deps: update module github.com/open-policy-agent/opa to v1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/open-policy-agent/opa	v0.70.0 → v1.4.0

GitHub Vulnerability Alerts

CVE-2025-46569

Impact

When run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation.

A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.

Users are only impacted if all of the following apply:

• OPA is deployed as a standalone server (rather than being used as a Go library)
• The OPA server is exposed outside of the local host in an untrusted environment.
• The configured authorization policy does not do exact matching of the input.path attribute when deciding if the request should be allowed.

or, if all of the following apply:

• OPA is deployed as a standalone server.
• The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA’s Data API.

Note: With no Authorization Policy configured for restricting API access (the default configuration), the RESTful Data API provides access for managing Rego policies; and the RESTful Query API facilitates advanced queries. Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate. As such, OPA servers exposed to a network are not considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.

Patches

Fixed in OPA v1.4.0.

Workarounds

Don’t publicly expose OPA’s RESTful APIs

Unless necessary for production reasons, network access to OPA’s RESTful APIs should be limited to localhost and/or trusted networks.
Since OPA v1.0, unless otherwise configured, the server listener defaults to localhost.

Enable Authentication to Only Allow Access to Trusted Clients

A configured authentication scheme is a requirement when OPA is exposed in an untrusted environment. While requiring authentication alone doesn’t mitigate this attack, it effectively reduces the scope from untrusted clients to trusted clients.

Perform Path Validation Using OPA’s Authorization Policy Functionality

OPA can be configured to use an Authorization Policy to validate all incoming requests.
By authoring the Authorization Policy to only accept paths corresponding to expected Rego package references, this attack can be fully mitigated.

The HTTP path in a Data API request is of the format /v1/data/{path:.+} (/v0/data/{path:.+}, for the v0 Data API), where data/{path:.+} directly corresponds to a reference to a virtual document, and a prefix of {path:.+} corresponds to a Rego package declaration.
E.g. the HTTP path v1/data/do/re/mi corresponds to the data reference data.do.re.mi, where do.re is the package and mi is the rule in the following Rego module:

package do.re

mi if {
	...
}

Unless otherwise configured, OPA will use the rule at data.system.authz.allow as Authorization Policy. Authorization is enabled by starting OPA with the --authorization=basic flag, and the Authorization policy must be made available to the OPA runtime either through a bundle (via the --bundle flag or through discovery) or as an individual module via the command-line.

A trivial Authorization Policy example:

package system.authz

allowed_paths := [
	["v1", "data", "policy1", "allow"],
	["v1", "data", "policy2", "allow"],
	...
]

allow if {
	input.path in allowed_paths
}

Note: configuring an Authorization Policy in OPA isn't the only way to protect against malicious request paths. Path validation and sanitisation can also be performed by connecting clients and 3rd party intermediaries, such as API gateways, reverse proxies, etc.

---

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.4.0

Compare Source

This release contains a security fix addressing CVE-2025-46569.
It also includes a mix of new features, bugfixes, and dependency updates.

Security Fix: CVE-2025-46569 - OPA server Data API HTTP path injection of Rego (GHSA-6m8w-jc87-6cr7)

A vulnerability in the OPA server's Data API allows an attacker to craft the HTTP path in a way that injects Rego code into the query that is evaluated.
The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results.
Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.

Users are only impacted if all of the following apply:

• OPA is deployed as a standalone server (rather than being used as a Go library)
• The OPA server is exposed outside of the local host in an untrusted environment.
• The configured authorization policy does not do exact matching of the input.path attribute when deciding if the request should be allowed.

or, if all of the following apply:

• OPA is deployed as a standalone server.
• The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA’s Data API.

Note: With no Authorization Policy configured for restricting API access (the default configuration), the RESTful Data API provides access for managing Rego policies; and the RESTful Query API facilitates advanced queries.
Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate.
As such, OPA servers exposed to a network are not considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.

This issue affects all versions of OPA prior to 1.4.0.

See the Security Advisory for more details.

Reported by @​GamrayW, @​HyouKash, @​AdrienIT, authored by @​johanfylling

Runtime, Tooling, SDK

• ast: Adding rego_v1 feature to --v0-compatible capabilities (#​7474) authored by @​johanfylling
• executable: Add version and icon to OPA windows executable (#​3171) authored by @​sspaink reported by @​christophwille
• format: Don't panic on format due to unexpected comments (#​6330) authored by @​sspaink reported by @​sirpi
• format: Avoid modifying strings when formatting (#​6220) authored by @​sspaink reported by @​zregvart
• plugins/status: FIFO buffer channel for status events to prevent slow status API blocking (#​7522) authored by @​sspaink

Topdown and Rego

• gqlparser: Add JSON annotation in internal/gqlparser/ast to Position fields (#​7509) authored by @​robmyersrobmyers
• graphql: Cache GraphQL schema parse results (#​7457) authored by @​robmyersrobmyers
• topdown: Handling default functions in Partial Eval (#​7220) authored by @​johanfylling
• topdown: Fix wall clock time init for PartialRun() (#​7490) authored by @​srenatus
• topdown: Zero alloc lower/upper unless changed (#​7472) authored by @​anderseknert

Docs, Website, Ecosystem

• adopters: Cloudsmith adds support for OPA (#​7498) authored by @​ndouglas-cloudsmith
• docs: Fixed broken docs link (#​7452) reported and authored by @​fvarg00
• docs: Update built-in function examples for OPA v1 (#​7514) reported and authored by @​robmyersrobmyers
• docs: Add link to inline schema annotations (#​7496) authored by @​kmadan
• docs: Add manual trigger to integration docs (#​7473) authored by @​charlieegan3
• docs: Point path versioned requests to new sites (#​7531) authored by @​charlieegan3
• docs: Update community slack inviter link (#​7488, #​7493) authored by @​charlieegan3
• docs: Set versioned docs links to point to archive (#​7528) authored by @​charlieegan3
• docs: Update helm-kubernetes-quickstart bundle (#​7469) authored by @​johanfylling
• docs: Update opa-docker-authz example to use ghcr and v0.10 release tag (#​7513) authored by @​larhauga
• docs: Fix post merge badge (#​7532) authored by @​sspaink
• docs: Improve request headers documentation in REST APIs (#​7524) authored by @​ali-jalaal
• docs: Update edge links to use /docs/edge/ path (#​7529) authored by @​charlieegan3
• ecosystem: Add NACP integration (#​7503) authored by @​charlieegan3
• ecosystem: Update traefik integration docs (#​7506) authored by @​charlieegan3
• ecosystem: Add Principled Evolution integration (#​7495) authored by @​kmadan
• ecosystem: Add tavo to ecosystem integration (#​7511) authored by @​percyding-tavo

Miscellaneous

• Dependency updates; notably:
  • build(deps): bump github.com/hypermodeinc/badger from v4.6.0 to v4.7.0
  • build(deps): bump github.com/spf13/viper from 1.18.2 to 1.20.1
  • build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0
  • build(deps): bump google.golang.org/grpc from 1.71.0 to 1.71.1
  • build(deps): bump oras.land/oras-go/v2 from 2.3.1 to 2.5.0

v1.3.0

Compare Source

This release contains a mix of features, bugfixes, and dependency updates.

New Buffer Option for Decision Logs (#​5724)

A new, optional, buffering mechanism has been added to decision logging.
The default buffer is designed around making precise memory footprint guarantees, which can produce lock contention at high loads, negatively impacting query performance.
The new event-based buffer is designed to reduce lock contention and improve performance at high loads, but sacrifices the memory footprint guarantees of the default buffer.

The new event-based buffer is enabled by setting the decision_logs.reporting.buffer_type configuration option to event.

For more details, see the decision log plugin README.

Reported by @​mjungsbluth, authored by @​sspaink

OpenTelemetry: HTTP Support and Expanded Batch Span Configuration (#​7412)

Distributed tracing through OpenTelemetry has been extended to support HTTP collectors (enabled by setting the distributed_tracing.type configuration option to http).
Additionally, configuration has been expanded with fine-grained batch span processor options.

Authored and reported by @​sqyang94

Runtime, Tooling, SDK

• compile: Require multi-term entrypoint paths for optimized bundle building (#​7321) authored by @​johanfylling reported by @​nikpivkin
• fmt: Allow one liner rule grouping (#​6760) authored by @​anderseknert
• fmt: Fix v0-compatible fmt with stdin (#​7409) authored and reported by @​charlieegan3
• ir: Fix nil pointer deref in Unmarshal() when handling IsSetStmt (#​7415) authored and reported by @​KrisKennawayDD
• planner: Fix Wasm vs non-Wasm evaluation difference bug related to the overeager optimization of ref head rules (#​7439) authored by @​srenatus
• sdk: Removing repeat args from sub-func call (#​7443) authored by @​alingse
• tester: Including parameterized test cases in test report counter (#​7407) authored by @​johanfylling
• tester: Only including failed sub-test cases in report summary when non-verbose (#​7426) authored by @​johanfylling

Docs, Website, Ecosystem

• docs: Add some notes about AI assisted patches (#​7436) authored by @​charlieegan3
• docs: Add query_parameters_to_set (#​7405) authored by @​sedovmik
• docs: Delete reference to license key in Envoy tutorial (#​7466) authored by @​joostholslag
• docs: Fix typo in Envoy tutorial (#​7464) authored by @​joostholslag
• docs: Update slack inviter link (#​7450) authored by @​charlieegan3
• docs: Update terraform examples (#​7429) authored by @​charlieegan3
• docs: Simplify kind usage instruction in Envoy tutorial (#​7465) authored by @​joostholslag

Miscellaneous

• Enable unused-receiver linter (revive) (#​7448) authored by @​anderseknert
• Dependency updates; notably:
  • build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27
  • build(deps): bump github.com/dgraph-io/badger/v4 from 4.5.1 to 4.6.0
  • build(deps): bump github.com/opencontainers/image-spec from 1.1.0 to 1.1.1
  • build(deps): bump github.com/prometheus/client_golang 1.21.0 to 1.21.1
  • build(deps): bump golang.org/x/net from 0.35.0 to 0.37.0
  • build(deps): bump golang.org/x/time from 0.10.0 to 0.11.0
  • build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0
  • build(deps): bump go.opentelemetry.io deps to 1.35.0/0.60.0

v1.2.0

Compare Source

This release contains a mix of features, performance improvements, and bugfixes.

Parameterized Rego Tests (#​2176)

Rego tests now support parameterization, allowing a single test rule to include multiple, hierarchical, named test cases.
This feature is useful for data-driven testing, where a single test rule can be used for multiple test cases with different inputs and expected outputs.

package example_test

test_concat[note] if {
	some note, tc in {
		"empty + empty": {
			"a": [],
			"b": [],
			"exp": [],
		},
		"empty + filled": {
			"a": [],
			"b": [1, 2],
			"exp": [1, 2],
		},
		"filled + filled": {
			"a": [1, 2],
			"b": [3, 4],
			"exp": [1, 2, 3], # Faulty expectation, this test case will fail
		},
	}

	act := array.concat(tc.a, tc.b)
	act == tc.exp
}

$ opa test example_test.rego
example_test.rego:
data.example_test.test_concat: FAIL (263.375µs)
  empty + empty: PASS
  empty + filled: PASS
  filled + filled: FAIL
--------------------------------------------------------------------------------
FAIL: 1/1

See the documentation for more information.

Authored by @​johanfylling, reported by @​anderseknert

Performance Improvements

• perf: Add ref.CopyNonGround (#​7350) authored by @​anderseknert
• perf: opa fmt 3x faster formatting (#​7341) authored by @​anderseknert
• perf: Cost of indexing greatly reduced (#​7370) authored by @​anderseknert
• perf: Eval optimizations (#​7367) authored by @​anderseknert
• perf: Intern annotation terms (#​7365) authored by @​anderseknert
• perf: Slightly more efficient policy scanning (#​7368) authored by @​anderseknert
• perf: Switch to a faster xxhash package (7362) authored by @​Juneezee
• perf: Use GetByValue to avoid boxing to interface{} (#​7372) authored by @​anderseknert
• perf: Various small improvements (#​7357) authored by @​anderseknert
• perf: Improve storage lookup performance (#​7336) authored by @​anderseknert
• perf: optimize iteration (#​7327) authored by @​anderseknert

Topdown and Rego

• rego+topdown: Allow providing custom base cache (#​7329) authored by @​anderseknert

Runtime, Tooling, SDK

• ast: Add missing BuildAnnotationSet to ast v0 (#​7347) authored by @​anderseknert
• ast: Eliminate allocation in Value.Find, and other improvements (#​7319) authored by @​anderseknert
• ast: Use byte for RuleKind and DocKind (#​7332) authored by @​anderseknert
• ast.InterfaceToValue: add test case for []byte (#​7379) authored by @​dennygursky
• ast: support []string and ast.Value in ast.InterfaceToValue (#​7306) authored by @​regeda
• bundle: Fixing issue where --v0-compatible isn't respected for custom bundles (#​7338) authored by @​johanfylling
• cmd: Handle failing tests in opa test --bench (#​7205) authored by @​anderseknert
• cmd: Add decision ID to opa exec output (#​7373) authored by @​anderseknert
• oracle: Make oracle public under v1/ast/oracle (#​7265) authored by @​anderseknert
• oracle: Allow passing own compiler to oracle (#​7354) authored by @​anderseknert
• plugins/discovery: Enable tracing for discovery plugin (#​7299) authored by @​mjungsbluth
• plugins/rest: Do not attach authorization header in bearerAuthPlugin if response is a redirect (#​7308) authored by @​carabasdaniel
• server+distributedtracing: Add Additional Resource Attributes for OpenTelemetry (#​7322) authored by @​briankahoot reported by @​briankahoot
• util: Add util.HasherMap (#​7363) authored by @​anderseknert

Docs, Website, Ecosystem

• docs: Add support link to README (#​7359) (authored by @​anderseknert)
• docs: Update example bundle to be v1 compatible (#​7342) authored by @​ashutosh-narkar
• docs: Add note about v1.0 addr behaviour (#​7360) authored by @​charlieegan3 reported by @​ali-jalaal
• docs: Update homepage examples to drop v1 import (#​7391) authored by @​charlieegan3
• docs: Updating --v1-compatible mentions outside the v1 upgrade guide and v0 compatibility docs (#​7337) authored by @​johanfylling
• docs: Fixed invalid links to examples (#​7326) authored by @​JonathanDeLaCruzEncora
• MAINTAINERS: Add Anders and Charlie as maintainers (#​7318) authored by @​charlieegan3

Miscellaneous

• build+test: Add make test-short task (#​7364) (authored by @​anderseknert)
• build: Add gocritic linter (#​7377) authored by @​anderseknert
• build: Add nilness linter from govet (#​7335) authored by @​anderseknert
• build: Add perfsprint linter (#​7334) authored by @​anderseknert
• ci: Tagging release binaries with build version (#​7395, #​7397, #​7400) authored by @​johanfylling
• test: fix race in TestIntraQueryCache_ClientError and TestInterQueryCache_ClientError (#​7280) authored by @​Juneezee
• misc: Use Go 1.22+ int ranges (#​7328) authored by @​anderseknert
• Dependency updates; notably:
  • build: bump go from 1.23.5 to 1.24.0
  • build(deps): bump github.com/agnivade/levenshtein from 1.2.0 to 1.2.1
  • build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26
  • build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
  • build(deps): bump github.com/prometheus/client_golang
  • build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1
  • build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
  • build(deps): bump golang.org/x/net from 0.34.0 to 0.35.0
  • build(deps): bump golang.org/x/time from 0.9.0 to 0.10.0
  • build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1
  • Bump golangci-lint from v1.60.1 to 1.64.5

v1.1.0

Compare Source

This release contains a mix of features, performance improvements, and bugfixes.

Performance Improvements

• ast: Remove jsonOptions from AST nodes and terms (#​7281) authored by @​anderseknert
• ast+plugins: Optimize activation of bundles with no inter-bundle path overlap (#​7144) authored and reported by @​sqyang94
• bundle: Optimizing rego-version management in bundle activation (#​7296) authored by @​johanfylling
• cmd: Don't generate JSON from result in opa bench (#​7291) authored by @​anderseknert
• topdown: Adding configurable token cache to io.jwt token verification built-ins (#​7274) authored by @​johanfylling
• topdown: Reduce allocations in hot path (#​7288) authored by @​anderseknert
• perf: Improvements to terms and built-in functions (#​7284) authored by @​anderseknert
• perf: add Regorus ACI benchmark tests (#​7298) authored by @​anderseknert
• plugins: Don't use reflect.DeepEqual for errors (#​7238) authored by @​anderseknert
• testing: replace reflect.DeepEqual where possible (#​7286) authored by @​anderseknert

Topdown and Rego

• topdown: Fix out of range error in numbers.range built-in (#​7269) authored by @​anderseknert
• topdown+rego+server: Allow opt-in for evaluating non-det builtins in PE (#​6496) authored by @​srenatus

Runtime, Tooling, SDK

• bundle: Add info about the correct rego version to parse modules on the store (#​7278) co-authored by @​ashutosh-narkar and @​johanfylling
• bundle+plugins: Fixing issue where bundle plugin could panic on reconfiguration (SDK use) (#​7297) authored by @​johanfylling reported by @​carabasdaniel
• cmd: Fix printed representation of ref head rules in opa repl (#​7301) authored by @​anderseknert reported by @​tsandall
• cmd: Respect --v0-compatible for opa eval partial eval support modules (#​7251) authored by @​johanfylling
• golangci: fix invalid linter-settings configuration name (#​7244) authored by @​Juneezee
• plugins/logs: Add support for masking with array keys (#​6883) authored by @​charlieegan3
• tester: code nitpicks (#​7252) authored by @​srenatus
• util: Add util.Keys and util.KeysSorted (#​7285) authored by @​anderseknert

Docs, Website, Ecosystem

• docs: Update docker compose file in HTTP API tutorial and use addr for binding (#​7264) authored and reported by @​zanliffick
• docs: Make 'ancient' warnings closable (#​7253) authored by @​srenatus reported by @​konradzagozda
• docs: Redirect opa-1 to v0-upgrade (#​7259) authored by @​charlieegan3
• docs: Use preformatted strings in fmt help (#​7263) authored by @​charlieegan3
• docs: Fix typo in k8s primer (#​7242) authored by @​vicentinileonardo
• docs: Formatting and wording fixes (#​7268) authored by @​kamilturek
• docs: Update output document of Envoy plugin. (#​7241) authored by @​regeda

Miscellaneous

• ci(nightly): Remove vendor w/o modproxy check (#​7292) authored by @​srenatus
• Dependency updates; notably:
  • build(go): bump to 1.23.5 (7279) authored by @​srenatus
  • build(deps): upgrade github.com/dgraph-io/badger to v4 (4.5.1) (#​7239) authored by @​Juneezee
  • build(deps): bump github.com/containerd/containerd from 1.7.24 to 1.7.25
  • build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2
  • build(deps): bump golang.org/x/net from 0.33.0 to 0.34.0
  • build(deps): bump golang.org/x/time from 0.8.0 to 0.9.0
  • build(deps): bump google.golang.org/grpc from 1.69.2 to 1.70.0
  • build(deps): bump go.opentelemetry.io deps to 1.34.0/0.59.0

v1.0.1

Compare Source

This is a bug fix release addressing the following issues:

• build(go): bump to 1.23.5 (authored by @​srenatus).
  Addressing CVE-2024-45341 and CVE-2024-45336 vulnerabilities in the Go runtime.
• bundle: Add info about the correct rego version to parse modules on the store, co-authored by @​ashutosh-narkar and @​johanfylling in #​7278.
  Fixing an issue where the rego-version for individual modules was lost during bundle deactivation (bundle lifecycle) if this version diverged from the active runtime rego-version.
  This could cause reloading of v0 bundles to fail when OPA was not running with the --v0-compatible flag.

v1.0.0

Compare Source

NOTES:

• The minimum version of Go required to build the OPA module is 1.22

We are excited to announce OPA 1.0, a milestone release consolidating an improved developer experience for the future of Policy as Code. The release makes new functionality designed to simplify policy writing and improve the language's consistency the default.

Changes to Rego in OPA 1.0

Below we highlight some key changes to the defaults in OPA 1.0:

• Using if for all rule definitions and contains for multi-value rules is now mandatory, not just when using the rego.v1 import.
• Other new keywords (every, in) are available without any imports.
• Some requirements that were previously only run in "strict mode" (opa check --strict) are now the default. Duplicate imports and imports which shadow each other are no longer allowed.
• OPA 1.0 comes with a range of backwards compatibility features to aid your migrations, please see the v0 compatibility guide
  if you must continue to support v0 Rego.

Read more about the OPA 1.0 announcement here on our blog.

Following are other changes that are included in OPA 1.0.

Improvements to memory allocations

PRs #​7172, #​7190, #​7193, #​7165, #​7168, #​7191 & #​7222 together improve the memory performance of OPA. Key strategies
include reusing pointers and optimizing array and object operations, minimizing intermediate object creation, and using sync.Pool
to manage memory-heavy operations. These changes cumulatively greatly reduced the number of allocations and improved
evaluation speed by 10-20%. Additional benchmarks highlighted significant memory and speed improvements in custom
function evaluation.

Authored by @​anderseknert.

Wrap http.RoundTripper for SDK users

PR #​7180 adds an EvalHTTPRoundTrip EvalOption and query-level WithHTTPRoundTrip option.
Both use a new function type which converts an http.Transport configured by topdown to an http.RoundTripper.
This supports use cases requiring the customization of the http.send built in behavior.

Authored by @​evankanderson.

Improvements to scientific notation parsing in units.parse

PR #​7147 extends the behaviour of extractNumAndUnit to support
scientific notation values. This means values such as 1e3KB can now be handled by this function.

Authored by @​berdanA.

Support customized buckets bundle_loading_duration_ns metric

PR #​7156 extends OPA’s Prometheus configuration to allow the
setting of user defined buckets for metrics. This aids when debugging the loading of slow bundles.

Authored by @​jwu730-1.

Test suite performance improvements

PR #​7126 updates tests to improve performance. Topdown and storage/disk/
tests now run around 50% and 75% faster respectively.

Authored by @​philipaconrad.

OPA 1.0 Preparation

• Update v1 capabilities by @​johanfylling in #​7216
• v1 API by @​johanfylling in #​7215
• Updating formatter to not drop rego.v1 and future.keywords imports for v1 by @​johanfylling in #​7224
• Update docs and server binding address per OPA 1.0 specs by @​ashutosh-narkar & @​charlieegan3 in #​7140
• Renaming --rego-v1 cmd flag to --v0-v1 by @​johanfylling in #​7225

Topdown and Rego

• Provide a more useful error message when there are conflicting default rules by @​tjons in #​7164
• Fix test flakes in topdown/cache by @​evankanderson in #​7188
• Add description to all built-in function args and return values by @​anderseknert in #​7153
• Built-in function to_number now rejects "Inf", "Infinity" and "NaN" values by @​sikehish in #​7203
• Update eval_cancel_error logic to separate context canceled, timeout errors by @​mchitten in #​7202

Runtime, Tooling, SDK

• Respect runtime rego-version in RESTful policy API by @​johanfylling in #​7183
• Debugger: allow YAML to be used as input by @​anderseknert in #​7178
• opa build: provide an option to preserve print statements for the "wasm" target (#​7194) by @​me-viper in #​7195
• Fix improper formatter behavior when comprehension contains comment by @​tjons in #​7169
• runtime: send version report less often when OPA long-running by @​srenatus in #​7211
• opa eval: Return error if illegal arguments passed with --unknowns flag by @​kd-labs in #​7149
• Enable direct error handling for bundle plugin trigger method by @​torwunder in #​7143

Docs, Website, Ecosystem

• Add VodafoneZiggo as adopters by @​Parsifal-M in #​7154
• Add opa-java-wasm to docs by @​andreaTP in #​7199

Dependency Updates

• (build) golangci-lint: v1.59.1 -> v1.60.1 by @​srenatus in #​7175
• github.com/containerd/containerd: v1.7.23 -> v1.7.24
• github.com/fsnotify/fsnotify: v1.7.0 -> v1.8.0
• golang.org/x/net: v0.30.0 -> v0.33.0
• golang.org/x/time: v0.7.0 -> v0.8.0
• google.golang.org/grpc: v1.67.1 -> v1.69.2
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.53.0 -> v0.58.0
• go.opentelemetry.io/otel: v1.28.0 -> v1.33.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.28.0 -> v1.33.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.28.0 -> v1.33.0
• go.opentelemetry.io/otel/sdk: v1.28.0 -> v1.33.0
• go.opentelemetry.io/otel/trace: v1.28.0 -> v1.33.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: module github.com/open-policy-agent/opa@v1.4.0 requires go >= 1.23.8; switching to go1.25.8
go: downloading go1.25.8 (linux/amd64)
go: downloading github.com/BurntSushi/toml v1.4.0
go: downloading github.com/spf13/afero v1.12.0
go: downloading github.com/spf13/cobra v1.9.1
go: downloading golang.org/x/mod v0.22.0
go: downloading github.com/stretchr/testify v1.10.0
go: downloading github.com/aws/aws-sdk-go-v2/config v1.28.6
go: downloading github.com/aws/aws-sdk-go-v2 v1.32.6
go: downloading github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.43
go: downloading github.com/aws/aws-sdk-go-v2/service/ec2 v1.195.0
go: downloading github.com/aws/aws-sdk-go-v2/service/s3 v1.71.0
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.33.2
go: downloading github.com/aws/smithy-go v1.22.1
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0
go: downloading dario.cat/mergo v1.0.1
go: downloading github.com/open-policy-agent/opa v1.4.0
go: downloading cloud.google.com/go/compute v1.29.0
go: downloading cloud.google.com/go v0.116.0
go: downloading cloud.google.com/go/storage v1.49.0
go: downloading github.com/googleapis/gax-go/v2 v2.14.1
go: downloading go.uber.org/goleak v1.3.0
go: downloading github.com/foxboron/go-uefi v0.0.0-20241017190036-fab4fdf2f2f3
go: downloading golang.org/x/text v0.23.0
go: downloading github.com/gophercloud/gophercloud v1.14.1
go: downloading github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/spf13/pflag v1.0.6
go: downloading github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.17.47
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21
go: downloading github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.24.7
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6
go: downloading github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7
go: downloading github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.25
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.6
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.6
go: downloading github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0
go: downloading golang.org/x/net v0.38.0
go: downloading github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2
go: downloading golang.org/x/crypto v0.36.0
go: downloading google.golang.org/api v0.215.0
