pomerium / ingress-controller

Pomerium Kubernetes Ingress Controller
https://pomerium.com
Apache License 2.0

build(deps): bump the go group with 8 updates #922

Closed dependabot[bot] closed 5 months ago

dependabot[bot] commented 5 months ago

Bumps the go group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/go-playground/validator/v10 | 10.18.0 | 10.19.0 |
| github.com/open-policy-agent/opa | 0.62.0 | 0.62.1 |
| google.golang.org/grpc | 1.62.0 | 1.62.1 |
| k8s.io/api | 0.29.0 | 0.29.2 |
| k8s.io/apiextensions-apiserver | 0.29.0 | 0.29.2 |
| k8s.io/apiserver | 0.29.0 | 0.29.2 |
| k8s.io/client-go | 0.29.0 | 0.29.2 |
| sigs.k8s.io/controller-tools | 0.11.4 | 0.14.0 |

Updates github.com/go-playground/validator/v10 from 10.18.0 to 10.19.0

Release notes

Sourced from github.com/go-playground/validator/v10's releases.

Release 10.19.0

What was added?

Added opt-in ability to validate private fields in PR, thanks @nikolaianohyn via the new WithPrivateFieldValidation option when initializing validator.


Updates github.com/open-policy-agent/opa from 0.62.0 to 0.62.1

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.62.1

This is a security fix release for the fixes published in Go 1.22.1.

OPA servers using --authentication=tls would be affected: crafted malicious client certificates could cause a panic in the server.

Also, crafted server certificates could panic OPA's HTTP clients, in bundle plugin, status and decision logs; and http.send calls that verify TLS.

This is CVE-2024-24783 (https://pkg.go.dev/vuln/GO-2024-2598).

Note that there are other security fixes in this Golang release, but whether or not OPA is affected is harder to assess. An update is advised.

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.62.1

This is a security fix release for the fixes published in Golang 1.22.1.

OPA servers using --authentication=tls would be affected: crafted malicious client certificates could cause a panic in the server.

Also, crafted server certificates could panic OPA's HTTP clients, in bundle plugin, status and decision logs; and http.send calls that verify TLS.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

This is CVE-2024-24783 (https://pkg.go.dev/vuln/GO-2024-2598).

Note that there are other security fixes in this Golang release, but whether or not OPA is affected is harder to tell. An update is advised.


Updates google.golang.org/grpc from 1.62.0 to 1.62.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.62.1

Bug Fixes

  • xds: fix a bug that results in no matching virtual host found RPC errors due to a difference between the target and LDS resource names (#6997)
  • server: fixed stats handler data InPayload.Length for unary RPC calls (#6766)
  • grpc: the experimental RecvBufferPool DialOption and ServerOption are now active during unary RPCs with compression (#6766)
  • grpc: trim whitespaces in accept-encoding header before determining compressors


Updates k8s.io/api from 0.29.0 to 0.29.2

Commits
  • d473130 Update dependencies to v0.29.2 tag
  • f5eca04 Merge pull request #122959 from RomanBednar/automated-cherry-pick-of-#122728
  • fd1786f flag PersistentVolumeLastPhaseTransitionTime field as beta
  • a48c0a4 Merge pull request #122429 from MadhavJivrajani/tools-bump-129
  • 656e18f .*: bump golang.org/x/tools to v0.16.1
  • See full diff in compare view


Updates k8s.io/apiextensions-apiserver from 0.29.0 to 0.29.2

Commits
  • e1d6769 Update dependencies to v0.29.2 tag
  • f14ac67 Merge pull request #122369 from cici37/automated-cherry-pick-of-#122193
  • eccd921 Merge pull request #122429 from MadhavJivrajani/tools-bump-129
  • 06c0a98 Merge pull request #122343 from jpbetz/automated-cherry-pick-of-#122329
  • 4a82ea0 .*: bump golang.org/x/tools to v0.16.1
  • 2d320bc Wire in field dropping for CRDs
  • 510e9f2 Keep presence cost to 0 to ensure backward compatibility.
  • See full diff in compare view


Updates k8s.io/apiserver from 0.29.0 to 0.29.2


Updates k8s.io/client-go from 0.29.0 to 0.29.2


Updates sigs.k8s.io/controller-tools from 0.11.4 to 0.14.0

Release notes

Sourced from sigs.k8s.io/controller-tools's releases.

v0.14.0

What's Changed

Dependency bumps

New Contributors

Full Changelog: https://github.com/kubernetes-sigs/controller-tools/compare/v0.13.0...v0.14.0

v0.13.0

What's Changed

Dependency bumps

... (truncated)

Commits
  • 5ac2d0e Merge pull request #872 from Neo2308/feature/master/bump-to-k8s-0.29.0
  • 6177f44 Bump k8s deps to v0.29.0
  • 419500a Merge pull request #870 from qinqon/crd-description-respect-multiline-comment...
  • 7488021 crd: Respect multiline comments at godocs
  • 943de6e Merge pull request #869 from kubernetes-sigs/dependabot/go_modules/golang.org...
  • ef54a04 :seedling: Bump golang.org/x/tools from 0.16.0 to 0.16.1
  • 8e85f22 Merge pull request #867 from kubernetes-sigs/dependabot/github_actions/kubern...
  • e184937 :seedling: Bump kubernetes-sigs/kubebuilder-release-tools
  • 72d3440 Merge pull request #863 from Danil-Grigorev/support-empty-maps-lists
  • 498f1db Merge pull request #866 from kubernetes-sigs/dependabot/go_modules/golang.org...
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
  • `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
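
Added example, not part of this pull request or of OPA's code: the CVE-2024-24783 fix quoted in the OPA changelog above lives in Go's standard library, so a triage check looks at the toolchain a binary was built with and at the `ClientAuth` modes the changelog names. The function names and sample configurations are hypothetical; the 1.21.8 minimum for the 1.21 line is an assumption not stated on this page.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// toolchainFixed reports whether a Go release string such as "go1.22.1" carries the
// CVE-2024-24783 fix (assumed minimums: 1.21.8, 1.22.1); rc/devel strings count as unfixed.
func toolchainFixed(v string) bool {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "go"), " ") // drop " X:..." suffix
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		x, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		n[i] = x
	}
	return n[0] > 1 || (n[0] == 1 && (n[1] >= 23 || (n[1] == 22 && n[2] >= 1) || (n[1] == 21 && n[2] >= 8)))
}

// exposed applies the changelog's condition: on an unfixed toolchain every
// crypto/tls client is affected, a server only if it verifies client certificates.
func exposed(goVersion string, isServer bool, c *tls.Config) bool {
	if toolchainFixed(goVersion) {
		return false
	}
	return !isServer || c.ClientAuth == tls.VerifyClientCertIfGiven ||
		c.ClientAuth == tls.RequireAndVerifyClientCert
}

// sampleConfigs returns constructed server configurations for illustration.
func sampleConfigs() map[string]*tls.Config {
	return map[string]*tls.Config{
		"default":    {},
		"optional":   {ClientAuth: tls.VerifyClientCertIfGiven},
		"mtls":       {ClientAuth: tls.RequireAndVerifyClientCert},
		"unverified": {ClientAuth: tls.RequireAnyClientCert},
	}
}

func main() {
	for name, c := range sampleConfigs() {
		fmt.Println(name, runtime.Version(), exposed(runtime.Version(), true, c))
	}
}
```

For an already-built binary, `go version <path-to-binary>` prints the toolchain string to feed into `toolchainFixed`.
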
dependabot[bot] commented 5 months ago

Looks like these dependencies are updatable in another way, so this is no longer needed.