Skip to content

chore: bump OSS dependencies on v0.43.x#778

Open
aroradaman wants to merge 7 commits into
carvel-dev:v0.43.xfrom
aroradaman:oss-drift-v0.43.x
Open

chore: bump OSS dependencies on v0.43.x#778
aroradaman wants to merge 7 commits into
carvel-dev:v0.43.xfrom
aroradaman:oss-drift-v0.43.x

Conversation

@aroradaman
Copy link
Copy Markdown
Contributor

@aroradaman aroradaman commented May 12, 2026
edited
Loading

Summary

Bumps OSS Go dependencies to their latest available versions. All changes are drop-in compatible — build verified on both v0.43.x and v0.46.x, no source code changes required.

Package From To
github.com/spf13/cobra v1.8.1 v1.10.2
github.com/spf13/pflag (indirect) v1.0.5 v1.0.10
golang.org/x/sync v0.7.0 v0.20.0
sigs.k8s.io/yaml v1.4.0 v1.6.0
github.com/google/go-containerregistry v0.20.0 v0.21.5
github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1 v6.12.2

Each dependency is a separate atomic commit. go-containerregistry v0.21.5 includes SSRF protection (Bearer realm URL validation) and symlink cycle detection in tarball extraction. counterfeiter v6.12.2 requires Go 1.25.0, which also bumps the go directive and associated golang.org/x/* transitive dependencies.

Made with Cursor

@aroradaman aroradaman force-pushed the oss-drift-v0.43.x branch from 9da2311 to 5c6b0b3 Compare May 12, 2026 06:27
aroradaman and others added 4 commits May 12, 2026 12:01
@aroradaman @cursoragent
chore: bump github.com/spf13/cobra to v1.10.2
d8f5377 
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Daman Arora <daman.arora@broadcom.com>
@aroradaman @cursoragent
chore: bump golang.org/x/sync to v0.11.0
9530758 
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Daman Arora <daman.arora@broadcom.com>
@aroradaman @cursoragent
chore: bump sigs.k8s.io/yaml to v1.6.0
7a8e618 
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Daman Arora <daman.arora@broadcom.com>
@aroradaman @cursoragent
chore: bump github.com/google/go-containerregistry to v0.20.2
4a347b9 
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Daman Arora <daman.arora@broadcom.com>
@aroradaman aroradaman force-pushed the oss-drift-v0.43.x branch from 5c6b0b3 to 4a347b9 Compare May 12, 2026 06:32
devacts and others added 2 commits May 12, 2026 17:34
@devacts @aroradaman
Skip gcloud expired token test as gcr not available
1133e0d 
Signed-off-by: Devanshu <devanshu.d@broadcom.com>
@aroradaman @cursoragent
chore: bump github.com/maxbrunsfeld/counterfeiter/v6 to v6.12.2
adff31b 
Requires go 1.25.0 and pulls in updated golang.org/x/* transitive deps.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Daman Arora <daman.arora@broadcom.com>
@aroradaman aroradaman force-pushed the oss-drift-v0.43.x branch from 0d83779 to adff31b Compare May 12, 2026 12:19
@aroradaman @cursoragent
chore: upgrade golangci-lint to v2.9.0 for Go 1.25 compatibility
c3975dd 
golangci-lint v1.58 was built with Go 1.23 and refuses to run against
modules declaring go 1.25.0. v2.9.0 is the first release built with
Go 1.25.

Config changes for v2:
- Replace deprecated `disable-all: true` with `default: none`
- Remove `typecheck` linter (built-in to the compiler in v2)

Signed-off-by: Daman Arora <daman.arora@broadcom.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@joaopapereira
Copy link
Copy Markdown
Member

joaopapereira commented May 13, 2026

This line looks somewhat old an does not look like we are supporting it anymore. Any particular reason for this update?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Carvel
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@aroradaman @joaopapereira @carvel-bot @devacts