Releases · spiffe/spike

Added

Added more configuration options to SPIKE Nexus.
Updated documentation around security and production hardening.
Updated release instructions, added a series of tests to follow and cutting
a release only after all tests pass. These test are manual for now, but
can be automated later down the line.

Fixed a bug related to policies not recovering after a SPIKE Nexus crash.
Now, both secrets and policies recover without an issue.
Ensured that "in memory" mode works as expected, and we can create policies
and secrets.
Fixed inconsistencies in the audit log format.
Fixed NilPointer exception during certain shard creation paths.
Fixed regressions due to premature memory cleanup. Now the memory is cleaned
up when no longer needed (but not before).
Various bug fixes and improvements.

Moved some common reusable code to spike-sdk-go.
Various changes and improvements in SPIKE Go SDK.
The startup script does not initiate SPIKE Keepers if SPIKE is running in
"in memory" mode.
Renamed AuditCreated enum as AuditEntryCreated to specify its intention
better (i.e., it's not an creation of a an entity or a DAO, but rather it's
the start of an audit trail).
Improved spike policy commands with better UX and error handling.

Added cache invalidation headers to all API responses.
For added security, we strip symbols during the build process now.
Implemented better memory protection with cleaning up memory when no longer needed.
SPIKE Nexus and SPIKE Keepers use mlock to avoid memory swapping when possible.
Fixed CVE-2025-22872: golang.org/x/net vulnerable to Cross-site Scripting
Fixed CVE-2025-22870: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Below are the generated release notes of every commit since the last release cut:

Full Changelog: v0.3.24...v0.4.0