paketo-buildpacks / go-dist

A Cloud Native Buildpack for Go
Apache License 2.0

Bump the go-modules group across 1 directory with 27 updates #852

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 3 months ago

Bumps the go-modules group with 15 updates in the / directory:

Package From To
github.com/onsi/gomega 1.33.1 1.34.1
github.com/DataDog/zstd 1.5.5 1.5.6
github.com/cyphar/filepath-securejoin 0.2.5 0.3.1
github.com/gabriel-vasile/mimetype 1.4.4 1.4.5
github.com/go-logr/logr 1.4.1 1.4.2
github.com/google/go-containerregistry 0.19.2 0.20.1
github.com/mattn/go-runewidth 0.0.15 0.0.16
github.com/moby/sys/sequential 0.5.0 0.6.0
github.com/moby/sys/user 0.1.0 0.2.0
github.com/shirou/gopsutil/v3 3.23.12 3.24.5
github.com/skeema/knownhosts 1.2.2 1.3.0
github.com/spdx/tools-golang 0.5.4 0.5.5
github.com/sylabs/sif/v2 2.17.0 2.18.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp 0.49.0 0.53.0
google.golang.org/grpc 1.62.0 1.65.0

Updates github.com/onsi/gomega from 1.33.1 to 1.34.1

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.34.1

1.34.1

Maintenance

  • Use slices from exp/slices to keep golang 1.20 compat [5e71dcd]

v1.34.0

1.34.0

Features

  • Add RoundTripper method to ghttp.Server [c549e0d]

Fixes

  • fix incorrect handling of nil slices in HaveExactElements (fixes #771) [878940c]
  • issue_765 - fixed bug in Hopcroft-Karp algorithm [ebadb67]

Maintenance

  • bump ginkgo [8af2ece]
  • Fix typo in docs [123a071]
  • Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.17.3 (#756) [0e69083]
  • Bump google.golang.org/protobuf from 1.33.0 to 1.34.1 (#755) [2675796]
  • Bump golang.org/x/net from 0.24.0 to 0.25.0 (#754) [4160c0f]
  • Bump github-pages from 230 to 231 in /docs (#748) [892c303]
Commits
  • fa057b8 v1.34.1
  • 5e71dcd Use slices from exp/slices to keep golang 1.20 compat
  • 32e5498 v1.34.0
  • cb3fa6a run go mod tidy and wonder why go get doesnt just run it for me in the first ...
  • 8af2ece bump ginkgo
  • 878940c fix incorrect handling of nil slices in HaveExactElements (fixes #771)
  • f5bec80 clean up bipartitegraph tests
  • ebadb67 issue_765 - fixed bug in Hopcroft-Karp algorithm
  • 123a071 Fix typo in docs
  • c549e0d Add RoundTripper method to ghttp.Server
  • Additional commits viewable in compare view


Updates github.com/DataDog/zstd from 1.5.5 to 1.5.6

Release notes

Sourced from github.com/DataDog/zstd's releases.

zstd 1.5.6

What's Changed

Full Changelog: https://github.com/DataDog/zstd/compare/v1.5.5+patch1...v1.5.6

Commits
  • b52f603 Merge pull request #143 from DataDog/viq111/1.5.6
  • cf4778e Update Readme for 1.5.6
  • ed87d43 Update vendored zstd to 1.5.6
  • dd7b332 Merge pull request #136 from colinlyguo/fix-readme
  • beb4dfd Merge pull request #141 from DataDog/sfluor-patch-1
  • e75a26a Update upperBound ratio when guessing the required decompression buffer size
  • c9a5141 fix readme
  • 869dae0 Merge pull request #132 from DataDog/viq111/bulk-fix-highlycompressed-payloads
  • bf7b920 [bulk] Add extra empty payload decompression test
  • 9c0d33f [bulk] Fix naming
  • Additional commits viewable in compare view


Updates github.com/Microsoft/hcsshim from 0.12.4 to 0.11.7

Commits
  • 6749c2f Fix process handle leak when launching a job container (#2187)
  • e59d3d2 Adding state attribute to the HNSEndpoint struct to support hyperv containers...
  • 1495e9f Adding support for loadbalancer policy update in hns. (#2085)
  • eefee26 Changes for checking the global version for modify policy version support. (#...
  • cd46569 OutBoundNATPolicy Schema changes (#2106)
  • 6678d78 Update to go-winio v0.6.2 + fix lint errors
  • 4249a60 Upgrade to golang 1.21
  • 4dc03f1 Add spans and drop large size high volume trace logs
  • b16edf6 Remove log package dependency
  • b5725e5 Create container subdirectories for process dumps
  • Additional commits viewable in compare view


Updates github.com/cyphar/filepath-securejoin from 0.2.5 to 0.3.1

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.3.1

  • By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll to do the necessary "partial lookups", Open(at)InRoot now does less work for both implementations (resulting in a many-fold decrease in the number of operations for openat2, and a modest improvement for non-openat2) and is far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT) behaviour.

  • We now use readlinkat(fd, "") where possible. For Open(at)InRoot this effectively just means that we no longer risk getting spurious errors during rename races. However, for our hardened procfs handler, this in theory should prevent mount attacks from tricking us when doing magic-link readlinks (even when using the unsafe host /proc handle). Unfortunately Reopen is still potentially vulnerable to those kinds of somewhat-esoteric attacks.

    Technically this will only work on post-2.6.39 kernels but it seems incredibly unlikely anyone is using filepath-securejoin on a pre-2011 kernel.

  • Several improvements were made to the errors returned by Open(at)InRoot and MkdirAll when dealing with invalid paths under the emulated (ie. non-openat2) implementation. Previously, some paths would return the wrong error (ENOENT when the last component was a non-directory), and other paths would be returned as though they were acceptable (trailing-slash components after a non-directory would be ignored by Open(at)InRoot).

    These changes were done to match openat2's behaviour and are purely a consistency fix (most users are going to be using openat2 anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v0.3.0

This release contains no changes to SecureJoin.

However, it does introduce a new *os.File-based API which is much safer to use for most use cases. These are adapted from libpathrs and are the bare minimum to be able to operate more safely on an untrusted rootfs where an attacker has write access (something that SecureJoin cannot protect against). The new APIs are:

  • OpenInRoot, which resolves a path inside a rootfs and returns an *os.File handle to the path. Note that the file handle returned by OpenInRoot is an O_PATH handle, which cannot be used for reading or writing (as well as some other operations -- see open(2) for more details).

  • Reopen, which takes an O_PATH file handle and safely re-opens it to "upgrade" it to a regular handle.

... (truncated)

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.3.1] - 2024-07-23

Changed

  • By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll to do the necessary "partial lookups", Open(at)InRoot now does less work for both implementations (resulting in a many-fold decrease in the number of operations for openat2, and a modest improvement for non-openat2) and is far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT) behaviour.

  • We now use readlinkat(fd, "") where possible. For Open(at)InRoot this effectively just means that we no longer risk getting spurious errors during rename races. However, for our hardened procfs handler, this in theory should prevent mount attacks from tricking us when doing magic-link readlinks (even when using the unsafe host /proc handle). Unfortunately Reopen is still potentially vulnerable to those kinds of somewhat-esoteric attacks.

    Technically this will only work on post-2.6.39 kernels but it seems incredibly unlikely anyone is using filepath-securejoin on a pre-2011 kernel.

Fixed

  • Several improvements were made to the errors returned by Open(at)InRoot and MkdirAll when dealing with invalid paths under the emulated (ie. non-openat2) implementation. Previously, some paths would return the wrong error (ENOENT when the last component was a non-directory), and other paths would be returned as though they were acceptable (trailing-slash components after a non-directory would be ignored by Open(at)InRoot).

    These changes were done to match openat2's behaviour and are purely a consistency fix (most users are going to be using openat2 anyway).

[0.3.0] - 2024-07-11

Added

  • A new set of *os.File-based APIs have been added. These are adapted from libpathrs and we strongly suggest using them if possible (as they provide far more protection against attacks than SecureJoin):

    • Open(at)InRoot resolves a path inside a rootfs and returns an *os.File handle to the path. Note that the handle returned is an O_PATH handle, which cannot be used for reading or writing (as well as some other operations -- see open(2) for more details)

    • Reopen takes an O_PATH file handle and safely re-opens it to upgrade it to a regular handle. This can also be used with non-O_PATH handles, but O_PATH is the most obvious application.

    • MkdirAll is an implementation of os.MkdirAll that is safe to use to

... (truncated)

Commits
  • ce7b28a VERSION: release v0.3.1
  • a2c14f8 CHANGELOG: add readlinkat(fd, "") shout-out
  • 4ea279f merge #22 into cyphar/filepath-securejoin:main
  • 16e1bec CHANGELOG: add initial changelog with current history
  • 2404ffb merge #21 into cyphar/filepath-securejoin:main
  • f29b7a4 lookup: handle // and trailing slash components correctly
  • ecd61ca merge #19 into cyphar/filepath-securejoin:main
  • 38b1220 procfs: refactor statx mnt_id logic
  • 45c4415 procfs: use readlink(fd, "") for magic-links
  • edab538 merge #17 into cyphar/filepath-securejoin:main
  • Additional commits viewable in compare view


Updates github.com/gabriel-vasile/mimetype from 1.4.4 to 1.4.5

Release notes

Sourced from github.com/gabriel-vasile/mimetype's releases.

v1.4.5

What's Changed

New Contributors

Full Changelog: https://github.com/gabriel-vasile/mimetype/compare/v1.4.4...v1.4.5

Commits


Updates github.com/go-logr/logr from 1.4.1 to 1.4.2

Release notes

Sourced from github.com/go-logr/logr's releases.

v1.4.2

What's Changed

Dependencies:

Full Changelog: https://github.com/go-logr/logr/compare/v1.4.1...v1.4.2

Commits
  • 1205f42 Merge pull request #295 from go-logr/dependabot/github_actions/actions/checko...
  • ccedcbd Merge pull request #294 from go-logr/dependabot/github_actions/github/codeql-...
  • bead577 build(deps): bump actions/checkout from 4.1.5 to 4.1.6
  • a492d95 build(deps): bump github/codeql-action from 3.25.4 to 3.25.5
  • 19ad07c build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3
  • 1c97a21 build(deps): bump actions/checkout from 4.1.4 to 4.1.5
  • f70c5b5 build(deps): bump github/codeql-action from 3.25.3 to 3.25.4
  • 4ade8d3 build(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1
  • 88d98bd Merge pull request #289 from go-logr/dependabot/github_actions/golangci/golan...
  • 432cd86 Merge pull request #288 from go-logr/dependabot/github_actions/actions/setup-...
  • Additional commits viewable in compare view


Updates github.com/go-ole/go-ole from 1.3.0 to 1.2.6

Commits
  • 9f1c1d0 Revert 1144933ebbad56211c67c56fd60da6a684550dc6
  • d467d80 Merge pull request #206 from oXis/master
  • 1144933 oleutil: fix ForEach no working as intented
  • b5bef18 Clear EXCEPINFO handling IDispatch.Invoke errors
  • abfd2bd Clear VT_VARIANT inside a SafeArray .ToValueArray() conversion
  • 3a1b425 btnG had been renamed to btnK.
  • 14974a1 Merge pull request #192 from andrewkroh/master
  • fc4e2cd Use NewLazySystemDLL
  • e7f687f safeArrayGetElement error when type is VT_BSTR
  • 938323a Create FUNDING.yml
  • Additional commits viewable in compare view


Updates github.com/google/go-containerregistry from 0.19.2 to 0.20.1

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.1

What's Changed

Full Changelog: https://github.com/google/go-containerregistry/compare/v0.20.0...v0.20.1

v0.20.0

What's Changed

New Contributors

Full Changelog: https://github.com/google/go-containerregistry/compare/v0.19.2...v0.20.0

Commits


Updates github.com/mattn/go-runewidth from 0.0.15 to 0.0.16

Commits


Updates github.com/moby/sys/sequential from 0.5.0 to 0.6.0

Release notes

Sourced from github.com/moby/sys/sequential's releases.

signal/v0.6.0

What's Changed

New Contributors

Full Changelog: https://github.com/moby/sys/compare/signal/v0.5.0...signal/v0.6.0

mountinfo v0.6.0

New functionality

  • Add MountedFast by @kolyshkin in moby/sys#100. Note: most users should keep using Mounted, which already incorporates all optimizations from MountedFast

Full changelog: https://github.com/moby/sys/compare/mountinfo/v0.5.0...mountinfo/v0.6.0

sequential v0.6.0

What's Changed

  • sequential: remove fileFlagSequentialScan const
  • sequential: consistently use x/sys/windows for consts
  • sequential: open(File)Sequential: remove unused arg
  • sequential: move error-handling to openFileSequential
  • sequential: simplify docs for non-Windows implementations
  • sequential: update docs for Windows-implementation
  • bump golang.org/x/sys to v0.1.0

Full Changelog: https://github.com/moby/sys/compare/sequential/v0.5.0...sequential/v0.6.0

Commits
  • 03b9f8d Merge pull request #94 from thaJeztah/bump_mountinfo
  • bdd898e mount: update github.com/moby/sys/mountinfo v0.5.0
  • fbd276c Merge pull request #93 from kolyshkin/ci-f35
  • afb7f50 Merge pull request #92 from kolyshkin/more-linters
  • 9372d68 ci: bump Fedora to 35
  • 9a90d6d Format code with gofumpt, enable linter
  • 85e4bfd Makefile: update golangci-lint to 1.43.0
  • f0fb439 .gitattributes: add
  • b016007 ci: add unconvert and errorlint linters to golanci
  • 6056970 Fix errorlint warnings
  • Additional commits viewable in compare view


Updates github.com/moby/sys/user from 0.1.0 to 0.2.0

Release notes

Sourced from github.com/moby/sys/user's releases.

mountinfo v0.2.0

Bug fixes:

  • Fix path unescaping for paths with double quotes (#16)

Improvements:

