build(deps): bump github.com/containers/image/v5 from 5.21.1 to 5.30.1

dependabot[bot] commented 1 month ago

Bumps github.com/containers/image/v5 from 5.21.1 to 5.30.1.

Release notes

Sourced from github.com/containers/image/v5's releases.

v5.30.1

This fixes CVE-2024-3727 .

Digest values used throughout this library were not always validated. That allowed attackers to trigger, when pulling untrusted images, unexpected authenticated registry accesses on behalf of a victim user.

In less common uses of this library (using other transports or not using the containers/image/v5/copy.Image API), an attacker could also trigger local path traversals or crashes.

v5.30.0

What's Changed

A fair number of improvements when working with zstd and zstd:chunked-compressed images.

Note that make install now installs policy.json and registries.d/default.yaml.

Refuse compression to zstd when using schema1 by @mtrmac in containers/image#2196

Don't expose local account details in oci-archive tar files by @mtrmac in containers/image#2202

Trigger a conversion to OCI when compressing to Zstd by @mtrmac in containers/image#2204

Add buildtags to avoid fulcio and rekor dependencies by @siretart in containers/image#2180

copy: do not fail if digest mismatches by @giuseppe in containers/image#1980

Moving policy.json and default.yaml from containers/skopeo by @rahilarious in containers/image#2215

Embrace codespell: config, workflow (to alert when new typos added) and get typos fixed by @yarikoptic in containers/image#2214

Fix raspberry pi zero cpu variant recognition by @lstolcman in containers/image#2086

storage: validate images converted to zstd:chunked by @giuseppe in containers/image#2243

Make blob reuse choices manifest-format-sensitive, and allow conversions when writing to format-agnostic transports by @mtrmac in containers/image#2213

Edit the manifest when pushing uncompressed data from c/storage by @mtrmac in containers/image#2273

Random storage-related cleanups by @mtrmac in containers/image#2287

Improve storage transport documentation, primarily about locking by @mtrmac in containers/image#2291

Fix c/storage destination with partial pulls by @mtrmac in containers/image#2288

Fix manifest updates when we match a layer by TOC digest by @mtrmac in containers/image#2294

Cleanly fail when trying to obtain a DiffID of a non-OCI image by @mtrmac in containers/image#2295

Beautify TOC-related parts of storageImageSource by @mtrmac in containers/image#2296

storage: use the new ApplyStagedLayer interface by @giuseppe in containers/image#2301

Also annotate image instances using zstd:chunked as using zstd by @mtrmac in containers/image#2302

Support editing ArtifactType, preserve it in lists by @nalind in containers/image#2304

Provide data to correctly report throughput on partial pulls by @mtrmac in containers/image#2308

Add validation error to digesting reader by @saschagrunert in containers/image#2312

Fix handling of errors when fetching layers by URLs by @mtrmac in containers/image#2310

Improve handling of zstd vs. zstd:chunked matching by @mtrmac in containers/image#2317

New Contributors

@rahilarious made their first contribution in containers/image#2215

@yarikoptic made their first contribution in containers/image#2214

@lstolcman made their first contribution in containers/image#2086

@bainsy88 made their first contribution in containers/image#2260

Full Changelog: https://github.com/containers/image/compare/v5.29.2...v5.30.0

v5.29.2

What's Changed

[release-5.29] backport Docker Daemon fix by @TomSweeneyRedHat in containers/image#2270

[release-5.29] Tag 5.29.1 by @mtrmac in containers/image#2253

... (truncated)

Commits

56e750a Release 5.30.1
132678b Merge pull request #2404 from mtrmac/digest-unmarshal-5.30
b724ee7 Validate the tags returned by a registry
a9225e4 Call .Validate() before digest.Digest.String() if necessary
4a3785d Refactor the error handling further
a802d65 Refactor the error handling path of saveStream
39e7c91 Call .Validate() before digest.Hex() / digest.Encoded()
2bcb834 Validate digests before using them
b29bde5 Bump to v5.30.0
3cc0bb4 Merge pull request #2328 from containers/renovate/github.com-containers-stora...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

ks-ci-bot commented 1 month ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot] To complete the pull request process, please assign pixiake after the PR has been reviewed. You can assign the PR to them by writing /assign @pixiake in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files: - **[OWNERS](https://github.com/kubesphere/kubekey/blob/master/OWNERS)** Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment