versitygw

v1.5.0 Feature

This release adds 5 notable features for engineering teams evaluating rollout.

Published 2d Cloud Management

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

filesystem s3 s3-storage

Affected surfaces

auth rbac deps

Summary

AI summary

Add bucket metrics tag when request specifies a bucket.

Changes in this release

Type	Severity	Summary	CVE
Security	High	Reject AWS SigV2 authentication requests. Reject AWS SigV2 authentication requests. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Feature
Feature	Medium	Add bucket metrics tag when request specifies a bucket. Add bucket metrics tag when request specifies a bucket. Source: llm_adapter@2026-06-02 Confidence: high	—
Feature	Medium	Add custom route and middleware options. Add custom route and middleware options. Source: llm_adapter@2026-06-02 Confidence: high	—
Feature	Medium	Introduce ErrNoSpaceLeftOnDevice API error for ENOSPC. Introduce ErrNoSpaceLeftOnDevice API error for ENOSPC. Source: llm_adapter@2026-06-02 Confidence: high	—
Feature	Medium	Extract gateway runtime into embeddable package. Extract gateway runtime into embeddable package. Source: llm_adapter@2026-06-02 Confidence: high	—
Feature	Low	Perform global error refactoring. Perform global error refactoring. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Feature	Low	Replace webUI client‑side name filter with server‑side prefix filter. Replace webUI client‑side name filter with server‑side prefix filter. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Feature	Low	Support SHA512, MD5, XXHash3, XXHash64, and XXHash128 checksums for data integrity. Support SHA512, MD5, XXHash3, XXHash64, and XXHash128 checksums for data integrity. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Dependency
Dependency	Low	Bump azure-sdk-for-go/sdk/storage/azblob dependency. Bump azure-sdk-for-go/sdk/storage/azblob dependency. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade github.com/Azure/go-ntlmssp from 0.1.0 to 0.1.1. Upgrade github.com/Azure/go-ntlmssp from 0.1.0 to 0.1.1. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Update sigstore/cosign-installer from 4.1.1 to 4.1.2. Update sigstore/cosign-installer from 4.1.1 to 4.1.2. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Refresh dev‑dependencies group with 19 updates. Refresh dev‑dependencies group with 19 updates. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Refresh dev‑dependencies group with 7 updates. Refresh dev‑dependencies group with 7 updates. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Refresh dev‑dependencies group with 9 updates. Refresh dev‑dependencies group with 9 updates. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix
Bugfix	Medium	Apply CORS middleware to admin CreateBucket route. Apply CORS middleware to admin CreateBucket route. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Medium	Check PutObjectTagging/LegalHold/Retention permissions on PutObject, CopyObject, and CreateMultipartUpload. Check PutObjectTagging/LegalHold/Retention permissions on PutObject, CopyObject, and CreateMultipartUpload. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Medium	Enforce required SignedHeaders validation for SigV4 requests. Enforce required SignedHeaders validation for SigV4 requests. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Medium	Honor explicit public bucket policy deny rules. Honor explicit public bucket policy deny rules. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Fix connection early termination causing internal errors. Fix connection early termination causing internal errors. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Decode URL hash in webUI before parsing bucket/prefix. Decode URL hash in webUI before parsing bucket/prefix. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Expose x-amz-storage-class in CORS response headers. Expose x-amz-storage-class in CORS response headers. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Fix empty ownership control rules causing panic. Fix empty ownership control rules causing panic. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Handle forward‑slash URL‑encoded characters used as bucket/key separators. Handle forward‑slash URL‑encoded characters used as bucket/key separators. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Ignore implicit directories for Get/HeadObject requests. Ignore implicit directories for Get/HeadObject requests. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Normalize object keys during bucket policy evaluation. Normalize object keys during bucket policy evaluation. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Reject invalid PostObject keys. Reject invalid PostObject keys. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Remove unsigned chunk reader caching. Remove unsigned chunk reader caching. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Replace misleading webUI CORS error toast with generic network error message. Replace misleading webUI CORS error toast with generic network error message. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Fix scoutfs multipart alignment check for the last part. Fix scoutfs multipart alignment check for the last part. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Low	Skip integration tests incompatible with sidecar mode. Skip integration tests incompatible with sidecar mode. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—

Full changelog

Changelog

3cf10d8392d65087213392a0bd4282fe936da330 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/storage/azblob
cd3f2ffed87085b0f5470cc6eafc90f8d3d64978 chore(deps): bump github.com/Azure/go-ntlmssp from 0.1.0 to 0.1.1
deda805c7d1f5c2b589e2a197553364dc456dfd3 chore(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2
325ab6e183eb796adf11140c5baaf7db7d5dc67c chore(deps): bump the dev-dependencies group with 19 updates
fbe2a4ba101bf4eb4d22e2184ef604e27415dc83 chore(deps): bump the dev-dependencies group with 7 updates
2ed8b7873e589c281d0ddc0dcc363d46ff94c50c chore(deps): bump the dev-dependencies group with 9 updates
e4fa31c91d51cf2b8a6f6cbc4fbb6b0a50552603 chore: fix sidecar flag in runtests to correctly pass test option
db3478d8b89b1f172d0a53d2e433a1f90229d0a6 chore: update go package dependencies
861c5f5d9767d1054aa365e74d0c1488fce04621 feat: add bucket metrics tag when request specifies a bucket
d1fba07fe6b9ae9518eaa450f789ac261d4484ac feat: add custom route and middleware options
8ae566d44e1119cff641a9c55d8fa8e4da08bec1 feat: add new ErrNoSpaceLeftOnDevice API error for ENOSPC errors
20939bd7b49b17e44b5f9f2952718321d675a424 feat: extract gateway runtime into embeddable package
9f786b3c2c60e0b3dc0bd2c4a1fb0d90eaec2ff1 feat: global error refactoring
cb609e40a6cc5938547571b4ae230edda97f940e feat: replace webui client-side name filter with server-side prefix filter
d2fa265fb876b84eede9f04fbf470751cae0ceb8 feat: support sha512, md5, xxhash3, xxhash64, xxhash128 data integrity checksums
e6aa9de0528e897055fbefdbfa8320c1597d1d44 fix: apply CORS middleware to admin CreateBucket route
8d5b2be0b2f4ac7f0edcbe943d1df1708b430f8f fix: check PutObjectTagging/LegalHold/Retention permissions on PutObject,CopyObject and CreateMultipartUpload
e137e8d375ae018728a8584f807267714802d794 fix: connection early termination resulting in internal error
a5fc7c1ee5d6f7d79b44203249a0988673734a0d fix: decode URL hash in webui before parsing bucket/prefix
577470214d901b68bc40e0b4f4db08feedfd9db8 fix: enforce required SignedHeaders validation for SigV4 requests
0e165edfb1ffaa3da83aef1df97599b1106abff2 fix: expose x-amz-storage-class in CORS response headers
4ef090dbfc95932de7462d3b572db9c6559170c3 fix: fix empty ownership control rules panic
fe3cfbfce910049719524c47b0cd087de48d249f fix: forward slash url encoded used as bucket/key separator
ed1ad6b623cab9bdba1a8a4b558c5f86f0d276a3 fix: honor explicit public bucket policy deny
2c0844ad88705f28943f531e1608aee6f37e7404 fix: ignore implicit directories for Get/HeadObject
cd0b4e6d9d6018ae3f0fa0ed615f397e0e6ba943 fix: normalize object keys during bucket policy evaluation
e69d07327336d6b74b1491661e3a9d997ae03374 fix: reject SigV2 requests
eecc1a779c2069db756e5d8549c51add9beab2fd fix: reject invalid PostObject keys
27971f2a200a83d8d3d265be2be8686834af7786 fix: remove unsigned chunk reader caching
d498d484973fc0547b06df9469f56cf21906f3e0 fix: replace misleading webui CORS error toast with generic network error message
dd27c6cd274675e563517589c5083ce1e9478c4c fix: scoutfs multipart alignment check for last part
bb3cdd9cb6a986c70cdf7d3605cee281431cdd33 fix: skip integration tests not compatible in sidecar
5cb5541006acc443d59fae8149dd70c66f02b59e fix: store object multipart upload metadata compressed

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track versitygw

Get notified when new releases ship.

About versitygw

versity s3 gateway

All releases →

versitygw

Summary

Changes in this release

Changelog

Related context

Related tools