Commit
Changes:

## 0.44.0

This release contains a number of fixes, two new builtins, a few new features, and several performance improvements.

### Security Fixes

This release includes the security fixes present in the recent v0.43.1 release, which mitigate CVE-2022-36085. See the Release Notes for v0.43.1 for more details.

### Set Element Addition Optimization

Rego Set element addition operations did not scale linearly in the past, and like the Object type before v0.43.0, experienced noticeable reallocation/memory movement overheads once the Set grew past 120k-150k elements in size.

This release introduces different handling of Set internals during element addition operations to avoid pathological reallocation behavior, and allows linear performance scaling up into the 500k key range and beyond.

### Set `union` Built-in Optimization

The Set `union` builtin allows applying the union operation to a set of sets. However, as discovered in <open-policy-agent/opa#4979>, its implementation generated unnecessary intermediate copies, which resulted in poor performance; in many cases, worse than writing the equivalent operation in pure Rego.

This release improves the `union` builtin's implementation, such that only the final result set is ever modified, reducing memory allocations and GC pressure. The `union` builtin is now about 15-30% faster than the equivalent operation in pure Rego.

### New Built-in Functions: `strings.any_prefix_match` and `strings.any_suffix_match`

This release introduces two new builtins, optimized for bulk matching of string prefixes and suffixes: `strings.any_prefix_match`, and `strings.any_suffix_match`. It works with sets and arrays of strings, allowing efficient matching of collections of prefixes or suffixes against a target string.

See the built-in functions docs for all the details: <https://www.openpolicyagent.org/docs/v0.42.0/policy-reference/#builtin-strings-stringsany_prefix_match>

## 0.43.1

This is a security release fixing the following vulnerabilities:

- CVE-2022-36085: Respect unsafeBuiltinMap for 'with' replacements in the compiler

See <GHSA-f524-rf33-2jjr> for all details.