Bump the backend group across 1 directory with 7 updates #4443

Open: wants to merge 1 commit into base: master

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jul 7, 2025

Bumps the backend group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/Masterminds/semver/v3 | 3.3.1 | 3.4.0 |
| github.com/aquasecurity/trivy | 0.63.0 | 0.64.1 |
| github.com/open-policy-agent/opa | 1.5.1 | 1.6.0 |
| github.com/operator-framework/api | 0.31.0 | 0.32.0 |
| github.com/tektoncd/pipeline | 1.1.0 | 1.2.0 |
| google.golang.org/api | 0.238.0 | 0.240.0 |
| sigs.k8s.io/yaml | 1.4.0 | 1.5.0 |

Updates github.com/Masterminds/semver/v3 from 3.3.1 to 3.4.0

Release notes

Sourced from github.com/Masterminds/semver/v3's releases.

v3.4.0

There are a few changes in this release to highlight:

  1. Constraints now has a property IncludePrerelease. When set to true the Check and Validate methods will include prereleases.
  2. When an AND group has one constraint with a prerelease but more than one constraint then prereleases will be included. For example, >1.0.0-beta.1 < 2. In the past this would not have included prereleases because each constraint needed to have a prerelease. Now, only one constraint needs to have a prerelease. This is considered a long-standing bug fix. Note, this does not carry across OR groups. For example, >1.0.0-beta.1 < 2 || > 3. In this case, prereleases will not be included when evaluating against >3.
  3. NewVersion coercion with leading "0"'s is restored. This can be disabled by setting the package level property CoerceNewVersion to false.

What's Changed

New Contributors

Full Changelog: Masterminds/semver@v3.3.1...v3.4.0

Changelog

Sourced from github.com/Masterminds/semver/v3's changelog.

3.4.0 (2025-06-27)

Added

  • #268: Added property to Constraints to include prereleases for Check and Validate

Changed

  • #263: Updated Go testing for 1.24, 1.23, and 1.22
  • #269: Updated the error message handling for message case and wrapping errors
  • #266: Restore the ability to have leading 0's when parsing with NewVersion. Opt-out of this by setting CoerceNewVersion to false.

Fixed

  • #257: Fixed the CodeQL link (thanks @dmitris)
  • #262: Restored detailed errors when failed to parse with NewVersion. Opt-out of this by setting DetailedNewVersionErrors to false for faster performance.
  • #267: Handle pre-releases for an "and" group if one constraint includes them
Commits
  • 61fc460 Merge pull request #270 from mattfarina/relnotes-3.4.0
  • 69a63e7 Update the release notes and readme for new version
  • dc05094 Merge pull request #269 from mattfarina/lowercase-error-strings
  • a2cd9c2 Updating the error message handling
  • 9760c47 Merge pull request #268 from mattfarina/include-prerelease
  • c374751 Add property to include prereleases
  • 057c901 Merge pull request #267 from mattfarina/fix-259
  • abab1c2 Handle pre-releases on all in an and group
  • ebda872 Merge pull request #266 from mattfarina/restore-calver
  • 4ed619e Restore the ability to have leading 0's with NewVersion
  • Additional commits viewable in compare view

Updates github.com/aquasecurity/trivy from 0.63.0 to 0.64.1

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.64.1

Changelog

  • 86ee3c1176d4707536914dfa65ac8eca452e14cd release: v0.64.1 [release/v0.64] (#9122)
  • 4e1272283a643bfca2d7231d286006219715fada fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
  • 9a7d38432cf00f00970259e5ac3edd060e00ccff fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
  • 53adfba3c25664b01e3a36fdec334b39b53c07f1 fix(rootio): check full version to detect root.io packages [backport: release/v0.64] (#9120)
  • 8cf1bf9f6f86936ee7dcd29e0d1cd1ec106e28f6 fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)

v0.64.0

👉 Trivy v0.64.0 release notes

⬇️ Download Trivy

Full changelog

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.64.1 (2025-07-03)

Bug Fixes

  • alma: parse epochs from rpmqa file [backport: release/v0.64] (#9119) (8cf1bf9)
  • cli: Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124) (9a7d384)
  • misconf: skip rewriting expr if attr is nil [backport: release/v0.64] (#9127) (4e12722)
  • rootio: check full version to detect root.io packages [backport: release/v0.64] (#9120) (53adfba)

0.64.0 (2025-06-30)

Features

  • cli: add version constraints to announcements (#9023) (19efa9f)
  • java: dereference all maven settings.xml env placeholders (#9024) (5aade69)
  • misconf: add OpenTofu file extension support (#8747) (57801d0)
  • misconf: normalize CreatedBy for buildah and legacy docker builder (#8953) (65e155f)
  • redhat: Add EOL date for RHEL 10. (#8910) (48258a7)
  • reject unsupported artifact types in remote image retrieval (#9052) (1e1e1b5)
  • sbom: add manufacturer field to CycloneDX tools metadata (#9019) (41d0f94)
  • terraform: add partial evaluation for policy templates (#8967) (a9f7dcd)
  • ubuntu: add end of life date for Ubuntu 25.04 (#9077) (367564a)
  • ubuntu: add eol date for 20.04-ESM (#8981) (87118a0)
  • vuln: add Root.io support for container image scanning (#9073) (3a0ec0f)

Bug Fixes

  • Add missing version check flags (#8951) (ef5f8de)
  • cli: add some values to the telemetry call (#9056) (fd2bc91)
  • Correctly check for semver versions for trivy version check (#8948) (b813527)
  • don't show corrupted trivy-db warning for first run (#8991) (4ed78e3)
  • misconf: .Config.User always takes precedence over USER in .History (#9050) (371b8cc)
  • misconf: correct Azure value-to-time conversion in AsTimeValue (#9015) (40d017b)
  • misconf: move disabled checks filtering after analyzer scan (#9002) (a58c36d)
  • misconf: reduce log noise on incompatible check (#9029) (99c5151)
  • nodejs: correctly parse packages array of bun.lock file (#8998) (875ec3a)
  • report: don't panic when report contains vulns, but doesn't contain packages for table format (#8549) (87fda76)
  • sbom: remove unnecessary OS detection check in SBOM decoding (#9034) (198789a)
Commits
  • 86ee3c1 release: v0.64.1 [release/v0.64] (#9122)
  • 4e12722 fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#...
  • 9a7d384 fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64]...
  • 53adfba fix(rootio): check full version to detect root.io packages [backport: relea...
  • 8cf1bf9 fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)
  • 280491b release: v0.64.0 [main] (#8955)
  • a6e9807 docs(python): fix type with METADATA file name (#9090)
  • 1e1e1b5 feat: reject unsupported artifact types in remote image retrieval (#9052)
  • 7333c46 chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9...
  • bac6f7b refactor(misconf): rewrite Rego module filtering using functional filters (#9...
  • Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.5.1 to 1.6.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.6.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Improvements to the OPA website and documentation
  • Allowing keywords in Rego references
  • Parallel test execution
  • Faster built-in function execution

Modernized OPA Website (#7037)

We're continuing to modernize the OPA website with a new design and improved user experience.

Some highlights:

  • Builtins: You can now search them on the docs page!
  • Sidebar redesign: Making it easier to find what you're looking for in our docs
  • Feedback forms: Closing the feedback loop between docs authors and readers -- Please let us know if you dislike, or like, a docs page.
  • Downloads page: Find your OS' installation instructions on a less cluttered page!
  • And much more

Authored by @sky3n3t and @charlieegan3

Allowing keywords in Rego references (#7709)

Previously, Rego references could not contain terms that conflict with Rego keywords such as package, if, else, not, etc. in certain constructs:

package example

allow if {
    input.package.source         # not allowed (before v1.6.0)
    input["package"].destination # allowed
}

The constraints for valid Rego references have been relaxed to allow keywords. The above example is now valid and will no longer cause a compilation error.

Authored by @johanfylling

Parallel Test Execution (#7442)

By default, OPA will now run tests in parallel (defaulting to one parallel execution thread per available CPU core), significantly speeding up test execution time for large test suites. The performance boost is closely tied to the number of tests in your project and your selected parallelism level. For larger projects and default settings, 2-3x performance gains have been measured on a MacBook Pro.

Parallelism can be disabled to run tests sequentially by setting the --parallel flag to 1. E.g. opa test . --parallel=1.

Authored by @sspaink, reported by @anderseknert

... (truncated)


Commits
  • 710b5a6 Prepare v1.6.0 release (#7732)
  • d3e83fb website: add titles back to the sidebar
  • fc51c9c docs: Revise sidebar order and layout
  • 13b9e52 ast: Ensure surplus leading zeros always error (#7726)
  • 9750787 perf: Only pass built-in context to calls depending on it (#7728)
  • 2b4722e docs: Redirect old admission control link (#7730)
  • 3a560fa docs: Update sidebar (#7723)
  • d917e3a plugin/decision: check if event is too large after compression (#7521)
  • 817b663 ast,format: Allowing keywords in Rego references (#7709)
  • 1679d79 docs: Move code example data inside the PlaygroundComponent (#7724)
  • Additional commits viewable in compare view

Updates github.com/operator-framework/api from 0.31.0 to 0.32.0

Release notes

Sourced from github.com/operator-framework/api's releases.

v0.32.0

What's Changed

Full Changelog: operator-framework/api@v0.31.0...v0.32.0

Commits
  • ef80267 Merge pull request #435 from camilamacedo86/up-deps
  • 35731bc Merge pull request #434 from camilamacedo86/upgrade-controller-gen-version
  • 435042e Upgrade google.golang.org/genproto/googleapis/api and indirect dependencies
  • 042719a Upgrade controller-gen from v0.17.2 to v0.18.0 and re-generate CRDs
  • c102f5c Update k8s 1 33 (#432)
  • 774f44e Allow override of go-verdiff result via label (#433)
  • 48d8867 (ci) - Add stale config to close PRs and issues which are inactivity (#431)
  • 49ba338 Add camilamacedo86 and tmshort as approver (#428)
  • 5639345 🌱 (cleanup): Update Owner Alias - remove inactive maintainers (#427)
  • e8b2a64 fixup go-verdiff job (#426)
  • Additional commits viewable in compare view

Updates github.com/tektoncd/pipeline from 1.1.0 to 1.2.0

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v1.2.0 "Dragon Li Dreadnought"

🎉 Bug fixes and documentation enhancements 🎉

  • Docs @ v1.2.0
  • Examples @ v1.2.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.2.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a754b4d7d26d7ac445cc63785908c6df49e449f3da28b067511a0f2298767d8be

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a754b4d7d26d7ac445cc63785908c6df49e449f3da28b067511a0f2298767d8be
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v1.2.0/release.yaml
REKOR_UUID=108e9186e8c5677a754b4d7d26d7ac445cc63785908c6df49e449f3da28b067511a0f2298767d8be
# Obtain the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.2.0@sha256:" + .digest.sha256')
# Download the release file
curl "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it (as a literal string) to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -qF "$image" release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

... (truncated)

Commits
  • 18736c3 test: extract common status helper functions
  • e3bf428 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace...
  • fa2dc29 Do not propagate managed-by annotation to Pods
  • 03a3fa9 build(deps): bump the all group in /tekton with 4 updates
  • 87e29d8 build(deps): bump k8s.io/apiextensions-apiserver from 0.32.5 to 0.32.6
  • 09efb4d build(deps): bump k8s.io/client-go from 0.32.5 to 0.32.6
  • f187aef build(deps): bump github.com/cloudevents/sdk-go/v2 from 2.16.0 to 2.16.1
  • 5b2eba1 build(deps): bump github.com/google/go-containerregistry
  • 8d4ae4b build(deps): bump the all group in /tekton with 4 updates
  • 9244de6 build(deps): bump step-security/harden-runner from 2.12.0 to 2.12.1
  • Additional commits viewable in compare view

Updates google.golang.org/api from 0.238.0 to 0.240.0

Release notes

Sourced from google.golang.org/api's releases.

v0.240.0

0.240.0 (2025-07-02)

Features

v0.239.0

0.239.0 (2025-06-25)

Features

Changelog

Sourced from google.golang.org/api's changelog.

0.240.0 (2025-07-02)

Features

0.239.0 (2025-06-25)

Features

Commits

Updates sigs.k8s.io/yaml from 1.4.0 to 1.5.0

Release notes

Sourced from sigs.k8s.io/yaml's releases.

v1.5.0

Full Changelog: kubernetes-sigs/yaml@v1.4.0...v1.5.0

Commits
  • 0f318dc Merge pull request #134 from kubernetes-sigs/forgot-to-add-redirects-for-cons...
  • b8fc0c0 Forgot to add redirects for v3 constants
  • 8eaa802 Merge pull request #133 from kubernetes-sigs/deprecate-code-in-goyaml.v3-goya...
  • 69e45c1 Deprecate code in goyaml.v2/goyaml.v3 directories and redirect
  • 0fe7da3 Merge pull request #125 from kragniz/go-1.24
  • 14cbb88 Test against go 1.24.x
  • c6ac2c9 Merge pull request #126 from kragniz/remove-travis
  • 203ded9 Remove old travisci config file
  • b9a9b1c Merge pull request #106 from ThatsMrTalbot/patch-1
  • 4c6913f fix: wrap errors returned by JSON unmarshal
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
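
The image-to-manifest check that the Tekton release notes above script with rekor-cli and jq, written as a stand-alone Go program so it can be run offline and unit-tested (an added example, not Tekton's or this project's code). It assumes only the in-toto Statement layout that the page's own jq filter reads (`subject[].name` and `subject[].digest.sha256`); the attestation and manifest below are constructed samples, not the real v1.2.0 artifacts.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subject is one entry of the in-toto Statement "subject" array; the release
// notes' jq filter reads exactly these fields (.name and .digest.sha256).
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement keeps only the attestation field this check needs.
type Statement struct {
	Subject []Subject `json:"subject"`
}

// VerifyRelease rebuilds each attested "<name>:<tag>@sha256:<digest>" reference
// and reports whether that exact pinned reference occurs in the release
// manifest. Matching is a literal substring test, so an image pinned in the
// manifest at a different digest counts as "no match".
func VerifyRelease(attestation []byte, releaseYAML, tag string) (map[string]bool, error) {
	var st Statement
	if err := json.Unmarshal(attestation, &st); err != nil {
		return nil, fmt.Errorf("parse attestation: %w", err)
	}
	if len(st.Subject) == 0 {
		return nil, fmt.Errorf("attestation has no subjects")
	}
	result := make(map[string]bool, len(st.Subject))
	for _, s := range st.Subject {
		sum := s.Digest["sha256"]
		if sum == "" {
			return nil, fmt.Errorf("subject %q has no sha256 digest", s.Name)
		}
		ref := fmt.Sprintf("%s:%s@sha256:%s", s.Name, tag, sum)
		result[ref] = strings.Contains(releaseYAML, ref)
	}
	return result, nil
}

// Constructed sample data (not a real Tekton attestation or manifest): two
// attested images, of which only the first is pinned in the manifest.
const sampleAttestation = `{
  "subject": [
    {"name": "example.dev/tekton/controller", "digest": {"sha256": "aaaa1111"}},
    {"name": "example.dev/tekton/webhook",    "digest": {"sha256": "bbbb2222"}}
  ]
}`

const sampleRelease = `image: example.dev/tekton/controller:v1.2.0@sha256:aaaa1111
image: example.dev/tekton/webhook:v1.2.0@sha256:ffff9999
`

func main() {
	res, err := VerifyRelease([]byte(sampleAttestation), sampleRelease, "v1.2.0")
	if err != nil {
		panic(err)
	}
	for ref, ok := range res {
		fmt.Printf("%s ===> ok=%v\n", ref, ok)
	}
}
```

With real inputs, feed it the JSON that `rekor-cli get --format json | jq -r .Attestation` prints and the downloaded release.yaml; any `false` result means the manifest ships an image the attestation did not cover at that digest.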

Bumps the backend group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) | `3.3.1` | `3.4.0` |
| [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) | `0.63.0` | `0.64.1` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `1.5.1` | `1.6.0` |
| [github.com/operator-framework/api](https://github.com/operator-framework/api) | `0.31.0` | `0.32.0` |
| [github.com/tektoncd/pipeline](https://github.com/tektoncd/pipeline) | `1.1.0` | `1.2.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.238.0` | `0.240.0` |
| [sigs.k8s.io/yaml](https://github.com/kubernetes-sigs/yaml) | `1.4.0` | `1.5.0` |



Updates `github.com/Masterminds/semver/v3` from 3.3.1 to 3.4.0
- [Release notes](https://github.com/Masterminds/semver/releases)
- [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md)
- [Commits](Masterminds/semver@v3.3.1...v3.4.0)

Updates `github.com/aquasecurity/trivy` from 0.63.0 to 0.64.1
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/v0.64.1/CHANGELOG.md)
- [Commits](aquasecurity/trivy@v0.63.0...v0.64.1)

Updates `github.com/open-policy-agent/opa` from 1.5.1 to 1.6.0
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.5.1...v1.6.0)

Updates `github.com/operator-framework/api` from 0.31.0 to 0.32.0
- [Release notes](https://github.com/operator-framework/api/releases)
- [Changelog](https://github.com/operator-framework/api/blob/master/RELEASE.md)
- [Commits](operator-framework/api@v0.31.0...v0.32.0)

Updates `github.com/tektoncd/pipeline` from 1.1.0 to 1.2.0
- [Release notes](https://github.com/tektoncd/pipeline/releases)
- [Changelog](https://github.com/tektoncd/pipeline/blob/main/releases.md)
- [Commits](tektoncd/pipeline@v1.1.0...v1.2.0)

Updates `google.golang.org/api` from 0.238.0 to 0.240.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.238.0...v0.240.0)

Updates `sigs.k8s.io/yaml` from 1.4.0 to 1.5.0
- [Release notes](https://github.com/kubernetes-sigs/yaml/releases)
- [Changelog](https://github.com/kubernetes-sigs/yaml/blob/master/RELEASE.md)
- [Commits](kubernetes-sigs/yaml@v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/Masterminds/semver/v3
  dependency-version: 3.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/aquasecurity/trivy
  dependency-version: 0.64.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/operator-framework/api
  dependency-version: 0.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: github.com/tektoncd/pipeline
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: google.golang.org/api
  dependency-version: 0.240.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
- dependency-name: sigs.k8s.io/yaml
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 7, 2025