chore(deps): update sigstore (9.4) #4467

Merged

elastic-renovate-prod[bot] merged 1 commit into 9.4 from renovate/9.4-sigstore on Apr 16, 2026

@elastic-renovate-prod
Contributor

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/sigstore/cosign/v2 | indirect | patch | v2.6.2 -> v2.6.3 |
| github.com/sigstore/protobuf-specs | indirect | patch | v0.5.0 -> v0.5.1 |
| github.com/sigstore/rekor | indirect | patch | v1.5.0 -> v1.5.1 |
| github.com/sigstore/rekor-tiles/v2 | indirect | minor | v2.0.1 -> v2.2.1 |
| github.com/sigstore/sigstore | indirect | patch | v1.10.4 -> v1.10.5 |
| github.com/sigstore/timestamp-authority/v2 | indirect | patch | v2.0.3 -> v2.0.6 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.6.3

Compare Source

Changelog

v2.6.3 resolves GHSA-w6c6-c85g-mmv6.

Thanks to all contributors!

sigstore/protobuf-specs (github.com/sigstore/protobuf-specs)

v0.5.1

Compare Source

  • Add ML-DSA-44 algorithm identifier (#860)

sigstore/rekor (github.com/sigstore/rekor)

v1.5.1

Compare Source

Features

  • optimize memory for DSSE v0.0.1 processing (#2766)

Bug Fixes

  • Type assert the entry bundle when verifying inclusion proof (#2755)
  • return correct errors in rare failure situations (#2753)
  • raise error if decoding hash fails during inclusion proof (#2754)

sigstore/rekor-tiles (github.com/sigstore/rekor-tiles/v2)

v2.2.1

Compare Source

What's Changed

This release includes a fix to prevent large leaf entries from corrupting the log. We recommend updating ASAP.

Full Changelog: sigstore/rekor-tiles@v2.2.0...v2.2.1

v2.2.0

Compare Source

What's Changed

This release adds support for logs deployed on AWS and an alternative storage backend for GCP that uses CloudSQL for sequencing entries rather than Spanner.

Full Changelog: sigstore/rekor-tiles@v2.1.0...v2.2.0

v2.1.0

Compare Source

What's Changed

Full Changelog: sigstore/rekor-tiles@v2.0.1...v2.1.0

sigstore/sigstore (github.com/sigstore/sigstore)

v1.10.5

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.10.4...v1.10.5

sigstore/timestamp-authority (github.com/sigstore/timestamp-authority/v2)

v2.0.6

Compare Source

What's Changed

Full Changelog: sigstore/timestamp-authority@v2.0.5...v2.0.6

v2.0.5

Compare Source

This release updates the chi middleware to resolve a panic.

Bug Fixes

  • Upgrade chi middleware v4 -> v5 (#1307)

Docs

  • Update the semantics of the NTP monitoring so it's clear in the README (#1276)
  • docs: note that CRL/OCSP checks are not performed (#1277)

Misc

  • Increase default HTTP idle timeout (#1287)

v2.0.4

Compare Source

Only contains dependency updates, but fixes #1252 due to breaking API change in sigstore/sigstore


Configuration

📅 Schedule: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@elastic-renovate-prod elastic-renovate-prod Bot requested a review from a team as a code owner April 16, 2026 15:18
@elastic-renovate-prod elastic-renovate-prod Bot added the backport-skip, dependencies (Pull requests that update a dependency file), renovate, renovate-auto-approve and Team:Security-Cloud Services (Security Data Experience - Cloud Services team.) labels Apr 16, 2026
@elastic-renovate-prod elastic-renovate-prod Bot enabled auto-merge (squash) April 16, 2026 15:18
@elastic-renovate-prod
Contributor Author

elastic-renovate-prod Bot commented Apr 16, 2026

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 12 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/googleapis/gax-go/v2 | v2.17.0 -> v2.19.0 |
| go.opentelemetry.io/contrib/detectors/gcp | v1.39.0 -> v1.40.0 |
| google.golang.org/api | v0.269.0 -> v0.272.0 |
| github.com/letsencrypt/boulder | v0.20251110.0 -> v0.20260223.0 |
| golang.org/x/tools | v0.42.0 -> v0.43.0 |
| golang.org/x/crypto | v0.49.0 -> v0.50.0 |
| golang.org/x/mod | v0.33.0 -> v0.34.0 |
| golang.org/x/net | v0.52.0 -> v0.53.0 |
| golang.org/x/sys | v0.42.0 -> v0.43.0 |
| golang.org/x/term | v0.41.0 -> v0.42.0 |
| golang.org/x/text | v0.35.0 -> v0.36.0 |
| golang.org/x/time | v0.14.0 -> v0.15.0 |

@mergify mergify Bot added the queued label Apr 16, 2026
@mergify
Contributor

mergify Bot commented Apr 16, 2026

Merge Queue Status

  • Entered queue: 2026-04-16 19:51 UTC · Rule: default
  • 🚫 Left the queue: 2026-04-16 20:33 UTC · at e53998de708783c608c230d7488b2f19d6f0a8c3

This pull request spent 41 minutes 50 seconds in the queue, with no time running CI.

Reason

The pull request conflicts with pull requests ahead in queue: #4459, #4460, #4461, #4466

Hint

There is nothing you can do for now. If the pull request ahead in the queue is merged, this pull request will become conflicting and you'll have to update it.
If the pull request ahead is not merged, you can requeue this pull request with a @mergifyio queue comment.

@mergify mergify Bot added dequeued and removed queued labels Apr 16, 2026
@mergify
Contributor

mergify Bot commented Apr 16, 2026

This pull request is now in conflict. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b renovate/9.4-sigstore upstream/renovate/9.4-sigstore
git merge upstream/9.4
git push upstream renovate/9.4-sigstore

@mergify mergify Bot removed the dequeued label Apr 16, 2026
@elastic-renovate-prod elastic-renovate-prod Bot merged commit a92da6b into 9.4 Apr 16, 2026
11 of 12 checks passed
@elastic-renovate-prod elastic-renovate-prod Bot deleted the renovate/9.4-sigstore branch April 16, 2026 23:19