
Bump github.com/openfga/openfga from 1.11.5 to 1.14.1 #597

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/openfga/openfga-1.14.1

dependabot[bot] commented on behalf of github on Apr 22, 2026

Bumps github.com/openfga/openfga from 1.11.5 to 1.14.1.

Release notes

Sourced from github.com/openfga/openfga's releases.

v1.14.1

Added

  • Added configuration for the server shutdown timeout. #2976

Changed

  • Made some minor changes in ListObjects to reduce heap allocations. Results in minor latency reduction. #3043
  • Improve cache key generation performance by removing fmt usage and extend control-character sanitization to all cache key inputs (tuples, conditions, context). #3006

Fixed

  • Fixed AuthZEN discovery metadata to publish endpoint URLs from the configured authzen.baseURL instead of request-supplied host headers, preventing host-header poisoning of /.well-known/authzen-configuration/{store_id}. Thanks to @​Jvr2022 for reporting this. #3057

Security

  • Removed the vulnerable github.com/docker/docker package (used only in tests) and replaced it with Moby (client & api). #3047

Thanks to @​rafanaskin for #2976 and #3047!

Full Changelog: openfga/openfga@v1.14.0...v1.14.1

v1.14.0

Added

  • Added openfga_iter_query_duration_ms histogram metric to track storage iterator query latency across all storage backends, labeled by success. The metric is recorded in each backend's fetchBuffer after error classification: infrastructure failures are labeled success=false; expected storage outcomes (ErrNotFound, ErrCollision, ErrInvalidWriteInput) are labeled success=true. #3030

Changed

  • Changed the ListObjects pipeline intersection algorithm to improve intersection performance. #3031
  • [BREAKING] The Playground now only supports the none authentication method. Running the Playground with preshared key authentication is no longer supported. The server will error and not start if it detects this combination.

Deprecated

  • The built-in OpenFGA Playground is intended for development purposes only and is deprecated. It will be removed entirely in a future release.
  • The --playground-port flag and OPENFGA_PLAYGROUND_PORT environment variable are deprecated. Use --playground-addr (OPENFGA_PLAYGROUND_ADDR) instead to specify the full host:port address for the Playground server. When --playground-addr is not set, the Playground binds to 127.0.0.1 using the port from --playground-port.

Fixed

  • Fixed Write operations failing with invalid input syntax for type integer (SQLSTATE 22P02) when PostgreSQL is behind PgBouncer or a connection pooler using the simple query protocol. #3014
  • Fixed PostgreSQL HandleSQLError and GetStore returning a wrapped error instead of storage.ErrNotFound when no rows are found. When using pgxpool directly, QueryRow().Scan() returns pgx.ErrNoRows, not sql.ErrNoRows; both are now handled. #3014
  • Fixed the possibility of deadlocks within the ListObjects pipeline algorithm. Also added short-circuit enhancements that will reduce latency and message processing in certain scenarios. Cyclical edges now use as much memory as necessary to process deep and wide data hierarchies without the risk of a deadlock. #3028
  • Fixed issue where BatchCheck calls with multiple checks for the same tuple could result in improper policy enforcement. CVE-2026-34972

Full Changelog: openfga/openfga@v1.13.1...v1.14.0

v1.13.1

What's Changed

Security

  • Fixed a security vulnerability (CVE-2026-33729) where Check requests with conditions and caching enabled could return incorrect cached results.

Full Changelog: openfga/openfga@v1.13.0...v1.13.1

... (truncated)

Changelog

Sourced from github.com/openfga/openfga's changelog.

[1.14.1] - 2026-04-10

Added

  • Added configuration for the server shutdown timeout. #2976
  • Add jitter to internal cache TTLs to spread expirations and reduce thundering herd effects. #3033

Changed

  • Made some minor changes in ListObjects to reduce heap allocations. Results in minor latency reduction. #3043
  • Improve cache key generation performance by removing fmt usage and extend control-character sanitization to all cache key inputs (tuples, conditions, context). #3006
  • Reuse a single PostgreSQL container across tests by replacing the test fixture implementation, improving test performance and reducing resource usage. #3018

Fixed

  • Fixed AuthZEN discovery metadata to publish endpoint URLs from the configured authzen.baseURL instead of request-supplied host headers, preventing host-header poisoning of /.well-known/authzen-configuration/{store_id}. Thanks to @​Jvr2022 for reporting this. #3057

Security

  • Removed the vulnerable github.com/docker/docker package (used only in tests) and replaced it with Moby (client & api). #3047

[1.14.0] - 2026-04-03

Added

  • Added openfga_iter_query_duration_ms histogram metric to track storage iterator query latency across all storage backends, labeled by success. The metric is recorded in each backend's fetchBuffer after error classification: infrastructure failures are labeled success=false; expected storage outcomes (ErrNotFound, ErrCollision, ErrInvalidWriteInput) are labeled success=true. #3030

Changed

  • Changed the ListObjects pipeline intersection algorithm to improve intersection performance. #3031
  • [BREAKING] The Playground now only supports the none authentication method. Running the Playground with preshared key authentication is no longer supported. The server will error and not start if it detects this combination.
  • The Playground is now disabled by default as a result of GHSA-68m9-983m-f3v5

Deprecated

  • The built-in OpenFGA Playground is intended for development purposes only and is deprecated. It will be removed entirely in a future release.
  • The --playground-port flag and OPENFGA_PLAYGROUND_PORT environment variable are deprecated. Use --playground-addr (OPENFGA_PLAYGROUND_ADDR) instead to specify the full host:port address for the Playground server. When --playground-addr is not set, the Playground binds to 127.0.0.1 using the port from --playground-port.

Fixed

  • Fixed Write operations failing with invalid input syntax for type integer (SQLSTATE 22P02) when PostgreSQL is behind PgBouncer or a connection pooler using the simple query protocol. #3014
  • Fixed PostgreSQL HandleSQLError and GetStore returning a wrapped error instead of storage.ErrNotFound when no rows are found. When using pgxpool directly, QueryRow().Scan() returns pgx.ErrNoRows, not sql.ErrNoRows; both are now handled. #3014
  • Fixed the possibility of deadlocks within the ListObjects pipeline algorithm. Also added short-circuit enhancements that will reduce latency and message processing in certain scenarios. Cyclical edges now use as much memory as necessary to process deep and wide data hierarchies without the risk of a deadlock. #3028
  • Fixed issue where BatchCheck calls with multiple checks for the same tuple could result in improper policy enforcement. CVE-2026-34972

[1.13.1] - 2026-03-24

Security

  • Fixed a security vulnerability (CVE-2026-33729) where Check requests with conditions and caching enabled could return incorrect cached results.

[1.13.0] - 2026-03-23

Added

  • Add AuthZen 1.0 experimental support. #2875

Fixed

  • Prevent recoverable panics in list objects from terminating the process. Return an error instead. #2994

[1.12.1] - 2026-03-19

Changed

  • The ListObjects "pipeline" algorithm ditches its custom Pipe implementation and replaces it with Go native channels. #2977
  • Refactor tuple validation and manipulation functions for optimal performance. #2984

... (truncated)

Commits
  • fa57024 release: update changelog for release v1.14.1 (#3060)
  • 529114d chore(deps): bump the dependencies group across 1 directory with 7 updates (#...
  • 65cdbbe fix: use a baseURL for AuthZEN configuration endpoint (#3057)
  • f1fcf41 chore: replace docker with moby (#3047)
  • f68af73 Iterator Cache V2: Storage Wrapper Pattern with Lock-Free Design (#3016)
  • 5e156a0 test: fix flaky condition test (#3058)
  • 405ac40 chore(deps): bump the dependencies group across 1 directory with 6 updates (#...
  • afe250e chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace...
  • 463908c feat: add graceful shutdown timeout configuration (#2976)
  • d28f9cf chore: update changelog to reflect playground off-by-default behavior (#3053)
  • Additional commits viewable in compare view

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels on Apr 22, 2026
Bumps [github.com/openfga/openfga](https://github.com/openfga/openfga) from 1.11.5 to 1.14.1.
- [Release notes](https://github.com/openfga/openfga/releases)
- [Changelog](https://github.com/openfga/openfga/blob/main/CHANGELOG.md)
- [Commits](openfga/openfga@v1.11.5...v1.14.1)

---
updated-dependencies:
- dependency-name: github.com/openfga/openfga
  dependency-version: 1.14.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/go_modules/github.com/openfga/openfga-1.14.1 branch from fd1aeb1 to 858413e on April 23, 2026 05:48
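
The v1.14.1 release notes above describe publishing AuthZEN discovery URLs from the configured `authzen.baseURL` instead of the request's Host header. The Go sketch below is an added illustration of that pattern, not OpenFGA's code and not part of this pull request. The metadata field names, the `/access/v1/evaluation` path, the handler names, and the hostnames are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// discovery is an illustrative metadata document (field names assumed).
type discovery struct {
	PolicyDecisionPoint      string `json:"policy_decision_point"`
	AccessEvaluationEndpoint string `json:"access_evaluation_endpoint"`
}

// fromHost is the pattern the fix removes: URLs echo the client-supplied Host header.
func fromHost(w http.ResponseWriter, r *http.Request) {
	base := "https://" + r.Host
	json.NewEncoder(w).Encode(discovery{PolicyDecisionPoint: base,
		AccessEvaluationEndpoint: base + "/access/v1/evaluation"})
}

// fromConfig validates the operator-configured base URL once and never reads r.Host.
func fromConfig(baseURL string) (http.HandlerFunc, error) {
	u, err := url.Parse(baseURL)
	if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
		return nil, fmt.Errorf("invalid base URL %q", baseURL)
	}
	base := strings.TrimRight(u.String(), "/")
	doc := discovery{PolicyDecisionPoint: base,
		AccessEvaluationEndpoint: base + "/access/v1/evaluation"}
	return func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(doc)
	}, nil
}

// probe requests the discovery document with a chosen Host header (constructed
// input) and returns the evaluation endpoint the handler advertises.
func probe(h http.Handler, host string) string {
	req := httptest.NewRequest(http.MethodGet, "/.well-known/authzen-configuration/store1", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var d discovery
	json.Unmarshal(rec.Body.Bytes(), &d)
	return d.AccessEvaluationEndpoint
}

func main() {
	safe, _ := fromConfig("https://fga.example.internal")
	fmt.Println("from Host header:", probe(http.HandlerFunc(fromHost), "untrusted.example"))
	fmt.Println("from config:     ", probe(safe, "untrusted.example"))
}
```

A regression test along the lines of `probe` is a cheap way to confirm after the upgrade that the advertised endpoints do not change with the Host header.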