v1.7.3

  less than a minute  

Date: May 9, 2026

Breaking changes

Security updates

  • Bumped golang to 1.25.10 for including latest security fixes.
  • Bumped google.golang.org/grpc to v1.79.3 to address CVE-2026-33186 (Critical, gRPC-Go authorization bypass via non-canonical HTTP/2 :path header).
  • Bumped go.opentelemetry.io/otel/sdk to v1.40.0 to address CVE-2026-24051 (High, OpenTelemetry Go SDK path hijacking on macOS/Darwin).

New features

Bug fixes

  • Fixed a control plane panic caused by concurrent Status mutation racing with the watchable Map coalesce goroutine.
  • Fixed ws and wss Backend appProtocols to force HTTP/1.1 upstream connections instead of negotiating HTTP/2, avoiding compatibility issues with WebSocket backends that do not support RFC 8441 extended CONNECT.
  • Fixed status conditions not being updated when a route is rejected due to multiple errors.
  • Fixed benchmark JSON report emitting 0 for p99 and p999 percentiles by using the nearest Nighthawk histogram percentiles.
  • Fixed active HTTP health checks to use Backend endpoint hostnames before falling back to the effective Route hostname.

Performance improvements

Other changes


Last modified May 13, 2026: build(deps): bump npm-check-updates from 22.1.0 to 22.2.0 in /site (#8972) (c0aeb21)