The Wire · Showcase
NOMAD AUTOSCALER PATCHES 14 CVES WHILE AZURE PROVIDER READIES 5.0
By RepoJournal · Filed · About HashiCorp
Nomad Autoscaler shipped security fixes for 14 vulnerabilities across Go toolchain and dependencies overnight, while Azure provider teams finalize deprecated property cleanup ahead of major version release.
The critical patch [1] upgrades Go 1.25.6 to 1.25.10 and golang.org/x/net to v0.53.0, resolving XSS vulnerabilities in html/template, DoS issues in net/mail, and panic conditions on Windows. This one hits immediately if you're running Nomad Autoscaler in production. Separately, the InfluxDB APM plugin landed JWT Bearer authentication support [2] for InfluxDB 1.x deployments using shared-secret signing, a feature request that's been waiting for the right implementation. On the Terraform front, Azure provider continues scaffolding for version 5.0 with keyvault test fixes [3] addressing deprecated properties, while a parallel effort [4] unblocks container app environment names starting with digits, solving a real naming constraint that was frustrating users. The Google Beta provider is undergoing significant test infrastructure refactoring [5][6][7][8][9], migrating from client library patterns to direct HTTP calls and consolidating bootstrap functions into service packages, clearing technical debt before the next major release cycle.
Action items
- → Patch Nomad Autoscaler immediately - 14 CVEs resolved in Go toolchain and net libraries hashicorp/nomad-autoscaler [immediate]
- → Test InfluxDB APM JWT authentication if using InfluxDB 1.x with shared secrets hashicorp/nomad-autoscaler [plan]
- → Review Azure provider 5.0 migration timeline - deprecated keyvault properties being cleaned hashicorp/terraform-provider-azurerm [monitor]
References
- [1] fix(deps): upgrade Go toolchain and dependencies to resolve 14 CVEs (#1298) hashicorp/nomad-autoscaler
- [2] feat(apm/influxdb): add JWT Bearer authentication via shared secret for influxdb 1.x ↗ hashicorp/nomad-autoscaler
- [3] test: `keyvault` - test fixes for 5.0 deprecated properties (#32398) hashicorp/terraform-provider-azurerm
- [4] `azurerm_container_app_environment` - allow names that start with a digit (#32267) hashicorp/terraform-provider-azurerm
- [5] Migrate compute instance `*_test.go.tmpl` test files to use direct HTTP rather than a client library ↗ hashicorp/terraform-provider-google-beta
- [6] Moved SetupProjectsAndGetAccessToken to a dedicated package ↗ hashicorp/terraform-provider-google-beta
- [7] Add migration center report config resource and tests ↗ hashicorp/terraform-provider-google-beta
- [8] Remove test-only Framework resources ↗ hashicorp/terraform-provider-google-beta
- [9] Moved remaining bootstrap functions to service packages ↗ hashicorp/terraform-provider-google-beta
FAQ
- What changed in HashiCorp on May 16, 2026?
- Nomad Autoscaler shipped security fixes for 14 vulnerabilities across Go toolchain and dependencies overnight, while Azure provider teams finalize deprecated property cleanup ahead of major version release.
- What should HashiCorp teams do about it?
- Patch Nomad Autoscaler immediately - 14 CVEs resolved in Go toolchain and net libraries • Test InfluxDB APM JWT authentication if using InfluxDB 1.x with shared secrets • Review Azure provider 5.0 migration timeline - deprecated keyvault properties being cleaned
- Which HashiCorp repositories shipped on May 16, 2026?
- hashicorp/nomad-autoscaler, hashicorp/terraform-provider-azurerm, hashicorp/terraform-provider-google-beta