Skip to content

deps: bump the go_modules group across 1 directory with 7 updates#2077

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/go_modules-8007c11bfb
Open

deps: bump the go_modules group across 1 directory with 7 updates#2077
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/go_modules-8007c11bfb

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 25, 2026

Bumps the go_modules group with 4 updates in the / directory: golang.org/x/crypto, helm.sh/helm/v3, github.com/go-git/go-git/v5 and github.com/sigstore/cosign/v2.

Updates golang.org/x/crypto from 0.41.0 to 0.45.0

Commits
  • 4e0068c go.mod: update golang.org/x dependencies
  • e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
  • f91f7a7 ssh/agent: prevent panic on malformed constraint
  • 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
  • bcf6a84 acme: pass context to request
  • b4f2b62 ssh: fix error message on unsupported cipher
  • 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
  • 122a78f go.mod: update golang.org/x dependencies
  • c0531f9 all: eliminate vet diagnostics
  • 0997000 all: fix some comments
  • Additional commits viewable in compare view

Updates helm.sh/helm/v3 from 3.17.4 to 3.18.5

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.18.5 is a security release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security Advisories

Installation and Upgrading

Download Helm v3.18.5. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.19.0 is the next minor release and will be on September 11, 2025

Changelog

  • fix Chart.yaml handling 7799b483f52ceb665264a4056da3d2569d60f910 (Matt Farina)
  • Handle messy index files dd8502f7b4fd5824a696c99909babd0fbed77e9e (Matt Farina)
  • json schema fix cb8595bc650e2ec7459427d2b0430599431a3dbe (Robert Sirchia)

Helm v3.18.4 is a security release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs

... (truncated)

Commits

Updates github.com/go-git/go-git/v5 from 5.13.0 to 5.16.5

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.5

What's Changed

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

v5.16.4

What's Changed

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

v5.16.3

What's Changed

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

v5.16.2

What's Changed

Full Changelog: go-git/go-git@v5.16.1...v5.16.2

v5.16.1

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.16.0...v5.16.1

v5.16.0

What's Changed

... (truncated)

Commits
  • 48a1ae0 Merge pull request #1836 from go-git/check-v5
  • 42bdf1f storage: filesystem, Verify idx matches pack file
  • 4146a56 plumbing: format/idxfile, Verify idxfile's checksum
  • 63d78ec plumbing: format/packfile, Add new ErrMalformedPackFile
  • 25f1624 Merge pull request #1800 from Ch00k/no-delete-untracked-v5
  • 600fb13 git: worktree, Don't delete local untracked files when resetting worktree
  • 390a569 Merge pull request #1746 from pjbgf/bump-go
  • 61c8b85 build: Bump Go test versions to 1.23-1.25 (v5)
  • e5a05ec Merge pull request #1744 from go-git/renovate/releases/v5.x-go-golang.org-x-c...
  • 1495930 plumbing: Remove use of non-constant format strings
  • Additional commits viewable in compare view

Updates github.com/sigstore/cosign/v2 from 2.2.4 to 2.6.2

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.6.2

Changelog

v2.6.2 contains a fix for GHSA-whqx-f9j3-ch6m

  • 3ade80c5f77cefc904f8c994e88618e5892e8f1c Fix bundle verify path for old bundle/trusted root (#4624)
  • c4e6a783ce9b6ad08bb545b79a3277f1aaa16add v2.6 branch - bump sigstore deps (#4619)

Thanks to all contributors!

v2.6.1

Changelog

  • 634fabe54f9fbbab55d821a83ba93b2d25bdba5f Bump sigstore-go, move conformance back to tagged release
  • c5545eda23d770180880c245bf0d8f78c354ecc4 Partially populate the output of cosign verify when working with new bundles (#4416)
  • e191024a636883b4e6b7de8db2f5cfb85a1fcd0c bump go builder to use 1.25.1 and cosign (#4417)

Thanks to all contributors!

v2.6.0 introduces a number of new features, including:

  • Signing an in-toto statement rather than Cosign constructing one from a predicate, along with verifying a statement's subject using a digest and digest algorithm rather than providing a file reference (#4306)
  • Uploading a signature and its verification material (a "bundle") as an OCI Image 1.1 referring artifact, completing #3927 (#4316)
  • Providing service URLs for signing and attesting using a SigningConfig. Note that this is required when using a Rekor v2 instance (#4319)

Example generation and verification of a signed in-toto statement:

cosign attest-blob --new-bundle-format=true --bundle="digest-key-test.sigstore.json" --key="cosign.key" --statement="../sigstore-go/examples/sigstore-go-signing/intoto.txt"
cosign verify-blob-attestation --bundle="digest-key-test.sigstore.json" --key=cosign.pub --type=unused --digest="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" --digestAlg="sha256"

Example container signing and verification using the new bundle format and referring artifacts:

cosign sign --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733
cosign verify --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733

Example usage of a signing config provided by the public good instance's TUF repository:

cosign sign-blob --use-signing-config --bundle sigstore.json README.md
cosign verify-blob --new-bundle-format --bundle sigstore.json --certificate-identity $EMAIL --certificate-oidc-issuer $ISSUER --use-signed-timestamps README.md

v2.6.0 leverages sigstore-go's signing and verification APIs gated behind these new flags. In an upcoming major release, we will be updating Cosign to default to producing and consuming bundles to align with all other Sigstore SDKs.

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.6.2

v2.6.2 resolves GHSA-whqx-f9j3-ch6m.

Changes

v3.0.3

Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by the community along with adding compatibility for the new bundle format and attestation storage in OCI to additional commands. We're continuing to work on compatibility with the remaining commands and will have a new release shortly. If you run into any problems, please file an issue

Changes

  • 4554: Closes 4554 - Add warning when --output* is used (#4556)
  • Protobuf bundle support for subcommand clean (#4539)
  • Add staging flag to initialize with staging TUF metadata
  • Updating sign-blob to also support signing with a certificate (#4547)
  • Protobuf bundle support for subcommands save and load (#4538)
  • Fix cert attachment for new bundle with signing config
  • Fix OCI verification with local cert - old bundle
  • Deprecate tlog-upload flag (#4458)
  • fix: Use signal context for sign cli package.
  • update offline verification directions (#4526)
  • Fix signing/verifying annotations for new bundle
  • Add support to download and attach for protobuf bundles (#4477)
  • Add --signing-algorithm flag (#3497)
  • Refactor signcommon bundle helpers
  • Add --bundle and fix --upload for new bundle
  • Pass insecure registry flags through to referrers
  • Add protobuf bundle support for tree subcommand (#4491)
  • Remove stale embed import (#4492)
  • Support multiple container identities
  • Fix segfault when no attestations are found (#4472)
  • Use overridden repository for new bundle format (#4473)
  • Remove --out flag from cosign initialize (#4462)
  • Deprecate offline flag (#4457)
  • Deduplicate code in sign/attest* and verify* commands (#4449)
  • Cache signing config when calling initialize (#4456)

v3.0.2

v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format.

  • Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

... (truncated)

Commits
  • 3ade80c Fix bundle verify path for old bundle/trusted root (#4624)
  • c4e6a78 v2.6 branch - bump sigstore deps (#4619)
  • 634fabe Bump sigstore-go, move conformance back to tagged release
  • c5545ed Partially populate the output of cosign verify when working with new bundles ...
  • e191024 bump go builder to use 1.25.1 and cosign (#4417)
  • 37fbfc7 Require exclusively a SigningConfig or service URLs when signing (#4403)
  • b1acaeb Add a terminal spinner while signing with sigstore-go (#4402)
  • 2581dfd chore(deps): bump the gomod group across 1 directory with 8 updates (#4401)
  • 11163ae Bump sigstore-go, support alternative hash algorithms with keys (#4386)
  • 153df46 chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 (#4391)
  • Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.3.6 to 1.4.3

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.4.3

This release reduces dependencies for a number of exported packages.

This release also changes the format of the binary and container signature, which is now a Sigstore bundle. To verify a release, use the latest Cosign 3.x, verifying with cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Improvements

  • use interruptable context to elegantly handle signals in rekor-cli (#2681)
  • restapi: Don't log client errors as errors (#2680)
  • pkg: separate pki types from implementations (#2668)
  • e2e: don't mix e2e and regular utilities (#2672)
  • pkg: remove viper config from spec definitions (#2669)
  • log: remove zap & go-chi dependecy from pkg/types (#2667)
  • chore: update go-openapi/runtime to v0.29.0 (#2670)
  • chore: remove double imported mapstructure pkg (#2671)
  • remove archived dependency and use stdlib slices (#2650)

Documentation

  • (docs): guard unsafe int/uint conversions flagged by gosec (#2679)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Jussi Kukkonen
  • Sachin Sampras M
  • Tõnis Tiigi

v1.4.2

What's Changed

Full Changelog: sigstore/rekor@v1.4.1...v1.4.2

v1.4.1

... (truncated)

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.4.3

This release reduces dependencies for a number of exported packages.

This release also changes the format of the binary and container signature, which is now a Sigstore bundle. To verify a release, use the latest Cosign 3.x, verifying with cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Improvements

  • use interruptable context to elegantly handle signals in rekor-cli (#2681)
  • restapi: Don't log client errors as errors (#2680)
  • pkg: separate pki types from implementations (#2668)
  • e2e: don't mix e2e and regular utilities (#2672)
  • pkg: remove viper config from spec definitions (#2669)
  • log: remove zap & go-chi dependecy from pkg/types (#2667)
  • chore: update go-openapi/runtime to v0.29.0 (#2670)
  • chore: remove double imported mapstructure pkg (#2671)
  • remove archived dependency and use stdlib slices (#2650)

Documentation

  • (docs): guard unsafe int/uint conversions flagged by gosec (#2679)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Jussi Kukkonen
  • Sachin Sampras M
  • Tõnis Tiigi

v1.4.2

This release includes some performance optimizations and a bug fix for publishing events to a pub/sub topic.

Fixes

  • use pubsub client to check IAM permissions (#2605)
  • process type contents serially (#2604)
  • move to direct decoding instead of mapstructure (#2598)
  • optimize performance of regex operations (#2603)

Contributors

  • Bob Callaway

v1.4.1

... (truncated)

Commits
  • cb5b1d5 Changelog for v1.4.3, fix goreleaser for Cosign v3 (#2682)
  • b34d99d fix remaining zizmor fixes (#2617)
  • e032725 use interruptable context to elegantly handle signals in rekor-cli (#2681)
  • 2d4e985 (docs): guard unsafe int/uint conversions flagged by gosec (#2679)
  • fdde6ec build(deps): Bump sigstore/scaffolding/trillian_log_signer (#2677)
  • 5ecf774 build(deps): Bump sigstore/scaffolding/trillian_log_server (#2678)
  • 381f351 build(deps): Bump go.step.sm/crypto from 0.73.0 to 0.74.0 (#2674)
  • e7bf948 build(deps): Bump golang.org/x/mod from 0.28.0 to 0.29.0 (#2665)
  • e8b7b7f build(deps): Bump github/codeql-action in the all group (#2663)
  • 9589399 build(deps): Bump the all group with 7 updates (#2673)
  • Additional commits viewable in compare view

Updates github.com/sigstore/sigstore from 1.8.3 to 1.10.3

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.10.3

What's Changed

v1.10.3 adds ValidatePubKey back to the cryptoutils package to avoid a breaking API change.

Full Changelog: sigstore/sigstore@v1.10.2...v1.10.3

v1.10.2

Functionally equivalent to v1.10.0. v1.10.1 has been retracted to remove copied code.

v1.10.0

Breaking change

sigstore/sigstore#2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

Refactoring

v1.10.0

Breaking change

sigstore/sigstore#2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

Refactoring

... (truncated)

Commits
  • 72f0ed7 build(deps): Bump github.com/aws/aws-sdk-go-v2/config (#2230)
  • b257168 build(deps): Bump github.com/aws/aws-sdk-go-v2 in /pkg/signature/kms/aws (#2226)
  • 84f57b8 build(deps): Bump github.com/sigstore/sigstore (#2221)
  • bdc1a86 build(deps): Bump actions/checkout from 5.0.1 to 6.0.0 (#2220)
  • 11dfe81 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/aws (#2236)
  • 0214948 Add back ValidatePubKey as a deprecated, minimal function (#2235)
  • cc26bb8 build(deps): Bump localstack/localstack in /test/e2e in the all group (#2227)
  • 63ab8d8 build(deps): Bump github.com/aws/aws-sdk-go-v2/service/kms (#2229)
  • 9e629f0 build(deps): Bump the all group with 2 updates (#2219)
  • 234b99d build(deps): Bump github.com/coreos/go-oidc/v3 from 3.16.0 to 3.17.0 (#2223)
  • Additional commits viewable in compare view

Updates github.com/ulikunitz/xz from 0.5.12 to 0.5.14

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
deps: bump the go_modules group across 1 directory with 7 updates
0b78cea 
Bumps the go_modules group with 4 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto), [helm.sh/helm/v3](https://github.com/helm/helm), [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) and [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign).


Updates `golang.org/x/crypto` from 0.41.0 to 0.45.0
- [Commits](golang/crypto@v0.41.0...v0.45.0)

Updates `helm.sh/helm/v3` from 3.17.4 to 3.18.5
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.17.4...v3.18.5)

Updates `github.com/go-git/go-git/v5` from 5.13.0 to 5.16.5
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.13.0...v5.16.5)

Updates `github.com/sigstore/cosign/v2` from 2.2.4 to 2.6.2
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v2.2.4...v2.6.2)

Updates `github.com/sigstore/rekor` from 1.3.6 to 1.4.3
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.3.6...v1.4.3)

Updates `github.com/sigstore/sigstore` from 1.8.3 to 1.10.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.3...v1.10.3)

Updates `github.com/ulikunitz/xz` from 0.5.12 to 0.5.14
- [Commits](ulikunitz/xz@v0.5.12...v0.5.14)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.18.5
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.16.5
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/sigstore/cosign/v2
  dependency-version: 2.6.2
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.4.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/ulikunitz/xz
  dependency-version: 0.5.14
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the area/dependencies Pull requests that update a dependency file label Feb 25, 2026
@dependabot dependabot bot requested a review from a team as a code owner February 25, 2026 12:38
@dependabot dependabot bot added the lang/go The Go Programming Language label Feb 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xiaozhiche320 xiaozhiche320 Awaiting requested review from xiaozhiche320 xiaozhiche320 is a code owner automatically assigned from microsoft/retina

@karina-ranadive karina-ranadive Awaiting requested review from karina-ranadive karina-ranadive is a code owner automatically assigned from microsoft/retina

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area/dependencies Pull requests that update a dependency file lang/go The Go Programming Language

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants