This is a patch release on top of v0.14.0.

🐛 Bug fixes

• Frontend image: restore /tmp on the published copacetic-frontend image. v0.14.0's FROM scratch rootfs caused every patch run via the BuildKit frontend to fail with stat /tmp: no such file or directory. Switched to gcr.io/distroless/static-debian12:nonroot plus a defense-in-depth ensureTempDir(). E2E now builds the real frontend.Dockerfile so this regression class cannot recur. (#1597)
• Preserve original manifest annotations on patched images. Same-tag patches silently dropped org.opencontainers.image.{source,revision,version,title}. Now captured pre-patch and forwarded to both single-platform and multi-platform export paths, with image.version rewritten consistently. (#1605)

📚 Docs

• Document current app-level patching limitation re: private registries. (#1595)
• Generate v0.14.x docs snapshot. (#1590)

✨ Features

• Go binary patching — patch vulnerable Go binaries by rebuilding from source with updated stdlib/deps (#1388)
• Arch Linux support — pacman package manager (#1467)
• RPM chroot-based patching — patch RPM images that are missing a package manager (#1473)
• Python virtual environment patching — support venv-based site-packages via PkgPath (#1485)
• Bulk patching improvements — skip detection and cross-registry support (#1475)
• Test environment utilities for BuildKit integration tests (#1399)
• Demo recordings + asciinema player added to the website (#1453)
• Patch summary output showing total/patched/skipped vulnerabilities (#1517)
• Fallback source resolution for Go binary patching on stripped/distroless images (#1546)

🔒 Security hardening

• Bump otel/sdk to fix CVE-2026-24051 (#1483)
• Validate RPM package names before distroless shell execution (#1541)
• Validate RPM package names in dnf chroot path (#1529)
• Validate Node.js npm tarballs before extraction (#1533)
• Prevent Node.js shell injection via untrusted package paths (#1538)
• Validate .NET deps.json script inputs to prevent command injection (#1537)
• Prevent Go module flag injection via leading-dash names (#1526)
• Prevent tag-based command injection in release workflow (#1535)
• Codebase audit hardening (#1507)
• Prevent apt option injection from distroless package names (#1540)
• Cap buffered patch layer size to mitigate memory DoS (#1543)
• Block self-hosted build workflow jobs on forked PRs (#1539)
• Replace label-gated trusted-fork workflow with native fork PR approval (#1582, supersedes #1572, #1573)
• Reject whitespace/control chars in Go binary path validation (#1586)

🐛 Bug fixes

• VEX: use installed version in PURLs and add distro qualifier for BOM-VEX correlation (#1552)
• Avoid masking package manager failures as no-updates (#1530)
• Restore strict multi-platform failure behavior when ignore-errors=false (#1532)
• Suppress NU1605 in generated patch.csproj for .NET (#1557)
• Filter App.Runtime images in .NET patching (#1501)
• Replace npm install with direct tarball replacement (#1479)
• Resolve TUI freeze and CLI deadlock on early build errors (#1505)
• Close progress channel when no platforms need patching (#1528)
• Migrate docker/docker to moby/moby/client (#1525)
• Go patching log levels (#1516)
• Keep frontend.Dockerfile Go version aligned with go.mod and harden release pipeline (#1571)

⬆️ Dependency upgrades

• BuildKit 0.28.1 (#1512)
• Trivy v0.69.3 + OpenTelemetry-Go v1.43.0 (#1558)
• google.golang.org/grpc 1.78.0 → 1.79.3 (#1480, #1502)
• github.com/quay/claircore 1.5.45 → 1.5.52 (#1442, #1464, #1518)
• github.com/google/go-containerregistry 0.20.7 → 0.21.3 (#1520)
• k8s.io/apimachinery 0.35.0 → 0.35.2 (#1470, #1487)
• testcontainers-go 0.38.0 → 0.40.0 (#1438)
• Plus dependabot bumps for dependency groups across the project

🧹 Internal / CI

• Refactor: structured rebuildFailure replaces rebuildErrors []string in langmgr (#1560)
• Stabilize CI — golangci-lint alignment, deterministic tests, network retries (#1477)
• Pin BuildKit version and set explicit DNS for podman/container env (#1563)
• Pin scanner-plugin-template dependency in build workflow (#1544)

📚 Docs

• Improve buildkit-frontend examples (#1498)
• Generate v0.13.x docs (#1437)
• Remove Microsoft support policy section from SUPPORT.md (#1455)
• Update website footer to LF Projects Series LLC trademark disclaimer (#1566)
• add Verity to Copa CLI adopters (#1583)

v0.14.0-rc.2

⚠️ Pre-release.

🆕 Changes since v0.14.0-rc.1

✨ Features

• Patch summary output showing total/patched/skipped vulnerabilities (#1517)
• Fallback source resolution for Go binary patching on stripped/distroless images (#1546)

🔒 Security hardening

• Prevent apt option injection from distroless package names (#1540)
• Cap buffered patch layer size to mitigate memory DoS (#1543)
• Block self-hosted build workflow jobs on forked PRs (#1539)
• Replace label-gated trusted-fork workflow with native fork PR approval (#1582, supersedes #1572, #1573)

🐛 Fixes

• Keep frontend.Dockerfile Go version aligned with go.mod and harden release pipeline (#1571)

📚 Docs

• Update website footer to LF Projects Series LLC trademark disclaimer (#1566)

Diff since rc.1: v0.14.0-rc.1...v0.14.0-rc.2

⚠️ Pre-release.

✨ Features

• Go binary patching — patch vulnerable Go binaries by rebuilding from source with updated stdlib/deps (#1388)
• Arch Linux support — pacman package manager (#1467)
• RPM chroot-based patching — patch RPM images that are missing a package manager (#1473)
• Python virtual environment patching — support venv-based site-packages via PkgPath (#1485)
• Bulk patching improvements — skip detection and cross-registry support (#1475)
• Test environment utilities for BuildKit integration tests (#1399)
• Demo recordings + asciinema player added to the website (#1453)

🔒 Security hardening

• Bump otel/sdk to fix CVE-2026-24051 (#1483)
• Validate RPM package names before distroless shell execution (#1541)
• Validate RPM package names in dnf chroot path (#1529)
• Validate Node.js npm tarballs before extraction (#1533)
• Prevent Node.js shell injection via untrusted package paths (#1538)
• Validate .NET deps.json script inputs to prevent command injection (#1537)
• Prevent Go module flag injection via leading-dash names (#1526)
• Prevent tag-based command injection in release workflow (#1535)
• Codebase audit hardening (#1507)

🐛 Bug fixes

• VEX: use installed version in PURLs and add distro qualifier for BOM-VEX correlation (#1552)
• Avoid masking package manager failures as no-updates (#1530)
• Restore strict multi-platform failure behavior when ignore-errors=false (#1532)
• Suppress NU1605 in generated patch.csproj for .NET (#1557)
• Filter App.Runtime images in .NET patching (#1501)
• Replace npm install with direct tarball replacement (#1479)
• Resolve TUI freeze and CLI deadlock on early build errors (#1505)
• Close progress channel when no platforms need patching (#1528)
• Migrate docker/docker to moby/moby/client (#1525)
• Go patching log levels (#1516)

⬆️ Dependency upgrades

• BuildKit 0.28.1 (#1512)
• Trivy v0.69.3 + OpenTelemetry-Go v1.43.0 (#1558)
• google.golang.org/grpc 1.78.0 → 1.79.3 (#1480, #1502)
• github.com/quay/claircore 1.5.45 → 1.5.52 (#1442, #1464, #1518)
• github.com/google/go-containerregistry 0.20.7 → 0.21.3 (#1520)
• k8s.io/apimachinery 0.35.0 → 0.35.2 (#1470, #1487)
• testcontainers-go 0.38.0 → 0.40.0 (#1438)
• Plus dependabot bumps for dependency groups across the project

🧹 Internal / CI

• Refactor: structured rebuildFailure replaces rebuildErrors []string in langmgr (#1560)
• Stabilize CI — golangci-lint alignment, deterministic tests, network retries (#1477)
• Pin BuildKit version and set explicit DNS for podman/container env (#1563)
• Pin scanner-plugin-template dependency in build workflow (#1544)

📚 Docs

• Improve buildkit-frontend examples (#1498)
• Generate v0.13.x docs (#1437)
• Remove Microsoft support policy section from SUPPORT.md (#1455)

Full changelog: v0.13.0...v0.14.0-rc.1

v0.14.0-rc.1

⚠️ Pre-release.

✨ Features

• Go binary patching — patch vulnerable Go binaries by rebuilding from source with updated stdlib/deps (#1388)
• Arch Linux support — pacman package manager (#1467)
• RPM chroot-based patching — patch RPM images that are missing a package manager (#1473)
• Python virtual environment patching — support venv-based site-packages via PkgPath (#1485)
• Bulk patching improvements — skip detection and cross-registry support (#1475)
• Test environment utilities for BuildKit integration tests (#1399)
• Demo recordings + asciinema player added to the website (#1453)

🔒 Security hardening

• Bump otel/sdk to fix CVE-2026-24051 (#1483)
• Validate RPM package names before distroless shell execution (#1541)
• Validate RPM package names in dnf chroot path (#1529)
• Validate Node.js npm tarballs before extraction (#1533)
• Prevent Node.js shell injection via untrusted package paths (#1538)
• Validate .NET deps.json script inputs to prevent command injection (#1537)
• Prevent Go module flag injection via leading-dash names (#1526)
• Prevent tag-based command injection in release workflow (#1535)
• Codebase audit hardening (#1507)

🐛 Bug fixes

• VEX: use installed version in PURLs and add distro qualifier for BOM-VEX correlation (#1552)
• Avoid masking package manager failures as no-updates (#1530)
• Restore strict multi-platform failure behavior when ignore-errors=false (#1532)
• Suppress NU1605 in generated patch.csproj for .NET (#1557)
• Filter App.Runtime images in .NET patching (#1501)
• Replace npm install with direct tarball replacement (#1479)
• Resolve TUI freeze and CLI deadlock on early build errors (#1505)
• Close progress channel when no platforms need patching (#1528)
• Migrate docker/docker to moby/moby/client (#1525)
• Go patching log levels (#1516)

⬆️ Dependency upgrades

• BuildKit 0.28.1 (#1512)
• Trivy v0.69.3 + OpenTelemetry-Go v1.43.0 (#1558)
• google.golang.org/grpc 1.78.0 → 1.79.3 (#1480, #1502)
• github.com/quay/claircore 1.5.45 → 1.5.52 (#1442, #1464, #1518)
• github.com/google/go-containerregistry 0.20.7 → 0.21.3 (#1520)
• k8s.io/apimachinery 0.35.0 → 0.35.2 (#1470, #1487)
• testcontainers-go 0.38.0 → 0.40.0 (#1438)
• Plus dependabot bumps for dependency groups across the project

🧹 Internal / CI

• Refactor: structured rebuildFailure replaces rebuildErrors []string in langmgr (#1560)
• Stabilize CI — golangci-lint alignment, deterministic tests, network retries (#1477)
• Pin BuildKit version and set explicit DNS for podman/container env (#1563)
• Pin scanner-plugin-template dependency in build workflow (#1544)

📚 Docs

• Improve buildkit-frontend examples (#1498)
• Generate v0.13.x docs (#1437)
• Remove Microsoft support policy section from SUPPORT.md (#1455)

Full changelog: v0.13.0...v0.14.0-rc.1

Notable Changes

• ⚙️ Can now use Copa as a Buildkit front end
• 🚚 Bulk Image Patching to patch multiple images from a single declarative config!
• 🧩 .NET app-level patching
• 🦎 SUSE distro support

Changelog

• 28c466e feat: add support to SUSE and openSUSE distros with Zypper (#1294)
• 358b2a9 build: update Go base image to 1.25.5-alpine3.23 (#1432)
• babc08e chore: bump github.com/charmbracelet/lipgloss from 0.7.1 to 0.13.1 (#1435)
• e07a778 chore: bump google.golang.org/grpc from 1.77.0 to 1.78.0 (#1434)
• bbb2395 chore: bump qs from 6.14.0 to 6.14.1 in /website (#1431)
• 92d26c1 docs: Revert "docs: add distroless images support documentation" (#1433)
• 95008df docs: add distroless images support documentation (#1430)
• 9697ce8 chore: bump the all group across 1 directory with 7 updates (#1429)
• 153bd4d docs: update link for trivy installation guide (#1426)
• 5c04112 chore: bump k8s.io/apimachinery from 0.34.3 to 0.35.0 (#1427)
• b4d40f4 chore: bump golang.org/x/term from 0.37.0 to 0.38.0 (#1416)
• 5d9a56a feat: Bulk Image Patching (#1235)
• 509008e fix: add registry authentication for platform discovery (#1420)
• 3747056 chore: bump github.com/moby/buildkit from 0.26.2 to 0.26.3 (#1422)
• 71e55d9 feat: improve tui (#1421)
• 1faa7b9 feat: .NET app-level patching (#1106)
• d715e29 chore: bump the all group with 4 updates (#1418)
• e398be5 chore: bump the all group in /website with 2 updates (#1417)
• 8a72242 chore: bump k8s.io/apimachinery from 0.34.2 to 0.34.3 (#1415)
• 1db23ce chore: bump github.com/moby/buildkit from 0.25.2 to 0.26.2 (#1413)
• 41db4e7 chore: bump the all group across 1 directory with 9 updates (#1412)
• a9dbb76 chore: bump the all group in /website with 2 updates (#1410)
• 6e9ca5a chore: bump github.com/spf13/cobra from 1.10.1 to 1.10.2 (#1407)
• e5edca3 chore: bump mdast-util-to-hast from 13.1.0 to 13.2.1 in /website (#1404)
• 83ba211 fix: exit successfully and fix status for up to date images (#1378)
• aa1b163 chore: bump express from 4.21.2 to 4.22.1 in /website (#1403)
• 71f7c30 chore: bump the all group across 1 directory with 9 updates (#1401)
• b2a2000 chore: bump node-forge from 1.3.1 to 1.3.2 in /website (#1400)
• f03e750 feat: add buildkit frontend (#1221)
• fe9c036 chore: bump google.golang.org/grpc from 1.76.0 to 1.77.0 (#1394)
• b852a63 fix: multi-platform url from docker when patching (#1393)
• beeca06 fix: update test images for CVE fixes (#1398)
• 0301e4f docs: add multi-platform patch summary (#1392)
• c17bd47 chore: bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#1389)
• 44ef770 chore: bump the all group with 2 updates (#1385)
• 0a3c3e0 chore: bump @tsconfig/docusaurus from 2.0.5 to 2.0.7 in /website in the all group (#1384)
• bf7e156 chore: bump golang.org/x/term from 0.36.0 to 0.37.0 (#1381)
• 8941fbd chore: bump k8s.io/apimachinery from 0.34.1 to 0.34.2 (#1380)
• 3c518cc fix: Node.js patching introduces new vulnerabilities through transitive dependencies (#1379)
• b611800 chore: bump github.com/docker/docker from 28.5.1+incompatible to 28.5.2+incompatible (#1372)
• df8d3d6 chore: bump github.com/moby/buildkit from 0.25.1 to 0.25.2 (#1376)
• 04fdf4c chore: bump golang.org/x/sync from 0.17.0 to 0.18.0 (#1375)
• 5b60b0e chore: bump github.com/docker/cli from 28.5.1+incompatible to 28.5.2+incompatible (#1374)
• 6536384 chore: bump github.com/containerd/platforms from 1.0.0-rc.1 to 1.0.0-rc.2 (#1373)
• c801779 chore: bump the all group with 3 updates (#1371)
• 565da19 chore: bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#1370)
• d00d085 chore: bump github/codeql-action from 4.31.0 to 4.31.2 in the all group (#1368)
• 8925da4 chore: Generate v0.12.x docs (#1362)
• d488649 chore: bump @tsconfig/docusaurus from 2.0.4 to 2.0.5 in /website in the all group (#1367)
• 5d2dcb4 fix: version validation scripts for release tagging (#1364)
• 0c86ad6 fix: Non Zero Exit code for no upgradable packages causes build fail (#1274)
• 599e0ac fix: Trivy fails with "invalid tar header" when scanning Copa-patched images (#1359)
• b742077 chore: bump github.com/quay/claircore from 1.5.44 to 1.5.45 (#1357)
• 4bee93a chore: bump the all group with 4 updates (#1356)
• d48007a fix: platform filtering (#1354)
• eb4f9e4 fix: handle missing OS field in Trivy report (#1353)
• da2b414 docs: fix eol admonition title (#1351)
• b96894f docs: enhance release process documentation (#1350)
• 7a3dc8e chore: bump the all group with 4 updates (#1347)
• afbaee7 chore: bump the all group in /website with 3 updates (#1348)

