Update dependency open-policy-agent/opa to v1.14.0

[renovate]

This PR contains the following updates:

Package	Update	Change
open-policy-agent/opa	minor	v1.11.0 → v1.14.0

---

Release Notes

open-policy-agent/opa (open-policy-agent/opa)

v1.14.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Improved rule indexing of variable assignments and x in {...} expressions
• Support for --h2c with unix domain socket for opa run
• A new glossary tooltip for technical terms in the docs
• Fixes published in the v1.13.1 and v1.13.2 releases

Improved rule indexing of variable assignments and x in {...} expressions (#​1841)

With this change, the rule indexer will index expressions like:

allow if input.role in {"admin", "user"}

On lookup, the rule body will only be returned if input.role is either one of "admin" or "user".

The reverse case is also indexed:

allow if "admin" in input.roles

in which the searched collection is unknown.

Authored by @​srenatus reported by @​nischalsheth

Runtime, SDK, Tooling

• cmd,run: Support --h2c with unix domain socket (UDS) (#​8282) authored by @​srenatus reported by @​theJC
• cmd,tester: Add line number next to test file in pretty format (#​8328) authored by @​sspaink reported by @​anderseknert
• plugins: Fix race accessing registeredTriggers (#​8363) reported and authored by @​szuecs
• rego: Add ResultValue[T]() helper method (#​8320) authored by @​srenatus
• runtime: Add custom storage backend registration API (#​8277) authored and reported by @​alex60217101990
• topdown: Add config option to disable named inter-query built-in cache (#​7519) authored by @​sspaink reported by @​johanfylling

Compiler, Topdown and Rego

• ast: Add index else == nil test, fix it (#​8348) authored by @​srenatus

• ast: Add scaffolding to introspect and skip compiler stages (#​8304) (authored by @​srenatus)

• ast: Ensure term values implement ast.StringLengther (#​8374) authored by @​charlieegan3

• ast: Fix double-fix for refs["with-a"].dash as package (#​8286) authored by @​srenatus

• ast: Optimized template-expression handling of values known to be defined (#​8310) authored by @​anderseknert

• ast: Put rule indices into rule tree, change Values to []*Rule (#​8298) authored by @​srenatus

• ast: Replace true expr when appending to empty body (#​8299) authored by @​anderseknert

• ast: Return correct location of unsafe var in object (#​7935) authored by @​sspaink reported by @​anderseknert

• ast: Use StageID in WithStageAfterID, also for QueryCompiler (follow-up) (#​8306) authored by @​srenatus

• compile: Add StringLength to lazy object (#​8369) authored by @​charlieegan3 reported by @​robmyersrobmyers

• parser: Add test to verify filename interning in Location (#​8322) authored by @​anderseknert

• perf: Allocate less in array unification (#​8351) authored by @​anderseknert

• perf: Various minor eval performance tweaks (#​8290) authored by @​anderseknert

• perf: json.patch + interning improvements (#​8289) authored by @​anderseknert

• topdown: Optimize bindings allocation with dynamic pre-sizing (#​7266) authored by @​alex60217101990

• topdown: Preserve original package name with special characters in optimized builds (#​8284) authored by @​sspaink reported by @​at50989

• wasm: Updates (LLVM+tools) (#​8295) authored by @​srenatus

Docs, Website, Ecosystem

• docs: Add examples to glob.match built-in documentation (#​8252) authored by @​sibasispadhi reported by @​anderseknert
• docs: Add workflow to auto update Regal docs (#​8318) authored by @​charlieegan3
• docs: Document metrics for http.send, regex, and glob built-ins (#​6730) authored by @​anivar reported by @​rudrakhp
• docs: Fix json.patch target description (#​8271) authored by @​anderseknert
• docs: Update broken links (#​8285) authored by @​charlieegan3
• docs: Update bundle signing docs to clarify key config (#​8307) authored by @​charlieegan3
• docs: Update faulty example using bundle optimize (#​5379) authored by @​sspaink reported by @​bluebrown
• docs: Update interface{} -> any in golang snippets (#​8373) authored by @​srenatus
• docs/website: Add a new KubeCon event page (#​8311) authored by @​charlieegan3
• docs/website: Add formatting and linting checks (#​8288) authored by @​charlieegan3
• docs/website: Allow Regal import to use local dir (#​8312) authored by @​charlieegan3
• docs/website: Implement new GlossaryTooltip component (#​8367) authored by @​charlieegan3
• docs/website: Markdown linting and spell checking for documentation (#​8292) authored by @​charlieegan3
• docs/website: Redirect /docs/latest/ecosystem (#​8315) authored by @​charlieegan3 reported by @​tweekSun1

Miscellaneous

• maintainers: Moving nilekhc to emeritus, and renew maintainer terms (#​8276) authored by @​JaydipGabani
• ast: Add public method to extend the compliance test cases with IR plans (#​7556) authored by @​sspaink reported by @​shomron
• ast: Tiny nitpicky cleanup (#​8309) authored by @​srenatus
• chore: Clean up bundle storage tests (#​8267) authored by @​anderseknert
• chore: Remove unnecessary comment from bundle JWT verification impl (#​8354) authored by @​johanfylling
• ci: Bump golangci-lint (v2.9.0), fix issues (#​8314) authored by @​srenatus
• ci: Harden and update all GH Actions workflows (#​8356, #​8377, #​8368 authored by @​philipaconrad and @​srenatus
• go: Cleanup old build flags (#​8314) authored by @​srenatus
• rego: Remove superfluous package import of plugins (#​6754) authored by @​srenatus reported by @​oxisto
• tests: Extract runtime Info to new package (#​8362) authored by @​charlieegan3
• tests: Fix BenchmarkFunctionArgumentCounts query (#​8327) authored by @​alex60217101990
• tests: Disable rule indexing for benchmark (#​8375) authored by @​srenatus
• workflows: Add nightly vuln checks for released versions/images (#​8336 #​8339) authored by @​srenatus
• Dependency updates; notably:
  • build: bump golang from 1.25.6 to 1.26.0
  • build(deps): build(deps): bump go.opentelemetry.io deps from 1.39.0/0.64.0 to 1.40.0/0.65.0
    Applying fix for GHSA-9h8m-3fm2-qjrq
  • build(deps): bump github.com/dgraph-io/badger/v4 from 4.9.0 to 4.9.1
  • build(deps): bump github.com/huandu/go-sqlbuilder from 1.39.0 to 1.39.1
  • build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0
  • build(deps): bump golang.org/x/text from 0.33.0 to 0.34.0
  • build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1
  • build(deps): bump go.opentelemetry.io deps from 1.39.0/0.64.0 to 1.40.0/0.65.0

v1.13.2

Compare Source

This release updates the version of Go used to build the OPA binaries and images to 1.25.7.
That version of the Go standard library contains a fix for GO-2026-4337.

Full Changelog: open-policy-agent/opa@v1.13.1...v1.13.2

v1.13.1

Compare Source

v1.13.1

This bug fix release addresses an issue found in the new array.flatten built-in function

• Fix issue in array.flatten handling of single item arrays (#​8273) (#​8272) authored by @​anderseknert

v1.13.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new immediate upload trigger mode in the Decision Logger
• A new array.flatten built-in function
• Numerous performance improvements

Immediate Upload Trigger Mode in Decision Logger (#​8110)

An immediate trigger mode has been added to the Decision Logger; enabled by setting the decision_logs.reporting.trigger configuration option to immediate.
When enabled, log events are pushed to the log service as soon as the configured upload chunk size criteria is met; or, at latest, when the configured upload delay is reached.

Authored by @​sspaink

Runtime, SDK, Tooling

• cmd/fmt: Do not overwrite file on fmt without changes (#​8222) authored by @​Loic-R
• cmd/test: Enable sorting JSON test results by duration (#​7444) authored by @​sspaink
• profiler: nil *Profiler should not report Enabled() (#​8256) authored by @​anderseknert
• rego: Add Data function to simplify adding data from map (#​5961) authored by @​majiayu000 reported by @​anderseknert
• runtime: Correct naming & docs for version checking (#​8191) authored by @​charlieegan3

Compiler, Topdown and Rego

• ast: Body.String() doesn't panic on empty body (#​8244) authored by @​srenatus
• ast: Improve type error message when referencing functions (#​6840) authored by @​sspaink
• ast: Type Checker recognizes when a variable has multiple assignments but is an undefined function (#​7463) authored by @​sspaink reported by @​anderseknert
• ast/parser: Avoid duplicate loc copies (#​8142) authored by @​srenatus
• topdown: Add array.flatten built-in function (#​8226) authored by @​anderseknert
• topdown: Fix issue where numbers.range_step built-in could erroneously return undefined value (#​8194) authored by @​thevilledev
• topdown: Remove hard-coded missing key error in strings.render_template built-in (#​7931) authored by @​colinjlacy reported by @​anderseknert
• topdown: Re-introduce cancellation-awareness for regex.replace built-in (#​8179) authored by @​srenatus
  from having been reverted in v1.12.1
• topdown: Support arrays as input for json.match_schema (#​6615) authored by @​sspaink reported by @​mscudlik

Performance

• ast: Improved annotations parsing (#​8210) authored by @​anderseknert
• ast: Reinstate zero-alloc paths in Ref.String() (#​8202) authored by @​anderseknert
• ast: Replace regex implementation in IsVarCompatibleString (#​8164) authored by @​anderseknert
• ast: Optimize Set.Intersect and Set.Diff (#​8167) authored by @​thevilledev
• ast: Optimize Set.Union (#​8172) authored by @​thevilledev
• ast: Reduce allocations in Expr.MarshalJSON (#​8204) authored by @​thevilledev
• ast: Reduce allocations in Rule.MarshalJSON (#​8205) authored by @​thevilledev
• ast: Reduce allocations in Term.MarshalJSON (#​8200) authored by @​thevilledev
• ast: Reduce allocations in With.MarshalJSON (#​8206) authored by @​thevilledev
• perf: String() implementations using appenders (#​8192) authored by @​anderseknert
• topdown: Avoid redundancy in builtinTrim (#​8237) authored by @​thevilledev
• topdown: Eliminate closure allocations in Set and virtual doc enumeration (#​8242) authored by @​alex60217101990
• topdown: Fast paths for array.reverse (#​8177) authored by @​thevilledev
• topdown: Optimize json.remove and json.filter (#​8193) authored by @​thevilledev
• topdown: Optimize object built-ins (#​8175) authored by @​thevilledev
• topdown: Optimize union built-in (#​8173) authored by @​thevilledev
• topdown: Pre-alloc in various built-ins (#​8198) authored by @​thevilledev
• topdown: Reduce allocs in float sum/product (#​8235) authored by @​thevilledev
• topdown: Skip set copy in getObjectKeysParam (#​8176) authored by @​thevilledev

Docs, Website, Ecosystem

• docs: Add authz-spring-boot-starter to Spring Security API ecosystem entry (#​8234) authored by @​francois-eckert
• docs: Add header for crypto example to make (#​8259) authored by @​charlieegan3
• docs: Add notes for automated agents (#​8147, #​8203) authored by @​charlieegan3
• docs: Add opa-wasm-zig to the ecosystem (#​8163) authored by @​burdzwastaken
• docs: Add scripts to import docs from source (#​8148) authored by @​charlieegan3
• docs: Explain how to use the SDK without a initialising a server (#​8248) authored by @​andrewcameronsims
• docs: Fix a number of redirecting links (#​8165 authored by @​charlieegan3
• docs: Fix template-expression examples (#​8199) authored by @​johanfylling
• docs/ocp: Mention source prefix/path options (#​8238) authored by @​srenatus
• website: Add redirect section for immutable referrers (#​8262) authored by @​charlieegan3 reported by @​KraLeoD
• website: Display 2025 survey results on the website (#​8258) authored by @​charlieegan3
• website: Show breadcrumbs in search results (#​8207) authored by @​charlieegan3

Miscellaneous

• Decoupled the Rego job check from the Go job checks in the Github PR workflow (#​8203) authored by @​SeanLedford
• build: Format pr_check.rego with opa fmt (#​8201) authored by @​thevilledev
• build: Migrate PR check to OPA policy (#​8183) authored by @​SeanLedford
• build: Run go get against main to spot redacted (#​8146) authored by @​charlieegan3
• deps: Switch to maintained go.yaml.in/yaml/v3 yaml library (#​8182) authored by @​mrueg
• test/cases: Increase yaml test coverage for some regex and string builtins (#​8152) authored by @​srenatus
• Dependency updates; notably:
  • build: bump golang from 1.25.5 to 1.25.6 (#​8224) authored by @​srenatus
  • build(deps): bump go.opentelemetry.io deps from 1.38.0/0.63.0 to 1.39.0/0.64.0
  • build(deps): bump klauspost/compress from v1.18.1 to v1.18.2 (#​8184) authored by @​srenatus
    because of redaction warning
  • build(deps): bump github.com/go-ini/ini from v1.67.0 to gopkg.in/ini.v1 v1.67.1 (#​8208) authored by @​gabrpt

v1.12.3

Compare Source

v1.12.3

This is a bug fix release addressing two issues:

Bundle polling is being misconfigured when discovery bundle is updated (#​8215)

This is an issue where the polling interval for discovery (discovery.polling.min_delay_seconds and discovery.polling.max_delay_seconds) were misinterpreted on reconfiguration, causing extremely long update intervals.

Reported by @​loganmiller-chime, authored by @​sspaink

Decision log size buffer buffer_size_limit_bytes misconfigured during reconfiguration (#​8213)

This is a regression in the decision log, where the decision_logs.reporting.buffer_size_limit_bytes was mistakenly assigned the value of decision_logs.reporting.upload_size_limit_bytes during reconfiguration.
This issue is only present when decision_logs.reporting.buffer_type is set to size, which is the default value.

Authored by @​sspaink

v1.12.2

Compare Source

This bug fix release address issues found in the new string interpolation feature

• Add (*TemplateString).Copy() method (#​8159) authored by @​anderseknert
• Fix template string not serialized with escaped { (#​8161)
  authored by @​anderseknert
• fix(ast): skip template string vars in ref safety (#​8174)
  authored by @​thevilledev
• fix(ast): use original var names in template error (#​8180)
  authored by @​thevilledev

v1.12.1

Compare Source

This bug fix release reverts a change to regex.replace that unintentionally changed its behaviour for anchored regular expressions.

• Revert "topdown: make regex.replace respect cancellation" (authored by @​srenatus)

v1.12.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Support for String Interpolation in the Rego language
• Faster compilation and runtime
• Fixes published in the v1.11.1 release

String Interpolation (#​4733)

The Rego language has been extended to support String Interpolation,
which provides a readable means to compose strings containing dynamic values determined at evaluation time.

An interpolated string is composed of a template-string containing zero or more template-expressions that evaluates to a value at evaluation time.
The $ character prefix identifies a template-string, and template-expressions are declared by being enclosed in curly-braces ({, }).

Additionally, undefined template-expression values don't halt evaluation; instead, <undefined> will be injected into the generated string.

package interpolation

allowed_roles := ["admin", "employee"]

default role := "guest"
role := input.role

deny contains $"User {input.username}'s role was '{role}', but must be one of {allowed_roles}" if {
  not role in allowed_roles
}

{
  "deny": [
    "User <undefined>'s role was 'guest', but must be one of [\"admin\", \"employee\"]"
  ],
}

String interpolation is a more readable and less error-prone substitute for the sprintf built-in function.

Authored by @​johanfylling reported by @​anderseknert

[!TIP]
Help us out!

New Rego language features are exciting, and we want to maximize their usefulness. If you come across tools and integrations in the community where string interpolation isn't properly handled, such as syntax highlighting, please reach out and let us know.

Runtime, SDK, Tooling

• oracle: Refactor Oracle better support some and every (#​8105, #​8131, #​8138) authored by @​charlieegan3
• plugins/bundle: Prevent ns-level polling by validating intervals (#​8082) authored by @​jjhwan-h
• plugins/discovery: Initialize plugins before downloading (#​8071) authored by @​jt28828
• topdown: Introduce sink for context cancellation
  • topdown: Make regex.replace respect cancellation (#​8089) authored by @​srenatus
  • topdown: Make replace and strings.replace_n respect cancellation (#​8089) authored by @​srenatus
  • topdown: Use sink for concat (#​8090) authored by @​srenatus
  • perf: Avoid extra allocation in sink if no cancel (#​8104) authored by @​anderseknert

Compiler, Topdown and Rego

• ast/compile: Deal with error limit without panic/defer (#​8087) authored by @​srenatus
• ast/parser: Check if we need to unescape at all (#​8135) authored by @​srenatus
• perf: Improved visitor implementation (10% faster compilation) (#​8078) authored by @​anderseknert
• perf: Reduce allocations handling terms (#​8116) authored by @​anderseknert
• perf: Type-checker performance improvements (#​8143) authored by @​anderseknert

Docs, Website, Ecosystem

• website: Add support for rego string interpolation syntax highlighting (#​8092) authored by @​charlieegan3
• docs/ocp: Update "concepts" for v0.3.0 (#​8117) authored by @​srenatus
• website: Show playground errors (#​8141) authored by @​charlieegan3
• website: Update a number of links to their new location (#​8100) authored by @​charlieegan3
• docs: Remove link to feedback form (#​8101) authored by @​charlieegan3
• website: Remove survey bar (#​8136) authored by @​charlieegan3
• docs: Update community contacts (#​8108) authored by @​charlieegan3

Miscellaneous

• ast/checks_test: Fix flaky tests (#​8111) authored by @​srenatus
• benchmarks: Install node v24 (#​8122) authored by @​srenatus
• download: Fix when compiling with tag opa_no_oci (#​8070) authored by @​srenatus reported by @​mg0083
• tests: Race in TestStatusUpdateBuffer (#​8133) authored by @​thevilledev
• workflow: Integrate benchmarks notebook (#​8121) authored by @​srenatus
• workflows: Skip all tests in benchmarks run (#​8086) authored by @​srenatus
• Dependency updates; notably:
  • build: Bump golang from 1.25.4 to 1.25.5 (#​8107) authored by @​srenatus
  • build(deps): Bump google.golang.org/grpc from 1.76.0 to 1.77.0

v1.11.1

Compare Source

This is a bugfix release:

Memory exhaustion via forged gzip header

A crafted HTTP request any of OPA's HTTP endpoints would lead OPA to use a large amount of memory, triggering
an out-of-memory process exit.

This weakness in OPA's HTTP API gzip handling is as old as the gzip handling itself. A configurable limit was introduced in v0.67.0, but it has been shown that this security measure wasn't sufficient to avoid running out of memory in memory-constrained setups.

Thanks to @​thevilledev for reporting and fixing this issue.

It only applies to OPA running as server (as a binary or in a container, as "sidecar"). To trigger an OOM process exit using this weakness, an adversary must be able to send an HTTP request directly to OPA. This would be the case if they are in the same network, there is no proxy in front of OPA, or if OPA was exposed to the internet, which is advised against.

By the nature of HTTP encodings, this would be effective before token-based authentication and authorization policies, so these measures do not protect against the attack vector.

If all OPA endpoints are using TLS-based authentication (mutual TLS, "mTLS"), then an adversary cannot do harm with this method.

Please note that while we're taking all of these issues seriously, OPA isn't designed for adversary environments. It's strongly advised not to expose any of its endpoints to the public internet. Furthermore, available security measures should be applied regardless, for a defense in depth approach. See the documentation for the available means of authentication and authorization in OPA.

Please also check out our Security Policy for reporting critical issues and bugs.

Decision Logs dropped (introduced in OPA v1.9.0)

When the decision logs buffer was uploaded, the buffer limit inadvertently got reset to the default upload limit (32kb).
This causes logs to be dropped that shouldn't have been dropped.

This default is overridden by the configuration value decision_logs.reporting.upload_size_limit_bytes, see the docs on decision logs.

There's a Prometheus metric for dropped events, counter_decision_logs_dropped_buffer_size_limit_bytes_exceeded,
and you can check that for unexpectedly high counts.

Reported by @​johanneslarsson #​8123, fixed by @​sspaink.

The release is otherwise identical to v1.11.0.

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.