doco-cd

v0.90.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 10h ago, Deployment Automation

Topics: ci-cd, devops, docker, docker-swarm, doco-cd, gitops, swarm-mode, webhook

Affected surfaces: auth, rbac

ReleasePort's take (moderate signal; editorial: auto, 7h ago)

Release v0.90.1 fixes an OCI artifact signature verification bypass vulnerability (GHSA-5rv3-qpp3-6jp5).

Why it matters: the fix resolves a critical signature-verification bypass; operators using the OCI deployment pipeline must upgrade immediately.

Summary

AI summary

Updates πŸ› Bug Fixes, πŸ“¦ Dependencies, and πŸ“š Miscellaneous across a mixed release.

Changes in this release

Security (Critical)

Fixes OCI artifact signature verification bypass vulnerability (GHSA-5rv3-qpp3-6jp5).

Source: llm_adapter@2026-06-03

Confidence: high

—

Dependency (Low)

Updates github.com/bitwarden/sdk-go/v2 to version 2.1.0.

Source: llm_adapter@2026-06-03

Confidence: high

—

Bugfix (Medium)

Prevents policy downgrades when global OCI trust policy is enabled.

Source: llm_adapter@2026-06-03

Confidence: low

—
Full changelog

What's Changed

Fixed OCI Artifact security vulnerability

When global OCI signature verification was enabled via OCI_TRUST_POLICY (enabled: true), an attacker with write access to the configured OCI tag could publish an unsigned or improperly signed artifact containing .doco-cd.yml with oci.verify: false. This could cause signature verification to be bypassed and untrusted deployment content to be applied.

This primarily impacts users deploying from OCI artifacts where deployment config is read from artifact contents (for example, poll/webhook flows without trusted inline deployment overrides).

This release fixes the vulnerability by enforcing a strict trust boundary and no-downgrade behavior:

  1. Artifact-contained .doco-cd.yml is treated as untrusted for OCI trust-policy override decisions.
  2. If global OCI_TRUST_POLICY.enabled is true, per-deployment oci.verify: false cannot disable verification.
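As an added illustration, not doco-cd's own code, the following Go sketch contrasts the pre-fix policy merge, in which any per-deployment oci.verify value overrode the global OCI_TRUST_POLICY, with the no-downgrade merge the two rules above describe. The type and function names, and the explicit artifact-versus-inline source flag, are assumptions made for this example.

```go
package main

import "fmt"

// ConfigSource records where a per-deployment config came from. The types
// and names here are illustrative for this example, not doco-cd's own API.
type ConfigSource int

const (
	SourceArtifact ConfigSource = iota // .doco-cd.yml read out of the OCI artifact itself
	SourceInline                       // trusted inline deployment override from the operator
)

// GlobalTrustPolicy models OCI_TRUST_POLICY; only its enabled flag matters here.
type GlobalTrustPolicy struct{ Enabled bool }

// DeploymentOCI models the per-deployment oci section; Verify is nil when unset.
type DeploymentOCI struct {
	Verify *bool
	Source ConfigSource
}

// vulnerableEffectiveVerify mirrors the pre-fix behaviour the advisory describes:
// any per-deployment oci.verify value wins, so an artifact carrying
// oci.verify: false switches verification off.
func vulnerableEffectiveVerify(g GlobalTrustPolicy, d DeploymentOCI) bool {
	if d.Verify != nil {
		return *d.Verify
	}
	return g.Enabled
}

// fixedEffectiveVerify applies the release-note rules: artifact content is untrusted
// for override decisions, and a globally enabled policy is a floor no deployment can lower.
func fixedEffectiveVerify(g GlobalTrustPolicy, d DeploymentOCI) bool {
	if g.Enabled {
		return true // no-downgrade: ignore oci.verify: false wherever it came from
	}
	if d.Verify == nil || d.Source == SourceArtifact {
		return false // unset, or untrusted artifact config: the global (disabled) policy stands
	}
	return *d.Verify // trusted inline override may opt a deployment in
}

func main() {
	f := false
	attack := DeploymentOCI{Verify: &f, Source: SourceArtifact} // constructed attacker config
	g := GlobalTrustPolicy{Enabled: true}
	fmt.Println(vulnerableEffectiveVerify(g, attack), fixedEffectiveVerify(g, attack)) // false true
}
```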

Thanks to @strayer for finding and reporting the vulnerability! :heart:

πŸ› Bug Fixes

  • fix(oci): prevent policy downgrades when trust policy is enabled globally by @kimdre in https://github.com/kimdre/doco-cd/pull/1407

📦 Dependencies

  • fix(deps): update module github.com/bitwarden/sdk-go/v2 to v2.1.0 by @renovate[bot] in https://github.com/kimdre/doco-cd/pull/1404

📚 Miscellaneous

  • feat(docs): add test to verify documentation by @kimdre in https://github.com/kimdre/doco-cd/pull/1406

Full Changelog: https://github.com/kimdre/doco-cd/compare/v0.90.0...v0.90.1

Security Fixes

  • GHSA-5rv3-qpp3-6jp5 — Prevents bypass of OCI signature verification when `OCI_TRUST_POLICY.enabled: true` and per-deployment `oci.verify: false` is set.


About doco-cd

Docker Compose Continuous Deployment


Related context

Earlier breaking changes

  • v0.89.0: Deployment now requires a .doco-cd.yml config file.
