GO 1.26.4 PATCHES STANDARD LIBRARY VULNERABILITIES ACROSS THE ECOSYSTEM

By RepoJournal · Filed · About Kubernetes

Cloud-provider-vsphere and distroless-iptables are both shipping Go 1.26.4 to patch multiple critical standard library security flaws.

The most urgent move this cycle: upgrade Go to 1.26.4 across your clusters and operators [1] [3]. Cloud-provider-vsphere just merged the jump to address GO-2026-5039, GO-2026-5038, GO-2026-5037 and others [2], and distroless-iptables is right behind it [3]. This isn't optional. If you're running vSphere integrations or iptables-based networking, patch immediately.

In parallel, kube-state-metrics shipped two critical fixes [4] [5]. The first guards against nil pointer dereferences in deployment metrics that would panic under specific configurations [4]. The second fixes a sharding bug where bookmark events weren't propagating correctly after the WatchListClient upgrade [5], which means only one shard would sync properly in multi-shard setups. Both are backported and ready.

On the release desk, promo-tools bumped to 4.5.1 [6], YAML library advanced to 4.0.0-rc.5 with a merge tag regression fix [7], and golang.org/x/text moved to 0.38.0 [8]. Documentation cleared backlog with staleness mitigation guidance landing in Chinese [9] and swap memory docs polished [10].
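To act on the Go upgrade advice above, the following added example (not code from RepoJournal or from any Kubernetes repository) classifies Go toolchain strings, such as the version field printed by `go version <binary>`, against the patched releases the digest names. The names `patchedMin`, `parseGoVersion` and `Status` are hypothetical, the sample versions are constructed, and treating 1.25.11 as the patched release for the 1.25 line is an assumption drawn from the title of reference [3].

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// patchedMin: first patched point release per Go release line, as named in
// the digest above (Go 1.26.4 / 1.25.11). Other lines are not covered by it.
var patchedMin = map[string]int{"1.26": 4, "1.25": 11}

// parseGoVersion splits "go1.26.4" or "go1.26" into line "1.26" and patch (0 if absent).
func parseGoVersion(v string) (string, int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	v, _, _ = strings.Cut(v, " ") // drop a trailing suffix such as " X:boringcrypto"
	parts := strings.Split(v, ".")
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || len(parts) < 2 || len(parts) > 3 {
			return "", 0, fmt.Errorf("unrecognised Go version %q", v)
		}
		nums[i] = n
	}
	return fmt.Sprintf("%d.%d", nums[0], nums[1]), nums[2], nil
}

// Status classifies one toolchain string against patchedMin.
func Status(v string) string {
	line, patch, err := parseGoVersion(v)
	if err != nil {
		return "unknown" // release candidates, devel builds, malformed input
	}
	want, ok := patchedMin[line]
	switch {
	case !ok:
		return "unlisted-line" // release line the digest does not mention
	case patch < want:
		return "needs-upgrade"
	}
	return "patched"
}

func main() {
	// Constructed samples mimicking the version field of `go version <binary>`.
	for _, v := range []string{"go1.26.3", "go1.25.11", "go1.24.9"} {
		fmt.Println(v, Status(v))
	}
}
```

An `unlisted-line` or `unknown` result means the digest gives no basis for a verdict, so those binaries need a separate check rather than being treated as patched.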

Action items

References

  [1] Update Go version to 1.26.4 to fix standard library vulnerabilities. kubernetes/cloud-provider-vsphere
  [2] Merge pull request #1782 from zhanggbj/fix_security. kubernetes/cloud-provider-vsphere
  [3] Bump distroless-iptables to use Go 1.26.4/1.25.11. kubernetes/release
  [4] fix(deployment): guard nil Spec.Replicas before dereference. kubernetes/kube-state-metrics
  [5] fix: watch-list bookmarks with sharding. kubernetes/kube-state-metrics
  [6] Bump sigs.k8s.io/promo-tools/v4 from 4.5.0 to 4.5.1 in the all group. kubernetes/release
  [7] Bump go.yaml.in/yaml/v4 from 4.0.0-rc.4 to 4.0.0-rc.5. kubernetes/release
  [8] Bump golang.org/x/text from 0.37.0 to 0.38.0. kubernetes/release
  [9] [zh-cn] Add blog: staleness-mitigation-for-controllers. kubernetes/website
  [10] Fix typo in swap-memory-management. kubernetes/website

FAQ

What changed in Kubernetes on June 9, 2026?
Cloud-provider-vsphere and distroless-iptables are both shipping Go 1.26.4 to patch multiple critical standard library security flaws.
What should Kubernetes teams do about it?

  • Upgrade Go to 1.26.4 in all operators and components before next release
  • Upgrade kube-state-metrics to pick up nil-guard and sharding fixes if running 2.19.0 with multi-shard
  • Bump promo-tools to 4.5.1 and update YAML dependency to 4.0.0-rc.5 in release tooling

Which Kubernetes repositories shipped on June 9, 2026?
kubernetes/cloud-provider-vsphere, kubernetes/release, kubernetes/kube-state-metrics, kubernetes/website