Notable Changes

• 🧩 Experimental App-level Patching: Now supports Python and Node.js applications!
• 🐳 Docker Build Integration: Use the new generate command to patch images. This provides support for any Docker CLI flags.
• 📁 Local Output for Multi-Platform Patching: Added support for the --oci-dir flag to store patched artifacts locally when performing multi-platform patching.
• 🛠️ Enhanced End-of-Life (EOL) Checks: Improved support through --exit-on-eol and --eol-api-url flags for customizable EOL validation.

Changelog

• 5b7b435 chore: cherry pick fixes for v0.12.0 and final release (#1366)
• 3efb1aa chore: cherry pick fixes for v0.12.0 rc3 (#1360)
• 134fbc1 chore: cherry pick fixes for v0.12.0 rc2 (#1355)

Notable Changes

• 🧩 Experimental App-level Patching: Now supports Python and Node.js applications!
• 🐳 Docker Build Integration: Use the new generate command to patch images. This provides support for any Docker CLI flags.
• 📁 Local Output for Multi-Platform Patching: Added support for the --oci-dir flag to store patched artifacts locally when performing multi-platform patching.
• 🛠️ Enhanced End-of-Life (EOL) Checks: Improved support through --exit-on-eol and --eol-api-url flags for customizable EOL validation.

Changelog

• 74d57ca Merge branch 'release-0.12' of github.com:project-copacetic/copacetic into release-0.12
• 3efb1aa chore: cherry pick fixes for v0.12.0 rc3 (#1360)

Notable Changes

• 🧩 Experimental App-level Patching: Now supports Python and Node.js applications!
• 🐳 Docker Build Integration: Use the new generate command to patch images. This provides support for any Docker CLI flags.
• 📁 Local Output for Multi-Platform Patching: Added support for the --oci-dir flag to store patched artifacts locally when performing multi-platform patching.
• 🛠️ Enhanced End-of-Life (EOL) Checks: Improved support through --exit-on-eol and --eol-api-url flags for customizable EOL validation.

Changelog

• 6aba8cd Merge branch 'release-0.12' of github.com:project-copacetic/copacetic into release-0.12
• 134fbc1 chore: cherry pick fixes for v0.12.0 rc2 (#1355)
• 17017ff fix: handle missing OS field in Trivy report (#1353)
• c70a108 fix: platform filtering (#1354)

Notable Changes

• 🧩 Experimental App-level Patching: Now supports Python and Node.js applications!
• 🐳 Docker Build Integration: Use the new generate command to patch images. This provides support for any Docker CLI flags.
• 📁 Local Output for Multi-Platform Patching: Added support for the --oci-dir flag to store patched artifacts locally when performing multi-platform patching.
• 🛠️ Enhanced End-of-Life (EOL) Checks: Improved support through --exit-on-eol and --eol-api-url flags for customizable EOL validation.

New Contributors

• @acortelyou made their first contribution in #1253
• @Mossaka made their first contribution in #1276
• @yashgoyal0110 made their first contribution in #1324
• @koksay made their first contribution in #1334

