RepoJournal
HashiCorp

@hashicorp

Terraform, Vault, Consul — infra-as-code for ops teams

Pick a date

  1. Sun 3 may
  2. Tue 5 may
  3. Wed 6 may
  4. Thu 7 may
  5. Fri 8 may
  6. Sat 9 may
  7. Sun 10 may
  8. Mon 11 may
  9. Tue 12 may
  10. Wed 13 may
  11. Thu 14 may
  12. Fri 15 may
  13. Sat 16 may
  14. Sun 17 may
  15. Tue 19 may
  16. Wed 20 may
  17. Thu 21 may
  18. Sat 23 may
  19. Sun 24 may
  20. Mon 25 may
  21. Tue 26 may
  22. Wed 27 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

CONSUL AND DATAPLANE 2.0 SHIP WITH CRITICAL CRYPTO PATCHES

By RepoJournal · Filed · About HashiCorp

HashiCorp shipped major versions across Consul, Consul-K8s, and Consul Dataplane overnight, all patching the same cryptographic vulnerabilities that hit the Go ecosystem this spring.

Consul v2.0.0 [2] and Consul Dataplane v2.0.0 [1] both land with mandatory upgrades to golang.org/x/crypto and golang.org/x/net, closing the CVEs that forced every Go shop to scramble weeks ago. Consul-K8s follows suit [3] with the same dependency chain remediation across all modules, replacing go-jose/v3 with v4 to fix GHSA-c5q2-7r4c-mv6g. The dataplane release also bumps the UBI base image to 9.8 [1] and suppresses spurious OSV scanner false positives in RHEL RPM paths [4], which matters if you're running supply chain scanning in production. On the breaking changes front: Consul 2.0 increases default HTTP timeouts from 30 seconds to 15 minutes [2], a significant shift for long-polling blocking queries that could affect your connection pooling assumptions. Envoy gets pinned to 1.37.2 and Go to 1.26 [2], so you're looking at a coordinated upgrade across your entire service mesh.

Action items

References

  1. [1] v2.0.0 ↗ hashicorp/consul-dataplane
  2. [2] v2.0.0 ↗ hashicorp/consul
  3. [3] deps: upgrade dependencies to address CVEs in golang.org/x/crypto and golang.org/x/net ↗ hashicorp/consul-k8s
  4. [4] chore: suppress OSV scanner false positives for UBI base RPM paths ↗ hashicorp/consul-dataplane

FAQ

What changed in HashiCorp on May 24, 2026?
HashiCorp shipped major versions across Consul, Consul-K8s, and Consul Dataplane overnight, all patching the same cryptographic vulnerabilities that hit the Go ecosystem this spring.
What should HashiCorp teams do about it?
Upgrade Consul to 2.0.0 before next deploy - blocking query timeouts changed • Patch Consul Dataplane to 2.0.0 in all environments • Update Consul-K8s controllers to pick up crypto patches
Which HashiCorp repositories shipped on May 24, 2026?
hashicorp/consul-dataplane, hashicorp/consul, hashicorp/consul-k8s

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.