This is a patch release scoped to fixing issues reported by users of Crossplane v1.17 and fixing security related issues in Crossplane's dependencies.

Users of v1.18.x reported that they were no longer able to downgrade a Crossplane installation from v1.18.x to a previous v1.17.x version. This was fixed in #6157 and we expect downgrades from v1.18.2 to be working once again.

The way Usage objects are managed within a Composition has been updated in #6155 to prevent orphaned Usage objects from remaining in the control plane when a Composition that creates a Usage is updated. The change is described below:

• When the Usage itself deleted, the usage controller will wait for using resource before removing the finalizer, only if the Usage is part of a composite (i.e has crossplane.io/composite label).
• When a resource removed from a composition (i.e. decomposed), the composition controllers (both PT and function) will remove the composed resource labels before deleting the resource.
• This behavior is visually summarized in #5880 (comment)

What's Changed

• [Backport release-1.18] fix(environmentConfigs): revert to v1alpha1 as storageversion to fix rollback issues by @github-actions in #6168
• [Backport release-1.18] Usages: decomposed usages should be deleted properly by @github-actions in #6169
• chore(deps): update module golang.org/x/crypto to v0.31.0 [security] (release-1.18) by @crossplane-renovate in #6180

Full Changelog: v1.18.1...v1.18.2