  • Mounted: speed up by adding fast paths using openat2 (Linux-only, #29) and stat (#20)
  • Mounted: relax path requirements (allow relative, non-cleaned paths, symlinks) (fixes #27)
  • Unescape fstype and source fields (#16)
  • Documentation improvements (#15)

Testing/CI:

  • Unit tests: exclude darwin (#13)
  • CI: run tests under Fedora 32 to test openat2 (#29)
  • TestGetMounts: fix for Ubuntu build system (#18)
  • Makefile: fix ignoring test failures (#19)
  • CI: add cross build (#23)

Thanks to:

  • Aleksa Sarai
  • Shengjing Zhu

mount v0.2.0

Breaking changes:

  • Remove stub-implementations for Windows for Mount(), Unmount(), RecursiveUnmount(), MergeTmpfsOptions() (#311)

Fixes and improvements:

  • go.mod: update github.com/moby/sys/mountinfo to v0.4.0 (#443, #564)
  • use MNT_* flags from golang.org/x/sys/unix on freebsd (#365)
  • add support for OpenBSD in addition to FreeBSD (#326)
  • fix package overview documentation not showing (#437)
  • RecursiveUnmount(): minor improvements (#468)

Thanks to:

  • Tobias Klauser

symlink/v0.2.0

What's Changed

... (truncated)

Commits
  • 86870e7 Merge pull request #140 from thaJeztah/integrate_libcontainer_userns
  • 5cd502c user: require go1.21 or higher
  • a40602b user/userns: add godoc for package
  • bc3a8a5 libct/userns: implement RunningInUserNS with sync.OnceValue
  • bc0de32 libct/userns: make fuzzer Linux-only, and remove stub for uidMapInUserNS
  • 333fe31 libct/userns: change RunningInUserNS to a wrapper instead of an alias
  • bb72464 remove pre-go1.17 build-tags
  • 87e38c8 libcontainer/userns: simplify, and separate from "user" package.
  • b19e084 *: add go-1.17+ go:build tags
  • db243e2 *: rm redundant linux build tag
  • Additional commits viewable in compare view


Updates github.com/shirou/gopsutil/v3 from 3.23.12 to 3.24.5

Release notes

Sourced from github.com/shirou/gopsutil/v3's releases.

v3.24.5

What's Changed

cpu

process

Other Changes

New Contributors

Full Changelog: https://github.com/shirou/gopsutil/compare/v3.24.4...v3.24.5

v3.24.4

What's Changed

net

New Contributors

Full Changelog: https://github.com/shirou/gopsutil/compare/v3.24.3...v3.24.4

v3.24.3

What's Changed

disk

host

load

process

New Contributors

... (truncated)

Commits
  • 4336530 Merge pull request #1649 from shirou/feat/add_process_cwd_openbsd
  • cb52f7a Merge pull request #1651 from Dylan-M/aix_support
  • 125da53 Update the README charts with the AIX information
  • ff4ae36 Remove extraneous development note comments
  • df9c9bf Update min version in the readme to match new required min version.
  • 1d7b4a3 Revert accidental change of go version in go.mod (wasn't supposed to commit).
  • 9bf502f Fix logic errors, syntax errors, and typos
  • b133d60 Ignore host_aix_ppc64 for now
  • b4d95a4 Raise minimum go version to 1.18 (required by changes) and run go mod tidy
  • 0917790 Remove inappropriate package addition
  • Additional commits viewable in compare view


Updates github.com/skeema/knownhosts from 1.2.2 to 1.3.0

Commits
  • 9485bde docs: add PR template and CONTRIBUTING.md guide; minor README tweaks
  • 8b8ca37 host matching: handle wildcards with non-standard port (#10)
  • 7c797a4 Merge pull request #9 from skeema/certs-backwards-compat
  • 53a26cc Minor adjustments based on initial PR feedback
  • 69b4a62 certs: reimplement previous commit to maintain backwards compat
  • d314bf3 Support cert authorities
  • 5832aa8 ci: send coverage to Coveralls; upgrade action versions
  • 7acc57b go.mod: update golang.org/x dependencies
  • See full diff in compare view


Updates github.com/spdx/tools-golang from 0.5.4 to 0.5.5

Release notes

Sourced from github.com/spdx/tools-golang's releases.

v0.5.5

What's Changed

New Contributors

Full Changelog: https://github.com/spdx/tools-golang/compare/v0.5.4...v0.5.5

Commits
  • 9db247b fix: provide a clearer error when using an invalid originator (#246)
  • 57d4b8e fix: panic if JSON relationship array contains null (#239)
  • 606f188 chore: update makefile to include bootstrap and go mod tidy (#243)
  • 282609e fix: properly normalize Windows paths (#242)
  • See full diff in

dependabot[bot] commented 3 months ago

Looks like these dependencies are updatable in another way, so this is no longer needed.