This release keeps dependencies and maintenance posture current for teams operating this tool.
✓ No known CVEs patched in this version
Topics
ReleasePort's take
Light signalsource-controller v1.8.5 provides container images for linux/amd64, linux/arm64, and linux/arm/v7. Images are signed with cosign and GitHub OIDC, providing SLSA level 3 provenance.
Why it matters: Container image provenance verification enables compliance validation for flux deployments across platforms; routine upgrade, no immediate action required.
Summary
AI summaryMinor fixes and improvements.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium |
Container images are signed with cosign and GitHub OIDC, providing SLSA level 3 provenance. Container images are signed with cosign and GitHub OIDC, providing SLSA level 3 provenance. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Other | Medium |
v1.8.5 container images are available for linux/amd64, linux/arm64, and linux/arm/v7. v1.8.5 container images are available for linux/amd64, linux/arm64, and linux/arm/v7. Source: llm_adapter@2026-05-21 Confidence: low |
— |
Full changelog
Changelog
Container images
docker.io/fluxcd/source-controller:v1.8.5ghcr.io/fluxcd/source-controller:v1.8.5
Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.
The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
To verify the images and their provenance (SLSA level 3), please see the security documentation.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Related tools
Beta — feedback welcome: [email protected]