build(deps): bump the gomod group across 1 directory with 10 updates #2537

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/gomod-88f569212a
dependabot[bot] commented on behalf of github on May 19, 2026

Bumps the gomod group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| chainguard.dev/apko | `1.2.9` | `1.2.13` |
| github.com/chainguard-dev/yam | `0.2.58` | `0.2.60` |
| github.com/docker/cli | `29.4.2+incompatible` | `29.5.1+incompatible` |
| github.com/github/go-spdx/v2 | `2.6.0` | `2.7.0` |
| golang.org/x/crypto | `0.50.0` | `0.51.0` |

Updates chainguard.dev/apko from 1.2.9 to 1.2.13

Release notes

Sourced from chainguard.dev/apko's releases.

Release v1.2.13

Changelog

  • 22c16a5fb2b63b359f45a94c17c4112f68f106a7 build(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 in the go_modules group across 1 directory (#2222)
  • 7effda40c20b09ae48504570795194c03b542084 build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 (#2225)
  • de34d75657937b12c7e68f582b0cd0eede1753bd build(deps): bump go.step.sm/crypto from 0.77.9 to 0.78.0 (#2224)
  • f6032be57bb86dbec007f44c421f756429bf1591 build(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0 (#2221)
  • f85efc5fb8349355e3894a6742d17e0c5a4d4d3f build(deps): bump google.golang.org/api from 0.277.0 to 0.278.0 (#2223)
  • 2483b202dc8c8106dda974a07e3ae6e2013ba37c build(deps): bump gopkg.in/ini.v1 from 1.67.1 to 1.67.2 (#2218)
  • f693e828812fbe8b55c36f44111fff67a982a478 build(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2 (#2226)
  • 3e9c1ec21e073b836036fcfd78507a4a7bee2b81 cpio: add FromLayers for multi-layer CPIO archives (#2216)

Release v1.2.12

Changelog

  • b7931baa8cd8aa1718dcea63208eacebb27148d9 build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#2219)
  • 34a75306b40ee67508c6ce6ee34e447dd1454fec fix(ci): harden against template injection and credential exposure (#2217)

Release v1.2.11

Changelog

  • bfd6776788292e020d8cbee9928f441781af72c0 Tweak solver's same-origin heuristic (#2208)
  • 1564c07a4aa6a714b54c196e25a5c0f55d3a8f9b build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.17 (#2215)
  • 4700edf9b270a3941512c3e116ea0377aa33fa69 build(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6 (#2211)
  • b593d2c4d2940e227713c026acdb43e6abf93cbd build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 (#2213)
  • 9157b1ab4335afea3c85e62ae5b5a3b02705e83c build(deps): bump google.golang.org/api from 0.276.0 to 0.277.0 (#2212)
  • 0e4728d2007a54b94a0eb415a92018127c69d66f build(deps): bump k8s.io/apimachinery from 0.35.4 to 0.36.0 (#2189)
  • d81a5d4a622db7c1101b991e3ae596cc5ad5944b build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#2214)
  • 5644a414d21af5d077c96405f749b878699a3405 retry package fetch+expand on transient errors (#2210)

Release v1.2.10

Changelog

  • 0670f2240b7ef2904739fb8ad12580961cf970fd build(deps): bump go.step.sm/crypto from 0.77.2 to 0.77.9 (#2209)
  • eebbe627f86c584c3ff9df826411a2b33dca5ca6 build(deps): bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 (#2207)
Commits
  • 3e9c1ec cpio: add FromLayers for multi-layer CPIO archives (#2216)
  • de34d75 build(deps): bump go.step.sm/crypto from 0.77.9 to 0.78.0 (#2224)
  • 2483b20 build(deps): bump gopkg.in/ini.v1 from 1.67.1 to 1.67.2 (#2218)
  • f85efc5 build(deps): bump google.golang.org/api from 0.277.0 to 0.278.0 (#2223)
  • 7effda4 build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 (#2225)
  • f693e82 build(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2 (#2226)
  • 22c16a5 build(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 in the go...
  • f6032be build(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0 (#2221)
  • b7931ba build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#2219)
  • 34a7530 fix(ci): harden against template injection and credential exposure (#2217)
  • Additional commits viewable in compare view

Updates github.com/chainguard-dev/yam from 0.2.58 to 0.2.60

Commits
  • 9b5dbb0 build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.3 (#217)
  • 7211cd1 build(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.4 (#218)
  • ce3283c build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#214)
  • 9a1b2cb build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.19 (#215)
  • See full diff in compare view

Updates github.com/docker/cli from 29.4.2+incompatible to 29.5.1+incompatible

Commits
  • 2518b52 Merge pull request #6991 from mickael-docker/docs-clarify-authz
  • 9f18a0a docs: clarify authz content type
  • 2944fd1 Merge pull request #6989 from thaJeztah/bump_version
  • c41489a bump VERSION to v29.5.1-dev
  • 98f1464 Merge pull request #6988 from thaJeztah/make_shell
  • 50712c9 README: simplify instructions for using dev container
  • 653dc8f Merge pull request #6485 from paulchen5/6484-update-pull-request-template
  • 1394582 Merge pull request #6987 from thaJeztah/contributing_links
  • f99747b docs: fix stale links in CONTRIBUTING.md
  • ddac061 PR template: remove outdated contributing guide link
  • Additional commits viewable in compare view

Updates github.com/github/go-spdx/v2 from 2.6.0 to 2.7.0

Release notes

Sourced from github.com/github/go-spdx/v2's releases.

Release v2.7.0

Overview

This release makes one change:

  • new validation function that returns the normalized/deduped list of valid licenses

validate, normalize, and dedup licenses

A new function was added, ValidateAndNormalizeLicensesWithOptions. It is functionally equivalent to ValidateLicensesWithOptions with options:

  • FailComplexExpressions - rejects license that includes a conjunctive (e.g. "MIT AND Apache-2.0")
  • FailDeprecatedLicenses - rejects deprecated SPDX license identifiers (e.g. "eCos-2.0")
  • FailAllLicenseRefs - rejects all SPDX license references (e.g. "LicenseRef-MyLicense")
  • FailAllDocumentRefs - rejects all SPDX document references (e.g. "DocumentRef-MyDocument")

ValidateLicensesWithOptions returns a boolean indicating whether all licenses are valid (i.e. true) or one or more are invalid (i.e. false). It also returns a list of any licenses that were invalid.

ValidateAndNormalizeLicensesWithOptions does not return a boolean. It returns 2 lists. The first is the list of normalized valid licenses that have been deduped. The second is a list of any licenses that were invalid. If the invalid list is empty, then all licenses are valid.

Normalization and Deduping

licenses: `"mit", "apache-2.0"`
normalized: `"MIT", "Apache-2.0"`

licenses: `"mit", "MIT", " MIT ", "apache-2.0"`
normalized: `MIT, Apache-2.0`

What's Changed

  • add function ValidateAndNormalizeLicensesWithOptions (#149) @​elrayle
  • license updates (#146)

Full Changelog: github/go-spdx@v2.6.0...v2.7.0

Commits
  • 3c1ca93 Merge pull request #150 from github/v2.7.0-prep
  • 9a7907a update version in prep to release 2.7.0
  • 810a0d3 Merge pull request #146 from github/auto-update-licenses
  • 13a7257 Merge branch 'main' into auto-update-licenses
  • dbbda01 Merge pull request #149 from github/elr/normalize
  • 74a38f6 no need to test for allValid for ValidateAndNormalize
  • 7d11f4c do not dedup invalid licenses as this represents a behavior change
  • 7c92c07 fix formatting
  • 43cb893 Add ability to get normalized licenses when validating
  • 4508074 add function to reconstruct expressions
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.50.0 to 0.51.0

Commits
  • b8a14a8 go.mod: update golang.org/x dependencies
  • 9d9d507 x509roots/fallback/bundle: fix bundle test with Go 1.27+
  • fd0b90d acme: include Problem in OrderError.Error
  • b9e5359 pbkdf2: turn into a wrapper for crypto/pbkdf2
  • cc0e4fc hkdf: forward Extract to the standard library
  • a8e9237 x509roots/fallback: update bundle
  • See full diff in compare view

Updates golang.org/x/sys from 0.43.0 to 0.44.0

Commits
  • fb1facd windows: avoid uint16 overflow in NewNTUnicodeString
  • 94ad893 windows: add GetIfTable2Ex, GetIpInterface{Entry,Table}, GetUnicastIpAddressT...
  • 54fe89f cpu: use IsProcessorFeaturePresent to calculate ARM64 on windows
  • df7d5d7 unix: automatically remove container created by mkall.sh
  • 68a4a8e unix: avoid nil pointer dereference in Utime
  • 690c91f unix: add CPUSetDynamic for systems with more than 1024 CPUs
  • See full diff in compare view

Updates golang.org/x/term from 0.42.0 to 0.43.0

Commits

Updates golang.org/x/text from 0.36.0 to 0.37.0

Commits

Updates gopkg.in/ini.v1 from 1.67.1 to 1.67.2

Updates google.golang.org/protobuf from 1.36.11 to 1.36.12-0.20260120151049-f2248ac996af

dependabot[bot] added the `dependencies` (Pull requests that update a dependency file) and `go` (Pull requests that update Go code) labels on May 19, 2026

Bumps the gomod group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [chainguard.dev/apko](https://github.com/chainguard-dev/apko) | `1.2.9` | `1.2.13` |
| [github.com/chainguard-dev/yam](https://github.com/chainguard-dev/yam) | `0.2.58` | `0.2.60` |
| [github.com/docker/cli](https://github.com/docker/cli) | `29.4.2+incompatible` | `29.5.1+incompatible` |
| [github.com/github/go-spdx/v2](https://github.com/github/go-spdx) | `2.6.0` | `2.7.0` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.50.0` | `0.51.0` |



Updates `chainguard.dev/apko` from 1.2.9 to 1.2.13
- [Release notes](https://github.com/chainguard-dev/apko/releases)
- [Changelog](https://github.com/chainguard-dev/apko/blob/main/NEWS.md)
- [Commits](chainguard-dev/apko@v1.2.9...v1.2.13)

Updates `github.com/chainguard-dev/yam` from 0.2.58 to 0.2.60
- [Commits](chainguard-dev/yam@v0.2.58...v0.2.60)

Updates `github.com/docker/cli` from 29.4.2+incompatible to 29.5.1+incompatible
- [Commits](docker/cli@v29.4.2...v29.5.1)

Updates `github.com/github/go-spdx/v2` from 2.6.0 to 2.7.0
- [Release notes](https://github.com/github/go-spdx/releases)
- [Commits](github/go-spdx@v2.6.0...v2.7.0)

Updates `golang.org/x/crypto` from 0.50.0 to 0.51.0
- [Commits](golang/crypto@v0.50.0...v0.51.0)

Updates `golang.org/x/sys` from 0.43.0 to 0.44.0
- [Commits](golang/sys@v0.43.0...v0.44.0)

Updates `golang.org/x/term` from 0.42.0 to 0.43.0
- [Commits](golang/term@v0.42.0...v0.43.0)

Updates `golang.org/x/text` from 0.36.0 to 0.37.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.36.0...v0.37.0)

Updates `gopkg.in/ini.v1` from 1.67.1 to 1.67.2

Updates `google.golang.org/protobuf` from 1.36.11 to 1.36.12-0.20260120151049-f2248ac996af

---
updated-dependencies:
- dependency-name: chainguard.dev/apko
  dependency-version: 1.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/chainguard-dev/yam
  dependency-version: 0.2.60
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/docker/cli
  dependency-version: 29.5.1+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/github/go-spdx/v2
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-version: 0.51.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/sys
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/term
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/text
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.12-0.20260120151049-f2248ac996af
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: gopkg.in/ini.v1
  dependency-version: 1.67.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] force-pushed the dependabot/go_modules/gomod-88f569212a branch from aec7bea to f9eefb9 on May 20, 2026 20:32