build(deps): bump the go group with 10 updates #220

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/go-350364619e
@dependabot dependabot Bot commented on behalf of github Jun 14, 2026

Bumps the go group with 10 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/fluxcd/pkg/apis/meta | 1.29.0 | 1.30.0 |
| github.com/fluxcd/pkg/runtime | 0.108.0 | 0.110.0 |
| github.com/fluxcd/pkg/ssa | 0.75.0 | 0.76.0 |
| github.com/pb33f/libopenapi | 0.37.3 | 0.38.0 |
| helm.sh/helm/v3 | 3.21.0 | 3.21.1 |
| k8s.io/api | 0.36.1 | 0.36.2 |
| k8s.io/apiextensions-apiserver | 0.36.1 | 0.36.2 |
| k8s.io/apimachinery | 0.36.1 | 0.36.2 |
| k8s.io/client-go | 0.36.1 | 0.36.2 |
| oras.land/oras-go/v2 | 2.6.0 | 2.6.1 |

Updates github.com/fluxcd/pkg/apis/meta from 1.29.0 to 1.30.0

Commits
  • 3f9f27f Merge pull request #1243 from fluxcd/release-main
  • bc3dd2c Prepare for release
  • d19e060 Merge pull request #1242 from fluxcd/upgrade-deps
  • 5778c6b Upgrade Kubernetes to 1.36.1
  • 5a7f3ce Merge pull request #1240 from fluxcd/release-main
  • ceb5e00 Prepare for release
  • 23ca4f5 Merge pull request #1241 from Iam-Karan-Suresh/impersonator-test
  • 3d21e81 test: adding test cases for impersonator
  • a12b6e8 Merge pull request #1239 from fluxcd/oci-created
  • c635f88 oci: set created timestamp in the config
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/runtime from 0.108.0 to 0.110.0

Commits
  • 3f9f27f Merge pull request #1243 from fluxcd/release-main
  • bc3dd2c Prepare for release
  • d19e060 Merge pull request #1242 from fluxcd/upgrade-deps
  • 5778c6b Upgrade Kubernetes to 1.36.1
  • 5a7f3ce Merge pull request #1240 from fluxcd/release-main
  • ceb5e00 Prepare for release
  • 23ca4f5 Merge pull request #1241 from Iam-Karan-Suresh/impersonator-test
  • 3d21e81 test: adding test cases for impersonator
  • a12b6e8 Merge pull request #1239 from fluxcd/oci-created
  • c635f88 oci: set created timestamp in the config
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/ssa from 0.75.0 to 0.76.0

Commits
  • 3f9f27f Merge pull request #1243 from fluxcd/release-main
  • bc3dd2c Prepare for release
  • d19e060 Merge pull request #1242 from fluxcd/upgrade-deps
  • 5778c6b Upgrade Kubernetes to 1.36.1
  • 5a7f3ce Merge pull request #1240 from fluxcd/release-main
  • ceb5e00 Prepare for release
  • 23ca4f5 Merge pull request #1241 from Iam-Karan-Suresh/impersonator-test
  • 3d21e81 test: adding test cases for impersonator
  • a12b6e8 Merge pull request #1239 from fluxcd/oci-created
  • c635f88 oci: set created timestamp in the config
  • Additional commits viewable in compare view

Updates github.com/pb33f/libopenapi from 0.37.3 to 0.38.0

Release notes

Sourced from github.com/pb33f/libopenapi's releases.

v0.38.0

Improves parse/index performance and memory use with lazy SpecInfo JSON generation, lower-allocation node indexing, faster component-path conversion, and reduced goroutine overhead in small translation/schema paths.

Adds SkipMetadataCollection for consumers that do not need diagnostic index metadata, allowing faster/lighter parsing for large documents.

Tightens YAML handling around duplicate keys, merge/root errors, empty overlays, and YAML v4 rc.5 rendering behavior.

Fixes OpenAPI 3.0 webhooks extraction so same-named scalar values no longer create empty webhook maps.

Improves change detection and generator metadata fidelity, including anchor-insensitive YAML comparisons and preserved/inferred YAML tags for generated enum/const metadata.

@​asadtariq96

Commits
  • 73ef933 coverage bump
  • bac2b0e upgrade YAML APIs
  • dfe2eb2 update deps
  • 6c72b83 bump coverage on arazzo
  • 68a6d17 fix: hold exclusive lock while building legacy node map
  • 6019ccc fix borked windows test
  • 4a22282 perf: lazy SpecInfo JSON, SkipMetadataCollection, and hot-path allocation cuts
  • ee5ec7c fix(v3): don't inject empty webhooks for OpenAPI 3.0 docs with same-named scalar
  • 29d9ea8 Bump golang.org/x/sync from 0.20.0 to 0.21.0
  • See full diff in compare view

Updates helm.sh/helm/v3 from 3.21.0 to 3.21.1

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.21.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • Fixed nil pointer panic that could happen with helm template in ClientOnly flows. Now correctly returns a template error helm/helm#31920
  • Bumped golang.org/x/net to v0.55.0 to address GO-2026-5026 #32152
  • Bumped Go from 1.25 to 1.26 #32168
  • Dependency version updates

Installation and Upgrading

Download Helm v3.21.1. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.2.2 and 3.21.2 are the next patch releases scheduled for July 8, 2026
  • 4.3.0 and 3.22.0 are the next minor releases scheduled for September 9, 2026

Changelog

  • fix(action): avoid nil REST client getter panic when installing CRDs c56dd0095fd76da5d7b30ecdf506103e7f26745e (sergiochan)
  • fix(registry): keep credentials on plain-HTTP fallback with oras-go v2.6.1 702529f90a0021e4d9df4880d6589198ec0e05f7 (Terry Howe)
  • chore(deps): bump oras.land/oras-go/v2 from 2.6.0 to 2.6.1 178e120e16f5d61f769ee2c56a0d2a45ab7303bd (dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 dcf35f86551322d93c1cb695f08435b3287e5ad0 (dependabot[bot])
  • chore(deps): bump golang.org/x/term from 0.43.0 to 0.44.0 44aff8bf51809ec9f8a906d050818776cd47b264 (dependabot[bot])
  • chore(deps): bump golang.org/x/text from 0.37.0 to 0.38.0 ae2f31f5a7d0cd789ca9fd83a6a2fe5fc7c3a1a3 (dependabot[bot])

... (truncated)

Commits
  • c56dd00 fix(action): avoid nil REST client getter panic when installing CRDs
  • 702529f fix(registry): keep credentials on plain-HTTP fallback with oras-go v2.6.1
  • 178e120 chore(deps): bump oras.land/oras-go/v2 from 2.6.0 to 2.6.1
  • dcf35f8 chore(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0
  • 44aff8b chore(deps): bump golang.org/x/term from 0.43.0 to 0.44.0
  • ae2f31f chore(deps): bump golang.org/x/text from 0.37.0 to 0.38.0
  • 402225f Update .github/env
  • 00eac21 ci: bump golangci-lint to v2.11.3 for go 1.26
  • bec346a chore: bump go to 1.26
  • 58b6ccf chore(deps): bump github.com/lib/pq from 1.11.2 to 1.12.3
  • Additional commits viewable in compare view

Updates k8s.io/api from 0.36.1 to 0.36.2

Commits

Updates k8s.io/apiextensions-apiserver from 0.36.1 to 0.36.2

Commits

Updates k8s.io/apimachinery from 0.36.1 to 0.36.2

Commits

Updates k8s.io/client-go from 0.36.1 to 0.36.2

Commits

Updates oras.land/oras-go/v2 from 2.6.0 to 2.6.1

Release notes

Sourced from oras.land/oras-go/v2's releases.

v2.6.1

This is a security patch release addressing five advisories in the authentication, remote, and content layers, plus accumulated bug fixes and maintenance since v2.6.0.

Security Fixes

  • Drop the Authorization header on cross-origin redirects to prevent origin credentials leaking to a redirect target on a different scheme/port of the same host (GHSA-vh4v-2xq2-g5cg)
  • Validate the bearer realm host before sending credentials to prevent credential exfiltration to an attacker-controlled token service, including TLS downgrades and IP-literal metadata endpoints; adds TrustedRealmHosts (GHSA-28r5-37g7-p6mp, GHSA-xf85-363p-868w)
  • Validate the Location host before blob upload to prevent credentials being forwarded to a cross-host upload endpoint (SSRF / CWE-918) (#1152, GHSA-jxpm-75mh-9fp7)
  • Reject descriptor sizes exceeding 32 MiB in content.ReadAll to prevent a crafted OCI layout from triggering a makeslice panic and crashing the process (#1153, GHSA-f36w-mj3v-6jqv)
  • Resolve symlinks when enforcing the workingDir write boundary in content/file, blocking writes that escape the boundary via a symlinked path component when AllowPathTraversalOnWrite=false

Bug Fixes

  • graph.Memory should use digest as map key (#1095)
  • Fix credentials key for the Docker registry-1 host (#966)
  • Support an empty credentials file (#959)

Other Changes

  • Add GitOps release workflow with goreleaser (#1161)
  • Shift the Go support window to [1.24, 1.25] (#991)
  • Run go modernize (#1005)
  • Sync CODEOWNERS and OWNERS.md from main to v2 (#1122)
  • Remove scripts reference from the Makefile (#960)
  • Bump golang.org/x/sync 0.14.0 → 0.20.0 (#971, #978, #1001, #1037, #1078, #1121)
  • Bump GitHub Actions: actions/checkout 4→5 (#989), actions/setup-go 5→6 (#998), actions/stale 9→10 (#997), github/codeql-action 3→4 (#1016)

Commits
  • 47b7c80 release: v2.6.1 (#1195)
  • 3c2e884 Merge commit from fork
  • cc323e5 Merge commit from fork
  • 7a9f4b0 Merge commit from fork
  • d593d50 feat: add gitops release workflow with goreleaser (#1161)
  • 5fd67f9 fix(content): reject descriptor sizes exceeding 32 MiB in ReadAll (#1153)
  • 4683c46 fix: validate Location host before blob upload to prevent credential leak (#1...
  • 4a3e611 build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 (#1121)
  • 00de1f0 chore: sync CODEOWNERS and OWNERS.md from main to v2 (#1122)
  • d7b6f8e fix: graph.Memory should use digest as map key (#1095)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go group with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/fluxcd/pkg/apis/meta](https://github.com/fluxcd/pkg) | `1.29.0` | `1.30.0` |
| [github.com/fluxcd/pkg/runtime](https://github.com/fluxcd/pkg) | `0.108.0` | `0.110.0` |
| [github.com/fluxcd/pkg/ssa](https://github.com/fluxcd/pkg) | `0.75.0` | `0.76.0` |
| [github.com/pb33f/libopenapi](https://github.com/pb33f/libopenapi) | `0.37.3` | `0.38.0` |
| [helm.sh/helm/v3](https://github.com/helm/helm) | `3.21.0` | `3.21.1` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.36.1` | `0.36.2` |
| [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) | `0.36.1` | `0.36.2` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.36.1` | `0.36.2` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.36.1` | `0.36.2` |
| [oras.land/oras-go/v2](https://github.com/oras-project/oras-go) | `2.6.0` | `2.6.1` |


Updates `github.com/fluxcd/pkg/apis/meta` from 1.29.0 to 1.30.0
- [Commits](fluxcd/pkg@apis/meta/v1.29.0...apis/meta/v1.30.0)

Updates `github.com/fluxcd/pkg/runtime` from 0.108.0 to 0.110.0
- [Commits](fluxcd/pkg@runtime/v0.108.0...runtime/v0.110.0)

Updates `github.com/fluxcd/pkg/ssa` from 0.75.0 to 0.76.0
- [Commits](fluxcd/pkg@ssa/v0.75.0...ssa/v0.76.0)

Updates `github.com/pb33f/libopenapi` from 0.37.3 to 0.38.0
- [Release notes](https://github.com/pb33f/libopenapi/releases)
- [Commits](pb33f/libopenapi@v0.37.3...v0.38.0)

Updates `helm.sh/helm/v3` from 3.21.0 to 3.21.1
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.21.0...v3.21.1)

Updates `k8s.io/api` from 0.36.1 to 0.36.2
- [Commits](kubernetes/api@v0.36.1...v0.36.2)

Updates `k8s.io/apiextensions-apiserver` from 0.36.1 to 0.36.2
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](kubernetes/apiextensions-apiserver@v0.36.1...v0.36.2)

Updates `k8s.io/apimachinery` from 0.36.1 to 0.36.2
- [Commits](kubernetes/apimachinery@v0.36.1...v0.36.2)

Updates `k8s.io/client-go` from 0.36.1 to 0.36.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.36.1...v0.36.2)

Updates `oras.land/oras-go/v2` from 2.6.0 to 2.6.1
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](oras-project/oras-go@v2.6.0...v2.6.1)

---
updated-dependencies:
- dependency-name: github.com/fluxcd/pkg/apis/meta
  dependency-version: 1.30.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/fluxcd/pkg/runtime
  dependency-version: 0.110.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/fluxcd/pkg/ssa
  dependency-version: 0.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/pb33f/libopenapi
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.21.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: k8s.io/api
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: oras.land/oras-go/v2
  dependency-version: 2.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and go labels Jun 14, 2026
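
The first oras-go v2.6.1 security fix quoted above (dropping the Authorization header when a redirect changes scheme or port on the same host) rests on a full origin comparison. The Go sketch below is an added example, not code from oras-go or from this PR; the function names and the `registry.example` URLs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// effectivePort returns the explicit port, or the scheme default when absent.
func effectivePort(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	return map[string]string{"http": "80", "https": "443"}[u.Scheme]
}

// sameOrigin treats a scheme or port change on the same host as cross-origin.
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && strings.EqualFold(a.Hostname(), b.Hostname()) &&
		effectivePort(a) == effectivePort(b)
}

// stripAuthOnCrossOrigin (hypothetical name) is an http.Client CheckRedirect hook.
func stripAuthOnCrossOrigin(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // a custom hook replaces the default redirect cap
		return errors.New("stopped after 10 redirects")
	}
	if !sameOrigin(via[0].URL, req.URL) {
		req.Header.Del("Authorization")
	}
	return nil
}

// authAfterRedirect applies the hook to a constructed redirect, returns what is sent.
func authAfterRedirect(from, to string) string {
	orig, _ := http.NewRequest(http.MethodGet, from, nil)
	next, _ := http.NewRequest(http.MethodGet, to, nil)
	next.Header.Set("Authorization", "Bearer constructed-token")
	_ = stripAuthOnCrossOrigin(next, []*http.Request{orig})
	return next.Header.Get("Authorization")
}

func main() {
	for _, to := range []string{"https://registry.example:443/b", "http://registry.example/b"} {
		fmt.Printf("%s auth=%q\n", to, authAfterRedirect("https://registry.example/a", to))
	}
}
```

Install the hook with `http.Client{CheckRedirect: stripAuthOnCrossOrigin}`; comparing against `via[0]` ties the credential to the origin it was first issued for.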