Skip to content

chore(deps): bump the go_modules group across 1 directory with 8 updates#9938

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/go_modules-d3709b9688
Open

chore(deps): bump the go_modules group across 1 directory with 8 updates#9938
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/go_modules-d3709b9688

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 21, 2026

Bumps the go_modules group with 7 updates in the / directory:

Package From To
github.com/containerd/containerd 1.7.31 1.7.32
github.com/in-toto/in-toto-golang 0.9.0 0.11.0
github.com/sigstore/rekor 1.4.3 1.5.0
github.com/sigstore/timestamp-authority/v2 2.0.3 2.0.6
github.com/theupdateframework/go-tuf/v2 2.3.0 2.4.1
github.com/go-git/go-git/v5 5.19.0 5.19.1
github.com/slack-go/slack 0.17.3 0.23.1

Updates github.com/containerd/containerd from 1.7.31 to 1.7.32

Release notes

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.32

Welcome to the v1.7.32 release of containerd!


The thirty-second patch release for containerd 1.7 contains various fixes and updates including a security patch.

  • containerd

  • Allow hosts.toml to contain only root-level fields without an explicit [host] section (#10028)

  • Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13450)

  • Apply hardening to block AF_ALG in default socket policy (#13406)

  • Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (#13299)

  • Set AppArmor abi conditionally to support versions < 3.0 (#13273)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

  • Maksym Pavlenko
  • Chris Henzie
  • Derek McGowan
  • Paweł Gronowski
  • Samuel Karp
  • Wei Fu
  • Brad Davidson
  • Brian Goff
  • LEI WANG
  • Phil Estes
  • bc87d865c Prepare release notes for v1.7.32
  • oci: return explicit error for out-of-range USER values (#13450)
    • 503f47946 oci: return explicit error for out-of-range USER values
  • seccomp: Block AF_ALG in default socket policy (#13406)
    • e55b747d3 seccomp: Block AF_ALG in default socket policy
    • 4627a65f8 seccomp: Document socket rule scope and socketcall limitation
  • Fix issue with empty host tree in hosts.toml (#10028)
    • 24007441d Fix error parsing hosts.toml without any host tree
  • Support both styles of volatile mount option (#13299)
    • 940733149 Support both styles of volatile mount option
  • apparmor: Set abi conditionally (#13273)
  • Add GitHub Action for k8s node e2e tests (#13258)
    • 0db1e143a Add GitHub Action for k8s node e2e tests
  • Update release process after 1.7 (#13236)
    • 3223a75c2 Update for latest updates to release tool

... (truncated)

Commits
  • 180a7b7 Merge pull request #13452 from samuelkarp/prepare-1.7.32
  • bc87d86 Prepare release notes for v1.7.32
  • 6a05ddd Merge pull request #13450 from samuelkarp/oci-withuser-errrange-1.7
  • 9c3d01b Merge pull request #13406 from k8s-infra-cherrypick-robot/cherry-pick-13327-t...
  • e55b747 seccomp: Block AF_ALG in default socket policy
  • 4627a65 seccomp: Document socket rule scope and socketcall limitation
  • 33d9e24 Merge pull request #10028 from brandond/fix-hosts-toml
  • 503f479 oci: return explicit error for out-of-range USER values
  • 4393e22 Merge pull request #13299 from chrishenzie/release/1.7-volatile
  • 9407331 Support both styles of volatile mount option
  • Additional commits viewable in compare view

Updates github.com/in-toto/in-toto-golang from 0.9.0 to 0.11.0

Release notes

Sourced from github.com/in-toto/in-toto-golang's releases.

v0.11.0

What's Changed

Full Changelog: in-toto/in-toto-golang@v0.10.0...v0.11.0

v0.10.0

What's Changed

... (truncated)

