diff --git a/.bingo/Variables.mk b/.bingo/Variables.mk
index bb7a73d3b..280913c46 100644
--- a/.bingo/Variables.mk
+++ b/.bingo/Variables.mk
@@ -41,6 +41,12 @@ $(CRD_REF_DOCS): $(BINGO_DIR)/crd-ref-docs.mod
 	@echo "(re)installing $(GOBIN)/crd-ref-docs-v0.1.0"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=crd-ref-docs.mod -o=$(GOBIN)/crd-ref-docs-v0.1.0 "github.com/elastic/crd-ref-docs"
 
+GOJQ := $(GOBIN)/gojq-v0.12.17
+$(GOJQ): $(BINGO_DIR)/gojq.mod
+	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
+	@echo "(re)installing $(GOBIN)/gojq-v0.12.17"
+	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=gojq.mod -o=$(GOBIN)/gojq-v0.12.17 "github.com/itchyny/gojq/cmd/gojq"
+
 GOLANGCI_LINT := $(GOBIN)/golangci-lint-v2.1.6
 $(GOLANGCI_LINT): $(BINGO_DIR)/golangci-lint.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
diff --git a/.bingo/gojq.mod b/.bingo/gojq.mod
new file mode 100644
index 000000000..004aae3b1
--- /dev/null
+++ b/.bingo/gojq.mod
@@ -0,0 +1,5 @@
+module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
+
+go 1.24.4
+
+require github.com/itchyny/gojq v0.12.17 // cmd/gojq
diff --git a/.bingo/gojq.sum b/.bingo/gojq.sum
new file mode 100644
index 000000000..e87b5b0e3
--- /dev/null
+++ b/.bingo/gojq.sum
@@ -0,0 +1,17 @@
+github.com/itchyny/gojq v0.12.17 h1:8av8eGduDb5+rvEdaOO+zQUjA04MS0m3Ps8HiD+fceg=
+github.com/itchyny/gojq v0.12.17/go.mod h1:WBrEMkgAfAGO1LUcGOckBl5O726KPp+OlkKug0I/FEY=
+github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q=
+github.com/itchyny/timefmt-go v0.1.6/go.mod h1:RRDZYC5s9ErkjQvTvvU7keJjxUYzIISJGxm9/mAERQg=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
+github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/.bingo/variables.env b/.bingo/variables.env
index b814c363e..b1e721562 100644
--- a/.bingo/variables.env
+++ b/.bingo/variables.env
@@ -16,6 +16,8 @@ CRD_DIFF="${GOBIN}/crd-diff-v0.2.0"
 
 CRD_REF_DOCS="${GOBIN}/crd-ref-docs-v0.1.0"
 
+GOJQ="${GOBIN}/gojq-v0.12.17"
+
 GOLANGCI_LINT="${GOBIN}/golangci-lint-v2.1.6"
 
 GORELEASER="${GOBIN}/goreleaser-v1.26.2"
diff --git a/Makefile b/Makefile
index 49d744828..08eb28630 100644
--- a/Makefile
+++ b/Makefile
@@ -178,7 +178,7 @@ generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyI
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
 .PHONY: verify
-verify: k8s-pin kind-verify-versions fmt generate manifests crd-ref-docs #HELP Verify all generated code is up-to-date. Runs k8s-pin instead of just tidy.
+verify: k8s-pin kind-verify-versions fmt generate manifests update-tls-profiles crd-ref-docs #HELP Verify all generated code is up-to-date. Runs k8s-pin instead of just tidy.
 	git diff --exit-code
 
 .PHONY: fix-lint
@@ -189,6 +189,10 @@ fix-lint: $(GOLANGCI_LINT) #EXHELP Fix lint issues
 fmt: #EXHELP Formats code
 	go fmt ./...
 
+.PHONY: update-tls-profiles
+update-tls-profiles: $(GOJQ) #EXHELP Update TLS profiles from the Mozilla wiki
+	env JQ=$(GOJQ) hack/tools/update-tls-profiles.sh
+
 .PHONY: verify-crd-compatibility
 CRD_DIFF_ORIGINAL_REF := git://main?path=
 CRD_DIFF_UPDATED_REF := file://
diff --git a/cmd/catalogd/main.go b/cmd/catalogd/main.go
index e5f1678a0..36f7b1675 100644
--- a/cmd/catalogd/main.go
+++ b/cmd/catalogd/main.go
@@ -64,6 +64,7 @@ import (
 	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
 	"github.com/operator-framework/operator-controller/internal/shared/util/pullsecretcache"
 	sautil "github.com/operator-framework/operator-controller/internal/shared/util/sa"
+	"github.com/operator-framework/operator-controller/internal/shared/util/tlsprofiles"
 	"github.com/operator-framework/operator-controller/internal/shared/version"
 )
 
@@ -142,6 +143,7 @@ func init() {
 	klog.InitFlags(flag.CommandLine)
 	flags.AddGoFlagSet(flag.CommandLine)
 	features.CatalogdFeatureGate.AddFlag(flags)
+	tlsprofiles.AddFlags(flags)
 
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(ocv1.AddToScheme(scheme))
@@ -216,12 +218,18 @@ func run(ctx context.Context) error {
 		// For details, see: https://github.com/kubernetes/kubernetes/issues/121197
 		config.NextProtos = []string{"http/1.1"}
 	}
+	tlsProfile, err := tlsprofiles.GetTLSConfigFunc()
+	if err != nil {
+		setupLog.Error(err, "failed to get TLS profile")
+		return err
+	}
 
 	// Create webhook server and configure TLS
 	webhookServer := crwebhook.NewServer(crwebhook.Options{
 		Port: cfg.webhookPort,
 		TLSOpts: []func(*tls.Config){
 			tlsOpts,
+			tlsProfile,
 		},
 	})
 
@@ -233,7 +241,7 @@ func run(ctx context.Context) error {
 		metricsServerOptions.SecureServing = true
 		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
 
-		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, tlsOpts)
+		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, tlsOpts, tlsProfile)
 	} else {
 		// Note that the metrics server is not serving if the BindAddress is set to "0".
 		// Therefore, the metrics server is disabled by default. It is only enabled
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
index b408d21a4..0ebce0f71 100644
--- a/cmd/operator-controller/main.go
+++ b/cmd/operator-controller/main.go
@@ -82,6 +82,7 @@ import (
 	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
 	"github.com/operator-framework/operator-controller/internal/shared/util/pullsecretcache"
 	sautil "github.com/operator-framework/operator-controller/internal/shared/util/sa"
+	"github.com/operator-framework/operator-controller/internal/shared/util/tlsprofiles"
 	"github.com/operator-framework/operator-controller/internal/shared/version"
 )
 
@@ -166,6 +167,9 @@ func init() {
 	//add feature gate flags to flagset
 	features.OperatorControllerFeatureGate.AddFlag(flags)
 
+	//add TLS flags
+	tlsprofiles.AddFlags(flags)
+
 	ctrl.SetLogger(klog.NewKlogr())
 }
 func validateMetricsFlags() error {
@@ -274,6 +278,12 @@ func run() error {
 			// the risks. More info https://github.com/golang/go/issues/63417
 			config.NextProtos = []string{"http/1.1"}
 		})
+		tlsProfile, err := tlsprofiles.GetTLSConfigFunc()
+		if err != nil {
+			setupLog.Error(err, "failed to get TLS profile")
+			return err
+		}
+		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, tlsProfile)
 	} else {
 		// Note that the metrics server is not serving if the BindAddress is set to "0".
 		// Therefore, the metrics server is disabled by default. It is only enabled
diff --git a/commitchecker.yaml b/commitchecker.yaml
index 7fde208e2..33a29d3f9 100644
--- a/commitchecker.yaml
+++ b/commitchecker.yaml
@@ -1,4 +1,4 @@
-expectedMergeBase: 35da385077935545a4eaadc338015e249a6df211
+expectedMergeBase: 6604f2a4e24ca0c4abce99389b1e5dbbe8d8dbfa
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller
diff --git a/go.mod b/go.mod
index 9d6b86680..7f9232fbc 100644
--- a/go.mod
+++ b/go.mod
@@ -20,10 +20,11 @@ require (
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/operator-framework/api v0.35.0
 	github.com/operator-framework/helm-operator-plugins v0.8.0
-	github.com/operator-framework/operator-registry v1.59.0
+	github.com/operator-framework/operator-registry v1.60.0
 	github.com/prometheus/client_golang v1.23.2
-	github.com/prometheus/common v0.66.1
+	github.com/prometheus/common v0.67.1
 	github.com/spf13/cobra v1.10.1
+	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
 	go.podman.io/image/v5 v5.37.0
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
@@ -199,7 +200,6 @@ require (
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/smallstep/pkcs7 v0.2.1 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
 	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
@@ -236,7 +236,7 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
 	google.golang.org/grpc v1.75.1 // indirect
-	google.golang.org/protobuf v1.36.9 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/go.sum b/go.sum
index dc835685c..88f13ce55 100644
--- a/go.sum
+++ b/go.sum
@@ -394,8 +394,8 @@ github.com/operator-framework/helm-operator-plugins v0.8.0 h1:0f6HOQC5likkf0b/Ov
 github.com/operator-framework/helm-operator-plugins v0.8.0/go.mod h1:Sc+8bE38xTCgCChBUvtq/PxatEg9fAypr7S5iAw8nlA=
 github.com/operator-framework/operator-lib v0.17.0 h1:cbz51wZ9+GpWR1ZYP4CSKSSBxDlWxmmnseaHVZZjZt4=
 github.com/operator-framework/operator-lib v0.17.0/go.mod h1:TGopBxIE8L6E/Cojzo26R3NFp1eNlqhQNmzqhOblaLw=
-github.com/operator-framework/operator-registry v1.59.0 h1:SQhT0qMTYJXqStNhBOYXmLAMpS3eszzbcXAg5NLgJu8=
-github.com/operator-framework/operator-registry v1.59.0/go.mod h1:QE1RRQGe+iau8sfY10DbP3+eoahH0G0l+coYrnEzJgI=
+github.com/operator-framework/operator-registry v1.60.0 h1:eUP14WThVTNx+/5hQR9Jyg0nxbf5cOg7hK/GgaOA5Tg=
+github.com/operator-framework/operator-registry v1.60.0/go.mod h1:PojPivJbKZgD9RG77JWxFpQRo3iCoUn6WR3aTiS6HBI=
 github.com/otiai10/copy v1.14.1 h1:5/7E6qsUMBaH5AnQ0sSLzzTg1oTECmcCmT6lvF45Na8=
 github.com/otiai10/copy v1.14.1/go.mod h1:oQwrEDDOci3IM8dJF0d8+jnbfPDllW6vUjNc3DoZm9I=
 github.com/otiai10/mint v1.6.3 h1:87qsV/aw1F5as1eH1zS/yqHY85ANKVMgkDrf9rcxbQs=
@@ -418,8 +418,8 @@ github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UH
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
-github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI=
+github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
 github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
 github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
 github.com/redis/go-redis/extra/rediscmd/v9 v9.10.0 h1:uTiEyEyfLhkw678n6EulHVto8AkcXVr8zUcBJNZ0ark=
@@ -727,8 +727,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
-google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/hack/tools/update-tls-profiles.sh b/hack/tools/update-tls-profiles.sh
new file mode 100755
index 000000000..8fa61c43e
--- /dev/null
+++ b/hack/tools/update-tls-profiles.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -z "${JQ}" ]; then
+    echo "JQ not defined"
+    exit 1
+fi
+
+OUTPUT=internal/shared/util/tlsprofiles/mozilla_data.go
+INPUT=https://ssl-config.mozilla.org/guidelines/latest.json
+
+TMPFILE="$(mktemp)"
+trap 'rm -rf "$TMPFILE"' EXIT
+
+curl -L -s ${INPUT} > ${TMPFILE}
+
+version=$(${JQ} -r '.version' ${TMPFILE})
+
+cat > ${OUTPUT} <<EOF
+package tlsprofiles
+
+// DO NOT EDIT, GENERATED BY ${0}
+// DATA SOURCE: ${INPUT}
+// DATA VERSION: ${version}
+
+import (
+"crypto/tls"
+)
+EOF
+
+function generate_profile {
+    cat >> ${OUTPUT} <<EOF
+
+var ${1}TLSProfile = tlsProfile{
+ciphers: cipherSlice{
+cipherNums: []uint16{
+EOF
+
+    ${JQ} -r ".configurations.$1.ciphersuites.[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
+    ${JQ} -r ".configurations.$1.ciphers.go[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
+
+    cat >> ${OUTPUT} <<EOF
+},
+},
+curves: curveSlice{
+curveNums: []tls.CurveID{
+EOF
+
+    ${JQ} -r ".configurations.$1.tls_curves[] | . |= . + \",\"" ${TMPFILE} >> ${OUTPUT}
+
+    version=$(${JQ} -r ".configurations.$1.tls_versions[0]" ${TMPFILE})
+    version=${version/TLSv1./tls.VersionTLS1}
+    version=${version/TLSv1/tls.VersionTLS10}
+
+    cat >> ${OUTPUT} <<EOF
+},
+},
+minTLSVersion: ${version},
+}
+EOF
+}
+
+generate_profile "modern"
+generate_profile "intermediate"
+generate_profile "old"
+
+# Make go happy
+go fmt ${OUTPUT}
diff --git a/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml
index c90727030..20cc698c2 100644
--- a/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml
+++ b/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml
@@ -53,6 +53,13 @@ spec:
             - --v=${LOG_VERBOSITY}
             - --global-pull-secret=openshift-config/pull-secret
             {{- end }}
+            {{- if .Values.options.e2e.enabled }}
+            {{- /* This is effectively modern with the CHACHA cipher and secp384r1 curve removed */}}
+            - --tls-profile=custom
+            - --tls-custom-version=TLSv1.3
+            - --tls-custom-curves=X25519,prime256v1
+            - --tls-custom-ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
+            {{- end }}
           command:
             - ./catalogd
           {{- if or .Values.options.e2e.enabled .Values.options.openshift.enabled }}
diff --git a/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml
index de8344b5c..a62558f8e 100644
--- a/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml
+++ b/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml
@@ -54,6 +54,9 @@ spec:
             - --v=${LOG_VERBOSITY}
             - --global-pull-secret=openshift-config/pull-secret
             {{- end }}
+            {{- if .Values.options.e2e.enabled }}
+            - --tls-profile=modern
+            {{- end }}
           command:
             - /operator-controller
           {{- if or .Values.options.e2e.enabled .Values.options.openshift.enabled }}
diff --git a/internal/shared/util/tlsprofiles/flags.go b/internal/shared/util/tlsprofiles/flags.go
new file mode 100644
index 000000000..682963b49
--- /dev/null
+++ b/internal/shared/util/tlsprofiles/flags.go
@@ -0,0 +1,189 @@
+package tlsprofiles
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/csv"
+	"fmt"
+	"maps"
+	"slices"
+	"strings"
+
+	"github.com/spf13/pflag"
+)
+
+func AddFlags(fs *pflag.FlagSet) {
+	fs.Var(&configuredProfile, "tls-profile", "The TLS profile to use. One of "+fmt.Sprintf("%v", slices.Sorted(maps.Keys(profiles))))
+	fs.Var(&customTLSProfile.ciphers, "tls-custom-ciphers", "List of ciphers to be used with the custom TLS profile. Use Go-language cipher names")
+	fs.Var(&customTLSProfile.curves, "tls-custom-curves", "List of curves to be used with the custom TLS profile. Values may consist of "+fmt.Sprintf("%v", slices.Sorted(maps.Keys(curves))))
+	fs.Var(&customTLSProfile.minTLSVersion, "tls-custom-version", "The TLS version to be used with the custom TLS profile. One of "+fmt.Sprintf("%v", slices.Sorted(maps.Keys(tlsVersions))))
+}
+
+// Definition of the type for `--tls-profile`
+type tlsProfileName string
+
+func (p *tlsProfileName) String() string {
+	return string(*p)
+}
+
+func (p *tlsProfileName) Type() string {
+	return "string"
+}
+
+func (p *tlsProfileName) Set(value string) error {
+	newValue := tlsProfileName(value)
+	_, err := findTLSProfile(newValue)
+	if err != nil {
+		return err
+	}
+	*p = newValue
+	return nil
+}
+
+// Definition of the type for `--tls-custom-ciphers`
+type cipherSlice struct {
+	cipherNums  []uint16
+	cipherNames []string
+}
+
+func readAsCSV(val string) ([]string, error) {
+	if val == "" {
+		return []string{}, nil
+	}
+	stringReader := strings.NewReader(val)
+	csvReader := csv.NewReader(stringReader)
+	return csvReader.Read()
+}
+
+func writeAsCSV(vals []string) (string, error) {
+	b := &bytes.Buffer{}
+	w := csv.NewWriter(b)
+	err := w.Write(vals)
+	if err != nil {
+		return "", err
+	}
+	w.Flush()
+	return strings.TrimSuffix(b.String(), "\n"), nil
+}
+
+func (s *cipherSlice) Set(val string) error {
+	v, err := readAsCSV(val)
+	if err != nil {
+		return err
+	}
+	return s.Replace(v)
+}
+
+func (s *cipherSlice) Type() string {
+	return "stringSlice"
+}
+
+func (s *cipherSlice) String() string {
+	str, _ := writeAsCSV(s.cipherNames)
+	return "[" + str + "]"
+}
+
+func (s *cipherSlice) Append(val string) error {
+	num := cipherSuiteId(val)
+	if num == 0 {
+		return fmt.Errorf("unknown cipher %q", val)
+	}
+	s.cipherNums = append(s.cipherNums, num)
+	s.cipherNames = append(s.cipherNames, val)
+	return nil
+}
+
+func (s *cipherSlice) Replace(val []string) error {
+	s.cipherNames = make([]string, 0, len(val))
+	s.cipherNums = make([]uint16, 0, len(val))
+	for _, cipher := range val {
+		if err := s.Append(cipher); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *cipherSlice) GetSlice() []string {
+	return s.cipherNames
+}
+
+// Definition of the type for `--tls-custom-curves`
+type curveSlice struct {
+	curveNums  []tls.CurveID
+	curveNames []string
+}
+
+func (s *curveSlice) Set(val string) error {
+	v, err := readAsCSV(val)
+	if err != nil {
+		return err
+	}
+	return s.Replace(v)
+}
+
+func (s *curveSlice) Type() string {
+	return "stringSlice"
+}
+
+func (s *curveSlice) String() string {
+	str, _ := writeAsCSV(s.curveNames)
+	return "[" + str + "]"
+}
+
+func (s *curveSlice) Append(val string) error {
+	num := curveId(val)
+	if num == 0 {
+		return fmt.Errorf("unknown curve %q", val)
+	}
+	s.curveNums = append(s.curveNums, num)
+	s.curveNames = append(s.curveNames, val)
+	return nil
+}
+
+func (s *curveSlice) Replace(val []string) error {
+	s.curveNames = make([]string, 0, len(val))
+	s.curveNums = make([]tls.CurveID, 0, len(val))
+	for _, curve := range val {
+		if err := s.Append(curve); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *curveSlice) GetSlice() []string {
+	return s.curveNames
