chore(deps): update dependency carvel-dev/vendir to v0.42.0

[renovate]

This PR contains the following updates:

Package	Update	Change
carvel-dev/vendir	minor	0.41.0 -> 0.42.0

---

Release Notes

carvel-dev/vendir (carvel-dev/vendir)

v0.42.0

Compare Source

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

### Download the binary
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.42.0/vendir-linux-amd64

### Move the binary in to your PATH
mv vendir-linux-amd64 /usr/local/bin/vendir

### Make the binary executable
chmod +x /usr/local/bin/vendir

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install vendir
$ vendir version  

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

### Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.42.0/checksums.txt
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.42.0/checksums.txt.pem
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.42.0/checksums.txt.sig

### Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

### Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

Changelog

• 064b9c4 Allow additional CA certs to be supplied via vendir YAML when pulling an imgpkg bundle by @​100mik
• f6eaffe fix: avoid panic by checking response for nil by @​Zebradil

📂 Files Checksum

40afd08db3b1ee96350f1ab09bd9208aa7edec458c4b5f167eb71ac076576571  ./vendir-linux-amd64
683ad9c8174f9f81dc17b2fd81f79a7f83a40a942201ae15a50d97a586fb16be  ./vendir-windows-amd64.exe
a47b6aab79f4fdd66136e8a8434b6d8c8fc16ad4c38c60fcc5e95475fd333e24  ./vendir-darwin-arm64
df7487c414da4425aa682271f236ae2912c828eb8b1aaebbb2f1af010ef5b289  ./vendir-darwin-amd64
fd631a32207efd79d84911186c50d80cbd136a4cddb5dffa3f11c3f7689c6ff0  ./vendir-linux-arm64

v0.41.1

Compare Source

Installation and signature verification

Installation

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

### Download the binary
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.41.1/vendir-linux-amd64

### Move the binary in to your PATH
mv vendir-linux-amd64 /usr/local/bin/vendir

### Make the binary executable
chmod +x /usr/local/bin/vendir

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install vendir
$ vendir version  

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

### Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.41.1/checksums.txt
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.41.1/checksums.txt.pem
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.41.1/checksums.txt.sig

### Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

### Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

✨ What's new

• Fixing CVE by @​rohitagg2020 in #​394

Full Changelog: carvel-dev/vendir@v0.41.0...v0.41.1

📂 Files Checksum

58facd06bae6ffc858b348da9dcc0b032d030a6a31767fea6f9166658d7a61e2  ./vendir-linux-arm64
67411476ecc322c4b32619b168bf5a7fafc86daa764251be1613bec22c1c1003  ./vendir-windows-amd64.exe
993ae33df2e722c327aff4807eeba0e08b0c9f3bd996e67caa89c503c6a8bcda  ./vendir-darwin-arm64
ad63b667c7756cac7804e080861b3e794fbfc83ba662f5461928c30fe890a828  ./vendir-darwin-amd64
f878f3e16b702c47e42b2215a670d65028bc0158643ed28a2dfaa6f37b1344ac  ./vendir-linux-amd64

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.