Commits
  • 36d782f Merge pull request #462 from in-toto/fix-negation-character
  • 4a09e3b match: Replace ^ with ! for negation in character classes
  • c3302e8 Merge pull request #459 from in-toto/dependabot/go_modules/github.com/go-jose...
  • 016e87e chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
  • 5b9df76 Merge pull request #457 from in-toto/dependabot/go_modules/google.golang.org/...
  • 595b3fe chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3
  • e396d24 Merge pull request #452 from in-toto/dependabot/github_actions/all-502588e1ca
  • 142b779 Merge pull request #453 from in-toto/dependabot/go_modules/all-d8ef5820aa
  • f741bcc chore(deps): bump the all group with 2 updates
  • c374dc9 chore(deps): bump the all group across 1 directory with 2 updates
  • Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.4.3 to 1.5.0

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.5.0

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

  • Handle malformed COSE and DSSE entries (#2729)
  • Drop support for fetching public keys by URL in the search index (#2731)

Features

  • Add support for a custom TLS config for clients (#2709)
Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.5.0

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

  • Handle malformed COSE and DSSE entries (#2729)
  • Drop support for fetching public keys by URL in the search index (#2731)

Features

  • Add support for a custom TLS config for clients (#2709)
Commits
  • fe9717f Changelog for v1.5.0 (#2730)
  • 60ef2bc Drop support for fetching public keys by URL in the search index (#2731)
  • ca625dc build(deps): Bump github.com/redis/go-redis/v9 from 9.14.1 to 9.17.2 (#2706)
  • 39bae3d Merge commit from fork (#2729)
  • 812e699 build(deps): Bump google.golang.org/api from 0.256.0 to 0.259.0 (#2723)
  • 4596e4e build(deps): Bump golang.org/x/net from 0.47.0 to 0.48.0 (#2722)
  • a3e73cd build(deps): Bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 (#2724)
  • 94d259c build(deps): Bump the all group across 1 directory with 3 updates (#2727)
  • a5329c9 build(deps): Bump the all group with 2 updates (#2728)
  • 5e6bdcd build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2726)
  • Additional commits viewable in compare view

Updates github.com/sigstore/sigstore from 1.10.0 to 1.10.3

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.10.3

What's Changed

v1.10.3 adds ValidatePubKey back to the cryptoutils package to avoid a breaking API change.

Full Changelog: sigstore/sigstore@v1.10.2...v1.10.3

v1.10.2

Functionally equivalent to v1.10.0. v1.10.1 has been retracted to remove copied code.

v1.10.0

Breaking change

sigstore/sigstore#2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

Refactoring

Commits
  • 72f0ed7 build(deps): Bump github.com/aws/aws-sdk-go-v2/config (#2230)
  • b257168 build(deps): Bump github.com/aws/aws-sdk-go-v2 in /pkg/signature/kms/aws (#2226)
  • 84f57b8 build(deps): Bump github.com/sigstore/sigstore (#2221)
  • bdc1a86 build(deps): Bump actions/checkout from 5.0.1 to 6.0.0 (#2220)
  • 11dfe81 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/aws (#2236)
  • 0214948 Add back ValidatePubKey as a deprecated, minimal function (#2235)
  • cc26bb8 build(deps): Bump localstack/localstack in /test/e2e in the all group (#2227)
  • 63ab8d8 build(deps): Bump github.com/aws/aws-sdk-go-v2/service/kms (#2229)
  • 9e629f0 build(deps): Bump the all group with 2 updates (#2219)
  • 234b99d build(deps): Bump github.com/coreos/go-oidc/v3 from 3.16.0 to 3.17.0 (#2223)
  • Additional commits viewable in compare view

Updates github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6

Release notes

Sourced from github.com/sigstore/timestamp-authority/v2's releases.

v2.0.6

What's Changed

Full Changelog: sigstore/timestamp-authority@v2.0.5...v2.0.6

v2.0.5

What's Changed

This release updates the chi middleware to resolve a panic.

Full Changelog: sigstore/timestamp-authority@v2.0.4...v2.0.5

v2.0.4

Changelog

  • 5ddd4e6ad32117ae431eca6299ed9d29a6d33f5a update changelog for v2.0.4 (#1258)

What's Changed

Full Changelog: sigstore/timestamp-authority@v2.0.3...v2.0.4

Changelog

Sourced from github.com/sigstore/timestamp-authority/v2's changelog.

v2.0.5

This release updates the chi middleware to resolve a panic.

Bug Fixes

  • Upgrade chi middleware v4 -> v5 (#1307)

Docs

  • Update the semantics of the NTP monitoring so its clear in the README (#1276)
  • docs: note that CRL/OCSP checks are not performed (#1277)

Misc

  • Increase default HTTP idle timeout (#1287)

v2.0.4

Only contains dependency updates, but fixes #1252 due to breaking API change in sigstore/sigstore

Commits
  • 9583b61 Ensure correct certificate is used for TSA auth checks (GHSA-xm5m-wgh2-rrg3) ...
  • 7aab8b4 chore(deps): bump golang.org/x/net from 0.51.0 to 0.52.0 (#1322)
  • 48c7b2c chore(deps): bump codecov/codecov-action from 5.5.3 to 6.0.0 (#1327)
  • 49ca4e4 chore(deps): bump the gomod group with 2 updates (#1326)
  • 5812ba0 chore(deps): bump go.step.sm/crypto from 0.76.2 to 0.77.2 (#1328)
  • 6a334a8 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#1329)
  • d799204 chore(deps): bump actions/upload-artifact in the actions group (#1332)
  • b9ce102 chore(deps): bump golang from 1.26.0 to 1.26.2 in the docker group (#1331)
  • 54bc0c1 chore(deps): bump the gomod group across 1 directory with 6 updates (#1324)
  • ffb897a chore(deps): bump the actions group across 1 directory with 4 updates (#1325)
  • Additional commits viewable in compare view

Updates github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.4.1

Release notes

Sourced from github.com/theupdateframework/go-tuf/v2's releases.

v2.4.1

What's Changed

Full Changelog: theupdateframework/go-tuf@v2.4.0...v2.4.1

v2.4.0

What's Changed

Full Changelog: theupdateframework/go-tuf@v2.3.1...v2.4.0

v2.3.1

What's Changed

Full Changelog: theupdateframework/go-tuf@v2.3.0...v2.3.1

Commits
  • d361e2e Enforce a stricter validation on the repo name for TAP 4 (#720)
  • 29aae36 chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 (#718)
  • bde5f18 Replace panic with error return in Key.ID() (#713)
  • f400bf4 Use restrictive permissions (0700) for cache directories (#714)
  • d2dbc18 Add thread safety documentation for key types (#715)
  • 846cd4e Add BitLength validation for SuccinctRoles (#716)
  • b38d91f Verify threshold is valid (#712)
  • 876cf2a Add tests for failing type assertions (#711)
  • 73345ab Perform type assertion (#710)
  • d3cdc4b chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9....
  • Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.1

What's Changed

Full Changelog: go-git/go-git@v5.19.0...v5.19.1

Commits
  • 3c3be60 Merge pull request #2137 from go-git/validate-v5
  • 3fba897 plumbing: format/packfile, cap delta chain depth in parser
  • a97d660 Merge pull request #2125 from hiddeco/v5/format-input-bounds
  • aeaa125 plumbing: format/objfile, require Header before Read
  • 1f38e17 plumbing: format/packfile, bound inflate size
  • f7545a0 plumbing: format/idxfile, bound nr by file size
  • 170b881 Merge pull request #2116 from pjbgf/symlink-v5
  • 7b6d994 Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noop
  • f0709b3 git: Stop validating symlink target paths
  • 776d00f git: Allow MkdirAll on worktree-root paths
  • Additional commits viewable in compare view

Updates github.com/slack-go/slack from 0.17.3 to 0.23.1

Release notes

Sourced from github.com/slack-go/slack's releases.

v0.23.1

[!IMPORTANT] Even though this is a [security] patch release, if you were using an empty secret, this is a breaking change due to a change in behaviour. That's on purpose, to ensure you fix your approach so that there are no footguns.

Fixed

  • NewSecretsVerifier now rejects empty signing secrets to avoid accepting forged request signatures when applications are misconfigured.

Full Changelog: slack-go/slack@v0.23.0...v0.23.1

v0.23.0

Added

New Contributors

Full Changelog: slack-go/slack@v0.22.0...v0.23.0

v0.22.0

What's Changed

Added

  • OAuth PKCE support - OAuthOptionCodeVerifier option for GetOAuthV2Response, plus GenerateCodeVerifier() and GenerateCodeChallenge() helpers (RFC 7636). client_secret is now conditionally omitted when empty in both GetOAuthV2ResponseContext and RefreshOAuthV2TokenContext.
  • Manifest scope fields - BotOptional and UserOptional on OAuthScopes.
  • Rich text styles - Underline, Highlight, ClientHighlight, and Unlink on RichTextSectionTextStyle. Style field on RichTextSectionUserGroupElement.
  • Assistant search context - Sort, SortDir, Before, After, Highlight, IncludeContextMessages, IncludeDeletedUsers, IncludeMessageBlocks, IncludeArchivedChannels, DisableSemanticSearch, Modifiers, TermClauses parameters and new response types (AssistantSearchContextFile, AssistantSearchContextChannel, AssistantSearchContextMessageContext).

Fixed

  • socketmode: malformed JSON no longer forces reconnect - json.SyntaxError and json.UnmarshalTypeError now emit an EventTypeIncomingError event and continue reading instead of killing the WebSocket connection.
  • socketmode: debug_reconnects query param applied correctly - the parameter was silently discarded due to a missing url.RawQuery assignment.
  • ChannelTypes and ContentTypes now send comma-separated values instead of repeated form keys, matching the convention used by every other method in the library.

Docs

  • assistant:write scope marked as deprecated in favour of chat:write.

Full Changelog: v0.21.1...v0.22.0

v0.21.1

Added

  • MessageEvent channel type helpers — New ChannelTypeChannel, ChannelTypeGroup,

... (truncated)

Changelog

Sourced from github.com/slack-go/slack's changelog.

[0.23.1] - 2026-05-10

Fixed

  • NewSecretsVerifier now rejects empty signing secrets to avoid accepting forged request signatures when applications are misconfigured.

[0.23.0] - 2026-04-22

Added

  • Block Kit: CardBlock and CarouselBlock — Support for two of the new agent-UI blocks announced in the April 16 Slack changelog. CardBlock is constructed via NewCardBlock with a functional-options pattern and fluent With* builders (WithTitle, WithSubtitle, WithBody, WithIcon, WithHeroImage, WithActions). CarouselBlock is constructed via NewCarouselBlock with a variadic *CardBlock list plus WithBlockID and AddCard helpers. Both blocks wire into Blocks.UnmarshalJSON for round-trip fidelity, and reuse existing ImageBlockElement / ButtonBlockElement / BlockElements types rather than introducing new composition objects.
  • Block Kit: AlertBlock — Support for the third of the new agent-UI blocks from the April 16 Slack changelog. AlertBlock is constructed via NewAlertBlock with a *TextBlockObject body and a functional-options pattern. Severity is set via AlertBlockOptionLevel (AlertLevelDefault, AlertLevelInfo, AlertLevelWarning, AlertLevelError, AlertLevelSuccess) and the block ID via AlertBlockOptionBlockID. Wires into Blocks.UnmarshalJSON for round-trip fidelity. Must be delivered via the streaming chunks API — chat.postMessage rejects it as an unsupported block type.
  • Streaming-message chunks APIchat.startStream / chat.appendStream / chat.stopStream now accept a chunks parameter. Added MsgOptionChunks along with a StreamChunk interface and four chunk types: MarkdownTextChunk, TaskUpdateChunk, PlanUpdateChunk, and BlocksChunk (each with a New*Chunk constructor). This is the supported transport for streaming Block Kit content and the new agent-UI blocks in particular (which chat.postMessage rejects as Unsupported block type).
  • MsgOptionTaskDisplayMode — New option for chat.startStream controlling whether task chunks render as a sequential timeline or a grouped plan. Accepts TaskDisplayModeTimeline or TaskDisplayModePlan.
  • Added Username, IconURL, and IconEmoji fields to AssistantThreadsSetStatusParameters, forwarded by SetAssistantThreadsStatusContext, matching the new optional parameters on assistant.threads.setStatus for customising the status-update presentation.
  • Exposed SocketmodeHandler.DispatchEvent (previously the unexported dispatcher), enabling integration tests to exercise registered handlers without a live WebSocket connection. ...

    Description has been truncated

@dependabot
chore(deps): bump the go_modules group across 1 directory with 8 updates
fd80c9b 
Bumps the go_modules group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/containerd/containerd](https://github.com/containerd/containerd) | `1.7.31` | `1.7.32` |
| [github.com/in-toto/in-toto-golang](https://github.com/in-toto/in-toto-golang) | `0.9.0` | `0.11.0` |
| [github.com/sigstore/rekor](https://github.com/sigstore/rekor) | `1.4.3` | `1.5.0` |
| [github.com/sigstore/timestamp-authority/v2](https://github.com/sigstore/timestamp-authority) | `2.0.3` | `2.0.6` |
| [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) | `2.3.0` | `2.4.1` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.19.0` | `5.19.1` |
| [github.com/slack-go/slack](https://github.com/slack-go/slack) | `0.17.3` | `0.23.1` |



Updates `github.com/containerd/containerd` from 1.7.31 to 1.7.32
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.7.31...v1.7.32)

Updates `github.com/in-toto/in-toto-golang` from 0.9.0 to 0.11.0
- [Release notes](https://github.com/in-toto/in-toto-golang/releases)
- [Changelog](https://github.com/in-toto/in-toto-golang/blob/master/CHANGELOG.md)
- [Commits](in-toto/in-toto-golang@v0.9.0...v0.11.0)

Updates `github.com/sigstore/rekor` from 1.4.3 to 1.5.0
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.4.3...v1.5.0)

Updates `github.com/sigstore/sigstore` from 1.10.0 to 1.10.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.0...v1.10.3)

Updates `github.com/sigstore/timestamp-authority/v2` from 2.0.3 to 2.0.6
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v2.0.3...v2.0.6)

Updates `github.com/theupdateframework/go-tuf/v2` from 2.3.0 to 2.4.1
- [Release notes](https://github.com/theupdateframework/go-tuf/releases)
- [Commits](theupdateframework/go-tuf@v2.3.0...v2.4.1)

Updates `github.com/go-git/go-git/v5` from 5.19.0 to 5.19.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.19.0...v5.19.1)

Updates `github.com/slack-go/slack` from 0.17.3 to 0.23.1
- [Release notes](https://github.com/slack-go/slack/releases)
- [Changelog](https://github.com/slack-go/slack/blob/master/CHANGELOG.md)
- [Commits](slack-go/slack@v0.17.3...v0.23.1)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-version: 1.7.32
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/in-toto/in-toto-golang
  dependency-version: 0.11.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.5.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/sigstore/timestamp-authority/v2
  dependency-version: 2.0.6
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/theupdateframework/go-tuf/v2
  dependency-version: 2.4.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/slack-go/slack
  dependency-version: 0.23.1
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies go Pull requests that update Go code labels May 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants