This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more. ## Repository problems Renovate tried to run on this repository, but found these problems. - WARN: Cannot access vulnerability alerts. Please ensure permissions have been granted. ## Open These updates have all been created already. Click a checkbox below to force a retry/rebase of any. - [ ] <!-- rebase-branch=renovate/alauda-v2.5.3-go-golang.org-x-sys-vulnerability -->[chore(deps): update module golang.org/x/sys to v0.44.0 [security] (alauda-v2.5.3)](../pull/42) - [ ] <!-- rebase-branch=renovate/alauda-v2.5.3-go-github.com-in-toto-in-toto-golang-vulnerability -->[fix(deps): update module github.com/in-toto/in-toto-golang to v0.11.0 [security] (alauda-v2.5.3)](../pull/41) - [ ] <!-- rebase-branch=renovate/alauda-v2.6.2-go-golang.org-x-sys-vulnerability -->[chore(deps): update module golang.org/x/sys to v0.44.0 [security] (alauda-v2.6.2)](../pull/43) - [ ] <!-- rebase-all-open-prs -->**Click on this checkbox to rebase all open PRs at once** ## Ignored or Blocked These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below. - [ ] <!-- recreate-branch=renovate/alauda-v2.5.3-go-github.com-sigstore-timestamp-authority-vulnerability -->[fix(deps): update module github.com/sigstore/timestamp-authority to v2 [security] (alauda-v2.5.3)](../pull/18) ## Vulnerabilities `22`/`26` CVEs have Renovate fixes. <details><summary>gomod</summary> <blockquote> <details><summary>go.mod</summary> <blockquote> <details><summary>github.com/in-toto/in-toto-golang</summary> <blockquote> - [GHSA-pmwq-pjrm-6p5r](https://osv.dev/vulnerability/GHSA-pmwq-pjrm-6p5r) (fixed in >= 0.11.0) </blockquote> </details> <details><summary>github.com/sigstore/timestamp-authority</summary> <blockquote> - [GHSA-4qg8-fj49-pxjh](https://osv.dev/vulnerability/GHSA-4qg8-fj49-pxjh) (fixed in >= 2.0.3) - [GO-2025-4192](https://osv.dev/vulnerability/GO-2025-4192) </blockquote> </details> <details><summary>golang.org/x/crypto</summary> <blockquote> - [GO-2026-5021](https://osv.dev/vulnerability/GO-2026-5021) (fixed in >= 0.52.0) - [GO-2026-5017](https://osv.dev/vulnerability/GO-2026-5017) (fixed in >= 0.52.0) - [GO-2026-5020](https://osv.dev/vulnerability/GO-2026-5020) (fixed in >= 0.52.0) - [GO-2026-5013](https://osv.dev/vulnerability/GO-2026-5013) (fixed in >= 0.52.0) - [GO-2026-5019](https://osv.dev/vulnerability/GO-2026-5019) (fixed in >= 0.52.0) - [GO-2026-5023](https://osv.dev/vulnerability/GO-2026-5023) (fixed in >= 0.52.0) - [GO-2026-5033](https://osv.dev/vulnerability/GO-2026-5033) (fixed in >= 0.52.0) - [GO-2026-5018](https://osv.dev/vulnerability/GO-2026-5018) (fixed in >= 0.52.0) - [GO-2026-5005](https://osv.dev/vulnerability/GO-2026-5005) (fixed in >= 0.52.0) - [GO-2026-5015](https://osv.dev/vulnerability/GO-2026-5015) (fixed in >= 0.52.0) - [GO-2026-5014](https://osv.dev/vulnerability/GO-2026-5014) (fixed in >= 0.52.0) - [GO-2026-5016](https://osv.dev/vulnerability/GO-2026-5016) (fixed in >= 0.52.0) - [GO-2026-5006](https://osv.dev/vulnerability/GO-2026-5006) (fixed in >= 0.52.0) </blockquote> </details> <details><summary>github.com/aws/aws-sdk-go</summary> <blockquote> - [GO-2022-0646](https://osv.dev/vulnerability/GO-2022-0646) - [GO-2022-0635](https://osv.dev/vulnerability/GO-2022-0635) </blockquote> </details> <details><summary>github.com/go-chi/chi</summary> <blockquote> - [GO-2026-4316](https://osv.dev/vulnerability/GO-2026-4316) </blockquote> </details> <details><summary>golang.org/x/net</summary> <blockquote> - [GO-2026-5026](https://osv.dev/vulnerability/GO-2026-5026) (fixed in >= 0.55.0) - [GO-2026-5028](https://osv.dev/vulnerability/GO-2026-5028) (fixed in >= 0.55.0) - [GO-2026-5025](https://osv.dev/vulnerability/GO-2026-5025) (fixed in >= 0.55.0) - [GO-2026-5027](https://osv.dev/vulnerability/GO-2026-5027) (fixed in >= 0.55.0) - [GO-2026-5030](https://osv.dev/vulnerability/GO-2026-5030) (fixed in >= 0.55.0) - [GO-2026-5029](https://osv.dev/vulnerability/GO-2026-5029) (fixed in >= 0.55.0) </blockquote> </details> <details><summary>golang.org/x/sys</summary> <blockquote> - [GO-2026-5024](https://osv.dev/vulnerability/GO-2026-5024) (fixed in >= 0.44.0) </blockquote> </details> </blockquote> </details> </blockquote> </details> ## Detected dependencies <details><summary>Branch alauda-v2.5.3</summary> <blockquote> <details><summary>gomod</summary> <blockquote> <details><summary>go.mod</summary> - `go 1.25.5` - `cuelang.org/go v0.12.1` - `github.com/ThalesIgnite/crypto11 v1.2.5` - `github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1` - `github.com/buildkite/agent/v3 v3.102.1` - `github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589@82a0ddb27589` - `github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467@19d51d7fe467` - `github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936@199033aaa936` - `github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7@220c5c2851b7` - `github.com/dustin/go-humanize v1.0.1` - `github.com/go-jose/go-jose/v3 v3.0.5` - `github.com/go-openapi/runtime v0.29.2` - `github.com/go-openapi/strfmt v0.25.0` - `github.com/go-openapi/swag v0.25.4` - `github.com/go-piv/piv-go/v2 v2.4.0` - `github.com/google/certificate-transparency-go v1.3.2` - `github.com/google/go-cmp v0.7.0` - `github.com/google/go-containerregistry v0.20.7` - `github.com/google/go-github/v73 v73.0.0` - `github.com/in-toto/in-toto-golang v0.9.0` - `github.com/kelseyhightower/envconfig v1.4.0` - `github.com/manifoldco/promptui v0.9.0` - `github.com/miekg/pkcs11 v1.1.1` - `github.com/mitchellh/go-wordwrap v1.0.1` - `github.com/moby/term v0.5.2` - `github.com/mozillazg/docker-credential-acr-helper v0.4.0` - `github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481@2ea982251481` - `github.com/open-policy-agent/opa v1.6.0` - `github.com/secure-systems-lab/go-securesystemslib v0.10.0` - `github.com/sigstore/fulcio v1.8.5` - `github.com/sigstore/protobuf-specs v0.5.0` - `github.com/sigstore/rekor v1.5.0` - `github.com/sigstore/rekor-tiles v0.1.11` - `github.com/sigstore/sigstore v1.10.4` - `github.com/sigstore/sigstore-go v1.1.3` - `github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3` - `github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.3` - `github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.3` - `github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.3` - `github.com/sigstore/timestamp-authority v1.2.9` - `github.com/spf13/cobra v1.10.2` - `github.com/spf13/pflag v1.0.10` - `github.com/spf13/viper v1.21.0` - `github.com/spiffe/go-spiffe/v2 v2.6.0` - `github.com/stretchr/testify v1.11.1` - `github.com/theupdateframework/go-tuf/v2 v2.4.1` - `github.com/transparency-dev/merkle v0.0.2` - `github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1` - `gitlab.com/gitlab-org/api/client-go v0.134.0` - `golang.org/x/crypto v0.50.0` - `golang.org/x/oauth2 v0.34.0` - `golang.org/x/sync v0.20.0` - `golang.org/x/term v0.42.0` - `google.golang.org/api v0.260.0` - `google.golang.org/protobuf v1.36.11` - `k8s.io/api v0.33.2` - `k8s.io/apimachinery v0.33.2` - `k8s.io/client-go v0.33.2` - `k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d@0af2bda4dd1d` - `sigs.k8s.io/release-utils v0.12.3` - `cel.dev/expr v0.25.1` - `cloud.google.com/go v0.121.6` - `cloud.google.com/go/auth v0.18.0` - `cloud.google.com/go/auth/oauth2adapt v0.2.8` - `cloud.google.com/go/compute/metadata v0.9.0` - `cloud.google.com/go/iam v1.5.3` - `cloud.google.com/go/kms v1.23.2` - `cloud.google.com/go/longrunning v0.7.0` - `cloud.google.com/go/monitoring v1.24.3` - `cloud.google.com/go/spanner v1.86.1` - `cloud.google.com/go/storage v1.56.1` - `cuelabs.dev/go/oci/ociregistry v0.0.0-20241125120445-2c00c104c6e1@2c00c104c6e1` - `filippo.io/edwards25519 v1.1.1` - `github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0` - `github.com/Azure/azure-sdk-for-go v68.0.0+incompatible` - `github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0` - `github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1` - `github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2` - `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0` - `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0` - `github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c@faa5f7b0171c` - `github.com/Azure/go-autorest v14.2.0+incompatible` - `github.com/Azure/go-autorest/autorest v0.11.29` - `github.com/Azure/go-autorest/autorest/adal v0.9.23` - `github.com/Azure/go-autorest/autorest/azure/auth v0.5.12` - `github.com/Azure/go-autorest/autorest/azure/cli v0.4.6` - `github.com/Azure/go-autorest/autorest/date v0.3.0` - `github.com/Azure/go-autorest/logger v0.2.1` - `github.com/Azure/go-autorest/tracing v0.6.0` - `github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0` - `github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3` - `github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0` - `github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0` - `github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0` - `github.com/Microsoft/go-winio v0.6.2` - `github.com/agnivade/levenshtein v1.2.1` - `github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4` - `github.com/alibabacloud-go/cr-20160607 v1.0.1` - `github.com/alibabacloud-go/cr-20181201 v1.0.10` - `github.com/alibabacloud-go/darabonba-openapi v0.2.1` - `github.com/alibabacloud-go/debug v1.0.0` - `github.com/alibabacloud-go/endpoint-util v1.1.1` - `github.com/alibabacloud-go/openapi-util v0.1.0` - `github.com/alibabacloud-go/tea v1.2.1` - `github.com/alibabacloud-go/tea-utils v1.4.5` - `github.com/alibabacloud-go/tea-xml v1.1.3` - `github.com/aliyun/credentials-go v1.3.2` - `github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2@a9d515a09cc2` - `github.com/aws/aws-sdk-go v1.55.7` - `github.com/aws/aws-sdk-go-v2 v1.41.0` - `github.com/aws/aws-sdk-go-v2/config v1.32.5` - `github.com/aws/aws-sdk-go-v2/credentials v1.19.5` - `github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16` - `github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16` - `github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16` - `github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4` - `github.com/aws/aws-sdk-go-v2/service/ecr v1.40.3` - `github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.31.2` - `github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4` - `github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16` - `github.com/aws/aws-sdk-go-v2/service/kms v1.49.1` - `github.com/aws/aws-sdk-go-v2/service/signin v1.0.4` - `github.com/aws/aws-sdk-go-v2/service/sso v1.30.7` - `github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12` - `github.com/aws/aws-sdk-go-v2/service/sts v1.41.5` - `github.com/aws/smithy-go v1.24.0` - `github.com/beorn7/perks v1.0.1` - `github.com/blang/semver v3.5.1+incompatible` - `github.com/buildkite/go-pipeline v0.14.0` - `github.com/buildkite/interpolate v0.1.5` - `github.com/buildkite/roko v1.3.1` - `github.com/cenkalti/backoff/v4 v4.3.0` - `github.com/cenkalti/backoff/v5 v5.0.3` - `github.com/cespare/xxhash/v2 v2.3.0` - `github.com/chzyer/readline v1.5.1` - `github.com/clbanning/mxj/v2 v2.7.0` - `github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5@ee656c7534f5` - `github.com/cockroachdb/apd/v3 v3.2.1` - `github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be@734e95fb86be` - `github.com/containerd/stargz-snapshotter/estargz v0.18.1` - `github.com/coreos/go-oidc/v3 v3.17.0` - `github.com/cpuguy83/go-md2man/v2 v2.0.7` - `github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc@d8f796af33cc` - `github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352@3a137a874352` - `github.com/dimchansky/utfbom v1.1.1` - `github.com/docker/cli v29.2.0+incompatible` - `github.com/docker/distribution v2.8.3+incompatible` - `github.com/docker/docker-credential-helpers v0.9.3` - `github.com/docker/go-units v0.5.0` - `github.com/emicklei/go-restful/v3 v3.11.0` - `github.com/emicklei/proto v1.13.4` - `github.com/envoyproxy/go-control-plane/envoy v1.36.0` - `github.com/envoyproxy/protoc-gen-validate v1.3.0` - `github.com/felixge/httpsnoop v1.0.4` - `github.com/fsnotify/fsnotify v1.9.0` - `github.com/fxamacker/cbor/v2 v2.7.0` - `github.com/go-chi/chi v4.1.2+incompatible` - `github.com/go-chi/chi/v5 v5.2.4` - `github.com/go-ini/ini v1.67.0` - `github.com/go-jose/go-jose/v4 v4.1.4` - `github.com/go-logr/logr v1.4.3` - `github.com/go-logr/stdr v1.2.2` - `github.com/go-openapi/analysis v0.24.1` - `github.com/go-openapi/errors v0.22.6` - `github.com/go-openapi/jsonpointer v0.22.4` - `github.com/go-openapi/jsonreference v0.21.4` - `github.com/go-openapi/loads v0.23.2` - `github.com/go-openapi/spec v0.22.3` - `github.com/go-openapi/swag/cmdutils v0.25.4` - `github.com/go-openapi/swag/conv v0.25.4` - `github.com/go-openapi/swag/fileutils v0.25.4` - `github.com/go-openapi/swag/jsonname v0.25.4` - `github.com/go-openapi/swag/jsonutils v0.25.4` - `github.com/go-openapi/swag/loading v0.25.4` - `github.com/go-openapi/swag/mangling v0.25.4` - `github.com/go-openapi/swag/netutils v0.25.4` - `github.com/go-openapi/swag/stringutils v0.25.4` - `github.com/go-openapi/swag/typeutils v0.25.4` - `github.com/go-openapi/swag/yamlutils v0.25.4` - `github.com/go-openapi/validate v0.25.1` - `github.com/go-sql-driver/mysql v1.9.3` - `github.com/go-viper/mapstructure/v2 v2.4.0` - `github.com/gobwas/glob v0.2.3` - `github.com/gogo/protobuf v1.3.2` - `github.com/golang-jwt/jwt/v4 v4.5.2` - `github.com/golang-jwt/jwt/v5 v5.3.0` - `github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8@2c02b8208cf8` - `github.com/golang/snappy v0.0.4` - `github.com/google/gnostic-models v0.6.9` - `github.com/google/go-querystring v1.1.0` - `github.com/google/s2a-go v0.1.9` - `github.com/google/trillian v1.7.2` - `github.com/google/uuid v1.6.0` - `github.com/googleapis/enterprise-certificate-proxy v0.3.9` - `github.com/googleapis/gax-go/v2 v2.16.0` - `github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4` - `github.com/hashicorp/errwrap v1.1.0` - `github.com/hashicorp/go-cleanhttp v0.5.2` - `github.com/hashicorp/go-multierror v1.1.1` - `github.com/hashicorp/go-retryablehttp v0.7.8` - `github.com/hashicorp/go-rootcerts v1.0.2` - `github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0` - `github.com/hashicorp/go-secure-stdlib/strutil v0.1.2` - `github.com/hashicorp/go-sockaddr v1.0.7` - `github.com/hashicorp/golang-lru/v2 v2.0.7` - `github.com/hashicorp/hcl v1.0.1-vault-7` - `github.com/hashicorp/vault/api v1.22.0` - `github.com/in-toto/attestation v1.1.2` - `github.com/inconshreveable/mousetrap v1.1.0` - `github.com/jackc/pgpassfile v1.0.0` - `github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761@5a60cdf6a761` - `github.com/jackc/pgx/v5 v5.9.2` - `github.com/jackc/puddle/v2 v2.2.2` - `github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267@661be99b8267` - `github.com/jellydator/ttlcache/v3 v3.4.0` - `github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24@b0104c826a24` - `github.com/json-iterator/go v1.1.12` - `github.com/klauspost/compress v1.18.1` - `github.com/kylelemons/godebug v1.1.0` - `github.com/letsencrypt/boulder v0.20251110.0` - `github.com/mitchellh/go-homedir v1.1.0` - `github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c@8508981c8b6c` - `github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd@bacd9c7ef1dd` - `github.com/modern-go/reflect2 v1.0.2` - `github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822@a7dc8b61c822` - `github.com/natefinch/atomic v1.0.1` - `github.com/oklog/ulid v1.3.1` - `github.com/oleiade/reflections v1.1.0` - `github.com/opencontainers/go-digest v1.0.0` - `github.com/opencontainers/image-spec v1.1.1` - `github.com/pborman/uuid v1.2.1` - `github.com/pelletier/go-toml/v2 v2.2.4` - `github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c@5ac0b6a4141c` - `github.com/pkg/errors v0.9.1` - `github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10@0393e58bdf10` - `github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2@5d4384ee4fb2` - `github.com/prometheus/client_golang v1.23.2` - `github.com/prometheus/client_model v0.6.2` - `github.com/prometheus/common v0.67.5` - `github.com/prometheus/procfs v0.16.1` - `github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d@20d2c9ebc01d` - `github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475@cf1acfcdf475` - `github.com/rogpeppe/go-internal v1.14.1` - `github.com/rs/cors v1.11.1` - `github.com/russross/blackfriday/v2 v2.1.0` - `github.com/ryanuber/go-glob v1.0.0` - `github.com/sagikazarmark/locafero v0.11.0` - `github.com/sassoftware/relic v7.2.1+incompatible` - `github.com/shibumi/go-pathspec v1.3.0` - `github.com/sirupsen/logrus v1.9.4` - `github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8@5f936abd7ae8` - `github.com/spf13/afero v1.15.0` - `github.com/spf13/cast v1.10.0` - `github.com/subosito/gotenv v1.6.0` - `github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d@126854af5e6d` - `github.com/tchap/go-patricia/v2 v2.3.2` - `github.com/thales-e-security/pool v0.0.2` - `github.com/theupdateframework/go-tuf v0.7.0` - `github.com/tink-crypto/tink-go-awskms/v2 v2.1.0` - `github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0` - `github.com/tink-crypto/tink-go-hcvault/v2 v2.3.0` - `github.com/tink-crypto/tink-go/v2 v2.6.0` - `github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399@afe73141d399` - `github.com/tjfoc/gmsm v1.4.1` - `github.com/transparency-dev/formats v0.0.0-20250421220931-bb8ad4d07c26@bb8ad4d07c26` - `github.com/transparency-dev/tessera v1.0.0-rc3` - `github.com/urfave/negroni v1.0.0` - `github.com/vbatts/tar-split v0.12.2` - `github.com/vektah/gqlparser/v2 v2.5.28` - `github.com/x448/float16 v0.8.4` - `github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb@02993c407bfb` - `github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415@bd5ef7bd5415` - `github.com/yashtewari/glob-intersection v0.2.0` - `go.mongodb.org/mongo-driver v1.17.6` - `go.opencensus.io v0.24.0` - `go.opentelemetry.io/auto/sdk v1.2.1` - `go.opentelemetry.io/contrib/detectors/gcp v1.39.0` - `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0` - `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0` - `go.opentelemetry.io/otel v1.43.0` - `go.opentelemetry.io/otel/metric v1.43.0` - `go.opentelemetry.io/otel/sdk v1.43.0` - `go.opentelemetry.io/otel/sdk/metric v1.43.0` - `go.opentelemetry.io/otel/trace v1.43.0` - `go.step.sm/crypto v0.75.0` - `go.uber.org/multierr v1.11.0` - `go.uber.org/zap v1.27.1` - `go.yaml.in/yaml/v2 v2.4.3` - `go.yaml.in/yaml/v3 v3.0.4` - `golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b@b7579e27df2b` - `golang.org/x/mod v0.34.0` - `golang.org/x/net v0.53.0` - `golang.org/x/sys v0.43.0` - `golang.org/x/text v0.36.0` - `golang.org/x/time v0.14.0` - `golang.org/x/tools v0.43.0` - `google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217@ff82c1b0f217` - `google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b@0a764e51fe1b` - `google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b@0a764e51fe1b` - `google.golang.org/grpc v1.79.3` - `gopkg.in/evanphx/json-patch.v4 v4.12.0` - `gopkg.in/inf.v0 v0.9.1` - `gopkg.in/ini.v1 v1.67.1` - `gopkg.in/yaml.v3 v3.0.1` - `k8s.io/klog/v2 v2.130.1` - `k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff@c8a335a9a2ff` - `sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3@9aa6b5e7a4b3` - `sigs.k8s.io/randfill v1.0.0` - `sigs.k8s.io/structured-merge-diff/v4 v4.6.0` - `sigs.k8s.io/yaml v1.6.0` - `github.com/AlaudaDevops/timestamp-authority v1.2.10-alauda.2` </details> </blockquote> </details> </blockquote> </details> <details><summary>Branch alauda-v2.6.2</summary> <blockquote> <details><summary>dockerfile</summary> <blockquote> <details><summary>Dockerfile</summary> - `golang 1.26.4` </details> </blockquote> </details> <details><summary>gomod</summary> <blockquote> <details><summary>go.mod</summary> - `go 1.26.4` - `cuelang.org/go v0.14.1` - `github.com/ThalesIgnite/crypto11 v1.2.5` - `github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1` - `github.com/buildkite/agent/v3 v3.104.0` - `github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589@82a0ddb27589` - `github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467@19d51d7fe467` - `github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936@199033aaa936` - `github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7@220c5c2851b7` - `github.com/dustin/go-humanize v1.0.1` - `github.com/go-jose/go-jose/v4 v4.1.4` - `github.com/go-openapi/runtime v0.29.3` - `github.com/go-openapi/strfmt v0.26.1` - `github.com/go-openapi/swag v0.25.5` - `github.com/go-openapi/swag/conv v0.25.5` - `github.com/go-piv/piv-go/v2 v2.5.0` - `github.com/google/certificate-transparency-go v1.3.2` - `github.com/google/go-cmp v0.7.0` - `github.com/google/go-containerregistry v0.20.7` - `github.com/google/go-github/v73 v73.0.0` - `github.com/in-toto/attestation v1.1.2` - `github.com/in-toto/in-toto-golang v0.11.0` - `github.com/kelseyhightower/envconfig v1.4.0` - `github.com/manifoldco/promptui v0.9.0` - `github.com/miekg/pkcs11 v1.1.1` - `github.com/mitchellh/go-wordwrap v1.0.1` - `github.com/moby/term v0.5.2` - `github.com/mozillazg/docker-credential-acr-helper v0.4.0` - `github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481@2ea982251481` - `github.com/open-policy-agent/opa v1.8.0` - `github.com/secure-systems-lab/go-securesystemslib v0.10.0` - `github.com/sigstore/fulcio v1.8.5` - `github.com/sigstore/protobuf-specs v0.5.0` - `github.com/sigstore/rekor v1.5.0` - `github.com/sigstore/rekor-tiles/v2 v2.0.1` - `github.com/sigstore/sigstore v1.10.5` - `github.com/sigstore/sigstore-go v1.1.4` - `github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.5` - `github.com/sigstore/sigstore/pkg/signature/kms/azure v1.10.5` - `github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.10.5` - `github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.10.5` - `github.com/sigstore/timestamp-authority/v2 v2.0.6` - `github.com/spf13/cobra v1.10.2` - `github.com/spf13/pflag v1.0.10` - `github.com/spf13/viper v1.21.0` - `github.com/spiffe/go-spiffe/v2 v2.6.0` - `github.com/stretchr/testify v1.11.1` - `github.com/theupdateframework/go-tuf/v2 v2.4.1` - `github.com/transparency-dev/merkle v0.0.2` - `github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1` - `gitlab.com/gitlab-org/api/client-go v0.143.3` - `golang.org/x/crypto v0.50.0` - `golang.org/x/oauth2 v0.36.0` - `golang.org/x/sync v0.20.0` - `golang.org/x/term v0.42.0` - `google.golang.org/api v0.272.0` - `google.golang.org/protobuf v1.36.11` - `k8s.io/api v0.34.1` - `k8s.io/apimachinery v0.34.1` - `k8s.io/client-go v0.34.1` - `k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d@0af2bda4dd1d` - `sigs.k8s.io/release-utils v0.12.4` - `cloud.google.com/go v0.123.0` - `cloud.google.com/go/auth v0.18.2` - `cloud.google.com/go/auth/oauth2adapt v0.2.8` - `cloud.google.com/go/compute/metadata v0.9.0` - `cloud.google.com/go/iam v1.5.3` - `cloud.google.com/go/kms v1.26.0` - `cloud.google.com/go/longrunning v0.8.0` - `cuelabs.dev/go/oci/ociregistry v0.0.0-20250715075730-49cab49c8e9d@49cab49c8e9d` - `filippo.io/edwards25519 v1.2.0` - `github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0` - `github.com/Azure/azure-sdk-for-go v68.0.0+incompatible` - `github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0` - `github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1` - `github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2` - `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0` - `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0` - `github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c@faa5f7b0171c` - `github.com/Azure/go-autorest v14.2.0+incompatible` - `github.com/Azure/go-autorest/autorest v0.11.29` - `github.com/Azure/go-autorest/autorest/adal v0.9.23` - `github.com/Azure/go-autorest/autorest/azure/auth v0.5.12` - `github.com/Azure/go-autorest/autorest/azure/cli v0.4.6` - `github.com/Azure/go-autorest/autorest/date v0.3.0` - `github.com/Azure/go-autorest/logger v0.2.1` - `github.com/Azure/go-autorest/tracing v0.6.0` - `github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0` - `github.com/Microsoft/go-winio v0.6.2` - `github.com/agnivade/levenshtein v1.2.1` - `github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4` - `github.com/alibabacloud-go/cr-20160607 v1.0.1` - `github.com/alibabacloud-go/cr-20181201 v1.0.10` - `github.com/alibabacloud-go/darabonba-openapi v0.2.1` - `github.com/alibabacloud-go/debug v1.0.0` - `github.com/alibabacloud-go/endpoint-util v1.1.1` - `github.com/alibabacloud-go/openapi-util v0.1.0` - `github.com/alibabacloud-go/tea v1.2.1` - `github.com/alibabacloud-go/tea-utils v1.4.5` - `github.com/alibabacloud-go/tea-xml v1.1.3` - `github.com/aliyun/credentials-go v1.3.2` - `github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2@a9d515a09cc2` - `github.com/aws/aws-sdk-go v1.55.8` - `github.com/aws/aws-sdk-go-v2 v1.41.4` - `github.com/aws/aws-sdk-go-v2/config v1.32.12` - `github.com/aws/aws-sdk-go-v2/credentials v1.19.12` - `github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20` - `github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20` - `github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20` - `github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6` - `github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1` - `github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2` - `github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7` - `github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20` - `github.com/aws/aws-sdk-go-v2/service/kms v1.50.3` - `github.com/aws/aws-sdk-go-v2/service/signin v1.0.8` - `github.com/aws/aws-sdk-go-v2/service/sso v1.30.13` - `github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17` - `github.com/aws/aws-sdk-go-v2/service/sts v1.41.9` - `github.com/aws/smithy-go v1.24.2` - `github.com/beorn7/perks v1.0.1` - `github.com/blang/semver v3.5.1+incompatible` - `github.com/buildkite/go-pipeline v0.15.0` - `github.com/buildkite/interpolate v0.1.5` - `github.com/buildkite/roko v1.4.0` - `github.com/cenkalti/backoff/v4 v4.3.0` - `github.com/cenkalti/backoff/v5 v5.0.3` - `github.com/cespare/xxhash/v2 v2.3.0` - `github.com/chzyer/readline v1.5.1` - `github.com/clbanning/mxj/v2 v2.7.0` - `github.com/cockroachdb/apd/v3 v3.2.1` - `github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be@734e95fb86be` - `github.com/containerd/stargz-snapshotter/estargz v0.18.1` - `github.com/coreos/go-oidc/v3 v3.17.0` - `github.com/cpuguy83/go-md2man/v2 v2.0.7` - `github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc@d8f796af33cc` - `github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0` - `github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352@3a137a874352` - `github.com/dimchansky/utfbom v1.1.1` - `github.com/docker/cli v29.2.0+incompatible` - `github.com/docker/distribution v2.8.3+incompatible` - `github.com/docker/docker-credential-helpers v0.9.3` - `github.com/docker/go-units v0.5.0` - `github.com/emicklei/go-restful/v3 v3.12.2` - `github.com/emicklei/proto v1.14.2` - `github.com/felixge/httpsnoop v1.0.4` - `github.com/fsnotify/fsnotify v1.9.0` - `github.com/fxamacker/cbor/v2 v2.9.0` - `github.com/go-chi/chi/v5 v5.2.5` - `github.com/go-ini/ini v1.67.0` - `github.com/go-logr/logr v1.4.3` - `github.com/go-logr/stdr v1.2.2` - `github.com/go-openapi/analysis v0.24.3` - `github.com/go-openapi/errors v0.22.7` - `github.com/go-openapi/jsonpointer v0.22.5` - `github.com/go-openapi/jsonreference v0.21.5` - `github.com/go-openapi/loads v0.23.3` - `github.com/go-openapi/spec v0.22.4` - `github.com/go-openapi/swag/cmdutils v0.25.5` - `github.com/go-openapi/swag/fileutils v0.25.5` - `github.com/go-openapi/swag/jsonname v0.25.5` - `github.com/go-openapi/swag/jsonutils v0.25.5` - `github.com/go-openapi/swag/loading v0.25.5` - `github.com/go-openapi/swag/mangling v0.25.5` - `github.com/go-openapi/swag/netutils v0.25.5` - `github.com/go-openapi/swag/stringutils v0.25.5` - `github.com/go-openapi/swag/typeutils v0.25.5` - `github.com/go-openapi/swag/yamlutils v0.25.5` - `github.com/go-openapi/validate v0.25.2` - `github.com/go-sql-driver/mysql v1.9.3` - `github.com/go-viper/mapstructure/v2 v2.5.0` - `github.com/gobwas/glob v0.2.3` - `github.com/goccy/go-json v0.10.3` - `github.com/gogo/protobuf v1.3.2` - `github.com/golang-jwt/jwt/v4 v4.5.2` - `github.com/golang-jwt/jwt/v5 v5.3.0` - `github.com/golang/snappy v0.0.4` - `github.com/google/gnostic-models v0.7.0` - `github.com/google/go-querystring v1.1.0` - `github.com/google/s2a-go v0.1.9` - `github.com/google/trillian v1.7.2` - `github.com/google/uuid v1.6.0` - `github.com/googleapis/enterprise-certificate-proxy v0.3.14` - `github.com/googleapis/gax-go/v2 v2.19.0` - `github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4` - `github.com/hashicorp/errwrap v1.1.0` - `github.com/hashicorp/go-cleanhttp v0.5.2` - `github.com/hashicorp/go-multierror v1.1.1` - `github.com/hashicorp/go-retryablehttp v0.7.8` - `github.com/hashicorp/go-rootcerts v1.0.2` - `github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0` - `github.com/hashicorp/go-secure-stdlib/strutil v0.1.2` - `github.com/hashicorp/go-sockaddr v1.0.7` - `github.com/hashicorp/golang-lru/v2 v2.0.7` - `github.com/hashicorp/hcl v1.0.1-vault-7` - `github.com/hashicorp/vault/api v1.22.0` - `github.com/inconshreveable/mousetrap v1.1.0` - `github.com/jackc/pgpassfile v1.0.0` - `github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761@5a60cdf6a761` - `github.com/jackc/pgx/v5 v5.9.2` - `github.com/jackc/puddle/v2 v2.2.2` - `github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267@661be99b8267` - `github.com/jellydator/ttlcache/v3 v3.4.0` - `github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24@b0104c826a24` - `github.com/json-iterator/go v1.1.12` - `github.com/klauspost/compress v1.18.1` - `github.com/kylelemons/godebug v1.1.0` - `github.com/lestrrat-go/blackmagic v1.0.4` - `github.com/lestrrat-go/httpcc v1.0.1` - `github.com/lestrrat-go/httprc/v3 v3.0.0` - `github.com/lestrrat-go/jwx/v3 v3.0.10` - `github.com/lestrrat-go/option v1.0.1` - `github.com/lestrrat-go/option/v2 v2.0.0` - `github.com/letsencrypt/boulder v0.20260223.0` - `github.com/mitchellh/go-homedir v1.1.0` - `github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c@8508981c8b6c` - `github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd@bacd9c7ef1dd` - `github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee@35a7c28c31ee` - `github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822@a7dc8b61c822` - `github.com/natefinch/atomic v1.0.1` - `github.com/oklog/ulid/v2 v2.1.1` - `github.com/oleiade/reflections v1.1.0` - `github.com/opencontainers/go-digest v1.0.0` - `github.com/opencontainers/image-spec v1.1.1` - `github.com/pborman/uuid v1.2.1` - `github.com/pelletier/go-toml/v2 v2.2.4` - `github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c@5ac0b6a4141c` - `github.com/pkg/errors v0.9.1` - `github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2@5d4384ee4fb2` - `github.com/prometheus/client_golang v1.23.2` - `github.com/prometheus/client_model v0.6.2` - `github.com/prometheus/common v0.67.5` - `github.com/prometheus/procfs v0.17.0` - `github.com/protocolbuffers/txtpbfmt v0.0.0-20250627152318-f293424e46b5@f293424e46b5` - `github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475@cf1acfcdf475` - `github.com/rogpeppe/go-internal v1.14.1` - `github.com/rs/cors v1.11.1` - `github.com/russross/blackfriday/v2 v2.1.0` - `github.com/ryanuber/go-glob v1.0.0` - `github.com/sagikazarmark/locafero v0.11.0` - `github.com/sassoftware/relic v7.2.1+incompatible` - `github.com/segmentio/asm v1.2.0` - `github.com/shibumi/go-pathspec v1.3.0` - `github.com/sirupsen/logrus v1.9.4` - `github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8@5f936abd7ae8` - `github.com/spf13/afero v1.15.0` - `github.com/spf13/cast v1.10.0` - `github.com/subosito/gotenv v1.6.0` - `github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d@126854af5e6d` - `github.com/tchap/go-patricia/v2 v2.3.3` - `github.com/thales-e-security/pool v0.0.2` - `github.com/theupdateframework/go-tuf v0.7.0` - `github.com/tink-crypto/tink-go-awskms/v2 v2.1.0` - `github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0` - `github.com/tink-crypto/tink-go-hcvault/v2 v2.4.0` - `github.com/tink-crypto/tink-go/v2 v2.6.0` - `github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399@afe73141d399` - `github.com/tjfoc/gmsm v1.4.1` - `github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c@404c0d5b696c` - `github.com/urfave/negroni v1.0.0` - `github.com/valyala/fastjson v1.6.4` - `github.com/vbatts/tar-split v0.12.2` - `github.com/vektah/gqlparser/v2 v2.5.30` - `github.com/x448/float16 v0.8.4` - `github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb@02993c407bfb` - `github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415@bd5ef7bd5415` - `github.com/yashtewari/glob-intersection v0.2.0` - `go.opentelemetry.io/auto/sdk v1.2.1` - `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0` - `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0` - `go.opentelemetry.io/otel v1.43.0` - `go.opentelemetry.io/otel/metric v1.43.0` - `go.opentelemetry.io/otel/sdk v1.43.0` - `go.opentelemetry.io/otel/trace v1.43.0` - `go.step.sm/crypto v0.77.2` - `go.uber.org/multierr v1.11.0` - `go.uber.org/zap v1.27.1` - `go.yaml.in/yaml/v2 v2.4.3` - `go.yaml.in/yaml/v3 v3.0.4` - `golang.org/x/mod v0.34.0` - `golang.org/x/net v0.53.0` - `golang.org/x/sys v0.43.0` - `golang.org/x/text v0.36.0` - `golang.org/x/time v0.15.0` - `golang.org/x/tools v0.43.0` - `google.golang.org/genproto v0.0.0-20260316180232-0b37fe3546d5@0b37fe3546d5` - `google.golang.org/genproto/googleapis/api v0.0.0-20260316180232-0b37fe3546d5@0b37fe3546d5` - `google.golang.org/genproto/googleapis/rpc v0.0.0-20260316180232-0b37fe3546d5@0b37fe3546d5` - `google.golang.org/grpc v1.79.3` - `gopkg.in/evanphx/json-patch.v4 v4.12.0` - `gopkg.in/inf.v0 v0.9.1` - `gopkg.in/ini.v1 v1.67.1` - `gopkg.in/yaml.v3 v3.0.1` - `k8s.io/klog/v2 v2.130.1` - `k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b@f3f2b991d03b` - `sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8@cfa47c3a1cc8` - `sigs.k8s.io/randfill v1.0.0` - `sigs.k8s.io/structured-merge-diff/v6 v6.3.0` - `sigs.k8s.io/yaml v1.6.0` </details> </blockquote> </details> </blockquote> </details> --- - [ ] <!-- manual job -->Check this box to trigger a request for Renovate to run again on this repository
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Repository problems
Renovate tried to run on this repository, but found these problems.
Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
Ignored or Blocked
These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.
Vulnerabilities
22/26CVEs have Renovate fixes.gomod
Detected dependencies
Branch alauda-v2.5.3
Branch alauda-v2.6.2