Bump the go-deps group across 1 directory with 8 updates

[dependabot]

Bumps the go-deps group with 8 updates in the / directory:

Package	From	To
github.com/ProtonMail/go-crypto	1.1.3	1.1.5
github.com/cyphar/filepath-securejoin	0.3.5	0.4.0
github.com/fluxcd/pkg/apis/event	0.13.0	0.15.0
github.com/go-git/go-billy/v5	5.6.0	5.6.2
github.com/go-git/go-git/v5	5.12.0	5.13.1
github.com/google/go-containerregistry	0.20.2	0.20.3
github.com/onsi/gomega	1.36.1	1.36.2
github.com/otiai10/copy	1.14.0	1.14.1

Updates github.com/ProtonMail/go-crypto from 1.1.3 to 1.1.5

Release notes

Sourced from github.com/ProtonMail/go-crypto's releases.

Release v1.1.5

What's Changed

• Check binding signature details against primary key by @​twiss in ProtonMail/go-crypto#264

Full Changelog: ProtonMail/go-crypto@v1.1.4...v1.1.5

Release v1.1.5-proton

What's Changed

This release is v1.1.5 with support for the following non-standardized features:

• Presistent symmetric keys draft-ietf-openpgp-persistent-symmetric-keys-00
• Automatic forwarding draft-wussler-openpgp-forwarding-00
• Post-quantum algorithms draft-ietf-openpgp-pqc

Release v1.1.4

What's Changed

• Emit armor headers in sorted order by @​andrewgdotcom in ProtonMail/go-crypto#255
• Reduce memory usage when AEAD en/decrypting large messages by @​twiss in ProtonMail/go-crypto#259
• Update artifact actions to v4 by @​twiss in ProtonMail/go-crypto#260

Full Changelog: ProtonMail/go-crypto@v1.1.3...v1.1.4

Release v1.1.4-proton

What's Changed

This release is v1.1.4 with support for the following non-standardized features:

• Presistent symmetric keys draft-ietf-openpgp-persistent-symmetric-keys-00
• Automatic forwarding draft-wussler-openpgp-forwarding-00
• Post-quantum algorithms draft-ietf-openpgp-pqc

Commits

• d703f49 Check binding signature details against primary key (#264)
• 72cacd5 ci: Update openpgp-interop-test-analyzer to v2.1.0 (#243)
• 3de0301 Update artifact actions to v4 (#260)
• be3aef0 Merge pull request #259 from ProtonMail/less-memory-large-msgs
• 1fd5ec8 Add tests for reusing buffer in OCB en/decryption
• df3ee02 Buffer decrypted bytes more efficiently
• 04cfaf2 Reuse plaintext slice for ciphertext when encrypting
• fee7824 Reuse ciphertext slice for plaintext when decrypting
• 6fa7f91 Preallocate the chunk size rather than buffering
• add07bd Don't allocate the nonce for each chunk
• Additional commits viewable in compare view

Updates github.com/cyphar/filepath-securejoin from 0.3.5 to 0.4.0

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.4.0

This release primarily includes a few minor breaking changes to make the MkdirAll and SecureJoin interfaces more robust against accidental misuse.

• SecureJoin(VFS) will now return an error if the provided root is not a filepath.Clean'd path.

  While it is ultimately the responsibility of the caller to ensure the root is a safe path to use, passing a path like /symlink/.. as a root would result in the SecureJoin'd path being placed in / even though /symlink/.. might be a different directory, and so we should more strongly discourage such usage.

  All major users of securejoin.SecureJoin already ensure that the paths they provide are safe (and this is ultimately a question of user error), but removing this foot-gun is probably a good idea. Of course, this is necessarily a breaking API change (though we expect no real users to be affected by it).

  Thanks to Erik Sjölund, who initially reported this issue as a possible security issue.

• MkdirAll and MkdirHandle now take an os.FileMode-style mode argument instead of a raw unix.S_*-style mode argument, which may cause compile-time type errors depending on how you use filepath-securejoin. For most users, there will be no change in behaviour aside from the type change (as the bottom 0o777 bits are the same in both formats, and most users are probably only using those bits).

  However, if you were using unix.S_ISVTX to set the sticky bit with MkdirAll(Handle) you will need to switch to os.ModeSticky otherwise you will get a runtime error with this update. In addition, the error message you will get from passing unix.S_ISUID and unix.S_ISGID will be different as they are treated as invalid bits now (note that previously passing said bits was also an error).

Thanks to the following contributors for helping make this release possible:

• Aleksa Sarai [email protected]
• Erik Sjölund [email protected]

Signed-off-by: Aleksa Sarai [email protected]

v0.3.6

This release lowers the minimum Go version to Go 1.18 as well as some library dependencies, in order to make it easier for folks that need to backport patches using the new filepath-securejoin API onto branches

... (truncated)

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.4.0] - 2025-01-13

Breaking

• SecureJoin(VFS) will now return an error if the provided root is not a filepath.Clean'd path.

  While it is ultimately the responsibility of the caller to ensure the root is a safe path to use, passing a path like /symlink/.. as a root would result in the SecureJoin'd path being placed in / even though /symlink/.. might be a different directory, and so we should more strongly discourage such usage.

  All major users of securejoin.SecureJoin already ensure that the paths they provide are safe (and this is ultimately a question of user error), but removing this foot-gun is probably a good idea. Of course, this is necessarily a breaking API change (though we expect no real users to be affected by it).

  Thanks to Erik Sjölund, who initially reported this issue as a possible security issue.

• MkdirAll and MkdirHandle now take an os.FileMode-style mode argument instead of a raw unix.S_*-style mode argument, which may cause compile-time type errors depending on how you use filepath-securejoin. For most users, there will be no change in behaviour aside from the type change (as the bottom 0o777 bits are the same in both formats, and most users are probably only using those bits).

  However, if you were using unix.S_ISVTX to set the sticky bit with MkdirAll(Handle) you will need to switch to os.ModeSticky otherwise you will get a runtime error with this update. In addition, the error message you will get from passing unix.S_ISUID and unix.S_ISGID will be different as they are treated as invalid bits now (note that previously passing said bits was also an error).

[0.3.6] - 2024-12-17

Compatibility

• The minimum Go version requirement for filepath-securejoin is now Go 1.18 (we use generics internally).

  For reference, [email protected] somewhat-arbitrarily bumped the Go version requirement to 1.21.

  While we did make some use of Go 1.21 stdlib features (and in principle Go versions <= 1.21 are no longer even supported by upstream anymore), some downstreams have complained that the version bump has meant that they have to do workarounds when backporting fixes that use the new filepath-securejoin API onto old branches. This is not an ideal situation, but since using this library is probably better for most downstreams than a hand-rolled

... (truncated)

Commits

• 9a17e6b VERSION: release v0.4.0
• e410d4a merge #44 into cyphar/filepath-securejoin:main
• ea4e5b6 gha: add GOARCH=386 build check
• 0c2fbe6 mkdirall: switch to os.FileMode argument
• f3a512c merge #43 into cyphar/filepath-securejoin:main
• bc750ad join: return an error if root is unclean path
• 1be4136 gha: always check for latest Go release
• b498783 merge #38 into cyphar/filepath-securejoin:main
• 682d3ad VERSION: back to development
• 200008e VERSION: release v0.3.6
• Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/apis/event from 0.13.0 to 0.15.0

Commits

• cc785fa Merge pull request #686 from fluxcd/k8s-1.28
• 1d7d31b all: Group github.com/fluxcd/cli-utils imports
• 09ba5d8 runtime: Add pprof.GetHandlers to help setup the metrics server
• 768085d runtime: Update sigs.k8s.io/controller-runtime to v0.16.3
• 2e007cb ssa: Update Kubernetes to v1.28.4
• e7686cf kustomize: Update Kustomize to v5.2.1
• 3be575d oci: Update sigs.k8s.io/controller-runtime to v0.16.3
• 7f72436 helmtestserver: Update Helm to v3.13.2
• fe543f5 git: Update golang.org/x/crypto to v0.15.0
• 129adfd apis: Update Kubernetes to v1.28
• Additional commits viewable in compare view

Updates github.com/go-git/go-billy/v5 from 5.6.0 to 5.6.2

Release notes

Sourced from github.com/go-git/go-billy/v5's releases.

v5.6.2

What's Changed

• Enable the iofs adapter to also return other interfaces from io/fs by @​JAORMX in go-git/go-billy#102
• build: Bump dependencies by @​pjbgf in go-git/go-billy#103

New Contributors

• @​JAORMX made their first contribution in go-git/go-billy#102

Full Changelog: go-git/go-billy@v5.6.1...v5.6.2

v5.6.1

What's Changed

• build: bump github/codeql-action from 3.26.11 to 3.27.0 by @​dependabot in go-git/go-billy#88
• build: bump github/codeql-action from 3.27.0 to 3.27.1 by @​dependabot in go-git/go-billy#89
• build: bump github/codeql-action from 3.27.1 to 3.27.4 by @​dependabot in go-git/go-billy#90
• build: bump github/codeql-action from 3.27.4 to 3.27.5 by @​dependabot in go-git/go-billy#91
• Bump dependencies and build housekeeping by @​pjbgf in go-git/go-billy#95

Full Changelog: go-git/go-billy@v5.6.0...v5.6.1

Commits

• 9f8b16d Merge pull request #103 from pjbgf/bump-deps
• 783f58c build: Bump dependencies
• 0009381 Merge pull request #102 from JAORMX/iofs-extra-interfaces-v5
• 21beb15 Enable the iofs adapter to also return other interfaces from io/fs
• a6c6b50 Merge pull request #95 from pjbgf/pre-release
• f4615d3 build: Remove test_js workflow
• ae8b61b build: Bump workflows Go versions
• b412339 build: Align dependabot settings with go-git
• d982317 build: Bump Go to 1.21 and dependencies
• 9ca623c Merge pull request #91 from go-git/dependabot/github_actions/github/codeql-ac...
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.12.0 to 5.13.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.13.1

What's Changed

• build: bump github.com/go-git/go-billy/v5 from 5.6.0 to 5.6.1 by @​dependabot in go-git/go-git#1327
• build: bump github.com/elazarl/goproxy from 1.2.1 to 1.2.2 by @​dependabot in go-git/go-git#1329
• build: bump github.com/elazarl/goproxy from 1.2.2 to 1.2.3 by @​dependabot in go-git/go-git#1340
• Revert "plumbing: transport/ssh, Add support for SSH @​cert-authority." by @​pjbgf in #1346

Full Changelog: go-git/go-git@v5.13.0...v5.13.1

v5.13.0

What's Changed

• build: bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 in /cli/go-git by @​dependabot in go-git/go-git#1065
• build: bump golang.org/x/net from 0.22.0 to 0.23.0 by @​dependabot in go-git/go-git#1068
• build: bump golang.org/x/net from 0.23.0 to 0.24.0 by @​dependabot in go-git/go-git#1071
• Properly support skipping of non-mandatory extensions by @​codablock in go-git/go-git#1066
• git: Refine some codes in test and non-test. by @​onee-only in go-git/go-git#1077
• plumbing: protocol/packp, client-side filter capability support by @​edigaryev in go-git/go-git#1000
• build: bump golang.org/x/net from 0.22.0 to 0.23.0 in /cli/go-git by @​dependabot in go-git/go-git#1078
• plumbing: fix sideband demux on flush by @​aymanbagabas in go-git/go-git#1084
• storage: dotgit, head reference usually comes first by @​aymanbagabas in go-git/go-git#1085
• build: bump golang.org/x/text from 0.14.0 to 0.15.0 by @​dependabot in go-git/go-git#1091
• build: bump golang.org/x/crypto from 0.22.0 to 0.23.0 by @​dependabot in go-git/go-git#1094
• build: bump golang.org/x/net from 0.24.0 to 0.25.0 by @​dependabot in go-git/go-git#1093
• git: Added an example for Repository.Branches by @​johnmatthiggins in go-git/go-git#1088
• git: worktree_commit, Modify checking empty commit. Fixes #723 by @​onee-only in go-git/go-git#1050
• plumbing: transport/http, Wrap http errors to return reason. Fixes #1097 by @​ggambetti in go-git/go-git#1100
• build: bump golang.org/x/sys from 0.20.0 to 0.21.0 by @​dependabot in go-git/go-git#1106
• build: bump golang.org/x/text from 0.15.0 to 0.16.0 by @​dependabot in go-git/go-git#1107
• Bumps Go versions and go-billy by @​pjbgf in go-git/go-git#1056
• _examples: Fixed a dead link COMPATIBILITY.md by @​gecko655 in go-git/go-git#1109
• build: bump github.com/jessevdk/go-flags from 1.5.0 to 1.6.1 in /cli/go-git by @​dependabot in go-git/go-git#1115
• build: bump github.com/elazarl/goproxy from v0.0.0-20230808193330-2592e75ae04a to v0.0.0-20240618083138-03be62527ccb by @​hbelmiro in go-git/go-git#1124
• build: bump golang.org/x/net from 0.25.0 to 0.26.0 by @​dependabot in go-git/go-git#1104
• Add option approximating git clean -x flag. by @​msuozzo in go-git/go-git#995
• Revert "Add option approximating git clean -x flag." by @​pjbgf in go-git/go-git#1129
• Fix reference updated concurrently error for the filesystem storer by @​Javier-varez in go-git/go-git#1116
• build: bump golang.org/x/net from 0.26.0 to 0.27.0 by @​dependabot in go-git/go-git#1134
• utils: merkletrie, Align error message with upstream by @​pjbgf in go-git/go-git#1142
• plumbing: transport/file, Change paths to absolute by @​pjbgf in go-git/go-git#1141
• plumbing: gitignore, Fix loading of ignored .gitignore files. by @​Achilleshiel in go-git/go-git#1114
• build: bump github.com/skeema/knownhosts from 1.2.2 to 1.3.0 by @​dependabot in go-git/go-git#1147
• plumbing: transport/ssh, Add support for SSH @​cert-authority. by @​Javier-varez in go-git/go-git#1157
• build: run example tests during CI workflow by @​crazybolillo in go-git/go-git#1030
• storage: filesystem, Fix object cache not working due to uninitialised objects being put into cache by @​SatelliteMind in go-git/go-git#1138
• git: Fix fetching missing commits by @​AriehSchneier in go-git/go-git#1032
• plumbing: format/packfile, remove duplicate checks in findMatch() by @​edigaryev in go-git/go-git#1152
• git: worktree, Fix file reported as Untracked while it is committed by @​rodrigocam in go-git/go-git#1023
• build: bump golang.org/x/sys from 0.22.0 to 0.23.0 by @​dependabot in go-git/go-git#1160
• plumbing: filemode, Remove check for setting size of .git/index file by @​nicholasSUSE in go-git/go-git#1159
• build: bump golang.org/x/net from 0.27.0 to 0.28.0 by @​dependabot in go-git/go-git#1163

... (truncated)

Commits

• b6bc0c0 Merge pull request #1346 from go-git/revert-1157-ja/knownHostsDb
• 42f9d6b Revert "plumbing: transport/ssh, Add support for SSH @​cert-authority."
• 88c7471 Merge pull request #1340 from go-git/dependabot/go_modules/github.com/elazarl...
• 2fae180 build: bump github.com/elazarl/goproxy from 1.2.2 to 1.2.3
• a0dfb09 Merge pull request #1329 from go-git/dependabot/go_modules/github.com/elazarl...
• 05ae621 Merge pull request #1327 from go-git/dependabot/go_modules/github.com/go-git/...
• b0d72b3 build: bump github.com/elazarl/goproxy from 1.2.1 to 1.2.2
• b77b83a build: bump github.com/go-git/go-billy/v5 from 5.6.0 to 5.6.1
• 94bd4af Merge pull request #1261 from BeChris/issue680
• 8b7f5ba Merge pull request #1262 from go-git/dependabot/go_modules/github.com/elazarl...
• Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.20.2 to 0.20.3

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.3

What's Changed

• remote/transport: Make bearer transport go-routine-safe by @​2opremio in google/go-containerregistry#1806
• Expose compare package by @​jonjohnsonjr in google/go-containerregistry#2001
• fix: redact.URL uses (*URL).Redacted to omit basic-auth password by @​bmoylan in google/go-containerregistry#1947
• bump actions to latest by @​ajayk in google/go-containerregistry#2011
• don't pin chainguard-dev/actions by @​imjasonh in google/go-containerregistry#2025
• Check for 406 status code when handling referrers API endpoint response by @​malancas in google/go-containerregistry#2026
• mutate: Create a defensive annotations copy by @​jonjohnsonjr in google/go-containerregistry#2030
• Detect zstd in crane append by @​jonjohnsonjr in google/go-containerregistry#2023
• bump deps using hack/bump-deps.sh by @​imjasonh in google/go-containerregistry#2042

New Contributors

• @​bmoylan made their first contribution in google/go-containerregistry#1947
• @​ajayk made their first contribution in google/go-containerregistry#2011
• @​malancas made their first contribution in google/go-containerregistry#2026

Full Changelog: google/go-containerregistry@v0.20.2...v0.20.3

Commits

• c4dd792 bump deps using hack/bump-deps.sh (#2042)
• 6bce25e Detect zstd in crane append (#2023)
• 06dcd85 mutate: Create a defensive annotations copy (#2030)
• a9a53a8 check for 406 status code when handling referrers endpoint response (#2026)
• 4630c40 don't pin chainguard-dev/actions (#2025)
• 808e354 bump actions to latest (#2011)
• a07d1ca fix: redact.URL uses (*URL).Redacted to omit basic-auth password (#1947)
• 00f182b Expose compare package (#2001)
• b8e87ed remote/transport: Make bearer transport go-routine-safe (#1806)
• See full diff in compare view

Updates github.com/onsi/gomega from 1.36.1 to 1.36.2

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.36.2

Maintenance

• Bump nokogiri from 1.16.3 to 1.16.5 in /docs by @​dependabot in onsi/gomega#757
• Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.22.1 by @​dependabot in onsi/gomega#808
• Bump golang.org/x/net from 0.30.0 to 0.33.0 by @​dependabot in onsi/gomega#807
• Bump google.golang.org/protobuf from 1.35.1 to 1.36.1 by @​dependabot in onsi/gomega#810

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.36.2

Maintenance

• Bump google.golang.org/protobuf from 1.35.1 to 1.36.1 (#810) [9a7609d]
• Bump golang.org/x/net from 0.30.0 to 0.33.0 (#807) [b6cb028]
• Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.22.1 (#808) [5756529]
• Bump nokogiri from 1.16.3 to 1.16.5 in /docs (#757) [dabc12e]

Commits

• bb0e550 v1.36.2
• 9a7609d Bump google.golang.org/protobuf from 1.35.1 to 1.36.1 (#810)
• b6cb028 Bump golang.org/x/net from 0.30.0 to 0.33.0 (#807)
• 5756529 Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.22.1 (#808)
• dabc12e Bump nokogiri from 1.16.3 to 1.16.5 in /docs (#757)
• See full diff in compare view

Updates github.com/otiai10/copy from 1.14.0 to 1.14.1

Commits

• 5ef5923 Revert "CopyMethod" since it's not ready
• 49b0b59 Merge pull request #164 from eth-p/feat-copymethod-api
• f530620 ci: Allow triggering Go workflow manually
• b4dd789 refactor: Split common code out of CopyBytes
• 9205813 feat: Add FileCopyMethod option / API
• 2f93b8f Merge pull request #159 from otiai10/dependabot/go_modules/main/golang.org/x/...
• 87072f3 Bump golang.org/x/sys from 0.23.0 to 0.24.0
• d0690cb Merge pull request #158 from otiai10/dependabot/go_modules/main/golang.org/x/...
• b87119d Bump golang.org/x/sys from 0.22.0 to 0.23.0
• 355527c Merge pull request #157 from otiai10/dependabot/go_modules/main/golang.org/x/...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Superseded by #830.