We are delighted to announce the availability of version 5.0.41 of Chef Supermarket.
Upgrade Requiremements
Database Upgrade
Supermarket 5 includes a large upgrade of the underlying PostgreSQL database. An automated upgrade will need to be run post package install. See Upgrade Supermarket for details.
Allowed Host Attribute
In order to prevent potential host header attacks, users will need to specify the FQDN of the Supermarket with the node['supermarket']['allowed_host'] attribute. For example, the public supermarket at https://supermarket.chef.io would set this value to supermarket.chef.io.
Bug Fixes
- Updated links to the Chef Blog to use the latest URL.
- Updated links to the Chef Documentation to use the latest URL.
- Removed unused attributes for New Relic monitoring.
Enhancements
PostgreSQL 13.4
The embedded PostgreSQL 9.3 installation used by Supermarket to store cookbook information has been upgraded to 13.4. This new release of PostgreSQL improves performance, includes new functionality that will be utilized in future Supermarket releases, and resolves multiple security vulnerabilities. See Upgrade Supermarket for more information on completing this upgrade.
Cookstyle Cookbook Quality Metrics
The Cookbook Quality Metrics evaluation in Supermarket now uses our Cookstyle engine to evaluate cookbook quality. This greatly improves the breadth of evaluation we provide with ~250 Cookstyle cops being used for each cookbook. This also aligns the quality metrics with the same tools used in local development and CI processes. Stay tuned for exciting new improvements to the Cookbook Quality Metrics using these new capabilities.
Log Directory Permissions
Users can now set the permissions of the Supermarket log directory with a new default['supermarket']['log_mode'] configuration option. This configuration option defaults to the previous directory default of 0700.
Versioned Universe API Endpoint
The universe API endpoint is now available under the v1 API endpoint. There are no current plans to introduce breaking changes to the existing universe API endpoint, but we highly recommend using the new versioned API endpoint for future compatibility.
Security
HTTP Headers
Supermarket now includes a more secure Permissions-Policy HTTP header by default.
Puma 5.6.2
Puma upgraded from 5.6.1 to 5.6.2 to resolve CVE-2022-23633
Sidekiq 6.4.1
The Sidekiq job processing system used by Supermarket has been updated from 6.3.1 to 6.4.1 to resolve CVE-2021-30151.
Ruby on Rails 6.1.4.6
The Ruby on Rails framework used by Supermarket has been updated from 6.1.4.4 to 6.1.4.6 to resolve CVE-2021-22904.
Get the Build
You can download binaries directly from chef.io/downloads.