+}
+
+// Definition of the type for `--tls-custom-version`
+type tlsVersion uint16
+
+var tlsVersions = map[string]uint16{
+	"TLSv1.0": tls.VersionTLS10,
+	"TLSv1.1": tls.VersionTLS11,
+	"TLSv1.2": tls.VersionTLS12,
+	"TLSv1.3": tls.VersionTLS13,
+}
+
+func (v *tlsVersion) String() string {
+	for s, n := range tlsVersions {
+		if *v == tlsVersion(n) {
+			return s
+		}
+	}
+	return ""
+}
+
+func (v *tlsVersion) Type() string {
+	return "string"
+}
+
+func (v *tlsVersion) Set(value string) error {
+	n, ok := tlsVersions[value]
+	if !ok {
+		return fmt.Errorf("unknown TLS version: %q", value)
+	}
+	*v = tlsVersion(n)
+	return nil
+}
diff --git a/internal/shared/util/tlsprofiles/mozilla_data.go b/internal/shared/util/tlsprofiles/mozilla_data.go
new file mode 100644
index 000000000..6b74ade2d
--- /dev/null
+++ b/internal/shared/util/tlsprofiles/mozilla_data.go
@@ -0,0 +1,87 @@
+package tlsprofiles
+
+// DO NOT EDIT, GENERATED BY hack/tools/update-tls-profiles.sh
+// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/latest.json
+// DATA VERSION: 5.7
+
+import (
+	"crypto/tls"
+)
+
+var modernTLSProfile = tlsProfile{
+	ciphers: cipherSlice{
+		cipherNums: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+		},
+	},
+	curves: curveSlice{
+		curveNums: []tls.CurveID{
+			X25519,
+			prime256v1,
+			secp384r1,
+		},
+	},
+	minTLSVersion: tls.VersionTLS13,
+}
+
+var intermediateTLSProfile = tlsProfile{
+	ciphers: cipherSlice{
+		cipherNums: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		},
+	},
+	curves: curveSlice{
+		curveNums: []tls.CurveID{
+			X25519,
+			prime256v1,
+			secp384r1,
+		},
+	},
+	minTLSVersion: tls.VersionTLS12,
+}
+
+var oldTLSProfile = tlsProfile{
+	ciphers: cipherSlice{
+		cipherNums: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		},
+	},
+	curves: curveSlice{
+		curveNums: []tls.CurveID{
+			X25519,
+			prime256v1,
+			secp384r1,
+		},
+	},
+	minTLSVersion: tls.VersionTLS10,
+}
diff --git a/internal/shared/util/tlsprofiles/tlsprofiles.go b/internal/shared/util/tlsprofiles/tlsprofiles.go
new file mode 100644
index 000000000..bac658610
--- /dev/null
+++ b/internal/shared/util/tlsprofiles/tlsprofiles.go
@@ -0,0 +1,91 @@
+package tlsprofiles
+
+import (
+	"crypto/tls"
+	"fmt"
+	"strings"
+)
+
+var (
+	configuredProfile tlsProfileName = "intermediate"
+	customTLSProfile  tlsProfile     = tlsProfile{
+		ciphers:       cipherSlice{},
+		curves:        curveSlice{},
+		minTLSVersion: tls.VersionTLS12,
+	}
+)
+
+type tlsProfile struct {
+	ciphers       cipherSlice
+	curves        curveSlice
+	minTLSVersion tlsVersion
+}
+
+// Based on compatibility levels from: https://wiki.mozilla.org/Security/Server_Side_TLS
+var profiles = map[string]*tlsProfile{
+	"modern":       &modernTLSProfile,
+	"intermediate": &intermediateTLSProfile,
+	"old":          &oldTLSProfile,
+	"custom":       &customTLSProfile,
+}
+
+func findTLSProfile(profile tlsProfileName) (*tlsProfile, error) {
+	p := strings.ToLower(profile.String())
+	tlsProfile, ok := profiles[p]
+	if !ok {
+		return nil, fmt.Errorf("unknown TLS profile: %q", profile.String())
+	}
+	return tlsProfile, nil
+}
+
+func GetTLSConfigFunc() (func(*tls.Config), error) {
+	tlsProfile, err := findTLSProfile(configuredProfile)
+	if err != nil {
+		return nil, err
+	}
+	return func(config *tls.Config) {
+		config.MinVersion = uint16(tlsProfile.minTLSVersion)
+		config.CipherSuites = tlsProfile.ciphers.cipherNums
+		config.CurvePreferences = tlsProfile.curves.curveNums
+	}, nil
+}
+
+// This function should _really_ exist in crypto/tls
+// cipherSuiteId returns the cipher suite ID given a standard name
+// (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or 0 if no such cipher exists
+func cipherSuiteId(name string) uint16 {
+	for _, c := range tls.CipherSuites() {
+		if c.Name == name {
+			return c.ID
+		}
+	}
+	for _, c := range tls.InsecureCipherSuites() {
+		if c.Name == name {
+			return c.ID
+		}
+	}
+	return 0
+}
+
+// This is primarily so that we don't have to rewrite curve values in mozilla_data.go
+const (
+	X25519     tls.CurveID = tls.X25519
+	prime256v1 tls.CurveID = tls.CurveP256
+	secp384r1  tls.CurveID = tls.CurveP384
+	secp521r1  tls.CurveID = tls.CurveP521
+)
+
+var curves = map[string]tls.CurveID{
+	"X25519":     tls.X25519,
+	"prime256v1": tls.CurveP256,
+	"secp384r1":  tls.CurveP384,
+	"secp521r1":  tls.CurveP521,
+}
+
+// Returns 0 for an invalid curve name
+func curveId(name string) tls.CurveID {
+	if id, ok := curves[name]; ok {
+		return id
+	}
+	return 0
+}
diff --git a/internal/shared/util/tlsprofiles/tlsprofiles_test.go b/internal/shared/util/tlsprofiles/tlsprofiles_test.go
new file mode 100644
index 000000000..7be0903f7
--- /dev/null
+++ b/internal/shared/util/tlsprofiles/tlsprofiles_test.go
@@ -0,0 +1,160 @@
+package tlsprofiles
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetProfiles(t *testing.T) {
+	tests := []struct {
+		name   tlsProfileName
+		result bool
+	}{
+		{"modern", true},
+		{"intermediate", true},
+		{"old", true},
+		{"custom", true},
+		{"does-not-exist", false},
+	}
+
+	for _, test := range tests {
+		p, err := findTLSProfile(test.name)
+		if !test.result {
+			require.Error(t, err)
+		} else {
+			require.NoError(t, err)
+			require.NotNil(t, p)
+		}
+	}
+}
+
+func TestGetTLSConfigFunc(t *testing.T) {
+	f, err := GetTLSConfigFunc()
+	require.NoError(t, err)
+	require.NotNil(t, f)
+
+	// Set an invalid profile
+	configuredProfile = "does-not-exist"
+	f, err = GetTLSConfigFunc()
+	require.Error(t, err)
+	require.Nil(t, f)
+}
+
+func TestCipherStuiteId(t *testing.T) {
+	tests := []struct {
+		name   string
+		result uint16
+	}{
+		{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 0xC009},
+		{"unknown-cipher", 0},
+		{"TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x000A}, // Insecure cipher
+		{"DHE-RSA-AES128-SHA256", 0},              // Valid OpenSSL cipher, not implemented
+	}
+
+	for _, test := range tests {
+		v := cipherSuiteId(test.name)
+		require.Equal(t, test.result, v)
+	}
+}
+
+func TestSetProfileName(t *testing.T) {
+	var profile tlsProfileName
+
+	tests := []struct {
+		name   string
+		result bool
+	}{
+		{"modern", true},
+		{"intermediate", true},
+		{"old", true},
+		{"custom", true},
+		{"does-not-exist", false},
+	}
+
+	for _, test := range tests {
+		err := (&profile).Set(test.name)
+		if !test.result {
+			require.Error(t, err)
+		} else {
+			require.NoError(t, err)
+		}
+	}
+}
+
+func TestSetCustomCipher(t *testing.T) {
+	var ciphers cipherSlice
+
+	tests := []struct {
+		name   string
+		result bool
+	}{
+		{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", true},
+		{"unknown-cipher", false},
+		{"TLS_RSA_WITH_3DES_EDE_CBC_SHA", true},                                      // Insecure cipher
+		{"DHE-RSA-AES128-SHA256", false},                                             // Valid OpenSSL cipher, not implemented
+		{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA", true}, // Multiple
+	}
+
+	for _, test := range tests {
+		err := ciphers.Set(test.name)
+		if test.result {
+			require.NoError(t, err)
+			require.Equal(t, "["+test.name+"]", ciphers.String())
+		} else {
+			require.Error(t, err)
+		}
+	}
+}
+
+func TestSetCustomCurves(t *testing.T) {
+	var curves curveSlice
+
+	tests := []struct {
+		name   string
+		result bool
+	}{
+		{"X25519", true},
+		{"prime256v1", true},
+		{"secp384r1", true},
+		{"secp521r1", true},
+		{"unknown-cuve", false},
+		{"X448", false},             // Valid OpenSSL curve, not implemented
+		{"X25519,prime256v1", true}, // Multiple
+	}
+
+	for _, test := range tests {
+		err := curves.Set(test.name)
+		if test.result {
+			require.NoError(t, err)
+			require.Equal(t, "["+test.name+"]", curves.String())
+		} else {
+			require.Error(t, err)
+		}
+	}
+}
+
+func TestSetCustomVersion(t *testing.T) {
+	var version tlsVersion
+
+	tests := []struct {
+		name   string
+		result bool
+	}{
+		{"TLSv1.0", true},
+		{"TLSv1.1", true},
+		{"TLSv1.2", true},
+		{"TLSv1.3", true},
+		{"unknown-version", false},
+	}
+
+	for _, test := range tests {
+		err := version.Set(test.name)
+		if test.result {
+			require.NoError(t, err)
+			require.Equal(t, test.name, version.String())
+		} else {
+			require.Error(t, err)
+		}
+	}
+}
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
index 3724dbee2..1bc93321e 100644
--- a/manifests/experimental-e2e.yaml
+++ b/manifests/experimental-e2e.yaml
@@ -2025,6 +2025,10 @@ spec:
             - --tls-cert=/var/certs/tls.crt
             - --tls-key=/var/certs/tls.key
             - --pull-cas-dir=/var/ca-certs
+            - --tls-profile=custom
+            - --tls-custom-version=TLSv1.3
+            - --tls-custom-curves=X25519,prime256v1
+            - --tls-custom-ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
           command:
             - ./catalogd
           env:
@@ -2171,6 +2175,7 @@ spec:
             - --tls-key=/var/certs/tls.key
             - --catalogd-cas-dir=/var/ca-certs
             - --pull-cas-dir=/var/ca-certs
+            - --tls-profile=modern
           command:
             - /operator-controller
           env:
diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml
index e86573534..72f8b82dc 100644
--- a/manifests/standard-e2e.yaml
+++ b/manifests/standard-e2e.yaml
@@ -1783,6 +1783,10 @@ spec:
             - --tls-cert=/var/certs/tls.crt
             - --tls-key=/var/certs/tls.key
             - --pull-cas-dir=/var/ca-certs
+            - --tls-profile=custom
+            - --tls-custom-version=TLSv1.3
+            - --tls-custom-curves=X25519,prime256v1
+            - --tls-custom-ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
           command:
             - ./catalogd
           env:
@@ -1924,6 +1928,7 @@ spec:
             - --tls-key=/var/certs/tls.key
             - --catalogd-cas-dir=/var/ca-certs
             - --pull-cas-dir=/var/ca-certs
+            - --tls-profile=modern
           command:
             - /operator-controller
           env:
diff --git a/requirements.txt b/requirements.txt
index eb4e46a96..508f82991 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,8 +1,8 @@
 Babel==2.17.0
 beautifulsoup4==4.14.2
-certifi==2025.8.3
+certifi==2025.10.5
 charset-normalizer==3.4.3
-click==8.1.8
+click==8.3.0
 colorama==0.4.6
 cssselect==1.3.0
 ghp-import==2.1.0
diff --git a/vendor/github.com/operator-framework/operator-registry/pkg/lib/bundle/supported_resources.go b/vendor/github.com/operator-framework/operator-registry/pkg/lib/bundle/supported_resources.go
index 3569367ef..ee2afeb41 100644
--- a/vendor/github.com/operator-framework/operator-registry/pkg/lib/bundle/supported_resources.go
+++ b/vendor/github.com/operator-framework/operator-registry/pkg/lib/bundle/supported_resources.go
@@ -22,6 +22,7 @@ const (
 	ConsoleLinkKind           = "ConsoleLink"
 	ConsolePlugin             = "ConsolePlugin"
 	NetworkPolicyKind         = "NetworkPolicy"
+	PodMonitorKind            = "PodMonitor"
 )
 
 // Namespaced indicates whether the resource is namespace scoped (true) or cluster-scoped (false).
@@ -51,6 +52,7 @@ var supportedResources = map[string]Namespaced{
 	ConsoleLinkKind:           false,
 	ConsolePlugin:             false,
 	NetworkPolicyKind:         true,
+	PodMonitorKind:            true,
 }
 
 // IsSupported checks if the object kind is OLM-supported and if it is namespaced
diff --git a/vendor/github.com/prometheus/common/expfmt/decode.go b/vendor/github.com/prometheus/common/expfmt/decode.go
index 7b762370e..8f8dc65d3 100644
--- a/vendor/github.com/prometheus/common/expfmt/decode.go
+++ b/vendor/github.com/prometheus/common/expfmt/decode.go
@@ -220,7 +220,7 @@ func extractSamples(f *dto.MetricFamily, o *DecodeOptions) (model.Vector, error)
 		return extractSummary(o, f), nil
 	case dto.MetricType_UNTYPED:
 		return extractUntyped(o, f), nil
-	case dto.MetricType_HISTOGRAM:
+	case dto.MetricType_HISTOGRAM, dto.MetricType_GAUGE_HISTOGRAM:
 		return extractHistogram(o, f), nil
 	}
 	return nil, fmt.Errorf("expfmt.extractSamples: unknown metric family type %v", f.GetType())
@@ -403,9 +403,13 @@ func extractHistogram(o *DecodeOptions, f *dto.MetricFamily) model.Vector {
 				infSeen = true
 			}
 
+			v := q.GetCumulativeCountFloat()
+			if v <= 0 {
+				v = float64(q.GetCumulativeCount())
+			}
 			samples = append(samples, &model.Sample{
 				Metric:    model.Metric(lset),
-				Value:     model.SampleValue(q.GetCumulativeCount()),
+				Value:     model.SampleValue(v),
 				Timestamp: timestamp,
 			})
 		}
@@ -428,9 +432,13 @@ func extractHistogram(o *DecodeOptions, f *dto.MetricFamily) model.Vector {
 		}
 		lset[model.MetricNameLabel] = model.LabelValue(f.GetName() + "_count")
 
+		v := m.Histogram.GetSampleCountFloat()
+		if v <= 0 {
+			v = float64(m.Histogram.GetSampleCount())
+		}
 		count := &model.Sample{
 			Metric:    model.Metric(lset),
-			Value:     model.SampleValue(m.Histogram.GetSampleCount()),
+			Value:     model.SampleValue(v),
 			Timestamp: timestamp,
 		}
 		samples = append(samples, count)
diff --git a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
index 8dbf6d04e..8c8bbaa62 100644
--- a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
+++ b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
@@ -208,6 +208,8 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily, options ...E
 		n, err = w.WriteString(" unknown\n")
 	case dto.MetricType_HISTOGRAM:
 		n, err = w.WriteString(" histogram\n")
+	case dto.MetricType_GAUGE_HISTOGRAM:
+		n, err = w.WriteString(" gaugehistogram\n")
 	default:
 		return written, fmt.Errorf("unknown metric type %s", metricType.String())
 	}
@@ -325,7 +327,7 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily, options ...E
 				createdTsBytesWritten, err = writeOpenMetricsCreated(w, compliantName, "", metric, "", 0, metric.Summary.GetCreatedTimestamp())
 				n += createdTsBytesWritten
 			}
-		case dto.MetricType_HISTOGRAM:
+		case dto.MetricType_HISTOGRAM, dto.MetricType_GAUGE_HISTOGRAM:
 			if metric.Histogram == nil {
 				return written, fmt.Errorf(
 					"expected histogram in metric %s %s", compliantName, metric,
@@ -333,6 +335,12 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily, options ...E
 			}
 			infSeen := false
 			for _, b := range metric.Histogram.Bucket {
+				if b.GetCumulativeCountFloat() > 0 {
+					return written, fmt.Errorf(
+						"OpenMetrics v1.0 does not support float histogram %s %s",
+						compliantName, metric,
+					)
+				}
 				n, err = writeOpenMetricsSample(
 					w, compliantName, "_bucket", metric,
 					model.BucketLabel, b.GetUpperBound(),
@@ -354,6 +362,9 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily, options ...E
 					0, metric.Histogram.GetSampleCount(), true,
 					nil,
 				)
+				// We do not check for a float sample count here
+				// because we will check for it below (and error
+				// out if needed).
 				written += n
 				if err != nil {
 					return
@@ -368,6 +379,12 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily, options ...E
 			if err != nil {
 				return
 			}
+			if metric.Histogram.GetSampleCountFloat() > 0 {
+				return written, fmt.Errorf(
+					"OpenMetrics v1.0 does not support float histogram %s %s",
+					compliantName, metric,
+				)
+			}
 			n, err = writeOpenMetricsSample(
 				w, compliantName, "_count", metric, "", 0,
 				0, metric.Histogram.GetSampleCount(), true,
diff --git a/vendor/github.com/prometheus/common/expfmt/text_create.go b/vendor/github.com/prometheus/common/expfmt/text_create.go
index c4e9c1bbc..7e1d23cab 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_create.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_create.go
@@ -151,7 +151,10 @@ func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err e
 		n, err = w.WriteString(" summary\n")
 	case dto.MetricType_UNTYPED:
 		n, err = w.WriteString(" untyped\n")
-	case dto.MetricType_HISTOGRAM:
+	case dto.MetricType_HISTOGRAM, dto.MetricType_GAUGE_HISTOGRAM:
+		// The classic Prometheus text format has no notion of a gauge
+		// histogram. We render a gauge histogram in the same way as a
+		// regular histogram.
 		n, err = w.WriteString(" histogram\n")
 	default:
 		return written, fmt.Errorf("unknown metric type %s", metricType.String())
@@ -223,7 +226,7 @@ func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err e
 				w, name, "_count", metric, "", 0,
 				float64(metric.Summary.GetSampleCount()),
 			)
-		case dto.MetricType_HISTOGRAM:
+		case dto.MetricType_HISTOGRAM, dto.MetricType_GAUGE_HISTOGRAM:
 			if metric.Histogram == nil {
 				return written, fmt.Errorf(
 					"expected histogram in metric %s %s", name, metric,
@@ -231,10 +234,14 @@ func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err e
 			}
 			infSeen := false
 			for _, b := range metric.Histogram.Bucket {
+				v := b.GetCumulativeCountFloat()
+				if v == 0 {
+					v = float64(b.GetCumulativeCount())
+				}
 				n, err = writeSample(
 					w, name, "_bucket", metric,
 					model.BucketLabel, b.GetUpperBound(),
-					float64(b.GetCumulativeCount()),
+					v,
 				)
 				written += n
 				if err != nil {
@@ -245,10 +252,14 @@ func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err e
 				}
 			}
 			if !infSeen {
+				v := metric.Histogram.GetSampleCountFloat()
+				if v == 0 {
+					v = float64(metric.Histogram.GetSampleCount())
+				}
 				n, err = writeSample(
 					w, name, "_bucket", metric,
 					model.BucketLabel, math.Inf(+1),
-					float64(metric.Histogram.GetSampleCount()),
+					v,
 				)
 				written += n
 				if err != nil {
@@ -263,10 +274,11 @@ func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err e
 			if err != nil {
 				return
 			}
-			n, err = writeSample(
-				w, name, "_count", metric, "", 0,
-				float64(metric.Histogram.GetSampleCount()),
-			)
+			v := metric.Histogram.GetSampleCountFloat()
+			if v == 0 {
+				v = float64(metric.Histogram.GetSampleCount())
+			}
+			n, err = writeSample(w, name, "_count", metric, "", 0, v)
 		default:
 			return written, fmt.Errorf(
 				"unexpected type in metric %s %s", name, metric,
diff --git a/vendor/github.com/prometheus/common/expfmt/text_parse.go b/vendor/github.com/prometheus/common/expfmt/text_parse.go
index 8f2edde32..00c8841a1 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_parse.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_parse.go
@@ -48,8 +48,10 @@ func (e ParseError) Error() string {
 	return fmt.Sprintf("text format parsing error in line %d: %s", e.Line, e.Msg)
 }
 
-// TextParser is used to parse the simple and flat text-based exchange format. Its
-// zero value is ready to use.
+// TextParser is used to parse the simple and flat text-based exchange format.
+//
+// TextParser instances must be created with NewTextParser, the zero value of
+// TextParser is invalid.
 type TextParser struct {
 	metricFamiliesByName map[string]*dto.MetricFamily
 	buf                  *bufio.Reader // Where the parsed input is read through.
@@ -129,9 +131,44 @@ func (p *TextParser) TextToMetricFamilies(in io.Reader) (map[string]*dto.MetricF
 	if p.err != nil && errors.Is(p.err, io.EOF) {
 		p.parseError("unexpected end of input stream")
 	}
+	for _, histogramMetric := range p.histograms {
+		normalizeHistogram(histogramMetric.GetHistogram())
+	}
 	return p.metricFamiliesByName, p.err
 }
 
+// normalizeHistogram makes sure that all the buckets and the count in each
+// histogram is either completely float or completely integer.
+func normalizeHistogram(histogram *dto.Histogram) {
+	if histogram == nil {
+		return
+	}
+	anyFloats := false
+	if histogram.GetSampleCountFloat() != 0 {
+		anyFloats = true
+	} else {
+		for _, b := range histogram.GetBucket() {
+			if b.GetCumulativeCountFloat() != 0 {
+				anyFloats = true
+				break
+			}
+		}
+	}
+	if !anyFloats {
+		return
+	}
+	if histogram.GetSampleCountFloat() == 0 {
+		histogram.SampleCountFloat = proto.Float64(float64(histogram.GetSampleCount()))
+		histogram.SampleCount = nil
+	}
+	for _, b := range histogram.GetBucket() {
+		if b.GetCumulativeCountFloat() == 0 {
+			b.CumulativeCountFloat = proto.Float64(float64(b.GetCumulativeCount()))
+			b.CumulativeCount = nil
+		}
+	}
+}
+
 func (p *TextParser) reset(in io.Reader) {
 	p.metricFamiliesByName = map[string]*dto.MetricFamily{}
 	p.currentLabelPairs = nil
@@ -281,7 +318,9 @@ func (p *TextParser) readingLabels() stateFn {
 	// Summaries/histograms are special. We have to reset the
 	// currentLabels map, currentQuantile and currentBucket before starting to
 	// read labels.
-	if p.currentMF.GetType() == dto.MetricType_SUMMARY || p.currentMF.GetType() == dto.MetricType_HISTOGRAM {
+	if p.currentMF.GetType() == dto.MetricType_SUMMARY ||
+		p.currentMF.GetType() == dto.MetricType_HISTOGRAM ||
+		p.currentMF.GetType() == dto.MetricType_GAUGE_HISTOGRAM {
 		p.currentLabels = map[string]string{}
 		p.currentLabels[string(model.MetricNameLabel)] = p.currentMF.GetName()
 		p.currentQuantile = math.NaN()
@@ -374,7 +413,9 @@ func (p *TextParser) startLabelName() stateFn {
 	// Special summary/histogram treatment. Don't add 'quantile' and 'le'
 	// labels to 'real' labels.
 	if (p.currentMF.GetType() != dto.MetricType_SUMMARY || p.currentLabelPair.GetName() != model.QuantileLabel) &&
-		(p.currentMF.GetType() != dto.MetricType_HISTOGRAM || p.currentLabelPair.GetName() != model.BucketLabel) {
+		((p.currentMF.GetType() != dto.MetricType_HISTOGRAM &&
+			p.currentMF.GetType() != dto.MetricType_GAUGE_HISTOGRAM) ||
+			p.currentLabelPair.GetName() != model.BucketLabel) {
 		p.currentLabelPairs = append(p.currentLabelPairs, p.currentLabelPair)
 	}
 	// Check for duplicate label names.
@@ -425,7 +466,7 @@ func (p *TextParser) startLabelValue() stateFn {
 		}
 	}
 	// Similar special treatment of histograms.
-	if p.currentMF.GetType() == dto.MetricType_HISTOGRAM {
+	if p.currentMF.GetType() == dto.MetricType_HISTOGRAM || p.currentMF.GetType() == dto.MetricType_GAUGE_HISTOGRAM {
 		if p.currentLabelPair.GetName() == model.BucketLabel {
 			if p.currentBucket, p.err = parseFloat(p.currentLabelPair.GetValue()); p.err != nil {
 				// Create a more helpful error message.
@@ -476,7 +517,7 @@ func (p *TextParser) readingValue() stateFn {
 			p.summaries[signature] = p.currentMetric
 			p.currentMF.Metric = append(p.currentMF.Metric, p.currentMetric)
 		}
-	case dto.MetricType_HISTOGRAM:
+	case dto.MetricType_HISTOGRAM, dto.MetricType_GAUGE_HISTOGRAM:
 		signature := model.LabelsToSignature(p.currentLabels)
 		if histogram := p.histograms[signature]; histogram != nil {
 			p.currentMetric = histogram
@@ -522,24 +563,38 @@ func (p *TextParser) readingValue() stateFn {
 				},
 			)
 		}
-	case dto.MetricType_HISTOGRAM:
+	case dto.MetricType_HISTOGRAM, dto.MetricType_GAUGE_HISTOGRAM:
 		// *sigh*
 		if p.currentMetric.Histogram == nil {
 			p.currentMetric.Histogram = &dto.Histogram{}
 		}
 		switch {
 		case p.currentIsHistogramCount:
-			p.currentMetric.Histogram.SampleCount = proto.Uint64(uint64(value))
+			if uintValue := uint64(value); value == float64(uintValue) {
+				p.currentMetric.Histogram.SampleCount = proto.Uint64(uintValue)
+			} else {
+				if value < 0 {
+					p.parseError(fmt.Sprintf("negative count for histogram %q", p.currentMF.GetName()))
+					return nil
+				}
+				p.currentMetric.Histogram.SampleCountFloat = proto.Float64(value)
+			}
 		case p.currentIsHistogramSum:
 			p.currentMetric.Histogram.SampleSum = proto.Float64(value)
 		case !math.IsNaN(p.currentBucket):
-			p.currentMetric.Histogram.Bucket = append(
-				p.currentMetric.Histogram.Bucket,
-				&dto.Bucket{
-					UpperBound:      proto.Float64(p.currentBucket),
-					CumulativeCount: proto.Uint64(uint64(value)),
-				},
-			)
+			b := &dto.Bucket{
+				UpperBound: proto.Float64(p.currentBucket),
+			}
+			if uintValue := uint64(value); value == float64(uintValue) {
+				b.CumulativeCount = proto.Uint64(uintValue)
+			} else {
+				if value < 0 {
+					p.parseError(fmt.Sprintf("negative bucket population for histogram %q", p.currentMF.GetName()))
+					return nil
+				}
+				b.CumulativeCountFloat = proto.Float64(value)
+			}
+			p.currentMetric.Histogram.Bucket = append(p.currentMetric.Histogram.Bucket, b)
 		}
 	default:
 		p.err = fmt.Errorf("unexpected type for metric name %q", p.currentMF.GetName())
@@ -602,10 +657,18 @@ func (p *TextParser) readingType() stateFn {
 	if p.readTokenUntilNewline(false); p.err != nil {
 		return nil // Unexpected end of input.
 	}
-	metricType, ok := dto.MetricType_value[strings.ToUpper(p.currentToken.String())]
+	typ := strings.ToUpper(p.currentToken.String()) // Tolerate any combination of upper and lower case.
+	metricType, ok := dto.MetricType_value[typ]     // Tolerate "gauge_histogram" (not originally part of the text format).
 	if !ok {
-		p.parseError(fmt.Sprintf("unknown metric type %q", p.currentToken.String()))
-		return nil
+		// We also want to tolerate "gaugehistogram" to mark a gauge
+		// histogram, because that string is used in OpenMetrics. Note,
+		// however, that gauge histograms do not officially exist in the
+		// classic text format.
+		if typ != "GAUGEHISTOGRAM" {
+			p.parseError(fmt.Sprintf("unknown metric type %q", p.currentToken.String()))
+			return nil
+		}
+		metricType = int32(dto.MetricType_GAUGE_HISTOGRAM)
 	}
 	p.currentMF.Type = dto.MetricType(metricType).Enum()
 	return p.startOfLine
@@ -855,7 +918,8 @@ func (p *TextParser) setOrCreateCurrentMF() {
 	}
 	histogramName := histogramMetricName(name)
 	if p.currentMF = p.metricFamiliesByName[histogramName]; p.currentMF != nil {
-		if p.currentMF.GetType() == dto.MetricType_HISTOGRAM {
+		if p.currentMF.GetType() == dto.MetricType_HISTOGRAM ||
+			p.currentMF.GetType() == dto.MetricType_GAUGE_HISTOGRAM {
 			if isCount(name) {
 				p.currentIsHistogramCount = true
 			}
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
index 688aabe43..dbcf90b87 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
@@ -72,9 +72,10 @@ type (
 		EditionFeatures EditionFeatures
 	}
 	FileL2 struct {
-		Options   func() protoreflect.ProtoMessage
-		Imports   FileImports
-		Locations SourceLocations
+		Options       func() protoreflect.ProtoMessage
+		Imports       FileImports
+		OptionImports func() protoreflect.FileImports
+		Locations     SourceLocations
 	}
 
 	// EditionFeatures is a frequently-instantiated struct, so please take care
@@ -126,12 +127,9 @@ func (fd *File) ParentFile() protoreflect.FileDescriptor { return fd }
 func (fd *File) Parent() protoreflect.Descriptor         { return nil }
 func (fd *File) Index() int                              { return 0 }
 func (fd *File) Syntax() protoreflect.Syntax             { return fd.L1.Syntax }
-
-// Not exported and just used to reconstruct the original FileDescriptor proto
-func (fd *File) Edition() int32                  { return int32(fd.L1.Edition) }
-func (fd *File) Name() protoreflect.Name         { return fd.L1.Package.Name() }
-func (fd *File) FullName() protoreflect.FullName { return fd.L1.Package }
-func (fd *File) IsPlaceholder() bool             { return false }
+func (fd *File) Name() protoreflect.Name                 { return fd.L1.Package.Name() }
+func (fd *File) FullName() protoreflect.FullName         { return fd.L1.Package }
+func (fd *File) IsPlaceholder() bool                     { return false }
 func (fd *File) Options() protoreflect.ProtoMessage {
 	if f := fd.lazyInit().Options; f != nil {
 		return f()
@@ -150,6 +148,16 @@ func (fd *File) Format(s fmt.State, r rune)                    { descfmt.FormatD
 func (fd *File) ProtoType(protoreflect.FileDescriptor)         {}
 func (fd *File) ProtoInternal(pragma.DoNotImplement)           {}
 
+// The next two are not part of the FileDescriptor interface. They are just used to reconstruct
+// the original FileDescriptor proto.
+func (fd *File) Edition() int32 { return int32(fd.L1.Edition) }
+func (fd *File) OptionImports() protoreflect.FileImports {
+	if f := fd.lazyInit().OptionImports; f != nil {
+		return f()
+	}
+	return emptyFiles
+}
+
 func (fd *File) lazyInit() *FileL2 {
 	if atomic.LoadUint32(&fd.once) == 0 {
 		fd.lazyInitOnce()
@@ -182,9 +190,9 @@ type (
 		L2 *EnumL2 // protected by fileDesc.once
 	}
 	EnumL1 struct {
-		eagerValues bool // controls whether EnumL2.Values is already populated
-
 		EditionFeatures EditionFeatures
+		Visibility      int32
+		eagerValues     bool // controls whether EnumL2.Values is already populated
 	}
 	EnumL2 struct {
 		Options        func() protoreflect.ProtoMessage
@@ -219,6 +227,11 @@ func (ed *Enum) ReservedNames() protoreflect.Names       { return &ed.lazyInit()
 func (ed *Enum) ReservedRanges() protoreflect.EnumRanges { return &ed.lazyInit().ReservedRanges }
 func (ed *Enum) Format(s fmt.State, r rune)              { descfmt.FormatDesc(s, r, ed) }
 func (ed *Enum) ProtoType(protoreflect.EnumDescriptor)   {}
+
+// This is not part of the EnumDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (ed *Enum) Visibility() int32 { return ed.L1.Visibility }
+
 func (ed *Enum) lazyInit() *EnumL2 {
 	ed.L0.ParentFile.lazyInit() // implicitly initializes L2
 	return ed.L2
@@ -244,13 +257,13 @@ type (
 		L2 *MessageL2 // protected by fileDesc.once
 	}
 	MessageL1 struct {
-		Enums        Enums
-		Messages     Messages
-		Extensions   Extensions
-		IsMapEntry   bool // promoted from google.protobuf.MessageOptions
-		IsMessageSet bool // promoted from google.protobuf.MessageOptions
-
+		Enums           Enums
+		Messages        Messages
+		Extensions      Extensions
 		EditionFeatures EditionFeatures
+		Visibility      int32
+		IsMapEntry      bool // promoted from google.protobuf.MessageOptions
+		IsMessageSet    bool // promoted from google.protobuf.MessageOptions
 	}
 	MessageL2 struct {
 		Options               func() protoreflect.ProtoMessage
@@ -319,6 +332,11 @@ func (md *Message) Messages() protoreflect.MessageDescriptors     { return &md.L
 func (md *Message) Extensions() protoreflect.ExtensionDescriptors { return &md.L1.Extensions }
 func (md *Message) ProtoType(protoreflect.MessageDescriptor)      {}
 func (md *Message) Format(s fmt.State, r rune)                    { descfmt.FormatDesc(s, r, md) }
+
+// This is not part of the MessageDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (md *Message) Visibility() int32 { return md.L1.Visibility }
+
 func (md *Message) lazyInit() *MessageL2 {
 	md.L0.ParentFile.lazyInit() // implicitly initializes L2
 	return md.L2
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
index d2f549497..e91860f5a 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
@@ -284,6 +284,13 @@ func (ed *Enum) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protorefl
 			case genid.EnumDescriptorProto_Value_field_number:
 				numValues++
 			}
+		case protowire.VarintType:
+			v, m := protowire.ConsumeVarint(b)
+			b = b[m:]
+			switch num {
+			case genid.EnumDescriptorProto_Visibility_field_number:
+				ed.L1.Visibility = int32(v)
+			}
 		default:
 			m := protowire.ConsumeFieldValue(num, typ, b)
 			b = b[m:]
@@ -365,6 +372,13 @@ func (md *Message) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protor
 				md.unmarshalSeedOptions(v)
 			}
 			prevField = num
+		case protowire.VarintType:
+			v, m := protowire.ConsumeVarint(b)
+			b = b[m:]
+			switch num {
+			case genid.DescriptorProto_Visibility_field_number:
+				md.L1.Visibility = int32(v)
+			}
 		default:
 			m := protowire.ConsumeFieldValue(num, typ, b)
 			b = b[m:]
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
index d4c94458b..dd31faaeb 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
@@ -134,6 +134,7 @@ func (fd *File) unmarshalFull(b []byte) {
 
 	var enumIdx, messageIdx, extensionIdx, serviceIdx int
 	var rawOptions []byte
+	var optionImports []string
 	fd.L2 = new(FileL2)
 	for len(b) > 0 {
 		num, typ, n := protowire.ConsumeTag(b)
@@ -157,6 +158,8 @@ func (fd *File) unmarshalFull(b []byte) {
 					imp = PlaceholderFile(path)
 				}
 				fd.L2.Imports = append(fd.L2.Imports, protoreflect.FileImport{FileDescriptor: imp})
+			case genid.FileDescriptorProto_OptionDependency_field_number:
+				optionImports = append(optionImports, sb.MakeString(v))
 			case genid.FileDescriptorProto_EnumType_field_number:
 				fd.L1.Enums.List[enumIdx].unmarshalFull(v, sb)
 				enumIdx++
@@ -178,6 +181,23 @@ func (fd *File) unmarshalFull(b []byte) {
 		}
 	}
 	fd.L2.Options = fd.builder.optionsUnmarshaler(&descopts.File, rawOptions)
+	if len(optionImports) > 0 {
+		var imps FileImports
+		var once sync.Once
+		fd.L2.OptionImports = func() protoreflect.FileImports {
+			once.Do(func() {
+				imps = make(FileImports, len(optionImports))
+				for i, path := range optionImports {
+					imp, _ := fd.builder.FileRegistry.FindFileByPath(path)
+					if imp == nil {
+						imp = PlaceholderFile(path)
+					}
+					imps[i] = protoreflect.FileImport{FileDescriptor: imp}
+				}
+			})
+			return &imps
+		}
+	}
 }
 
 func (ed *Enum) unmarshalFull(b []byte, sb *strs.Builder) {
diff --git a/vendor/google.golang.org/protobuf/internal/version/version.go b/vendor/google.golang.org/protobuf/internal/version/version.go
index 31e79a653..77de0f238 100644
--- a/vendor/google.golang.org/protobuf/internal/version/version.go
+++ b/vendor/google.golang.org/protobuf/internal/version/version.go
@@ -52,7 +52,7 @@ import (
 const (
 	Major      = 1
 	Minor      = 36
-	Patch      = 9
+	Patch      = 10
 	PreRelease = ""
 )
 
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
index 823dbf3ba..9196288e4 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
@@ -152,6 +152,28 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot
 		imp := &f.L2.Imports[i]
 		imps.importPublic(imp.Imports())
 	}
+	if len(fd.GetOptionDependency()) > 0 {
+		optionImports := make(filedesc.FileImports, len(fd.GetOptionDependency()))
+		for i, path := range fd.GetOptionDependency() {
+			imp := &optionImports[i]
+			f, err := r.FindFileByPath(path)
+			if err == protoregistry.NotFound {
+				// We always allow option imports to be unresolvable.
+				f = filedesc.PlaceholderFile(path)
+			} else if err != nil {
+				return nil, errors.New("could not resolve import %q: %v", path, err)
+			}
+			imp.FileDescriptor = f
+
+			if imps[imp.Path()] {
+				return nil, errors.New("already imported %q", path)
+			}
+			imps[imp.Path()] = true
+		}
+		f.L2.OptionImports = func() protoreflect.FileImports {
+			return &optionImports
+		}
+	}
 
 	// Handle source locations.
 	f.L2.Locations.File = f
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
index 9da34998b..c826ad043 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
@@ -29,6 +29,7 @@ func (r descsByName) initEnumDeclarations(eds []*descriptorpb.EnumDescriptorProt
 			e.L2.Options = func() protoreflect.ProtoMessage { return opts }
 		}
 		e.L1.EditionFeatures = mergeEditionFeatures(parent, ed.GetOptions().GetFeatures())
+		e.L1.Visibility = int32(ed.GetVisibility())
 		for _, s := range ed.GetReservedName() {
 			e.L2.ReservedNames.List = append(e.L2.ReservedNames.List, protoreflect.Name(s))
 		}
@@ -70,6 +71,7 @@ func (r descsByName) initMessagesDeclarations(mds []*descriptorpb.DescriptorProt
 			return nil, err
 		}
 		m.L1.EditionFeatures = mergeEditionFeatures(parent, md.GetOptions().GetFeatures())
+		m.L1.Visibility = int32(md.GetVisibility())
 		if opts := md.GetOptions(); opts != nil {
 			opts = proto.Clone(opts).(*descriptorpb.MessageOptions)
 			m.L2.Options = func() protoreflect.ProtoMessage { return opts }
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
index 9b880aa8c..6f91074e3 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
@@ -70,16 +70,27 @@ func ToFileDescriptorProto(file protoreflect.FileDescriptor) *descriptorpb.FileD
 	if syntax := file.Syntax(); syntax != protoreflect.Proto2 && syntax.IsValid() {
 		p.Syntax = proto.String(file.Syntax().String())
 	}
+	desc := file
+	if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
+		desc = fileImportDesc.FileDescriptor
+	}
 	if file.Syntax() == protoreflect.Editions {
-		desc := file
-		if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
-			desc = fileImportDesc.FileDescriptor
-		}
-
 		if editionsInterface, ok := desc.(interface{ Edition() int32 }); ok {
 			p.Edition = descriptorpb.Edition(editionsInterface.Edition()).Enum()
 		}
 	}
+	type hasOptionImports interface {
+		OptionImports() protoreflect.FileImports
+	}
+	if opts, ok := desc.(hasOptionImports); ok {
+		if optionImports := opts.OptionImports(); optionImports.Len() > 0 {
+			optionDeps := make([]string, optionImports.Len())
+			for i := range optionImports.Len() {
+				optionDeps[i] = optionImports.Get(i).Path()
+			}
+			p.OptionDependency = optionDeps
+		}
+	}
 	return p
 }
 
@@ -123,6 +134,14 @@ func ToDescriptorProto(message protoreflect.MessageDescriptor) *descriptorpb.Des
 	for i, names := 0, message.ReservedNames(); i < names.Len(); i++ {
 		p.ReservedName = append(p.ReservedName, string(names.Get(i)))
 	}
+	type hasVisibility interface {
+		Visibility() int32
+	}
+	if vis, ok := message.(hasVisibility); ok {
+		if visibility := vis.Visibility(); visibility > 0 {
+			p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+		}
+	}
 	return p
 }
 
@@ -216,6 +235,14 @@ func ToEnumDescriptorProto(enum protoreflect.EnumDescriptor) *descriptorpb.EnumD
 	for i, names := 0, enum.ReservedNames(); i < names.Len(); i++ {
 		p.ReservedName = append(p.ReservedName, string(names.Get(i)))
 	}
+	type hasVisibility interface {
+		Visibility() int32
+	}
+	if vis, ok := enum.(hasVisibility); ok {
+		if visibility := vis.Visibility(); visibility > 0 {
+			p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+		}
+	}
 	return p
 }
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 517006f6d..89433dba9 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -659,7 +659,7 @@ github.com/operator-framework/helm-operator-plugins/pkg/storage
 github.com/operator-framework/operator-lib/handler
 github.com/operator-framework/operator-lib/handler/internal/metrics
 github.com/operator-framework/operator-lib/internal/annotation
-# github.com/operator-framework/operator-registry v1.59.0
+# github.com/operator-framework/operator-registry v1.60.0
 ## explicit; go 1.24.4
 github.com/operator-framework/operator-registry/alpha/declcfg
 github.com/operator-framework/operator-registry/alpha/model
@@ -707,8 +707,8 @@ github.com/prometheus/client_golang/prometheus/promhttp/internal
 # github.com/prometheus/client_model v0.6.2
 ## explicit; go 1.22.0
 github.com/prometheus/client_model/go
-# github.com/prometheus/common v0.66.1
-## explicit; go 1.23.0
+# github.com/prometheus/common v0.67.1
+## explicit; go 1.24.0
 github.com/prometheus/common/expfmt
 github.com/prometheus/common/model
 # github.com/prometheus/procfs v0.17.0
@@ -1177,7 +1177,7 @@ google.golang.org/grpc/serviceconfig
 google.golang.org/grpc/stats
 google.golang.org/grpc/status
 google.golang.org/grpc/tap
-# google.golang.org/protobuf v1.36.9
+# google.golang.org/protobuf v1.36.10
 ## explicit; go 1.23
 google.golang.org/protobuf/encoding/protodelim
 google.golang.org/protobuf/encoding/protojson