Update go modules (main) (patch) by renovate[bot] · Pull Request #3130 · conforma/cli

renovate · 2026-02-27T01:15:43Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
cuelang.org/go	`v0.16.0` → `v0.16.1`
github.com/conforma/crds/api	`v0.1.7` → `v0.1.11`
github.com/cucumber/godog	`v0.15.0` → `v0.15.1`
github.com/gkampitakis/go-snaps	`v0.5.19` → `v0.5.22`
github.com/go-openapi/runtime	`v0.29.2` → `v0.29.5`
github.com/go-openapi/strfmt	`v0.26.1` → `v0.26.3`
github.com/google/go-containerregistry	`v0.21.5` → `v0.21.6`
github.com/mattn/go-isatty	`v0.0.20` → `v0.0.22`
github.com/otiai10/copy	`v1.14.0` → `v1.14.1`
github.com/package-url/packageurl-go	`v0.1.3` → `v0.1.6`
github.com/sigstore/cosign/v3	`v3.0.4` → `v3.0.6`
github.com/sigstore/rekor	`v1.5.0` → `v1.5.2`
github.com/sigstore/sigstore	`v1.10.5` → `v1.10.8`
github.com/tektoncd/chains	`v0.26.2` → `v0.26.4`
github.com/testcontainers/testcontainers-go	`v0.34.0` → `v0.34.1`
gotest.tools/gotestsum	`v1.12.1` → `v1.12.3`
k8s.io/api	`v0.35.4` → `v0.35.5`
k8s.io/apiextensions-apiserver	`v0.35.4` → `v0.35.5`
k8s.io/apimachinery	`v0.35.4` → `v0.35.5`
k8s.io/client-go	`v0.35.4` → `v0.35.5`
k8s.io/kubernetes	`v1.34.2` → `v1.34.8`

Release Notes

cue-lang/cue (cuelang.org/go)

`v0.16.1`

Compare Source

Language

The fallback keyword in the aliasv2 experiment is replaced by otherwise, which is clearer. cue fmt or cue fix can be used to rewrite existing code.

Evaluator

Fix a regression where the compiler could add comments to the input AST value, which could lead to increased memory usage.

Fix a bug where exporting certain schemas could result in "cannot have both alias and field in same scope" errors.

`cmd/cue`

Fix a panic which could occur when using non-label expressions in the --path flag.

Teach cue login to give helpful errors when used with OCI registries which don't support the OAuth2 device flow.

Go API

Fix a regression where cue.Context.Encode could panic on custom marshaler types with pointer receivers.

Full list of changes since v0.16.0

internal/cueversion: bump to v0.16.1 by @mvdan in 6d609d7
internal/ci: build releases with Go 1.26.2 by @mvdan in cedf4c8
update all golang.org/x/... dependencies by @mvdan in b4efeef
all: rename fallback keyword to otherwise by @mpvl in f813811
lsp/cache: improve rename by @cuematthew in 8e47027
integration/workspace: add test showing bad behaviour by @cuematthew in a5e0ef5
cmd/cue: suggest docker/podman login when OAuth2 device flow is unsupported by @mvdan in c169605
cmd/cue: add testscript for cue login when device code endpoint is unsupported by @mvdan in d7c882a
cmd/cue: clarify how to authenticate with standard OCI registries by @mvdan in 2613edf
internal/core/compile: avoid mutating AST by @rogpeppe in e4b0516
internal/core/export: fix alias/field name conflict in pattern constraints by @mvdan in 1e46409
internal/core/export: add regression test for alias/field name conflict by @mvdan in 1654f66
pkg: fix godoc mistakes across several packages by @mvdan in eae9aaf
internal/core/convert: fix panic when encoding pointer-receiver marshalers by @mvdan in 8e39aec
cmd/cue: return an error for non-label --path expressions instead of panicking by @mvdan in 5a55849
encoding: add godoc hints for cue/ast result types by @mvdan in 682c663

cucumber/godog (github.com/cucumber/godog)

`v0.15.1`

Compare Source

Added

Step text is added to "step is undefined" error - (669 - vearutop)
Localisation support by @MegaGrindStone in #665
feat: support uint types by @chengxilo in #695

Changed

Replace deprecated ::set-output - (681 - nodeg)

Fixed

fix(errors): fix(errors): Fix expected Step argument count for steps with context.Context (679 - tigh-latte)
fix(formatter): On concurrent execution, execute formatter at end of Scenario - (645 - tigh-latte)
Pretty printing results now prints the line where the step is declared instead of the line where the handler is declared. (668 - spencerc)
Update honnef.co/go/tools/cmd/staticcheck version in Makefile by @RezaZareiii in #670
fix: verify dogT exists in the context before using it by @cakoolen in #692
fix: change bang to being in README by @nahomEagleLion in #687
Mark junit test cases as skipped if no pickle step results available by @mrsheepuk in #597
Print step declaration line instead of handler declaration line by @SpencerC in #668

gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)

`v0.5.22`

Compare Source

What's Changed

Enhance README with additional Any matcher example by @MoritzHeld in #157
fix: create snapshot files with 0644 instead of os.ModePerm by @gkampitakis in #159

New Contributors

@MoritzHeld made their first contribution in #157

Full Changelog: gkampitakis/go-snaps@v0.5.21...v0.5.22

`v0.5.21`

Compare Source

What's Changed

support nested arrays in json matchers by @gkampitakis in #145

Full Changelog: gkampitakis/go-snaps@v0.5.20...v0.5.21

`v0.5.20`

Compare Source

What's Changed

feat: support setting serializer on config by @gkampitakis in #154

Full Changelog: gkampitakis/go-snaps@v0.5.19...v0.5.20

go-openapi/runtime (github.com/go-openapi/runtime)

`v0.29.5`

Compare Source

0.29.5 - 2026-05-04

Full Changelog: go-openapi/runtime@v0.29.4...v0.29.5

10 commits in this release.

Implemented enhancements

feat(client): prefer multipart and support url-encoded file uploads by @fredbi in #428 ...

Fixed bugs

fix(statuses): align http status text with current standard by @fredbi in #427 ...
fix(validation): match content-type with MIME parameters by @fredbi in #426 ...
fix(auth): detect nil interface vs nil interface by @fredbi in #425 ...
fix: handle literal colons in URL paths for denco router by @KuaaMU in #422 ...

Documentation

doc: aligned docs with org-level docs by @fredbi in #424 ...
doc: updated contributors file by @bot-go-openapi[bot] in #423 ...
doc: updated contributors file by @bot-go-openapi[bot] in #420 ...

Miscellaneous tasks

chore: prepare release v0.29.5 by @bot-go-openapi[bot] in #429 ...

Updates

build(deps): bump the go-openapi-dependencies group across 2 directories with 3 updates by @dependabot[bot] in #421 ...

People who contributed to this release

New Contributors

@KuaaMU made their first contribution
in #422

runtime license terms

Per-module changes

client-middleware/opentracing (0.29.5)

Fixed bugs

fix(auth): detect nil interface vs nil interface by @fredbi in #425 ...

Miscellaneous tasks

chore: prepare release v0.29.5 by @bot-go-openapi[bot] in #429 ...

Updates

build(deps): bump the go-openapi-dependencies group across 2 directories with 3 updates by @dependabot[bot] in #421 ...

`v0.29.4`

Compare Source

0.29.4 - 2026-04-18

Security update

Full Changelog: go-openapi/runtime@v0.29.3...v0.29.4

16 commits in this release.

Documentation

doc: updated contributors file by @bot-go-openapi[bot] in #414 ...
doc: updated contributors file by @bot-go-openapi[bot] in #412 ...
doc: add portable agentic instructions by @fredbi in #409 ...
doc: update discord link by @fredbi in #408 ...
doc: updated contributors file by @bot-go-openapi[bot] in #406 ...

Testing

test: removed static testing TLS material (replaced by test helper) by @fredbi in #413 ...

Miscellaneous tasks

chore: prepare release v0.29.4 by @bot-go-openapi[bot] in #419 ...
chore: bump go directive to 1.25.0 by @fredbi in #410 ...
ci: fixed dependabot path by @fredbi in #407 ...

Updates

build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 by @dependabot[bot] in #415 ...
build(deps): bump the go-openapi-dependencies group across 1 directory with 4 updates by @dependabot[bot] in #418 ...
build(deps): bump the development-dependencies group with 7 updates by @dependabot[bot] in #417 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 4 updates by @dependabot[bot] in #411 ...
build(deps): bump the other-dependencies group across 1 directory with 3 updates by @dependabot[bot] in #401 ...
build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #400 ...
build(deps): bump the development-dependencies group across 2 directories with 7 updates by @dependabot[bot] in #405 ...

People who contributed to this release

@fredbi

runtime license terms

Per-module changes

client-middleware/opentracing (0.29.4)

Miscellaneous tasks

chore: prepare release v0.29.4 by @bot-go-openapi[bot] in #419 ...
chore: bump go directive to 1.25.0 by @fredbi in #410 ...

Updates

build(deps): bump the go-openapi-dependencies group across 1 directory with 4 updates by @dependabot[bot] in #418 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 4 updates by @dependabot[bot] in #411 ...
build(deps): bump the other-dependencies group across 1 directory with 3 updates by @dependabot[bot] in #401 ...
build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #400 ...

`v0.29.3`

Compare Source

0.29.3 - 2026-03-08

Full Changelog: go-openapi/runtime@v0.29.2...v0.29.3

27 commits in this release.

Fixed bugs

fix: Content-Type of 404 & 405 responses by @maxatome in #373 ...

Documentation

docs: add FAQ from resolved GitHub issues by @fredbi in #403 ...
doc: fixup README (pending CI update for a complete rendering) by @fredbi ...
doc: announced new discord channel by @fredbi in #390 ...
Chore/attribute original code by @fredbi in #384 ...

Code quality

chore: updated dependencies (removed mongodb indirect dependency) by @fredbi in #399 ...

Miscellaneous tasks

chore: prepare release v0.29.3 by @bot-go-openapi[bot] in #404 ...
ci: fixed dropped trivy release - updated shared workflow by @fredbi ...
chore(code quality): replace TODO comments with issue references by @fredbi in #388 ...
chore(licensing): added correct code attribution for the denco middleware by @fredbi ...
chore: fixed code quality issues in shells used for preparing releases by @fredbi in #383 ...

Updates

build(deps): bump the development-dependencies group across 2 directories with 7 updates by @dependabot[bot] in #402 ...
build(deps): bump the other-dependencies group with 3 updates by @dependabot[bot] in #394 ...
build(deps): bump the go-openapi-dependencies group with 6 updates by @dependabot[bot] in #398 ...
build(deps): bump the go-openapi-dependencies group with 2 updates by @dependabot[bot] in #396 ...
build(deps): bump the go-openapi-dependencies group with 2 updates by @dependabot[bot] in #395 ...
build(deps): bump the go-openapi-dependencies group with 2 updates by @dependabot[bot] in #393 ...
build(deps): bump the go-openapi-dependencies group with 2 updates by @dependabot[bot] in #392 ...
build(deps): bump the go-openapi-dependencies group with 2 updates by @dependabot[bot] in #391 ...
build(deps): bump github.com/go-openapi/analysis from 0.24.1 to 0.24.2 in the go-openapi-dependencies group by @dependabot[bot] in #389 ...
build(deps): bump the other-dependencies group with 3 updates by @dependabot[bot] in #382 ...
build(deps): bump golang.org/x/sync from 0.18.0 to 0.19.0 in the golang-org-dependencies group by @dependabot[bot] in #380 ...
build(deps): bump the go-openapi-dependencies group with 2 updates by @dependabot[bot] in #381 ...
build(deps): bump the go-openapi-dependencies group with 4 updates by @dependabot[bot] in #379 ...
build(deps): bump the go-openapi-dependencies group with 4 updates by @dependabot[bot] in #377 ...
build(deps): bump actions/checkout from 5 to 6 in the development-dependencies group by @dependabot[bot] in #378 ...
build(deps): bump golangci/golangci-lint-action from 8 to 9 in the development-dependencies group by @dependabot[bot] in #374 ...

People who contributed to this release

New Contributors

@maxatome made their first contribution
in #373

runtime license terms

Per-module changes

client-middleware/opentracing (0.29.3)

Documentation

Chore/attribute original code by @fredbi in #384 ...

Code quality

chore: updated dependencies (removed mongodb indirect dependency) by @fredbi in #399 ...

Miscellaneous tasks

chore: prepare release v0.29.3 by @bot-go-openapi[bot] in #404 ...

go-openapi/strfmt (github.com/go-openapi/strfmt)

`v0.26.3`

Compare Source

0.26.3 - 2026-05-31

Full Changelog: go-openapi/strfmt@v0.26.2...v0.26.3

15 commits in this release.

Documentation

fix(ci): typo in sha by @fredbi ...
doc: updated contributors file by @bot-go-openapi[bot] in #258 ...
doc: updated contributors file by @bot-go-openapi[bot] in #251 ...

Miscellaneous tasks

chore: prepare release v0.26.3 by @bot-go-openapi[bot] in #260 ...
fix(ci): monitor - work around dependabot identity requirements by @fredbi ...
fix(ci): updated shared ci worflows (fix monitor-bot identity) by @fredbi ...
fix(ci): updated shared ci worflows (fix monitor-bot permissions) by @fredbi ...
fix(ci): updated shared ci worflows (fix monitor-bot filter) by @fredbi in #259 ...
ci: schedule bot PR monitoring by @fredbi in #257 ...

Updates

build(deps): bump the other-dependencies group across 3 directories with 2 updates by @dependabot[bot] in #252 ...
build(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #255 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #256 ...
build(deps): bump the development-dependencies group with 8 updates by @dependabot[bot] in #254 ...
build(deps): bump golang.org/x/net from 0.53.0 to 0.54.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #253 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #249 ...

People who contributed to this release

@fredbi

strfmt license terms

Per-module changes

enable/mongodb (0.26.3)

Miscellaneous tasks

chore: prepare release v0.26.3 by @bot-go-openapi[bot] in #260 ...

Updates

build(deps): bump the other-dependencies group across 3 directories with 2 updates by @dependabot[bot] in #252 ...

internal/testintegration (0.26.3)

Miscellaneous tasks

chore: prepare release v0.26.3 by @bot-go-openapi[bot] in #260 ...

Updates

build(deps): bump the other-dependencies group across 3 directories with 2 updates by @dependabot[bot] in #252 ...
build(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #255 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #256 ...
build(deps): bump golang.org/x/net from 0.53.0 to 0.54.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #253 ...
build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #249 ...

`v0.26.2`

Compare Source

0.26.2 - 2026-04-29

Full Changelog: go-openapi/strfmt@v0.26.1...v0.26.2

13 commits in this release.

Documentation

doc: aligned docs with org-wide documentation. by @fredbi in #247 ...
doc: updated contributors file by @bot-go-openapi[bot] in #239 ...
doc: add portable agentic instructions by @fredbi in #236 ...
doc: added portable agentic instructions by @fredbi in #235 ...

Performance

perf(duration): faster and stricter ParseDuration. by @fredbi in #246 ...

Miscellaneous tasks

chore: prepare release v0.26.2 by @bot-go-openapi[bot] in #248 ...
chore: bump go directive to 1.25.0 by @fredbi in #237 ...

Updates

build(deps): bump the other-dependencies group across 2 directories with 2 updates by @dependabot[bot] in #245 ...
build(deps): bump the development-dependencies group with 8 updates by @dependabot[bot] in #242 ...
build(deps): bump golang.org/x/net from 0.52.0 to 0.53.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in [#241](https://redirect.github.com/go-openapi/strfmt/pull/

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- Between 12:00 AM and 03:59 AM (* 0-3 * * *)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2026-02-27T01:15:46Z

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

39 additional dependencies were updated

Details:

Package	Change
`github.com/secure-systems-lab/go-securesystemslib`	`v0.10.0` -> `v0.11.0`
`golang.org/x/exp`	`v0.0.0-20250911091902-df9299821621` -> `v0.0.0-20251023183803-a4bb9ffd2546`
`k8s.io/klog/v2`	`v2.130.1` -> `v2.140.0`
`github.com/gkampitakis/ciinfo`	`v0.3.2` -> `v0.3.4`
`github.com/go-chi/chi/v5`	`v5.2.4` -> `v5.2.5`
`github.com/go-openapi/analysis`	`v0.24.3` -> `v0.25.0`
`github.com/go-openapi/runtime`	`v0.29.2` -> `v0.29.4`
`github.com/go-openapi/swag`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/cmdutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/conv`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/fileutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonname`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/loading`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/mangling`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/netutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/stringutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/typeutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/yamlutils`	`v0.25.5` -> `v0.26.0`
`github.com/goccy/go-yaml`	`v1.18.0` -> `v1.19.2`
`github.com/google/certificate-transparency-go`	`v1.3.2` -> `v1.3.3`
`github.com/letsencrypt/boulder`	`v0.20251110.0` -> `v0.20260223.0`
`github.com/maruel/natural`	`v1.1.1` -> `v1.3.0`
`github.com/prometheus/procfs`	`v0.17.0` -> `v0.19.2`
`github.com/sigstore/protobuf-specs`	`v0.5.0` -> `v0.5.1`
`github.com/sigstore/rekor-tiles/v2`	`v2.0.1` -> `v2.2.1`
`github.com/sigstore/timestamp-authority/v2`	`v2.0.4` -> `v2.0.5`
`github.com/tidwall/gjson`	`v1.18.0` -> `v1.19.0`
`go.uber.org/zap`	`v1.27.1` -> `v1.28.0`
`golang.org/x/crypto`	`v0.49.0` -> `v0.50.0`
`golang.org/x/mod`	`v0.33.0` -> `v0.34.0`
`golang.org/x/net`	`v0.52.0` -> `v0.53.0`
`golang.org/x/sys`	`v0.42.0` -> `v0.43.0`
`golang.org/x/term`	`v0.41.0` -> `v0.42.0`
`golang.org/x/text`	`v0.35.0` -> `v0.36.0`
`google.golang.org/api`	`v0.271.0` -> `v0.274.0`
`google.golang.org/genproto/googleapis/api`	`v0.0.0-20260203192932-546029d2fa20` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/genproto/googleapis/rpc`	`v0.0.0-20260226221140-a57be14db171` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/grpc`	`v1.79.3` -> `v1.80.0`

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

78 additional dependencies were updated

Details:

Package	Change
`github.com/go-git/go-git/v5`	`v5.17.1` -> `v5.18.0`
`github.com/secure-systems-lab/go-securesystemslib`	`v0.10.0` -> `v0.11.0`
`golang.org/x/exp`	`v0.0.0-20250911091902-df9299821621` -> `v0.0.0-20251023183803-a4bb9ffd2546`
`golang.org/x/net`	`v0.52.0` -> `v0.53.0`
`k8s.io/klog/v2`	`v2.130.1` -> `v2.140.0`
`golang.org/x/text`	`v0.35.0` -> `v0.36.0`
`cloud.google.com/go/auth`	`v0.18.2` -> `v0.19.0`
`cloud.google.com/go/iam`	`v1.5.3` -> `v1.7.0`
`cloud.google.com/go/storage`	`v1.61.3` -> `v1.62.0`
`github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp`	`v1.30.0` -> `v1.31.0`
`github.com/aws/aws-sdk-go-v2`	`v1.41.4` -> `v1.41.6`
`github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream`	`v1.7.7` -> `v1.7.8`
`github.com/aws/aws-sdk-go-v2/config`	`v1.32.12` -> `v1.32.14`
`github.com/aws/aws-sdk-go-v2/credentials`	`v1.19.12` -> `v1.19.14`
`github.com/aws/aws-sdk-go-v2/feature/ec2/imds`	`v1.18.20` -> `v1.18.21`
`github.com/aws/aws-sdk-go-v2/internal/configsources`	`v1.4.20` -> `v1.4.22`
`github.com/aws/aws-sdk-go-v2/internal/endpoints/v2`	`v2.7.20` -> `v2.7.22`
`github.com/aws/aws-sdk-go-v2/internal/v4a`	`v1.4.21` -> `v1.4.22`
`github.com/aws/aws-sdk-go-v2/service/ecr`	`v1.51.2` -> `v1.55.3`
`github.com/aws/aws-sdk-go-v2/service/ecrpublic`	`v1.38.2` -> `v1.38.10`
`github.com/aws/aws-sdk-go-v2/service/internal/checksum`	`v1.9.12` -> `v1.9.13`
`github.com/aws/aws-sdk-go-v2/service/internal/presigned-url`	`v1.13.20` -> `v1.13.21`
`github.com/aws/aws-sdk-go-v2/service/internal/s3shared`	`v1.19.20` -> `v1.19.21`
`github.com/aws/aws-sdk-go-v2/service/s3`	`v1.97.1` -> `v1.97.3`
`github.com/aws/aws-sdk-go-v2/service/signin`	`v1.0.8` -> `v1.0.9`
`github.com/aws/aws-sdk-go-v2/service/sso`	`v1.30.13` -> `v1.30.15`
`github.com/aws/aws-sdk-go-v2/service/ssooidc`	`v1.35.17` -> `v1.35.19`
`github.com/aws/aws-sdk-go-v2/service/sts`	`v1.41.9` -> `v1.41.10`
`github.com/aws/smithy-go`	`v1.24.2` -> `v1.25.0`
`github.com/awslabs/amazon-ecr-credential-helper/ecr-login`	`v0.11.0` -> `v0.12.0`
`github.com/clipperhouse/displaywidth`	`v0.6.0` -> `v0.10.0`
`github.com/clipperhouse/uax29/v2`	`v2.3.0` -> `v2.6.0`
`github.com/gkampitakis/ciinfo`	`v0.3.2` -> `v0.3.4`
`github.com/go-chi/chi/v5`	`v5.2.4` -> `v5.2.5`
`github.com/go-openapi/analysis`	`v0.24.3` -> `v0.25.0`
`github.com/go-openapi/swag`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/cmdutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/conv`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/fileutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonname`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/jsonutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/loading`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/mangling`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/netutils`	`v0.25.4` -> `v0.26.0`
`github.com/go-openapi/swag/stringutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/typeutils`	`v0.25.5` -> `v0.26.0`
`github.com/go-openapi/swag/yamlutils`	`v0.25.5` -> `v0.26.0`
`github.com/goccy/go-yaml`	`v1.18.0` -> `v1.19.2`
`github.com/google/certificate-transparency-go`	`v1.3.2` -> `v1.3.3`
`github.com/googleapis/gax-go/v2`	`v2.17.0` -> `v2.22.0`
`github.com/letsencrypt/boulder`	`v0.20251110.0` -> `v0.20260223.0`
`github.com/maruel/natural`	`v1.1.1` -> `v1.3.0`
`github.com/miekg/pkcs11`	`v1.1.1` -> `v1.1.2`
`github.com/olekukonko/errors`	`v1.1.0` -> `v1.2.0`
`github.com/olekukonko/ll`	`v0.1.3` -> `v0.1.6`
`github.com/olekukonko/tablewriter`	`v1.1.2` -> `v1.1.4`
`github.com/prometheus/common`	`v0.67.4` -> `v0.67.5`
`github.com/prometheus/procfs`	`v0.17.0` -> `v0.19.2`
`github.com/sigstore/fulcio`	`v1.8.4` -> `v1.8.5`
`github.com/sigstore/protobuf-specs`	`v0.5.0` -> `v0.5.1`
`github.com/sigstore/rekor-tiles/v2`	`v2.0.1` -> `v2.2.1`
`github.com/sigstore/timestamp-authority/v2`	`v2.0.4` -> `v2.0.5`
`github.com/tidwall/gjson`	`v1.18.0` -> `v1.19.0`
`gitlab.com/gitlab-org/api/client-go`	`v1.11.0` -> `v1.46.0`
`go.opentelemetry.io/contrib/detectors/gcp`	`v1.39.0` -> `v1.40.0`
`go.uber.org/zap`	`v1.27.1` -> `v1.28.0`
`golang.org/x/crypto`	`v0.49.0` -> `v0.50.0`
`golang.org/x/mod`	`v0.33.0` -> `v0.34.0`
`golang.org/x/sys`	`v0.42.0` -> `v0.43.0`
`golang.org/x/term`	`v0.41.0` -> `v0.42.0`
`golang.org/x/tools`	`v0.42.0` -> `v0.43.0`
`google.golang.org/api`	`v0.271.0` -> `v0.274.0`
`google.golang.org/genproto`	`v0.0.0-20260128011058-8636f8732409` -> `v0.0.0-20260319201613-d00831a3d3e7`
`google.golang.org/genproto/googleapis/api`	`v0.0.0-20260203192932-546029d2fa20` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/genproto/googleapis/rpc`	`v0.0.0-20260226221140-a57be14db171` -> `v0.0.0-20260401024825-9d38bb4040a9`
`google.golang.org/grpc`	`v1.79.3` -> `v1.80.0`
`gopkg.in/ini.v1`	`v1.67.1` -> `v1.67.2`
`sigs.k8s.io/release-utils`	`v0.12.3` -> `v0.12.4`

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

2 additional dependencies were updated

Details:

Package	Change
`github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp`	`v1.30.0` -> `v1.31.0`
`google.golang.org/grpc`	`v1.79.3` -> `v1.80.0`

renovate · 2026-05-28T08:38:53Z

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum

Command failed: go mod tidy
go: downloading github.com/go-openapi/testify/v2 v2.5.1
go: downloading github.com/go-openapi/swag/jsonutils/fixtures_test v0.26.0
go: downloading github.com/go-openapi/testify/enable/yaml/v2 v2.4.2
go: downloading github.com/google/trillian v1.7.3
go: downloading github.com/jackc/pgx/v5 v5.8.0
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.6
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.6
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.6
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.6
go: downloading go.step.sm/crypto v0.77.7
go: downloading github.com/tink-crypto/tink-go-awskms/v3 v3.0.0
go: downloading google.golang.org/api v0.274.0
go: downloading filippo.io/edwards25519 v1.2.0
go: downloading github.com/aws/aws-sdk-go-v2 v1.41.6
go: downloading github.com/aws/aws-sdk-go-v2/config v1.32.14
go: downloading github.com/aws/aws-sdk-go-v2/service/kms v1.50.5
go: downloading cloud.google.com/go/kms v1.28.0
go: downloading github.com/Masterminds/semver v1.5.0
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.6.8
go: downloading go.etcd.io/etcd/client/v3 v3.6.8
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.19.14
go: downloading cloud.google.com/go/auth v0.19.0
go: downloading github.com/aws/smithy-go v1.25.0
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21
go: downloading github.com/aws/aws-sdk-go-v2/service/signin v1.0.9
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.30.15
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.41.10
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22
go: downloading cloud.google.com/go/iam v1.7.0
go: downloading cloud.google.com/go/longrunning v0.9.0
go: downloading github.com/googleapis/gax-go/v2 v2.22.0
go: downloading google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7
go: downloading go.etcd.io/etcd/api/v3 v3.6.8
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22
go: downloading github.com/google/pprof v0.0.0-20260402051712-545e8a4df936
go: finding module for package knative.dev/pkg/metrics
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260602142205-ac97e43f6622), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260602142205-ac97e43f6622), but does not contain package knative.dev/pkg/tracing/config

File name: tools/go.sum

Command failed: go mod tidy
go: downloading github.com/mattn/go-shellwords v1.0.12
go: downloading github.com/distribution/distribution/v3 v3.0.0
go: downloading github.com/DATA-DOG/go-sqlmock v1.5.2
go: downloading github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2
go: downloading github.com/onsi/ginkgo/v2 v2.28.1
go: downloading github.com/onsi/gomega v1.39.1
go: downloading github.com/redis/go-redis/v9 v9.17.2
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/bshuster-repo/logrus-logstash-hook v1.0.0
go: downloading github.com/docker/go-metrics v0.0.1
go: downloading github.com/gorilla/handlers v1.5.2
go: downloading github.com/mattn/go-sqlite3 v1.14.28
go: downloading github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2
go: downloading cloud.google.com/go/pubsub v1.50.1
go: downloading github.com/hinshun/vt10x v0.0.0-20220228203356-1ab2cad5fd82
go: downloading gopkg.in/h2non/gock.v1 v1.1.2
go: downloading github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f
go: downloading github.com/gorilla/mux v1.8.1
go: downloading github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c
go: downloading github.com/redis/go-redis/extra/redisotel/v9 v9.5.3
go: downloading go.opentelemetry.io/contrib/exporters/autoexport v0.57.0
go: downloading github.com/poy/onpar v1.1.2
go: downloading github.com/go-logr/zapr v1.3.0
go: downloading github.com/alecthomas/assert/v2 v2.11.0
go: downloading github.com/alecthomas/repr v0.5.2
go: downloading github.com/gostaticanalysis/testutil v0.5.0
go: downloading go-simpler.org/assert v0.9.0
go: downloading golang.org/x/tools/go/expect v0.1.1-deprecated
go: downloading github.com/matryer/is v1.4.0
go: downloading github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1
go: downloading github.com/google/go-replayers/grpcreplay v1.3.0
go: downloading github.com/google/go-replayers/httpreplay v1.2.0
go: downloading cloud.google.com/go/pubsub/v2 v2.3.0
go: downloading github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542
go: downloading github.com/hashicorp/golang-lru/arc/v2 v2.0.5
go: downloading github.com/redis/go-redis/extra/rediscmd/v9 v9.5.3
go: downloading go.opentelemetry.io/contrib/bridges/prometheus v0.57.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0
go: downloading go.opentelemetry.io/otel/sdk/log v0.8.0
go: downloading golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated
go: downloading github.com/tenntenn/modver v1.0.1
go: downloading github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3
go: downloading github.com/go-toolsmith/pkgload v1.2.2
go: downloading github.com/keybase/go-keychain v0.0.1
go: downloading github.com/jcmturner/goidentity/v6 v6.0.1
go: downloading github.com/ActiveState/vt10x v1.3.1
go: downloading go.opentelemetry.io/otel/log v0.8.0
go: downloading github.com/dave/jennifer v1.7.1
go: downloading github.com/jmespath/go-jmespath/internal/testify v1.5.1
go: downloading github.com/kr/pty v1.1.8
go: downloading github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83
go: finding module for package knative.dev/pkg/metrics
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/tools imports
	github.com/tektoncd/cli/cmd/tkn imports
	github.com/tektoncd/cli/pkg/cmd imports
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding tested by
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding.test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260602142205-ac97e43f6622), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/tools imports
	github.com/tektoncd/cli/cmd/tkn imports
	github.com/tektoncd/cli/pkg/cmd imports
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding tested by
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding.test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260602142205-ac97e43f6622), but does not contain package knative.dev/pkg/tracing/config

fullsend-ai-review · 2026-06-03T14:12:50Z

Review

Findings

Medium

[version skew across modules] go.mod:33 / acceptance/go.mod:24 — This PR updates secure-systems-lab/go-securesystemslib from v0.10.0 to v0.11.0 in the main go.mod, but leaves it at v0.10.0 in acceptance/go.mod. This is a minor version bump which may include API or behavioral changes. Both modules directly import this library (used in acceptance/rekor/rekor.go, internal/validate/vsa/ and related test files), so the version skew means acceptance tests will validate behavior against v0.10.0 while the production CLI uses v0.11.0. Consider aligning the version across both modules.

Info

[dependency consistency] go.mod — golang.org/x/exp diverges between go.mod (updated to v0.0.0-20251023183803) and acceptance/go.mod (stays at v0.0.0-20250911091902). Since golang.org/x/exp is experimental with unstable APIs, the risk is low but worth noting for future alignment.

Previous run

Review

Findings

Low

[data-exposure] acceptance/go.mod:14 — acceptance/go.mod retains go-git/go-git/v5 v5.17.1 while go.mod bumps to v5.18.0. The go-gather v1.1.5 changelog explicitly tags the v5.18.0 update as a security fix. The acceptance module may run with a version that has known security issues. This is mitigated by the fact that acceptance tests run in CI (not production), and these are separate Go modules where Renovate intentionally splits minor vs patch updates — this PR is scoped to patch-level bumps only, and v5.17→v5.18 is a minor version change. Renovate will likely issue a separate minor-bump PR for the acceptance module.
Remediation: Consider bumping go-git to v5.18.0 in acceptance/go.mod in a follow-up PR, or verify the security issue does not affect test-time usage patterns.

Info

[pattern-violation] go.mod — go-securesystemslib is bumped from v0.10.0 to v0.11.0 (minor) in go.mod but stays at v0.10.0 in acceptance/go.mod. This is expected cross-module version skew in a multi-module repo with Renovate's patch-only grouping. No immediate correctness risk since no production code is changed in this PR.

Previous run (2)

Review

Findings

Low

[version consistency] acceptance/go.mod:40 — After this update, k8s.io/api and k8s.io/client-go are bumped to v0.35.5 in acceptance/go.mod, but k8s.io/apimachinery remains at v0.35.4. The k8s.io packages are designed to be used at consistent versions. Go's minimum version selection will resolve this safely at runtime (apimachinery v0.35.5 will be pulled in transitively if required by api or client-go), so this is cosmetic and will likely be resolved in the next update cycle.
[API compatibility] go.mod:33 — github.com/secure-systems-lab/go-securesystemslib is updated from v0.10.0 to v0.11.0. This is a minor version bump on a v0.x module, which per Go semver conventions does not guarantee backward compatibility. This library is a direct dependency used in production code (internal/validate/vsa/). Since no source code changes accompany this update, compatibility should be verified by CI pipeline success before merging.

Info

[sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailability. This dimension is non-critical for a dependency-only update.

fullsend-ai-review · 2026-06-03T14:12:52Z

 	gopkg.in/go-jose/go-jose.v2 v2.6.3
-	k8s.io/api v0.35.4
+	k8s.io/api v0.35.5
 	k8s.io/apimachinery v0.35.4


[low] version consistency

After this update, k8s.io/api and k8s.io/client-go are bumped to v0.35.5 but k8s.io/apimachinery remains at v0.35.4. The k8s.io packages are designed to be used at consistent versions. Go's MVS resolves this safely, but the inconsistency is worth noting.

fullsend-ai-review · 2026-06-03T14:12:52Z

-	github.com/sigstore/cosign/v3 v3.0.4
-	github.com/sigstore/rekor v1.5.0
-	github.com/sigstore/sigstore v1.10.5
+	github.com/secure-systems-lab/go-securesystemslib v0.11.0


[low] API compatibility

github.com/secure-systems-lab/go-securesystemslib is updated from v0.10.0 to v0.11.0, a minor version bump on a v0.x module which does not guarantee backward compatibility per Go semver. Verify CI passes before merging.

fullsend-ai-review · 2026-06-03T15:09:41Z

-	github.com/gkampitakis/go-snaps v0.5.19
+	github.com/gkampitakis/go-snaps v0.5.22
 	github.com/go-git/go-billy/v5 v5.8.0
 	github.com/go-git/go-git/v5 v5.17.1


[low] data-exposure

acceptance/go.mod retains go-git/go-git/v5 v5.17.1 while go.mod bumps to v5.18.0. The go-gather v1.1.5 changelog explicitly tags the v5.18.0 update as a security fix. The acceptance module may run with a version that has known security issues. Mitigated by CI-only usage and separate module scope.

Suggested fix: Consider bumping go-git to v5.18.0 in acceptance/go.mod in a follow-up PR, or verify the security issue does not affect test-time usage patterns.

renovate Bot added main renovate labels Feb 27, 2026

renovate Bot enabled auto-merge February 27, 2026 01:15

github-actions Bot added the size: XL label Feb 27, 2026

renovate Bot force-pushed the renovate/main-patch-go-modules branch 14 times, most recently from 2a265d3 to a650df7 Compare March 6, 2026 00:43

renovate Bot force-pushed the renovate/main-patch-go-modules branch 4 times, most recently from 5fde2e2 to 0d4d965 Compare March 9, 2026 23:05

github-actions Bot added size: XXL and removed size: XL labels Mar 9, 2026

renovate Bot force-pushed the renovate/main-patch-go-modules branch 5 times, most recently from afe86d8 to 9a0b95c Compare March 15, 2026 01:16

renovate Bot force-pushed the renovate/main-patch-go-modules branch 11 times, most recently from 5792771 to ff562fa Compare April 7, 2026 16:43

renovate Bot force-pushed the renovate/main-patch-go-modules branch 12 times, most recently from 1d6391b to 1166813 Compare April 14, 2026 18:58

renovate Bot force-pushed the renovate/main-patch-go-modules branch 2 times, most recently from 68c7ba1 to e62576d Compare April 16, 2026 19:20

fullsend-ai-review Bot approved these changes Jun 3, 2026

View reviewed changes

Update go modules

3277851

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update go modules (main) (patch)#3130

Update go modules (main) (patch)#3130
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-patch-go-modules

renovate Bot commented Feb 27, 2026 •

edited

Loading

Uh oh!

renovate Bot commented Feb 27, 2026 •

edited

Loading

Uh oh!

renovate Bot commented May 28, 2026 •

edited

Loading

Uh oh!

fullsend-ai-review Bot commented Jun 3, 2026 •

edited

Loading

Review

Findings

Low

Info

Review

Findings

Low

Info

Uh oh!

fullsend-ai-review Bot Jun 3, 2026

Uh oh!

fullsend-ai-review Bot Jun 3, 2026

Uh oh!

fullsend-ai-review Bot Jun 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Feb 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Language

Evaluator

cmd/cue

Go API

Added

Changed

Fixed

What's Changed

New Contributors

What's Changed

What's Changed

0.29.5 - 2026-05-04

Implemented enhancements

Fixed bugs

Documentation

Miscellaneous tasks

Updates

People who contributed to this release

New Contributors

Per-module changes

client-middleware/opentracing (0.29.5)

Fixed bugs

Miscellaneous tasks

Updates

0.29.4 - 2026-04-18

Documentation

Testing

Miscellaneous tasks

Updates

People who contributed to this release

Per-module changes

client-middleware/opentracing (0.29.4)

Miscellaneous tasks

Updates

0.29.3 - 2026-03-08

Fixed bugs

Documentation

Code quality

Miscellaneous tasks

Updates

People who contributed to this release

New Contributors

Per-module changes

client-middleware/opentracing (0.29.3)

Documentation

Code quality

Miscellaneous tasks

0.26.3 - 2026-05-31

Documentation

Miscellaneous tasks

Updates

People who contributed to this release

Per-module changes

enable/mongodb (0.26.3)

Miscellaneous tasks

Updates

internal/testintegration (0.26.3)

Miscellaneous tasks

Updates

0.26.2 - 2026-04-29

Documentation

Performance

Miscellaneous tasks

Updates

Configuration

Uh oh!

renovate Bot commented Feb 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

ℹ️ Artifact update notice

File name: acceptance/go.mod

File name: go.mod

File name: tools/go.mod

Uh oh!

renovate Bot commented May 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

renovate Bot commented Feb 27, 2026 •

edited

Loading

`cmd/cue`

renovate Bot commented Feb 27, 2026 •

edited

Loading

renovate Bot commented May 28, 2026 •

edited

Loading

fullsend-ai-review Bot commented Jun 3, 2026 •

edited

Loading