Bump the go-deps group across 1 directory with 8 updates

[dependabot]

Bumps the go-deps group with 6 updates in the / directory:

Package	From	To
github.com/cyphar/filepath-securejoin	0.2.5	0.3.1
github.com/fluxcd/pkg/apis/kustomize	1.5.0	1.6.0
github.com/fluxcd/pkg/apis/meta	1.5.0	1.6.0
github.com/fluxcd/pkg/http/fetch	0.11.0	0.12.0
github.com/fluxcd/pkg/tar	0.7.0	0.8.0
github.com/ory/dockertest/v3	3.10.0	3.11.0

Updates github.com/cyphar/filepath-securejoin from 0.2.5 to 0.3.1

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.3.1

• By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll to do the necessary "partial lookups", Open(at)InRoot now does less work for both implementations (resulting in a many-fold decrease in the number of operations for openat2, and a modest improvement for non-openat2) and is far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT) behaviour.

• We now use readlinkat(fd, "") where possible. For Open(at)InRoot this effectively just means that we no longer risk getting spurious errors during rename races. However, for our hardened procfs handler, this in theory should prevent mount attacks from tricking us when doing magic-link readlinks (even when using the unsafe host /proc handle). Unfortunately Reopen is still potentially vulnerable to those kinds of somewhat-esoteric attacks.

  Technically this will only work on post-2.6.39 kernels but it seems incredibly unlikely anyone is using filepath-securejoin on a pre-2011 kernel.

• Several improvements were made to the errors returned by Open(at)InRoot and MkdirAll when dealing with invalid paths under the emulated (ie. non-openat2) implementation. Previously, some paths would return the wrong error (ENOENT when the last component was a non-directory), and other paths would be returned as though they were acceptable (trailing-slash components after a non-directory would be ignored by Open(at)InRoot).

  These changes were done to match openat2's behaviour and purely is a consistency fix (most users are going to be using openat2 anyway).

Signed-off-by: Aleksa Sarai [email protected]

v0.3.0

This release contains no changes to SecureJoin.

However, it does introduce a new *os.File-based API which is much safer to use for most usecases. These are adapted from [libpathrs][1] and are the bare minimum to be able to operate more safely on an untrusted rootfs where an attacker has write access (something that SecureJoin cannot protect against). The new APIs are:

• OpenInRoot, which resolves a path inside a rootfs and returns an *os.File handle to the path. Note that the file handle returned by OpenInRoot is an O_PATH handle, which cannot be used for reading or writing (as well as some other operations -- see open(2) for more details).

• Reopen, which takes an O_PATH file handle and safely re-opens it to "upgrade" it to a regular handle.

... (truncated)

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.3.1] - 2024-07-23

Changed

• By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll to do the necessary "partial lookups", Open(at)InRoot now does less work for both implementations (resulting in a many-fold decrease in the number of operations for openat2, and a modest improvement for non-openat2) and is far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT) behaviour.

• We now use readlinkat(fd, "") where possible. For Open(at)InRoot this effectively just means that we no longer risk getting spurious errors during rename races. However, for our hardened procfs handler, this in theory should prevent mount attacks from tricking us when doing magic-link readlinks (even when using the unsafe host /proc handle). Unfortunately Reopen is still potentially vulnerable to those kinds of somewhat-esoteric attacks.

  Technically this will only work on post-2.6.39 kernels but it seems incredibly unlikely anyone is using filepath-securejoin on a pre-2011 kernel.

Fixed

• Several improvements were made to the errors returned by Open(at)InRoot and MkdirAll when dealing with invalid paths under the emulated (ie. non-openat2) implementation. Previously, some paths would return the wrong error (ENOENT when the last component was a non-directory), and other paths would be returned as though they were acceptable (trailing-slash components after a non-directory would be ignored by Open(at)InRoot).

  These changes were done to match openat2's behaviour and purely is a consistency fix (most users are going to be using openat2 anyway).

[0.3.0] - 2024-07-11

Added

• A new set of *os.File-based APIs have been added. These are adapted from [libpathrs][] and we strongly suggest using them if possible (as they provide far more protection against attacks than SecureJoin):

  • Open(at)InRoot resolves a path inside a rootfs and returns an *os.File handle to the path. Note that the handle returned is an O_PATH handle, which cannot be used for reading or writing (as well as some other operations -- [see open(2) for more details][open.2])

  • Reopen takes an O_PATH file handle and safely re-opens it to upgrade it to a regular handle. This can also be used with non-O_PATH handles, but O_PATH is the most obvious application.

  • MkdirAll is an implementation of os.MkdirAll that is safe to use to

... (truncated)

Commits

• ce7b28a VERSION: release v0.3.1
• a2c14f8 CHANGELOG: add readlinkat(fd, "") shout-out
• 4ea279f merge #22 into cyphar/filepath-securejoin:main
• 16e1bec CHANGELOG: add initial changelog with current history
• 2404ffb merge #21 into cyphar/filepath-securejoin:main
• f29b7a4 lookup: handle // and trailing slash components correctly
• ecd61ca merge #19 into cyphar/filepath-securejoin:main
• 38b1220 procfs: refactor statx mnt_id logic
• 45c4415 procfs: use readlink(fd, "") for magic-links
• edab538 merge #17 into cyphar/filepath-securejoin:main
• Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/apis/kustomize from 1.5.0 to 1.6.0

Commits

• be8df7e Merge pull request #801 from fluxcd/k8s-1.31
• 76035f8 Update Helm to v3.15.4
• 3f5cf4c Build with Go 1.23
• 4b90241 Update dependencies to Kubernetes v1.31.0
• 0e61a3b Merge pull request #799 from fluxcd/dependabot/github_actions/ci-9f4b007c5b
• 6bf4bad build(deps): bump the ci group with 4 updates
• 968f190 Merge pull request #795 from fluxcd/dependabot/github_actions/ci-8fa51b1870
• bce8cab build(deps): bump the ci group across 1 directory with 8 updates
• 7d033c1 Merge pull request #798 from fluxcd/cleanup-aws-nuke
• e98ccfa workflow: Set aws-nuke region for cleanup
• Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/apis/meta from 1.5.0 to 1.6.0

Commits

• be8df7e Merge pull request #801 from fluxcd/k8s-1.31
• 76035f8 Update Helm to v3.15.4
• 3f5cf4c Build with Go 1.23
• 4b90241 Update dependencies to Kubernetes v1.31.0
• 0e61a3b Merge pull request #799 from fluxcd/dependabot/github_actions/ci-9f4b007c5b
• 6bf4bad build(deps): bump the ci group with 4 updates
• 968f190 Merge pull request #795 from fluxcd/dependabot/github_actions/ci-8fa51b1870
• bce8cab build(deps): bump the ci group across 1 directory with 8 updates
• 7d033c1 Merge pull request #798 from fluxcd/cleanup-aws-nuke
• e98ccfa workflow: Set aws-nuke region for cleanup
• Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/http/fetch from 0.11.0 to 0.12.0

Commits

• bf62fd3 Merge pull request #550 from fluxcd/push-to-ref
• adda160 git: add PushConfig.Force for force pushing
• 39b978a gogit: rename CloneOptions to CloneConfig for consistency
• 88da1a6 git: add support for specifying refspecs for a push
• e0c94db Merge pull request #553 from fluxcd/int-cleanup-gcp
• c87edab Add integration test resource cleanup workflow
• c5096c2 Merge pull request #552 from fluxcd/oci-test-buildx
• 1013011 oci/test: update docker build command for buildx
• b21e269 Merge pull request #551 from fluxcd/cloud-e2e-workflow-secret
• 7f01962 workflows: Update GCP & AZ secret names
• Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/tar from 0.7.0 to 0.8.0

Commits

• 7ef01b0 Merge pull request #442 from blurpy/feature/git_bearer_token
• 659695f Add back support for passphrase protected ssh keys
• 767e771 Validate that basic auth and bearer token cannot be set at the same time
• cbf091c Add test to verify that username from Secret is preferred
• b6c6888 Refactor of NewAuthOptions to only fill the auth options that are relevant
• fef9d6a Add more test scenarios for NewAuthOptions
• 9b9b723 Validate that bearer token is not used over http
• 04d0d48 Add some quick tests of basic auth in client.validateUrl()
• a451505 Support specifying bearerToken for git http token authentication.
• bfb6385 Merge pull request #448 from fluxcd/e2e-ux
• Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.33.1 to 1.34.1

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.34.1

1.34.1

Maintenance

• Use slices from exp/slices to keep golang 1.20 compat [5e71dcd]

v1.34.0

1.34.0

Features

• Add RoundTripper method to ghttp.Server [c549e0d]

Fixes

• fix incorrect handling of nil slices in HaveExactElements (fixes #771) [878940c]
• issue_765 - fixed bug in Hopcroft-Karp algorithm [ebadb67]

Maintenance

• bump ginkgo [8af2ece]
• Fix typo in docs [123a071]
• Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.17.3 (#756) [0e69083]
• Bump google.golang.org/protobuf from 1.33.0 to 1.34.1 (#755) [2675796]
• Bump golang.org/x/net from 0.24.0 to 0.25.0 (#754) [4160c0f]
• Bump github-pages from 230 to 231 in /docs (#748) [892c303]

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.34.1

Maintenance

• Use slices from exp/slices to keep golang 1.20 compat [5e71dcd]

1.34.0

Features

• Add RoundTripper method to ghttp.Server [c549e0d]

Fixes

• fix incorrect handling of nil slices in HaveExactElements (fixes #771) [878940c]
• issue_765 - fixed bug in Hopcroft-Karp algorithm [ebadb67]

Maintenance

• bump ginkgo [8af2ece]
• Fix typo in docs [123a071]
• Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.17.3 (#756) [0e69083]
• Bump google.golang.org/protobuf from 1.33.0 to 1.34.1 (#755) [2675796]
• Bump golang.org/x/net from 0.24.0 to 0.25.0 (#754) [4160c0f]
• Bump github-pages from 230 to 231 in /docs (#748) [892c303]

Commits

• fa057b8 v1.34.1
• 5e71dcd Use slices from exp/slices to keep golang 1.20 compat
• 32e5498 v1.34.0
• cb3fa6a run go mod tidy and wonder why go get doesnt just run it for me in the first ...
• 8af2ece bump ginkgo
• 878940c fix incorrect handling of nil slices in HaveExactElements (fixes #771)
• f5bec80 clean up bipartitegraph tests
• ebadb67 issue_765 - fixed bug in Hopcroft-Karp algorithm
• 123a071 Fix typo in docs
• c549e0d Add RoundTripper method to ghttp.Server
• Additional commits viewable in compare view

Updates github.com/ory/dockertest/v3 from 3.10.0 to 3.11.0

Release notes

Sourced from github.com/ory/dockertest/v3's releases.

v3.11.0

What's Changed

• chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.6 by @​dependabot in ory/dockertest#435
• chore(deps): bump github.com/Microsoft/go-winio from 0.6.0 to 0.6.1 by @​dependabot in ory/dockertest#437
• chore(deps): bump github.com/lib/pq from 0.0.0-20180327071824-d34b9ff171c2 to 1.10.8 by @​dependabot in ory/dockertest#438
• chore(deps): bump github.com/docker/docker from 20.10.7+incompatible to 20.10.24+incompatible by @​dependabot in ory/dockertest#426
• chore(deps): bump actions/checkout from 2 to 3 by @​dependabot in ory/dockertest#427
• chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 by @​dependabot in ory/dockertest#450
• chore(deps): bump github.com/containerd/continuity from 0.3.0 to 0.4.1 by @​dependabot in ory/dockertest#451
• chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.3 by @​dependabot in ory/dockertest#449
• chore(deps): bump github.com/opencontainers/runc from 1.1.6 to 1.1.7 by @​dependabot in ory/dockertest#442
• chore(deps): bump golang.org/x/sys from 0.7.0 to 0.8.0 by @​dependabot in ory/dockertest#445
• chore(deps): bump github.com/moby/term from 0.0.0-20201216013528-df9cb8a40635 to 0.5.0 by @​dependabot in ory/dockertest#446
• chore(deps): bump github.com/docker/cli from 20.10.17+incompatible to 24.0.1+incompatible by @​dependabot in ory/dockertest#448
• chore: bump dependencies and fix some lint by @​alnr in ory/dockertest#499
• chore(deps): bump golang.org/x/sys from 0.19.0 to 0.21.0 by @​dependabot in ory/dockertest#501
• chore(deps): bump actions/checkout from 2 to 4 by @​dependabot in ory/dockertest#475
• feat: fall back to podman if available by @​SoMuchForSubtlety in ory/dockertest#452
• test: refactor asserts by @​alexandear in ory/dockertest#497
• use defer instead of os.Exit(m.Run()) by @​pmenglund in ory/dockertest#493
• docs: remove outdated dep install instruction by @​alexandear in ory/dockertest#505
• chore: remove direct dependency on gotest.tools/v3 by @​alexandear in ory/dockertest#504
• chore: replace deprecated ioutil.TempDir with os.MkdirTemp by @​alexandear in ory/dockertest#506
• chore(deps): bump github.com/opencontainers/runc from 1.1.12 to 1.1.13 by @​dependabot in ory/dockertest#509
• move tests to dockertest_test package by @​siraj-mx51 in ory/dockertest#490
• chore(deps): bump github.com/opencontainers/image-spec from 1.0.2 to 1.1.0 by @​dependabot in ory/dockertest#510
• chore(deps): bump actions/setup-node from 2.pre.beta to 4.0.2 by @​dependabot in ory/dockertest#503
• chore(deps): bump actions/setup-go from 4 to 5 by @​dependabot in ory/dockertest#508
• chore(deps): bump actions/stale from 4 to 9 by @​dependabot in ory/dockertest#507
• feat: introduce cve scanners by @​Demonsthere in ory/dockertest#500
• chore: update docker to v27.1.1 by @​adamwalach in ory/dockertest#522

New Contributors

• @​alnr made their first contribution in ory/dockertest#499
• @​SoMuchForSubtlety made their first contribution in ory/dockertest#452
• @​siraj-mx51 made their first contribution in ory/dockertest#490
• @​Demonsthere made their first contribution in ory/dockertest#500
• @​adamwalach made their first contribution in ory/dockertest#522

Full Changelog: ory/dockertest@v3.10.0...v3.11.0

Commits

• 6110e9a chore: update docker to v27.1.1 (#522)
• d229e74 feat: introduce cve scanners (#500)
• 1b46b29 chore(deps): bump actions/stale from 4 to 9 (#507)
• 44496a3 chore(deps): bump actions/setup-go from 4 to 5 (#508)
• 1aa8cd7 chore(deps): bump actions/setup-node from 2.pre.beta to 4.0.2 (#503)
• 0c91bda chore(deps): bump github.com/opencontainers/image-spec (#510)
• 3328cf9 move tests to dockertest_test package (#490)
• 05f6347 chore(deps): bump github.com/opencontainers/runc from 1.1.12 to 1.1.13 (#509)
• 6539ccd chore: replace deprecated ioutil.TempDir with os.MkdirTemp (#506)
• 84015fd chore: remove direct dependency on gotest.tools/v3 (#504)
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.26.0 to 0.28.0

Commits

• 4542a42 go.mod: update golang.org/x dependencies
• 765c7e8 xsrftoken: create no padding base64 string by RawURLEncoding
• 032e4e4 LICENSE: update per Google Legal
• e2310ae go.mod: update golang.org/x dependencies
• 77708f7 quic: skip tests which depend on unimplemented UDP functions on Plan 9
• 9617c63 http2: avoid Transport hang with Connection: close and AllowHTTP
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.