Merge branch 'main' into beck/ci-test-k8s-134

Signed-off-by: kkk777-7 <[email protected]>

Author: kkk777-7

release-notes/v1.6.1.yaml

@@ -1,5 +1,32 @@
-date: December 4, 2025
+date: December 5, 2025
+
+# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs.
+breaking changes: |
 
 # Updates addressing vulnerabilities, security flaws, or compliance requirements.
 security updates: |
-  Patches for EnvoyProxy CVE-2025-64527, CVE-2025-66220, and CVE-2025-64763. Ref https://github.com/envoyproxy/envoy/releases/tag/v1.36.3
+  Bumped Envoy to 1.36.3 to incorporate security patches, CVE-2025-64527, CVE-2025-66220, and CVE-2025-64763. Ref https://github.com/envoyproxy/envoy/releases/tag/v1.36.3
+
+# New features or capabilities added in this release.
+new features: |
+
+bug fixes: |
+  Fixed xDS snapshot cache to clear snapshots when streams close, preventing proxies from receiving stale configuration after reconnection.
+  Fixed configured OIDC authorization endpoint being overridden by discovered endpoints from issuer's well-known URL.
+  Fixed an issue with gateway ownership tracking when running multiple controllers.
+  Fixed default namespace handling when namespace is unset.
+  Fixed a bug where HTTPRoutes referencing gateways with multiple different GatewayClasses would have incomplete status conditions.
+  Fixed gateway status to treat too many addresses as programmed.
+  Fix 500 errors caused by partially invalid BackendRefs; traffic is now correctly routed between valid backends and 500 responses according to their configured weights.
+
+# Enhancements that improve performance.
+performance improvements: |
+
+# Deprecated features or APIs.
+deprecations: |
+
+# Other notable changes not covered by the above sections.
+Other changes: |
+  Bumped Gateway API to v1.4.1.
+  Bumped golang.org/x/crypto dependency.
+  Added disk space reclamation script for CI runners to prevent out-of-disk errors.

site/content/en/news/releases/notes/v1.5.6.md

@@ -0,0 +1,34 @@
+---
+title: "v1.5.6"
+publishdate: 2025-12-05
+---
+
+Date: December 05, 2025
+
+## Breaking changes
+-
+
+## Security updates
+- Patches for EnvoyProxy CVE-2025-64527, CVE-2025-66220, and CVE-2025-64763. Ref https://github.com/envoyproxy/envoy/releases/tag/v1.35.7
+
+
+## New features
+-
+
+## Bug fixes
+- Fixed xDS snapshot cache to clear snapshots when streams close, preventing proxies from receiving stale configuration after reconnection.
+- Fixed configured OIDC authorization endpoint being overridden by discovered endpoints from issuer's well-known URL.
+- Fixed an issue with gateway ownership tracking when running multiple controllers.
+- Fixed default namespace handling when namespace is unset.
+- Fixed a bug where HTTPRoutes referencing gateways with multiple different GatewayClasses would have incomplete status conditions.
+- Fixed gateway status to treat too many addresses as programmed.
+
+## Performance improvements
+-
+
+## Deprecations
+-
+
+## Other changes
+- Added disk space reclamation script for CI runners to prevent out-of-disk errors.
+- Bumped golang.org/x/crypto dependency.

site/content/en/news/releases/notes/v1.6.1.md

@@ -0,0 +1,39 @@
+---
+title: "v1.6.1"
+publishdate: 2025-12-05
+---
+
+Date: December 05, 2025
+
+## Breaking changes
+-
+
+## Security updates
+- Bumped Envoy to 1.36.3 to incorporate security patches, CVE-2025-64527, CVE-2025-66220, and CVE-2025-64763. Ref https://github.com/envoyproxy/envoy/releases/tag/v1.36.3
+
+
+
+## New features
+-
+
+## Bug fixes
+- Fixed xDS snapshot cache to clear snapshots when streams close, preventing proxies from receiving stale configuration after reconnection.
+- Fixed configured OIDC authorization endpoint being overridden by discovered endpoints from issuer's well-known URL.
+- Fixed an issue with gateway ownership tracking when running multiple controllers.
+- Fixed default namespace handling when namespace is unset.
+- Fixed a bug where HTTPRoutes referencing gateways with multiple different GatewayClasses would have incomplete status conditions.
+- Fixed gateway status to treat too many addresses as programmed.
+- Fix 500 errors caused by partially invalid BackendRefs; traffic is now correctly routed between valid backends and 500 responses according to their configured weights.
+
+
+
+## Performance improvements
+-
+
+## Deprecations
+-
+
+## Other changes
+- Bumped Gateway API to v1.4.1.
+- Bumped golang.org/x/crypto dependency.
+- Added disk space reclamation script for CI runners to prevent out-of-disk errors.

tools/osv-scanner/license-scan-config.toml

@@ -38,3 +38,10 @@ version = "1.0.0"
 ecosystem = "Go"
 license.override = ["Apache-2.0"]
 reason = "This package is dual-licensed: the code under the Apache 2.0 license and the documentation under the CC-BY-SA-4.0 license"
+
+# Remove this once OSV image updated
+[[PackageOverrides]]
+name = "stdlib"
+ecosystem = "Go"
+license.override = ["BSD-3-Clause"]
+reason = "Go stdlib is licensed under BSD-3-Clause, see https://go.dev/LICENSE"