This release keeps dependencies and maintenance posture current for teams operating this tool.
✓ No known CVEs patched in this version
Summary
AI summaryUpdates deps, maven, and docker across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Dependency | Medium |
Bumps actions group dependencies across 1 directory with 2 updates. Bumps actions group dependencies across 1 directory with 2 updates. Source: llm_adapter@2026-05-25 Confidence: low |
— |
| Dependency | Medium |
Updates go-git/v5 from 5.18.0 to 5.19.1. Updates go-git/v5 from 5.18.0 to 5.19.1. Source: llm_adapter@2026-05-25 Confidence: low |
— |
| Dependency | Medium |
Bumps gomod group dependencies across 1 directory with 11 updates. Bumps gomod group dependencies across 1 directory with 11 updates. Source: llm_adapter@2026-05-25 Confidence: low |
— |
| Bugfix | Medium |
Mirrors Maven Central only, no longer all repositories. Mirrors Maven Central only, no longer all repositories. Source: llm_adapter@2026-05-25 Confidence: high |
— |
| Bugfix | Medium |
Uses per-invocation unique Docker image tag to avoid concurrent race. Uses per-invocation unique Docker image tag to avoid concurrent race. Source: llm_adapter@2026-05-25 Confidence: high |
— |
| Bugfix | Medium |
Skips ELF stripping for non‑native platforms in pipelines/strip. Skips ELF stripping for non‑native platforms in pipelines/strip. Source: llm_adapter@2026-05-25 Confidence: high |
— |
Full changelog
What's Changed
- fix(maven): mirror only Maven Central, not all repositories by @xnox in https://github.com/chainguard-dev/melange/pull/2524
- build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in https://github.com/chainguard-dev/melange/pull/2534
- build(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.1 by @dependabot[bot] in https://github.com/chainguard-dev/melange/pull/2536
- fix(docker): use per-invocation unique image tag to avoid concurrent race by @dustinkirkland in https://github.com/chainguard-dev/melange/pull/2532
- build(deps): bump the gomod group across 1 directory with 11 updates by @dependabot[bot] in https://github.com/chainguard-dev/melange/pull/2541
- fix(pipelines/strip): Don't try to strip ELFs for non-native platforms by @EyeCantCU in https://github.com/chainguard-dev/melange/pull/2542
New Contributors
- @dustinkirkland made their first contribution in https://github.com/chainguard-dev/melange/pull/2532
Full Changelog: https://github.com/chainguard-dev/melange/compare/v0.50.7...v0.50.8
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Beta — feedback welcome: [email protected]