chore(deps): Bump the production-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the production-dependencies group with 6 updates in the / directory:

Package	From	To
github.com/spf13/cobra	1.10.1	1.10.2
k8s.io/apimachinery	0.33.5	0.34.2
github.com/cyphar/filepath-securejoin	0.5.1	0.6.1
github.com/docker/cli	29.0.3+incompatible	29.1.2+incompatible
github.com/klauspost/compress	1.18.1	1.18.2
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring	0.85.0	0.87.0

Updates github.com/spf13/cobra from 1.10.1 to 1.10.2

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.10.2

🔧 Dependencies

• chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @​dims in spf13/cobra#2336 - the gopkg.in/yaml.v3 package has been deprecated for some time: this should significantly cleanup dependency/supply-chains for consumers of spf13/cobra

📈 CI/CD

• Fix linter and allow CI to pass by @​marckhouzam in spf13/cobra#2327
• fix: actions/setup-go v6 by @​jpmcb in spf13/cobra#2337

🔥✍🏼 Docs

• Add documentation for repeated flags functionality by @​rvergis in spf13/cobra#2316

🍂 Refactors

• refactor: replace several vars with consts by @​htoyoda18 in spf13/cobra#2328
• refactor: change minUsagePadding from var to const by @​ssam18 in spf13/cobra#2325

🤗 New Contributors

• @​rvergis made their first contribution in spf13/cobra#2316
• @​htoyoda18 made their first contribution in spf13/cobra#2328
• @​ssam18 made their first contribution in spf13/cobra#2325
• @​dims made their first contribution in spf13/cobra#2336

Full Changelog: spf13/cobra@v1.10.1...v1.10.2

Thank you to our amazing contributors!!!!! 🐍 🚀

Commits

• 88b30ab chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#2336)
• 346d408 fix: actions/setup-go v6 (#2337)
• fc81d20 refactor: change minUsagePadding from var to const (#2325)
• 117698a refactor: replace several vars with consts (#2328)
• e2dd29d Add documentation for repeated flags functionality (#2316)
• 0629892 Fix linter (#2327)
• See full diff in compare view

Updates k8s.io/apimachinery from 0.33.5 to 0.34.2

Commits

• b72d93d Merge remote-tracking branch 'origin/master' into release-1.34
• cd8b91c clarify that staging repos are automatically published
• 8c59599 add pointer to CONTRIBUTING.md for more details on contributing, clarify read...
• ec3cea5 link to what a staging repository is
• e4db694 docs: clarify that this is a staging repository and not for direct contributions
• 04507a3 Merge pull request #132942 from thockin/kyaml
• 50e39b1 Merge pull request #132935 from benluddy/cbor-bump-custom-marshalers
• 7d108e8 Re-vendor sigs.k8s.io/yaml @ v1.6.0
• 58c4eb0 Merge pull request #133130 from ylink-lfs/chore/residual_boolptr_removal
• 38a24e6 chore: residual boolptr and intptr removal
• Additional commits viewable in compare view

Updates github.com/cyphar/filepath-securejoin from 0.5.1 to 0.6.1

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.6.0 -- "By the Power of Greyskull!"

While quite small code-wise, this release marks a very key point in the development of filepath-securejoin.

filepath-securejoin was originally intended (back in 2017) to simply be a single-purpose library that would take some common code used in container runtimes (specifically, Docker's FollowSymlinksInScope) and make it more general-purpose (with the eventual goals of it ending up in the Go stdlib).

Of course, I quickly discovered that this problem was actually far more complicated to solve when dealing with racing attackers, which lead to me developing openat2(2) and libpathrs. I had originally planned for libpathrs to completely replace filepath-securejoin "once it was ready" but in the interim we needed to fix several race attacks in runc as part of security advisories. Obviously we couldn't require the usage of a pre-0.1 Rust library in runc so it was necessary to port bits of libpathrs into filepath-securejoin. (Ironically the first prototypes of libpathrs were originally written in Go and then rewritten to Rust, so the code in filepath-securejoin is actually Go code that was rewritten to Rust then re-rewritten to Go.)

It then became clear that pure-Go libraries will likely not be willing to require CGo for all of their builds, so it was necessary to accept that filepath-securejoin will need to stay. As such, in v0.5.0 we provided more pure-Go implementations of features from libpathrs but moved them into pathrs-lite subpackage to clarify what purpose these helpers serve.

This release finally closes the loop and makes it so that pathrs-lite can transparently use libpathrs (via a libpathrs build-tag). This means that upstream libraries can use the pure Go version if they prefer, but downstreams (either downstream library users or even downstream distributions) are able to migrate to libpathrs for all usages of pathrs-lite in an entire Go binary.

I should make it clear that I do not plan to port the rest of libpathrs to Go, as I do not wish to maintain two copies of the same codebase. pathrs-lite already provides the core essentials necessary to operate on paths safely for most modern systems. Users who want additional hardening or more ergonomic APIs are free to use cyphar.com/go-pathrs (libpathrs's Go bindings).

Breaking

• The deprecated MkdirAll, MkdirAllHandle, OpenInRoot, OpenatInRoot and Reopen wrappers have been removed. Please switch to using pathrs-lite directly.

Added

• pathrs-lite now has support for using libpathrs as a backend. This is opt-in and can be enabled at build time with the libpathrs build tag. The intention is to allow for downstream libraries and other projects to

... (truncated)

Changelog

Sourced from github.com/cyphar/filepath-securejoin's changelog.

[0.6.1] - 2025-11-19

At last up jumped the cunning spider, and fiercely held her fast.

Fixed

• Our logic for deciding whether to use openat2(2) or fallback to an O_PATH resolver would cache the result to avoid doing needless test runs of openat2(2). However, this causes issues when pathrs-lite is being used by a program that applies new seccomp-bpf filters onto itself -- if the filter denies openat2(2) then we would return that error rather than falling back to the O_PATH resolver. To resolve this issue, we no longer cache the result if openat2(2) was successful, only if there was an error.
• A file descriptor leak in our openat2 wrapper (when doing the necessary dup for RESOLVE_IN_ROOT) has been removed.

[0.5.2] - 2025-11-19

"Will you walk into my parlour?" said a spider to a fly.

Fixed

• Our logic for deciding whether to use openat2(2) or fallback to an O_PATH resolver would cache the result to avoid doing needless test runs of openat2(2). However, this causes issues when pathrs-lite is being used by a program that applies new seccomp-bpf filters onto itself -- if the filter denies openat2(2) then we would return that error rather than falling back to the O_PATH resolver. To resolve this issue, we no longer cache the result if openat2(2) was successful, only if there was an error.
• A file descriptor leak in our openat2 wrapper (when doing the necessary dup for RESOLVE_IN_ROOT) has been removed.

[0.6.0] - 2025-11-03

By the Power of Greyskull!

Breaking

• The deprecated MkdirAll, MkdirAllHandle, OpenInRoot, OpenatInRoot and Reopen wrappers have been removed. Please switch to using pathrs-lite directly.

Added

• pathrs-lite now has support for using libpathrs as a backend. This is opt-in and can be enabled at build time with the libpathrs build tag. The intention is to allow for downstream libraries and other projects to make use of the pure-Go github.com/cyphar/filepath-securejoin/pathrs-lite package and distributors can then opt-in to using libpathrs for the entire binary if they wish.

Commits

• 9c4135b VERSION: release 0.6.1
• d952bef merge v0.5.x branch into main
• deb72a4 CHANGELOG: fix unreleased links
• 336bf8f merge #87 into cyphar/filepath-securejoin:v0.5.x
• 23c6e21 VERSION: back to development
• 6311ca8 VERSION: release v0.5.2
• 91da803 merge #86 into cyphar/filepath-securejoin:v0.5.x
• 4dbce7c gopathrs: close the fd after dup in openat2
• 1eaadd6 merge #85 into cyphar/filepath-securejoin:main
• c1c2a53 gopathrs: close the fd after dup in openat2
• Additional commits viewable in compare view

Updates github.com/docker/cli from 29.0.3+incompatible to 29.1.2+incompatible

Commits

• 890dcca Merge pull request #6688 from vvoland/update-go
• d544885 update to go1.25.5
• c197aa7 Merge pull request #6687 from thaJeztah/use_subtests
• ba683d8 opts/swarmopts: use sub-tests
• 0aedba5 Merge pull request #6669 from vvoland/29-norc
• dd2be02 gha/e2e: Switch to rc and 29 latest
• 360952c Merge pull request #6680 from thaJeztah/bump_modules
• 8fc15ea Merge pull request #6579 from dvdksn/doc-daemon-buildc-example
• 1abfbf2 vendor: github.com/moby/moby/client v0.2.1
• e0d30db docs: update buildgc example config to use new buildkit v0.17 options
• Additional commits viewable in compare view

Updates github.com/klauspost/compress from 1.18.1 to 1.18.2

Release notes

Sourced from github.com/klauspost/compress's releases.

v1.18.2

What's Changed

• flate: Fix invalid encoding on level 9 with single value input by @​klauspost in klauspost/compress#1115
• flate: reduce stateless allocations by @​RXamzin in klauspost/compress#1106
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 in the github-actions group by @​dependabot[bot] in klauspost/compress#1111

v1.18.1 is marked "retracted" due to invalid flate/zip/gzip encoding.

New Contributors

• @​RXamzin made their first contribution in klauspost/compress#1106

Full Changelog: klauspost/compress@v1.18.1...v1.18.2

Commits

• 444d5d9 Fix invalid encoding on level 9 with single value input (#1115)
• 503c028 build(deps): bump github/codeql-action in the github-actions group (#1111)
• 701ca28 flate: reduce stateless allocations (#1106)
• e0b47ff Update changelog
• See full diff in compare view

Updates github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring from 0.85.0 to 0.87.0

Release notes

Sourced from github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring's releases.

0.87.0 / 2025-11-20

• [FEATURE] Add status subresource for PrometheusRule custom resources (requires the StatusForConfigurationResources feature gate). #8069 #8086 #8024 #8005
• [ENHANCEMENT] Avoid statefulset's rollout due to changes in the number of rule configmaps for Prometheus and ThanosRuler. #8010
• [ENHANCEMENT] Support Azure system-assigned managed identities for remote-write configuration. #7815
• [ENHANCEMENT] Add monospace field to to pushoverConfig receiver in AlertmanagerConfig CRD. #8018
• [BUGFIX] Propagate Certificate Authority updates for HTTP configuration in Alertmanager's global configuration. #8089

0.86.2 / 2025-11-07

• [CHANGE/BUGFIX] Fix operator's permissions to emit Kubernetes events. #8077

0.86.1 / 2025-10-13

• [BUGFIX] Fix formatting of Kubernetes events. #8015

0.86.0 / 2025-10-07

[!NOTE] This release introduces the status subresource (behind the StatusForConfigurationResources feature gate) for ServiceMonitor, PodMonitor, Probe and Scrapeconfig custom resources. It is only supported for Prometheus resources.

[!IMPORTANT] This release enables automatic UTF-8 character support in label names, metric names and PrometheusRule expressions for Prometheus/PrometheusAgent resources running with version >= 3.0.0.

To preserve backward compatibility, the admission webhook service validates PrometheusRule resources against the legacy Prometheus scheme by default (but it can be changed with the --name-validation-scheme flag).

• [CHANGE] Remove automatic addition of the metadata-wal-records feature flag for Prometheus versions >= 3.4. #7893
• [CHANGE] Add miscellaneous validations to the ScrapeConfig CRD. #7856 #7823 #7835 #7838 #7838 ##7966
• [CHANGE/FEATURE] Add support for UTF-8 characters to label names and metric names in PrometheusRule resources and relabel configurations. #7637 #7985
• [FEATURE] Add the flag --name-validation-scheme to admission webhook to select between utf8 and legacy validations. #7985
• [FEATURE] Add status subresource for ServiceMonitor custom resources (requires the StatusForConfigurationResources feature gate). #7767 #7836 #7827 #7795
• [FEATURE] Add status subresource for PodMonitor custom resources (requires the StatusForConfigurationResources feature gate). #7929 #7914 #7936
• [FEATURE] Add status subresource for ScrapeConfig custom resources (requires the StatusForConfigurationResources feature gate). #7958 #7964 #7969
• [FEATURE] Add status subresource for Probe custom resources (requires the StatusForConfigurationResources feature gate). #7933 #7934 #7980
• [FEATURE] Add serviceDiscoveryRole field to ServiceMonitor. #7982
• [FEATURE] Add useFIPSSTSEndpoint field to Sigv4 config. #7987
• [FEATURE] Add UnderscoreEscapingWithoutSuffixes to the translationStrategy field for the Prometheus and PrometheusAgent CRDs. #7947
• [FEATURE] Add promoteScopeMetadata field to the Prometheus and PrometheusAgent CRDs. #7803
• [FEATURE] Add enableHttp2 field to Alertmanager and AlertmanagerConfig CRDs. #7963
• [ENHANCEMENT] Add the related object to the events emitted by the operator. #7867 #7953
• [ENHANCEMENT] Add webhook validation for the MSTeams V2 receiver of AlertmanagerConfig CRD. #7906
• [ENHANCEMENT] Add app.kubernetes.io/managed-by: prometheus-operator label to all managed resources. #7939
• [BUGFIX] Prevent duplicate authentication settings in PodMonitor. #7975
• [BUGFIX] Use distinct port name for the config-reloader init container to avoid duplicate port name warnings. #7904
• [BUGFIX] Validate the PagerDuty URL in the Alertmanager's global configuration. #7945

Changelog

Sourced from github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring's changelog.

0.87.0 / 2025-11-20

• [FEATURE] Add status subresource for PrometheusRule custom resources (requires the StatusForConfigurationResources feature gate). #8069 #8086 #8024 #8005
• [ENHANCEMENT] Avoid statefulset's rollout due to changes in the number of rule configmaps for Prometheus and ThanosRuler. #8010
• [ENHANCEMENT] Support Azure system-assigned managed identities for remote-write configuration. #7815
• [ENHANCEMENT] Add monospace field to to pushoverConfig receiver in AlertmanagerConfig CRD. #8018
• [BUGFIX] Propagate Certificate Authority updates for HTTP configuration in Alertmanager's global configuration. #8089

0.86.2 / 2025-11-07

• [CHANGE/BUGFIX] Fix operator's permissions to emit Kubernetes events. #8077

0.86.1 / 2025-10-13

• [BUGFIX] Fix formatting of Kubernetes events. #8015

0.86.0 / 2025-10-07

[!NOTE] This release introduces the status subresource (behind the StatusForConfigurationResources feature gate) for ServiceMonitor, PodMonitor, Probe and Scrapeconfig custom resources. It is only supported for Prometheus resources.

[!IMPORTANT] This release enables automatic UTF-8 character support in label names, metric names and PrometheusRule expressions for Prometheus/PrometheusAgent resources running with version >= 3.0.0.

To preserve backward compatibility, the admission webhook service validates PrometheusRule resources against the legacy Prometheus scheme by default (but it can be changed with the --name-validation-scheme flag).

• [CHANGE] Remove automatic addition of the metadata-wal-records feature flag for Prometheus versions >= 3.4. #7893
• [CHANGE] Add miscellaneous validations to the ScrapeConfig CRD. #7856 #7823 #7835 #7838 #7838 #7966
• [CHANGE/FEATURE] Add support for UTF-8 characters to label names and metric names in PrometheusRule resources and relabel configurations. #7637 #7985
• [FEATURE] Add the flag --name-validation-scheme to admission webhook to select between utf8 and legacy validations. #7985
• [FEATURE] Add status subresource for ServiceMonitor custom resources (requires the StatusForConfigurationResources feature gate). #7767 #7836 #7827 #7795
• [FEATURE] Add status subresource for PodMonitor custom resources (requires the StatusForConfigurationResources feature gate). #7929 #7914 #7936
• [FEATURE] Add status subresource for ScrapeConfig custom resources (requires the StatusForConfigurationResources feature gate). #7958 #7964 #7969
• [FEATURE] Add status subresource for Probe custom resources (requires the StatusForConfigurationResources feature gate). #7933 #7934 #7980
• [FEATURE] Add serviceDiscoveryRole field to ServiceMonitor. #7982
• [FEATURE] Add useFIPSSTSEndpoint field to Sigv4 config. #7987
• [FEATURE] Add UnderscoreEscapingWithoutSuffixes to the translationStrategy field for the Prometheus and PrometheusAgent CRDs. #7947
• [FEATURE] Add promoteScopeMetadata field to the Prometheus and PrometheusAgent CRDs. #7803
• [FEATURE] Add enableHttp2 field to Alertmanager and AlertmanagerConfig CRDs. #7963
• [ENHANCEMENT] Add the related object to the events emitted by the operator. #7867 #7953
• [ENHANCEMENT] Add webhook validation for the MSTeams V2 receiver of AlertmanagerConfig CRD. #7906
• [ENHANCEMENT] Add app.kubernetes.io/managed-by: prometheus-operator label to all managed resources. #7939
• [BUGFIX] Prevent duplicate authentication settings in PodMonitor. #7975
• [BUGFIX] Use distinct port name for the config-reloader init container to avoid duplicate port name warnings. #7904
• [BUGFIX] Validate the PagerDuty URL in the Alertmanager's global configuration. #7945

Commits

• 0ff52b3 Cut 0.87.0 (#8109)
• ddbbdf4 chore: cut v0.87.0
• d4e674c Skip medium.com links in mdox configuration
• d1ff82e feat: add support for monospace in pushoverConfig (#8018)
• df692bf Feat: set Azure Manage Identity Client ID default to empty value (#7815)
• 3f31a1d Merge pull request #8105 from prometheus-operator/dependabot/go_modules/githu...
• 5be255a build(deps): bump github.com/prometheus/common from 0.67.2 to 0.67.3
• b128cbb chore: bump k8s dependencies to v0.34.2 (#8096)
• 7300032 chore: bump k8s dependencies to v0.34.2
• c8c9492 chore: update golangci-lint version to v2.6.1 (#8093)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign 0xfelix for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-bot]

Hi @dependabot[bot]. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.