chore(deps): bump the go-minor-and-patch group across 1 directory with 30 updates by dependabot[bot] · Pull Request #3231 · chainloop-dev/chainloop

dependabot · 2026-06-22T13:46:22Z

Bumps the go-minor-and-patch group with 19 updates in the / directory:

Package	From	To
code.cloudfoundry.org/bytefmt	`0.75.0`	`0.76.0`
github.com/aws/aws-sdk-go-v2	`1.41.11`	`1.42.0`
github.com/aws/aws-sdk-go-v2/config	`1.32.22`	`1.32.25`
github.com/aws/aws-sdk-go-v2/service/secretsmanager	`1.42.1`	`1.42.3`
github.com/jedib0t/go-pretty/v6	`6.8.0`	`6.8.1`
github.com/testcontainers/testcontainers-go	`0.40.0`	`0.42.0`
golang.org/x/term	`0.43.0`	`0.44.0`
google.golang.org/api	`0.280.0`	`0.284.0`
github.com/Azure/azure-sdk-for-go/sdk/azcore	`1.21.1`	`1.22.0`
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob	`1.7.0`	`1.8.0`
github.com/aws/aws-sdk-go-v2/feature/s3/manager	`1.22.24`	`1.22.27`
github.com/nats-io/nats.go	`1.51.0`	`1.52.0`
github.com/open-policy-agent/opa	`1.17.0`	`1.17.1`
github.com/posthog/posthog-go	`1.14.0`	`1.15.0`
github.com/sigstore/cosign/v3	`3.0.6`	`3.1.1`
github.com/sigstore/sigstore-go	`1.2.0`	`1.2.1`
go.step.sm/crypto	`0.81.0`	`0.83.0`
github.com/vektah/gqlparser/v2	`2.5.33`	`2.5.34`
github.com/minio/minio-go/v7	`7.0.98`	`7.2.0`

Updates code.cloudfoundry.org/bytefmt from 0.75.0 to 0.76.0

Commits

b8e3c6d Update go.mod dependencies
See full diff in compare view

Updates github.com/aws/aws-sdk-go-v2 from 1.41.11 to 1.42.0

Commits

9a3190f Release 2026-06-08
b20dd5b Regenerated Clients
75a45ea Update API model
e736f55 Add preview of changes for standard retry mode behind flag (#3400)
ba08dc9 Release 2026-06-05.2
9a67e21 Revert schema serde (#3442)
51692f8 s3/transfermanager: avoid double-closing concurrentReader channel after read ...
f696d5b Release 2026-06-05
7efb8fd Regenerated Clients
1a420c5 Update endpoints model
Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/config from 1.32.22 to 1.32.25

Commits

0016334 Release 2026-06-10
396a182 Regenerated Clients
3eb8533 Update API model
7bbea79 Release 2026-06-09
1fefa6c Regenerated Clients
a2cf49f Update endpoints model
d87be68 Update API model
9a3190f Release 2026-06-08
b20dd5b Regenerated Clients
75a45ea Update API model
Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/credentials from 1.19.21 to 1.19.24

Commits

0016334 Release 2026-06-10
396a182 Regenerated Clients
3eb8533 Update API model
7bbea79 Release 2026-06-09
1fefa6c Regenerated Clients
a2cf49f Update endpoints model
d87be68 Update API model
9a3190f Release 2026-06-08
b20dd5b Regenerated Clients
75a45ea Update API model
Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/service/secretsmanager from 1.42.1 to 1.42.3

Commits

09a5817 Release 2025-12-02
58d1759 Regenerated Clients
16ba34e Update endpoints model
7873bf4 Update API model
9b55b02 bump smithy-go to v1.24.0 (#3242)
d8b0179 Release 2025-12-01
e4405f0 Regenerated Clients
65d08b0 Update API model
f6cc036 Release 2025-11-26
deb353f Regenerated Clients
Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/service/sso from 1.31.1 to 1.31.3

Commits

e1909a5 Release 2025-08-26
2dead49 Regenerated Clients
8f87507 Update endpoints model
9f13166 Update API model
92833dd drop opsworks and opsworkscm (#3172)
50d1314 Release 2025-08-25.2
d163c8c Deprecate opsworks/opsworkscm (#3171)
f0a97a7 Release 2025-08-25
3b73a3b Regenerated Clients
9c6a548 Update endpoints model
Additional commits viewable in compare view

Updates github.com/aws/smithy-go from 1.27.0 to 1.27.1

Changelog

Sourced from github.com/aws/smithy-go's changelog.

Release (2026-06-05)

General Highlights

Dependency Update: Updated to the latest SDK module versions

Module Highlights

github.com/aws/smithy-go: v1.27.2

Bug Fix: Fix incorrect serialization of unions in CBOR-based protocols.

Release (2026-06-04)

General Highlights

Dependency Update: Updated to the latest SDK module versions

Module Highlights

github.com/aws/smithy-go: v1.27.1

Bug Fix: Fixed a deserialization failure in all protocols when encountering a union with explicit null members.

Bug Fix: Fixed a panic when deserializing nested unions in JSON- and CBOR-based protocols.

Release (2026-06-02)

General Highlights

Dependency Update: Updated to the latest SDK module versions

Module Highlights

github.com/aws/smithy-go: v1.27.0

Feature: Add APIs for schema-based serialization.

Feature: Add support for all current AWS and Smithy protocols.

Bug Fix: Enforce max nesting depth of 128 on CBOR payloads.

github.com/aws/smithy-go/aws-http-auth: v1.2.0

Feature: Add event stream signer.

Release (2026-05-27)

General Highlights

Dependency Update: Updated to the latest SDK module versions

Module Highlights

github.com/aws/smithy-go: v1.26.0

Feature: Add StringSlice to endpoint rulesfn.

Release (2026-04-23)

General Highlights

Dependency Update: Updated to the latest SDK module versions

Module Highlights

github.com/aws/smithy-go: v1.25.1

Bug Fix: Fixed a memory leak in the LRU cache implementation used by some AWS services.

... (truncated)

Commits

6a1dd2f Release 2026-06-04
ec26415 fix nested union json ctx break/smithy.ReadUnion contract issue (#673)
See full diff in compare view

Updates github.com/jedib0t/go-pretty/v6 from 6.8.0 to 6.8.1

Release notes

Sourced from github.com/jedib0t/go-pretty/v6's releases.

v6.8.1

What's Changed

A hardening pass across the table, list, progress, and text packages, fixing security issues, crash/race bugs, and performance problems in the render hot paths, with benchmarks added to back the optimizations.

Security

table/list (HTML): escape the title, caption, and CSS class names in RenderHTML() to prevent HTML/attribute injection.

table (CSV): make RenderCSV() output RFC 4180 compliant, and add an opt-in Style().CSV.FieldProtection option that neutralizes spreadsheet formula-injection fields (=, +, -, @, tab, CR).

text: sanitize hyperlink URLs and bound the escape-sequence parser buffer so adversarial input can't grow it without limit.

Correctness

progress: fix a render panic on tiny tracker lengths, data races on tracker/indicator state, and a leaked time.Ticker in the terminal-size watcher.

table: guard auto-index rendering against empty maxColumnLengths.

text: prevent a panic in VAlign.Apply on negative maxLines.

Performance

table: compile regex filters once per render; pre-size render builders.

list: hoist repeated width math out of the render loops.

text: speed up Align.Apply and StringWidthWithoutEscSequences.

progress: build PacManChomp frames with a strings.Builder.

Tooling

Moved root-level benchmarks into their packages and wired up make bench; added benchmarks for the table/text/list/progress render hot paths and tests covering the retained-done-tracker render paths.

Full Changelog: jedib0t/go-pretty@v6.8.0...v6.8.1

Commits

22c68f6 fix panics, races, and injection vectors; speed up render hot paths (#409)
See full diff in compare view

Updates github.com/testcontainers/testcontainers-go from 0.40.0 to 0.42.0

Release notes

Sourced from github.com/testcontainers/testcontainers-go's releases.

v0.42.0

What's Changed

⚠️ Breaking Changes

chore!: migrate to moby modules (#3591) @thaJeztah

🔒 Security

chore(deps): bump moby/client v0.4.0, moby/api v1.54.1 (#3634) @thaJeztah

🐛 Bug Fixes

fix: return an error when docker host cannot be retrieved (#3613) @ash2k

🧹 Housekeeping

chore: gitignore Gas Town agent artifacts (#3633) @mdelapenya

fix(usage-metrics): include last release in the legend pop over (#3630) @mdelapenya

chore: update usage metrics (2026-04) (#3621) @github-actions[bot]

fix(usage-metrics): order of actions matters (#3623) @mdelapenya

fix(usage-metrics): reduce rate-limit cascade errors (#3622) @mdelapenya

fix(usage-metrics): replace the per-version inline retry with a multi-pass approach (#3620) @mdelapenya

📦 Dependency updates

chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.28.0 to 1.43.0 in /modules/grafana-lgtm (#3639) @dependabot[bot]

chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0 in /modules/compose (#3641) @dependabot[bot]

chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0 in /modules/compose (#3645) @dependabot[bot]

chore(deps): bump mkdocs-include-markdown-plugin from 7.2.1 to 7.2.2 (#3626) @dependabot[bot]

chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.2 to 1.97.3 in /modules/localstack (#3638) @dependabot[bot]

chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.41.0 to 1.43.0 in /modules/grafana-lgtm (#3643) @dependabot[bot]

chore(deps): bump go.opentelemetry.io/otel/sdk from 1.41.0 to 1.43.0 in /modules/milvus (#3644) @dependabot[bot]

chore: update to Go 1.25.9, 1.26.9 (#3647) @thaJeztah

chore(deps): bump bump github.com/klauspost/compress v1.18.5, github.com/docker/compose v5.1.2 (#3646) @thaJeztah

chore(deps): bump moby/client v0.4.0, moby/api v1.54.1 (#3634) @thaJeztah

chore(deps): bump golang.org/x/sys from 0.41.0 to 0.42.0 (#3629) @dependabot[bot]

chore(deps): bump github.com/moby/patternmatcher from 0.6.0 to 0.6.1 (#3628) @dependabot[bot]

chore(deps): bump github.com/shirou/gopsutil/v4 from 4.26.2 to 4.26.3 (#3627) @dependabot[bot]

fix(localstack): accept community-archive as a valid tag (#3601) @johnduhart

chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /modules/gcloud (#3632) @dependabot[bot]

chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#3625) @dependabot[bot]

chore(deps): bump pygments from 2.19.2 to 2.20.0 (#3615) @dependabot[bot]

chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in /modules/milvus (#3612) @dependabot[bot]

chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in /modules/etcd (#3611) @dependabot[bot]

chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 in /modules/ollama (#3610) @dependabot[bot]

chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in /modules/pinecone (#3609) @dependabot[bot]

chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in /modules/couchbase (#3608) @dependabot[bot]

chore(deps): bump requests from 2.32.4 to 2.33.0 (#3604) @dependabot[bot]

chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 in /modules/meilisearch (#3607) @dependabot[bot]

chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.1 in /modules/compose (#3605) @dependabot[bot]

... (truncated)

Commits

6e58418 chore: use new version (v0.42.0) in modules and examples
f713dc0 chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetr...
300827a chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetr...
7a15ac1 chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace...
5bae3d2 fix: return an error when docker host cannot be retrieved (#3613)
fc19484 chore(deps): bump mkdocs-include-markdown-plugin from 7.2.1 to 7.2.2 (#3626)
95bdc0c chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#3638)
75aa226 chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace...
2f59938 chore(deps): bump go.opentelemetry.io/otel/sdk in /modules/milvus (#3644)
580abf6 chore: update to Go 1.25.9, 1.26.9 (#3647)
Additional commits viewable in compare view

Updates golang.org/x/term from 0.43.0 to 0.44.0

Commits

3b43943 go.mod: update golang.org/x dependencies
See full diff in compare view

Updates google.golang.org/api from 0.280.0 to 0.284.0

Release notes

Sourced from google.golang.org/api's releases.

v0.284.0

0.284.0 (2026-06-09)

Features

all: Auto-regenerate discovery clients (#3613) (5f02153)

all: Auto-regenerate discovery clients (#3616) (25b429a)

all: Auto-regenerate discovery clients (#3617) (1ef3625)

v0.283.0

0.283.0 (2026-06-01)

Features

all: Auto-regenerate discovery clients (#3609) (ed84bb8)

all: Auto-regenerate discovery clients (#3611) (3855346)

all: Auto-regenerate discovery clients (#3612) (32624d3)

v0.282.0

0.282.0 (2026-05-27)

Features

all: Auto-regenerate discovery clients (#3607) (3c139a0)

v0.281.0

0.281.0 (2026-05-26)

Features

all: Auto-regenerate discovery clients (#3600) (bcaee85)

all: Auto-regenerate discovery clients (#3602) (f0071d3)

all: Auto-regenerate discovery clients (#3603) (b1aa9de)

all: Auto-regenerate discovery clients (#3604) (711e008)

all: Auto-regenerate discovery clients (#3606) (3ad8e8e)

Changelog

Sourced from google.golang.org/api's changelog.

0.284.0 (2026-06-09)

Features

all: Auto-regenerate discovery clients (#3613) (5f02153)

all: Auto-regenerate discovery clients (#3616) (25b429a)

all: Auto-regenerate discovery clients (#3617) (1ef3625)

0.283.0 (2026-06-01)

Features

all: Auto-regenerate discovery clients (#3609) (ed84bb8)

all: Auto-regenerate discovery clients (#3611) (3855346)

all: Auto-regenerate discovery clients (#3612) (32624d3)

0.282.0 (2026-05-27)

Features

all: Auto-regenerate discovery clients (#3607) (3c139a0)

0.281.0 (2026-05-26)

Features

all: Auto-regenerate discovery clients (#3600) (bcaee85)

all: Auto-regenerate discovery clients (#3602) (f0071d3)

all: Auto-regenerate discovery clients (#3603) (b1aa9de)

all: Auto-regenerate discovery clients (#3604) (711e008)

all: Auto-regenerate discovery clients (#3606) (3ad8e8e)

Commits

5c6a0b0 chore(main): release 0.284.0 (#3614)
1ef3625 feat(all): auto-regenerate discovery clients (#3617)
4dd580d chore(all): update all (#3615)
25b429a feat(all): auto-regenerate discovery clients (#3616)
5f02153 feat(all): auto-regenerate discovery clients (#3613)
f672636 chore(main): release 0.283.0 (#3610)
32624d3 feat(all): auto-regenerate discovery clients (#3612)
3855346 feat(all): auto-regenerate discovery clients (#3611)
ed84bb8 feat(all): auto-regenerate discovery clients (#3609)
60aebbd chore(main): release 0.282.0 (#3608)
Additional commits viewable in compare view

Updates github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/azcore's releases.

sdk/azcore/v1.22.0

1.22.0 (2026-06-04)

Features Added

Added type datetime.RFC7231 for date/time values in RFC 1123 format with a fixed GMT timezone.

Other Changes

Upgraded dependencies.

Commits

a19f613 Prep azcore@v1.22.0 for release (#26926)
5803c0e Increment package version after release of storage/azblob (#26935) (#26943)
9a979ff [Automation] Regenerate SDK based on typespec-go branch main 【batch 6】 (#26939)
711094d eng/tools/generator: release v0.4.14 (#26934)
20bd677 Deprecate Change Analysis SDK (#26913)
92a31ec [Automation] Regenerate SDK based on typespec-go branch main 【batch 5】 (#26932)
768459d azcertificates: live recording for PlatformManaged + review fixes (follow-up ...
e845f72 Update codeowners (#26918)
118bb35 eng/tools/internal/exports: handle untyped const with selector expr value (#2...
2b3767b Configurations: 'specification/containerservice/resource-manager/Microsoft.C...
Additional commits viewable in compare view

Updates github.com/Azure/azure-sdk-for-go/sdk/storage/azblob from 1.7.0 to 1.8.0

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/storage/azblob's releases.

sdk/storage/azblob/v1.8.0

1.8.0 (2026-06-15)

Features Added

Includes all features from 1.8.0-beta.1 and 1.8.0-beta.2

sdk/storage/azblob/v1.8.0-beta.2

1.8.0-beta.2 (2026-06-03)

Features Added

Added support for the Expect: 100-continue HTTP header on requests with a body. The new ExpectContinueBehavior field on ClientOptions configures the behavior via ExpectContinueOptions. By default (ExpectContinueModeApplyOnThrottle) the header is sent for one minute after a 429, 500, or 503 response is received; the interval can be overridden via ExpectContinueOptions.ThrottleInterval. Other modes are ExpectContinueModeOn (always send) and ExpectContinueModeOff (never send). Set the environment variable AZURE_STORAGE_DISABLE_EXPECT_CONTINUE_HEADER=true to disable the feature regardless of ClientOptions.

Commits

42def97 Add breaking changes to release notes (#21696)
112db83 Azcore v1.8.0 (#21694)
204a3c4 Prep azcore v1.7.2 for release (#21506)
89497f5 Add changelog entry for WASM fix (#21493)
0414a4b Transport dialer: setting nil for wasm build (#21451)
b1db0be Enable TLS renegotiation (#21182)
See full diff in compare view

Updates github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.22.24 to 1.22.27

Commits

0016334 Release 2026-06-10
396a182 Regenerated Clients
3eb8533 Update API model
7bbea79 Release 2026-06-09
1fefa6c Regenerated Clients
a2cf49f Update endpoints model
d87be68 Update API model
9a3190f Release 2026-06-08
b20dd5b Regenerated Clients
75a45ea Update API model
Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/service/s3 from 1.103.1 to 1.103.3

Commits

9a3190f Release 2026-06-08
b20dd5b Regenerated Clients
75a45ea Update API model
e736f55 Add preview of changes for standard retry mode behind flag (#3400)
ba08dc9 Release 2026-06-05.2
9a67e21 Revert schema serde (#3442)
51692f8 s3/transfermanager: avoid double-closing concurrentReader channel after read ...
f696d5b Release 2026-06-05
7efb8fd Regenerated Clients
1a420c5 Update endpoints model
Additional commits viewable in compare view

Updates github.com/nats-io/nats.go from 1.51.0 to 1.52.0

Release notes

Sourced from github.com/nats-io/nats.go's releases.

Release v1.52.0

Changelog

This release focuses on 2.14 nats-server features support.

ADDED

JetStream:

Added fast batch stream config field (#2052)

Added message scheduling headers and publish opts (#2051)

Updated StreamConfig with Consumer field and added AckFlowControlPolicy (#2070)

Added reset consumer API (#2069)

FIXED

Core NATS:

Fix Subscription.StatusChanged channel closure on Closed Subscription. Thanks @nithimani38-prog for the contribution (#2034)

IMPROVED

Fixed Flaky JS cluster tests (#2062)

Complete Changes

nats-io/nats.go@v1.51.0...v1.52.0

Commits

e9f2a36 Release v1.52.0 (#2074)
609274f [FIXED] Subscription.StatusChanged channel closure on Closed Subscription (#2...
f7cde74 [IMPROVED] Use latest release build for badge in README (#2064)
c7476ea [IMPROVED] Reject empty consumer info in CONSUMER.RESET response (#2072)
8fde36f [ADDED] ResetConsumer JetStream API (#2069)
dcfd0fc [ADDED] StreamSource.Consumer config field and AckFlowControlPolicy (#2070)
7a28503 [ADDED] Publish options and consts for message scheduling (#2051)
6c91a51 [ADDED] AllowBatchPublish stream config field (#2052)
a614d0b [FIXED] Flaky JS cluster tests due to race in setupJSClusterWithSize (#2062)
See full diff in compare view

Updates github.com/open-policy-agent/opa from 1.17.0 to 1.17.1

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.1

This release uses the latest version of Go (1.26.4) to build OPA, fixing stdlib vulnerabilities in code that OPA's HTTP handler and crypto builtins use:

https://pkg.go.dev/vuln/GO-2026-5039

https://pkg.go.dev/vuln/GO-2026-5037

It is otherwise the same code as v1.17.0.

Note that users building their own OPA binaries and images already control the Golang version, so this is not relevant for them.

Miscellaneous

build: bump go 1.26.3 -> 1.26.4 (authored by @srenatus)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.1

This release uses the latest version of Go (1.26.4) to build OPA, fixing stdlib vulnerabilities in code that OPA's HTTP handler and crypto builtins use:

https://pkg.go.dev/vuln/GO-2026-5039

https://pkg.go.dev/vuln/GO-2026-5037

It is otherwise the same code as v1.17.0.

Note that users building their own OPA binaries and images already control the Golang version, so this is not relevant for them.

Miscellaneous

build: bump go 1.26.3 -> 1.26.4 (authored by @srenatus)

Commits

187c696 Release v1.17.1
a0c116e build: bump go 1.26.3 -> 1.26.4
See full diff in compare view

Updates github.com/posthog/posthog-go from 1.14.0 to 1.15.0

Release notes

Sourced from github.com/posthog/posthog-go's releases.

1.15.0

Unreleased

Changelog

Sourced from github.com/posthog/posthog-go's changelog.

1.15.0

Minor Changes

64ad172: Support the early_exit flag filter in local evaluation. When a flag's filters.early_exit is true and a condition group's property filters match (or there are none) but the rollout percentage excludes the user, evaluation now stops and returns false immediately instead of falling through to later groups. Mirrors the server-side (Rust) evaluation engine. A property-filter mismatch still falls through as before, and behaviour is unchanged when early_exit is unset or false.

Minor Changes

Support the early_exit option on feature flag filters during local evaluation. When a flag has filters.early_exit set to true and a condition group matches its property filters (or has none) but the rollout percentage excludes the user, local evaluation now returns a definitive disabled result immediately instead of falling through to later condition groups, mirroring the server-side evaluation engine. Property-filter mismatches continue to fall through as before, and behaviour is unchanged when early_exit is absent or false.

Commits

1a54557 chore: release v1.15.0 [version bump] [skip ci]
64ad172 feat(feature-flags): support early_exit in local evaluation (#217)
See full diff in compare view

Updates github.com/sigstore/cosign/v3 from 3.0.6 to 3.1.1

Release notes

Sourced from github.com/sigstore/cosign/v3's releases.

v3.1.1

What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0

This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

Initialize PKCS11 slots Before Getting Token Info in sigstore/cosign#4803

Sign exclusively via sigstore-go in sigstore/cosign#4618

bundle create: Prevent IgnoreTlog when bundle contains SET in sigstore/cosign#4829

Require bundle output or registry upload in sigstore/cosign#4785

fix(load): pass NameOptions to name.ParseReference in sigstore/cosign#4786

fix: honor --digestAlg when hashing a blob in verify-blob-attestation in sigstore/cosign#4813

Deprecate Flags for v4: Certificates in sigstore/cosign#4822

Deprecate flags signing config in sigstore/cosign#4844

Deprecate flags bundle in sigstore/cosign#4838

Fix typo in map of verify command fields unsupported for new bundle format in sigstore/cosign#4853

Add bundle upgrade command in sigstore/cosign#4820

Deprecate Flags for v4 in sigstore/cosign#4854

fix: close file descriptor leaked in WriteSignedImageIndexImages loop in sigstore/cosign#4869

fix: use Header.Set to prevent duplicate Authorization on retry in sigstore/cosign#4870

feat(cli): add Rekor v2 flag to cosign signing-config create in sigstore/cosign#4868

Fix crash verifying timestamps when no timestamp was verified in sigstore/cosign#4881

Deprecate Flags for v4: OCI Referrers in sigstore/cosign#4804

Use the configured Target Repository more consistently in sigstore/cosign#4836

fix: check HTTP status code in LoadFileOrURL in sigstore/cosign#4877

Fix unsafe type assertion in Rego policy evaluation by in sigstore/cosign#4882

Fix Ed25519ph check to respect custom signing configs in sign-blob in sigstore/cosign#4880

Enable initialize command output in conformance in sigstore/cosign#4892

ve...
Description has been truncated

…h 30 updates Bumps the go-minor-and-patch group with 19 updates in the / directory: | Package | From | To | | --- | --- | --- | | [code.cloudfoundry.org/bytefmt](https://github.com/cloudfoundry/bytefmt) | `0.75.0` | `0.76.0` | | [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.41.11` | `1.42.0` | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.32.22` | `1.32.25` | | [github.com/aws/aws-sdk-go-v2/service/secretsmanager](https://github.com/aws/aws-sdk-go-v2) | `1.42.1` | `1.42.3` | | [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) | `6.8.0` | `6.8.1` | | [github.com/testcontainers/testcontainers-go](https://github.com/testcontainers/testcontainers-go) | `0.40.0` | `0.42.0` | | [golang.org/x/term](https://github.com/golang/term) | `0.43.0` | `0.44.0` | | [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.280.0` | `0.284.0` | | [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go) | `1.21.1` | `1.22.0` | | [github.com/Azure/azure-sdk-for-go/sdk/storage/azblob](https://github.com/Azure/azure-sdk-for-go) | `1.7.0` | `1.8.0` | | [github.com/aws/aws-sdk-go-v2/feature/s3/manager](https://github.com/aws/aws-sdk-go-v2) | `1.22.24` | `1.22.27` | | [github.com/nats-io/nats.go](https://github.com/nats-io/nats.go) | `1.51.0` | `1.52.0` | | [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `1.17.0` | `1.17.1` | | [github.com/posthog/posthog-go](https://github.com/posthog/posthog-go) | `1.14.0` | `1.15.0` | | [github.com/sigstore/cosign/v3](https://github.com/sigstore/cosign) | `3.0.6` | `3.1.1` | | [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) | `1.2.0` | `1.2.1` | | [go.step.sm/crypto](https://github.com/smallstep/crypto) | `0.81.0` | `0.83.0` | | [github.com/vektah/gqlparser/v2](https://github.com/vektah/gqlparser) | `2.5.33` | `2.5.34` | | [github.com/minio/minio-go/v7](https://github.com/minio/minio-go) | `7.0.98` | `7.2.0` | Updates `code.cloudfoundry.org/bytefmt` from 0.75.0 to 0.76.0 - [Release notes](https://github.com/cloudfoundry/bytefmt/releases) - [Commits](cloudfoundry/bytefmt@v0.75.0...v0.76.0) Updates `github.com/aws/aws-sdk-go-v2` from 1.41.11 to 1.42.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@v1.41.11...v1.42.0) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.22 to 1.32.25 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.32.22...config/v1.32.25) Updates `github.com/aws/aws-sdk-go-v2/credentials` from 1.19.21 to 1.19.24 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@credentials/v1.19.21...credentials/v1.19.24) Updates `github.com/aws/aws-sdk-go-v2/service/secretsmanager` from 1.42.1 to 1.42.3 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.42.1...service/amp/v1.42.3) Updates `github.com/aws/aws-sdk-go-v2/service/sso` from 1.31.1 to 1.31.3 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.31.1...config/v1.31.3) Updates `github.com/aws/smithy-go` from 1.27.0 to 1.27.1 - [Release notes](https://github.com/aws/smithy-go/releases) - [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md) - [Commits](aws/smithy-go@v1.27.0...v1.27.1) Updates `github.com/jedib0t/go-pretty/v6` from 6.8.0 to 6.8.1 - [Release notes](https://github.com/jedib0t/go-pretty/releases) - [Commits](jedib0t/go-pretty@v6.8.0...v6.8.1) Updates `github.com/testcontainers/testcontainers-go` from 0.40.0 to 0.42.0 - [Release notes](https://github.com/testcontainers/testcontainers-go/releases) - [Commits](testcontainers/testcontainers-go@v0.40.0...v0.42.0) Updates `golang.org/x/term` from 0.43.0 to 0.44.0 - [Commits](golang/term@v0.43.0...v0.44.0) Updates `google.golang.org/api` from 0.280.0 to 0.284.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.280.0...v0.284.0) Updates `github.com/Azure/azure-sdk-for-go/sdk/azcore` from 1.21.1 to 1.22.0 - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Commits](Azure/azure-sdk-for-go@sdk/azcore/v1.21.1...sdk/azcore/v1.22.0) Updates `github.com/Azure/azure-sdk-for-go/sdk/storage/azblob` from 1.7.0 to 1.8.0 - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Commits](Azure/azure-sdk-for-go@sdk/azcore/v1.7.0...sdk/azcore/v1.8.0) Updates `github.com/aws/aws-sdk-go-v2/feature/s3/manager` from 1.22.24 to 1.22.27 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@feature/s3/manager/v1.22.24...feature/s3/manager/v1.22.27) Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.103.1 to 1.103.3 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.103.1...service/s3/v1.103.3) Updates `github.com/nats-io/nats.go` from 1.51.0 to 1.52.0 - [Release notes](https://github.com/nats-io/nats.go/releases) - [Commits](nats-io/nats.go@v1.51.0...v1.52.0) Updates `github.com/open-policy-agent/opa` from 1.17.0 to 1.17.1 - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.17.0...v1.17.1) Updates `github.com/posthog/posthog-go` from 1.14.0 to 1.15.0 - [Release notes](https://github.com/posthog/posthog-go/releases) - [Changelog](https://github.com/PostHog/posthog-go/blob/main/CHANGELOG.md) - [Commits](PostHog/posthog-go@v1.14.0...v1.15.0) Updates `github.com/sigstore/cosign/v3` from 3.0.6 to 3.1.1 - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](sigstore/cosign@v3.0.6...v3.1.1) Updates `github.com/sigstore/sigstore-go` from 1.2.0 to 1.2.1 - [Release notes](https://github.com/sigstore/sigstore-go/releases) - [Commits](sigstore/sigstore-go@v1.2.0...v1.2.1) Updates `go.step.sm/crypto` from 0.81.0 to 0.83.0 - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](smallstep/crypto@v0.81.0...v0.83.0) Updates `google.golang.org/genproto/googleapis/bytestream` from 0.0.0-20260511170946-3700d4141b60 to 0.0.0-20260526163538-3dc84a4a5aaa - [Commits](https://github.com/googleapis/go-genproto/commits) Updates `github.com/vektah/gqlparser/v2` from 2.5.33 to 2.5.34 - [Release notes](https://github.com/vektah/gqlparser/releases) - [Commits](vektah/gqlparser@v2.5.33...v2.5.34) Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.67.0 to 0.68.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.67.0...zpages/v0.68.0) Updates `github.com/aws/aws-sdk-go-v2/service/sts` from 1.43.1 to 1.43.3 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.43.1...service/amp/v1.43.3) Updates `github.com/minio/minio-go/v7` from 7.0.98 to 7.2.0 - [Release notes](https://github.com/minio/minio-go/releases) - [Commits](minio/minio-go@v7.0.98...v7.2.0) Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0 - [Commits](golang/crypto@v0.52.0...v0.53.0) Updates `golang.org/x/sync` from 0.20.0 to 0.21.0 - [Commits](golang/sync@v0.20.0...v0.21.0) Updates `golang.org/x/text` from 0.37.0 to 0.38.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.37.0...v0.38.0) Updates `k8s.io/apimachinery` from 0.35.3 to 0.36.1 - [Commits](kubernetes/apimachinery@v0.35.3...v0.36.1) --- updated-dependencies: - dependency-name: code.cloudfoundry.org/bytefmt dependency-version: 0.76.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-version: 1.42.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.32.25 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/aws/aws-sdk-go-v2/credentials dependency-version: 1.19.24 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/aws/aws-sdk-go-v2/service/secretsmanager dependency-version: 1.42.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/aws/aws-sdk-go-v2/service/sso dependency-version: 1.31.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/aws/smithy-go dependency-version: 1.27.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/jedib0t/go-pretty/v6 dependency-version: 6.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/testcontainers/testcontainers-go dependency-version: 0.42.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: golang.org/x/term dependency-version: 0.44.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: google.golang.org/api dependency-version: 0.284.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore dependency-version: 1.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/storage/azblob dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: github.com/aws/aws-sdk-go-v2/feature/s3/manager dependency-version: 1.22.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/aws/aws-sdk-go-v2/service/s3 dependency-version: 1.103.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/nats-io/nats.go dependency-version: 1.52.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.17.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/posthog/posthog-go dependency-version: 1.15.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: github.com/sigstore/cosign/v3 dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: github.com/sigstore/sigstore-go dependency-version: 1.2.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: go.step.sm/crypto dependency-version: 0.83.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: google.golang.org/genproto/googleapis/bytestream dependency-version: 0.0.0-20260526163538-3dc84a4a5aaa dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/vektah/gqlparser/v2 dependency-version: 2.5.34 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc dependency-version: 0.68.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: github.com/aws/aws-sdk-go-v2/service/sts dependency-version: 1.43.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-and-patch - dependency-name: github.com/minio/minio-go/v7 dependency-version: 7.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: golang.org/x/crypto dependency-version: 0.53.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: golang.org/x/sync dependency-version: 0.21.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: golang.org/x/text dependency-version: 0.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch - dependency-name: k8s.io/apimachinery dependency-version: 0.36.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 22, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the go-minor-and-patch group across 1 directory with 30 updates#3231

chore(deps): bump the go-minor-and-patch group across 1 directory with 30 updates#3231
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-minor-and-patch-c998763cee

dependabot Bot commented on behalf of github Jun 22, 2026 •

edited by cubic-dev-ai Bot

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 22, 2026 • edited by cubic-dev-ai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release (2026-06-05)

General Highlights

Module Highlights

Release (2026-06-04)

General Highlights

Module Highlights

Release (2026-06-02)

General Highlights

Module Highlights

Release (2026-05-27)

General Highlights

Module Highlights

Release (2026-04-23)

General Highlights

Module Highlights

v6.8.1

What's Changed

Security

Correctness

Performance

Tooling

v0.42.0

What's Changed

⚠️ Breaking Changes

🔒 Security

🐛 Bug Fixes

🧹 Housekeeping

📦 Dependency updates

v0.284.0

0.284.0 (2026-06-09)

Features

v0.283.0

0.283.0 (2026-06-01)

Features

v0.282.0

0.282.0 (2026-05-27)

Features

v0.281.0

0.281.0 (2026-05-26)

Features

0.284.0 (2026-06-09)

Features

0.283.0 (2026-06-01)

Features

0.282.0 (2026-05-27)

Features

0.281.0 (2026-05-26)

Features

sdk/azcore/v1.22.0

1.22.0 (2026-06-04)

Features Added

Other Changes

sdk/storage/azblob/v1.8.0

1.8.0 (2026-06-15)

Features Added

sdk/storage/azblob/v1.8.0-beta.2

1.8.0-beta.2 (2026-06-03)

Features Added

Release v1.52.0

Changelog

ADDED

FIXED

IMPROVED

Complete Changes

v1.17.1

Miscellaneous

1.17.1

Miscellaneous

1.15.0

Unreleased

1.15.0

Minor Changes

Minor Changes

v3.1.1

What's Changed

Uh oh!

Reviewers

dependabot Bot commented on behalf of github Jun 22, 2026 •

edited by cubic-dev-ai Bot

Loading