build(deps): bump the go_modules group across 1 directory with 6 updates by dependabot[bot] · Pull Request #690 · replicatedhq/replicated

dependabot · 2026-04-10T18:21:52Z

Bumps the go_modules group with 5 updates in the / directory:

Package	From	To
github.com/go-git/go-git/v5	`5.16.5`	`5.17.1`
helm.sh/helm/v3	`3.20.1`	`3.20.2`
github.com/distribution/distribution/v3	`3.0.0`	`3.1.0`
github.com/hashicorp/go-getter	`1.8.5`	`1.8.6`
go.opentelemetry.io/otel/sdk	`1.42.0`	`1.43.0`

Updates github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.1

What's Changed

build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in go-git/go-git#1930

[v5] plumbing: format/index, Improve v4 entry name validation by @pjbgf in go-git/go-git#1935

[v5] plumbing: format/idxfile, Fix version and fanout checks by @pjbgf in go-git/go-git#1937

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @go-git-renovate[bot] in go-git/go-git#1839

git: worktree, optimize infiles function for very large repos by @k-anshul in go-git/go-git#1853

git: Add strict checks for supported extensions by @pjbgf in go-git/go-git#1861

backport, git: Improve Status() speed with new index.ModTime check by @cedric-appdirect in go-git/go-git#1862

storage: filesystem, Avoid overwriting loose obj files by @pjbgf in go-git/go-git#1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

Commits

5e23dfd Merge pull request #1937 from pjbgf/idx-v5
6b38a32 Merge pull request #1935 from pjbgf/index-v5
cd757fc plumbing: format/idxfile, Fix version and fanout checks
3ec0d70 plumbing: format/index, Fix tree extension invalidated entry parsing
dbe10b6 plumbing: format/index, Align V2/V3 long name and V4 prefix encoding with Git
e9b65df plumbing: format/index, Improve v4 entry name validation
adad18d Merge pull request #1930 from go-git/renovate/releases/v5.x-go-github.com-clo...
29470bd build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY]
bdf0688 Merge pull request #1864 from pjbgf/v5-issue-55
5290e52 storage: filesystem, Avoid overwriting loose obj files. Fixes #55
Additional commits viewable in compare view

Updates helm.sh/helm/v3 from 3.20.1 to 3.20.2

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.20.2

v3.20.2

Helm v3.20.2 is a security patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

Join the discussion in Kubernetes Slack:

for questions and just to hang out

for discussing PRs, code, and bugs

Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom

Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

Installation and Upgrading

Download Helm v3.20.2. The common platform binaries are here:

MacOS amd64 (checksum / 7de04301f28b902a74f6286ed941cadc86ee5e6a9086a18f2ccf1f548e99d618)

MacOS arm64 (checksum / 139c794c22f16b579d08ddd3008c8038b9bb2814f35b5bcca91f50a1f458978d)

Linux amd64 (checksum / 258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea)

Linux arm (checksum / a8a614c740399ff1ef32bcea6be6e4523f17e3376f9cf55c192cc48c8f2d1f19)

Linux arm64 (checksum / 5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691)

Linux i386 (checksum / 88e4c1834307cdbc9f3b80920e1a383e4ba50bb488fb0be1b1fbd4918bb6ae73)

Linux ppc64le (checksum / 98bb26a2f3c0b0c1a50db3181dff192554e0c204a07427d98d6b01e259f23cbe)

Linux s390x (checksum / 584dd77ef8096d6ef939a1822f72840e749fc8311b2b13ae94df5f786862a56b)

Linux riscv64 (checksum / 957391d0710d72678acd09959b5dc77888cd007a78a4b99944d3b2fc7e1895ca)

Windows amd64 (checksum / 24e8e5b71bab4ee17e6f989931ecf4fb144f9916cbe9990c0b6b2ec7b925c454)

Windows arm64 (checksum / 7c940a73a6882f50b69aec3282549da4a49917669db18fc503db930fb74b9789)

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026

4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

fix: Chart dot-name path bug 8fb76d6ab555577e98e23b7500009537a471feee (George Jenkins)

fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 3a8927e275c50cecde273872dad2a5576bd46375 (Terry Howe)

Commits

8fb76d6 fix: Chart dot-name path bug
3a8927e fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow
See full diff in compare view

Updates github.com/distribution/distribution/v3 from 3.0.0 to 3.1.0

Release notes

Sourced from github.com/distribution/distribution/v3's releases.

v3.1.0

Welcome to the v3.1.0 release of registry!

This is a stable release

Please try out the release binaries and report any issues at https://github.com/distribution/distribution/issues.

Notable Changes

Fixes CVE-2026-35172

Fixes CVE-2026-33540

Adds support for tag pagination (#4360, #4353)

Fixes default credentials in Azure storage provider (#4619)

Drops support for go1.23 and go1.24 and updates to go1.25

See the full changelog below for the full list of changes.

What's Changed

docs: Update to refer to new image tag v3 by @schanzel in distribution/distribution#4373

Fix default_credentials in azure storage provider by @switchboardOp in distribution/distribution#4619

chore: make function comment match function name by @closeobserve in distribution/distribution#4622

build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group across 1 directory by @dependabot[bot] in distribution/distribution#4625

fix: implement JWK thumbprint for Ed25519 public keys by @zhangyoufu in distribution/distribution#4626

fix: Annotate code block from validation.indexes configuration docs by @anzoman in distribution/distribution#4629

feat: extract redis config to separate struct by @shanduur in distribution/distribution#4620

Fix: resolve issue #4478 by using a temporary file for non-append writes by @onporat in distribution/distribution#4624

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in distribution/distribution#4645

docs: Add note about OTEL_TRACES_EXPORTER by @jcpunk in distribution/distribution#4669

fix: set OTEL traces to disabled by default by @jcpunk in distribution/distribution#4671

Fix markdown syntax for OTEL traces link in docs by @shantanoo-desai in distribution/distribution#4676

Switch UUIDs to UUIDv7 by @binaryfire in distribution/distribution#4666

refactor: replace map iteration with maps.Copy/Clone by @whosehang in distribution/distribution#4632

s3-aws: fix build for 386 by @ChenQi1989 in distribution/distribution#4642

docs: Add OpenTelemetry links to quickstart docs (#4270) by @dpw13 in distribution/distribution#4640

Fix S3 driver loglevel param by @milosgajdos in distribution/distribution#4617

Fixed data race in TestSchedule test by @horoshev in distribution/distribution#4647

Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of ecdsa keys by @gpgenaiz in distribution/distribution#4684

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in distribution/distribution#4687

Fix broken link to Docker Hub fair use policy by @Klikini in distribution/distribution#4688

fix(registry/handlers/app): redis CAs by @ChandonPierre in distribution/distribution#4668

build(deps): bump actions/labeler from 5 to 6 by @dependabot[bot] in distribution/distribution#4694

build(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in distribution/distribution#4693

build(deps): bump actions/upload-pages-artifact from 3 to 4 by @dependabot[bot] in distribution/distribution#4691

build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in distribution/distribution#4706

build(deps): bump github/codeql-action from 3.26.5 to 4.30.7 by @dependabot[bot] in distribution/distribution#4710

build(deps): bump github/codeql-action from 4.30.7 to 4.30.8 by @dependabot[bot] in distribution/distribution#4714

chore: labeler: add area/client mapping for internal/client/** by @artem-tkachuk in distribution/distribution#4716

client: add Accept headers to Exists() HEAD by @artem-tkachuk in distribution/distribution#4715

feat(registry): Make graceful shutdown test robust by @Sumedhvats in distribution/distribution#4720

... (truncated)

Commits

708f8d6 chore(ci): Prep for v3.1 release (#4841)
b1d5dbc chore(ci): Prep for v3.1 release
078b078 Merge commit from fork
cccd0d4 fix(vendor): fix broke vendor validation (#4839)
49447e8 fix(vendor): fix broke vendpor validation
cc5d5fa Merge commit from fork
4cfa178 build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0 (#4834)
c4bac3b build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0 (#4836)
2f2ce9f Opt: refactor tag list pagination support (#4353)
6a02a0e Opt: refactor tag list pagination support
Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

0e59876 Merge commit from fork
ddffdbc Bump actions/checkout from 5 to 6 (#213)
See full diff in compare view

Updates github.com/hashicorp/go-getter from 1.8.5 to 1.8.6

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.8.6

No release notes provided.

Commits

d23bff4 Merge pull request #608 from hashicorp/dependabot/go_modules/go-security-9c51...
2c4aba8 Merge pull request #613 from hashicorp/pull/v1.8.6
fe61ed9 Merge pull request #611 from hashicorp/SECVULN-41053
d533656 Merge pull request #606 from hashicorp/pull/CRT
388f23d Additional test for local branch and head
b7ceaa5 harden checkout ref handling and added regression tests
769cc14 Release version bump up
6086a6a Review Comments Addressed
e02063c Revert "SECVULN Fix for git checkout argument injection enables arbitrary fil...
c93084d [chore] : Bump google.golang.org/grpc
Additional commits viewable in compare view

Updates go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0

Changelog

Sourced from go.opentelemetry.io/otel/sdk's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)

Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)

Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)

Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)

Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)

Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)

Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)

Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)

Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)

Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)

WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)

Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

Commits

9276201 Release v1.43.0 / v0.65.0 / v0.19.0 (#8128)
61b8c94 chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (#8131)
97a086e chore(deps): update github.com/golangci/dupl digest to c99c5cf (#8122)
5e363de limit response body size for OTLP HTTP exporters (#8108)
35214b6 Use an absolute path when calling bsd kenv (#8113)
290024c fix(deps): update module google.golang.org/grpc to v1.80.0 (#8121)
e70658e fix: support getBody in otelploghttp (#8096)
4afe468 fix(deps): update googleapis to 9d38bb4 (#8117)
b9ca729 chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (#8115)
69472ec chore(deps): update fossas/fossa-action action to v1.9.0 (#8118)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the go_modules group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.16.5` | `5.17.1` | | [helm.sh/helm/v3](https://github.com/helm/helm) | `3.20.1` | `3.20.2` | | [github.com/distribution/distribution/v3](https://github.com/distribution/distribution) | `3.0.0` | `3.1.0` | | [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) | `1.8.5` | `1.8.6` | | [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) | `1.42.0` | `1.43.0` | Updates `github.com/go-git/go-git/v5` from 5.16.5 to 5.17.1 - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.16.5...v5.17.1) Updates `helm.sh/helm/v3` from 3.20.1 to 3.20.2 - [Release notes](https://github.com/helm/helm/releases) - [Commits](helm/helm@v3.20.1...v3.20.2) Updates `github.com/distribution/distribution/v3` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/distribution/distribution/releases) - [Commits](distribution/distribution@v3.0.0...v3.1.0) Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4 - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](go-jose/go-jose@v4.1.3...v4.1.4) Updates `github.com/hashicorp/go-getter` from 1.8.5 to 1.8.6 - [Release notes](https://github.com/hashicorp/go-getter/releases) - [Commits](hashicorp/go-getter@v1.8.5...v1.8.6) Updates `go.opentelemetry.io/otel/sdk` from 1.42.0 to 1.43.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.42.0...v1.43.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.17.1 dependency-type: direct:production dependency-group: go_modules - dependency-name: helm.sh/helm/v3 dependency-version: 3.20.2 dependency-type: direct:production dependency-group: go_modules - dependency-name: github.com/distribution/distribution/v3 dependency-version: 3.1.0 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.4 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/hashicorp/go-getter dependency-version: 1.8.6 dependency-type: indirect dependency-group: go_modules - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.43.0 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 10, 2026

dependabot bot mentioned this pull request Apr 10, 2026

build(deps): bump the go_modules group across 1 directory with 4 updates #689

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the go_modules group across 1 directory with 6 updates#690

build(deps): bump the go_modules group across 1 directory with 6 updates#690
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/go_modules-2d9a1c5fe6

dependabot bot commented on behalf of github Apr 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Apr 10, 2026

v5.17.1

What's Changed

v5.17.0

What's Changed

Helm v3.20.2

v3.20.2

Security fixes

Installation and Upgrading

What's Next

Changelog

v3.1.0

Notable Changes

What's Changed

v4.1.4

What's Changed

v1.8.6

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

Changed

Deprecated

Fixed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants