
deps(deps): update all non-major dependencies #107

Open: wants to merge 1 commit into base branch main

Conversation


@renovate renovate bot commented Nov 14, 2024

This PR contains the following updates:

| Package | Change | Type | Update |
|---|---|---|---|
| github.com/go-logr/logr | v1.4.2 -> v1.4.3 | require | patch |
| github.com/kubescape/kubevuln | v0.3.33 -> v0.3.82 | require | patch |
| github.com/kubescape/storage | v0.0.111 -> v0.0.200 | require | patch |
| github.com/onsi/ginkgo/v2 | v2.20.2 -> v2.23.4 | require | minor |
| github.com/onsi/gomega | v1.34.2 -> v1.37.0 | require | minor |
| github.com/validator-labs/validator | v0.1.0 -> v0.1.16 | require | patch |
| golang | 1.23 -> 1.24 | stage | minor |
| k8s.io/api | v0.31.0 -> v0.33.3 | require | minor |
| k8s.io/apimachinery | v0.31.0 -> v0.33.3 | require | minor |
| k8s.io/client-go | v0.31.0 -> v0.33.3 | require | minor |
| sigs.k8s.io/cluster-api | v1.8.2 -> v1.10.4 | require | minor |
| sigs.k8s.io/controller-runtime | v0.19.0 -> v0.21.0 | require | minor |

Release Notes

go-logr/logr (github.com/go-logr/logr)

v1.4.3

Compare Source

Minor release.

What's Changed

New Contributors

Full Changelog: go-logr/logr@v1.4.2...v1.4.3

kubescape/kubevuln (github.com/kubescape/kubevuln)

v0.3.82

Compare Source

Overview

v0.3.80

Compare Source

v0.3.78

Compare Source

v0.3.77

Compare Source

v0.3.76

Compare Source

Bumps github.com/open-policy-agent/opa from 0.68.0 to 1.4.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.4.0

This release contains a security fix addressing CVE-2025-46569. It also includes a mix of new features, bugfixes, and dependency updates.

Security Fix: CVE-2025-46569 - OPA server Data API HTTP path injection of Rego (GHSA-6m8w-jc87-6cr7)

A vulnerability in the OPA server's Data API allows an attacker to craft the HTTP path in a way that injects Rego code into the query that is evaluated.
The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.

Users are only impacted if all of the following apply:

  • OPA is deployed as a standalone server (rather than being used as a Go library)
  • The OPA server is exposed outside of the local host in an untrusted environment.
  • The configured authorization policy does not do exact matching of the input.path attribute when deciding if the request should be allowed.

or, if all of the following apply:

  • OPA is deployed as a standalone server.
  • The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA’s Data API.

Note: With no Authorization Policy configured for restricting API access (the default configuration), the RESTful Data API provides access for managing Rego policies; and the RESTful Query API facilitates advanced queries. Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate. As such, OPA servers exposed to a network are not considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.

This issue affects all versions of OPA prior to 1.4.0.

See the Security Advisory for more details.

Reported by @GamrayW, @HyouKash, @AdrienIT, authored by @johanfylling

Runtime, Tooling, SDK

Topdown and Rego

Docs, Website, Ecosystem

... (truncated)


Commits


v0.3.75

Compare Source

Please see kubescape/kubescape#1834

v0.3.74

Compare Source

Bumps github.com/cilium/cilium from 1.16.8 to 1.16.9.

Release notes

Sourced from github.com/cilium/cilium's releases.

1.16.9

Summary of Changes

Minor Changes:

Bugfixes:

CI Changes:

Misc Changes:

... (truncated)


Commits
  • bf7387b Prepare for release v1.16.9
  • b2de936 chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744305...
  • 6249545 images: update cilium-{runtime,builder}
  • e65cdcf chore(deps): update docker.io/library/golang:1.23.8 docker digest to 4f3bd60
  • 4157586 images: update cilium-{runtime,builder}
  • ff4ea72 chore(deps): update all-dependencies
  • 420eff5 lrp: Add IP family checks
  • 786ed0d docs: clarify hubble flow filter match semantics
  • b35bb43 docs: remove endpointRoutes for aws-cni chaining
  • ad52b68 chore(deps): update stable lvh-images
  • Additional commits viewable in compare view


v0.3.72

Compare Source

What's Changed

New Contributors

Full Changelog: kubescape/kubevuln@v0.3.69...v0.3.72

v0.3.69


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
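The OPA advisory quoted above names one mitigation condition: the server's authorization policy must exact-match input.path rather than accept any path sharing a prefix. The following system.authz policy is an added example (not from this PR or the OPA project) contrasting the two; the data path httpapi/authz and the single-consumer assumption are made up for illustration.

```rego
package system.authz

# Added example, not part of this PR or of OPA itself.
# In the OPA authorization policy, input.path is the request path split
# into segments, e.g. GET /v1/data/httpapi/authz -> ["v1", "data", "httpapi", "authz"].

default allow := false

# WEAK (illustration only, not wired into allow): checking only the leading
# segments lets any request whose path merely starts with /v1/data/httpapi
# be evaluated, so the query that actually runs is not pinned to one document.
allow_prefix_weak if {
    input.method == "GET"
    input.path[0] == "v1"
    input.path[1] == "data"
    input.path[2] == "httpapi"
}

# STRONG: exact array equality on the whole path ties the request to exactly
# one data document; any extra, missing or altered segment is denied.
allow if {
    input.method == "GET"
    input.path == ["v1", "data", "httpapi", "authz"]
}

# Health endpoint for the load balancer, also exact-matched.
allow if {
    input.method == "GET"
    input.path == ["health"]
}

# Everything else, including policy management via PUT/DELETE on
# /v1/policies and /v1/data, falls through to the default deny above.
```

Load it with OPA's --authorization=basic mode so system.authz is consulted for every API request; with the weak rule in place of the exact one, the default-deny no longer constrains what is evaluated below the httpapi prefix.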

@renovate renovate bot requested a review from a team as a code owner November 14, 2024 23:05
@renovate renovate bot requested a review from TylerGillson November 14, 2024 23:05

renovate bot commented Nov 14, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 71 additional dependencies were updated

Details:

Package Change
github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a -> v0.0.0-20241205183533-4fc29b5832e7
github.com/anchore/packageurl-go v0.1.1-0.20240312213626-055233e539b4 -> v0.1.1-0.20241018175412-5c22e6360c4f
github.com/anchore/stereoscope v0.0.3-0.20240423181235-8b297badafd5 -> v0.0.11
github.com/anchore/syft v1.3.0 -> v1.18.1
github.com/armosec/armoapi-go v0.0.416 -> v0.0.512
github.com/armosec/gojay v1.2.15 -> v1.2.17
github.com/armosec/utils-go v0.0.57 -> v0.0.58
github.com/armosec/utils-k8s-go v0.0.26 -> v0.0.30
github.com/bmatcuk/doublestar/v4 v4.6.1 -> v4.7.1
github.com/briandowns/spinner v1.23.0 -> v1.23.1
github.com/containerd/errdefs v0.1.0 -> v1.0.0
github.com/docker/cli v24.0.7+incompatible -> v27.4.0+incompatible
github.com/docker/docker v27.1.1+incompatible -> v27.4.0+incompatible
github.com/emicklei/go-restful/v3 v3.12.1 -> v3.12.2
github.com/evanphx/json-patch/v5 v5.9.0 -> v5.9.11
github.com/fatih/color v1.17.0 -> v1.18.0
github.com/fsnotify/fsnotify v1.7.0 -> v1.8.0
github.com/gabriel-vasile/mimetype v1.4.3 -> v1.4.7
github.com/github/go-spdx/v2 v2.2.0 -> v2.3.2
github.com/gobuffalo/flect v1.0.2 -> v1.0.3
github.com/google/cel-go v0.20.1 -> v0.22.0
github.com/google/go-cmp v0.6.0 -> v0.7.0
github.com/google/go-containerregistry v0.20.1 -> v0.20.2
github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 -> v0.0.0-20250403155104-27863c87afa6
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 -> v2.26.1
github.com/klauspost/compress v1.17.9 -> v1.17.11
github.com/kubescape/go-logger v0.0.22 -> v0.0.23
github.com/kubescape/k8s-interface v0.0.162 -> v0.0.191
github.com/pelletier/go-toml/v2 v2.2.2 -> v2.2.3
github.com/pierrec/lz4/v4 v4.1.15 -> v4.1.22
github.com/prometheus/client_golang v1.19.1 -> v1.20.5
github.com/prometheus/common v0.55.0 -> v0.61.0
github.com/sagikazarmark/locafero v0.4.0 -> v0.7.0
github.com/spf13/afero v1.11.0 -> v1.12.0
github.com/spf13/cast v1.6.0 -> v1.7.1
github.com/spf13/cobra v1.8.1 -> v1.9.1
github.com/spf13/pflag v1.0.5 -> v1.0.6
github.com/spf13/viper v1.19.0 -> v1.20.0
github.com/stoewer/go-strcase v1.2.0 -> v1.3.0
github.com/stripe/stripe-go/v74 v74.28.0 -> v74.30.0
github.com/sylabs/squashfs v0.6.1 -> v1.0.4
github.com/uptrace/opentelemetry-go-extra/otelutil v0.2.2 -> v0.3.2
github.com/uptrace/opentelemetry-go-extra/otelzap v0.2.2 -> v0.3.2
github.com/uptrace/uptrace-go v1.18.0 -> v1.30.1
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 -> v0.58.0
go.opentelemetry.io/contrib/instrumentation/runtime v0.44.0 -> v0.55.0
go.opentelemetry.io/otel v1.28.0 -> v1.35.0
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.18.0 -> v1.30.0
go.opentelemetry.io/otel/metric v1.28.0 -> v1.35.0
go.opentelemetry.io/otel/sdk v1.28.0 -> v1.35.0
golang.org/x/crypto v0.26.0 -> v0.36.0
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 -> v0.0.0-20241217172543-b2144cdd0a67
golang.org/x/net v0.28.0 -> v0.37.0
golang.org/x/oauth2 v0.21.0 -> v0.28.0
golang.org/x/sync v0.8.0 -> v0.12.0
golang.org/x/sys v0.24.0 -> v0.32.0
golang.org/x/term v0.23.0 -> v0.30.0
golang.org/x/text v0.17.0 -> v0.23.0
golang.org/x/time v0.5.0 -> v0.8.0
golang.org/x/tools v0.24.0 -> v0.31.0
gomodules.xyz/jsonpatch/v2 v2.4.0 -> v2.5.0
google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 -> v0.0.0-20250218202821-56aae31c358a
google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 -> v0.0.0-20250218202821-56aae31c358a
k8s.io/apiextensions-apiserver v0.31.0 -> v0.32.3
k8s.io/apiserver v0.31.0 -> v0.32.3
k8s.io/component-base v0.31.0 -> v0.32.3
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 -> v0.0.0-20241105132330-32ad38e42d3f
k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 -> v0.0.0-20241210054802-24370beab758
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 -> v0.31.0
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd -> v0.0.0-20241014173422-cfa47c3a1cc8
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 -> v4.5.0

@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Nov 14, 2024
renovate-approve bot previously approved these changes Nov 14, 2024
renovate-approve bot previously approved these changes Nov 19, 2024 (twice)
renovate-approve bot previously approved these changes Nov 21, 2024 (three times)
renovate-approve bot previously approved these changes Nov 22, 2024 (twice)
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 0e61490 to c467ab1 Compare April 23, 2025 22:23
@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels Apr 23, 2025

renovate bot commented Apr 23, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: module github.com/kubescape/[email protected] requires go >= 1.23.8; switching to go1.23.11
go: downloading go1.23.11 (linux/amd64)
go: download go1.23.11: golang.org/[email protected]: verifying module: checksum database disabled by GOSUMDB=off

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from c5beb53 to 9e48e5a Compare April 30, 2025 16:37
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from ee238b1 to e514c79 Compare May 8, 2025 16:37
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from fa8b4a8 to 55d893e Compare May 21, 2025 06:48
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 894248f to d26d593 Compare May 28, 2025 20:37
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from ac9414a to 67ff4cc Compare June 19, 2025 18:10
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 3808706 to 88d5bb5 Compare July 16, 2025 06:15
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 88d5bb5 to edf0874 Compare July 16, 2025 11:49
Labels
dependencies go size:S This PR changes 10-29 lines, ignoring generated files.