Releases: dapr/dapr
Dapr Runtime v1.13.4
Dapr Runtime v1.13.3
Dapr 1.13.3
This update includes bug fixes:
- App API token forwarded from caller to receiving app
- Upgrade Go version to 1.21.9
- Placement server fails to disseminate placement tables
- Restore dapr_http_server_response_count HTTP metric
App API token forwarded from caller to receiving app
Problem
The caller sidecar is appending the local app API token to the egress request, thereby leaking the API token protecting the local app to the foreign sidecar.
Impact
The receiving app can obtain the calling app's API token and use it to make unauthorized calls directly to the originating app, if that app is listening on 0.0.0.0 or another accessible IP address.
Root cause
A pull request accidentally added this change.
Solution
Fixed the issue and added integration tests to verify and avoid future regressions.
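The invariant behind this fix, as an added Go example (not Dapr's code or its integration tests): the app API token belongs on the sidecar-to-local-app hop only, and a regression check asserts that no other hop sees it. The hop names, `newOutbound`, `tokenSeenBy`, the route and the token value are hypothetical; `dapr-api-token` is the header Dapr uses for app API token authentication.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header in which a Dapr sidecar presents the app API token to its own app.
const appTokenHeader = "dapr-api-token"

// Hops a request can take when leaving the sidecar (hypothetical model).
const (
	toLocalApp      = "local-app"
	toRemoteSidecar = "remote-sidecar"
)

// newOutbound builds a request leaving the sidecar. The app API token is a
// secret shared only with the local app, so it is attached on that hop alone.
// leak=true models the regression: the token is attached on every hop.
func newOutbound(dest, appToken string, leak bool) *http.Request {
	req := httptest.NewRequest(http.MethodPost, "http://"+dest+"/method/orders", nil)
	if dest == toLocalApp || leak {
		req.Header.Set(appTokenHeader, appToken)
	}
	return req
}

// tokenSeenBy delivers one outbound request to a handler standing in for the
// destination and returns the token value that destination observed.
func tokenSeenBy(dest string, leak bool) string {
	var seen string
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get(appTokenHeader)
		w.WriteHeader(http.StatusOK)
	})
	// "constructed-token-A" is a constructed sample value, not a real token.
	h.ServeHTTP(httptest.NewRecorder(), newOutbound(dest, "constructed-token-A", leak))
	return seen
}

func main() {
	fmt.Printf("local app sees:             %q\n", tokenSeenBy(toLocalApp, false))
	fmt.Printf("remote sidecar (fixed):     %q\n", tokenSeenBy(toRemoteSidecar, false))
	fmt.Printf("remote sidecar (regressed): %q\n", tokenSeenBy(toRemoteSidecar, true))
}
```

An app that ran behind an affected sidecar should treat its app API token as disclosed to the services it invoked and rotate it after upgrading.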
Upgrade Go version to 1.21.9
Problem
Go versions 1.21.8 and older are affected by CVE-2023-45288.
Impact
See https://nvd.nist.gov/vuln/detail/CVE-2023-45288
Root cause
See https://nvd.nist.gov/vuln/detail/CVE-2023-45288
Solution
Update Go version used to build Dapr.
Placement server fails to disseminate placement tables
Problem
If an error occurs while disseminating the placement table to a sidecar instance, dissemination to the remaining instances does not complete. See #7031
Impact
Sidecars can run with an old copy of the dissemination table and cannot invoke the correct Dapr sidecar for a given actor instance.
Root cause
During shutdown, all publish calls to the application were being cancelled.
Solution
Check the return value of performTableDissemination for errors.
Restore dapr_http_server_response_count HTTP metric
Problem
An existing metric was removed without a deprecation notice, affecting users that relied on it. See #7642
Impact
Users did not have this specific metric available anymore, potentially impacting their alerts and monitoring.
Root cause
Metric removed without deprecation notice.
Solution
Added the metric back.
Dapr Runtime v1.13.2
Dapr 1.13.2
This update includes bug fixes:
- Fix incorrect content-length being sent to HTTP published message
- Fix PubSub in-flight messages from being cancelled during blocked shutdown
- Fix null value handling in AVRO schema validation for Kafka pub/sub
Fix incorrect content-length being sent to HTTP published message
Problem
Published messages to HTTP application server report a content-length error and are not processed.
Impact
PubSub messages from some PubSubs cannot be processed by the application.
Root cause
The content-length reported by the PubSub broker message was copied to the message sent to the application's HTTP server.
This content-length may not match the final message length sent to the application's HTTP server, resulting in the message being rejected.
Solution
Filter out the content-length header from the PubSub broker message before sending it to the application's HTTP server.
Fix PubSub in-flight messages from being cancelled during blocked shutdown.
Problem
During a blocked shutdown, all in-flight PubSub messages are cancelled and cannot be processed by the application, or the application's processed status is discarded.
Impact
During shutdown, in-flight messages which are currently being processed by the application cannot be completed.
Root cause
During shutdown, all publish calls to the application were being cancelled.
Solution
PubSub messages are now published to the application in an isolated routine, which is not cancelled during blocked shutdown.
Fix null value handling in AVRO schema validation for Kafka pub/sub.
Problem
When using Avro schema validation with the Kafka pub/sub component, consuming messages with a null value will fail and not be delivered to the app, and publishing messages with null values will fail.
Impact
Kafka messages with null values for both consumers and publishers are not delivered or published when using the Avro schema validation feature.
Root cause
The Dapr component did not have correct handling of null values in a message.
Solution
Handling of null values was added when serializing and deserializing messages.
Dapr Runtime v1.13.2-rc.1
This is the release candidate 1.13.2-rc.1
Dapr Runtime v1.13.1
Dapr 1.13.1
This update includes bug fixes:
(Hot-Reload) Fix operator client stream re-establishment causing tight loop
Problem
The operator becomes DDoSed by the Dapr runtime, and an extreme amount of logs are generated.
Component hot-reloading no longer functions.
Impact
Users running Dapr 1.13.0 that have the Component Hot-Reloading feature gate enabled.
Root cause
A tight loop in the daprd operator client stream re-establishment causes runtime to constantly create new Component update streams.
Solution
Fix the tight loop by correctly breaking out of retries after a successful re-establishment.
Also ensures daprd will re-reconcile all Components in the event of a stream re-establishment, catching any Components which might have been deleted while the stream was down.
Dapr Runtime v1.13.0
Dapr 1.13
We're happy to announce the release of Dapr 1.13!
We would like to extend our thanks to all the new and existing contributors who helped make this release happen.
If you're new to Dapr, visit the getting started page and familiarize yourself with Dapr.
Docs have been updated with all the new features and changes of this release.
To get started with new capabilities introduced in this release, go to the Concepts and the Developing applications documentation.
Note: This release contains a few breaking changes.
See this section on upgrading Dapr to version 1.13.
Highlights
These are the v1.13 release highlights:
Component hot reloading (preview)
Component "Hot Reloading" is a new preview feature that, when enabled, allows component updates to be picked up automatically, without the need for restarting the Dapr process.
The component spec is reconciled and takes effect when running in both Kubernetes and Self-Hosted modes.
Go and JavaScript/TypeScript SDK support for workflow
You can now use Go and JavaScript/TypeScript to write fault-tolerant, workflow-based apps with durable execution.
See the Go SDK for more details and try the Quickstart or the examples.
See the JavaScript SDK for more details and try the Quickstart or the examples.
Actor reminders performance improvement
You can now opt-in to make actor reminders data use protobuf serialization instead of JSON, which increases throughput, reduces latency, and improves stability when multiple Dapr instances are operating on the same reminders.
With this feature enabled, we have observed improvements as high as 40% in Actor Reminders and Workflow benchmarks.
This serialization method will become default in v1.14.
Important: Once you enable this feature, you should not downgrade the Dapr control plane to an earlier version, as your reminders data may become unreadable.
To enable protobuf serialization for actor reminders, set the following Helm argument on Kubernetes: dapr_placement.maxActorApiLevel=20.
In self-hosted mode, run daprd with the flag: --max-api-level=20
Low metrics cardinality for HTTP server
Dapr now includes an optional setting to enable low cardinality for metrics emitted by the HTTP server, which will be enabled by default in Dapr 1.14.
Currently, the Dapr HTTP server emits metrics for each request path, which has been observed to cause significant memory usage and have other negative performance impact.
When low-cardinality metrics are enabled, the HTTP Dapr server behaves more like the gRPC server and groups requests for each Dapr API together, possibly reducing memory consumption significantly.
See additional info here.
Graceful shutdown
Dapr now accepts a dapr.io/block-shutdown-duration annotation or --dapr-block-shutdown-duration CLI flag which delays the full shutdown procedure for this duration or until the app reports as unhealthy, whichever is sooner.
During this period, all Subscriptions and input bindings will be closed.
This is useful for applications that need to use the Dapr APIs as part of their own shutdown procedure.
See additional info here.
Standardized error codes
The Dapr PubSub and State APIs now have the appropriate and standardized error codes returned to applications including enriched error details based on gRPC's richer error model.
The remaining APIs are a work in progress, and community contributions towards this effort are greatly appreciated and very impactful.
See additional info on the error codes here.
Check the docs for each SDK for per-SDK error code parsing and handling.
See an example of the Go SDK error parsing and handling here.
Rust SDK support for actors (alpha)
You can now use Rust to run Dapr Actors, a programming model for highly scalable stateful applications.
See the Rust SDK for more details
Components
Local name resolver based on SQLite
You can now use a SQLite based name resolver for service invocation in self-hosted mode.
This is useful for dealing with corporate firewalls and VPNs that filter mDNS.
See additional info here.
PostgreSQL state store v2
PostgreSQL has a new v2 implementation which contains improvements to performance and reliability.
New applications are encouraged to use v2.
The v1 implementation remains supported and is not deprecated.
There is no migration path from v1 to v2.
See additional info here.
Azure Blob Storage state store v2
Azure Blob Storage has a new v2 implementation, which is recommended for all new projects as it fixes a backwards-incompatible bug with key prefixes.
The v1 implementation remains supported and is not deprecated.
There is no migration path from v1 to v2.
See additional info here.
Acknowledgements
Thanks to everyone who made this release possible!
@a-elsheikh, @addjuarez, @AishwaryaBalyaya01, @alfred-mikhael, @amimimor, @andreas-eriksson, @andrew-hillier, @arthbalete, @artursouza, @ASHIQUEMD, @avo-sepp, @baransonmez, @berndverst, @bkc, @bmelbourne, @bruth, @burhan, @cgillum, @chaitanyab2311, @cicoyle, @ckcd, @cscetbon, @danielgerlag, @dasanind, @DeepanshuA, @ejba, @elena-kolevska, @emctl, @eunicecompra, @famarting, @farshaddavoudi, @fazledyn-or, @filintod, @frankbuckley, @frodera, @fvandillen, @fyzact, @georgestevens99, @Gonzoe79, @greenie-msft, @gspadotto, @hauju, @henrikkarstrom, @heunghingwan, @hhunter-ms, @ItalyPaleAle, @jamesmcroft, @jancespivo, @jellis18, @jerinthomas1404, @jhberge, @jigargandhi, @jjcollinge, @jorimvanhove, @JoshVanL, @kaibocai, @KarstenWintermann, @KrylixZA, @litan1106, @lrascao, @lucus-sun, @luigirende, @macel94, @marcduiker, @martbln, @mathieu-benoit, @mikeee, @MregXN, @msfussell, @mukundansundar, @nitroin, @olitomlinson, @paianish62, @passuied, @paulyuk, @philliphoff, @pngan, @prashantrewar, @prateek041, @pravinpushkar, @qustavo, @rabollin, @robertojrojas, @RyanLettieri, @sadath-12, @salaboy, @shivamkm07, @shubham1172, @sicoyle, @siebenluke, @skyao, @srilasya02, @srparupu, @stuartleeks, @Taction, @thapasusheel, @tlund101, @tmacam, @toneill818, @TWEESTY, @twinguy, @vermillionsword, @Viktorsubota, @willvelida, @WhitWaldo, @XavierGeerinck, @xiangpingjiang, @yaron2, @yash-nisar, @ytimocin
New in this release
Dapr Runtime
- ADDED New name-resolver based on SQLite for local development (alternative to mDNS) 3256 7038
- ADDED Option to emit metrics from HTTP server with lower cardinality for reduced memory consumption (disabled by default), and include more information in API logs 6723 6919 7429
- ADDED Metrics for Dapr Workflow 7109 7152 7370
- ADDED Improve Actor Reminders performance by serializing as protobuf (opt-in) 7129 7548 7196
- UPDATED Switched default Docker registry to ghcr.io in Helm chart 6413 7176
- UPDATED Enforce Component names to be unique 7195
- ADDED Helm chart option to deploy Placement with zero replicas 7253
- ADDED Support for priorityClass in Helm charts 7103 7395
- ADDED Helm option dapr_sidecar_injector.enableK8sDownwardAPIs to improve detection of pod IP in certain Kubernetes environments 7511
- ADDED Hot Reloading for components 7239 7260 7286 7433 7441
- ADDED Add Helm chart options to configure the Service resources created 7153
- ADDED Option `--dapr-block-shu...
Dapr Runtime v1.13.0-rc.10
This is the release candidate 1.13.0-rc.10
Dapr Runtime v1.13.0-rc.9
This is the release candidate 1.13.0-rc.9
Dapr Runtime v1.13.0-rc.8
This is the release candidate 1.13.0-rc.8
Dapr Runtime v1.13.0-rc.7
This is the release candidate 1.13.0-rc.7