chore(deps): bump library dependencies (2026-03-23) #1149

Open: cursor[bot] wants to merge 2 commits into main from cursor/dependencies-update-5055
cursor bot commented Mar 23, 2026

Summary of updated dependencies

  • Executed go work sync.
  • For each Go module in go.work, ran dependency refresh (go get -u ./...), go mod tidy, and go fix ./....
  • Updated Docker-pinned dependencies required by the plan:
    • plugins/cloud-costs: CLOUD_SDK_VERSION 560.0.0 -> 561.0.0
    • plugins/trivy: CLOUD_SDK_VERSION 560.0.0 -> 561.0.0
    • plugins/kube-bench: kubectlVersion 1.35.2 -> 1.35.3
    • plugins/kubectl: kubectlVersion 1.35.2 -> 1.35.3
    • plugins/kyverno-policy-sync: kubectlVersion 1.35.2 -> 1.35.3
    • plugins/uploader (downloader module): kubectlVersion 1.35.2 -> 1.35.3
  • Confirmed these CI Docker pins were already at latest and left unchanged: trivyVersion=0.69.3, polarisVersion=10.1.6, plutoVersion=5.23.5, helmVersion=4.1.3.
  • Direct Go dependency updates include:
    • k8s.io/api, k8s.io/apimachinery, k8s.io/client-go: v0.35.2 -> v0.35.3 across updated modules
    • github.com/google/go-containerregistry: v0.21.2 -> v0.21.3 (plugins/trivy)
    • internal plugin refs bumped to latest pseudo-versions where applicable (plugins/admission, plugins/ci, realtime-reporter)
  • Indirect dependency updates were applied where resolved by go get -u/go mod tidy.
  • Updated CHANGELOG.md and bumped version.txt minor versions for each affected sub-module:
    • plugins/admission, plugins/ci, plugins/cloud-costs, plugins/event-watcher, plugins/falco-agent, plugins/kube-bench-aggregator, plugins/kube-bench, plugins/kubectl, plugins/kyverno-policy-sync, plugins/kyverno, plugins/on-demand-job-runner, plugins/opa, plugins/prometheus, plugins/rbac-reporter, plugins/right-sizer, plugins/trivy, plugins/uploader, plugins/workloads

Major version bumps

  • No major Go module version bumps were introduced in direct dependencies.

Test results

Executed module-by-module go test ./... sweep and stopped at first failure per plan.

  • Passed:
    • plugins/admission
    • plugins/ci
    • plugins/event-watcher
    • plugins/falco-agent
    • plugins/kube-bench
    • plugins/kube-bench-aggregator
    • plugins/kyverno
    • plugins/kyverno-policy-sync
    • plugins/on-demand-job-runner
    • plugins/opa
  • Failed:
    • plugins/prometheus/pkg/data: TestStorageCapacity
      • expected per-container values around 9.54437177e+08
      • actual values around 2.86331153e+09

Risk notes

  • The failing plugins/prometheus storage-capacity test indicates behavior/output changes after dependency updates; this is the primary regression risk to address before merge.
  • Because execution stopped at first failure (as requested), remaining modules after plugins/prometheus in the sweep were not executed in this run.
  • Internal plugin pseudo-version bumps (cross-module dependencies) may introduce behavioral deltas that are not fully covered until full suite execution is restored after fixing the failing test.

Co-authored-by: Vitor Rodrigo Vezani <vitor.vezani@fairwinds.com>
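
The risk notes above point out that stopping at the first failure left the modules after plugins/prometheus untested. As an added example (not the project's or the bot's own script), here is a sweep that runs the tests in every go.work module and reports each result; the function names are hypothetical, and it assumes unquoted `use` paths without spaces.

```shell
#!/bin/sh
# Added example: test every module listed in go.work, continuing past failures.

# list_modules FILE: print each directory named by a `use` directive in go.work.
# Handles both the block form `use ( ... )` and the single-line form `use ./dir`.
list_modules() {
  awk '
    { sub(/\/\/.*/, "") }                        # strip trailing // comments
    $1 == "use" && $2 == "(" { inblock = 1; next }
    inblock && $1 == ")"     { inblock = 0; next }
    inblock && NF            { print $1; next }
    $1 == "use" && NF == 2   { print $2 }
  ' "$1"
}

# sweep_modules WORKFILE [CMD...]: run CMD (default: go test ./...) inside every
# module directory, print PASS/FAIL per module, and return 1 if any module
# failed. A failure never stops the sweep, so later modules are still covered.
sweep_modules() {
  workfile=$1; shift
  [ "$#" -gt 0 ] || set -- go test ./...
  root=$(dirname "$workfile")
  failed=0
  for mod in $(list_modules "$workfile"); do
    if (cd "$root/$mod" && "$@") >/dev/null 2>&1; then
      echo "PASS $mod"
    else
      echo "FAIL $mod"
      failed=1
    fi
  done
  return "$failed"
}

# Usage (from the repository root): sweep_modules go.work
```

The non-zero return value lets a CI step fail the build while still printing the result for every module.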
@fairwinds-insights

Fairwinds Insights - Auto-scan job has failed ❌

View the full report at insights.fairwinds.com.

found 1 pods for job repo-scan-job-95125
------------------------------------------------
unable to retrieve container logs
Additional info: Repository scan has reached the specified backoff limit; Repository scan has reached the specified backoff limit; Repository scan has reached the specified backoff limit

jdesouza commented Mar 23, 2026

@cursoragent
Do a patch instead of a minor bump

@vitorvezani

@cursoragent bump as patch versions instead of minor

cursor bot commented Mar 23, 2026

Done! I've changed all version bumps from minor to patch versions across all 18 affected plugins:

Changes made:

  • Updated all version.txt files to bump patch version instead of minor (e.g., 2.2.13 -> 2.2.14 instead of 2.3.0)
  • Updated all corresponding CHANGELOG.md files to match the new patch versions
  • Committed and pushed the changes

Summary of version updates:

  • admission: 2.2.14
  • ci: 6.2.14
  • cloud-costs: 1.0.9
  • event-watcher: 0.2.12
  • falco-agent: 0.4.12
  • kube-bench-aggregator: 0.4.10
  • kube-bench: 0.6.11
  • kubectl: 0.21.4
  • kyverno-policy-sync: 0.2.12
  • kyverno: 0.5.12
  • on-demand-job-runner: 0.2.11
  • opa: 3.1.13
  • prometheus: 1.8.15
  • rbac-reporter: 1.4.12
  • right-sizer: 0.6.12
  • trivy: 0.34.13
  • uploader: 0.6.5
  • workloads: 2.8.10

Co-authored-by: Vitor Rodrigo Vezani <vitor.vezani@fairwinds.com>
vitorvezani marked this pull request as ready for review March 23, 2026 13:50
vitorvezani enabled auto-merge (squash) March 23, 2026 13:51
@fairwinds-insights

Fairwinds Insights - Auto-scan job has failed ❌

View the full report at insights.fairwinds.com.

found 1 pods for job repo-scan-job-95134
------------------------------------------------
unable to retrieve container logs
Additional info: Repository scan has reached the specified backoff limit; Repository scan has reached the specified backoff limit; Repository scan has reached the specified backoff limit
