Bump the root-deps group with 8 updates

[dependabot]

Bumps the root-deps group with 8 updates:

Package	From	To
github.com/containerd/stargz-snapshotter/estargz	0.16.3	0.18.1
github.com/docker/cli	28.2.2+incompatible	29.0.0+incompatible
github.com/docker/docker	28.2.2+incompatible	28.5.2+incompatible
github.com/klauspost/compress	1.18.0	1.18.1
github.com/spf13/cobra	1.9.1	1.10.1
golang.org/x/oauth2	0.30.0	0.33.0
golang.org/x/sync	0.15.0	0.17.0
golang.org/x/tools	0.34.0	0.38.0

Updates github.com/containerd/stargz-snapshotter/estargz from 0.16.3 to 0.18.1

Release notes

Sourced from github.com/containerd/stargz-snapshotter/estargz's releases.

v0.18.1

Notable Changes

• Avoid repeated decompression and further utilize the --GH option to speed up conversion (#2145), thanks to @​escapefreeg
• Improved sortEntries performance (#2153), thanks to @​wswsmao

v0.18.0

Notable Changes

• Fixed restoring error of snapshots on unexpected restart of stargz snapshotter (#2091, #2092), thanks to @​wswsmao
• Added FadvDontNeed option to reduce pagecache consumption in stargz snapshotter (#2095), thanks to @​wswsmao
• Removed testing dependency from code outside tests (#2098), thanks to @​rosstimothy
• Added all option for the ctr-remote's --gpus flag (#2102, #2118), thanks to @​wswsmao
• Added --prefetch-list flag to ctr-remote (#2113, #2148), thanks to @​wswsmao
• Enabled deduplication in ImageRecorder.Record (#2116), thanks to @​wswsmao
• Fixed potential data race in nativeconverter/estargz (#2133), thanks to @​escapefreeg
• Added support of decompression helpers in ctr-remote for better conversion speed (#2117), thanks to @​escapefreeg
• Improved logging behaviour in fusemanager (#2135), thanks to @​mmonaco
• Fixed to preserve normal snapshots during cleanup in stargz snapshotter (#2127), thanks to @​ChengyuZhu6
• Fixed lazy pulling failure on images with empty layers (#2137)
• Fixed stargz snapshotter to run without depending on fusermount by default (#2146)
• Enabled ctr-remote to capture early file access (#2129), thanks to @​wswsmao
• Refactors and document fixes (#2112, #2150), thanks to @​wswsmao

v0.17.0

Notable Changes

• New features
  • Added support for FUSE passthourgh (#1868, #1870, #1874, #1876, #1881, #1923, #1987, #2012, #2045, #2068), thanks to @​wswsmao
  • Added support for detaching FUSE server as a separated processs (FUSE manager), thanks to @​wswsmao (#1892, #1912, #1905) and @​ilyee (#1892)
  • Expanded support for graceful restarting of Stargz Snapshotter (#2077)
  • Added arm64 KIND node image (ghcr.io/containerd/stargz-snapshotter:0.17.0-kind) (#1983)
• Fixes and changes
  • Set maximum filename length to 255 bytes (#2024), thanks to @​wswsmao
  • Fixed EOPNOTSUPP issue on getdents64 (#2063), thanks to @​wswsmao
  • Fixed TTLCache failed to release resources on exit (#2076)
  • Fixed the configuration and docs to prevent GC failures in CRI plugin (#1893)
  • Refactored blob manipulation logic to make it more modular (#1955), thanks to @​ChengyuZhu6
  • Fix zstd:chunked converter error on duplicated blobs (#1885), thanks to @​apostasie
• Document updates
  • Added docs about how to use Stargz Snapshotter on Lima (#1967)
  • Added docs about how to use Stargz Snapshotter with Transfer Service (#2084)
  • Improved legibility in docs/overview.md (#2061), thanks to @​soulshake
• CI updates
  • Added tests for wider configrations (FUSE passthrough and FUSE manager) (#2074, #2083, #1914)
  • Fixed dependabot's configuration to avoid CI failures in gomod PRs (#1920, #1941), thanks to @​djdongjin
  • Bump up containerd/project-checks to v1.2.2 (#2004), thanks to @​wswsmao
• Dependencies

... (truncated)

Commits

• 60de78b Merge pull request #2167 from ktock/prepare-v0.18.1
• d676264 Prepare for v0.18.1
• b53f30b Merge pull request #2164 from containerd/dependabot/go_modules/gomod-30043e7df9
• 9f66f8d Merge pull request #2165 from AkihiroSuda/containerd-2.1.5
• 7a0b484 Dockerfile: update runc (1.3.3)
• abedc76 Dockerfile: update containerd (2.1.5)
• 0caa3c2 go.mod: github.com/containerd/containerd/v2 v2.1.5
• 1274e2a build(deps): bump github.com/docker/cli
• dca1521 Merge pull request #2162 from ktock/golangci-lint-2.6
• 7c03a01 Fix golangci-lint "misspell" error
• Additional commits viewable in compare view

Updates github.com/docker/cli from 28.2.2+incompatible to 29.0.0+incompatible

Commits

• 3d4129b Merge pull request #6644 from thaJeztah/connhelper_nowarn
• d787e70 cli/connhelper/commandcon: remove warn logs
• e730f6f Merge pull request #6643 from thaJeztah/bump_modules2
• 6ac3f93 Merge pull request #6578 from thaJeztah/bump_otel_semconv
• ebc1995 vendor: github.com/moby/moby/api v1.52.0, moby/client v0.1.0
• 31d1a59 Merge pull request #6642 from vvoland/swarm-compose-work
• ad96811 swarm: Add memory swap support (no stack/compose support)
• 6ba06b5 Revert "cli/compose: add schema 3.14 (no changes from 3.13 yet)"
• e0716b5 Revert "Add memory swap to swarm"
• 179efae Merge pull request #6641 from thaJeztah/bump_modules
• Additional commits viewable in compare view

Updates github.com/docker/docker from 28.2.2+incompatible to 28.5.2+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.5.2

28.5.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.5.2 milestone
• moby/moby, 28.5.2 milestone

[!CAUTION] This release contains fixes for three high-severity security vulnerabilities in runc:

• CVE-2025-31133
• CVE-2025-52565
• CVE-2025-52881

All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Packaging updates

• Update runc to v1.3.3. moby/moby#51394

Bug fixes and enhancements

• dockerd-rootless.sh: if slirp4netns is not installed, try using pasta (passt). moby/moby#51162
• Update Go runtime to 1.24.9. moby/moby#51387, docker/cli#6613

Deprecations

• Go-SDK: cli/command/image/build: deprecate DefaultDockerfileName, DetectArchiveReader, WriteTempDockerfile, ResolveAndValidateContextPath. These utilities were only used internally and will be removed in the next release. docker/cli#6610
• Go-SDK: cli/command/image/build: deprecate IsArchive utility. docker/cli#6560
• Go-SDK: opts: deprecate ValidateMACAddress. docker/cli#6560
• Go-SDK: opts: deprecate ListOpts.Delete(). docker/cli#6560

v28.5.1

28.5.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.5.1 milestone
• moby/moby, 28.5.1 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Update BuildKit to v0.25.1. moby/moby#51137
• Update Go runtime to 1.24.8. moby/moby#51133, docker/cli#6541

Deprecations

• api/types/image: InspectResponse: deprecate Parent and DockerVersion fields. moby/moby#51105
• api/types/plugin: deprecate Config.DockerVersion field. moby/moby#51110

... (truncated)

Commits

• 89c5e8f Merge pull request #51396 from thaJeztah/28.x_backport_api_docs
• 9b93878 Merge pull request #51395 from thaJeztah/28.x_backport_rootless_reject
• 6178456 Merge pull request #51398 from vvoland/51397-28.x
• 0cae4e5 vendor: github.com/moby/buildkit v0.25.2
• 33cc06f Merge pull request #51394 from vvoland/51393-28.x
• d525277 api/docs: remove BuildCache.Parent field for API v1.42 and up
• 2fbc51b dockerd-rootless.sh: reject DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host
• bd98008 integration-cli: Adjust nofile limits
• 1967515 Dockerfile: update runc binary to v1.3.3
• 4489660 Merge pull request #51387 from thaJeztah/28.x_bump_go
• Additional commits viewable in compare view

Updates github.com/klauspost/compress from 1.18.0 to 1.18.1

Release notes

Sourced from github.com/klauspost/compress's releases.

v1.18.1

What's Changed

• zstd: Fix incorrect buffer size in dictionary encodes by @​klauspost in klauspost/compress#1059
• s2: check for cap, not len of buffer in EncodeBetter/Best by @​vdarulis in klauspost/compress#1080
• zstd: Add simple zstd EncodeTo/DecodeTo functions by @​klauspost in klauspost/compress#1079
• zlib: Avoiding extra allocation in zlib.reader.Reset by @​travelpolicy in klauspost/compress#1086
• gzhttp: remove redundant err check in zstdReader by @​ryanfowler in klauspost/compress#1090
• Run modernize. Deprecate Go 1.22 by @​klauspost in klauspost/compress#1095
• flate: Simplify matchlen by @​klauspost in klauspost/compress#1101
• flate: Add examples by @​klauspost in klauspost/compress#1102
• flate: Use exact sizes for huffman tables by @​klauspost in klauspost/compress#1103
• flate: Faster load+store by @​klauspost in klauspost/compress#1104
• Add notice to S2 about MinLZ by @​klauspost in klauspost/compress#1065

New Contributors

• @​wooffie made their first contribution in klauspost/compress#1069
• @​vdarulis made their first contribution in klauspost/compress#1080
• @​travelpolicy made their first contribution in klauspost/compress#1086
• @​ryanfowler made their first contribution in klauspost/compress#1090

Full Changelog: klauspost/compress@v1.18.0...v1.18.1

Commits

• d10b525 build(deps): bump the github-actions group with 2 updates (#1105)
• 3c0d308 flate: Faster load+st0re (#1104)
• 6e2f5d5 flate: Use exact sizes for huffman tables (#1103)
• bda824b flate: Add examples (#1102)
• f44517c flate: Simplify matchlen (#1101)
• 54cb7a5 build(deps): bump the github-actions group with 3 updates (#1096)
• c43fcbb Run modernize. Deprecate Go 1.22 (#1095)
• 86a9489 gzhttp: remove redundant err check in zstdReader (#1090)
• ad4a030 build(deps): bump github/codeql-action in the github-actions group (#1087)
• 1a8c0e4 Avoiding extra allocation in Reset (#1086)
• Additional commits viewable in compare view

Updates github.com/spf13/cobra from 1.9.1 to 1.10.1

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.10.1

🐛 Fix

• chore: upgrade pflags v1.0.9 by @​jpmcb in spf13/cobra#2305

v1.0.9 of pflags brought back ParseErrorsWhitelist and marked it as deprecated

Full Changelog: spf13/cobra@v1.10.0...v1.10.1

v1.10.0

What's Changed

🚨 Attention!

• Bump pflag to 1.0.8 by @​tomasaschan in spf13/cobra#2303

This version of pflag carried a breaking change: it renamed ParseErrorsWhitelist to ParseErrorsAllowlist which can break builds if both pflag and cobra are dependencies in your project.

• If you use both pflag and cobra, upgrade pflagto 1.0.8 andcobrato1.10.0`
• or use the newer, fixed version of pflag v1.0.9 which keeps the deprecated ParseErrorsWhitelist

More details can be found here: spf13/cobra#2303

✨ Features

• Flow context to command in SetHelpFunc by @​Frassle in spf13/cobra#2241
• The default ShellCompDirective can be customized for a command and its subcommands by @​albers in spf13/cobra#2238

🐛 Fix

• Upgrade golangci-lint to v2, address findings by @​scop in spf13/cobra#2279

🪠 Testing

• Test with Go 1.24 by @​harryzcy in spf13/cobra#2236
• chore: Rm GitHub Action PR size labeler by @​jpmcb in spf13/cobra#2256

📝 Docs

• Remove traling curlybrace by @​yedayak in spf13/cobra#2237
• Update command.go by @​styee in spf13/cobra#2248
• feat: Add security policy by @​jpmcb in spf13/cobra#2253
• Update Readme (Warp) by @​ericdachen in spf13/cobra#2267
• Add Periscope to the list of projects using Cobra by @​anishathalye in spf13/cobra#2299

New Contributors

• @​harryzcy made their first contribution in spf13/cobra#2236
• @​yedayak made their first contribution in spf13/cobra#2237
• @​Frassle made their first contribution in spf13/cobra#2241

... (truncated)

Commits

• 7da941c chore: Bump pflag to v1.0.9 (#2305)
• 51d6751 Bump pflag to 1.0.8 (#2303)
• 3f3b818 Update README.md with new logo
• dcaf42e Add Periscope to the list of projects using Cobra (#2299)
• 6dec1ae The default ShellCompDirective can be customized for a command and its subcom...
• c8289c1 chore(golangci-lint): add some exclusion presets
• 4af7b64 refactor: apply golangci-lint autofixes, work around false positives
• 75790e4 chore(golangci-lint): upgrade to v2
• db3ddb5 Adding sponsorship to README.md
• 67171d6 putting sponsorship below header
• Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.30.0 to 0.33.0

Commits

• f28b0b5 all: fix some comments
• fd15e0f x/oauth2: populate RetrieveError from DeviceAuth
• 792c877 oauth2: use strings.Builder instead of bytes.Buffer
• 014cf77 all: upgrade go directive to at least 1.24.0 [generated]
• 3c76ce5 endpoints: correct Naver OAuth2 endpoint URLs
• See full diff in compare view

Updates golang.org/x/sync from 0.15.0 to 0.17.0

Commits

• 04914c2 all: upgrade go directive to at least 1.24.0 [generated]
• 7fad2c9 errgroup: revert propagation of panics
• See full diff in compare view

Updates golang.org/x/tools from 0.34.0 to 0.38.0

Commits

• a22b5e8 go.mod: update golang.org/x dependencies
• 4bbcc9f all: use reflect.TypeFor instead of reflect.TypeOf when we have known the type
• 122c93a internal/refactor: AddImport: remove unnecessary result
• 76aace8 internal/analysisinternal: rationalize
• 8cf2d63 gopls/internal/golang: add condition for enabling package move
• 1f054fd x/tools: downgrade token.FileSet parameters to token.File
• 44e71e5 go/analysis/passes/printf: check anonymous functions too
• 9095e9b internal/analysisinternal: extract DeleteVar
• 62a1b26 internal/analysisinternal: IsChildOf(Cursor, edge.Kind) bool
• d32fb50 internal/analysisinternal: export EnclosingFile
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[Subserial]

@dependabot rebase

[Subserial]

The linter fails from a deprecation. The presubmit fails from a missing "go mod tidy", which seems to be an oversight in dependabot: dependabot/dependabot-core#11046. I'll open a PR with both the deprecation and the tidy fix.