Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the backend group across 1 directory with 8 updates #3976

Closed
wants to merge 1 commit into from
Closed

Bump the backend group across 1 directory with 8 updates #3976

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 12, 2024
edited
Loading

Bumps the backend group with 7 updates in the / directory:

Package From To
github.com/aquasecurity/trivy 0.53.0 0.54.1
github.com/google/go-containerregistry 0.20.1 0.20.2
github.com/open-policy-agent/opa 0.67.0 0.67.1
github.com/tektoncd/pipeline 0.62.0 0.62.1
golang.org/x/crypto 0.25.0 0.26.0
golang.org/x/oauth2 0.21.0 0.22.0
google.golang.org/api 0.189.0 0.191.0

Updates github.com/aquasecurity/trivy from 0.53.0 to 0.54.1

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.54.1

Changelog

  • 854c61d34a550a9fcbab3bc59e55b868c15d1962 release: v0.54.1 [release/v0.54] (#7282)
  • 334a1c293bb3d490af2a6d80732f399efaac22f7 fix(flag): incorrect behavior for deprected flag --clear-cache [backport: release/v0.54] (#7285)
  • f61725c28b56d80fb46395479842a2ab0c517c5f fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
  • a7b7117fe2c9608e990b42e702cc83675c48f888 fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)

v0.54.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#7268

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0540-2024-07-30

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.54.1 (2024-07-31)

Bug Fixes

  • flag: incorrect behavior for deprected flag --clear-cache [backport: release/v0.54] (#7285) (334a1c2)
  • java: Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283) (f61725c)
  • plugin: do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279) (a7b7117)

0.54.0 (2024-07-30)

Features

Bug Fixes

  • Add dependencyManagement exclusions to the child exclusions (#6969) (dc68a66)
  • add missing platform and type to spec (#7149) (c8a7abd)
  • cli: error on missing config file (#7154) (7fa5e7d)
  • close file when failed to open gzip (#7164) (2a577a7)
  • dotnet: don't include non-runtime libraries into report for *.deps.json files (#7039) (5bc662b)
  • dotnet: show nuget package dir not found log only when checking nuget packages (#7194) (d76feba)
  • ignore nodes when listing permission is not allowed (#7107) (25f8143)
  • java: avoid panic if deps from pom in it dir are not found (#7245) (4e54a7e)
  • java: use go-mvn-version to remove Package duplicates (#7088) (a7a304d)
  • misconf: do not evaluate TF when a load error occurs (#7109) (f27c236)
  • nodejs: detect direct dependencies when using latest version for files yarn.lock + package.json (#7110) (54bb8bd)
  • report: hide empty table when all secrets/license/misconfigs are ignored (#7171) (c3036de)
  • secret: skip regular strings contain secret patterns (#7182) (174b1e3)
  • secret: trim excessively long lines (#7192) (92b13be)
  • secret: update length of hugging-face-access-token (#7216) (8c87194)
  • server: pass license categories to options (#7203) (9d52018)

Performance Improvements

... (truncated)

Commits
  • 854c61d release: v0.54.1 [release/v0.54] (#7282)
  • 334a1c2 fix(flag): incorrect behavior for deprected flag --clear-cache [backport: r...
  • f61725c fix(java): Return error when trying to find a remote pom to avoid segfault [b...
  • a7b7117 fix(plugin): do not call GitHub content API for releases and tags [backport: ...
  • ff403a3 release: v0.54.0 [main] (#7075)
  • b3ee4bc docs: update ecosystem page reporting with plopsec.com app (#7262)
  • 3b7aad3 chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#7136)
  • c2fd2e0 feat(vex): retrieve VEX attestations from OCI registries (#7249)
  • 4a2f492 feat(sbom): add image labels into SPDX and CycloneDX reports (#7257)
  • f198cf8 refactor(flag): return error if both --download-db-only and `--download-jav...
  • Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.20.1 to 0.20.2

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.2

What's Changed

Full Changelog: google/go-containerregistry@v0.20.1...v0.20.2

Commits

Updates github.com/open-policy-agent/opa from 0.67.0 to 0.67.1

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.67.1

This is a bug fix release addressing the following issue:

  • util+server: Fix bug around chunked request handling (#6906) authored by @​philipaconrad, reported by @​David-Wobrock. A request handling bug was introduced in (#6868), which caused OPA to treat all incoming chunked requests as if they had zero-length request bodies.
Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.67.1

This is a bug fix release addressing the following issue:

  • util+server: Fix bug around chunked request handling (#6906) authored by @​philipaconrad, reported by @​David-Wobrock. A request handling bug was introduced in (#6868), which caused OPA to treat all incoming chunked requests as if they had zero-length request bodies.
Commits

Updates github.com/tektoncd/pipeline from 0.62.0 to 0.62.1

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v0.62.1 "Birman HAL LTS"

-Docs @ v0.62.1 -Examples @ v0.62.1

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.62.1/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77a888f88120c037b3b7b9b3be97d8dd4ea1950235f44033f29dce4a1123992a3d9

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77a888f88120c037b3b7b9b3be97d8dd4ea1950235f44033f29dce4a1123992a3d9
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.62.1/release.yaml
REKOR_UUID=24296fb24b8ad77a888f88120c037b3b7b9b3be97d8dd4ea1950235f44033f29dce4a1123992a3d9
Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.62.1@sha256:" + .digest.sha256')
Download the release file
curl "$RELEASE_FILE" > release.yaml
For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

... (truncated)

Commits

Updates golang.org/x/crypto from 0.25.0 to 0.26.0

Commits
  • 5bcd010 go.mod: update golang.org/x dependencies
  • 3375612 ssh: add support for unpadded RSA signatures
  • bb80217 ssh: don't use dsa keys in integration tests
  • 6879722 ssh: remove go 1.21+ dependency on slices
  • e983fa2 sha3: Avo port of keccakf_amd64.s
  • 80fd972 LICENSE: update per Google Legal
  • f2bc3a6 x509roots/fallback/internal/goissue52287: delete
  • d66d9c3 x509roots/fallback: update bundle
  • See full diff in compare view

Updates golang.org/x/oauth2 from 0.21.0 to 0.22.0

Commits

Updates golang.org/x/text from 0.16.0 to 0.17.0

Commits

Updates google.golang.org/api from 0.189.0 to 0.191.0

Release notes

Sourced from google.golang.org/api's releases.

v0.191.0

0.191.0 (2024-08-07)

Features

Bug Fixes

  • Reference gax import in storage libs (#2720) (fffff7f)
  • transport: Disable automatic universe domain check (#2717) (f5b0bb5)

v0.190.0

0.190.0 (2024-08-01)

Features

Reverts

Changelog

Sourced from google.golang.org/api's changelog.

0.191.0 (2024-08-07)

Features

Bug Fixes

  • Reference gax import in storage libs (#2720) (fffff7f)
  • transport: Disable automatic universe domain check (#2717) (f5b0bb5)

0.190.0 (2024-08-01)

Features

Reverts

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the backend group across 1 directory with 8 updates
54a939f 
Bumps the backend group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) | `0.53.0` | `0.54.1` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.20.1` | `0.20.2` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `0.67.0` | `0.67.1` |
| [github.com/tektoncd/pipeline](https://github.com/tektoncd/pipeline) | `0.62.0` | `0.62.1` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.25.0` | `0.26.0` |
| [golang.org/x/oauth2](https://github.com/golang/oauth2) | `0.21.0` | `0.22.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.189.0` | `0.191.0` |



Updates `github.com/aquasecurity/trivy` from 0.53.0 to 0.54.1
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/v0.54.1/CHANGELOG.md)
- [Commits](aquasecurity/trivy@v0.53.0...v0.54.1)

Updates `github.com/google/go-containerregistry` from 0.20.1 to 0.20.2
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.20.1...v0.20.2)

Updates `github.com/open-policy-agent/opa` from 0.67.0 to 0.67.1
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.67.0...v0.67.1)

Updates `github.com/tektoncd/pipeline` from 0.62.0 to 0.62.1
- [Release notes](https://github.com/tektoncd/pipeline/releases)
- [Changelog](https://github.com/tektoncd/pipeline/blob/main/releases.md)
- [Commits](tektoncd/pipeline@v0.62.0...v0.62.1)

Updates `golang.org/x/crypto` from 0.25.0 to 0.26.0
- [Commits](golang/crypto@v0.25.0...v0.26.0)

Updates `golang.org/x/oauth2` from 0.21.0 to 0.22.0
- [Commits](golang/oauth2@v0.21.0...v0.22.0)

Updates `golang.org/x/text` from 0.16.0 to 0.17.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.16.0...v0.17.0)

Updates `google.golang.org/api` from 0.189.0 to 0.191.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.189.0...v0.191.0)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: github.com/tektoncd/pipeline
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Aug 12, 2024
@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Aug 19, 2024

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Aug 19, 2024
@dependabot dependabot bot deleted the dependabot/go_modules/backend-2104ae7c14 branch August 19, 2024 05:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants