Skip to content

build(deps): bump safe go-dependencies (kaniko, tcell, gomega, x/mod)#2647

Open
jjbustamante wants to merge 2 commits into
mainfrom
deps/safe-go-dependency-bumps
Open

build(deps): bump safe go-dependencies (kaniko, tcell, gomega, x/mod)#2647
jjbustamante wants to merge 2 commits into
mainfrom
deps/safe-go-dependency-bumps

Conversation

@jjbustamante

Copy link
Copy Markdown
Member

Summary

Splits the safe subset out of the grouped dependabot bump in #2645. These four direct deps update cleanly without disturbing the docker/moby image stack, so acceptance stays green:

Package From To
github.com/chainguard-dev/kaniko v1.25.15 v1.25.16
github.com/gdamore/tcell/v2 v2.13.9 v2.13.10
github.com/onsi/gomega v1.40.0 v1.42.1
golang.org/x/mod v0.36.0 v0.37.0

The remaining bumps in #2645moby/moby/api 1.55.0, moby/moby/client 0.5.0, go-containerregistry 0.21.7, and docker/cli 29.6.1 — are intentionally held. imgutil still pins moby/moby/client v0.2.2 / api v1.52.1 / go-containerregistry v0.20.6 even on its main tip, so forcing pack ahead breaks the rebase/daemon/* ("could not find base layer in image") and manifest annotate acceptance suites. docker/cli 29.4.3 already satisfies GO-2026-4610, so its bump buys no fixable CVE and stays with the docker family hold.

Output

Before

N/A — dependency bump only.

After

N/A — dependency bump only.

Documentation

  • Should this change be documented?
    • Yes, see #___
    • No

Related

Splits the safe subset out of #2645.

Splits the safe subset out of the grouped dependabot bump in #2645.

These four direct deps update without disturbing the docker/moby image
stack, so they keep acceptance green:

  - github.com/chainguard-dev/kaniko  v1.25.15 -> v1.25.16
  - github.com/gdamore/tcell/v2       v2.13.9  -> v2.13.10
  - github.com/onsi/gomega            v1.40.0  -> v1.42.1
  - golang.org/x/mod                  v0.36.0  -> v0.37.0

The moby/moby/{api,client}, go-containerregistry, and docker/cli bumps
from #2645 are intentionally held: imgutil still pins moby/moby/client
v0.2.2 / api v1.52.1 / go-containerregistry v0.20.6 even on its main tip,
so forcing pack ahead breaks the daemon rebase ("could not find base
layer in image") and manifest annotate acceptance suites.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
@jjbustamante jjbustamante requested review from a team as code owners June 30, 2026 13:02
@github-actions github-actions Bot added this to the 0.41.0 milestone Jun 30, 2026
@github-actions github-actions Bot added the type/chore Issue that requests non-user facing changes. label Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type/chore Issue that requests non-user facing changes.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant