Release history

zot releases

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)

Review required
v2.1.17 Security relevant
Auth RBAC

OIDC logout + CEL access control

patches CVE-2026-33634
v2.1.16 Mixed
Security fixes
  • Limit manifest PUT body to 4 MiB (INPUT-1)
  • Limit API key creation body to 4 KiB (INPUT-2)
  • Suppress Allow-Credentials on wildcard CORS origin (CORS-1)
Notable features
  • Support pushing multiple tags for a single manifest
  • Add repository quota enforcement middleware
  • Configuration JSON Schema dump command
Full changelog

What's Changed

  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3860
  • fix(search): expose LastPullTimestamp and PushedBy on index ImageSummary by @cainydev in https://github.com/project-zot/zot/pull/3865
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3880
  • feat(zb): list tests, test regex filter, docs update by @vrajashkr in https://github.com/project-zot/zot/pull/3884
  • ci: use zot localstack image and consolidate on using the setup localstack GH action by @andaaron in https://github.com/project-zot/zot/pull/3899
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3896
  • chore: pin trivy-action to safe version by @andaaron in https://github.com/project-zot/zot/pull/3897
  • feat(schema): add schema command to dump JSON Schema for zot config by @rchincha in https://github.com/project-zot/zot/pull/3905
  • feat: support pushing multiple tags for a single manifest by @andaaron in https://github.com/project-zot/zot/pull/3885
  • fix(storage/gcs): fix double-prefixed rootdirectory and EOF handling in Walk for GCS by @thees in https://github.com/project-zot/zot/pull/3903
  • test(blackbox): harden zot restart + reachability checks by @andaaron in https://github.com/project-zot/zot/pull/3907
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3921
  • test: add tests for pushing manifests with non-canonical digests together with tags by @andaaron in https://github.com/project-zot/zot/pull/3920
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3931
  • build: bump zui version to commit-1c8e5ef by @rchincha in https://github.com/project-zot/zot/pull/3932
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3940
  • fix: address code review comments by @andaaron in https://github.com/project-zot/zot/pull/3942
  • feat: Add TrivyConfig.VulnSeveritySources (Trivy's --vuln-severity-source) by @andaaron in https://github.com/project-zot/zot/pull/3943
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3947
  • ci: fix nightly test by @rchincha in https://github.com/project-zot/zot/pull/3948
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3953
  • Pin actions and tighten workflow permissions by @benoittgt in https://github.com/project-zot/zot/pull/3954
  • fix(ci): pass GITHUB_TOKEN explicitly to oras login in sync-trivy step by @rchincha in https://github.com/project-zot/zot/pull/3961
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3964
  • feat(api): add repository quota enforcement middleware by @Aluchir in https://github.com/project-zot/zot/pull/3923
  • fix: Updating a repository should not result in a corrupted index.json file if disk is full by @andaaron in https://github.com/project-zot/zot/pull/3963
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3968
  • fix(auth): add workaround for Docker client auth with mixed anonymous policies by @andaaron in https://github.com/project-zot/zot/pull/3868
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3971
  • fix(security): limit manifest PUT body to 4 MiB (INPUT-1) by @rchincha in https://github.com/project-zot/zot/pull/3977
  • fix(security): limit API key creation body to 4 KiB (INPUT-2) by @rchincha in https://github.com/project-zot/zot/pull/3978
  • security: suppress Allow-Credentials on wildcard CORS origin (CORS-1) by @rchincha in https://github.com/project-zot/zot/pull/3980
  • fix(security): remove InsecureSkipVerify from metrics client (TLS-1) by @rchincha in https://github.com/project-zot/zot/pull/3982

New Contributors

  • @cainydev made their first contribution in https://github.com/project-zot/zot/pull/3865
  • @thees made their first contribution in https://github.com/project-zot/zot/pull/3903
  • @benoittgt made their first contribution in https://github.com/project-zot/zot/pull/3954
  • @Aluchir made their first contribution in https://github.com/project-zot/zot/pull/3923

Full Changelog: https://github.com/project-zot/zot/compare/v2.1.15...v2.1.16

v2.1.15 New feature
patches GHSA-85jx-fm8m-x8c6
patches GO-2026-4668
Security fixes
  • Fixed open redirect vulnerability via callback_ui
Notable features
  • Per-issuer CA configuration for OIDC
  • JWT expiration at access entry level
  • AWS Secrets Manager for JWT verification
v2.1.14 Security relevant
Security fixes
  • CVE-2025-30204 - golang-jwt DoS vulnerability via excessive memory allocation
Notable features
  • OIDC workload identity federation support
