Skip to content

fix(deps): update module github.com/cyphar/filepath-securejoin to v0.5.0#359

Closed
renovate[bot] wants to merge 1 commit intomainfrom
renovate/github.com-cyphar-filepath-securejoin-0.x
Closed

fix(deps): update module github.com/cyphar/filepath-securejoin to v0.5.0#359
renovate[bot] wants to merge 1 commit intomainfrom
renovate/github.com-cyphar-filepath-securejoin-0.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Sep 25, 2025
edited
Loading

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

This PR contains the following updates:

Package Change Age Confidence
github.com/cyphar/filepath-securejoin v0.4.1 -> v0.5.0 age confidence

Release Notes

cyphar/filepath-securejoin (github.com/cyphar/filepath-securejoin)

v0.5.0

Compare Source

This is our first release of github.com/cyphar/filepath-securejoin,
containing a full implementation with a coverage of 93.5% (the only missing
cases are the error cases, which are hard to mocktest at the moment).

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Sep 25, 2025

ℹ Artifact update notice

File name: common/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 6 additional dependencies were updated

Details:

Package Change
github.com/google/go-containerregistry v0.20.4-0.20250225234217-098045d5e61f -> v0.20.6
github.com/sylabs/sif/v2 v2.21.1 -> v2.22.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 -> v0.61.0
go.opentelemetry.io/otel v1.35.0 -> v1.36.0
go.opentelemetry.io/otel/metric v1.35.0 -> v1.36.0
go.opentelemetry.io/otel/trace v1.35.0 -> v1.36.0

@github-actions github-actions bot added storage Related to "storage" package common Related to "common" package labels Sep 25, 2025
@mtrmac
Copy link
Copy Markdown
Contributor

mtrmac commented Sep 25, 2025

⚠️

The new API introduced in the [0.3.0][] release has been moved to a new
subpackage called pathrs-lite.

This new subpackage has also been relicensed under the Mozilla Public License
(version 2)

(We do have a user for that API, see the failing lint.) @mheon ISTR there was some concern, or at least paperwork, about the MPL?

@mheon
Copy link
Copy Markdown
Member

mheon commented Sep 25, 2025

We'd probably need an exception from CNCF as MPL is not an approved license.

@Luap99
Copy link
Copy Markdown
Member

Luap99 commented Sep 29, 2025

We'd probably need an exception from CNCF as MPL is not an approved license.

Did you apply for such an exception? Or what is the process to do so? This dep is critical for safe path access so we need it.

@renovate renovate bot force-pushed the renovate/github.com-cyphar-filepath-securejoin-0.x branch from 1a8ceb6 to c1f0d4a Compare September 29, 2025 17:20
This was referenced Oct 1, 2025
Closed
Merged
@mtrmac
Copy link
Copy Markdown
Contributor

mtrmac commented Oct 1, 2025

An exception request has been already filed: cncf/foundation#1074 .

Compare also kubernetes/kubernetes#131480 (comment) .

@renovate renovate bot force-pushed the renovate/github.com-cyphar-filepath-securejoin-0.x branch from c1f0d4a to 6252711 Compare October 1, 2025 16:57
@Luap99
Copy link
Copy Markdown
Member

Luap99 commented Oct 1, 2025

Anyone aware of a stop rebasing option for renovate for a specific PR? I couldn't find something in the docs. I guess we could close it for now because like this it just will spam us with new push notifications.

@mtrmac
Copy link
Copy Markdown
Contributor

mtrmac commented Oct 1, 2025

“Add a Renovate-unrecognized commit on top”, per #352 (comment) , might be an option.

@renovate
fix(deps): update module github.com/cyphar/filepath-securejoin to v0.5.0
c316872 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/github.com-cyphar-filepath-securejoin-0.x branch from 6252711 to c316872 Compare October 2, 2025 15:57
@Luap99 Luap99 closed this Oct 2, 2025
@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Oct 2, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v0.5.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/github.com-cyphar-filepath-securejoin-0.x branch October 2, 2025 16:01
@cyphar cyphar mentioned this pull request Oct 20, 2025
Closed
12 tasks
@Luap99 Luap99 mentioned this pull request Oct 20, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

common Related to "common" package dependencies storage Related to "storage" package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mtrmac @mheon @Luap99