v1.38.1

What's Changed

• backport: Add subject filters in schema relation delete to force use of the index by @vroldanbet in #2136

Full Changelog: v1.38.0...v1.38.1

Docker Images

This release is available at authzed/spicedb:v1.38.1, quay.io/authzed/spicedb:v1.38.1, ghcr.io/authzed/spicedb:v1.38.1

v1.37.2

What's Changed

• backport: Add subject filters in schema relation delete to force use of the index by @vroldanbet in #2132

Full Changelog: v1.37.1...v1.37.2

Docker Images

This release is available at authzed/spicedb:v1.37.2, quay.io/authzed/spicedb:v1.37.2, ghcr.io/authzed/spicedb:v1.37.2

v1.38.0

Note

All datastores have a migration to add new columns (MySQL, Postgres) or new tables (CRDB, Spanner) for transaction metadata

Highlights

ℹ️ Write transactions now support metadata which can be attached to the call and which is then returned by the Watch API

Features

• Implement support for metadata associated with read-write transactions by @josephschorr in #1914
• Add API support for transaction metadata on WriteRels and DeleteRels by @josephschorr in #2084
• Metrics: spicedb_environment_info from telemetry by @jzelinskie in #2093

Enhancements

• Emit memdb checkpoints after changes by @vroldanbet in #2082
• Reduce build times in CI by @vroldanbet in #2085

Fixes

• Fix CI errors on recent merge by @vroldanbet in #2092

Updated Dependencies

• Bump the go-mod group with 15 updates by @dependabot in #2083

Full Changelog: v1.37.0...v1.38.0

Docker Images

This release is available at authzed/spicedb:v1.38.0, quay.io/authzed/spicedb:v1.38.0, ghcr.io/authzed/spicedb:v1.38.0

v1.37.1

Note

1.37.1 fixes a reported issue with LookupResources v2. It is recommended that all users of v1.37.0 upgrade to v1.37.1. See: GHSA-3c32-4hq9-6wgj

Full Changelog: v1.37.0...v1.37.1

Docker Images

This release is available at authzed/spicedb:v1.37.1, quay.io/authzed/spicedb:v1.37.1, ghcr.io/authzed/spicedb:v1.37.1

v1.37.0

Warning

1.37.0 enables LookupResources v2 by default, which was found to not be passing caveat context to dispatches in certain scenarios, causing permissions of CONDITIONAL to be returned instead of determined results. We recommend upgrading to v1.37.1 which fixes this problem. See: GHSA-3c32-4hq9-6wgj

Highlights

⭐ LookupResources v2 now enabled by default!

Features

• Enable LRv2 by default and update the steelthread tests by @josephschorr in #2079

Enhancements

• Add support for secondary dispatching on LR2 by @josephschorr in #2069
• Stop using yaml anchors in release action configuration by @tstirrat15 in #2071
• Make bulk export service functions use read-only datastore by @vroldanbet in #2072
• README: rework sections: zanzibar, contrib, users by @jzelinskie in #2060
• Register common flags with helper by @tstirrat15 in #2074

Fixes

• Fix serve-devtools command and flags by @tstirrat15 in #2073
• Fixes memory leak via HTTP Gateway by @vroldanbet in #2075
• Remove duplicate and redundant code by @cuishuang in #2080

Updated dependencies

• Bump to most recent version of goreleaser by @tstirrat15 in #2067

New Contributors

@cuishuang made their first contribution in #2080

Full Changelog: v1.36.3...v1.37.0

v1.36.2

This fixes a small issue with the spicedb datastore head command but is otherwise the same as https://github.com/authzed/spicedb/releases/tag/v1.36.0

Full Changelog: v1.36.0...v1.36.2

Docker Images

This release is available at authzed/spicedb:v1.36.2, quay.io/authzed/spicedb:v1.36.2, ghcr.io/authzed/spicedb:v1.36.2

v1.36.0

Highlights

🔐  Added relationship integrity: protects authorization data in an underlying SpiceDB datastore from inadvertent modification.
📋 Reorganized spicedb serve flags into logically-related flagsets
🚤 Ensure cursored LRv2 calls are dispatched to LRv2

Features

• Relationship integrity by @josephschorr in #1980
• Implement non-experimental bulk import and export by @tstirrat15 in #2065

Enhancements

• Ensure cursored LRv2 calls are dispatched to LRv2 by @josephschorr in #2040
• Ensure the validationfile loader passes the full caveats to the typesystem by @josephschorr in #2042
• Check data structure improvements by @josephschorr in #2037
• Reorganize serve flags into flagsets by @tstirrat15 in #2023
• Add a default connect timeout for watch in CRDB driver by @josephschorr in #2041
• Have diffexpr handle the case of adding to a single child expression by @josephschorr in #2038
• Add configurable max buffer size for watch change tracker by @josephschorr in #2044
• Add continuous checkpointing to Datastore Features by @vroldanbet in #2064
• Add analyzer to enforce usage of VT versions of marshalling and unmarshalling by @tstirrat15 in #2043
• Make the max size exceeded error public by @josephschorr in #2049
• Add goreleaser configuration to push Windows package to Chocolatey by @josephschorr in #1879

Fixes

• Cleanup handling of internal errors in Check dispatch by @josephschorr in #2029
• Only add the finalizer on iterators when CI testing by @josephschorr in #2034
• Ensure the validationfile loader passes the full caveats to the typesystem by @josephschorr in #2042
• Fix data type for pg_class relcount by @josephschorr in #2046
• Remove unnecessary branch from limit logic by @tstirrat15 in #2030
• Remove duplicate update test by @josephschorr in #2051
• Remove warning for an arrow referencing a relation in its own namespace by @josephschorr in #2062
• Fix security errors in lint steps by @tstirrat15 in #2061

Updated dependencies

• Integrate updates to cobrautil by @tstirrat15 in #2031
• Bump golang from 1.22.5-alpine3.20 to 1.23.0-alpine3.20 in the docker group by @dependabot in #2050
• Bump the go-mod group with 32 updates by @dependabot in #2052
• Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 in the go_modules group by @dependabot in #2054

What's Changed

Full Changelog: v1.35.3...v1.36.0

Docker Images

This release is available at authzed/spicedb:v1.36.0, quay.io/authzed/spicedb:v1.36.0, ghcr.io/authzed/spicedb:v1.36.0

v1.35.3

What's Changed

• Ensure debug information is returned for recursive checks that dispatch by @josephschorr in #2017
• Add expression diffing library for schema by @josephschorr in #2016
• Change the filter count check to a debug assertions by @josephschorr in #2014
• Fix logging behavior around setting goproc limits by @tstirrat15 in #2018
• Add nicer error if the Postgres primary node has gone readonly by @josephschorr in #2025
• Ensure all resources are returned for relation check when caveats are specified by @josephschorr in #2027
• bump cobrautil for automaxprocs fix by @ecordell in #2028

Full Changelog: v1.35.2...v1.35.3

Docker Images

This release is available at authzed/spicedb:v1.35.3, quay.io/authzed/spicedb:v1.35.3, ghcr.io/authzed/spicedb:v1.35.3

v1.35.2

What's Changed

• Add an extra source_code field to developer warnings by @josephschorr in #2007
• Add ability to get warnings from the WASM dev interface by @josephschorr in #2008
• Handle functioned arrows in warnings system by @josephschorr in #2009
• Bump the go-mod group with 21 updates by @dependabot in #2011
• Add server version middleware to serve-testing by @josephschorr in #2006
• Fix experimental LookupResources2 to shear the tree earlier on indirect permissions by @josephschorr in #2005

Full Changelog: v1.35.1...v1.35.2

Docker Images

This release is available at authzed/spicedb:v1.35.2, quay.io/authzed/spicedb:v1.35.2, ghcr.io/authzed/spicedb:v1.35.2

v1.35.1

What's Changed

• Switch caching package's interface to be generic and add experimental flag to try different caches by @josephschorr in #1990
• Fix conversion of caveat debug context by @josephschorr in #2000
• bump Docker to address security scanners surfacing CVE by @vroldanbet in #2004

Full Changelog: v1.35.0...v1.35.1

Docker Images

This release is available at authzed/spicedb:v1.35.1, quay.io/authzed/spicedb:v1.35.1, ghcr.io/authzed/spicedb:v1.35.1