Release 2026-07: aria (develop → main) #11
Reference in New Issue
Block a user
Delete Branch "develop"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
2026-07 production release — Phase A (safe batch: no migration).
Ships
ariatomainfor tonight's cut. Includes hiveops-bom 1.0.8 (log4j-api CVE-2026-34479, fleet-wide fix).SOC2 flow: Johannes approves in the Gitea UI → Claude merges via API → PAUSE → hand-build (
registry.bcos.cloud, immutable:sha) + deploy, gated perRELEASE-RUNBOOK-TONIGHT.md. Merge does not trigger a prod deploy.Changes (12 commits ahead of main):
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream patches (no suppressions): postgresql 42.7.11 -> 42.7.13 CVE-2026-54291 (CVSS4 8.2) — channelBinding=require could be silently downgraded from SCRAM-SHA-256-PLUS, defeating MITM protection. Affects 42.7.4-42.7.11. httpcore5 5.3.6 -> 5.4.3 CVE-2026-54399 (7.5) HTTP/1.1 parser DoS CVE-2026-54428 (7.5) HTTP/2 HPACK unbounded allocation httpcore5 arrives transitively via httpclient5, and Apache ships them as a matched pair, so bom 1.0.7 bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core 5.4.3. Verified locally on this service: builds and tests pass on 1.0.7, and it resolves the patched versions. Refs bom#6 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>