v0.46.0

⚠️ CVE Mitigation ⚠️

This release is to mitigate critical severity GHSA-pppg-cpfq-h7wr which allows remote code execution. Pepr is not vulnerable to RCE due to having no attack service area to expose the library and being that Pepr talks to kube-apiserver to accept AdmissionReview objects and Kubernetes events. None the less, it is our practice to do a release when we see a high severity CVE.

What's Changed

• chore: test matrix with unicorn flavor by @cmwylie19 in #1837
• chore: rename api-token to api-path by @cmwylie19 in #1830
• chore: remove version from build by @cmwylie19 in #1842
• chore: override jsonpath-plus cve by @cmwylie19 in #1847

Full Changelog: v0.45.1...v0.46.0

v0.45.1

Deprecations 🚧

Deprecation Announcement

The version flag in npx pepr build -v flag is a flag to set a specific controller image version during the build. This flag has been deprecated and will be removed in the next release after discovering that it can potentially create conflicts. Should you want to set a specific version then update the image tag manually in the yaml files.

What's Changed ♻️

• fix: remove hardcoding from upgrade journey test by @samayer12 in #1767
• chore: add more testing around asset class by @cmwylie19 in #1753
• chore: deprecate build version command in cli and docs before release by @cmwylie19 in #1762
• chore: chainguard image to ghcr by @cmwylie19 in #1832
• chore: add test coverage for loading capabilities into controller by @cmwylie19 in #1828
• chore: increase unit test coverage in store through constructor by @cmwylie19 in #1819
• chore: controller constructor calls store on ready by @cmwylie19 in #1825
• chore: extract shared types from unrelated file by @samayer12 in #1759
• fix: update grype configuration by @samayer12 in #1777
• chore: resolve max statement in watch-processor by @cmwylie19 in #1770
• chore: require explicit-function-return-type by @samayer12 in #1781
• chore: refactor watch processor test to reduce redundancy by @tamirazrab in #1763
• chore: max-params warning for src/sdk/sdk.ts by @tamirazrab in #1787
• chore: use it.each() in related test cases by @cmwylie19 in #1784
• chore: error on max-params by @cmwylie19 in #1782
• chore: tidy up docs by @samayer12 in #1802
• chore: reduce duplication between pepr-build and pepr-build-wasm in journey tests by @cmwylie19 in #1804
• chore: improve test coverage for webhook generation by @samayer12 in #1815
• chore: prefer it() over test() for BDD-style test names by @samayer12 in #1818
• chore: remove write to repo access for sbom and container scan by @cmwylie19 in #1808
• chore: pin hash on Dockerfiles by @cmwylie19 in #1810
• chore: bump esbuild version by @samayer12 in #1807

Dependabot 🤖

• chore: bump library/node from 5145c88 to 0bcc32c by @dependabot in #1813
• chore: bump trufflesecurity/trufflehog from 3.88.6 to 3.88.7 by @dependabot in #1821
• chore: bump library/node from 0bcc32c to a182b9b by @dependabot in #1836
• chore: bump nick-fields/retry from 3.0.0 to 3.0.1 by @dependabot in #1841
• chore: bump trufflesecurity/trufflehog from 3.88.8 to 3.88.9 by @dependabot in #1840
• chore: bump step-security/harden-runner from 2.10.4 to 2.11.0 by @dependabot in #1839
• chore: bump trufflesecurity/trufflehog from 3.88.7 to 3.88.8 by @dependabot in #1831
• chore: bump @types/node from 22.13.1 to 22.13.4 in the development-dependencies group by @dependabot in #1833
• chore: bump trufflesecurity/trufflehog from 3.88.4 to 3.88.5 by @dependabot in #1773
• chore: bump docker/setup-buildx-action from 3.8.0 to 3.9.0 by @dependabot in #1775
• chore: bump @types/node from 22.13.0 to 22.13.1 in the development-dependencies group by @dependabot in #1769
• chore: bump the production-dependencies group across 1 directory with 2 updates by @dependabot in #1771
• chore: bump distroless/nodejs22-debian12 from 5e248b9 to 894873f by @dependabot in #1820
• chore: bump github/codeql-action from 3.28.8 to 3.28.9 by @dependabot in #1786
• chore: bump trufflesecurity/trufflehog from 3.88.5 to 3.88.6 by @dependabot in #1806

Full Changelog: v0.45.0...v0.45.1

v0.45.0

Features 🆕

• feat: nightly releases of pepr cli and controller image by @cmwylie19 in #1738

Introducing Nightlies 🌃

Wanna test new CLI or Controller features before they are release? How's how!

> npx pepr@nightly -V
0.44.0-nightly.7

What's Changed ♻️

• chore: update peer deps by @samayer12 in #1757
• chore: override glob and remove inflight which were deprecated by @cmwylie19 in #1749
• test: demonstrate that 'pepr build' outputs comparable config-derived values by @btlghrants in #1688
• chore: restore early exit on build no-embed by @cmwylie19 in #1731
• fix: tolerate optional fields from external pepr module definitions by @samayer12 in #1732
• chore: rename npm version command for nightlies to work by @cmwylie19 in #1742
• chore: quick fix on npm install and npm build for nightly by @cmwylie19 in #1743
• fix: show customLabels in helm chart after build by @samayer12 in #1736
• chore: max-params warning for src/lib/telemetry/metrics.ts by @tamirazrab in #1735
• chore: add unit test for webhooks by @cmwylie19 in #1744
• chore: add shellcheck to lint .sh files by @tamirazrab in #1730
• chore: clarify some rhetoric in the readme by @cmwylie19 in #1741
• chore: resolve max params for controller constructor by @tamirazrab in #1747

Dependabot 🤖

• chore: bump trufflesecurity/trufflehog from 3.88.3 to 3.88.4 by @dependabot in #1751
• chore: bump the development-dependencies group with 2 updates by @dependabot in #1755
• chore: bump the development-dependencies group with 2 updates by @dependabot in #1760
• chore: bump codecov/codecov-action from 5.3.0 to 5.3.1 by @dependabot in #1726
• chore: bump github/codeql-action from 3.28.4 to 3.28.5 by @dependabot in #1727
• chore: bump actions/setup-node from 4.1.0 to 4.2.0 by @dependabot in #1733
• chore: bump github/codeql-action from 3.28.6 to 3.28.8 by @dependabot in #1745
• chore: bump trufflesecurity/trufflehog from 3.88.2 to 3.88.3 by @dependabot in #1746
• chore: bump @types/node from 22.10.10 to 22.12.0 in the development-dependencies group by @dependabot in #1737
• chore: bump github/codeql-action from 3.28.5 to 3.28.6 by @dependabot in #1739
• chore: bump peter-murray/workflow-application-token-action from 4.0.0 to 4.0.1 by @dependabot in #1740

Next Release Theme: Testing!

Full Changelog: v0.44.0...v0.45.0

v0.44.0

What's Changed

• feat: webhook analytics timeouts by @cmwylie19 in #1717
• fix: local integration testing setup/timeouts by @samayer12 in #1705
• chore: remove soak-interrupts.yaml by @cmwylie19 in #1714
• chore: docs refresher by @cmwylie19 in #1683
• chore: backwards compat - open to team ideas! by @cmwylie19 in #1707
• chore: bump undici from 7.2.3 to 7.3.0 in the development-dependencies group by @dependabot in #1710
• chore: bump github/codeql-action from 3.28.2 to 3.28.3 by @dependabot in #1711
• chore: bump codecov/codecov-action from 5.1.2 to 5.2.0 by @dependabot in #1712
• chore: bump anchore/sbom-action from 0.17.9 to 0.18.0 by @dependabot in #1720
• chore: bump codecov/codecov-action from 5.2.0 to 5.3.0 by @dependabot in #1721
• chore: bump github/codeql-action from 3.28.3 to 3.28.4 by @dependabot in #1722
• chore: bump @types/node from 22.10.7 to 22.10.10 in the development-dependencies group by @dependabot in #1718
• chore: bump anchore/scan-action from 6.0.0 to 6.1.0 by @dependabot in #1719

Full Changelog: v0.43.0...v0.44.0

v0.43.0

Features 🤓

• feat: additionalIgnoredNamespaces at runtime through helm by @cmwylie19 in #1641

Allows additional ignored namespaces to be set in the helm chart in addition to the namespaces set in pepr section of package.json.

Watch Out 🚧

• chore: chainguard node23 is a no, so... distroless? by @btlghrants in #1684

Rebuild required (npx pepr build) - The distroless image has a smaller footprint with less CVEs, however, it does not have node in the same path on the container. Therefore, we needed to switch the commands on the deployments for args. Make sure you do a rebuild and this will be done for you.

Note- We always recommend rebuilding when you bring in new versions.

What's Changed ♻️

• chore: give best practices around mutations by @cmwylie19 in #1672

• chore: add return types to build.ts by @tamirazrab in #1687

• chore: update soak-interrupts test by @cmwylie19 in #1702

• chore: add return types to loader.ts by @samayer12 in #1648

• chore: remove unused property in assets class by @samayer12 in #1647

• chore: encourage return types in function definitions by @samayer12 in #1364

• fix(CI): grant write permission to CI job by @samayer12 in #1658

• chore: remove unused mocking by @samayer12 in #1664

• chore: remove circular dependencies in src/lib/assets/ by @samayer12 in #1652

• test: add cli test to validate multiple manifest generation paths result in comparable output by @btlghrants in #1642

• chore: remove max-statements warning in schedule.test.ts by @samayer12 in #1671

• chore: pass imagePullSecret to helm by @cmwylie19 in #1670

• chore: remove write perms image digest workflow by @cmwylie19 in #1677
  #1680

• chore: removing digestabot update workflow by @btlghrants in #1686

• chore: watch_failure template for reporting watch failures by @cmwylie19 in #1682

• chore: deployments for soak for new image by @cmwylie19 in #1689

• chore: validate build arguments that are used together add docs by @cmwylie19 in #1678

• chore: bump step-security/harden-runner from 2.10.3 to 2.10.4 by @dependabot in #1690

• chore: bump kubernetes-fluent-client from 3.3.7 to 3.3.8 in the production-dependencies group by @dependabot in #1685

• chore: bump trufflesecurity/trufflehog from 3.88.1 to 3.88.2 by @dependabot in #1646

• chore: bump actions/upload-artifact from 4.5.0 to 4.6.0 by @dependabot in #1645

• chore: bump undici from 7.2.0 to 7.2.1 in the development-dependencies group by @dependabot in #1643

• chore: bump step-security/harden-runner from 2.10.2 to 2.10.3 by @dependabot in #1644

• chore: bump github/codeql-action from 3.28.0 to 3.28.1 by @dependabot in #1650

• chore: bump the development-dependencies group with 2 updates by @dependabot in

• chore: bump @types/node from 22.10.5 to 22.10.6 in the development-dependencies group by @dependabot in #1653

• chore: bump undici from 7.2.1 to 7.2.2 in the development-dependencies group by @dependabot in #1673

• chore: bump github/codeql-action from 3.28.1 to 3.28.2 by @dependabot in #1703

• chore: bump distroless/nodejs22-debian12 from 06298f8 to 5e248b9 by @dependabot in #1704

Full Changelog: v0.42.3...v0.43.0

v0.42.3

What's Changed

• chore: remove circular dependency with Assets class by @samayer12 in #1635
• chore: remove matchExpression peprdev key in webhook by @cmwylie19 in #1639

Full Changelog: v0.42.2...v0.42.3

v0.42.2

What's Changed

• chore: roadmap 2025 by @cmwylie19 in #1544
• refactor: resolve eslint warnings (max-depth, complexity) - src/lib/mutate-processor.ts by @btlghrants in #1543
• chore: add typing to untyped functions by @samayer12 in #1572
• chore: return types on module, included-files, and helpers to standardize our typing by @cmwylie19 in #1574
• chore: reduce complexity of helpers.ts by @samayer12 in #1575
• chore: complexity shouldSkipRequest by @cmwylie19 in #1578
• chore: move processors to common directory by @samayer12 in #1576
• chore: return types for files based on issue by @cmwylie19 in #1579
• chore: return types on kfc, root, update, uud, loader by @cmwylie19 in #1580
• refactor: resolve eslint warnings (max-depth, complexity) - src/cli/deploy.ts by @btlghrants in #1577
• chore: warn devs when their feature branches may be too large by @samayer12 in #1571
• chore: reduce complexity in webhooks.ts by @samayer12 in #1587
• chore: increase coverage on util functions to ensure work is thoroughly tested by @cmwylie19 in #1591
• refactor: resolve eslint warnings (complexity) - src/lib/filter/filterNoMatchReason.ts by @btlghrants in #1585
• chore: return types for logger,tls,validate-request by @cmwylie19 in #1588
• chore: organize core pepr files into lib/core/ by @samayer12 in #1594
• chore: return types by @cmwylie19 in #1595
• chore: group logically-related test cases in shared describe blocks by @samayer12 in #1599
• chore: statements in format by @cmwylie19 in #1598
• chore: update typescript dep + peerDeps by @btlghrants in #1607
• chore: pull-back & prep for update of TS (after next pepr release) by @btlghrants in #1611
• chore: add typing to templates.ts by @samayer12 in #1602
• chore: carriedNamespace/carriesIgnoredNamespace account for Namespace object by @cmwylie19 in #1619
• chore: make load tests more resilient to slow metrics-server startup in GH CI by @btlghrants in #1634
• chore: bump trufflesecurity/trufflehog from 3.87.1 to 3.88.0 by @dependabot in #1612
• chore: bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot in #1613
• chore: bump pino from 9.5.0 to 9.6.0 in the production-dependencies group by @dependabot in #1614
• chore: bump @types/node from 22.10.2 to 22.10.3 in the development-dependencies group by @dependabot in #1615
• chore: bump @types/node from 22.10.3 to 22.10.4 in the development-dependencies group by @dependabot in #1616
• chore: bump @types/node from 22.10.4 to 22.10.5 in the development-dependencies group by @dependabot in #1620
• chore: bump trufflesecurity/trufflehog from 3.88.0 to 3.88.1 by @dependabot in #1636

Full Changelog: v0.42.1...v0.42.2

v0.42.1

Note 🧾

We realized that when doing a setItemAndWait() or removeItemAndWait() with patch values that were the same as the values already in the Pepr store, an error could occur. This release addresses that error and enhances store code.

What's Changed ♻️

• chore: return types on src/lib/assets/index.ts src/lib/controller/index.ts src/lib/mutate-request.ts by @cmwylie19 in #1515
• chore: returns on utils,queue,cosign by @cmwylie19 in #1528
• chore(testing): verify pepr can be deployed with zarf by @samayer12 in #1531
• refactor: resolve eslint warnings (max-depth, complexity) - src/lib/validate-processor.ts by @btlghrants in #1529
• chore(ci): use standard check for helm & zarf installs by @samayer12 in #1541
• chore: complexity of monitor by @cmwylie19 in #1542
• chore: return types on store and capability by @cmwylie19 in #1555
• chore: add return types to untyped functions by @samayer12 in #1560
• chore: complexity in build by @cmwylie19 in #1557
• chore: add return types to watch-processor.ts by @samayer12 in #1562
• chore: different periods between send and receive by @cmwylie19 in #1563
• chore: bump github/codeql-action from 3.27.6 to 3.27.7 by @dependabot in #1558
• chore: bump trufflesecurity/trufflehog from 3.85.0 to 3.86.0 by @dependabot in #1559
• chore: bump @types/node from 22.10.1 to 22.10.2 in the development-dependencies group by @dependabot in #1565
• chore: bump trufflesecurity/trufflehog from 3.86.0 to 3.86.1 by @dependabot in #1564

Full Changelog: v0.42.0...v0.42.1

v0.42.0

Note 🧾

This sprint, the Pepr team focused on enhancing our typing system to improve consistency and address edge cases where types were less robust. We also made significant improvements to our network posture through the KFC, which may impact end users who are strongly typing fetch configurations. These changes extend to all interactions with the Kubernetes API server through CRUD operations that Pepr uses to communicate with the kube-apiserver. While this release has been thoroughly tested and soak, we recommend proceeding with caution, as progress sometimes introduces unforeseen challenges. Check the slack announcement to see metrics related to this release.

oversight, accidentally released 0.42.0 and skipped 0.41.0 - next releases will be pair programmed to avoid this.

Breaking Changes ⚠️

Pepr's fetch is powered by Undici. If you are using a specific RequestInit options on the fetch, you need to migrate to Undici's RequestInit (It is very similar). This probably won't affect you if you are not strongly typing your RequestInit example in journey/pepr-dev.ts.

Here is an example:

let { fetch } = require("pepr");
const { Agent } = require("undici");

const postOpts = {
  method: "POST",
  body: JSON.stringify({
    query: "query { joke {id joke permalink } }",
  }),
  headers: {
    "Content-Type": "application/json; charset=UTF-8",
  },
  dispatcher: new Agent({
    connect: {
      rejectUnauthorized: false,
    },
  }),
};
(async () => {
  let { data, ok } = await fetch(
    "https://icanhazdadjoke.com/graphql",
    postOpts,
  );
  if (ok) {
    console.log(data.data.joke.joke);
  } else {
    console.log("Failed to fetch joke");
  }
})();

This strengthens Pepr's ability to communicate with the Kubernetes Control Plane and reduces transmit bandwidth.

Feat ⛰️

• feat: set prometheus cont type for Prometheus 3.0 by @btlghrants in #1501

What's Changed ♻️

• chore: use consistent enum property names between related enums by @samayer12 in #1451
• chore: adr for undici and status corrections by @cmwylie19 in #1461
• chore: merge queues by @cmwylie19 in #1469
• test: overlay requests/second onto load test graph by @btlghrants in #1470
• chore: fix merge group by @cmwylie19 in #1471
• chore: extract deployment check functions to new file for ease of maintenance by @samayer12 in #1472
• test: make load test err msg explicit by @btlghrants in #1478
• chore: move filesystem operations to new file by @samayer12 in #1482
• chore: 24 roadmap update by @cmwylie19 in #1479
• chore: update contributor docs by @soltysh in #1491
• refactor: resolve eslint warnings (max-statements, complexity) - src/lib/controller/index.ts by @btlghrants in #1486
• chore: types in metrics by @cmwylie19 in #1492
• chore: fix all actions links by @soltysh in #1499
• chore: updates for undici fetch by @cmwylie19 in #1496
• chore: storage return types by @cmwylie19 in #1507
• chore: update subscribers every second by @cmwylie19 in #1502
• chore: return types on schedule by @cmwylie19 in #1505
• refactor: resolve eslint warnings (max-statements, complexity) - src/lib/assets/index.ts by @btlghrants in #1497
• chore(ts): add typing to adjudicators used in validation and mutation processing by @samayer12 in #1402
• chore: return types on sdk by @cmwylie19 in #1512
• chore: store adjudicator code in adjudicators/ by @samayer12 in #1517
• chore: reduce verbosity of logs by eliminating for metric and health by @cmwylie19 in #1519
• test: validate pepr build generates a helm install-able chart by @btlghrants in #1520
• chore: move lib/ code related to data collection to lib/telemetry by @samayer12 in #1522
• chore: bump codecov/codecov-action from 5.0.7 to 5.1.1 by @dependabot in #1523
• chore: bump trufflesecurity/trufflehog from 3.84.2 to 3.85.0 by @dependabot in #1524
• chore: bump express from 4.21.1 to 4.21.2 in the production-dependencies group by @dependabot in #1525
• chore: bump actions/dependency-review-action from 4.4.0 to 4.5.0 by @dependabot in #1464
• chore: bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #1463
• chore: bump codecov/codecov-action from 5.0.3 to 5.0.6 by @dependabot in #1462
• chore: bump anchore/scan-action from 5.2.1 to 5.3.0 by @dependabot in #1476
• chore: bump anchore/sbom-action from 0.17.7 to 0.17.8 by @dependabot in #1475
• chore: bump codecov/codecov-action from 5.0.6 to 5.0.7 by @dependabot in #1474
• chore: bump trufflesecurity/trufflehog from 3.83.7 to 3.84.0 by @dependabot in #1473
• chore: bump trufflesecurity/trufflehog from 3.84.0 to 3.84.1 by @dependabot in #1487
• chore: bump @types/node from 22.9.1 to 22.9.4 in the development-dependencies group by @dependabot in #1488
• chore: bump @types/node from 22.9.4 to 22.10.0 in the development-dependencies group by @dependabot in #1489
• chore: bump @types/node from 22.10.0 to 22.10.1 in the development-dependencies group by @dependabot in #1490
• chore: bump trufflesecurity/trufflehog from 3.84.1 to 3.84.2 by @dependabot in #1504
• chore: bump github/codeql-action from 3.27.5 to 3.27.6 by @dependabot in #1503
• chore: bump kubernetes-fluent-client from 3.3.6 to 3.3.7 in the production-dependencies group by @dependabot in #1508

Full Changelog: v0.40.1...v0.42.0

v0.40.1

A brand new high-severity CVE around cross-spawn hit during the release. This release mitigates the CVE.

What's Changed

• chore: bump kubernetes-fluent-client from 3.3.3 to 3.3.4 in the production-dependencies group by @dependabot in #1450

Full Changelog: v0.40.0...v0.40.1