Skip to content

🌱 Bump the gomod group across 2 directories with 20 updates#5107

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/gomod-09c5bc72bb
Open

🌱 Bump the gomod group across 2 directories with 20 updates#5107
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/gomod-09c5bc72bb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the gomod group with 11 updates in the / directory:

Package From To
cloud.google.com/go/bigquery 1.73.1 1.77.0
cloud.google.com/go/pubsub 1.50.1 1.50.2
github.com/bradleyfalzon/ghinstallation/v2 2.17.0 2.19.0
github.com/google/go-containerregistry 0.21.0 0.21.7
github.com/moby/buildkit 0.26.3 0.31.1
github.com/onsi/gomega 1.39.1 1.42.1
gocloud.dev 0.44.0 0.46.0
mvdan.cc/sh/v3 3.12.0 3.13.1
github.com/google/osv-scanner/v2 2.3.2 2.4.0
github.com/onsi/ginkgo/v2 2.28.0 2.32.0
gitlab.com/gitlab-org/api/client-go 1.41.0 1.46.0

Bumps the gomod group with 4 updates in the /tools directory: github.com/onsi/ginkgo/v2, github.com/golangci/golangci-lint/v2, github.com/google/ko and github.com/goreleaser/goreleaser/v2.

Updates cloud.google.com/go/bigquery from 1.73.1 to 1.77.0

Commits
  • 7cd2512 chore(main): release spanner 1.77.0 (#11634)
  • 28f0030 chore(all): fix out-of-sync version.go files (#11684)
  • 655de36 feat(spanner): Support REPEATABLE_READ for RW transaction (#11654)
  • 60dc167 fix(aiplatform): remove VertexAISearch.engine option (#11681)
  • 3f23a91 fix(aiplatform): An existing google.api.http annotation http_uri is changed...
  • e87cedc chore: remove resourcesettings (#11678)
  • d662a45 feat(spanner): add option for LastStatement in transaction (#11638)
  • 9e508d0 chore: release main (#11623)
  • 601e742 feat(bigquery/reservation): Add a new field replication_status to `.google....
  • 1eb601e chore(firestore): expose the Firestore.executePipeline API to the preview bra...
  • Additional commits viewable in compare view

Updates cloud.google.com/go/pubsub from 1.50.1 to 1.50.2

Commits
  • e2bbf19 chore: librarian release pull request: 20260331T202405Z (#14314)
  • 4e6350f chore: librarian release pull request: 20260331T201226Z (#14312)
  • 7c26e42 chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /interna...
  • e5b2057 chore(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 in /internal/g...
  • 97d824d feat(firestore): add WithAlwaysUseImplicitOrderBy option (#14260)
  • eb1fe4c chore: librarian release pull request: 20260331T193117Z (#14310)
  • 8a34364 feat(bigtable): check alts if we return permission denied for pingandwarm (#...
  • 98a546d chore: update version.go template (#14307)
  • efb8c17 chore: add biglake and hive (#14306)
  • 4c0232a fix(pubsub): check for nil concurrency control span (#14303)
  • Additional commits viewable in compare view

Updates github.com/bradleyfalzon/ghinstallation/v2 from 2.17.0 to 2.19.0

Release notes

Sourced from github.com/bradleyfalzon/ghinstallation/v2's releases.

v2.19.0

What's Changed

Full Changelog: bradleyfalzon/ghinstallation@v2.18.0...v2.19.0

v2.18.0

What's Changed

Full Changelog: bradleyfalzon/ghinstallation@v2.17.0...v2.18.0

Commits
  • c8d44a3 Merge pull request #190 from bradleyfalzon/dependabot/github_actions/actions-...
  • 258bb5f Merge pull request #192 from asvoboda/as/upgrade-88
  • 2e06ce4 Update go-github to v88
  • 7d6dce6 Bump the actions group across 1 directory with 2 updates
  • 749b4c6 Update go-github to v85
  • 1237274 Bump golangci/golangci-lint-action from 8.0.0 to 9.2.0
  • c9c5e67 Bump actions/checkout from 5.0.0 to 6.0.2
  • f5640e5 Update google/go-github to v84
  • 6e26acb drop deprecated go versions
  • 0e0f2d4 fix lints
  • Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.21.0 to 0.21.7

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.7

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.21.6...v0.21.7

v0.21.6

What's Changed

... (truncated)

Commits
  • c68d899 Bump go version to 1.26.4 (#2350)
  • da61d86 transport: do not re-attach bearer token after cross-host redirect (#2349)
  • 09fe1e5 fix(tarball): normalize paths when matching files (#2334)
  • 5baa399 build(deps): bump the go-deps group across 3 directories with 4 updates (#2348)
  • 97a8a17 fix(transport): apply refreshed bearer token after cross-host redirect (#2337)
  • e963497 internal/gzip: fix goroutine leak in ReadCloserLevel (#2347)
  • 02649ea fix: prevent SSRF in google.List() pagination (#2332)
  • 7204b40 build(deps): bump the actions group across 1 directory with 2 updates (#2344)
  • 4cfaa93 build(deps): bump the go-deps group across 1 directory with 2 updates (#2343)
  • 6849394 pkg/registry: export RedirectError (#2177)
  • Additional commits viewable in compare view

Updates github.com/moby/buildkit from 0.26.3 to 0.31.1

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.31.1

buildkit 0.31.1

Welcome to the v0.31.1 release of buildkit!

This is a security patch release with two low severity security fixes.

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi

Notable Changes

Dependency Changes

This release has no dependency changes

Previous release can be found at v0.31.0

v0.31.0

buildkit 0.31.0

Welcome to the v0.31.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Sebastiaan van Stijn
  • Bjorn Neergaard
  • Jonathan A. Sternberg
  • Akihiro Suda
  • Bryce Gibson
  • Ava Barron
  • Brian Goff
  • Jiří Moravčík
  • ZRHann
  • Kevin NZUGUEM

... (truncated)

Commits
  • 673b7e0 Merge pull request #6896 from tonistiigi/v0.31.1-picks
  • 81ce1c6 ci: tolerate empty test matrix includes
  • 69a3924 user: limit size of parsed passwd/group files
  • 3ea6dd0 security: validate exec security modes
  • c411f0a Merge pull request #6876 from thaJeztah/bump_runc
  • f292e5c Dockerfile: update runc binary to v1.3.6
  • d31ba4a Merge pull request #6867 from okhowang/fix/platforms-data-race
  • e819928 Merge pull request #6869 from crazy-max/update-policy-helpers
  • e4d0dba chore: update generated files
  • c13539b vendor: update policy-helpers to d5411a945cfc
  • Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.39.1 to 1.42.1

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.42.1

1.42.1

Bump Dependencies

v1.42.0

1.42.0

Add a set of Claude skill as a marketplace plugin

v1.41.0

No release notes provided.

v1.40.0

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.42.1

Bump Dependencies

1.42.0

Add a set of Claude skill as a marketplace plugin

1.41.0

Features

Add BeASlice and BeAnArray matchers

Fixes

Object formatting now detects pointer cycles to avoid runaway formatting output.

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

Commits

Updates go.yaml.in/yaml/v2 from 2.4.3 to 2.4.4

Commits
  • 43b627a Replace gopkg.in/check.v1 with the standard testing library
  • See full diff in compare view

Updates gocloud.dev from 0.44.0 to 0.46.0

Release notes

Sourced from gocloud.dev's releases.

v0.46.0

BREAKING_CHANGE:

  • blob/s3blob: migrate from deprecated s3/manager to s3/transfermanager by @​vangent in google/go-cloud#3717
    • Only breaking if you're using As to access specific AWS types from the old manager.

What's Changed

all

blob:

runtimevar:

pubsub

docstore

secrets

postgres

New Contributors

Full Changelog: google/go-cloud@v0.45.0...v0.46.0

v0.45.0

What's Changed

... (truncated)

Commits
  • 60f0d74 all: prerelease
  • a1725f0 blob/s3blob: migrate from deprecated s3/manager to s3/transfermanager (#3717)
  • 7eadd65 aws: add AWS IAM Role assumption support (#3716)
  • 054c82e postgres/awspostgres: add IAM authentication support (#3713)
  • 2b85c85 docs: fix Pub/Sub subscribe wording (#3714)
  • b9dee8d build: add top-level permissions restriction to tests workflow (#3711)
  • 45a8cfc docstore: support unwrapping ActionListError for use with errors.Is (#3705)
  • 78b5976 all: support typed errors and errors.Is for error codes (#3708)
  • 595f8b6 all: update another otel dep (#3701)
  • c903aef all: update otel deps (#3699)
  • Additional commits viewable in compare view

Updates golang.org/x/text from 0.36.0 to 0.38.0

Commits

Updates mvdan.cc/sh/v3 from 3.12.0 to 3.13.1

Release notes

Sourced from mvdan.cc/sh/v3's releases.

v3.13.1

  • cmd/shfmt
    • Add support for [[zsh]] in EditorConfig files
    • Detect the shell variant from filenames like .zshrc and .bash_profile
    • Fix --apply-ignore when used with explicit args - #1310
  • syntax
    • Revert an accidental change to how array subscripts are formatted - #1314
    • Never join ;; with the previous line when formatting - #1289
    • Fix a bug where $1[foo] was parsed as a subscript in Zsh - #1288
    • Correctly parse $! in double quotes in Zsh - #1298
    • Allow indexing into special parameters in Zsh - #1299
    • Allow parameter expansions with empty names in Zsh - #1280
  • interp
    • Test against Bash 5.3 and fix three new discrepancies
    • Fix a few bugs related to nameref variables
    • Avoid panics when user input encounters unimplemented features

Consider becoming a sponsor if you benefit from the work that went into this release!

Binaries built on go version go1.26.1 linux/amd64 with:

CGO_ENABLED=0 go build -trimpath -ldflags="-w -s"

v3.13.0

This release introduces support for Zsh in the parser and formatter, which was tracked in issue #120 alongside the label https://github.com/mvdan/sh/labels/zsh. While support is not complete, it should be far enough for many use cases.

This release also drops support for Go 1.24 and includes many other enhancements:

  • cmd/shfmt
    • Exit with a non-zero status when -l prints any filenames
    • shfmt -version is now derived from the git current tag, dropping the -ldflags workaround
  • syntax
    • New nodes types and node fields are introduced alongside LangZsh
    • LangVariant is now a bitset, allowing the use of sets like "Bash-like"
    • Add InteractiveSeq and StmtsSeq iterator methods for Parser
    • Stop exposing the internal buffer in Printer via struct embedding
    • Support the use of brace expansions like declare {a,b}_c=value
    • Fix a bug where POSIX and Bash incorrectly allowed empty command lists
  • interp
    • Add support for shopt -s dotglob and shopt -s extglob
    • Add support for simple uses of !(expr) extended glob patterns
    • Support more builtin flags for declare, type, read
    • Fix various bugs relating to nulls, errors, and arrays
  • expand
    • Add Config.DotGlob and Config.ExtGlob for the interpreter
    • Add Variable.Flags to get the one-character declare flags
    • Do not force env vars on Windows to be uppercase
    • Fix various bugs relating to glob pattern matching
  • pattern
    • Add GlobLeadingDot and ExtendedOperators for the interpreter

... (truncated)

Changelog

Sourced from mvdan.cc/sh/v3's changelog.

[3.13.1] - 2026-03-09

  • cmd/shfmt
    • Add support for [[zsh]] in EditorConfig files
    • Detect the shell variant from filenames like .zshrc and .bash_profile
    • Fix --apply-ignore when used with explicit args - #1310
  • syntax
    • Revert an accidental change to how array subscripts are formatted - #1314
    • Never join ;; with the previous line when formatting - #1289
    • Fix a bug where $1[foo] was parsed as a subscript in Zsh - #1288
    • Correctly parse $! in double quotes in Zsh - #1298
    • Allow indexing into special parameters in Zsh - #1299
    • Allow parameter expansions with empty names in Zsh - #1280
  • interp
    • Test against Bash 5.3 and fix three new discrepancies
    • Fix a few bugs related to nameref variables
    • Avoid panics when user input encounters unimplemented features

[3.13.0] - 2026-03-09

This release introduces support for Zsh in the parser and formatter, which was tracked in issue #120 alongside the label https://github.com/mvdan/sh/labels/zsh. While support is not complete, it should be far enough for many use cases.

This release also drops support for Go 1.24 and includes many other enhancements:

  • cmd/shfmt
    • Exit with a non-zero status when -l prints any filenames
    • shfmt -version is now derived from the git current tag, dropping the -ldflags workaround
  • syntax
    • New nodes types and node fields are introduced alongside LangZsh
    • LangVariant is now a bitset, allowing the use of sets like "Bash-like"
    • Add InteractiveSeq and StmtsSeq iterator methods for Parser
    • Stop exposing the internal buffer in Printer via struct embedding
    • Support the use of brace expansions like declare {a,b}_c=value
    • Fix a bug where POSIX and Bash incorrectly allowed empty command lists
  • interp
    • Add support for shopt -s dotglob and shopt -s extglob
    • Add support for simple uses of !(expr) extended glob patterns
    • Support more builtin flags for declare, type, read
    • Fix various bugs relating to nulls, errors, and arrays
  • expand
    • Add Config.DotGlob and Config.ExtGlob for the interpreter
    • Add Variable.Flags to get the one-character declare flags
    • Do not force env vars on Windows to be uppercase
    • Fix various bugs relating to glob pattern matching
  • pattern
    • Add GlobLeadingDot and ExtendedOperators for the interpreter
    • Add NegExtGlobError to mark the use of !(expr) negation patterns
Commits
  • 2f3f5e3 CHANGELOG: add entry for v3.13.1
  • 1b77144 CHANGELOG: add late entry for v3.13.0
  • 4fe0cc2 README: bring output in caveats examples up to date
  • d2b044b syntax: only make index expressions compact when it's a comma
  • 1569230 syntax: add test cases for issue #1314
  • e97b2b0 interp: avoid the last panics which can be triggered by users
  • f299f47 cmd/shfmt: --apply-ignore should not skip explicit args based on extension
  • 2315483 interp: fix a few nameref bugs
  • 7e3be04 interp: test with Bash 5.3 and fix three bugs uncovered by it
  • 8852860 pattern: tokenize patterns rune by rune
  • Additional commits viewable in compare view

Updates github.com/google/osv-scanner/v2 from 2.3.2 to 2.4.0

Release notes

Sourced from github.com/google/osv-scanner/v2's releases.

v2.4.0

Features:

  • [Feature #2815](google/osv-scanner#2815) Add support for the CycloneDX 1.7 specification (bumps cyclonedx-go to v0.11.0).
  • [Feature #2799](google/osv-scanner#2799) Enable .csproj and Central Package Management (nugetcpm) source scanning plugins by default.
  • [Feature #2871](google/osv-scanner#2871) Extract and parse Alpine OS distro version (e.g. Alpine:v3.17, Alpine:edge) from PURL distro qualifiers to scan packages under their respective Alpine ecosystems.
  • [Feature #2801](google/osv-scanner#2801) Enable the swift/packageresolved plugin by default to support SwiftURL vulnerability scans.
  • [Feature #2666](google/osv-scanner#2666) Add a Docker-based variant of the pre-commit hook in .pre-commit-hooks.yaml to avoid local compilation.
  • [Feature #2637](google/osv-scanner#2637) Add a new configuration setting ScanGoModVersion (disabled by default) to avoid parsing toolchain version directives directly from go.mod, preventing misleading warnings.
  • [Feature #2772](google/osv-scanner#2772) Scan container images built with Canonical Chisel by enabling the os/chisel extractor plugin.

Fixes:

  • [Bug #2807](google/osv-scanner#2807) Sanitize package name, source, and version fields in the vertical output format to prevent GitHub Actions workflow command injection vulnerabilities from crafted lock files.
  • [Bug #2876](google/osv-scanner#2876) Improve HTML scan report usability by supporting standard click modifiers (Ctrl/Cmd/middle click) to open vulnerabilities in new tabs, and preserving scroll position when switching tabs.
  • [Bug #2783](google/osv-scanner#2783) Keep transitive dependency scanning enabled when specifying the --offline-vulnerabilities flag.
  • [Bug #2808](google/osv-scanner#2808) Deduplicate equivalent OSV matcher requests before executing bulk queries to reduce API overhead.
  • [Bug #2837](google/osv-scanner#2837) Prevent panics during offline matcher scans (e.g. on unsupported GitHub Actions ecosystem) by avoiding parsing errors when checking version ranges.
  • [Bug #2836](google/osv-scanner#2836) Ensure the scanner returns an exit code of 0 when --help or -h is explicitly requested.

Misc:

  • Update Go version to 1.26.4.
  • Update osv-scalibr to v0.4.6-0.20260612031204-164402d9140e.
  • Tag built Docker and GitHub Action images with the major version (e.g. :v2) to allow users to pin to a major version (#2857).

New Contributors

Full Changelog: google/osv-scanner@v2.3.8...v2.4.0

v2.3.8

Fixes:

Misc:

  • Update osv-scalibr to v0.4.6-0.20260504042738-9293bfa4f86f.

v2.3.6

... (truncated)

Changelog

Sourced from github.com/google/osv-scanner/v2's changelog.

v2.4.0

Features:

  • [Feature #2815](google/osv-scanner#2815) Add support for the CycloneDX 1.7 specification (bumps cyclonedx-go to v0.11.0).
  • [Feature #2799](google/osv-scanner#2799) Enable .csproj and Central Package Management (nugetcpm) source scanning plugins by default.
  • [Feature #2871](google/osv-scanner#2871) Extract and parse Alpine OS distro version (e.g. Alpine:v3.17, Alpine:edge) from PURL distro qualifiers to scan packages under their respective Alpine ecosystems.
  • [Feature #2801](google/osv-scanner#2801) Enable the swift/packageresolved plugin by default to support SwiftURL vulnerability scans.
  • [Feature #2666](google/osv-scanner#2666) Add a Docker-based variant of the pre-commit hook in .pre-commit-hooks.yaml to avoid local compilation.
  • [Feature #2637](google/osv-scanner#2637) Add a new configuration setting ScanGoModVersion (disabled by default) to avoid parsing toolchain version directives directly from go.mod, preventing misleading warnings.
  • [Feature #2772](google/osv-scanner#2772) Scan container images built with Canonical Chisel by enabling the os/chisel extractor plugin.

Fixes:

Bumps the gomod group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) | `1.73.1` | `1.77.0` |
| [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) | `1.50.1` | `1.50.2` |
| [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) | `2.17.0` | `2.19.0` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.0` | `0.21.7` |
| [github.com/moby/buildkit](https://github.com/moby/buildkit) | `0.26.3` | `0.31.1` |
| [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.39.1` | `1.42.1` |
| [gocloud.dev](https://github.com/google/go-cloud) | `0.44.0` | `0.46.0` |
| [mvdan.cc/sh/v3](https://github.com/mvdan/sh) | `3.12.0` | `3.13.1` |
| [github.com/google/osv-scanner/v2](https://github.com/google/osv-scanner) | `2.3.2` | `2.4.0` |
| [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) | `2.28.0` | `2.32.0` |
| [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `1.41.0` | `1.46.0` |

Bumps the gomod group with 4 updates in the /tools directory: [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo), [github.com/golangci/golangci-lint/v2](https://github.com/golangci/golangci-lint), [github.com/google/ko](https://github.com/google/ko) and [github.com/goreleaser/goreleaser/v2](https://github.com/goreleaser/goreleaser).


Updates `cloud.google.com/go/bigquery` from 1.73.1 to 1.77.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@bigquery/v1.73.1...spanner/v1.77.0)

Updates `cloud.google.com/go/pubsub` from 1.50.1 to 1.50.2
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.50.1...pubsub/v1.50.2)

Updates `github.com/bradleyfalzon/ghinstallation/v2` from 2.17.0 to 2.19.0
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](bradleyfalzon/ghinstallation@v2.17.0...v2.19.0)

Updates `github.com/google/go-containerregistry` from 0.21.0 to 0.21.7
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.0...v0.21.7)

Updates `github.com/moby/buildkit` from 0.26.3 to 0.31.1
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.26.3...v0.31.1)

Updates `github.com/onsi/gomega` from 1.39.1 to 1.42.1
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.39.1...v1.42.1)

Updates `go.yaml.in/yaml/v2` from 2.4.3 to 2.4.4
- [Commits](yaml/go-yaml@v2.4.3...v2.4.4)

Updates `gocloud.dev` from 0.44.0 to 0.46.0
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](google/go-cloud@v0.44.0...v0.46.0)

Updates `golang.org/x/text` from 0.36.0 to 0.38.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.36.0...v0.38.0)

Updates `mvdan.cc/sh/v3` from 3.12.0 to 3.13.1
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](mvdan/sh@v3.12.0...v3.13.1)

Updates `github.com/google/osv-scanner/v2` from 2.3.2 to 2.4.0
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v2.3.2...v2.4.0)

Updates `github.com/in-toto/attestation` from 1.1.2 to 1.2.0
- [Release notes](https://github.com/in-toto/attestation/releases)
- [Commits](in-toto/attestation@v1.1.2...v1.2.0)

Updates `github.com/onsi/ginkgo/v2` from 2.28.0 to 2.32.0
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.28.0...v2.32.0)

Updates `gitlab.com/gitlab-org/api/client-go` from 1.41.0 to 1.46.0
- [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags)
- [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v1.41.0...v1.46.0)

Updates `cloud.google.com/go/storage` from 1.59.0 to 1.62.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@compute/v1.59.0...compute/v1.62.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

Updates `github.com/onsi/ginkgo/v2` from 2.28.0 to 2.32.0
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.28.0...v2.32.0)

Updates `github.com/onsi/ginkgo/v2` from 2.28.1 to 2.32.0
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.28.0...v2.32.0)

Updates `github.com/golangci/golangci-lint/v2` from 2.10.1 to 2.12.2
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/main/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v2.10.1...v2.12.2)

Updates `github.com/google/ko` from 0.18.1 to 0.19.0
- [Release notes](https://github.com/google/ko/releases)
- [Commits](ko-build/ko@v0.18.1...v0.19.0)

Updates `github.com/goreleaser/goreleaser/v2` from 2.12.2 to 2.16.0
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Commits](goreleaser/goreleaser@v2.12.2...v2.16.0)

Updates `github.com/onsi/ginkgo/v2` from 2.28.1 to 2.32.0
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.28.0...v2.32.0)

Updates `google.golang.org/protobuf` from 1.36.11 to 1.36.12-0.20260120151049-f2248ac996af

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-version: 1.77.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: cloud.google.com/go/pubsub
  dependency-version: 1.50.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/moby/buildkit
  dependency-version: 0.31.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: go.yaml.in/yaml/v2
  dependency-version: 2.4.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: gocloud.dev
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/text
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: mvdan.cc/sh/v3
  dependency-version: 3.13.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/google/osv-scanner/v2
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/in-toto/attestation
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: gitlab.com/gitlab-org/api/client-go
  dependency-version: 1.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: cloud.google.com/go/storage
  dependency-version: 1.62.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/golangci/golangci-lint/v2
  dependency-version: 2.12.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/google/ko
  dependency-version: 0.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/goreleaser/goreleaser/v2
  dependency-version: 2.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.12-0.20260120151049-f2248ac996af
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 29, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 29, 2026 08:26
@dependabot dependabot Bot requested review from jeffmendoza and justaugustus and removed request for a team June 29, 2026 08:26
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 29, 2026
@dependabot dependabot Bot had a problem deploying to integration-test June 29, 2026 08:26 Failure
@dosubot dosubot Bot added the size:XL This PR changes 500-999 lines, ignoring generated files. label Jun 29, 2026
@kusari-inspector

Copy link
Copy Markdown

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The code analysis returned zero findings, confirming no secrets, logic flaws, or workflow issues in the changed files. However, the dependency analysis identified critical vulnerabilities that we strongly recommend addressing before merging. First, github.com/sigstore/rekor v1.5.1 (CVE-2026-48702) contains an unbounded gzip decompression flaw in Alpine APK parsing that is remotely exploitable with no authentication, causing OOM/DoS (CVSS High). A fix is available: upgrade to v1.5.2 in tools/go.mod. Second, software.sslmate.com/src/go-pkcs12 v0.7.1 (GO-2026-5052) allows attackers to bypass password-based authentication when decoding PKCS#12 files from untrusted sources. A fix is available: upgrade to v0.7.3 in tools/go.mod. Third, github.com/aws/aws-sdk-go v1.55.8 (CVE-2020-8911, CVE-2020-8912) remains vulnerable to a CBC padding oracle attack and in-band key negotiation weakness; this package is also deprecated. Remediation requires updating github.com/goreleaser/goreleaser/v2 to a version that pulls in a corrected gocloud.dev, though this involves 100+ transitive dependency bumps that should be carefully validated for build compatibility and new vulnerabilities before applying. Action items: (1) Run 'go get github.com/sigstore/rekor@v1.5.2' in tools/go.mod, (2) Run 'go get software.sslmate.com/src/go-pkcs12@v0.7.3' in tools/go.mod, (3) Evaluate upgrading goreleaser to resolve the aws-sdk-go transitive dependency, validating all transitive bumps. The two actively exploitable vulnerabilities with available fixes represent meaningful supply-chain and runtime risk and should be resolved prior to merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • CRITICAL: github.com/sigstore/rekor v1.5.1 has an active HIGH severity vulnerability (CVE-2026-48702 / GHSA-47q9-m4ww-924m): unbounded gzip decompression in Alpine APK parsing causes OOM/DoS. This is remotely exploitable with no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Dependency path: github.com/goreleaser/goreleaser/v2 -> github.com/sigstore/rekor. Fix: upgrade github.com/sigstore/rekor to v1.5.2 in tools/go.mod: go get github.com/sigstore/rekor@v1.5.2
  • CRITICAL: software.sslmate.com/src/go-pkcs12 v0.7.1 has an active vulnerability (GO-2026-5052 / GHSA-mpwr-8vm7-h73f): users who decode PKCS#12 files from untrusted sources relying on password for authentication can be tricked into accepting malicious PKCS#12 files. Dependency path: github.com/goreleaser/goreleaser/v2 -> software.sslmate.com/src/go-pkcs12. Fix: upgrade to v0.7.3 in tools/go.mod: go get software.sslmate.com/src/go-pkcs12@v0.7.3
  • HIGH: github.com/aws/aws-sdk-go v1.55.8 (indirect, tools/go.mod) remains vulnerable to CVE-2020-8911 (CBC padding oracle, CVSS High: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) and CVE-2020-8912 (in-band key negotiation). The package is also deprecated. Dependency path: github.com/ossf/scorecard/v5 -> gocloud.dev -> github.com/aws/aws-sdk-go. The vulnerabilityFixReport recommends updating github.com/goreleaser/goreleaser/v2 to a version that resolves this via gocloud.dev upgrade. WARNING: This fix involves a large number of transitive dependency bumps (100+ packages including cloud.google.com/go/storage, google.golang.org/grpc, golang.org/x/crypto, github.com/go-git/go-git/v5, and others). Verify that none of these bumps introduce build incompatibilities or new vulnerabilities before applying.

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 7dee1a7, performed at: 2026-06-29T08:31:29Z

Found this helpful? Give it a 👍 or 👎 reaction!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code size:XL This PR changes 500-999 lines, ignoring generated files.

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

0 participants