Bump the go-modules group across 1 directory with 41 updates

[dependabot]

Bumps the go-modules group with 26 updates in the / directory:

Package	From	To
github.com/onsi/gomega	1.36.0	1.36.2
github.com/paketo-buildpacks/libnodejs	0.3.0	0.4.0
dario.cat/mergo	1.0.0	1.0.1
github.com/Masterminds/semver/v3	3.2.1	3.3.1
github.com/Masterminds/sprig/v3	3.2.3	3.3.0
github.com/Microsoft/hcsshim	0.12.5	0.12.9
github.com/ProtonMail/go-crypto	1.1.3	1.1.5
github.com/andybalholm/brotli	1.1.0	1.1.1
github.com/bmatcuk/doublestar/v4	4.6.1	4.8.0
github.com/cloudflare/circl	1.3.9	1.5.0
github.com/containerd/stargz-snapshotter/estargz	0.15.1	0.16.3
github.com/cpuguy83/dockercfg	0.3.1	0.3.2
github.com/cyphar/filepath-securejoin	0.3.1	0.4.0
github.com/docker/cli	27.1.1+incompatible	27.5.0+incompatible
github.com/gabriel-vasile/mimetype	1.4.6	1.4.8
github.com/go-git/go-billy/v5	5.6.0	5.6.2
github.com/go-git/go-git/v5	5.13.0	5.13.1
github.com/google/go-containerregistry	0.20.2	0.20.3
github.com/magiconair/properties	1.8.7	1.8.9
github.com/moby/term	0.5.0	0.5.2
github.com/pierrec/lz4/v4	4.1.21	4.1.22
github.com/pjbgf/sha1cd	0.3.0	0.3.1
github.com/spf13/afero	1.11.0	1.12.0
github.com/spf13/cast	1.7.0	1.7.1
github.com/sylabs/sif/v2	2.18.0	2.20.2
github.com/tklauser/numcpus	0.8.0	0.9.0

Updates github.com/onsi/gomega from 1.36.0 to 1.36.2

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.36.2

Maintenance

• Bump nokogiri from 1.16.3 to 1.16.5 in /docs by @​dependabot in onsi/gomega#757
• Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.22.1 by @​dependabot in onsi/gomega#808
• Bump golang.org/x/net from 0.30.0 to 0.33.0 by @​dependabot in onsi/gomega#807
• Bump google.golang.org/protobuf from 1.35.1 to 1.36.1 by @​dependabot in onsi/gomega#810

v1.36.1

1.36.1

Fixes

• Fix onsi/gomega#803 [1c6c112]
• resolves onsi/gomega#696: make HaveField great on pointer receivers given only a non-addressable value [4feb9d7]

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.36.2

Maintenance

• Bump google.golang.org/protobuf from 1.35.1 to 1.36.1 (#810) [9a7609d]
• Bump golang.org/x/net from 0.30.0 to 0.33.0 (#807) [b6cb028]
• Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.22.1 (#808) [5756529]
• Bump nokogiri from 1.16.3 to 1.16.5 in /docs (#757) [dabc12e]

1.36.1

Fixes

• Fix onsi/gomega#803 [1c6c112]
• resolves onsi/gomega#696: make HaveField great on pointer receivers given only a non-addressable value [4feb9d7]

Commits

• bb0e550 v1.36.2
• 9a7609d Bump google.golang.org/protobuf from 1.35.1 to 1.36.1 (#810)
• b6cb028 Bump golang.org/x/net from 0.30.0 to 0.33.0 (#807)
• 5756529 Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.22.1 (#808)
• dabc12e Bump nokogiri from 1.16.3 to 1.16.5 in /docs (#757)
• 8bc0a2a v1.36.1
• 1c6c112 Fix onsi/gomega#803
• 4feb9d7 resolves onsi/gomega#696: make HaveField great on pointer receivers given onl...
• See full diff in compare view

Updates github.com/paketo-buildpacks/libnodejs from 0.3.0 to 0.4.0

Release notes

Sourced from github.com/paketo-buildpacks/libnodejs's releases.

v0.4.0

What's Changed

• Introduce BP_VERIFY_LAUNCHPOINT to enable generated files

Full Changelog: paketo-buildpacks/libnodejs@v0.3.0...v0.4.0

Commits

• 05a709e Introduce BP_VERIFY_LAUNCHPOINT to enable generated files (#37)
• See full diff in compare view

Updates dario.cat/mergo from 1.0.0 to 1.0.1

Release notes

Sourced from dario.cat/mergo's releases.

v1.0.1

What's Changed

• fixes issue #187 by @​vsemichev in darccio/mergo#253
• fix: WithoutDereference should respect non-nil struct pointers by @​joshkaplinsky in darccio/mergo#251

New Contributors

• @​vsemichev made their first contribution in darccio/mergo#253
• @​joshkaplinsky made their first contribution in darccio/mergo#251

Full Changelog: darccio/mergo@v1.0.0...v1.0.1

Commits

• 59ea6a9 Merge pull request #251 from joshkaplinsky/joshkaplinsky/without-dereference-...
• 96f24af Merge pull request #253 from vsemichev/master
• 2f1a615 fixes issue #187. adds test to verify the fix.
• 4da170b fixes issue #187. attempt #3
• a13a117 fixes issue #187. attempt #2
• 6b830ff fixes issue #187
• f33862a WithoutDereference should respect structs
• cde9f0e Merge pull request #246 from darccio/darccio/v1-frozen
• f1e2fe5 chore: frozen v1
• 7f7b4af Update FUNDING.yml
• Additional commits viewable in compare view

Updates github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.1

Release notes

Sourced from github.com/Masterminds/semver/v3's releases.

v3.3.1

What's Changed

• Fix for allowing some version that were invalid by @​mattfarina in Masterminds/semver#253

Full Changelog: Masterminds/semver@v3.3.0...v3.3.1

v3.3.0

What's Changed

• Fix: bad package in README by @​sdelicata in Masterminds/semver#226
• Updating the GitHub Actions and versions of Go used by @​mattfarina in Masterminds/semver#229
• Fix spelling in README by @​robinschneider in Masterminds/semver#222
• Adding go build cache to fuzz output by @​mattfarina in Masterminds/semver#232
• Add caching to fuzz testing by @​mattfarina in Masterminds/semver#234
• updating github actions by @​mattfarina in Masterminds/semver#235
• feat: nil version equality by @​KnutZuidema in Masterminds/semver#213
• add >= and <= by @​grosser in Masterminds/semver#238
• doc: hyphen range constraint without whitespace by @​johnnychen94 in Masterminds/semver#216
• Removing reference to vert by @​mattfarina in Masterminds/semver#245
• simplify StrictNewVersion by @​grosser in Masterminds/semver#241
• Updating the testing version of Go used by @​mattfarina in Masterminds/semver#246
• bumping min version in go.mod based on what's tested by @​mattfarina in Masterminds/semver#248
• Updating changelog for 3.3.0 by @​mattfarina in Masterminds/semver#249

New Contributors

• @​sdelicata made their first contribution in Masterminds/semver#226
• @​robinschneider made their first contribution in Masterminds/semver#222
• @​KnutZuidema made their first contribution in Masterminds/semver#213
• @​grosser made their first contribution in Masterminds/semver#238
• @​johnnychen94 made their first contribution in Masterminds/semver#216

Full Changelog: Masterminds/semver@v3.2.1...v3.3.0

Changelog

Sourced from github.com/Masterminds/semver/v3's changelog.

Changelog

3.3.0 (2024-08-27)

Added

• #238: Add LessThanEqual and GreaterThanEqual functions (thanks @​grosser)
• #213: nil version equality checking (thanks @​KnutZuidema)

Changed

• #241: Simplify StrictNewVersion parsing (thanks @​grosser)
• Testing support up through Go 1.23
• Minimum version set to 1.21 as this is what's tested now
• Fuzz testing now supports caching

Commits

• 1558ca3 Merge pull request #253 from mattfarina/fix-bad-versions
• 252dd61 Fix for allowing some version that were invalid
• e6e3d4d Merge pull request #249 from mattfarina/update-changelog-3.3.0
• e80c4ea Updating changelog for 3.3.0
• 80427ad Merge pull request #248 from mattfarina/bump-min-version
• b610837 bumping min version in go.mod based on what's tested
• a4cccd8 Merge pull request #246 from mattfarina/bump-go-1.23
• 7c178cf Updating the testing version of Go used
• 29f94c1 Merge pull request #241 from grosser/grosser/validate
• 2cf1b16 Merge pull request #245 from mattfarina/remove-vert
• Additional commits viewable in compare view

Updates github.com/Masterminds/sprig/v3 from 3.2.3 to 3.3.0

Release notes

Sourced from github.com/Masterminds/sprig/v3's releases.

v3.3.0

What's Changed

• Updating the Go versions used in testing by @​mattfarina in Masterminds/sprig#405
• Change intial to initial. by @​chrishalbert in Masterminds/sprig#391
• Updating dependencies by @​mattfarina in Masterminds/sprig#404
• correct value by @​jheyduk in Masterminds/sprig#376
• Updating location of mergo by @​mattfarina in Masterminds/sprig#406
• feature: added sha512sum function by @​itzik-elayev in Masterminds/sprig#400
• docs: Add missing link to url functions by @​carlpett in Masterminds/sprig#375
• Update doc.go by @​chey in Masterminds/sprig#369
• Update mathf.md by @​zzhu41 in Masterminds/sprig#290
• Removing duplicate documentation by @​mattfarina in Masterminds/sprig#407
• Updating the changelog for the 3.3.0 release by @​mattfarina in Masterminds/sprig#408

New Contributors

• @​chrishalbert made their first contribution in Masterminds/sprig#391
• @​jheyduk made their first contribution in Masterminds/sprig#376
• @​itzik-elayev made their first contribution in Masterminds/sprig#400
• @​carlpett made their first contribution in Masterminds/sprig#375
• @​chey made their first contribution in Masterminds/sprig#369
• @​zzhu41 made their first contribution in Masterminds/sprig#290

Full Changelog: Masterminds/sprig@v3.2.3...v3.3.0

Changelog

Sourced from github.com/Masterminds/sprig/v3's changelog.

Release 3.3.0 (2024-08-29)

Added

• #400: added sha512sum function (thanks @​itzik-elayev)

Changed

• #407: Removed duplicate documentation (functions were documentated in 2 places)
• #290: Corrected copy/paster oops in math documentation (thanks @​zzhu41)
• #369: Corrected template reference in docs (thanks @​chey)
• #375: Added link to URL documenation (thanks @​carlpett)
• #406: Updated the mergo dependency which had a breaking change (which was accounted for)
• #376: Fixed documentation error (thanks @​jheyduk)
• #404: Updated dependency tree
• #391: Fixed misspelling (thanks @​chrishalbert)
• #405: Updated Go versions used in testing

Commits

• e708470 Merge pull request #408 from mattfarina/update-changelog-3.3
• 8fc4354 Updating the changelog for the 3.3.0 release
• cb81a32 Merge pull request #407 from mattfarina/remove-dup-math-functions
• 2637693 Removing duplicate documentation
• 06b9a87 Merge pull request #290 from zzhu41/patch-1
• e663ec6 Merge pull request #369 from chey/patch-1
• bb2f73f Merge pull request #375 from carlpett/patch-1
• f07659e Merge pull request #400 from itzik-elayev/master
• 98b35c1 Add closing bracket
• 7a88928 Merge pull request #406 from mattfarina/update-mergo
• Additional commits viewable in compare view

Updates github.com/Microsoft/hcsshim from 0.12.5 to 0.12.9

Release notes

Sourced from github.com/Microsoft/hcsshim's releases.

v0.12.9

What's Changed

• [release/0.12] Update go to 1.22 + switch to using containerd/errdefs/pkg/errgrpc for grpc translation by @​kiashok in microsoft/hcsshim#2301

Full Changelog: microsoft/hcsshim@v0.12.8...v0.12.9

v0.12.8

What's Changed

• Fixing typo by @​ritikaguptams in microsoft/hcsshim#2289
• [release/0.12] Update containerd to v1.7.23 by @​dmcgowan in microsoft/hcsshim#2295

Full Changelog: microsoft/hcsshim@v0.12.7...v0.12.8

v0.12.7

What's Changed

• [release/0.12] Update pkg versions in go.mod by @​kiashok in microsoft/hcsshim#2275
• [release/0.12] Update runc version to 1.1.14 by @​kiashok in microsoft/hcsshim#2271

Full Changelog: microsoft/hcsshim@v0.12.6...v0.12.7

v0.12.6

What's Changed

• [release/0.12] Backport commits from hcsshim/main to update module versions by @​kiashok in microsoft/hcsshim#2237

Full Changelog: microsoft/hcsshim@v0.12.5...v0.12.6

Commits

• 7392335 Switch to using containerd/errdefs/pkg/errgrpc for grpc translation
• 79d3f32 Update go to 1.22
• 05636b9 Update JOB_OBJECT_ALL_ACCESS and OpenJobObject (#2095)
• 1550628 mobve SILOOBJECT_BASIC_INFORMATION to winapi
• bf52d58 fix SILOOBJECT_BASIC_INFORMATION alignment
• 8d48d87 Update containerd to v1.7.23 (#2295)
• 4ad298f Fixing typo (#2289)
• 86b5333 Bump golangci/golangci-lint-action from 4 to 6
• 5ae96f3 Update runc to v1.1.14
• 8f3fccd Update pkg versions
• Additional commits viewable in compare view

Updates github.com/ProtonMail/go-crypto from 1.1.3 to 1.1.5

Release notes

Sourced from github.com/ProtonMail/go-crypto's releases.

Release v1.1.5

What's Changed

• Check binding signature details against primary key by @​twiss in ProtonMail/go-crypto#264

Full Changelog: ProtonMail/go-crypto@v1.1.4...v1.1.5

Release v1.1.5-proton

What's Changed

This release is v1.1.5 with support for the following non-standardized features:

• Presistent symmetric keys draft-ietf-openpgp-persistent-symmetric-keys-00
• Automatic forwarding draft-wussler-openpgp-forwarding-00
• Post-quantum algorithms draft-ietf-openpgp-pqc

Release v1.1.4

What's Changed

• Emit armor headers in sorted order by @​andrewgdotcom in ProtonMail/go-crypto#255
• Reduce memory usage when AEAD en/decrypting large messages by @​twiss in ProtonMail/go-crypto#259
• Update artifact actions to v4 by @​twiss in ProtonMail/go-crypto#260

Full Changelog: ProtonMail/go-crypto@v1.1.3...v1.1.4

Release v1.1.4-proton

What's Changed

This release is v1.1.4 with support for the following non-standardized features:

• Presistent symmetric keys draft-ietf-openpgp-persistent-symmetric-keys-00
• Automatic forwarding draft-wussler-openpgp-forwarding-00
• Post-quantum algorithms draft-ietf-openpgp-pqc

Commits

• d703f49 Check binding signature details against primary key (#264)
• 72cacd5 ci: Update openpgp-interop-test-analyzer to v2.1.0 (#243)
• 3de0301 Update artifact actions to v4 (#260)
• be3aef0 Merge pull request #259 from ProtonMail/less-memory-large-msgs
• 1fd5ec8 Add tests for reusing buffer in OCB en/decryption
• df3ee02 Buffer decrypted bytes more efficiently
• 04cfaf2 Reuse plaintext slice for ciphertext when encrypting
• fee7824 Reuse ciphertext slice for plaintext when decrypting
• 6fa7f91 Preallocate the chunk size rather than buffering
• add07bd Don't allocate the nonce for each chunk
• Additional commits viewable in compare view

Updates github.com/andybalholm/brotli from 1.1.0 to 1.1.1

Commits

• 57434b5 Encoder: check for empty block
• 97e8583 matchfinder.M4: some refinements to scoring
• See full diff in compare view

Updates github.com/bmatcuk/doublestar/v4 from 4.6.1 to 4.8.0

Release notes

Sourced from github.com/bmatcuk/doublestar/v4's releases.

Fixed Escaped Meta in the "Base" of the Pattern

If the "base" of a pattern (ie, everything up to the first path slash before any meta characters) contains an escaped meta character, doublestar would fail to glob any files.

Thanks to @​tdurieux for finding and fixing this bug!

Breaking-ish Change

I've updated SplitPattern to unescape meta characters in the first returned string. I suspect this shouldn't cause issues for anyone because, if anyone was using this function, they've probably either never passed a pattern with escaped meta characters, or hand-rolled an unescape method to fix the bug - which will now be a no-op for them.

What's Changed

• fix(#96) unescapeMeta the pattern base by @​tdurieux in bmatcuk/doublestar#97

New Contributors

• @​tdurieux made their first contribution in bmatcuk/doublestar#97

Full Changelog: bmatcuk/doublestar@v4.7.1...v4.8.0

Fixed FilepathGlob("")

To be consistent with filepath.Glob, FilepathGlob("") returns nil.

Added MatchUnvalidated, PathMatchUnvalidated

These functions provide a small performance improvement in cases where you don't care about whether or not the pattern is valid (maybe because you already ran ValidatePattern).

Commits

• 29e67f4 fix windows tests
• 28b892c remove sponsor =(
• 4b5670c fix(#96) some minor corrections to escaping pattern base
• 1e7ad31 fix: fix match when there is a escaped meta in the pattern
• 1e20c6d fixes #95 FilepathGlob("") should return nil
• da152ef add docs for MatchUnvalidated, PathMatchUnvalidated
• 2832f67 closes #92 adds MatchUnvalidated
• 424062b added sponsor: MASV
• See full diff in compare view

Updates github.com/cloudflare/circl from 1.3.9 to 1.5.0

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.5.0

New: ML-DSA, Module-Lattice-based Digital Signature Algorithm.

What's Changed

• kem: add X25519MLKEM768 TLS hybrid KEM by @​bwesterb in cloudflare/circl#510
• Create semgrep.yml by @​hrushikeshdeshpande in cloudflare/circl#514
• repo: Some fixes reported by CodeQL by @​armfazh in cloudflare/circl#515
• Add ML-DSA (FIPS204) by @​bwesterb in cloudflare/circl#480
• sign/mldsa: Add test for ML-DSA signature verification. by @​armfazh in cloudflare/circl#517
• Release v1.5.0 by @​armfazh in cloudflare/circl#518

New Contributors

• @​hrushikeshdeshpande made their first contribution in cloudflare/circl#514

Full Changelog: cloudflare/circl@v1.4.0...v1.5.0

CIRCL v1.4.0

Changes

New: ML-KEM compatible with FIPS-203.

Commit History

• eddilithium3: fix typos by @​bwesterb in cloudflare/circl#503
• Add ML-KEM (FIPS 203). by @​bwesterb in cloudflare/circl#470
• Add ML-KEM decapsulation key check. by @​bwesterb in cloudflare/circl#507
• Preparing for release v1.4.0 by @​armfazh in cloudflare/circl#508

Full Changelog: cloudflare/circl@v1.3.9...v1.4.0

Commits

• 1310edf Release v1.5.0
• 0246d59 Add test for ML-DSA signature verification.
• e2bbd01 Add ML-DSA (FIPS204) (#480)
• 2ba992f Reverting arm64 jobs since qemu can't run go1.23 binaries yet.
• ab15f82 Updates golangci-lint to v1.61.0 and fixes code.
• 064a9ba Bump to go1.22 inner files and ci jobs.
• 7040592 Adding semgrepignore to also analyse test files.
• 51a9a33 Update semgrep.yml
• cfbc696 Create semgrep.yml
• 2d6cd98 kem: add X25519MLKEM768 TLS hybrid KEM
• Additional commits viewable in compare view

Updates github.com/containerd/errdefs from 0.1.0 to 0.3.0

Release notes

Sourced from github.com/containerd/errdefs's releases.

v0.3.0

This release splits the errdefs package into the github.com/containerd/errdefs package which only contains error definitions as well as basic functions to check for those definitions and the github.com/containerd/errdefs/pkg package which containers functionality for using the errdefs, such as error serialization and adding more data to errors.

What's Changed

• Update GitHub Actions packages and runners by @​austinvazquez in containerd/errdefs#20
• Add errdefs/pkg package by @​dmcgowan in containerd/errdefs#19

Full Changelog: containerd/errdefs@v0.2.0...v0.3.0

pkg/v0.3.0

What's Changed

• Update pkg errodefs to v0.3.0 by @​dmcgowan in containerd/errdefs#21

Full Changelog: containerd/errdefs@v0.3.0...pkg/v0.3.0

v0.2.0

What's Changed

• Add more grpc types by @​dmcgowan in containerd/errdefs#3
• Split gRPC and HTTP error utility into seperate packages by @​austinvazquez in containerd/errdefs#5
• Fix Cancelled interface typo by @​dmcgowan in containerd/errdefs#6
• Add stack support by @​dmcgowan in containerd/errdefs#8
• Add a resolve error function to return first error by @​dmcgowan in containerd/errdefs#9
• Add support for custom error messages by @​dmcgowan in containerd/errdefs#10
• Add support for grpc error details and multiple errors by @​dmcgowan in containerd/errdefs#7
• Complete interface definitions for errors by @​dmcgowan in containerd/errdefs#18

New Contributors

• @​austinvazquez made their first contribution in containerd/errdefs#5

Full Changelog: containerd/errdefs@v0.1.0...v0.2.0

Commits

• 9fd32fc Merge pull request #19 from dmcgowan/pkg-package
• 3dabb2b Merge pull request #20 from austinvazquez/upgrade-ci
• 303a6ea Update to Go 1.22.8 in CI
• e70104e Upgrade to golangci-lint@v1.61.0
• ffe5586 Upgrade to golangci/golangci-lint-action@v6
• 908b04b Upgrade to actions/checkout@v4
• 608b83c Upgrade to actions/setup-go@v5
• 8e82ae4 Upgrade macOS runner image to macOS 13
• 46a6522 Add errdefs/pkg package
• 02b65bc Merge pull request #18 from dmcgowan/add-missing-interfaces
• Additional commits viewable in compare view

Updates github.com/containerd/stargz-snapshotter/estargz from 0.15.1 to 0.16.3

Release notes

Sourced from github.com/containerd/stargz-snapshotter/estargz's releases.

v0.16.3

Notable Changes

• Fix zstd:chunked converter error on duplicated blobs (#1894)

v0.16.2

Notable Changes

• go.mod: Use 1.22.0 by specifying to google.golang.org/grpc v1.67.1 (#1877)

v0.16.1

Notable Changes

• prevernt go version upgraded to 1.23 in go.mod (#1863)

v0.16.0

Notable Changes

• Support for the latest CRI-O(>=v1.31.0) and Podman (>=v5.1.0) Additional Layer Store (#1673, #1674)
• Fix log message in refnode.Lookup (#1595), thanks to @​iain-macdonald
• store: use OnForget API for checking if a node is reusable (#1808)
• Support for containerd v2 (#1722), thanks to @​apostasie
• fs: Check connection only when image isn't fully cached (#1584)

Commits

• c0389e0 Merge pull request #1898 from ktock/prepare-v0.16.3
• c6a444e [v0.16] Prepare for v0.16.3
• 86bbdeb Merge pull request #1894 from ktock/bp-1885
• 9b706a2 Rely on OpenWriter for retrying opening writer
• 570ba70 Rely on contaienrd's GC for cleanup of temporary content
• 1d34a1b Merge pull request #1878 from ktock/prepare-v0.16.2
• 3971b26 Merge pull request #1877 from ktock/v0.16dev
• 1e4fad0 Preapre for v0.16.2
• 4edcebd go.mod: Use 1.22.0 by specifying to google.golang.org/grpc v1.67.1
• 7d3230e Merge pull request #1864 from ktock/prepare-v0.16.1
• Additional commits viewable in compare view

Updates github.com/cpuguy83/dockercfg from 0.3.1 to 0.3.2

Release notes

Sourced from github.com/cpuguy83/dockercfg's releases.

v0.3.2

What's Changed

• chore: improve errors by @​stevenh in cpuguy83/dockercfg#3

New Contributors

• @​stevenh made their first contribution in cpuguy83/dockercfg#3

Full Changelog: cpuguy83/dockercfg@v0.3.1...v0.3.2

Commits

• a07c3d1 Merge pull request #3 from stevenh/chore/improve-errors
• 91bd66a chore: improve errors
• See full diff in compare view

Updates github.com/cyphar/filepath-securejoin from 0.3.1 to 0.4.0

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.4.0

This release primarily includes a few minor breaking changes to make the MkdirAll and SecureJoin interfaces more robust against accidental misuse.

• SecureJoin(VFS) will now return an error if the provided root is not a filepath.Clean'd path.

  While it is ultimately the responsibility of the caller to ensure the root is a safe path to use, passing a path like /symlink/.. as a root would result in the SecureJoin'd path being placed in / even though /symlink/.. might be a different directory, and so we should more strongly discourage such usage.

  All major users of securejoin.SecureJoin already ensure that the paths they provide are safe (and this is ultimately a question of user error), but removing this foot-gun is probably a good idea. Of course, this is necessarily a breaking API change (though we expect no real users to be affected by it).

  Thanks to Erik Sjölund, who initially reported this issue as a possible security issue.

• MkdirAll and MkdirHandle now take an os.FileMode-style mode argument instead of a raw unix.S_*-style mode argument, which may cause compile-time type errors depending on how you use filepath-securejoin. For most users, there will be no change in behaviour aside from the type change (as the bottom 0o777 bits are the same in both formats, and most users are probably only using those bits).

  However, if you were using unix.S_ISVTX to set the sticky bit with MkdirAll(Handle) you will need to switch to os.ModeSticky otherwise you will get a runtime error with this update. In addition, the error message you will get from passing unix.S_ISUID and unix.S_ISGID will be different as they are treated as invalid bits now (note that previously passing said bits was also an error).

Thanks to the following contributors for helping make this release possible:

• Aleksa Sarai cyphar@cyphar.com
• Erik Sjölund erik.sjolund@gmail.com

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.6

This release lowers the minimum Go version to Go 1.18 as well as some library dependencies, in order to make it easier for folks that need to backport patches using the new filepath-securejoin API onto branches

... (truncated)

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.4.0] - 2025-01-13

Breaking

• SecureJoin(VFS) will now return an error if the provided root is not a filepath.Clean'd path.

  While it is ultimately the responsibility of the caller to ensure the root is a safe path to use, passing a path like /symlink/.. as a root would result in the SecureJoin'd path being placed in / even though /symlink/.. might be a different directory, and so we should more strongly discourage such usage.

  All major users of securejoin.SecureJoin already ensure that the paths they provide are safe (and this is ultimately a question of user error), but removing this foot-gun is probably a good idea. Of course, this is necessarily a breaking API change (though we expect no real users to be affected by it).

  Thanks to Erik Sjölund, who initially reported this issue as a possible security issue.

• MkdirAll and MkdirHandle now take an os.FileMode-style mode argument instead of a raw unix.S_*-style mode argument, which may cause compile-time type errors depending on how you use filepath-securejoin. For most users, there will be no change in behaviour aside from the type change (as the bottom 0o777 bits are the same in both formats, and most users are probably only using those bits).

  However, if you were using unix.S_ISVTX to set the sticky bit with MkdirAll(Handle) you will need to switch to os.ModeSticky otherwise you will get a runtime error with this update. In addition, the error message you will get from passing <...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.