Update go modules (release-v0.7) (patch)#3146
Conversation
ℹ️ Artifact update noticeFile name: acceptance/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: tools/kubectl/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
bb1e687 to
608b025
Compare
cb09e7b to
2bdf2b5
Compare
d17ae93 to
9539d46
Compare
e56c120 to
31ef858
Compare
31ef858 to
a411eb7
Compare
|
🤖 Finished Review · ✅ Success · Started 9:13 PM UTC · Completed 9:20 PM UTC |
| github.com/sigstore/cosign/v2 v2.4.1 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 |
There was a problem hiding this comment.
[low] API contract / version skew
The PR updates go-securesystemslib from v0.10.0 to v0.11.0 in the root go.mod but leaves acceptance/go.mod at v0.10.0. The two modules import different sub-packages (root uses dsse, acceptance uses only encrypted), so the type-mismatch risk across module boundaries is minimal. For consistency, consider updating acceptance/go.mod to v0.11.0 as well.
|
🤖 Finished Review · ✅ Success · Started 6:58 PM UTC · Completed 7:06 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 1:02 AM UTC · Completed 1:07 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 12:55 PM UTC · Completed 1:02 PM UTC |
| k8s.io/client-go v0.35.4 | ||
| oras.land/oras-go/v2 v2.6.0 | ||
| k8s.io/client-go v0.35.6 | ||
| oras.land/oras-go/v2 v2.6.1 |
There was a problem hiding this comment.
[low] dependency version consistency
k8s.io/api and k8s.io/client-go are bumped to v0.35.6 while k8s.io/apimachinery remains at v0.35.4. Go's Minimum Version Selection will resolve apimachinery to v0.35.6 transitively, so the go.mod is cosmetically out of sync with the resolved dependency graph. Running go mod tidy would normalize the declared version.
Suggested fix: Run go mod tidy in the acceptance module directory after the version bumps.
|
🤖 Finished Review · ✅ Success · Started 5:16 PM UTC · Completed 5:23 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 2:47 PM UTC · Completed 2:56 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 9:00 AM UTC · Completed 9:06 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 2:17 PM UTC · Completed 2:22 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 3:35 PM UTC · Completed 3:40 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 8:09 PM UTC · Completed 8:18 PM UTC |
| github.com/sigstore/cosign/v2 v2.4.1 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 |
There was a problem hiding this comment.
[low] API contract / breaking change risk
The PR title states (patch) but secure-systems-lab/go-securesystemslib is being bumped from v0.10.0 to v0.11.0, which is a minor version increment (pre-v1 semver). This librarys dsse subpackage is directly imported in 13 source files. Verify the v0.11.0 changelog does not contain breaking changes to the dsse or encrypted subpackages.
Suggested fix: Verify that the go-securesystemslib v0.11.0 changelog does not contain breaking changes to the dsse or encrypted subpackages. CI passing is sufficient evidence.
| github.com/open-policy-agent/conftest v0.66.0 | ||
| github.com/open-policy-agent/opa v1.15.2 | ||
| github.com/package-url/packageurl-go v0.1.3 | ||
| github.com/package-url/packageurl-go v0.1.6 |
There was a problem hiding this comment.
[info] API contract / breaking change risk
The package-url/packageurl-go upgrade from v0.1.3 to v0.1.6 is a patch-level increment within the v0.1.x line. The codebase uses stable PURL specification primitives in internal/rego/purl/purl.go. Very low risk.
| k8s.io/apiextensions-apiserver v0.35.6 | ||
| k8s.io/apimachinery v0.35.6 | ||
| k8s.io/client-go v0.35.6 | ||
| k8s.io/klog/v2 v2.140.0 |
There was a problem hiding this comment.
[info] version consistency
The k8s.io/klog/v2 bump from v2.130.1 to v2.140.0 is a large minor version jump (10 minor versions). klog/v2 follows Kubernetes release cadence where such jumps are normal. Only 2 files import this library.
|
🤖 Review · |
|
🤖 Finished Review · ✅ Success · Started 1:50 AM UTC · Completed 1:58 AM UTC |
|
🤖 Finished Review · ✅ Success · Started 5:29 PM UTC · Completed 5:37 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 9:00 PM UTC · Completed 9:06 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 9:10 PM UTC · Completed 9:17 PM UTC |
This PR contains the following updates:
v0.16.0→v0.16.1v0.15.1→v0.15.4v0.20.7-0.20250703195040-6f40a3734728→v0.20.7v0.1.257→v0.1.281v0.5.19→v0.5.22v5.17.1→v5.17.2v0.26.1→v0.26.4v0.21.5→v0.21.7v0.0.20→v0.0.22v0.1.3→v0.1.6v2.4.1→v2.4.3v2.6.2→v2.6.3v1.10.5→v1.10.8v0.26.2→v0.26.4v0.44.1→v0.44.2v0.44.0→v0.44.2v0.35.4→v0.35.6v0.35.4→v0.35.6v0.35.4→v0.35.6v0.35.4→v0.35.6v1.34.3→v1.34.9v2.6.0→v2.6.1Release Notes
cue-lang/cue (cuelang.org/go)
v0.16.1Compare Source
Language
The
fallbackkeyword in thealiasv2experiment is replaced byotherwise, which is clearer.cue fmtorcue fixcan be used to rewrite existing code.Evaluator
Fix a regression where the compiler could add comments to the input AST value, which could lead to increased memory usage.
Fix a bug where exporting certain schemas could result in "cannot have both alias and field in same scope" errors.
cmd/cueFix a panic which could occur when using non-label expressions in the
--pathflag.Teach
cue loginto give helpful errors when used with OCI registries which don't support the OAuth2 device flow.Go API
Fix a regression where
cue.Context.Encodecould panic on custom marshaler types with pointer receivers.Full list of changes since v0.16.0
6d609d7cedf4c8b4efeeff8138118e47027a5e0ef5c169605d7c882a2613edfe4b05161e464091654f66eae9aaf8e39aec5a55849682c663conforma/go-containerregistry (github.com/conforma/go-containerregistry)
v0.20.7Compare Source
gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)
v0.5.22Compare Source
What's Changed
New Contributors
Full Changelog: gkampitakis/go-snaps@v0.5.21...v0.5.22
v0.5.21Compare Source
What's Changed
Full Changelog: gkampitakis/go-snaps@v0.5.20...v0.5.21
v0.5.20Compare Source
What's Changed
Full Changelog: gkampitakis/go-snaps@v0.5.19...v0.5.20
go-git/go-git (github.com/go-git/go-git/v5)
v5.17.2Compare Source
What's Changed
v5.17.1. Thanks @pskrbasu for reporting it. 🙇Full Changelog: go-git/go-git@v5.17.1...v5.17.2
go-openapi/strfmt (github.com/go-openapi/strfmt)
v0.26.4Compare Source
0.26.4 - 2026-06-29
Full Changelog: go-openapi/strfmt@v0.26.3...v0.26.4
14 commits in this release.
Fixed bugs
Documentation
Code quality
Miscellaneous tasks
Updates
People who contributed to this release
New Contributors
in #269
strfmt license terms
Per-module changes
enable/mongodb (0.26.4)
Miscellaneous tasks
Updates
internal/testintegration (0.26.4)
Miscellaneous tasks
Updates
v0.26.3Compare Source
0.26.3 - 2026-05-31
Full Changelog: go-openapi/strfmt@v0.26.2...v0.26.3
15 commits in this release.
Documentation
Miscellaneous tasks
Updates
People who contributed to this release
strfmt license terms
Per-module changes
enable/mongodb (0.26.3)
Miscellaneous tasks
Updates
internal/testintegration (0.26.3)
Miscellaneous tasks
Updates
v0.26.2Compare Source
0.26.2 - 2026-04-29
Full Changelog: go-openapi/strfmt@v0.26.1...v0.26.2
13 commits in this release.
Documentation
Performance
Miscellaneous tasks
Updates
People who contributed to this release
strfmt license terms
Per-module changes
enable/mongodb (0.26.2)
Miscellaneous tasks
Updates
internal/testintegration (0.26.2)
Miscellaneous tasks
Updates
google/go-containerregistry (github.com/google/go-containerregistry)
v0.21.7Compare Source
What's Changed
New Contributors
Full Changelog: google/go-containerregistry@v0.21.6...v0.21.7
v0.21.6Compare Source
What's Changed
Configuration
📅 Schedule: (UTC)
* 0-3 * * *)🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.