What's Changed

• fix: enforce JWT alg/key-type binding in OIDC auth (CVE-2026-33322) by @8none1 in #32
• fix: require signature verification in Snowball extract handler (CVE-2026-40344) by @8none1 in #33

Full Changelog: RELEASE.2026-05-20T23-44-52Z...RELEASE.2026-06-04T00-54-11Z

What's Changed

• fix: use go mod tidy -e in check-gen to skip unresolvable packages by @sergiodj in #28
• fix: add timeouts to healing scripts to prevent CI hangs by @sergiodj in #29
• fix: reject path traversal in ReadMultiple msgpack body (CVE-2026-42600) by @8none1 in #27
• fix: require signature verification for query-string creds in unsigned-trailer uploads (CVE-2026-41145) by @8none1 in #26
• Fix CVE-2026-33814 by @sergiodj in #30

Full Changelog: RELEASE.2026-05-12T13-35-34Z...RELEASE.2026-05-20T23-44-52Z

What's Changed

• chore(deps): bump github.com/apache/thrift from 0.21.0 to 0.23.0 by @dependabot[bot] in #24
• chore(deps): bump github.com/prometheus/prometheus to v0.311.3 by @sergiodj in #25

New Contributors

• @sergiodj made their first contribution in #25

Full Changelog: RELEASE.2026-05-04T00-27-21Z...RELEASE.2026-05-12T13-35-34Z

What's Changed

• chore(deps): bump github.com/Azure/go-ntlmssp from 0.0.0-20221128193559-754e69321358 to 0.1.1 by @dependabot[bot] in #22
• fix: normalize LDAP auth errors and add per-IP rate limiting by @tdunlap607 in #18
• fix: guard SSE replication headers against injection (CVE-2026-34204) by @8none1 in #23

New Contributors

• @8none1 made their first contribution in #23

Full Changelog: RELEASE.2026-04-10T21-52-59Z...RELEASE.2026-05-04T00-27-21Z

What's Changed

• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in #19
• fix: bound CSV line reads in S3 Select parser by @tdunlap607 in #21
• chore(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 by @dependabot[bot] in #20

Full Changelog: RELEASE.2026-03-30T00-18-45Z...RELEASE.2026-04-10T21-52-59Z

What's Changed

• chore(deps): bump github.com/nats-io/nats-server/v2 from 2.11.12 to 2.11.15 by @dependabot[bot] in #17
• [StepSecurity] Apply security best practices by @stepsecurity-app[bot] in #13

Full Changelog: RELEASE.2026-03-23T00-17-11Z...RELEASE.2026-03-30T00-18-45Z

What's Changed

• chore(deps): bump google.golang.org/grpc from 1.72.0 to 1.79.3 by @dependabot[bot] in #14
• chore(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 by @dependabot[bot] in #15
• chore: go bump v1.25.8 by @tdunlap607 in #16

Full Changelog: RELEASE.2026-03-04T16-04-53Z...RELEASE.2026-03-23T00-17-11Z

What's Changed

• chore: initial emeritoss ci cleaning and dep bumps by @tdunlap607 in #4
• [StepSecurity] Apply security best practices by @stepsecurity-app[bot] in #5
• chore: rename Go module to github.com/chainguard-forks/minio by @tdunlap607 in #7
• chore: bump go directive and dependencies by @tdunlap607 in #8
• chore(deps): bump github.com/nats-io/nats-server/v2 from 2.11.1 to 2.11.12 by @dependabot[bot] in #10
• ci: add automated release workflow by @tdunlap607 in #9
• fix(ci): remove separate tag step from release workflow by @tdunlap607 in #12

New Contributors

• @tdunlap607 made their first contribution in #4
• @stepsecurity-app[bot] made their first contribution in #5
• @dependabot[bot] made their first contribution in #10

Full Changelog: https://github.com/chainguard-forks/minio/commits/RELEASE.2026-03-04T16-04-53Z