Update go modules (release-v0.7) (patch) #3146
base: release-v0.7
@@ -3,37 +3,37 @@ module github.com/conforma/cli | |
| go 1.25.9 | ||
|
|
||
| require ( | ||
| cuelang.org/go v0.16.0 | ||
| cuelang.org/go v0.16.1 | ||
| github.com/CycloneDX/cyclonedx-go v0.10.0 | ||
| github.com/MakeNowJust/heredoc v1.0.0 | ||
| github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a | ||
| github.com/conforma/go-gather v1.0.2 | ||
| github.com/docker/docker v28.5.2+incompatible | ||
| github.com/enterprise-contract/enterprise-contract-controller/api v0.1.257 | ||
| github.com/enterprise-contract/enterprise-contract-controller/api v0.1.281 | ||
| github.com/evanphx/json-patch v5.9.11+incompatible | ||
| github.com/gkampitakis/go-snaps v0.5.19 | ||
| github.com/go-git/go-git/v5 v5.17.1 | ||
| github.com/gkampitakis/go-snaps v0.5.22 | ||
| github.com/go-git/go-git/v5 v5.17.2 | ||
| github.com/go-logr/logr v1.4.3 | ||
| github.com/go-openapi/strfmt v0.26.1 | ||
| github.com/go-openapi/strfmt v0.26.4 | ||
| github.com/google/go-cmp v0.7.0 | ||
| github.com/google/go-containerregistry v0.21.5 | ||
| github.com/google/go-containerregistry v0.21.7 | ||
| github.com/google/safearchive v0.0.0-20241025131057-f7ce9d7b6f9c | ||
| github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b | ||
| github.com/in-toto/in-toto-golang v0.10.0 | ||
| github.com/jstemmer/go-junit-report/v2 v2.1.0 | ||
| github.com/konflux-ci/application-api v0.0.0-20240812090716-e7eb2ecfb409 | ||
| github.com/leanovate/gopter v0.2.11 | ||
| github.com/mattn/go-isatty v0.0.20 | ||
| github.com/mattn/go-isatty v0.0.22 | ||
| github.com/mitchellh/go-wordwrap v1.0.1 | ||
| github.com/open-policy-agent/conftest v0.66.0 | ||
| github.com/open-policy-agent/opa v1.15.2 | ||
| github.com/package-url/packageurl-go v0.1.3 | ||
| github.com/package-url/packageurl-go v0.1.6 | ||
|
[info] API contract / breaking change risk
The package-url/packageurl-go upgrade from v0.1.3 to v0.1.6 is a patch-level increment within the v0.1.x line. The codebase uses stable PURL specification primitives in internal/rego/purl/purl.go. Very low risk.
||
| github.com/qri-io/jsonpointer v0.1.1 | ||
| github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.10.0 | ||
| github.com/sigstore/cosign/v2 v2.4.1 | ||
| github.com/secure-systems-lab/go-securesystemslib v0.11.0 | ||
|
[low] api-contract
go-securesystemslib bumped from v0.10.0 to v0.11.0 (minor version in 0.x range). This library is used directly for DSSE envelope handling and encrypted key operations in signature verification paths. Minor 0.x bumps may include breaking API changes. CI should catch compilation failures, but behavioral changes in signature verification would not be caught by compilation alone.

[low] API contract / breaking change risk
The PR bumps secure-systems-lab/go-securesystemslib from v0.10.0 to v0.11.0, which is a minor version bump under pre-v1 semver. The dsse subpackage is imported in 13 Go source files and the encrypted subpackage in acceptance/rekor/rekor.go. If v0.11.0 introduced breaking changes to these packages, compilation or runtime failures could result. Suggested fix: Verify CI builds and tests pass with this version. Check go-securesystemslib v0.11.0 changelog for breaking changes in dsse and encrypted packages.

[low] API contract / version skew
The PR updates go-securesystemslib from v0.10.0 to v0.11.0 in the root go.mod but leaves acceptance/go.mod at v0.10.0. The two modules import different sub-packages (root uses dsse, acceptance uses only encrypted), so the type-mismatch risk across module boundaries is minimal. For consistency, consider updating acceptance/go.mod to v0.11.0 as well.

[low] API contract / breaking change risk
The PR title states (patch) but secure-systems-lab/go-securesystemslib is being bumped from v0.10.0 to v0.11.0, which is a minor version increment (pre-v1 semver). This library's dsse subpackage is directly imported in 13 source files. Verify the v0.11.0 changelog does not contain breaking changes to the dsse or encrypted subpackages. Suggested fix: Verify that the go-securesystemslib v0.11.0 changelog does not contain breaking changes to the dsse or encrypted subpackages. CI passing is sufficient evidence.
||
| github.com/sigstore/cosign/v2 v2.4.3 | ||
| github.com/sigstore/rekor v1.5.0 | ||
| github.com/sigstore/sigstore v1.10.5 | ||
| github.com/sigstore/sigstore v1.10.8 | ||
| github.com/sirupsen/logrus v1.9.4 | ||
| github.com/smarty/cproxy/v2 v2.1.1 | ||
| github.com/spdx/tools-golang v0.5.7 | ||
|
|
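Review bot: the PR title says (patch), but this hunk bumps github.com/secure-systems-lab/go-securesystemslib from v0.10.0 to v0.11.0, a minor bump under pre-1.0 semver, alongside the github.com/sigstore/cosign/v2 v2.4.1 to v2.4.3 and github.com/sigstore/sigstore v1.10.5 to v1.10.8 bumps that sit on the signature verification path; a green CI compile shows the API still fits but says nothing about changed verification behaviour, so a sentence in the PR description naming which signature and attestation tests exercised the new versions would help. Separately, the direct requirement on github.com/google/go-containerregistry moves from v0.21.5 to v0.21.7 while the replace directive in the next hunk still pins the conforma fork at a v0.20.7 tag, so this require change has no effect on what is built; either drop it or update the fork.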
@@ -48,19 +48,19 @@ require ( | |
| github.com/testcontainers/testcontainers-go/modules/registry v0.34.0 | ||
| golang.org/x/benchmarks v0.0.0-20241115175113-a2b48b605b42 | ||
| golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 | ||
| golang.org/x/net v0.53.0 | ||
| golang.org/x/sync v0.20.0 | ||
| k8s.io/apiextensions-apiserver v0.35.4 | ||
| k8s.io/apimachinery v0.35.4 | ||
| k8s.io/client-go v0.35.4 | ||
| golang.org/x/net v0.56.0 | ||
| golang.org/x/sync v0.21.0 | ||
| k8s.io/apiextensions-apiserver v0.35.6 | ||
| k8s.io/apimachinery v0.35.6 | ||
| k8s.io/client-go v0.35.6 | ||
| k8s.io/klog/v2 v2.130.1 | ||
| k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 | ||
| oras.land/oras-go/v2 v2.6.0 | ||
| sigs.k8s.io/yaml v1.6.0 | ||
| ) | ||
|
|
||
| // use forked version until we can get the fixes merged see https://github.com/conforma/go-containerregistry/blob/main/hack/ec-patches.sh for a list of patches we carry | ||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20250703195040-6f40a3734728 | ||
| replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7 | ||
|
|
||
| // Force moby/go-archive to v0.1.0 for compatibility with docker/docker v28.5.2 | ||
| // v0.2.0 removed archive.Compression type which docker still uses | ||
|
|
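Review bot: the replace line moves the conforma/go-containerregistry pin from the commit-pinned pseudo-version v0.20.7-0.20250703195040-6f40a3734728 to the bare tag v0.20.7, and the comment above it says the fork exists to carry the patches listed in hack/ec-patches.sh; nothing in the PR says whether the fork's v0.20.7 tag contains the same patches as the previously pinned commit, so please confirm that (diffing the two revisions of the fork is enough) and state it in the description, since a tag that lags the pinned commit would silently drop the carried fixes. The k8s.io/* moves from v0.35.4 to v0.35.6, golang.org/x/net v0.53.0 to v0.56.0 and golang.org/x/sync v0.20.0 to v0.21.0 are within patch scope.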
@@ -76,7 +76,6 @@ require ( | |
| cloud.google.com/go/monitoring v1.24.3 // indirect | ||
| cloud.google.com/go/storage v1.61.3 // indirect | ||
| dario.cat/mergo v1.0.2 // indirect | ||
| filippo.io/edwards25519 v1.1.0 // indirect | ||
| github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.15.0 // indirect | ||
| github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect | ||
| github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect | ||
|
|
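Review bot: the removal of filippo.io/edwards25519 v1.1.0 from the indirect block should be the output of go mod tidy rather than a hand edit; because a cryptography module disappears from the graph in the same PR that bumps cosign, sigstore and go-securesystemslib, please state in the description that go mod tidy was run and that go.sum lost the matching entries, so reviewers know no other indirect requirement was dropped by mistake.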
@@ -191,7 +190,7 @@ require ( | |
| github.com/felixge/httpsnoop v1.0.4 // indirect | ||
| github.com/fsnotify/fsnotify v1.9.0 // indirect | ||
| github.com/fxamacker/cbor/v2 v2.9.0 // indirect | ||
| github.com/gkampitakis/ciinfo v0.3.2 // indirect | ||
| github.com/gkampitakis/ciinfo v0.3.4 // indirect | ||
| github.com/go-akka/configuration v0.0.0-20200606091224-a002c0330665 // indirect | ||
| github.com/go-chi/chi/v5 v5.2.4 // indirect | ||
| github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect | ||
|
|
@@ -202,7 +201,7 @@ require ( | |
| github.com/go-logr/stdr v1.2.2 // indirect | ||
| github.com/go-ole/go-ole v1.2.6 // indirect | ||
| github.com/go-openapi/analysis v0.24.3 // indirect | ||
| github.com/go-openapi/errors v0.22.7 // indirect | ||
| github.com/go-openapi/errors v0.22.8 // indirect | ||
| github.com/go-openapi/jsonpointer v0.22.5 // indirect | ||
| github.com/go-openapi/jsonreference v0.21.5 // indirect | ||
| github.com/go-openapi/loads v0.23.3 // indirect | ||
|
|
@@ -221,10 +220,11 @@ require ( | |
| github.com/go-openapi/swag/typeutils v0.25.5 // indirect | ||
| github.com/go-openapi/swag/yamlutils v0.25.5 // indirect | ||
| github.com/go-openapi/validate v0.25.2 // indirect | ||
| github.com/go-piv/piv-go/v2 v2.4.0 // indirect | ||
| github.com/go-viper/mapstructure/v2 v2.5.0 // indirect | ||
| github.com/gobwas/glob v0.2.3 // indirect | ||
| github.com/goccy/go-json v0.10.5 // indirect | ||
| github.com/goccy/go-yaml v1.18.0 // indirect | ||
| github.com/goccy/go-yaml v1.19.2 // indirect | ||
| github.com/gogo/protobuf v1.3.2 // indirect | ||
| github.com/golang-jwt/jwt/v4 v4.5.2 // indirect | ||
| github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect | ||
|
|
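Review bot: github.com/go-piv/piv-go/v2 v2.4.0 appears here as a new indirect requirement. Its piv package needs cgo and a PC/SC library at build time, so please confirm it is only present in the module graph (presumably pulled in by one of the sigstore bumps in the first hunk) and is not linked into the CLI binary, otherwise the release build gains a native dependency. The github.com/goccy/go-yaml v1.18.0 to v1.19.2 move is a minor bump of an indirect YAML parser; naming the direct dependency that pulled it would help, since parser changes can alter how policy inputs are read.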
@@ -272,7 +272,7 @@ require ( | |
| github.com/logrusorgru/aurora v2.0.3+incompatible // indirect | ||
| github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect | ||
| github.com/magiconair/properties v1.8.10 // indirect | ||
| github.com/maruel/natural v1.1.1 // indirect | ||
| github.com/maruel/natural v1.3.0 // indirect | ||
| github.com/mattn/go-colorable v0.1.14 // indirect | ||
| github.com/mattn/go-runewidth v0.0.19 // indirect | ||
| github.com/miekg/dns v1.1.61 // indirect | ||
|
|
@@ -327,9 +327,12 @@ require ( | |
| github.com/shirou/gopsutil/v3 v3.23.12 // indirect | ||
| github.com/shoenig/go-m1cpu v0.1.6 // indirect | ||
| github.com/shteou/go-ignore v0.3.1 // indirect | ||
| github.com/sigstore/fulcio v1.6.3 // indirect | ||
| github.com/sigstore/fulcio v1.6.6 // indirect | ||
| github.com/sigstore/protobuf-specs v0.5.0 // indirect | ||
| github.com/sigstore/timestamp-authority v1.2.2 // indirect | ||
| github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect | ||
| github.com/sigstore/sigstore-go v1.1.4 // indirect | ||
| github.com/sigstore/timestamp-authority v1.2.9 // indirect | ||
| github.com/sigstore/timestamp-authority/v2 v2.0.3 // indirect | ||
| github.com/skeema/knownhosts v1.3.1 // indirect | ||
| github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect | ||
| github.com/spf13/cast v1.10.0 // indirect | ||
|
|
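Review bot: two major versions of github.com/sigstore/timestamp-authority now coexist in the graph (v1.2.9 and v2.0.3), and github.com/sigstore/rekor-tiles/v2 v2.0.1 and github.com/sigstore/sigstore-go v1.1.4 are new indirect requirements. All of these sit on the transparency-log and timestamp verification path, so they widen the body of code that decides whether a signature is accepted; a line in the PR description naming the direct dependency that introduced them (presumably the cosign/v2 or sigstore bump in the first hunk) and confirming that the v1 timestamp-authority module is still required rather than a leftover would make the change easier to audit.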
@@ -340,7 +343,8 @@ require ( | |
| github.com/tchap/go-patricia/v2 v2.3.3 // indirect | ||
| github.com/thales-e-security/pool v0.0.2 // indirect | ||
| github.com/theupdateframework/go-tuf v0.7.0 // indirect | ||
| github.com/tidwall/gjson v1.18.0 // indirect | ||
| github.com/theupdateframework/go-tuf/v2 v2.4.1 // indirect | ||
| github.com/tidwall/gjson v1.19.0 // indirect | ||
| github.com/tidwall/match v1.1.1 // indirect | ||
| github.com/tidwall/pretty v1.2.1 // indirect | ||
| github.com/tidwall/sjson v1.2.5 // indirect | ||
|
|
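Review bot: github.com/theupdateframework/go-tuf v0.7.0 and the new github.com/theupdateframework/go-tuf/v2 v2.4.1 now coexist as indirect requirements. TUF is the mechanism for fetching the trust material that signature verification relies on, so having two client major versions in the graph deserves a sentence in the PR on which transitive dependency still needs v0.7.0; the github.com/tidwall/gjson v1.18.0 to v1.19.0 bump is a routine minor update of an indirect JSON query library.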
@@ -349,19 +353,21 @@ require ( | |
| github.com/tklauser/numcpus v0.6.1 // indirect | ||
| github.com/tmccombs/hcl2json v0.6.7 // indirect | ||
| github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 // indirect | ||
| github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c // indirect | ||
| github.com/transparency-dev/merkle v0.0.2 // indirect | ||
| github.com/ulikunitz/xz v0.5.15 // indirect | ||
| github.com/valyala/fastjson v1.6.7 // indirect | ||
| github.com/vbatts/tar-split v0.12.2 // indirect | ||
| github.com/vektah/gqlparser/v2 v2.5.32 // indirect | ||
| github.com/x448/float16 v0.8.4 // indirect | ||
| github.com/xanzy/go-gitlab v0.109.0 // indirect | ||
| github.com/xanzy/ssh-agent v0.3.3 // indirect | ||
| github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect | ||
| github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect | ||
| github.com/yashtewari/glob-intersection v0.2.0 // indirect | ||
| github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect | ||
| github.com/yusufpapurcu/wmi v1.2.3 // indirect | ||
| github.com/zclconf/go-cty v1.16.2 // indirect | ||
| gitlab.com/gitlab-org/api/client-go v0.123.0 // indirect | ||
| go.opentelemetry.io/auto/sdk v1.2.1 // indirect | ||
| go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect | ||
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect | ||
|
|
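Review bot: please confirm that no direct import of github.com/xanzy/go-gitlab remains in the tree, because its indirect requirement (v0.109.0) is dropped here in favour of gitlab.com/gitlab-org/api/client-go v0.123.0; a stale import would only surface as a build failure, which CI will show, but the swap also changes which library handles GitLab credentials, so it merits a mention in the description. The new github.com/transparency-dev/formats and github.com/transparency-dev/merkle indirect requirements provide the checkpoint and Merkle-proof handling used by the tile-based log packages added in the previous sigstore hunk, which is consistent with the cosign bump.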
@@ -379,20 +385,19 @@ require ( | |
| go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect | ||
| go.opentelemetry.io/otel/trace v1.43.0 // indirect | ||
| go.opentelemetry.io/proto/otlp v1.10.0 // indirect | ||
| go.step.sm/crypto v0.74.0 // indirect | ||
| go.uber.org/automaxprocs v1.6.0 // indirect | ||
| go.uber.org/multierr v1.11.0 // indirect | ||
| go.uber.org/zap v1.28.0 // indirect | ||
| go.yaml.in/yaml/v2 v2.4.3 // indirect | ||
| go.yaml.in/yaml/v3 v3.0.4 // indirect | ||
| golang.org/x/crypto v0.50.0 // indirect | ||
| golang.org/x/mod v0.35.0 // indirect | ||
| golang.org/x/crypto v0.53.0 // indirect | ||
| golang.org/x/mod v0.36.0 // indirect | ||
| golang.org/x/oauth2 v0.36.0 // indirect | ||
| golang.org/x/sys v0.43.0 // indirect | ||
| golang.org/x/term v0.42.0 // indirect | ||
| golang.org/x/text v0.36.0 // indirect | ||
| golang.org/x/sys v0.46.0 // indirect | ||
| golang.org/x/term v0.44.0 // indirect | ||
| golang.org/x/text v0.38.0 // indirect | ||
| golang.org/x/time v0.15.0 // indirect | ||
| golang.org/x/tools v0.44.0 // indirect | ||
| golang.org/x/tools v0.45.0 // indirect | ||
| gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect | ||
| google.golang.org/api v0.271.0 // indirect | ||
| google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect | ||
|
|
@@ -405,7 +410,7 @@ require ( | |
| gopkg.in/ini.v1 v1.67.1 // indirect | ||
| gopkg.in/warnings.v0 v0.1.2 // indirect | ||
| gopkg.in/yaml.v3 v3.0.1 // indirect | ||
| k8s.io/api v0.35.4 // indirect | ||
| k8s.io/api v0.35.6 // indirect | ||
| k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect | ||
| knative.dev/pkg v0.0.0-20260318013857-98d5a706d4fd // indirect | ||
| olympos.io/encoding/edn v0.0.0-20201019073823-d3554ca0b0a3 // indirect | ||
|
|
||
[low] api-contract
packageurl-go bumped from v0.1.3 to v0.1.6 (multiple releases in 0.x range). This is a direct dependency used for PURL parsing in policy evaluation. Changes to PURL parsing behavior could affect policy evaluation results without causing build failures.