Merge v3.6 into master

Author: mmatur

.github/workflows/template-webui.yaml

@@ -1,6 +1,8 @@
 name: Build Web UI
 on:
   workflow_call: {}
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
 jobs:
 
   build-webui:
@@ -22,6 +24,12 @@ jobs:
           cache: yarn
           cache-dependency-path: webui/yarn.lock
 
+      - name: Setup safe-chain
+        working-directory: ./webui
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: Build webui
         working-directory: ./webui
         run: |

.github/workflows/test-gateway-api-conformance.yaml

@@ -9,6 +9,7 @@ on:
       - 'pkg/provider/kubernetes/gateway/**'
       - 'integration/fixtures/gateway-api-conformance/**'
       - 'integration/gateway_api_conformance_test.go'
+      - 'integration/integration_test.go'
 
 env:
   GO_VERSION: '1.24'

.github/workflows/test-knative-conformance.yaml

@@ -9,6 +9,7 @@ on:
       - 'pkg/provider/kubernetes/knative/**'
       - 'integration/fixtures/knative/**'
       - 'integration/knative_conformance_test.go'
+      - 'integration/integration_test.go'
 
 env:
   GO_VERSION: '1.24'

.github/workflows/test-unit.yaml

@@ -79,6 +79,11 @@ jobs:
           cache: 'yarn'
           cache-dependency-path: webui/yarn.lock
 
+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: UI unit tests
         working-directory: ./webui
         env:

.golangci.yml

@@ -239,6 +239,8 @@ linters:
         text: ' always receives '
         linters:
           - unparam
+      - path: pkg/server/service/bufferpool.go
+        text: 'SA6002: argument should be pointer-like to avoid allocations'
       - path: pkg/server/middleware/middlewares.go
         text: Function 'buildConstructor' has too many statements
         linters:
@@ -314,12 +316,8 @@ linters:
         text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
         linters:
           - recvcheck
-      - path: pkg/server/service/bufferpool.go
-        text: 'SA6002: argument should be pointer-like to avoid allocations'
       - path: pkg/proxy/httputil/bufferpool.go
         text: 'SA6002: argument should be pointer-like to avoid allocations'
-      - path: pkg/udp/conn.go
-        text: 'SA6002: argument should be pointer-like to avoid allocations'
       - path: integration/integration_test.go
         text: 'var (gatewayAPIConformanceRunTest|traefikVersion) is unused'
       - path: pkg/server/router/router.go

CHANGELOG.md

@@ -1,3 +1,29 @@
+## [v3.6.2](https://github.com/traefik/traefik/tree/v3.6.2) (2025-11-18)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.1...v3.6.2)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Deprecate Kubernetes Ingress NGINX provider experimental flag ([#12286](https://github.com/traefik/traefik/pull/12286) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.6.1](https://github.com/traefik/traefik/tree/v3.6.1) (2025-11-13)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.0...v3.6.1)
+
+**Bug fixes:**
+- **[docker]** Auto-negotiate Docker API Version ([#12256](https://github.com/traefik/traefik/pull/12256) by [felixbuenemann](https://github.com/felixbuenemann))
+- **[server]** Fix multi-layer routing with models ([#12258](https://github.com/traefik/traefik/pull/12258) by [juliens](https://github.com/juliens))
+- **[udp]** Revert "Avoid allocations in readLoop by using sync.Pool" ([#12267](https://github.com/traefik/traefik/pull/12267) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Fix blocked navigation on Safari ([#12231](https://github.com/traefik/traefik/pull/12231) by [gndz07](https://github.com/gndz07))
+- **[webui]** Restore remote Upgrade to Hub button web component ([#12219](https://github.com/traefik/traefik/pull/12219) by [gndz07](https://github.com/gndz07))
+
+**Documentation:**
+- **[k8s]** Fix Nginx provider documentation ([#12266](https://github.com/traefik/traefik/pull/12266) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Fix Gateway API version and the list of features supported ([#12254](https://github.com/traefik/traefik/pull/12254) by [nmengin](https://github.com/nmengin))
+
+## [v2.11.31](https://github.com/traefik/traefik/tree/v2.11.31) (2025-11-13)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.30...v2.11.31)
+
+**Bug fixes:**
+- **[docker,docker/swarm]** Auto-negotiate Docker API version ([#12262](https://github.com/traefik/traefik/pull/12262) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v3.6.0](https://github.com/traefik/traefik/tree/v3.6.0) (2025-11-07)
 [All Commits](https://github.com/traefik/traefik/compare/v3.5.0-rc1...v3.6.0)
 

SECURITY.md

@@ -1,10 +1,5 @@
 # Security Policy
 
-You can join our security mailing list to be aware of the latest announcements from our security team.
-You can subscribe by sending an email to [email protected] or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
-
-Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
-
 ## Supported Versions
 
 - We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
@@ -17,14 +12,16 @@ We use [Semantic Versioning](https://semver.org/).
 
 | Version   | Supported          |
 |-----------|--------------------|
-| `2.2.x`   | :white_check_mark: |
-| `< 2.2.x` | :x:                |
-| `1.7.x`   | :white_check_mark: |
-| `< 1.7.x` | :x:                |
+| `3.6.x`   | :white_check_mark: |
+| `< 3.6.x` | :x:                |
+| `2.11.x`   | :white_check_mark: |
+| `< 2.11.x` | :x:                |
 
 ## Reporting a Vulnerability
 
 We want to keep Traefik safe for everyone.
 If you've discovered a security vulnerability in Traefik,
 we appreciate your help in disclosing it to us in a responsible manner,
 by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).

cmd/traefik/traefik.go

@@ -114,9 +114,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		log.Debug().RawJSON("staticConfiguration", []byte(redactedStaticConfiguration)).Msg("Static configuration loaded [json]")
 	}
 
-	if staticConfiguration.Global.CheckNewVersion {
-		checkNewVersion()
-	}
+	checkNewVersion(staticConfiguration)
 
 	stats(staticConfiguration)
 
@@ -614,13 +612,28 @@ func setupTracing(ctx context.Context, conf *static.Tracing) (*tracing.Tracer, i
 	return tracer, closer
 }
 
-func checkNewVersion() {
-	ticker := time.Tick(24 * time.Hour)
-	safe.Go(func() {
-		for time.Sleep(10 * time.Minute); ; <-ticker {
-			version.CheckNewVersion()
-		}
-	})
+func checkNewVersion(staticConfiguration *static.Configuration) {
+	logger := log.With().Logger()
+
+	if staticConfiguration.Global.CheckNewVersion {
+		logger.Info().Msg(`Version check is enabled.`)
+		logger.Info().Msg(`Traefik checks for new releases to notify you if your version is out of date.`)
+		logger.Info().Msg(`It also collects usage data during this process.`)
+		logger.Info().Msg(`Check the documentation to get more info: https://doc.traefik.io/traefik/contributing/data-collection/`)
+
+		ticker := time.Tick(24 * time.Hour)
+		safe.Go(func() {
+			for time.Sleep(10 * time.Minute); ; <-ticker {
+				version.CheckNewVersion()
+			}
+		})
+	} else {
+		logger.Info().Msg(`
+Version check is disabled.
+You will not be notified if a new version is available.
+More details: https://doc.traefik.io/traefik/contributing/data-collection/
+`)
+	}
 }
 
 func stats(staticConfiguration *static.Configuration) {

docs/content/contributing/data-collection.md

@@ -1,17 +1,72 @@
 ---
 title: "Traefik Data Collection Documentation"
-description: "To learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances. Read the technical documentation."
+description: "Learn what data Traefik shares, how it is used, and how you can control it. This documentation explains both version check and anonymous usage statistics data. Read the technical documentation."
 ---
 
 # Data Collection
 
-Understanding How Traefik is Being Used
+Understanding the data Traefik shares and how it is used
 {: .subtitle }
 
-## Configuration Example
+## Introduction
 
-Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.
-For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us, so we can benefit from your experience and use cases.
+Protecting user privacy is essential to Traefik Labs, and we design every data-sharing mechanism with transparency and minimalism in mind.
+This page describes the two types of data exchanged by Traefik and how to configure them.
+
+For more details on how your data is handled, please refer to our [Privacy and Cookie Policy](https://traefik.io/legal/privacy-and-cookie-policy).
+
+## Configuration Overview
+
+Traefik provides two independent mechanisms:
+
+- `checkNewVersion`, enabled by default. You may disable it at any time.
+- `sendAnonymousUsage`, which requires explicit opt‑in.
+
+Examples below show how to activate or deactivate both of them.
+
+```yaml tab="YAML"
+global:
+  checkNewVersion: true      # set to false to disable
+  sendAnonymousUsage: false  # set to true to enable
+```
+
+```toml tab="TOML"
+[global]
+  checkNewVersion = true      # set to false to disable
+  sendAnonymousUsage = false  # set to true to enable
+```
+
+```bash tab="CLI"
+--global.checkNewVersion=true      # set to false to disable
+--global.sendAnonymousUsage=false  # set to true to enable
+```
+
+A log message at startup clearly indicates whether each of those options are enabled or disabled.
+
+## Version Check (`checkNewVersion`) – Opt-out
+
+Traefik periodically contacts `update.traefik.io` to determine whether a newer version is available.
+When this request is made, Traefik shares the **running version** and the **public IP** of the instance.
+The IP is used to build global usage statistics and does not influence the version comparison.
+
+This mechanism helps you stay informed about updates and provides TraefikLabs with a broad view of which versions are deployed in the wild.
+
+The collected IP addresses are also used for marketing purposes, specifically to detect companies running Traefik and offer them adapted support contracts, enterprise features, and tailored services.
+
+If you want to explore the implementation, you can read the version check source code: [version.go](https://github.com/traefik/traefik/blob/master/pkg/version/version.go)
+
+## Anonymous Usage Data (`sendAnonymousUsage`) – Opt‑in
+
+Traefik can also collect anonymous usage statistics once per day, starting 10 minutes after it starts running.  
+These statistics include:
+
+- the Traefik version,
+- a hash of the configuration,
+- an anonymized version of the static configuration (all sensitive fields removed: tokens, passwords, URLs, IP addresses, domains, emails, etc.).
+
+This feature comes from this [public proposal](https://github.com/traefik/traefik/issues/2369).
+
+This information helps TraefikLabs understand how Traefik is used in general and prioritize features and provider support accordingly. Dynamic configuration (routers and services) is never collected.
 
 !!! example "Enabling Data Collection"
 
@@ -32,21 +87,6 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
     --global.sendAnonymousUsage
     ```
 
-## Collected Data
-
-This feature comes from this [public proposal](https://github.com/traefik/traefik/issues/2369).
-
-In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
-Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
-
-### What's collected / when ?
-
-Once a day (the first call begins 10 minutes after the start of Traefik), we collect:
-
-- the Traefik version number
-- a hash of the configuration
-- an **anonymized version** of the static configuration (token, username, password, URL, IP, domain, email, etc., are removed).
-
 !!! info
 
     - We do not collect the dynamic configuration information (routers & services).
@@ -93,8 +133,9 @@ providers:
       insecureSkipVerify: true
 ```
 
-## The Code for Data Collection
+### The Code for Anonymous Usage Collection
 
-If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
+If you want to explore the implementation, you can read the collector source code:
+[collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
 
-By default, we anonymize all configuration fields, except fields tagged with `export=true`.
+Traefik anonymizes all configuration fields by default, except those explicitly marked with `export=true`.

docs/content/migrate/v3.md

@@ -525,3 +525,32 @@ To use the new `leasttime` load-balancer algorithm with the Kubernetes CRD provi
 ```shell
 kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
 ```
+
+## v3.6.2
+
+### Ingress NGINX Provider
+
+The KubernetesIngressNGINX Provider is no longer experimental in v3.6.2 and can be enabled without the `experimental.kubernetesIngressNGINX` option.
+
+**Deprecated Configuration:**
+
+??? example "Experimental kubernetesIngressNGINX option (deprecated)"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      kubernetesIngressNGINX: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+        kubernetesIngressNGINX=true
+    ```
+
+    ```bash tab="CLI"
+    --experimental.kubernetesIngressNGINX=true
+    ```
+
+**Migration Steps:**
+
+1. Remove the `kubernetesIngressNGINX` option from the experimental section
+2. Configure the provider using the [kubernetesIngressNGINX Provider documentation](../reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md)