Skip to content

fix(deps): update module github.com/open-policy-agent/opa to v1.9.0 #4842

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update module github.com/open-policy-agent/opa to v1.9.0 #4842

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 3, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/open-policy-agent/opa v1.8.0 -> v1.9.0 age confidence

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.9.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Compile API extensions ported from EOPA
  • Improved rule indexing
Compile Rego Queries Into SQL Filters (#​7887)

Compile API extensions with support for SQL filter generation previously exclusive to EOPA has been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

### METADATA
### scope: document

### compile:
###   unknowns: [input.fruits]
include if input.fruits.name == input.favorite
Example Request
POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}
Example Response
HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @​srenatus and @​philipaconrad

Improved Rule Indexing For "Naked" Refs (#​7897)

OPA's rule indexer is a means by which OPA can optimize evaluation performance.
Briefly, the indexer can in some cases determine that a rule won't successfully evaluate before it's evaluated based on the query input.
The indexer previously only considered terms in certain compound expressions, ignoring single terms; e.g. an expression containing a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Where we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @​srenatus

Runtime, Tooling
Compiler, Topdown and Rego
Docs, Website
Miscellaneous
  • Bump golangci-lint to v2.4.0 (#​7878) authored by @​sspaink
  • Community Guidelines: update email list (#​7900) authored by @​srenatus
  • ci: port binary tests to testscript (#​7865) authored by @​srenatus
  • dependabot: Updating e2e go deps together with core OPA deps (#​7923) authored by @​johanfylling
  • github_actions: Add working directory in arguments for Link Checker (#​7883) authored by @​sspaink
  • rego: Add comprehensive WASM performance benchmarks (#​7841) authored by @​anivar
  • Dependency updates; notably:
    • build: Bump go to 1.25.1
    • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
    • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
    • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
    • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
    • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
    • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
    • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner October 3, 2025 05:30
@renovate renovate bot added automerge Used by Kodiak bot to automerge PRs dependencies Pull requests that update a dependency file go labels Oct 3, 2025
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Oct 3, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 14 additional dependencies were updated

Details:

Package Change
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 -> v0.63.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/sdk v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/sdk/metric v1.37.0 -> v1.38.0
github.com/cenkalti/backoff/v5 v5.0.2 -> v5.0.3
github.com/goccy/go-json v0.10.3 -> v0.10.5
github.com/lestrrat-go/httprc/v3 v3.0.0 -> v3.0.1
github.com/lestrrat-go/jwx/v3 v3.0.10 -> v3.0.11
github.com/prometheus/procfs v0.16.1 -> v0.17.0
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 -> v0.0.0-20250401214520-65e299d6c5c9
github.com/sirupsen/logrus v1.9.3 -> v1.9.4-0.20230606125235-dd1b4c2e81af
golang.org/x/time v0.12.0 -> v0.13.0

@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch 2 times, most recently from 3331439 to 1354c63 Compare October 3, 2025 06:43
@kodiakhq kodiakhq
Copy link
Contributor

kodiakhq bot commented Oct 3, 2025

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.

@kodiakhq kodiakhq bot removed the automerge Used by Kodiak bot to automerge PRs label Oct 3, 2025
@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch 12 times, most recently from a0d78fa to 97653cb Compare October 8, 2025 03:17
@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch from 97653cb to 2896a90 Compare October 8, 2025 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file go
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants