Bump the common group across 1 directory with 30 updates

[dependabot]

Bumps the common group with 23 updates in the / directory:

Package	From	To
github.com/CycloneDX/cyclonedx-go	0.9.1	0.9.2
github.com/alicebob/miniredis/v2	2.33.0	2.34.0
github.com/antchfx/htmlquery	1.3.3	1.3.4
github.com/aws/aws-sdk-go-v2	1.32.5	1.32.7
github.com/aws/aws-sdk-go-v2/config	1.28.5	1.28.7
github.com/aws/aws-sdk-go-v2/service/ec2	1.193.0	1.198.1
github.com/aws/aws-sdk-go-v2/service/ecr	1.36.6	1.36.8
github.com/aws/aws-sdk-go-v2/service/s3	1.68.0	1.71.1
github.com/containerd/containerd/v2	2.0.0	2.0.1
github.com/docker/cli	27.3.1+incompatible	27.4.1+incompatible
github.com/docker/docker	27.3.1+incompatible	27.4.1+incompatible
github.com/gocsaf/csaf/v3	3.1.0	3.1.1
github.com/moby/buildkit	0.17.2	0.18.2
github.com/open-policy-agent/opa	0.70.0	1.0.0
github.com/secure-systems-lab/go-securesystemslib	0.8.0	0.9.0
github.com/sigstore/rekor	1.3.6	1.3.7
github.com/spf13/cast	1.7.0	1.7.1
github.com/tetratelabs/wazero	1.8.1	1.8.2
github.com/zclconf/go-cty	1.15.0	1.15.1
google.golang.org/protobuf	1.35.2	1.36.0
helm.sh/helm/v3	3.16.3	3.16.4
k8s.io/api	0.31.3	0.32.0
modernc.org/sqlite	1.34.1	1.34.4

Updates github.com/CycloneDX/cyclonedx-go from 0.9.1 to 0.9.2

Release notes

Sourced from github.com/CycloneDX/cyclonedx-go's releases.

v0.9.2

Changelog

Features

• 39ede217f126cfbc80eabf880f6643be3d392a4f: feat: add MarshalXML and UnmarshalXML (@​DmitriyLewen)
• e9191ed11a269fcb6b3fb54e000ed6d81b5bf9db: feat: add UnmarshalJSON (@​DmitriyLewen)

Fixes

• 80fede1f13a956d35eb14696cd2ca9d2d943f809: fix: add json tag for Identity (@​DmitriyLewen)
• 24e9503293f0837e6e7ea3ff670ef958e6075b87: fix: tests (@​DmitriyLewen)
• d68a199bc1747e5d6a7d4196c2f270535bbf6e3e: fix: use identity as array in valid-evidence.json (@​DmitriyLewen)
• ff9cc28f9c9554328bd6c1ad56098be5a692d5e9: fix: use componentEvidence array for Evidence.Identity field (@​DmitriyLewen)

Building and Packaging

• 016ee293d464d6383be3a714f7fb0debebef8ad5: build(deps): bump actions/checkout from 4.1.7 to 4.2.0 (@​dependabot[bot])
• 77153ab5fe005f6484ac1e1225e7152df00db3f1: build(deps): bump actions/checkout from 4.2.0 to 4.2.1 (@​dependabot[bot])
• 4f50d02c1282ac1d0d7448502b231a0e84a1e529: build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (@​dependabot[bot])
• b84451219e77e0fbbe7d5ba054bcf25dbc7aaea4: build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (@​dependabot[bot])
• 238cbea3479fed9fdfcbfa5f1751828390a05211: build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 (@​dependabot[bot])
• bbe8f3c2c7c4567514ae966c69bf93fc1b3dba2a: build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (@​dependabot[bot])
• 05f8930fe918a31941ebf90eec627e5e6e908d1c: build(deps): bump github.com/terminalstatic/go-xsd-validate (@​dependabot[bot])
• 082f87791a5e290c9d4c6e8126dc0cc987028a60: build(deps): bump gitpod/workspace-go from 2a9e01c to 9c95281 (@​dependabot[bot])
• 093b1c15164dad5d46768db0e3f6ee43eb60ca20: build(deps): bump gitpod/workspace-go from 9c95281 to 6932342 (@​dependabot[bot])
• 47b7e01ce8f8209894065e9656217b8c00a3c8ea: build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 (@​dependabot[bot])
• ce6eb841cb1e21aa28efbccd9eb8fe5eea0555c9: build(deps): bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0 (@​dependabot[bot])

Others

• 4d3aff9fab9ae78bd6fbbc9fd0912fab14c8fb64: UPDATE_SNAPSHOTS=true make test (@​DmitriyLewen)
• 31d954443e6563aeee69d82bdfb82aee83e07df1: refactor (@​DmitriyLewen)
• 0170729e313a681fc8659643601410ae10ffe803: refactor: update convert package (@​DmitriyLewen)

Commits

• cba06ff Merge pull request #205 from CycloneDX/dependabot/go_modules/github.com/termi...
• 5c81749 Merge pull request #211 from CycloneDX/dependabot/github_actions/actions/setu...
• 753526c Merge pull request #204 from DmitriyLewen/fix/componentEvidence-as-array
• 4d3aff9 UPDATE_SNAPSHOTS=true make test
• d68a199 fix: use identity as array in valid-evidence.json
• 24e9503 fix: tests
• 238cbea build(deps): bump actions/setup-go from 5.1.0 to 5.2.0
• a7f7415 Merge branch 'master' of github.com:DmitriyLewen/cyclonedx-go into fix/compon...
• 05f8930 build(deps): bump github.com/terminalstatic/go-xsd-validate
• 464d426 Merge pull request #202 from CycloneDX/dependabot/github_actions/actions/chec...
• Additional commits viewable in compare view

Updates github.com/alicebob/miniredis/v2 from 2.33.0 to 2.34.0

Release notes

Sourced from github.com/alicebob/miniredis/v2's releases.

add ZRANK/ZREVRANK, fix ZINTERSTORE and XTRIM

• fix ZINTERSTORE where target is one of the source sets
• added support for ZRank and ZRevRank with score (thanks Jeff Howell)
• fix MEMORY subcommand casing (thanks @​joshaber)
• use streamCmp in Xtrim (thanks @​daniel-cohere)

Changelog

Sourced from github.com/alicebob/miniredis/v2's changelog.

v2.34.0

• fix ZINTERSTORE where target is one of the source sets
• added support for ZRank and ZRevRank with score (thanks Jeff Howell)
• fix MEMORY subcommand casing (thanks @​joshaber)
• use streamCmp in Xtrim (thanks @​daniel-cohere)

Commits

• c5669ae changelog for v2.34.0
• 5320c5c Merge pull request #391 from daniel-cohere/streamCmp-in-xtrim
• e4791b5 use streamCmp in Xtrim
• ef93126 Fix MEMORY subcommand casing (#389)
• 1863d22 inttest and fix some returns
• 5056952 added support for ZRank and ZRevRank with score
• 08e664a update dependency
• 12d2a70 CI against go 1.23
• 8225546 fix ZINTERSTORE where target is one of the source sets
• See full diff in compare view

Updates github.com/antchfx/htmlquery from 1.3.3 to 1.3.4

Release notes

Sourced from github.com/antchfx/htmlquery's releases.

v1.3.4

Update packages:

• update golang.org/x/net from v0.7.0 to v0.33.0
• update github.com/antchfx/xpath from v1.3.2 to v1.3.3

Commits

• 8189c48 Bump golang.org/x/net from 0.7.0 to 0.33.0
• 23f943c update github.com/antchfx/xpath to v1.3.3
• See full diff in compare view

Updates github.com/aws/aws-sdk-go-v2 from 1.32.5 to 1.32.7

Commits

• 5a96470 Release 2024-12-19
• 653aa80 Regenerated Clients
• d02b239 Update endpoints model
• 698d709 Update API model
• 885de40 Fix improper use of Printf-style functions (#2934)
• 858298a Release 2024-12-18
• f58264a Regenerated Clients
• df31082 Update endpoints model
• 346690e Update API model
• 4515454 Release 2024-12-17
• Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/config from 1.28.5 to 1.28.7

Commits

• 5a96470 Release 2024-12-19
• 653aa80 Regenerated Clients
• d02b239 Update endpoints model
• 698d709 Update API model
• 885de40 Fix improper use of Printf-style functions (#2934)
• 858298a Release 2024-12-18
• f58264a Regenerated Clients
• df31082 Update endpoints model
• 346690e Update API model
• 4515454 Release 2024-12-17
• Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/credentials from 1.17.46 to 1.17.48

Commits

• 5a96470 Release 2024-12-19
• 653aa80 Regenerated Clients
• d02b239 Update endpoints model
• 698d709 Update API model
• 885de40 Fix improper use of Printf-style functions (#2934)
• 858298a Release 2024-12-18
• f58264a Regenerated Clients
• df31082 Update endpoints model
• 346690e Update API model
• 4515454 Release 2024-12-17
• Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/service/ec2 from 1.193.0 to 1.198.1

Commits

• 5a96470 Release 2024-12-19
• 653aa80 Regenerated Clients
• d02b239 Update endpoints model
• 698d709 Update API model
• 885de40 Fix improper use of Printf-style functions (#2934)
• 858298a Release 2024-12-18
• f58264a Regenerated Clients
• df31082 Update endpoints model
• 346690e Update API model
• 4515454 Release 2024-12-17
• Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/service/ecr from 1.36.6 to 1.36.8

Commits

• 5a96470 Release 2024-12-19
• 653aa80 Regenerated Clients
• d02b239 Update endpoints model
• 698d709 Update API model
• 885de40 Fix improper use of Printf-style functions (#2934)
• 858298a Release 2024-12-18
• f58264a Regenerated Clients
• df31082 Update endpoints model
• 346690e Update API model
• 4515454 Release 2024-12-17
• Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/service/s3 from 1.68.0 to 1.71.1

Commits

• 5a96470 Release 2024-12-19
• 653aa80 Regenerated Clients
• d02b239 Update endpoints model
• 698d709 Update API model
• 885de40 Fix improper use of Printf-style functions (#2934)
• 858298a Release 2024-12-18
• f58264a Regenerated Clients
• df31082 Update endpoints model
• 346690e Update API model
• 4515454 Release 2024-12-17
• Additional commits viewable in compare view

Updates github.com/containerd/containerd/v2 from 2.0.0 to 2.0.1

Release notes

Sourced from github.com/containerd/containerd/v2's releases.

containerd 2.0.1

Welcome to the v2.0.1 release of containerd!

The first patch release for containerd 2.0 includes a number of bug fixes and improvements.

Highlights

Container Runtime Interface (CRI)

• Fix apply IoOwner options when not in user namespace (#11151)
• Fix cri grpc plugin config migration (#11140)
• Support CNI STATUS Verb (containerd/go-cni#123)

Image Distribution

• Update differ to handle zstd media types (#11068)

Runtime

• Update runc binary to v1.2.3 (#11142)
• Fix panic due to nil dereference cgroups v2 (#11098)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Wei Fu
• Archit Kulkarni
• Jin Dong
• Phil Estes
• Akhil Mohan
• Akihiro Suda
• Alexey Lunev
• Austin Vazquez
• Maksym Pavlenko
• Mike Brown
• Michael Zappa
• Samuel Karp
• Sebastiaan van Stijn
• Andrey Smirnov
• Davanum Srinivas

Changes

• Prepare release notes for v2.0.1 (#11158)
  • b0ece5dc5 Prepare release notes for v2.0.1

... (truncated)

Commits

• 88aa2f5 Merge pull request #11158 from dmcgowan/prepare-v2.0.1
• b0ece5d Prepare release notes for v2.0.1
• e206c07 Merge pull request #11154 from k8s-infra-cherrypick-robot/cherry-pick-11122-t...
• fe69570 build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0
• eb2d0c4 Merge pull request #11153 from k8s-infra-cherrypick-robot/cherry-pick-11130-t...
• eb2ce68 update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+
• c11f124 Merge pull request #11139 from k8s-infra-cherrypick-robot/cherry-pick-11086-t...
• 8c6dd50 Merge pull request #11151 from k8s-infra-cherrypick-robot/cherry-pick-11104-t...
• e9004f0 Merge pull request #11146 from k8s-infra-cherrypick-robot/cherry-pick-11135-t...
• c403b64 Merge pull request #11140 from k8s-infra-cherrypick-robot/cherry-pick-11061-t...
• Additional commits viewable in compare view

Updates github.com/docker/cli from 27.3.1+incompatible to 27.4.1+incompatible

Commits

• b9d17ea Merge pull request #5700 from thaJeztah/27.x_backport_remove_use_of_netfilter...
• a08a120 cli/command/system: remove BridgeNfIptables, BridgeNfIp6tables in tests
• 4870b3d Merge pull request #5699 from thaJeztah/27.x_backport_remove_system_isabs
• d3b59fb cli/command/container: use local copy of pkg/system.IsAbs
• ac40240 Merge pull request #5685 from thaJeztah/27.x_backport_bump_xx
• 3fa9480 Merge pull request #5690 from thaJeztah/27.x_backport_bump_gomd2man
• fce7c04 Merge pull request #5692 from thaJeztah/27.x_backport_remove_netfilter_warnings
• 70815c1 cli/command/system: remove netfilter warnings from tests
• 12d98b0 update go-md2man to v2.0.5
• f9783ec update xx to v1.6.1 for compatibility with alpine 3.21
• Additional commits viewable in compare view

Updates github.com/docker/docker from 27.3.1+incompatible to 27.4.1+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v27.4.1

27.4.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 27.4.1 milestone
• moby/moby, 27.4.1 milestone

Bug fixes and enhancements

• Fix excessive memory allocations when OTel is not configured. moby/moby#49079
• The docker info command and the corresponding GET /info API endpoint no longer include warnings when bridge-nf-call-iptables or bridge-nf-call-ip6tables are disabled at the daemon is started. The br_netfilter kernel module is now attempted to be loaded when needed, which made those warnings inaccurate. moby/moby#49090
• Attempt to load kernel modules, including ip6_tables and br_netfilter when required, using a method that is likely to succeed inside a Docker-in-Docker container. moby/moby#49043
• Fix a bug that could result in an iptables DOCKER FILTER chain not being cleaned up on failure. moby/moby#49110

Deprecations

• pkg/system: Deprecate Lstat(), Mkdev(), Mknod(), FromStatT() and Stat() functions, and related StatT types. These were only used internally, and will be removed in the next release. moby/moby#49100
• libnetwork/iptables: Deprecate IPV, Iptables and IP6Tables types in favor of IPVersion, IPv4, and IPv6. This type and consts will be removed in the next release. moby/moby#49093
• libnetwork/iptables: Deprecate Passthrough. This function was only used internally, and will be removed in the next release. moby/moby#49119

Packaging updates

• Update Compose to v2.32.1. docker/docker-ce-packaging#1130
• Update Buildx to v0.19.3. docker/docker-ce-packaging#1132
• Update runc to v1.2.3 (static packages only). moby/moby#49085

v27.4.0

27.4.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 27.4.0 milestone
• moby/moby, 27.4.0 milestone

API

• GET /images/json with the manifests option enabled now preserves the original order in which manifests appeared in the manifest-index. moby/moby#48712

Bug fixes and enhancements

• When reading logs with the jsonfile or local log drivers, any errors while trying to read or parse underlying log files will cause the rest of the file to be skipped and move to the next log file (if one exists) rather than returning an error to the client and closing the stream. The errors are viewable in the Docker Daemon logs and exported to traces when tracing is configured. moby/moby#48842
• When reading log files, compressed log files are now only decompressed when needed rather than decompressing all files before starting the log stream. moby/moby#48842
• Fix an issue that meant published ports from one container on a bridge network were not accessible from another container on the same network with userland-proxy disabled, if the kernel's br_netfilter module was not loaded and enabled. The daemon will now attempt to load the module and enable bridge-nf-call-iptables or bridge-nf-call-ip6tables when creating a network with the userland proxy disabled. moby/moby#48685
• Fix loading of bridge and br_netfilter kernel modules. moby/moby#48966
• containerd image store: Fix Docker daemon failing to fully start with a "context deadline exceeded error" with containerd snapshotter and many builds/images. moby/moby#48954
• containerd image-store: Fix partially pulled images not being garbage-collected. moby#48910, moby/moby#48957
• containerd image store: Fix docker image inspect outputting duplicate references in RepoDigests. moby/moby#48785

... (truncated)

Commits

• c710b88 Merge pull request #49119 from thaJeztah/27.x_backport_libnetwork_deprecate_P...
• eda0a20 libnetwork/iptables: deprecate Passthrough
• b51622d libnet/iptables: deprecate type IPV
• 829ac83 Merge pull request #49104 from thaJeztah/27.x_backport_update_swagger_headers
• bd7da11 Merge pull request #49110 from thaJeztah/27.x_backport_fix_setupIPChains_defer
• 135b144 Merge pull request #49105 from thaJeztah/27.x_backport_testing-suse-apparmor
• 08de719 libnetwork/drivers/bridge: setupIPChains: fix defer checking wrong err
• 2a62319 Merge pull request #49100 from thaJeztah/27.x_backport_deprecate_pkg_system
• 6855ca1 integration-cli: don't skip AppArmor tests on SLES
• 224b305 docs/api: document correct case for Api-Version header
• Additional commits viewable in compare view

Updates github.com/gocsaf/csaf/v3 from 3.1.0 to 3.1.1

Release notes

Sourced from github.com/gocsaf/csaf/v3's releases.

v3.1.1

Release 3.1.1

• ensure HTTP requests use proxy env vars (Thanks to @​ncsc-ie-devs)

Commits

• 1daaed2 ensure HTTP requests use proxy env vars (#597)
• 18af28f Merge pull request #600 from gocsaf/docs-proxy-for-2
• b8a9803 fix docs link to standard
• 678f232 Merge pull request #593 from gocsaf/add-upload-permission
• 2435abe Merge pull request #594 from gocsaf/update_go_3rd_party_libs_2024_11_22
• 3dc84f3 Merge pull request #598 from gocsaf/docs-readme-12
• b218084 Update README.md that go paths can be adjusted
• 9495d8b Update Go 3rd party libs
• f6d7589 Add required upload permissions
• See full diff in compare view

Updates github.com/moby/buildkit from 0.17.2 to 0.18.2

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.18.2

buildkit 0.18.2

Welcome to the v0.18.2 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Notable Changes

• Builtin Dockerfile frontend has been updated to v1.12.1 changelog
• Fix possible concurrent map write error #5577
• Update Runc to v1.2.3 to fix possible build error when using parallel cache mounts #5588 #5590

Dependency Changes

This release has no dependency changes

Previous release can be found at v0.18.1

v0.18.1

Welcome to the v0.18.1 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Notable Changes

• Fix issue where builds from older versions of clients/frontends could result in missing "no-cache" behavior or original Dockerfile commands could be missing in progress output #5563

Dependency Changes

This release has no dependency changes

Previous release can be found at v0.18.0

v0.18.0

Welcome to the v0.18.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

... (truncated)

Commits

• e4da654 Merge pull request #5601 from tonistiigi/v0.18.2-picks
• 987b409 dockerfile: fix named context replacement for child stages
• 873382b dockerfile: fix onbuild propagation for child stages
• 6614837 dockerfile: add regression test for parallel cache mounts
• 25649b3 Dockerfile: update runc binary to v1.2.3
• 36a6e05 llb: avoid concurrent map write on parallel marshal
• 4241ae2 update xx to v1.6.1
• 715418b hack: remove loong64 validation in archutil
• eb68885 Merge pull request #5564 from tonistiigi/v0.18.1-picks
• ec39add llbsolver: fix recompute test and avoid struct copy
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 0.70.0 to 1.0.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.0.0

NOTES:

• The minimum version of Go required to build the OPA module is 1.22

We are excited to announce OPA 1.0, a milestone release consolidating an improved developer experience for the future of Policy as Code. The release makes new functionality designed to simplify policy writing and improve the language's consistency the default.

Changes to Rego in OPA 1.0

Below we highlight some key changes to the defaults in OPA 1.0:

• Using if for all rule definitions and contains for multi-value rules is now mandatory, not just when using the rego.v1 import.
• Other new keywords (every, in) are available without any imports.
• Previously requirements that were only run in "strict mode" (like opa check --strict) are now the default. Duplicate imports and imports which shadow each other are no longer allowed.
• OPA 1.0 comes with a range of backwards compatibility features to aid your migrations, please see the v0 compatibility guide if you must continue to support v0 Rego.

Read more about the OPA 1.0 announcement here on our blog.

Following are other changes that are included in OPA 1.0.

Improvements to memory allocations

PRs #7172, #7190, #7193, #7165, #7168, #7191 & #7222 together improve the memory performance of OPA. Key strategies include reusing pointers and optimizing array and object operations, minimizing intermediate object creation, and using sync.Pool to manage memory-heavy operations. These changes cumulatively greatly reduced the number of allocations and improved evaluation speed by 10-20%. Additional benchmarks highlighted significant memory and speed improvements in custom function evaluation.

Authored by @​anderseknert.

Wrap http.RoundTripper for SDK users

PR #7180 adds an EvalHTTPRoundTrip EvalOption and query-level WithHTTPRoundTrip option. Both use a new function type which converts an http.Transport configured by topdown to an http.RoundTripper. This supports use cases requiring the customization of the http.send built in behavior.

Authored by @​evankanderson.

Improvements to scientific notation parsing in units.parse

PR #7147 extends the behaviour of extractNumAndUnit to support scientific notation values. This means values such as 1e3KB can now be handled by this function.

Authored by @​berdanA.

Support customized buckets bundle_loading_duration_ns metric

PR #7156 extends OPA’s Prometheus configuration to allow the setting of user defined buckets for metrics. This aids when debugging the loading of slow bundles.

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.0.0

NOTES:

• The minimum version of Go required to build the OPA module is 1.22

We are excited to announce OPA 1.0, a milestone release consolidating an improved developer experience for the future of Policy as Code. The release makes new functionality designed to simplify policy writing and improve the language's consistency the default.

Changes to Rego in OPA 1.0

Below we highlight some key changes to the defaults in OPA 1.0:

• Using if for all rule definitions and contains for multi-value rules is now mandatory, not just when using the rego.v1 import.
• Other new keywords (every, in) are available without any imports.
• Previously requirements that were only run in "strict mode" (like opa check --strict) are now the default. Duplicate imports and imports which shadow each other are no longer allowed.
• OPA 1.0 comes with a range of backwards compatibility features to aid your migrations, please see the v0 compatibility guide if you must continue to support v0 Rego.

Read more about the OPA 1.0 announcement on the OPA blog.

Following are other changes that are included in OPA 1.0.

Improvements to memory allocations

PRs #7172, #7190, #7193, #7165, #7168, #7191 & #7222 together improve the memory performance of OPA. Key strategies include reusing pointers and optimizing array and object operations, minimizing intermediate object creation, and using sync.Pool to manage memory-heavy operations. These changes cumulatively greatly reduced the number of allocations and improved evaluation speed by 10-20%. Additional benchmarks highlighted significant memory and speed improvements in custom function evaluation.

Authored by @​anderseknert.

Wrap http.RoundTripper for SDK users

PR #7180 adds an EvalHTTPRoundTrip EvalOption and query-level WithHTTPRoundTrip option. Both use a new function type which converts an http.Transport configured by topdown to an http.RoundTripper. This supports use cases requiring the customization of the http.send built in behavior.

Authored by @​evankanderson.

Improvements to scientific notation parsing in units.parse

PR #7147 extends the behaviour of extractNumAndUnit to support scientific notation values. This means values such as 1e3KB can now be handled by this function.

Authored by @​berdanA.

... (truncated)

Commits

• 00cc7ae Prepare v1.0.0 release
• 94118ac docs/website/scripts: Control eval behavior via the rego.v1 import rather tha...
• bb10c56 docs/website/scripts: Eval pre-1.0 policies in v0 compatibility mode
• c91c895 go.mod: require go 1.22.7
• b8a1376 build(deps): bump the go-opentelemetry-io group with 6 updates (#7217)
• a190ea3 Fixing optimized numbers.range builtin reversed range bug (#7230)
• 9a7d920 Update docs and server binding addr per OPA v1.0 specs (#7140)
• c5757a5 build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2
• c97b640 build(deps): bump golang.org/x/net from 0.32.0 to 0.33.0
• 50b5ee5 Reduce allocations, chapter III (#7222)
• Additional commits viewable in compare view

Updates github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0

Commits

• 7d19192 Merge pull request #103 from secure-systems-lab/dependabot/go_modules/golang....
• 21102fa chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0
• 1fb13ff Merge pull request #102 from secure-systems-lab/dependabot/github_actions/act...
• 4e1c22d chore(deps): bump actions/setup-go from 5.1.0 to 5.2.0
• 847cabc Merge pull request #101 from secure-systems-lab/dependabot/go_modules/golang....
• 06fac2f chore(deps): bump golang.org/x/crypto from 0.29.0 to 0.30.0
• c1aadb2 Merge pull request #100 from secure-systems-lab/dependabot/go_modules/github....
• 8fef2d7 chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0
• c65f6c8 Merge pull request #99 from secure-systems-lab/dependabot/go_modules/golang.o...
• 35b687d chore(deps): bump golang.org/x/crypto from 0.27.0 to 0.29.0
• Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.3.6 to 1.3.7

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.3.7

Changelog

Please see https://github.com/sigstore/rekor/blob/main/CHANGELOG.md for changes included in this release.

Thanks for all contributors!

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.3.7

New Features

• log request body on 500 error to aid debugging (#2283)
• Add support for signing with Tink keyset (#2228)
• Add public key hash check in Signed Note verification (#2214)
• update Trillian TLS configuration (#2202)
• Add TLS support for Trillian server (#2164)
• Replace docker-compose with plugin if available (#2153)
• Add flags to backfill script (#2146)
• Unset DisableKeepalive for backfill HTTP client (#2137)
• Add script to delete indexes from Redis (#2120)
• Run CREATE statement in backfill script (#2109)
• Add MySQL support to backfill script (#2081)
• Run e2e tests on mysql and redis index backends (#2079)

Bug Fixes

• remove unneeded value in log message (#2282)
• Add error message when computing consistency proof (#2278)
• fix validation error handling on API (#2217)
• fix error in pretty-printed inclusion proof from verify subcommand (#2210)
• Fix index scripts (#2203)
• fix failing sharding test
• Better error handling in backfill script (#2148)
• Batch entries in cleanup script (#2158)
• Add missing workflow for index cleanup test (#2121)
• hashedrekord: fix schema $id (#2092)

Contributors

• Aditya Sirish
• Bob Callaway
• Colleen Murphy
• cpanato
• Firas Ghanmi
• Hayden B
• Hojoung (Brian) Jang
• William Woodruff

Commits

• 4caadbc changelog for v1.3.7 (#2284)
• 9fddf00 log request body on 500 error to aid debugging (#2283)
• 92584b7 remove unneeded va...

  Description has been truncated

  Summary by Sourcery

  Update various dependencies across the project.

  Enhancements:

  • Bumped github.com/open-policy-agent/opa from 0.70.0 to 1.0.0 which includes improvements to memory allocations, support for customized http.RoundTripper for SDK users, improvements to scientific notation parsing, support for customized buckets bundle_loading_duration_ns metric, and changes to Rego.
  • Bumped github.com/moby/buildkit from 0.17.2 to 0.18.2 which includes updating the built-in Dockerfile frontend to v1.12.1, fixing a possible concurrent map write error, and updating Runc to v1.2.3.
  • Bumped github.com/containerd/containerd/v2 from 2.0.0 to 2.0.1 which includes fixes for CRI, image distribution, and runtime.
  • Bumped github.com/docker/docker from 27.3.1+incompatible to 27.4.1+incompatible which includes bug fixes and enhancements for memory allocation, log reading, kernel module loading, image garbage collection, and image inspection output.
  • Bumped github.com/aws/aws-sdk-go-v2/service/ec2 from 1.193.0 to 1.198.1.
  • Bumped github.com/aws/aws-sdk-go-v2/service/s3 from 1.68.0 to 1.71.1.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request updates the common group of dependencies across one directory, with 30 updates in total. The most significant change is the upgrade of github.com/open-policy-agent/opa from 0.70.0 to 1.0.0. This major version bump introduces several breaking changes to the Rego language, including mandatory use of if for rule definitions and contains for multi-value rules. Other notable updates include github.com/moby/buildkit from 0.17.2 to 0.18.2, github.com/aws/aws-sdk-go-v2/service/ec2 from 1.193.0 to 1.198.1, and github.com/aws/aws-sdk-go-v2/service/s3 from 1.68.0 to 1.71.1.

Class diagram showing major dependency version updates

classDiagram
    class OPA {
        +version: string
        +changes: string[]
    }
    class Buildkit {
        +version: string
        +changes: string[]
    }
    class AWSSDK {
        +version: string
        +services: string[]
    }

    OPA --> OPA : v0.70.0 -> v1.0.0
    note for OPA "Major changes:\n- Mandatory 'if' for rules\n- Mandatory 'contains' for multi-value rules\n- New keywords available without imports"

    Buildkit --> Buildkit : v0.17.2 -> v0.18.2
    note for Buildkit "Updates include:\n- Dockerfile frontend v1.12.1\n- Fix concurrent map write error\n- Update Runc to v1.2.3"

    AWSSDK --> AWSSDK : Multiple service updates
    note for AWSSDK "Service updates:\n- EC2: v1.193.0 -> v1.198.1\n- S3: v1.68.0 -> v1.71.1\n- ECR: v1.36.6 -> v1.36.8"

Loading

File-Level Changes

Change	Details	Files
Updated github.com/open-policy-agent/opa from 0.70.0 to 1.0.0	Mandatory use of if for all rule definitions Mandatory use of contains for multi-value rules New keywords every and in are available without imports Requirements previously only enforced in strict mode are now the default Duplicate and shadowing imports are no longer allowed Minimum Go version to build OPA module is now 1.22 Improvements to memory allocations and evaluation speed Added EvalHTTPRoundTrip EvalOption and query-level WithHTTPRoundTrip option Support for scientific notation in units.parse Support for customized buckets in bundle_loading_duration_ns metric	go.mod go.sum
Updated github.com/moby/buildkit from 0.17.2 to 0.18.2	Builtin Dockerfile frontend updated to v1.12.1 Fix for possible concurrent map write error Runc updated to v1.2.3 to fix possible build error with parallel cache mounts	go.mod go.sum
Updated github.com/aws/aws-sdk-go-v2/service/ec2 from 1.193.0 to 1.198.1	Includes several client updates and bug fixes.	go.mod go.sum
Updated github.com/aws/aws-sdk-go-v2/service/s3 from 1.68.0 to 1.71.1	Includes several client updates and bug fixes.	go.mod go.sum
Numerous other dependency updates	See the full list of updated dependencies in the PR description.	go.mod go.sum

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, dependabot[bot]!). We assume it knows what it's doing!

[codiumai-pr-agent-free]

CI Failure Feedback 🧐

(Checks updated until commit fef936e)

Action: Validate PR title

Failed stage: Run amannn/action-semantic-pull-request@v5 [❌]

Failed test name: ""

Failure summary: The action failed because the pull request title "Bump the common group across 1 directory with 30 updates" does not contain a conventional commit type prefix. The title needs to start with a type (e.g., 'feat:', 'fix:', 'chore:', etc.) following the Conventional Commits specification.

Relevant error logs: 1: ##[group]Operating System 2: Ubuntu ... 123: db 124: parser 125: deps 126: 127: githubBaseUrl: https://api.github.com 128: env: 129: GITHUB_TOKEN: *** 130: ##[endgroup] 131: ##[error]No release type found in pull request title "Bump the common group across 1 directory with 30 updates". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

---

✨ CI feedback usage guide:

---

The CI feedback tool (/checks) automatically triggers when a PR has a failed check.
The tool analyzes the failed checks and provides several feedbacks:

• Failed stage
• Failed test name
• Failure summary
• Relevant error logs

In addition to being automatically triggered, the tool can also be invoked manually by commenting on a PR:

/checks "https://github.com/{repo_name}/actions/runs/{run_number}/job/{job_number}"

where {repo_name} is the name of the repository, {run_number} is the run number of the failed check, and {job_number} is the job number of the failed check.

Configuration options

• enable_auto_checks_feedback - if set to true, the tool will automatically provide feedback when a check is failed. Default is true.
• excluded_checks_list - a list of checks to exclude from the feedback, for example: ["check1", "check2"]. Default is an empty list.
• enable_help_text - if set to true, the tool will provide a help message with the feedback. Default is true.
• persistent_comment - if set to true, the tool will overwrite a previous checks comment with the new feedback. Default is true.
• final_update_message - if persistent_comment is true and updating a previous checks message, the tool will also create a new message: "Persistent checks updated to latest commit". Default is true.

See more information about the checks tool in the docs.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.