🌱 Bump the gomod group across 2 directories with 20 updates#5107
🌱 Bump the gomod group across 2 directories with 20 updates#5107dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the gomod group with 11 updates in the / directory: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) | `1.73.1` | `1.77.0` | | [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) | `1.50.1` | `1.50.2` | | [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) | `2.17.0` | `2.19.0` | | [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.0` | `0.21.7` | | [github.com/moby/buildkit](https://github.com/moby/buildkit) | `0.26.3` | `0.31.1` | | [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.39.1` | `1.42.1` | | [gocloud.dev](https://github.com/google/go-cloud) | `0.44.0` | `0.46.0` | | [mvdan.cc/sh/v3](https://github.com/mvdan/sh) | `3.12.0` | `3.13.1` | | [github.com/google/osv-scanner/v2](https://github.com/google/osv-scanner) | `2.3.2` | `2.4.0` | | [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) | `2.28.0` | `2.32.0` | | [gitlab.com/gitlab-org/api/client-go](https://gitlab.com/gitlab-org/api/client-go) | `1.41.0` | `1.46.0` | Bumps the gomod group with 4 updates in the /tools directory: [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo), [github.com/golangci/golangci-lint/v2](https://github.com/golangci/golangci-lint), [github.com/google/ko](https://github.com/google/ko) and [github.com/goreleaser/goreleaser/v2](https://github.com/goreleaser/goreleaser). Updates `cloud.google.com/go/bigquery` from 1.73.1 to 1.77.0 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.73.1...spanner/v1.77.0) Updates `cloud.google.com/go/pubsub` from 1.50.1 to 1.50.2 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@pubsub/v1.50.1...pubsub/v1.50.2) Updates `github.com/bradleyfalzon/ghinstallation/v2` from 2.17.0 to 2.19.0 - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.17.0...v2.19.0) Updates `github.com/google/go-containerregistry` from 0.21.0 to 0.21.7 - [Release notes](https://github.com/google/go-containerregistry/releases) - [Commits](google/go-containerregistry@v0.21.0...v0.21.7) Updates `github.com/moby/buildkit` from 0.26.3 to 0.31.1 - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.26.3...v0.31.1) Updates `github.com/onsi/gomega` from 1.39.1 to 1.42.1 - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.39.1...v1.42.1) Updates `go.yaml.in/yaml/v2` from 2.4.3 to 2.4.4 - [Commits](yaml/go-yaml@v2.4.3...v2.4.4) Updates `gocloud.dev` from 0.44.0 to 0.46.0 - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.44.0...v0.46.0) Updates `golang.org/x/text` from 0.36.0 to 0.38.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.36.0...v0.38.0) Updates `mvdan.cc/sh/v3` from 3.12.0 to 3.13.1 - [Release notes](https://github.com/mvdan/sh/releases) - [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md) - [Commits](mvdan/sh@v3.12.0...v3.13.1) Updates `github.com/google/osv-scanner/v2` from 2.3.2 to 2.4.0 - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v2.3.2...v2.4.0) Updates `github.com/in-toto/attestation` from 1.1.2 to 1.2.0 - [Release notes](https://github.com/in-toto/attestation/releases) - [Commits](in-toto/attestation@v1.1.2...v1.2.0) Updates `github.com/onsi/ginkgo/v2` from 2.28.0 to 2.32.0 - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.28.0...v2.32.0) Updates `gitlab.com/gitlab-org/api/client-go` from 1.41.0 to 1.46.0 - [Release notes](https://gitlab.com/gitlab-org/api/client-go/tags) - [Changelog](https://gitlab.com/gitlab-org/api/client-go/blob/main/CHANGELOG.md) - [Commits](https://gitlab.com/gitlab-org/api/client-go/compare/v1.41.0...v1.46.0) Updates `cloud.google.com/go/storage` from 1.59.0 to 1.62.0 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@compute/v1.59.0...compute/v1.62.0) Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0 - [Commits](golang/oauth2@v0.35.0...v0.36.0) Updates `github.com/onsi/ginkgo/v2` from 2.28.0 to 2.32.0 - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.28.0...v2.32.0) Updates `github.com/onsi/ginkgo/v2` from 2.28.1 to 2.32.0 - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.28.0...v2.32.0) Updates `github.com/golangci/golangci-lint/v2` from 2.10.1 to 2.12.2 - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/main/CHANGELOG.md) - [Commits](golangci/golangci-lint@v2.10.1...v2.12.2) Updates `github.com/google/ko` from 0.18.1 to 0.19.0 - [Release notes](https://github.com/google/ko/releases) - [Commits](ko-build/ko@v0.18.1...v0.19.0) Updates `github.com/goreleaser/goreleaser/v2` from 2.12.2 to 2.16.0 - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Commits](goreleaser/goreleaser@v2.12.2...v2.16.0) Updates `github.com/onsi/ginkgo/v2` from 2.28.1 to 2.32.0 - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.28.0...v2.32.0) Updates `google.golang.org/protobuf` from 1.36.11 to 1.36.12-0.20260120151049-f2248ac996af --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-version: 1.77.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: cloud.google.com/go/pubsub dependency-version: 1.50.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-version: 2.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/google/go-containerregistry dependency-version: 0.21.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: github.com/moby/buildkit dependency-version: 0.31.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/onsi/gomega dependency-version: 1.42.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: go.yaml.in/yaml/v2 dependency-version: 2.4.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod - dependency-name: gocloud.dev dependency-version: 0.46.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: golang.org/x/text dependency-version: 0.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: mvdan.cc/sh/v3 dependency-version: 3.13.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/google/osv-scanner/v2 dependency-version: 2.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/in-toto/attestation dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/onsi/ginkgo/v2 dependency-version: 2.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: gitlab.com/gitlab-org/api/client-go dependency-version: 1.46.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: cloud.google.com/go/storage dependency-version: 1.62.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: golang.org/x/oauth2 dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/onsi/ginkgo/v2 dependency-version: 2.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/onsi/ginkgo/v2 dependency-version: 2.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/golangci/golangci-lint/v2 dependency-version: 2.12.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/google/ko dependency-version: 0.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/goreleaser/goreleaser/v2 dependency-version: 2.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: github.com/onsi/ginkgo/v2 dependency-version: 2.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gomod - dependency-name: google.golang.org/protobuf dependency-version: 1.36.12-0.20260120151049-f2248ac996af dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot] <support@github.com>
Kusari Analysis Results:Caution Flagged Issues Detected The code analysis returned zero findings, confirming no secrets, logic flaws, or workflow issues in the changed files. However, the dependency analysis identified critical vulnerabilities that we strongly recommend addressing before merging. First, github.com/sigstore/rekor v1.5.1 (CVE-2026-48702) contains an unbounded gzip decompression flaw in Alpine APK parsing that is remotely exploitable with no authentication, causing OOM/DoS (CVSS High). A fix is available: upgrade to v1.5.2 in tools/go.mod. Second, software.sslmate.com/src/go-pkcs12 v0.7.1 (GO-2026-5052) allows attackers to bypass password-based authentication when decoding PKCS#12 files from untrusted sources. A fix is available: upgrade to v0.7.3 in tools/go.mod. Third, github.com/aws/aws-sdk-go v1.55.8 (CVE-2020-8911, CVE-2020-8912) remains vulnerable to a CBC padding oracle attack and in-band key negotiation weakness; this package is also deprecated. Remediation requires updating github.com/goreleaser/goreleaser/v2 to a version that pulls in a corrected gocloud.dev, though this involves 100+ transitive dependency bumps that should be carefully validated for build compatibility and new vulnerabilities before applying. Action items: (1) Run 'go get github.com/sigstore/rekor@v1.5.2' in tools/go.mod, (2) Run 'go get software.sslmate.com/src/go-pkcs12@v0.7.3' in tools/go.mod, (3) Evaluate upgrading goreleaser to resolve the aws-sdk-go transitive dependency, validating all transitive bumps. The two actively exploitable vulnerabilities with available fixes represent meaningful supply-chain and runtime risk and should be resolved prior to merging. Note View full detailed analysis result for more information on the output and the checks that were run. Required Dependency Mitigations
Found this helpful? Give it a 👍 or 👎 reaction! |
Bumps the gomod group with 11 updates in the / directory:
1.73.11.77.01.50.11.50.22.17.02.19.00.21.00.21.70.26.30.31.11.39.11.42.10.44.00.46.03.12.03.13.12.3.22.4.02.28.02.32.01.41.01.46.0Bumps the gomod group with 4 updates in the /tools directory: github.com/onsi/ginkgo/v2, github.com/golangci/golangci-lint/v2, github.com/google/ko and github.com/goreleaser/goreleaser/v2.
Updates
cloud.google.com/go/bigqueryfrom 1.73.1 to 1.77.0Commits
7cd2512chore(main): release spanner 1.77.0 (#11634)28f0030chore(all): fix out-of-sync version.go files (#11684)655de36feat(spanner): Support REPEATABLE_READ for RW transaction (#11654)60dc167fix(aiplatform): remove VertexAISearch.engine option (#11681)3f23a91fix(aiplatform): An existing google.api.http annotationhttp_uriis changed...e87cedcchore: remove resourcesettings (#11678)d662a45feat(spanner): add option for LastStatement in transaction (#11638)9e508d0chore: release main (#11623)601e742feat(bigquery/reservation): Add a new fieldreplication_statusto `.google....1eb601echore(firestore): expose the Firestore.executePipeline API to the preview bra...Updates
cloud.google.com/go/pubsubfrom 1.50.1 to 1.50.2Commits
e2bbf19chore: librarian release pull request: 20260331T202405Z (#14314)4e6350fchore: librarian release pull request: 20260331T201226Z (#14312)7c26e42chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /interna...e5b2057chore(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 in /internal/g...97d824dfeat(firestore): add WithAlwaysUseImplicitOrderBy option (#14260)eb1fe4cchore: librarian release pull request: 20260331T193117Z (#14310)8a34364feat(bigtable): check alts if we return permission denied for pingandwarm (#...98a546dchore: update version.go template (#14307)efb8c17chore: add biglake and hive (#14306)4c0232afix(pubsub): check for nil concurrency control span (#14303)Updates
github.com/bradleyfalzon/ghinstallation/v2from 2.17.0 to 2.19.0Release notes
Sourced from github.com/bradleyfalzon/ghinstallation/v2's releases.
Commits
c8d44a3Merge pull request #190 from bradleyfalzon/dependabot/github_actions/actions-...258bb5fMerge pull request #192 from asvoboda/as/upgrade-882e06ce4Update go-github to v887d6dce6Bump the actions group across 1 directory with 2 updates749b4c6Update go-github to v851237274Bump golangci/golangci-lint-action from 8.0.0 to 9.2.0c9c5e67Bump actions/checkout from 5.0.0 to 6.0.2f5640e5Update google/go-github to v846e26acbdrop deprecated go versions0e0f2d4fix lintsUpdates
github.com/google/go-containerregistryfrom 0.21.0 to 0.21.7Release notes
Sourced from github.com/google/go-containerregistry's releases.
... (truncated)
Commits
c68d899Bump go version to 1.26.4 (#2350)da61d86transport: do not re-attach bearer token after cross-host redirect (#2349)09fe1e5fix(tarball): normalize paths when matching files (#2334)5baa399build(deps): bump the go-deps group across 3 directories with 4 updates (#2348)97a8a17fix(transport): apply refreshed bearer token after cross-host redirect (#2337)e963497internal/gzip: fix goroutine leak in ReadCloserLevel (#2347)02649eafix: prevent SSRF in google.List() pagination (#2332)7204b40build(deps): bump the actions group across 1 directory with 2 updates (#2344)4cfaa93build(deps): bump the go-deps group across 1 directory with 2 updates (#2343)6849394pkg/registry: export RedirectError (#2177)Updates
github.com/moby/buildkitfrom 0.26.3 to 0.31.1Release notes
Sourced from github.com/moby/buildkit's releases.
... (truncated)
Commits
673b7e0Merge pull request #6896 from tonistiigi/v0.31.1-picks81ce1c6ci: tolerate empty test matrix includes69a3924user: limit size of parsed passwd/group files3ea6dd0security: validate exec security modesc411f0aMerge pull request #6876 from thaJeztah/bump_runcf292e5cDockerfile: update runc binary to v1.3.6d31ba4aMerge pull request #6867 from okhowang/fix/platforms-data-racee819928Merge pull request #6869 from crazy-max/update-policy-helperse4d0dbachore: update generated filesc13539bvendor: update policy-helpers to d5411a945cfcUpdates
github.com/onsi/gomegafrom 1.39.1 to 1.42.1Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
ced6c1cv1.42.12beb9fbv1.42.1 (full)006cd2cbump al lthe things35ca084v1.42.0d72697bv1.42.0 (full)1f95d86add a set of claude skills as a marketplace pluginaf2bccbv1.41.073e81f6v1.41.0 (full)e35a84ffeat: devcontainer configuration with local pkgsite and GH pagesf12e5e1fix(format): detect pointer cycles to avoid runaway formatting outputUpdates
go.yaml.in/yaml/v2from 2.4.3 to 2.4.4Commits
43b627aReplace gopkg.in/check.v1 with the standard testing libraryUpdates
gocloud.devfrom 0.44.0 to 0.46.0Release notes
Sourced from gocloud.dev's releases.
... (truncated)
Commits
60f0d74all: prereleasea1725f0blob/s3blob: migrate from deprecated s3/manager to s3/transfermanager (#3717)7eadd65aws: add AWS IAM Role assumption support (#3716)054c82epostgres/awspostgres: add IAM authentication support (#3713)2b85c85docs: fix Pub/Sub subscribe wording (#3714)b9dee8dbuild: add top-level permissions restriction to tests workflow (#3711)45a8cfcdocstore: support unwrapping ActionListError for use with errors.Is (#3705)78b5976all: support typed errors and errors.Is for error codes (#3708)595f8b6all: update another otel dep (#3701)c903aefall: update otel deps (#3699)Updates
golang.org/x/textfrom 0.36.0 to 0.38.0Commits
f4bb632go.mod: update golang.org/x dependencies3ef517ego.mod: update golang.org/x dependenciesUpdates
mvdan.cc/sh/v3from 3.12.0 to 3.13.1Release notes
Sourced from mvdan.cc/sh/v3's releases.
... (truncated)
Changelog
Sourced from mvdan.cc/sh/v3's changelog.
Commits
2f3f5e3CHANGELOG: add entry for v3.13.11b77144CHANGELOG: add late entry for v3.13.04fe0cc2README: bring output in caveats examples up to dated2b044bsyntax: only make index expressions compact when it's a comma1569230syntax: add test cases for issue #1314e97b2b0interp: avoid the last panics which can be triggered by usersf299f47cmd/shfmt: --apply-ignore should not skip explicit args based on extension2315483interp: fix a few nameref bugs7e3be04interp: test with Bash 5.3 and fix three bugs uncovered by it8852860pattern: tokenize patterns rune by runeUpdates
github.com/google/osv-scanner/v2from 2.3.2 to 2.4.0Release notes
Sourced from github.com/google/osv-scanner/v2's releases.
... (truncated)
Changelog
Sourced from github.com/google/osv-scanner/v2's changelog.