More security: GitLab 18.0 is being launched in several stages

GitLab 18.0 is the next major release of GitLab. GitLab also provides the appropriate migration tools.


(Image: created with Dall-E by iX)

By Manuel Masiero

The deployment of GitLab 18.0 follows a precisely timed choreography: it starts with the breaking changes, which GitLab rolls out over three time windows. The first ran between April 21 and 23; it will be followed by April 28 to 30 and May 5 to 7.

In parallel, and without specific dates, the changes classified as medium and low impact will be rolled out. For users of the self-managed version of GitLab, GitLab 18.0 will be available from May 15, according to the announcement on the GitLab blog. The managed cloud version, GitLab Dedicated, will be upgraded to GitLab 18.0 between June 24 and 29.

The breaking changes of GitLab 18.0 that are classified as high impact focus on security. They affect the CI/CD job tokens introduced with GitLab 14.4 and the dependency proxy.


The “Limit access from this project” setting for CI/CD job tokens is now disabled by default for all new projects. In GitLab 16.0 or higher, this setting can no longer be re-enabled once it has been disabled in a project. To control job token access to their projects, users should instead use the “Authorized groups and projects” setting, which is enabled by default as of GitLab 18.0.

The dependency proxy for containers also gains new security functions with GitLab 18.0. It now requires authentication with both the read_registry and write_registry scopes. Going forward, the dependency proxy will reject authentication attempts that use access tokens lacking either of these two scopes.

GitLab provides software helpers to make the changeover easier for users. These include the Advanced Search Deprecations tool, which uses the advanced search API to detect strings in GitLab groups and projects that indicate deprecated features. The Dependency Scanning Build Support Detection Helper can also be used to identify projects that are affected by three deprecated dependency scanning features.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.