paketo-buildpacks / bundle-install

A Cloud Native Buildpack to install gems from a Gemfile
Apache License 2.0
7 stars 6 forks source link

Bump the go-modules group across 1 directory with 47 updates #660

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 3 months ago

Bumps the go-modules group with 24 updates in the / directory:

Package From To
github.com/paketo-buildpacks/occam 0.18.2 0.18.7
dario.cat/mergo 1.0.0 1.0.1
github.com/BurntSushi/toml 1.3.2 1.4.0
github.com/DataDog/zstd 1.5.5 1.5.6
github.com/Microsoft/hcsshim 0.11.7 0.12.6
github.com/cloudflare/circl 1.3.7 1.4.0
github.com/cyphar/filepath-securejoin 0.2.4 0.3.1
github.com/docker/docker-credential-helpers 0.8.1 0.8.2
github.com/gabriel-vasile/mimetype 1.4.3 1.4.5
github.com/go-git/go-git/v5 5.11.0 5.12.0
github.com/huandu/xstrings 1.4.0 1.5.0
github.com/klauspost/compress 1.17.7 1.17.9
github.com/knqyf263/go-rpmdb 0.0.0-20230301153543-ba94b245509b 0.1.1
github.com/mattn/go-runewidth 0.0.15 0.0.16
github.com/moby/sys/sequential 0.5.0 0.6.0
github.com/moby/sys/user 0.1.0 0.3.0
github.com/sassoftware/go-rpmutils 0.3.0 0.4.0
github.com/shirou/gopsutil/v3 3.24.1 3.24.5
github.com/shopspring/decimal 1.3.1 1.4.0
github.com/spdx/tools-golang 0.5.3 0.5.5
github.com/spf13/cast 1.6.0 1.7.0
github.com/sylabs/sif/v2 2.15.1 2.19.0
github.com/tklauser/go-sysconf 0.3.13 0.3.14
github.com/vbatts/go-mtree 0.5.3 0.5.4

Updates github.com/paketo-buildpacks/occam from 0.18.2 to 0.18.7

Release notes

Sourced from github.com/paketo-buildpacks/occam's releases.

v0.18.7

What's Changed

Full Changelog: https://github.com/paketo-buildpacks/occam/compare/v0.18.6...v0.18.7

v0.18.6

What's Changed

Full Changelog: https://github.com/paketo-buildpacks/occam/compare/v0.18.5...v0.18.6

v0.18.5

What's Changed

Full Changelog: https://github.com/paketo-buildpacks/occam/compare/v0.18.4...v0.18.5

v0.18.4

What's Changed

Full Changelog: https://github.com/paketo-buildpacks/occam/compare/v0.18.3...v0.18.4

v0.18.3

What's Changed

... (truncated)

Commits
  • aff3030 Buildpack packaging should always target linux
  • 7b8692d Updates go mod toolchain version to 1.22.4
  • ddf2781 Bump github.com/docker/docker
  • e9fee75 Adds support of buildpackages in buildpack store and updates freezer (#302)
  • dda57be Updating github-config
  • f0b937b Use stable go version everywhere.
  • 354d744 Bump to go 1.21
  • 64bc107 Updating github-config
  • d00fe4b Bump github.com/docker/docker
  • 37502e4 Bump github.com/testcontainers/testcontainers-go from 0.30.0 to 0.31.0
  • Additional commits viewable in compare view


Updates github.com/paketo-buildpacks/packit/v2 from 2.12.0 to 2.14.0

Release notes

Sourced from github.com/paketo-buildpacks/packit/v2's releases.

v2.14.0

What's Changed

New Contributors

Full Changelog: https://github.com/paketo-buildpacks/packit/compare/v2.13.0...v2.14.0

v2.13.0

What's Changed

New Contributors

Full Changelog: https://github.com/paketo-buildpacks/packit/compare/v2.12.0...v2.13.0

Commits
  • 13393ec Support reading service bindings from VCAP_SERVICES env var (#566)
  • 35d8f76 Bump github.com/onsi/gomega from 1.33.0 to 1.33.1
  • ce376b7 Fixes mirror bug when originalHost is excluded (#569)
  • 4c9f338 Allows users to set a dependency mirror (#563)
  • 4e9c21d Bump github.com/onsi/gomega from 1.32.0 to 1.33.0
  • dd77ec5 Bump github.com/ulikunitz/xz from 0.5.11 to 0.5.12
  • 95b8056 Bump github.com/onsi/gomega from 1.31.1 to 1.32.0
  • 777a503 Bump github.com/stretchr/testify from 1.8.4 to 1.9.0
  • c1b785b Bump github.com/google/uuid from 1.5.0 to 1.6.0
  • b31dc83 Bump github.com/onsi/gomega from 1.31.0 to 1.31.1
  • Additional commits viewable in compare view


Updates dario.cat/mergo from 1.0.0 to 1.0.1

Release notes

Sourced from dario.cat/mergo's releases.

v1.0.1

What's Changed

New Contributors

Full Changelog: https://github.com/darccio/mergo/compare/v1.0.0...v1.0.1

Commits


Updates github.com/BurntSushi/toml from 1.3.2 to 1.4.0

Release notes

Sourced from github.com/BurntSushi/toml's releases.

v1.4.0

This version requires Go 1.18

  • Add toml.Marshal() (#405)

  • Require 2-digit hour (#320)

  • Wrap UnmarshalTOML() and UnmarshalText() return values in ParseError for position information (#398)

  • Fix inline tables with dotted keys inside inline arrays (e.g. k=[{a.b=1}]) (#400)

Commits
  • 1e2c053 Undeprecate PrimitiveDecode and MetaData.PrimitiveDecode()
  • f8f7e48 Update toml-test
  • 9a80667 Add -json flag to tomlv
  • 3203540 fuzz: move fuzz_targets from oss-fuzz (#406)
  • 77ce858 Add Marshal Function (#405)
  • 0e879cb Fix panic when trying to set subkey for a value that's not a table
  • c299e75 Update toml-test
  • 4223137 Fix inline tables with dotted keys inside inline arrays (#400)
  • 45e7e49 Update toml-test
  • c320c2d Fix utf8.RuneError test
  • Additional commits viewable in compare view


Updates github.com/DataDog/zstd from 1.5.5 to 1.5.6

Release notes

Sourced from github.com/DataDog/zstd's releases.

zstd 1.5.6

What's Changed

Full Changelog: https://github.com/DataDog/zstd/compare/v1.5.5+patch1...v1.5.6

Commits
  • b52f603 Merge pull request #143 from DataDog/viq111/1.5.6
  • cf4778e Update Readme for 1.5.6
  • ed87d43 Update vendored zstd to 1.5.6
  • dd7b332 Merge pull request #136 from colinlyguo/fix-readme
  • beb4dfd Merge pull request #141 from DataDog/sfluor-patch-1
  • e75a26a Update upperBound ratio when guessing the required decompression buffer size
  • c9a5141 fix readme
  • 869dae0 Merge pull request #132 from DataDog/viq111/bulk-fix-highlycompressed-payloads
  • bf7b920 [bulk] Add extra empty payload decompression test
  • 9c0d33f [bulk] Fix naming
  • Additional commits viewable in compare view


Updates github.com/ForestEckhardt/freezer from 0.0.12 to 0.1.0

Release notes

Sourced from github.com/ForestEckhardt/freezer's releases.

v0.1.0

What's Changed

Full Changelog: https://github.com/ForestEckhardt/freezer/compare/v0.0.12...v0.1.0

Commits


Updates github.com/Microsoft/hcsshim from 0.11.7 to 0.12.6

Release notes

Sourced from github.com/Microsoft/hcsshim's releases.

v0.12.6

What's Changed

Full Changelog: https://github.com/microsoft/hcsshim/compare/v0.12.5...v0.12.6

v0.12.5

What's Changed

Full Changelog: https://github.com/microsoft/hcsshim/compare/v0.12.4...v0.12.5

v0.12.4

What's Changed

Full Changelog: https://github.com/microsoft/hcsshim/compare/v0.12.3...v0.12.4

v0.12.3

What's Changed

Full Changelog: https://github.com/microsoft/hcsshim/compare/v0.12.2...v0.12.3

v0.12.2

No release notes provided.

v0.12.1

What's Changed

Full Changelog: https://github.com/microsoft/hcsshim/compare/v0.12.0...v0.12.1

v0.12.0

What's Changed

... (truncated)

Commits
  • f922f2a Omnibus dependency updates (#2051)
  • 7d25ce2 Update module versions
  • 85a5a57 drop usage of deprecated package/methods
  • d4b1cc0 Bump opa/containerd to latest versions
  • 6a5ebd3 Upgrade deps to resolve CVEs (#2225)
  • 4f46058 Omnibus dependency update (#2166)
  • e970943 Modifying network flag EnableIov.
  • 4f77a09 Hcsshim wrapper over HNS API needed for exclusion of management mac addresses...
  • 3b5bd8a [release/0.12] vendor: github.com/containerd/containerd v17.18
  • 40cdbc8 Adding state attribute to the HNSEndpoint struct to support hyperv containers...
  • Additional commits viewable in compare view


Updates github.com/cenkalti/backoff/v4 from 4.2.1 to 4.3.0

Commits
  • 720b789 remove travis badge from readme
  • a83af7f feat(backoff): Add functional options for ExponentialBackOff Closes #136
  • See full diff in compare view


Updates github.com/cloudflare/circl from 1.3.7 to 1.4.0

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.4.0

Changes

New: ML-KEM compatible with FIPS-203.

Commit History

Full Changelog: https://github.com/cloudflare/circl/compare/v1.3.9...v1.4.0

CIRCL v1.3.9

Changes:

  • Fix bug on BLS12381 decoding elements.

Commit History

Full Changelog: https://github.com/cloudflare/circl/compare/v1.3.8...v1.3.9

CIRCL v1.3.8

New

  • BLS Signatures on top of BLS12-381.
  • Adopt faster squaring in pairings.
  • BlindRSA compliant with RFC9474.
  • (Verifiable) Secret Sharing compatible with the Group interface (elliptic curves).

Notice

What's Changed

... (truncated)

Commits
  • c311e46 Preparing for release v1.4.0
  • 62385a8 Add ML-KEM decapsulation key check.
  • 2b4626d Add ML-KEM (FIPS 203).
  • d26845f eddilithium3: fix typos
  • 75b28ed Preparing CIRCL release v1.3.9
  • 9e7c49b Detects invalid encodings of bls12381 elements.
  • 5f94471 Test for invalid encodings of BLS12381.
  • 456fe41 dilithium: fix typo
  • 4bb5601 Serializing ciphertext with 32-bit prefixes.
  • a4252c7 Test functions working with ciphertext.
  • Additional commits viewable in compare view


Updates github.com/cyphar/filepath-securejoin from 0.2.4 to 0.3.1

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.3.1

  • By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll to do the necessary "partial lookups", Open(at)InRoot now does less work for both implementations (resulting in a many-fold decrease in the number of operations for openat2, and a modest improvement for non-openat2) and is far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT) behaviour.

  • We now use readlinkat(fd, "") where possible. For Open(at)InRoot this effectively just means that we no longer risk getting spurious errors during rename races. However, for our hardened procfs handler, this in theory should prevent mount attacks from tricking us when doing magic-link readlinks (even when using the unsafe host /proc handle). Unfortunately Reopen is still potentially vulnerable to those kinds of somewhat-esoteric attacks.

    Technically this will only work on post-2.6.39 kernels but it seems incredibly unlikely anyone is using filepath-securejoin on a pre-2011 kernel.

  • Several improvements were made to the errors returned by Open(at)InRoot and MkdirAll when dealing with invalid paths under the emulated (ie. non-openat2) implementation. Previously, some paths would return the wrong error (ENOENT when the last component was a non-directory), and other paths would be returned as though they were acceptable (trailing-slash components after a non-directory would be ignored by Open(at)InRoot).

    These changes were done to match openat2's behaviour and purely is a consistency fix (most users are going to be using openat2 anyway).

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.0

This release contains no changes to SecureJoin.

However, it does introduce a new *os.File-based API which is much safer to use for most usecases. These are adapted from [libpathrs][1] and are the bare minimum to be able to operate more safely on an untrusted rootfs where an attacker has write access (something that SecureJoin cannot protect against). The new APIs are:

  • OpenInRoot, which resolves a path inside a rootfs and returns an *os.File handle to the path. Note that the file handle returned by OpenInRoot is an O_PATH handle, which cannot be used for reading or writing (as well as some other operations -- see open(2) for more details).

  • Reopen, which takes an O_PATH file handle and safely re-opens it to "upgrade" it to a regular handle.

... (truncated)

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.3.1] - 2024-07-23

Changed

  • By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll to do the necessary "partial lookups", Open(at)InRoot now does less work for both implementations (resulting in a many-fold decrease in the number of operations for openat2, and a modest improvement for non-openat2) and is far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT) behaviour.

  • We now use readlinkat(fd, "") where possible. For Open(at)InRoot this effectively just means that we no longer risk getting spurious errors during rename races. However, for our hardened procfs handler, this in theory should prevent mount attacks from tricking us when doing magic-link readlinks (even when using the unsafe host /proc handle). Unfortunately Reopen is still potentially vulnerable to those kinds of somewhat-esoteric attacks.

    Technically this will only work on post-2.6.39 kernels but it seems incredibly unlikely anyone is using filepath-securejoin on a pre-2011 kernel.

Fixed

  • Several improvements were made to the errors returned by Open(at)InRoot and MkdirAll when dealing with invalid paths under the emulated (ie. non-openat2) implementation. Previously, some paths would return the wrong error (ENOENT when the last component was a non-directory), and other paths would be returned as though they were acceptable (trailing-slash components after a non-directory would be ignored by Open(at)InRoot).

    These changes were done to match openat2's behaviour and purely is a consistency fix (most users are going to be using openat2 anyway).

[0.3.0] - 2024-07-11

Added

  • A new set of *os.File-based APIs have been added. These are adapted from [libpathrs][] and we strongly suggest using them if possible (as they provide far more protection against attacks than SecureJoin):

    • Open(at)InRoot resolves a path inside a rootfs and returns an *os.File handle to the path. Note that the handle returned is an O_PATH handle, which cannot be used for reading or writing (as well as some other operations -- [see open(2) for more details][open.2])

    • Reopen takes an O_PATH file handle and safely re-opens it to upgrade it to a regular handle. This can also be used with non-O_PATH handles, but O_PATH is the most obvious application.

    • MkdirAll is an implementation of os.MkdirAll that is safe to use to

... (truncated)

Commits
  • ce7b28a VERSION: release v0.3.1
  • a2c14f8 CHANGELOG: add readlinkat(fd, "") shout-out
  • 4ea279f merge #22 into cyphar/filepath-securejoin:main
  • 16e1bec CHANGELOG: add initial changelog with current history
  • 2404ffb merge #21 into cyphar/filepath-securejoin:main
  • f29b7a4 lookup: handle // and trailing slash components correctly
  • ecd61ca merge #19 into cyphar/filepath-securejoin:main
  • 38b1220 procfs: refactor statx mnt_id logic
  • 45c4415 procfs: use readlink(fd, "") for magic-links
  • edab538 merge #17 into cyphar/filepath-securejoin:main
  • Additional commits viewable in compare view


Updates github.com/docker/docker-credential-helpers from 0.8.1 to 0.8.2

Release notes

Sourced from github.com/docker/docker-credential-helpers's releases.

v0.8.2

What's Changed

Full Changelog: https://github.com/docker/docker-credential-helpers/compare/v0.8.1...v0.8.2

Commits
  • 6b9df3e Merge pull request #323 from thaJeztah/pass_simplify_get
  • dc10c50 Merge pull request #317 from docker/dependabot/github_actions/softprops/actio...
  • 896eb37 build(deps): bump softprops/action-gh-release to 2.0.5
  • a14669f pass: Get: remove redundant stat
  • 74840b3 Merge pull request #322 from thaJeztah/pass_dry
  • d3ef442 pass: add utilities for encoding/decoding serverURL
  • f64d6b1 Merge pull request #321 from thaJeztah/fix_pass_errors
  • 1bb9aa3 pass: return correct error, and ignore empty stores on list
  • 73b9e5d Merge pull request #320 from thaJeztah/update_gha
  • 0c43fed update to go1.21.10
  • Additional commits viewable in compare view


Updates github.com/gabriel-vasile/mimetype from 1.4.3 to 1.4.5

Release notes

Sourced from github.com/gabriel-vasile/mimetype's releases.

v1.4.5

What's Changed

New Contributors

Full Changelog: https://github.com/gabriel-vasile/mimetype/compare/v1.4.4...v1.4.5

v1.4.4

What's Changed

Security fixes:

Update golang.org/x/net to latest. Fixes: CVE-2023-45288

Performance improvements:

Benchmarks:

before:
BenchmarkText/application/x-ndjson-8              663314              2027 ns/op            4306 B/op          6 allocs/op
BenchmarkSliceRand-8                              688160              1690 ns/op             728 B/op         75 allocs/op
BenchmarkSrt-8                                    946042              1089 ns/op            4240 B/op          5 allocs/op
after:
BenchmarkText/application/x-ndjson-8             1930292               678.6 ns/op           160 B/op          4 allocs/op
BenchmarkSliceRand-8                             1232066              1173 ns/op             160 B/op          4 allocs/op
BenchmarkSrt-8                                   3235448               368.8 ns/op            64 B/op          2 allocs/op

New Contributors

Full Changelog: https://github.com/gabriel-vasile/mimetype/compare/v1.4.3...v1.4.4

Commits
dependabot[bot] commented 3 months ago

Looks like these dependencies are updatable in another way, so this is no longer needed.