey-io/valkey-go/valkeyotel | 1.0.73 | 1.0.74 |
| go.opentelemetry.io/contrib/exporters/autoexport | 0.67.0 | 0.68.0 |
| go.opentelemetry.io/contrib/propagators/autoprop | 0.67.0 | 0.68.0 |
| golang.org/x/crypto | 0.49.0 | 0.50.0 |
| golang.org/x/net | 0.52.0 | 0.53.0 |

Updates github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0

Release notes

Sourced from github.com/coreos/go-oidc/v3's releases.

v3.18.0

What's Changed

Full Changelog: coreos/go-oidc@v3.17.0...v3.18.0

Commits
  • da6b3bf build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
  • 7f80694 build(deps): bump golang.org/x/oauth2 from 0.28.0 to 0.36.0
  • 7271de5 .github: update go versions in CI
  • 3ccf20f .github: configure dependabot
  • See full diff in compare view

Updates github.com/testcontainers/testcontainers-go from 0.41.1-0.20260403163240-359d0dec648b to 0.42.0

Release notes

Sourced from github.com/testcontainers/testcontainers-go's releases.

v0.42.0

What's Changed

⚠️ Breaking Changes

🔒 Security

🐛 Bug Fixes

  • fix: return an error when docker host cannot be retrieved (#3613) @​ash2k

🧹 Housekeeping

📦 Dependency updates

  • chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.28.0 to 1.43.0 in /modules/grafana-lgtm (#3639) @dependabot[bot]
  • chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0 in /modules/compose (#3641) @dependabot[bot]
  • chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0 in /modules/compose (#3645) @dependabot[bot]
  • chore(deps): bump mkdocs-include-markdown-plugin from 7.2.1 to 7.2.2 (#3626) @dependabot[bot]
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.2 to 1.97.3 in /modules/localstack (#3638) @dependabot[bot]
  • chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.41.0 to 1.43.0 in /modules/grafana-lgtm (#3643) @dependabot[bot]
  • chore(deps): bump go.opentelemetry.io/otel/sdk from 1.41.0 to 1.43.0 in /modules/milvus (#3644) @dependabot[bot]
  • chore: update to Go 1.25.9, 1.26.9 (#3647) @​thaJeztah
  • chore(deps): bump bump github.com/klauspost/compress v1.18.5, github.com/docker/compose v5.1.2 (#3646) @​thaJeztah
  • chore(deps): bump moby/client v0.4.0, moby/api v1.54.1 (#3634) @​thaJeztah
  • chore(deps): bump golang.org/x/sys from 0.41.0 to 0.42.0 (#3629) @dependabot[bot]
  • chore(deps): bump github.com/moby/patternmatcher from 0.6.0 to 0.6.1 (#3628) @dependabot[bot]
  • chore(deps): bump github.com/shirou/gopsutil/v4 from 4.26.2 to 4.26.3 (#3627) @dependabot[bot]
  • fix(localstack): accept community-archive as a valid tag (#3601) @​johnduhart
  • chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /modules/gcloud (#3632) @dependabot[bot]
  • chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (

v0.24.68

13 Apr 15:39
f675bf6

Changes

build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp from 0.18.0 to 0.19.0 (#3955)

Bumps go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp from 0.18.0 to 0.19.0.

Release notes

Sourced from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp's releases.

Release v0.19.0

Added

  • Added Marshaler config option to otlphttp to enable otlp over json or protobufs. (#1586)
  • A ForceFlush method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider to flush all registered SpanProcessors. (#1608)
  • Added WithSampler and WithSpanLimits to tracer provider. (#1633, #1702)
  • "go.opentelemetry.io/otel/trace".SpanContext now has a remote property, and IsRemote() predicate, that is true when the SpanContext has been extracted from remote context data. (#1701)
  • A Valid method to the "go.opentelemetry.io/otel/attribute".KeyValue type. (#1703)

Changed

  • trace.SpanContext is now immutable and has no exported fields. (#1573)
    • trace.NewSpanContext() can be used in conjunction with the trace.SpanContextConfig struct to initialize a new SpanContext where all values are known.
  • Update the ForceFlush method signature to the "go.opentelemetry.io/otel/sdk/trace".SpanProcessor to accept a context.Context and return an error. (#1608)
  • Update the Shutdown method to the "go.opentelemetry.io/otel/sdk/trace".TracerProvider return an error on shutdown failure. (#1608)
  • The SimpleSpanProcessor will now shut down the enclosed SpanExporter and gracefully ignore subsequent calls to OnEnd after Shutdown is called. (#1612)
  • "go.opentelemetry.io/sdk/metric/controller.basic".WithPusher is replaced with WithExporter to provide consistent naming across project. (#1656)
  • Added non-empty string check for trace Attribute keys. (#1659)
  • Add description to SpanStatus only when StatusCode is set to error. (#1662)
  • Jaeger exporter falls back to resource.Default's service.name if the exported Span does not have one. (#1673)
  • Jaeger exporter populates Jaeger's Span Process from Resource. (#1673)
  • Renamed the LabelSet method of "go.opentelemetry.io/otel/sdk/resource".Resource to Set. (#1692)
  • Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/jaeger package. (#1693)
  • Changed WithSDK to WithSDKOptions to accept variadic arguments of TracerProviderOption type in go.opentelemetry.io/otel/exporters/trace/zipkin package. (#1693)
  • "go.opentelemetry.io/otel/sdk/resource".NewWithAttributes will now drop any invalid attributes passed. (#1703)
  • "go.opentelemetry.io/otel/sdk/resource".StringDetector will now error if the produced attribute is invalid. (#1703)

Removed

  • Removed serviceName parameter from Zipkin exporter and uses resource instead. (#1549)
  • Removed WithConfig from tracer provider to avoid overriding configuration. (#1633)
  • Removed the exported SimpleSpanProcessor and BatchSpanProcessor structs. These are now returned as a SpanProcessor interface from their respective constructors. (#1638)
  • Removed WithRecord() from trace.SpanOption when creating a span. (#1660)
  • Removed setting status to Error while recording an error as a span event in RecordError. (#1663)
  • Removed jaeger.WithProcess configuration option. (#1673)
  • Removed ApplyConfig method from "go.opentelemetry.io/otel/sdk/trace".TracerProvider and the now unneeded Config struct. (#1693)

Fixed

  • Jaeger Exporter: Ensure mapping between OTEL and Jaeger span data complies with the specification. (#1626)
  • SamplingResult.TraceState is correctly propagated to a newly created span's SpanContext. (#1655)
  • The otel-collector example now correctly flushes metric events prior to shutting down the exporter. (#1678)
  • Do not set span status message in SpanStatusFromHTTPStatusCode if it can be inferred from http.status_code. (#1681)
  • Synchronization issues in global trace delegate implementation. (#1686)
  • Reduced excess memory usage by global TracerProvider. (#1687)

Raw changes made between v0.18.0 and v0.19.0

... (truncated)

Changelog

Sourced from go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

  • Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
  • Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
  • Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
  • Support attributes with empty value (attribute.EMPTY) in

v0.24.67

13 Apr 12:11
5fffa73

Changes

fix: improve bearerinjector logging for missing credentials (#3957)

Summary

When the bearerinjector filter can't find a secret, the error message
now mentions the -credentials-paths flag. Previously it just said
"Secret not found" with no hint about what to configure.

Also updates the bearerinjector docs to link to the egress reference and
note the -credentials-paths requirement.

Changes

  • filters/auth/bearer.go: Improved error message at line 56 to mention
    -credentials-paths.
  • docs/reference/filters.md: Added note about -credentials-paths and
    link to the egress reference with a complete configuration example.

Testing

  • go build ./filters/auth/... passes

Fixes #3507

This contribution was developed with AI assistance (Claude Code).

Multiarch Docker image

Multiarch Docker image is available in GitHub's docker registry:

docker run -it ghcr.io/zalando/skipper:v0.24.67 skipper --help

Docker image

Docker image is available in Zalando's Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.24.67 skipper --help

v0.24.66

13 Apr 08:37
7be0a5d

Changes

Fix: OSV scanner docker/docker CVE (#3954)

  • testcontainers-go depends on docker/docker
  • eopa depends on docker/docker

Both depend on docker/docker only in tests/examples, so the CVE is not a
vulnerability in the skipper binary.

testcontainers-go was fixed: testcontainers/testcontainers-go#3591
eopa: we are working on a fix: open-policy-agent/eopa#370


Multiarch Docker image

Multiarch Docker image is available in GitHub's docker registry:

docker run -it ghcr.io/zalando/skipper:v0.24.66 skipper --help

Docker image

Docker image is available in Zalando's Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.24.66 skipper --help

v0.24.65

11 Apr 16:22
d1c4dd5

Changes

build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.94.0 to 1.99.0 (#3953)

Multiarch Docker image

Multiarch Docker image is available in GitHub's docker registry:

docker run -it ghcr.io/zalando/skipper:v0.24.65 skipper --help

Docker image

Docker image is available in Zalando's Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.24.65 skipper --help

v0.24.64

08 Apr 16:52
64c3597

Changes

feature: zone aware routing - Option 1 (#3117)

  • feature: zone aware eskip.LBEndpoints
  • feature: routesrv add zone aware API endpoint /routes/:zone

Multiarch Docker image

Multiarch Docker image is available in GitHub's docker registry:

docker run -it ghcr.io/zalando/skipper:v0.24.64 skipper --help

Docker image

Docker image is available in Zalando's Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.24.64 skipper --help

v0.24.63

08 Apr 13:59
93d7b9c

Changes

doc: valkey cluster rate limit install, operations guide and tutorial (#3947)

close: #3799


Multiarch Docker image

Multiarch Docker image is available in GitHub's docker registry:

docker run -it ghcr.io/zalando/skipper:v0.24.63 skipper --help

Docker image

Docker image is available in Zalando's Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.24.63 skipper --help

v0.24.62

07 Apr 21:35
8a87d89

Changes

build(deps): bump oss-fuzz-base/base-builder-go from e2371d4 to c07cb46 in /.clusterfuzzlite (#3950)

Bumps oss-fuzz-base/base-builder-go from e2371d4 to c07cb46.

Multiarch Docker image

Multiarch Docker image is available in GitHub's docker registry:

docker run -it ghcr.io/zalando/skipper:v0.24.62 skipper --help

Docker image

Docker image is available in Zalando's Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.24.62 skipper --help

v0.24.61

01 Apr 12:49
38d2b88

Changes

Refactor: dependencies (#3942)

update go-jose because of GHSA-78h2-9frx-2jm8
removed go-jose.v2
replaced github.com/ghodss/yaml by already imported sigs.k8s.io/yaml


Multiarch Docker image

Multiarch Docker image is available in GitHub's docker registry:

docker run -it ghcr.io/zalando/skipper:v0.24.61 skipper --help

Docker image

Docker image is available in Zalando's Open Source registry:

docker run -it registry.opensource.zalan.do/teapot/skipper:v0.24.61 skipper --help