chore(deps): bump the go_modules group across 1 directory with 9 updates

[dependabot]

Bumps the go_modules group with 3 updates in the / directory: helm.sh/helm/v3, github.com/hashicorp/go-getter and golang.org/x/image.

Updates helm.sh/helm/v3 from 3.9.4 to 3.14.3

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.14.3 is a patch release. Users are encouraged to upgrade for the best experience. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.14.3. The common platform binaries are here:

• MacOS amd64 (checksum / 4d5d01a94c7d6b07e71690dc1988bf3229680284c87f4242d28c6f1cc99653be)
• MacOS arm64 (checksum / dff794152b62b7c1a9ff615d510f8657bcd7a3727c668e0d9d4955f70d5f7573)
• Linux amd64 (checksum / 3c90f24e180f8c207b8a18e5ec82cb0fa49858a7a0a86e4ed52a98398681e00b)
• Linux arm (checksum / d4ff88f02d6731ec5dbde86a67bf391e673d0d9e87901727fbf62372aff106ec)
• Linux arm64 (checksum / 85e1573e76fa60af14ba7e9ec75db2129b6884203be866893fa0b3f7e41ccd5e)
• Linux i386 (checksum / af89e5df5cd21efe4dcaa478b19aaf17d22820716f93c1f098b00f1b7cfe1905)
• Linux ppc64le (checksum / aab121ca470e2a502cda849a9b3e92eeb9a32e213b0f0a79a95a04e375d26ce7)
• Linux s390x (checksum / d64fa8aced3244b549377741dc4e2db8109e5270c0723c11b547a9da5f99ad43)
• Linux riscv64 (checksum / f9f4e68bf43632f5df29e6c9fa760813d7e3537ed91d838cfdc2f103f8442b33)
• Windows amd64 (checksum / 369c6db1c114ef2a00793e9a587db6d7b2c72a23e37fd905c8deb78e9a8f7af6)

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @​mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 3.14.4 will contain only bug fixes and be released on April 10, 2024.
• 3.15.0 is the next feature release and will be on May 08, 2024.

Changelog

• Add a note about --dry-run displaying secrets f03cc04caaa8f6d7c3e67cf918929150cf6f3f12 (Matt Farina)
• add error messages 1a7330fe3802beeb3f897a1c701d8a4b9c1316c5 (George Jenkins)
• Fix: Ignore alias validation error for index load d6acc0027dca47dec40ccdd66febd0c8bcf4813f (George Jenkins)
• chore(deps): bump github.com/containerd/containerd from 1.7.11 to 1.7.12 b2738fb782d149ffa4748cb0ee78d674986d04b0 (dependabot[bot])
• chore(deps): bump github.com/DATA-DOG/go-sqlmock from 1.5.0 to 1.5.2 5b0847e0e763e98bcbf8a12e8f9c5f7c11d123a1 (dependabot[bot])
• Update architecture detection method 7e18c39f0753c73e4660f3796f01f5b33f2552b5 (weidongkl)

Helm v3.14.2 is a security (patch) release. Users are strongly recommended to update to this release.

A Helm contributor discovered uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content.

Jakub Ciolek with AlphaSense discovered the vulnerability.

Installation and Upgrading

... (truncated)

Commits

• f03cc04 Add a note about --dry-run displaying secrets
• 1a7330f add error messages
• d6acc00 Fix: Ignore alias validation error for index load
• b2738fb chore(deps): bump github.com/containerd/containerd from 1.7.11 to 1.7.12
• 5b0847e chore(deps): bump github.com/DATA-DOG/go-sqlmock from 1.5.0 to 1.5.2
• 7e18c39 Update architecture detection method
• c309b6f Some fixes
• e8858f8 validation fix
• 3fc9f4b Improve release action
• 69dcc92 bump version to
• Additional commits viewable in compare view

Updates github.com/containerd/containerd from 1.6.18 to 1.7.12

Release notes

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.12

Welcome to the v1.7.12 release of containerd!

The twelfth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

• Fix on dialer function for Windows (#9501)
• Improve /etc/group handling when appending groups (#9544)
• Update shim pidfile permissions to 0644 (#9548)
• Update runc binary to v1.1.11 (#9596)
• Allow import and export to reference missing content (#9600)
• Remove runc import (#9605)
• Update Go version to 1.20.13 (#9624)

Deprecation Warnings

• Emit deprecation warning for containerd.io/restart.logpath label usage (#9567)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Sebastiaan van Stijn
• Wei Fu
• Derek McGowan
• Paweł Gronowski
• Jaroslav Jindrak
• Maksym Pavlenko
• Samuel Karp
• Anthony Nandaa
• Bjorn Neergaard
• Djordje Lukic
• Kay Yan

Changes

• [release/1.7] Prepare release notes for v1.7.12 (#9632)
  • 775d544fe Prepare release notes for v1.7.12
• [release/1.7] update to go1.20.13, test go1.21.6 (#9624)
  • a5dc5b894 update to go1.20.13, test go1.21.6
• [release/1.7] shim: Create pid-file and address with 0644 permissions (#9548)
  • 8d82242eb shim: Create address file with 0644 permissions
  • 260963a35 shim: Create pid-file with 0644 permissions

... (truncated)

Commits

• 71909c1 Merge pull request #9632 from dmcgowan/prepare-v1.7.12
• 775d544 Prepare release notes for v1.7.12
• 4ebe8e2 Merge pull request #9624 from thaJeztah/1.7_update_golang_1.20.13
• a5dc5b8 update to go1.20.13, test go1.21.6
• 50e7359 Merge pull request #9548 from Dzejrou/1.7_fix_ignoring_umask
• 5a675f2 Merge pull request #9602 from thaJeztah/1.7_backport_no_execabs
• ccca466 Merge pull request #9605 from thaJeztah/1.7_backport_switch_moby_user
• 9251072 remove github.com/opencontainers/runc dependency
• 4e67213 vendor: github.com/cncf-tags/container-device-interface v0.6.1
• e0ee0be go.mod: github.com/opencontainers/runtime-spec v1.1.0
• Additional commits viewable in compare view

Updates github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.2.4

This release fixes a potential security issue in filepath-securejoin when used on Windows (GHSA-6xv5-86q9-7xr8, which could be used to generate paths outside of the provided rootfs in certain cases), as well as improving the overall behaviour of filepath-securejoin when dealing with Windows paths that contain volume names. Thanks to Paulo Gomes for discovering and fixing these issues.

In addition, we've switched (at long last) to GitHub Actions and have continuous integration testing on Linux, MacOS, and Windows.

Thanks to the following contributors for making this release possible:

• Aleksa Sarai [email protected]
• Paulo Gomes [email protected]

Signed-off-by: Aleksa Sarai [email protected]

Commits

• 2710d06 VERSION: release v0.2.4
• 6894341 merge #9 into main
• c121231 Fix support for Windows
• 05b6423 ci: switch to GHA
• 64536a8 VERSION: back to development
• See full diff in compare view

Updates github.com/hashicorp/go-getter from 1.6.2 to 1.7.4

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.4

What's Changed

• Escape user-provided strings in git commands hashicorp/go-getter#483
• Fixed a bug in .netrc handling if the file does not exist hashicorp/go-getter#433

Full Changelog: hashicorp/go-getter@v1.7.3...v1.7.4

v1.7.3

What's Changed

• SEC-090: Automated trusted workflow pinning (2023-04-21) by @​hashicorp-tsccr in hashicorp/go-getter#432
• SEC-090: Automated trusted workflow pinning (2023-09-11) by @​hashicorp-tsccr in hashicorp/go-getter#454
• SEC-090: Automated trusted workflow pinning (2023-09-18) by @​hashicorp-tsccr in hashicorp/go-getter#458
• don't change GIT_SSH_COMMAND when there is no sshKeyFile by @​jbardin in hashicorp/go-getter#459

New Contributors

• @​hashicorp-tsccr made their first contribution in hashicorp/go-getter#432

Full Changelog: hashicorp/go-getter@v1.7.2...v1.7.3

v1.7.2

What's Changed

• Don't override GIT_SSH_COMMAND when not needed by @​nl-brett-stime hashicorp/go-getter#300

Full Changelog: hashicorp/go-getter@v1.7.1...v1.7.2

v1.7.1

No release notes provided.

v1.7.0

What's Changed

• docs: provide logging recommendations by @​mickael-hc in hashicorp/go-getter#371
• Update aws sdk version by @​Jukie in hashicorp/go-getter#384
• Update S3 URL in README by @​twelvelabs in hashicorp/go-getter#378
• Migrate to GHA by @​claire-labry in hashicorp/go-getter#379
• [COMPLIANCE] Update MPL 2.0 LICENSE by @​hashicorp-copywrite in hashicorp/go-getter#386
• remove codesign entirely from go-getter by @​claire-labry in hashicorp/go-getter#408
• Add decompression bomb mitigation options for v1 by @​picatz in hashicorp/go-getter#412
• v1: decompressors: add LimitedDecompressors helper by @​shoenig in hashicorp/go-getter#413

New Contributors

• @​mickael-hc made their first contribution in hashicorp/go-getter#371
• @​Jukie made their first contribution in hashicorp/go-getter#384
• @​twelvelabs made their first contribution in hashicorp/go-getter#378
• @​hashicorp-copywrite made their first contribution in hashicorp/go-getter#386

Full Changelog: hashicorp/go-getter@v1.6.2...v1.7.0

Commits

• 268c11c escape user provide string to git (#483)
• 975961f Merge pull request #433 from adrian-bl/netrc-fix
• 0298a22 Merge pull request #459 from hashicorp/jbardin/setup-git-env
• c70d9c9 don't change GIT_SSH_COMMAND if there's no keyfile
• 3d5770f Merge pull request #458 from hashicorp/tsccr-auto-pinning/trusted/2023-09-18
• 0688979 Result of tsccr-helper -log-level=info -pin-all-workflows .
• e66f244 Merge pull request #454 from hashicorp/tsccr-auto-pinning/trusted/2023-09-11
• e80b3dc Result of tsccr-helper -log-level=info -pin-all-workflows .
• 2d49e24 Merge pull request #432 from hashicorp/tsccr-auto-pinning/trusted/2023-04-21
• 5ccb39a Make addAuthFromNetrc ignore ENOTDIR errors
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.1.0 to 0.17.0

Commits

• 9d2ee97 ssh: implement strict KEX protocol changes
• 4e5a261 ssh: close net.Conn on all NewServerConn errors
• 152cdb1 x509roots/fallback: update bundle
• fdfe1f8 ssh: defer channel window adjustment
• b8ffc16 blake2b: drop Go 1.6, Go 1.8 compatibility
• 7e6fbd8 ssh: wrap errors from client handshake
• bda2f3f argon2: avoid clobbering BP
• 325b735 ssh/test: skip TestSSHCLIAuth on Windows
• 1eadac5 go.mod: update golang.org/x dependencies
• b2d7c26 ssh: add (*Client).DialContext method
• Additional commits viewable in compare view

Updates golang.org/x/image from 0.5.0 to 0.10.0

Commits

• cb227cd tiff: limit work when decoding malicious images
• a5392f0 bmp: support to decode 8-bit format with up to 256 color palette
• f9550b0 go.mod: update golang.org/x dependencies
• 81c166c go.mod: update golang.org/x dependencies
• ed5dba0 go.mod: update golang.org/x dependencies
• 08ca817 font: have Glyph return !ok for U+FFFD substitute
• b6ac75b go.mod: update golang.org/x dependencies
• 1b74412 font/sfnt: set type for all NameID constants
• f632f7f tiff, tiff/lzw, vector: use single space in comments
• See full diff in compare view

Updates golang.org/x/net from 0.7.0 to 0.17.0

Commits

• b225e7c http2: limit maximum handler goroutines to MaxConcurrentStreams
• 88194ad go.mod: update golang.org/x dependencies
• 2b60a61 quic: fix several bugs in flow control accounting
• 73d82ef quic: handle DATA_BLOCKED frames
• 5d5a036 quic: handle streams moving from the data queue to the meta queue
• 350aad2 quic: correctly extend peer's flow control window after MAX_DATA
• 21814e7 quic: validate connection id transport parameters
• a600b35 quic: avoid redundant MAX_DATA updates
• ea63359 http2: check stream body is present on read timeout
• ddd8598 quic: version negotiation
• Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.47.0 to 1.58.3

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.58.3

Security

• server: prohibit more than MaxConcurrentStreams handlers from running at once (CVE-2023-44487)

  In addition to this change, applications should ensure they do not leave running tasks behind related to the RPC before returning from method handlers, or should enforce appropriate limits on any such work.

Release 1.58.2

Bug Fixes

• balancer/weighted_round_robin: fix ticker leak on update

  A new ticker is created every time there is an update of addresses or configuration, but was not properly stopped. This change stops the ticker when it is no longer needed.

Release 1.58.1

Bug Fixes

• grpc: fix a bug that was decrementing active RPC count too early for streaming RPCs; leading to channel moving to IDLE even though it had open streams
• grpc: fix a bug where transports were not being closed upon channel entering IDLE

Release 1.58.0

API Changes

See #6472 for details about these changes.

• balancer: add StateListener to NewSubConnOptions for SubConn state updates and deprecate Balancer.UpdateSubConnState (#6481)
  • UpdateSubConnState will be deleted in the future.
• balancer: add SubConn.Shutdown and deprecate Balancer.RemoveSubConn (#6493)
  • RemoveSubConn will be deleted in the future.
• resolver: remove deprecated AddressType (#6451)
  • This was previously used as a signal to enable the "grpclb" load balancing policy, and to pass LB addresses to the policy. Instead, balancer/grpclb/state.Set() should be used to add these addresses to the name resolver's output. The built-in "dns" name resolver already does this.
• resolver: add new field Endpoints to State and deprecate Addresses (#6471)
  • Addresses will be deleted in the future.

New Features

• balancer/leastrequest: Add experimental support for least request LB policy and least request configured as a custom xDS policy (#6510, #6517)
  • Set GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST=true to enable
• stats: Add an RPC event for blocking caused by the LB policy's picker (#6422)

Bug Fixes

• clusterresolver: fix deadlock when dns resolver responds inline with update or error at build time (#6563)
• grpc: fix a bug where the channel could erroneously report TRANSIENT_FAILURE when actually moving to IDLE (#6497)
• balancergroup: do not cache closed sub-balancers by default; affects rls, weightedtarget and clustermanager LB policies (#6523)
• client: fix a bug that prevented detection of RPC status in trailers-only RPC responses when using ClientStream.Header(), and prevented retry of the RPC (#6557)

Performance Improvements

• client & server: Add experimental [With]SharedWriteBuffer to improve performance by reducing allocations when sending RPC messages. (Disabled by default.) (#6309)
  • Special Thanks: @​s-matyukevich

... (truncated)

Commits

• bf05b95 Change version.go to v1.58.3 (#6707)
• c40c9ba server: prohibit more than MaxConcurrentStreams handlers from running at once...
• dd9270d update version to 1.58.3-dev (#6656)
• c0aa20a Change version to 1.58.2 (#6654)
• 67a53a6 balancer/weightedroundrobin: fix ticker leak on update (#6655)
• 863de73 update version to 1.58.2-dev (#6633)
• 62726d4 update version to 1.58.1 (#6629)
• fa6d9ab cherry-pick 6610 and 6620 (#6627)
• 467fbf2 Change version to 1.58.1-dev (#6580)
• c2b0797 Change version to 1.58.0 (#6579)
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.28.0 to 1.31.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.