
download: use oras, not containerd #8639

Merged: srenatus merged 1 commit into open-policy-agent:main from srenatus:sr/qkmpkuslnlum on May 11, 2026

@srenatus
Contributor

This cuts out a bunch of heavyweight dependencies that are notorious for causing false positive vulnerability findings.

Things we can't verify without running manual integration tests:

Token exchange edge cases: The registry.ParseReference strictness: If users pass references that containerd accepted but ORAS's parser rejects (unusual characters, missing tag, etc.), it would fail at the ParseReference call. In practice, OCI references follow the same grammar everywhere, so this is unlikely.

The best dependency is no dependency.

This cuts out a bunch of heavyweight dependencies that are notorious for
causing false positive vulnerability findings.

Things we can't verify without running manual integration tests:

Token exchange edge cases: The `registry.ParseReference` strictness:
If users pass references that containerd accepted but ORAS's parser
rejects (unusual characters, missing tag, etc.), it would fail at the
ParseReference call. In practice, OCI references follow the same grammar
everywhere, so this is unlikely.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
@srenatus srenatus merged commit 4fbc0e8 into open-policy-agent:main May 11, 2026
40 checks passed
@srenatus srenatus deleted the sr/qkmpkuslnlum branch May 11, 2026 19:48
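
A pre-flight check for the reference-strictness risk named in the PR description and commit message, added here as an example (it is not code from OPA, ORAS or containerd): it tests references against the repository and tag grammar of the OCI distribution spec and the digest grammar of the OCI image spec. `CheckRef`, its finding strings and the sample references are constructed for illustration, and the check does not reproduce either parser's exact behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Grammar of the OCI distribution spec (repository, tag) and OCI image spec
// (digest). Assumption: a stand-in for "strict", not the ORAS parser itself.
var (
	repoRe   = regexp.MustCompile(`^[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*$`)
	tagRe    = regexp.MustCompile(`^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$`)
	digestRe = regexp.MustCompile(`^[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$`)
)

// CheckRef (hypothetical helper) splits ref as registry/repository[:tag][@digest]
// and returns one finding per part that a strict parser could reject.
func CheckRef(ref string) []string {
	var findings []string
	rest := ref
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		if !digestRe.MatchString(rest[i+1:]) {
			findings = append(findings, "malformed digest")
		}
		rest = rest[:i]
	}
	slash := strings.Index(rest, "/")
	if slash <= 0 {
		return append(findings, "no registry host before first '/'")
	}
	// Search for the tag separator only after the host, so a port is not a tag.
	path, hasTag := rest[slash+1:], false
	if i := strings.LastIndex(path, ":"); i >= 0 {
		hasTag = true
		if !tagRe.MatchString(path[i+1:]) {
			findings = append(findings, "invalid tag")
		}
		path = path[:i]
	}
	if !repoRe.MatchString(path) {
		findings = append(findings, "invalid repository name")
	}
	if !hasTag && !strings.Contains(ref, "@") {
		findings = append(findings, "no tag or digest")
	}
	return findings
}

func main() {
	// Constructed sample references, not taken from the PR.
	for _, r := range []string{"ghcr.io/org/bundle:1.0.0", "localhost:5000/bundles/authz", "ghcr.io/Org/Bundle:latest", "bundle:latest"} {
		fmt.Printf("%-32s %v\n", r, CheckRef(r))
	}
}
```

Running it over the references already present in deployment configuration before upgrading shows which ones deserve a manual pull test.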
@github-actions

Benchmark Regression Detected

Commit 4fbc0e8feed77c7b25544796f71f49ce9e0ca87e introduced benchmark regressions (threshold: >25% ns/op increase).

| Package | Benchmark | Regression |
| --- | --- | --- |
| v1/types | BenchmarkAnyMergeOne/10000-4 | +268348684111% |
| v1/types | BenchmarkAnyMergeOne/1000-4 | +143499999900% |
| v1/types | BenchmarkAnyMergeOne/5000-4 | +133414705782% |
| v1/types | BenchmarkAnyMergeOne/500-4 | +110166666567% |
| v1/types | BenchmarkAnyMergeOne/100-4 | +87633333233% |
| v1/types | BenchmarkAnyUnionAllUniqueTypes/250x2500-4 | +84% |
| v1/types | BenchmarkAnyUnionAllUniqueTypes/1000x100-4 | +68% |
| v1/types | BenchmarkAnyUnionAllUniqueTypes/250x100-4 | +59% |
| v1/topdown | BenchmarkSplitLenVsStringsCount/split_len-4 | +54% |
| v1/types | BenchmarkAnyUnionAllUniqueTypes/100x250-4 | +54% |
| v1/rego | BenchmarkPolicyComplexityTargets/10/wasm-4 | +42% |
| v1/ast | BenchmarkObjectFind/5000_5000-4 | +42% |
| v1/rego | BenchmarkDataSizesTargets/10/wasm-4 | +36% |
| v1/ast | BenchmarkTemplateStringToString-4 | +32% |
| v1/rego | BenchmarkSimpleAuthzTargets/wasm-4 | +32% |
| v1/ast | BenchmarkInterfaceToValueInt/non-interned_int_value-4 | +30% |
| v1/bundle | BenchmarkDirectoryLoader/250000-4 | +30% |
| v1/ast | BenchmarkGenerateLocalVar-4 | +28% |
| v1/ast | BenchmarkTypeName-4 | +28% |
| v1/types | BenchmarkAnyUnionAllUniqueTypes/250x1000-4 | +27% |
| v1/bundle | BenchmarkDirectoryLoader/500000-4 | +27% |
| v1/util | BenchmarkNewPtrSlice-4 | +26% |
| v1/ast | BenchmarkFromBuiltinNames/two_parts-4 | +26% |
| v1/util | BenchmarkSplitMap/split_map-4 | +26% |
| internal/wasm/sdk/opa | BenchmarkWASMVirtualDocs/total=100/hit=100-4 | +25% |

Benchmarks Dashboard

This comment was automatically generated by the benchmarks workflow.
