RepoJournal
HashiCorp

@hashicorp

Terraform, Vault, Consul — infra-as-code for ops teams

Pick a date

  1. Sun 3 may
  2. Tue 5 may
  3. Wed 6 may
  4. Thu 7 may
  5. Fri 8 may
  6. Sat 9 may
  7. Sun 10 may
  8. Mon 11 may
  9. Tue 12 may
  10. Wed 13 may
  11. Thu 14 may
  12. Fri 15 may
  13. Sat 16 may
  14. Sun 17 may
  15. Tue 19 may
  16. Wed 20 may
  17. Thu 21 may
  18. Sat 23 may
  19. Sun 24 may
  20. Mon 25 may
  21. Tue 26 may
  22. Wed 27 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

CONSUL-K8S PATCHES CRITICAL GO VULNERABILITY, RESTORES TEST SUITE

By RepoJournal · Filed · About HashiCorp

Consul-K8s shipped a critical security fix for CVE GO-2026-4918 overnight while simultaneously restoring unit tests that had vanished from the main branch.

The golang.org/x/net dependency got upgraded to v0.53.0 to patch the vulnerability [1][2], a move that closes a known attack surface in any K8s deployment running Consul. Separately, the sync-catalog command test suite that had been stripped from main is now restored and passing [3]—a clean bill of health for a component critical to service mesh synchronization. Meanwhile, the team is moving forward on API Gateway enhancements: SDS support is now available at multiple override levels (default, listener, service route) with a new RouteTLSSdsFilter CRD [4], and scaling logic for the custom gateway rolled in [5], though that PR still needs test coverage and changelog documentation before merge. On the tooling side, VSCode Terraform bumped its GitHub Actions dependency [6], a routine maintenance item with no breaking changes for users.

Action items

References

  1. [1] fix CVE GO-2026-4918 (#5308) hashicorp/consul-k8s
  2. [2] fix CVE GO-2026-4918 ↗ hashicorp/consul-k8s
  3. [3] Unit Test cases fix control-plane/subcommand/sync-catalog- PASS ↗ hashicorp/consul-k8s
  4. [4] [Deprecate Ingress Gateway]sds support for api-gateway ↗ hashicorp/consul-k8s
  5. [5] api-gateway-custom: add scaling support and openshift coverage ↗ hashicorp/consul-k8s
  6. [6] Build(deps): Bump actions/github-script from 8.0.0 to 9.0.0 in the github-actions-breaking group across 1 directory ↗ hashicorp/vscode-terraform

FAQ

What changed in HashiCorp on May 14, 2026?
Consul-K8s shipped a critical security fix for CVE GO-2026-4918 overnight while simultaneously restoring unit tests that had vanished from the main branch.
What should HashiCorp teams do about it?
Upgrade consul-k8s to patch CVE GO-2026-4918 before next production deploy • Plan API Gateway SDS implementation if you're using custom gateways • Monitor custom gateway scaling PR—incomplete checklist, not ready yet
Which HashiCorp repositories shipped on May 14, 2026?
hashicorp/consul-k8s, hashicorp/vscode-terraform

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.