Skip to content

Bump github.com/open-policy-agent/opa from 0.70.0 to 1.17.1#2774

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/open-policy-agent/opa-1.17.1
Open

Bump github.com/open-policy-agent/opa from 0.70.0 to 1.17.1#2774
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/open-policy-agent/opa-1.17.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps github.com/open-policy-agent/opa from 0.70.0 to 1.17.1.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.1

This release uses the latest version of Go (1.26.4) to build OPA, fixing stdlib vulnerabilities in code that OPA's HTTP handler and crypto builtins use:

It is otherwise the same code as v1.17.0.

Note that users building their own OPA binaries and images already control the Golang version, so this is not relevant for them.

Miscellaneous

  • build: bump go 1.26.3 -> 1.26.4 (authored by @​srenatus)

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • A new future.keywords.not import that adds improved semantics to the not keyword.
  • Rule Labels in Decision Logs
  • Published json schema for IR and bundle manifest
  • Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.1

This release uses the latest version of Go (1.26.4) to build OPA, fixing stdlib vulnerabilities in code that OPA's HTTP handler and crypto builtins use:

It is otherwise the same code as v1.17.0.

Note that users building their own OPA binaries and images already control the Golang version, so this is not relevant for them.

Miscellaneous

  • build: bump go 1.26.3 -> 1.26.4 (authored by @​srenatus)

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • A new future.keywords.not import that adds improved semantics to the not keyword.
  • Rule Labels in Decision Logs
  • Published json schema for IR and bundle manifest
  • Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

... (truncated)

Commits
  • 187c696 Release v1.17.1
  • a0c116e build: bump go 1.26.3 -> 1.26.4
  • 64a3625 Release v1.17.0 (#8710)
  • 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
  • 7fe3066 server: remove dead code (s.partials) (#8708)
  • 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
  • 1661f22 ast: add some schema $ref tests
  • 3e22f56 benchmarks: only run for go changes
  • 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
  • 93e1708 benchmarks: fix PR message, skip tests
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 14, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 14, 2026 03:53
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 14, 2026
@dependabot dependabot Bot mentioned this pull request Jun 14, 2026
Closed
helsaawy added a commit to helsaawy/hcsshim that referenced this pull request Jun 17, 2026
@helsaawy
Omnibus dependency update
2c251d1 
Consolidate dependabot updates (since nested go moduels causes pipeline
failures).
PRs:
 - microsoft#2742
 - microsoft#2749
 - microsoft#2758
 - microsoft#2772
 - microsoft#2773
 - microsoft#2774
 - microsoft#2775
 - microsoft#2776
 - microsoft#2777

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
helsaawy added a commit that referenced this pull request Jun 18, 2026
@helsaawy
Omnibus dependency update (#2769)
6290919 
* Omnibus dependency update

Consolidate dependabot updates (since nested go moduels causes pipeline
failures).
PRs:
 - #2742
 - #2749
 - #2758
 - #2772
 - #2773
 - #2774
 - #2775
 - #2776
 - #2777

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

* go mod tidy + vendor; regenerate files

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

---------

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
@dependabot
Bump github.com/open-policy-agent/opa from 0.70.0 to 1.17.1
c53142e 
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.70.0 to 1.17.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.70.0...v1.17.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.17.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/open-policy-agent/opa-1.17.1 branch from b15c0bc to c53142e Compare June 18, 2026 18:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants