@dependabot dependabot bot commented on behalf of github Jan 14, 2026

Bumps the dependencies group with 10 updates in the /hack/tools directory:

Package From To
github.com/a8m/envsubst 1.4.2 1.4.3
github.com/itchyny/gojq 0.12.17 0.12.18
github.com/joelanford/go-apidiff 0.8.2 0.8.3
github.com/mikefarah/yq/v4 4.44.6 4.50.1
k8s.io/apimachinery 0.31.4 0.31.14
k8s.io/code-generator 0.31.2 0.31.14
sigs.k8s.io/controller-tools 0.16.5 0.20.0
sigs.k8s.io/kind 0.26.0 0.31.0
sigs.k8s.io/kustomize/kustomize/v5 5.5.0 5.8.0
sigs.k8s.io/promo-tools/v4 4.0.5 4.1.0

Updates github.com/a8m/envsubst from 1.4.2 to 1.4.3

Release notes

Sourced from github.com/a8m/envsubst's releases.

v1.4.3

Full Changelog: a8m/envsubst@v1.4.2...v1.4.3

Updates github.com/itchyny/gojq from 0.12.17 to 0.12.18

Release notes

Sourced from github.com/itchyny/gojq's releases.

Release v0.12.18

  • implement trimstr/1, toboolean/0 function
  • fix last/1 to be included in builtins/0
  • fix --indent 0 to preserve newlines
  • fix string repetition to emit error when the result is too large
  • increase the array index limit to 536870912 (2^29)
  • stop numeric normalization for concurrent execution (see 1ace748d08df)
  • support binding expressions with binary operators (1 + 2 as $x | -$x)
  • improve gojq.NewIter to be a generic function
  • improve logic for getting file contents on JSON parse error
  • improve JSON parsing to preserve the precision of floating-point numbers
  • improve YAML parsing performance and preserve the precision of large integers
  • improve performance and reduce memory allocation of long-running queries
Changelog

Sourced from github.com/itchyny/gojq's changelog.

v0.12.18 (2025-12-02)

  • implement trimstr/1, toboolean/0 function
  • fix last/1 to be included in builtins/0
  • fix --indent 0 to preserve newlines
  • fix string repetition to emit error when the result is too large
  • increase the array index limit to 536870912 (2^29)
  • stop numeric normalization for concurrent execution (see 1ace748d08df)
  • support binding expressions with binary operators (1 + 2 as $x | -$x)
  • improve gojq.NewIter to be a generic function
  • improve logic for getting file contents on JSON parse error
  • improve JSON parsing to preserve the precision of floating-point numbers
  • improve YAML parsing performance and preserve the precision of large integers
  • improve performance and reduce memory allocation of long-running queries
Commits
  • fa534a1 bump up version to 0.12.18
  • d7e1531 update CHANGELOG.md for v0.12.18
  • 672cc79 update dependencies
  • 2263e18 update actions/checkout to v6
  • 5d8a53c add more tests for empty strings and NO_COLOR
  • 97274d3 make use of cmp package for comparisons
  • 3e31863 merge identical cases for getting operator functions
  • e4d456b avoid variable names that shadow built-in functions
  • 19a3975 stop replacing capturing group syntax
  • 5bb6d33 support binding expressions with binary operators (fix #283)
  • Additional commits viewable in compare view

Updates github.com/joelanford/go-apidiff from 0.8.2 to 0.8.3

Release notes

Sourced from github.com/joelanford/go-apidiff's releases.

v0.8.3

Full Changelog: joelanford/go-apidiff@v0.8.2...v0.8.3

Commits
  • 60c4206 bump dependencies (#91)
  • 4a78e82 build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#71)
  • f8f3eaa build(deps): bump golang.org/x/sys from 0.26.0 to 0.28.0 (#74)
  • bb5ff5a build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#67)
  • 537ad9c build(deps): bump golang.org/x/sys from 0.18.0 to 0.26.0 (#69)
  • 0b76013 build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0 (#61)
  • 2fa2592 build(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 (#58)
  • 00f8d2e build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0 (#53)
  • See full diff in compare view

Updates github.com/mikefarah/yq/v4 from 4.44.6 to 4.50.1

Release notes

Sourced from github.com/mikefarah/yq/v4's releases.

v4.50.1 - HCL!

  • Added HCL Support - First cut - hopefully it works well! (#1844)
  • Fixing handling of CRLF #2352
  • Bumped dependencies

v4.49.2

v4.49.1 - Security Flags and TOML fixes

  • Added --security flags to disable env and file ops #2515
  • Fixing TOML ArrayTable parsing issues #1758
  • Fixing parsing of escaped characters #2506

v4.48.2

v4.48.1 - First and Parents Operators

  • Added 'parents' operator, to return a list of all the hierarchical parents of a node
  • Added 'first(exp)' operator, to return the first entry matching an expression in an array
  • Fixed xml namespace prefixes #1730 (thanks @baodrate)
  • Fixed out of range panic in yaml decoder #2460 (thanks @n471d)
  • Bumped dependencies

v4.47.2

v4.47.1 - Merge Anchor fixes (with flag)

  • Fixed merge anchor behaviour (<<); #2404, #2110, #2386, #2178 Huge thanks to @stevenwdv! Note that you will need to set --yaml-fix-merge-anchor-to-spec to see the fixes
  • Fixed panic for syntax error when creating a map #2423
  • Bumped dependencies

v4.46.1 - INI support + bug fixes

  • Added INI support
  • Fixed 'add' operator when piped in with no data #2378, #2383, #2384
  • Fixed delete after slice problem (bad node path) #2387 Thanks @antoinedeschenes
  • Fixed yq small build Thanks @imzue
  • Switched to YAML org supported go-yaml!
  • Bumped dependencies

v4.45.4 - Fixing wrong map() behaviour on empty map

  • Fixing wrong map() behaviour on empty map #2359
  • Bumped dependencies

... (truncated)

Changelog

Sourced from github.com/mikefarah/yq/v4's changelog.

4.50.1:

  • Added HCL support!
  • Fixing handling of CRLF #2352
  • Bumped dependencies

4.49.2:

4.49.1:

  • Added --security flags to disable env and file ops #2515
  • Fixing TOML ArrayTable parsing issues #1758
  • Fixing parsing of escaped characters #2506

4.48.2:

4.48.1:

  • Added 'parents' operator, to return a list of all the hierarchical parents of a node
  • Added 'first(exp)' operator, to return the first entry matching an expression in an array
  • Fixed xml namespace prefixes #1730 (thanks @baodrate)
  • Fixed out of range panic in yaml decoder #2460 (thanks @n471d)
  • Bumped dependencies

4.47.2:

4.47.1:

  • Fixed merge anchor behaviour (<<); #2404, #2110, #2386, #2178 Huge thanks to @stevenwdv! Note that you will need to set --yaml-fix-merge-anchor-to-spec to see the fixes
  • Fixed panic for syntax error when creating a map #2423
  • Bumped dependencies

4.46.1:

  • Added INI support
  • Fixed 'add' operator when piped in with no data #2378, #2383, #2384
  • Fixed delete after slice problem (bad node path) #2387 Thanks @antoinedeschenes
  • Fixed yq small build Thanks @imzue
  • Switched to YAML org supported go-yaml!
  • Bumped dependencies

4.45.4:

  • Fixing wrong map() behaviour on empty map #2359

... (truncated)

Commits
  • 065b200 Bumping version
  • 745a7ff Preparing release
  • a305d70 Bump golang.org/x/net from 0.47.0 to 0.48.0
  • 0671ccd Bump github.com/zclconf/go-cty from 1.16.3 to 1.17.0
  • 4d8cd45 Bump golang.org/x/text from 0.31.0 to 0.32.0
  • d2d657e HCL improvements
  • f4fd8c5 Better roundtripping of HCL
  • e4bf8a1 Simplifying HCL decoder
  • fd40574 Add build tag to hcl_test.go to skip tests when HCL is disabled
  • 51ddf8d Update pkg/yqlib/format.go
  • Additional commits viewable in compare view

Updates github.com/spf13/pflag from 1.0.5 to 1.0.10

Release notes

Sourced from github.com/spf13/pflag's releases.

v1.0.10

Full Changelog: spf13/pflag@v1.0.9...v1.0.10

v1.0.9

Full Changelog: spf13/pflag@v1.0.8...v1.0.9

v1.0.8

⚠️ Breaking Change

This version, while only a patch bump, includes a (very minor) breaking change: the flag.ParseErrorsWhitelist struct and corresponding FlagSet.parseErrorsWhitelist field have been renamed to ParseErrorsAllowlist.

This should result in compilation errors in any code that uses these fields, which can be fixed by adjusting the names at call sites. There is no change in semantics or behavior of the struct or field referred to by these names. If your code compiles without errors after bumping to/past v1.0.8, you are not affected by this change.

The breaking change was reverted in v1.0.9, by means of re-introducing the old names with deprecation warnings. The plan is still to remove them in a future release, so if your code does depend on the old names, please change them to use the new names at your earliest convenience.

Full Changelog: spf13/pflag@v1.0.7...v1.0.8

v1.0.7

... (truncated)

Commits
  • 0491e57 Merge pull request #448 from thaJeztah/fix_go_version
  • 72abab1 Merge pull request #447 from thaJeztah/fix_deprecation_comment
  • 7e4dfb1 Test on Go 1.12
  • 18a9d17 move Func, BoolFunc, tests as they require go1.21
  • c5b9e98 remove uses of errors.Is, which requires go1.13
  • 45a4873 fix deprecation comment for (FlagSet.)ParseErrorsWhitelist
  • 1043857 Merge pull request #446 from spf13/fix-backwards-compat
  • 7412009 fix: Restore ParseErrorsWhitelist name for now
  • b9c16fa Merge pull request #444 from spf13/reset-args-even-if-empty
  • 40abc49 Merge pull request #443 from spf13/silence-errhelp
  • Additional commits viewable in compare view

Updates k8s.io/apimachinery from 0.31.4 to 0.31.14

Updates k8s.io/code-generator from 0.31.2 to 0.31.14

Commits
  • d16750b Update dependencies to v0.31.14 tag
  • 16efc01 Merge pull request #129741 from bobsongplus/automated-cherry-pick-of-#129629
  • 0ebe3ef Fix: touch /dev/null permission denied on macos
  • See full diff in compare view

Updates sigs.k8s.io/controller-tools from 0.16.5 to 0.20.0

Release notes

Sourced from sigs.k8s.io/controller-tools's releases.

v0.20.0

... (truncated)

Commits
  • 60c448e Merge pull request #1319 from sbueringer/pr-promo-envtest-1.35
  • b7d3668 Promotion of envtest release for Kubernetes v1.35.0
  • b5f217f Merge pull request #1317 from dongjiang1989/envtest-v1.35.0-rc.1
  • 3cbb76e Merge pull request #1318 from sbueringer/pr-bump-1.35
  • 52f5e83 add envtest version
  • 10c819c Adjust to changes in validation error messages
  • 9f6a8ba Adjust generated ApplyConfigurations to v0.35
  • 1c6de27 Bump to k8s.io/* v0.35.0
  • ed0bc4f Merge pull request #1316 from kubernetes-sigs/dependabot/github_actions/all-g...
  • 17ef504 Merge pull request #1315 from kubernetes-sigs/dependabot/go_modules/all-go-mo...
  • Additional commits viewable in compare view

Updates sigs.k8s.io/kind from 0.26.0 to 0.31.0

Release notes

Sourced from sigs.k8s.io/kind's releases.

v0.31.0

This release contains dependency updates and defaults to Kubernetes 1.35.0.

Please take note of the breaking changes from Kubernetes 1.35, and how to prepare for future changes to move off of the deprecated kubeadm v1beta3 in favor of v1beta4. We will include updated reminders for both again in subsequent releases.

The default node image is now kindest/node:v1.35.0@sha256:452d707d4862f52530247495d180205e029056831160e22870e37e3f6c1ac31f

Kubernetes will be removing cgroup v1 support, and therefore kind node images at those versions will also be dropping support.

You can read more about this change in the Kubernetes release blog: https://kubernetes.io/blog/2025/12/17/kubernetes-v1-35-release/#removal-of-cgroup-v1-support

If you must use kind on cgroup v1, we recommend using an older Kubernetes release for the immediate future, but we also strongly recommend migrating to cgroup v2.

In the near future as Kubernetes support dwindles, KIND will also clean up cgroup v1 workarounds and drop support in future kind releases and images, regardless of Kubernetes version.

Most stable linux distros should be on cgroupv2 out of the box.

This is a reminder to use pinned images by digest, see the note below about images for this release.

WARNING: Future kind releases will adopt kubeadm v1beta4 configuration, kubeadm v1beta4 has a breaking change to extraArgs: https://kubernetes.io/blog/2024/08/23/kubernetes-1-31-kubeadm-v1beta4/.

If you use the kubeadmConfigPatches feature then you may need to prepare for this change. We recommend that you use versioned config patches that explicitly match the version required.

KIND uses kubeadm v1beta3 for Kubernetes 1.23+, and will likely use v1beta4 for Kubernetes 1.36+. The exact version is TBD pending work to fix this but expected to be 1.36. It will definitely be an as-of-yet-unreleased Kubernetes version to avoid surprises, and it will not be on a patch-release boundary.

KIND may still work with older Kubernetes versions at v1beta2, but we no longer test or actively support these as Kubernetes only supports 1.32+ currently: https://kubernetes.io/releases/

You likely only need v1beta3 + v1beta4 patches; you can take your existing patches that work with v1beta3, explicitly set apiVersion: kubeadm.k8s.io/v1beta3 in the patch at the top level, and make another copy for v1beta4. The v1beta4 patch will need to move extraArgs from a map to a list, for examples see: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/

For a concrete example of kind config with kubeadm config patch targeting both v1beta3 and v1beta4, consider this simple kind config that sets verbosity of the apiserver logs:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
kubeadmConfigPatches:
# patch for v1beta3 (1.23 ...)
- |
  kind: ClusterConfiguration
  apiVersion: kubeadm.k8s.io/v1beta3
  apiServer:
    extraArgs:

... (truncated)

Updates sigs.k8s.io/kustomize/kustomize/v5 from 5.5.0 to 5.8.0

Release notes

Sourced from sigs.k8s.io/kustomize/kustomize/v5's releases.

kustomize/v5.8.0

IMPORTANT NOTICE: REGRESSION

Due to the new features introduced in this release, a regression has occurred in the functionality that propagates namespaces to child kustomizations. We are currently preparing a patch release, so please refrain from making changes to this version.

kubernetes-sigs/kustomize#6031

Highlights

implements to replacements value in the structured data

Now, we can edit yaml/json in yaml manifests with replacements transformer. See #5679

For example

## source
apiVersion: v1
kind: ConfigMap
metadata:
  name: source-configmap
data:
  HOSTNAME: www.example.com
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: target-configmap
data:
  config.json: |-
    {"config": {
      "id": "42",
      "hostname": "REPLACE_TARGET_HOSTNAME"
    }}
## replacement
replacements:
- source:
    kind: ConfigMap
    name: source-configmap
    fieldPath: data.HOSTNAME
  targets:
  - select:
      kind: ConfigMap
      name: target-configmap
    fieldPaths:

... (truncated)

Commits
  • 0054b5e Merge pull request #6009 from koba1t/pinToApi
  • 16391f3 Update api to v0.21.0
  • 6661fef Merge pull request #6008 from koba1t/pinToCmdConfig
  • 3c59244 Update cmd/config to v0.21.0
  • ade7bd6 Merge pull request #6007 from koba1t/pinToKyaml
  • 0fc7554 Update kyaml to v0.21.0
  • 8761791 fix(kyaml/yaml): minor nil safety fix for RNode.Content etc (#5985)
  • 153a372 Merge pull request #5679 from koba1t/implements_to_replacements_value_in_the_...
  • de01137 Merge pull request #5991 from isarns/fix/labels-without-selector-duplicate-ke...
  • 4d37afe style(cmd-edit-add-label): lint multiple labels without selector test
  • Additional commits viewable in compare view

Updates sigs.k8s.io/promo-tools/v4 from 4.0.5 to 4.1.0

Release notes

Sourced from sigs.k8s.io/promo-tools/v4's releases.

v4.1.0

Full Changelog: kubernetes-sigs/promo-tools@v4.0.5...v4.1.0

Commits
  • 2cce8c6 Merge pull request #1633 from justaugustus/release
  • e6eda12 Release commit: [email protected]
  • 77bb51d go.mod: Update go directive to 1.24.9
  • d64da5a Merge pull request #1632 from kubernetes-sigs/dependabot/go_modules/gomod-18c...
  • a7bb7c2 build(deps): bump sigs.k8s.io/release-sdk in the gomod group
  • b18e879 Merge pull request #1631 from kubernetes-sigs/dependabot/go_modules/golang.or...
  • ad0cd3d build(deps): bump golang.org/x/time from 0.13.0 to 0.14.0
  • 1fb5447 Merge pull request #1630 from kubernetes-sigs/dependabot/go_modules/golang.or...
  • 825b158 Merge pull request #1629 from kubernetes-sigs/dependabot/go_modules/gomod-6f1...
  • b518b82 build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will...

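The kind v0.31.0 note quoted above recommends carrying a kubeadm config patch for both API versions and pinning node images by digest. The following complete kind config is an added example, not the snippet from the kind release notes: the verbosity value 5 is an assumption, and the image digest is the one quoted in the note.

```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  # Node image pinned by digest, as the release note recommends
  # (digest copied from the kind v0.31.0 note above).
  image: kindest/node:v1.35.0@sha256:452d707d4862f52530247495d180205e029056831160e22870e37e3f6c1ac31f
kubeadmConfigPatches:
# v1beta3 patch (used for Kubernetes 1.23+ per the note): extraArgs is a map.
- |
  kind: ClusterConfiguration
  apiVersion: kubeadm.k8s.io/v1beta3
  apiServer:
    extraArgs:
      v: "5"
# v1beta4 copy of the same patch (expected for 1.36+): extraArgs becomes
# a list of name/value items, per the kubeadm v1beta4 reference linked above.
- |
  kind: ClusterConfiguration
  apiVersion: kubeadm.k8s.io/v1beta4
  apiServer:
    extraArgs:
    - name: v
      value: "5"
```

Because each patch declares its apiVersion at the top level, the same file can be kept across the v1beta3 to v1beta4 transition described in the note, with only the matching patch taking effect.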
dependabot bot commented on behalf of github Jan 14, 2026

Labels

The following labels could not be found: area/dependency, kind/cleanup, ok-to-test, release-note-none. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@spectro-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
To complete the pull request process, please assign after the PR has been reviewed.
You can assign the PR to them by writing /assign in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@spectro-prow

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a spectrocloud member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2025-3754
    • Module: github.com/cloudflare/circl
    • Found in: v1.3.7
    • Fixed in: v1.6.1
    • Example Traces:
      1. test/helpers/kubernetesversions/template.go:37:2: kubernetesversions.init calls framework.init, which eventually calls ecc.init
      2. test/helpers/kubernetesversions/template.go:37:2: kubernetesversions.init calls framework.init, which eventually calls ed448.init
      3. test/helpers/kubernetesversions/template.go:37:2: kubernetesversions.init calls framework.init, which eventually calls x25519.init
      4. test/helpers/kubernetesversions/template.go:37:2: kubernetesversions.init calls framework.init, which eventually calls ed25519.init
      5. test/helpers/kubernetesversions/template.go:37:2: kubernetesversions.init calls framework.init, which eventually calls ecc.init
  2. GO-2025-3553
    • Module: github.com/golang-jwt/jwt/v4
    • Found in: v4.5.1
    • Fixed in: v4.5.2
    • Example Traces:
      1. pkg/rosa/client.go:51:70: rosa.NewOCMClient calls ocm.Build, which eventually calls authentication.Build
  3. GO-2025-3595
    • Module: golang.org/x/net
    • Found in: v0.33.0
    • Fixed in: v0.38.0
    • Example Traces:
      1. pkg/rosa/externalauthproviders.go:52:35: rosa.UpdateExternalAuth calls v1.Send, which eventually calls bluemonday.sanitize
  4. GO-2025-4123
    • Module: github.com/dvsekhvalnov/jose2go
    • Found in: v1.6.0
    • Fixed in: v1.7.0
    • Example Traces:
      1. pkg/rosa/client.go:51:70: rosa.NewOCMClient calls ocm.Build, which eventually calls keyring.Get

Please review these findings and fix the issues before merging.


@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/cloud/services/eks/iam/iam.go:499:13
  2. G505: Blocklisted import crypto/sha1: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/work/bulwark/bulwark/target-repo/pkg/cloud/services/eks/iam/iam.go:22:2

Please review these findings and fix the issues before merging.
