Update go modules (main) (minor)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
github.com/CycloneDX/cyclonedx-go	v0.10.0 → v0.11.0					require	minor
github.com/conforma/go-containerregistry	6f40a37 → 3459088					replace	digest
github.com/daixiang0/gci	v0.13.7 → v0.14.0					require	minor
github.com/go-openapi/runtime	v0.29.2 → v0.32.4					require	minor
github.com/konflux-ci/application-api	e7eb2ec → dd8c9b1					require	digest
github.com/open-policy-agent/opa	v1.15.2 → v1.17.1					require	minor
github.com/pkg/diff	20ebb0f → 4e6772a					require	digest
github.com/secure-systems-lab/go-securesystemslib	v0.10.0 → v0.11.0					require	minor
github.com/sigstore/cosign/v3	v3.0.4 → v3.1.1					require	minor
github.com/sigstore/sigstore-go	v1.1.4 → v1.2.1					require	minor
github.com/tektoncd/chains	v0.26.2 → v0.27.1					require	minor
github.com/tektoncd/cli	v0.44.1 → v0.45.0					require	minor
github.com/testcontainers/testcontainers-go	v0.34.0 → v0.43.0					require	minor
github.com/testcontainers/testcontainers-go/modules/registry	v0.34.0 → v0.43.0					require	minor
github.com/wiremock/go-wiremock	v1.11.0 → v1.16.0					require	minor
golang.org/x/benchmarks	a2b48b6 → 3558132					require	digest
golang.org/x/exp	746e56f → c48552f					require	digest
golang.org/x/sync	v0.20.0 → v0.21.0					require	minor
golang.org/x/text	v0.36.0 → v0.38.0					require	minor
gotest.tools/gotestsum	v1.12.1 → v1.13.0					require	minor
k8s.io/api	v0.35.4 → v0.36.2					require	minor
k8s.io/apiextensions-apiserver	v0.35.4 → v0.36.2					require	minor
k8s.io/apimachinery	v0.35.4 → v0.36.2					require	minor
k8s.io/client-go	v0.35.4 → v0.36.2					require	minor
k8s.io/klog/v2	v2.130.1 → v2.140.0					require	minor
k8s.io/kube-openapi	589584f → bc653b6					require	digest
k8s.io/kubernetes	v1.34.2 → v1.36.2					require	minor
sigs.k8s.io/kind	v0.26.0 → v0.32.0					require	minor
sigs.k8s.io/kustomize/api	v0.20.1 → v0.21.1					require	minor
sigs.k8s.io/kustomize/kustomize/v5	v5.7.1 → v5.8.1					require	minor
sigs.k8s.io/kustomize/kyaml	v0.20.1 → v0.21.1					require	minor

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

CycloneDX/cyclonedx-go (github.com/CycloneDX/cyclonedx-go)

v0.11.0

Compare Source

Changelog

Building and Packaging

• 32221d4: build(deps): bump actions/setup-go from 6.2.0 to 6.4.0 (#​261) (@​dependabot[bot])
• a42a4dd: build(deps): bump gitpod/workspace-go from 08a7c68 to 00059ff (#​255) (@​dependabot[bot])
• 9810ab9: build(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.1 (#​263) (@​dependabot[bot])

Others

• 2cef056: Add comprehensive support for CycloneDX 1.7 specification (#​257) (@​alistair-mclean)
• 3ed34da: Added 5 missing fields to match CycloneDX 1.6 spec: (#​256) (@​alistair-mclean)

daixiang0/gci (github.com/daixiang0/gci)

v0.14.0

Compare Source

AST Support is Coming!

See details in #​241

Other Changes

• chore(deps): migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @​scop in #​240
• Add Go workspace support to LocalModule section by @​krostar in #​236
• feat(*): bump to 0.14 by @​daixiang0 in #​243

New Contributors

• @​scop made their first contribution in #​240
• @​krostar made their first contribution in #​236

Full Changelog: daixiang0/gci@v0.13.7...v0.14.0

go-openapi/runtime (github.com/go-openapi/runtime)

v0.32.4

Compare Source

0.32.4 - 2026-06-19

Full Changelog: go-openapi/runtime@v0.32.3...v0.32.4

10 commits in this release.

---

Fixed bugs

• fix(middleware): nil-guard param.Schema in UntypedRequestBinder map path by @​Copilot in #​488 ...

Documentation

• doc: updated contributors file by @​bot-go-openapi[bot] in #​483 ...

Miscellaneous tasks

• chore: prepare release v0.32.4 by @​bot-go-openapi[bot] in #​491 ...

Updates

• build(deps): bump github.com/go-openapi/spec from 0.22.5 to 0.22.6 in the go-openapi-dependencies group across 1 directory by @​dependabot[bot] in #​490 ...
• build(deps): bump the development-dependencies group with 2 updates by @​dependabot[bot] in #​489 ...
• build(deps): bump the go-openapi-dependencies group across 2 directories with 7 updates by @​dependabot[bot] in #​486 ...
• build(deps): bump golang.org/x/sync from 0.20.0 to 0.21.0 in the golang-org-dependencies group across 1 directory by @​dependabot[bot] in #​485 ...
• build(deps): bump the development-dependencies group with 9 updates by @​dependabot[bot] in #​484 ...
• build(deps): bump the go-openapi-dependencies group across 2 directories with 2 updates by @​dependabot[bot] in #​482 ...
• build(deps): bump the development-dependencies group with 10 updates by @​dependabot[bot] in #​481 ...

---

People who contributed to this release

• @​Copilot

---

runtime license terms

Per-module changes

---

client-middleware/opentracing (0.32.4)

Miscellaneous tasks

• chore: prepare release v0.32.4 by @​bot-go-openapi[bot] in #​491 ...

Updates

• build(deps): bump github.com/go-openapi/spec from 0.22.5 to 0.22.6 in the go-openapi-dependencies group across 1 directory by @​dependabot[bot] in #​490 ...
• build(deps): bump the go-openapi-dependencies group across 2 directories with 7 updates by @​dependabot[bot] in #​486 ...
• build(deps): bump golang.org/x/sync from 0.20.0 to 0.21.0 in the golang-org-dependencies group across 1 directory by @​dependabot[bot] in #​485 ...
• build(deps): bump the go-openapi-dependencies group across 2 directories with 2 updates by @​dependabot[bot] in #​482 ...

---

docs/examples (0.32.4)

Updates

• build(deps): bump github.com/go-openapi/spec from 0.22.5 to 0.22.6 in the go-openapi-dependencies group across 1 directory by @​dependabot[bot] in #​490 ...
• build(deps): bump the go-openapi-dependencies group across 2 directories with 7 updates by @​dependabot[bot] in #​486 ...
• build(deps): bump golang.org/x/sync from 0.20.0 to 0.21.0 in the golang-org-dependencies group across 1 directory by @​dependabot[bot] in #​485 ...
• build(deps): bump the go-openapi-dependencies group across 2 directories with 2 updates by @​dependabot[bot] in #​482 ...

v0.32.3

Compare Source

0.32.3 - 2026-06-02

Full Changelog: go-openapi/runtime@v0.32.2...v0.32.3

6 commits in this release.

---

Implemented enhancements

• feat(ci): added shared workflow for bot-pr monitoring by @​fredbi ...

Documentation

• doc: updated contributors file by @​bot-go-openapi[bot] in #​478 ...

Miscellaneous tasks

• chore: prepare release v0.32.3 by @​bot-go-openapi[bot] in #​480 ...
• chore: updated dependencies by @​fredbi in #​479 ...

Updates

• build(deps): bump the other-dependencies group across 2 directories with 3 updates by @​dependabot[bot] in #​477 ...
• build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @​dependabot[bot] in #​476 ...

---

People who contributed to this release

• @​fredbi

---

runtime license terms

Per-module changes

---

client-middleware/opentracing (0.32.3)

Miscellaneous tasks

• chore: prepare release v0.32.3 by @​bot-go-openapi[bot] in #​480 ...
• chore: updated dependencies by @​fredbi in #​479 ...

Updates

• build(deps): bump the other-dependencies group across 2 directories with 3 updates by @​dependabot[bot] in #​477 ...
• build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @​dependabot[bot] in #​476 ...

---

docs/examples (0.32.3)

Miscellaneous tasks

• chore: updated dependencies by @​fredbi in #​479 ...

Updates

• build(deps): bump the other-dependencies group across 2 directories with 3 updates by @​dependabot[bot] in #​477 ...
• build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @​dependabot[bot] in #​476 ...

v0.32.2

Compare Source

0.32.2 - 2026-05-27

Full Changelog: go-openapi/runtime@v0.32.1...v0.32.2

2 commits in this release.

---

Fixed bugs

• fix(client): added a guard to avoid the client to panic by @​fredbi in #​474 ...

Miscellaneous tasks

• chore: prepare release v0.32.2 by @​bot-go-openapi[bot] in #​475 ...

---

People who contributed to this release

• @​fredbi

---

runtime license terms

Per-module changes

---

client-middleware/opentracing (0.32.2)

Miscellaneous tasks

• chore: prepare release v0.32.2 by @​bot-go-openapi[bot] in #​475 ...

v0.32.1

Compare Source

0.32.1 - 2026-05-25

Full Changelog: go-openapi/runtime@v0.32.0...v0.32.1

3 commits in this release.

---

Documentation

• doc: documented SkipAuth feature with build tag by @​fredbi in #​472 ...

Code quality

• refactor(client): promote ContextualTransport to runtime package by @​fredbi in #​471 ...

Miscellaneous tasks

• chore: prepare release v0.32.1 by @​bot-go-openapi[bot] in #​473 ...

---

People who contributed to this release

• @​fredbi

---

runtime license terms

Per-module changes

---

client-middleware/opentracing (0.32.1)

Miscellaneous tasks

• chore: prepare release v0.32.1 by @​bot-go-openapi[bot] in #​473 ...

v0.32.0

Compare Source

0.32.0 - 2026-05-25

Full Changelog: go-openapi/runtime@v0.31.0...v0.32.0

8 commits in this release.

---

Fixed bugs

• refactor(client/otel): pivot OpenTelemetry transport to SubmitContext by @​fredbi ...
• fix(middleware): bind formData file params from urlencoded bodies by @​fredbi ...

Documentation

• doc: updated contributors file by @​bot-go-openapi[bot] in #​468 ...

Code quality

• ci: add unsafe-skipauth tagged-build workflow with coverage by @​fredbi ...
• feat(middleware): build-tag-gated SetSkipAuth for dev-mode auth bypass by @​fredbi ...

Miscellaneous tasks

• chore: prepare release v0.32.0 by @​bot-go-openapi[bot] in #​470 ...

Updates

• build(deps): bump the go-openapi-dependencies group across 4 directories with 2 updates by @​dependabot[bot] in #​467 ...

Other (technical)

• Fix/3113 file urlencoded by @​fredbi in #​469 ...

---

People who contributed to this release

• @​fredbi

---

runtime license terms

Per-module changes

---

client-middleware/opentracing (0.32.0)

Miscellaneous tasks

• chore: prepare release v0.32.0 by @​bot-go-openapi[bot] in #​470 ...

Updates

• build(deps): bump the go-openapi-dependencies group across 4 directories with 2 updates by @​dependabot[bot] in #​467 ...

---

docs/examples (0.32.0)

Miscellaneous tasks

• chore: prepare release v0.32.0 by @​bot-go-openapi[bot] in #​470 ...

Updates

• build(deps): bump the go-openapi-dependencies group across 4 directories with 2 updates by @​dependabot[bot] in #​467 ...

---

server-middleware (0.32.0)

Updates

• build(deps): bump the go-openapi-dependencies group across 4 directories with 2 updates by @​dependabot[bot] in #​467 ...

v0.31.0

Compare Source

0.31.0 - 2026-05-17

Full Changelog: go-openapi/runtime@v0.30.0...v0.31.0

33 commits in this release.

---

Implemented enhancements

• feat(client): TLS diagnostic mode for Runtime.Trace by @​fredbi ...
• feat(client): add Runtime.Trace for connection-level diagnostics by @​fredbi ...

Fixed bugs

• fix(client): strip CR/LF from multipart filename and field name by @​fredbi ...
• fix(middleware): cap filename length on untyped formData uploads by @​fredbi ...
• fix: CA cert pool should be cloned not returned as pointer by @​fredbi in #​455 ...
• fix: correct spelling of "Organ trail" to "Oregon Trail" in request tests by @​Copilot in #​449 ...
• fix(client/tls): correct PEM label and add Ed25519 key support by @​fredbi in #​452 ...

Documentation

• doc: fixup module layout by @​fredbi ...
• doc: trimmed deprecated functions from examples by @​fredbi in #​463 ...
• doc: updated contributors file by @​bot-go-openapi[bot] in #​460 ...
• doc: advertised doc site in README.md by @​fredbi in #​454 ...
• fix: correct two comment typos in client/internal/request/request.go by @​Copilot in #​450 ...
• docs(compression): deprecate ContentEncoding, add CAFxX recipe by @​fredbi in #​447 ...
• docs(keep-alive): add a thorough keep-alive primer by @​fredbi in #​445 ...

Code quality

• doc: godoc linting by @​fredbi in #​465 ...
• chore: cleanup linter config, reformat, optimized strings replacer by @​fredbi ...
• Fix/example request by @​fredbi in #​462 ...
• chore(relint): relint code base by @​fredbi in #​461 ...
• doc: doc site on github pages by @​fredbi in #​448 ...

Testing

• test: fix flaky assertion on httptrace by @​fredbi in #​456 ...

Miscellaneous tasks

• chore: prepare release v0.31.0 by @​bot-go-openapi[bot] in #​466 ...
• chore: remove binary by @​fredbi ...
• fix(ci): fix fuzzing workflow by @​fredbi ...

Security

• test(security): fuzz targets for BindForm parse + filename cap by @​fredbi ...
• test(security): fuzz targets for header-parsing surface by @​fredbi ...
• fix(negotiate/header): reject q-values greater than 1 by @​fredbi ...
• docs(security): document constant-time-comparison contract for auth callbacks by @​fredbi in #​457 ...
• feat(runtime): BindForm helper for multipart/urlencoded body binding by @​fredbi in #​446 ...

Updates

• build(deps): bump the development-dependencies group with 4 updates by @​dependabot[bot] in #​458 ...

Other (technical)

• Sec/lens3 multipart by @​fredbi in #​464 ...
• Sec/lens4 headers by @​fredbi in #​459 ...
• middleware/parameter.go: fix comment describing ParseForm fallback by @​Copilot in #​451 ...
• Feat/client httptrace by @​fredbi in #​453 ...

---

People who contributed to this release

• @​Copilot
• @​fredbi

---

New Contributors

• @​Copilot made their first contribution
  in #​451

---

runtime license terms

Per-module changes

---

client-middleware/opentracing (0.31.0)

Code quality

• chore(relint): relint code base by @​fredbi in #​461 ...
• doc: doc site on github pages by @​fredbi in #​448 ...

Miscellaneous tasks

• chore: prepare release v0.31.0 by @​bot-go-openapi[bot] in #​466 ...

---

docs/examples (0.31.0)

Documentation

• doc: fixup module layout by @​fredbi ...
• doc: trimmed deprecated functions from examples by @​fredbi in #​463 ...
• docs(compression): deprecate ContentEncoding, add CAFxX recipe by @​fredbi in #​447 ...

Code quality

• Fix/example request by @​fredbi in #​462 ...
• chore(relint): relint code base by @​fredbi in #​461 ...
• doc: doc site on github pages by @​fredbi in #​448 [...]

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 15 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.8 -> 1.26.0
github.com/cyphar/filepath-securejoin	v0.6.0 -> v0.6.1
github.com/docker/go-connections	v0.5.0 -> v0.6.0
github.com/lufia/plan9stats	v0.0.0-20240819163618-b1d8f4d146e7 -> v0.0.0-20251013123823-9fd1530e3ec3
github.com/tklauser/go-sysconf	v0.3.14 -> v0.3.16
github.com/tklauser/numcpus	v0.8.0 -> v0.11.0
golang.org/x/crypto	v0.49.0 -> v0.50.0
golang.org/x/mod	v0.33.0 -> v0.36.0
golang.org/x/net	v0.52.0 -> v0.53.0
golang.org/x/sys	v0.42.0 -> v0.43.0
golang.org/x/term	v0.41.0 -> v0.42.0
golang.org/x/text	v0.35.0 -> v0.36.0
google.golang.org/protobuf	v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/kube-openapi	v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils	v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/structured-merge-diff/v6	v6.3.0 -> v6.3.2

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 35 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.8 -> 1.26.0
golang.org/x/net	v0.52.0 -> v0.54.1-0.20260508232935-23ee2efe81a3
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	v1.30.0 -> v1.31.0
github.com/containerd/containerd/v2	v2.2.2 -> v2.2.3
github.com/decred/dcrd/dcrec/secp256k1/v4	v4.4.0 -> v4.4.1
github.com/docker/go-connections	v0.5.0 -> v0.6.0
github.com/goccy/go-json	v0.10.5 -> v0.10.6
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.7 -> v2.28.0
github.com/huandu/go-sqlbuilder	v1.39.1 -> v1.40.2
github.com/lestrrat-go/dsig	v1.0.0 -> v1.2.1
github.com/lestrrat-go/httprc/v3	v3.0.2 -> v3.0.5
github.com/lestrrat-go/jwx/v3	v3.0.13 -> v3.1.0
github.com/power-devops/perfstat	v0.0.0-20210106213030-5aafc221ea8c -> v0.0.0-20240221224432-82ca36839d55
github.com/prometheus/common	v0.67.4 -> v0.67.5
github.com/prometheus/procfs	v0.17.0 -> v0.20.1
github.com/stretchr/objx	v0.5.2 -> v0.5.3
github.com/tklauser/go-sysconf	v0.3.12 -> v0.3.16
github.com/tklauser/numcpus	v0.6.1 -> v0.11.0
github.com/valyala/fastjson	v1.6.7 -> v1.6.10
github.com/yusufpapurcu/wmi	v1.2.3 -> v1.2.4
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.63.0 -> v0.65.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.65.0 -> v0.68.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.40.0 -> v1.43.0
go.opentelemetry.io/proto/otlp	v1.9.0 -> v1.10.0
go.yaml.in/yaml/v2	v2.4.3 -> v2.4.4
golang.org/x/crypto	v0.49.0 -> v0.51.0
golang.org/x/mod	v0.33.0 -> v0.36.0
golang.org/x/sys	v0.42.0 -> v0.44.0
golang.org/x/term	v0.41.0 -> v0.43.0
golang.org/x/tools	v0.42.0 -> v0.45.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260226221140-a57be14db171 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/grpc	v1.79.3 -> v1.80.0
google.golang.org/protobuf	v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/utils	v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/structured-merge-diff/v6	v6.3.0 -> v6.3.2

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 48 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.8 -> 1.26.0
github.com/Masterminds/semver/v3	v3.4.0 -> v3.5.0
github.com/alecthomas/chroma/v2	v2.23.1 -> v2.24.1
github.com/ashanbrown/forbidigo/v2	v2.3.0 -> v2.3.1
github.com/ashanbrown/makezero/v2	v2.1.0 -> v2.2.1
github.com/bombsimon/wsl/v5	v5.6.0 -> v5.8.0
github.com/butuzov/ireturn	v0.4.0 -> v0.4.1
github.com/charmbracelet/colorprofile	v0.3.1 -> v0.4.3
github.com/charmbracelet/x/ansi	v0.10.1 -> v0.11.7
github.com/charmbracelet/x/term	v0.2.1 -> v0.2.2
github.com/clipperhouse/displaywidth	v0.6.0 -> v0.11.0
github.com/clipperhouse/uax29/v2	v2.3.0 -> v2.7.0
github.com/cyphar/filepath-securejoin	v0.6.0 -> v0.6.1
github.com/dlclark/regexp2	v1.11.5 -> v1.12.0
github.com/golangci/dupl	v0.0.0-20250308024227-f665c8d69b32 -> v0.0.0-20260401084720-c99c5cf5c202
github.com/hashicorp/go-version	v1.8.0 -> v1.9.0
github.com/jgautheron/goconst	v1.8.2 -> v1.10.0
github.com/lib/pq	v1.11.2 -> v1.12.3
github.com/lucasb-eyer/go-colorful	v1.3.0 -> v1.4.0
github.com/manuelarte/funcorder	v0.5.0 -> v0.6.0
github.com/mattn/go-runewidth	v0.0.19 -> v0.0.23
github.com/moby/spdystream	v0.5.0 -> v0.5.1
github.com/pelletier/go-toml/v2	v2.2.4 -> v2.3.1
github.com/prometheus/procfs	v0.17.0 -> v0.19.2
github.com/securego/gosec/v2	v2.24.8-0.20260309165252-619ce2117e08 -> v2.26.1
github.com/sourcegraph/go-diff	v0.7.0 -> v0.8.0
github.com/tetafro/godot	v1.5.4 -> v1.5.6
github.com/timakin/bodyclose	v0.0.0-20241222091800-1db5c5ca4d67 -> v0.0.0-20260129054331-73d1f95b84b4
github.com/uudashr/iface	v1.4.1 -> v1.4.2
go-simpler.org/sloglint	v0.11.1 -> v0.12.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.63.0 -> v0.65.0
golang.org/x/crypto	v0.49.0 -> v0.50.0
golang.org/x/exp	v0.0.0-20250911091902-df9299821621 -> v0.0.0-20251219203646-944ab1f22d93
golang.org/x/mod	v0.34.0 -> v0.35.0
golang.org/x/net	v0.52.0 -> v0.53.0
golang.org/x/sys	v0.42.0 -> v0.43.0
golang.org/x/term	v0.41.0 -> v0.42.0
golang.org/x/text	v0.35.0 -> v0.36.0
golang.org/x/tools	v0.43.0 -> v0.44.0
google.golang.org/protobuf	v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
gopkg.in/evanphx/json-patch.v4	v4.12.0 -> v4.13.0
k8s.io/klog/v2	v2.130.1 -> v2.140.0
k8s.io/kube-openapi	v0.0.0-20250710124328-f3f2b991d03b -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils	v0.0.0-20250820121507-0af2bda4dd1d -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/json	v0.0.0-20241014173422-cfa47c3a1cc8 -> v0.0.0-20250730193827-2d320260d730
sigs.k8s.io/kustomize/api	v0.20.1 -> v0.21.1
sigs.k8s.io/kustomize/cmd/config	v0.20.1 -> v0.21.1
sigs.k8s.io/kustomize/kyaml	v0.20.1 -> v0.21.1
sigs.k8s.io/structured-merge-diff/v6	v6.3.0 -> v6.3.2

File name: tools/kubectl/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 21 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.8 -> 1.26.0
github.com/moby/spdystream	v0.5.0 -> v0.5.1
github.com/prometheus/common	v0.66.1 -> v0.67.5
github.com/prometheus/procfs	v0.16.1 -> v0.19.2
github.com/spf13/cobra	v1.9.1 -> v1.10.2
github.com/spf13/pflag	v1.0.6 -> v1.0.9
go.yaml.in/yaml/v2	v2.4.2 -> v2.4.3
golang.org/x/net	v0.43.0 -> v0.49.0
golang.org/x/oauth2	v0.30.0 -> v0.34.0
golang.org/x/sync	v0.17.0 -> v0.19.0
golang.org/x/term	v0.34.0 -> v0.39.0
golang.org/x/text	v0.28.0 -> v0.33.0
google.golang.org/protobuf	v1.36.10 -> v1.36.12-0.20260120151049-f2248ac996af
gopkg.in/evanphx/json-patch.v4	v4.12.0 -> v4.13.0
k8s.io/klog/v2	v2.130.1 -> v2.140.0
k8s.io/kube-openapi	v0.0.0-20250710124328-f3f2b991d03b -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils	v0.0.0-20250604170112-4c0f3b243397 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/json	v0.0.0-20241014173422-cfa47c3a1cc8 -> v0.0.0-20250730193827-2d320260d730
sigs.k8s.io/kustomize/api	v0.20.1 -> v0.21.1
sigs.k8s.io/kustomize/kustomize/v5	v5.7.1 -> v5.8.1
sigs.k8s.io/kustomize/kyaml	v0.20.1 -> v0.21.1
sigs.k8s.io/structured-merge-diff/v6	v6.3.0 -> v6.3.2

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[medium] api-contract

Current pseudo-version pin references testcontainers-go PR #2899 fix. Verify this fix is included in v0.42.0 before removing the pin.

[fullsend-ai-review]

[low] pattern-inconsistency

Stale comment: states using unreleased version but v0.42.0 is a released version.

[fullsend-ai-review]

[low] pattern-inconsistency

Go directive remains at 1.25.8 while other three modules bump to 1.26.0. Verify if this inconsistency is intentional.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 4:12 PM UTC · Completed 4:23 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

[low] stale-reference

The comment on testcontainers-go reads using unreleased version but v0.42.0 is a released version. The comment is stale and misleading.

Suggested fix: Remove or update the comment to reflect that v0.42.0 is a released version that includes the fix.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 1:43 PM UTC · Completed 1:50 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

[low] stale-reference

The comment "// using unreleased version that contains the fix in testcontainers/testcontainers-go#2899" is stale. The dependency has been updated to v0.42.0, which is a released version. The comment is now misleading.

[fullsend-ai-review]

[low] api-contract

testcontainers-go jumps from v0.34 to v0.42.0 (8 minor versions). The codebase uses testcontainers.GenericContainer in acceptance/wiremock/wiremock.go, acceptance/git/git.go, and acceptance/registry/registry.go, which was deprecated in v0.35.0. Migration to the Run function should be planned as follow-up.

Suggested fix: After merging, plan migration from testcontainers.GenericContainer to testcontainers.Run in the three acceptance test files.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 7:10 PM UTC · Completed 7:18 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 10:00 PM UTC · Completed 10:10 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[high] API contract violation

The testcontainers-go update from v0.34.x to v0.42.0 is a major version jump. Source code confirms WithConfigModifier is used in benchmark/offliner/offliner.go (line 87) and benchmark/internal/registry/registry.go (line 154), and WithHostConfigModifier is used in benchmark/offliner/offliner.go (line 90) and benchmark/internal/registry/registry.go (line 131). GenericContainer is used in acceptance/registry/registry.go (line 112), acceptance/wiremock/wiremock.go (line 220), and acceptance/git/git.go (line 183). If these APIs were removed or changed in the v0.35-v0.42 range, compilation will fail.

Suggested fix: Verify that WithConfigModifier, WithHostConfigModifier, and GenericContainer still exist in testcontainers-go v0.42.0. Update or remove the stale 'unreleased version' comment. If these APIs were removed, update the Go source files to use the v0.42.0 replacements.

[fullsend-ai-review]

[low] API contract violation

CycloneDX/cyclonedx-go update from v0.10.0 to v0.11.0. Source code in benchmark/offliner/base_images.go uses cyclonedx.BOM, cyclonedx.NewBOMDecoder, cyclonedx.BOMFileFormatJSON, cyclonedx.ComponentTypeContainer, bom.Formulation, and property Name/Value access. Verify compatibility with v0.11.0.

[fullsend-ai-review]

[low] stale reference

The comment on the testcontainers-go line reads 'using unreleased version that contains the fix' but v0.42.0 is a proper release. The comment should be removed.

[fullsend-ai-review]

[low] stale reference

The replace directive forces moby/go-archive v0.2.0 to v0.1.0 with a comment about compatibility with docker/docker v28.5.2. If docker/docker is removed, this replace directive may be stale.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 10:00 PM UTC · Completed 10:08 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 9:18 PM UTC · Completed 9:26 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

[low] stale comment

The comment on testcontainers-go says 'using unreleased version that contains the fix' but the PR updates the version to v0.42.0, which is a proper release. The comment would be misleading after this update.

Suggested fix: Remove the comment or update it to note which release fixed the issue (e.g., '// fix for #2899 landed in v0.35+').

[fullsend-ai-review]

[low] go version inconsistency

The PR updates the go directive from 1.25.8 to 1.26.0 in acceptance, main, and tools/kubectl modules, but tools/go.mod stays at go 1.25.8. This creates a minor inconsistency across modules.

Suggested fix: Verify that tools/go.mod can remain at go 1.25.8 with its updated dependencies. If k8s.io/kubernetes v1.36.1 requires go 1.26.0, update tools/go.mod accordingly.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 5:19 PM UTC · Completed 5:36 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 9:11 PM UTC · Completed 9:18 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 6:56 PM UTC · Completed 7:05 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[low] version-skew

tools/go.mod keeps go 1.25.8 while the other three go.mod files are updated to go 1.26.0. While these are separate Go modules and unlikely to cause immediate issues, it is a hygiene concern.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 11:01 PM UTC · Completed 11:10 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:41 AM UTC · Completed 2:49 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 12:53 PM UTC · Completed 1:03 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 5:14 PM UTC · Completed 5:25 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 6:17 AM UTC · Completed 6:28 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[critical] API contract violation

testcontainers-go updated from v0.34 to v0.43.0. WithConfigModifier and WithHostConfigModifier were removed in v0.37.0. benchmark/offliner/offliner.go (lines 87, 90) and benchmark/internal/registry/registry.go (lines 131, 154) use these functions, causing compilation failures.

Suggested fix: Either keep testcontainers-go at a version < v0.37.0, or update the benchmark code to use testcontainers.CustomizeRequest instead of the removed modifier functions.

[fullsend-ai-review]

[critical] API contract violation

testcontainers-go in acceptance module updated from v0.34.0 to v0.43.0. GenericContainer and GenericContainerRequest removed in v0.37.0. Used in acceptance/git/git.go:183, acceptance/registry/registry.go:112, acceptance/wiremock/wiremock.go:220.

Suggested fix: Either keep testcontainers-go at a version < v0.37.0, or update all acceptance test code to use testcontainers.Run() and the new request builder pattern.

[fullsend-ai-review]

[medium] API contract violation

in-toto-golang updated from v0.10.0 to v0.11.0. For v0.x libraries, minor bumps can contain breaking changes. Codebase directly imports in_toto types across 17+ files including ProvenanceStatementSLSA02, ProvenanceStatementSLSA1, and Statement.

Suggested fix: Review in-toto-golang v0.11.0 changelog. Run go build ./... to confirm compilation succeeds.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 9:59 AM UTC · Completed 10:09 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 8:58 AM UTC · Completed 9:07 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[medium] stale-reference

The comment on the testcontainers-go dependency says using unreleased version but v0.43.0 is a released version, making the comment misleading.

Suggested fix: Remove or update the comment to reflect that v0.43.0 is a released version that includes the fix from PR #2899.

[fullsend-ai-review]

[low] api-contract

The go-containerregistry fork replace directive is updated to a new digest. Verify the new digest still carries all patches.

Suggested fix: Verify that the new fork digest still includes all patches from hack/ec-patches.sh.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 2:15 PM UTC · Completed 2:26 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 11:23 AM UTC · Completed 11:33 AM UTC
Commit: 47d3320 · View workflow run →