The easiest, most secure way to use WireGuard and 2FA http://git.waynecole.info/tailscale/atom?h=dependabot%2Fgithub_actions%2Fslackapi%2Fslack-github-action-3.0.1 2026-03-16T11:30:40Z 2026-03-16T11:30:40Z dependabot[bot] 49699333+dependabot[bot]@users.noreply.github.com 2026-03-16T11:30:40Z urn:sha1:16c54e363f8ff00dfc5ecc98db873433491d7f18 Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 2.1.1 to 3.0.1. - [Release notes](https://github.com/slackapi/slack-github-action/releases) - [Commits](https://github.com/slackapi/slack-github-action/compare/91efab103c0de0a537f72a35f6b8cda0ee76bf0a...af78098f536edbc4de71162a307590698245be95) --- updated-dependencies: - dependency-name: slackapi/slack-github-action dependency-version: 3.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 2026-03-14T02:41:30Z Brad Fitzpatrick bradfitz@tailscale.com 2026-03-13T20:51:22Z urn:sha1:54606a0a89bc5e90b5295179e5b776f6a2df8cfa Fixes #18991 Change-Id: I29a609dcd401854026aef4a5ad8d5806c3249ea6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2026-03-13T22:01:31Z Brad Fitzpatrick bradfitz@tailscale.com 2026-03-13T20:51:22Z urn:sha1:4c91f90776317bcfa5fa7fa3995d5a3376b09999 Before sending a fix for #18991, this adds an integration test that locks in that the proxymap WhoIs code works with two nodes running as different users, with the second node running a localhost service and able to use its local tailscaled to identify a Tailscale connection from the other tailscaled. Updates #18991 Change-Id: I6fbb0810204d77d2ac558f0cc786b73e3248d031 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2026-03-13T21:27:03Z Jordan Whited jordan@tailscale.com 2026-03-11T20:02:09Z urn:sha1:96dde53b43fc3b6b1c7aa254a10914347199cd2e For the purpose of improved observability of UDP socket receive buffer overflows on Linux. Updates tailscale/corp#37679 Signed-off-by: Jordan Whited <jordan@tailscale.com> 2026-03-13T17:26:08Z George Jones george@tailscale.com 2026-03-13T17:26:08Z urn:sha1:660a4608d2ccb4508af71d888454b333e5eb501f Changed the mapping to store the transit IPs to be indexed by peer IP rather than NodeID because the data path only has access to the peer's IP. This change means that IPv4 transit IPs need to be indexed by the peer's IPv4 address, and IPv6 transit IPs need to be indexed by the peer's IPv6 address. It is an error if the peer does not have an address of the same family as the transit IP. It is also an error if the transit and destination IP families do not match. Added a check to ensure that the TransitIPRequest.App matches a configured app on the connector. Added additional TransitIPResponse codes to identify the new errors and change the exsting use of the Other code to use it's own specific code. Added logging for the error cases, since they generally indicate that a peer has constructed a bad request or that there is a config mismatch between the peer and the local netmap. Added a test framework for handleConnectorTransitIPRequest and moved the existing tests into the framework and added new tests. Fixes tailscale/corp#37143 Signed-off-by: George Jones <george@tailscale.com> 2026-03-13T14:31:16Z Tom Proctor tomhjp@users.noreply.github.com 2026-03-13T14:31:16Z urn:sha1:621f71981cf05e5ea6c6accbd92123f40b531f45 The e2e ingress test was very occasionally flaky. On looking at operator logs from one failure, you can see the default ProxyClass was not ready before the first reconcile loop for the exposed Service. The ProxyClass became ready soon after, but no additional reconciles were triggered for the exposed Service because we only triggered reconciles for Services that explicitly named their ProxyClass. This change adds additional list API calls for when it's the default ProxyClass that's been updated in order to catch Services that use it by default. It also adds indexes for the fields we need to search on to ensure the list is efficient. Fixes tailscale/corp#37533 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> 2026-03-12T18:25:31Z Brad Fitzpatrick bradfitz@tailscale.com 2026-03-10T22:52:49Z urn:sha1:dd480f0fb931bb971f01336c820f960aa858171f Updates #1866 Change-Id: Ica73ae8268b08a04ae97bc570869a04180585e75 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2026-03-12T14:42:41Z Mike O'Driscoll mikeo@tailscale.com 2026-03-12T14:42:41Z urn:sha1:7412fc00acbd3434c57f20f685a3273e8fe75e57 Updates #fixup Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> 2026-03-12T12:06:55Z Kristoffer Dalby kristoffer@dalby.cc 2026-03-11T20:17:05Z urn:sha1:be62e6dc68650c986c76c69df2d75ad204034e14 This commit adds a "fallback" mechanism to tsnet to allow the consumer to set "TS_CONTROL_URL" to override the control server. This allows tsnet applications to gain support for an alternative control server by just updating without explicitly exposing the ControlURL option. Updates #16934 Signed-off-by: Kristoffer Dalby <kristoffer@dalby.cc> 2026-03-12T04:13:04Z dependabot[bot] 49699333+dependabot[bot]@users.noreply.github.com 2026-03-09T11:47:36Z urn:sha1:0a4e0e2940c0938697305d1c87a38f53b5aefefd Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.5 to 4.32.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c793b717bc78562f491db7b0e93a3a178b099162...0d579ffd059c29b07949a3cce3983f0780820c98) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>