hashicorp · hc-github-team-consul-core · Mar 3, 2025 · Mar 6, 2025 · Mar 6, 2025 · Mar 13, 2025
@@ -1,4 +1,4 @@
 ```release-note:improvement
 raft: allow reloading of raft trailing logs and snapshot timing to allow recovery from some [replication failure modes](https://github.com/hashicorp/consul/issues/9609).
-telemetry: add metrics and documentation for [monitoring for replication issues](https://consul.io/docs/agent/telemetry#raft-replication-capacity-issues).
+telemetry: add metrics and documentation for [monitoring for replication issues](https://developer.hashicorp.com/consul/docs/reference/agent/telemetry#raft-replication-capacity-issues).
 ```
@@ -1,4 +1,4 @@
 ```release-note:feature
 Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the
- [Admin Partition](https://www.consul.io/docs/enterprise/admin-partitions) documentation.
+ [Admin Partition](https://developer.hashicorp.com/docs/enterprise/admin-partitions) documentation.
 ```
@@ -1,3 +1,3 @@
 ```release-note:feature
-cli: Adds new subcommands for `peering` workflows. Refer to the [CLI docs](https://www.consul.io/commands/peering) for more information.
+cli: Adds new subcommands for `peering` workflows. Refer to the [CLI docs](https://developer.hashicorp.com/commands/peering) for more information.
 ```
@@ -1,3 +1,3 @@
 ```release-note:feature
-http: Add new `get-or-empty` operation to the txn api. Refer to the [API docs](https://www.consul.io/api-docs/txn#kv-operations) for more information.
+http: Add new `get-or-empty` operation to the txn api. Refer to the [API docs](https://developer.hashicorp.com/api-docs/txn#kv-operations) for more information.
 ```
@@ -0,0 +1,3 @@
+```release-note:improvement
+http: Add peer query param on catalog service API
+```
@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade Go to 1.23.6.
+```
@@ -0,0 +1,5 @@
+```release-note:security
+Update `golang.org/x/crypto` to v0.35.0 to address [GO-2025-3487](https://pkg.go.dev/vuln/GO-2025-3487).
+Update `golang.org/x/oauth2` to v0.27.0 to address [GO-2025-3488](https://pkg.go.dev/vuln/GO-2025-3488).
+Update `github.com/go-jose/go-jose/v3` to v3.0.4 to address [GO-2025-3485](https://pkg.go.dev/vuln/GO-2025-3485).
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Add the missing Service TaggedAddresses and Check Type fields to Txn API.
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+wan-federation: Fixed an issue where advertised IPv6 addresses were causing WAN federation to fail.
+```
@@ -0,0 +1,3 @@
+```release-note:enhancement
+Added support for Consul Session to update the state of a Health Check, allowing for more dynamic and responsive health monitoring within the Consul ecosystem. This feature enables sessions to directly influence health check statuses, improving the overall reliability and accuracy of service health assessments.
+```
@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade Go to 1.23.7 and bump X-Repositories to latest.
+```
@@ -0,0 +1,5 @@
+```release-note:security
+Update `golang.org/x/net` to v0.38.0 to address [GHSA-vvgc-356p-c3xw](https://github.com/advisories/GHSA-vvgc-356p-c3xw) and [GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595).
+Update `github.com/golang-jwt/jwt/v4` to v4.5.2 to address [GO-2025-3553](https://pkg.go.dev/vuln/GO-2025-3553) and [GHSA-mh63-6h87-95cp](https://github.com/advisories/GHSA-mh63-6h87-95cp).
+Update `Go` to v1.23.8 to address [GO-2025-3563](https://pkg.go.dev/vuln/GO-2025-3563).
+```
@@ -0,0 +1,3 @@
+```release-note:security
+cli: update tls ca and cert create to reduce excessive file perms for generated public files
+```
@@ -0,0 +1,3 @@
+```release-note:feature
+xds: provided a configurable to value to diable XDS session load balancing so that cases where there is a load balancer in front of the consul servers can disable the internal load balancing
+```
@@ -0,0 +1,3 @@
+```release-note: improvement
+connect: Use net.JoinHostPort for host:port formatting to handle IPv6.
+```
@@ -0,0 +1,3 @@
+```release-note:security
+connect: Added non default namespace and partition checks to ConnectCA CSR requests.
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+http: return a clear error when both Service.Service and Service.ID are missing during catalog registration
+```
@@ -0,0 +1,3 @@
+```release-note:improvement
+config: Warn about invalid characters in `datacenter` resulting in non-generation of X.509 certificates when using external CA for agent TLS communication.
+```
@@ -0,0 +1,11 @@
+```release-note:security
+Upgrade UBI base image version to address CVE
+[CVE-2025-4802](https://access.redhat.com/security/cve/cve-2025-4802)
+[CVE-2024-40896](https://access.redhat.com/security/cve/cve-2024-40896)
+[CVE-2024-12243](https://nvd.nist.gov/vuln/detail/CVE-2024-12243)
+[CVE-2025-24528](https://access.redhat.com/security/cve/cve-2025-24528)
+[CVE-2025-3277](https://access.redhat.com/security/cve/cve-2025-3277)
+[CVE-2024-12133](https://access.redhat.com/security/cve/cve-2024-12133)
+[CVE-2024-57970](https://access.redhat.com/security/cve/cve-2024-57970)
+[CVE-2025-31115](https://access.redhat.com/security/cve/cve-2025-31115)
+```
@@ -0,0 +1,3 @@
+```release-note:security
+security: Upgrade Go to 1.23.10.
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: display IPv6 addresses with proper bracketed formatting
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+cli: validate IP address in service registration to prevent invalid IPs in service and tagged addresses.
+```
@@ -0,0 +1,3 @@
+```release-note:enhancement
+ui: Improved display and handling of IPv6 addresses for better readability and usability in the Consul web interface.
+```
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI.
+```
@@ -0,0 +1,3 @@
+```release-note:security
+security: Update Go to 1.23.12 to address CVE-2025-47906
+```
@@ -0,0 +1,3 @@
+```release-note:bug
+cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set.
+```
@@ -0,0 +1,3 @@
+```release-note:security
+api: add charset in all applicable content-types.
+```
@@ -3,18 +3,18 @@
 
 # engineering and web presence get notified of, and can approve changes to web tooling, but not content.
 
-/website/           @hashicorp/web-presence @hashicorp/consul-selfmanage-maintainers
+/website/           @hashicorp/consul-selfmanage-maintainers @hashicorp/web-presence
 /website/data/
 /website/public/
 /website/content/
 
 # education and engineering get notified of, and can approve changes to web content.
 
-/website/data/          @hashicorp/consul-docs @hashicorp/consul-selfmanage-maintainers
-/website/public/        @hashicorp/consul-docs @hashicorp/consul-selfmanage-maintainers
-/website/content/       @hashicorp/consul-docs @hashicorp/consul-selfmanage-maintainers
+/website/data/          @hashicorp/consul-selfmanage-maintainers @hashicorp/consul-docs
+/website/public/        @hashicorp/consul-selfmanage-maintainers @hashicorp/consul-docs
+/website/content/       @hashicorp/consul-selfmanage-maintainers @hashicorp/consul-docs
 
 
 # release configuration
-/.release/                              @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers
-/.github/workflows/build.yml            @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers
+/.release/                              @hashicorp/consul-selfmanage-maintainers @hashicorp/team-selfmanaged-releng
+/.github/workflows/build.yml            @hashicorp/consul-selfmanage-maintainers @hashicorp/team-selfmanaged-releng
@@ -23,15 +23,13 @@ work on an issue, comment on it first and tell us the approach you want to take.
 * Increase our test coverage.
 * Fix a [bug](https://github.com/hashicorp/consul/labels/type/bug).
 * Implement a requested [enhancement](https://github.com/hashicorp/consul/labels/type/enhancement).
-* Improve our guides and documentation. Consul's [Guides](https://www.consul.io/docs/guides/index.html), [Docs](https://www.consul.io/docs/index.html), and [api godoc](https://godoc.org/github.com/hashicorp/consul/api)
+* Improve our documentation and tutorials. Consul's [Documentation](https://developer.hashicorp.com/consul/docs) and [api godoc](https://godoc.org/github.com/hashicorp/consul/api)
 are deployed from this repo.
 * Respond to questions about usage on the issue tracker or the Consul section of the [HashiCorp forum]: (https://discuss.hashicorp.com/c/consul)
 
 ### Reporting an Issue
 
 >Note: Issues on GitHub for Consul are intended to be related to bugs or feature requests. 
->Questions should be directed to other community resources such as the: [Discuss Forum](https://discuss.hashicorp.com/c/consul/29), [FAQ](https://www.consul.io/docs/faq.html), or [Guides](https://www.consul.io/docs/guides/index.html).
-
 * Make sure you test against the latest released version. It is possible we 
 already fixed the bug you're experiencing. However, if you are on an older 
 version of Consul and feel the issue is critical, do let us know.
@@ -163,7 +161,7 @@ When you're ready to submit a pull request:
    | `pr/no-changelog`    | This PR does not have an intended changelog entry |
    | `pr/no-backport`     | This PR does not have an intended backport target |
    | `pr/no-metrics-test` | This PR does not require any testing for metrics |
-   | `backport/1.12.x`    | Backport the changes in this PR to the targeted release branch. Consult the [Consul Release Notes](https://www.consul.io/docs/release-notes) page and [`versions.hcl`](/.release/versions.hcl) to view active releases. Website documentation merged to the latest release branch is deployed immediately. See [backport policy](#backport-policy) for more information. |
+   | `backport/1.12.x`    | Backport the changes in this PR to the targeted release branch. Consult the [Consul Release Notes](https://developer.hashicorp.com/docs/release-notes) page and [`versions.hcl`](/.release/versions.hcl) to view active releases. Website documentation merged to the latest release branch is deployed immediately. See [backport policy](#backport-policy) for more information. |
    | `backport/all`       | If contributing a bug fix or other change applicable to all branches, use `backport/all` to target all active branches automatically. See [backport policy](#backport-policy) for more information. |
 
 7. After you submit, the Consul maintainers team needs time to carefully review your

@@ -19,7 +19,7 @@ jobs:
   backport:
     if: github.event.pull_request.merged
     runs-on: ubuntu-latest
-    container: hashicorpdev/backport-assistant:0.4.4
+    container: hashicorpdev/backport-assistant:v0.5.8
     steps:
       - name: Run Backport Assistant for release branches
         run: |

@@ -130,25 +130,25 @@ jobs:
     - run: CC=aarch64-linux-gnu-gcc GOARCH=arm64 go build -tags "${{ env.GOTAGS }}"
 
 
-  build-s390x:
-    if: ${{ endsWith(github.repository, '-enterprise') }}
-    needs:
-    - setup
-    - get-go-version
-    - check-go-mod
-    runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl) }}
-    steps:
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-
-    # NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
-    - name: Setup Git
-      run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
-
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-      with:
-        go-version: ${{ needs.get-go-version.outputs.go-version }}
-    - name: Build
-      run: GOOS=linux GOARCH=s390x CGO_ENABLED=0 go build -tags "${{ env.GOTAGS }}"
+#  build-s390x:
+#    if: ${{ endsWith(github.repository, '-enterprise') }}
+#    needs:
+#    - setup
+#    - get-go-version
+#    - check-go-mod
+#    runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl) }}
+#    steps:
+#    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+#
+#    # NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
+#    - name: Setup Git
+#      run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
+#
+#    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+#      with:
+#        go-version: ${{ needs.get-go-version.outputs.go-version }}
+#    - name: Build
+#      run: GOOS=linux GOARCH=s390x CGO_ENABLED=0 go build -tags "${{ env.GOTAGS }}"
 
   # This is job is required for branch protection as a required gihub check
   # because GitHub actions show up as checks at the job level and not the
@@ -170,7 +170,7 @@ jobs:
     - build-386
     - build-amd64
     - build-arm
-    - build-s390x
+#    - build-s390x
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
     if: ${{ always() }}
     steps:

@@ -111,7 +111,7 @@ jobs:
       - name: Setup with node and yarn
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: '18'
+          node-version: '20'
           cache: 'yarn'
           cache-dependency-path: 'ui/yarn.lock'
 
@@ -134,7 +134,7 @@ jobs:
           PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.pre-version }}
           CGO_ENABLED: "0"
           GOLDFLAGS: "${{needs.set-product-version.outputs.shared-ldflags}}"
-        uses: hashicorp/actions-go-build@make-clean-flag-optional
+        uses: hashicorp/actions-go-build@b9e2cfba3013adccdc112b01cba922d83c78fac5 # v1.1.1
         with:
           product_name: ${{ env.PKG_NAME }}
           product_version: ${{ needs.set-product-version.outputs.product-version }}
@@ -193,60 +193,60 @@ jobs:
           name: ${{ env.DEB_PACKAGE }}
           path: out/${{ env.DEB_PACKAGE }}
 
-  build-s390x:
-    needs:
-    - set-product-version
-    - get-go-version
-    if: ${{ endsWith(github.repository, '-enterprise') }}
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        include:
-          - {goos: "linux", goarch: "s390x"}
-      fail-fast: true
-
-    name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
-    steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-
-      - name: Setup with node and yarn
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
-        with:
-          node-version: '18'
-          cache: 'yarn'
-          cache-dependency-path: 'ui/yarn.lock'
-
-      - name: Build UI
-        run: |
-          CONSUL_VERSION=${{ needs.set-product-version.outputs.product-version }}
-          CONSUL_DATE=${{ needs.set-product-version.outputs.product-date }}
-          CONSUL_BINARY_TYPE=${CONSUL_BINARY_TYPE}
-          CONSUL_COPYRIGHT_YEAR=$(git show -s --format=%cd --date=format:%Y HEAD)
-          echo "consul_version is ${CONSUL_VERSION}"
-          echo "consul_date is ${CONSUL_DATE}"
-          echo "consul binary type is ${CONSUL_BINARY_TYPE}"
-          echo "consul copyright year is ${CONSUL_COPYRIGHT_YEAR}"
-          cd ui && make && cd ..
-          rm -rf agent/uiserver/dist
-          mv ui/packages/consul-ui/dist agent/uiserver/
-      - name: Go Build
-        env:
-          PRODUCT_VERSION: ${{ needs.set-product-version.outputs.product-version }}
-          PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.pre-version }}
-          CGO_ENABLED: "0"
-          GOLDFLAGS: "${{needs.set-product-version.outputs.shared-ldflags}}"
-        uses: hashicorp/actions-go-build@make-clean-flag-optional
-        with:
-          product_name: ${{ env.PKG_NAME }}
-          product_version: ${{ needs.set-product-version.outputs.product-version }}
-          go_version: ${{ needs.get-go-version.outputs.go-version }}
-          os: ${{ matrix.goos }}
-          arch: ${{ matrix.goarch }}
-          reproducible: nope
-          clean: false
-          instructions: |-
-            cp LICENSE $TARGET_DIR/LICENSE.txt
-            go build -ldflags="$GOLDFLAGS" -o "$BIN_PATH" -trimpath -buildvcs=false
+#  build-s390x:
+#    needs:
+#    - set-product-version
+#    - get-go-version
+#    if: ${{ endsWith(github.repository, '-enterprise') }}
+#    runs-on: ubuntu-latest
+#    strategy:
+#      matrix:
+#        include:
+#          - {goos: "linux", goarch: "s390x"}
+#      fail-fast: true
+#
+#    name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
+#    steps:
+#      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+#
+#      - name: Setup with node and yarn
+#        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+#        with:
+#          node-version: '18'
+#          cache: 'yarn'
+#          cache-dependency-path: 'ui/yarn.lock'
+#
+#      - name: Build UI
+#        run: |
+#          CONSUL_VERSION=${{ needs.set-product-version.outputs.product-version }}
+#          CONSUL_DATE=${{ needs.set-product-version.outputs.product-date }}
+#          CONSUL_BINARY_TYPE=${CONSUL_BINARY_TYPE}
+#          CONSUL_COPYRIGHT_YEAR=$(git show -s --format=%cd --date=format:%Y HEAD)
+#          echo "consul_version is ${CONSUL_VERSION}"
+#          echo "consul_date is ${CONSUL_DATE}"
+#          echo "consul binary type is ${CONSUL_BINARY_TYPE}"
+#          echo "consul copyright year is ${CONSUL_COPYRIGHT_YEAR}"
+#          cd ui && make && cd ..
+#          rm -rf agent/uiserver/dist
+#          mv ui/packages/consul-ui/dist agent/uiserver/
+#      - name: Go Build
+#        env:
+#          PRODUCT_VERSION: ${{ needs.set-product-version.outputs.product-version }}
+#          PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.pre-version }}
+#          CGO_ENABLED: "0"
+#          GOLDFLAGS: "${{needs.set-product-version.outputs.shared-ldflags}}"
+#        uses: hashicorp/actions-go-build@b9e2cfba3013adccdc112b01cba922d83c78fac5 # v1.1.1
+#        with:
+#          product_name: ${{ env.PKG_NAME }}
+#          product_version: ${{ needs.set-product-version.outputs.product-version }}
+#          go_version: ${{ needs.get-go-version.outputs.go-version }}
+#          os: ${{ matrix.goos }}
+#          arch: ${{ matrix.goarch }}
+#          reproducible: nope
+#          clean: false
+#          instructions: |-
+#            cp LICENSE $TARGET_DIR/LICENSE.txt
+#            go build -ldflags="$GOLDFLAGS" -o "$BIN_PATH" -trimpath -buildvcs=false
 
   build-docker:
     name: Docker ${{ matrix.arch }} build