Master: Renovate: Automerge Update dependency without new findings
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
openpolicyagent/opa | ironbank-docker | minor | 0.43.0-static -> 0.44.0-static |
openpolicyagent/opa | | minor | 0.43.0 -> 0.44.0 |
openpolicyagent/opa | stage | minor | 0.43.0-static -> 0.44.0-static |
Release Notes
open-policy-agent/opa
v0.44.0
This release contains a number of fixes, two new builtins, a few new features, and several performance improvements.
Security Fixes
This release includes the security fixes present in the recent v0.43.1 release, which mitigate CVE-2022-36085 in OPA itself, and CVE-2022-27664 and CVE-2022-32190 in our Go build tooling.
See the Release Notes for v0.43.1 for more details.
Set Element Addition Optimization
Rego Set element addition operations did not scale linearly (#4999) in the past, and like the Object type before v0.43.0, experienced noticeable reallocation/memory movement overheads once the Set grew past 120k-150k elements in size.
This release introduces different handling of Set internals during element addition operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.
Set `union` Built-in Optimization
The Set `union` builtin allows applying the union operation to a set of sets.
However, as discovered in #4979, its implementation generated unnecessary intermediate copies, which resulted in poor performance; in many cases, worse than writing the equivalent operation in pure Rego.
This release improves the `union` builtin's implementation, such that only the final result set is ever modified, reducing memory allocations and GC pressure.
The `union` builtin is now about 15-30% faster than the equivalent operation in pure Rego.
New Built-in Functions: `strings.any_prefix_match` and `strings.any_suffix_match`
This release introduces two new builtins, optimized for bulk matching of string prefixes and suffixes: `strings.any_prefix_match`, and `strings.any_suffix_match`.
They work with sets and arrays of strings, allowing efficient matching of collections of prefixes or suffixes against a target string.
See the built-in functions docs for all the details.
This implementation fixes #4994 and was authored by @cube2222.
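For reviewers deciding whether existing policies should adopt the new builtins, the following is an added example (not taken from the OPA release notes or from this repository) showing `strings.any_prefix_match` beside the pure-Rego rule it replaces, plus `strings.any_suffix_match`. The package name, rule names, prefix and suffix lists, and `input` fields are all assumptions made for illustration.

```rego
package example.bulkmatch

import future.keywords.if
import future.keywords.in

# Constructed sample data: path prefixes served without authentication.
# Matching is a plain string comparison, so each prefix ends with "/" to
# keep "/static/" from also covering a sibling such as "/staticfiles".
public_prefixes := {"/static/", "/docs/", "/healthz/"}

# Constructed sample data: file extensions rejected on upload.
blocked_suffixes := [".exe", ".dll", ".scr"]

default allow_public = false

# v0.44.0 builtin: a single call tests the target string against the
# whole collection of prefixes.
allow_public if strings.any_prefix_match(input.path, public_prefixes)

# The equivalent rule in pure Rego, iterating over the set with startswith.
# Both rules give the same decision for the same input.
allow_public_pure if {
	some prefix in public_prefixes
	startswith(input.path, prefix)
}

# The first argument may itself be a set or array of strings: this rule is
# true when at least one of the requested paths falls under a public prefix.
any_public if strings.any_prefix_match(input.paths, public_prefixes)

# Suffix variant, here with an array instead of a set. The filename is
# lowercased first because the comparison is case-sensitive.
deny_upload if strings.any_suffix_match(lower(input.filename), blocked_suffixes)

# Constructed input to try the rules with:
# {
#   "path": "/static/app.css",
#   "paths": ["/admin/users", "/docs/index.html"],
#   "filename": "Setup.EXE"
# }
```

Save the package and the constructed input to files and query `data.example.bulkmatch` with `opa eval` to compare the two `allow_public` rules on the same input.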
Tooling, SDK, and Runtime
- Logger: Allow configuration of the timestamp format (#2413)
- loader: Add support for fs.FS (authored by @ear7h)
Bundles
This release includes several bugfixes and improvements around bundle building:
- cmd: Add optimize flag to OPA eval command to allow building optimized bundles
- cmd/build+compile: Allow opt-out of dependents gathering to allow compilation of more bundles into WASM (#5035)
- opa build -t wasm|