Skip to content

chore: bump OSS dependencies on v0.46.x#780

Open
aroradaman wants to merge 6 commits into
carvel-dev:v0.46.xfrom
aroradaman:oss-drift-v0.46.x
Open

chore: bump OSS dependencies on v0.46.x#780
aroradaman wants to merge 6 commits into
carvel-dev:v0.46.xfrom
aroradaman:oss-drift-v0.46.x

Conversation

@aroradaman
Copy link
Copy Markdown

@aroradaman aroradaman commented May 12, 2026
edited
Loading

Summary

Bumps OSS Go dependencies to their latest available versions. All changes are drop-in compatible — build verified on both v0.43.x and v0.46.x, no source code changes required.

Package From To
github.com/spf13/cobra v1.8.1 v1.10.2
github.com/spf13/pflag (indirect) v1.0.5 v1.0.10
golang.org/x/sync v0.7.0 v0.20.0
sigs.k8s.io/yaml v1.4.0 v1.6.0
github.com/google/go-containerregistry v0.20.0 v0.21.5
github.com/maxbrunsfeld/counterfeiter/v6 v6.11.2 v6.12.2

Each dependency is a separate atomic commit. go-containerregistry v0.21.5 includes SSRF protection (Bearer realm URL validation) and symlink cycle detection in tarball extraction. counterfeiter v6.12.2 requires Go 1.25.0, which also bumps the go directive and associated golang.org/x/* transitive dependencies.

Made with Cursor

@aroradaman aroradaman force-pushed the oss-drift-v0.46.x branch from fb3f8e7 to e82caed Compare May 12, 2026 06:27
aroradaman and others added 3 commits May 12, 2026 12:01
@aroradaman @cursoragent
chore: bump github.com/spf13/cobra to v1.10.2
e279888 
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Daman Arora <daman.arora@broadcom.com>
@aroradaman @cursoragent
chore: bump golang.org/x/sync to v0.16.0
be62f44 
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Daman Arora <daman.arora@broadcom.com>
@aroradaman @cursoragent
chore: bump sigs.k8s.io/yaml to v1.6.0
075da3f 
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Daman Arora <daman.arora@broadcom.com>
@aroradaman aroradaman force-pushed the oss-drift-v0.46.x branch from e82caed to 075da3f Compare May 12, 2026 06:32
devacts and others added 2 commits May 12, 2026 17:35
@devacts @aroradaman
Skip gcloud expired token test as gcr not available
329b892 
Signed-off-by: Devanshu <devanshu.d@broadcom.com>
@aroradaman @cursoragent
chore: bump github.com/maxbrunsfeld/counterfeiter/v6 to v6.12.2
38de439 
Requires go 1.25.0 and pulls in updated golang.org/x/* transitive deps.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Daman Arora <daman.arora@broadcom.com>
@aroradaman aroradaman force-pushed the oss-drift-v0.46.x branch from 8147b25 to 38de439 Compare May 12, 2026 12:19
@aroradaman @cursoragent
chore: upgrade golangci-lint to v2.9.0 for Go 1.25 compatibility
0268f41 
golangci-lint v1.61 was built with Go 1.23 and refuses to run against
modules declaring go 1.25.0. v2.9.0 is the first release built with
Go 1.25.

Config changes for v2:
- Replace deprecated `disable-all: true` with `default: none`
- Remove `typecheck` linter (built-in to the compiler in v2)

Signed-off-by: Daman Arora <daman.arora@broadcom.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Carvel
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aroradaman @carvel-bot @devacts