deps(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
github.com/go-logr/logr	v1.4.2 → v1.4.3			require	patch
github.com/kubescape/kubevuln	v0.3.33 → v0.3.104			require	patch
github.com/kubescape/storage	v0.0.111 → v0.0.237			require	patch
github.com/onsi/ginkgo/v2	v2.20.2 → v2.27.5			require	minor
github.com/onsi/gomega	v1.34.2 → v1.39.0			require	minor
github.com/validator-labs/validator	v0.1.0 → v0.1.16			require	patch
golang	1.23 → 1.25			stage	minor
k8s.io/api	v0.31.0 → v0.35.0			require	minor
k8s.io/apimachinery	v0.31.0 → v0.35.0			require	minor
k8s.io/client-go	v0.31.0 → v0.35.0			require	minor
sigs.k8s.io/cluster-api	v1.8.2 → v1.12.1			require	minor
sigs.k8s.io/controller-runtime	v0.19.0 → v0.23.0			require	minor

---

Release Notes

go-logr/logr (github.com/go-logr/logr)

v1.4.3

Compare Source

Minor release.

What's Changed

• Fix slog tests for 1.25 by @​hoeppi-google in #​361
• Remove one exception from Slog testing by @​thockin in #​362

New Contributors

• @​hoeppi-google made their first contribution in #​361

Full Changelog: go-logr/logr@v1.4.2...v1.4.3

kubescape/kubevuln (github.com/kubescape/kubevuln)

v0.3.104

Compare Source

Use context.WithoutCancel when starting the OpenTelemetry span for GrypeAdapter.UpdateDB so the DB update won't be cancelled if the request context (e.g. a readiness probe) is cancelled

Summary by CodeRabbit

• Bug Fixes
  • Enhanced reliability of vulnerability database updates by preventing update operations from being interrupted by other system requests. This ensures the scanning database remains current and continuously available.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

v0.3.103

Compare Source

Grype DB updates can hang silently during the 24-hour refresh cycle, causing pods to fail readiness probes indefinitely with no recovery mechanism.

Changes

• Add 15-minute timeout to DB update operation using context.WithTimeout
• Execute update in goroutine with buffered channel to enable timeout handling
• Intelligent fallback behavior to prevent crashloop on slow networks:
  • Scheduled updates: On timeout, keeps existing DB and continues operating (retries in 24h)
  • Initial download: On timeout, restarts pod (no fallback available)
• Graceful degradation instead of always crashing on timeout

// Create a context with timeout to prevent stuck updates
// 15 minutes allows for slow network connections while still catching truly stuck downloads
updateCtx, cancel := context.WithTimeout(ctx, 15*time.Minute)
defer cancel()

// Track if we have an existing DB to fall back on
hasExistingDB := g.dbStatus != nil

// Buffered channel (size 1) prevents goroutine from blocking if timeout occurs
resultCh := make(chan updateResult, 1)

go func() {
    store, dbStatus, err := grype.LoadVulnerabilityDB(g.distCfg, g.installCfg, true)
    resultCh <- updateResult{store: store, dbStatus: dbStatus, err: err}
}()

select {
case result := <-resultCh:
    // Handle success/failure
case <-updateCtx.Done():
    if hasExistingDB {
        // Keep using old DB, log warning, stay ready
        logger.L().Ctx(ctx).Warning("grype DB update timed out after 15 minutes, continuing with existing DB")
        return true
    } else {
        // No DB to fall back on, must restart
        logger.L().Ctx(ctx).Error("grype DB initial download timed out after 15 minutes")
        tools.DeleteContents(g.installCfg.DBRootDir)
        os.Exit(0)
    }
}

Note: grype.LoadVulnerabilityDB does not accept context for cancellation, so the goroutine completes in background. The buffered channel ensures it won't block.

Behavior

• Stuck download during scheduled update: Logs warning, continues with existing DB, retries in next 24h cycle
• Stuck download during initial startup: Cleans cache and restarts pod
• Slow but functional network: 15-minute timeout accommodates slow downloads, preventing crashloop
• Update success: Updates DB normally
• Update error: Cleans cache and restarts pod (existing behavior)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Readiness probe fail stuck due to Grype DB unsucessful update</issue_title>
<issue_description># Description
Readiness probe fails and pods get stuck due to Grype DB unsuccessful updates. The issue occurs intermittently during the automatic 24-hour Grype DB refresh cycle. When this happens, no logs are generated indicating “updating grype db” or any retry attempts. The pod remains stuck, causing readiness probe failures.

