v1.35.2

What's Changed

• Add an extra source_code field to developer warnings by @josephschorr in #2007
• Add ability to get warnings from the WASM dev interface by @josephschorr in #2008
• Handle functioned arrows in warnings system by @josephschorr in #2009
• Bump the go-mod group with 21 updates by @dependabot in #2011
• Add server version middleware to serve-testing by @josephschorr in #2006
• Fix experimental LookupResources2 to shear the tree earlier on indirect permissions by @josephschorr in #2005

Full Changelog: v1.35.1...v1.35.2

Docker Images

This release is available at authzed/spicedb:v1.35.2, quay.io/authzed/spicedb:v1.35.2, ghcr.io/authzed/spicedb:v1.35.2

v1.35.1

What's Changed

• Switch caching package's interface to be generic and add experimental flag to try different caches by @josephschorr in #1990
• Fix conversion of caveat debug context by @josephschorr in #2000
• bump Docker to address security scanners surfacing CVE by @vroldanbet in #2004

Full Changelog: v1.35.0...v1.35.1

Docker Images

This release is available at authzed/spicedb:v1.35.1, quay.io/authzed/spicedb:v1.35.1, ghcr.io/authzed/spicedb:v1.35.1

v1.35.0

Warning

1.35.0 introduces a bug in the debug information for caveats that make use of time or other custom values, causing an error to be returned when requesting debug information. This will be fixed in 1.35.1

Highlights

💘 Initial support for intersection arrows in SpiceDB schema
📖 Read replica support for Postgres and MySQL
💪 New Experimental implementation of LookupResources: better, faster, stronger
🔍 New Dispatch Chunk Size parameter. Users can tune this parameter to boost performance with wide relations.

Features

• Read replica support for Postgres and MySQL datastores by @josephschorr in #1878
• Initial support for Intersection arrow by @josephschorr in #1937
• Implement a new, experimental variant of LookupResources as LookupResources2 by @josephschorr in #1905
  • LookupResources2 follow-ups by @vroldanbet in #1994
• Start on a steelthread test framework by @josephschorr in #1949
  • Have steelthread tests run in parallel and against all datastores by @josephschorr in #1957
  • Add a steelthread test for intersection arrows by @josephschorr in #1959
  • Add a steelthread test for an indirect permission for LR by @josephschorr in #1960
  • Add additional steelthread tests and fix a memdb bug by @josephschorr in #1956

Enhancements

• Enriches postgres revisions with txID and timestamp by @vroldanbet in #1951
• Adjust pg revision timestamps by @vroldanbet in #1972
• Add ability to toggle off specific warnings via magic comments by @josephschorr in #1984
• Additional dispatch chunk safeguards by @vroldanbet in #1997

Fixes

• Workaround to snapcraft regression by @vroldanbet in #1958
• Move integration test file into the correct directory by @josephschorr in #1961
• Fixed lsp panicing on formatting malformed content by @sabify in #1971
• Ensure that the bootstrap overwrite flag actually fully overwrites by @josephschorr in #1983
• Remove apparently unneeded COALESCE call by @josephschorr in #1991
• Fix debug traces when caveats use the same param name by @josephschorr in #1987

Updated dependencies

• Bump goreleaser/goreleaser-action from 5 to 6 in the github-actions group by @dependabot in #1962
• Move to go 1.22.5 for a reporting go lang vuln by @josephschorr in #1968
• Bump github.com/rs/cors from 1.10.1 to 1.11.0 in /magefiles in the go_modules group across 1 directory by @dependabot in #1977
• Bump the go-mod group with 22 updates by @dependabot in #1963
• Update gRPC to v1.65.0 to fix reported gRPC vuln by @josephschorr in #1978

New Contributors

• @sabify made their first contribution in #1971

Full Changelog: v1.34.0...v1.35.0

v1.34.0

Note

All datastores have a migration to add a new table for the count relationships API

Highlights

🧮 New experimental count relationships API
⏩ Better performance for minimize_latency calls on multi-region Spanner
🚩Better error messages for attempting to write invalid subjects on relationships

What's Changed

• makes it possible to compare datastore-specific revisions with datastore.NoRevision by @vroldanbet in #1907
• Add Experimental Relationship Counter API by @josephschorr in #1901
• goreleaser: refactor brew formula by @jzelinskie in #1912
• Make sure to escape underscores in resource ID prefix matches in filters by @josephschorr in #1911
• goreleaser: use build.head? in install by @jzelinskie in #1913
• Ensure stability of exclusions in validation package by @josephschorr in #1916
• Bump the go-mod group with 21 updates by @dependabot in #1919
• adds automaxprocs and automemlimit by @vroldanbet in #1921
• Update CLA link in CONTRIBUTING.md to point to v2 by @coderbydesign in #1918
• Return a proper error code if a wildcard subject is specified by @josephschorr in #1928
• Bump github.com/mostynb/go-grpc-compression from 1.2.2 to 1.2.3 in the go_modules group by @dependabot in #1932
• spanner: use stale reads for current_timestamp for optimized revision by @ecordell in #1935
• README: fix discord badge by @jzelinskie in #1936
• Add the debug trace to the details of the recursion error by @josephschorr in #1930
• Ensure the object type prefix is used for caveat refs as well by @josephschorr in #1940
• Support credential JSON for Spanner by @lexcao in #1942
• Add a custom linter to find any recursive error marshaling for zerolog by @josephschorr in #1944
• Add better subject error messages on write/delete validation by @josephschorr in #1943
• Export Spanner credential JSON for datastore by @lexcao in #1946
• Fix/bulk loader nullstring by @heissa83 in #1945
• Small optimized revision handling improvements by @josephschorr in #1947
• Move to go 1.22.4 for a reported go vuln by @josephschorr in #1950
• Fix empty value on optional credentialsJSON for Spanner by @lexcao in #1948
• .github: bump to snapcraft 8.x by @jzelinskie in #1952

New Contributors

• @coderbydesign made their first contribution in #1918
• @lexcao made their first contribution in #1942
• @heissa83 made their first contribution in #1945

Full Changelog: v1.33.0...v1.34.0

Docker Images

This release is available at authzed/spicedb:v1.34.0, quay.io/authzed/spicedb:v1.34.0, ghcr.io/authzed/spicedb:v1.34.0

v1.33.1

⚠️ This release has a security fix: GHSA-grjv-gjgr-66g2

Full Changelog: v1.33.0...v1.33.1

Docker Images

This release is available at authzed/spicedb:v1.33.1, quay.io/authzed/spicedb:v1.33.1, ghcr.io/authzed/spicedb:v1.33.1

v1.33.0

Highlights

🪞 Added experimental reflection APIs for reflecting information from SpiceDB schemas
⏩ Improvements in CEL performance

What's Changed

• Bump the go-mod group with 21 updates by @dependabot in #1882
• Improvements around usage of CEL by @josephschorr in #1883
• refactor bulk export relationships logic by @vroldanbet in #1886
• fetch git tags so that trivy sees the right binary version by @vroldanbet in #1887
• expose BulkExportRelationships service controller logic by @vroldanbet in #1888
• .github: pass snap store creds to goreleaser by @jzelinskie in #1889
• Start on experimental reflection apis by @josephschorr in #1885
• pkg/cmd: auto complete otel, log flags by @jzelinskie in #1890
• Update grpc health probe for reported vuln in Go by @josephschorr in #1893
• Add ExperimentalDependentRelations reflection API by @josephschorr in #1891
• Add ExperimentalComputablePermissions API by @josephschorr in #1894
• Switch spanner datastore to use the built-in stats table for estimating rel count by @josephschorr in #1892
• Remove unused datastore config by @josephschorr in #1898
• ROADMAP: init by @jzelinskie in #1902

Full Changelog: v1.32.0...v1.33.0

Docker Images

This release is available at authzed/spicedb:v1.33.0, quay.io/authzed/spicedb:v1.33.0, ghcr.io/authzed/spicedb:v1.33.0

v1.32.0

Highlights

🔐 AWS IAM Authentication for Postgres, MySQL datastores
✅ LSP now supports linting rules
🐧 Linux packages now distribute shell completion

What's Changed

• add support for AWS IAM authentication for postgres by @j-white in #1858
• lsp: implement didChange and fix logging by @jzelinskie in #1868
• Ignore AST nodes without rune positioning information (such as comments) by @josephschorr in #1869
• Include doc comments in resolver generated source by @josephschorr in #1870
• Add configurable limits for all APIs by @josephschorr in #1871
• add aws iam authentication for mysql by @j-white in #1867
• goreleaser: init snap, linux shell completions by @jzelinskie in #1744
• Begin support for warnings and linting in schema by @josephschorr in #1880
• Add warnings to the LSP by @josephschorr in #1881
• generate manpages for releases by @jzelinskie in #1779

New Contributors

• @j-white made their first contribution in #1858

Full Changelog: v1.31.0...v1.32.0

Docker Images

This release is available at authzed/spicedb:v1.32.0, quay.io/authzed/spicedb:v1.32.0, ghcr.io/authzed/spicedb:v1.32.0

v1.31.0

Highlights

🔤 Language Server support via spicedb lsp
🚮 Faster Postgres Garbage Collection, Relationship Touch
🔎 Faster and more memory efficient LookupResources, BulkImport
🐛 Lots of fixes to OpenTelemetry, Prometheus metrics, logging

What's Changed

• adds dependabot configuration to update GitHub Actions by @vroldanbet in #1808
• Bump docker/setup-qemu-action from 1 to 3 by @dependabot in #1811
• Bump actions/labeler from 3 to 5 by @dependabot in #1813
• add github action grouping by @vroldanbet in #1821
• Bump the gomod-version group with 24 updates by @dependabot in #1824
• Bump the gomod-version group with 1 update by @dependabot in #1822
• Bump the gomod-version group with 8 updates by @dependabot in #1823
• Bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible in /magefiles by @dependabot in #1827
• Bump the go_modules group group with 1 update by @dependabot in #1828
• report GC stats even in the event of a GC worker error by @vroldanbet in #1830
• Import request ID metadata key from authzed-go by @alecmerdler in #1829
• Update labeler config for labeler action v5 by @josephschorr in #1832
• Bump the go-mod group with 2 updates by @dependabot in #1825
• Use type information to optimize TOUCH operations in the PG datastore by @josephschorr in #1831
• Add some additional unit tests for expected behavior and fix BulkLoad errors by @josephschorr in #1839
• Update OpenTelemetry middlewares by @alecmerdler in #1836
• Early terminate in LookupResources when no limit was specified by @josephschorr in #1835
• Add some additional deletion tests for relationships by @josephschorr in #1841
• Small mem improvements on BulkImport by @josephschorr in #1838
• Fix re-creating deleted relationships by @alecmerdler in #1843
• fixes prometheus bug where count metrics had incorrect suffixes by @vroldanbet in #1844
• Improve request-id propagation by @vroldanbet in #1845
• Bump the go-mod group with 6 updates by @dependabot in #1847
• Bump the github-actions group with 1 update by @dependabot in #1846
• Add license checking lint step to CI by @josephschorr in #1848
• Correct version requirement for datastore repair by @alecmerdler in #1849
• Update README with playground repo link by @samkim in #1852
• LookupResources Postgres query optimization by @alecmerdler in #1850
• Use a specific relation for arrow lookups in LR when applicable by @josephschorr in #1851
• Development package improvements by @josephschorr in #1853
• Initial implementation of a Language Server for SpiceDB schema by @josephschorr in #1854
• bump analyzers go.work to 1.22.2 by @ecordell in #1855
• Disable the repair tests on PG versions that do not support it by @josephschorr in #1857
• LSP improvements by @josephschorr in #1856
• introduces a faster query to tuple GC by @vroldanbet in #1859
• cmd/server: log dispatching at debug level by @jzelinskie in #1864

Full Changelog: v1.30.0...v1.31.0

Docker Images

This release is available at authzed/spicedb:v1.31.0, quay.io/authzed/spicedb:v1.31.0, ghcr.io/authzed/spicedb:v1.31.0

v1.30.1

This is a hotfix release that contains the patch for CVE-2024-32001

Full Changelog: v1.30.0...v1.30.1

Docker Images

This release is available at authzed/spicedb:v1.30.1, quay.io/authzed/spicedb:v1.30.1, ghcr.io/authzed/spicedb:v1.30.1

v1.30.0

Highlights

✨ CheckBulkPermission has now graduated!
⚡ Significantly improved write and delete performance in CockroachDB resulting in a major reduction in serialization errors occurring
⚡ Significantly improve deletion performance on deletions with limits across all datastores
🔍 Filters used for read relationships and delete relationships now have resource_type as optional
✨ WatchRelationships and BulkExportRelationships now support filters
📉 Memory reduction on WriteSchema
🔍 Various improvements in observability
🐛 fixes minimum connection handling for Postgres datastore not working as intended

Note

The CockroachDB datastore has a 2-phase migration in this release, we recommend using the spicedb-operator to automate the process

Warning

BulkExportRelationships cursors have changed and won't be compatible across versions.

What's Changed

• Further fixes to flaky Postgres tests by @josephschorr in #1750
• README: htmlify, update links by @jzelinskie in #1745
• spanner: allow spicedb to run with head or head-1 migration by @ecordell in #1752
• cmd: deprecate root-level head and migrate by @jzelinskie in #1746
• re-enable gosec/G404 by @vroldanbet in #1757
• Fix small TODO in type system with a small code move by @josephschorr in #1753
• Hide a previously deprecated flag by @josephschorr in #1761
• Small improvement in tuple package to remove TODO by @josephschorr in #1754
• skip all steps for matrix jobs when the whole job should be skipped by @ecordell in #1760
• Remove duplicate testing code by @josephschorr in #1762
• VSCode launch config by @alecmerdler in #1756
• reduces chunking allocations for wide relations by @vroldanbet in #1751
• refactor Security related actions and add Snyk by @vroldanbet in #1758
• Use the same default port for the HTTP API across serve and serve-testing by @torbenw in #1749
• Close the parent context in serve_test when complete by @josephschorr in #1763
• disables Snyk checks by @vroldanbet in #1766
• Remove stale TODOs by @josephschorr in #1764
• Fix flake in singleflight test by increasing the run time slightly by @josephschorr in #1767
• enables prometheus exemplars support by @vroldanbet in #1768
• Fix flake on transaction retry test by specifying a longer timeout by @josephschorr in #1769
• Change CRDB driver to use new method for getting transaction timestamp by @josephschorr in #1770
• Delete performance improvements by @josephschorr in #1771
• Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 by @dependabot in #1777
• Bump golang.org/x/vuln from 1.0.1 to 1.0.4 by @dependabot in #1775
• Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.47.0 to 0.49.0 by @dependabot in #1774
• Bump github.com/planetscale/vtprotobuf from 0.5.1-0.20231212170721-e7d721933795 to 0.6.0 by @dependabot in #1778
• Bump cloud.google.com/go/spanner from 1.54.0 to 1.57.0 by @dependabot in #1776
• Ensure that invalid versions do not cause a nil panic by @josephschorr in #1781
• Ensure SpiceDB release versions are semver by @josephschorr in #1783
• Follow up changes for recent fixes: remove len downcasts and ensure all other downcasts are validated by @josephschorr in #1780
• fix: delete options not being passed by @ryaneorth in #1784
• Debug migrate command in VSCode by @alecmerdler in #1786
• Update gRPC health probe version for recent Go vulns by @josephschorr in #1787
• adds OpenTelemetry TraceID to logs by @vroldanbet in #1772
• Have caveat diffs properly check if an expression has changed by @josephschorr in #1788
• Extend support for relationship filtering and add relationship filtering to other APIs by @josephschorr in #1739
• Small increase in test coverage for subjects testutil by @josephschorr in #1793
• Add mage test:unitcover to generate coverage reports over all unit tests by @josephschorr in #1794
• CheckBulkPermissions by @alecmerdler in #1792
• Move health check logs to debug level by @vroldanbet in #1773
• dependency updates by @vroldanbet in #1797
• fix codeql by @vroldanbet in #1798
• use the most recent Go version with CodeQL by @vroldanbet in #1799
• fixes merge queue not supporting CodeQL by @vroldanbet in #1800
• Fix race on error member of TaskRunner by @ecordell in #1801
• Move debug traces for CheckPermission into the response by @josephschorr in #1795
• make registration of gRPC prom metrics not fail if already registered by @vroldanbet in #1803
• turns gRPC latency histogram into a toggleable option by @vroldanbet in #1805
• do not return backward incompatible --explain debug info in trailer by @vroldanbet in #1807

New Contributors

• @torbenw made their first contribution in #1749
• @ryaneorth made their first contribution in #1784

Full Changelog: v1.29.5...v1.30.0

Docker Images

This release is available at authzed/spicedb:v1.30.0, quay.io/authzed/spicedb:v1.30.0, ghcr.io/authzed/spicedb:v1.30.0