Changelog

• ff6330d fix: add version validation and improve release workflow (#1346)
• 757401a feat: add nodejs patching (#1090)
• e7023b4 chore: Implement automatic release branch creation in GitHub workflow (#1207)
• 156b24f fix: multiplatform emulation failure (#1279)
• 6638dd2 chore: bump google.golang.org/grpc from 1.75.1 to 1.76.0 (#1341)
• 4c8ee71 chore: bump github.com/aquasecurity/trivy from 0.66.0 to 0.67.2 (#1340)
• f9144f3 chore: bump github.com/docker/docker from 28.5.0+incompatible to 28.5.1+incompatible (#1339)
• 926b6b7 chore: bump github.com/docker/cli from 28.4.0+incompatible to 28.5.1+incompatible (#1338)
• 4ec04b5 fix: Inaccurate message for multi-platform patching (#1325)
• 7d33062 feat: group dependabot upgrades (#1335)
• 8999d0d chore: bump the all group with 2 updates (#1337)
• 2b547e6 chore: bump golang.org/x/term from 0.35.0 to 0.36.0 (#1336)
• 485f816 chore: bump github.com/moby/buildkit from 0.24.0 to 0.25.0 (#1330)
• 2667594 chore: bump github.com/docker/docker from 28.4.0+incompatible to 28.5.0+incompatible (#1328)
• ecf0d97 chore(ci): update github runners to oci gh arc runners (#1334)
• ea08432 chore: bump the all group across 1 directory with 6 updates (#1333)
• 19cdcd0 feat: cli hint for renabling emulation (#1324)
• 74171f2 feat: Extend multi platform support for local patching (rebased) (#1321)
• 13198fb feat: add generate command (#1212)
• 8cb4a5c feat: full image references support with --tag (#1322)
• af8b72e chore: bump the all group in /website with 5 updates (#1329)
• ea88e8e chore: bump github.com/quay/claircore from 1.5.43 to 1.5.44 (#1326)
• 02ea0f4 feat: Implement EOL reporting improvements: retry logic, configurable URL, and exit-on-EOL flag (#1247)
• a28f98b chore: bump github.com/openvex/go-vex from 0.2.5 to 0.2.7 (#1312)
• 9393394 chore: bump the all group in /website with 3 updates (#1317)
• 2ec64de chore: bump github.com/quay/claircore from 1.5.39 to 1.5.42 (#1311)
• 41342e7 chore: bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1310)
• 466a2df chore: bump google.golang.org/grpc from 1.75.0 to 1.75.1 (#1313)
• 9c85335 chore: bump the all group with 4 updates (#1318)
• 1190f66 feat: langmgr and python (#1091)
• 4f51759 chore: bump k8s.io/apimachinery from 0.34.0 to 0.34.1 (#1309)
• 0eae577 fix: get platform for rpm tooling image (#1275)
• 3c2c6f6 chore: update openvex dependency to v0.2.6 (#1308)
• b67603e chore: bump github.com/spf13/viper from 1.20.1 to 1.21.0 (#1300)
• 6e81904 chore: remove ignore errors for cbl mariner imgs and ignore CVE-2025-3576 (#1306)
• ad024a8 docs: update tsg with lower than required error (#1307)
• 86abb23 chore: bump the all group across 1 directory with 3 updates (#1305)
• dc0d96e chore: bump github.com/stretchr/testify from 1.11.0 to 1.11.1 (#1298)
• 6365768 chore: bump golang.org/x/sync from 0.16.0 to 0.17.0 (#1296)
• c89ff08 chore: bump github.com/docker/cli from 28.3.3+incompatible to 28.4.0+incompatible (#1297)
• a437373 fix: update ignoreErrors to true for Mariner images (#1304)
• f6ef287 docs: modify release docs for more accurate flow (#1250)
• 1a36a9c fix: add fallback for baseImage not found (#1280)
• a8f6e48 fix: create new context for local descriptor lookup (#1295)
• 655f33f chore: bump the all group with 7 updates (#1292)
• 1133081 chore: bump k8s.io/apimachinery from 0.33.4 to 0.34.0 (#1291)
• a69f6a4 chore: bump github.com/docker/docker from 28.3.3+incompatible to 28.4.0+incompatible (#1290)
• 8eb0b06 chore: bump the all group in /website with 2 updates (#1289)
• e69acc6 chore: bump github.com/aquasecurity/trivy from 0.65.0 to 0.66.0 (#1288)
• a7a93f0 chore: bump github.com/docker/buildx from 0.25.0 to 0.28.0 (#1286)
• 0f5ac8e docs: add --image-src to trivy (#1282)
• 3974d9c test: add more unit tests to bump up the test coverage (#1278)
• f706c91 test: Daily Test Coverage Improver: Add comprehensive tests for pkg/types and pkg/utils (#1276)
• bd2116c chore: bump the all group with 2 updates (#1270)
• b87f7b3 chore: bump google.golang.org/grpc from 1.74.2 to 1.75.0 (#1269)
• c631581 chore: bump github.com/stretchr/testify from 1.10.0 to 1.11.0 (#1267)
• 84ba0de ci: add copilot instructions (#1225)
• 6ab6bc4 chore: bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 (#1264)
• 3b53ec4 chore: bump the all group across 1 directory with 2 updates (#1261)
• 9969375 chore: bump k8s.io/apimachinery from 0.33.3 to 0.33.4 (#1259)
• 825451c feat: add gotestsum to workflows (#1257)
• 32d19f4 fix: unit test bug for mac env (#1234)
• 3f1821a chore: bump the all group across 1 directory with 6 updates (#1258)
• e61b53e fix: make GetUniqueLatestUpdates deterministic (#1253)
• 81171db fix: debian tooling image missing platforms (#1256)

Full Changelog: v0.11.1...v0.12.0-rc.1

Changelog

• 9082d32 fix: os version format in tdnf install (#1215)
• e18304c feat: Add Parsable format for buildkit progress output within Copa (#1238)
• fb6b525 chore: bump docker/login-action from 3.4.0 to 3.5.0 in the all group across 1 directory (#1245)
• 526f809 chore: bump github.com/aquasecurity/trivy from 0.64.1 to 0.65.0 (#1244)
• 31af111 chore: bump github.com/docker/cli from 28.3.2+incompatible to 28.3.3+incompatible (#1242)
• 782572f chore: bump typescript from 5.8.3 to 5.9.2 in /website in the all group (#1241)
• 228dd2f chore: bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#1240)
• e5d2748 feat: modularize patching logic (#1228)
• 9b5f0f6 ci: Fix osv-scanner config: replace [[ignore]] with [[IgnoredVulns]] (#1214)
• cb40f84 fix: Get host platform info in single arch integration test (#1197)
• 0943c57 fix: Add actionable logs and improve UX after buildkit endpoint checks are exhausted (#1186)
• 877400f chore: bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible (#1233)
• ae3792d chore: bump the all group in /website with 3 updates (#1231)
• 4f133cf chore: bump google.golang.org/grpc from 1.73.0 to 1.74.2 (#1229)
• 0e8c868 chore: add robbie to codeowners (#1226)
• 36ac193 fix: add almalinux to pkgmanager os type check (#1220)
• 3ca6acf fix: set azurelinux base image tag (#1216)
• f2947d9 chore: bump k8s.io/apimachinery from 0.33.2 to 0.33.3 (#1217)
• 914ee38 chore: bump golang.org/x/sync from 0.15.0 to 0.16.0 (#1205)
• 928dac0 chore: bump github.com/docker/cli from 28.3.1+incompatible to 28.3.2+incompatible (#1204)
• abca618 chore: bump github.com/cpuguy83/go-docker from 0.3.1 to 0.4.0 (#1203)
• dbbd441 chore: bump github.com/docker/docker from 28.3.1+incompatible to 28.3.2+incompatible (#1202)
• 2faa1d4 chore: bump the all group across 1 directory with 3 updates (#1224)
• eedf86f chore: Exempt good first issues from getting stale (#1219)
• df90afb chore: remove fluentbit eol img from tests (#1222)
• 25e58fc fix: Fix landing page dark mode (#1210)
• 143697e fix: Remove excessive token permissions (#1172)
• c0aeadd feat: Add landing page to copa docs (#1206)
• d31d44d chore: bump dotenv from 17.0.1 to 17.2.0 in /website in the all group (#1201)
• 0c629d1 chore: add Robbie Cronin to maintainers (#1200)
• 7060ba6 docs: optimize docs (#1189)
• 3a9d207 feat: patch non-host alpine (#1194)
• 3ede94c feat: add riscv64 to validPlatforms (#1199)
• 514b0f6 chore: bump github.com/docker/cli from 28.3.0+incompatible to 28.3.1+incompatible (#1192)
• 3ed8125 chore: bump github.com/docker/docker from 28.3.0+incompatible to 28.3.1+incompatible (#1191)
• 27960c7 chore: bump github.com/aquasecurity/trivy from 0.64.0 to 0.64.1 (#1190)
• 03523bd docs: update tradeoffs section to reflect scanner independence (#818) (#888)
• b89e7be chore: Generate v0.11.x docs (#1182)
• b3ffe3a docs: add Devtron to adopters list (#1163)
• 529bf86 feat: Add stale bot (#1180)