
# 2.5 Changelogs

## v2.5.1

*Released: 2025-07-09*

### **All Services**

**Security Fixes**

**CRITICAL**: Removed ingress layer vulnerability that could allow unauthorized access to administrative functions, metrics endpoints, and cluster secrets. This addresses CVE-2021-25742. All users should upgrade immediately.

**Updates**

Each ESS service makes endpoints available for metrics and health. These endpoints are now available on port 9000 within the cluster. A metrics collector that consumes the prometheus.io metadata annotations will discover the new endpoints automatically. Metrics collectors that are manually configured will need to be adjusted to use the new port. Port 9000 is not accessible from outside the cluster.

## v2.5.0

*Released: 2025-05-13*

## Services

### **All Services**

**Updates**

* The Kafka encryption configuration has been updated for clarity: the serializer and deserializer class names now say `Encrypted` instead of just `Encrypt`:

  * Old Configuration (Deprecated):
    * Serializer: **`com.inrupt.components.kafka.encryption.EncryptMessageSerializer`**
    * Deserializer: **`com.inrupt.components.kafka.encryption.DecryptMessageDeserializer`**
  * New Configuration (Required):
    * Serializer: **`com.inrupt.components.kafka.encryption.EncryptedMessageSerializer`**
    * Deserializer: **`com.inrupt.components.kafka.encryption.EncryptedMessageDeserializer`**

  If these have been set in a custom Kubernetes kustomization then please update your configuration to use these new class names.

  The new class names improve clarity by reflecting the encrypted message format rather than the action.
* The ESS base JVM images are now based on UBI 9, aligning with Red Hat’s supported and hardened base images.
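
A check for the Kafka class-name change above, as an added example that is not part of the ESS distribution: it scans a directory of kustomize files for the deprecated class names and prints the replacement for each hit. The function names and the sample overlay (including its `EXAMPLE_*` variable names) are hypothetical; only the four class names come from this changelog.

```shell
#!/bin/sh
# Added example: scan kustomize overlays for the deprecated ESS Kafka
# encryption class names listed in the 2.5.0 changelog.
PKG='com.inrupt.components.kafka.encryption'

# Map a deprecated class name to its required 2.5.0 replacement.
replacement_for() {
    case "$1" in
        "$PKG.EncryptMessageSerializer")   echo "$PKG.EncryptedMessageSerializer" ;;
        "$PKG.DecryptMessageDeserializer") echo "$PKG.EncryptedMessageDeserializer" ;;
        *) return 1 ;;
    esac
}

# Print "file:line: old -> new" for each deprecated reference under directory $1.
# Exit status 0 means the tree is clean, 1 means deprecated names were found.
scan_overlay() {
    # -F: literal match (the dots are not wildcards); -o: print only the class name.
    hits=$(grep -rnoF \
        -e "$PKG.EncryptMessageSerializer" \
        -e "$PKG.DecryptMessageDeserializer" "$1") || return 0
    printf '%s\n' "$hits" | while IFS=: read -r file line old; do
        printf '%s:%s: %s -> %s\n' "$file" "$line" "$old" "$(replacement_for "$old")"
    done
    return 1
}

# Constructed sample overlay: the variable names are hypothetical, not ESS's own.
# The serializer still uses the deprecated name; the deserializer is already updated.
demo=$(mktemp -d)
cat > "$demo/kafka-patch.yaml" <<'EOF'
env:
  - name: EXAMPLE_VALUE_SERIALIZER
    value: com.inrupt.components.kafka.encryption.EncryptMessageSerializer
  - name: EXAMPLE_VALUE_DESERIALIZER
    value: com.inrupt.components.kafka.encryption.EncryptedMessageDeserializer
EOF
scan_overlay "$demo" || echo "update the class names above before deploying 2.5.0"
rm -rf "$demo"
```

The non-zero exit status on a hit lets the scan run as a pre-deployment gate in a CI pipeline.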

### **Access Grant Service**

**Additions**

* The Access Grant Service emits Access Request/Access Grant change events. These events will be sent to the Notifications Service which will forward them to subscribers.
* The paginated response from the query endpoint now contains a summary that includes a total of all Access Credentials matched.

### **Authorization Service**

**Bugs fixed**

* Prevent potential recursive call from happening when finding ACRs.
* Provisioning and creating ACRs in the Authorization Service is now idempotent.
* Updated logging during provisioning and creating ACRs to remove ERROR logs that are no longer considered error scenarios.
* Service now returns a 400 response when a client submits a PUT request with empty content.

**Additions**

* Static authorization allow-list can now be set on the Authorization Service. This is currently only used by the Purger Service to protect its endpoints.

**Updates**

* The default setting for **`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`** is now **`https://inrupt.com`**. This is not a valid client but is used as a placeholder to ensure that the default is not blank (which would leave ESS open to any client being able to update ACRs).

### **Notification Service**

**Additions**

* The Notification Service adds an HTTPS API where agents can subscribe to events from the Access Grant Service. These subscriptions will direct notifications to client-defined webhook URLs where they can be received.

### **Pod Storage Service**

**Updates**

* The Pod Storage Service HTTP conditional requests management is now compliant with [**RFC 7232 HTTP Conditional Requests**](https://datatracker.ietf.org/doc/html/rfc7232.html). In particular, `ETag` headers are now prioritized over **`If-Modified-Since`**.

**Additions**

* New metric for tracking the number of active Storages, called **`application_com_inrupt_storage_metrics_MetricsCollector_sum{resourceStatus=active}`**.

**Bugs fixed**

* The provision endpoint is now configured so it is included in the Solid Discovery Resource on the Pod Storage Service.
* Added extra validation to storage URIs on purge. Storage URIs now must end with a `/`.

### **Purger Service**

**Additions**

* User data and Pods can now be deleted from ESS using the new Purger Service.

### **Solid OIDC Broker Service**

**Additions**

* Added an allow list to the OpenID configuration that identifies trusted clients. The OpenID Consent screen will not be shown for trusted clients.

**Removals**

* Responses will no longer serialize null fields in JSON.

**Bugs fixed**

* The icons on the Consent screen and Application Registration page are now embedded, so they are consistently available.

### **WebID Service**

**Additions**

* Database connection pool updates to improve graceful backoff under load.

### Deployment

**Updates**

* **`inrupt-kustomizer`** has been updated to use Kustomize version 5.5.
* The Kubernetes bases for **`ess-fragments-ingest`** and **`ess-fragments-query`** have been changed to require TLS v1.3 connections to the Postgres database by default. Setting this as the default helps ensure security.
* The stability of the Keycloak Kubernetes deployment used in the standalone overlay has been improved by removing resource constraints. Additionally, the health endpoint port (9000) from the Kubernetes service is now exposed.

**Removals**

* The **`ess-storage-migrate-system-resource`** Kubernetes CronJobs are now suspended, as they were only needed for migrating to ESS 2.2.0.
* ESS 2.3 included a set of migration jobs for the Access Grant Service. These jobs, once run, can be removed from a Kubernetes deployment. For new (2.5+) deployments, the migration jobs are not relevant.

