chore(deps): bump github.com/open-policy-agent/opa from 1.12.3 to 1.13.1 in /policy/opa in the opa-deps group #69

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/policy/opa/opa-deps-e340e851ef

dependabot bot commented on behalf of github Feb 9, 2026

Bumps the opa-deps group in /policy/opa with 1 update: github.com/open-policy-agent/opa.

Updates github.com/open-policy-agent/opa from 1.12.3 to 1.13.1

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.13.1

This bug fix release addresses an issue found in the new array.flatten built-in function

v1.13.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • A new immediate upload trigger mode in the Decision Logger
  • A new array.flatten built-in function
  • Numerous performance improvements

Immediate Upload Trigger Mode in Decision Logger (#8110)

An immediate trigger mode has been added to the Decision Logger; enabled by setting the decision_logs.reporting.trigger configuration option to immediate. When enabled, log events are pushed to the log service as soon as the configured upload chunk size criteria is met; or, at latest, when the configured upload delay is reached.

Authored by @​sspaink

Runtime, SDK, Tooling

Compiler, Topdown and Rego

  • ast: Body.String() doesn't panic on empty body (#8244) authored by @​srenatus
  • ast: Improve type error message when referencing functions (#6840) authored by @​sspaink
  • ast: Type Checker recognizes when a variable has multiple assignments but is an undefined function (#7463) authored by @​sspaink reported by @​anderseknert
  • ast/parser: Avoid duplicate loc copies (#8142) authored by @​srenatus
  • topdown: Add array.flatten built-in function (#8226) authored by @​anderseknert
  • topdown: Fix issue where numbers.range_step built-in could erroneously return undefined value (#8194) authored by @​thevilledev
  • topdown: Remove hard-coded missing key error in strings.render_template built-in (#7931) authored by @​colinjlacy reported by @​anderseknert
  • topdown: Re-introduce cancellation-awareness for regex.replace built-in (#8179) authored by @​srenatus
    from having been reverted in v1.12.1
  • topdown: Support arrays as input for json.match_schema (#6615) authored by @​sspaink reported by @​mscudlik

Performance

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.13.1

This bug fix release addresses an issue found in the new array.flatten built-in function

1.13.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • A new immediate upload trigger mode
  • A new array.flatten built-in function
  • Numerous performance improvements

Immediate Upload Trigger Mode in Decision Logger (#8110)

An immediate trigger mode has been added to the Decision Logger; enabled by setting the decision_logs.reporting.trigger configuration option to immediate. When enabled, log events are pushed to the log service as soon as the configured upload chunk size criteria is met; or, at latest, when the configured upload delay is reached.

Authored by @​sspaink

Runtime, SDK, Tooling

Compiler, Topdown and Rego

  • ast: Body.String() doesn't panic on empty body (#8244) authored by @​srenatus
  • ast: Improve type error message when referencing functions (#6840) authored by @​sspaink
  • ast: Type Checker recognizes when a variable has multiple assignments but is an undefined function (#7463) authored by @​sspaink reported by @​anderseknert
  • ast/parser: Avoid duplicate loc copies (#8142) authored by @​srenatus
  • topdown: Add array.flatten built-in function (#8226) authored by @​anderseknert
  • topdown: Fix issue where numbers.range_step built-in could erroneously return undefined value (#8194) authored by @​thevilledev
  • topdown: Remove hard-coded missing key error in strings.render_template built-in (#7931) authored by @​colinjlacy reported by @​anderseknert
  • topdown: Re-introduce cancellation-awareness for regex.replace built-in (#8179) authored by @​srenatus
    from having been reverted in v1.12.1
  • topdown: Support arrays as input for json.match_schema (#6615) authored by @​sspaink reported by @​mscudlik

Performance

... (truncated)

Commits
  • 9c3bb90 capabilities file
  • 92637c5 Prepare v1.13.1 release
  • 5442885 Fix issue in array.flatten handling of single item arrays (#8273)
  • a232916 Prepare v1.13.0 release (#8268)
  • e2acece website: Display 2025 survey results on the website (#8258)
  • 0fed5e8 ast: Improve type error message when referencing functions (#8253)
  • a87219e Enable sorting JSON test results by duration (#8260)
  • 262c4f1 Add redirect section for immutable referrers (#8265)
  • 0f48904 Support arrays as input for json.match_schema (#8264)
  • cb92be6 build(deps): bump the dependencies group across 2 directories with 8 updates ...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the opa-deps group in /policy/opa with 1 update: [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa).


Updates `github.com/open-policy-agent/opa` from 1.12.3 to 1.13.1
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.12.3...v1.13.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.13.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: opa-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot commented on behalf of github Feb 9, 2026

Labels

The following labels could not be found: policy. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Feb 9, 2026
cloudflare-workers-and-pages bot commented Feb 9, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ Deployment successful! View logs | blob | bee6373 | Commit Preview URL, Branch Preview URL | Feb 09 2026, 10:14 AM |

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the OPA dependency upgrade from v1.12.3 to v1.13.1 is safe with no vulnerabilities in the updated packages themselves, this PR cannot be merged due to 3 critical vulnerabilities in the Go standard library (v1.25.5). The affected components include crypto/tls (CVE-2025-68121: unexpected session resumption, CVE-2025-61730: handshake messages at incorrect encryption level) and net/url (CVE-2025-61726: memory exhaustion in query parsing). These vulnerabilities directly compromise secure communications and system stability. Action required: Update the Go version in go.mod to a patched release that addresses GO-2026-4337, GO-2026-4340, and GO-2026-4341, then run 'go mod tidy'. The OPA upgrade itself is sound and should be retained once the Go stdlib is patched.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Update the Go version to address the three critical vulnerabilities in the standard library. The current version (v1.25.5) has known security issues in crypto/tls and net/url packages. Upgrade to the latest patched Go version that addresses CVE-2025-68121, CVE-2025-61730, and CVE-2025-61726.

  • Potential Code Fix: Update the go directive in go.mod to use a patched version of Go that addresses these vulnerabilities, then run 'go mod tidy' to update dependencies.

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: bee6373, performed at: 2026-02-09T10:13:31Z

Found this helpful? Give it a 👍 or 👎 reaction!
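
The scan comment above attributes its findings to the Go standard library rather than to the bumped module. As an added example (not part of this PR or of any bot's output), the Go program below groups the findings in a `govulncheck -json` message stream by module, so a reviewer can tell whether a finding belongs to `github.com/open-policy-agent/opa` or to `stdlib`. The sample stream is constructed, the fix version is a placeholder, and reading the vulnerable module from the first trace frame is an assumption about govulncheck's output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed sample stream. IDs and v1.25.5 are from the scan comment above;
// "PLACEHOLDER" stands in for the fix version, which the page does not give.
const sampleStream = `{"config": {"scanner_name": "govulncheck"}}
{"finding": {"osv": "GO-2026-4337", "fixed_version": "PLACEHOLDER", "trace": [{"module": "stdlib", "version": "v1.25.5"}]}}
{"finding": {"osv": "GO-2026-4337", "fixed_version": "PLACEHOLDER", "trace": [{"module": "stdlib", "version": "v1.25.5"}]}}
{"finding": {"osv": "GO-2026-4340", "fixed_version": "PLACEHOLDER", "trace": [{"module": "stdlib", "version": "v1.25.5"}]}}
{"finding": {"osv": "GO-2026-4341", "fixed_version": "PLACEHOLDER", "trace": [{"module": "stdlib", "version": "v1.25.5"}]}}`

type frame struct{ Module string `json:"module"` }
type finding struct {
	OSV   string  `json:"osv"`
	Trace []frame `json:"trace"`
}
type message struct{ Finding *finding `json:"finding"` }

// FindingsByModule returns the distinct OSV IDs per module, in stream order.
func FindingsByModule(r io.Reader) (map[string][]string, error) {
	out, seen := map[string][]string{}, map[string]bool{}
	for dec := json.NewDecoder(r); ; {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue // config, progress and osv messages carry no finding
		}
		// Assumption: the first trace frame names the vulnerable module.
		mod, id := m.Finding.Trace[0].Module, m.Finding.OSV
		if !seen[mod+"|"+id] {
			seen[mod+"|"+id] = true
			out[mod] = append(out[mod], id)
		}
	}
}

func main() {
	by, err := FindingsByModule(strings.NewReader(sampleStream))
	fmt.Println(by["stdlib"], by["github.com/open-policy-agent/opa"], err)
}
```

With real input, pipe `govulncheck -json ./...` into the reader in place of the constructed sample.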
