Bump the go_modules group across 7 directories with 16 updates

[dependabot]

Bumps the go_modules group with 8 updates in the /clients/go/client directory:

Package	From	To
cosmossdk.io/math	1.0.0-rc.0	1.4.0
filippo.io/edwards25519	1.0.0	1.1.1
github.com/cosmos/ibc-go/v7	7.0.0-rc0	7.10.0
github.com/golang/glog	1.2.0	1.2.4
github.com/ulikunitz/xz	0.5.11	0.5.14
golang.org/x/crypto	0.24.0	0.45.0
golang.org/x/oauth2	0.18.0	0.27.0
google.golang.org/grpc	1.64.0	1.64.1

Bumps the go_modules group with 4 updates in the /starship/cmd/starship directory: golang.org/x/crypto, golang.org/x/oauth2, google.golang.org/grpc and helm.sh/helm/v3.
Bumps the go_modules group with 2 updates in the /starship/exposer directory: golang.org/x/net and google.golang.org/grpc.
Bumps the go_modules group with 2 updates in the /starship/faucet directory: golang.org/x/net and google.golang.org/grpc.
Bumps the go_modules group with 9 updates in the /starship/registry directory:

Package	From	To
cosmossdk.io/math	1.0.0-rc.0	1.4.0
filippo.io/edwards25519	1.0.0	1.1.1
github.com/cosmos/ibc-go/v7	7.0.0-rc0	7.10.0
github.com/golang/glog	1.2.0	1.2.4
github.com/ulikunitz/xz	0.5.11	0.5.14
golang.org/x/crypto	0.24.0	0.45.0
golang.org/x/oauth2	0.18.0	0.27.0
google.golang.org/grpc	1.64.0	1.64.1
github.com/opencontainers/runc	1.1.4	1.2.8

Bumps the go_modules group with 2 updates in the /starship/tests/e2e directory: golang.org/x/net and google.golang.org/grpc.
Bumps the go_modules group with 2 updates in the /starship/tools directory: golang.org/x/crypto and google.golang.org/grpc.

Updates cosmossdk.io/math from 1.0.0-rc.0 to 1.4.0

Release notes

Sourced from cosmossdk.io/math's releases.

Cosmovisor v1.3.0

Release Notes

• Fix failure when installing cosmovisor via go install.

Changelog

For more details, please see the CHANGELOG.

Cosmovisor v1.2.0

Release Notes

New Features

With the cosmovisor init command, all the necessary folders for using cosmovisor are automatically created. You do not need to manually symlink the chain binary anymore.

We've added a new configuration option: DAEMON_RESTART_DELAY (as env variable). When set, Cosmovisor will wait that delay between the node halt and backup. See the README file for more details.

Bug Fixes

• Fix Cosmovisor binary usage for pre-upgrade. Cosmovisor was using the wrong binary when running a pre-upgrade command.

Changelog

For more details, please see the CHANGELOG.

collections/v1.2.0

Improvements

• #24081 Remove cosmossdk.io/core dependency.

schema/v1.1.0

Breaking Changes

cosmossdk.io/schema was previously tagged as v1.0.0, but several stubs were included in this release which were unimplemented. v1.1.0 removes any unimplemented stubs and retracts v1.0.0 so that the schema v1 API is actually reflective of the codebase.

Commits

• 6b4557d chore: prepare log v1.4.0 (#21197)
• 5a08833 build(deps): Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#21189)
• 655b303 build(deps): Bump github.com/spf13/cast from 1.6.0 to 1.7.0 (#21190)
• cc25f59 ci: add compat check 052 x main (#21174)
• 5b7d8b6 test(stf/mock): Unmarshal with knowing the message type (#21178)
• 641f964 ci: attempt to fix goreleaser (#21194)
• a0fdab2 test(server/v2): Update testdata prune options (#21192)
• 4b4ec47 build(deps): Bump bufbuild/buf-setup-action from 1.35.1 to 1.36.0 (#21191)
• feb0e07 feat: [ADR-071] Cryptography v2 (#18824)
• 111a999 docs: rename v2 to di (#21181)
• Additional commits viewable in compare view

Updates filippo.io/edwards25519 from 1.0.0 to 1.1.1

Commits

• d1c650a extra: initialize receiver in MultiScalarMult
• 325f520 all: update Go version
• c0501e4 all: drop old +build lines
• 23384ff all: use the indefinite article an in comments
• 16197b4 crypto/internal/edwards25519: shorten quick.Check tests in short mode
• 6387a56 all: fix misuses of "a" vs "an"
• c901e5e crypto/internal/edwards25519: reduce Point size by reordering fields
• daffb31 all: fix problematic comments
• 5caf132 all: give nested modules fully-qualified names
• 4bafd0b edwards25519: gofmt scalar_fiat.go
• Additional commits viewable in compare view

Updates github.com/cosmos/ibc-go/v7 from 7.0.0-rc0 to 7.10.0

Release notes

Sourced from github.com/cosmos/ibc-go/v7's releases.

v7.10.0

This release contains a fix for ISA-2025-001.

This version addresses a security vulnerability in IBC-go's deserialisation of acknowledgements and we strongly encourage everyone in the affected versions to update their chain immediately. This patch is not state-breaking, so chains can upgrade in a rolling manner. This does not have to be a co-ordinated upgrade. However, validators should upgrade as soon as possible when the release is made available. If the vulnerability is exploited before 2/3 is patched, the chain will halt.

Full Changelog: cosmos/ibc-go@v7.9.2...v7.10.0

---

To learn more about ibc-go versioning, please read our RELEASES.md.

IMPORTANT: Please read the migration guides for any versions of ibc-go that you might be going through when upgrading to this version. For example: if you upgrade from the IBC module contained in the Cosmos SDK 0.42.0 to SDK v0.50.9 and ibc-go v8.5.1, please follow:

1. The migration from SDK 0.41.x or 0.42.x to the IBC module in the ibc-go repository based on the SDK v0.44.x.
2. The migration from ibc-go v1 to v2.
3. The migration from ibc-go v2 to v3.
4. The migration from ibc-go v3 to v4.
5. The migration from ibc-go v4 to v5.
6. The migration from ibc-go v5 to v6.
7. The migration from ibc-go v6 to v7.
8. The migration from ibc-go v7 to v7.1.
9. The migration from ibc-go v7.2 to v7.3.

v7.9.2

This release contains a fix to ASA-2025-004

It is recommended to upgrade to this version as soon as possible.

Full Changelog: cosmos/ibc-go@v7.8.0...v7.9.2

---

To learn more about ibc-go versioning, please read our RELEASES.md.

IMPORTANT: Please read the migration guides for any versions of ibc-go that you might be going through when upgrading to this version. For example: if you upgrade from the IBC module contained in the Cosmos SDK 0.42.0 to SDK v0.50.9 and ibc-go v8.5.1, please follow:

1. The migration from SDK 0.41.x or 0.42.x to the IBC module in the ibc-go repository based on the SDK v0.44.x.
2. The migration from ibc-go v1 to v2.
3. The migration from ibc-go v2 to v3.
4. The migration from ibc-go v3 to v4.
5. The migration from ibc-go v4 to v5.
6. The migration from ibc-go v5 to v6.
7. The migration from ibc-go v6 to v7.
8. The migration from ibc-go v7 to v7.1.
9. The migration from ibc-go v7.2 to v7.3.

v7.8.0

We present here a summary of the most relevant changes, please see the v7.8.0 changelog for more details. Please note that this release, as indicated in our release versioning policy, is state machine breaking and requires a coordinated upgrade.

core/03-connection

... (truncated)

Changelog

Sourced from github.com/cosmos/ibc-go/v7's changelog.

v7.10.0 - 2025-03-12

• ISA-2025-001 Fix ISA-2025-001

v7.9.1 - 2025-02-27

• ASA-2025-004 Fix ASA-2025-004

Bug Fixes

v7.8.0 - 2024-08-30

State Machine Breaking

• (core/03-connection) #7128 Remove verification of self client and consensus state from connection handshake.

v7.7.0 - 2024-07-29

Dependencies

• #6943 Update Cosmos SDK to v0.47.13.

