Releases: open-policy-agent/opa
v1.6.0
710b5a6
This release contains a mix of new features, performance improvements, and bugfixes. Notably:
- Improvements to the OPA website and documentation
- Allowing keywords in Rego references
- Parallel test execution
- Faster built-in function execution
Modernized OPA Website (#7037)
We're continuing to modernize the OPA website with a new design and improved user experience.
Some highlights:
- Builtins: You can now search them on the docs page!
- Sidebar redesign: Making it easier to find what you're looking for in our docs
- Feedback forms: Closing the feedback loop between docs authors and readers -- Please let us know if you dislike, or like, a docs page.
- Downloads page: Find your OS' installation instructions on a less cluttered page!
- And much more
Authored by @sky3n3t and @charlieegan3
Allowing keywords in Rego references (#7709)
Previously, Rego references could not contain terms that conflict with Rego keywords such as package, if, else, not, etc. in certain constructs:

    package example

    allow if {
        input.package.source # not allowed (before v1.6.0)
        input["package"].destination # allowed
    }

The constraints for valid Rego references have been relaxed to allow keywords.
The above example is now valid and will no longer cause a compilation error.
Authored by @johanfylling
Parallel Test Execution (#7442)
By default, OPA will now run tests in parallel (defaulting to one parallel execution thread per available CPU core), significantly speeding up test execution time for large test suites.
The performance boost is closely tied to the number of tests in your project and your selected parallelism level. For larger projects and default settings, 2-3x performance gains have been measured on a MacBook Pro.
Parallelism can be disabled to run tests sequentially by setting the --parallel flag to 1. E.g. opa test . --parallel=1.
Authored by @sspaink reported by @anderseknert
Faster Builtin Function Evaluation
The builtin context, an internal construct of OPA's evaluation engine, was previously provided to every builtin function.
As it turns out, only very few of them actually need it, for caching, cancellation, or lookups.
Those builtins are still provided with a builtin context, but for calls to all other builtins, we save the memory required by it.
The impact is tremendous: Even though the size of a single builtin context is only about 270 bytes, in an example application (Regal), this change brings about 360 MB of reduced memory usage!
Authored by @anderseknert
Runtime, Tooling, SDK
- cmd/check: opa check --bundle report virtual/base doc conflicts (#7701) authored by @anderseknert
  When opa check is used with the --bundle flag, an error will be reported if the provided json/yaml data has a conflicting overlap with the virtual documents generated by Rego rules. Such conflicts are ambiguous and can lead to unexpected evaluation results, and should be resolved.
- cmd/inspect: Fixing missing annotations location in opa inspect with JSON format (#7459) authored by @johanfylling reported by @mostealth
- cmd/parse: Expose --v0-compatible flag (#7668) authored by @tsandall
- cmd/refactor: Fix src:dst parsing to deal with colons (#7648) authored by @tsandall
- metrics: Fix restartable timer bug. (#7669) authored by @philipaconrad
- metrics: Prealloc maps + add benchmark (#7664) authored by @philipaconrad
- oracle: Add support for some and every (#7716) authored by @charlieegan3
- oracle: Support object refs in FindDefinition (#7711) authored by @charlieegan3
- plugin/decision: Check if event is too large after compression (#7526) authored by @sspaink
- runtime,server: Replace gorilla/mux dependency with http.ServeMux (#7676) authored by @anderseknert
  Note: This is a potentially breaking change for Go API users directly interfacing with the OPA server's routing.
- server: Fix deferred metrics timers. (#7671) authored by @philipaconrad
- server: Fix query url when opa is served not from root path (#7644) authored by @olegKoshmeliuk
  Note: This is only applicable for the web UI hosted by OPA on its root path (/) and OPA is served at some other path than root.
Compiler, Topdown and Rego
- ast: Ensure surplus leading zeros always error (#7726) authored by @charlieegan3
  Note: Primitive Rego number values with leading zeros (e.g. 0123) are now considered invalid at time of parsing and will generate an error. If you're impacted by this change, please update your policies to not have numbers with leading zeros. E.g. 0123 should be changed to 123.
- ast: Fixing type-checker schema cache race condition for inlined schemas (#7679, 7571) authored by @johanfylling reported by @daniel-petrov-gig
- perf: Improve performance when referencing "global" in loop (#7654) authored by @anderseknert
- topdown: Fix issue where path in walk would get mutated (#7656) authored by @anderseknert reported by @robmyersrobmyers
- topdown/http: Lenient application/json Content-Type header (#6684) authored by @sspaink reported by @mrvanes
Docs, Website, Ecosystem
- adopters: add Pix4D as adopters for its RBAC service (#7645) authored by @marcaurele
- api: Expand docs for RegisterBuiltin - no thread-safety (#7667) authored by @anderseknert reported by @parth-mehta-989
- docs: Added a search function for the builtins section of policy-reference (#7704) authored by @sky3n3t
- docs: Add another OR note in AND section (#7706) authored by @charlieegan3
- docs: Add basic docs covering CI/CD use case (#7703) authored by @charlieegan3
- docs: Add current ecosystem contribution docs (#7678) authored by @charlieegan3
- docs: Add EvergreenCodeBlock for code with version (#7706) authored by @charlieegan3
- docs: Add feedback form for user reported issues (#7662) authored by @charlieegan3
- docs: Address broken links (#7661) authored by @charlieegan3
- docs: Archive explain that only latest patch is shown (#7682) authored by @charlieegan3
- docs: Fix bug where the search match respects case (#7713) authored by @sky3n3t
- docs: Hide feedback pop-up forever if dismissed (#7674) authored by @charlieegan3
- docs: Improve bundle structure documentation (#7683) authored by @charlieegan3
- docs: Improve explanations for initial examples (#7677) authored by @charlieegan3
- docs: Install/Download Instruction Update (#7687) authored by @charlieegan3
- docs: Move code example data inside the PlaygroundComponent (#7724) authored by @sky3n3t
- docs: policy-reference, update sig algs formatting (#7685) authored by @charlieegan3
- docs: Redirect old admission control link (#7730) authored by @charlieegan3
- docs: Refactored Networking Reference docs (#7686) authored by @sky3n3t
- docs: Revise sidebar order and layout (#7731) authored by @charlieegan3
- docs: Reworked existing policy examples to use PlaygroundExample (#7690) authored by @sky3n3t
- docs: Show a feedback popup on the docs site (#7663) authored by @charlieegan3
- docs: Show edge rather than latest release (#7717) authored by @charlieegan3
- docs: Show TOC on CLI page (#7712) authored by @charlieegan3
- docs: Update colors for feedback form in dark mode (#7691) authored by @charlieegan3
- docs: Update...
v1.5.1
This is a bug fix release addressing a regression to the walk built-in function, introduced in v1.5.0. See #7656 (authored by @anderseknert reported by @robmyersrobmyers)
v1.5.0
b7d0a13
This release contains a mix of new features, performance improvements, and bugfixes. Among others:
- Support for AWS SSO credentials provider
- Support for signing client assertions with Azure Keyvault
- Faster object.get, walk and builtin-function evaluation
- Improved guardrails in the parser
- Improvements to decision logging
Modernized OPA Website (#7037)
The OPA website has been modernized with a new design and improved user experience.
The new site is based on Docusaurus and React which makes it easier to build live functionality and add non-documentation resources. This lays the groundwork for even more improvements in the future!
Documentation for older OPA versions is still available in the version archive.
Authored by @charlieegan3
Runtime, Tooling, SDK
- ast: Only use JSON-escaped literal when needed in ref to string conversion (#7550) reported and authored by @xubinzheng
- ast: Parser recursion depth guard (#7568) authored by @thevilledev
- ast: Retaining SomeDecl Location field when compiler resolves refs (#7543) authored by @johanfylling
- bundle: Setting default rego-version in bundle API (#7588) authored by @johanfylling reported by @xubinzheng
- perf: Improved "baseline" metrics of opa bench for trivial queries (#7580) authored by @anderseknert
- plugins/decision: Don't drop adaptive uncompressed size limit on upload (#7562) authored by @sspaink
- plugins/decision: Set config boundaries to upload_size_limit_bytes (#7563) (authored by @sspaink)
- plugins/rest: Add support for AWS SSO credentials provider (#7527) authored by @efiShtain
- plugins/rest: Support signing of client assertions with Azure Keyvault (#7462) reported and authored by @Od1nB
- plugins/status: Support graceful shutdown timeout (#7576) authored by @sspaink
- rego: Don't generate JSON values for wildcard/generated keys in result set (#7567) authored by @anderseknert
- runtime: Don't override user set version commit and timestamp (#7471) reported by @kastl-ars authored by @sspaink
Planner, Topdown and Rego
- planner: Deal with var-for-function replacement in indirect calls (#5311) authored by @srenatus
- topdown: Faster object.get built-in function (#7593) authored by @anderseknert
- topdown: Faster walk built-in function (#7612) authored by @anderseknert
- topdown: Improved default rule value inlining (#1418) authored by @johanfylling
- topdown: Improved GraphQL error handling (#7622) reported and authored by @robmyersrobmyers
Docs, Website, Ecosystem
- docs: Fix helm-kubernetes-quickstart bundle (#7606) reported and authored by @nejec
- docs: Add Swift-OPA to the Ecosystem Page (#7610) authored by @charlieegan3
- docs: Add Tutorial Redirects (#7603) reported by @nataraj24 authored by @charlieegan3
- Fix links in README (#7633) authored by @ffjlabo
Miscellaneous
- github_actions: Adding monthly check for broken hyperlinks (#7537) authored by @sspaink
- perf: Extended interning (#7636) authored by @anderseknert
- perf: Ref.String() shortcut on single var term ref (#7595) authored by @anderseknert
- refactor: Don't return error from opaTest (#7560) authored by @sspaink
- refactor: Remove internal/gqlparser and use upstream dependency instead. (#7520) authored by @robmyersrobmyers
- test: Fix flaky TestContextErrorHandling (#7587) authored by @sspaink
- Apply modernize linter fixes (#7599) authored by @anderseknert
- Use any in place of interface{} (#7566) authored by @anderseknert
- Dependency updates; notably:
- build: bump go from 1.24.0 to 1.24.3
- build(deps): bump containerd to v2.1.1 (#7627) authored by @johanfylling reported by @robmyersrobmyers
- build(deps): bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0
- build(deps): bump github.com/prometheus/client_golang from 1.21.1 to 1.22.0
- build(deps): bump github.com/prometheus/client_model from 0.6.1 to 0.6.2
- build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0
- build(deps): bump google.golang.org/grpc from 1.71.1 to 1.72.0
v1.4.2
5e4582b
This is a bug fix release addressing the missing capabilities/v1.4.1.json in the v1.4.1 release.
v1.4.1
3b64aff
v1.4.0
8b07202
This release contains a security fix addressing CVE-2025-46569.
It also includes a mix of new features, bugfixes, and dependency updates.
Security Fix: CVE-2025-46569 - OPA server Data API HTTP path injection of Rego (GHSA-6m8w-jc87-6cr7)
A vulnerability in the OPA server's Data API allows an attacker to craft the HTTP path in a way that injects Rego code into the query that is evaluated.
The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results.
Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.
Users are only impacted if all of the following apply:
- OPA is deployed as a standalone server (rather than being used as a Go library)
- The OPA server is exposed outside of the local host in an untrusted environment.
- The configured authorization policy does not do exact matching of the input.path attribute when deciding if the request should be allowed.
or, if all of the following apply:
- OPA is deployed as a standalone server.
- The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA's Data API.
Note: With no Authorization Policy configured for restricting API access (the default configuration), the RESTful Data API provides access for managing Rego policies; and the RESTful Query API facilitates advanced queries.
Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate.
As such, OPA servers exposed to a network are not considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.
This issue affects all versions of OPA prior to 1.4.0.
See the Security Advisory for more details.
Reported by @GamrayW, @HyouKash, @AdrienIT, authored by @johanfylling
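The second set of conditions above (a service that lets third parties place unsanitised text in the Data API path) can also be closed on the calling side. The following Go client is an added example, not code from the OPA project: it maps a caller-supplied tenant name onto a fixed Data API path. The data.tenants.<tenant>.allow layout, the tenant names and the DecisionURL helper are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ErrRejected marks caller-supplied text that must not reach the OPA request path.
var ErrRejected = errors.New("rejected: value not allowed in Data API path")

// identRE accepts plain identifiers only, so slashes, dots, brackets, quotes,
// whitespace and percent-escapes can never become part of the request path.
var identRE = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,63}$`)

// knownTenants is a constructed allowlist (assumption); a real service would
// load it from its own configuration.
var knownTenants = map[string]bool{"acme": true, "globex": true}

// DecisionURL builds the Data API URL for the hypothetical rule
// data.tenants.<tenant>.allow. tenant is the only third-party-controlled
// value; every other path segment is a constant chosen by the service.
func DecisionURL(base, tenant string) (string, error) {
	// 1. Syntactic check: the value must be a single plain identifier.
	if !identRE.MatchString(tenant) {
		return "", fmt.Errorf("%w: %q is not a plain identifier", ErrRejected, tenant)
	}
	// 2. Semantic check: only tenants the service already knows are queried.
	if !knownTenants[tenant] {
		return "", fmt.Errorf("%w: unknown tenant %q", ErrRejected, tenant)
	}
	segments := []string{"v1", "data", "tenants", tenant, "allow"}
	for i, s := range segments {
		// A no-op for identifiers; kept as defence in depth should the
		// validation above ever be relaxed.
		segments[i] = url.PathEscape(s)
	}
	return strings.TrimRight(base, "/") + "/" + strings.Join(segments, "/"), nil
}

func main() {
	// Constructed inputs: one legitimate tenant and several values that
	// must never be copied into the path.
	for _, in := range []string{"acme", "a/b", "..", "acme%2Fallow", "initech"} {
		u, err := DecisionURL("http://127.0.0.1:8181", in)
		fmt.Printf("%-16q url=%q err=%v\n", in, u, err)
	}
}
```

Rejecting the value outright, rather than trying to escape it, keeps the set of paths the service can ever request finite and reviewable.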
Runtime, Tooling, SDK
- ast: Adding rego_v1 feature to --v0-compatible capabilities (#7474) authored by @johanfylling
- executable: Add version and icon to OPA windows executable (#3171) authored by @sspaink reported by @christophwille
- format: Don't panic on format due to unexpected comments (#6330) authored by @sspaink reported by @sirpi
- format: Avoid modifying strings when formatting (#6220) authored by @sspaink reported by @zregvart
- plugins/status: FIFO buffer channel for status events to prevent slow status API blocking (#7522) authored by @sspaink
Topdown and Rego
- gqlparser: Add JSON annotation in internal/gqlparser/ast to Position fields (#7509) authored by @robmyersrobmyers
- graphql: Cache GraphQL schema parse results (#7457) authored by @robmyersrobmyers
- topdown: Handling default functions in Partial Eval (#7220) authored by @johanfylling
- topdown: Fix wall clock time init for PartialRun() (#7490) authored by @srenatus
- topdown: Zero alloc lower/upper unless changed (#7472) authored by @anderseknert
Docs, Website, Ecosystem
- adopters: Cloudsmith adds support for OPA (#7498) authored by @ndouglas-cloudsmith
- docs: Fixed broken docs link (#7452) reported and authored by @fvarg00
- docs: Update built-in function examples for OPA v1 (#7514) reported and authored by @robmyersrobmyers
- docs: Add link to inline schema annotations (#7496) authored by @kmadan
- docs: Add manual trigger to integration docs (#7473) authored by @charlieegan3
- docs: Point path versioned requests to new sites (#7531) authored by @charlieegan3
- docs: Update community slack inviter link (#7488, #7493) authored by @charlieegan3
- docs: Set versioned docs links to point to archive (#7528) authored by @charlieegan3
- docs: Update helm-kubernetes-quickstart bundle (#7469) authored by @johanfylling
- docs: Update opa-docker-authz example to use ghcr and v0.10 release tag (#7513) authored by @larhauga
- docs: Fix post merge badge (#7532) authored by @sspaink
- docs: Improve request headers documentation in REST APIs (#7524) authored by @ali-jalaal
- docs: Update edge links to use /docs/edge/ path (#7529) authored by @charlieegan3
- ecosystem: Add NACP integration (#7503) authored by @charlieegan3
- ecosystem: Update traefik integration docs (#7506) authored by @charlieegan3
- ecosystem: Add Principled Evolution integration (#7495) authored by @kmadan
- ecosystem: Add tavo to ecosystem integration (#7511) authored by @percyding-tavo
Miscellaneous
- Dependency updates; notably:
- build(deps): bump github.com/hypermodeinc/badger from v4.6.0 to v4.7.0
- build(deps): bump github.com/spf13/viper from 1.18.2 to 1.20.1
- build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0
- build(deps): bump google.golang.org/grpc from 1.71.0 to 1.71.1
- build(deps): bump oras.land/oras-go/v2 from 2.3.1 to 2.5.0
v1.3.0
89f4835
This release contains a mix of features, bugfixes, and dependency updates.
New Buffer Option for Decision Logs (#5724)
A new, optional, buffering mechanism has been added to decision logging.
The default buffer is designed around making precise memory footprint guarantees, which can produce lock contention at high loads, negatively impacting query performance.
The new event-based buffer is designed to reduce lock contention and improve performance at high loads, but sacrifices the memory footprint guarantees of the default buffer.
The new event-based buffer is enabled by setting the decision_logs.reporting.buffer_type configuration option to event.
For more details, see the decision log plugin README.
Reported by @mjungsbluth, authored by @sspaink
OpenTelemetry: HTTP Support and Expanded Batch Span Configuration (#7412)
Distributed tracing through OpenTelemetry has been extended to support HTTP collectors (enabled by setting the distributed_tracing.type configuration option to http).
Additionally, configuration has been expanded with fine-grained batch span processor options.
Authored and reported by @sqyang94
Runtime, Tooling, SDK
- compile: Require multi-term entrypoint paths for optimized bundle building (#7321) authored by @johanfylling reported by @nikpivkin
- fmt: Allow one liner rule grouping (#6760) authored by @anderseknert
- fmt: Fix v0-compatible fmt with stdin (#7409) authored and reported by @charlieegan3
- ir: Fix nil pointer deref in Unmarshal() when handling IsSetStmt (#7415) authored and reported by @KrisKennawayDD
- planner: Fix Wasm vs non-Wasm evaluation difference bug related to the overeager optimization of ref head rules (#7439) authored by @srenatus
- sdk: Removing repeat args from sub-func call (#7443) authored by @alingse
- tester: Including parameterized test cases in test report counter (#7407) authored by @johanfylling
- tester: Only including failed sub-test cases in report summary when non-verbose (#7426) authored by @johanfylling
Docs, Website, Ecosystem
- docs: Add some notes about AI assisted patches (#7436) authored by @charlieegan3
- docs: Add query_parameters_to_set (#7405) authored by @sedovmik
- docs: Delete reference to license key in Envoy tutorial (#7466) authored by @joostholslag
- docs: Fix typo in Envoy tutorial (#7464) authored by @joostholslag
- docs: Update slack inviter link (#7450) authored by @charlieegan3
- docs: Update terraform examples (#7429) authored by @charlieegan3
- docs: Simplify kind usage instruction in Envoy tutorial (#7465) authored by @joostholslag
Miscellaneous
- Enable unused-receiver linter (revive) (#7448) authored by @anderseknert
- Dependency updates; notably:
- build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27
- build(deps): bump github.com/dgraph-io/badger/v4 from 4.5.1 to 4.6.0
- build(deps): bump github.com/opencontainers/image-spec from 1.1.0 to 1.1.1
- build(deps): bump github.com/prometheus/client_golang 1.21.0 to 1.21.1
- build(deps): bump golang.org/x/net from 0.35.0 to 0.37.0
- build(deps): bump golang.org/x/time from 0.10.0 to 0.11.0
- build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0
- build(deps): bump go.opentelemetry.io deps to 1.35.0/0.60.0
v1.2.0
d537788
This release contains a mix of features, performance improvements, and bugfixes.
Parameterized Rego Tests (#2176)
Rego tests now support parameterization, allowing a single test rule to include multiple, hierarchical, named test cases.
This feature is useful for data-driven testing, where a single test rule can be used for multiple test cases with different inputs and expected outputs.

    package example_test

    test_concat[note] if {
        some note, tc in {
            "empty + empty": {
                "a": [],
                "b": [],
                "exp": [],
            },
            "empty + filled": {
                "a": [],
                "b": [1, 2],
                "exp": [1, 2],
            },
            "filled + filled": {
                "a": [1, 2],
                "b": [3, 4],
                "exp": [1, 2, 3], # Faulty expectation, this test case will fail
            },
        }

        act := array.concat(tc.a, tc.b)
        act == tc.exp
    }

    $ opa test example_test.rego
    example_test.rego:
    data.example_test.test_concat: FAIL (263.375µs)
      empty + empty: PASS
      empty + filled: PASS
      filled + filled: FAIL
    --------------------------------------------------------------------------------
    FAIL: 1/1

See the documentation for more information.
Authored by @johanfylling, reported by @anderseknert
Performance Improvements
- perf: Add ref.CopyNonGround (#7350) authored by @anderseknert
- perf: opa fmt 3x faster formatting (#7341) authored by @anderseknert
- perf: Cost of indexing greatly reduced (#7370) authored by @anderseknert
- perf: Eval optimizations (#7367) authored by @anderseknert
- perf: Intern annotation terms (#7365) authored by @anderseknert
- perf: Slightly more efficient policy scanning (#7368) authored by @anderseknert
- perf: Switch to a faster xxhash package (7362) authored by @Juneezee
- perf: Use GetByValue to avoid boxing to interface{} (#7372) authored by @anderseknert
- perf: Various small improvements (#7357) authored by @anderseknert
- perf: Improve storage lookup performance (#7336) authored by @anderseknert
- perf: optimize iteration (#7327) authored by @anderseknert
Topdown and Rego
- rego+topdown: Allow providing custom base cache (#7329) authored by @anderseknert
Runtime, Tooling, SDK
- ast: Add missing BuildAnnotationSet to ast v0 (#7347) authored by @anderseknert
- ast: Eliminate allocation in Value.Find, and other improvements (#7319) authored by @anderseknert
- ast: Use byte for RuleKind and DocKind (#7332) authored by @anderseknert
- ast.InterfaceToValue: add test case for []byte (#7379) authored by @dennygursky
- ast: support []string and ast.Value in ast.InterfaceToValue (#7306) authored by @regeda
- bundle: Fixing issue where --v0-compatible isn't respected for custom bundles (#7338) authored by @johanfylling
- cmd: Handle failing tests in opa test --bench (#7205) authored by @anderseknert
- cmd: Add decision ID to opa exec output (#7373) authored by @anderseknert
- oracle: Make oracle public under v1/ast/oracle (#7265) authored by @anderseknert
- oracle: Allow passing own compiler to oracle (#7354) authored by @anderseknert
- plugins/discovery: Enable tracing for discovery plugin (#7299) authored by @mjungsbluth
- plugins/rest: Do not attach authorization header in bearerAuthPlugin if response is a redirect (#7308) authored by @carabasdaniel
- server+distributedtracing: Add Additional Resource Attributes for OpenTelemetry (#7322) authored by @briankahoot reported by @briankahoot
- util: Add util.HasherMap (#7363) authored by @anderseknert
Docs, Website, Ecosystem
- docs: Add support link to README (#7359) (authored by @anderseknert)
- docs: Update example bundle to be v1 compatible (#7342) authored by @ashutosh-narkar
- docs: Add note about v1.0 addr behaviour (#7360) authored by @charlieegan3 reported by @ali-jalaal
- docs: Update homepage examples to drop v1 import (#7391) authored by @charlieegan3
- docs: Updating --v1-compatible mentions outside the v1 upgrade guide and v0 compatibility docs (#7337) authored by @johanfylling
- docs: Fixed invalid links to examples (#7326) authored by @JonathanDeLaCruzEncora
- MAINTAINERS: Add Anders and Charlie as maintainers (#7318) authored by @charlieegan3
Miscellaneous
- build+test: Add make test-short task (#7364) (authored by @anderseknert)
- build: Add gocritic linter (#7377) authored by @anderseknert
- build: Add nilness linter from govet (#7335) authored by @anderseknert
- build: Add perfsprint linter (#7334) authored by @anderseknert
- ci: Tagging release binaries with build version (#7395, #7397, #7400) authored by @johanfylling
- test: fix race in TestIntraQueryCache_ClientError and TestInterQueryCache_ClientError (#7280) authored by @Juneezee
- misc: Use Go 1.22+ int ranges (#7328) authored by @anderseknert
- Dependency updates; notably:
- build: bump go from 1.23.5 to 1.24.0
- build(deps): bump github.com/agnivade/levenshtein from 1.2.0 to 1.2.1
- build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26
- build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
- build(deps): bump github.com/prometheus/client_golang
- build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1
- build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
- build(deps): bump golang.org/x/net from 0.34.0 to 0.35.0
- build(deps): bump golang.org/x/time from 0.9.0 to 0.10.0
- build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1
- Bump golangci-lint from v1.60.1 to 1.64.5
v1.1.0
de28510
This release contains a mix of features, performance improvements, and bugfixes.
Performance Improvements
- ast: Remove jsonOptions from AST nodes and terms (#7281) authored by @anderseknert
- ast+plugins: Optimize activation of bundles with no inter-bundle path overlap (#7144) authored and reported by @sqyang94
- bundle: Optimizing rego-version management in bundle activation (#7296) authored by @johanfylling
- cmd: Don't generate JSON from result in opa bench (#7291) authored by @anderseknert
- topdown: Adding configurable token cache to io.jwt token verification built-ins (#7274) authored by @johanfylling
- topdown: Reduce allocations in hot path (#7288) authored by @anderseknert
- perf: Improvements to terms and built-in functions (#7284) authored by @anderseknert
- perf: add Regorus ACI benchmark tests (#7298) authored by @anderseknert
- plugins: Don't use reflect.DeepEqual for errors (#7238) authored by @anderseknert
- testing: replace reflect.DeepEqual where possible (#7286) authored by @anderseknert
Topdown and Rego
- topdown: Fix out of range error in numbers.range built-in (#7269) authored by @anderseknert
- topdown+rego+server: Allow opt-in for evaluating non-det builtins in PE (#6496) authored by @srenatus
Runtime, Tooling, SDK
- bundle: Add info about the correct rego version to parse modules on the store (#7278) co-authored by @ashutosh-narkar and @johanfylling
- bundle+plugins: Fixing issue where bundle plugin could panic on reconfiguration (SDK use) (#7297) authored by @johanfylling reported by @carabasdaniel
- cmd: Fix printed representation of ref head rules in opa repl (#7301) authored by @anderseknert reported by @tsandall
- cmd: Respect --v0-compatible for opa eval partial eval support modules (#7251) authored by @johanfylling
- golangci: fix invalid linter-settings configuration name (#7244) authored by @Juneezee
- plugins/logs: Add support for masking with array keys (#6883) authored by @charlieegan3
- tester: code nitpicks (#7252) authored by @srenatus
- util: Add util.Keys and util.KeysSorted (#7285) authored by @anderseknert
Docs, Website, Ecosystem
- docs: Update docker compose file in HTTP API tutorial and use addr for binding (#7264) authored and reported by @zanliffick
- docs: Make 'ancient' warnings closable (#7253) authored by @srenatus reported by @konradzagozda
- docs: Redirect opa-1 to v0-upgrade (#7259) authored by @charlieegan3
- docs: Use preformatted strings in fmt help (#7263) authored by @charlieegan3
- docs: Fix typo in k8s primer (#7242) authored by @vicentinileonardo
- docs: Formatting and wording fixes (#7268) authored by @kamilturek
- docs: Update output document of Envoy plugin. (#7241) authored by @regeda
Miscellaneous
- ci(nightly): Remove vendor w/o modproxy check (#7292) authored by @srenatus
- Dependency updates; notably:
- build(go): bump to 1.23.5 (7279) authored by @srenatus
- build(deps): upgrade github.com/dgraph-io/badger to v4 (4.5.1) (#7239) authored by @Juneezee
- build(deps): bump github.com/containerd/containerd from 1.7.24 to 1.7.25
- build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2
- build(deps): bump golang.org/x/net from 0.33.0 to 0.34.0
- build(deps): bump golang.org/x/time from 0.8.0 to 0.9.0
- build(deps): bump google.golang.org/grpc from 1.69.2 to 1.70.0
- build(deps): bump go.opentelemetry.io deps to 1.34.0/0.59.0
v1.0.1
This is a bug fix release addressing the following issues:
- build(go): bump to 1.23.5 (authored by @srenatus).
  Addressing CVE-2024-45341 and CVE-2024-45336 vulnerabilities in the Go runtime.
- bundle: Add info about the correct rego version to parse modules on the store, co-authored by @ashutosh-narkar and @johanfylling in #7278.
  Fixing an issue where the rego-version for individual modules was lost during bundle deactivation (bundle lifecycle) if this version diverged from the active runtime rego-version.
  This could cause reloading of v0 bundles to fail when OPA was not running with the --v0-compatible flag.