Skip to content

chore(deps): bump the go group with 9 updates#947

Merged
jneisener merged 1 commit into
mainfrom
dependabot/go_modules/go-361c972acf
Jun 22, 2026
Merged

chore(deps): bump the go group with 9 updates#947
jneisener merged 1 commit into
mainfrom
dependabot/go_modules/go-361c972acf

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown
Contributor

Bumps the go group with 9 updates:

Package From To
github.com/cyphar/filepath-securejoin 0.6.1 0.7.0
github.com/fluxcd/helm-controller/api 1.5.5 1.6.0
github.com/fluxcd/kustomize-controller/api 1.8.5 1.9.0
github.com/fluxcd/pkg/kustomize 1.34.0 1.35.0
github.com/fluxcd/source-controller/api 1.8.5 1.9.0
github.com/google/go-containerregistry 0.21.6 0.21.7
github.com/onsi/gomega 1.41.0 1.42.0
helm.sh/helm/v3 3.21.1 3.21.2
ocm.software/ocm 0.43.0 0.44.0

Updates github.com/cyphar/filepath-securejoin from 0.6.1 to 0.7.0

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.7.0] - 2025-06-17

You talk of times of peace for all, and then prepare for war.

Changed

  • Update to cyphar.com/go-pathrs@0.2.5, which included a build-time API breakage that we needed to work around. The API of this library is unchanged by this, but users should make sure to update to v0.7.0 of filepath-securejoin if they use the libpathrs built tag and have update to libpathrs v0.2.5.
Commits
  • 8096a95 VERSION: release v0.7.0
  • 1324ccb merge #101 into cyphar/filepath-securejoin:main
  • dd8f0bb deps: bump to cyphar.com/go-pathrs@v0.2.5
  • c9a7725 gha: bump golangci-lint to v2.12
  • 2e968bd Merge pull request #91 from cyphar/dependabot/github_actions/actions/download...
  • 2879148 Merge pull request #90 from cyphar/dependabot/github_actions/actions/upload-a...
  • 07b805b build(deps): bump actions/download-artifact from 6 to 7
  • 8507844 build(deps): bump actions/upload-artifact from 5 to 6
  • daef0cf Merge pull request #89 from cyphar/dependabot/github_actions/actions/checkout-6
  • 95f8ea4 build(deps): bump actions/checkout from 5 to 6
  • Additional commits viewable in compare view

Updates github.com/fluxcd/helm-controller/api from 1.5.5 to 1.6.0

Release notes

Sourced from github.com/fluxcd/helm-controller/api's releases.

v1.6.0

Changelog

v1.6.0 changelog

Container images

  • docker.io/fluxcd/helm-controller:v1.6.0
  • ghcr.io/fluxcd/helm-controller:v1.6.0

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/helm-controller/api's changelog.

1.6.0

Release date: 2026-06-17

This minor release continues aligning Flux with Helm v4, adding support for Helm's post-render strategies along with several new HelmRelease configuration options and improved drift observability.

⚠️ Breaking change: the default post-render strategy is now combined, to stay aligned with Helm v4.2's default for sending hooks to post-renderers. Users relying on the previous Helm v3 behavior can either enable the UseHelm3Defaults feature gate (which switches the default back to nohooks) or pin the behavior per HelmRelease via .spec.postRenderStrategy.

HelmRelease

Helm's post-render strategies are now supported through the new .spec.postRenderStrategy field, which controls how hooks are passed to post-renderers. The accepted values are nohooks, combined and separate. The default is combined to stay aligned with Helm v4.2, switching to nohooks when the UseHelm3Defaults feature gate is enabled.

A new .spec.upgrade.chartNameChangeStrategy field controls what happens when a HelmRelease's chart name changes. The default Reinstall keeps the current behavior of uninstalling and reinstalling the release, while InPlaceUpdate performs an in-place Helm upgrade instead, re-introducing on an opt-in basis the behavior present before Flux 2.2.

valuesFrom entries now accept a literal field. When set to true, the referenced value is used verbatim instead of being parsed with Helm's --set syntax, allowing arbitrary file content (JSON blobs, multi-line YAML, HOCON, etc.) that would otherwise be misinterpreted by the strvals parser.

A new Drifted condition is now set on the HelmRelease to improve the observability of drift detection.

Improvements:

  • Add post-render strategy support and conditional defaults #1470
  • Support helm release upgrade on helm chart name change #1447
  • Add literal field to valuesFrom #1503
  • Add Drifted condition to HelmRelease #1367
  • Migrate DependencyReference to shared apis/meta type #1502
  • Update source-controller API to v1.9.0 #1519
  • Various dependency updates

... (truncated)

Commits
  • 363c849 Merge pull request #1520 from fluxcd/release-v1.6.0
  • c88ae15 Release v1.6.0
  • 6e467b9 Add changelog entry for v1.6.0
  • a2e22df Merge pull request #1519 from fluxcd/source-controller-v1.9.0
  • 67f9b81 Upgrade source-controller API to v1.9.0
  • a644069 Merge pull request #1447 from Nordix/issue-870
  • 95f303b Add documentation to helmreleases.md
  • 41a6f08 Add condition on new tests
  • 68d284c Add tests to e2e for chart name change upgrade
  • eb95b9f Updated for review comments
  • Additional commits viewable in compare view

Updates github.com/fluxcd/kustomize-controller/api from 1.8.5 to 1.9.0

Release notes

Sourced from github.com/fluxcd/kustomize-controller/api's releases.

v1.9.0

Changelog

v1.9.0 changelog

Container images

  • docker.io/fluxcd/kustomize-controller:v1.9.0
  • ghcr.io/fluxcd/kustomize-controller:v1.9.0

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/kustomize-controller/api's changelog.

1.9.0

Release date: 2026-06-17

This minor release comes with new features for post-build variable substitution, drift detection, SOPS decryption and Kustomize build metadata, along with various bug fixes and dependency updates.

Kustomization

Post-build substitutions are now stricter by default: the controller fails the reconciliation when a variable without a default value is referenced in the manifests but is missing from the input vars. This behavior is controlled by the StrictPostBuildSubstitutions feature gate, which is now enabled by default and can be opted out of. In addition, a new .spec.postBuild.substituteStrategy: Always option was introduced to always perform substitutions even when no variables are defined, which is useful when the substitution expressions all carry defaults (e.g. ${var:=default}).

Drift detection can now be fine-tuned with ignore rules. The new .spec.ignore field accepts a list of rules selecting JSON pointer paths (optionally scoped to specific targets) to exclude from both drift detection and the apply process.

A new .spec.buildMetadata field allows enabling Kustomize build metadata annotations per Kustomization, supporting the originAnnotations and transformerAnnotations options.

The controller now keeps resources that failed to be pruned in the .status.inventory, ensuring they remain tracked and can be retried on the next reconciliation instead of becoming untracked orphans.

SOPS decryption

SOPS decryption now supports generic Kubernetes workload identity for the OpenBao/Vault transit engine, allowing the controller to authenticate to OpenBao by exchanging a Kubernetes ServiceAccount token for a short-lived OpenBao token through a JWT-backed auth method, instead of using a static token. This is purely additive and non-breaking: the existing sops.vault-token Secret and VAULT_TOKEN environment variable paths are unchanged and take precedence.

Age and SOPS have also been updated to support Age hybrid post-quantum encryption.

General updates

In addition, the Kubernetes dependencies have been updated to v1.36, the controller is now built with Go 1.26 and the source-controller API has been upgraded to v1.9.0. The shared DependencyReference type was migrated to the apis/meta package, preserving backward compatibility through a type alias.

Fixes:

... (truncated)

Commits
  • 5469138 Merge pull request #1675 from fluxcd/release-v1.9.0
  • 1b885f3 Release v1.9.0
  • 94d4688 Add changelog entry for v1.9.0
  • 9dfc5b3 Merge pull request #1674 from fluxcd/source-controller-v1.9.0
  • 7365c20 Upgrade source-controller API to v1.9.0
  • 77e3d98 Merge pull request #1673 from yugstar/docs-sops-dotenv-type
  • 2bdabb9 docs: fix SOPS store type for dotenv files (env -> dotenv)
  • 5b3449c Merge pull request #1672 from fluxcd/varsub-always
  • 6214269 Introduce substituteStrategy: Always
  • 3e12665 Merge pull request #1671 from fluxcd/strict-varsub-default
  • Additional commits viewable in compare view

Updates github.com/fluxcd/pkg/kustomize from 1.34.0 to 1.35.0

Commits
  • ae10469 Merge pull request #1246 from fluxcd/ks-always-subst
  • 2cd36cb kustomize: add tests for empty vars with strict sub and omitted without
  • ca2a7aa kustomize: introduce option for always substituting
  • d884940 Merge pull request #1245 from fluxcd/release-main
  • 741aab2 Prepare for release
  • 84ae38c Merge pull request #1244 from fluxcd/improve-registry-auth
  • bf1b9c7 auth/utils: ensure registry credentials are always fresh
  • See full diff in compare view

Updates github.com/fluxcd/source-controller/api from 1.8.5 to 1.9.0

Release notes

Sourced from github.com/fluxcd/source-controller/api's releases.

v1.9.0

Changelog

v1.9.0 changelog

Container images

  • docker.io/fluxcd/source-controller:v1.9.0
  • ghcr.io/fluxcd/source-controller:v1.9.0

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/source-controller/api's changelog.

1.9.0

Release date: 2026-06-17

This minor release comes with new authentication and verification features for the source APIs, along with various improvements, fixes and dependency updates.

GitRepository

The GitRepository controller now supports AWS CodeCommit as a Git provider, allowing authentication to CodeCommit repositories.

Git commit and tag verification now supports SSH signatures in addition to OpenPGP, so commits and tags signed with SSH keys can be verified via .spec.verify.

OCIRepository

The OCIRepository controller now supports configuring a custom Sigstore trusted root for keyless signature verification, via a Secret referenced in the verification configuration.

OCI artifacts are now resolved and stored strictly by their content digest.

Fixes:

  • cosign: fix v3 bundle verify on http and private CA registries and pass TLS to Rekor #2061
  • Close OCI blob reader and wrap errors consistently across controllers #2066
  • Remove unimplemented field from HelmChart CRD #2080

Improvements:

  • AWS CodeCommit support #2035
  • Add git commit/tag SSH signature verification #2077
  • Add custom Sigstore trusted root support #2003
  • Ensure OCI artifacts are handled strictly by digest #2075
  • build: target host architecture for local builds and envtest #2076
  • Various dependency updates #2067 #2071 #2072 #2073 #2078

... (truncated)

Commits
  • 57734ac Merge pull request #2082 from fluxcd/release-v1.9.0
  • 565d3f0 Release v1.9.0
  • 63e7ba2 Add changelog entry for v1.9.0
  • 16e724e Merge pull request #2081 from fluxcd/update-pkg-deps/main
  • e3d8a3f Fix tests for lazy artifact registry credentials
  • d00344a Update fluxcd/pkg dependencies
  • 54f9f98 Merge pull request #2080 from fluxcd/fix-hc-trusted-root
  • 1ecb593 fix: remove unimplemented field from HelmChart CRD
  • bed4f74 Merge pull request #2079 from fluxcd/update-pkg-deps/main
  • 9ab0968 Update fluxcd/pkg dependencies
  • Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.21.6 to 0.21.7

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.7

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.21.6...v0.21.7

Commits
  • c68d899 Bump go version to 1.26.4 (#2350)
  • da61d86 transport: do not re-attach bearer token after cross-host redirect (#2349)
  • 09fe1e5 fix(tarball): normalize paths when matching files (#2334)
  • 5baa399 build(deps): bump the go-deps group across 3 directories with 4 updates (#2348)
  • 97a8a17 fix(transport): apply refreshed bearer token after cross-host redirect (#2337)
  • e963497 internal/gzip: fix goroutine leak in ReadCloserLevel (#2347)
  • 02649ea fix: prevent SSRF in google.List() pagination (#2332)
  • 7204b40 build(deps): bump the actions group across 1 directory with 2 updates (#2344)
  • 4cfaa93 build(deps): bump the go-deps group across 1 directory with 2 updates (#2343)
  • 6849394 pkg/registry: export RedirectError (#2177)
  • Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.41.0 to 1.42.0

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.42.0

1.42.0

Add a set of Claude skill as a marketplace plugin

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.42.0

Add a set of Claude skill as a marketplace plugin

Commits

Updates helm.sh/helm/v3 from 3.21.1 to 3.21.2

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.21.2 is a patch release to correct bump the Kubernetes client libraries (client-go, etc) to match the expected Kubernetes v1.36 release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • Update Kubernetes client libraries to v1.36

Installation and Upgrading

Download Helm v3.21.2. The common platform binaries are here:

This release was signed by @​gjenkins8 with key BF88 8333 D96A 1C18 E268 2AAE D79D 67C9 EC01 6739, which can be found at https://keys.openpgp.org/vks/v1/by-fingerprint/BF888333D96A1C18E2682AAED79D67C9EC016739. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.21.3 will contain only bug fixes.
  • 3.22.0 is the next (and final) Helm 3 feature release

Changelog

  • chore(deps): bump the k8s-io group with 2 updates 125963406833fe0525be91f46c8b5b0f22fb9e32 (dependabot[bot])
  • fixes b52e27609b4420d206c1874ce9b0c75e271665e7 (Matheus Pimenta)
  • chore(deps): bump the k8s-io group across 1 directory with 2 updates 3342dbfec8f39776a9accd50fa91a52d68673af1 (dependabot[bot])

Full Changelog: helm/helm@v3.21.1...v3.21.2

Commits
  • 1259634 chore(deps): bump the k8s-io group with 2 updates
  • b52e276 fixes
  • 3342dbf chore(deps): bump the k8s-io group across 1 directory with 2 updates
  • See full diff in compare view

Updates ocm.software/ocm from 0.43.0 to 0.44.0

Release notes

Sourced from ocm.software/ocm's releases.

v0.44.0

What's Changed

🐛 Bug Fixes

⬆️ Dependencies

🧰 Maintenance

Full Changelog: open-component-model/ocm@v0.43...v0.44.0

v0.44.0-rc.2

What's Changed

🐛 Bug Fixes

⬆️ Dependencies

🧰 Maintenance

Full Changelog: open-component-model/ocm@v0.43...v0.44.0

v0.44.0-rc.1

What's Changed

🐛 Bug Fixes

... (truncated)

