Skip to content

Add UXP release notes for v2.3.3-up.1, v2.2.3-up.1, v2.1.7-up.1, v2.0.8-up.3, v1.20.10-up.1 #1205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lsviben merged 2 commits into from
Jun 24, 2026
+59 −3
Merged

Add UXP release notes for v2.3.3-up.1, v2.2.3-up.1, v2.1.7-up.1, v2.0.8-up.3, v1.20.10-up.1 #1205

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
318a575
docs: add UXP release notes for v2.3.3-up.1, v2.2.3-up.1, v2.1.7-up.1…
lsviben Jun 24, 2026
3ec05ec
docs: refresh helm chart values reference for v2.3.3-up.1
lsviben Jun 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions docs/reference/release-notes/uxp.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,64 @@ Any important warnings or necessary information
- User-facing changes
-->

## v2.3.3-up.1

### Release Date: 2026-06-24

#### What's Changed

Based on Crossplane [v2.3.3](https://github.com/crossplane/crossplane/releases/tag/v2.3.3).

- **Fixed package signature verification TOCTOU** (GHSA-mf7q-r4rv-jv94): A time-of-check-to-time-of-use flaw could let a malicious OCI registry pass signature verification with a signed image and then serve unsigned content for installation. Fixed via crossplane-runtime v2.3.3.
- **Fixed `crossplane render` regressions**: Render now honors input XR schema, returns requirements even on fatal errors, and sets the namespace only for cluster-scoped XRs.
- Security dep bumps: Go 1.25.11, `golang.org/x/net`, `golang.org/x/sys`, `containerd` → v1.7.33

## v2.2.3-up.1

### Release Date: 2026-06-24

#### What's Changed

Based on Crossplane [v2.2.3](https://github.com/crossplane/crossplane/releases/tag/v2.2.3).

- **Fixed package signature verification TOCTOU** (GHSA-wfqx-gjrf-g28r): A time-of-check-to-time-of-use flaw could let a malicious OCI registry pass signature verification with a signed image and then serve unsigned content for installation.
- Security dep bumps: Go 1.25.11, `golang.org/x/net` → v0.55.0, `crossplane-runtime` → v2.2.3, `containerd` → v1.7.33

## v2.1.7-up.1

### Release Date: 2026-06-24

#### What's Changed

Based on Crossplane [v2.1.7](https://github.com/crossplane/crossplane/releases/tag/v2.1.7).

- Security dep bumps: Go 1.25.11, `golang.org/x/net` → v0.55.0, `quic-go` → v0.59.1, `crossplane-runtime` → v2.1.7, `containerd` → v1.7.33
- Bumped `uxp-apollo` to v0.2.18 for security fixes in `golang.org/x/crypto`, `x/net`, `x/sys`, `go-chi/chi`

## v2.0.8-up.3

### Release Date: 2026-06-24

#### What's Changed

UXP-only security patch (upstream Crossplane has ended support for the v2.0 line, but UXP continues to support it).

- Bumped Go to 1.25.11 and `golang.org/x/crypto`, `x/net` for CVEs
- Bumped `crossplane-runtime` to v2.0.9 for security fixes in `golang.org/x/net`, `x/sys`, `go.opentelemetry.io/otel`
- Bumped `uxp-apollo` to v0.2.18 for security fixes in `golang.org/x/crypto`, `x/net`, `x/sys`, `go-chi/chi`
- Security: bumped `containerd` → v1.7.33

## v1.20.10-up.1

### Release Date: 2026-06-24

#### What's Changed

Based on Crossplane [v1.20.10](https://github.com/crossplane/crossplane/releases/tag/v1.20.10).

- Security dep bumps: Go 1.25.11, `golang.org/x/net` → v0.55.0, `crossplane-runtime` → v1.20.10, `mongo-driver` → v1.17.7
- Fixed UXP "-up.N" suffix being treated as semver prerelease in the binary's internal version

## v2.3.1-up.1

### Release Date: 2026-06-05
Expand Down
4 changes: 1 addition & 3 deletions docs/reference/uxp-helm-reference.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ This reference provides detailed documentation on the UXP Helm chart. This Helm
| image.ignoreTag | bool | `false` | Do not use the {{ .image.tag }} value to compute the image uri. |
| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy used for Crossplane and RBAC Manager pods. |
| image.repository | string | `"xpkg.upbound.io/upbound/crossplane"` | Repository for the Crossplane pod image. |
| image.tag | string | `"v2.3.1-up.1"` | The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`. |
| image.tag | string | `"v2.3.3-up.1"` | The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`. |
| imagePullSecrets | list | `[]` | The imagePullSecret names to add to the Crossplane ServiceAccount. |
| leaderElection | bool | `true` | Enable [leader election](https://docs.crossplane.io/latest/guides/pods/#leader-election) for the Crossplane pod. |
| metrics.enabled | bool | `true` | Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods. |
Expand Down Expand Up @@ -336,10 +336,8 @@ This reference provides detailed documentation on the UXP Helm chart. This Helm
| webui.topologySpreadConstraints | list | `[]` | Add `topologySpreadConstraints` to the webui pod deployment. |



</div>

<!-- vale on -->

<!-- end-table-no -->

Loading