This release makes some minor improvements to SecureJoin:
Some changes were made to how lexical components are handled during
resolution. There is no change in behaviour, and both implementations
are safe, however the newer implementation is much easier to reason
about.
The error returned when a symlink loop has been detected will now
reference the correct path. #10
build(deps): bump apache/skywalking-eyes from a790ab8dd23a7f861c18bd6aaa9b012e3a234bce to cd7b195c51fd3d6ad52afceb760719ddc6b3ee91 by @dependabot in notaryproject/notation-core-go#197
build(deps): Bump github.com/aws/aws-sdk-go from 1.53.10 to 1.53.14 in /pkg/signature/kms/aws in the all group by @dependabot in sigstore/sigstore#1740
build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 in /pkg/signature/kms/azure in the all group by @dependabot in sigstore/sigstore#1755
build(deps): Bump github.com/hashicorp/go-retryablehttp from 0.7.6 to 0.7.7 in /pkg/signature/kms/hashivault by @dependabot in sigstore/sigstore#1766
build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.6.0 to 1.7.0 in /pkg/signature/kms/azure in the all group by @dependabot in sigstore/sigstore#1762
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
dependabot[bot]
commented
1 week ago
Bumps the go-deps group with 8 updates in the / directory:
0.2.40.2.50.37.10.38.07.0.707.0.721.0.21.0.31.1.01.1.11.19.01.19.11.8.31.8.50.177.00.186.0Updates
github.com/cyphar/filepath-securejoinfrom 0.2.4 to 0.2.5Release notes
Sourced from github.com/cyphar/filepath-securejoin's releases.
Commits
d861a11VERSION: release v0.2.587bc53ajoin: fix ELOOP error pathe9be397join: don't allow .. and . in working path during resolution75cdbeagha: update Go versionsb69b737VERSION: back to developmentUpdates
github.com/fluxcd/pkg/ocifrom 0.37.1 to 0.38.0Commits
328e8e9Merge pull request #776 from fluxcd/cache-authnbb65fa7Addapting testsb743354cache authenticator retrieved when login to a providere79914fMerge pull request #782 from fluxcd/dependabot/github_actions/ci-840fb89e3c5ea6862build(deps): bump the ci group with 2 updates61276f4Merge pull request #766 from fluxcd/enable-cachin-auth-tokensd838d8aAdd a store interface with default implementationsd5e16a5Merge pull request #780 from fluxcd/dependabot/github_actions/ci-4193280b194593823build(deps): bump github/codeql-action in the ci group1bfad58Merge pull request #779 from fluxcd/dependabot/github_actions/ci-af70b21c0fUpdates
github.com/minio/minio-go/v7from 7.0.70 to 7.0.72Release notes
Sourced from github.com/minio/minio-go/v7's releases.
Commits
0b004e3add support for '*' in etag matchfa174cbKeep all x-minio- headers as-is (#1970)b952833Update version to next release14b3aa6Add ListMultipartUploads mint tests (#1963)7d712b5feat: support tags for postPolicy Upload (#1967)95db455Add support for DelMarkerExpiration element (#1959)88c389dUpdate version to next releaseUpdates
github.com/notaryproject/notation-core-gofrom 1.0.2 to 1.0.3Release notes
Sourced from github.com/notaryproject/notation-core-go's releases.
Commits
4211b09build(deps): bump golang.org/x/crypto from 0.22.0 to 0.23.0 (#204)6f8b75cbuild(deps): bump actions/stale from 8 to 9 (#195)ff5e5b8build(deps): bump apache/skywalking-eyes from a790ab8dd23a7f861c18bd6aaa9b012...f624dfdbuild(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#200)356b30efix: leaf certificate validation (#202)9f13c9efix(ci): update codecov token (#199)66ff8c2chore: org maintainers update (#196)807a338bump: bump up golang version to v1.21 (#194)9a2ff9echore: add GitHub action for stale issues and PRs (#174)93218d9build(deps): bump golang.org/x/crypto from 0.18.0 to 0.21.0 (#193)Updates
github.com/notaryproject/notation-gofrom 1.1.0 to 1.1.1Release notes
Sourced from github.com/notaryproject/notation-go's releases.
Commits
94a0e13revert: "feat: add support for signing blob (#379)" (#411)1a5b3e3ci: enable ci for release branch (#409)254dfcdbump: bump up notation-core-go v1.0.3 (#407)b7fde51fix: error message for dangling reference index (#402)b8508d0test: improve test coverage to 80% (#405)5e98995build(deps): bump golang.org/x/crypto from 0.22.0 to 0.23.0 (#403)378ee83build(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#396)a901939build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.7 to 3.4.8 (#399)97a5a86build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.6 to 3.4.7 (#395)442ece7build(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0 (#397)Updates
github.com/prometheus/client_golangfrom 1.19.0 to 1.19.1Release notes
Sourced from github.com/prometheus/client_golang's releases.
Changelog
Sourced from github.com/prometheus/client_golang's changelog.
Commits
6e3f4b1Cut 1.19.1 (#1494)cad1bfaMerge pull request #1454 from prometheus/small-nits0aa8c9fRephrase incompatibility with common v0.48.0Updates
github.com/sigstore/sigstorefrom 1.8.3 to 1.8.5Release notes
Sourced from github.com/sigstore/sigstore's releases.
Commits
63cab17sync go mod115c2b2build(deps): Bump the all group across 1 directory with 6 updates8503e22build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity39973a8build(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updates58a8301build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates71ace11build(deps): Bump github.com/hashicorp/go-retryablehttpb777e4bbuild(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity5ea648cbuild(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updatesa3666d9build(deps): Bump the all group in /test/e2e with 2 updates2e4753abuild(deps): Bump the all group in /pkg/signature/kms/aws with 2 updatesUpdates
golang.org/x/cryptofrom 0.22.0 to 0.24.0Commits
332fd65go.mod: update golang.org/x dependencies0b431c7x509roots/fallback: update bundle349231fssh: implement CryptoPublicKey on sk keys44c9b0fssh: allow server auth callbacks to send additional banners67b1361sha3: reenable s390x assembly477a5b4sha3: make APIs usable with zero allocations59b5a86sha3: disable s390x assembly10f366esha3: simplify XOR functions905d78ago.mod: update golang.org/x dependenciesebb717dssh: validate key type in SSH_MSG_USERAUTH_PK_OK responseUpdates
google.golang.org/apifrom 0.177.0 to 0.186.0Release notes
Sourced from google.golang.org/api's releases.
... (truncated)
Changelog
Sourced from google.golang.org/api's changelog.
... (truncated)
Commits
89bc0dcchore(main): release 0.186.0 (#2642)6c8b3b9chore: bump auth lib dep (#2654)bc370a7feat(all): auto-regenerate discovery clients (#2653)ddb2d15chore(all): update module github.com/googleapis/gax-go/v2 to v2.12.5 (#2651)10c47f3feat(all): auto-regenerate discovery clients (#2652)695484bfeat(all): auto-regenerate discovery clients (#2649)1bac79dfeat(all): auto-regenerate discovery clients (#2648)c1a7681feat(all): auto-regenerate discovery clients (#2645)1fcd83dchore: add simple readme for generator (#2633)20ffdd8feat(all): auto-regenerate discovery clients (#2644)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show