Features

• (apps/transfer) #6877 Added the possibility to transfer the entire user balance of a particular denomination by using UnboundedSpendLimit as the token amount.

v7.6.0 - 2024-06-20

State Machine Breaking

• (apps/transfer, apps/27-interchain-accounts, app/29-fee) #4992 Set validation for length of string fields.

v7.5.1 - 2024-05-22

Improvements

• (core/ante) #6302 Performance: Skip app callbacks during RecvPacket execution in checkTx within the redundant relay ante handler.
• (core/ante) #6280 Performance: Skip redundant proof checking in RecvPacket execution in reCheckTx within the redundant relay ante handler.
• (core/ante) #6306 Performance: Skip misbehaviour checks in UpdateClient flow and skip signature checks in reCheckTx mode.

v7.5.0 - 2024-05-14

Dependencies

• #6254 Update Cosmos SDK to v0.47.11 and CometBFT to v0.37.5.

State Machine Breaking

• (light-clients/07-tendermint) #6276 Fix: No-op to avoid panicking on UpdateState for invalid misbehaviour submissions.

... (truncated)

Commits

• 4632144 chore: update changelog and retract v7.9.2
• a5b5b92 Merge commit from fork
• f45181b chore: retract 7.9.1
• 9869b3c fix: backport remarshal (#8066)
• 37ab926 Merge branch 'gjermund/redact-v7.0-to-v7.8' into release/v7.9.x
• cc6fe55 Merge commit from fork
• 27bebf3 chore: update changelog and redact
• ff0a82e Update CHANGELOG.md
• de02723 bump goreleaser action
• a5dde80 Update CHANGELOG.md
• Additional commits viewable in compare view

Updates github.com/dvsekhvalnov/jose2go from 1.5.0 to 1.6.0

Commits

• 48ba0b7 Merge pull request #32 from dvsekhvalnov/issue-31-security-tuning
• 05eb007 docs
• e0264a2 added helper matchers: Alg and Eng
• 0f6c7c3 MatchAlg helper
• cf0a53b docs
• 2995762 docs
• 9a18aff docs
• 675bb14 docs
• 8e9e0d1 updated p2c limits with new OWASP numbers, docs
• ed5dd96 Unit tests for custom 'p2c' headers min/max limits
• Additional commits viewable in compare view

Updates github.com/golang/glog from 1.2.0 to 1.2.4

Release notes

Sourced from github.com/golang/glog's releases.

v1.2.4

What's Changed

• Fail if log file already exists by @​chressie in golang/glog#74:
  • glog: Don't try to create/rotate a given syncBuffer twice in the same second
  • glog: introduce createInDir function as in internal version
  • glog: have createInDir fail if the file already exists

Full Changelog: golang/glog@v1.2.3...v1.2.4

v1.2.3

What's Changed

• glog: check that stderr is valid before using it by default by @​chressie in golang/glog#72
• glog: fix typo by @​chressie in golang/glog#73

Full Changelog: golang/glog@v1.2.2...v1.2.3

v1.2.2

What's Changed

• glog: avoid calling user.Current() on windows by @​bentekkie in golang/glog#69

Full Changelog: golang/glog@v1.2.1...v1.2.2

v1.2.1

What's Changed

• glog: don't hold mutex when sync'ing by @​chressie in golang/glog#68

Full Changelog: golang/glog@v1.2.0...v1.2.1

Commits

• a0e3c40 glog: have createInDir fail if the file already exists
• 7139da2 glog: introduce createInDir function as in internal version
• dd58629 glog: Don't try to create/rotate a given syncBuffer twice in the same second
• 04dbec0 glog: fix typo (#73)
• 459cf3b glog: check that stderr is valid before using it by default (#72)
• 9730314 glog: avoid calling user.Current() on windows (#69)
• 861d094 glog: don't hold mutex when sync'ing (#68)
• See full diff in compare view

Updates github.com/hashicorp/go-getter from 1.7.0 to 1.7.5

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.5

What's Changed

• Prevent Git Config Alteration on Git Update by @​dduzgun-security in hashicorp/go-getter#497

New Contributors

• @​dduzgun-security made their first contribution in hashicorp/go-getter#497

Full Changelog: hashicorp/go-getter@v1.7.4...v1.7.5

v1.7.4

What's Changed

• Escape user-provided strings in git commands hashicorp/go-getter#483
• Fixed a bug in .netrc handling if the file does not exist hashicorp/go-getter#433

Full Changelog: hashicorp/go-getter@v1.7.3...v1.7.4

v1.7.3

What's Changed

• SEC-090: Automated trusted workflow pinning (2023-04-21) by @​hashicorp-tsccr in hashicorp/go-getter#432
• SEC-090: Automated trusted workflow pinning (2023-09-11) by @​hashicorp-tsccr in hashicorp/go-getter#454
• SEC-090: Automated trusted workflow pinning (2023-09-18) by @​hashicorp-tsccr in hashicorp/go-getter#458
• don't change GIT_SSH_COMMAND when there is no sshKeyFile by @​jbardin in hashicorp/go-getter#459

New Contributors

• @​hashicorp-tsccr made their first contribution in hashicorp/go-getter#432

Full Changelog: hashicorp/go-getter@v1.7.2...v1.7.3

v1.7.2

What's Changed

• Don't override GIT_SSH_COMMAND when not needed by @​nl-brett-stime hashicorp/go-getter#300

Full Changelog: hashicorp/go-getter@v1.7.1...v1.7.2

v1.7.1

No release notes provided.

Commits

• 5a63fd9 Merge pull request #497 from hashicorp/fix-git-update
• 5b7ec5f fetch tags on update and fix tests
• 9906874 recreate git config during update to prevent config alteration
• 268c11c escape user provide string to git (#483)
• 975961f Merge pull request #433 from adrian-bl/netrc-fix
• 0298a22 Merge pull request #459 from hashicorp/jbardin/setup-git-env
• c70d9c9 don't change GIT_SSH_COMMAND if there's no keyfile
• 3d5770f Merge pull request #458 from hashicorp/tsccr-auto-pinning/trusted/2023-09-18
• 0688979 Result of tsccr-helper -log-level=info -pin-all-workflows .
• e66f244 Merge pull request #454 from hashicorp/tsccr-auto-pinning/trusted/2023-09-11
• Additional commits viewable in compare view

Updates github.com/ulikunitz/xz from 0.5.11 to 0.5.14

Commits

• 7184815 Preparation of release v0.5.14
• 88ddf1d Address Security Issue GHSA-jc7w-c686-c4v9
• c8314b8 Add new package xio with WriteCloserStack
• 4f11dce Update README.md and SECURITY.md to address security questions
• f56ebbf TODO.md: fix a typo
• See full diff in compare view

Updates golang.org/x/crypto from 0.24.0 to 0.45.0

Commits

• 4e0068c go.mod: update golang.org/x dependencies
• e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
• f91f7a7 ssh/agent: prevent panic on malformed constraint
• 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
• bcf6a84 acme: pass context to request
• b4f2b62 ssh: fix error message on unsupported cipher
• 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
• 122a78f go.mod: update golang.org/x dependencies
• c0531f9 all: eliminate vet diagnostics
• 0997000 all: fix some comments
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.26.0 to 0.47.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.18.0 to 0.27.0

Commits

• 681b4d8 jws: split token into fixed number of parts
• 3f78298 all: upgrade go directive to at least 1.23.0 [generated]
• 109dabf endpoints: add links/provider for Discord
• ac571fa oauth2: fix docs for Config.DeviceAuth
• 314ee5b endpoints: add patreon endpoint
• b9c813b google: add warning about externally-provided credentials
• 49a531d all: make method and struct comments match the names
• 22134a4 README: don't recommend go get
• 3e64809 x/oauth2: add Token.ExpiresIn
• 16a9973 jwt: rename example to avoid vet error
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.64.0 to 1.64.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.64.1

Dependencies

• Update x/net/http2 to address CVE-2023-45288 (#7352)
• metadata: remove String method from MD to make printing consistent (#7374)

Commits

• 4d833de Change version to 1.64.1 (#7381)
• e9193a4 *: update deps (#7375)
• ab29241 metadata: remove String method (#7374)
• 355b9a5 Change version to 1.64.1-dev (#7219)
• See full diff in compare view

Updates golang.org/x/crypto from 0.24.0 to 0.45.0

Commits

• 4e0068c go.mod: update golang.org/x dependencies
• e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
• f91f7a7 ssh/agent: prevent panic on malformed constraint
• 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
• bcf6a84 acme: pass context to request
• b4f2b62 ssh: fix error message on unsupported cipher
• 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
• 122a78f go.mod: update golang.org/x dependencies
• c0531f9 all: eliminate vet diagnostics
• 0997000 all: fix some comments
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.26.0 to 0.47.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.18.0 to 0.27.0

Commits

• 681b4d8 jws: split token into fixed number of parts
• 3f78298 all: upgrade go directive to at least 1.23.0 [generated]
• 109dabf endpoints: add links/provider for Discord
• ac571fa oauth2: fix docs for Config.DeviceAuth
• 314ee5b endpoints: add patreon endpoint
• b9c813b google: add warning about externally-provided credentials
• 49a531d all: make method and struct comments match the names
• 22134a4 README: don't recommend go get
• 3e64809 x/oauth2: add Token.ExpiresIn
• 16a9973 jwt: rename example to avoid vet error
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.64.0 to 1.64.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.64.1

Dependencies

• Update x/net/http2 to address CVE-2023-45288 (#7352)
• metadata: remove String method from MD to make printing consistent (#7374)

Commits

• 4d833de Change version to 1.64.1 (#7381)
• e9193a4 *: update deps (#7375)
• ab29241 metadata: remove String method (#7374)
• 355b9a5 Change version to 1.64.1-dev (#7219)
• See full diff in compare view

Updates helm.sh/helm/v3 from 3.12.0 to 3.18.5

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.18.5 is a security release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Security Advisories

• Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
• Incorrect YAML Content Leads To Panic

Installation and Upgrading

Download Helm v3.18.5. The common platform binaries are here:

• MacOS amd64 (checksum / 3200c32cf19bf69b446e97c0060af39f018d2e441e418ad174ba39052f63fb15)
• MacOS arm64 (checksum / 32ce3f4910d5a96c1170f3f8f230d4c8b8bc007e5d47b085b8416cfe559d7925)
• Linux amd64 (checksum / 9879bf9c471cdecbbee5ee17cf1de1849b0ffd12871ea01f17ede6861d7134f5)
• Linux arm (checksum / 4be47fa77476bfd6416a44853e28983e7c8594156259813ecf35d004044fb17d)
• Linux arm64 (checksum / d25d2c1b1c5a9844755ab5c66e6df4d6b31c25e6d92dd2ce66c137a63ddf9f2c)
• Linux i386 (checksum / 1ee980e47bb37f388abdce3a7e8da64a9b372352c4cb645bda5ddd401973bee3)
• Linux ppc64le (checksum / 9d300e0efced9b244aedcc9d11c49647deb4c5afc8d2298c988498dc530bc932)
• Linux s390x (checksum / c779bb4dea8026294378a9ad6447095fb8f56671a8c49437344dd342de2a3156)
• Linux riscv64 (checksum / f79d06dc5e966c341fc8ad1a0d5e032f7d681e62c4a51a4d22badec4b9857144)
• Windows amd64 (checksum / 464bfd7792d6c682778fc1d5e5bcc9ac5ce83457fe3c4b7a3d0af4dc3ef03eb1)
• Windows arm64 (checksum / 82411e3ee4e349d30221ddf6c26397bb0a41666939b338ccf39f4cd2ec4e4410)

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 3.19.0 is the next minor release and will be on September 11, 2025

Changelog

• fix Chart.yaml handling 7799b483f52ceb665264a4056da3d2569d60f910 (Matt Farina)
• Handle messy index files dd8502f7b4fd5824a696c99909babd0fbed77e9e (Matt Farina)
• json schema fix cb8595bc650e2ec7459427d2b0430599431a3dbe (Robert Sirchia)

Helm v3.18.4 is a security release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs

... (truncated)

Commits

• b78692c Merge commit from fork
• ec5f59e Merge commit from fork
• 7799b48 fix Chart.yaml handling
• dd8502f Handle messy index files
• cb8595b json schema fix
• d80839c Merge pull request #31037 from mattfarina/disable-goimports-2
• f20a4ad Disabling linter due to unknown issue
• c48c500 Merge commit from fork
• 563b094 build(deps): bump the k8s-io group with 7 updates
• 00de613 Updating link handling
• Additional commits viewable in compare view

Updates github.com/containerd/containerd from 1.7.0 to 1.7.27

Release notes

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.27

Welcome to the v1.7.27 release of containerd!

The twenty-seventh patch release for containerd 1.7 contains various fixes and updates.

Highlights

• Fix integer overflow in User ID handling (GHSA-265r-hfxg-fhmg)
• Update image type checks to avoid unnecessary logs for attestations (#11538)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

• Jin Dong
• Akhil Mohan
• Derek McGowan
• Maksym Pavlenko
• Paweł Gronowski
• Phil Estes
• Akihiro Suda
• Craig Ingram
• Krisztian Litkey
• Samuel Karp

Changes

• 05044ec0a Merge commit from fork
• 11504c3fc validate uid/gid
• Prepare release notes for v1.7.27 (#11540)
  • 1be04be6c Prepare release notes for v1.7.27
• Update image type checks to avoid unnecessary logs for attestations (#11538)
  • 82b5c43fe core/remotes: Handle attestations in MakeRefKey
  • 2c670e79b core/images: Ignore attestations when traversing children
• update build to go1.23.7, test go1.24.1 (#11515)
  • a39863c9f update build to go1.23.7, test go1.24.1
• Remove hashicorp/go-multierror dependency and fix CI (#11499)
  • 49537b3a7 e2e: use the shim bundled with containerd artifact
  • fe490b76f Bump up github.com/intel/goresctrl to 0.5.0
  • 13fc9d313 update containerd/project-checks to 1.2.1
  • 585699c94 Remove unnecessary joinError unwrap
  • 4b9df59be Remove hashicorp/go-multierror
• go.{mod,sum}: bump CDI deps to v0.8.1. (#11422)
  • 5ba28f8dc go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor.
• CI: arm64-8core-32gb -> ubuntu-24.04-arm (#11437)
  • 85f10bd92 CI: arm64-8core-32gb -> ubuntu-24.04-arm

... (truncated)

Commits

• 05044ec Merge commit from fork
• 0b7f2a5 Merge pull request #11540 from dmcgowan/prepare-1.7.27
• 574a304 Merge pull request #11538 from dmcgowan/backport-11327
• 1be04be Prepare release notes for v1.7.27
• 82b5c43 core/remotes: Handle attestations in MakeRefKey
• 2c670e7 core/images: Ignore attestations when traversing children
• 11504c3 validate uid/gid
• 576178b Merge pull request #11515 from akhilerm/1.7-updatego1.24.1
• a39863c update build to go1.23.7, test go1.24.1
• 8946aa0 Merge pull request #11499 from djdongjin/1-7-remove-hashi-multierror
• Additional commits viewable in compare view

Updates github.com/cyphar/filepath-securejoin from 0.2.3 to 0.4.1

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.4.1

This release fixes a regression introduced in one of the hardening features added to filepath-securejoin 0.4.0.

• The restrictions added for root paths passed to SecureJoin in 0.4.0 was found to be too strict and caused some regressions when folks tried to update, so this restriction has been relaxed to only return an error if the path contains a .. component. We still recommend users use filepath.Clean (and even filepath.EvalSymlinks) on the root path they are using, but at least you will no longer be punished for "trivial" unclean paths. (#46)

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.4.0

This release primarily includes a few minor breaking changes to make the MkdirAll and SecureJoin interfaces more robust against accidental misuse.

• SecureJoin(VFS) will now return an error if the provided root is not a filepath.Clean'd path.

  While it is ultimately the responsibility of the caller to ensure the root is a safe path to use, passing a path like /symlink/.. as a root would result in the SecureJoin'd path being placed in / even though /symlink/.. might be a different directory, and so we should more strongly discourage such usage.

  All major users of securejoin.SecureJoin already ensure that the paths they provide are safe (and this is ultimately a question of user error), but removing this foot-gun is probably a good idea. Of course, this is necessarily a breaking API change (though we expect no real users to be affected by it).

  Thanks to Erik Sjölund, who initially reported this issue as a possible security issue.

• MkdirAll and MkdirHandle now take an os.FileMode-style mode argument instead of a raw unix.S_*-style mode argument, which may cause compile-time type errors depending on how you use filepath-securejoin. For most users, there will be no change in behaviour aside from the type change (as the bottom 0o777 bits are the same in both formats, and most users are probably only using those bits).

  However, if you were using unix.S_ISVTX to set the sticky bit with MkdirAll(Handle) you will need to switch to os.ModeSticky otherwise you will get a runtime error with this update. In addition, the error message you will get from passing unix.S_ISUID and unix.S_ISGID will be different as they are treated as invalid bits now (note that previously passing s...

  Description has been truncated