Releases: authzed/spicedb
Releases · authzed/spicedb
v1.44.3
What's Changed
- Remove subject check for deleted definitions in schema by @josephschorr in #2395
- revert PR #2382 by @miparnisari in #2397
- Handle both kinds of cancelation errors in test, part 2 by @miparnisari in #2402
- collect unit test coverage for codecov to work by @miparnisari in #2401
- include integration tests in code coverage by @miparnisari in #2403
- add codecov badge by @miparnisari in #2404
- update codecov.yaml by @miparnisari in #2408
- Add additional unit tests for the development package by @josephschorr in #2407
- Add additional unit tests to preshared key package by @josephschorr in #2406
- Add unit test for running main SpiceDB binary by @josephschorr in #2405
- Add development containers support by @katallaxie in #2379
- Add additional unit tests for the caveat replacer package by @josephschorr in #2409
- Add additional testing for perfinsights middleware by @josephschorr in #2412
- Add additional unit tests for the caveats package by @josephschorr in #2411
- Add tests for the pertoken middleware by @josephschorr in #2413
- Add additional testing for releases package by @josephschorr in #2415
- Add additional testing for telemetry package by @josephschorr in #2414
- Fix the kind of the logical checks telemetry by @josephschorr in #2416
- Rename the telemetry metric back, as fixing its type didn't break anything by @josephschorr in #2417
- Bump golang from 1.24.2-alpine3.20 to 1.24.3-alpine3.20 in the docker group by @dependabot in #2421
- Bump the github-actions group with 4 updates by @dependabot in #2423
- Add an additional unit test for the main function by @josephschorr in #2420
- Implement a typechecking function in schema by @barakmich in #2374
- remove serve-devtools command by @miparnisari in #2424
- improvements to context severing by @vroldanbet in #2370
- Secondary dispatch improvements by @josephschorr in #2389
- move default GOMEMLIMIT to 90% of available memory by @vroldanbet in #2427
- Fix flaky cluster test by @josephschorr in #2428
- Fix the flaky cluster test by @josephschorr in #2429
- Fix flaky reporter test by @josephschorr in #2430
- Quick test fixes for typechecking by @barakmich in #2425
- Add additional unit tests to the indexcheck package by @josephschorr in #2419
- Remove codecov from ALL zz files, which include migrations, which are… by @josephschorr in #2431
- Add unit tests for the dispatcher middleware by @josephschorr in #2432
- revert pgx context cancellation by @vroldanbet in #2434
New Contributors
- @katallaxie made their first contribution in #2379
Full Changelog: v1.44.0...v1.44.3
Docker Images
This release is available at authzed/spicedb:v1.44.3, quay.io/authzed/spicedb:v1.44.3, ghcr.io/authzed/spicedb:v1.44.3
Contributors
barakmich, katallaxie, and 4 other contributors
Assets 15
- sha256:76340b0f5fb11a74cda63479a672a2e6f47d3c03ebf38aa9bf9b5980ec129d80
2025-06-09T19:53:23Z - sha256:4cc85376ab5ee10368ac55d80a8d2545dcaa5671e0b5923ee2fe7e196192b204
2025-06-09T19:53:21Z - sha256:923724d14618c7ef14beed1af58358fb448649bcb83b4a5097e7301e4a406ead
2025-06-09T19:53:20Z - sha256:c5415e501ff62e1de611ec207c12c415d168e102d170207568ff307cd1c7393e
2025-06-09T19:53:22Z - sha256:8e0ff6a5bafec06c6678c70be0c680e3eefb30b87a34e6b8b8ad4501aa7d41a1
2025-06-09T19:53:23Z - sha256:33a6b8859959dc9dad1c7e862471b7d3e05188c31ce9dc09d1294a803a3a5722
2025-06-09T19:53:22Z - sha256:29351d016a825ec25b1ac6635cfa9e3f5ecb5777fc1a80db8fc121ff608090ce
2025-06-09T19:53:20Z - sha256:b0563f7f6f3686f0472faab93bfe1f3aeca28e01b5acf2ccb0fb2a69d1133d29
2025-06-09T19:53:22Z - sha256:c037817b6f9f2526e62f408ba9475a5c263100dbad1ebc6b1dce1afa7a758c9a
2025-06-09T19:53:23Z - sha256:d6fb28cf494ea2b7328a9ade0c4439d20ee1947b60997184974a72cbbf13f3a3
2025-06-09T19:53:22Z -
2025-06-09T16:27:16Z -
2025-06-09T16:27:16Z - Loading
v1.44.2
This is a hotfix release that contains the patch for CVE-2025-49011
Full Changelog: v1.44.0...v1.44.2
Docker Images
This release is available at authzed/spicedb:v1.44.2, quay.io/authzed/spicedb:v1.44.2, ghcr.io/authzed/spicedb:v1.44.2
v1.44.0
Highlights
New Features
- Add new flag that toggles a new performance insights prometheus metric:
--enable-performance-insight-metrics(#2383)
Bug Fixes
- Fix issue with underscore handling when deleting by object prefix (#2393)
What's Changed
- Bump the go-mod group with 14 updates by @dependabot in #2378
- pin github action and dockerfile.release base image by @miparnisari in #2381
- Add additional forced CRDB index in special case of no object IDs by @josephschorr in #2385
- Cache Features call in CRDB and skip outputting the check error by @josephschorr in #2380
- remove direct dependency to aws sdk v1 by @miparnisari in #2382
- add more default linters by @miparnisari in #2387
- Handle both kinds of cancelation errors in test by @josephschorr in #2390
- Add perfinsights middleware which writes the latency of API calls by @josephschorr in #2383
- Bump chainguard-dev/actions from 1.0.4 to 1.0.6 in the github-actions group by @dependabot in #2377
- Add additional steelthread test for an LR of page size 1 by @josephschorr in #2391
- Make sure to escape underscores in delete by object ID prefix by @josephschorr in #2393
- fix(CI): CLA GitHub Action permissions by @squat in #2394
- Refactor slice chunking using slices.Chunk from Go 1.23 and improve test coverage by @redouan-rhazouani in #2392
New Contributors
- @squat made their first contribution in #2394
- @redouan-rhazouani made their first contribution in #2392
Full Changelog: v1.43.0...v1.44.0
Docker Images
This release is available at authzed/spicedb:v1.44.0, quay.io/authzed/spicedb:v1.44.0, ghcr.io/authzed/spicedb:v1.44.0
Contributors
josephschorr, miparnisari, and 3 other contributors
Assets 16
v1.43.0
What's Changed
- introduces depot runners by @vroldanbet in #2297
- feat: make build notification links clickable by @Verolop in #2303
- Bump golang from 1.24.0-alpine3.20 to 1.24.2-alpine3.20 in the docker group by @dependabot in #2298
- Bump the go-mod group with 26 updates by @dependabot in #2299
- fixes incorrect handling of definition deltas via Postgres Watch API by @vroldanbet in #2305
- enable tparallel to keep tests fast by @vroldanbet in #2306
- Add improved caveat filtering to the datastore relationship filter by @josephschorr in #2309
- bug-fix(schema): prevent schema write failures when migrating to caveated relation by @kartikaysaxena in #2308
- Remove panic from devcontext serve in favor of a warning by @josephschorr in #2312
- fix(memdb): check if closed by @miparnisari in #2307
- Fix handling of no columns in Spanner by @josephschorr in #2319
- Update Go to 1.23.8 to fix a reported vuln in Go by @josephschorr in #2318
- [typesystem] Remove
typesystempackage by @barakmich in #2313 - put error checks before accessing return values by @miparnisari in #2317
- Ensure the Postgres read-write tx uses the TX for the reader by @josephschorr in #2321
- Improved indexing part 2 by @josephschorr in #2310
- Add option to disable watch by @josephschorr in #2323
- Force indexes on Postgres and change subject sort order to match index by @josephschorr in #2327
- introduces a flag to relax postgres isolation level by @vroldanbet in #2324
- internal/datastore/pg: server-side loop for repair by @jzelinskie in #2322
- Force indexes on Spanner and change subject sort order to match index by @josephschorr in #2326
- postgres: optimize CheckRevision query by @vroldanbet in #2328
- document packages by @miparnisari in #2316
- Further optimize the cases when transaction metadata is written in CRDB by @josephschorr in #2330
- Add logical checks telemetry by @josephschorr in #2325
- Switch to larger depot instances for datastore consistency tests by @josephschorr in #2331
- Add a concept of a caveat TypeSet to allow overriding the types available to caveat processing by @josephschorr in #2315
- Simplify the registration in the caveats typeset by @josephschorr in #2335
- Add accessors for deserialization of a caveat using a custom typeset by @josephschorr in #2336
- Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group by @dependabot in #2332
- add mutex analyzer by @miparnisari in #2334
- Bump the go_modules group across 2 directories with 1 update by @dependabot in #2337
- Fix logger for certmanager by @tstirrat15 in #2338
- amend mutex analyzer by @miparnisari in #2339
- amend mutex analyzer by @miparnisari in #2340
- Change PG and CRDB datastore drivers to use PGX cancelation by @josephschorr in #2294
- Add retries to MySQL test DB constructor by @josephschorr in #2343
- Minimal decoupling of validation file parsing and schema compilation by @tstirrat15 in #2342
- Switch the loader to use the passed-in typeset by @josephschorr in #2344
- Add missing type set pass, add test and rename all defaults by @josephschorr in #2346
- remove dependency on github.com/hashicorp/go-multierror by @miparnisari in #2345
- Fix labels on telemetry metric by @josephschorr in #2348
- Switch experimental column optimizations to be enabled by default by @josephschorr in #2349
- Disable test of readonly serve-test, as it is making the test server … by @josephschorr in #2350
- Use golangci-lint v2 for linting by @tstirrat15 in #2301
- add security policy by @miparnisari in #2352
- tighten github workflow scopes by @miparnisari in #2353
- fix regression in #2353 - add PR write permissions to labeler action by @miparnisari in #2355
- pin github actions by @miparnisari in #2356
- pin dockerfile images by @miparnisari in #2357
- add GCI linter for better organization of imports by @miparnisari in #2354
- add ssf badge by @miparnisari in #2359
- fix custom analyzers skipping all files by @miparnisari in #2360
- fix typo in goreleaser.windows.yml by @miparnisari in #2361
- Logging and metrics improvements after recent datastore changes by @josephschorr in #2362
- fix panic when running mage test:all by @miparnisari in #2363
- wires query shape into the datastore QueryRels latency metric by @vroldanbet in #2364
- Allow schema watch in CRDB driver when watch is otherwise disabled by @josephschorr in #2365
- make consistency middleware return invalid revision error as gRPC
InvalidArgumentby @vroldanbet in #2366 - add query shape and fix observe closer in ReverseQueryRelationships by @vroldanbet in #2367
- postgres datastore: do not warn on context cancelation by @vroldanbet in #2368
- Set pgx CancelRequestContextWatcherHandler.CancelRequestDelay to fixcancelation delay by @vroldanbet in #2369
- Improve CRDB index forcing logic to be more fine-grain by @josephschorr in #2376
Full Changelog: v1.42.1...v1.43.0
Docker Images
This release is available at authzed/spicedb:v1.43.0, quay.io/authzed/spicedb:v1.43.0, ghcr.io/authzed/spicedb:v1.43.0
Contributors
barakmich, jzelinskie, and 7 other contributors
Assets 15
v1.42.1
What's Changed
- remove limit in AtRevision in dispatch ResolverMeta by @ecordell in #2296
- support both old and new read replica flag prefixes by @ecordell in #2300
Full Changelog: v1.42.0...v1.42.1
Docker Images
This release is available at authzed/spicedb:v1.42.1, quay.io/authzed/spicedb:v1.42.1, ghcr.io/authzed/spicedb:v1.42.1
Contributors
ecordell
Assets 14
v1.42.0
Warning
1.42.0 introduced a backwards-incompatible change to the --datastore-read-replica-conn-pool-* flags. If you are configuring read replicas, please update your flags or use 1.42.1 instead, which supports both the old and new flags.
What's Changed
- magefile: added combined test coverage support for
mage test:allby @kartikaysaxena in #2235 - feat: add goreleaser job Slack notifications by @Verolop in #2258
- Bump the go-mod group with 14 updates by @dependabot in #2259
- Bump golang from 1.23.6-alpine3.20 to 1.24.0-alpine3.20 in the docker group by @dependabot in #2260
- Create a new schema package and port typesystem to it by @barakmich in #2253
- Add CRDB matrix tests by @josephschorr in #2261
- Require definitions and partials to have distinct names by @tstirrat15 in #2263
- Update the datastore interface to return the number of deleted relationships by @josephschorr in #2265
- Fix default concurrency limit for bulk check API by @josephschorr in #2266
- Fix LR2 secondary dispatch sometimes returning only one result by @ecordell in #2267
- Update DeleteRelationships API to return the number of relationships deleted by @josephschorr in #2269
- Bump golang.org/x/net from 0.35.0 to 0.36.0 in the go_modules group by @dependabot in #2271
- bug-fix: fix typo in flag prefix by @kartikaysaxena in #2276
- Secondary dispatch improvements: Add LookupSubjects support and dynamic hedging by @josephschorr in #2272
- Reattach child contexts to the parent for streaming dispatch by @josephschorr in #2277
- do not log at warn level when setting datastore in read-only by @vroldanbet in #2278
- Bump golang.org/x/net from 0.36.0 to 0.37.0 in /e2e in the go_modules group across 1 directory by @dependabot in #2273
- Convert packages to use the new schema package by @barakmich in #2262
- goreleaser-windows: fix deprecated option and update copyright year by @kartikaysaxena in #2281
- Add additional logging to flakey PG test by @josephschorr in #2280
- Have revision errors only log at debug level by @josephschorr in #2282
- [schema] fix automatic validation if the source is pre-validated by @barakmich in #2279
- Add a metric tracking the selected replica by @josephschorr in #2231
- upload coverage to codecov by @miparnisari in #2286
- add buf format to lint:extra by @miparnisari in #2289
- remove deprecated tenv linter by @miparnisari in #2288
- fixes to secondary dispatch hedger by @vroldanbet in #2283
- amend #2286 by @miparnisari in #2291
- Have dispatch skip hedging delays when dispatching to unsupported relations by @josephschorr in #2290
- Start on better indexing support by @josephschorr in #2223
- Schema Change Events via Watch API by @miparnisari in #2284
- update mysql docs by @miparnisari in #2293
- fix leader election retry interval for revision heartbeat by @vroldanbet in #2295
New Contributors
- @Verolop made their first contribution in #2258
- @miparnisari made their first contribution in #2286
Full Changelog: v1.41.0...v1.42.0
Docker Images
This release is available at authzed/spicedb:v1.42.0, quay.io/authzed/spicedb:v1.42.0, ghcr.io/authzed/spicedb:v1.42.0
Contributors
ecordell, barakmich, and 7 other contributors
Assets 13
v1.41.0
Highlights
🪞Schema Reflection APIs are now GA! Reference information about your schema without computing permissions, making it easier to build features like dynamic admin panels
🩵 Postgres and MySQL interface improvements
Don't miss
🎼 Available in zed v0.27.0, you can now try out composable schemas! Introducing two new concepts, schema import statements and partials, we've made it easier to write concise schemas and for multiple teams to work on separate files. For more info, check out the docs.
Features
- Promote reflection APIs from experimental to V1 schema service by @josephschorr in #2249
- Support follower read delay flag with Postgres and MySQL datastores by @ecordell in #2245
Enhancements
- Port expiration compiler changes into composableschemadsl by @tstirrat15 in #2240
- Import: improve err msg by @kartikaysaxena in #2242
- Improve handling of watch errors by @josephschorr in #2244
- Change Spanner default metrics to go to OTEL by @josephschorr in #2248
- Make pg datastore continuously checkpoint using a revision heartbeat by @vroldanbet in #2252
- Follow ups to #2252 by @vroldanbet in #2254
Fixes
- Move nodeid default calculation to init to avoid race by @josephschorr in #2256
Updated Dependencies
- Bump the go-mod group across 1 directory with 34 updates by @dependabot in #2243
- Update go.mod for vulns in Go libs by @josephschorr in #2251
Full Changelog: v1.40.1...v1.41.0
Docker Images
This release is available at authzed/spicedb:v1.41.0, quay.io/authzed/spicedb:v1.41.0, ghcr.io/authzed/spicedb:v1.41.0
Contributors
ecordell, tstirrat15, and 4 other contributors
Assets 15
v1.40.1
What's Changed
- bug fix: implement flag for spanner by @kartikaysaxena in #2210
- security-fix: upgrade go base image to fix new CVE published by @kartikaysaxena in #2213
- Implement partials syntax parsing by @tstirrat15 in #2211
- Fixes for replicated query iterator by @josephschorr in #2214
- Switch namespace read call in Check to simplify by @josephschorr in #2215
- Have LookupSubjects return Unimplemented if a cursor is used by @josephschorr in #2216
- [mysql] pipe logger into mysql for debug printing (#1055) by @barakmich in #2217
- Change strict reading PG to only return rows when valid by @josephschorr in #2219
- Remove parallel test to reduce flakiness by @josephschorr in #2222
- Implement partials compilation by @tstirrat15 in #2212
- Add metrics for usage of the replication proxies in the datastore by @josephschorr in #2229
- Update tracing logic in authn code by @tstirrat15 in #2230
- Remove the reference for changes being emitted by Watch by @josephschorr in #2232
- fixes pg replica error: "canceling statement due to conflict with recovery by @vroldanbet in #2233
- Change default version for CRDB testing to latest by @josephschorr in #2226
- Move to Go 1.23.6 for a reported Go vuln by @josephschorr in #2237
- Have strictreplicated proxy buffer relationships by @josephschorr in #2236
- crdb pool: handle cases with nil errors by @ecordell in #2238
- Port in expiration parsing into composable schema DSL by @tstirrat15 in #2239
New Contributors
- @barakmich made their first contribution in #2217
Full Changelog: v1.40.0...v1.40.1
Docker Images
This release is available at authzed/spicedb:v1.40.1, quay.io/authzed/spicedb:v1.40.1, ghcr.io/authzed/spicedb:v1.40.1
Contributors
ecordell, barakmich, and 4 other contributors
Assets 15
v1.40.0
Note
All datastores have a migration to add new columns for relationship expiration support
Highlights
⌛ Expiring relationships
⚡ Experimental SQL optimization
🔧 Read replica fixes
Features
Introducing first class support for expiring relationships in SpiceDB! Developers can now define a lifespan for relationships in schema, preventing unintended access through lingering permissions. Relationship expiration terms can also be dynamically defined by application end users, providing them with even more granular control over how they choose to share data.
For more details, refer to SpiceDB documentation: https://authzed.com/docs/spicedb/concepts/expiring-relationships
End to end support for experimental first-class relationship expiration feature by @josephschorr in #2152
Enhancements
Various improvements
- Make index creation idempotent by @josephschorr in #2197
- Implement simpler import syntax by @tstirrat15 in #2207
- Change feature detection for CRDB watch to not require waiting by @josephschorr in #2205
- Delete LookupResources v1, ReachableResources and all helper code by @josephschorr in #2203
- add schemaFile to ValidationFile by @kartikaysaxena in #2206
Garbage collection
- GC improvements: GC only on a single node and add a missing index in PG by @josephschorr in #2159
- Move unlock call to a background context in GC by @josephschorr in #2198
- Change GC test to always call GC directly by @josephschorr in #2165
Datastore tests
- Additional datastore tests by @josephschorr in #2180
- Add some additional datastore tests to improve coverage by @josephschorr in #2173
- Switch datastore tests to use a larger runner by @josephschorr in #2182
- Add basic steelthread tests for bulk import and export of relationships by @josephschorr in #2166
- Add steelthread tests to CI and to mage test:all by @josephschorr in #2167
- Add support for bulk check in steelthread test by @josephschorr in #2171
- Deparallelize the steelthread tests to hopefully remove the flakiness by @josephschorr in #2169
- Increase max number of retries on flaky test by @josephschorr in #2204
- Add additional tests to the datastore consistency test suite by @josephschorr in #2168
- Remove parallel running on datastore consistency tests to reduce flakiness by @josephschorr in #2186
- Disable retries on the serialization test for PG by @josephschorr in #2200
- Remove sleep in stats test unless needed by @josephschorr in #2201
- Improve test coverage of memdb datastore with some new rel tests by @josephschorr in #2172
- Switch postgres tests to run in a matrix of versions by @josephschorr in #2195
- Add caveated bulk load test to datastore tests by @josephschorr in #2176
Observability, Debugging
- Add tracing to the LR2 implementation by @josephschorr in #2174
- Ensure source is returned for all check debug traces by @josephschorr in #2196
- Small changes around node IDs and trace IDs by @josephschorr in #2202
- Add support for debug traces in Check Bulk Permission by @josephschorr in #2193
- Add option to enable query parameters to appear in traces by @josephschorr in #2177
- Add slightly more information to the LR2 dispatch traces by @josephschorr in #2183
- Wire Spanner's logging up to zerolog by @josephschorr in #2181
Caveats
- Move caveat loading into a shared runner to reduce overhead in dispatch by @josephschorr in #2179
- Switch postgres to use a set and return an error if a duplicate caveat name is given by @josephschorr in #2199
- Relationships selected in SQL-based datastores now elide columns that have static values by @josephschorr in #2096
Fixes
- Remove now-unused windows workflow by @tstirrat15 in #2158
- Fix bulk export of relationships with caveats by @josephschorr in #2163
- Ensure datastore containers do not auto-restart by @josephschorr in #2187
- Fix the strict read proxy by @josephschorr in #2188
Updated dependencies
- Update Go crypto to v0.31.0 due to a reported vuln in that lib by @josephschorr in #2162
- Update net lib for reported Go library vulnerability by @josephschorr in #2175
- Bump the go_modules group across 2 directories with 1 update by @dependabot in #2161
- Bump golang from 1.23.3-alpine3.20 to 1.23.4-alpine3.20 in the docker group by @dependabot in #2184
- Bump the go-mod group with 23 updates by @dependabot in #2185
New Contributors
- @kartikaysaxena made their first contribution in #2206!
Full Changelog: v1.39.0...v1.40.0
Docker Images
This release is available at authzed/spicedb:v1.40.0, quay.io/authzed/spicedb:v1.40.0, ghcr.io/authzed/spicedb:v1.40.0
v1.39.1
This patch release includes a fix for a bug where exporting relationships were not including caveats.
What's Changed
- Backport changes from #2163 into 1.39.0 by @josephschorr in #2164
Full Changelog: v1.39.0...v1.39.1
Docker Images
This release is available at authzed/spicedb:v1.39.1, quay.io/authzed/spicedb:v1.39.1, ghcr.io/authzed/spicedb:v1.39.1
Contributors
josephschorr