Bump the go-modules group with 2 updates by dependabot[bot] · Pull Request #1597 · paketo-buildpacks/node-engine

dependabot · 2026-06-18T16:53:50Z

Bumps the go-modules group with 2 updates: github.com/cyphar/filepath-securejoin and github.com/google/go-containerregistry.

Updates github.com/cyphar/filepath-securejoin from 0.6.1 to 0.7.0

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.7.0] - 2025-06-17

You talk of times of peace for all, and then prepare for war.

Changed

Update to cyphar.com/go-pathrs@0.2.5, which included a build-time API breakage that we needed to work around. The API of this library is unchanged by this, but users should make sure to update to v0.7.0 of filepath-securejoin if they use the libpathrs built tag and have update to libpathrs v0.2.5.

Commits

8096a95 VERSION: release v0.7.0
1324ccb merge #101 into cyphar/filepath-securejoin:main
dd8f0bb deps: bump to cyphar.com/go-pathrs@v0.2.5
c9a7725 gha: bump golangci-lint to v2.12
2e968bd Merge pull request #91 from cyphar/dependabot/github_actions/actions/download...
2879148 Merge pull request #90 from cyphar/dependabot/github_actions/actions/upload-a...
07b805b build(deps): bump actions/download-artifact from 6 to 7
8507844 build(deps): bump actions/upload-artifact from 5 to 6
daef0cf Merge pull request #89 from cyphar/dependabot/github_actions/actions/checkout-6
95f8ea4 build(deps): bump actions/checkout from 5 to 6
Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.21.6 to 0.21.7

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.7

What's Changed

tarball: return error instead of panicking on missing rootfs.diff_ids by @iahsanGill in google/go-containerregistry#2304

gcrane: honor --platform flag in copy by @iahsanGill in google/go-containerregistry#2307

mutate: verify layer digests in Extract and Time by @momenashrafff in google/go-containerregistry#2303

tarball: close layer readers during Write by @nandbhat in google/go-containerregistry#2308

build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in google/go-containerregistry#2311

build(deps): bump github.com/docker/cli from 29.4.3+incompatible to 29.5.2+incompatible in the go-deps group across 1 directory by @dependabot[bot] in google/go-containerregistry#2312

BUGFIX: Fail with error when read exceeds maximum by @inteon in google/go-containerregistry#2328

build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in google/go-containerregistry#2327

fix(name): anchor loopback registry detection by @rohan-patnaik in google/go-containerregistry#2314

Reject symlinks in OCI layout blobs by @mosskappa in google/go-containerregistry#2306

fix(crane): avoid creating export tar on pull failure by @Haihan-Jiang in google/go-containerregistry#2318

feat(kubernetes): allow ignoring pull secrets by @rohan-patnaik in google/go-containerregistry#2315

fix(name): preserve localhost registry references by @rohan-patnaik in google/go-containerregistry#2316

pkg/registry: export ErrNotFound by @malt3 in google/go-containerregistry#2176

pkg/registry: export RedirectError by @malt3 in google/go-containerregistry#2177

build(deps): bump the go-deps group across 1 directory with 2 updates by @dependabot[bot] in google/go-containerregistry#2343

build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in google/go-containerregistry#2344

fix: prevent SSRF in google.List() pagination by @tufstraka in google/go-containerregistry#2332

internal/gzip: fix goroutine leak in ReadCloserLevel by @amarkdotdev in google/go-containerregistry#2347

fix(transport): apply refreshed bearer token after cross-host redirect by @64johnlee in google/go-containerregistry#2337

build(deps): bump the go-deps group across 3 directories with 4 updates by @dependabot[bot] in google/go-containerregistry#2348

fix(tarball): normalize paths when matching files by @bstoll in google/go-containerregistry#2334

transport: do not re-attach bearer token after cross-host redirect by @evilgensec in google/go-containerregistry#2349

Bump CI go version to 1.26.4 by @Subserial in google/go-containerregistry#2350

New Contributors

@momenashrafff made their first contribution in google/go-containerregistry#2303

@nandbhat made their first contribution in google/go-containerregistry#2308

@inteon made their first contribution in google/go-containerregistry#2328

@rohan-patnaik made their first contribution in google/go-containerregistry#2314

@mosskappa made their first contribution in google/go-containerregistry#2306

@Haihan-Jiang made their first contribution in google/go-containerregistry#2318

@tufstraka made their first contribution in google/go-containerregistry#2332

@amarkdotdev made their first contribution in google/go-containerregistry#2347

@64johnlee made their first contribution in google/go-containerregistry#2337

@bstoll made their first contribution in google/go-containerregistry#2334

Full Changelog: google/go-containerregistry@v0.21.6...v0.21.7

Commits

c68d899 Bump go version to 1.26.4 (#2350)
da61d86 transport: do not re-attach bearer token after cross-host redirect (#2349)
09fe1e5 fix(tarball): normalize paths when matching files (#2334)
5baa399 build(deps): bump the go-deps group across 3 directories with 4 updates (#2348)
97a8a17 fix(transport): apply refreshed bearer token after cross-host redirect (#2337)
e963497 internal/gzip: fix goroutine leak in ReadCloserLevel (#2347)
02649ea fix: prevent SSRF in google.List() pagination (#2332)
7204b40 build(deps): bump the actions group across 1 directory with 2 updates (#2344)
4cfaa93 build(deps): bump the go-deps group across 1 directory with 2 updates (#2343)
6849394 pkg/registry: export RedirectError (#2177)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-modules group with 2 updates: [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) and [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry). Updates `github.com/cyphar/filepath-securejoin` from 0.6.1 to 0.7.0 - [Release notes](https://github.com/cyphar/filepath-securejoin/releases) - [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md) - [Commits](cyphar/filepath-securejoin@v0.6.1...v0.7.0) Updates `github.com/google/go-containerregistry` from 0.21.6 to 0.21.7 - [Release notes](https://github.com/google/go-containerregistry/releases) - [Commits](google/go-containerregistry@v0.21.6...v0.21.7) --- updated-dependencies: - dependency-name: github.com/cyphar/filepath-securejoin dependency-version: 0.7.0 dependency-type: indirect update-type: version-update:semver-minor dependency-group: go-modules - dependency-name: github.com/google/go-containerregistry dependency-version: 0.21.7 dependency-type: indirect update-type: version-update:semver-patch dependency-group: go-modules ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 18, 2026

dependabot Bot requested review from a team as code owners June 18, 2026 16:53

dependabot Bot added the go Pull requests that update Go code label Jun 18, 2026

dependabot Bot requested review from pacostas and paketo-bot-reviewer and removed request for a team June 18, 2026 16:53

dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 18, 2026

paketo-bot added the semver:patch A change requiring a patch version bump label Jun 18, 2026

paketo-bot-reviewer approved these changes Jun 18, 2026

View reviewed changes

paketo-bot merged commit 3cc5d5a into main Jun 18, 2026
11 of 12 checks passed

paketo-bot deleted the dependabot/go_modules/go-modules-b8a3054473 branch June 18, 2026 17:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the go-modules group with 2 updates#1597

Bump the go-modules group with 2 updates#1597
paketo-bot merged 1 commit into
mainfrom
dependabot/go_modules/go-modules-b8a3054473

dependabot Bot commented on behalf of github Jun 18, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

dependabot Bot commented on behalf of github Jun 18, 2026

[0.7.0] - 2025-06-17

Changed

v0.21.7

What's Changed

New Contributors

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants