Skip to content

build(deps): bump the go-deps group across 1 directory with 9 updates#2006

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/go-deps-1af347fba8
Open

build(deps): bump the go-deps group across 1 directory with 9 updates#2006
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/go-deps-1af347fba8

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 12, 2026

Bumps the go-deps group with 7 updates in the / directory:

Package From To
github.com/elazarl/goproxy 1.8.1 1.8.2
github.com/go-git/go-billy/v5 5.7.0 5.8.0
github.com/go-git/go-git/v5 5.16.5 5.17.0
github.com/minio/minio-go/v7 7.0.98 7.0.99
github.com/sigstore/cosign/v3 3.0.4 3.0.5
golang.org/x/crypto 0.48.0 0.49.0
golang.org/x/oauth2 0.35.0 0.36.0

Updates github.com/elazarl/goproxy from 1.8.1 to 1.8.2

Release notes

Sourced from github.com/elazarl/goproxy's releases.

v1.8.2

What's Changed

New Contributors

Full Changelog: elazarl/goproxy@v1.8.1...v1.8.2

Commits

Updates github.com/go-git/go-billy/v5 from 5.7.0 to 5.8.0

Release notes

Sourced from github.com/go-git/go-billy/v5's releases.

v5.8.0

What's Changed

Full Changelog: go-git/go-billy@v5.7.0...v5.8.0

Commits
  • 8662784 Merge pull request #187 from pjbgf/windows-rename
  • f387d62 build: Update test workflow to rely on oldstable/stable
  • 915dae9 polyfill: Add support for Chmod
  • f3d5600 osfs: Create dir for BoundOS Tempfiles
  • 247a741 Merge pull request #183 from go-git/renovate/releases/v5.x-go-golang.org-x-ne...
  • 1c0c9d5 build: Update module golang.org/x/net to v0.45.0 [SECURITY]
  • See full diff in compare view

Updates github.com/go-git/go-git/v5 from 5.16.5 to 5.17.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.0

What's Changed

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

Commits
  • bdf0688 Merge pull request #1864 from pjbgf/v5-issue-55
  • 5290e52 storage: filesystem, Avoid overwriting loose obj files. Fixes #55
  • 5d20a62 storage: filesystem, Fix permissions for loose and packed objs
  • 8ed442c backport, git: Improve Status() speed with new index.ModTime check (#1862)
  • c7b5960 build: Align test workflow with main
  • 8e71edf git: Add strict checks for supported extensions
  • 438a37f git: worktree, optimize infiles function for very large repos (#1853)
  • 67c7006 Merge pull request #1839 from go-git/renovate/releases/v5.x-go-github.com-go-...
  • 4ca3f02 build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY]
  • See full diff in compare view

Updates github.com/minio/minio-go/v7 from 7.0.98 to 7.0.99

Commits
  • c44cb2a Fix PutObject and ConcurrentStreamParts error handling for empty stream (#2207)
  • 1451162 Fix object ReadAt performs seek (#2197)
  • ffb7ec0 Implement support for new UpdateObjectEncryption API & bump Go to 1.25 (#2204)
  • See full diff in compare view

Updates github.com/sigstore/cosign/v3 from 3.0.4 to 3.0.5

Release notes

Sourced from github.com/sigstore/cosign/v3's releases.

v3.0.5

v3.0.5 resolves a low-severity advisory for private PKIs.

Deprecations

  • Deprecate rekor-entry-type flag (#4691)
  • Deprecate cosign triangulate (#4676)
  • Deprecate cosign copy (#4681)

Features

  • Automatically require signed timestamp with Rekor v2 entries (#4666)
  • Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
  • Add mTLS support for TSA client connections when signing with a signing config (#4620)
  • Enforce TSA requirement for Rekor v2, Fuclio signing (#4683)

Bug Fixes

  • Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
  • fix: avoid panic on malformed attestation payload (#4651)
  • fix: avoid panic on malformed tlog entries (#4649)
  • fix: avoid panic on malformed replace payload (#4653)
  • Gracefully fail if bundle payload body is not a string (#4648)
  • Verify validity of chain rather than just certificate (#4663)
  • fix: avoid panic on malformed tlog entry body (#4652)

Documentation

  • docs(cosign): clarify RFC3161 revocation semantics (#4642)
  • Fix typo in CLI help (#4701)

Full Changelog: sigstore/cosign@v3.0.4...v3.0.5

New Contributors

Changelog

Sourced from github.com/sigstore/cosign/v3's changelog.

v3.0.5

Deprecations

  • Deprecate rekor-entry-type flag (#4691)
  • Deprecate cosign triangulate (#4676)
  • Deprecate cosign copy (#4681)

Features

  • Automatically require signed timestamp with Rekor v2 entries (#4666)
  • Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
  • Add mTLS support for TSA client connections when signing with a signing config (#4620)
  • Enforce TSA requirement for Rekor v2, Fuclio signing (#4683)

Bug Fixes

  • Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
  • fix: avoid panic on malformed attestation payload (#4651)
  • fix: avoid panic on malformed tlog entries (#4649)
  • fix: avoid panic on malformed replace payload (#4653)
  • Gracefully fail if bundle payload body is not a string (#4648)
  • Verify validity of chain rather than just certificate (#4663)
  • fix: avoid panic on malformed tlog entry body (#4652)

Documentation

  • docs(cosign): clarify RFC3161 revocation semantics (#4642)
  • Fix typo in CLI help (#4701)
Commits
  • 479147a chore(deps): bump google.golang.org/api from 0.260.0 to 0.264.0 (#4679)
  • e0ba0c9 chore(deps): bump github.com/sigstore/rekor-tiles/v2 from 2.0.1 to 2.1.0 (#4670)
  • db5ab21 chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#4712)
  • 6634258 chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4680)
  • 02edc59 chore(deps): bump the gomod group across 1 directory with 4 updates (#4702)
  • 3dd16b8 chore(deps): bump the actions group with 3 updates (#4703)
  • b7fd27d update golang builder to use go1.25.7 (#4687)
  • 8f1cd80 update golangci-lint to v2.8.x (#4688)
  • e949e21 Fix typo in CLI help (#4701)
  • 39f05cd Support DSSE signing conformance test (#4685)
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.48.0 to 0.49.0

Commits
  • 982eaa6 go.mod: update golang.org/x dependencies
  • 159944f ssh,acme: clean up tautological/impossible nil conditions
  • a408498 acme: only require prompt if server has terms of service
  • cab0f71 all: upgrade go directive to at least 1.25.0 [generated]
  • 2f26647 x509roots/fallback: update bundle
  • See full diff in compare view

Updates golang.org/x/oauth2 from 0.35.0 to 0.36.0

Commits
  • 4d954e6 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Updates golang.org/x/sync from 0.19.0 to 0.20.0

Commits
  • ec11c4a errgroup: fix a typo in the documentation
  • 1a58307 all: modernize interface{} -> any
  • 3172ca5 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Updates google.golang.org/api from 0.265.0 to 0.267.0

Release notes

Sourced from google.golang.org/api's releases.

v0.267.0

0.267.0 (2026-02-17)

Features

v0.266.0

0.266.0 (2026-02-10)

Features

Changelog

Sourced from google.golang.org/api's changelog.

0.267.0 (2026-02-17)

Features

0.266.0 (2026-02-10)

Features

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the go-deps group across 1 directory with 9 updates
5520f2d 
Bumps the go-deps group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/elazarl/goproxy](https://github.com/elazarl/goproxy) | `1.8.1` | `1.8.2` |
| [github.com/go-git/go-billy/v5](https://github.com/go-git/go-billy) | `5.7.0` | `5.8.0` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.16.5` | `5.17.0` |
| [github.com/minio/minio-go/v7](https://github.com/minio/minio-go) | `7.0.98` | `7.0.99` |
| [github.com/sigstore/cosign/v3](https://github.com/sigstore/cosign) | `3.0.4` | `3.0.5` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.48.0` | `0.49.0` |
| [golang.org/x/oauth2](https://github.com/golang/oauth2) | `0.35.0` | `0.36.0` |



Updates `github.com/elazarl/goproxy` from 1.8.1 to 1.8.2
- [Release notes](https://github.com/elazarl/goproxy/releases)
- [Commits](elazarl/goproxy@v1.8.1...v1.8.2)

Updates `github.com/go-git/go-billy/v5` from 5.7.0 to 5.8.0
- [Release notes](https://github.com/go-git/go-billy/releases)
- [Commits](go-git/go-billy@v5.7.0...v5.8.0)

Updates `github.com/go-git/go-git/v5` from 5.16.5 to 5.17.0
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.5...v5.17.0)

Updates `github.com/minio/minio-go/v7` from 7.0.98 to 7.0.99
- [Release notes](https://github.com/minio/minio-go/releases)
- [Commits](minio/minio-go@v7.0.98...v7.0.99)

Updates `github.com/sigstore/cosign/v3` from 3.0.4 to 3.0.5
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v3.0.4...v3.0.5)

Updates `golang.org/x/crypto` from 0.48.0 to 0.49.0
- [Commits](golang/crypto@v0.48.0...v0.49.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

Updates `golang.org/x/sync` from 0.19.0 to 0.20.0
- [Commits](golang/sync@v0.19.0...v0.20.0)

Updates `google.golang.org/api` from 0.265.0 to 0.267.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.265.0...v0.267.0)

---
updated-dependencies:
- dependency-name: github.com/elazarl/goproxy
  dependency-version: 1.8.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: github.com/go-git/go-billy/v5
  dependency-version: 5.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/minio/minio-go/v7
  dependency-version: 7.0.99
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: github.com/sigstore/cosign/v3
  dependency-version: 3.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: golang.org/x/sync
  dependency-version: 0.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: google.golang.org/api
  dependency-version: 0.267.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency label Mar 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants