GitLab
curl removed from Omnibus-GitLab FIPS packages in 19.0
GitLab is changing how FIPS packages handle the curl dependency starting with Omnibus-GitLab version 19.0. Previously, FIPS packages included a GitLab-built version of curl. However, newer curl versions deprecate compilation against older OpenSSL versions, necessitating this shift. Consequently, FIPS packages will now utilize the curl version provided by the customer's Linux distribution. This mirrors the existing practice of using the distribution's OpenSSL for FIPS packages.

This change affects all FIPS customers, regardless of their OpenSSL version. For GitLab Self-Managed users, this transition will occur with the 19.0 release on May 21, 2026. No immediate action is required from customers; their GitLab instance will continue to function.

The implication is that GitLab will no longer provide security updates specifically for curl within FIPS packages. Customers are now responsible for ensuring their operating system's curl package is updated. Scanner findings related to curl will now reflect the host OS package. For any problems, customers should open an issue in the omnibus-gitlab issue tracker.