TL;DR: Chainguard is introducing a policy that will remove older versions of Wolfi packages from Wolfi APK Repositories on an ongoing basis.
Announcement date |
Planned Change date |
Aug 5, 2025 |
Sep 10, 2025 |
This communication includes the following topics:
What is changing?
Starting September 10, 2025, Chainguard will begin removing non-latest versions of Wolfi APK packages older than 12 months on an ongoing basis. Over time, we plan to reduce this retention period to 3 months for non-latest packages in public Wolfi repositories.
We do not have a fixed timeline for implementing the policy goal of 3 month retention for Wolfi as our first and foremost objective is to ensure that no customers are impacted by the introduction of the 12 month retention period. Any future change in the retention period will be announced well in advance.
Additionally, Chainguard will begin removing non-latest versions of Chainguard OS APK packages older than 12 months on an ongoing basis. We are not planning to reduce the retention period for Chainguard OS packages any further than 12 months.
Why is Chainguard making this change?
The Wolfi package manager (apk) uses the APKINDEX — a metadata file listing every available package version in Wolfi — to perform operations such as package installations, upgrades, and searches. Because apk scans the entire index every time it runs, operation performance degrades as the index grows.
Over the past two years, the APKINDEX for public Wolfi package repositories has grown from over 4,600 unique package versions to over 186,000 unique package versions: an increase of over 4000%. This growth is unsustainable without compromising performance.
Removing older package versions limits the ongoing growth of the APKINDEX moving forward. It also aligns with our secure-by-design philosophy, ensuring that older package versions missing security patches are removed.
Most major Linux distributions (like Alpine, Debian, Fedora) retain only the latest version of each package in their primary package repositories, and also update their packages less frequently than Wolfi. By introducing this retention policy (initially 12 months, with a long-term shift towards 3 months), we intend to balance security, performance, and stability.
How will this affect me?
Starting September 10, 2025, package versions older than 12 months will be removed from public Wolfi repositories.
Customers using virtual APK repositories (virtualapk.cgr.dev) will be notified if they have pulled Wolfi APK packages that are impacted by upcoming removals.
Packages available via customer-specific Private APK Repositories will only be affected by the policy change to a 12 month retention period for Chainguard OS. Again, we do not plan to reduce the Chainguard OS retention period any further at this point. If you expect to rely on packages in Wolfi older than 3 months, switch to using Private APK Repositories. Your account team can help navigate this transition.
What do I need to do?
Ensure your Dockerfiles or build configurations use recent package versions (such as those built within the last 12 months). When pinning to a specific package version (through
apk add package=1.2.3-r1 for instance), ensure processes are in place to update that package version within 12 months and preferably 3 months.Use the new default virtual APK repository endpoint (virtualapk.cgr.dev) to ensure Chainguard can notify you if you are using package versions that are scheduled for removal. For more information, please refer to “updating default package repositories for Chainguard Containers.”
Additional Detail / Questions
How frequently will Chainguard remove packages?
Packages will be removed once a month, on the second Wednesday of the month. Package removals will be announced on the wolfi-dev announcement page on GitHub one month prior to removal. The first posting of packages to be removed will occur in August, and the first package removal will occur September 10, 2025. The next posting of packages to be removed in October will occur September 10th, 2025.
Will absolutely every package version more than one year old be removed?
No. The latest version of each package, package versions required for other packages within the index, or package versions used within Chainguard Containers will always be retained in the index.
Will my builds break?
Our goal is not to disrupt your workflows, but customers pinning to specific package versions in their Dockerfiles or build configurations are at risk. Those using the new virtual APK repository will receive notice if they are using packages which will be removed, allowing time to remediate any issues.
Customers who want to self validate the age of packages they are installing can check the build date after installation by either inspecting the SBOM for the package or using apk info:
$ jq .creationInfo.created /var/lib/db/sbom/*.json $ apk info -e -W <package-name> | grep "build date"
Note: apk info checks the build date for the currently installed version of the specified package. Ensure you run this in an environment where the package versions closely match those used in your production environment.
Why is Chainguard moving towards a 3-month retention policy for Wolfi?
A shorter retention window will shrink the APKINDEX further, boost apk operation performance, and align more closely with our secure-by-design philosophy, significantly reducing the risk of using outdated, vulnerable packages. This ensures that you experience the highest possible performance and benefit from the best-in-class security available through Chainguard. Any changes to this policy will be announced in advance, and our priority is to ensure there is no customer impact during future transitions.
What about packages I actively use that are older than 12 months?
We recommend retaining copies of these packages and hosting them internally as necessary.
Need help or have questions?
We're here to help! Visit our support portal at support.chainguard.dev.
- Chainguard Team
Comments
0 comments
Article is closed for comments.