chore(deps): bump the security group across 1 directory with 10 updates

[dependabot]

Bumps the security group with 8 updates in the / directory:

Package	From	To
github.com/cilium/ebpf	0.19.0	0.20.0
github.com/containerd/cgroups/v3	3.1.0	3.1.1
github.com/hashicorp/go-getter	1.8.2	1.8.3
github.com/shirou/gopsutil/v4	4.25.9	4.25.10
github.com/vmware-tanzu/velero	1.17.0	1.17.1
golang.org/x/sync	0.17.0	0.18.0
sigs.k8s.io/controller-runtime	0.22.3	0.22.4
golang.org/x/sys	0.37.0	0.38.0

Updates github.com/cilium/ebpf from 0.19.0 to 0.20.0

Release notes

Sourced from github.com/cilium/ebpf's releases.

v0.20.0

Performance Improvements

• btf: Memory-map vmlinux BTF when possible instead of copying to heap (saves several megabytes)
• btf: Decode BTF from byte slices instead of io.Reader for better performance
• btf: Cache BTF during fixups and target search to avoid loading each blob multiple times
• linker: Resolve kernel symbols in a single pass instead of individually
• prog: Speed up opening pinned programs by using minimal program info
• map: Avoid allocations during PerCPUMap batch lookups (76% faster, 99% fewer allocations)

New Features

• btf: Added LoadSplitSpec function for easier use of split-BTF files
• btf: Accept empty string tables in BTF data
• link: Added Detach() method for explicitly detaching links
• map: Preliminary support for arena maps
• map: Parse and expose map_extra field in MapSpec (enables bloom filter configuration)
• prog: Allow explicit ifindex specification when loading programs
• prog: Support getting context output from syscall programs
• prog: Allow passing extra targets for CO-RE relocations via ExtraRelocationTargets
• bpf2go: Allow multiple commands in BPF2GO_CC environment variable (e.g., ccache clang)
• tracefs: Allow hyphens in tracepoint group names
• kallsyms: Return ErrRestrictedKernel when reading zero addresses due to kernel.kptr_restrict
• info: Return ErrRestrictedKernel when program info is restricted by kernel security settings
• prog: Tolerate ErrRestrictedKernel during ksym resolution unless ksyms are required

Bugfixes

• ringbuf: Fixed panic when reading after close
• btf: Fixed race condition when loading cached kernel/module specs
• ringbuf: Fixed 32-bit compatibility by using uintptr for positions
• memory: Set cleanup on *Memory instead of **Memory to fix resource leak
• link: Fixed concurrent cleanup ordering for perf events and tracefs events

Windows Support Improvements

• ringbuf: Added Windows support for ring buffer operations
• windows: Fixed compatibility with recent eBPF for Windows changes (XDP_TEST removal, SAMPLE program type)
• windows: Enabled Hyper-V support in test VMs
• program: Added workaround for eBPF for Windows rejecting empty ContextOut

Breaking Changes

ProgramOptions.KernelModuleTypes removed

The KernelModuleTypes field in ProgramOptions has been removed. In 99% of cases this field should not be necessary anymore. Module BTF should be merged into the vmlinux BTF, as tools like btfhub do.

For advanced use cases that still require passing additional BTF specs for CO-RE relocations, use the new ExtraRelocationTargets field:

Before:

... (truncated)

Commits

• c64ffee struct_ops: skip copy for zeroed nested structs and fail on non-zeroed
• 843f326 docs: document how to build parts of efW
• 8f23ed6 map, program: add StructOpsMap support
• e6e4707 ci: install sample_ebpf_ext to provide BPF_PROG_TYPE_SAMPLE
• e5c623f windows: deal with removal of XDP_TEST from efW
• c41a50a program: work around efW rejecting an empty ContextOut
• 9a014ef kallsyms: return ErrRestrictedKernel when reading zero address
• 1bfe0bc info: return ErrRestrictedKernel when program info is restricted
• c27ff92 staticcheck.conf: temporarily disable SA4003
• e653f17 *: convert "go:generate go run ..." to "go:generate go tool ..."
• Additional commits viewable in compare view

Updates github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1

Release notes

Sourced from github.com/containerd/cgroups/v3's releases.

v3.1.1

What's Changed

• go.mod: github.com/opencontainers/runtime-spec v1.3.0 by @​AkihiroSuda in containerd/cgroups#376

Full Changelog: containerd/cgroups@v3.1.0...v3.1.1

Commits

• f1e92d8 Merge pull request #376 from AkihiroSuda/runtime-spec-v1.3.0
• 34ef430 go.mod: github.com/opencontainers/runtime-spec v1.3.0
• See full diff in compare view

Updates github.com/hashicorp/go-getter from 1.8.2 to 1.8.3

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.8.3

What's Changed

• [chore] : Bump actions/cache from 4.2.4 to 4.3.0 in the actions group by @​dependabot[bot] in hashicorp/go-getter#562
• [chore] : Bump aws-actions/configure-aws-credentials from 5.0.0 to 5.1.0 in the actions group by @​dependabot[bot] in hashicorp/go-getter#563
• Remove failed decompressed files by @​allisonlarson in hashicorp/go-getter#564

New Contributors

• @​allisonlarson made their first contribution in hashicorp/go-getter#564

Full Changelog: hashicorp/go-getter@v1.8.2...v1.8.3

Commits

• 13f1bb2 Merge pull request #564 from allisonlarson/b-chmod-failed-tar
• c0ef527 close file before removing
• d1113d8 Handle failed decompressed files
• cfc3a4f Merge pull request #563 from hashicorp/dependabot/github_actions/actions-e02f...
• 0c1f668 [chore] : Bump aws-actions/configure-aws-credentials
• 5e2f62a Merge pull request #562 from hashicorp/dependabot/github_actions/actions-f175...
• 5b4c45f [chore] : Bump actions/cache from 4.2.4 to 4.3.0 in the actions group
• See full diff in compare view

Updates github.com/shirou/gopsutil/v4 from 4.25.9 to 4.25.10

Release notes

Sourced from github.com/shirou/gopsutil/v4's releases.

v4.25.10

What's Changed

cpu

• chore: enable noctx linter by @​mmorel-35 in shirou/gopsutil#1930
• Use registry to remove wmi from cpu package by @​OrbintSoft in shirou/gopsutil#1929

disk

• Remove leaking goroutine by @​StefanoBalzarottiNozomi in shirou/gopsutil#1921
• use correct path lengths by @​StefanoBalzarottiNozomi in shirou/gopsutil#1937
• refactor disk windows and add tests by @​StefanoBalzarottiNozomi in shirou/gopsutil#1941

host

• fix: linter error about string concat and build tag by @​shirou in shirou/gopsutil#1942

net

• docs: minor improvement for docs by @​huyejia in shirou/gopsutil#1940

Other Changes

• [common]: remove unused DoSysctrl by @​shirou in shirou/gopsutil#1936

New Contributors

• @​huyejia made their first contribution in shirou/gopsutil#1940

Full Changelog: shirou/gopsutil@v4.25.9...v4.25.10

Commits

• 1da1bb1 Merge pull request #1941 from StefanoBalzarottiNozomi/refactor-disk-windows
• 4bea90c Merge pull request #1942 from shirou/fix/linter_error
• 5683c90 [net][linux]: fix gosec linter issue
• 3a9eeb4 fix: linter error about string concat and build tag
• 94fc64e fix build
• 1e8bd3e Update disk/disk_windows.go
• cf1133d Update disk/disk_windows.go
• 7ebc85a Update disk/disk_windows.go
• 0a39842 linting
• b65c122 these tests are only for windows
• Additional commits viewable in compare view

Updates github.com/vmware-tanzu/velero from 1.17.0 to 1.17.1

Release notes

Sourced from github.com/vmware-tanzu/velero's releases.

v1.17.1

Download

https://github.com/vmware-tanzu/velero/releases/tag/v1.17.1

Container Image

velero/velero:v1.17.1

Documentation

https://velero.io/docs/v1.17/

Upgrading

https://velero.io/docs/v1.17/upgrade-to-1.17/

All Changes

• Fix issue #9365, prevent fake completion notification due to multiple update of single PVR (#9376, @​Lyndon-Li)
• Fix issue #9332, add bytesDone for cache files (#9341, @​Lyndon-Li)
• VerifyJSONConfigs verify every elements in Data. (#9303, @​blackpiglet)
• Add option for privileged fs-backup pod (#9300, @​sseago)
• Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment (#9299, @​shubham-pampattiwar)
• Fix issue #9229, don't attach backupPVC to the source node (#9297, @​Lyndon-Li)
• Protect VolumeSnapshot field from race condition during multi-thread backup (#9292, @​0xLeo258)
• Implement concurrency control for cache of native VolumeSnapshotter plugin. (#9290, @​0xLeo258)
• Backport to 1.17 (PR#9244 Update AzureAD Microsoft Authentication Library to v1.5.0) (#9285, @​priyansh17)
• Fix schedule controller to prevent backup queue accumulation during extended blocking scenarios by properly handling empty backup phases (#9277, @​shubham-pampattiwar)
• Get pod list once per namespace in pvc IBA (#9266, @​sseago)
• Update AzureAD Microsoft Authentication Library to v1.5.0 (#9244, @​priyansh17)
• feat: Permit specifying annotations for the BackupPVC (#9173, @​clementnuss)

v1.17.1-rc.1

v1.17.1

Download

https://github.com/vmware-tanzu/velero/releases/tag/v1.17.1-rc.1

Container Image

velero/velero:v1.17.1-rc.1

Documentation

https://velero.io/docs/v1.17/

Upgrading

https://velero.io/docs/v1.17/upgrade-to-1.17/

All Changes

• Fix issue #9365, prevent fake completion notification due to multiple update of single PVR (#9376, @​Lyndon-Li)
• Fix issue #9332, add bytesDone for cache files (#9341, @​Lyndon-Li)
• VerifyJSONConfigs verify every elements in Data. (#9303, @​blackpiglet)
• Add option for privileged fs-backup pod (#9300, @​sseago)
• Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment (#9299, @​shubham-pampattiwar)

... (truncated)

Commits

• 94f6463 Merge pull request #9385 from Lyndon-Li/release-1.17
• bf0f30d 1.17.1 changelog
• d89ab43 Merge pull request #9378 from vmware-tanzu/1.17_e2e_fix
• 8704b4d Add Windows support for release dev branch.
• 4ce4a48 Merge pull request #9376 from Lyndon-Li/release-1.17
• ec7fe10 issue 9365: prevent multiple update of PVR
• 3ae7183 Merge pull request #9371 from blackpiglet/1.17.1_bump
• bd4c53d Bump base image and Golang version for v1.17.1
• 988bfa5 Merge pull request #9341 from Lyndon-Li/release-1.17
• 71ad893 issue 9332: make bytesDone correct for incremental backup
• Additional commits viewable in compare view

Updates golang.org/x/sync from 0.17.0 to 0.18.0

Commits

• 1966f53 errgroup: fix some typos in comment
• See full diff in compare view

Updates sigs.k8s.io/controller-runtime from 0.22.3 to 0.22.4

Release notes

Sourced from sigs.k8s.io/controller-runtime's releases.

v0.22.4

What's Changed

• ✨ cache: Allow fine-granular SyncPeriod configuration by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#3378
• 🐛 Update List in namespaced client to list objects that are cluster scoped by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#3352 kubernetes-sigs/controller-runtime#3357
• 🐛 priority queue: properly sync the waiter manipulation by @​alvaroaleman in kubernetes-sigs/controller-runtime#3371
• 🐛 envtest: respect pre-configured binary paths in ControlPlane by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#3377

Full Changelog: kubernetes-sigs/controller-runtime@v0.22.3...v0.22.4

Commits

• 7a1b16d Merge pull request #3378 from k8s-infra-cherrypick-robot/cherry-pick-3376-to-...
• 539c94f cache: Allow fine-granular configuration of SyncPeriod
• 8be8410 Merge pull request #3377 from k8s-infra-cherrypick-robot/cherry-pick-3372-to-...
• 3f86a10 envtest: respect pre-configured binary paths in ControlPlane
• 64152a0 Merge pull request #3371 from alvaroaleman/cp-fix
• b3eff6d priority queue: properly sync the waiter manipulation
• 88269f3 Merge pull request #3357 from k8s-infra-cherrypick-robot/cherry-pick-3353-to-...
• c7df7c9 add namespace for test with namespace_client
• 04b5a29 Merge pull request #3352 from k8s-infra-cherrypick-robot/cherry-pick-3351-to-...
• f5a9781 update List in namespaced client
• See full diff in compare view

Updates github.com/opencontainers/runtime-spec from 1.2.1 to 1.3.0

Release notes

Sourced from github.com/opencontainers/runtime-spec's releases.

v1.3.0

This is the fourth minor release of the v1 series of the Open Container Initiative Runtime Specification. This release features the addition of the specification for FreeBSD.

Additions

• config-vm: add hwConfig object (#1209)
• config-linux: add intelRdt.schemata field (#1230)
• config-linux: add netDevices object (#1271)
• config-linux: add memoryPolicy object (#1282)
• config-freebsd: add the spec for FreeBSD (#1286)
• config-linux: add intelRdt.enableMonitoring field (#1287)

Minor fixes

• config-linux: clarify intelRdt configuration (#1196)
• runtime: fail when a poststart hook fails (#1262)
• config-linux: clarify pids cgroup settings (#1279)
• config-linux: define default clos for intelRdt (#1289)
• features-linux: add intelRdt.enableMonitoring field (#1290)
• features-linux: add intelRdt.schemata field (#1291)
• config-linux: fix and elaborate memoryPolicy.nodes field (#1294)
• config-linux, schema: fix FileMode description (#1298)

Documentation, CI & Governance

• add systemd-nspawn to implementations.md (#1272)
• CI: add codespell, bump golangci-lint (#1281)
• docs: add missing backticks for code formatting (#1284)
• docs: fix typo (#1285)
• principles: fix typo (#1288)
• schema: fix json (#1297)
• ci: use supported Go versions (#1300)
• Add minimum supported Go version to CI (#1303)
• Mention FreeBSD platform (#1304)

Thanks to the following contributors for making this release possible: @​Artoria2e5 @​Sharmaann @​aojea @​ariel-anieli @​askervin @​cyphar @​dfr @​gogolok @​ipuustin @​kolyshkin @​marquiz @​oleksiimoisieiev @​tianon

Vote-Results: +9 -0 *2 (#1302) Signed-off-by: Akihiro Suda (@​AkihiroSuda)

Changelog

Sourced from github.com/opencontainers/runtime-spec's changelog.

OpenContainers Specifications

Changes with v1.3.0:

Additions:

• config-vm: add hwConfig object (#1209)
• config-linux: add intelRdt.schemata field (#1230)
• config-linux: add netDevices object (#1271)
• config-linux: add memoryPolicy object (#1282)
• config-freebsd: add the spec for FreeBSD (#1286)
• config-linux: add intelRdt.enableMonitoring field (#1287)

Minor fixes:

• config-linux: clarify intelRdt configuration (#1196)
• runtime: fail when a poststart hook fails (#1262)
• config-linux: clarify pids cgroup settings (#1279)
• config-linux: define default clos for intelRdt (#1289)
• features-linux: add intelRdt.enableMonitoring field (#1290)
• features-linux: add intelRdt.schemata field (#1291)
• config-linux: fix and elaborate memoryPolicy.nodes field (#1294)
• config-linux, schema: fix FileMode description (#1298)

Documentation, CI & Governance:

• add systemd-nspawn to implementations.md (#1272)
• CI: add codespell, bump golangci-lint (#1281)
• docs: add missing backticks for code formatting (#1284)
• docs: fix typo (#1285)
• principles: fix typo (#1288)
• schema: fix json (#1297)
• ci: use supported Go versions (#1300)
• Add minimum supported Go version to CI (#1303)
• Mention FreeBSD platform (#1304)

Changes with v1.2.1:

Additions:

• zos updates (#1273)
• Add support for windows CPU affinity (#1258)
• specs-go: sync SCMP_ARCH_* constants with libseccomp main (#1229)
• Add CPU affinity to executed processes (#1253, #1261)
• config-linux: describe the format of cpus and mems (#1253)

Minor fixes:

• Fix description of errnoRet in Seccomp (#1277)
• config-linux: update for libseccomp v2.6.0 (#1276)

... (truncated)

Commits

• 9224913 version: release v1.3.0
• 6acd32d Merge pull request #1304 from gogolok/add_freebsd_spec_links
• 4df3d11 Mention FreeBSD platform
• dbf183c Merge pull request #1286 from dfr/freebsd-spec
• a257beb Add minimum supported Go version to CI (#1303)
• afdbcb8 Add FreeBSD as a platform
• 5caf304 merge #1300 into opencontainers/runtime-spec:main
• 75d79ee ci: use oldstable and stable Go versions
• 5610abd Merge pull request #1298 from kolyshkin/fix-file-mode
• 3b11014 Merge pull request #1281 from kolyshkin/codespell
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.45.0 to 0.46.0

Commits

• 2002a06 go.mod: update golang.org/x dependencies
• See full diff in compare view

Updates golang.org/x/sys from 0.37.0 to 0.38.0

Commits

• 15129aa cpu: also use MRS instruction in getmmfr1
• ed38ca2 unix: add SizeofNhmsg and SizeofNexthopGrp
• 3675c4c cpu: use MRS instruction to read arm64 system registers
• 2a15272 unix: add consts for ELF handling
• 6239615 cpu: add HPDS, LOR, PAN detection for arm64
• ea436ef windows: add iphlpapi routing functions
• 28c5bda unix: add SetMemPolicy and its mode/flag values
• b731f78 unix/linux: switch to ubuntu 25.04, Go 1.25.1
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions