Merge pull request #284 from grafana/283-update-go-module-and-docker-dependencies

Update Go Module and Docker Dependencies

Author: szkiba

Dockerfile

@@ -1,6 +1,6 @@
-ARG GO_VERSION=1.24.7
+ARG GO_VERSION=1.24.8
 ARG VARIANT=alpine3.22
-ARG GOSEC_VERSION=2.22.8
+ARG GOSEC_VERSION=2.22.9
 
 FROM securego/gosec:${GOSEC_VERSION} AS gosec
 

Dockerfile.goreleaser

@@ -1,6 +1,6 @@
-ARG GO_VERSION=1.24.7
+ARG GO_VERSION=1.24.8
 ARG VARIANT=alpine3.22
-ARG GOSEC_VERSION=2.22.8
+ARG GOSEC_VERSION=2.22.9
 
 FROM securego/gosec:${GOSEC_VERSION} AS gosec
 

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/chainguard-dev/git-urls v1.0.2
 	github.com/fatih/color v1.18.0
 	github.com/go-enry/go-license-detector/v4 v4.3.1
-	github.com/go-git/go-git/v5 v5.16.2
+	github.com/go-git/go-git/v5 v5.16.3
 	github.com/grafana/k6foundry v0.4.7
 	github.com/lmittmann/tint v1.1.2
 	github.com/mattn/go-colorable v0.1.14
@@ -16,7 +16,7 @@ require (
 	github.com/spf13/pflag v1.0.10
 	github.com/szkiba/docsme v0.2.0
 	github.com/szkiba/efa v0.1.0
-	golang.org/x/mod v0.28.0
+	golang.org/x/mod v0.29.0
 )
 
 require (

go.sum

@@ -47,8 +47,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
-github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
+github.com/go-git/go-git/v5 v5.16.3 h1:Z8BtvxZ09bYm/yYNgPKCzgWtaRqDTgIKRgIRHBfU6Z8=
+github.com/go-git/go-git/v5 v5.16.3/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
@@ -131,8 +131,8 @@ golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
-golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
-golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
 golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=

releases/v1.1.6.md

@@ -0,0 +1,25 @@
+Grafana **xk6** `v1.1.6` is here! 🎉
+
+This release focuses on essential updates to core Go modules and Docker images to enhance security, stability, and maintain compatibility.
+
+### Security and Maintenance Updates
+
+Several dependencies have been updated to their latest patch versions, which includes critical security fixes and stability improvements.
+
+#### Go Module Updates
+
+The following Go module dependencies are updated:
+
+* `github.com/go-git/go-git/v5`: Updated to `v5.16.3`.
+* `golang.org/x/mod`: Updated to `v0.29.0`.
+
+#### Docker and CI Tooling Updates
+
+The Docker images used in the build and security processes are updated:
+
+* **Build Base Image**: Updated to `golang:1.24.8-alpine3.22`.
+* **Security Scanner**: Updated `securego/gosec` to `2.22.9`.
+
+### Rationale
+
+These dependency updates are crucial for maintaining the security posture of `xk6`. Applying these updates was prioritized before the **planned refactoring** of the `xk6 lint` subcommand to ensure a stable and secure foundation for future development efforts.

vendor/github.com/go-git/go-git/v5/plumbing/object/commit.go

@@ -97,7 +97,7 @@ github.com/go-git/go-billy/v5/helper/polyfill
 github.com/go-git/go-billy/v5/memfs
 github.com/go-git/go-billy/v5/osfs
 github.com/go-git/go-billy/v5/util
-# github.com/go-git/go-git/v5 v5.16.2
+# github.com/go-git/go-git/v5 v5.16.3
 ## explicit; go 1.23.0
 github.com/go-git/go-git/v5
 github.com/go-git/go-git/v5/config
@@ -238,7 +238,7 @@ golang.org/x/crypto/ssh/knownhosts
 # golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 ## explicit; go 1.20
 golang.org/x/exp/rand
-# golang.org/x/mod v0.28.0
+# golang.org/x/mod v0.29.0
 ## explicit; go 1.24.0
 golang.org/x/mod/internal/lazyregexp
 golang.org/x/mod/modfile