Update go modules (main) (patch)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
cuelang.org/go	v0.16.0 → v0.16.1
github.com/conforma/crds/api	v0.1.7 → v0.1.10
github.com/conforma/go-gather	v1.1.0 → v1.1.4
github.com/cucumber/godog	v0.15.0 → v0.15.1
github.com/daixiang0/gci	v0.13.5 → v0.13.7
github.com/gkampitakis/go-snaps	v0.5.19 → v0.5.21
github.com/go-git/go-git/v5	v5.17.1 → v5.17.2
github.com/go-openapi/runtime	v0.29.2 → v0.29.3
github.com/google/go-containerregistry	v0.21.0 → v0.21.5
github.com/mattn/go-isatty	v0.0.20 → v0.0.21
github.com/otiai10/copy	v1.14.0 → v1.14.1
github.com/package-url/packageurl-go	v0.1.3 → v0.1.5
github.com/sigstore/cosign/v3	v3.0.4 → v3.0.6
github.com/sigstore/rekor	v1.5.0 → v1.5.1
github.com/sigstore/sigstore	v1.10.4 → v1.10.5
github.com/testcontainers/testcontainers-go	v0.34.0 → v0.34.1
gotest.tools/gotestsum	v1.12.1 → v1.12.3
k8s.io/api	v0.35.0 → v0.35.4
k8s.io/api	v0.35.3 → v0.35.4
k8s.io/apiextensions-apiserver	v0.34.3 → v0.34.7
k8s.io/apimachinery	v0.35.0 → v0.35.4
k8s.io/apimachinery	v0.35.3 → v0.35.4
k8s.io/client-go	v0.35.0 → v0.35.4
k8s.io/client-go	v0.35.3 → v0.35.4
k8s.io/kubernetes	v1.34.2 → v1.34.7

---

Release Notes

cue-lang/cue (cuelang.org/go)

v0.16.1

Compare Source

Language

The fallback keyword in the aliasv2 experiment is replaced by otherwise, which is clearer. cue fmt or cue fix can be used to rewrite existing code.

Evaluator

Fix a regression where the compiler could add comments to the input AST value, which could lead to increased memory usage.

Fix a bug where exporting certain schemas could result in "cannot have both alias and field in same scope" errors.

cmd/cue

Fix a panic which could occur when using non-label expressions in the --path flag.

Teach cue login to give helpful errors when used with OCI registries which don't support the OAuth2 device flow.

Go API

Fix a regression where cue.Context.Encode could panic on custom marshaler types with pointer receivers.

Full list of changes since v0.16.0

• internal/cueversion: bump to v0.16.1 by @​mvdan in 6d609d7
• internal/ci: build releases with Go 1.26.2 by @​mvdan in cedf4c8
• update all golang.org/x/... dependencies by @​mvdan in b4efeef
• all: rename fallback keyword to otherwise by @​mpvl in f813811
• lsp/cache: improve rename by @​cuematthew in 8e47027
• integration/workspace: add test showing bad behaviour by @​cuematthew in a5e0ef5
• cmd/cue: suggest docker/podman login when OAuth2 device flow is unsupported by @​mvdan in c169605
• cmd/cue: add testscript for cue login when device code endpoint is unsupported by @​mvdan in d7c882a
• cmd/cue: clarify how to authenticate with standard OCI registries by @​mvdan in 2613edf
• internal/core/compile: avoid mutating AST by @​rogpeppe in e4b0516
• internal/core/export: fix alias/field name conflict in pattern constraints by @​mvdan in 1e46409
• internal/core/export: add regression test for alias/field name conflict by @​mvdan in 1654f66
• pkg: fix godoc mistakes across several packages by @​mvdan in eae9aaf
• internal/core/convert: fix panic when encoding pointer-receiver marshalers by @​mvdan in 8e39aec
• cmd/cue: return an error for non-label --path expressions instead of panicking by @​mvdan in 5a55849
• encoding: add godoc hints for cue/ast result types by @​mvdan in 682c663

conforma/go-gather (github.com/conforma/go-gather)

v1.1.4

Compare Source

Bug Fixes

• deps: update module github.com/go-git/go-git/v5 to v5.17.2 (c5f27d8)

v1.1.3

Compare Source

Bug Fixes

• ci: add gomodTidy to Renovate postUpdateOptions (222184f)

v1.1.2

Compare Source

Bug Fixes

• deps: update actions/upload-artifact action to v7.0.1 (3e6fec5)
• deps: update github actions (b2496c3)

v1.1.1

Compare Source

Bug Fixes

• ci: add local Renovate overrides for semantic-release compatibility (9626eab)

cucumber/godog (github.com/cucumber/godog)

v0.15.1

Compare Source

Added

• Step text is added to "step is undefined" error - (669 - vearutop)
• Localisation support by @​MegaGrindStone in #​665
• feat: support uint types by @​chengxilo in #​695

Changed

• Replace deprecated ::set-output - (681 - nodeg)

Fixed

• fix(errors): fix(errors): Fix expected Step argument count for steps with context.Context (679 - tigh-latte)
• fix(formatter): On concurrent execution, execute formatter at end of Scenario - (645 - tigh-latte)
• Pretty printing results now prints the line where the step is declared instead of the line where the handler is declared. (668 - spencerc)
• Update honnef.co/go/tools/cmd/staticcheck version in Makefile by @​RezaZareiii in #​670
• fix: verify dogT exists in the context before using it by @​cakoolen in #​692
• fix: change bang to being in README by @​nahomEagleLion in #​687
• Mark junit test cases as skipped if no pickle step results available by @​mrsheepuk in #​597
• Print step declaration line instead of handler declaration line by @​SpencerC in #​668

daixiang0/gci (github.com/daixiang0/gci)

v0.13.7

Compare Source

What's Changed

• fix: scrape all goos/goarch pair for stdlib by @​Zxilly in #​208
• chore: get module info from pass by @​ldez in #​221
• chore: remove analyzer by @​ldez in #​222
• feat: update standard list to go1.25 by @​ldez in #​233
• bump up version by @​daixiang0 in #​234

New Contributors

• @​Zxilly made their first contribution in #​208

Full Changelog: daixiang0/gci@v0.13.6...v0.13.7

v0.13.6

Compare Source

What's Changed

• fix: update standard list to go1.24 by @​ldez in #​227
• bump up version by @​daixiang0 in #​229

Full Changelog: daixiang0/gci@v0.13.5...v0.13.6

gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)

v0.5.21

Compare Source

What's Changed

• support nested arrays in json matchers by @​gkampitakis in #​145

Full Changelog: gkampitakis/go-snaps@v0.5.20...v0.5.21

v0.5.20

Compare Source

What's Changed

• feat: support setting serializer on config by @​gkampitakis in #​154

Full Changelog: gkampitakis/go-snaps@v0.5.19...v0.5.20

go-git/go-git (github.com/go-git/go-git/v5)

v5.17.2

Compare Source

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in #​1941
• dotgit: skip writing pack files that already exist on disk by @​pjbgf in #​1944

⚠️ This release fixes a bug (#​1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

go-openapi/runtime (github.com/go-openapi/runtime)

v0.29.3

Compare Source

0.29.3 - 2026-03-08

Full Changelog: go-openapi/runtime@v0.29.2...v0.29.3

27 commits in this release.

---

Fixed bugs

• fix: Content-Type of 404 & 405 responses by @​maxatome in #​373 ...

Documentation

• docs: add FAQ from resolved GitHub issues by @​fredbi in #​403 ...
• doc: fixup README (pending CI update for a complete rendering) by @​fredbi ...
• doc: announced new discord channel by @​fredbi in #​390 ...
• Chore/attribute original code by @​fredbi in #​384 ...

Code quality

• chore: updated dependencies (removed mongodb indirect dependency) by @​fredbi in #​399 ...

Miscellaneous tasks

• chore: prepare release v0.29.3 by @​bot-go-openapi[bot] in #​404 ...
• ci: fixed dropped trivy release - updated shared workflow by @​fredbi ...
• chore(code quality): replace TODO comments with issue references by @​fredbi in #​388 ...
• chore(licensing): added correct code attribution for the denco middleware by @​fredbi ...
• chore: fixed code quality issues in shells used for preparing releases by @​fredbi in #​383 ...

Updates

• build(deps): bump the development-dependencies group across 2 directories with 7 updates by @​dependabot[bot] in #​402 ...
• build(deps): bump the other-dependencies group with 3 updates by @​dependabot[bot] in #​394 ...
• build(deps): bump the go-openapi-dependencies group with 6 updates by @​dependabot[bot] in #​398 ...
• build(deps): bump the go-openapi-dependencies group with 2 updates by @​dependabot[bot] in #​396 ...
• build(deps): bump the go-openapi-dependencies group with 2 updates by @​dependabot[bot] in #​395 ...
• build(deps): bump the go-openapi-dependencies group with 2 updates by @​dependabot[bot] in #​393 ...
• build(deps): bump the go-openapi-dependencies group with 2 updates by @​dependabot[bot] in #​392 ...
• build(deps): bump the go-openapi-dependencies group with 2 updates by @​dependabot[bot] in #​391 ...
• build(deps): bump github.com/go-openapi/analysis from 0.24.1 to 0.24.2 in the go-openapi-dependencies group by @​dependabot[bot] in #​389 ...
• build(deps): bump the other-dependencies group with 3 updates by @​dependabot[bot] in #​382 ...
• build(deps): bump golang.org/x/sync from 0.18.0 to 0.19.0 in the golang-org-dependencies group by @​dependabot[bot] in #​380 ...
• build(deps): bump the go-openapi-dependencies group with 2 updates by @​dependabot[bot] in #​381 ...
• build(deps): bump the go-openapi-dependencies group with 4 updates by @​dependabot[bot] in #​379 ...
• build(deps): bump the go-openapi-dependencies group with 4 updates by @​dependabot[bot] in #​377 ...
• build(deps): bump actions/checkout from 5 to 6 in the development-dependencies group by @​dependabot[bot] in #​378 ...
• build(deps): bump golangci/golangci-lint-action from 8 to 9 in the development-dependencies group by @​dependabot[bot] in #​374 ...

---

People who contributed to this release

• @​fredbi
• @​maxatome

---

New Contributors

• @​maxatome made their first contribution
  in #​373

---

runtime license terms

Per-module changes

---

client-middleware/opentracing (0.29.3)

Documentation

• Chore/attribute original code by @​fredbi in #​384 ...

Code quality

• chore: updated dependencies (removed mongodb indirect dependency) by @​fredbi in #​399 ...

Miscellaneous tasks

• chore: prepare release v0.29.3 by @​bot-go-openapi[bot] in #​404 ...

google/go-containerregistry (github.com/google/go-containerregistry)

v0.21.5

Compare Source

What's Changed

• Bump docker/cli v29.4.0, moby/api v1.54.1, moby/client v0.4.0 by @​thaJeztah in #​2254
• update to Go 1.26.2 by @​thaJeztah in #​2255
• Bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 in the actions group across 1 directory by @​dependabot[bot] in #​2257
• build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 in the go-deps group across 1 directory by @​dependabot[bot] in #​2260

Full Changelog: google/go-containerregistry@v0.21.4...v0.21.5

v0.21.4

Compare Source

What's Changed

• go.mod: do not make a viral minimum go version by @​howardjohn in #​2237
• Avoid pruning absolute links from extracted and flattened images by @​Subserial in #​2241
• Bump the go-deps group across 3 directories with 5 updates by @​dependabot[bot] in #​2245
• fix: update to go1.25.8, and use separate .go-version file by @​thaJeztah in #​2246
• Bump CI go version to 1.26.1 by @​Subserial in #​2242
• Bump codecov/codecov-action from 5.5.2 to 5.5.3 in the actions group by @​dependabot[bot] in #​2240
• fork distribution client v3 auth-challenge as an internal package (squashed) by @​thaJeztah in #​2248
• transport: validate Bearer realm URL to prevent SSRF by @​evilgensec in #​2243
• revert path traversal and symlink escape from #​2227 by @​Subserial in #​2250
• Fix pkg/v1/google/auth tests for arm64 by @​Subserial in #​2085
• goreleaser: Update goreleaser config and GH action by @​Subserial in #​2253

New Contributors

• @​evilgensec made their first contribution in #​2243

Full Changelog: google/go-containerregistry@v0.21.3...v0.21.4

v0.21.3

Compare Source

What's Changed

• Adds local file support to the crane index subcommand by @​edwardthiele in #​2223
• migrate to github.com/moby/moby modules by @​thaJeztah in #​2228
• Bump the go-deps group across 4 directories with 7 updates by @​dependabot[bot] in #​2233
• Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 in the actions group by @​dependabot[bot] in #​2220
• mutate: reject path traversal and symlink escape in Extract by @​KevinZhao in #​2227
• tarball: detect symlink cycles in extractFileFromTar by @​vnykmshr in #​2232
• bump golang to 1.25.7 by @​Subserial in #​2236

New Contributors

• @​edwardthiele made their first contribution in #​2223
• @​thaJeztah made their first contribution in #​2228
• @​KevinZhao made their first contribution in #​2227
• @​vnykmshr made their first contribution in #​2232

Full Changelog: google/go-containerregistry@v0.21.2...v0.21.3

v0.21.2

Compare Source

What's Changed

• Better handle redirects to https in ping by @​jonjohnsonjr in #​2225

Full Changelog: google/go-containerregistry@v0.21.1...v0.21.2

v0.21.1

Compare Source

This release fixes a regression in crane introduced in the previous release.

What's Changed

• Add WithFileBufferedOpener for file-backed daemon image buffering by @​twdamhore in #​2214
• crane: fix case in auth response json by @​aelindeman in #​2218

New Contributors

• @​twdamhore made their first contribution in #​2214
• @​aelindeman made their first contribution in #​2218

Full Changelog: google/go-containerregistry@v0.21.0...v0.21.1

mattn/go-isatty (github.com/mattn/go-isatty)

v0.0.21

Compare Source

otiai10/copy (github.com/otiai10/copy)

v1.14.1

Compare Source

package-url/packageurl-go (github.com/package-url/packageurl-go)

v0.1.5

Compare Source

What's Changed

• Remove version requirement for TypeSwift by @​Talgarr in #​90
• Handle non-canonical input purls a bit more gracefully by @​petergardfjall in #​89

New Contributors

• @​Talgarr made their first contribution in #​90

Full Changelog: package-url/packageurl-go@v0.1.4...v0.1.5

v0.1.4

Compare Source

What's Changed

• Fix golangci and update versions by @​shibumi in #​76
• Allow npm names to be case sensitive by @​PFCM in #​73
• add custom validation for pkg:cpan by @​petergardfjall in #​79
• move cpan to known types by @​nikpivkin in #​71
• Run tests using reference data from purl-spec by @​keshav-space in #​80
• update code to honor the canonical purl encoding by @​petergardfjall in #​83

New Contributors

• @​PFCM made their first contribution in #​73
• @​nikpivkin made their first contribution in #​71
• @​keshav-space made their first contribution in #​80

Full Changelog: package-url/packageurl-go@v0.1.3...v0.1.4

sigstore/cosign (github.com/sigstore/cosign/v3)

v3.0.6

Compare Source

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

• f1ad3ee Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#​4801)
• a09afa9 Handle whitespace-only certificate annotation (#​4760)
• 5a38a6d fix(sign): closing SignerVerifier too early when signing with a security key (#​4761)
• 2290a59 Disallow --new-bundle-format and --rfc3161-timestamp (#​4762)
• 36f4008 support managed keys in conformance testing (#​4728)
• 3274cf9 Add support for GCE metadata server env var (#​4732)
• 2e9754a fix: preserve per-layer annotations in WriteAttestationsReferrer (#​4709)
• dece275 Fix parsing of in-toto for string predicates
• bd4f0fd Mark batch of flags for deprecation (#​4698)
• 9b259ff disallow key and cert identity being used together during verification (#​4636)
• 95eb1c3 support key creation in GitLab group (#​4704)

Thanks to all contributors!

v3.0.5

Compare Source

Deprecations

• Deprecate rekor-entry-type flag (#​4691)
• Deprecate cosign triangulate (#​4676)
• Deprecate cosign copy (#​4681)

Features

• Automatically require signed timestamp with Rekor v2 entries (#​4666)
• Allow --local-image with --new-bundle-format for v2 and v3 signatures (#​4626)
• Add mTLS support for TSA client connections when signing with a signing config (#​4620)
• Enforce TSA requirement for Rekor v2, Fuclio signing (#​4683)

Bug Fixes

• Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#​4635)
• fix: avoid panic on malformed attestation payload (#​4651)
• fix: avoid panic on malformed tlog entries (#​4649)
• fix: avoid panic on malformed replace payload (#​4653)
• Gracefully fail if bundle payload body is not a string (#​4648)
• Verify validity of chain rather than just certificate (#​4663)
• fix: avoid panic on malformed tlog entry body (#​4652)

Documentation

• docs(cosign): clarify RFC3161 revocation semantics (#​4642)
• Fix typo in CLI help (#​4701)

sigstore/rekor (github.com/sigstore/rekor)

v1.5.1

Compare Source

Features

• optimize memory for DSSE v0.0.1 processing (#​2766)

Bug Fixes

• Type assert the entry bundle when verifying inclusion proof (#​2755)
• return correct errors in rare failure situations (#​2753)
• raise error if decoding hash fails during inclusion proof (#​2754)

sigstore/sigstore (github.com/sigstore/sigstore)

v1.10.5

Compare Source

What's Changed

• (kms/hashivault): add openbao support in #​2303
• Fix typo in RSA PSS 4096 signature identifier in #​2270
• fix: eliminate usage of text/template in #​2288
• chore: mention openbao being supported as well (#​2303) in #​2313

Full Changelog: sigstore/sigstore@v1.10.4...v1.10.5

testcontainers/testcontainers-go (github.com/testcontainers/testcontainers-go)

v0.34.1

[Compare Source](https:

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 13 additional dependencies were updated

Details:

Package	Change
golang.org/x/exp	v0.0.0-20250911091902-df9299821621 -> v0.0.0-20251023183803-a4bb9ffd2546
github.com/go-chi/chi/v5	v5.2.4 -> v5.2.5
github.com/go-openapi/runtime	v0.29.2 -> v0.29.3
github.com/go-openapi/swag	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/cmdutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/netutils	v0.25.4 -> v0.25.5
github.com/google/certificate-transparency-go	v1.3.2 -> v1.3.3
github.com/letsencrypt/boulder	v0.20251110.0 -> v0.20260223.0
github.com/prometheus/procfs	v0.17.0 -> v0.19.2
github.com/sigstore/rekor-tiles/v2	v2.0.1 -> v2.2.1
github.com/sigstore/timestamp-authority/v2	v2.0.4 -> v2.0.5
golang.org/x/mod	v0.33.0 -> v0.34.0
google.golang.org/grpc	v1.79.3 -> v1.80.0

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 29 additional dependencies were updated

Details:

Package	Change
golang.org/x/exp	v0.0.0-20250911091902-df9299821621 -> v0.0.0-20251023183803-a4bb9ffd2546
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	v1.30.0 -> v1.31.0
github.com/aws/aws-sdk-go-v2/service/ecr	v1.51.2 -> v1.55.3
github.com/aws/aws-sdk-go-v2/service/ecrpublic	v1.38.2 -> v1.38.10
github.com/awslabs/amazon-ecr-credential-helper/ecr-login	v0.11.0 -> v0.12.0
github.com/clipperhouse/displaywidth	v0.6.0 -> v0.10.0
github.com/clipperhouse/uax29/v2	v2.3.0 -> v2.6.0
github.com/go-chi/chi/v5	v5.2.4 -> v5.2.5
github.com/go-jose/go-jose/v4	v4.1.3 -> v4.1.4
github.com/go-openapi/swag	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/cmdutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/netutils	v0.25.4 -> v0.25.5
github.com/google/certificate-transparency-go	v1.3.2 -> v1.3.3
github.com/letsencrypt/boulder	v0.20251110.0 -> v0.20260223.0
github.com/miekg/pkcs11	v1.1.1 -> v1.1.2
github.com/olekukonko/errors	v1.1.0 -> v1.2.0
github.com/olekukonko/ll	v0.1.3 -> v0.1.6
github.com/olekukonko/tablewriter	v1.1.2 -> v1.1.4
github.com/prometheus/common	v0.67.4 -> v0.67.5
github.com/prometheus/procfs	v0.17.0 -> v0.19.2
github.com/sigstore/fulcio	v1.8.4 -> v1.8.5
github.com/sigstore/rekor-tiles/v2	v2.0.1 -> v2.2.1
github.com/sigstore/timestamp-authority/v2	v2.0.4 -> v2.0.5
gitlab.com/gitlab-org/api/client-go	v1.11.0 -> v1.46.0
go.opentelemetry.io/contrib/detectors/gcp	v1.39.0 -> v1.40.0
golang.org/x/mod	v0.33.0 -> v0.34.0
golang.org/x/tools	v0.42.0 -> v0.43.0
google.golang.org/grpc	v1.79.3 -> v1.80.0
sigs.k8s.io/release-utils	v0.12.3 -> v0.12.4

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/moby/spdystream	v0.5.0 -> v0.5.1

File name: tools/kubectl/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/moby/spdystream	v0.5.0 -> v0.5.1
go.opentelemetry.io/otel	v1.35.0 -> v1.41.0
go.opentelemetry.io/otel/trace	v1.35.0 -> v1.41.0