Commits
  • 0d30a2f chore: update 'flake.nix' (#1984)
  • c666a61 chore(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#1965)
  • d41adba fix(tests): replace AddGlob with AddWithOptions to fix go-git v5.19.1… (#1983)
  • 5b88451 chore: remove blackduck workflow call (#1980)
  • fb4a954 chore: update 'flake.nix' (#1977)
  • 938bb3e chore(deps): bump github.com/containerd/containerd/v2 from 2.3.0 to 2.3.1 (#1...
  • 78a7295 chore: remove blackduck (#1975)
  • de5284f chore: use github environment (#1976)
  • 37075fa chore(deps): bump docker/setup-qemu-action from 4.0.0 to 4.1.0 in the ci grou...
  • b1a749a fix: pin ocm cli v2 (#1978)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) | `0.6.1` | `0.7.0` |
| [github.com/fluxcd/helm-controller/api](https://github.com/fluxcd/helm-controller) | `1.5.5` | `1.6.0` |
| [github.com/fluxcd/kustomize-controller/api](https://github.com/fluxcd/kustomize-controller) | `1.8.5` | `1.9.0` |
| [github.com/fluxcd/pkg/kustomize](https://github.com/fluxcd/pkg) | `1.34.0` | `1.35.0` |
| [github.com/fluxcd/source-controller/api](https://github.com/fluxcd/source-controller) | `1.8.5` | `1.9.0` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.6` | `0.21.7` |
| [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.41.0` | `1.42.0` |
| [helm.sh/helm/v3](https://github.com/helm/helm) | `3.21.1` | `3.21.2` |
| [ocm.software/ocm](https://github.com/open-component-model/ocm) | `0.43.0` | `0.44.0` |


Updates `github.com/cyphar/filepath-securejoin` from 0.6.1 to 0.7.0
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md)
- [Commits](cyphar/filepath-securejoin@v0.6.1...v0.7.0)

Updates `github.com/fluxcd/helm-controller/api` from 1.5.5 to 1.6.0
- [Release notes](https://github.com/fluxcd/helm-controller/releases)
- [Changelog](https://github.com/fluxcd/helm-controller/blob/main/CHANGELOG.md)
- [Commits](fluxcd/helm-controller@v1.5.5...v1.6.0)

Updates `github.com/fluxcd/kustomize-controller/api` from 1.8.5 to 1.9.0
- [Release notes](https://github.com/fluxcd/kustomize-controller/releases)
- [Changelog](https://github.com/fluxcd/kustomize-controller/blob/main/CHANGELOG.md)
- [Commits](fluxcd/kustomize-controller@v1.8.5...v1.9.0)

Updates `github.com/fluxcd/pkg/kustomize` from 1.34.0 to 1.35.0
- [Commits](fluxcd/pkg@kustomize/v1.34.0...kustomize/v1.35.0)

Updates `github.com/fluxcd/source-controller/api` from 1.8.5 to 1.9.0
- [Release notes](https://github.com/fluxcd/source-controller/releases)
- [Changelog](https://github.com/fluxcd/source-controller/blob/main/CHANGELOG.md)
- [Commits](fluxcd/source-controller@v1.8.5...v1.9.0)

Updates `github.com/google/go-containerregistry` from 0.21.6 to 0.21.7
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.6...v0.21.7)

Updates `github.com/onsi/gomega` from 1.41.0 to 1.42.0
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.41.0...v1.42.0)

Updates `helm.sh/helm/v3` from 3.21.1 to 3.21.2
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](helm/helm@v3.21.1...v3.21.2)

Updates `ocm.software/ocm` from 0.43.0 to 0.44.0
- [Release notes](https://github.com/open-component-model/ocm/releases)
- [Changelog](https://github.com/open-component-model/ocm/blob/main/RELEASE_PROCESS.md)
- [Commits](open-component-model/ocm@v0.43...v0.44)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/fluxcd/helm-controller/api
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/fluxcd/kustomize-controller/api
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/fluxcd/pkg/kustomize
  dependency-version: 1.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/fluxcd/source-controller/api
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.21.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: ocm.software/ocm
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added kind/chore chore, maintenance, etc. kind/dependency dependency update, etc. labels Jun 21, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 21, 2026 15:04
@dependabot dependabot Bot added kind/chore chore, maintenance, etc. kind/dependency dependency update, etc. labels Jun 21, 2026
@jneisener jneisener merged commit 8935b4f into main Jun 22, 2026
9 checks passed
@jneisener jneisener deleted the dependabot/go_modules/go-361c972acf branch June 22, 2026 07:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kind/chore chore, maintenance, etc. kind/dependency dependency update, etc.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants