Flux | v2.8.8

Flux v2.8.8 released on 20-05-2026


Flux v2.8.8 is out now. It delivers security fixes and dependency hygiene—most notably an update to go-git v5.19.1 addressing CVE-2026-45571 and CVE-2026-45570 that affect source-controller and image-automation-controller—and a set of reliability and registry improvements across helm-controller and source-controller.

Read the full changelog on GitHub and follow the Upgrade Procedure for Flux v2.7+ for upgrade guidance: full changelog · Upgrade Procedure for Flux v2.7+

What’s in this release

  • go-git updated to v5.19.1 to address CVE-2026-45571 and CVE-2026-45570 (affects source-controller and image-automation-controller)
  • helm-controller v1.5.5: configurable HTTP timeout for artifact fetching, fix for unbounded memory growth in the Kubernetes client transport retry wrapper, stop force-applying non-CRD objects in a chart’s crds/ directory, fix Helm test failures for release names longer than 53 characters, and Helm moved back to upstream v4.2.0
  • source-controller v1.8.5 and image controllers: improved source reconciler path handling, support for Helm semver build-metadata in OCIRepository tags, support for GCP sovereign cloud artifact registries, and Kubernetes client dependencies upgraded to 1.36.1

Upgrade notes

  • No breaking changes are reported in the release notes; users are strongly encouraged to upgrade to pick up the CVE fixes and dependency updates—see the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from v2.6.
  • Component diffs are available in the full changelog; consult those links for component-level rollback guidance if you need to revert specific controllers: compare v2.8.7…v2.8.8

Share any feedback or reports of issues on the Flux GitHub discussions or issue trackers so others can benefit from your experience.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes