chore(deps): update module github.com/theupdateframework/go-tuf to v2 (9.4)

[elastic-renovate-prod]

This PR contains the following updates:

Package	Type	Update	Change
github.com/theupdateframework/go-tuf	indirect	major	v0.7.0 -> v2.4.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

theupdateframework/go-tuf (github.com/theupdateframework/go-tuf)

v2.4.1

Compare Source

What's Changed

• chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7188
• Enforce a stricter validation on the repo name for TAP 4 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/720

Full Changelog: theupdateframework/go-tuf@v2.4.0...v2.4.1

v2.4.0

Compare Source

What's Changed

• Add BitLength validation for SuccinctRoles by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/716
• Add thread safety documentation for key types by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/715
• Use restrictive permissions (0700) for cache directories by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/714
• Breaking change: Replace panic with error return in Key.ID() by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/713

Full Changelog: theupdateframework/go-tuf@v2.3.1...v2.4.0

v2.3.1

Compare Source

What's Changed

• chore(deps): bump golang.org/x/crypto from 0.40.0 to 0.45.0 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7022
• Resolve govulncheck errors by bumping go to 1.24.11 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/707
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7044
• modern go (1.20+) improvements by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/705
• chore(deps): bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7066
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.1 to 0.10.0 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/7088
• Perform type assertion by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/710
• Add tests for failing type assertions by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/711
• Verify threshold is valid by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/712

Full Changelog: theupdateframework/go-tuf@v2.3.0...v2.3.1

v2.3.0

Compare Source

What's Changed

• Update the config for govulncheck by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/697
• Bump Go to 1.24.9 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/698

Full Changelog: theupdateframework/go-tuf@v2.2.0...v2.3.0

v2.2.0

Compare Source

What's Changed

• fix: treat http 403 as an updater error by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/687
• chore(deps): bump github.com/sigstore/sigstore from 1.8.4 to 1.8.7 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6466
• chore(deps): bump github.com/cenkalti/backoff/v5 from 5.0.2 to 5.0.3 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6900
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.0 to 0.9.1 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6911
• chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6922
• chore(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6933
• chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @​dependabot[bot] inhttps://github.com/theupdateframework/go-tuf/pull/6944

Full Changelog: theupdateframework/go-tuf@v2.1.1...v2.2.0

v2.1.1

Compare Source

What's Changed

Fixed a regression that can fail clients using the DefaultFetcher{} directly without using the constructor.

• Set a default HTTP client for DefaultFetcher in DownloadFile method if none is set by @​malancas in https://github.com/theupdateframework/go-tuf/pull/686

Full Changelog: theupdateframework/go-tuf@v2.1.0...v2.1.1

v2.1.0

Compare Source

What's Changed

• Move the repository package under examples/repository by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/656
• docs: Joshua retiring as a maintainer by @​joshuagl in https://github.com/theupdateframework/go-tuf/pull/657
• fix: multirepo potential nil pointer dereference by @​MrDan4es in https://github.com/theupdateframework/go-tuf/pull/658
• chore(deps): bump golang.org/x/crypto from 0.23.0 to 0.31.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/661
• chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/662
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/663
• Use the correct verifier for RSA PSS scheme keys by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/625
• updater.go: replace os.WriteFile with file.Write() by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/669
• Remove readFile() and reverseSlice() in favour of stdlib by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/671
• updater.go: replace url.QueryEscape() with url.PathEscape() by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/675
• Bump Go to 1.22 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/677
• chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/679
• chore: make function comment match function name by @​suchsoon in https://github.com/theupdateframework/go-tuf/pull/680
• Update README.md by @​trishankatdatadog in https://github.com/theupdateframework/go-tuf/pull/681
• chore(deps): bump golang.org/x/crypto from 0.31.0 to 0.35.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/683
• Allow users to configure custom http.Client or http.RoundTripper in DefaultFetcher by @​malancas in https://github.com/theupdateframework/go-tuf/pull/682
• Allow users to configure retry behavior in DefaultFetcher by @​malancas in https://github.com/theupdateframework/go-tuf/pull/684
• Added back timeout to the fetcher DownloadFile method to avoid a breaking change. by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/685

New Contributors

• @​MrDan4es made their first contribution in https://github.com/theupdateframework/go-tuf/pull/658
• @​suchsoon made their first contribution in https://github.com/theupdateframework/go-tuf/pull/680

Full Changelog: theupdateframework/go-tuf@v2.0.2...v2.1.0

v2.0.2

Compare Source

What's Changed

• Error in case the delegated role is missing from the snapshot by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/652

Full Changelog: theupdateframework/go-tuf@v2.0.1...v2.0.2

v2.0.1

Compare Source

What's Changed

Security

• Fix incorrect delegation lookups that can make go-tuf download the wrong artifact by @​rdimitrov (Thanks to @​AdamKorcz for reporting it). This fixes CVE-2024-47534 GHSA-4f8r-qqr9-fq8j

Other

• Update MAINTAINERS.md by @​trishankatdatadog in https://github.com/theupdateframework/go-tuf/pull/647
• Update the staging TUF repo in the multi-repo example by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/650
• Fix branch name in multi-repo client example by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/651

Full Changelog: theupdateframework/go-tuf@v2.0.0...v2.0.1

v2.0.0

Compare Source

Breaking changes

• This is the first release of go-tuf v2 and it's a complete re-write indicated by the new major version.
• We also decided to leave go-tuf as a library only.

What's Changed

• chore: fixes the CI status badge and updates the README.md file by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/569
• chore(deps): bump securesystemslib from 0.30.0 to 0.31.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/570
• docs: add Marvin Drees to the list of go-tuf maintainers by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/571
• chore(deps): bump actions/setup-python from 4.7.1 to 5.0.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/572
• chore: enable grouping of minor and patch updates. by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/580
• fix: update tests.yml bumping golangci-lint by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/582
• chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/573
• chore(deps): bump github/codeql-action from 2 to 3 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/574
• chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/575
• chore(deps): bump golang.org/x/term from 0.15.0 to 0.16.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/577
• chore(deps): bump the minor-patch group with 2 updates by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/581
• feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/583
• Update license from BSD-2-Clause to Apache-2.0 by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/585
• chore(deps): bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/584
• Replace main with master in workflows by @​kipz in https://github.com/theupdateframework/go-tuf/pull/587
• Do not pin to minor Go versions in go.mod by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/588
• Fixes for windows & enable in CI by @​kipz in https://github.com/theupdateframework/go-tuf/pull/586
• Bring back SECURITY.md by @​trishankatdatadog in https://github.com/theupdateframework/go-tuf/pull/591
• remove dependency on golang.org/x/exp by @​mikedanese in https://github.com/theupdateframework/go-tuf/pull/600
• Refactor errors to use pointer receivers by @​codysoyland in https://github.com/theupdateframework/go-tuf/pull/602
• move testutils under an ./internal/ directory by @​mikedanese in https://github.com/theupdateframework/go-tuf/pull/601
• Enable macos and windows runners for examples.yml and tests.yml by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/604
• Do not run CI for all Go versions and use caching by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/606
• chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/610
• Don't rename unless file is in same dir by @​jonnystoten in https://github.com/theupdateframework/go-tuf/pull/603
• Use filepath.Join when combining filesystem components by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/611
• Always use forward slash when splitting target names by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/612
• chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/614
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/615
• chore(deps): use stdlib ed25519 instead of x by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/620
• chore(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/621
• chore(ci): bump action hashes by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/618
• chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/622
• Silence govulncheck by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/619
• feat: replace logrus in sim with slog by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/617
• repository_simulator_setup.go: Use filepath.Join() instead of concatenation by @​udf2457 in https://github.com/theupdateframework/go-tuf/pull/624
• Fixes README references from rdimitrov/go-tuf-metadata to theupdateframework/go-tuf by @​rdimitrov in https://github.com/theupdateframework/go-tuf/pull/626
• fix: use SHA384 for ECDSA P384 by @​mrjoelkamp in https://github.com/theupdateframework/go-tuf/pull/629
• chore(deps): bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/627
• Remove nil error from being printed in "persist metadata" error message by @​malancas in https://github.com/theupdateframework/go-tuf/pull/633
• fix: deep targets file path by @​mrjoelkamp in https://github.com/theupdateframework/go-tuf/pull/632
• feat: add missing CODEOWNERS and MAINTAINERS file by @​MDr164 in https://github.com/theupdateframework/go-tuf/pull/635
• Update MAINTAINERS by @​trishankatdatadog in https://github.com/theupdateframework/go-tuf/pull/636
• chore(deps): bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/637
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @​dependabot in https://github.com/theupdateframework/go-tuf/pull/640
• fix: configurable temp file directory by @​mrjoelkamp in https://github.com/theupdateframework/go-tuf/pull/638
• export API to set RefTime of Updater by @​AdamKorcz in https://github.com/theupdateframework/go-tuf/pull/641
• Add the ability to customize the HTTP user agent by @​steiza in https://github.com/theupdateframework/go-tuf/pull/642
• Increase the default value for MaxRootRotations by @​kommendorkapten in https://github.com/theupdateframework/go-tuf/pull/645

New Contributors

• @​kipz made their first contribution in https://github.com/theupdateframework/go-tuf/pull/587
• @​mikedanese made their first contribution in https://github.com/theupdateframework/go-tuf/pull/600
• @​codysoyland made their first contribution in https://github.com/theupdateframework/go-tuf/pull/602
• @​jonnystoten made their first contribution in https://github.com/theupdateframework/go-tuf/pull/603
• @​MDr164 made their first contribution in https://github.com/theupdateframework/go-tuf/pull/620
• @​mrjoelkamp made their first contribution in https://github.com/theupdateframework/go-tuf/pull/629
• @​malancas made their first contribution in https://github.com/theupdateframework/go-tuf/pull/633
• @​AdamKorcz made their first contribution in https://github.com/theupdateframework/go-tuf/pull/641
• @​steiza made their first contribution in https://github.com/theupdateframework/go-tuf/pull/642

Full Changelog: theupdateframework/go-tuf@v0.7.0...v2.0.0

---

Configuration

📅 Schedule: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b renovate/9.4-github.com-theupdateframework-go-tuf-2.x upstream/renovate/9.4-github.com-theupdateframework-go-tuf-2.x
git merge upstream/9.4
git push upstream renovate/9.4-github.com-theupdateframework-go-tuf-2.x

[elastic-renovate-prod]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 2.x releases. But if you manually upgrade to 2.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.