This release makes some minor improvements to SecureJoin:

- Some changes were made to how lexical components are handled during resolution. There is no change in behaviour, and both implementations are safe, however the newer implementation is much easier to reason about.
- The error returned when a symlink loop has been detected will now reference the correct path. #10

- build(deps): bump apache/skywalking-eyes from a790ab8dd23a7f861c18bd6aaa9b012e3a234bce to cd7b195c51fd3d6ad52afceb760719ddc6b3ee91 by @dependabot in notaryproject/notation-core-go#197
- build(deps): Bump github.com/aws/aws-sdk-go from 1.53.10 to 1.53.14 in /pkg/signature/kms/aws in the all group by @dependabot in sigstore/sigstore#1740
- build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 in /pkg/signature/kms/azure in the all group by @dependabot in sigstore/sigstore#1755
- build(deps): Bump github.com/hashicorp/go-retryablehttp from 0.7.6 to 0.7.7 in /pkg/signature/kms/hashivault by @dependabot in sigstore/sigstore#1766
- build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.6.0 to 1.7.0 in /pkg/signature/kms/azure in the all group by @dependabot in sigstore/sigstore#1762

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
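
Bumps the go-deps group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/cyphar/filepath-securejoin | 0.2.4 | 0.2.5 |
| github.com/fluxcd/pkg/oci | 0.37.1 | 0.38.1 |
| github.com/minio/minio-go/v7 | 7.0.70 | 7.0.73 |
| github.com/notaryproject/notation-core-go | 1.0.2 | 1.0.3 |
| github.com/notaryproject/notation-go | 1.1.0 | 1.1.1 |
| github.com/prometheus/client_golang | 1.19.0 | 1.19.1 |
| github.com/sigstore/sigstore | 1.8.3 | 1.8.6 |
| google.golang.org/api | 0.177.0 | 0.187.0 |
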
Updates
`github.com/cyphar/filepath-securejoin` from 0.2.4 to 0.2.5

Release notes
Sourced from github.com/cyphar/filepath-securejoin's releases.

Commits
- `d861a11` VERSION: release v0.2.5
- `87bc53a` join: fix ELOOP error path
- `e9be397` join: don't allow .. and . in working path during resolution
- `75cdbea` gha: update Go versions
- `b69b737` VERSION: back to development

Updates
`github.com/fluxcd/pkg/oci` from 0.37.1 to 0.38.1

Commits
- `c647aea` Merge pull request #784 from fluxcd/cache-key-fix
- `8a3ba60` Cache credentials tokens
- `c8409c0` Merge pull request #785 from fluxcd/dependabot/github_actions/ci-6034f0241a
- `6be12d4` build(deps): bump github/codeql-action in the ci group
- `e8251e1` Merge pull request #783 from Skarlso/add-option-to-skip-gzip
- `e6984b4` feat: add un-taring plain, unzipped tar files
- `328e8e9` Merge pull request #776 from fluxcd/cache-authn
- `bb65fa7` Addapting tests
- `b743354` cache authenticator retrieved when login to a provider
- `e79914f` Merge pull request #782 from fluxcd/dependabot/github_actions/ci-840fb89e3c

Updates
`github.com/minio/minio-go/v7` from 7.0.70 to 7.0.73

Release notes
Sourced from github.com/minio/minio-go/v7's releases.

Commits
- `60eddd7` Fix missing CompleteMultipartUpload SSE-C (#1980)
- `e0ba2df` fix replication validation for Role ARN (#1978)
- `b28095b` Add ca-west-1 endpoint (#1971)
- `86e4405` upgrade all deps and replace gopkg.in for ini with go module (#1977)
- `5d99621` Update version to next release
- `0b004e3` add support for '*' in etag match
- `fa174cb` Keep all x-minio- headers as-is (#1970)
- `b952833` Update version to next release
- `14b3aa6` Add ListMultipartUploads mint tests (#1963)
- `7d712b5` feat: support tags for postPolicy Upload (#1967)

Updates
`github.com/notaryproject/notation-core-go` from 1.0.2 to 1.0.3

Release notes
Sourced from github.com/notaryproject/notation-core-go's releases.

Commits
- `4211b09` build(deps): bump golang.org/x/crypto from 0.22.0 to 0.23.0 (#204)
- `6f8b75c` build(deps): bump actions/stale from 8 to 9 (#195)
- `ff5e5b8` build(deps): bump apache/skywalking-eyes from a790ab8dd23a7f861c18bd6aaa9b012...
- `f624dfd` build(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#200)
- `356b30e` fix: leaf certificate validation (#202)
- `9f13c9e` fix(ci): update codecov token (#199)
- `66ff8c2` chore: org maintainers update (#196)
- `807a338` bump: bump up golang version to v1.21 (#194)
- `9a2ff9e` chore: add GitHub action for stale issues and PRs (#174)
- `93218d9` build(deps): bump golang.org/x/crypto from 0.18.0 to 0.21.0 (#193)

Updates
`github.com/notaryproject/notation-go` from 1.1.0 to 1.1.1

Release notes
Sourced from github.com/notaryproject/notation-go's releases.

Commits
- `94a0e13` revert: "feat: add support for signing blob (#379)" (#411)
- `1a5b3e3` ci: enable ci for release branch (#409)
- `254dfcd` bump: bump up notation-core-go v1.0.3 (#407)
- `b7fde51` fix: error message for dangling reference index (#402)
- `b8508d0` test: improve test coverage to 80% (#405)
- `5e98995` build(deps): bump golang.org/x/crypto from 0.22.0 to 0.23.0 (#403)
- `378ee83` build(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#396)
- `a901939` build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.7 to 3.4.8 (#399)
- `97a5a86` build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.6 to 3.4.7 (#395)
- `442ece7` build(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0 (#397)

Updates
`github.com/prometheus/client_golang` from 1.19.0 to 1.19.1

Release notes
Sourced from github.com/prometheus/client_golang's releases.

Changelog
Sourced from github.com/prometheus/client_golang's changelog.

Commits
- `6e3f4b1` Cut 1.19.1 (#1494)
- `cad1bfa` Merge pull request #1454 from prometheus/small-nits
- `0aa8c9f` Rephrase incompatibility with common v0.48.0

Updates
`github.com/sigstore/sigstore` from 1.8.3 to 1.8.6

Release notes
Sourced from github.com/sigstore/sigstore's releases.
... (truncated)

Commits
- `5d4e11e` Bump goodkey, fix breakage (#1761)
- `63cab17` sync go mod
- `115c2b2` build(deps): Bump the all group across 1 directory with 6 updates
- `8503e22` build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
- `39973a8` build(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updates
- `58a8301` build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates
- `71ace11` build(deps): Bump github.com/hashicorp/go-retryablehttp
- `b777e4b` build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
- `5ea648c` build(deps): Bump the all group in /pkg/signature/kms/gcp with 2 updates
- `a3666d9` build(deps): Bump the all group in /test/e2e with 2 updates

Updates
`golang.org/x/crypto` from 0.22.0 to 0.24.0

Commits
- `332fd65` go.mod: update golang.org/x dependencies
- `0b431c7` x509roots/fallback: update bundle
- `349231f` ssh: implement CryptoPublicKey on sk keys
- `44c9b0f` ssh: allow server auth callbacks to send additional banners
- `67b1361` sha3: reenable s390x assembly
- `477a5b4` sha3: make APIs usable with zero allocations
- `59b5a86` sha3: disable s390x assembly
- `10f366e` sha3: simplify XOR functions
- `905d78a` go.mod: update golang.org/x dependencies
- `ebb717d` ssh: validate key type in SSH_MSG_USERAUTH_PK_OK response

Updates
`google.golang.org/api` from 0.177.0 to 0.187.0

Release notes
Sourced from google.golang.org/api's releases.
... (truncated)

Changelog
Sourced from google.golang.org/api's changelog.
... (truncated)

Commits
- `b6c87f6` chore(main): release 0.187.0 (#2656)
- `e051997` fix: pass through gRPC api key option to new auth lib (#2664)
- `2ea4e07` chore(all): update all to dc46fd2 (#2662)
- `6e061ce` feat(all): auto-regenerate discovery clients (#2663)
- `0a238f5` feat(all): auto-regenerate discovery clients (#2661)
- `3ca2f84` feat(all): auto-regenerate discovery clients (#2660)
- `7cd88da` feat(all): auto-regenerate discovery clients (#2659)
- `a758bc1` fix(gensupport): wrap chunk upload err for retries (#2657)
- `719f988` feat(all): auto-regenerate discovery clients (#2658)
- `1a28e06` feat(all): auto-regenerate discovery clients (#2655)