chore: update dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

Update Request | Renovate Bot

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
awslabs/soci-snapshotter		patch	v0.14.0 → v0.14.1
cgr.dev/chainguard/wolfi-base		digest	441d670 → e161445
cloudflare/cloudflared		minor	2026.5.2 → 2026.6.1
fosrl/newt		minor	1.12.5 → 1.13.0
github.com/anchore/grype	indirect	minor	v0.111.0 → v0.114.0
github.com/anchore/syft	indirect	minor	v1.42.4 → v1.45.1
github.com/dsseng/syft	replace	patch	v1.42.4-0.20260415171054-31b9430f030f → v1.42.4
google/gvisor		minor	20260525.0 → 20260615.0
https://github.com/containerd/runwasi.git		patch	v0.6.0 → v0.6.1
https://github.com/spinkube/containerd-shim-spin.git		minor	v0.24.0 → v0.25.1
kata-containers/kata-containers		minor	3.31.0 → 3.32.0
netbirdio/netbird		minor	0.71.4 → 0.73.1
sqlite/sqlite		patch	3.53.1 → 3.53.2
systemd/systemd		major	260.2 → 261
tailscale/tailscale		patch	1.98.3 → 1.98.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

awslabs/soci-snapshotter (awslabs/soci-snapshotter)

v0.14.1

Compare Source

Changelog

• Update x/net dependency to 0.55.0 (#​1938)

Full Changelog: awslabs/soci-snapshotter@v0.14.0...v0.14.1

These binaries were compiled using glibc 2.34.

cloudflare/cloudflared (cloudflare/cloudflared)

v2026.6.1

Compare Source

SHA256 Checksums:

cloudflared-amd64.pkg: 1c939cee0a953b30c91854fba114dc3a46f79570110fc5168703cd62afb65d82
cloudflared-arm64.pkg: acfcd577408f504254b4a207fbe6883d4c45fc1f9ae3b883bb3a493f412a1f8d
cloudflared-darwin-amd64.tgz: 3f74d697045ecf56dd2fbeb42f59767ecdf4067c409d55f080563923e8a1bb32
cloudflared-darwin-arm64.tgz: ae6ee90188ae5833c687ce937c3693e28403677607c06c65a2ff2b6a022f50e4
cloudflared-fips-linux-amd64: a22276b23500f75763604fd9bff7ece607f705ad62469344606bd662dbd3793d
cloudflared-fips-linux-amd64.deb: 4d8eb632229cec4df97d9cb03c23517f4bdada7189be3fd76a604233526b9b86
cloudflared-fips-linux-x86_64.rpm: dedcba9c1fed53fded13114c0ed968fbfa93eccc8d14b1ed147e5fdbebdee21e
cloudflared-linux-386: a9ded87fef4bbe2da6d44c8159f6e97df5811c24e4cf082d5426cefc1eb9a5aa
cloudflared-linux-386.deb: 7ef10a9544a5cba8025ac0f8ddf3c368e9c98f0160354017f62b4ad21237449c
cloudflared-linux-386.rpm: 27d5c887bee8071bf70c33955427adf40c6aed16074950f36988a269a392c1fe
cloudflared-linux-aarch64.rpm: 3291e4f9a7b65f97f318b0ac5d542148a3eb2a0b59a98a74d88e7777ef75f3ff
cloudflared-linux-amd64: 5861a10a438fe8ddcfebb3b830f83966cbf193edafce0fe2eeb198fbae1f7a22
cloudflared-linux-amd64.deb: ccd02ec216c62bfa573395d8f72cb2e91e95cbdf8726a8acc06b3e2d9aa31526
cloudflared-linux-arm: c07674eb6e13172d031e3ddc55c8817ed2a36ce00b0d42693e178c4317f9c1b8
cloudflared-linux-arm.deb: b10df091a66704198932a1563e2403cd71edf2bb0278d517bf5a8263b0732912
cloudflared-linux-arm.rpm: 934a2c6819056047dcd7475ffc3e8fcd64917f2977c418d39bc00532a7be61e6
cloudflared-linux-arm64: 59816ce9b16db71f5bc2a86d59b3632a96c8c3ee934bde2bc8641ee83a6070eb
cloudflared-linux-arm64.deb: bd03edd14de32ff38230ec9356e7fad0f32455558b2052d693bf51b7814f3ad4
cloudflared-linux-armhf: c742494eb1f90f6d43bbb07ef660e565e0baae15e49e4041626ac4d413d39072
cloudflared-linux-armhf.deb: a5242ccd0ee70d247eb70a161f6dd6fe5ddff0c6a5e4ea537202b7e9432755c8
cloudflared-linux-armhf.rpm: ff25adfd0aedb32ad5aa5a2efc343caf21b5137d6a5a8761d5f379df4238f853
cloudflared-linux-x86_64.rpm: 9690d870856b4396c8071ee7082acfc340b701013bc498635522e50889e49aa4
cloudflared-windows-386.exe: 52f63fb7055e5797e79585b0e1dbfb397046b1ed5edee29901d433dc16b94042
cloudflared-windows-386.msi: 4d3ff388a19c85bfe6de2f04b037963f7aee9dca6223ebb37b885d4d50762ecd
cloudflared-windows-amd64.exe: 5253e66f1f493c4e13539749f1aa86fd0c61e3072900fec29a44ba046a6d97e2
cloudflared-windows-amd64.msi: f20f932b6c0ddab4db18f7fa596d0a76cbd77bf3fa4572ade0b99d42c85f8a84

v2026.6.0

Compare Source

SHA256 Checksums:

cloudflared-amd64.pkg: 586c5f1dfe211605809a2ac6408040f29e823672145e63eaedb941feec889268
cloudflared-arm64.pkg: 378c169dc2320044de35e5f757a84832e7e7298ca5537ecaf2e75f4a38e02d88
cloudflared-darwin-amd64.tgz: 2d620f9e7b2ddf5e6f5fe1ed4eee308d8dc4c338bc936bfb18e0022a344daa66
cloudflared-darwin-arm64.tgz: 1b66920a280235b0180e935c6fb2adcf91fceeeaf66c4365e606bd37d6c587ef
cloudflared-fips-linux-amd64: caedf94b6eee476313ee564db53ec345f9184ce973350ebafbba735a6f74aaf7
cloudflared-fips-linux-amd64.deb: 9f8e82bc3ba48d043380e4c3f170c2412d3bded5f838600e935c73deeac2f1cf
cloudflared-fips-linux-x86_64.rpm: bc2fb78ed2760e33bec8cc3cc6867c1794151cf70ce84013aaaccfb8d33cf8a5
cloudflared-linux-386: dd6a63c418f87dfd51596aac00cf9613cd633aa10282faef1f46afdce813f476
cloudflared-linux-386.deb: 4bc0761da704b1bf9a1496c1928667ba04b7712fe84a0ad43513f448916356ba
cloudflared-linux-386.rpm: 54a37bd65e501b9b36d9dec55a57b00fe8a821f5ab5406ca52fcf035c81e5c0e
cloudflared-linux-aarch64.rpm: 317630351839fc6e1f05bc3e725dd775b9312d8ba7be657c7df0fd129af977ca
cloudflared-linux-amd64: 08d27c4c5d3ed73ee3e98ef2ddceb4ad09fd4cfc28e243565a189538e8ccd706
cloudflared-linux-amd64.deb: 0f8d62a84cdf9474409a486d62c9269d9a4b28665d2c4e675cb87c062395d3f7
cloudflared-linux-arm: 87b7e7dcc376a57d268eb9beea6e761f6d0ff11796ed88cc8c9a9ad1f13fd66c
cloudflared-linux-arm.deb: 48cd7dc35d88029521b392959af809dc81fb336c5526631defe311a8cf6f38c4
cloudflared-linux-arm.rpm: 8a0246247a56bcaad816074e27ac0bac164f8072779cac7e5c4d772289bd250b
cloudflared-linux-arm64: 8482ebf1e74a2a4a1a9f1e090e17e3de08423f94100ece6789287cb26fb9480f
cloudflared-linux-arm64.deb: b0bcc293670cafd150380efebea85073424e332f136003ae9fdf99b2c83a0231
cloudflared-linux-armhf: 7d854dedec8fc043554d468a29abe1217890b670a00fd29898c0fc39ef1e071c
cloudflared-linux-armhf.deb: 8cffc7e6e951e2cb03e303bbb430d4d2b7caf1ea155a09369db8b3781c765581
cloudflared-linux-armhf.rpm: 649138c7ea238495a317f1f31246247a3da1537eb207ee7b51e701fe6a89a8ba
cloudflared-linux-x86_64.rpm: 572aa1fe3db64bcfa1c1765f2139f137e0933a41fdb2e4f3068b1b293f6100f9
cloudflared-windows-386.exe: f55b4cd770ce6fddacc2acd4ce849112acf2e998fdca9483cbe7c1d99d4a7f6a
cloudflared-windows-386.msi: 624e081b4b21d748fcb3c9b11c36079d34eaa405f996eade72673787b19fff54
cloudflared-windows-amd64.exe: 03e322598e84d77406fa55b93f59e8e54636c5d8501d9dce36697fcf080ed8cc
cloudflared-windows-amd64.msi: 9da1c0631705fff32dc380534931865046aabc1bab127a661507c982e9b558e7

fosrl/newt (fosrl/newt)

v1.13.0

Compare Source

Container Images

• GHCR: ghcr.io/fosrl/newt@sha256:63d956c8fdee889255e441ec405193b47b1fd2d975b505492ec848a8007f4fc3
• Docker Hub: docker.io/fosrl/newt@sha256:63d956c8fdee889255e441ec405193b47b1fd2d975b505492ec848a8007f4fc3
  Tag: 1.13.0

What's Changed

• Add browser gateway support for VNC, RDP, and SSH
• Add native internal ssh server for easier ssh private resources
• Add --disable-ssh flag to replace --auth-daemon which is now enabled by default
• Add auto update newt support when running as binary
• Add advantech router app
• Add sighup to reload config
• Add block flag to block all connections to config
• Add restart endpoint
• Fix X-Forwarded-Proto always set to "http" for TLS connections
• Fix remove duplicate wrong error log in socket/fetch and dead code in reliablePing
• Dependency security updates

New Contributors

• @​rinseaid made their first contribution in #​353
• @​cwiggs made their first contribution in #​358
• @​immanuwell made their first contribution in #​370
• @​eleboucher made their first contribution in #​272

Full Changelog: fosrl/newt@1.12.5...1.13.0

anchore/grype (github.com/anchore/grype)

v0.114.0

Compare Source

Added Features

• Add ability to scan zarf packages [#​3329 #​3366 @​brandtkeller]

Additional Changes

• respect withdrawn status of Go Vuln DB OSV records [#​3495 @​willmurphyscode]
• Govulndb OSV transformer [#​3485 @​willmurphyscode]

(Full Changelog)

v0.113.0

Compare Source

Added Features

• Include Ubuntu 26.04 "resolute" in distro codenames [#​3397 @​anchore-oss-update-bot]
• source RPM filtering on Hummingbird [#​3410 @​willmurphyscode]

Bug Fixes

• use relatedVulnerabilities description as fallback in SARIF output [#​3271 @​axidex]
• improve platform CPE determination logic [#​3470 @​westonsteimel]
• normalize uppercase V in semantic version comparison [#​3461 @​immanuwell]
• purl handling in cgr maven libs [#​3420 @​willmurphyscode]
• Treat uppercase V prefixes the same as lowercase v prefixes in fuzzy version comparison [#​3037 #​3089 @​wasup-yash]
• Add Runtime Warnings When TLS Verification Is Disabled or HTTP Is Enabled [#​3101 #​3396 @​Dashtid]
• Add support for the aarch64 architecture when parsing the version of Ruby gems in lockfiles [#​3442 #​3475 @​msnandhis]
• zsh completion fails [#​2933 #​3433 @​brandtkeller]

(Full Changelog)

v0.112.0

Compare Source

Added Features

• Expand ignore rules to owned sub packages of distro packages [#​3368 #​3326 @​kzantow]

Additional Changes

• update anchore dependencies [#​3391 @​anchore-oss-update-bot]

(Full Changelog)

v0.111.1

Compare Source

Bug Fixes

• apply overlap by ownership removal to dynamically created relationships [#​3363 @​kzantow]
• compare mismatched package / db versions [#​3372 @​kzantow]
• Grype doesn't recognize debian component when "group" : "debian" is specified [#​2967]
• HelpURI missing information in SARIF output [#​2874 #​3351 @​will-bates11]

(Full Changelog)

anchore/syft (github.com/anchore/syft)

v1.45.1

Compare Source

Bug Fixes

• bump stereoscope to pull in fix for registry client hanging [#​4934 @​anchore-oss-update-bot]

(Full Changelog)

v1.45.0

Compare Source

Added Features

• Add support for ZapAddOns as jar files [#​4654 #​4932 @​douglasclarke]
• MySQL binary classifier should distinguish between MySQL Cluster (ndb) and MySQL [#​3297 #​4907 @​witchcraze]
• Catalog ingress-nginx binary [#​4818 #​4857 @​witchcraze]

Bug Fixes

• Support helm binary various versions [#​4820 #​4922 @​witchcraze]
• Support julia binary various versions [#​4867 #​4945 @​witchcraze]
• Support deno binary old versions [#​4865 #​4939 @​witchcraze]
• Compressed kernel modules are not scanned by the linux-kernel-cataloger [#​4721 #​4740 @​will-bates11]
• Yarn Berry lockfile parser incorrectly deduplicates packages with multiple resolutions [#​4691 #​4838 @​calumleslie]
• Possible misdetection of AWS-LC as OpenSSL 1.1.1 [#​4539 #​4882 @​witchcraze]
• Support elixir binary rc versions [#​4819 #​4851 @​ChrisJr404]
• Exclude path ending with a slash are discarded [#​4839 #​4892 @​ChrisJr404]
• Incorrect CPE for .NET Runtime [#​4738 #​4743 @​PGrayCS]
• fix parsing of debian/copyright files [#​4708 #​4754 @​Bahtya]
• Grype ignores python requirements in arbitrary equality (===) format [#​4834 #​4835 @​cyphercodes]
• valkey is detected as both of valkey and redis [#​4591 #​4619 @​witchcraze]
• TypeByName missing "nuget" case causes UnknownPkg when reading SPDX SBOMs [#​4837 #​4848 @​ChrisJr404]

Additional Changes

• hoist name normalization regexp to package level [#​4926 @​matiasinsaurralde]
• bump the actions-minor-patch group across 1 directory with 6 updates [#​4946 @​dependabot]
• bump the actions-minor-patch group across 2 directories with 2 updates [#​4936 @​dependabot]
• bump the actions-minor-patch group across 1 directory with 4 updates [#​4927 @​dependabot]
• bump the actions-minor-patch group across 1 directory with 2 updates [#​4920 @​dependabot]
• bump the actions-minor-patch group across 1 directory with 2 updates [#​4897 @​dependabot]
• update CPE dictionary index [#​4831 @​anchore-oss-update-bot]

(Full Changelog)

v1.44.0

Compare Source

Added Features

• Add support for linux-riscv64 [#​4757 @​luhenry]

Bug Fixes

• Yarn lockfile cataloguing does not handle aliases [#​4833 #​4836 @​cyphercodes]
• Some snippet files are saved in the previous test directory [#​4829 #​4830 @​witchcraze]
• empty rockspec causes index out of range [#​4824 #​4827 @​aki1770-del]
• PE cataloger shows asp.net core ref assemblies using fileversion build stamp instead of productversion [#​4813 #​4814 @​rezmoss]
• Syft safeCopy silently swallows archive decompression errors [#​4806 #​4807 @​SAY-5]

(Full Changelog)

v1.43.0

Compare Source

Added Features

• added deno bin classifiers [#​4677 @​rezmoss]
• Support haskell old versions [#​3237 #​4793 @​witchcraze]
• Add support for OpenLDAP binary detection [#​4768 #​4755 @​nadimz]
• Support erlang ols versions [#​3235 #​4766 @​witchcraze]

Bug Fixes

• improve redhat-release parsing fallback for RHEL clones [#​4808 @​westonsteimel]
• fix format string in search results struct [#​4775 @​willmurphyscode]
• prevent infinite recursion in Document.UnmarshalJSON with encoding/json/v2 [#​4748 @​benja-M-1]
• Syft can not complete scanning golang image [#​4686]
• javascript-package-cataloger drops entire package.json when authors/contributors/maintainers is a single string [#​4778 #​4779 @​yoav-orca]
• pnpm lock file cataloger produces unstable output [#​4648 #​4765 @​lawrence3699]
• Linux Kernel bzImage and zImage not cataloged by linux-kernel-cataloger [#​4769 #​4751 @​nadimz]
• Support istio binary (pilot-discovery, pilot-agent) alpha,beta,rc,dev version [#​4546 #​4645 @​witchcraze]
• Scanning mounted ISO: duplicate entries [#​4759]

Additional Changes

• update CPE dictionary index [#​4767 @​anchore-oss-update-bot]

(Full Changelog)

dsseng/syft (github.com/dsseng/syft)

v1.42.4

Compare Source

google/gvisor (google/gvisor)

v20260615.0

Compare Source

v20260608.0

Compare Source

v20260601.0

Compare Source

containerd/runwasi (https://github.com/containerd/runwasi.git)

v0.6.1

Compare Source

spinkube/containerd-shim-spin (https://github.com/spinkube/containerd-shim-spin.git)

v0.25.1

Compare Source

Fixed

• bump to containerd-shim-wasm v1.0.1 for security improvements (#​447)

v0.25.0

Compare Source

Changed

• arm64 compilation for developer (#​425)
• Create Runtime Class Manager Shim resources in releases (#​443)
• use Kind instead of k3d for tests and released image (#​441)
• Bump to Spin 4.0.1 dependencies and triggers (#​437)

kata-containers/kata-containers (kata-containers/kata-containers)

v3.32.0: Kata Containers 3.32.0

Compare Source

Survey

Please take the Kata Containers survey:

• https://openinfrafoundation.formstack.com/forms/kata_containers_user_survey

This will help the Kata Containers community understand:

• how you use Kata Containers
• what features and improvements you would like to see in Kata Containers

Libseccomp Notices

The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.

• libseccomp

The kata-agent uses the libseccomp v2.6.0 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.

Kata Containers builder images

• agent (on all its different flavours): quay.io/kata-containers/builders:agent-3840e64e3-e407c7ee9-1.94-x86_64
• Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-91d6c39f0-x86_64
• OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-a708316c0-x86_64
• QEMU (on all its different flavurs): quay.io/kata-containers/builders:qemu-3be370d2d-x86_64
• shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.25.11-rust-1.94-b44e56d3d-x86_64
• tools: quay.io/kata-containers/builders:tools-531877f28-d09d1959c-9550a323a-67e33c3cd-x86_64
• virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1c23f6ec0-x86_64

Installation

Follow the Kata installation instructions.

What's Changed

• dragonball: Add basic ACPI implementation for TDX boot by @​RainaYL in #​13063
• dragonball: Add implementation for KVM-managed guest memfd by @​RainaYL in #​13066
• kata-deploy: always add HEAD commit SHA tag to all builds by @​stevenhorsman in #​13081
• runtime: drop host time namespace from OCI spec by @​fidencio in #​13082
• kata-deploy: only install what will actually be used by @​fidencio in #​13055
• build(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.32 in /src/runtime by @​dependabot[bot] in #​13091
• kata-deploy: verify kata-runtime label remains stable on rke2/k3s by @​fidencio in #​13089
• runtime-rs: Fix sandbox-api lifecycle and CRI status handling by @​Apokleos in #​12957
• packaging: fix parallel kernel build race and kata-deploy script bugs by @​hdp617 in #​13077
• runtime-rs: qemu: pass -bios for non-confidential guests by @​fidencio in #​13106
• kata-monitor: use full URI for connecting to containerd by @​fvichot in #​13086
• runtime (go): agent: Add NUMA support for QEMU by @​fidencio in #​12948
• build: Validate measured-rootfs root hashes all shims by @​fidencio in #​13109
• runtime-rs: Support erofs snapshotter with gpt vmdk mode by @​Apokleos in #​13085
• kata-deploy: prebuild payload-specific component artifacts by @​fidencio in #​13104
• agent: use rtnetlink to add ARP neighbour by @​burgerdev in #​13064
• tests: nvidia: No policy for runtime-rs path by @​manuelh-dev in #​13114
• build: add nvgpu-tarball target by @​zvonkok in #​12955
• containerd: use /etc/containerd/conf.d/ drop-in for containerd >= 2.2.0 by @​thebigbone in #​13108
• agent: compact EROFS overlay lowerdirs by @​manuelh-dev in #​13119
• agent: restore process CWD auto-creation by @​PiotrProkop in #​13118
• kernel: Enable landlock LSM by @​bpradipt in #​13087
• runtime: Configure network num_queues properly for CLH by @​Camelron in #​13047
• runtime / agent / kernel: fix cold-plug VFIO guest-kernel mode for SR-IOV RoCE/InfiniBand by @​fidencio in #​13103
• build: add kata-deploy-publish target by @​zvonkok in #​12956
• Revert "runtime: Enforce >= 1 queue pairs for tapNetworkPair" by @​Camelron in #​13133
• runtime-rs/agent: support EROFS snapshots without a rwlayer by @​manuelh-dev in #​12979
• kata-deploy: Add a version annotation to runtimeclass by @​jojimt in #​13134
• ci: Refactor boot-image-se build and update shim components by @​BbolroC in #​13097
• runtime: oci: Only derive sandbox CPUs from shares when quota is unconstrained by @​fidencio in #​13140
• kata-deploy: scrub stale containerd import on conf.d migration by @​fidencio in #​13141
• runtime/runtime-rs: introduce Azure specific configs by @​fidencio in #​13126
• Bump rust to 1.94 by @​stevenhorsman in #​13144
• runtime(-rs): tdx: use TDX QGS via unix-domain-socket by default by @​mythi in #​12436
• bump golang.org/x/dependencies by @​stevenhorsman in #​13143
• Disable CPU hotplug when confidential guest setting enabled by @​mythi in #​12539
• ci: Remove kata-monitor test from required by @​stevenhorsman in #​13166
• runtime-rs: shut down shim daemon on a failed create by @​fidencio in #​13156
• versions: bump golang to 1.25.11 by @​stevenhorsman in #​13165
• build(deps): bump openssl from 0.10.79 to 0.10.80 by @​dependabot[bot] in #​13088
• build(deps): bump tar from 0.4.45 to 0.4.46 by @​dependabot[bot] in #​13135
• trace-forwarder: migrate from Jaeger to OTLP exporter by @​stevenhorsman in #​13036
• kata-deploy: inherit custom RuntimeClass overhead from baseConfig by @​fidencio in #​13170
• ci: remove Mariner annotations and use new config by @​sprt in #​13161
• kata-deploy: add the imports directive explicitly if expected but not found by @​Amulyam24 in #​13176
• tests: fix TDX runtime-rs and initdata tests by @​mythi in #​12931
• tests: unskip hard-coded policy tests on qemu-tdx-runtime-rs by @​fidencio in #​13182
• runtime: ignore false positive CRI-O vulnerabilities by @​stevenhorsman in #​13174
• docs: add composable VM images design proposal by @​fidencio in #​13029
• runtime-rs: default static sizing-related config flags to true by @​fidencio in #​13171
• kata-deploy: support drop-in configs for default runtimes by @​fidencio in #​13183
• dragonball: Add steps to boot TDX VM by @​RainaYL in #​13093
• kata-deploy: log more info when debug is enabled by @​fidencio in #​13178
• versions: Bump containerd to 2.3 by @​fidencio in #​13004
• cri-containerd: fix v1 sanity-check config generation by @​fidencio in #​13192
• kata-monitor: ship as a standalone multi-arch image starting with 3.32.0 by @​fidencio in #​13107
• runtime*: use static_sandbox_resource_mgmt defaults for qemu-se by @​BbolroC in #​13188
• tests: align kata-monitor containerd version selector by @​fidencio in #​13197
• tests: fix k8s-number-cpus expectation by @​manuelh-dev in #​13190
• runtime-rs: Honor enable_debug for logs and adjust debugging documentation by @​manuelh-dev in #​13147
• ci: Update required tests by @​stevenhorsman in #​13206
• runtime-rs: Add support Independent iothreads by @​Apokleos in #​12832
• Metrics: Add support for monitoring disk usage via statfs by @​Apokleos in #​13111
• runtime-rs: Nydus standalone mode support in runtime-rs by @​Apokleos in #​12772
• GHA: Set nightly/dev builds for qemu-coco-dev-runtime-rs on s390x by @​BbolroC in #​13193
• tests: launch kata-monitor runc workload with explicit runtime by @​fidencio in #​13209
• tests: raise k8s memory/QoS pod limits for TEE runtime-rs CI by @​fidencio in #​13198
• generate_vendor: Fix heavily broken logic by @​gkurz in #​13202
• workflows: refactor osv-scanner workflows by @​stevenhorsman in #​13189
• runtime(-rs): remove file_mem_backend config option by @​manuelh-dev in #​13138
• versions: Bump QEMU to 11.0.1 by @​fidencio in #​13204
• versions: Bump kernel to 6.18.35 by @​fidencio in #​13203
• fix: pin idna and pymdown-extensions to remediate CVEs by @​stevenhorsman in #​13215
• genpolicy: add missing probe fields by @​burgerdev in #​13213
• kata-deploy: add a Job-based deployment mode (alternative to the privileged DaemonSet) by @​fidencio in #​13155
• chore(docs): Clarify dropIn runtime configuration by @​LandonTClipp in #​13120
• runtime-rs: Fix queue_size of zero in block_rootfs by @​glingy in #​13211
• runtime-rs: don't fail VM start when guest protection detection errors by @​nikolasgkou in #​13128
• kata-deploy: export nydus snapshotter root by @​manuelh-dev in #​13221
• agent: fix get_oom_event deadlock after connection restart by @​thejasn in #​13116
• packaging: Optimize kata-deploy build export using tar output by @​BbolroC in #​13225
• release: do not publish a kata-monitor-job-dispatcher manifest by @​fidencio in #​13226
• tests: add runtime config drop-in helpers by @​manuelh-dev in #​13223
• runtime(-rs): Propagate host block device read-only flag to the VMM by @​fidencio in #​13214
• tests: skip Guaranteed QoS test for SNP/TDX runtime-rs by @​hgowda-amd in #​13229
• runtime-rs: make OOM watcher and signal handling lifecycle-aware by @​Apokleos in #​12293
• genpolicy: support pod-level resources by @​davidweisse in #​13142
• runtime-rs: fix default_memory annonation processing by @​pmores in #​13129
• feat(agent): translate KATA_VISIBLE_DEVICES into CDI GPU requests by @​LandonTClipp in #​13160
• osbuilder: Simplify version fetching by @​gkurz in #​13237
• runtime-rs: Remove unused msize_9p totally from configurations by @​Apokleos in #​13239
• GHA: Use IBM ActionsPZ runners for publish jobs on s390x by @​BbolroC in #​13244
• runtime-rs: change safe-path dependency from crates.io to workspace by @​charludo in [#​13242](https://redirect.github.c

✂ Note

PR body was truncated to here.

[renovate]

ℹ️ Artifact update notice

File name: internal/grype-scan/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 79 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.26.0 -> 1.26.3
cloud.google.com/go/auth	v0.18.1 -> v0.18.2
cloud.google.com/go/storage	v1.60.0 -> v1.61.3
github.com/CycloneDX/cyclonedx-go	v0.10.0 -> v0.11.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	v1.30.0 -> v1.31.0
github.com/Masterminds/semver/v3	v3.4.0 -> v3.5.0
github.com/Microsoft/go-winio	v0.6.2 -> v0.6.3-0.20251027160822-ad3df93bed29
github.com/Microsoft/hcsshim	v0.14.0-rc.1 -> v0.15.0-rc.1
github.com/anchore/stereoscope	v0.1.22 -> v0.2.1
github.com/aws/aws-sdk-go-v2	v1.41.2 -> v1.41.5
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.4 -> v1.7.8
github.com/aws/aws-sdk-go-v2/config	v1.32.10 -> v1.32.12
github.com/aws/aws-sdk-go-v2/credentials	v1.19.10 -> v1.19.12
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.18 -> v1.18.20
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.18 -> v1.4.21
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.18 -> v2.7.21
github.com/aws/aws-sdk-go-v2/internal/ini	v1.8.4 -> v1.8.6
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.17 -> v1.4.22
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.5 -> v1.13.7
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.9.8 -> v1.9.13
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.18 -> v1.13.21
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.17 -> v1.19.21
github.com/aws/aws-sdk-go-v2/service/s3	v1.96.0 -> v1.97.3
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.6 -> v1.0.8
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.11 -> v1.30.13
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.15 -> v1.35.17
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.7 -> v1.41.9
github.com/aws/smithy-go	v1.24.1 -> v1.24.2
github.com/containerd/cgroups/v3	v3.1.2 -> v3.1.3
github.com/containerd/containerd/api	v1.10.0 -> v1.11.1
github.com/containerd/containerd/v2	v2.2.1 -> v2.3.1
github.com/containerd/continuity	v0.4.5 -> v0.5.0
github.com/containerd/platforms	v1.0.0-rc.2 -> v1.0.0-rc.4
github.com/containerd/plugin	v1.0.0 -> v1.1.0
github.com/containerd/ttrpc	v1.2.7 -> v1.2.8
github.com/cyphar/filepath-securejoin	v0.6.0 -> v0.6.1
github.com/diskfs/go-diskfs	v1.7.0 -> v1.9.3
github.com/docker/cli	v29.3.0+incompatible -> v29.4.3+incompatible
github.com/docker/go-connections	v0.6.0 -> v0.7.0
github.com/github/go-spdx/v2	v2.4.0 -> v2.7.0
github.com/go-git/go-billy/v5	v5.8.0 -> v5.9.0
github.com/go-git/go-git/v5	v5.17.0 -> v5.19.1
github.com/go-jose/go-jose/v4	v4.1.3 -> v4.1.4
github.com/google/go-containerregistry	v0.21.3 -> v0.21.6
github.com/googleapis/enterprise-certificate-proxy	v0.3.11 -> v0.3.14
github.com/gookit/color	v1.6.0 -> v1.6.1
github.com/gpustack/gguf-parser-go	v0.24.0 -> v0.24.1
github.com/hashicorp/aws-sdk-go-base/v2	v2.0.0-beta.70 -> v2.0.0-beta.72
github.com/hashicorp/go-getter	v1.8.5 -> v1.8.6
github.com/klauspost/compress	v1.18.5 -> v1.18.6
github.com/moby/moby/api	v1.54.0 -> v1.54.2
github.com/moby/moby/client	v0.3.0 -> v0.4.1
github.com/openvex/go-vex	v0.2.7 -> v0.2.8
github.com/package-url/packageurl-go	v0.1.3 -> v0.1.5
github.com/pelletier/go-toml/v2	v2.2.4 -> v2.3.1
github.com/pierrec/lz4/v4	v4.1.22 -> v4.1.26
github.com/pjbgf/sha1cd	v0.4.0 -> v0.6.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.63.0 -> v0.68.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.62.0 -> v0.68.0
go.opentelemetry.io/otel	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/metric	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/sdk	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.40.0 -> v1.43.0
golang.org/x/crypto	v0.49.0 -> v0.52.0
golang.org/x/exp	v0.0.0-20251023183803-a4bb9ffd2546 -> v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/mod	v0.34.0 -> v0.36.0
golang.org/x/net	v0.52.0 -> v0.55.0
golang.org/x/sys	v0.42.0 -> v0.45.0
golang.org/x/term	v0.41.0 -> v0.43.0
golang.org/x/text	v0.35.0 -> v0.37.0
golang.org/x/tools	v0.43.0 -> v0.45.0
gonum.org/v1/gonum	v0.16.0 -> v0.17.0
google.golang.org/api	v0.267.0 -> v0.271.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260406210006-6f92a3bedf2d
google.golang.org/grpc	v1.79.3 -> v1.80.0
google.golang.org/protobuf	v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
modernc.org/libc	v1.70.0 -> v1.72.3
modernc.org/sqlite	v1.46.2 -> v1.51.0