Environment

OS: <your OS here>
Version: v0.3.82

Steps To Reproduce

1. Deploy Kubescape with Kubevuln integration enabled also custom endpoint we have for listing its a mirror of grype listings endpoint.
2. Let it run for a few days until the scheduled Grype DB update is triggered (every 24 hours).
3. Observe the logs during the DB update window.
4. At random cycles, the update process hangs silently with no retry attempts and Pod readiness probe fails, leaving the pod stuck.

Expected behavior

Grype DB should update successfully every 24 hours. If the update fails or stalls, Kubevuln should log an error and retry downloading the database instead of remaining stuck.

Actual Behavior

• Random failures during DB updates.
• No logs generated showing the update attempt.
• No retry mechanism triggered.
• Pods status is Ready but stuck due to readiness probe failures.
• As soon as deployment is restarted manually it works fine again.

Additional context

The issue was first noticed a few days after deployment when Grype DB updates failed silently. It seems the update process isn’t handling download errors and gets stuck with a lock, preventing the readiness probe from recovering. I tested by intentionally taking down our DB listing endpoint before deployment start, it clearly fails to download, falls back to the previous DB, and restarts gracefully until the endpoint is back. But when the deployment is already running and I take down the endpoint, it fails silently without retries. However, since our endpoints are normally available 24/7, I’m not sure where the issue lies but it should either retry and then restart itself when if readiness fails for a while.
</issue_description>

<agent_instructions>add a context timeout to restart the update or the Pod when it's stuck updating the grype DB</agent_instructions>

Comments on the Issue (you are @​copilot in this section)

@​matthyx actually the readiness probe should fail in that case... but maybe we could add a context timeout to restart the update or the Pod when it's stuck like that do you want to work on that @​Ripeey ?

• Fixes #​303

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Summary by CodeRabbit

• Bug Fixes
  • Vulnerability database updates now run asynchronously with a 15-minute timeout
  • Database gracefully falls back to the previous version if an update times out, ensuring continuous operation
  • Enhanced error handling with automatic restart when needed

_{✏️ Tip: You can customize this high-level summary in your review settings.}

v0.3.98

Compare Source

Bumps golang.org/x/crypto from 0.41.0 to 0.45.0.

Commits

• 4e0068c go.mod: update golang.org/x dependencies
• e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
• f91f7a7 ssh/agent: prevent panic on malformed constraint
• 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
• bcf6a84 acme: pass context to request
• b4f2b62 ssh: fix error message on unsupported cipher
• 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
• 122a78f go.mod: update golang.org/x dependencies
• c0531f9 all: eliminate vet diagnostics
• 0997000 all: fix some comments
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

v0.3.97

Compare Source

Bumps github.com/opencontainers/selinux from 1.12.0 to 1.13.0.

Release notes

Sourced from github.com/opencontainers/selinux's releases.

v1.13.0

What's Changed

• Switch to golangci-lint v2 by @​​kolyshkin in opencontainers/selinux#230
• build(deps): bump actions/checkout from 4 to 5 by @​​dependabot[bot] in opencontainers/selinux#233
• build(deps): bump actions/setup-go from 5 to 6 by @​​dependabot[bot] in opencontainers/selinux#234
• keyring: fix typo in EACCES check by @​​cyphar in opencontainers/selinux#235
• Add Go 1.25, drop go 1.23, bump golangci-lint by @​​kolyshkin in opencontainers/selinux#236
• selinux: migrate to pathrs-lite procfs API by @​​cyphar in opencontainers/selinux#237

Full Changelog: https://github.com/opencontainers/selinux/compare/v1.12.0...v1.13.0

Commits

• 4be9937 Merge pull request #​237 from cyphar/selinux-safe-procfs
• c8cfa6f selinux: migrate to pathrs-lite procfs API
• f2424d8 Merge pull request #​236 from kolyshkin/modernize-ci
• 648ce7f ci: add go 1.25
• 916cab9 ci: bump golangci-lint to v2.5
• b42e5c8 all: format sources with latest gofumpt
• 74393ea Merge pull request #​235 from cyphar/fix-keyring-err-check
• 6ec194b keyring: fix typo in EACCES check
• 879a755 Merge pull request #​234 from opencontainers/dependabot/github_actions/actions...
• 3c1bd9a build(deps): bump actions/setup-go from 5 to 6
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

v0.3.96

Compare Source

Bumps github.com/containerd/containerd from 1.7.28 to 1.7.29.

Release notes

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.29

Welcome to the v1.7.29 release of containerd!

The twenty-ninth patch release for containerd 1.7 contains various fixes and updates including security patches.

Security Updates

• containerd

  • GHSA-pwhc-rpq9-4c8w
  • GHSA-m6hq-p25p-ffr2

• runc

  • GHSA-qw9x-cqr3-wc7r
  • GHSA-cgrx-mc8f-2prm
  • GHSA-9493-h29p-rfm2

Highlights

Image Distribution

• Update differ to handle zstd media types (#​12018)

Runtime

• Update runc binary to v1.3.3 (#​12480)
• Fix lost container logs from quickly closing io (#​12375)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Phil Estes
• Austin Vazquez
• Sebastiaan van Stijn
• ningmingxiao
• Maksym Pavlenko
• StepSecurity Bot
• wheat2018

Changes

• 442cb34bd Merge commit from fork
• 0450f046e Fix directory permissions
• e5cb6ddb7 Merge commit from fork

... (truncated)

Commits

• 442cb34 Merge commit from fork
• e5cb6dd Merge commit from fork
• 9772966 Merge pull request #​12486 from dmcgowan/prepare-v1.7.29
• 1fc2daa Prepare release notes for v1.7.29
• 93f710a Merge pull request #​12480 from k8s-infra-cherrypick-robot/cherry-pick-12475-t...
• 68d04be Merge pull request #​12471 from austinvazquez/1_7_update_ci_go_and_images
• 3f5f9f8 runc: Update runc binary to v1.3.3
• 667409f ci: bump Go 1.24.9, 1.25.3
• 294f8c0 Update GHA runners to use latest images for basic binaries build
• cf66b41 Update GHA runners to use latest image for most jobs
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

v0.3.95

Compare Source

v0.3.94

Compare Source

Bumps github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0.

Commits

• 52fb4e8 allow max dictionary size to be set, with default now at 4GB
• 9f4b0d1 dont let the dictionary be larger than the unpacked file size
• 153fdf5 Merge pull request #​47 from nwaples/bytereader
• 3f140e5 document RarFS methods
• b4fc922 change os.FileMode to fs.FileMode
• edb01e7 add Seek support for uncompressed files
• 710bda2 add initial Seek support for limitedReader
• 9deacfb save offset in packetFileReader
• 4f0a750 change limitedReader to save offset internally
• 1c32663 split volume into readerVolume and fileVolume
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

v0.3.93

Compare Source

v0.3.92

Compare Source

What's Changed

• fix distro in packages before matching vulns by @​matthyx in #​309

Full Changelog: kubescape/kubevuln@v0.3.91...v0.3.92

v0.3.91

Compare Source

v0.3.90

Compare Source

v0.3.89

Compare Source

What's Changed

• add config toggle for partialRelevancy by @​matthyx in #​307

Full Changelog: kubescape/kubevuln@v0.3.88...v0.3.89

v0.3.88

Compare Source

v0.3.87

Compare Source

we should validate this

What's Changed

• fix VEX name (should use filtered CVE one) by @​matthyx in #​304

Full Changelog: kubescape/kubevuln@v0.3.86...v0.3.87

v0.3.86

Compare Source

Bumps github.com/ulikunitz/xz from 0.5.12 to 0.5.14.

Commits

• 7184815 Preparation of release v0.5.14
• 88ddf1d Address Security Issue GHSA-jc7w-c686-c4v9
• c8314b8 Add new package xio with WriteCloserStack
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

v0.3.85

Compare Source

Bumps github.com/hashicorp/go-getter from 1.7.6 to 1.7.9.

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.9

What's Changed

• Speed up XZ decompression by 5x with bufio wrapper by @​​vsarunas in hashicorp/go-getter#520
• Fix CI Workflow by @​​mohanmanikanta2299 in hashicorp/go-getter#522
• test: Remove use of "mitchellh/go-testing-interface" for stdlib by @​​jrasell in hashicorp/go-getter#523
• fix: url redact of multiple sshkey by @​​dduzgun-security in hashicorp/go-getter#528
• Publish arm binaries by @​​sethvargo in hashicorp/go-getter#525
• fix errcheck lint errors and run it as part of pr checks by @​​abhijeetviswa in hashicorp/go-getter#530
• fix additional lint errors and increase linter scope by @​​abhijeetviswa in hashicorp/go-getter#531
• IND-3728 enabling dependabot by @​​KaushikiAnand in hashicorp/go-getter#529
• fix: go-getter subdir paths by @​​dduzgun-security in hashicorp/go-getter#540

New Contributors

• @​​vsarunas made their first contribution in hashicorp/go-getter#520
• @​​jrasell made their first contribution in hashicorp/go-getter#523
• @​​sethvargo made their first contribution in hashicorp/go-getter#525
• @​​abhijeetviswa made their first contribution in hashicorp/go-getter#530
• @​​KaushikiAnand made their first contribution in hashicorp/go-getter#529

Full Changelog: https://github.com/hashicorp/go-getter/compare/v1.7.8...v1.7.9

v1.7.8

What's Changed

• sec: fix s3 and gcs host checks by @​​dduzgun-security in hashicorp/go-getter#512

Full Changelog: https://github.com/hashicorp/go-getter/compare/v1.7.7...v1.7.8

v1.7.7

What's Changed

• Clean up git repo on disk when the ref checkout fails by @​​james-warren0 in hashicorp/go-getter#504
• [COMPLIANCE] Add Copyright and License Headers by @​​hashicorp-copywrite in hashicorp/go-getter#409
• Add CODEOWNERS file in .github/CODEOWNERS by @​​mukeshjc in hashicorp/go-getter#505
• IND-1804 Bump up dependencies to remediate vulnerabiities by @​​mohanmanikanta2299 in hashicorp/go-getter#513
• Updating arguments in github release CI by @​​mohanmanikanta2299 in hashicorp/go-getter#514
• Updating .goreleaser.yml file with valid version by @​​mohanmanikanta2299 in hashicorp/go-getter#515

New Contributors

• @​​james-warren0 made their first contribution in hashicorp/go-getter#504
• @​​mukeshjc made their first contribution in hashicorp/go-getter#505
• @​​mohanmanikanta2299 made their first contribution in hashicorp/go-getter#513

Full Changelog: https://github.com/hashicorp/go-getter/compare/v1.7.6...v1.7.7

Commits

• e702211 Merge pull request #​532 from hashicorp/dependabot/github_actions/actions-8948...
• df0a14f [chore] : Bump the actions group with 8 updates
• 87541b2 fix: go-getter subdir paths (#​540)
• 3713030 [Compliance] - PR Template Changes Required
• af2dd3c Merge pull request #​529 from hashicorp/dependabot-intge
• bf52629 updating dependabot.yml
• 1f63e10 changelog added, updated dependabot.yaml
• 45af459 fix additional lint errors and increase linter scope
• c8c6aba fix errcheck lint errors and run it as part of pr checks
• 9b76f98 copywrite header added
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

v0.3.84

Compare Source

Bumps github.com/docker/docker from 27.4.0+incompatible to 28.0.0+incompatible.

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.0 milestone
• moby/moby, 28.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
  • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
• docker images --tree now shows metadata badges. docker/cli#5744
• docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
• Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
• docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
• Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

• The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
  • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
  • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
• DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
  • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
• Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
  • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.

  ---

  Configuration

  📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

  🚦 Automerge: Enabled.

  ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

  👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  ---

  • If you want to rebase/retry this PR, check this box

  ---

  This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 71 additional dependencies were updated

Details:

Package	Change
github.com/anchore/go-logger	v0.0.0-20230725134548-c21dafa1ec5a -> v0.0.0-20241205183533-4fc29b5832e7
github.com/anchore/packageurl-go	v0.1.1-0.20240312213626-055233e539b4 -> v0.1.1-0.20241018175412-5c22e6360c4f
github.com/anchore/stereoscope	v0.0.3-0.20240423181235-8b297badafd5 -> v0.0.11
github.com/anchore/syft	v1.3.0 -> v1.18.1
github.com/armosec/armoapi-go	v0.0.416 -> v0.0.512
github.com/armosec/gojay	v1.2.15 -> v1.2.17
github.com/armosec/utils-go	v0.0.57 -> v0.0.58
github.com/armosec/utils-k8s-go	v0.0.26 -> v0.0.30
github.com/bmatcuk/doublestar/v4	v4.6.1 -> v4.7.1
github.com/briandowns/spinner	v1.23.0 -> v1.23.1
github.com/containerd/errdefs	v0.1.0 -> v1.0.0
github.com/docker/cli	v24.0.7+incompatible -> v27.4.0+incompatible
github.com/docker/docker	v27.1.1+incompatible -> v27.4.0+incompatible
github.com/emicklei/go-restful/v3	v3.12.1 -> v3.12.2
github.com/evanphx/json-patch/v5	v5.9.0 -> v5.9.11
github.com/fatih/color	v1.17.0 -> v1.18.0
github.com/fsnotify/fsnotify	v1.7.0 -> v1.8.0
github.com/gabriel-vasile/mimetype	v1.4.3 -> v1.4.7
github.com/github/go-spdx/v2	v2.2.0 -> v2.3.2
github.com/gobuffalo/flect	v1.0.2 -> v1.0.3
github.com/google/cel-go	v0.20.1 -> v0.22.0
github.com/google/go-cmp	v0.6.0 -> v0.7.0
github.com/google/go-containerregistry	v0.20.1 -> v0.20.2
github.com/google/pprof	v0.0.0-20240827171923-fa2c70bbbfe5 -> v0.0.0-20250403155104-27863c87afa6
github.com/grpc-ecosystem/grpc-gateway/v2	v2.20.0 -> v2.26.1
github.com/klauspost/compress	v1.17.9 -> v1.17.11
github.com/kubescape/go-logger	v0.0.22 -> v0.0.23
github.com/kubescape/k8s-interface	v0.0.162 -> v0.0.191
github.com/pelletier/go-toml/v2	v2.2.2 -> v2.2.3
github.com/pierrec/lz4/v4	v4.1.15 -> v4.1.22
github.com/prometheus/client_golang	v1.19.1 -> v1.20.5
github.com/prometheus/common	v0.55.0 -> v0.61.0
github.com/sagikazarmark/locafero	v0.4.0 -> v0.7.0
github.com/spf13/afero	v1.11.0 -> v1.12.0
github.com/spf13/cast	v1.6.0 -> v1.7.1
github.com/spf13/cobra	v1.8.1 -> v1.9.1
github.com/spf13/pflag	v1.0.5 -> v1.0.6
github.com/spf13/viper	v1.19.0 -> v1.20.0
github.com/stoewer/go-strcase	v1.2.0 -> v1.3.0
github.com/stripe/stripe-go/v74	v74.28.0 -> v74.30.0
github.com/sylabs/squashfs	v0.6.1 -> v1.0.4
github.com/uptrace/opentelemetry-go-extra/otelutil	v0.2.2 -> v0.3.2
github.com/uptrace/opentelemetry-go-extra/otelzap	v0.2.2 -> v0.3.2
github.com/uptrace/uptrace-go	v1.18.0 -> v1.30.1
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.53.0 -> v0.58.0
go.opentelemetry.io/contrib/instrumentation/runtime	v0.44.0 -> v0.55.0
go.opentelemetry.io/otel	v1.28.0 -> v1.35.0
go.opentelemetry.io/otel/exporters/stdout/stdouttrace	v1.18.0 -> v1.30.0
go.opentelemetry.io/otel/metric	v1.28.0 -> v1.35.0
go.opentelemetry.io/otel/sdk	v1.28.0 -> v1.35.0
golang.org/x/crypto	v0.26.0 -> v0.36.0
golang.org/x/exp	v0.0.0-20240719175910-8a7402abbf56 -> v0.0.0-20241217172543-b2144cdd0a67
golang.org/x/net	v0.28.0 -> v0.37.0
golang.org/x/oauth2	v0.21.0 -> v0.28.0
golang.org/x/sync	v0.8.0 -> v0.12.0
golang.org/x/sys	v0.24.0 -> v0.32.0
golang.org/x/term	v0.23.0 -> v0.30.0
golang.org/x/text	v0.17.0 -> v0.23.0
golang.org/x/time	v0.5.0 -> v0.8.0
golang.org/x/tools	v0.24.0 -> v0.31.0
gomodules.xyz/jsonpatch/v2	v2.4.0 -> v2.5.0
google.golang.org/genproto/googleapis/api	v0.0.0-20240528184218-531527333157 -> v0.0.0-20250218202821-56aae31c358a
google.golang.org/genproto/googleapis/rpc	v0.0.0-20240701130421-f6361c86f094 -> v0.0.0-20250218202821-56aae31c358a
k8s.io/apiextensions-apiserver	v0.31.0 -> v0.32.3
k8s.io/apiserver	v0.31.0 -> v0.32.3
k8s.io/component-base	v0.31.0 -> v0.32.3
k8s.io/kube-openapi	v0.0.0-20240228011516-70dd3763d340 -> v0.0.0-20241105132330-32ad38e42d3f
k8s.io/utils	v0.0.0-20240711033017-18e509b52bc8 -> v0.0.0-20241210054802-24370beab758
sigs.k8s.io/apiserver-network-proxy/konnectivity-client	v0.30.3 -> v0.31.0
sigs.k8s.io/json	v0.0.0-20221116044647-bc3834ca7abd -> v0.0.0-20241014173422-cfa47c3a1cc8
sigs.k8s.io/structured-merge-diff/v4	v4.4.1 -> v4.5.0