Skip to content

chore(deps): bump github.com/sigstore/cosign/v2 from 2.6.2 to 2.6.3#153

Merged
dtrudg merged 1 commit into
mainfrom
dependabot/go_modules/github.com/sigstore/cosign/v2-2.6.3
Apr 9, 2026
Merged

chore(deps): bump github.com/sigstore/cosign/v2 from 2.6.2 to 2.6.3#153
dtrudg merged 1 commit into
mainfrom
dependabot/go_modules/github.com/sigstore/cosign/v2-2.6.3

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 7, 2026
edited
Loading

Bumps github.com/sigstore/cosign/v2 from 2.6.2 to 2.6.3.

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.6.3

Changelog

v2.6.3 resolves GHSA-w6c6-c85g-mmv6.

  • fecddd3c22045a39f52392e71e79f66854b41352 Fix DSSE predicate check (#4802)
  • 564c5b1b0bed7bd991910774c47df1150ffb8aa8 Backport bundle detection to sign and attest (#4727)

Thanks to all contributors!

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v3.0.5

Deprecations

  • Deprecate rekor-entry-type flag (#4691)
  • Deprecate cosign triangulate (#4676)
  • Deprecate cosign copy (#4681)

Features

  • Automatically require signed timestamp with Rekor v2 entries (#4666)
  • Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
  • Add mTLS support for TSA client connections when signing with a signing config (#4620)
  • Enforce TSA requirement for Rekor v2, Fuclio signing (#4683)

Bug Fixes

  • Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
  • fix: avoid panic on malformed attestation payload (#4651)
  • fix: avoid panic on malformed tlog entries (#4649)
  • fix: avoid panic on malformed replace payload (#4653)
  • Gracefully fail if bundle payload body is not a string (#4648)
  • Verify validity of chain rather than just certificate (#4663)
  • fix: avoid panic on malformed tlog entry body (#4652)

Documentation

  • docs(cosign): clarify RFC3161 revocation semantics (#4642)
  • Fix typo in CLI help (#4701)

v3.0.4

v3.0.4 resolves GHSA-whqx-f9j3-ch6m.

Changes

  • Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4623)
  • Optimize cosign tree performance by caching digest resolution (#4612)
  • Don't require a trusted root to verify offline with a key (#4613)
  • Support default services for trusted-root and signing-config creation (#4592)
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 7, 2026
@dependabot
chore(deps): bump github.com/sigstore/cosign/v2 from 2.6.2 to 2.6.3
4b7cf99 
Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.6.2 to 2.6.3.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v2.6.2...v2.6.3)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v2
  dependency-version: 2.6.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/sigstore/cosign/v2-2.6.3 branch from b51fdfe to 4b7cf99 Compare April 9, 2026 13:37
@dtrudg dtrudg merged commit 7ca7ff7 into main Apr 9, 2026
10 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/sigstore/cosign/v2-2.6.3 branch April 9, 2026 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dtrudg dtrudg dtrudg approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dtrudg