Skip to content

build(deps): bump the go-dependencies group across 1 directory with 7 updates#2643

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-dependencies-edabd947b3
Closed

build(deps): bump the go-dependencies group across 1 directory with 7 updates#2643
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-dependencies-edabd947b3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the go-dependencies group with 6 updates in the / directory:

Package From To
github.com/docker/cli 29.4.3+incompatible 29.6.0+incompatible
github.com/gdamore/tcell/v2 2.13.9 2.13.10
github.com/google/go-containerregistry 0.21.5 0.21.7
github.com/moby/moby/api 1.54.2 1.55.0
github.com/moby/moby/client 0.4.1 0.5.0
github.com/onsi/gomega 1.40.0 1.42.0

Updates github.com/docker/cli from 29.4.3+incompatible to 29.6.0+incompatible

Commits
  • fb59821 Merge pull request #7062 from vvoland/update-docker
  • ee2f737 vendor: github.com/moby/moby/client v0.5.0
  • 1f80e23 vendor: github.com/moby/moby/api v1.55.0
  • 1d1562e Merge pull request #7029 from agirault/login-password-dash-stdin
  • 8c2e800 Merge pull request #7051 from thaJeztah/bump_moby
  • 233cd4a vendor: github.com/moby/moby/api v1.55.0-rc.1, moby/client v0.5.0-rc.1
  • 5b600d0 Merge pull request #7047 from thaJeztah/bump_go_events
  • e6decf4 Merge pull request #7048 from thaJeztah/bump_compress
  • a9284d1 Merge pull request #7049 from thaJeztah/bump_x_net
  • e7319c7 Merge pull request #7050 from thaJeztah/update_authors_mailmap
  • Additional commits viewable in compare view

Updates github.com/gdamore/tcell/v2 from 2.13.9 to 2.13.10

Commits
  • 7c37ddd revert: "refactor(simscreen): reuse drawCell encode buffers"
  • 6d9f5cf refactor(cell): hoist string(r) out of Fill loop
  • c42ac3b refactor(simscreen): reuse drawCell encode buffers
  • 520446f test: add SimulationScreen benchmarks
  • 0424b95 fix: possible panic in getConsoleInput if no event returned
  • 11d6323 fix: backport OSC 8 sanitizer to v2
  • See full diff in compare view

Updates github.com/google/go-containerregistry from 0.21.5 to 0.21.7

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.7

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.21.6...v0.21.7

v0.21.6

What's Changed

... (truncated)

Commits
  • c68d899 Bump go version to 1.26.4 (#2350)
  • da61d86 transport: do not re-attach bearer token after cross-host redirect (#2349)
  • 09fe1e5 fix(tarball): normalize paths when matching files (#2334)
  • 5baa399 build(deps): bump the go-deps group across 3 directories with 4 updates (#2348)
  • 97a8a17 fix(transport): apply refreshed bearer token after cross-host redirect (#2337)
  • e963497 internal/gzip: fix goroutine leak in ReadCloserLevel (#2347)
  • 02649ea fix: prevent SSRF in google.List() pagination (#2332)
  • 7204b40 build(deps): bump the actions group across 1 directory with 2 updates (#2344)
  • 4cfaa93 build(deps): bump the go-deps group across 1 directory with 2 updates (#2343)
  • 6849394 pkg/registry: export RedirectError (#2177)
  • Additional commits viewable in compare view

Updates github.com/moby/moby/api from 1.54.2 to 1.55.0

Release notes

Sourced from github.com/moby/moby/api's releases.

api/v1.55.0

1.55.0

Changelog

  • POST /containers/{id}/update now supports per-device blkio resource settingss. moby/moby#52651
  • The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636
  • docs: clarify swarm join required fields. moby/moby#52763

api/v1.55.0-rc.1

1.55.0-rc.1

Changelog

  • POST /containers/{id}/update now supports per-device blkio resource settingss. moby/moby#52651
  • The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636
  • docs: clarify swarm join required fields. moby/moby#52763
Commits
  • b6c53c2 Merge pull request #52773 from vvoland/c8d-amd64-variants
  • 01115e8 Merge pull request #52906 from vvoland/fix-TestContainerWithConflictingNoneNe...
  • b36296f Merge pull request #52913 from thaJeztah/windows_does_stats
  • a81aa78 TestContainerWithConflictingNoneNetwork: Extend Windows timeout
  • 908a35a Merge pull request #52914 from thaJeztah/no_stderr
  • 04d33b5 Merge pull request #52912 from thaJeztah/cleanup_GenerateRandomAlphaOnlyString
  • 3b2f557 Merge pull request #52722 from notandruu/integration/migrate-TestInspectAPIIm...
  • 62b3aae Merge pull request #52901 from vvoland/c8d-imageusage
  • 11d3342 integration-cli: un-skip stats tests on Windows
  • a47b1b2 Merge pull request #52891 from smerkviladze/attestations-clearer-blob-missing...
  • Additional commits viewable in compare view

Updates github.com/moby/moby/client from 0.4.1 to 0.5.0

Release notes

Sourced from github.com/moby/moby/client's releases.

client/0.5.0

0.5.0

Changelog

  • The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636

client/v0.5.0-rc.1

0.5.0-rc.1

Changelog

  • The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636
Changelog

Sourced from github.com/moby/moby/client's changelog.

0.5.0 (2013-07-17)

  • Runtime: List all processes running inside a container with 'docker top'
  • Runtime: Host directories can be mounted as volumes with 'docker run -v'
  • Runtime: Containers can expose public UDP ports (eg, '-p 123/udp')
  • Runtime: Optionally specify an exact public port (eg. '-p 80:4500')
  • Registry: New image naming scheme inspired by Go packaging convention allows arbitrary combinations of registries
  • Builder: ENTRYPOINT instruction sets a default binary entry point to a container
  • Builder: VOLUME instruction marks a part of the container as persistent data
  • Builder: 'docker build' displays the full output of a build by default
  • Runtime: 'docker login' supports additional options
  • Runtime: Dont save a container's hostname when committing an image.
  • Registry: Fix issues when uploading images to a private registry

0.4.8 (2013-07-01)

  • Builder: New build operation ENTRYPOINT adds an executable entry point to the container.
  • Runtime: Fix a bug which caused 'docker run -d' to no longer print the container ID.
  • Tests: Fix issues in the test suite

0.4.7 (2013-06-28)

  • Registry: easier push/pull to a custom registry
  • Remote API: the progress bar updates faster when downloading and uploading large files
  • Remote API: fix a bug in the optional unix socket transport
  • Runtime: improve detection of kernel version
  • Runtime: host directories can be mounted as volumes with 'docker run -b'
  • Runtime: fix an issue when only attaching to stdin
  • Runtime: use 'tar --numeric-owner' to avoid uid mismatch across multiple hosts
  • Hack: improve test suite and dev environment
  • Hack: remove dependency on unit tests on 'os/user'
  • Documentation: add terminology section

0.4.6 (2013-06-22)

  • Runtime: fix a bug which caused creation of empty images (and volumes) to crash.

0.4.5 (2013-06-21)

  • Builder: 'docker build git://URL' fetches and builds a remote git repository
  • Runtime: 'docker ps -s' optionally prints container size
  • Tests: Improved and simplified
  • Runtime: fix a regression introduced in 0.4.3 which caused the logs command to fail.
  • Builder: fix a regression when using ADD with single regular file.

0.4.4 (2013-06-19)

  • Builder: fix a regression introduced in 0.4.3 which caused builds to fail on new clients.

0.4.3 (2013-06-19)

  • Builder: ADD of a local file will detect tar archives and unpack them
  • Runtime: Remove bsdtar dependency
  • Runtime: Add unix socket and multiple -H support
  • Runtime: Prevent rm of running containers
  • Runtime: Use go1.1 cookiejar
  • Builder: ADD improvements: use tar for copy + automatically unpack local archives

... (truncated)

Commits
  • 51f6c4a Merge pull request #1227 from dotcloud/bump_0.5.0
  • f4eaec3 Merge pull request #1226 from metalivedev/easydockerfile
  • b083418 change -b -> -v and add udp example
  • 5794857 Merge pull request #1169 from crosbymichael/buildfile-tests
  • e7f3f6f Add unit tests for buildfile config instructions
  • aa56714 Make dockerfile docs easier to find. Clean up formatting.
  • f8dfd0a Merge pull request #1225 from dotcloud/hotfix_docker_rmi
  • 3dbf9c6 Merge pull request #1219 from metalivedev/docs-repoupdate
  • de563a3 Merge pull request #1194 from crosbymichael/build-verbose
  • 9cf2b41 change rm usage in docs
  • Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.40.0 to 1.42.0

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.42.0

1.42.0

Add a set of Claude skill as a marketplace plugin

v1.41.0

No release notes provided.

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.42.0

Add a set of Claude skill as a marketplace plugin

1.41.0

Features

Add BeASlice and BeAnArray matchers

Fixes

Object formatting now detects pointer cycles to avoid runaway formatting output.

Commits
  • 35ca084 v1.42.0
  • d72697b v1.42.0 (full)
  • 1f95d86 add a set of claude skills as a marketplace plugin
  • af2bccb v1.41.0
  • 73e81f6 v1.41.0 (full)
  • e35a84f feat: devcontainer configuration with local pkgsite and GH pages
  • f12e5e1 fix(format): detect pointer cycles to avoid runaway formatting output
  • e14831f Add optionalDescription docs to AsyncAssertion and Assertion interfaces
  • 344b94d Add BeASlice and BeAnArray matchers
  • See full diff in compare view

Updates golang.org/x/mod from 0.36.0 to 0.37.0

Commits
  • deb1dfc go.mod: update golang.org/x dependencies
  • 087f651 modfile: use slices.Backward
  • 343ee60 x/mod: allow for aggressively conslidating requires
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code type/chore Issue that requests non-user facing changes. labels Jun 23, 2026
@dependabot dependabot Bot requested review from a team as code owners June 23, 2026 15:49
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 23, 2026
@github-actions github-actions Bot added this to the 0.41.0 milestone Jun 23, 2026
@dependabot
build(deps): bump the go-dependencies group across 1 directory with 7…
f3b3b83 
… updates

Bumps the go-dependencies group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/docker/cli](https://github.com/docker/cli) | `29.4.3+incompatible` | `29.6.0+incompatible` |
| [github.com/gdamore/tcell/v2](https://github.com/gdamore/tcell) | `2.13.9` | `2.13.10` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.5` | `0.21.7` |
| [github.com/moby/moby/api](https://github.com/moby/moby) | `1.54.2` | `1.55.0` |
| [github.com/moby/moby/client](https://github.com/moby/moby) | `0.4.1` | `0.5.0` |
| [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.40.0` | `1.42.0` |



Updates `github.com/docker/cli` from 29.4.3+incompatible to 29.6.0+incompatible
- [Commits](docker/cli@v29.4.3...v29.6.0)

Updates `github.com/gdamore/tcell/v2` from 2.13.9 to 2.13.10
- [Release notes](https://github.com/gdamore/tcell/releases)
- [Changelog](https://github.com/gdamore/tcell/blob/main/CHANGESv3.md)
- [Commits](gdamore/tcell@v2.13.9...v2.13.10)

Updates `github.com/google/go-containerregistry` from 0.21.5 to 0.21.7
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.5...v0.21.7)

Updates `github.com/moby/moby/api` from 1.54.2 to 1.55.0
- [Release notes](https://github.com/moby/moby/releases)
- [Commits](moby/moby@api/v1.54.2...api/v1.55.0)

Updates `github.com/moby/moby/client` from 0.4.1 to 0.5.0
- [Release notes](https://github.com/moby/moby/releases)
- [Changelog](https://github.com/moby/moby/blob/v0.5.0/CHANGELOG.md)
- [Commits](moby/moby@v0.4.1...v0.5.0)

Updates `github.com/onsi/gomega` from 1.40.0 to 1.42.0
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.40.0...v1.42.0)

Updates `golang.org/x/mod` from 0.36.0 to 0.37.0
- [Commits](golang/mod@v0.36.0...v0.37.0)

---
updated-dependencies:
- dependency-name: github.com/docker/cli
  dependency-version: 29.6.0+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/gdamore/tcell/v2
  dependency-version: 2.13.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: github.com/moby/moby/api
  dependency-version: 1.55.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/moby/moby/client
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: golang.org/x/mod
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/go-dependencies-edabd947b3 branch from 1cf31f2 to f3b3b83 Compare June 23, 2026 16:19
@jjbustamante jjbustamante mentioned this pull request Jun 23, 2026
Merged
2 tasks
@jjbustamante

jjbustamante commented Jun 23, 2026

Copy link
Copy Markdown
Member

Closing this one. It doesn't resolve the CVEs we're tracking and it reintroduces a known acceptance break:

  • It doesn't touch github.com/docker/docker, which owns 5 of our 6 remaining grype findings (the daemon-side AuthZ/plugin/docker cp/decompression advisories). Those have no fixed version in the docker/docker module — only in moby/moby/v2, which we don't consume. And docker/cli GO-2026-4610 is already remediated (we ship 29.4.3 > fixed 29.2.0). So there's no CVE benefit here.
  • The moby/moby/client 0.4.1 → 0.5.0 + moby/moby/api 1.54.2 → 1.55.0 jump is ahead of imgutil (still pinned to moby/moby/client 0.2.x even on its main branch) and breaks daemon rebase (rebase app image: could not find base layer in image). The go-containerregistry 0.21.5 → 0.21.7 bump breaks manifest annotate. Both fail acceptance.

The security-relevant pieces have already landed separately (x/crypto, x/net, go-git in #2641; Go 1.25.11 in #2642), and the remaining docker findings are handled as documented non-impactful suppressions in #2644. We'll revisit the moby/docker/ggcr bumps once imgutil supports moby/moby/client 0.5.0.

@dependabot @github

dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/go_modules/go-dependencies-edabd947b3 branch June 23, 2026 16:34
@jjbustamante jjbustamante removed this from the 0.41.0 milestone Jun 23, 2026
@jjbustamante jjbustamante mentioned this pull request Jun 23, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code type/chore Issue that requests non-user facing changes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jjbustamante