Tyk Gateway 5.5 Release Notes
Open Source (Mozilla Public License)
This page contains all release notes for version 5.5.X, displayed in reverse chronological order.
Support Lifetime
Our minor releases are supported until our next minor comes out.
5.5.2 Release Notes
Release Date 03 October 2024
Release Highlights
This release replaces Tyk Gateway 5.5.1 which was accidentally released as a non-distroless image.
Breaking Changes
There are no breaking changes in this release.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.5.2 | MDCB v2.7 | MDCB v2.4.2 |
5.5.2 | Operator v0.18 | Operator v0.17 |
5.5.2 | Sync v1.5 | Sync v1.4.3 |
5.5.2 | Helm Chart v2.0.0 | Helm all versions |
5.5.2 | EDP v1.10 | EDP all versions |
5.5.2 | Pump v1.11 | Pump all versions |
5.5.2 | TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.21 | 1.21 | Go plugins must be built using Go 1.21 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are upgrading to 5.5.2, please follow the detailed upgrade instructions.
Downloads
- Docker image to pull
  - `docker pull tykio/tyk-gateway:v5.5.2`
- Helm charts
- Source code tarball for OSS projects
5.5.1 Release Notes
Release Date 26 September 2024
Release Highlights
This release fixes some issues related to the way that Tyk performs URL path matching, introducing two new Gateway configuration options to control path matching strictness.
For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
There are no breaking changes in this release.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.5.1 | MDCB v2.7 | MDCB v2.4.2 |
5.5.1 | Operator v0.18 | Operator v0.17 |
5.5.1 | Sync v1.5 | Sync v1.4.3 |
5.5.1 | Helm Chart v2.0.0 | Helm all versions |
5.5.1 | EDP v1.10 | EDP all versions |
5.5.1 | Pump v1.11 | Pump all versions |
5.5.1 | TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.21 | 1.21 | Go plugins must be built using Go 1.21 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are upgrading to 5.5.1, please follow the detailed upgrade instructions.
Downloads
- Docker image to pull
  - `docker pull tykio/tyk-gateway:v5.5.1`
- Helm charts
- Source code tarball for OSS projects
Changelog
Added
- Implemented Gateway configuration options to set URL path matching strictness
  We have introduced two new options in the `http_server_options` Gateway configuration that will enforce prefix and/or suffix matching when Tyk performs checks on whether middleware or other logic should be applied to a request:
  - `enable_path_prefix_matching` ensures that the start of the request path must match the path defined in the API definition
  - `enable_path_suffix_matching` ensures that the end of the request path must match the path defined in the API definition
  - combining `enable_path_prefix_matching` and `enable_path_suffix_matching` will ensure an exact (explicit) match is performed
  These configuration options provide control to avoid unintended matching of paths from Tyk’s default wildcard match. Use of regex special characters when declaring the endpoint path in the API definition will automatically override these settings for that endpoint.
  Tyk recommends that exact matching is employed, but both options default to `false` to avoid introducing a breaking change for existing users.
  The example Gateway configuration file `tyk.conf.example` has been updated to set the recommended exact matching with:
  - `http_server_options.enable_path_prefix_matching = true`
  - `http_server_options.enable_path_suffix_matching = true`
  - `http_server_options.enable_strict_routes = true`
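The effect of the two options on a single literal endpoint path can be seen in the following added sketch, which is not Tyk's code. It is a simplified model of the semantics described above: the `Options` type, the functions `Matches` and `UnintendedMatches`, and the sample paths are constructed for illustration, the listen path is assumed to be already stripped, and the regex override is not modelled.

```go
package main

import (
	"fmt"
	"regexp"
)

// Options mirrors the two settings named in the release notes (hypothetical type).
type Options struct {
	PrefixMatching bool // enable_path_prefix_matching
	SuffixMatching bool // enable_path_suffix_matching
}

// Matches reports whether requestPath counts as a hit for the literal
// endpointPath. With both options off the endpoint path may appear anywhere
// in the request path, which models the default wildcard match.
func Matches(endpointPath, requestPath string, opts Options) bool {
	pattern := regexp.QuoteMeta(endpointPath)
	if opts.PrefixMatching {
		pattern = "^" + pattern // anchor the start of the request path
	}
	if opts.SuffixMatching {
		pattern += "$" // anchor the end of the request path
	}
	return regexp.MustCompile(pattern).MatchString(requestPath)
}

// UnintendedMatches lists request paths that hit endpointPath without being identical to it.
func UnintendedMatches(endpointPath string, requests []string, opts Options) []string {
	var hits []string
	for _, r := range requests {
		if r != endpointPath && Matches(endpointPath, r, opts) {
			hits = append(hits, r)
		}
	}
	return hits
}

func main() {
	// Constructed sample request paths.
	requests := []string{"/users", "/users/42", "/admin/users", "/v2/users/export"}
	modes := []struct {
		name string
		opts Options
	}{
		{"default (wildcard)", Options{}},
		{"prefix only", Options{PrefixMatching: true}},
		{"suffix only", Options{SuffixMatching: true}},
		{"prefix + suffix (exact)", Options{PrefixMatching: true, SuffixMatching: true}},
	}
	for _, m := range modes {
		fmt.Printf("%-24s unintended: %v\n", m.name, UnintendedMatches("/users", requests, m.opts))
	}
}
```

Running the same comparison against the endpoint paths in your own API definitions before enabling the options shows which requests will stop matching middleware rules.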
Fixed
- Incorrectly configured regex in policy affected Path-Based Permissions authorization
  Fixed an issue when using granular Path-Based Permissions in access policies and keys that led to authorization incorrectly being granted to endpoints if an invalid regular expression was configured in the key/policy. Also fixed an issue where path-based parameters were not correctly handled by Path-Based Permissions. Now Tyk’s authorization check correctly handles both of these scenarios, granting access only to the expected resources.
- Missing path parameter can direct to the wrong endpoint
  Fixed an issue where a parameterized endpoint URL (e.g. `/user/{id}`) would be invoked if a request is made that omits the parameter. For example, a request to `/user/` will now be interpreted as a request to `/user` and not to `/user/{id}`.
5.5.0 Release Notes
Release Date 12 August 2024
Release Highlights
We are thrilled to introduce Tyk Gateway 5.5, bringing advanced rate-limiting capabilities, enhanced certificate authentication, and performance optimizations. For a comprehensive list of changes, please refer to the changelog below.
Per Endpoint Rate Limiting
Now configure rate limits at the endpoint level for both Tyk OAS and Tyk Classic APIs, providing granular protection for upstream services against overloading and abuse.
Root CA Support for Client Certificates
Simplify certificate management with support for root Certificate Authority (CA) certificates, enabling clients to authenticate using certificates signed by the configured root CA.
Optimised AST Document Handling
Experience improved performance with optimised creation and usage of Abstract Syntax Tree (AST) documents in our GQL library, reducing memory usage and enhancing efficiency.
Breaking Changes
Docker images are now based on distroless. No shell is shipped in the image.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.5.0 | MDCB v2.7 | MDCB v2.4.2 |
5.5.0 | Operator v0.18 | Operator v0.17 |
5.5.0 | Sync v1.5 | Sync v1.4.3 |
5.5.0 | Helm Chart v1.6 | Helm all versions |
5.5.0 | EDP v1.10 | EDP all versions |
5.5.0 | Pump v1.11 | Pump all versions |
5.5.0 | TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.21 | 1.21 | Go plugins must be built using Go 1.21 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are upgrading to 5.5.0, please follow the detailed upgrade instructions.
Downloads
- Docker image to pull
  - `docker pull tykio/tyk-gateway:v5.5.0`
- Helm charts
- Source code tarball for OSS projects
Changelog
Added
- Added root CA support for client certificate authentication
  We’ve added support for you to register Certificate Authority (CA) certificates in your API definitions when using static mutual TLS (mTLS). Tyk can now authenticate clients presenting certificates signed by the registered root CA, simplifying certificate management for multiple clients sharing a common CA.
- Optimised creation and usage of AST documents in GQL library
  Optimised the creation and usage of AST documents in our GQL library to reduce significant memory allocations caused by pre-allocations during initial creation. These optimizations free up resources more efficiently, minimising performance penalties with increased requests to the Gateway.
- Implemented upstream endpoint rate limits
  Introduced new, more granular controls for request rate limiting. Rate limits can now be configured at the endpoint level in Tyk OAS and Tyk Classic API definitions.
- Improved handling of requests to non-existent versions of APIs when using URL path versioning
  When using the URL path to indicate the API version (for example `/v1/my-api`) it is common to strip the version identifier (e.g. `/v1`) from the path before proxying the request to the upstream. If the client doesn’t provide any version identifier this could lead to an invalid target URL and failed requests, rather than correctly redirecting to the default version. We have introduced an optional configuration `url_versioning_pattern` where you can specify a regex that Tyk will use to identify whether the URL contains a version identifier, avoiding the accidental stripping of a valid upstream path.
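The version-stripping problem described in the last item, as an added Go sketch that is not Tyk's code: it compares unconditional stripping of the first path segment with stripping guarded by a version regex. The functions `NaiveStrip` and `GuardedStrip`, the pattern `^v\d+$` and the sample paths are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// NaiveStrip drops the first path segment unconditionally, assuming it is
// always a version identifier.
func NaiveStrip(path string) string {
	trimmed := strings.TrimPrefix(path, "/")
	if i := strings.Index(trimmed, "/"); i >= 0 {
		return trimmed[i:]
	}
	return "/"
}

// GuardedStrip removes the first segment only when it matches versionRe.
// It returns the detected version ("" if none) and the upstream path.
func GuardedStrip(path string, versionRe *regexp.Regexp) (string, string) {
	trimmed := strings.TrimPrefix(path, "/")
	first, rest, _ := strings.Cut(trimmed, "/")
	if !versionRe.MatchString(first) {
		// No version identifier: keep the full path and let the
		// default version handle the request.
		return "", path
	}
	return first, "/" + rest
}

func main() {
	// Constructed pattern, anchored so that only a whole segment such as
	// "v1" or "v2" counts as a version identifier.
	versionRe := regexp.MustCompile(`^v\d+$`)
	for _, p := range []string{"/v1/my-api", "/my-api/items", "/v2"} {
		ver, up := GuardedStrip(p, versionRe)
		fmt.Printf("%-16s naive=%-10s guarded=%s (version %q)\n", p, NaiveStrip(p), up, ver)
	}
}
```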
Fixed
- Fixed an issue where transformation middleware could incorrectly be applied to Tyk OAS API endpoints with nested paths
  Fixed an issue when using Tyk OAS APIs where nested API endpoints, such as ‘/test’ and ‘/test/abc’, might incorrectly apply middleware from the parent path to the nested path. The fix ensures that API endpoint definitions are correctly ordered so that the standard behaviour of Tyk is followed, whereby path matching is performed starting from the longest path, preventing middleware misapplication and ensuring both the HTTP method and URL match accurately.
- Optimised key creation process to avoid unnecessary Redis `DeleteRawKey` commands
  Previously, key creation or reset led to an exponential number of Redis `DeleteRawKey` commands; this was especially problematic for access lists with over 100 entries. The key creation sequence now runs only once, eliminating redundant deletion of non-existent keys in Redis. This optimization significantly reduces deletion events, enhancing performance and stability for larger access lists.
- Resolved SSE streaming issue
  Addressed a bug that caused Server Side Event (SSE) streaming responses to be considered for caching, which required buffering the response and prevented SSE from being correctly proxied.
- Fixed analytics latency reporting for MDCB setups
  Resolved an issue where Host and Latency fields (Total and Upstream) were not correctly reported for Tyk Gateways in MDCB data planes. The fix ensures accurate Host values and Latency measurements are now captured and displayed in the generated traffic logs.
Security Fixes
- High priority CVEs fixed
  Fixed the following high priority CVEs identified in the Tyk Gateway, providing increased protection against security vulnerabilities:
Further Information
Upgrading Tyk
Please refer to the upgrading Tyk page for further guidance on the upgrade strategy.
API Documentation
FAQ
Please visit our Developer Support page for further information relating to reporting bugs, upgrading Tyk, technical support and how to contribute.