Bump the gomod group across 1 directory with 10 updates #784

Merged
adityasaky merged 1 commit into main from dependabot/go_modules/gomod-3e964c6fb6
Apr 8, 2026

@dependabot dependabot bot commented on behalf of github Apr 7, 2026

Bumps the gomod group with 4 updates in the / directory: github.com/go-git/go-git/v5, github.com/go-openapi/runtime, github.com/sigstore/cosign/v3 and github.com/sigstore/protobuf-specs.

Updates github.com/go-git/go-git/v5 from 5.17.1 to 5.17.2

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.2

What's Changed

⚠️ This release fixes a bug (go-git/go-git#1942) that blocked some users from upgrading to v5.17.1. Thanks @pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

Commits
  • 45ae193 Merge pull request #1944 from go-git/fix-perms
  • fda4f74 storage: filesystem/dotgit, Skip writing pack files that already exist on disk
  • 2212dc7 Merge pull request #1941 from go-git/renovate/releases/v5.x-go-github.qkg1.top-go-...
  • ebb2d7d build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY]
  • See full diff in compare view

Updates github.com/go-openapi/runtime from 0.29.2 to 0.29.3

Release notes

Sourced from github.com/go-openapi/runtime's releases.

v0.29.3

0.29.3 - 2026-03-08

Full Changelog: go-openapi/runtime@v0.29.2...v0.29.3

27 commits in this release.


Fixed bugs

Documentation

Code quality

  • chore: updated dependencies (removed mongodb indirect dependency) by @fredbi in #399 ...

Miscellaneous tasks

Updates

... (truncated)

Commits
  • b00b2f1 chore: prepare release v0.29.3
  • b5088b8 ci: fixed dropped trivy release - updated shared workflow
  • c9809a6 docs: add FAQ from resolved GitHub issues (#403)
  • 3d599d6 build(deps): bump the development-dependencies group across 2 directories wit...
  • 3b063c0 chore: updated dependencies (removed mongodb indirect dependency) (#399)
  • f9c40d3 build(deps): bump the other-dependencies group with 3 updates
  • adabde2 build(deps): bump the go-openapi-dependencies group with 6 updates
  • 2e68776 build(deps): bump the go-openapi-dependencies group with 2 updates
  • bb7e2f0 build(deps): bump the go-openapi-dependencies group with 2 updates
  • b3119ae build(deps): bump the go-openapi-dependencies group with 2 updates
  • Additional commits viewable in compare view

Updates github.com/go-openapi/strfmt from 0.25.0 to 0.26.0

Release notes

Sourced from github.com/go-openapi/strfmt's releases.

v0.26.0

0.26.0 - 2026-03-07

Dropped mongodb dependency - Kept backward-compatibility

Full Changelog: go-openapi/strfmt@v0.25.0...v0.26.0

43 commits in this release.


Documentation

Code quality

Testing

Miscellaneous tasks

Updates

... (truncated)

Commits
  • 189f0cc chore: prepare release v0.26.0
  • 8d2d66c test: updated testify/v2 (#226)
  • 397a475 build(deps): bump filippo.io/edwards25519 in /internal/testintegration (#221)
  • 56a7663 ci: fix coverage reporting for integration tests (#225)
  • f309793 build(deps): bump the development-dependencies group across 2 directories wit...
  • 435a1e4 refactor: decouple mongodb driver from root module (#222)
  • 7304ce1 Test/integration mariadb (#220)
  • 8b27f48 chore: reverted go requirement back to go1.24 (#219)
  • 6a4afe0 chore: doc, lint, test (#218)
  • cd99722 doc: updated contributors file
  • Additional commits viewable in compare view

Updates github.com/go-openapi/swag/conv from 0.25.4 to 0.25.5

Release notes

Sourced from github.com/go-openapi/swag/conv's releases.

v0.25.5

0.25.5 - 2026-03-02

Full Changelog: go-openapi/swag@v0.25.4...v0.25.5

16 commits in this release.


Documentation

Code quality

Testing

Miscellaneous tasks

Updates


People who contributed to this release


... (truncated)

Commits
  • 86905cc chore: prepare release v0.25.5
  • 345f85b doc: updated docs, links (#180)
  • 01b074b ci: updated ci workflows (#179)
  • 607decd build(deps): bump the go-openapi-dependencies group across 15 directories wit...
  • 4924f95 doc: updated contributors file
  • 281942d test: upgraded tests to use generics (#176)
  • b9f9e45 test: upgraded to go-openapi/testify@v2.3.0 (#175)
  • b7e96e1 ci: upgraded shared workflows (fixed secret propagation, fuzz matrix) (#174)
  • 236d975 ci: upgraded shared workflows (fixes mono-repo releases) (#173)
  • fd4d373 build(deps): bump the development-dependencies group across 2 directories wit...
  • Additional commits viewable in compare view

Updates github.com/sigstore/cosign/v3 from 3.0.4 to 3.0.6

Release notes

Sourced from github.com/sigstore/cosign/v3's releases.

v3.0.6

Changelog

v3.0.6 resolves GHSA-w6c6-c85g-mmv6. This release also adds support for signing with OpenBao-managed keys.

  • f1ad3ee952313be5d74a49d67ba0aa8d0d5e351f Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) (#4801)
  • a09afa97480a0a4a20ad6314600598b7bddc8c0c Handle whitespace-only certificate annotation (#4760)
  • 5a38a6d3368f0286ef214c3fd81388c99b3444b8 fix(sign): closing SignerVerifier too early when signing with a security key (#4761)
  • 2290a593c9f5b300322b83e1f2a632953aeb840c Disallow --new-bundle-format and --rfc3161-timestamp (#4762)
  • 36f40082f3c507e131cb9d926b75b36606160483 support managed keys in conformance testing (#4728)
  • 3274cf98c6a2c2fc12618edfa26612e8a071820a Add support for GCE metadata server env var (#4732)
  • 2e9754aa80a54fe7062a63debe12ae2b11b87e5a fix: preserve per-layer annotations in WriteAttestationsReferrer (#4709)
  • dece2753067e2da18c5e0a0060e0de59fedee0b0 Fix parsing of in-toto for string predicates
  • bd4f0fde48c16d2c55ad82acf34166a39be262a8 Mark batch of flags for deprecation (#4698)
  • 9b259ff6b690c0f0844893016cd23c2c250124f2 disallow key and cert identity being used together during verification (#4636)
  • 95eb1c3155b7ad11cc443c5a26f37eeede244e66 support key creation in GitLab group (#4704)

Thanks to all contributors!

v3.0.5

v3.0.5 resolves a low-severity advisory for private PKIs.

Deprecations

  • Deprecate rekor-entry-type flag (#4691)
  • Deprecate cosign triangulate (#4676)
  • Deprecate cosign copy (#4681)

Features

  • Automatically require signed timestamp with Rekor v2 entries (#4666)
  • Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
  • Add mTLS support for TSA client connections when signing with a signing config (#4620)
  • Enforce TSA requirement for Rekor v2, Fulcio signing (#4683)

Bug Fixes

  • Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
  • fix: avoid panic on malformed attestation payload (#4651)
  • fix: avoid panic on malformed tlog entries (#4649)
  • fix: avoid panic on malformed replace payload (#4653)
  • Gracefully fail if bundle payload body is not a string (#4648)
  • Verify validity of chain rather than just certificate (#4663)
  • fix: avoid panic on malformed tlog entry body (#4652)

Documentation

  • docs(cosign): clarify RFC3161 revocation semantics (#4642)

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign/v3's changelog.

v3.0.5

Deprecations

  • Deprecate rekor-entry-type flag (#4691)
  • Deprecate cosign triangulate (#4676)
  • Deprecate cosign copy (#4681)

Features

  • Automatically require signed timestamp with Rekor v2 entries (#4666)
  • Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
  • Add mTLS support for TSA client connections when signing with a signing config (#4620)
  • Enforce TSA requirement for Rekor v2, Fulcio signing (#4683)

Bug Fixes

  • Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
  • fix: avoid panic on malformed attestation payload (#4651)
  • fix: avoid panic on malformed tlog entries (#4649)
  • fix: avoid panic on malformed replace payload (#4653)
  • Gracefully fail if bundle payload body is not a string (#4648)
  • Verify validity of chain rather than just certificate (#4663)
  • fix: avoid panic on malformed tlog entry body (#4652)

Documentation

  • docs(cosign): clarify RFC3161 revocation semantics (#4642)
  • Fix typo in CLI help (#4701)

Updates github.com/sigstore/protobuf-specs from 0.5.0 to 0.5.1

Changelog

Sourced from github.com/sigstore/protobuf-specs's changelog.

v0.5.1

  • Add ML-DSA-44 algorithm identifier (#860)
Commits
  • 3001afe Bump ts to v0.5.1 for new release (#874)
  • f68ef15 build(deps): bump the actions-deps group with 2 updates (#873)
  • 9859358 build(deps): bump gradle-wrapper in /java in the java-deps group (#866)
  • 51546ad build(deps): bump ts-proto from 2.11.2 to 2.11.5 in /protoc-builder/hack in t...
  • 8bb3cb3 build(deps): bump the docker-refs group (#867)
  • 9dfb871 Update GRPC_GATEWAY_COMMIT in versions.mk (#864)
  • 80abc3f build(deps): bump the rust-deps group across 1 directory with 3 updates (#869)
  • c24db24 build(deps): bump homebrew/core/protobuf from 33.4 to 34.1 in /protoc-builder...
  • 6a50d86 Update GOOGLEAPIS_COMMIT in versions.mk (#863)
  • a2cbebd Bump packages for 0.5.1, bump deps (#862)
  • Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.5.0 to 1.5.1

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.5.1

Changelog

  • 2d46808ce98c3dd26158364ae28f4c49921c9b0d optimize memory for DSSE v0.0.1 processing (#2766)
  • 6de110d1deb7fa2d9145584fd9446608ce1a777c return correct errors in rare failure situations (#2753)
  • 7ff7c692f51d6060c6eebba0480536f5ba28abb5 raise error if decoding hash fails during inclusion proof (#2754)

Thanks for all contributors!

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.5.1

Features

  • optimize memory for DSSE v0.0.1 processing (#2766)

Bug Fixes

  • Type assert the entry bundle when verifying inclusion proof (#2755)
  • return correct errors in rare failure situations (#2753)
  • raise error if decoding hash fails during inclusion proof (#2754)
Commits
  • bb573aa build(deps): Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#2773)
  • 6188957 build(deps): Bump google.golang.org/api from 0.264.0 to 0.269.0 (#2770)
  • f76fb2a build(deps): Bump github/codeql-action in the all group (#2772)
  • ae85b80 build(deps): Bump github.com/redis/go-redis/v9 from 9.17.3 to 9.18.0 (#2769)
  • 9836e32 build(deps): Bump the all group with 11 updates (#2768)
  • b81ecd3 build(deps): Bump gocloud.dev from 0.40.0 to 0.44.0 (#2757)
  • 2d46808 optimize memory for DSSE v0.0.1 processing (#2766)
  • bd11cb9 build(deps): Bump go.step.sm/crypto from 0.74.0 to 0.76.2 (#2760)
  • c302fdb build(deps): Bump github.com/secure-systems-lab/go-securesystemslib (#2758)
  • 3444350 build(deps): Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#2763)
  • Additional commits viewable in compare view

Updates github.com/sigstore/sigstore from 1.10.4 to 1.10.5

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.10.5

What's Changed

Full Changelog: sigstore/sigstore@v1.10.4...v1.10.5

Commits
  • c90de3e chore: mention openbao being supported as well (#2313) (#2313)
  • b377f8f chore: Project-wide linting (#2310)
  • 295d656 build(deps): Bump the all group across 1 directory with 3 updates (#2296)
  • c731032 (kms/hashivault): add openbao support (#2303)
  • b56c866 fix: eliminate usage of text/template (#2288)
  • 1d8faff build(deps): Bump github.com/aws/aws-sdk-go-v2/config (#2286)
  • 4ac5776 build(deps): Bump github.com/letsencrypt/boulder (#2282)
  • 36276e8 build(deps): Bump golang.org/x/crypto from 0.44.0 to 0.47.0 (#2258)
  • 59887c9 build(deps): Bump the all group across 1 directory with 2 updates (#2278)
  • 1e85403 build(deps): Bump dexidp/dex in /test/e2e in the all group (#2279)
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.47.0 to 0.49.0

Commits
  • 982eaa6 go.mod: update golang.org/x dependencies
  • 159944f ssh,acme: clean up tautological/impossible nil conditions
  • a408498 acme: only require prompt if server has terms of service
  • cab0f71 all: upgrade go directive to at least 1.25.0 [generated]
  • 2f26647 x509roots/fallback: update bundle
  • e08b067 go.mod: update golang.org/x dependencies
  • 7d0074c scrypt: fix panic on parameters <= 0
  • See full diff in compare view

Updates golang.org/x/oauth2 from 0.35.0 to 0.36.0

Commits
  • 4d954e6 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps the gomod group with 4 updates in the / directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git), [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime), [github.com/sigstore/cosign/v3](https://github.com/sigstore/cosign) and [github.com/sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs).


Updates `github.com/go-git/go-git/v5` from 5.17.1 to 5.17.2
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.17.1...v5.17.2)

Updates `github.com/go-openapi/runtime` from 0.29.2 to 0.29.3
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](go-openapi/runtime@v0.29.2...v0.29.3)

Updates `github.com/go-openapi/strfmt` from 0.25.0 to 0.26.0
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](go-openapi/strfmt@v0.25.0...v0.26.0)

Updates `github.com/go-openapi/swag/conv` from 0.25.4 to 0.25.5
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](go-openapi/swag@v0.25.4...v0.25.5)

Updates `github.com/sigstore/cosign/v3` from 3.0.4 to 3.0.6
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v3.0.4...v3.0.6)

Updates `github.com/sigstore/protobuf-specs` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/sigstore/protobuf-specs/releases)
- [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md)
- [Commits](sigstore/protobuf-specs@v0.5.0...v0.5.1)

Updates `github.com/sigstore/rekor` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.5.0...v1.5.1)

Updates `github.com/sigstore/sigstore` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.4...v1.10.5)

Updates `golang.org/x/crypto` from 0.47.0 to 0.49.0
- [Commits](golang/crypto@v0.47.0...v0.49.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/runtime
  dependency-version: 0.29.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/go-openapi/strfmt
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: github.com/go-openapi/swag/conv
  dependency-version: 0.25.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/cosign/v3
  dependency-version: 3.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/protobuf-specs
  dependency-version: 0.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and go labels Apr 7, 2026
@gittuf-app-beta

Observed review from adityasaky+8928778 (@adityasaky)

@adityasaky adityasaky merged commit 666efd5 into main Apr 8, 2026
8 checks passed
@adityasaky adityasaky deleted the dependabot/go_modules/gomod-3e964c6fb6 branch April 8, 2026 13:52