
build(deps): bump github.com/elastic/package-registry from 1.34.0 to 1.35.0 #16916

Merged
jsoriano merged 2 commits into main from dependabot/go_modules/github.com/elastic/package-registry-1.35.0
Jan 15, 2026

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Jan 9, 2026

Bumps github.com/elastic/package-registry from 1.34.0 to 1.35.0.

Release notes

Sourced from github.com/elastic/package-registry's releases.

v1.35.0

Breaking changes

  • Package registry container image runs by default as a non-root user (UID 1000). #1503

Bugfixes

Added

Deprecated

Known Issues

Changelog

Sourced from github.com/elastic/package-registry's changelog.

v1.35.0

Breaking changes

  • Package registry container image runs by default as a non-root user (UID 1000). #1503

Bugfixes

Added

Deprecated

Known Issues

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/elastic/package-registry](https://github.com/elastic/package-registry) from 1.34.0 to 1.35.0.
- [Release notes](https://github.com/elastic/package-registry/releases)
- [Changelog](https://github.com/elastic/package-registry/blob/main/CHANGELOG.md)
- [Commits](elastic/package-registry@v1.34.0...v1.35.0)

---
updated-dependencies:
- dependency-name: github.com/elastic/package-registry
  dependency-version: 1.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the automation label Jan 9, 2026
@dependabot dependabot bot requested a review from a team as a code owner January 9, 2026 13:36
@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Jan 9, 2026

🚀 Benchmarks report

Package mimecast 👍(7) 💚(0) 💔(4)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
| --- | --- | --- | --- | --- |
| ttp_url_logs | 16393.44 | 12195.12 | -4198.32 (-25.61%) | 💔 |
| archive_search_logs | 10416.67 | 6060.61 | -4356.06 (-41.82%) | 💔 |
| dlp_logs | 10869.57 | 8196.72 | -2672.85 (-24.59%) | 💔 |
| threat_intel_malware_grid | 6410.26 | 5154.64 | -1255.62 (-19.59%) | 💔 |

To see the full report comment with /test benchmark fullreport

@mrodm
Collaborator

mrodm commented Jan 13, 2026

qualys_vmdr error would be fixed by #16903

elastic_security error is also happening in the daily CI jobs: https://buildkite.com/elastic/integrations/builds/36334

@jsoriano
Member

Security builds deploying EPR fail, I think that is because they expect a package that is not readable anymore:
https://buildkite.com/elastic/appex-qa-stateful-security-prebuilt-rules-ftr-oom-testing/builds/450#019ba317-ed69-4786-9178-280b8c68a204/L233

[endpoint] package not found in registry

This package is copied to a GCP instance using scp:

https://github.com/elastic/qaf-tests/blob/06f792e526258dbfe738be1025a9691f7ee8f245/.buildkite/scripts/deploy-epr.sh#L202

Probably the copied package doesn't have enough permissions to be read by the non-root Package Registry instance (which is required since elastic/package-registry#1503).

The copied package is created by elastic-package, which creates the zip files with 0666 mode, so in principle it should be readable by all, though maybe scp is applying a more restrictive file mode on the destination file. We could try to fix this by adding the -p flag to scp in the affected pipelines, which should preserve the mode of the file. @pkoutsovasilis @elastic/ecosystem thoughts?

@lucabelluccini @nimarezainia this might also affect users who deploy their own Package Registry with custom packages, if these packages are not readable by all. I don't think there are many users affected, but it is probably worth adding a knowledge base entry. The symptom would be missing packages, and the solution would be to review the permissions of these packages, they should be readable by all.
Maybe we could also add release notes about this for future versions, in the context of air-gapped deployments (not sure where these notes would be). It is marked as breaking change in the package registry release, but this is likely not exposed to users of distribution images.

@mrodm
Collaborator

mrodm commented Jan 13, 2026

> Security builds deploying EPR fail, I think that is because they expect a package that is not readable anymore: https://buildkite.com/elastic/appex-qa-stateful-security-prebuilt-rules-ftr-oom-testing/builds/450#019ba317-ed69-4786-9178-280b8c68a204/L233
>
> [endpoint] package not found in registry
>
> This package is copied to a GCP instance using scp:
>
> https://github.com/elastic/qaf-tests/blob/06f792e526258dbfe738be1025a9691f7ee8f245/.buildkite/scripts/deploy-epr.sh#L202
>
> Probably the copied package doesn't have enough permissions to be read by the non-root Package Registry instance (which is required since elastic/package-registry#1503).
>
> The copied package is created by elastic-package, which creates the zip files with 0666 mode, so in principle it should be readable by all, though maybe scp is applying a more restrictive file mode on the destination file. We could try to fix this by adding the -p flag to scp in the affected pipelines, which should preserve the mode of the file. @pkoutsovasilis @elastic/ecosystem thoughts?
>
> @lucabelluccini @nimarezainia this might also affect users who deploy their own Package Registry with custom packages, if these packages are not readable by all. I don't think there are many users affected, but it is probably worth adding a knowledge base entry. The symptom would be missing packages, and the solution would be to review the permissions of these packages, they should be readable by all. Maybe we could also add release notes about this for future versions, in the context of air-gapped deployments (not sure where these notes would be). It is marked as breaking change in the package registry release, but this is likely not exposed to users of distribution images.

cc @maximpn

@pkoutsovasilis
Contributor

> The copied package is created by elastic-package, which creates the zip files with 0666 mode, so in principle it should be readable by all, though maybe scp is applying a more restrictive file mode on the destination file. We could try to fix this by adding the -p flag to scp in the affected pipelines, which should preserve the mode of the file. @pkoutsovasilis @elastic/ecosystem thoughts?

Hey @jsoriano, my thinking aligns with yours: if the files maintain the 0666 mode, there shouldn't be any issues while reading. That said, the change with USER 1000 in the package-registry was only about the uid; the group of the user still remains 0, if that helps.
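
The permission review discussed above can be scripted. This is an added example, not code from this thread or from elastic/package-registry; it assumes the UID 1000 / group 0 identity mentioned in the comments, and the function names `epr_unreadable` and `epr_make_readable` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the PR thread. Function names are hypothetical.
# Defaults assume the identity discussed above: UID 1000, group 0.
# Limits: mode bits only; ACLs, supplementary groups and the parent
# directories above DIR are not inspected.

# epr_unreadable DIR [UID] [GID]
# Prints every file or directory under DIR that the given UID/GID cannot
# read; prints nothing when the whole tree is readable.
epr_unreadable() {
    dir=$1; uid=${2:-1000}; gid=${3:-0}
    # Exactly one permission class applies per access: owner bits if the
    # UID matches, else group bits if the GID matches, else "other" bits.
    # Files need r (4); directories need r and x (5) to be listed and entered.
    find "$dir" \( \
        -type f \( \
            \( -uid "$uid" ! -perm -0400 \) -o \
            \( ! -uid "$uid" -gid "$gid" ! -perm -0040 \) -o \
            \( ! -uid "$uid" ! -gid "$gid" ! -perm -0004 \) \
        \) -o \
        -type d \( \
            \( -uid "$uid" ! -perm -0500 \) -o \
            \( ! -uid "$uid" -gid "$gid" ! -perm -0050 \) -o \
            \( ! -uid "$uid" ! -gid "$gid" ! -perm -0005 \) \
        \) \
    \) -print
}

# epr_make_readable DIR
# Applies the remedy named in the thread ("readable by all"): a+r on
# everything, and x only on directories or files that are already executable.
epr_make_readable() {
    chmod -R a+rX "$1"
}

# Stand-alone use: sh epr-perms.sh /path/to/packages
if [ "$#" -gt 0 ]; then
    epr_unreadable "$@"
fi
```

A file copied with mode 0600 and owned by another user is reported here even though group 0 is unchanged, because neither the group nor the "other" class has the read bit.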

@maximpn
Contributor

maximpn commented Jan 14, 2026

The issue described in #16916 (comment) has been fixed in https://github.com/elastic/qaf-tests/pull/236.


We require the endpoint package for the full testing setup. Without it, the Security Prebuilt Rules bootstrap endpoint fails. The endpoint package is hosted separately at https://github.com/elastic/endpoint-package, which makes it an additional point of failure. With the recent stack versions release, the EDR team skipped the 9.2 branch in https://github.com/elastic/endpoint-package, which caused the issue. The EPR deployment script expected the 9.2 branch to be available in the https://github.com/elastic/endpoint-package repo when testing against the 9.2.x stack version. The script falls back to the main branch, which results in a package not found error as the package main requires Kibana 9.4+.

The issue has been fixed by enabling EPR proxy mode. Technically it may cause flakiness. We observed test flakiness when using production EPR. With more stats it will be clear if this fix is gonna stay or we need to implement another fix.

@jsoriano
Member

Thanks @maximpn!

@elasticmachine

elasticmachine commented Jan 14, 2026

@jsoriano
Member

Pending failures are not related. Merging.

@jsoriano jsoriano merged commit 1980236 into main Jan 15, 2026
7 of 8 checks passed
@jsoriano jsoriano deleted the dependabot/go_modules/github.com/elastic/package-registry-1.35.0 branch January 15, 2026 09:48