chore: Update Infrastructure dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
chainguard-dev/apko		patch	v1.2.12 → v1.2.13
chainguard-dev/melange		patch	v0.50.6 → v0.50.7
codecov/codecov-action	action	patch	v6.0.0 → v6.0.1
dhi.io/nats (source)		digest	21edf17 → e545a82
ghcr.io/astral-sh/uv	stage	patch	0.11.14 → 0.11.15
github.com/google/go-containerregistry	require	patch	v0.21.5 → v0.21.6
github.com/theupdateframework/go-tuf/v2	require	patch	v2.4.1 → v2.4.2
goreleaser/goreleaser-action	action	patch	v7.2.1 → v7.2.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

chainguard-dev/apko (chainguard-dev/apko)

v1.2.13

Compare Source

Changelog

• 22c16a5 build(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 in the go_modules group across 1 directory (#​2222)
• 7effda4 build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 (#​2225)
• de34d75 build(deps): bump go.step.sm/crypto from 0.77.9 to 0.78.0 (#​2224)
• f6032be build(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0 (#​2221)
• f85efc5 build(deps): bump google.golang.org/api from 0.277.0 to 0.278.0 (#​2223)
• 2483b20 build(deps): bump gopkg.in/ini.v1 from 1.67.1 to 1.67.2 (#​2218)
• f693e82 build(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2 (#​2226)
• 3e9c1ec cpio: add FromLayers for multi-layer CPIO archives (#​2216)

chainguard-dev/melange (chainguard-dev/melange)

v0.50.7

Compare Source

What's Changed

• chore: Bump go to 1.26.2 by @​EyeCantCU in #​2528
• build(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2 in the actions group across 1 directory by @​dependabot[bot] in #​2526

Full Changelog: chainguard-dev/melange@v0.50.6...v0.50.7

codecov/codecov-action (codecov/codecov-action)

v6.0.1

Compare Source

astral-sh/uv (ghcr.io/astral-sh/uv)

v0.11.15

Compare Source

Released on 2026-05-18.

Security

• Fix a TAR partial differential, see GHSA-3cv2-h65g-fgmm (#​19463)
• Enforce that entry points cannot escape in the scripts directory, see GHSA-4gg8-gxpx-9rph (#​19464)

Enhancements

• Add TOML v1.1 -> v1.0 backwards compatibility for source distributions (#​18741)
• Add support for Azure request signing (#​19421)
• Apply stricter validation to all wheel filename segments (#​19364)
• Reject empty strings as an invalid package name (#​19435)
• Use structured errors for signing authentication failures (#​19422)

Preview

• uv audit: Add JSON output (#​19305)

Configuration

• Respect required-environments in uv pip compile (#​19378)

Performance

• Avoid parsing JSON manifest when local Python is available (#​19398)
• Avoid walking nested directories in linker conflict registration (#​19382)
• Optimize async wheel ZIP writing (#​19383)
• Fix dead "already trimmed" fast-path in Version::only_release_trimmed (#​19425)

Bug fixes

• Apply workspace-member [tool.uv.sources] credentials under uv sync --frozen (#​19423)
• Skip empty directories in uv build outputs (#​19437)
• Fix Git submodule handling when using relative paths (#​12156)
• Fix line number reporting in netrc parsing (#​19452)

Documentation

• Move Bazel auth helper setup into integration guide (#​19392)

google/go-containerregistry (github.com/google/go-containerregistry)

v0.21.6

Compare Source

What's Changed

• fix: update dependencies to use new azure sdk components by @​gaganhr94 in #​2262
• transport: restore resp.Body in retryError so CheckError can parse it by @​alliasgher in #​2264
• pkg/registry: return 202 Accepted for PATCH chunk uploads by @​alliasgher in #​2265
• Follow OCI distribution spec for artifactType and annotations by @​malt3 in #​2269
• actions: attach Codecov token to coverage tests on main by @​Subserial in #​2270
• remote: use DeleteScope (with "delete" action) for manifest deletion by @​alliasgher in #​2266
• remote: limit concurrent layer pulls by @​gnix0 in #​2271
• pkg/registry: reject corrupt disk blobs by @​gnix0 in #​2272
• mutate: close layer readers during export by @​gnix0 in #​2277
• crane/flatten: preserve image media type when flattening by @​alliasgher in #​2267
• build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 in the actions group across 1 directory by @​dependabot[bot] in #​2273
• build(deps): bump go.opentelemetry.io/otel from 1.36.0 to 1.41.0 by @​dependabot[bot] in #​2278
• build(deps): bump the go-deps group across 3 directories with 6 updates by @​dependabot[bot] in #​2280
• Replace go-homedir with os.UserHomeDir by @​jammie-jelly in #​2282
• pkg/name: only treat .localhost as non-HTTPS, not .local by @​blackwell-systems in #​2281
• transport: block unspecified IPs (0.0.0.0, ::) in validateRealmURL by @​marwan9696 in #​2285
• test(mutate): add Extract round-trip test for filesystem object preservation by @​blackwell-systems in #​2283
• experiments: remove deprecated support for estargz by @​thaJeztah in #​2288
• build(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1 in the actions group by @​dependabot[bot] in #​2289
• fix: limit HTTP response body reads to prevent OOM by @​evilgensec in #​2296
• build(deps): bump the go-deps group across 3 directories with 6 updates by @​dependabot[bot] in #​2297
• transport: block redirects from token server to private/link-local addresses (SSRF fix) by @​evilgensec in #​2292
• pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract by @​anishesg in #​2279
• validate: skip non-layer layers by @​imjasonh in #​2298
• remote: validate foreign layer URLs to prevent SSRF (fixes #​2259) by @​evilgensec in #​2293
• remote: block SSRF via private-IP Location headers in blob uploads by @​adilburaksen in #​2295
• fix(mutate): preserve config blob and layers for non-Docker OCI artifacts by @​blackwell-systems in #​2286
• fix: preserve per-occurrence layer identity in mutate.Image.Layers() by @​iahsanGill in #​2299
• transport: retry HTTP 429 (Too Many Requests) by @​iahsanGill in #​2301
• transport: allow bearer realm at same host:port as registry by @​iahsanGill in #​2302
• Update go version to 1.26.3 by @​Subserial in #​2300

