Update go modules (main) (minor) #3131

Open: renovate[bot] wants to merge 1 commit into main from renovate/main-go-modules

renovate Bot commented Feb 27, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Type Update
cuelang.org/go v0.16.0 -> v0.17.0 require minor
github.com/CycloneDX/cyclonedx-go v0.10.0 -> v0.11.0 require minor
github.com/conforma/go-containerregistry ae5f0ae -> 8acb20a replace digest
github.com/daixiang0/gci v0.13.7 -> v0.14.0 require minor
github.com/go-openapi/runtime v0.29.2 -> v0.32.4 require minor
github.com/golangci/golangci-lint/v2 v2.11.4 -> v2.12.2 require minor
github.com/konflux-ci/application-api e7eb2ec -> dd8c9b1 require digest
github.com/open-policy-agent/opa v1.15.2 -> v1.18.1 require minor
github.com/pkg/diff 20ebb0f -> 4e6772a require digest
github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0 require minor
github.com/sigstore/cosign/v3 v3.0.4 -> v3.1.1 require minor
github.com/sigstore/sigstore-go v1.1.4 -> v1.2.1 require minor
github.com/tektoncd/chains v0.26.2 -> v0.27.1 require minor
github.com/tektoncd/cli v0.44.1 -> v0.45.0 require minor
github.com/testcontainers/testcontainers-go v0.34.0 -> v0.43.0 require minor
github.com/testcontainers/testcontainers-go/modules/registry v0.34.0 -> v0.43.0 require minor
github.com/wiremock/go-wiremock v1.11.0 -> v1.16.0 require minor
golang.org/x/benchmarks a2b48b6 -> 3558132 require digest
golang.org/x/exp 746e56f -> c48552f require digest
gotest.tools/gotestsum v1.12.1 -> v1.13.0 require minor
k8s.io/kube-openapi 5883c5e -> 8f3fa49 require digest
k8s.io/kubernetes v1.34.2 -> v1.36.2 require minor
sigs.k8s.io/kind v0.26.0 -> v0.32.0 require minor
sigs.k8s.io/kustomize/api v0.20.1 -> v0.21.1 require minor
sigs.k8s.io/kustomize/kyaml v0.20.1 -> v0.21.1 require minor

Release Notes

cue-lang/cue (cuelang.org/go)

v0.17.0

Changes which may break some users are marked below with: ⚠️

Language

The active try experiment renames the new fallback keyword, used with for comprehensions, to otherwise. fallback continues to be accepted for now, but is rewritten to the new form.

The active aliasv2 experiment now allows ~(X) as an alternative to ~X for the single postfix alias form. ~X is also rewritten as ~(X) for the sake of consistency and clarity.

Language versions v0.17.0 and later allow omitting commas in multi-line lists. Just like a newline after a struct field implies a comma, a newline after a list element now implies a comma as well.

Language versions v0.17.0 and later allow a newline or a comma before the closing bracket of an index expression, matching how lists and func arguments allow omitting trailing commas.

The language spec is tweaked to make $ a valid identifier, which was already allowed by the parser and evaluator.

⚠️ Support for the infix div, mod, quo, and rem operators has been removed. Since late 2020, these infix forms have been undocumented and rewritten by cue fix to the new function calls.

The new shortcircuit experiment

This release introduces the shortcircuit experiment, which changes the && and || operators to not evaluate the right operand if the left operand alone determines the result.

This matches the behavior already documented in the CUE spec and is consistent with most mainstream languages, but for the sake of a smooth transition for end users, we are rolling out this change via an experiment.

You can try this experiment via the @experiment(shortcircuit) file attribute. To mimic the old behavior with the experiment, you can use a hidden field:

_y: Y
if X && _y {}

Evaluator

Comprehensions

The comprehension algorithm now waits to run a comprehension's body until the fields it reads have a concrete value, rather than trying to produce its fields up front. This resolves a number of long-standing bugs, most notably the last known regressions from evalv2, where a comprehension that should have resolved instead failed as an incomplete value or a cycle.

This design also greatly simplifies upcoming evaluator work, such as introducing new builtins to replace comparing values to bottom, as well as the design of evalv4.

Other changes

The evaluator no longer deduplicates errors just by position, which was causing some useful errors from disjunctions or standard library calls to be dropped incorrectly.

Several long-standing cycle-detection bugs have been fixed, such as self-referential uses of matchN and matchIf, self-feeding disjunctions, and comprehensions that read a let binding which refers back to the comprehension's own fields.

Fixed a bug where the same package imported via different qualified import paths (e.g. foo.com/bar@v0 or foo.com/bar:baz) did not share the same hidden field namespace.

Resolving an unversioned import from a dependency module now respects that module's own default major version, instead of always using the main module's default.

Fix a number of issues where cue def could produce invalid CUE output, such as due to name conflicts.

Fix an evaluator regression where embedded disjunctions across packages may not correctly apply closedness.

Fix an evaluator bug where cue.Context.BuildExpr of close({}) did not actually result in a closed struct.

Fix a bug where some calls to standard library functions or validators did not include the "error in call to pkg.Func" error context, or included it twice.

A few changes to the evaluator should reduce allocated objects by up to 16%, reducing GC overhead and memory usage.

To ease the transition into the new formatter we plan to release with v0.18, CUE_EXPERIMENT=formatv2=0 is now allowed as a no-op.

A number of other bugs, panics, and hangs have been resolved as well.

cmd/cue

Module replaces

CUE now supports substituting a module dependency with a local directory or a different remote module during development - for example while testing a fix to a dependency before it is published, or to replace a dependency with a fork including improvements.

This configuration lives in cue.mod/local-module.cue, which is excluded when publishing to registries. cue mod edit and cue mod tidy gain support for maintaining this file.

We have also published a how-to guide on replacing a dependency with a local module.

Read the full design doc in the proposal, or read the cue.mod/local-module.cue reference docs.

Other changes

The new global -C or --chdir flag runs cue from the given working directory.

Command input parsing is improved so that CUE packages can come after data files, such as cue vet -c data.yaml ./schema.

cue import --with-context now ensures that data represents the original raw input data, and not its interpretation like JSON Schema.
cue import --path now skips over null values in an input stream, such as empty documents in a YAML file.

Fix a bug where the flag cue export --path was ignored when the inputs were pure CUE.

The new cue exp gengotypes --outfile flag controls the output file path when generating a single package.

cue vet -d/--schema now supports hidden fields, and correctly reports an error when the command inputs are CUE only.

cue fix and cue trim no longer change file modification times when no changes are necessary.

A $CUE_CACHE_DIR directory is no longer required when loading CUE without external dependencies.

The "filetypes" lookup tables now use a more compact encoding, saving about 150KiB in binary size for cmd/cue as well as Go API users.

LSP server

Add an initial version of organize-imports, which sorts the existing imports and removes unneeded imports. It is not yet capable of suggesting missing imports.

Wait for a short period of inactivity before sending diagnostics to the editor. This "debounce" means that a user typing incomplete CUE syntax will not be distracted with syntax errors as much.

The aliasv2 experiment is now fully supported.

The rename function is fixed to distinguish between field names and aliases.

Improve field name analysis in general so that fields with multiple aliases (e.g. v=[k=string]: _) are properly supported.

Improve attribute handling for file-level embedded attributes, and to attach attributes within expressions to the correct struct.

Treat conjunctions (&) and disjunctions (|) the same way for goto-definition. With the cursor on a path, it returns all results that the path MAY resolve to. With the cursor on a field declaration name, it returns all results that the path constructed from the field's name, and its field's name (and so on) MAY resolve to.

Special-case close function calls so that paths can resolve through fields within the argument to close.

Encodings

⚠️ The experimental JSON Schema encoder now emits most definitions without the leading # character, shortening names and ensuring compatibility with the wider JSON Schema ecosystem. This required deprecating encoding/jsonschema.GenerateConfig.NameFunc in favor of NamesFunc.

The JSON Schema encoder is improved to support list.UniqueItems and standalone validators, to use maxItems and minItems instead of maxLength and minLength for lists with prefix elements, and to generate description keywords for doc comments.

Several closedness bugs in the JSON Schema encoder have been fixed, ensuring that the generated JSON Schema behaves the same way as the original CUE definition.

The JSON Schema decoder is improved to better handle the prefixItems keyword.

The ProtoBuf decoder now resolves relative references following the usual scoping rules, instead of always resolving them against the top-level scope.

Standard library

Add time.ToUnix and time.ToUnixNano, which convert an RFC3339Nano time value into seconds or nanoseconds since the Unix epoch, complementing the existing Unix builtin.

strconv.FormatFloat now accepts a string format parameter, like FormatFloat(3.14, "e", 4, 64).

list.MatchN now shows what expected value it's matching against when it fails.

The net IP APIs now consistently return an error on invalid input types.

Go API

Using cue.Values concurrently is now fully supported, which required deprecating cue.Value.Context. If you encounter any races or bugs, please report them via the issue tracker.

cue/load now supports loading from an io/fs.FS, as outlined in proposal #4285. Loading file embeds through Config.Overlay and Config.FS is supported now as well.

cue/ast/astutil deprecates Sanitize in favor of the new SanitizeFiles API, given that Sanitize on a single file cannot know if another file in the same package shadows builtin names like self.

Add Path.Compare and Selector.Compare, providing allocation-free total ordering suitable for slices.SortFunc.

Clarify that cue/format indents with a tab width of 4 by default.

A new fuzzer has been introduced in the cue package, checking that the parser doesn't crash and that its results are consistent with the rest of the Go APIs like cue/literal. So far, it has already resulted in seventeen bug fixes.

The cue.Interpreter option API has been deprecated in favor of cue.WithInjection, which is a better name going forward.

⚠️ cue/ast.File.Imports, deprecated in mid 2025 in favor of cue/ast.File.ImportSpecs, is now removed.

⚠️ The long-deprecated and hidden cue.Instance methods Lookup, LookupDef, LookupField, and Fill are now removed.

⚠️ The modconfig.Registry interface is changed to report default major versions, which is required for resolving unversioned imports against each dependency module's own defaults. Clients that implement or wrap the interface will need to update. The new interface is future-proofed for upcoming modules changes.

Full list of changes since v0.16.0

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot commented Feb 27, 2026

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 15 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.8 -> 1.26.0
github.com/cyphar/filepath-securejoin v0.6.0 -> v0.6.1
github.com/docker/go-connections v0.5.0 -> v0.6.0
github.com/lufia/plan9stats v0.0.0-20240819163618-b1d8f4d146e7 -> v0.0.0-20251013123823-9fd1530e3ec3
github.com/tklauser/go-sysconf v0.3.14 -> v0.3.16
github.com/tklauser/numcpus v0.8.0 -> v0.11.0
golang.org/x/crypto v0.49.0 -> v0.50.0
golang.org/x/mod v0.33.0 -> v0.36.0
golang.org/x/net v0.52.0 -> v0.53.0
golang.org/x/sys v0.42.0 -> v0.43.0
golang.org/x/term v0.41.0 -> v0.42.0
golang.org/x/text v0.35.0 -> v0.36.0
google.golang.org/protobuf v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 35 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.8 -> 1.26.0
golang.org/x/net v0.52.0 -> v0.54.1-0.20260508232935-23ee2efe81a3
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 -> v1.31.0
github.com/containerd/containerd/v2 v2.2.2 -> v2.2.3
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 -> v4.4.1
github.com/docker/go-connections v0.5.0 -> v0.6.0
github.com/goccy/go-json v0.10.5 -> v0.10.6
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 -> v2.28.0
github.com/huandu/go-sqlbuilder v1.39.1 -> v1.40.2
github.com/lestrrat-go/dsig v1.0.0 -> v1.2.1
github.com/lestrrat-go/httprc/v3 v3.0.2 -> v3.0.5
github.com/lestrrat-go/jwx/v3 v3.0.13 -> v3.1.0
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c -> v0.0.0-20240221224432-82ca36839d55
github.com/prometheus/common v0.67.4 -> v0.67.5
github.com/prometheus/procfs v0.17.0 -> v0.20.1
github.com/stretchr/objx v0.5.2 -> v0.5.3
github.com/tklauser/go-sysconf v0.3.12 -> v0.3.16
github.com/tklauser/numcpus v0.6.1 -> v0.11.0
github.com/valyala/fastjson v1.6.7 -> v1.6.10
github.com/yusufpapurcu/wmi v1.2.3 -> v1.2.4
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 -> v0.65.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 -> v0.68.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 -> v1.43.0
go.opentelemetry.io/proto/otlp v1.9.0 -> v1.10.0
go.yaml.in/yaml/v2 v2.4.3 -> v2.4.4
golang.org/x/crypto v0.49.0 -> v0.51.0
golang.org/x/mod v0.33.0 -> v0.36.0
golang.org/x/sys v0.42.0 -> v0.44.0
golang.org/x/term v0.41.0 -> v0.43.0
golang.org/x/tools v0.42.0 -> v0.45.0
google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/grpc v1.79.3 -> v1.80.0
google.golang.org/protobuf v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 48 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.8 -> 1.26.0
github.com/Masterminds/semver/v3 v3.4.0 -> v3.5.0
github.com/alecthomas/chroma/v2 v2.23.1 -> v2.24.1
github.com/ashanbrown/forbidigo/v2 v2.3.0 -> v2.3.1
github.com/ashanbrown/makezero/v2 v2.1.0 -> v2.2.1
github.com/bombsimon/wsl/v5 v5.6.0 -> v5.8.0
github.com/butuzov/ireturn v0.4.0 -> v0.4.1
github.com/charmbracelet/colorprofile v0.3.1 -> v0.4.3
github.com/charmbracelet/x/ansi v0.10.1 -> v0.11.7
github.com/charmbracelet/x/term v0.2.1 -> v0.2.2
github.com/clipperhouse/displaywidth v0.6.0 -> v0.11.0
github.com/clipperhouse/uax29/v2 v2.3.0 -> v2.7.0
github.com/cyphar/filepath-securejoin v0.6.0 -> v0.6.1
github.com/dlclark/regexp2 v1.11.5 -> v1.12.0
github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 -> v0.0.0-20260401084720-c99c5cf5c202
github.com/hashicorp/go-version v1.8.0 -> v1.9.0
github.com/jgautheron/goconst v1.8.2 -> v1.10.0
github.com/lib/pq v1.11.2 -> v1.12.3
github.com/lucasb-eyer/go-colorful v1.3.0 -> v1.4.0
github.com/manuelarte/funcorder v0.5.0 -> v0.6.0
github.com/mattn/go-runewidth v0.0.19 -> v0.0.23
github.com/moby/spdystream v0.5.0 -> v0.5.1
github.com/pelletier/go-toml/v2 v2.2.4 -> v2.3.1
github.com/prometheus/procfs v0.17.0 -> v0.19.2
github.com/securego/gosec/v2 v2.24.8-0.20260309165252-619ce2117e08 -> v2.26.1
github.com/sourcegraph/go-diff v0.7.0 -> v0.8.0
github.com/tetafro/godot v1.5.4 -> v1.5.6
github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 -> v0.0.0-20260129054331-73d1f95b84b4
github.com/uudashr/iface v1.4.1 -> v1.4.2
go-simpler.org/sloglint v0.11.1 -> v0.12.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 -> v0.65.0
golang.org/x/crypto v0.49.0 -> v0.50.0
golang.org/x/exp v0.0.0-20250911091902-df9299821621 -> v0.0.0-20251219203646-944ab1f22d93
golang.org/x/mod v0.34.0 -> v0.35.0
golang.org/x/net v0.52.0 -> v0.53.0
golang.org/x/sys v0.42.0 -> v0.43.0
golang.org/x/term v0.41.0 -> v0.42.0
golang.org/x/text v0.35.0 -> v0.36.0
golang.org/x/tools v0.43.0 -> v0.44.0
google.golang.org/protobuf v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
gopkg.in/evanphx/json-patch.v4 v4.12.0 -> v4.13.0
k8s.io/klog/v2 v2.130.1 -> v2.140.0
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 -> v0.0.0-20250730193827-2d320260d730
sigs.k8s.io/kustomize/api v0.20.1 -> v0.21.1
sigs.k8s.io/kustomize/cmd/config v0.20.1 -> v0.21.1
sigs.k8s.io/kustomize/kyaml v0.20.1 -> v0.21.1
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2

File name: tools/kubectl/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 21 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.8 -> 1.26.0
github.com/moby/spdystream v0.5.0 -> v0.5.1
github.com/prometheus/common v0.66.1 -> v0.67.5
github.com/prometheus/procfs v0.16.1 -> v0.19.2
github.com/spf13/cobra v1.9.1 -> v1.10.2
github.com/spf13/pflag v1.0.6 -> v1.0.9
go.yaml.in/yaml/v2 v2.4.2 -> v2.4.3
golang.org/x/net v0.43.0 -> v0.49.0
golang.org/x/oauth2 v0.30.0 -> v0.34.0
golang.org/x/sync v0.17.0 -> v0.19.0
golang.org/x/term v0.34.0 -> v0.39.0
golang.org/x/text v0.28.0 -> v0.33.0
google.golang.org/protobuf v1.36.10 -> v1.36.12-0.20260120151049-f2248ac996af
gopkg.in/evanphx/json-patch.v4 v4.12.0 -> v4.13.0
k8s.io/klog/v2 v2.130.1 -> v2.140.0
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 -> v0.0.0-20260210185600-b8788abfbbc2
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 -> v0.0.0-20250730193827-2d320260d730
sigs.k8s.io/kustomize/api v0.20.1 -> v0.21.1
sigs.k8s.io/kustomize/kustomize/v5 v5.7.1 -> v5.8.1
sigs.k8s.io/kustomize/kyaml v0.20.1 -> v0.21.1
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2

@renovate renovate Bot added the main label Feb 27, 2026
@renovate renovate Bot force-pushed the renovate/main-go-modules branch 10 times, most recently from b7bbfdc to 02074a5 Compare March 6, 2026 09:52
@renovate renovate Bot force-pushed the renovate/main-go-modules branch 13 times, most recently from ae12a07 to b6bcb99 Compare March 12, 2026 19:21
@renovate renovate Bot force-pushed the renovate/main-go-modules branch 2 times, most recently from eb3bd95 to 50d854b Compare March 15, 2026 12:52

fullsend-ai-review Bot left a comment

See the review comment for full details.

Comment thread tools/go.mod Outdated
@@ -3,17 +3,17 @@ module github.com/conforma/cli/tools
go 1.25.8

[low] version-skew

tools/go.mod keeps go 1.25.8 while the other three go.mod files are updated to go 1.26.0. While these are separate Go modules and unlikely to cause immediate issues, it is a hygiene concern.

fullsend-ai-review Bot commented Jun 18, 2026

🤖 Finished Review · ✅ Success · Started 11:01 PM UTC · Completed 11:10 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot commented Jun 19, 2026

🤖 Finished Review · ✅ Success · Started 2:41 AM UTC · Completed 2:49 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot commented Jun 19, 2026

🤖 Finished Review · ✅ Success · Started 12:53 PM UTC · Completed 1:03 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot left a comment

See the review comment for full details.

fullsend-ai-review Bot commented Jun 19, 2026

🤖 Finished Review · ✅ Success · Started 5:14 PM UTC · Completed 5:25 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot commented Jun 20, 2026

🤖 Finished Review · ✅ Success · Started 6:17 AM UTC · Completed 6:28 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot left a comment

See the review comment for full details.

Comment thread go.mod
k8s.io/client-go v0.35.4
k8s.io/klog/v2 v2.130.1
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[critical] API contract violation

testcontainers-go updated from v0.34 to v0.43.0. WithConfigModifier and WithHostConfigModifier were removed in v0.37.0. benchmark/offliner/offliner.go (lines 87, 90) and benchmark/internal/registry/registry.go (lines 131, 154) use these functions, causing compilation failures.

Suggested fix: Either keep testcontainers-go at a version < v0.37.0, or update the benchmark code to use testcontainers.CustomizeRequest instead of the removed modifier functions.

Comment thread acceptance/go.mod
github.com/tektoncd/cli v0.45.0
github.com/tektoncd/pipeline v1.12.0
github.com/testcontainers/testcontainers-go v0.34.0
github.com/testcontainers/testcontainers-go v0.43.0

[critical] API contract violation

testcontainers-go in acceptance module updated from v0.34.0 to v0.43.0. GenericContainer and GenericContainerRequest removed in v0.37.0. Used in acceptance/git/git.go:183, acceptance/registry/registry.go:112, acceptance/wiremock/wiremock.go:220.

Suggested fix: Either keep testcontainers-go at a version < v0.37.0, or update all acceptance test code to use testcontainers.Run() and the new request builder pattern.

Comment thread go.mod
github.com/google/safearchive v0.0.0-20241025131057-f7ce9d7b6f9c
github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b
github.com/in-toto/in-toto-golang v0.10.0
github.com/in-toto/in-toto-golang v0.11.0
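
Review bot: The in-toto-golang change on the last two lines (v0.10.0 to v0.11.0) is listed neither in the update table nor in the go.mod artifact notice of this PR, so nothing on the page says which update pulled it in. Identify the direct dependency that requires v0.11.0 (go mod graph shows the edge) and record it in the PR description before merging.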

[medium] API contract violation

in-toto-golang updated from v0.10.0 to v0.11.0. For v0.x libraries, minor bumps can contain breaking changes. Codebase directly imports in_toto types across 17+ files including ProvenanceStatementSLSA02, ProvenanceStatementSLSA1, and Statement.

Suggested fix: Review in-toto-golang v0.11.0 changelog. Run go build ./... to confirm compilation succeeds.

fullsend-ai-review Bot commented Jun 20, 2026

🤖 Finished Review · ✅ Success · Started 9:59 AM UTC · Completed 10:09 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot commented Jun 21, 2026

🤖 Finished Review · ✅ Success · Started 8:58 AM UTC · Completed 9:07 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot left a comment

See the review comment for full details.

Comment thread go.mod
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/net v0.53.0 // indirect
golang.org/x/sync v0.20.0
github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[medium] stale-reference

The comment on the testcontainers-go dependency says using unreleased version but v0.43.0 is a released version, making the comment misleading.

Suggested fix: Remove or update the comment to reflect that v0.43.0 is a released version that includes the fix from PR #2899.

Comment thread acceptance/go.mod Outdated

// Maybe less important in acceptance, but it seems sensible to use the fork here too
replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20250703195040-6f40a3734728
replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20251103083939-3459088e4bae
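
Review bot: The comment above the replace line gives no reason for the fork beyond "it seems sensible", so a reviewer cannot tell what the new pseudo-version v0.20.7-0.20251103083939-3459088e4bae is expected to contain. State in that comment what the fork carries and that the value must match the replace in the root go.mod, which shows the same pseudo-version.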

[low] api-contract

The go-containerregistry fork replace directive is updated to a new digest. Verify the new digest still carries all patches.

Suggested fix: Verify that the new fork digest still includes all patches from hack/ec-patches.sh.

fullsend-ai-review Bot commented Jun 21, 2026

🤖 Finished Review · ✅ Success · Started 2:15 PM UTC · Completed 2:26 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot commented Jun 22, 2026

🤖 Finished Review · ✅ Success · Started 11:23 AM UTC · Completed 11:33 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot commented Jun 22, 2026

🤖 Finished Review · ✅ Success · Started 1:49 PM UTC · Completed 1:59 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot left a comment

See the review comment for full details.

Comment thread acceptance/go.mod
github.com/tektoncd/pipeline v1.12.0
github.com/testcontainers/testcontainers-go v0.34.0
github.com/testcontainers/testcontainers-go v0.43.0
github.com/transparency-dev/merkle v0.0.2

[medium] API contract violation

The PR updates testcontainers-go from v0.34.0 to v0.43.0 (9-minor-version jump). Acceptance test code uses GenericContainer and Binds field in ContainerRequest, both deprecated in intermediate versions. While Go libraries typically retain deprecated APIs, compatibility should be verified.

Suggested fix: Verify testcontainers-go v0.43.0 still includes GenericContainer and the Binds field. Consider migrating from deprecated APIs in a follow-up.

Comment thread go.mod Outdated
@@ -63,22 +63,22 @@ require (
replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20251103083939-3459088e4bae

[medium] Version consistency

The replace directive for go-containerregistry points to a fork based on v0.20.7, but the required module version is v0.21.6. If the fork lacks APIs added between v0.20.7 and v0.21.6, compile or runtime errors could occur.

Suggested fix: Verify the updated fork commit is compatible with go-containerregistry v0.21.6 APIs used by the codebase.

Comment thread acceptance/go.mod
sigs.k8s.io/kind v0.26.0
sigs.k8s.io/kustomize/api v0.20.1
sigs.k8s.io/kustomize/kyaml v0.20.1
sigs.k8s.io/kind v0.32.0

[low] Version consistency

sigs.k8s.io/kind updated from v0.26.0 to v0.32.0 -- a large jump. The acceptance tests use versioned v1alpha4 API which is typically stable, but the jump warrants verification.

fullsend-ai-review Bot commented Jun 23, 2026

🤖 Finished Review · ✅ Success · Started 5:50 AM UTC · Completed 6:01 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot commented Jun 24, 2026

🤖 Finished Review · ✅ Success · Started 6:20 AM UTC · Completed 6:30 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.

Comment thread acceptance/go.mod
github.com/tektoncd/pipeline v1.12.0
github.com/testcontainers/testcontainers-go v0.34.0
github.com/testcontainers/testcontainers-go v0.43.0
github.com/transparency-dev/merkle v0.0.2

[critical] API contract violation

The PR updates testcontainers-go from v0.34.0 to v0.43.0 in the acceptance module, a 9-minor-version jump. The acceptance module uses testcontainers.GenericContainer in three files: acceptance/git/git.go:183, acceptance/registry/registry.go:112, and acceptance/wiremock/wiremock.go:220. If GenericContainer was removed between v0.35.0 and v0.43.0, these call sites will fail to compile.

Suggested fix: Either (a) pin testcontainers-go to the last version supporting GenericContainer, or (b) migrate all three call sites to use the replacement API (e.g., testcontainers.Run) before merging.

Comment thread go.mod
k8s.io/klog/v2 v2.130.1
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899
github.com/testcontainers/testcontainers-go/modules/registry v0.43.0

[high] version skew

The main module depends on testcontainers-go/modules/registry at v0.34.0 (line 48), but the PR updates the parent testcontainers-go to v0.43.0. The modules/registry sub-module is versioned in lockstep with the parent module. A v0.34.0 sub-module paired with a v0.43.0 parent will likely cause type incompatibilities at compile time.

Suggested fix: Update github.com/testcontainers/testcontainers-go/modules/registry to v0.43.0 (or the corresponding version that matches the parent module) in go.mod.

Comment thread go.mod
k8s.io/client-go v0.35.4
k8s.io/klog/v2 v2.130.1
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[medium] API contract violation

The main module uses a pinned pseudo-version of testcontainers-go with a comment referencing an unreleased fix (PR #2899). The PR updates this to v0.43.0. The stale comment needs cleanup and the fix inclusion should be verified.

Suggested fix: Verify that the fix from PR #2899 is included in v0.43.0, and remove the stale comment about the unreleased version.
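Two of the go.mod findings raised in this thread, a sub-module left behind its parent and an "unreleased" comment sitting on a tagged release, can be checked mechanically. The following is an added example, not code from the PR, the review bot or the conforma project; the `<parent>/modules/<name>` layout, the sample go.mod text and the names `parseRequires` and `lint` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed go.mod fragment modelled on the lines quoted in this thread.
const sampleGoMod = `require (
	github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899
	github.com/testcontainers/testcontainers-go/modules/registry v0.34.0
	k8s.io/klog/v2 v2.130.1
)`
// pseudo matches the timestamp-and-commit suffix of a Go pseudo-version.
var pseudo = regexp.MustCompile(`[.-]\d{14}-[0-9a-f]{12}$`)

type req struct{ path, version, comment string }

// parseRequires is a minimal line scanner for "path version // comment" entries.
func parseRequires(src string) (out []req) {
	for _, line := range strings.Split(src, "\n") {
		code, comment, _ := strings.Cut(line, "//")
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(code), "require "))
		if len(f) == 2 && strings.HasPrefix(f[1], "v") {
			out = append(out, req{f[0], f[1], strings.TrimSpace(comment)})
		}
	}
	return out
}

// lint flags version skew under the assumed <parent>/modules/<name> layout and stale "unreleased" comments.
func lint(src string) (findings []string) {
	reqs, ver := parseRequires(src), map[string]string{}
	for _, r := range reqs {
		ver[r.path] = r.version
	}
	for _, r := range reqs {
		parent, _, isSub := strings.Cut(r.path, "/modules/")
		if pv, ok := ver[parent]; isSub && ok && pv != r.version {
			findings = append(findings, fmt.Sprintf("skew: %s %s vs %s %s", parent, pv, r.path, r.version))
		}
		if strings.Contains(strings.ToLower(r.comment), "unreleased") && !pseudo.MatchString(r.version) {
			findings = append(findings, "stale comment: "+r.path+" "+r.version)
		}
	}
	return findings
}

func main() { fmt.Println(strings.Join(lint(sampleGoMod), "\n")) }
```

The scanner only reads `require` entries, so `replace` directives and the `go` line are ignored; a check on a real repository would run it once per go.mod file.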

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 25, 2026

🤖 Finished Review · ✅ Success · Started 1:13 PM UTC · Completed 1:20 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 25, 2026

🤖 Finished Review · ❌ Failure · Started 9:14 PM UTC · Completed 9:26 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

🤖 Finished Review · ✅ Success · Started 5:24 PM UTC · Completed 5:34 PM UTC
Commit: 47d3320 · View workflow run →

Comment thread go.mod
k8s.io/klog/v2 v2.130.1
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
oras.land/oras-go/v2 v2.6.0
github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[low] stale comment

The PR bumps testcontainers-go from a pre-release pseudo-version (v0.34.1-0.20241204123437-72be13940122) to v0.43.0, a proper release. The inline comment '// using unreleased version that contains the fix in testcontainers/testcontainers-go#2899' becomes factually incorrect and should be removed.

Comment thread tools/go.mod Outdated
@@ -3,17 +3,17 @@ module github.com/conforma/cli/tools
go 1.25.8

[low] version inconsistency

The Go toolchain version is bumped from 1.25.8 to 1.26.0 in acceptance/go.mod, go.mod, and tools/kubectl/go.mod, but NOT in tools/go.mod which stays at 1.25.8. This may be intentional (separate module with independent constraints), but could lead to inconsistencies.

Suggested fix: Either bump tools/go.mod to go 1.26.0 for consistency, or confirm this divergence is intentional.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

🤖 Finished Review · ✅ Success · Started 8:34 PM UTC · Completed 8:43 PM UTC
Commit: 47d3320 · View workflow run →

Comment thread go.mod
golang.org/x/benchmarks v0.0.0-20241115175113-a2b48b605b42
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/net v0.55.0 // indirect
github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[low] stale comment

The comment on the testcontainers-go dependency line reads "// using unreleased version that contains the fix in testcontainers/testcontainers-go#2899" but the version is being changed from a pseudo-version (v0.34.1-0.20241204123437-72be13940122) to a proper release (v0.43.0). The comment is now factually incorrect -- v0.43.0 is not an unreleased version.

Suggested fix: Remove or update the comment. If the fix from PR #2899 is confirmed to be in v0.43.0, the comment should be removed entirely.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 29, 2026

🤖 Finished Review · ✅ Success · Started 11:02 AM UTC · Completed 11:15 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 29, 2026

🤖 Finished Review · ✅ Success · Started 11:18 AM UTC · Completed 11:30 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 29, 2026

🤖 Finished Review · ✅ Success · Started 3:42 PM UTC · Completed 3:54 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.

Comment thread go.mod
golang.org/x/benchmarks v0.0.0-20241115175113-a2b48b605b42
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/net v0.55.0 // indirect
github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[critical] API compatibility / compilation failure

testcontainers-go is being updated from v0.34.1 (unreleased pre-v0.35 commit) to v0.43.0. The codebase uses testcontainers.GenericContainer() with testcontainers.GenericContainerRequest in multiple files (acceptance/git/git.go:183, acceptance/registry/registry.go:112, acceptance/wiremock/wiremock.go:220). ContainerRequest.Binds is used in acceptance/git/git.go:174 and acceptance/wiremock/wiremock.go:212. ContainerRequest.AutoRemove is used in acceptance/testenv/testenv.go:252 and extensively tested in acceptance/testenv/testenv_test.go:234,250,264. These APIs were deprecated in testcontainers-go v0.35.0 and removed by v0.43.0, which will cause compilation failures across both the main and acceptance modules.

Suggested fix: Either pin testcontainers-go to a compatible version (e.g., keep v0.34.x), or update all call sites to use the new testcontainers.Run() API, replace Binds with testcontainers.WithHostConfigModifier, and replace AutoRemove with the equivalent new API before merging this version bump.

Comment thread go.mod
golang.org/x/benchmarks v0.0.0-20241115175113-a2b48b605b42
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
golang.org/x/net v0.55.0 // indirect
github.com/testcontainers/testcontainers-go v0.43.0 // using unreleased version that contains the fix in https://github.com/testcontainers/testcontainers-go/pull/2899

[medium] stale-reference

The comment on the testcontainers-go dependency reads: // using unreleased version that contains the fix in testcontainers/testcontainers-go#2899. Since v0.43.0 is a proper release, this comment is now misleading.

Suggested fix: Remove the comment or update it to note that the fix from PR #2899 is included in the released v0.43.0.

Comment thread go.mod
cuelang.org/go v0.16.0
github.com/CycloneDX/cyclonedx-go v0.10.0
cuelang.org/go v0.17.0
github.com/CycloneDX/cyclonedx-go v0.11.0
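Review bot: cuelang.org/go moves from v0.16.0 to v0.17.0 in the same hunk as cyclonedx-go, and it is a pre-1.0 module too, so this minor bump needs the same check. Build and run the tests for the packages that import cuelang.org/go before merging instead of relying on the version number.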

[medium] API compatibility

CycloneDX/cyclonedx-go is being updated from v0.10.0 to v0.11.0 (pre-1.0 library where minor bumps can contain breaking changes). The codebase uses cyclonedx.NewBOMDecoder, cyclonedx.BOM, cyclonedx.BOMFileFormatJSON, cyclonedx.ComponentTypeContainer, bom.Formulation, formulation.Components, and component.Properties in benchmark/offliner/base_images.go:53-73.

Suggested fix: Verify API compatibility by checking the v0.11.0 changelog or running go build ./benchmark/...

Comment thread go.mod
github.com/mitchellh/go-wordwrap v1.0.1
github.com/open-policy-agent/conftest v0.68.2
github.com/open-policy-agent/opa v1.15.2
github.com/open-policy-agent/opa v1.18.1
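Review bot: github.com/open-policy-agent/conftest stays at v0.68.2 in this hunk while github.com/open-policy-agent/opa moves to v1.18.1. Go selects a single opa version for the whole build, so conftest will be compiled against v1.18.1 as well; confirm that conftest v0.68.2 builds and its tests pass against that version, or bump the two together.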

[low] API compatibility

OPA is being updated from v1.15.2 to v1.18.1. The codebase imports opa/cmd in cmd/opa/opa.go:19 and uses cmd.RootCommand. Within the v1.x line backward compatibility is maintained, but opa/cmd is an internal-facing package.

Suggested fix: Run go build ./... to verify compilation succeeds with OPA v1.18.1.

Comment thread acceptance/go.mod
sigs.k8s.io/kind v0.26.0
sigs.k8s.io/kustomize/api v0.20.1
sigs.k8s.io/kustomize/kyaml v0.20.1
sigs.k8s.io/kind v0.32.0

[low] API compatibility

sigs.k8s.io/kind is being updated from v0.26.0 to v0.32.0 (6 minor versions). The codebase uses v1alpha4.Cluster, v1alpha4.Node, v1alpha4.PortMapping, cluster.NewProvider, and related APIs in acceptance/kubernetes/kind/kind.go.

Suggested fix: Run go build ./acceptance/... to verify compilation succeeds with kind v0.32.0.

Labels

dependencies (Pull requests that update a dependency file) · go (Pull requests that update Go code) · main · renovate · size: XXL
