Update go modules (release-v0.7) (patch) by renovate[bot] · Pull Request #3146 · conforma/cli

renovate · 2026-03-02T02:08:37Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
cuelang.org/go	`v0.16.0` → `v0.16.1`
cuelang.org/go	`v0.15.1` → `v0.15.4`
github.com/conforma/go-containerregistry	`v0.20.7-0.20250703195040-6f40a3734728` → `v0.20.7`
github.com/enterprise-contract/enterprise-contract-controller/api	`v0.1.257` → `v0.1.281`
github.com/gkampitakis/go-snaps	`v0.5.19` → `v0.5.22`
github.com/go-git/go-git/v5	`v5.17.1` → `v5.17.2`
github.com/go-openapi/strfmt	`v0.26.1` → `v0.26.4`
github.com/google/go-containerregistry	`v0.21.5` → `v0.21.7`
github.com/mattn/go-isatty	`v0.0.20` → `v0.0.22`
github.com/package-url/packageurl-go	`v0.1.3` → `v0.1.6`
github.com/sigstore/cosign/v2	`v2.4.1` → `v2.4.3`
github.com/sigstore/cosign/v2	`v2.6.2` → `v2.6.3`
github.com/sigstore/sigstore	`v1.10.5` → `v1.10.8`
github.com/tektoncd/chains	`v0.26.2` → `v0.26.4`
github.com/tektoncd/cli	`v0.44.1` → `v0.44.2`
github.com/tektoncd/cli	`v0.44.0` → `v0.44.2`
k8s.io/api	`v0.35.4` → `v0.35.6`
k8s.io/apiextensions-apiserver	`v0.35.4` → `v0.35.6`
k8s.io/apimachinery	`v0.35.4` → `v0.35.6`
k8s.io/client-go	`v0.35.4` → `v0.35.6`
k8s.io/kubernetes	`v1.34.3` → `v1.34.9`
oras.land/oras-go/v2	`v2.6.0` → `v2.6.1`

Release Notes

cue-lang/cue (cuelang.org/go)

`v0.16.1`

Compare Source

Language

The fallback keyword in the aliasv2 experiment is replaced by otherwise, which is clearer. cue fmt or cue fix can be used to rewrite existing code.

Evaluator

Fix a regression where the compiler could add comments to the input AST value, which could lead to increased memory usage.

Fix a bug where exporting certain schemas could result in "cannot have both alias and field in same scope" errors.

`cmd/cue`

Fix a panic which could occur when using non-label expressions in the --path flag.

Teach cue login to give helpful errors when used with OCI registries which don't support the OAuth2 device flow.

Go API

Fix a regression where cue.Context.Encode could panic on custom marshaler types with pointer receivers.

Full list of changes since v0.16.0

internal/cueversion: bump to v0.16.1 by @mvdan in 6d609d7
internal/ci: build releases with Go 1.26.2 by @mvdan in cedf4c8
update all golang.org/x/... dependencies by @mvdan in b4efeef
all: rename fallback keyword to otherwise by @mpvl in f813811
lsp/cache: improve rename by @cuematthew in 8e47027
integration/workspace: add test showing bad behaviour by @cuematthew in a5e0ef5
cmd/cue: suggest docker/podman login when OAuth2 device flow is unsupported by @mvdan in c169605
cmd/cue: add testscript for cue login when device code endpoint is unsupported by @mvdan in d7c882a
cmd/cue: clarify how to authenticate with standard OCI registries by @mvdan in 2613edf
internal/core/compile: avoid mutating AST by @rogpeppe in e4b0516
internal/core/export: fix alias/field name conflict in pattern constraints by @mvdan in 1e46409
internal/core/export: add regression test for alias/field name conflict by @mvdan in 1654f66
pkg: fix godoc mistakes across several packages by @mvdan in eae9aaf
internal/core/convert: fix panic when encoding pointer-receiver marshalers by @mvdan in 8e39aec
cmd/cue: return an error for non-label --path expressions instead of panicking by @mvdan in 5a55849
encoding: add godoc hints for cue/ast result types by @mvdan in 682c663

conforma/go-containerregistry (github.com/conforma/go-containerregistry)

`v0.20.7`

Compare Source

gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)

`v0.5.22`

Compare Source

What's Changed

Enhance README with additional Any matcher example by @MoritzHeld in #157
fix: create snapshot files with 0644 instead of os.ModePerm by @gkampitakis in #159

New Contributors

@MoritzHeld made their first contribution in #157

Full Changelog: gkampitakis/go-snaps@v0.5.21...v0.5.22

`v0.5.21`

Compare Source

What's Changed

support nested arrays in json matchers by @gkampitakis in #145

Full Changelog: gkampitakis/go-snaps@v0.5.20...v0.5.21

`v0.5.20`

Compare Source

What's Changed

feat: support setting serializer on config by @gkampitakis in #154

Full Changelog: gkampitakis/go-snaps@v0.5.19...v0.5.20

go-git/go-git (github.com/go-git/go-git/v5)

`v5.17.2`

Compare Source

What's Changed

build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in #1941
dotgit: skip writing pack files that already exist on disk by @pjbgf in #1944

⚠️ This release fixes a bug (#1942) that blocked some users from upgrading to v5.17.1. Thanks @pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

go-openapi/strfmt (github.com/go-openapi/strfmt)

`v0.26.4`

Compare Source

0.26.4 - 2026-06-29

Full Changelog: go-openapi/strfmt@v0.26.3...v0.26.4

14 commits in this release.

Fixed bugs

fix: validate "uri" format for absolute URIs with a fragment (#131) by @patchwright in #269 ...

Documentation

ci: post README announcements to discord + bump ci-workflows to v0.4.0 by @fredbi in #272 ...
doc: updated contributors file by @bot-go-openapi[bot] in #264 ...

Code quality

chore: disabled goconst linter by @fredbi in #271 ...

Miscellaneous tasks

chore: prepare release v0.26.4 by @bot-go-openapi[bot] in #274 ...
chore(ci): run contributors workflow monthly instead of weekly by @fredbi in #270 ...

Updates

build(deps): bump the other-dependencies group across 3 directories with 1 update by @dependabot[bot] in #268 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #273 ...
build(deps): bump the development-dependencies group with 2 updates by @dependabot[bot] in #267 ...
build(deps): bump golang.org/x/net from 0.55.0 to 0.56.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #266 ...
build(deps): bump the development-dependencies group with 9 updates by @dependabot[bot] in #265 ...
build(deps): bump the other-dependencies group across 2 directories with 1 update by @dependabot[bot] in #263 ...
build(deps): bump github.com/go-openapi/errors from 0.22.7 to 0.22.8 in the go-openapi-dependencies group across 1 directory by @dependabot[bot] in #262 ...
build(deps): bump the development-dependencies group with 9 updates by @dependabot[bot] in #261 ...

People who contributed to this release

New Contributors

@patchwright made their first contribution
in #269

strfmt license terms

Per-module changes

enable/mongodb (0.26.4)

Miscellaneous tasks

chore: prepare release v0.26.4 by @bot-go-openapi[bot] in #274 ...

Updates

build(deps): bump the other-dependencies group across 3 directories with 1 update by @dependabot[bot] in #268 ...

internal/testintegration (0.26.4)

Miscellaneous tasks

chore: prepare release v0.26.4 by @bot-go-openapi[bot] in #274 ...

Updates

build(deps): bump the other-dependencies group across 3 directories with 1 update by @dependabot[bot] in #268 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #273 ...
build(deps): bump golang.org/x/net from 0.55.0 to 0.56.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #266 ...
build(deps): bump the other-dependencies group across 2 directories with 1 update by @dependabot[bot] in #263 ...
build(deps): bump github.com/go-openapi/errors from 0.22.7 to 0.22.8 in the go-openapi-dependencies group across 1 directory by @dependabot[bot] in #262 ...

`v0.26.3`

Compare Source

0.26.3 - 2026-05-31

Full Changelog: go-openapi/strfmt@v0.26.2...v0.26.3

15 commits in this release.

Documentation

fix(ci): typo in sha by @fredbi ...
doc: updated contributors file by @bot-go-openapi[bot] in #258 ...
doc: updated contributors file by @bot-go-openapi[bot] in #251 ...

Miscellaneous tasks

chore: prepare release v0.26.3 by @bot-go-openapi[bot] in #260 ...
fix(ci): monitor - work around dependabot identity requirements by @fredbi ...
fix(ci): updated shared ci worflows (fix monitor-bot identity) by @fredbi ...
fix(ci): updated shared ci worflows (fix monitor-bot permissions) by @fredbi ...
fix(ci): updated shared ci worflows (fix monitor-bot filter) by @fredbi in #259 ...
ci: schedule bot PR monitoring by @fredbi in #257 ...

Updates

build(deps): bump the other-dependencies group across 3 directories with 2 updates by @dependabot[bot] in #252 ...
build(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #255 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #256 ...
build(deps): bump the development-dependencies group with 8 updates by @dependabot[bot] in #254 ...
build(deps): bump golang.org/x/net from 0.53.0 to 0.54.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #253 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #249 ...

People who contributed to this release

@fredbi

strfmt license terms

Per-module changes

enable/mongodb (0.26.3)

Miscellaneous tasks

chore: prepare release v0.26.3 by @bot-go-openapi[bot] in #260 ...

Updates

build(deps): bump the other-dependencies group across 3 directories with 2 updates by @dependabot[bot] in #252 ...

internal/testintegration (0.26.3)

Miscellaneous tasks

chore: prepare release v0.26.3 by @bot-go-openapi[bot] in #260 ...

Updates

build(deps): bump the other-dependencies group across 3 directories with 2 updates by @dependabot[bot] in #252 ...
build(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #255 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #256 ...
build(deps): bump golang.org/x/net from 0.53.0 to 0.54.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #253 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #249 ...

`v0.26.2`

Compare Source

0.26.2 - 2026-04-29

Full Changelog: go-openapi/strfmt@v0.26.1...v0.26.2

13 commits in this release.

Documentation

doc: aligned docs with org-wide documentation. by @fredbi in #247 ...
doc: updated contributors file by @bot-go-openapi[bot] in #239 ...
doc: add portable agentic instructions by @fredbi in #236 ...
doc: added portable agentic instructions by @fredbi in #235 ...

Performance

perf(duration): faster and stricter ParseDuration. by @fredbi in #246 ...

Miscellaneous tasks

chore: prepare release v0.26.2 by @bot-go-openapi[bot] in #248 ...
chore: bump go directive to 1.25.0 by @fredbi in #237 ...

Updates

build(deps): bump the other-dependencies group across 2 directories with 2 updates by @dependabot[bot] in #245 ...
build(deps): bump the development-dependencies group with 8 updates by @dependabot[bot] in #242 ...
build(deps): bump golang.org/x/net from 0.52.0 to 0.53.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #241 ...
build(deps): bump github.com/jackc/pgx/v5 from 5.8.0 to 5.9.1 in /internal/testintegration in the other-dependencies group across 1 directory by @dependabot[bot] in #240 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #238 ...
build(deps): bump golang.org/x/net from 0.50.0 to 0.52.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #228 ...

People who contributed to this release

@fredbi

strfmt license terms

Per-module changes

enable/mongodb (0.26.2)

Miscellaneous tasks

chore: prepare release v0.26.2 by @bot-go-openapi[bot] in #248 ...
chore: bump go directive to 1.25.0 by @fredbi in #237 ...

Updates

build(deps): bump the other-dependencies group across 2 directories with 2 updates by @dependabot[bot] in #245 ...

internal/testintegration (0.26.2)

Miscellaneous tasks

chore: prepare release v0.26.2 by @bot-go-openapi[bot] in #248 ...
chore: bump go directive to 1.25.0 by @fredbi in #237 ...

Updates

build(deps): bump the other-dependencies group across 2 directories with 2 updates by @dependabot[bot] in #245 ...
build(deps): bump golang.org/x/net from 0.52.0 to 0.53.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #241 ...
build(deps): bump github.com/jackc/pgx/v5 from 5.8.0 to 5.9.1 in /internal/testintegration in the other-dependencies group across 1 directory by @dependabot[bot] in #240 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #238 ...
build(deps): bump golang.org/x/net from 0.50.0 to 0.52.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #228 ...

google/go-containerregistry (github.com/google/go-containerregistry)

`v0.21.7`

Compare Source

What's Changed

tarball: return error instead of panicking on missing rootfs.diff_ids by @iahsanGill in #2304
gcrane: honor --platform flag in copy by @iahsanGill in #2307
mutate: verify layer digests in Extract and Time by @momenashrafff in #2303
tarball: close layer readers during Write by @nandbhat in #2308
build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #2311
build(deps): bump github.com/docker/cli from 29.4.3+incompatible to 29.5.2+incompatible in the go-deps group across 1 directory by @dependabot[bot] in #2312
BUGFIX: Fail with error when read exceeds maximum by @inteon in #2328
build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #2327
fix(name): anchor loopback registry detection by @rohan-patnaik in #2314
Reject symlinks in OCI layout blobs by @mosskappa in #2306
fix(crane): avoid creating export tar on pull failure by @Haihan-Jiang in #2318
feat(kubernetes): allow ignoring pull secrets by @rohan-patnaik in #2315
fix(name): preserve localhost registry references by @rohan-patnaik in #2316
pkg/registry: export ErrNotFound by @malt3 in #2176
pkg/registry: export RedirectError by @malt3 in #2177
build(deps): bump the go-deps group across 1 directory with 2 updates by @dependabot[bot] in #2343
build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #2344
fix: prevent SSRF in google.List() pagination by @tufstraka in #2332
internal/gzip: fix goroutine leak in ReadCloserLevel by @amarkdotdev in #2347
fix(transport): apply refreshed bearer token after cross-host redirect by @64johnlee in #2337
build(deps): bump the go-deps group across 3 directories with 4 updates by @dependabot[bot] in #2348
fix(tarball): normalize paths when matching files by @bstoll in #2334
transport: do not re-attach bearer token after cross-host redirect by @evilgensec in #2349
Bump CI go version to 1.26.4 by @Subserial in #2350

New Contributors

@momenashrafff made their first contribution in #2303
@nandbhat made their first contribution in #2308
@inteon made their first contribution in #2328
@rohan-patnaik made their first contribution in #2314
@mosskappa made their first contribution in #2306
@Haihan-Jiang made their first contribution in #2318
@tufstraka made their first contribution in #2332
@amarkdotdev made their first contribution in #2347
@64johnlee made their first contribution in #2337
@bstoll made their first contribution in #2334

Full Changelog: google/go-containerregistry@v0.21.6...v0.21.7

`v0.21.6`

Compare Source

What's Changed

fix: update dependencies to use new azure sdk components by @gaganhr94 in #2262
transport: restore resp.Body in retryError so CheckError can parse it by @alliasgher in #2264
pkg/registry: return 202 Accepted for PATCH chunk uploads by @alliasgher in #2265
Follow OCI distribution spec for artifactType and annotations by @malt3 in #2269
actions: attach Codecov token to coverage tests on main by @Subserial in #2270
remote: use DeleteScope (with "delete" action) for manifest deletion by @alliasgher in #2266
remote: limit concurrent layer pulls by @gnix0 in #2271
pkg/registry: reject corrupt disk blobs by @gnix0 in #2272
mutate: close layer readers during export by @gnix0 in #2277
crane/flatten: preserve image media type when flattening by @alliasgher in #2267
build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 in the actions group across 1 directory by @dependabot[bot] in #2273
build(deps): bump go.opentelemetry.io/otel from 1.36.0 to 1.41.0 by @dependabot[bot] in #2278
build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in #2280
Replace go-homedir with os.UserHomeDir by @jammie-jelly in #2282
pkg/name: only treat .localhost as non-HTTPS, not .local by [@blackwell-systems

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- Between 12:00 AM and 03:59 AM (* 0-3 * * *)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2026-03-02T02:08:40Z

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

45 additional dependencies were updated

Details:

Package	Change
`github.com/go-openapi/strfmt`	`v0.25.0` -> `v0.26.2`
`github.com/secure-systems-lab/go-securesystemslib`	`v0.10.0` -> `v0.11.0`
`github.com/gkampitakis/ciinfo`	`v0.3.2` -> `v0.3.4`
`github.com/go-chi/chi/v5`	`v5.2.4` -> `v5.2.5`
`github.com/go-openapi/analysis`	`v0.24.1` -> `v0.25.0`
`github.com/go-openapi/errors`	`v0.22.6` -> `v0.22.7`
`github.com/go-openapi/jsonpointer`	`v0.22.4` -> `v0.22.5`
`github.com/go-openapi/jsonreference`	`v0.21.4` -> `v0.21.5`
`github.com/go-openapi/loads`	`v0.23.2` -> `v0.23.3`
`github.com/go-openapi/runtime`	`v0.29.2` -> `v0.29.4`
`github.com/go-openapi/spec`	`v0.22.3` -> `v0.22.4`
`github.com/go-openapi/swag`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/cmdutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/conv`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/fileutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/jsonname`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/jsonutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/loading`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/mangling`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/netutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/stringutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/typeutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/yamlutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/validate`	`v0.25.1` -> `v0.25.2`
`github.com/go-viper/mapstructure/v2`	`v2.4.0` -> `v2.5.0`
`github.com/goccy/go-yaml`	`v1.18.0` -> `v1.19.2`
`github.com/letsencrypt/boulder`	`v0.20251110.0` -> `v0.20260223.0`
`github.com/maruel/natural`	`v1.1.1` -> `v1.3.0`
`github.com/sigstore/protobuf-specs`	`v0.5.0` -> `v0.5.1`
`github.com/tidwall/gjson`	`v1.18.0` -> `v1.19.0`
`go.opentelemetry.io/otel`	`v1.42.0` -> `v1.43.0`
`go.opentelemetry.io/otel/metric`	`v1.42.0` -> `v1.43.0`
`go.uber.org/zap`	`v1.27.1` -> `v1.28.0`
`golang.org/x/crypto`	`v0.49.0` -> `v0.50.0`
`golang.org/x/net`	`v0.52.0` -> `v0.53.0`
`golang.org/x/oauth2`	`v0.35.0` -> `v0.36.0`
`golang.org/x/sys`	`v0.42.0` -> `v0.43.0`
`golang.org/x/term`	`v0.41.0` -> `v0.42.0`
`golang.org/x/text`	`v0.35.0` -> `v0.36.0`
`golang.org/x/time`	`v0.14.0` -> `v0.15.0`
`google.golang.org/api`	`v0.260.0` -> `v0.274.0`
`google.golang.org/genproto/googleapis/api`	`v0.0.0-20251222181119-0a764e51fe1b` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/genproto/googleapis/rpc`	`v0.0.0-20251222181119-0a764e51fe1b` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/grpc`	`v1.79.3` -> `v1.80.0`
`k8s.io/klog/v2`	`v2.130.1` -> `v2.140.0`

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

67 additional dependencies were updated

Details:

Package	Change
`github.com/secure-systems-lab/go-securesystemslib`	`v0.10.0` -> `v0.11.0`
`golang.org/x/net`	`v0.52.0` -> `v0.53.0`
`k8s.io/klog/v2`	`v2.130.1` -> `v2.140.0`
`cloud.google.com/go/auth`	`v0.18.2` -> `v0.19.0`
`cloud.google.com/go/iam`	`v1.5.3` -> `v1.7.0`
`cloud.google.com/go/storage`	`v1.61.3` -> `v1.62.0`
`github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp`	`v1.30.0` -> `v1.31.0`
`github.com/aws/aws-sdk-go-v2`	`v1.41.4` -> `v1.41.6`
`github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream`	`v1.7.7` -> `v1.7.8`
`github.com/aws/aws-sdk-go-v2/config`	`v1.32.12` -> `v1.32.14`
`github.com/aws/aws-sdk-go-v2/credentials`	`v1.19.12` -> `v1.19.14`
`github.com/aws/aws-sdk-go-v2/feature/ec2/imds`	`v1.18.20` -> `v1.18.21`
`github.com/aws/aws-sdk-go-v2/internal/configsources`	`v1.4.20` -> `v1.4.22`
`github.com/aws/aws-sdk-go-v2/internal/endpoints/v2`	`v2.7.20` -> `v2.7.22`
`github.com/aws/aws-sdk-go-v2/internal/v4a`	`v1.4.21` -> `v1.4.22`
`github.com/aws/aws-sdk-go-v2/service/ecr`	`v1.32.2` -> `v1.40.3`
`github.com/aws/aws-sdk-go-v2/service/ecrpublic`	`v1.25.4` -> `v1.31.2`
`github.com/aws/aws-sdk-go-v2/service/internal/checksum`	`v1.9.12` -> `v1.9.13`
`github.com/aws/aws-sdk-go-v2/service/internal/presigned-url`	`v1.13.20` -> `v1.13.21`
`github.com/aws/aws-sdk-go-v2/service/internal/s3shared`	`v1.19.20` -> `v1.19.21`
`github.com/aws/aws-sdk-go-v2/service/s3`	`v1.97.1` -> `v1.97.3`
`github.com/aws/aws-sdk-go-v2/service/signin`	`v1.0.8` -> `v1.0.9`
`github.com/aws/aws-sdk-go-v2/service/sso`	`v1.30.13` -> `v1.30.15`
`github.com/aws/aws-sdk-go-v2/service/ssooidc`	`v1.35.17` -> `v1.35.19`
`github.com/aws/aws-sdk-go-v2/service/sts`	`v1.41.9` -> `v1.41.10`
`github.com/aws/smithy-go`	`v1.24.2` -> `v1.25.0`
`github.com/awslabs/amazon-ecr-credential-helper/ecr-login`	`v0.0.0-20240826150212-5dc58b6e29f8` -> `v0.9.1`
`github.com/clipperhouse/displaywidth`	`v0.6.0` -> `v0.10.0`
`github.com/clipperhouse/uax29/v2`	`v2.3.0` -> `v2.6.0`
`github.com/gkampitakis/ciinfo`	`v0.3.2` -> `v0.3.4`
`github.com/go-chi/chi/v5`	`v5.2.4` -> `v5.2.5`
`github.com/go-openapi/analysis`	`v0.24.3` -> `v0.25.0`
`github.com/go-openapi/runtime`	`v0.29.2` -> `v0.29.4`
`github.com/go-openapi/swag`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/cmdutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/conv`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/fileutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonname`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/loading`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/mangling`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/netutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/stringutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/typeutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/yamlutils`	`v0.25.5` -> `v0.26.0`
`github.com/goccy/go-yaml`	`v1.18.0` -> `v1.19.2`
`github.com/googleapis/gax-go/v2`	`v2.17.0` -> `v2.22.0`
`github.com/maruel/natural`	`v1.1.1` -> `v1.3.0`
`github.com/olekukonko/errors`	`v1.1.0` -> `v1.2.0`
`github.com/olekukonko/ll`	`v0.1.3` -> `v0.1.6`
`github.com/olekukonko/tablewriter`	`v1.1.2` -> `v1.1.4`
`github.com/sigstore/fulcio`	`v1.6.3` -> `v1.6.6`
`github.com/sigstore/protobuf-specs`	`v0.5.0` -> `v0.5.1`
`github.com/tidwall/gjson`	`v1.18.0` -> `v1.19.0`
`go.uber.org/zap`	`v1.27.1` -> `v1.28.0`
`golang.org/x/crypto`	`v0.49.0` -> `v0.50.0`
`golang.org/x/sys`	`v0.42.0` -> `v0.43.0`
`golang.org/x/term`	`v0.41.0` -> `v0.42.0`
`golang.org/x/text`	`v0.35.0` -> `v0.36.0`
`google.golang.org/api`	`v0.271.0` -> `v0.274.0`
`google.golang.org/genproto`	`v0.0.0-20260128011058-8636f8732409` -> `v0.0.0-20260319201613-d00831a3d3e7`
`google.golang.org/genproto/googleapis/api`	`v0.0.0-20260203192932-546029d2fa20` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/genproto/googleapis/rpc`	`v0.0.0-20260226221140-a57be14db171` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/grpc`	`v1.79.3` -> `v1.80.0`
`gopkg.in/ini.v1`	`v1.67.1` -> `v1.67.2`
`k8s.io/api`	`v0.34.3` -> `v0.34.8`
`sigs.k8s.io/release-utils`	`v0.12.3` -> `v0.12.4`

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

2 additional dependencies were updated

Details:

Package	Change
`github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp`	`v1.30.0` -> `v1.31.0`
`google.golang.org/grpc`	`v1.79.3` -> `v1.80.0`

File name: tools/kubectl/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

2 additional dependencies were updated

Details:

Package	Change
`go.opentelemetry.io/otel`	`v1.35.0` -> `v1.41.0`
`go.opentelemetry.io/otel/trace`	`v1.35.0` -> `v1.41.0`

fullsend-ai-review · 2026-06-12T21:13:14Z

🤖 Finished Review · ✅ Success · Started 9:13 PM UTC · Completed 9:20 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-12T21:20:20Z

-	github.com/sigstore/cosign/v2 v2.4.1
-	github.com/sigstore/rekor v1.5.0
-	github.com/sigstore/sigstore v1.10.5
+	github.com/secure-systems-lab/go-securesystemslib v0.11.0


[low] API contract / version skew

The PR updates go-securesystemslib from v0.10.0 to v0.11.0 in the root go.mod but leaves acceptance/go.mod at v0.10.0. The two modules import different sub-packages (root uses dsse, acceptance uses only encrypted), so the type-mismatch risk across module boundaries is minimal. For consistency, consider updating acceptance/go.mod to v0.11.0 as well.

fullsend-ai-review · 2026-06-17T18:58:46Z

🤖 Finished Review · ✅ Success · Started 6:58 PM UTC · Completed 7:06 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-18T01:02:11Z

🤖 Finished Review · ✅ Success · Started 1:02 AM UTC · Completed 1:07 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-19T12:55:16Z

🤖 Finished Review · ✅ Success · Started 12:55 PM UTC · Completed 1:02 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-19T13:01:55Z

-	k8s.io/client-go v0.35.4
-	oras.land/oras-go/v2 v2.6.0
+	k8s.io/client-go v0.35.6
+	oras.land/oras-go/v2 v2.6.1


[low] dependency version consistency

k8s.io/api and k8s.io/client-go are bumped to v0.35.6 while k8s.io/apimachinery remains at v0.35.4. Go's Minimum Version Selection will resolve apimachinery to v0.35.6 transitively, so the go.mod is cosmetically out of sync with the resolved dependency graph. Running go mod tidy would normalize the declared version.

Suggested fix: Run go mod tidy in the acceptance module directory after the version bumps.

fullsend-ai-review · 2026-06-19T17:16:37Z

🤖 Finished Review · ✅ Success · Started 5:16 PM UTC · Completed 5:23 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-20T14:47:53Z

🤖 Finished Review · ✅ Success · Started 2:47 PM UTC · Completed 2:56 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-21T09:00:47Z

🤖 Finished Review · ✅ Success · Started 9:00 AM UTC · Completed 9:06 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-21T14:17:41Z

🤖 Finished Review · ✅ Success · Started 2:17 PM UTC · Completed 2:22 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-22T15:35:14Z

🤖 Finished Review · ✅ Success · Started 3:35 PM UTC · Completed 3:40 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-22T20:10:00Z

🤖 Finished Review · ✅ Success · Started 8:09 PM UTC · Completed 8:18 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-22T20:18:47Z

-	github.com/sigstore/cosign/v2 v2.4.1
-	github.com/sigstore/rekor v1.5.0
-	github.com/sigstore/sigstore v1.10.5
+	github.com/secure-systems-lab/go-securesystemslib v0.11.0


[low] API contract / breaking change risk

The PR title states (patch) but secure-systems-lab/go-securesystemslib is being bumped from v0.10.0 to v0.11.0, which is a minor version increment (pre-v1 semver). This librarys dsse subpackage is directly imported in 13 source files. Verify the v0.11.0 changelog does not contain breaking changes to the dsse or encrypted subpackages.

Suggested fix: Verify that the go-securesystemslib v0.11.0 changelog does not contain breaking changes to the dsse or encrypted subpackages. CI passing is sufficient evidence.

fullsend-ai-review · 2026-06-22T20:18:47Z

 	github.com/open-policy-agent/conftest v0.66.0
 	github.com/open-policy-agent/opa v1.15.2
-	github.com/package-url/packageurl-go v0.1.3
+	github.com/package-url/packageurl-go v0.1.6


[info] API contract / breaking change risk

The package-url/packageurl-go upgrade from v0.1.3 to v0.1.6 is a patch-level increment within the v0.1.x line. The codebase uses stable PURL specification primitives in internal/rego/purl/purl.go. Very low risk.

fullsend-ai-review · 2026-06-22T20:18:47Z

+	k8s.io/apiextensions-apiserver v0.35.6
+	k8s.io/apimachinery v0.35.6
+	k8s.io/client-go v0.35.6
+	k8s.io/klog/v2 v2.140.0


[info] version consistency

The k8s.io/klog/v2 bump from v2.130.1 to v2.140.0 is a large minor version jump (10 minor versions). klog/v2 follows Kubernetes release cadence where such jumps are normal. Only 2 files import this library.

fullsend-ai-review · 2026-06-26T01:44:13Z

🤖 Review · ⚠️ Cancelled · Started 1:44 AM UTC · Ended 1:47 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-26T01:50:19Z

🤖 Finished Review · ✅ Success · Started 1:50 AM UTC · Completed 1:58 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-26T17:29:27Z

🤖 Finished Review · ✅ Success · Started 5:29 PM UTC · Completed 5:37 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-26T21:00:22Z

🤖 Finished Review · ✅ Success · Started 9:00 PM UTC · Completed 9:06 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review · 2026-06-29T21:10:01Z

🤖 Finished Review · ✅ Success · Started 9:10 PM UTC · Completed 9:17 PM UTC
Commit: 47d3320 · View workflow run →

renovate Bot added release-v0.7 renovate labels Mar 2, 2026

renovate Bot enabled auto-merge March 2, 2026 02:08

github-actions Bot added the size: L label Mar 2, 2026

renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 5 times, most recently from bb1e687 to 608b025 Compare March 10, 2026 03:21

renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 4 times, most recently from cb09e7b to 2bdf2b5 Compare March 19, 2026 11:20

renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 4 times, most recently from d17ae93 to 9539d46 Compare April 2, 2026 01:41

renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 9 times, most recently from e56c120 to 31ef858 Compare April 14, 2026 09:15

renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch from 31ef858 to a411eb7 Compare April 15, 2026 10:40

github-actions Bot added size: M and removed size: L labels Apr 15, 2026

fullsend-ai-review Bot approved these changes Jun 12, 2026

View reviewed changes

fullsend-ai-review Bot approved these changes Jun 17, 2026

View reviewed changes

fullsend-ai-review Bot approved these changes Jun 18, 2026

View reviewed changes

fullsend-ai-review Bot approved these changes Jun 19, 2026

View reviewed changes

fullsend-ai-review Bot approved these changes Jun 21, 2026

View reviewed changes

fullsend-ai-review Bot approved these changes Jun 22, 2026

View reviewed changes

fullsend-ai-review Bot approved these changes Jun 26, 2026

View reviewed changes

Update go modules

c7395ef

fullsend-ai-review Bot approved these changes Jun 29, 2026

View reviewed changes

Uh oh!

Conversation

renovate Bot commented Mar 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Language

Evaluator

cmd/cue

Go API

What's Changed

New Contributors

What's Changed

What's Changed

What's Changed

0.26.4 - 2026-06-29

Fixed bugs

Documentation

Code quality

Miscellaneous tasks

Updates

People who contributed to this release

New Contributors

Per-module changes

enable/mongodb (0.26.4)

Miscellaneous tasks

Updates

internal/testintegration (0.26.4)

Miscellaneous tasks

Updates

0.26.3 - 2026-05-31

Documentation

Miscellaneous tasks

Updates

People who contributed to this release

Per-module changes

enable/mongodb (0.26.3)

Miscellaneous tasks

Updates

internal/testintegration (0.26.3)

Miscellaneous tasks

Updates

0.26.2 - 2026-04-29

Documentation

Performance

Miscellaneous tasks

Updates

People who contributed to this release

Per-module changes

enable/mongodb (0.26.2)

Miscellaneous tasks

Updates

internal/testintegration (0.26.2)

Miscellaneous tasks

Updates

What's Changed

New Contributors

What's Changed

Configuration

Uh oh!

renovate Bot commented Mar 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

ℹ️ Artifact update notice

File name: acceptance/go.mod

File name: go.mod

File name: tools/go.mod

File name: tools/kubectl/go.mod

Uh oh!

fullsend-ai-review Bot commented Jun 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

fullsend-ai-review Bot Jun 12, 2026

Choose a reason for hiding this comment

Uh oh!

fullsend-ai-review Bot commented Jun 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

fullsend-ai-review Bot commented Jun 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

fullsend-ai-review Bot commented Jun 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

renovate Bot commented Mar 2, 2026 •

edited

Loading

`cmd/cue`

renovate Bot commented Mar 2, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 12, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 17, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 18, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 19, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 19, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 20, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 21, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 21, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 22, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 22, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 26, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 26, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 26, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 26, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 29, 2026 •

edited

Loading