New Contributors

• @​gaganhr94 made their first contribution in #​2262
• @​alliasgher made their first contribution in #​2264
• @​malt3 made their first contribution in #​2269
• @​gnix0 made their first contribution in #​2271
• @​blackwell-systems made their first contribution in #​2281
• @​marwan9696 made their first contribution in #​2285
• @​anishesg made their first contribution in #​2279
• @​adilburaksen made their first contribution in #​2295
• @​iahsanGill made their first contribution in #​2299

Full Changelog: google/go-containerregistry@v0.21.5...v0.21.6

theupdateframework/go-tuf (github.com/theupdateframework/go-tuf/v2)

v2.4.2

Compare Source

What's Changed

• Do not allow empty hashes for the Target role by @​rdimitrov in #​721
• Decouple CI Go version from module minimum by @​rdimitrov in #​726
• chore(deps): bump github.com/sigstore/sigstore from 1.10.4 to 1.10.5 by @​dependabot[bot] in #​727
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.10.0 to 0.11.0 by @​dependabot[bot] in #​729
• Fix log line to not be fmt-styled by @​abayer in #​730
• chore(deps): bump github.com/sigstore/sigstore from 1.10.5 to 1.10.6 by @​dependabot[bot] in #​732
• Fix threshold counting for duplicate public keys by @​rdimitrov in #​733

New Contributors

• @​abayer made their first contribution in #​730

Full Changelog: theupdateframework/go-tuf@v2.4.1...v2.4.2

goreleaser/goreleaser-action (goreleaser/goreleaser-action)

v7.2.2

Compare Source

---

Configuration

📅 Schedule: (in timezone Etc/UTC)

• Branch creation
  • Between 12:00 AM and 06:59 AM, only on Saturday (* 0-6 * * 6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: cli/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
github.com/docker/cli	v29.4.1+incompatible -> v29.4.3+incompatible
github.com/klauspost/compress	v1.18.5 -> v1.18.6
github.com/sigstore/sigstore	v1.10.5 -> v1.10.6
golang.org/x/mod	v0.35.0 -> v0.36.0

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

License Issues

cli/go.mod

Package	Version	License	Issue Type
github.com/docker/cli	29.4.3+incompatible	Null	Unknown License
github.com/klauspost/compress	1.18.6	Null	Unknown License

Allowed Licenses:

MIT, MIT-0, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, PSF-2.0, Unlicense, 0BSD, CC0-1.0, CC-BY-3.0, CC-BY-4.0, Python-2.0, Python-2.0.1, LicenseRef-scancode-free-unknown, LicenseRef-scancode-protobuf, LicenseRef-scancode-google-patent-license-golang, ZPL-2.1, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0-only, LGPL-3.0-or-later, BlueOak-1.0.0, OFL-1.1

Excluded from license check:

pkg:pypi/mem0ai@2.0.1, pkg:pypi/numpy@2.4.4, pkg:pypi/qdrant-client@1.17.1, pkg:pypi/posthog@7.9.12, pkg:pypi/aiohttp@3.13.5, pkg:pypi/cyclonedx-python-lib@11.7.0, pkg:pypi/fsspec@2026.3.0, pkg:pypi/griffelib@2.0.2, pkg:pypi/grpcio@1.80.0, pkg:pypi/charset-normalizer@3.4.6, pkg:pypi/wrapt@2.1.2, pkg:pypi/pytest-codspeed@4.5.0, pkg:pypi/hypothesis@6.152.4, pkg:pypi/litellm@1.83.14, pkg:pypi/openai@2.33.0, pkg:pypi/pyngrok@8.1.2, pkg:pypi/tokenizers@0.23.1, pkg:pypi/typer@0.25.0, pkg:npm/@img/sharp-wasm32@0.33.5, pkg:npm/@img/sharp-win32-ia32@0.33.5, pkg:npm/@img/sharp-win32-x64@0.33.5, pkg:npm/json-schema-typed@8.0.2, pkg:npm/victory-vendor@37.3.6, pkg:pypi/scikit-learn@1.8.0, pkg:pypi/torch@2.11.0, pkg:pypi/cuda-bindings@13.2.0, pkg:pypi/cuda-pathfinder@1.5.0, pkg:pypi/cuda-toolkit@13.0.2, pkg:pypi/nvidia-cublas@13.1.0.3, pkg:pypi/nvidia-cuda-cupti@13.0.85, pkg:pypi/nvidia-cuda-nvrtc@13.0.88, pkg:pypi/nvidia-cuda-runtime@13.0.96, pkg:pypi/nvidia-cudnn-cu13@9.19.0.56, pkg:pypi/nvidia-cufft@12.0.0.61, pkg:pypi/nvidia-cufile@1.15.1.6, pkg:pypi/nvidia-curand@10.4.0.35, pkg:pypi/nvidia-cusolver@12.0.4.66, pkg:pypi/nvidia-cusparse@12.6.3.3, pkg:pypi/nvidia-cusparselt-cu13@0.8.0, pkg:pypi/nvidia-nccl-cu13@2.28.9, pkg:pypi/nvidia-nvjitlink@13.0.88, pkg:pypi/nvidia-nvshmem-cu13@3.4.5, pkg:pypi/nvidia-nvtx@13.0.85

OpenSSF Scorecard

Package	Version	Score	Details
actions/goreleaser/goreleaser-action	5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89	🟢 4.9	Details Check Score Reason Code-Review ⚠️ 0 Found 1/22 approved changesets -- score normalized to 0 Maintained 🟢 10 23 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/docker/cli	29.4.3+incompatible	Unknown	Unknown
gomod/github.com/google/go-containerregistry	0.21.6	🟢 8.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review 🟢 8 Found 22/25 approved changesets -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Packaging 🟢 10 packaging workflow detected Signed-Releases 🟢 10 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 10 SAST tool is run on all commits
gomod/github.com/klauspost/compress	1.18.6	Unknown	Unknown
gomod/github.com/sigstore/sigstore	1.10.6	🟢 9.4	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 21 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices 🟢 5 badge detected: Passing Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 7 3 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 39 contributing companies or organizations
gomod/github.com/theupdateframework/go-tuf/v2	2.4.2	🟢 7.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 4 3 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found SAST 🟢 10 SAST tool is run on all commits
gomod/golang.org/x/mod	0.36.0	Unknown	Unknown

Scanned Files

• .github/workflows/cli.yml
• cli/go.mod

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​github.com/​google/​go-containerregistry@​v0.21.5 ⏵ v0.21.6	+1
	golang/​github.com/​theupdateframework/​go-tuf/​v2@​v2.4.1 ⏵ v2.4.2	+1

View full report

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.08%. Comparing base (29b64e3) to head (210d23d).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2014      +/-   ##
==========================================
- Coverage   85.09%   85.08%   -0.01%     
==========================================
  Files        1913     1913              
  Lines      113388   113388              
  Branches     9673     9673              
==========================================
- Hits        96487    96481       -6     
- Misses      14532    14536       +4     
- Partials     2369     2371       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Aureliolo]

Decision: Patch/digest-only infrastructure bump (8 deps); CI fully green; no breaking changes; lands three security patches.

Changelog digest:

• Covered: chainguard-dev/apko v1.2.12->v1.2.13, melange v0.50.6->v0.50.7, codecov-action v6.0.0->v6.0.1, dhi.io/nats digest 21edf17->e545a82, ghcr.io/astral-sh/uv 0.11.14->0.11.15, google/go-containerregistry v0.21.5->v0.21.6, theupdateframework/go-tuf/v2 v2.4.1->v2.4.2, goreleaser-action v7.2.1->v7.2.2.
• Relevant (security): uv 0.11.15 fixes TAR partial-diff GHSA-3cv2-h65g-fgmm + entry-point-escape GHSA-4gg8-gxpx-9rph (used in Docker build stage); go-containerregistry v0.21.6 ships multiple SSRF-hardening fixes + 429 retry + OOM-bounded HTTP reads (CLI image ops); go-tuf v2.4.2 rejects empty Target-role hashes and fixes threshold counting for duplicate keys (CLI TUF path).
• Reviewed but not relevant: apko/melange internal dep bumps + Go 1.26.2 (build-tooling only, no behaviour change for us); codecov-action / goreleaser-action / nats digest are routine patch/digest refreshes with no functional release notes.

Follow-ups: none.