go: downloading google.golang.org/grpc v1.71.1
go: downloading google.golang.org/protobuf v1.36.6
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a
go: downloading google.golang.org/genproto v0.0.0-20241118233622-e639e219e697
go: downloading cloud.google.com/go/compute/metadata v0.6.0
go: downloading cloud.google.com/go/iam v1.2.2
go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1
go: downloading github.com/google/uuid v1.6.0
go: downloading go.opentelemetry.io/contrib/detectors/gcp v1.34.0
go: downloading go.opentelemetry.io/otel v1.35.0
go: downloading go.opentelemetry.io/otel/sdk/metric v1.35.0
go: downloading go.opentelemetry.io/otel/sdk v1.35.0
go: downloading golang.org/x/oauth2 v0.25.0
go: downloading google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/hashicorp/go-uuid v1.0.3
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25
go: downloading github.com/kylelemons/godebug v1.1.0
go: downloading github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
go: downloading github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
go: downloading github.com/gobwas/glob v0.2.3
go: downloading github.com/tchap/go-patricia/v2 v2.3.2
go: downloading github.com/yashtewari/glob-intersection v0.2.0
go: downloading sigs.k8s.io/yaml v1.4.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a
go: downloading cloud.google.com/go/auth v0.13.0
go: downloading cloud.google.com/go/auth/oauth2adapt v0.2.6
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0
go: downloading golang.org/x/sys v0.31.0
go: downloading go.opencensus.io v0.24.0
go: downloading go.opentelemetry.io/otel/trace v1.35.0
go: downloading cloud.google.com/go/monitoring v1.21.2
go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1
go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0
go: downloading go.opentelemetry.io/otel/metric v1.35.0
go: downloading github.com/mitchellh/go-homedir v1.1.0
go: downloading github.com/golang-jwt/jwt/v5 v5.2.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading github.com/gorilla/mux v1.8.1
go: downloading github.com/prometheus/client_golang v1.21.1
go: downloading github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415
go: downloading github.com/agnivade/levenshtein v1.2.1
go: downloading github.com/google/s2a-go v0.1.8
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.4
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading github.com/go-logr/logr v1.4.2
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0
go: downloading golang.org/x/time v0.11.0
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading go.opentelemetry.io/auto/sdk v1.1.0
go: downloading github.com/envoyproxy/go-control-plane v0.13.4
go: downloading github.com/envoyproxy/go-control-plane/envoy v1.32.4
go: downloading github.com/sirupsen/logrus v1.9.3
go: downloading github.com/go-ini/ini v1.67.0
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/prometheus/client_model v0.6.1
go: downloading github.com/prometheus/common v0.62.0
go: downloading github.com/prometheus/procfs v0.15.1
go: downloading github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb
go: downloading github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3
go: downloading github.com/envoyproxy/protoc-gen-validate v1.2.1
go: downloading github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading cel.dev/expr v0.19.1
go: downloading golang.org/x/sync v0.12.0
go: downloading google.golang.org/grpc v1.80.0
go: downloading google.golang.org/grpc/stats/opentelemetry v0.0.0-20241028142157-ada6787961b3
go: github.com/edgelesssys/uplosi/gcp imports
	cloud.google.com/go/storage imports
	google.golang.org/grpc/stats/opentelemetry: ambiguous import: found package google.golang.org/grpc/stats/opentelemetry in multiple modules:
	google.golang.org/grpc v1.71.1 (/runner/cache/others/go/pkg/mod/google.golang.org/grpc@v1.71.1/stats/opentelemetry)
	google.golang.org/grpc/stats/opentelemetry v0.0.0-20241028142157-ada6787961b3 (/runner/cache/others/go/pkg/mod/google.golang.org/grpc/stats/opentelemetry@v0.0.0-20241028142157-ada6787961b3)
go: module github.com/aws/aws-sdk-go-v2/feature/s3/manager is deprecated: superceded by feature/s3/transfermanager. See https://github.com/aws/aws-sdk-go-v2/discussions/3306