Bump the go-deps group across 1 directory with 13 updates #1303

Closed

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Dec 6, 2024

Bumps the go-deps group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/cyphar/filepath-securejoin | 0.3.2 | 0.3.5 |
| github.com/fluxcd/cli-utils | 0.36.0-flux.9 | 0.36.0-flux.10 |
| github.com/fluxcd/pkg/apis/acl | 0.3.0 | 0.4.0 |
| github.com/fluxcd/pkg/apis/event | 0.10.1 | 0.11.0 |
| github.com/fluxcd/pkg/apis/kustomize | 1.6.1 | 1.7.0 |
| github.com/fluxcd/pkg/apis/meta | 1.6.1 | 1.7.0 |
| github.com/fluxcd/pkg/http/fetch | 0.12.1 | 0.13.0 |
| github.com/fluxcd/pkg/kustomize | 1.13.0 | 1.14.0 |
| github.com/fluxcd/pkg/runtime | 0.49.1 | 0.50.0 |
| github.com/fluxcd/pkg/tar | 0.8.1 | 0.9.0 |
| github.com/fluxcd/pkg/testserver | 0.7.0 | 0.8.0 |

Updates github.com/cyphar/filepath-securejoin from 0.3.2 to 0.3.5

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.3.5

This release primarily includes a fix for an issue involving two programs racing to MkdirAll the same directory, which caused a regression with BuildKit.

  • MkdirAll will now no longer return an EEXIST error if two racing processes are creating the same directory. We will still verify that the path is a directory, but this will avoid spurious errors when multiple threads or programs are trying to MkdirAll the same path. opencontainers/runc#4543

Signed-off-by: Aleksa Sarai [email protected]

v0.3.4

This release primarily includes a fix that blocked using filepath-securejoin in Kubernetes.

  • Previously, some testing mocks we had resulted in us doing import "testing" in non-_test.go code, which made some downstreams like Kubernetes unhappy. This has been fixed. (#32)

Thanks to all of the contributors who made this release possible:

Signed-off-by: Aleksa Sarai [email protected]

v0.3.3

This release primarily includes fixes for spurious errors we hit when checking that directories created by MkdirAll "look right". Upon further consideration, these checks were fundamentally buggy and didn't offer any practical protection anyway.

  • The mode and owner verification logic in MkdirAll has been removed. This was originally intended to protect against some theoretical attacks but upon further consideration these protections don't actually buy us anything and they were causing spurious errors with more complicated filesystem setups.
  • The "is the created directory empty" logic in MkdirAll has also been removed. This was not causing us issues yet, but some pseudofilesystems (such as cgroup) create non-empty directories and so this logic would've been wrong for such cases.

Thanks to all of the contributors who made this release possible:

Signed-off-by: Aleksa Sarai [email protected]

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.3.5] - 2024-12-06

Fixed

  • MkdirAll will now no longer return an EEXIST error if two racing processes are creating the same directory. We will still verify that the path is a directory, but this will avoid spurious errors when multiple threads or programs are trying to MkdirAll the same path. opencontainers/runc#4543

[0.3.4] - 2024-10-09

Fixed

  • Previously, some testing mocks we had resulted in us doing import "testing" in non-_test.go code, which made some downstreams like Kubernetes unhappy. This has been fixed. (#32)

[0.3.3] - 2024-09-30

Fixed

  • The mode and owner verification logic in MkdirAll has been removed. This was originally intended to protect against some theoretical attacks but upon further consideration these protections don't actually buy us anything and they were causing spurious errors with more complicated filesystem setups.
  • The "is the created directory empty" logic in MkdirAll has also been removed. This was not causing us issues yet, but some pseudofilesystems (such as cgroup) create non-empty directories and so this logic would've been wrong for such cases.

Commits

Updates github.com/fluxcd/cli-utils from 0.36.0-flux.9 to 0.36.0-flux.10

Commits

Updates github.com/fluxcd/pkg/apis/acl from 0.3.0 to 0.4.0

Commits
  • 0d58ef4 Merge pull request #683 from fluxcd/update-deps
  • 5505645 Update sigs.k8s.io/controller-runtime to v0.15.3
  • 2d41523 Update k8s.io/* to v0.27.7
  • 4c3b551 Update github.com/cyphar/filepath-securejoin
  • 830e238 Update github.com/docker/docker across packages
  • 7c5474c Update golang.org/x/net across packages
  • 0b57897 Merge pull request #681 from fluxcd/tweak-file-perms
  • 7dac171 *: change default permissions
  • 9c506d6 Merge pull request #682 from fluxcd/oci-int-stop-exit-code
  • d29d25f oci/tests/int: Set exit code 1 on tf destroy fail
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/apis/event from 0.10.1 to 0.11.0

Commits
  • a5896a6 git/internal/e2e: update dependencies
  • 00f6465 git/gogit: update dependencies
  • acf35bd git: update dependencies
  • eda77cf ssh: update dependencies
  • 41b3167 Merge pull request #504 from fluxcd/misc-update-deps
  • 9a579c9 ssa: update dependencies
  • 5185f64 http/fetch: update dependencies
  • 3caadb0 oci/tests: update dependencies
  • 6f300e8 oci: update dependencies
  • 527a993 Merge pull request #503 from fluxcd/kustomize-update-deps
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/apis/kustomize from 1.6.1 to 1.7.0

Commits
  • b83bd25 Merge pull request #817 from fluxcd/refactor-cache
  • a29e42f cache: Return ErrNotFound error from Get()
  • 72d6f8c oci: Remove cache from auth and int tests code
  • 061b9ac cache: Allow setting cache metrics prefix
  • a961051 Simplify the cache
  • 9e2947d Merge pull request #829 from fluxcd/helm-v3.16.3
  • 802b6e3 Update dependencies
  • 19c00ad Merge pull request #828 from fluxcd/kustomize-v5.5
  • f9cbcaf Add doc to auth pkg
  • 33f3829 Update dependencies
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/apis/meta from 1.6.1 to 1.7.0

Commits
  • b83bd25 Merge pull request #817 from fluxcd/refactor-cache
  • a29e42f cache: Return ErrNotFound error from Get()
  • 72d6f8c oci: Remove cache from auth and int tests code
  • 061b9ac cache: Allow setting cache metrics prefix
  • a961051 Simplify the cache
  • 9e2947d Merge pull request #829 from fluxcd/helm-v3.16.3
  • 802b6e3 Update dependencies
  • 19c00ad Merge pull request #828 from fluxcd/kustomize-v5.5
  • f9cbcaf Add doc to auth pkg
  • 33f3829 Update dependencies
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/http/fetch from 0.12.1 to 0.13.0

Commits
  • 04a0963 Merge pull request #597 from fluxcd/tag-verification
  • 0f40956 git: add support for lightweight tags
  • 320d78f git/gogit: add tag info to commit if refname points to an annotated tag
  • 5658f3b git/gogit: add tag info to commit when checking out via semver
  • 75c942d git/gogit: add tag info to commit when checking out via tag
  • fba7100 git: add support for linking a parent tag to a commit
  • 540f61e Merge pull request #631 from mihaiandreiratoiu/feature/gov-arm
  • 174a5e9 Ops: Update azure cloud token auth
  • 5eb935a Merge pull request #632 from fluxcd/disable-azure-ci-jobs
  • 1330800 Disable azure CI jobs
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/kustomize from 1.13.0 to 1.14.0

Commits
  • 3431579 Merge pull request #831 from fluxcd/distribution-v3.0.0-rc.1
  • ca4bf2d Update internal Git dependencies
  • bd582bc Merge pull request #830 from fluxcd/int-update
  • bf70554 Update internal dependencies
  • b83bd25 Merge pull request #817 from fluxcd/refactor-cache
  • a29e42f cache: Return ErrNotFound error from Get()
  • 72d6f8c oci: Remove cache from auth and int tests code
  • 061b9ac cache: Allow setting cache metrics prefix
  • a961051 Simplify the cache
  • 9e2947d Merge pull request #829 from fluxcd/helm-v3.16.3
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/runtime from 0.49.1 to 0.50.0

Commits
  • 3431579 Merge pull request #831 from fluxcd/distribution-v3.0.0-rc.1
  • ca4bf2d Update internal Git dependencies
  • bd582bc Merge pull request #830 from fluxcd/int-update
  • bf70554 Update internal dependencies
  • b83bd25 Merge pull request #817 from fluxcd/refactor-cache
  • a29e42f cache: Return ErrNotFound error from Get()
  • 72d6f8c oci: Remove cache from auth and int tests code
  • 061b9ac cache: Allow setting cache metrics prefix
  • a961051 Simplify the cache
  • 9e2947d Merge pull request #829 from fluxcd/helm-v3.16.3
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/tar from 0.8.1 to 0.9.0

Commits
  • 598e74e git: update dependencies
  • c28ef00 Merge pull request #463 from fluxcd/go-git-bc-tag
  • da9a7b7 go-git: transform revision for last observed tag
  • 0009fda Merge pull request #404 from fluxcd/commit-string-fmt
  • db0daab git: make LastObservedCommit backwards compatible
  • 3fb1b65 git: tidy code around digests
  • b097686 git: align tests and code with commit fmt change
  • 24a228c git: change Commit#String format
  • da2a476 Merge pull request #462 from fluxcd/event-digest-key
  • 7053ad7 apis/event: add MetaDigestKey
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/testserver from 0.7.0 to 0.8.0

Commits
  • 7ef01b0 Merge pull request #442 from blurpy/feature/git_bearer_token
  • 659695f Add back support for passphrase protected ssh keys
  • 767e771 Validate that basic auth and bearer token cannot be set at the same time
  • cbf091c Add test to verify that username from Secret is preferred
  • b6c6888 Refactor of NewAuthOptions to only fill the auth options that are relevant
  • fef9d6a Add more test scenarios for NewAuthOptions
  • 9b9b723 Validate that bearer token is not used over http
  • 04d0d48 Add some quick tests of basic auth in client.validateUrl()
  • a451505 Support specifying bearerToken for git http token authentication.
  • bfb6385 Merge pull request #448 from fluxcd/e2e-ux
  • Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.34.2 to 1.36.0

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.36.0

1.36.0

Features

  • new: make collection-related matchers Go 1.23 iterator aware [4c964c6]

Maintenance

  • Replace min/max helpers with built-in min/max [ece6872]
  • Fix some typos in docs [8e924d7]

v1.35.1

1.35.1

Fixes

  • Export EnforceDefaultTimeoutsWhenUsingContexts and DisableDefaultTimeoutsWhenUsingContext [ca36da1]

v1.35.0

1.35.0

Features

  • You can now call EnforceDefaultTimeoutsWhenUsingContexts() to have Eventually honor the default timeout when passed a context. (prior to this you had to explicitly add a timeout) [e4c4265]
  • You can call StopTrying(message).Successfully() to abort a Consistently early without failure [eeca931]

Fixes

  • Stop memoizing the result of HaveField to avoid unexpected errors when used with async assertions. [3bdbc4e]

Maintenance

  • Bump all dependencies [a05a416]

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.36.0

Features

  • new: make collection-related matchers Go 1.23 iterator aware [4c964c6]

Maintenance

  • Replace min/max helpers with built-in min/max [ece6872]
  • Fix some typos in docs [8e924d7]

1.35.1

Fixes

  • Export EnforceDefaultTimeoutsWhenUsingContexts and DisableDefaultTimeoutsWhenUsingContext [ca36da1]

1.35.0

Features

  • You can now call EnforceDefaultTimeoutsWhenUsingContexts() to have Eventually honor the default timeout when passed a context. (prior to this you had to explicitly add a timeout) [e4c4265]
  • You can call StopTrying(message).Successfully() to abort a Consistently early without failure [eeca931]

Fixes

  • Stop memoizing the result of HaveField to avoid unexpected errors when used with async assertions. [3bdbc4e]

Maintenance

  • Bump all dependencies [a05a416]

Commits
  • f1ff459 v1.36.0
  • 4c964c6 new: make collection-related matchers Go 1.23 iterator aware
  • ece6872 Replace min/max helpers with built-in min/max
  • 8e924d7 Fix some typos in docs
  • 9f5a208 v1.35.1
  • ca36da1 Export EnforceDefaultTimeoutsWhenUsingContexts and DisableDefaultTimeoutsWhen...
  • d6331f9 v1.35.0
  • 5deaf23 fix tests, but like actually this time
  • eeca931 Add Successfully() to StopTrying() to signal that Consistently can end early ...
  • 3bdbc4e stop memoizing result of HaveField
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.31.0 to 0.32.0

Commits
  • 285e1cf go.mod: update golang.org/x dependencies
  • d0a1049 route: remove unused sizeof* consts on freebsd
  • 6e41410 http2: fix benchmarks using common frame read/write functions
  • 4be1253 route: change from syscall to x/sys/unix
  • bc37675 http2: limit number of PINGs bundled with RST_STREAMs
  • e9cd716 route: fix parse of zero-length sockaddrs in RIBs
  • 9a51899 http2: add SETTINGS_ENABLE_CONNECT_PROTOCOL support
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-deps group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) | `0.3.2` | `0.3.5` |
| [github.com/fluxcd/cli-utils](https://github.com/fluxcd/cli-utils) | `0.36.0-flux.9` | `0.36.0-flux.10` |
| [github.com/fluxcd/pkg/apis/acl](https://github.com/fluxcd/pkg) | `0.3.0` | `0.4.0` |
| [github.com/fluxcd/pkg/apis/event](https://github.com/fluxcd/pkg) | `0.10.1` | `0.11.0` |
| [github.com/fluxcd/pkg/apis/kustomize](https://github.com/fluxcd/pkg) | `1.6.1` | `1.7.0` |
| [github.com/fluxcd/pkg/apis/meta](https://github.com/fluxcd/pkg) | `1.6.1` | `1.7.0` |
| [github.com/fluxcd/pkg/http/fetch](https://github.com/fluxcd/pkg) | `0.12.1` | `0.13.0` |
| [github.com/fluxcd/pkg/kustomize](https://github.com/fluxcd/pkg) | `1.13.0` | `1.14.0` |
| [github.com/fluxcd/pkg/runtime](https://github.com/fluxcd/pkg) | `0.49.1` | `0.50.0` |
| [github.com/fluxcd/pkg/tar](https://github.com/fluxcd/pkg) | `0.8.1` | `0.9.0` |
| [github.com/fluxcd/pkg/testserver](https://github.com/fluxcd/pkg) | `0.7.0` | `0.8.0` |



Updates `github.com/cyphar/filepath-securejoin` from 0.3.2 to 0.3.5
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md)
- [Commits](cyphar/filepath-securejoin@v0.3.2...v0.3.5)

Updates `github.com/fluxcd/cli-utils` from 0.36.0-flux.9 to 0.36.0-flux.10
- [Commits](fluxcd/cli-utils@v0.36.0-flux.9...v0.36.0-flux.10)

Updates `github.com/fluxcd/pkg/apis/acl` from 0.3.0 to 0.4.0
- [Commits](fluxcd/pkg@tar/v0.3.0...tar/v0.4.0)

Updates `github.com/fluxcd/pkg/apis/event` from 0.10.1 to 0.11.0
- [Commits](fluxcd/pkg@runtime/v0.10.1...git/v0.11.0)

Updates `github.com/fluxcd/pkg/apis/kustomize` from 1.6.1 to 1.7.0
- [Commits](fluxcd/pkg@apis/meta/v1.6.1...apis/meta/v1.7.0)

Updates `github.com/fluxcd/pkg/apis/meta` from 1.6.1 to 1.7.0
- [Commits](fluxcd/pkg@apis/meta/v1.6.1...apis/meta/v1.7.0)

Updates `github.com/fluxcd/pkg/http/fetch` from 0.12.1 to 0.13.0
- [Commits](fluxcd/pkg@git/v0.12.1...git/v0.13.0)

Updates `github.com/fluxcd/pkg/kustomize` from 1.13.0 to 1.14.0
- [Commits](fluxcd/pkg@kustomize/v1.13.0...kustomize/v1.14.0)

Updates `github.com/fluxcd/pkg/runtime` from 0.49.1 to 0.50.0
- [Commits](fluxcd/pkg@runtime/v0.49.1...runtime/v0.50.0)

Updates `github.com/fluxcd/pkg/tar` from 0.8.1 to 0.9.0
- [Commits](fluxcd/pkg@ssh/v0.8.1...git/v0.9.0)

Updates `github.com/fluxcd/pkg/testserver` from 0.7.0 to 0.8.0
- [Commits](fluxcd/pkg@git/v0.7.0...git/v0.8.0)

Updates `github.com/onsi/gomega` from 1.34.2 to 1.36.0
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.34.2...v1.36.0)

Updates `golang.org/x/net` from 0.31.0 to 0.32.0
- [Commits](golang/net@v0.31.0...v0.32.0)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/cli-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/pkg/apis/acl
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/pkg/apis/event
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/pkg/apis/kustomize
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/pkg/apis/meta
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/pkg/http/fetch
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/pkg/kustomize
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/pkg/runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/pkg/tar
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/fluxcd/pkg/testserver
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency label Dec 6, 2024
Contributor Author

dependabot bot commented on behalf of github Dec 6, 2024

Looks like these dependencies are no longer updatable, so this is no longer needed.

@dependabot dependabot bot closed this Dec 6, 2024
@dependabot dependabot bot deleted the dependabot/go_modules/go-deps-32241692fd branch December 6, 2024 14:41