build(deps): bump github.com/authzed/spicedb from 1.53.1-0.20260612201921-1d5d2c81ab70 to 1.54.0 #703

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/authzed/spicedb-1.54.0

dependabot[bot] commented on behalf of github on Jun 23, 2026

Bumps github.com/authzed/spicedb from 1.53.1-0.20260612201921-1d5d2c81ab70 to 1.54.0.

Release notes

Sourced from github.com/authzed/spicedb's releases.

v1.54.0

Security

  • Prevent cache poisoning. The dispatch Check cache key now incorporates check hints. See GHSA-4vrg-r928-h5vv

Added

Changed

  • Cache: switch to otter as the primary cache implementation (authzed/spicedb#3112)
  • Server handles: GRPCDialContext as a handle on the server used deprecated gRPC methods. We modernized it and renamed it to NewClient (authzed/spicedb#3147)

Fixed

  • The watching schema cache (--enable-experimental-watchable-schema-cache) no longer enters permanent fallback on transient watch errors. A new supervisor restarts the watch cycle with bounded exponential backoff and only treats caller-driven cancellation or unsupported-watch as terminal (authzed/spicedb#3134)
  • Watch consumers that request WatchCheckpoints now eventually observe every revision returned by WriteRelationships as a checkpoint. MemDB regressed this in authzed/spicedb#2578 for no-op writes and MySQL never emitted checkpoints at all prior to now. Both now emit a checkpoint at the new revision. (authzed/spicedb#3114)
  • When Query Planner evaluates a union, short-circuit if one of the branches yields a positive un-caveated result (authzed/spicedb#3120)
  • DispatchQueryPlan previously did not try to use the singleflight middleware for check calls. (authzed/spicedb#3119)
  • Fixed regression introduced in 1.53.0. Postgres HeadRevision no longer allocates a new transaction ID on every call (authzed/spicedb#3127)
  • Fixed regression introduced in 1.53.0 for MySQL migration scripts (authzed/spicedb#3129)
  • Query Planner: LookupSubjects no longer returns a subject excluded from a wildcard (e.g. viewer:* - banned) when the exclusion feeds an intersection (experimental --experimental-query-plan ls) (authzed/spicedb#3136)
  • Tracing: When server is shutting down, flush traces. Also, elide the need for setting OTEL_EXPORTER_OTLP_ENDPOINT. (authzed/spicedb#3108)
  • Fixed a LookupSubjects issue in the query planner around the handling of wildcards in compound permissions (authzed/spicedb#3140)
  • MySQL: identifiers (object/subject IDs and relationship counter names) are now stored with a case-sensitive (binary) collation, matching the Postgres, CockroachDB, and Spanner datastores. Previously, identifiers differing only in letter case (e.g. Foo and foo) incorrectly collided in unique indexes and lookups. ⚠️ The migration rebuilds the relation_tuple table in place via ALTER TABLE, which can hold a metadata/table lock for a long time on large datasets — run the upgrade in a low-traffic window, or apply it with an online schema-change tool (e.g. gh-ost). (authzed/spicedb#3161)
  • server.NewConfigWithOptionsAndDefaults now populates Config and its embedded structs with the same defaults as the CLI flags, fixing zero-value behavior when embedding SpiceDB as a library. (authzed/spicedb#3156)

What's Changed

... (truncated)

Changelog

Sourced from github.com/authzed/spicedb's changelog.

[1.54.0] - 2026-06-18

Added

Changed

  • Cache: switch to otter as the primary cache implementation (authzed/spicedb#3112)
  • Server handles: GRPCDialContext as a handle on the server used deprecated gRPC methods. We modernized it and renamed it to NewClient (authzed/spicedb#3147)

Fixed

  • The watching schema cache (--enable-experimental-watchable-schema-cache) no longer enters permanent fallback on transient watch errors. A new supervisor restarts the watch cycle with bounded exponential backoff and only treats caller-driven cancellation or unsupported-watch as terminal (authzed/spicedb#3134)
  • Watch consumers that request WatchCheckpoints now eventually observe every revision returned by WriteRelationships as a checkpoint. MemDB regressed this in authzed/spicedb#2578 for no-op writes and MySQL never emitted checkpoints at all prior to now. Both now emit a checkpoint at the new revision. (authzed/spicedb#3114)
  • When Query Planner evaluates a union, short-circuit if one of the branches yields a positive un-caveated result (authzed/spicedb#3120)
  • DispatchQueryPlan previously did not try to use the singleflight middleware for check calls. (authzed/spicedb#3119)
  • Fixed regression introduced in 1.53.0. Postgres HeadRevision no longer allocates a new transaction ID on every call (authzed/spicedb#3127)
  • Fixed regression introduced in 1.53.0 for MySQL migration scripts (authzed/spicedb#3129)
  • Query Planner: LookupSubjects no longer returns a subject excluded from a wildcard (e.g. viewer:* - banned) when the exclusion feeds an intersection (experimental --experimental-query-plan ls) (authzed/spicedb#3136)
  • Tracing: When server is shutting down, flush traces. Also, elide the need for setting OTEL_EXPORTER_OTLP_ENDPOINT. (authzed/spicedb#3108)
  • Fixed a LookupSubjects issue in the query planner around the handling of wildcards in compound permissions (authzed/spicedb#3140)
  • MySQL: identifiers (object/subject IDs and relationship counter names) are now stored with a case-sensitive (binary) collation, matching the Postgres, CockroachDB, and Spanner datastores. Previously, identifiers differing only in letter case (e.g. Foo and foo) incorrectly collided in unique indexes and lookups. ⚠️ The migration rebuilds the relation_tuple table in place via ALTER TABLE, which can hold a metadata/table lock for a long time on large datasets — run the upgrade in a low-traffic window, or apply it with an online schema-change tool (e.g. gh-ost). (authzed/spicedb#3161)
  • server.NewConfigWithOptionsAndDefaults now populates Config and its embedded structs with the same defaults as the CLI flags, fixing zero-value behavior when embedding SpiceDB as a library. (authzed/spicedb#3156, authzed/spicedb#3170)

Security

  • Prevent cache poisoning. The dispatch Check cache key now incorporates check hints. See GHSA-4vrg-r928-h5vv

[1.53.0] - 2026-05-13

Added

  • Add DispatchExecutor, a query plan executor that is Dispatch-aware and sends subproblems on Alias boundaries (authzed/spicedb#3074)

  • Implement Dispatch caching for query plan execution (authzed/spicedb#3079)

  • Add new optimizer to query planner based on set theory laws for simplifications (authzed/spicedb#3051)

  • Experimental: Add unified schema storage with ReadStoredSchema/WriteStoredSchema APIs for improved schema read performance (authzed/spicedb#2924)

    This feature stores the entire schema as a single serialized proto rather than reading individual namespace and caveat definitions separately, significantly improving schema read performance.

    Migration to unified schema storage is controlled by the --experimental-schema-mode flag, which supports a 4-phase rolling migration:

    1. read-legacy-write-legacy (default) - No change; reads and writes use legacy per-definition storage.
    2. read-legacy-write-both - Reads from legacy storage, writes to both legacy and unified storage. This is the first migration step and backfills the unified schema table.
    3. read-new-write-both - Reads from unified storage, writes to both. Validates the new read path while maintaining backward compatibility.
    4. read-new-write-new - Reads and writes only unified storage. This is the final migration target.

    Deployment:

    • With the SpiceDB Operator: Configure the operator to roll through stages 1 through 4 in sequence. The operator handles the rolling update of SpiceDB instances at each stage.
    • Without the operator: Progress through the stages manually by updating the --experimental-schema-mode flag and performing a rolling restart at each stage. You can also take the system down briefly and move directly from stage 1 to stage 4, which runs the full migration in one step.

Changed

Fixed

  • Query plan contexts are written to during recursive calls -- for now, disable dispatch inside recursive calls (authzed/spicedb#3078)

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [github.com/authzed/spicedb](https://github.com/authzed/spicedb) from 1.53.1-0.20260612201921-1d5d2c81ab70 to 1.54.0.
- [Release notes](https://github.com/authzed/spicedb/releases)
- [Changelog](https://github.com/authzed/spicedb/blob/main/CHANGELOG.md)
- [Commits](https://github.com/authzed/spicedb/commits/v1.54.0)

---
updated-dependencies:
- dependency-name: github.com/authzed/spicedb
  dependency-version: 1.54.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the area/dependencies label on Jun 23, 2026
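
As an added illustration of the Security entry in the release notes above (not code from this PR or from SpiceDB), the following Go sketch models why a memoized check has to key on every input that can change its result. The `CheckRequest` type, the hint semantics, the sample data and all function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CheckRequest is a hypothetical, simplified check request (not SpiceDB's type).
type CheckRequest struct {
	Resource, Permission, Subject string
	Hints                         map[string]bool // subproblem -> result taken as given
}

var stored = map[string]bool{"doc:1#view@alice": false} // constructed sample data

func evaluate(r CheckRequest) bool {
	sub := r.Resource + "#" + r.Permission + "@" + r.Subject
	if v, ok := r.Hints[sub]; ok {
		return v // the hint replaces the lookup, so it is an input to the result
	}
	return stored[sub]
}

// cacheKey quotes each field; with withHints set it appends the hints in sorted order.
func cacheKey(r CheckRequest, withHints bool) string {
	parts := []string{}
	for name, v := range r.Hints {
		if withHints {
			parts = append(parts, fmt.Sprintf("%q=%t", name, v))
		}
	}
	sort.Strings(parts)
	return fmt.Sprintf("%q%q%q|", r.Resource, r.Permission, r.Subject) + strings.Join(parts, ",")
}

// SecondCallerResult caches a hinted check, then returns what a hint-free check is served.
func SecondCallerResult(withHints bool) bool {
	cache := map[string]bool{}
	plain := CheckRequest{Resource: "doc:1", Permission: "view", Subject: "alice"}
	hinted := CheckRequest{"doc:1", "view", "alice", map[string]bool{"doc:1#view@alice": true}}
	for _, r := range []CheckRequest{hinted, plain} {
		if _, ok := cache[cacheKey(r, withHints)]; !ok {
			cache[cacheKey(r, withHints)] = evaluate(r)
		}
	}
	return cache[cacheKey(plain, withHints)]
}

func main() { fmt.Println(SecondCallerResult(false), SecondCallerResult(true)) }
```

With the hints left out of the key, the hint-free request is served the hinted entry; with them included, the two requests occupy separate entries and the hint-free one is evaluated against stored data.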