chore(deps): bump the common group across 1 directory with 40 updates

[dependabot]

Bumps the common group with 26 updates in the / directory:

Package	From	To
github.com/Azure/azure-sdk-for-go/sdk/azcore	1.21.0	1.21.1
github.com/CycloneDX/cyclonedx-go	0.10.0	0.11.0
github.com/GoogleCloudPlatform/docker-credential-gcr/v2	2.1.31	2.1.32
github.com/alicebob/miniredis/v2	2.36.1	2.38.0
github.com/apparentlymart/go-cidr	1.1.0	1.1.1
github.com/containerd/containerd/v2	2.2.1	2.3.0
github.com/fatih/color	1.18.0	1.19.0
github.com/go-git/go-git/v5	5.16.5	5.19.0
github.com/google/go-containerregistry	0.20.7	0.21.5
github.com/hashicorp/go-getter	1.8.4	1.8.6
github.com/hashicorp/go-version	1.8.0	1.9.0
github.com/hashicorp/hc-install	0.9.2	0.9.5
github.com/hashicorp/terraform-exec	0.24.0	0.25.2
github.com/in-toto/in-toto-golang	0.10.0	0.11.0
github.com/magefile/mage	1.15.0	1.17.2
github.com/mattn/go-shellwords	1.0.12	1.0.13
github.com/open-policy-agent/opa	1.13.1	1.16.2
github.com/openvex/go-vex	0.2.7	0.2.8
github.com/samber/lo	1.52.0	1.53.0
github.com/secure-systems-lab/go-securesystemslib	0.10.0	0.11.0
github.com/sigstore/rekor	1.5.0	1.5.1
golang.org/x/vuln	1.1.4	1.3.0
helm.sh/helm/v3	3.20.0	3.21.0
modernc.org/sqlite	1.45.0	1.50.1
github.com/invopop/jsonschema	0.13.0	0.14.0
github.com/nikolalohinski/gonja/v2	2.6.0	2.8.0

Updates github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.0 to 1.21.1

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/azcore's releases.

sdk/azcore/v1.21.1

1.21.1 (2026-04-16)

Bugs Fixed

• Fixed an issue in ResponseError.Error() where the request URL path was being logged unescaped.
• Redact query parameters when logging errors.
• For runtime.JoinPaths, don't add a slash between root and paths when paths starts with ? (query string).

Other Changes

• Upgraded to Go 1.25.0.
• Upgraded dependencies.

Commits

• 63e4ba1 Bump release date for azcore (#26613)
• fa03121 remove bypass local dns (#26609)
• c47f9a6 Sync eng/common directory with azure-sdk-tools for PR 15153 (#26607)
• 88b8b5b Changelog for v2.2.0 (#26567)
• 72ca19a Storage STG 101 (#26568)
• b64baf5 Sync .github directory with azure-sdk-tools repository (#26600)
• ecd64dd Prep azcore@v1.21.1 for release (#26596)
• 1d02f20 Update copilot code review instructions and migration breaking change mitigat...
• f6e9ce3 Sync eng/common directory with azure-sdk-tools for PR 14973 (#26531)
• d5a3baf Update CODEOWNERS to remove one owner from Custom Providers (#26588)
• Additional commits viewable in compare view

Updates github.com/CycloneDX/cyclonedx-go from 0.10.0 to 0.11.0

Release notes

Sourced from github.com/CycloneDX/cyclonedx-go's releases.

v0.11.0

Changelog

Building and Packaging

• 32221d4829e8ec6007896af2d7f11fd6ba13d6c5: build(deps): bump actions/setup-go from 6.2.0 to 6.4.0 (#261) (@​dependabot[bot])
• a42a4dd9163df91c4173d41db2cc7ed67f0db0b6: build(deps): bump gitpod/workspace-go from 08a7c68 to 00059ff (#255) (@​dependabot[bot])
• 9810ab9f48d46f134ad9a13bbabd1397cc64804e: build(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.1 (#263) (@​dependabot[bot])

Others

• 2cef05662cba14b4ae948b1858fee532f8adadd1: Add comprehensive support for CycloneDX 1.7 specification (#257) (@​alistair-mclean)
• 3ed34da50502f9b9d6ac9dff64df8b08e53aa2a5: Added 5 missing fields to match CycloneDX 1.6 spec: (#256) (@​alistair-mclean)

Commits

• a42a4dd build(deps): bump gitpod/workspace-go from 08a7c68 to 00059ff (#255)
• 9810ab9 build(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.1 (#263)
• 32221d4 build(deps): bump actions/setup-go from 6.2.0 to 6.4.0 (#261)
• 2cef056 Add comprehensive support for CycloneDX 1.7 specification (#257)
• 3ed34da Added 5 missing fields to match CycloneDX 1.6 spec: (#256)
• See full diff in compare view

Updates github.com/GoogleCloudPlatform/docker-credential-gcr/v2 from 2.1.31 to 2.1.32

Release notes

Sourced from github.com/GoogleCloudPlatform/docker-credential-gcr/v2's releases.

v2.1.32

What's Changed

• Add missing AR domains by @​Subserial in GoogleCloudPlatform/docker-credential-gcr#186
• Update logrus to use newer version with no CVE by @​cm894865 in GoogleCloudPlatform/docker-credential-gcr#187

New Contributors

• @​cm894865 made their first contribution in GoogleCloudPlatform/docker-credential-gcr#187

Full Changelog: GoogleCloudPlatform/docker-credential-gcr@v2.1.31...v2.1.32

Commits

• 711dd80 Update logrus to use newer version with no CVE (#187)
• 2c33e9c Merge pull request #186 from Subserial/Subserial-patch-1
• 0692b51 Add missing AR domains
• See full diff in compare view

Updates github.com/alicebob/miniredis/v2 from 2.36.1 to 2.38.0

Release notes

Sourced from github.com/alicebob/miniredis/v2's releases.

DELEX and fixes

• XADD TRIM (thanks @​evan-choi)
• update XINFO STREAM (thanks @​TomBailey167)
• lua fix (thanks @​infastin)
• partial support for DELEX

HEXPIRE

• support HEXPIRE (thanks @​mojixcoder)

Changelog

Sourced from github.com/alicebob/miniredis/v2's changelog.

v2.38.0

• XADD TRIM (thanks @​evan-choi)
• update XINFO STREAM (thanks @​TomBailey167)
• lua fix (thanks @​infastin)
• partial support for DELEX

v2.37.0

• support HEXPIRE (thanks @​mojixcoder)

Commits

• d67bfae update changelog for v2.38.0
• 2b1abd8 DELEX (partly) (#442)
• 452dd37 Merge pull request #440 from infastin/server-alias
• b5b8ec2 feat: add 'server' alias to 'redis' in lua scripts
• ecc4af1 Merge pull request #439 from TomBailey167/xinfo-stream-last-generated-id
• 4a2a33e Merge pull request #435 from evan-choi/fix/xadd-equals-trim-modifier
• d6261ef feat: add last-generated-id to XINFO STREAM response
• f4d8aa3 fix: accept = trim modifier in xadd
• c1b59bf feat: implement HEXPIRE command (#424)
• See full diff in compare view

Updates github.com/apparentlymart/go-cidr from 1.1.0 to 1.1.1

Commits

• 5730b04 SubnetBig returns error for negative subnet number
• fab7bb4 HostBig: Don't crash for out-of-range hostnum greater than max uint64
• e4ff799 Update doc comment spacing for newer gofmt behavior
• See full diff in compare view

Updates github.com/containerd/containerd/v2 from 2.2.1 to 2.3.0

Release notes

Sourced from github.com/containerd/containerd/v2's releases.

containerd 2.3.0

Welcome to the v2.3.0 release of containerd!

The third minor release of containerd 2.x focuses on continued stability alongside new features and improvements. This is the third time-based release for containerd.

Starting with containerd 2.3, the project has moved to release cadence aligned with the Kubernetes release schedule, with new minor releases about every 4 months. The containerd 2.3 release is also the first annual LTS (Long Term Stable) release under this new schedule, with support planned for at least two years. Direct upgrades between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.

Highlights

• Add transfer types for container filesystem copy (#13165)
• Add option to inject trace ID to logs (#13117)
• Propagate OpenTelemetry traces in outgoing RPCs from plugin clients (#13113)
• Update plugin config migration to run on load (#12608)
• Update sandbox API to include spec field (#12840)

Container Runtime Interface (CRI)

• Allow containers to use user namespaces with host networking (#12518)
• Wire UpdatePodSandboxResources to Sandbox API (#13118)
• Unpack images with per-layer labels for specific runtime (#12835)
• Populate ImageId field in container status (#12787)
• Set annotations parameter in CreateSandbox request (#12566)
• Add background stats collector to calculate UsageNanoCores for containers and pod sandboxes (#12629)

Image Distribution

• Support zstd-wrapped EROFS layers (#13185)
• Add os.features support for EROFS native container images (#13091)
• Add EROFS layer media type (#12567)

Image Storage

• Add dmverity support to the erofs snapshotter (#12502)
• Use fsmount API to avoid PAGE_SIZE limit for erofs (#12783)

Node Resource Interface (NRI)

• Pass container user (uid, gids) to plugins (#12769)
• Pass seccomp policy to plugins (#12768)
• Pass any POSIX rlimits to plugins (#12765)
• Pass extended container status to NRI. (#12770)
• Pass injected CDI devices to plugins (#12767)
• Pass linux sysctl to plugins (#12766)
• Use dedicated RPC calls for all pod and container life-cycle events via the NRI wire protocol (containerd/nri#274)
• Add basic metrics collection for the NRI framework (containerd/nri#277)

... (truncated)

Changelog

Sourced from github.com/containerd/containerd/v2's changelog.

Versioning and Release

This document details the versioning and release plan for containerd. Stability is a top goal for this project, and we hope that this document and the processes it entails will help to achieve that. It covers the release process, versioning numbering, backporting, API stability and support horizons.

If you rely on containerd, it would be good to spend time understanding the areas of the API that are and are not supported and how they impact your project in the future.

This document will be considered a living document. Supported timelines, backport targets and API stability guarantees will be updated here as they change.

If there is something that you require or this document leaves out, please reach out by filing an issue.

Releases

Releases of containerd will be versioned using dotted triples, similar to Semantic Version. For the purposes of this document, we will refer to the respective components of this triple as <major>.<minor>.<patch>. The version number may have additional information, such as alpha, beta and release candidate qualifications. Such releases will be considered "pre-releases".

Major and Minor Releases

Major and minor releases of containerd will be made from main. Releases of containerd will be marked with GPG signed tags and announced at https://github.com/containerd/containerd/releases. The tag will be of the format v<major>.<minor>.<patch> and should be made with the command git tag -s v<major>.<minor>.<patch>.

After a minor release, a branch will be created, with the format release/<major>.<minor> from the minor tag. All further patch releases will be done from that branch. For example, once we release v1.0.0, a branch release/1.0 will be created from that tag. All future patch releases will be done against that branch.

Release Cadence

Since containerd v2.3 in April 2026, minor releases are provided on a time basis with a cadence of 4 months. New minor releases are scheduled for April, August, and December of each year. This cadence is synchronized with the Kubernetes release schedule to ensure that new features in containerd can be smoothly adopted by new Kubernetes releases.

The maintainers will maintain a roadmap and milestones for each release, however,

... (truncated)

Commits

• 2976f38 Merge pull request #13325 from dmcgowan/prepare-v2.3.0
• 77eeb2d Prepare release notes for v2.3.0
• c55ada3 Update api to v1.11.0
• ebf4404 Update release document
• f49640e Merge pull request #13321 from dmcgowan/remove-erofs-fsmerge-threshold
• e3d5fe8 Merge pull request #13322 from dmcgowan/prepare-api-v1.11.0
• ee17fa1 Merge pull request #13317 from fuweid/fix-merge-issue
• b7f8c35 erofs: remove fsmerge threshold from snapshotter
• 8f2fce4 Prepare release notes for v1.11.0
• ce2955c Merge pull request #13319 from mxpv/depr
• Additional commits viewable in compare view

Updates github.com/containerd/platforms from 1.0.0-rc.2 to 1.0.0-rc.4

Release notes

Sourced from github.com/containerd/platforms's releases.

v1.0.0-rc.4

What's Changed

• refactor, optimize FormatAll, ParseAll by @​thaJeztah in containerd/platforms#30
• Strip the win32k when comparing windows platforms by @​dmcgowan in containerd/platforms#31
• Add OnlyOS function allow matching any architecture by @​dmcgowan in containerd/platforms#33

Full Changelog: containerd/platforms@v1.0.0-rc.3...v1.0.0-rc.4

v1.0.0-rc.3

What's Changed

• Update GitHub actions by @​dmcgowan in containerd/platforms#27
• Add support for OS Features in the format by @​dmcgowan in containerd/platforms#16
• Match and Compare platforms with OSFeatures by @​dmcgowan in containerd/platforms#20
• Add encoding to os version and features by @​dmcgowan in containerd/platforms#28

Full Changelog: containerd/platforms@v1.0.0-rc.2...v1.0.0-rc.3

Commits

• 09756f5 Merge pull request #33 from dmcgowan/only-os
• 3a284c1 Merge pull request #31 from dmcgowan/windows-strip-features
• 1e75776 Merge pull request #30 from thaJeztah/platforms_refactor
• adbf321 Strip the win32k when comparing windows platforms
• 27058a1 Add OnlyOS function allow matching any architecture
• d028ee3 ParseAll: refactor
• 8f5e31a FormatAll: use a string-builder for formatting os-options
• 0165130 modernize --fix
• f453a3a go.mod: bump minimum go version to go1.24
• 042728d add benchmark for Parse, FormatAll
• Additional commits viewable in compare view

Updates github.com/fatih/color from 1.18.0 to 1.19.0

Release notes

Sourced from github.com/fatih/color's releases.

v1.19.0

What's Changed

• Bump golang.org/x/sys from 0.25.0 to 0.28.0 by @​dependabot[bot] in fatih/color#246
• Fix for issue #230 set/unsetwriter symmetric wrt color support detection by @​ataypamart in fatih/color#243
• chore: go mod cleanup by @​sashamelentyev in fatih/color#244
• Bump golang.org/x/sys from 0.28.0 to 0.30.0 by @​dependabot[bot] in fatih/color#249
• Bump github.com/mattn/go-colorable from 0.1.13 to 0.1.14 by @​dependabot[bot] in fatih/color#248
• Update CI and go deps by @​fatih in fatih/color#254
• Bump golang.org/x/sys from 0.31.0 to 0.37.0 by @​dependabot[bot] in fatih/color#268
• fix: include escape codes in byte counts from Fprint, Fprintf by @​qualidafial in fatih/color#282
• Bump golang.org/x/sys from 0.37.0 to 0.40.0 by @​dependabot[bot] in fatih/color#277
• fix: add nil check for os.Stdout to prevent panic on Windows services by @​majiayu000 in fatih/color#275
• Bump dominikh/staticcheck-action from 1.3.1 to 1.4.0 by @​dependabot[bot] in fatih/color#259
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in fatih/color#273
• Optimize Color.Equals performance (O(n²) → O(n)) by @​UnSubble in fatih/color#269
• Bump actions/setup-go from 5 to 6 by @​dependabot[bot] in fatih/color#266

New Contributors

• @​ataypamart made their first contribution in fatih/color#243
• @​sashamelentyev made their first contribution in fatih/color#244
• @​qualidafial made their first contribution in fatih/color#282
• @​majiayu000 made their first contribution in fatih/color#275
• @​UnSubble made their first contribution in fatih/color#269

Full Changelog: fatih/color@v1.18.0...v1.19.0

Commits

• ca25f6e Merge pull request #266 from fatih/dependabot/github_actions/actions/setup-go-6
• 1205984 Bump actions/setup-go from 5 to 6
• 5715c20 Merge pull request #269 from UnSubble/main
• 2f6e200 Merge branch 'main' into main
• f72ec94 Merge pull request #273 from fatih/dependabot/github_actions/actions/checkout-6
• 848e633 Merge branch 'main' into main
• 4c2cd34 Add tests
• 7f812f0 Bump actions/checkout from 4 to 6
• b7fc9f9 Merge pull request #259 from fatih/dependabot/github_actions/dominikh/staticc...
• 239a88f Bump dominikh/staticcheck-action from 1.3.1 to 1.4.0
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.16.5 to 5.19.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.19.0

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#2010
• v5: Bump sha1cd and go-billy by @​pjbgf in go-git/go-git#2060
• v5: Align object encoding with upstream by @​pjbgf in go-git/go-git#2065

Full Changelog: go-git/go-git@v5.18.0...v5.19.0

v5.18.0

What's Changed

• plumbing: transport/http, Add support for followRedirects policy by @​pjbgf in go-git/go-git#2004

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1941
• dotgit: skip writing pack files that already exist on disk by @​pjbgf in go-git/go-git#1944

⚠️ This release fixes a bug (go-git/go-git#1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

v5.17.1

What's Changed

• build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1930
• [v5] plumbing: format/index, Improve v4 entry name validation by @​pjbgf in go-git/go-git#1935
• [v5] plumbing: format/idxfile, Fix version and fanout checks by @​pjbgf in go-git/go-git#1937

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1839
• git: worktree, optimize infiles function for very large repos by @​k-anshul in go-git/go-git#1853
• git: Add strict checks for supported extensions by @​pjbgf in go-git/go-git#1861
• backport, git: Improve Status() speed with new index.ModTime check by @​cedric-appdirect in go-git/go-git#1862
• storage: filesystem, Avoid overwriting loose obj files by @​pjbgf in go-git/go-git#1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

Commits

• bc930f4 Merge pull request #2065 from go-git/commit-v5
• d315264 plumbing: object, Reset object before decode
• 6e1d348 plumbing: object, Align Tree handling with upstream
• e134ba3 tests: Skip double checks in Git v2.11
• 1971422 tests: Add git conformance tests for signing verification
• a387aa8 plumbing: object, Add ErrMalformedTag
• f415670 plumbing: object, Decode Tag headers via a state machine
• 5b0cd38 plumbing: object, Reject multi-signature commits at Verify
• fe8ed62 plumbing: object, Align Tag.EncodeWithoutSignature with Commit
• 98e337d plumbing: object, Add support for Tag.SignatureSHA256
• Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.20.7 to 0.21.5

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.5

What's Changed

• Bump docker/cli v29.4.0, moby/api v1.54.1, moby/client v0.4.0 by @​thaJeztah in google/go-containerregistry#2254
• update to Go 1.26.2 by @​thaJeztah in google/go-containerregistry#2255
• Bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 in the actions group across 1 directory by @​dependabot[bot] in google/go-containerregistry#2257
• build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 in the go-deps group across 1 directory by @​dependabot[bot] in google/go-containerregistry#2260

Full Changelog: google/go-containerregistry@v0.21.4...v0.21.5

v0.21.4

What's Changed

• go.mod: do not make a viral minimum go version by @​howardjohn in google/go-containerregistry#2237
• Avoid pruning absolute links from extracted and flattened images by @​Subserial in google/go-containerregistry#2241
• Bump the go-deps group across 3 directories with 5 updates by @​dependabot[bot] in google/go-containerregistry#2245
• fix: update to go1.25.8, and use separate .go-version file by @​thaJeztah in google/go-containerregistry#2246
• Bump CI go version to 1.26.1 by @​Subserial in google/go-containerregistry#2242
• Bump codecov/codecov-action from 5.5.2 to 5.5.3 in the actions group by @​dependabot[bot] in google/go-containerregistry#2240
• fork distribution client v3 auth-challenge as an internal package (squashed) by @​thaJeztah in google/go-containerregistry#2248
• transport: validate Bearer realm URL to prevent SSRF by @​evilgensec in google/go-containerregistry#2243
• revert path traversal and symlink escape from #2227 by @​Subserial in google/go-containerregistry#2250
• Fix pkg/v1/google/auth tests for arm64 by @​Subserial in google/go-containerregistry#2085
• goreleaser: Update goreleaser config and GH action by @​Subserial in google/go-containerregistry#2253

New Contributors

• @​evilgensec made their first contribution in google/go-containerregistry#2243

Full Changelog: google/go-containerregistry@v0.21.3...v0.21.4

v0.21.3

What's Changed

• Adds local file support to the crane index subcommand by @​edwardthiele in google/go-containerregistry#2223
• migrate to github.com/moby/moby modules by @​thaJeztah in google/go-containerregistry#2228
• Bump the go-deps group across 4 directories with 7 updates by @​dependabot[bot] in google/go-containerregistry#2233
• Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 in the actions group by @​dependabot[bot] in google/go-containerregistry#2220
• mutate: reject path traversal and symlink escape in Extract by @​KevinZhao in google/go-containerregistry#2227
• tarball: detect symlink cycles in extractFileFromTar by @​vnykmshr in google/go-containerregistry#2232
• bump golang to 1.25.7 by @​Subserial in google/go-containerregistry#2236

New Contributors

• @​edwardthiele made their first contribution in google/go-containerregistry#2223
• @​thaJeztah made their first contribution in google/go-containerregistry#2228
• @​KevinZhao made their first contribution in google/go-containerregistry#2227
• @​vnykmshr made their first contribution in google/go-containerregistry#2232

Full Changelog: google/go-containerregistry@v0.21.2...v0.21.3

v0.21.2

What's Changed

• Better handle redirects to https in ping by @​jonjohnsonjr in google/go-containerregistry#2225

... (truncated)

Commits

• 5b80281 build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 in the go-deps gro...
• b99bca2 build(deps): bump aws-actions/configure-aws-credentials (#2257)
• f8be1d4 update to Go 1.26.2 (#2255)
• 87ad88b Bump docker/cli v29.4.0, moby/api v1.54.1, moby/client v0.4.0 (#2254)
• e8813dd goreleaser: Update goreleaser config and GH action for releases (#2253)
• e90447d replace gcloud in binary calls in pkg/v1/google tests (#2085)
• 0d0368c revert path traversal and symlink escape changes (#2250)
• a2f47d4 transport: validate Bearer realm URL to prevent SSRF (#2243)
• 19a36cd fork distribution client v3 auth-challenge as an internal package (squashed) ...
• c612a9b Bump codecov/codecov-action from 5.5.2 to 5.5.3 in the actions group (#2240)
• Additional commits viewable in compare view

Updates github.com/hashicorp/go-getter from 1.8.4 to 1.8.6

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.8.6

No release notes provided.

v1.8.5

What's Changed

• [chore] : Bump the go group with 2 updates by @​dependabot[bot] in hashicorp/go-getter#576
• use %w to wrap error by @​Ericwww in hashicorp/go-getter#475
• fix: #538 http file download skipped if headResp.ContentLength is 0 by @​martijnvdp in hashicorp/go-getter#539
• chore: fix error message capitalization in checksum function by @​ssagarverma in hashicorp/go-getter#578
• [chore] : Bump the go group with 8 updates by @​dependabot[bot] in hashicorp/go-getter#577
• Fix git url with ambiguous ref by @​nimasamii in hashicorp/go-getter#382
• fix: resolve compilation errors in get_git_test.go by @​CreatorHead in hashicorp/go-getter#579
• [chore] : Bump the actions group with 2 updates by @​dependabot[bot] in hashicorp/go-getter#582
• [chore] : Bump the go group with 3 updates by @​dependabot[bot] in hashicorp/go-getter#583
• test that arbitrary files cannot be checksummed by @​schmichael in hashicorp/go-getter#250
• [chore] : Bump google.golang.org/api from 0.260.0 to 0.262.0 in the go group by @​dependabot[bot] in hashicorp/go-getter#585
• [chore] : Bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by @​dependabot[bot] in hashicorp/go-getter#586
• [chore] : Bump the go group with 3 updates by @​dependabot[bot] in hashicorp/go-getter#588
• [chore] : Bump actions/cache from 5.0.2 to 5.0.3 in the actions group by @​dependabot[bot] in hashicorp/go-getter#589
• [chore] : Bump aws-actions/configure-aws-credentials from 5.1.1 to 6.0.0 in the actions group by @​dependabot[bot] in hashicorp/go-getter#592
• [chore] : Bump google.golang.org/api from 0.264.0 to 0.265.0 in the go group by @​dependabot[bot] in hashicorp/go-getter#591
• [chore] : Bump the go group with 5 updates by @​dependabot[bot] in hashicorp/go-getter#593
• IND-6310 - CRT Onboarding by @​nasareeny in hashicorp/go-getter#584
• Fix crt build path by @​ssagarverma in hashicorp/go-getter#594
• [chore] : Bump the go group with 3 updates by @​dependabot[bot] in hashicorp/go-getter#596
• fix: remove checkout action from set-product-version job by @​ssagarverma in hashicorp/go-getter#598
• [chore] : Bump the actions group with 4 updates by @​dependabot[bot] in hashicorp/go-getter#595
• fix(deps): upgrade go.opentelemetry.io/otel/sdk to v1.40.0 (GO-2026-4394) by @​ssagarverma in hashicorp/go-getter#599
• Prepare go-getter for v1.8.5 release by @​nasareeny in hashicorp/go-getter#597
• [chore] : Bump the actions group with 2 updates by @​dependabot[bot] in hashicorp/go-getter#600
• sec: bump go and xrepos + redact aws tokens in url by @​dduzgun-security in hashicorp/go-getter#604

NOTES:

Binary Distribution Update: To streamline our release process and align with other HashiCorp tools, all release binaries will now be published exclusively to the official HashiCorp release site. We will no longer attach release assets to GitHub Releases.

New Contributors

• @​Ericwww made their first contribution in hashicorp/go-getter#475
• @​martijnvdp made their first contribution in hashicorp/go-getter#539
• @​nimasamii made their first contribution in hashicorp/go-getter#382
• @​nasareeny made their first contribution in hashicorp/go-getter#584

Full Changelog: hashicorp/go-getter@v1.8.4...v1.8.5

Commits

• d23bff4 Merge pull request #608 from hashicorp/dependabot/go_modules/go-security-9c51...
• 2c4aba8 Merge pull request #613 from hashicorp/pull/v1.8.6
• fe61ed9 Merge pull request #611 from hashicorp/SECVULN-41053
• d533656 Merge pull request #606 from hashicorp/pull/CRT
• 388f23d Additional test for local branch and head
• b7ceaa5 harden checkout ref handling and added regression tests
• 769cc14 Release version bump up
• 6086a6aDescription has been truncated