chore(deps): update module github.com/theupdateframework/go-tuf to v2 (main)

[elastic-renovate-prod]

This PR contains the following updates:

Package	Type	Update	Change
github.com/theupdateframework/go-tuf	indirect	major	v0.7.0 -> v2.4.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

theupdateframework/go-tuf (github.com/theupdateframework/go-tuf)

v2.4.1

Compare Source

What's Changed

• chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7188
• Enforce a stricter validation on the repo name for TAP 4 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/720

Full Changelog: theupdateframework/go-tuf@v2.4.0...v2.4.1

v2.4.0

Compare Source

What's Changed

• Add BitLength validation for SuccinctRoles by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/716
• Add thread safety documentation for key types by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/715
• Use restrictive permissions (0700) for cache directories by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/714
• Breaking change: Replace panic with error return in Key.ID() by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/713

Full Changelog: theupdateframework/go-tuf@v2.3.1...v2.4.0

v2.3.1

Compare Source

What's Changed

• chore(deps): bump golang.org/x/crypto from 0.40.0 to 0.45.0 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7022
• Resolve govulncheck errors by bumping go to 1.24.11 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/707
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7044
• modern go (1.20+) improvements by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/705
• chore(deps): bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7066
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.1 to 0.10.0 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7088
• Perform type assertion by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/710
• Add tests for failing type assertions by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/711
• Verify threshold is valid by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/712

Full Changelog: theupdateframework/go-tuf@v2.3.0...v2.3.1

v2.3.0

Compare Source

What's Changed

• Update the config for govulncheck by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/697
• Bump Go to 1.24.9 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/698

Full Changelog: theupdateframework/go-tuf@v2.2.0...v2.3.0

v2.2.0

Compare Source

What's Changed

• fix: treat http 403 as an updater error by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/687
• chore(deps): bump github.com/sigstore/sigstore from 1.8.4 to 1.8.7 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6466
• chore(deps): bump github.com/cenkalti/backoff/v5 from 5.0.2 to 5.0.3 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6900
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.0 to 0.9.1 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6911
• chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6922
• chore(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6933
• chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6944

Full Changelog: theupdateframework/go-tuf@v2.1.1...v2.2.0

v2.1.1

Compare Source

What's Changed

Fixed a regression that can fail clients using the DefaultFetcher{} directly without using the constructor.

• Set a default HTTP client for DefaultFetcher in DownloadFile method if none is set by @​malancas in https://github.com/theupdateframework/go-tuf/pull/686

Full Changelog: theupdateframework/go-tuf@v2.1.0...v2.1.1

v2.1.0

Compare Source

What's Changed

• Move the repository package under examples/repository by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/656
• docs: Joshua retiring as a maintainer by @​joshuagl in https://github.com/theupdateframework/go-tuf/pull/657
• fix: multirepo potential nil pointer dereference by @​MrDan4es in https://github.com/theupdateframework/go-tuf/pull/658
• chore(deps): bump golang.org/x/crypto from 0.23.0 to 0.31.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/661
• chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/662
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/663
• Use the correct verifier for RSA PSS scheme keys by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/625
• updater.go: replace os.WriteFile with file.Write() by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/669
• Remove readFile() and reverseSlice() in favour of stdlib by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/671
• updater.go: replace url.QueryEscape() with url.PathEscape() by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/675
• Bump Go to 1.22 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/677
• chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/679
• chore: make function comment match function name by @​suchsoon in https://github.com/theupdateframework/go-tuf/pull/680
• Update README.md by @​trishankatdatadog in https://github.com/theupdateframework/go-tuf/pull/681
• chore(deps): bump golang.org/x/crypto from 0.31.0 to 0.35.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/683
• Allow users to configure custom http.Client or http.RoundTripper in DefaultFetcher by @​malancas in https://github.com/theupdateframework/go-tuf/pull/682
• Allow users to configure retry behavior in DefaultFetcher by @​malancas in https://github.com/theupdateframework/go-tuf/pull/684
• Added back timeout to the fetcher DownloadFile method to avoid a breaking change. by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/685

New Contributors

• @​MrDan4es made their first contribution in https://github.com/theupdateframework/go-tuf/pull/658
• @​suchsoon made their first contribution in https://github.com/theupdateframework/go-tuf/pull/680

Full Changelog: theupdateframework/go-tuf@v2.0.2...v2.1.0

v2.0.2

Compare Source

What's Changed

• Error in case the delegated role is missing from the snapshot by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/652

Full Changelog: theupdateframework/go-tuf@v2.0.1...v2.0.2

v2.0.1

Compare Source

What's Changed

Security

• Fix incorrect delegation lookups that can make go-tuf download the wrong artifact by @​rdimitrov (Thanks to @​AdamKorcz for reporting it). This fixes CVE-2024-47534 GHSA-4f8r-qqr9-fq8j

Other

• Update MAINTAINERS.md by @​trishankatdatadog in https://github.com/theupdateframework/go-tuf/pull/647
• Update the staging TUF repo in the multi-repo example by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/650
• Fix branch name in multi-repo client example by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/651

Full Changelog: theupdateframework/go-tuf@v2.0.0...v2.0.1

v2.0.0

Compare Source

Breaking changes

• This is the first release of go-tuf v2 and it's a complete re-write indicated by the new major version.
• We also decided to leave go-tuf as a library only.

What's Changed

• chore: fixes the CI status badge and updates the README.md file by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/569
• chore(deps): bump securesystemslib from 0.30.0 to 0.31.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/570
• docs: add Marvin Drees to the list of go-tuf maintainers by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/571
• chore(deps): bump actions/setup-python from 4.7.1 to 5.0.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/572
• chore: enable grouping of minor and patch updates. by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/580
• fix: update tests.yml bumping golangci-lint by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/582
• chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/573
• chore(deps): bump github/codeql-action from 2 to 3 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/574
• chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/575
• chore(deps): bump golang.org/x/term from 0.15.0 to 0.16.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/577
• chore(deps): bump the minor-patch group with 2 updates by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/581
• feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/583
• Update license from BSD-2-Clause to Apache-2.0 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/585
• chore(deps): bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/584
• Replace main with master in workflows by @​kipz in https://github.com/theupdateframework/go-tuf/pull/587
• Do not pin to minor Go versions in go.mod by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/588
• Fixes for windows & enable in CI by @​kipz in https://github.com/theupdateframework/go-tuf/pull/586
• Bring back SECURITY.md by @​trishankatdatadog in https://github.com/theupdateframework/go-tuf/pull/591
• remove dependency on golang.org/x/exp by @​mikedanese in https://github.com/theupdateframework/go-tuf/pull/600
• Refactor errors to use pointer receivers by @​codysoyland in https://github.com/theupdateframework/go-tuf/pull/602
• move testutils under an ./internal/ directory by @​mikedanese in https://github.com/theupdateframework/go-tuf/pull/601
• Enable macos and windows runners for examples.yml and tests.yml by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/604
• Do not run CI for all Go versions and use caching by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/606
• chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/610
• Don't rename unless file is in same dir by @​jonnystoten in https://github.com/theupdateframework/go-tuf/pull/603
• Use filepath.Join when combining filesystem components by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/611
• Always use forward slash when splitting target names by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/612
• chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/614
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/615
• chore(deps): use stdlib ed25519 instead of x by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/620
• chore(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/621
• chore(ci): bump action hashes by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/618
• chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/622
• Silence govulncheck by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/619
• feat: replace logrus in sim with slog by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/617
• repository_simulator_setup.go: Use filepath.Join() instead of concatenation by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/624
• Fixes README references from rdimitrov/go-tuf-metadata to theupdateframework/go-tuf by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/626
• fix: use SHA384 for ECDSA P384 by @​mrjoelkamp in https://github.com/theupdateframework/go-tuf/pull/629
• chore(deps): bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/627
• Remove nil error from being printed in "persist metadata" error message by @​malancas in https://github.com/theupdateframework/go-tuf/pull/633
• fix: deep targets file path by @​mrjoelkamp in https://github.com/theupdateframework/go-tuf/pull/632
• feat: add missing CODEOWNERS and MAINTAINERS file by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/635
• Update MAINTAINERS by @​trishankatdatadog in https://github.com/theupdateframework/go-tuf/pull/636
• chore(deps): bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/637
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/640
• fix: configurable temp file directory by @​mrjoelkamp in https://github.com/theupdateframework/go-tuf/pull/638
• export API to set RefTime of Updater by @​AdamKorcz in https://github.com/theupdateframework/go-tuf/pull/641
• Add the ability to customize the HTTP user agent by @​steiza in https://github.com/theupdateframework/go-tuf/pull/642
• Increase the default value for MaxRootRotations by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/645

New Contributors

• @​kipz made their first contribution in https://github.com/theupdateframework/go-tuf/pull/587
• @​mikedanese made their first contribution in https://github.com/theupdateframework/go-tuf/pull/600
• @​codysoyland made their first contribution in https://github.com/theupdateframework/go-tuf/pull/602
• @​jonnystoten made their first contribution in https://github.com/theupdateframework/go-tuf/pull/603
• @​MDr164 made their first contribution in https://github.com/theupdateframework/go-tuf/pull/620
• @​mrjoelkamp made their first contribution in https://github.com/theupdateframework/go-tuf/pull/629
• @​malancas made their first contribution in https://github.com/theupdateframework/go-tuf/pull/633
• @​AdamKorcz made their first contribution in https://github.com/theupdateframework/go-tuf/pull/641
• @​steiza made their first contribution in https://github.com/theupdateframework/go-tuf/pull/642

Full Changelog: theupdateframework/go-tuf@v0.7.0...v2.0.0

---

Configuration

📅 Schedule: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.