
Upgrade: Bump github.com/zclconf/go-cty from 1.15.0 to 1.16.2 #254

Merged: santoshkal merged 1 commit into pre-main from dependabot/go_modules/pre-main/github.com/zclconf/go-cty-1.16.2 on Jan 27, 2025

@dependabot (bot) commented on behalf of github on Jan 27, 2025

Bumps github.com/zclconf/go-cty from 1.15.0 to 1.16.2.

Release notes

Sourced from github.com/zclconf/go-cty's releases.

v1.16.0

  • convert: When converting between two different capsule types, will now try to use the "conversion from" implementation from the target type if the source type doesn't have a suitable "conversion to" implementation. (#194)
  • convert: When converting to a map whose element type is an object type with optional attributes, will no longer construct a broken result when a final map is empty. (#198)

Changelog

Sourced from github.com/zclconf/go-cty's changelog.

1.16.2 (January 21, 2025)

  • json: ImpliedType now returns an error if a JSON object contains two properties of the same name. As a compatibility concession it allows duplicates whose values have the same implied type, since it was unintentionally possible to combine ImpliedType and Unmarshal successfully in that case before, but this is not an endorsement of using duplicate property names since that makes the input ambiguous in any case. (#199)
  • function/stdlib: ElementFunc no longer crashes when asked for a negative index into a tuple. This fixes a miss in the negative index support added back in v1.15.0. (#200)

1.16.1 (January 13, 2025)

  • cty: Value.HasElement now treats unknown set elements consistently with how much of the rest of cty treats them.
  • function/stdlib: FormatFunc and FormatListFunc now handle unknown and null values of unknown type as arguments, rather than letting the function system's short-circuit behavior take care of it. This allows cty.DynamicVal and cty.NullVal(cty.DynamicPseudoType) to be treated consistently with other values, returning results consistent with the documented behavior, rather than forcing the function to immediately return cty.DynamicVal.

1.16.0 (January 3, 2025)

  • convert: When converting between two different capsule types, will now try to use the "conversion from" implementation from the target type if the source type doesn't have a suitable "conversion to" implementation. (#194)
  • convert: When converting to a map whose element type is an object type with optional attributes, will no longer construct a broken result when a final map is empty. (#198)

1.15.1 (November 26, 2024)

  • function: Function calls can now return more mark-related information when called with unknown values when neither AllowMarks nor AllowUnknown are set for a particular parameter. (#196)

Commits

  • 51a6901 v1.16.2 release
  • 1c48de3 json: ImpliedType rejects duplicate property names of different types
  • d13b46e function/stdlib: ElementFunc handles negative index into tuple
  • 0ed0ebb Prepare for future v1.16.2 release
  • b319524 v1.16.1 release
  • e41d261 cty: Fix various Value.HasElement quirks, and add tests
  • 8920baa function/stdlib: FormatFunc and FormatListFunc can handle DynamicPseudoType
  • 6edebd2 Prepare for v1.16.1 development
  • 6e06def v1.16.0 release
  • 9dc31e2 Update CHANGELOG.md
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
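
The 1.16.2 changelog entry for `json: ImpliedType` above describes a rule for duplicate JSON property names: reject them when the values imply different types, tolerate them when the types match. The following is an added example, not code from go-cty or from this pull request; it sketches that rule with only the standard `encoding/json` token stream, and the names `impliedType` and `ImpliedTypeOf`, the use of Go type names as stand-ins for cty types, and the sample input are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// impliedType consumes one JSON value from dec and returns a type signature.
func impliedType(dec *json.Decoder) (string, error) {
	tok, err := dec.Token()
	open, ok := tok.(json.Delim)
	if err != nil || !ok {
		return fmt.Sprintf("%T", tok), err // scalar type name, or the read error
	}
	var elems []string           // element types, used when open == '['
	attrs := map[string]string{} // property name -> type, used when open == '{'
	for dec.More() {
		name := ""
		if open == '{' {
			key, err := dec.Token()
			if err != nil {
				return "", err
			}
			name = key.(string) // inside an object, Token yields keys as strings
		}
		t, err := impliedType(dec)
		if err != nil {
			return "", err
		}
		if prev, dup := attrs[name]; dup && open == '{' && prev != t {
			return "", fmt.Errorf("duplicate property %q: %s and then %s", name, prev, t)
		}
		attrs[name] = t // a same-typed duplicate is tolerated but stays ambiguous
		elems = append(elems, t)
	}
	_, err = dec.Token() // consume the matching ']' or '}'
	if open == '[' {
		return fmt.Sprintf("%q", elems), err
	}
	return fmt.Sprintf("%q", attrs), err // fmt prints map keys in sorted order
}

// ImpliedTypeOf parses one JSON document; main runs it on a constructed input.
func ImpliedTypeOf(src string) (string, error) {
	return impliedType(json.NewDecoder(strings.NewReader(src)))
}

func main() { fmt.Println(ImpliedTypeOf(`{"port": 8080, "port": "8080"}`)) }
```

Go's own `json.Unmarshal` accepts the constructed input without complaint, so a check like this has to run on the token stream before the document is decoded.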

Bumps [github.com/zclconf/go-cty](https://github.com/zclconf/go-cty) from 1.15.0 to 1.16.2.
- [Release notes](https://github.com/zclconf/go-cty/releases)
- [Changelog](https://github.com/zclconf/go-cty/blob/main/CHANGELOG.md)
- [Commits](zclconf/go-cty@v1.15.0...v1.16.2)

---
updated-dependencies:
- dependency-name: github.com/zclconf/go-cty
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot (bot) added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels on Jan 27, 2025

@dryrunsecurity

DryRun Security Summary

The pull request updates the github.com/zclconf/go-cty dependency from v1.15.0 to v1.16.2 in the go.mod and go.sum files, which appears to be a routine dependency update with no significant security concerns.

Summary:

The code changes in this pull request update the version of the github.com/zclconf/go-cty dependency from v1.15.0 to v1.16.2 in both the go.mod and go.sum files. This type of dependency update is a common practice in software development and is generally not a cause for significant security concern, as it is likely to include bug fixes, security patches, and feature improvements.

However, as an application security engineer, it is important to review the changelog or release notes of the updated dependency to ensure that there are no known security vulnerabilities or breaking changes that could impact the application. In this case, the github.com/zclconf/go-cty library is a Go language library for working with the Cty data type system, which is used in the Terraform project, and the version update does not appear to introduce any major security concerns based on the available information.

Files Changed:

  1. go.mod: The go.mod file has been updated to use version v1.16.2 of the github.com/zclconf/go-cty dependency, instead of the previous version v1.15.0.

  2. go.sum: The go.sum file has been updated to reflect the change in the github.com/zclconf/go-cty dependency version.

Overall, this code change appears to be a routine dependency update, which is a common practice in software development. As long as the project's tests pass and there are no known security issues with the updated dependency, this change can be considered safe to merge.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Sensitive Files Analyzer, 2 findings

View PR in the DryRun Dashboard.

@santoshkal santoshkal merged commit 2b634b5 into pre-main Jan 27, 2025
@santoshkal santoshkal deleted the dependabot/go_modules/pre-main/github.com/zclconf/go-cty-1.16.2 branch January 27, 2025 06:40