Change8

v3.17.2

📦 quay-ioView on GitHub →
🐛 22 fixes🔧 6 symbols

Summary

This release for the redhat-3.17 branch primarily focuses on security fixes (including two CVEs), numerous bug fixes across web UI and mirroring functionality, and significant dependency updates. It also includes extensive migration of UI and API tests from Cypress to Playwright.

Migration Steps

  1. If encountering issues with log rotation, review changes related to distributedstorage.py and TypeError.
  2. If using organization mirrors, note that repository state is now reset upon configuration deletion.

🐛 Bug Fixes

  • Isolated search state in the robot account wizard.
  • Fixed a TypeError in LogRotateWorker failing to archive logs due to an issue in distributedstorage.py.
  • Excluded deleted repositories from organization mirror validation.
  • Fixed CVE-2026-29074.
  • Added 10 missing log kinds to the usage logs chart.
  • Removed a malformed struct tag space on DistributedStorageArgs.Signature in config-tool.
  • Fixed invalid detection of artifacts and OCI images.
  • Allowed selecting None in the robot wizard permission dropdown.
  • Reset repository state when deleting organization mirror configuration.
  • Prevented infinite loop when cancelling organization mirror sync.
  • Scheduled cancelled repositories as SYNC_NOW on the next cycle.
  • Fixed authentication logic to accept RFC 9068 at+jwt tokens in is_jwt routing.
  • Fixed manifest track line display on unrelated pages.
  • Treated all 4xx errors as org-mirror-not-configured in the proxy cache UI.
  • Showed empty state instead of a spinner when repository search yields no results.
  • Fixed organization mirror cancellation log showing null and Not applicable.
  • Returned 502 instead of 404 when the Nginx backend is unreachable.
  • Modified OIDCUsers.has_password_set to return False to bypass the fresh-login check.
  • Fixed CVE-2026-33894 (reported twice).
  • Prevented Remote Code Execution (RCE) via unsafe pickle deserialization.
  • Prevented credential wipe during organization mirror configuration update.
  • Restored pinned versions in package-lock.json with resolved URLs.

Affected Symbols