build(deps): bump the go-dependencies group with 4 updates by dependabot[bot] · Pull Request #2605 · buildpacks/pack

dependabot · 2026-05-19T07:30:01Z

Bumps the go-dependencies group with 4 updates: github.com/docker/cli, github.com/go-git/go-git/v5, github.com/google/go-containerregistry and github.com/onsi/gomega.

Updates github.com/docker/cli from 29.4.3+incompatible to 29.5.1+incompatible

Commits

2518b52 Merge pull request #6991 from mickael-docker/docs-clarify-authz
9f18a0a docs: clarify authz content type
2944fd1 Merge pull request #6989 from thaJeztah/bump_version
c41489a bump VERSION to v29.5.1-dev
98f1464 Merge pull request #6988 from thaJeztah/make_shell
50712c9 README: simplify instructions for using dev container
653dc8f Merge pull request #6485 from paulchen5/6484-update-pull-request-template
1394582 Merge pull request #6987 from thaJeztah/contributing_links
f99747b docs: fix stale links in CONTRIBUTING.md
ddac061 PR template: remove outdated contributing guide link
Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.1

What's Changed

v5: plumbing: transport/ssh, Shell-quote path by @hiddeco in go-git/go-git#2068

v5: git: submodule, Fix relative URL resolution by @hiddeco in go-git/go-git#2070

v5: git: submodule, canonical remote for relative URLs by @hiddeco in go-git/go-git#2074

v5: git: submodule, error on remote without URLs by @hiddeco in go-git/go-git#2078

v5: plumbing: format/idxfile, Validate offset64 indices by @hiddeco in go-git/go-git#2084

v5: *: Reject malformed variable-length integers by @hiddeco in go-git/go-git#2092

v5: plumbing: format/packfile, Tighten delta validation by @hiddeco in go-git/go-git#2091

v5: Add worktreeFilesystem wrapper for worktree and hardening by @hiddeco in go-git/go-git#2100

v5: config: validate submodule names by @hiddeco in go-git/go-git#2082

build: Update module github.com/go-git/go-git/v5 to v5.19.0 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in go-git/go-git#2111

v5: git: Allow MkdirAll on worktree-root paths by @hiddeco in go-git/go-git#2117

v5: git: Stop validating symlink target paths by @pjbgf in go-git/go-git#2116

v5: plumbing: format decoder input bounds and contracts by @hiddeco in go-git/go-git#2125

plumbing: format/packfile, cap delta chain depth in parser by @pjbgf in go-git/go-git#2137

Full Changelog: go-git/go-git@v5.19.0...v5.19.1

Commits

3c3be60 Merge pull request #2137 from go-git/validate-v5
3fba897 plumbing: format/packfile, cap delta chain depth in parser
a97d660 Merge pull request #2125 from hiddeco/v5/format-input-bounds
aeaa125 plumbing: format/objfile, require Header before Read
1f38e17 plumbing: format/packfile, bound inflate size
f7545a0 plumbing: format/idxfile, bound nr by file size
170b881 Merge pull request #2116 from pjbgf/symlink-v5
7b6d994 Merge pull request #2117 from hiddeco/v5/worktree-fs-mkdirall-root-noop
f0709b3 git: Stop validating symlink target paths
776d00f git: Allow MkdirAll on worktree-root paths
Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.21.5 to 0.21.6

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.6

What's Changed

fix: update dependencies to use new azure sdk components by @gaganhr94 in google/go-containerregistry#2262

transport: restore resp.Body in retryError so CheckError can parse it by @alliasgher in google/go-containerregistry#2264

pkg/registry: return 202 Accepted for PATCH chunk uploads by @alliasgher in google/go-containerregistry#2265

Follow OCI distribution spec for artifactType and annotations by @malt3 in google/go-containerregistry#2269

actions: attach Codecov token to coverage tests on main by @Subserial in google/go-containerregistry#2270

remote: use DeleteScope (with "delete" action) for manifest deletion by @alliasgher in google/go-containerregistry#2266

remote: limit concurrent layer pulls by @gnix0 in google/go-containerregistry#2271

pkg/registry: reject corrupt disk blobs by @gnix0 in google/go-containerregistry#2272

mutate: close layer readers during export by @gnix0 in google/go-containerregistry#2277

crane/flatten: preserve image media type when flattening by @alliasgher in google/go-containerregistry#2267

build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 in the actions group across 1 directory by @dependabot[bot] in google/go-containerregistry#2273

build(deps): bump go.opentelemetry.io/otel from 1.36.0 to 1.41.0 by @dependabot[bot] in google/go-containerregistry#2278

build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in google/go-containerregistry#2280

Replace go-homedir with os.UserHomeDir by @jammie-jelly in google/go-containerregistry#2282

pkg/name: only treat .localhost as non-HTTPS, not .local by @blackwell-systems in google/go-containerregistry#2281

transport: block unspecified IPs (0.0.0.0, ::) in validateRealmURL by @marwan9696 in google/go-containerregistry#2285

test(mutate): add Extract round-trip test for filesystem object preservation by @blackwell-systems in google/go-containerregistry#2283

experiments: remove deprecated support for estargz by @thaJeztah in google/go-containerregistry#2288

build(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1 in the actions group by @dependabot[bot] in google/go-containerregistry#2289

fix: limit HTTP response body reads to prevent OOM by @evilgensec in google/go-containerregistry#2296

build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in google/go-containerregistry#2297

transport: block redirects from token server to private/link-local addresses (SSRF fix) by @evilgensec in google/go-containerregistry#2292

pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract by @anishesg in google/go-containerregistry#2279

validate: skip non-layer layers by @imjasonh in google/go-containerregistry#2298

remote: validate foreign layer URLs to prevent SSRF (fixes #2259) by @evilgensec in google/go-containerregistry#2293

remote: block SSRF via private-IP Location headers in blob uploads by @adilburaksen in google/go-containerregistry#2295

fix(mutate): preserve config blob and layers for non-Docker OCI artifacts by @blackwell-systems in google/go-containerregistry#2286

fix: preserve per-occurrence layer identity in mutate.Image.Layers() by @iahsanGill in google/go-containerregistry#2299

transport: retry HTTP 429 (Too Many Requests) by @iahsanGill in google/go-containerregistry#2301

transport: allow bearer realm at same host:port as registry by @iahsanGill in google/go-containerregistry#2302

Update go version to 1.26.3 by @Subserial in google/go-containerregistry#2300

New Contributors

@gaganhr94 made their first contribution in google/go-containerregistry#2262

@alliasgher made their first contribution in google/go-containerregistry#2264

@malt3 made their first contribution in google/go-containerregistry#2269

@gnix0 made their first contribution in google/go-containerregistry#2271

@blackwell-systems made their first contribution in google/go-containerregistry#2281

@marwan9696 made their first contribution in google/go-containerregistry#2285

@anishesg made their first contribution in google/go-containerregistry#2279

@adilburaksen made their first contribution in google/go-containerregistry#2295

@iahsanGill made their first contribution in google/go-containerregistry#2299

Full Changelog: google/go-containerregistry@v0.21.5...v0.21.6

Commits

53f7e39 Update go version to 1.26.3 (#2300)
bf87c3b transport: allow bearer realm at same host:port as registry (#2302)
c55facd transport: retry HTTP 429 (Too Many Requests) (#2301)
68a569e fix: preserve per-occurrence layer identity in Layers() (#2299)
35b354b fix(mutate): preserve config blob and layers for non-Docker OCI artifacts (#2...
e5983f2 remote: block SSRF via private-IP Location headers in blob uploads (#2295)
6dad820 remote: validate foreign layer URLs to prevent SSRF (fixes #2259) (#2293)
78bdf1b validate: skip non-layer layers (#2298)
c29d91c pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract ...
a70d75a transport: block redirects from token server to private/link-local addresses ...
Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.40.0 to 1.41.0

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.41.0

Features

Add BeASlice and BeAnArray matchers

Fixes

Object formatting now detects pointer cycles to avoid runaway formatting output.

Commits

af2bccb v1.41.0
73e81f6 v1.41.0 (full)
e35a84f feat: devcontainer configuration with local pkgsite and GH pages
f12e5e1 fix(format): detect pointer cycles to avoid runaway formatting output
e14831f Add optionalDescription docs to AsyncAssertion and Assertion interfaces
344b94d Add BeASlice and BeAnArray matchers
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-dependencies group with 4 updates: [github.com/docker/cli](https://github.com/docker/cli), [github.com/go-git/go-git/v5](https://github.com/go-git/go-git), [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) and [github.com/onsi/gomega](https://github.com/onsi/gomega). Updates `github.com/docker/cli` from 29.4.3+incompatible to 29.5.1+incompatible - [Commits](docker/cli@v29.4.3...v29.5.1) Updates `github.com/go-git/go-git/v5` from 5.19.0 to 5.19.1 - [Release notes](https://github.com/go-git/go-git/releases) - [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md) - [Commits](go-git/go-git@v5.19.0...v5.19.1) Updates `github.com/google/go-containerregistry` from 0.21.5 to 0.21.6 - [Release notes](https://github.com/google/go-containerregistry/releases) - [Commits](google/go-containerregistry@v0.21.5...v0.21.6) Updates `github.com/onsi/gomega` from 1.40.0 to 1.41.0 - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.40.0...v1.41.0) --- updated-dependencies: - dependency-name: github.com/docker/cli dependency-version: 29.5.1+incompatible dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.19.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-dependencies - dependency-name: github.com/google/go-containerregistry dependency-version: 0.21.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-dependencies - dependency-name: github.com/onsi/gomega dependency-version: 1.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code type/chore Issue that requests non-user facing changes. labels May 19, 2026

dependabot Bot requested review from a team as code owners May 19, 2026 07:30

dependabot Bot added type/chore Issue that requests non-user facing changes. dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 19, 2026

github-actions Bot added this to the 0.41.0 milestone May 19, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the go-dependencies group with 4 updates#2605

build(deps): bump the go-dependencies group with 4 updates#2605
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-dependencies-4ef1d545c6

dependabot Bot commented on behalf of github May 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 19, 2026

v5.19.1

What's Changed

v0.21.6

What's Changed

New Contributors

1.41.0

Features

Fixes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants