Skip to content

Bump github.com/authzed/spicedb from 1.37.1 to 1.49.1#372

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/github.com/authzed/spicedb-1.49.1
Open

Bump github.com/authzed/spicedb from 1.37.1 to 1.49.1#372
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/github.com/authzed/spicedb-1.49.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 9, 2026

Bumps github.com/authzed/spicedb from 1.37.1 to 1.49.1.

Release notes

Sourced from github.com/authzed/spicedb's releases.

v1.49.1

Highlights

What's Changed

Full Changelog: authzed/spicedb@v1.49.0...v1.49.1

Docker Images

This release is available at authzed/spicedb:v1.49.1, quay.io/authzed/spicedb:v1.49.1, ghcr.io/authzed/spicedb:v1.49.1

v1.49.0

Highlights

Support for self keyword added to permissions

Previously, if you wanted to represent something like "a user should be able to view themselves," this required adding a relation to the schema and then writing a relation from the user to itself. We've added support for a self keyword in permissions that represents this directly, which reduces storage requirements, removes the need for a trip to the database, and removes a relationship that needs to be synced. For more information, see the Docs and the PR: #2785

Experimental

Postgres Foreign Data Wrapper

In #2806, we added a new experimental command to SpiceDB that serves a Postgres Foreign Data Wrapper: spicedb postgres-fdw [flags]. If you configure your Postgres instance accordingly, it can speak to SpiceDB through the FDW as a proxy, allowing you to write queries like:

-- Check if user:alice has permission to view document:readme
SELECT has_permission
FROM permissions
WHERE resource_type = 'document'
  AND resource_id = 'readme'
  AND permission = 'view'
  AND subject_type = 'user'
  AND subject_id = 'alice';

You can now express checks and lookups as SELECTs and JOINs in your main application code, and you can read, write, and delete relationships using Postgres as the client. For more information, see the documentation in the repo.

Warnings
  • This feature is experimental. We'd welcome you trying it out and providing feedback, but it will likely change before its final GA'd form.
  • This feature DOES NOT solve the Dual-Write Problem. You can make updates in the context of a Postgres transaction, but Postgres's FDW protocol doesn't support a two-phase commit semantic, which means there are still failure modes where a transactional write will land in SpiceDB but not Postgres or vice-versa.

Query Planner

... (truncated)

Changelog

Sourced from github.com/authzed/spicedb's changelog.

[1.49.1] - 2026-02-06

Added

Changed

Fixed

Security

[1.49.0] - 2026-02-03

Added

  • Support for self keyword added to permissions. Previously, if you wanted to represent something like "a user should be able to view themselves," this required adding a relation to the schema and then writing a relation from the user to itself. We've added support for a self keyword in permissions that represents this directly, which reduces storage requirements, removes the need for a trip to the database, and removes a relationship that needs to be synced. For more information, see the Docs and the PR

  • Experimental Postgres Foreign Data Wrapper.

    In #2806, we added a new experimental command to SpiceDB that serves a Postgres Foreign Data Wrapper: spicedb postgres-fdw [flags]. If you configure your Postgres instance accordingly, it can speak to SpiceDB through the FDW as a proxy, allowing you to write queries like:

    -- Check if user:alice has permission to view document:readme
SELECT has_permission
FROM permissions
WHERE resource_type = 'document'
  AND resource_id = 'readme'
  AND permission = 'view'
  AND subject_type = 'user'
  AND subject_id = 'alice';

    You can now express checks and lookups as SELECTs and JOINs in your main application code, and you can read, write, and delete relationships using Postgres as the client. For more information, see the documentation in the repo.

    NOTE:

    • This feature is experimental. We'd welcome you trying it out and providing feedback, but it will likely change before its final GA'd form.
    • This feature DOES NOT solve the Dual-Write Problem. You can make updates in the context of a Postgres transaction, but Postgres's FDW protocol doesn't support a two-phase commit semantic, which means there are still failure modes where a transactional write will land in SpiceDB but not Postgres or vice-versa.

  • Query Planner

    This release includes the first experimental handle on our new Query Planner. If you run SpiceDB with the new --experimental-query-plan flag, SpiceDB will use the query planner to resolve queries. This is mostly provided for the curious; there's still work to do on statistics sources and optimizations before we expect that it will provide performance benefits across most workloads. We don't yet recommend turning on this flag in your system outside of experiments in your local or development environments. We'll continue work and let you know when it's ready for production.

... (truncated)

Commits
  • d842a97 chore: implement self in schemav2 (#2887)
  • 7f9bd27 build: add new mustcallcheck analyzer and fix instances (#2886)
  • 3b519e8 fix: make sure that use self comes out of formatter when self is used (#2885)
  • 286d6e8 fix: handle self keyword in warnings checks, and check these warnings are e...
  • 03a3a18 feat: finish LR consistency tests with the fix to the recursive iterator (#2881)
  • 208ad95 chore(deps): bump the github-actions group with 5 updates (#2870)
  • 4c9d349 fix: query both subrelation and ellipses on arrows for IterResources (#2879)
  • d753f26 chore: add metrics and tests to all cache implementations (#2874)
  • c2c3bab fix: improve LR consistency and support multiple resourcetypes (#2875)
  • fa1d7f4 fix: prevent panic on malformed cursor (#2878)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump github.com/authzed/spicedb from 1.37.1 to 1.49.1
ba448df 
Bumps [github.com/authzed/spicedb](https://github.com/authzed/spicedb) from 1.37.1 to 1.49.1.
- [Release notes](https://github.com/authzed/spicedb/releases)
- [Changelog](https://github.com/authzed/spicedb/blob/main/CHANGELOG.md)
- [Commits](authzed/spicedb@v1.37.1...v1.49.1)

---
updated-dependencies:
- dependency-name: github.com/authzed/spicedb
  dependency-version: 1.49.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Mar 9, 2026
@dependabot dependabot Bot requested review from a team as code owners March 9, 2026 00:55
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Mar 9, 2026
@dependabot dependabot Bot mentioned this pull request Mar 9, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants