2025.09.05 Release Note

September 5, 2025 · 6 min read

This version is a technical release upgrading most components to reduce CVE and technical debt.
It also includes several bug fixes and performance improvements.

Upgrade risk

warning

Compatibility issue:
Jwt key pair must now be 2048 bits minimum.

Update it in values.yaml and let the cluster restart by itself.
To speed up, external Controllers may be restarted manually (it takes monger for them)

Elastic 9 upgrade: Spider is now running by default with Elasticsearch 9.1.

This requires ECK operator v3
- Which removes support to deprecated Elastic v6 versions
No automatic migration of captured data is implemented in Spider deployment.
- You could do it manually, but is it worth it for ephemeral data?
To upgrade Spider to use Elastic 9, the simplest way is to restart from a fresh install and restore configuration with embedded back-up/restore feature.
- To ensure you have a backup of latest configuration, you may manually restart the maintenance service. It triggers a backup to S3.
To keep Elastic v7 (or when you cannot upgrade ECK to version 3), there is a new flag in helm values: global.elasticsearch.stillUseV7
- Ugly on purpose 😉

Key changes

Technical debt upgrade of all services
- From Moment.js to Luxon.js
- From request.js to undici.js
- All libraries upgraded to latest version
Dependencies upgraded to
- Redis 8.2
- Elasticsearch 9.1 - and ECK 3.1
- Traefik 3.5
Performance improvements
Security improvements
Compatibility to run behind Cloudflare WAF

How to upgrade

Use Helm chart 5.0.0 from repository
- Add global.redis.password key in values to add a password to redis connections
Adjust global.version field value to 2025.09.05 in your values.yaml
Deploy

tip

See Reference documentation for details.

Versions

Spider

New versions of Spider components:

Component	Version	Docker tag
Helm chart	5.0.0	-
Analysis UI	12.3	2025.09.05
Controllers	2.3	2025.09.05
Gossipers	7.6	2025.09.05
Gociphers	1.7	2025.09.05
Back office	-	2025.09.05
Login UI	-	2025.09.05
Monitoring UI	-	2025.09.05

Dependencies

This operator is required on the Kube where Spider is installed.

Dependency	Version
Elastic Cloud for Kubernetes	2 or 3

These components are set up in the correct versions by the Helm chart:

Dependency	Version	Docker tag
Elastic stack	9.1*	9.1
Redis	8.2	8-alpine
Traefik	3.5	v3.5

(*) Version 7 is still available and compatible for clusters still using ECK 2.

Compatibility

Spider has been successfully tested under these versions of dependencies:

3rd party software	Version
Helm	3.14+
Kube	1.24+

List of changes

Helm chart

✨ New features	Redis access may (and should) now be protected by a password
⚙️ Improvements	JWT key pairs must now be 2048 bits minimum (linked to libraries update). Migrated to Traefik 3.5 Migrated to Redis 8.2 Migrated to Elastic 9.1 - with option to keep Elastic 7.17 Added `cache-control: no-transform` header to all responses to avoid cache transformation and issues wit eTag optimistic concurrency control Technical debt upgrade of `restore-backup` and `init-es` jobs From Moment.js to Luxon.js All libraries upgraded to latest version Compatibility with Elastic 9.1
🐞 Bug fixes

Analysis UI

✨ New features	Dump of requests in a file when uploaded a PCAP to reuse in regression testing
⚙️ Improvements	Technical debt upgrade of server From Moment.js to Luxon.js From request.js to undici.js All libraries upgraded to latest version
🐞 Bug fixes

Controllers

✨ New features
⚙️ Improvements	Technical debt upgrade of agent From Moment.js to Luxon.js From request.js to undici.js All libraries upgraded to latest version
🐞 Bug fixes

Gossipers (Whisperers)

✨ New features	Added DNS cache of 1 min for outgoing requests. This loosen the load on Controller.
⚙️ Improvements
🐞 Bug fixes

Gociphers

✨ New features	Added DNS cache of 1 min for outgoing requests. This loosen the load on Controller.
⚙️ Improvements	Introduced randomization of time when Network Usage is sent to distribute the load on the Controller.
🐞 Bug fixes

Back office

✨ New features	API enhancements for automated regression testing
⚙️ Improvements	Technical debt upgrade of all services From Moment.js to Luxon.js From request.js to undici.js All libraries upgraded to latest version Improvement on Tcp-Update to avoid querying Elastic for Whisperers not saving to Elasticsearch. Avoid increasing the search load to Elastic when Redis is saturating and removing streaming data before parsing is complete.
🐞 Bug fixes	Controller owner was not allowed to attach a whisperer when it should be Maintenance job was not removing old whisperers

✨ New features
⚙️ Improvements	Technical debt upgrade of server From Moment.js to Luxon.js From request.js to undici.js All libraries upgraded to latest version
🐞 Bug fixes

Monitoring UI

✨ New features
⚙️ Improvements	Technical debt upgrade of server From Moment.js to Luxon.js From request.js to undici.js All libraries upgraded to latest version
🐞 Bug fixes	Fix access-token refresh that was looping infinitely, generating load on the server

Online documentation

Main updated parts:

reference values.yaml

API impacts

note

This section informs about any impact on Spider API, so you may adjust your scripts.

Data impacts

note

The table below tells if there are data mapping changes in Elasticsearch indices, associated or not with migrations (Yes ✅ / No ❌).
Migration are automated at upgrade time, but they may leave unattended indices that you have to remove manually.

Index	Description	Migration

Upgrade risk​

Key changes​

How to upgrade​

Versions​

Spider​

Dependencies​

Compatibility​

List of changes​

Helm chart​

Analysis UI​

Controllers​

Gossipers (Whisperers)​

Gociphers​

Back office​

Login UI​

Monitoring UI​

Online documentation​

API impacts​

Data impacts​