chore(deps): bump the go group with 26 updates #552

dependabot · 2024-11-10T15:32:23Z

Bumps the go group with 26 updates:

Package	From	To
cuelang.org/go	`0.9.0`	`0.10.1`
github.com/Masterminds/semver/v3	`3.2.1`	`3.3.0`
github.com/containers/image/v5	`5.31.0`	`5.33.0`
github.com/cyphar/filepath-securejoin	`0.2.5`	`0.3.4`
github.com/fluxcd/helm-controller/api	`1.0.1`	`1.1.0`
github.com/fluxcd/kustomize-controller/api	`1.3.0`	`1.4.0`
github.com/fluxcd/pkg/apis/event	`0.9.0`	`0.10.1`
github.com/fluxcd/pkg/apis/meta	`1.5.0`	`1.6.1`
github.com/fluxcd/pkg/http/fetch	`0.11.0`	`0.12.1`
github.com/fluxcd/pkg/kustomize	`1.11.0`	`1.13.0`
github.com/fluxcd/pkg/runtime	`0.47.1`	`0.49.1`
github.com/fluxcd/pkg/tar	`0.7.0`	`0.8.0`
github.com/fluxcd/source-controller/api	`1.3.0`	`1.4.1`
github.com/mandelsoft/vfs	`0.4.3`	`0.4.4`
github.com/onsi/gomega	`1.33.1`	`1.34.2`
github.com/tetratelabs/wazero	`1.7.2`	`1.8.1`
golang.org/x/exp	`0.0.0-20240604190554-fc45aab8b7f8`	`0.0.0-20241009180824-f66d83c29e7c`
helm.sh/helm/v3	`3.15.1`	`3.16.2`
k8s.io/apimachinery	`0.30.1`	`0.31.1`
k8s.io/client-go	`0.30.1`	`0.31.1`
sigs.k8s.io/controller-runtime	`0.18.4`	`0.19.0`
sigs.k8s.io/e2e-framework	`0.2.0`	`0.5.0`
sigs.k8s.io/kustomize/api	`0.17.2`	`0.17.3`
github.com/mikefarah/yq/v4	`4.44.1`	`4.44.3`
k8s.io/api	`0.30.1`	`0.31.1`
k8s.io/apiextensions-apiserver	`0.30.1`	`0.31.1`

Updates cuelang.org/go from 0.9.0 to 0.10.1

Updates github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.0

Release notes

Sourced from github.com/Masterminds/semver/v3's releases.

v3.3.0

What's Changed

Fix: bad package in README by @sdelicata in Masterminds/semver#226

Updating the GitHub Actions and versions of Go used by @mattfarina in Masterminds/semver#229

Fix spelling in README by @robinschneider in Masterminds/semver#222

Adding go build cache to fuzz output by @mattfarina in Masterminds/semver#232

Add caching to fuzz testing by @mattfarina in Masterminds/semver#234

updating github actions by @mattfarina in Masterminds/semver#235

feat: nil version equality by @KnutZuidema in Masterminds/semver#213

add >= and <= by @grosser in Masterminds/semver#238

doc: hyphen range constraint without whitespace by @johnnychen94 in Masterminds/semver#216

Removing reference to vert by @mattfarina in Masterminds/semver#245

simplify StrictNewVersion by @grosser in Masterminds/semver#241

Updating the testing version of Go used by @mattfarina in Masterminds/semver#246

bumping min version in go.mod based on what's tested by @mattfarina in Masterminds/semver#248

Updating changelog for 3.3.0 by @mattfarina in Masterminds/semver#249

New Contributors

@sdelicata made their first contribution in Masterminds/semver#226

@robinschneider made their first contribution in Masterminds/semver#222

@KnutZuidema made their first contribution in Masterminds/semver#213

@grosser made their first contribution in Masterminds/semver#238

@johnnychen94 made their first contribution in Masterminds/semver#216

Full Changelog: Masterminds/semver@v3.2.1...v3.3.0

Changelog

Sourced from github.com/Masterminds/semver/v3's changelog.

3.3.0 (2024-08-27)

Added

#238: Add LessThanEqual and GreaterThanEqual functions (thanks @grosser)

#213: nil version equality checking (thanks @KnutZuidema)

Changed

#241: Simplify StrictNewVersion parsing (thanks @grosser)

Testing support up through Go 1.23

Minimum version set to 1.21 as this is what's tested now

Fuzz testing now supports caching

Commits

e6e3d4d Merge pull request #249 from mattfarina/update-changelog-3.3.0
e80c4ea Updating changelog for 3.3.0
80427ad Merge pull request #248 from mattfarina/bump-min-version
b610837 bumping min version in go.mod based on what's tested
a4cccd8 Merge pull request #246 from mattfarina/bump-go-1.23
7c178cf Updating the testing version of Go used
29f94c1 Merge pull request #241 from grosser/grosser/validate
2cf1b16 Merge pull request #245 from mattfarina/remove-vert
b55476a Removing reference to vert
d07450b simplify StrictNewVersion
Additional commits viewable in compare view

Updates github.com/containers/image/v5 from 5.31.0 to 5.33.0

Release notes

Sourced from github.com/containers/image/v5's releases.

v5.33.0

What's Changed

Merge 5.32.1 back into main by @mtrmac in containers/image#2510

Update module github.com/docker/docker to v27.1.2+incompatible by @renovate in containers/image#2516

Update module github.com/docker/cli to v27.1.2+incompatible by @renovate in containers/image#2515

pkg/blobcache: simplify test case by @kolyshkin in containers/image#2521

[CI:DOCS] Update dependency golangci/golangci-lint to v1.60.1 by @renovate in containers/image#2517

Update module github.com/vbauerster/mpb/v8 to v8.8.1 by @renovate in containers/image#2525

Introduce/use JSONFormatToInvalidSignatureError by @kolyshkin in containers/image#2518

fix(deps): update module github.com/vbauerster/mpb/v8 to v8.8.2 by @renovate in containers/image#2528

fix(deps): update module dario.cat/mergo to v1.0.1 by @renovate in containers/image#2527

Use %w to wrap errors, enable errorlint by @kolyshkin in containers/image#2519

Add keyPaths, keyDatas to prSigstoreSigned by @mtrmac in containers/image#2524

Add support for accepting multiple Rekor public keys by @mtrmac in containers/image#2526

Release 5.32.2 by @mtrmac in containers/image#2531

[CI:DOCS] Update dependency golangci/golangci-lint to v1.60.2 by @renovate in containers/image#2533

Merge release-5.32 into main by @mtrmac in containers/image#2532

Update module github.com/vbauerster/mpb/v8 to v8.8.3 by @renovate in containers/image#2540

[CI:DOCS] Update dependency golangci/golangci-lint to v1.60.3 by @renovate in containers/image#2535

Support proxy environment for docker client by @PMExtra in containers/image#2424

Update module github.com/docker/docker to v27.2.0+incompatible by @renovate in containers/image#2543

Update module github.com/docker/cli to v27.2.0+incompatible by @renovate in containers/image#2542

Update dependency containers/automation_images to v20240821 by @renovate in containers/image#2545

Update golang.org/x/exp digest to 9b4947d by @renovate in containers/image#2549

Add a workaround for null values in the tag list by @mtrmac in containers/image#2544

Update module github.com/mattn/go-sqlite3 to v1.14.23 by @renovate in containers/image#2554

Update module golang.org/x/oauth2 to v0.23.0 by @renovate in containers/image#2555

Update module golang.org/x/term to v0.24.0 by @renovate in containers/image#2556

Update module golang.org/x/crypto to v0.27.0 by @renovate in containers/image#2561

Assorted clean ups, optimizations, and a small bug fix by @mtrmac in containers/image#2552

Update to Go 1.22 by @mtrmac in containers/image#2550

Update module github.com/sigstore/fulcio to v1.6.4 by @renovate in containers/image#2560

Refactor image deletion in OCI by @mtrmac in containers/image#2551

Update module github.com/docker/docker to v27.2.1+incompatible by @renovate in containers/image#2564

Update module github.com/docker/cli to v27.2.1+incompatible by @renovate in containers/image#2563

Update dependency golangci/golangci-lint to v1.61.0 by @renovate in containers/image#2565

storage: use PrepareStagedLayer instead of ApplyDiffWithDiffer by @giuseppe in containers/image#2570

fix(deps): update module github.com/sigstore/sigstore to v1.8.9 by @renovate in containers/image#2571

copy: Don't print "skipped: 0.0b = 0.00%" by @cgwalters in containers/image#2576

fix(deps): update module github.com/docker/docker to v27.3.0+incompatible by @renovate in containers/image#2575

fix(deps): update module github.com/docker/cli to v27.3.0+incompatible by @renovate in containers/image#2574

fix(deps): update module github.com/docker/cli to v27.3.1+incompatible by @renovate in containers/image#2577

fix(deps): update module github.com/docker/docker to v27.3.1+incompatible by @renovate in containers/image#2578

Fix an incorrect expected MIME type when validating manifests by @mtrmac in containers/image#2572

fix(deps): update module github.com/klauspost/compress to v1.17.10 by @renovate in containers/image#2580

fix(deps): update module github.com/vbatts/tar-split to v0.11.6 by @renovate in containers/image#2584

Fix: Improving error log message for missing policy.json file by @Sativarsainath-26 in containers/image#2582

fix(deps): update github.com/containers/storage digest to 4bf3f07 by @renovate in containers/image#2586

fix(deps): update golang.org/x/exp digest to 701f63a by @renovate in containers/image#2587

registry: remove ping v1 by @carlosrodfern in containers/image#2588

... (truncated)

Commits

c3a2029 Bump to c/image v5.33.0
04d69d5 Bump to c/storage v1.56.0
59417ae Merge pull request #2609 from mtrmac/copy-resolve-destination
6ba898f HACK: Only return an image ID from ReportResolvedReference for c/storage
125f862 Return a precise reference to the created image when writing to containers-st...
91d22b2 Introduce private.ImageDestination.CommitWithOptions
831269d Rename an options variable to imgOptions
ba2a4ae Merge pull request #2616 from containers/renovate/golang.org-x-exp-digest
6bcb929 fix(deps): update golang.org/x/exp digest to f66d83c
228de93 Merge pull request #2615 from containers/renovate/github.com-containers-stora...
Additional commits viewable in compare view

Updates github.com/cyphar/filepath-securejoin from 0.2.5 to 0.3.4

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.3.4

This release primarily includes a fix that blocked using filepath-securejoin in Kubernetes.

Previously, some testing mocks we had resulted in us doing import "testing" in non-_test.go code, which made some downstreams like Kubernetes unhappy. This has been fixed. (#32)

Thanks to all of the contributors who made this release possible:

Aleksa Sarai [email protected]

Stephen Kitt [email protected]

Signed-off-by: Aleksa Sarai [email protected]

v0.3.3

This release primarily includes fixes for spurious errors we hit when checking that directories created by MkdirAll "look right". Upon further consideration, these checks were fundamentally buggy and didn't offer any practical protection anyway.

The mode and owner verification logic in MkdirAll has been removed. This was originally intended to protect against some theoretical attacks but upon further consideration these protections don't actually buy us anything and they were causing spurious errors with more complicated filesystem setups.

The "is the created directory empty" logic in MkdirAll has also been removed. This was not causing us issues yet, but some pseudofilesystems (such as cgroup) create non-empty directories and so this logic would've been wrong for such cases.

Thanks to all of the contributors who made this release possible:

Aleksa Sarai [email protected]

Kir Kolyshkin [email protected]

Signed-off-by: Aleksa Sarai [email protected]

v0.3.2

This release includes a few fixes for MkdirAll when dealing with S_ISUID and S_ISGID, to solve a regression runc hit when switching to MkdirAll.

Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return an explicit error saying that those bits are ignored by mkdirat(2). In the past a different error was returned, but since the silent ignoring behaviour is codified in the man pages a more explicit error seems apt. While silently ignoring these bits would be the most compatible option, it could lead to users thinking their code sets these bits when it doesn't. Programs that need to deal with compatibility can mask the bits themselves. (#23, #25)

... (truncated)

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.3.4] - 2024-10-09

Fixed

Previously, some testing mocks we had resulted in us doing import "testing" in non-_test.go code, which made some downstreams like Kubernetes unhappy. This has been fixed. (#32)

[0.3.3] - 2024-09-30

Fixed

The mode and owner verification logic in MkdirAll has been removed. This was originally intended to protect against some theoretical attacks but upon further consideration these protections don't actually buy us anything and they were causing spurious errors with more complicated filesystem setups.

The "is the created directory empty" logic in MkdirAll has also been removed. This was not causing us issues yet, but some pseudofilesystems (such as cgroup) create non-empty directories and so this logic would've been wrong for such cases.

[0.3.2] - 2024-09-13

Changed

Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return an explicit error saying that those bits are ignored by mkdirat(2). In the past a different error was returned, but since the silent ignoring behaviour is codified in the man pages a more explicit error seems apt. While silently ignoring these bits would be the most compatible option, it could lead to users thinking their code sets these bits when it doesn't. Programs that need to deal with compatibility can mask the bits themselves. (#23, #25)

Fixed

If a directory has S_ISGID set, then all child directories will have S_ISGID set when created and a different gid will be used for any inode created under the directory. Previously, the "expected owner and mode" validation in securejoin.MkdirAll did not correctly handle this. We now correctly handle this case. (#24, #25)

[0.3.1] - 2024-07-23

Changed

By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll to do the necessary "partial lookups", Open(at)InRoot now does less work for both implementations (resulting in a many-fold decrease in the number of operations for openat2, and a modest improvement for non-openat2) and is far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT) behaviour.

We now use readlinkat(fd, "") where possible. For Open(at)InRoot this effectively just means that we no longer risk getting spurious errors during rename races. However, for our hardened procfs handler, this in theory should prevent mount attacks from tricking us when doing magic-link readlinks (even

... (truncated)

Commits

fd16ade VERSION: release v0.3.4
00e0710 godoc: update package documentation
0cd6be1 README: fix reference to open_tree kernel requirements
205046f README: add pkg.go.dev badge
ecb1b8e tests: procfs: clean up mock test hook
3ec6eed CHANGELOG: mention #32 fix
86e6182 merge #32 into cyphar/filepath-securejoin:main
6864912 Isolate the testing import in test code
4348fee openat: remove unused function
d0c7d67 merge #31 into cyphar/filepath-securejoin:main
Additional commits viewable in compare view

Updates github.com/fluxcd/helm-controller/api from 1.0.1 to 1.1.0

Release notes

Sourced from github.com/fluxcd/helm-controller/api's releases.

v1.1.0

Changelog

v1.1.0 changelog

Container images

docker.io/fluxcd/helm-controller:v1.1.0

ghcr.io/fluxcd/helm-controller:v1.1.0

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/helm-controller/api's changelog.

1.1.0

Release date: 2024-09-26

This minor release comes with various bug fixes and improvements.

The chart values schema validation can now be disabled for install and upgrade actions by setting disableSchemaValidation under .spec.install and .spec.upgrade of a HelmRelease object.

HelmReleases that result in failure during uninstall will now be retried until the uninstall succeeds without any error. See handling failed uninstall docs for various remediations based on the cause of the failure.

helm-controller in sharded deployment configuration now supports cross-shard dependency check. This allows a HelmRelease to depend on other HelmReleases managed by different controller shards.

In addition, the Kubernetes dependencies have been updated to v1.31.1, Helm has been updated to v3.16.1 and various other controller dependencies have been updated to their latest version. The controller is now built with Go 1.23.

Fixes:

fix: remove digest check to never ignore helm uninstall errors #1024

Allow overwriting inline values with targetPath #1060

Fix incorrect use of format strings with the conditions package #1025

Re-enable logging json patch on StatusDrifted #1010

Ignore 'v' version prefix in OCI artifact and Helm chart #990

doc: fix HelmRelease default value for .spec.upgrade.crds #986

Improvements:

Allow cross-shard dependency check #1070

Add disableSchemaValidation to Helm install/upgrade actions #1068

Update Helm to v3.16.1 and enable the adoption of existing resources #1062

Build with Go 1.23 #1049

Various dependency updates

... (truncated)

Commits

44247e2 Merge pull request #1074 from fluxcd/release-v1.1.0
d1a931a Release v1.1.0
037bc86 Add changelog entry for v1.1.0
b0010b0 Merge pull request #1070 from fluxcd/deps-api-reader
72ec296 Allow cross-shard dependency check
c71258e Merge pull request #1073 from fluxcd/update-sc
e3ab7ce Update source-controller to v1.4.1
2e3efaf Merge pull request #1072 from fluxcd/dependabot/github_actions/ci-74c3fc3a14
2932347 Bump the ci group across 1 directory with 2 updates
18d2406 Merge pull request #1071 from fluxcd/deps-update
Additional commits viewable in compare view

Updates github.com/fluxcd/kustomize-controller/api from 1.3.0 to 1.4.0

Release notes

Sourced from github.com/fluxcd/kustomize-controller/api's releases.

v1.4.0

Changelog

v1.4.0 changelog

Container images

docker.io/fluxcd/kustomize-controller:v1.4.0

ghcr.io/fluxcd/kustomize-controller:v1.4.0

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/kustomize-controller/api's changelog.

1.4.0

Release date: 2024-09-27

This minor release comes with various bug fixes and improvements.

kustomize-controller in sharded deployment configuration now supports cross-shard dependency check. This allows a Kustomization to depend on other Kustomizations managed by different controller shards.

In addition, the Kubernetes dependencies have been updated to v1.31.1 and various other controller dependencies have been updated to their latest version. The controller is now built with Go 1.23.

Fixes:

Fix incorrect use of format strings with the conditions package. #1198

Improvements:

Update Bucket API to v1 #1253

Allow cross-shard dependency check #1248

docs: Clarify .spec.decryption.secretRef usage #1242

Build with Go 1.23 #1230

Various dependency updates #1165 #1181 #1212 #1228 #1229 #1233 #1239 #1240 #1243 #1249 #1250 #1251

Commits

527ec3e Merge pull request #1254 from fluxcd/release-v1.4.0
cecc445 Release v1.4.0
02ab2eb Add changelog entry for v1.4.0
72ae7db Merge pull request #1253 from fluxcd/update-bucketv1
3d87349 Update Bucket API to v1
1d1a06b Merge pull request #1251 from fluxcd/update-sc
8e39f7b Update source-controller to v1.4.1
0d28f0f Merge pull request #1248 from fluxcd/deps-api-reader
1899e6c Merge pull request #1250 from fluxcd/dependabot/github_actions/ci-74c3fc3a14
0add02b Merge pull request #1249 from fluxcd/deps-update
Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/apis/event from 0.9.0 to 0.10.1

Commits

196a3ba Merge pull request #93 from fluxcd/fix-le
98bdf3b Set leader election Lease duration to 35s
1d56dd8 Merge pull request #92 from fluxcd/leaderelection-options
c294d46 Add leader election config to runtime
8ef4a8f Merge pull request #91 from SomtochiAma/record-deepcopy
9a29a95 Generate deepcopy method for event
276ad93 Merge pull request #90 from SomtochiAma/runtime-suspend
4efd97c Uses suspendGuage
ec8435e Merge pull request #89 from fluxcd/controller-runtime-v0.8.3
f879c7e Update controller-runtime to v0.8.3
Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/apis/meta from 1.5.0 to 1.6.1

Commits

c8165af Merge pull request #809 from fluxcd/k8s-1.31.1
18924bf Update controller-gen to v0.16.1
735a85b Update dependencies
62475f1 Merge pull request #789 from dipti-pai/pkg-azure-git-wi-auth
1686996 Support Azure OIDC authentication
a2a7a01 Merge pull request #808 from matheuscscp/oci-auth-proxy
8b5c43a Add proxy support for oci/auth login
d467d6e Merge pull request #807 from fluxcd/dependabot/github_actions/ci-6f7028051e
a6b58a7 build(deps): bump the ci group with 2 updates
f0eb8aa Merge pull request #806 from fluxcd/dependabot/github_actions/ci-fc48fdf541
Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/http/fetch from 0.11.0 to 0.12.1

Commits

80ab4c3 Merge pull request #564 from fluxcd/update-deps
4759e6d runtime: update dependencies
403e3b1 version: update dependencies
7ff5151 ssh: update dependencies
1e5fbd8 ssa: update dependencies
1dd8df2 oci/tests/integration: update dependencies
31f7fe3 oci: update dependencies
f94edcc kustomize: update dependencies
51f7565 http/fetch: update dependencies
90957c7 helmtestserver: update dependencies
Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/kustomize from 1.11.0 to 1.13.0

Commits

7b3f43c Merge pull request #803 from fluxcd/controller-runtime-v0.19.0
da3ccfe Update sigs.k8s.io/controller-runtime to v0.19.0
bd579fc Merge pull request #802 from fluxcd/k8s-1.31-internal
c06927b Update internal packages
be8df7e Merge pull request #801 from fluxcd/k8s-1.31
76035f8 Update Helm to v3.15.4
3f5cf4c Build with Go 1.23
4b90241 Update dependencies to Kubernetes v1.31.0
0e61a3b Merge pull request #799 from fluxcd/dependabot/github_actions/ci-9f4b007c5b
6bf4bad build(deps): bump the ci group with 4 updates
Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/runtime from 0.47.1 to 0.49.1

Commits

7fe9789 Merge pull request #810 from fluxcd/up-int-deps
f674386 Update internal dependencies
c8165af Merge pull request #809 from fluxcd/k8s-1.31.1
18924bf Update controller-gen to v0.16.1
735a85b Update dependencies
62475f1 Merge pull request #789 from dipti-pai/pkg-azure-git-wi-auth
1686996 Support Azure OIDC authentication
a2a7a01 Merge pull request #808 from matheuscscp/oci-auth-proxy
8b5c43a Add proxy support for oci/auth login
d467d6e Merge pull request #807 from fluxcd/dependabot/github_actions/ci-6f7028051e
Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/tar from 0.7.0 to 0.8.0

Commits

7ef01b0 Merge pull request #442 from blurpy/feature/git_bearer_token
659695f Add back support for passphrase protected ssh keys
767e771 Validate that basic auth and bearer token cannot be set at the same time
cbf091c Add test to verify that username from Secret is preferred
b6c6888 Refactor of NewAuthOptions to only fill the auth options that are relevant
fef9d6a Add more test scenarios for NewAuthOptions
9b9b723 Validate that bearer token is not used over http
04d0d48 Add some quick tests of basic auth in client.validateUrl()
a451505 Support specifying bearerToken for git http token authentication.
bfb6385 Merge pull request #448 from fluxcd/e2e-ux
Additional commits viewable in compare view

Updates github.com/fluxcd/source-controller/api from 1.3.0 to 1.4.1

Release notes

Sourced from github.com/fluxcd/source-controller/api's releases.

v1.4.1

Changelog

v1.4.1 changelog

Container images

docker.io/fluxcd/source-controller:v1.4.1

ghcr.io/fluxcd/source-controller:v1.4.1

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

v1.4.0

Changelog

v1.4.0 changelog

Container images

docker.io/fluxcd/source-controller:v1.4.0

ghcr.io/fluxcd/source-controller:v1.4.0

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/source-controller/api's changelog.

1.4.1

Release date: 2024-09-26

This patch release comes with a fix to the GitRepository API to keep it backwards compatible by removing the default value for .spec.provider field when not set in the API. The controller will internally consider an empty value for the provider as the generic provider.

Fix:

GitRepo: Remove provider default value from API #1626

1.4.0

Release date: 2024-09-25

This minor release promotes the Bucket API to GA, and comes with new features, improvements and bug fixes.

Bucket

The Bucket API has been promoted from v1beta2 to v1 (GA). The v1 API is backwards compatible with v1beta2.

Bucket API now supports proxy through the field .spec.proxySecretRef and custom TLS client certificate and CA through the field .spec.certSecretRef.

Bucket API now also supports specifying a custom STS configuration through the field .spec.sts. This is currently only supported for the providers generic and aws. When specifying a custom STS configuration one must specify which STS provider to use. For the generic bucket provider we support the ldap STS provider, and for the aws bucket provider we support the aws STS provider. For the aws STS provider, one may use the default main STS endpoint, or the regional STS endpoints, or even an interface endpoint.

OCIRepository

OCIRepository API now supports proxy through the field .spec.proxySecretRef.

Warning: Proxy is not supported for cosign keyless verification.

GitRepository

GitRepository API now supports OIDC authentication for Azure DevOps repositories through the field .spec.provider using the value azure. See the docs for details here.

In addition, the Kubernetes dependencies have been updated to v1.31.1, Helm has been updated to v3.16.1 and various other controller dependencies have been updated to their latest version. The controller is now built with Go 1.23.

Fixes:

helm: Use the default transport pool to preserve proxy settings #1490

Fix incorrect use of format strings with the conditions package. #1529

Fix HelmChart local dependency resolution for name-based path #1539

... (truncated)

Commits

50035c6 Merge pull request #1628 from fluxcd/release-v1.4.1
c2b6b39 Release v1.4.1
a2658ba Add changelog entry for v1.4.1
a485ed4 Merge pull request #1627 from fluxcd/backport-1626-to-release/v1.4.x
0e4f558 GitRepo: Remove provider default value from API
e6e2b15 Merge pull request #1620 from fluxcd/release-v1.4.0
e920838 Release v1.4.0
c796f52 Add changelog entry for v1.4.0
03889fe Merge pull request #1618 from fluxcd/dependabot/go_modules/go-deps-a9e873101f
32bc10cDescription has been truncated

Bumps the go group with 26 updates: | Package | From | To | | --- | --- | --- | | cuelang.org/go | `0.9.0` | `0.10.1` | | [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) | `3.2.1` | `3.3.0` | | [github.com/containers/image/v5](https://github.com/containers/image) | `5.31.0` | `5.33.0` | | [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) | `0.2.5` | `0.3.4` | | [github.com/fluxcd/helm-controller/api](https://github.com/fluxcd/helm-controller) | `1.0.1` | `1.1.0` | | [github.com/fluxcd/kustomize-controller/api](https://github.com/fluxcd/kustomize-controller) | `1.3.0` | `1.4.0` | | [github.com/fluxcd/pkg/apis/event](https://github.com/fluxcd/pkg) | `0.9.0` | `0.10.1` | | [github.com/fluxcd/pkg/apis/meta](https://github.com/fluxcd/pkg) | `1.5.0` | `1.6.1` | | [github.com/fluxcd/pkg/http/fetch](https://github.com/fluxcd/pkg) | `0.11.0` | `0.12.1` | | [github.com/fluxcd/pkg/kustomize](https://github.com/fluxcd/pkg) | `1.11.0` | `1.13.0` | | [github.com/fluxcd/pkg/runtime](https://github.com/fluxcd/pkg) | `0.47.1` | `0.49.1` | | [github.com/fluxcd/pkg/tar](https://github.com/fluxcd/pkg) | `0.7.0` | `0.8.0` | | [github.com/fluxcd/source-controller/api](https://github.com/fluxcd/source-controller) | `1.3.0` | `1.4.1` | | [github.com/mandelsoft/vfs](https://github.com/mandelsoft/vfs) | `0.4.3` | `0.4.4` | | [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.33.1` | `1.34.2` | | [github.com/tetratelabs/wazero](https://github.com/tetratelabs/wazero) | `1.7.2` | `1.8.1` | | [golang.org/x/exp](https://github.com/golang/exp) | `0.0.0-20240604190554-fc45aab8b7f8` | `0.0.0-20241009180824-f66d83c29e7c` | | [helm.sh/helm/v3](https://github.com/helm/helm) | `3.15.1` | `3.16.2` | | [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.30.1` | `0.31.1` | | [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.30.1` | `0.31.1` | | [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) | `0.18.4` | `0.19.0` | | [sigs.k8s.io/e2e-framework](https://github.com/kubernetes-sigs/e2e-framework) | `0.2.0` | `0.5.0` | | [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) | `0.17.2` | `0.17.3` | | [github.com/mikefarah/yq/v4](https://github.com/mikefarah/yq) | `4.44.1` | `4.44.3` | | [k8s.io/api](https://github.com/kubernetes/api) | `0.30.1` | `0.31.1` | | [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) | `0.30.1` | `0.31.1` | Updates `cuelang.org/go` from 0.9.0 to 0.10.1 Updates `github.com/Masterminds/semver/v3` from 3.2.1 to 3.3.0 - [Release notes](https://github.com/Masterminds/semver/releases) - [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md) - [Commits](Masterminds/semver@v3.2.1...v3.3.0) Updates `github.com/containers/image/v5` from 5.31.0 to 5.33.0 - [Release notes](https://github.com/containers/image/releases) - [Commits](containers/image@v5.31.0...v5.33.0) Updates `github.com/cyphar/filepath-securejoin` from 0.2.5 to 0.3.4 - [Release notes](https://github.com/cyphar/filepath-securejoin/releases) - [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md) - [Commits](cyphar/filepath-securejoin@v0.2.5...v0.3.4) Updates `github.com/fluxcd/helm-controller/api` from 1.0.1 to 1.1.0 - [Release notes](https://github.com/fluxcd/helm-controller/releases) - [Changelog](https://github.com/fluxcd/helm-controller/blob/main/CHANGELOG.md) - [Commits](fluxcd/helm-controller@v1.0.1...v1.1.0) Updates `github.com/fluxcd/kustomize-controller/api` from 1.3.0 to 1.4.0 - [Release notes](https://github.com/fluxcd/kustomize-controller/releases) - [Changelog](https://github.com/fluxcd/kustomize-controller/blob/main/CHANGELOG.md) - [Commits](fluxcd/kustomize-controller@v1.3.0...v1.4.0) Updates `github.com/fluxcd/pkg/apis/event` from 0.9.0 to 0.10.1 - [Commits](fluxcd/pkg@git/v0.9.0...runtime/v0.10.1) Updates `github.com/fluxcd/pkg/apis/meta` from 1.5.0 to 1.6.1 - [Commits](fluxcd/pkg@apis/meta/v1.5.0...apis/meta/v1.6.1) Updates `github.com/fluxcd/pkg/http/fetch` from 0.11.0 to 0.12.1 - [Commits](fluxcd/pkg@git/v0.11.0...git/v0.12.1) Updates `github.com/fluxcd/pkg/kustomize` from 1.11.0 to 1.13.0 - [Commits](fluxcd/pkg@kustomize/v1.11.0...kustomize/v1.13.0) Updates `github.com/fluxcd/pkg/runtime` from 0.47.1 to 0.49.1 - [Commits](fluxcd/pkg@runtime/v0.47.1...runtime/v0.49.1) Updates `github.com/fluxcd/pkg/tar` from 0.7.0 to 0.8.0 - [Commits](fluxcd/pkg@git/v0.7.0...git/v0.8.0) Updates `github.com/fluxcd/source-controller/api` from 1.3.0 to 1.4.1 - [Release notes](https://github.com/fluxcd/source-controller/releases) - [Changelog](https://github.com/fluxcd/source-controller/blob/main/CHANGELOG.md) - [Commits](fluxcd/source-controller@v1.3.0...v1.4.1) Updates `github.com/mandelsoft/vfs` from 0.4.3 to 0.4.4 - [Release notes](https://github.com/mandelsoft/vfs/releases) - [Commits](mandelsoft/vfs@v0.4.3...v0.4.4) Updates `github.com/onsi/gomega` from 1.33.1 to 1.34.2 - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.33.1...v1.34.2) Updates `github.com/tetratelabs/wazero` from 1.7.2 to 1.8.1 - [Release notes](https://github.com/tetratelabs/wazero/releases) - [Commits](tetratelabs/wazero@v1.7.2...v1.8.1) Updates `golang.org/x/exp` from 0.0.0-20240604190554-fc45aab8b7f8 to 0.0.0-20241009180824-f66d83c29e7c - [Commits](https://github.com/golang/exp/commits) Updates `helm.sh/helm/v3` from 3.15.1 to 3.16.2 - [Release notes](https://github.com/helm/helm/releases) - [Commits](helm/helm@v3.15.1...v3.16.2) Updates `k8s.io/apimachinery` from 0.30.1 to 0.31.1 - [Commits](kubernetes/apimachinery@v0.30.1...v0.31.1) Updates `k8s.io/client-go` from 0.30.1 to 0.31.1 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.30.1...v0.31.1) Updates `sigs.k8s.io/controller-runtime` from 0.18.4 to 0.19.0 - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.18.4...v0.19.0) Updates `sigs.k8s.io/e2e-framework` from 0.2.0 to 0.5.0 - [Release notes](https://github.com/kubernetes-sigs/e2e-framework/releases) - [Changelog](https://github.com/kubernetes-sigs/e2e-framework/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/e2e-framework@v0.2.0...v0.5.0) Updates `sigs.k8s.io/kustomize/api` from 0.17.2 to 0.17.3 - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases) - [Commits](kubernetes-sigs/kustomize@api/v0.17.2...api/v0.17.3) Updates `github.com/mikefarah/yq/v4` from 4.44.1 to 4.44.3 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](mikefarah/yq@v4.44.1...v4.44.3) Updates `k8s.io/api` from 0.30.1 to 0.31.1 - [Commits](kubernetes/api@v0.30.1...v0.31.1) Updates `k8s.io/apiextensions-apiserver` from 0.30.1 to 0.31.1 - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](kubernetes/apiextensions-apiserver@v0.30.1...v0.31.1) --- updated-dependencies: - dependency-name: cuelang.org/go dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/Masterminds/semver/v3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/containers/image/v5 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/cyphar/filepath-securejoin dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fluxcd/helm-controller/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fluxcd/kustomize-controller/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fluxcd/pkg/apis/event dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fluxcd/pkg/apis/meta dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fluxcd/pkg/http/fetch dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fluxcd/pkg/kustomize dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fluxcd/pkg/runtime dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fluxcd/pkg/tar dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/fluxcd/source-controller/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/mandelsoft/vfs dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/tetratelabs/wazero dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: golang.org/x/exp dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: sigs.k8s.io/e2e-framework dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: sigs.k8s.io/kustomize/api dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/mikefarah/yq/v4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: k8s.io/apiextensions-apiserver dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-11-10T15:34:12Z

Mend Scan Summary: ❌

Repository: open-component-model/ocm-controller

VIOLATION DESCRIPTION	NUMBER OF VIOLATIONS
HIGH/CRITICAL SECURITY VULNERABILITIES	4
MAJOR UPDATES AVAILABLE	0
LICENSE REQUIRES REVIEW	0
LICENSE RISK HIGH	9
RESTRICTED LICENSE FOR ON-PREMISE DELIVERY	0

Detailed Logs: mend-scan-> Generate Report
Mend UI

dependabot bot requested a review from a team as a code owner November 10, 2024 15:32

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Nov 10, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the go group with 26 updates #552

chore(deps): bump the go group with 26 updates #552

dependabot bot commented on behalf of github Nov 10, 2024

github-actions bot commented Nov 10, 2024

chore(deps): bump the go group with 26 updates #552

Are you sure you want to change the base?

chore(deps): bump the go group with 26 updates #552

Conversation

dependabot bot commented on behalf of github Nov 10, 2024

v3.3.0

What's Changed

New Contributors

3.3.0 (2024-08-27)

Added

Changed

v5.33.0

What's Changed

v0.3.4

v0.3.3

v0.3.2

[0.3.4] - 2024-10-09

Fixed

[0.3.3] - 2024-09-30

Fixed

[0.3.2] - 2024-09-13

Changed

Fixed

[0.3.1] - 2024-07-23

Changed

v1.1.0

Changelog

Container images

1.1.0

v1.4.0

Changelog

Container images

1.4.0

v1.4.1

Changelog

Container images

v1.4.0

Changelog

Container images

1.4.1

1.4.0

Bucket

OCIRepository

GitRepository

github-actions bot commented Nov 10, 2024

Mend Scan Summary: ❌

Repository: open-component-model/ocm-controller