Skip to content

Packer Plugin for VMware vSphere v2.1.2 and Packer Plugin for VMware Desktop Hypervisors v2.1.1

As the maintainer of both the Packer Plugin for VMware vSphere and the Packer Plugin for VMware Desktop Hypervisors, I wanted to share news of two new releases that went out on March 24, 2026: vmware/packer-plugin-vsphere v2.1.2 and vmware/packer-plugin-vmware v2.1.1.

CVE-2026-33186 and These Plugins

Both releases bump google.golang.org/grpc to v1.79.3, which addresses CVE-2026-33186 (CVSS 9.1), an authorization bypass in gRPC-Go. Neither plugin is directly affected: both include google.golang.org/grpc only as a transitive dependency through hashicorp/packer-plugin-sdk and use it exclusively as a local IPC channel between Packer core and the plugin binary, without path-based gRPC authorization. The dependency is bumped as standard security hygiene.

Packer Plugin for VMware vSphere v2.1.2

Release Information

Release date: March 24, 2026

Release notes: github.com/vmware/packer-plugin-vsphere/releases/tag/v2.1.2

Full changelog: v2.1.1...v2.1.2

In addition to bumping the gRPC dependency, v2.1.2 includes the following changes.

Bug Fixes

  • Fixed null pointer handling in several resource configurations to prevent panics when optional values are not set.

Refactoring

  • Refactored resource pool resolution to improve handling of nested and standalone resource pools.

Documentation

  • Updated CONTRIBUTING.md and README.md with revised guidance.
  • Updated example URLs to reflect current repository structure.
  • Fixed miscellaneous typos and grammar in the documentation.

Chores

  • Bumped google.golang.org/grpc to v1.79.3 (CVE-2026-33186).
  • Bumped hashicorp/packer-plugin-sdk to v0.6.6.
  • Bumped hashicorp/hcl/v2 to v2.24.0.
  • Bumped vmware/govmomi to v0.53.0.
  • Bumped goreleaser/goreleaser-action from 6.4.0 to 7.0.0.
  • Bumped actions/setup-go from 6.2.0 to 6.3.0.
  • Bumped crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0.
  • Renamed GNUmakefile to Makefile.
  • Removed .go-version in favor of the Go version defined in the module toolchain directive.

Packer Plugin for VMware Desktop Hypervisors v2.1.1

Release Information

Release date: March 24, 2026

Release notes: github.com/vmware/packer-plugin-vmware/releases/tag/v2.1.1

Full changelog: v2.1.0...v2.1.1

v2.1.1 is a focused dependency update release.

Chores

  • Bumped google.golang.org/grpc to v1.79.3 (CVE-2026-33186).
  • Bumped hashicorp/packer-plugin-sdk to v0.6.6.
  • Bumped golang.org/x/net to v0.52.0.
  • Bumped goreleaser/goreleaser-action from 6.4.0 to 7.0.0.
  • Bumped actions/setup-go from 6.2.0 to 6.3.0.
  • Bumped crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0.
  • Renamed GNUmakefile to Makefile.

How to Update

Update your Packer configuration to reference the latest version of the plugin you are using.

packer {
  required_plugins {
    vsphere = {
      source  = "github.com/vmware/vsphere"
      version = ">= 2.1.2"
    }
  }
}

Then run:

packer init -upgrade .

packer {
  required_plugins {
    vmware = {
      source  = "github.com/vmware/vmware"
      version = ">= 2.1.1"
    }
  }
}

Then run:

packer init -upgrade .

Disclaimer

This is not an official VMware by Broadcom document. This is a personal blog post. The information is provided as-is with no warranties and confers no rights. It is not intended to replace official documentation. Please, refer to official documentation for the most up-to-date information.