Releases: linyows/dewy

v2.17.1

22 May 13:39
dff728d

Security release. Resolves four open Dependabot advisories on the default branch by upgrading the affected dependency and dropping the legacy github.com/docker/docker indirect module in favor of the new github.com/moby/moby/{api,client} modules.

No source changes — go.mod / go.sum only. CLI flags, config formats, on-disk layout, cache keys, and registry scheme strings are all unchanged.

Security (#454)

  • slack-go/slack 0.23.0 → 0.23.1 — Fixes GHSA-gxhx-2686-5h9g: SecretsVerifier accepted an empty signing secret without precondition, allowing a forged Slack request to pass verification when the secret was misconfigured.
  • Legacy github.com/docker/docker removed from the dependency graph. The legacy module still has no patched release for these three advisories; the fixes ship in the renamed github.com/moby/moby/v2 (and split-out moby/moby/api + moby/moby/client) modules instead. Dewy never imported docker/docker directly — it came in transitively via google/go-containerregistry and bufbuild/buf. Bumping those upstreams (see below) drops it entirely:
    • GHSA-rg2x-37c3-w2rh: docker cp race condition allows bind-mount redirection to a host path.
    • GHSA-vp62-88p7-qqf5: docker cp race condition allows creation of arbitrary empty files on the host via symlink swap.
    • GHSA-x86f-5xw2-fm2r: PUT /containers/{id}/archive executes a container binary on the host.
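
The empty-secret failure mode described for SecretsVerifier, as an added example (not slack-go's or Dewy's code): a verifier that compares HMACs without first requiring a configured secret, next to one that fails closed. The function names and request values are constructed for illustration, and the timestamp replay-window check is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrEmptySecret is returned when no signing secret is configured.
var ErrEmptySecret = errors.New("signing secret is empty; refusing to verify")

// sign computes a Slack-style v0 signature:
// "v0=" + hex(HMAC-SHA256(secret, "v0:<timestamp>:<body>")).
func sign(secret, timestamp, body string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	fmt.Fprintf(mac, "v0:%s:%s", timestamp, body)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// verifyNoPrecondition models the flawed pattern: it compares HMACs without
// checking that a secret was configured, so an empty key still "verifies".
func verifyNoPrecondition(secret, timestamp, body, got string) bool {
	return hmac.Equal([]byte(sign(secret, timestamp, body)), []byte(got))
}

// verify is the hardened form: an empty secret is a configuration error and
// fails closed before any comparison happens.
func verify(secret, timestamp, body, got string) error {
	if secret == "" {
		return ErrEmptySecret
	}
	if !hmac.Equal([]byte(sign(secret, timestamp, body)), []byte(got)) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	// Constructed request values; the signature is made without any secret.
	ts, body := "1700000000", "token=x&command=/deploy"
	unsigned := sign("", ts, body)
	fmt.Println("no precondition, empty secret:", verifyNoPrecondition("", ts, body, unsigned))
	fmt.Println("with precondition, empty secret:", verify("", ts, body, unsigned))
	fmt.Println("with precondition, real secret:", verify("constructed-secret", ts, body, unsigned))
}
```

A startup check that refuses to run with an empty signing secret catches the same misconfiguration before any request arrives.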

Dependencies

  • github.com/slack-go/slack 0.23.0 → 0.23.1
  • github.com/google/go-containerregistry 0.20.7 → 0.21.6
  • github.com/bufbuild/buf 1.55.1 → 1.69.0
  • Removed: github.com/docker/docker
  • Added (indirect, via upstream upgrades): github.com/moby/moby/api, github.com/moby/moby/client

Full changelog: v2.17.0...v2.17.1

v2.17.0

20 May 15:18
3005d55

Container -- passthrough now accepts user-supplied labels under any namespace except the reserved dewy. prefix, unblocking integrations like Traefik's Docker provider. Follow-ups close several bypass routes that surfaced during review, and the auto-label workflow now functions for PRs from external forks.

CLI flags, config formats, on-disk layout, cache keys, and registry scheme strings are all unchanged.

Features

  • User labels in the container command: -l / --label are no longer rejected outright. Any label is accepted unless it starts with the reserved dewy. prefix, which Dewy uses for managed-container discovery. This enables hand-off to label-driven tooling such as Traefik's Docker provider. (#441)

Hardening (#453)

  • --label-file is now forbidden — its file contents would otherwise bypass the dewy. prefix check.
  • Short-flag detection now rejects bundled boolean forms (-dit) and value-attached forms (-p8080:80), in addition to the standalone (-d) and equals (-d=true) forms previously caught.
  • The concatenated label short form (-ldewy.foo=bar) is also caught by the reserved-prefix check.
  • The reserved-prefix error message now includes the offending label value.
  • auto-label.yml switched to pull_request_target so labeling works on PRs from external forks. GitHub strips GITHUB_TOKEN write permissions on pull_request for fork PRs regardless of the permissions: block. This workflow is safe under pull_request_target because it does not check out PR code.

Docs

  • README, reference (en/ja), and the container-command design doc now enumerate the full forbidden-option set (-d, -i, -t, -it, -p, --label-file, --privileged, --pid, --cap-add, --security-opt, --device, --userns, --cgroupns).

Thanks

Huge thanks to @RyoMasumura1201 for proposing and implementing the user-label support in #441, which is the headline change of this release.


Full changelog: v2.16.0...v2.17.0

v2.16.0

03 May 02:01
dff99a6

Comprehensive refactoring of the dewy core, plus a follow-up bug-fix pass and Go 1.26 syntax modernization.

CLI flags, config formats, on-disk layout, cache keys, and registry scheme strings are all unchanged.

Refactoring (no behavior change)

  • DI seam for time / env / exec — new internal/sysdeps package with Clock, Env, and CommandRunner interfaces (real + fake). registry.NewCached gains WithClock / WithEnv options. (#425, #436)
  • PortMapping consolidated into container.PortMapping; the dewy.PortMapping shim is gone. (#426)
  • Run() / RunContainer() decomposed into 5 testable phases each in lifecycle.go. The two entry points are now 25-line orchestrators with 12 new phase-level tests. (#428)
  • BackendCallback struct -> BackendUpdater interface with noopBackendUpdater for nil-safety. A new proxyBackendUpdater defined type adapts *Dewy with zero indirection. (#429)
  • Scheme constants centralized in internal/scheme; SlotMatcher extracted; registry.New / artifact.New switched to map-based factory dispatch. (#427)
  • File splits: dewy.go 1495 -> 313 lines (8 files), container/runtime.go 1181 -> 222 lines (5 files); inspect structs renamed to noun form (inspection, imageInspection); lifecycle.go chosen over phases.go. (#433, #435)
  • Magic numbers centralized in defaults.go (grace period, health-check timing, admin server timeouts) and container/defaults.go (startup grace, stop timeouts). (#432)
  • Dead code removed: GHR.DisableRecordShipping test flag (#430); cache.Consul/cache.Redis/cache.Memory stubs (#431).
  • Logger handoff tightened: logging.Logger.Slog() accessor replaces d.logger.Logger field accesses. (#431)

Bug fixes (#437)

  • /api/containers and /api/status now derive the dewy.app filter and reported name the same way the deploy path does, so they work when --name is omitted.
  • /api/containers no longer panics when hit before the first RunContainer tick has initialized d.containerRuntime.
  • extractRegistry now correctly handles localhost:5000/myimage (no tag) — previously fell back to docker.io and broke local-registry auth.
  • deployContainer reuses the runtime created by resolveContainerState instead of constructing a duplicate (login state was being lost between pull and deploy).
  • keepReleases sort comparator no longer violates strict weak ordering on DirEntry.Info() failure under concurrent deletion.

Modernization (#438)

  • go fix applied for Go 1.26 idioms: strings.Cut, range-over-int, built-in new(value) form.
  • Removed silently-ineffective ,omitempty from a time.Time field.

Other

  • A 9-PR refactoring sequence (#425–#436) merged through an integration branch with full CI green at every step. The corresponding commit-by-commit history is available below.

Full changelog: v2.15.0...v2.16.0

v2.15.0

02 May 09:33
0037670

What's Changed

Features

  • Shared cache backends for cross-instance artifact sharing — Point multiple Dewy instances at the same S3 or GCS bucket to deduplicate artifact downloads. The cloud bucket is the source of truth across nodes, while each instance keeps a local staging copy so that archive extraction works the same way as the file backend. Authentication reuses the credential chain already configured for S3/GCS registry sources. (#422)

    dewy server --registry ghr://owner/repo \
      --cache s3://ap-northeast-1/dewy-cache/myapp -- /opt/myapp/current/myapp

  • Cluster-wide registry result cache — Add ?registry-ttl=<duration> to the cache URL to also share the upstream registry response across instances. Only one instance per TTL window calls the upstream registry; the rest read the cached response from the shared cache via a single-flight refresh lock built on S3 If-Match / GCS ifGenerationMatch. On upstream failure the cache continues to serve the last known response (stale-but-usable). (#424)

    dewy server --registry ghr://owner/repo \
      --cache 's3://ap-northeast-1/dewy-cache/myapp?registry-ttl=30s' \
      -- /opt/myapp/current/myapp

  • cache package replaces kvs — The package has always been used as a cache; the type and package names now align with how callers think about and reference them. (#424)

Fixes

  • Use nanosecond timestamps in audit asset filenames so multiple instances on the same host that complete deploys in the same second do not collide on shipped_to_<host>_<command>_at_<timestamp>.txt. (#422)
  • Fix deploy logic so that when the artifact is already in the shared cache, instances reuse it instead of redownloading from upstream. (#422)
  • Reduce E2E log noise on success: podman container verify no longer dumps the dewy log when all checks pass, and Create release no longer echoes the release URL on success. (#423)
  • Return a clearer "planned but not yet implemented" error from cache.New when an operator passes a consul://, redis://, or memory:// URL. (#424)

Dependencies

  • build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.5 to 1.41.7
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 to 1.100.0
  • build(deps): bump cloud.google.com/go/storage from 1.61.3 to 1.62.1
  • build(deps): bump github.com/slack-go/slack from 0.22.0 to 0.23.0
  • build(deps): bump next from 16.2.3 to 16.2.4 in /docs
  • build(deps): bump autoprefixer from 10.4.27 to 10.5.0 in /docs
  • build(deps): bump @docsearch/css and @docsearch/react from 4.6.2 to 4.6.3 in /docs
  • build(deps-dev): bump typescript from 6.0.2 to 6.0.3 in /docs

Full Changelog: v2.14.1...v2.15.0

v2.14.1

21 Apr 22:54
6aee680

What's Changed

Security

  • Bump OpenTelemetry packages to v1.43.0 / v0.65.0 to address CVE-2026-39883 (PATH hijacking via BSD kenv in otel/sdk host_id detector)
  • build(deps): bump github.com/go-jose/go-jose/v4 (security)

Community

  • Add SECURITY.md and CONTRIBUTING.md

Fixes

  • Fix flaky E2E tests by serializing all runs into a single concurrency group
  • Fix target: ES5 deprecation error for TypeScript 6 (/docs)
  • Fix moduleResolution deprecation error for TypeScript 6 (/docs)
  • Add type declaration for @docsearch/css to fix GitHub Pages build (/docs)

Dependencies

  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 to 1.98.0
  • build(deps): bump github.com/slack-go/slack to 0.21.0
  • build(deps): bump github.com/k1LoW/grpcstub to 0.26.3
  • build(deps): bump github.com/fatih/color to 1.19.0
  • build(deps): bump next to 16.2.3 in /docs
  • build(deps): bump react and react-dom to 19.2.5 in /docs
  • build(deps): bump mermaid to 11.14.0 in /docs
  • build(deps): bump @markdoc/markdoc to 0.5.7 in /docs
  • build(deps): bump @docsearch/react and @docsearch/css to 4.6.2 in /docs
  • build(deps-dev): bump @types/node to 25.6.0 in /docs

Full Changelog: v2.14.0...v2.14.1

v2.14.0

30 Mar 14:01
a3ae0a8

What's Changed

  • refactor: delegate OCI artifact pull to container.Runtime.Pull by @linyows in #389
  • refactor: extract container orchestration into container package by @linyows in #390

Full Changelog: v2.13.0...v2.14.0

v2.13.0

30 Mar 06:30
7b8585a

Bug Fixes

  • fix: support podman runtime for container image pulling by @linyows in #388

Refactoring

  • refactor: move E2E test files from testdata/ to e2e/ by @linyows in #386

Dependency Updates

  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.4 to 1.97.1 by @dependabot[bot] in #374
  • build(deps): bump google.golang.org/api from 0.271.0 to 0.272.0 by @dependabot[bot] in #375
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.11 to 1.32.12 by @dependabot[bot] in #376
  • build(deps): bump cloud.google.com/go/storage from 1.60.0 to 1.61.3 by @dependabot[bot] in #378

Full Changelog: v2.12.0...v2.13.0

v2.12.0

29 Mar 00:49
18fb310

Bug Fixes

  • fix: normalize Docker Hub hostname for OCI tag listing by @linyows in #385

Security Fixes

  • build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 in the go_modules group across 1 directory by @dependabot[bot] in #381

Dependency Updates for Docs

  • build(deps): bump @markdoc/markdoc from 0.5.5 to 0.5.6 in /docs by @dependabot[bot] in #380
  • build(deps-dev): bump @types/node from 25.4.0 to 25.5.0 in /docs by @dependabot[bot] in #379
  • build(deps-dev): bump typescript from 5.9.3 to 6.0.2 in /docs by @dependabot[bot] in #384
  • build(deps): bump next from 16.1.6 to 16.2.1 in /docs by @dependabot[bot] in #383

Full Changelog: v2.11.0...v2.12.0

v2.11.0

14 Mar 07:00
64b7e0e

Features

  • Support thread notification for Slack by @linyows in #372
  • Update E2E, restrict reply_broadcast, and improve notifier abstraction by @linyows in #373

Full Changelog: v2.10.0...v2.11.0

v2.10.0

12 Mar 14:41
3aa8864

Features

  • feat: add OpenTelemetry-based telemetry for container mode by @linyows in #371

Documents

  • docs: add chat:write.customize to required Slack OAuth scopes by @linyows in #362

Dependencies

  • build(deps): bump github.com/docker/cli from 29.2.0-rc.1.0.20251223174200-874b831c0e49+incompatible to 29.2.0+incompatible in the go_modules group across 1 directory by @dependabot[bot] in #361
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.2 to 1.96.4 by @dependabot[bot] in #363
  • build(deps): bump mermaid from 11.12.3 to 11.13.0 in /docs by @dependabot[bot] in #370
  • build(deps): bump @markdoc/markdoc from 0.5.4 to 0.5.5 in /docs by @dependabot[bot] in #369
  • build(deps-dev): bump @types/node from 25.3.3 to 25.4.0 in /docs by @dependabot[bot] in #368
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.10 to 1.32.11 by @dependabot[bot] in #364
  • build(deps): bump google.golang.org/api from 0.269.0 to 0.270.0 by @dependabot[bot] in #366

Full Changelog: v2.9.0...v2.10.0