Skip to content

chores: bump the go-modules group with 15 updates#263

Merged
GrigoryPervakov merged 1 commit into
mainfrom
dependabot/go_modules/go-modules-836174b285
Jul 14, 2026
Merged

chores: bump the go-modules group with 15 updates#263
GrigoryPervakov merged 1 commit into
mainfrom
dependabot/go_modules/go-modules-836174b285

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps the go-modules group with 15 updates:

Package From To
github.com/cert-manager/cert-manager 1.20.3 1.21.0
github.com/sethvargo/go-envconfig 1.3.0 1.3.1
golang.org/x/sync 0.21.0 0.22.0
github.com/google/cel-go 0.29.1 0.29.2
github.com/prometheus/common 0.69.0 0.70.0
golang.org/x/crypto 0.53.0 0.54.0
golang.org/x/mod 0.37.0 0.38.0
golang.org/x/net 0.56.0 0.57.0
golang.org/x/sys 0.46.0 0.47.0
golang.org/x/term 0.44.0 0.45.0
golang.org/x/text 0.39.0 0.40.0
golang.org/x/tools 0.47.0 0.48.0
google.golang.org/genproto/googleapis/rpc 0.0.0-20260526163538-3dc84a4a5aaa 0.0.0-20260610212136-7ab31c22f7ad
k8s.io/utils 0.0.0-20260507154919-ff6756f316d2 0.0.0-20260626114624-be93311217bd
sigs.k8s.io/structured-merge-diff/v6 6.4.1 6.4.2

Updates github.com/cert-manager/cert-manager from 1.20.3 to 1.21.0

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.21.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.21 brings ACME Renewal Information (ARI) support, AWS IAM authentication for the Vault issuer, several security hardening changes, and continued improvements to Gateway API integration and cainjector. There are three breaking changes related to Helm chart RBAC and metrics values — review them carefully before upgrading.

Known Issues

  • Log spam for non-cert-manager-labelled Secret events: the typed predicates refactoring (#8407) causes filteredEventHandler type assertion failures ("OnAdd missing Object", "OnUpdate missing ObjectOld", "OnDelete missing Object") for every non-cert-manager-labelled Secret event, multiplied by 7 certificate sub-controllers. This is cosmetic only — the affected controllers only need events from cert-manager-labelled Secrets (which arrive via the typed informer); the metadata informer events were always filtered out by predicates in previous versions. Issuer and ClusterIssuer controllers are not affected. See #8994 for details.

Major Themes

Default tokenrequest RBAC removed from Helm chart

⚠️ Breaking change

The Helm chart no longer creates a default Role and RoleBinding granting the cert-manager controller permission to create tokens for its own ServiceAccount (serviceaccounts/token: create). No documented workflow requires this RBAC — the Route53 docs section that motivated it was removed in 2024.

If you use serviceAccountRef.name pointing at the controller ServiceAccount, you must now either create your own Role/RoleBinding granting serviceaccounts/token: create, or migrate to a dedicated ServiceAccount (recommended — see the Vault or Route53 documentation).

Restrict Challenge and Order RBAC in cert-manager-edit ClusterRole

⚠️ Potentially breaking change

The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io (GHSA-8rvj-mm4h-c258). These resources are internal to cert-manager's ACME workflow. Challenge patch and update are retained because users may need them to remove stuck finalizers.

This change was already shipped in v1.20.3 and v1.19.6, so if you are running one of those versions this will not be a breaking change. If you have tooling that creates Challenge or Order resources directly, you will need to grant those permissions explicitly.

Metrics port name and path Helm values removed

⚠️ Breaking change

The Helm values prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path have been removed. The controller Service metrics port has been renamed from tcp-prometheus-servicemonitor to http-metrics. Because the Helm values schema uses additionalProperties: false, users who still have any of the removed keys in their values overrides will see a schema validation error on upgrade — remove them before upgrading. (#8952)

ACME and Certificate Management

  • ACME Renewal Information (ARI): experimental support for RFC 9773 behind the ACMEUseARI feature gate. When enabled, cert-manager queries the ACME server's renewalInfo endpoint for the recommended renewal window, allowing servers like Let's Encrypt to proactively prompt renewal during mass revocations or CA key rollovers. (#8798)
  • waitInsteadOfSelfCheck solver option: skip cert-manager's own self-check and instead wait a configured duration before asking the ACME server to validate. An escape hatch for split-horizon DNS and NAT hairpin environments. See configuration details. (#8858)
  • AWS IAM authentication for Vault: the Vault issuer now supports IRSA, EKS Pod Identity, and ambient EC2/ECS credentials, removing the need for long-lived AWS Secrets. (#8422)
  • Certificate renewal policies: a new renewalPolicies field on the Certificate API provides more expressive control over renewal scheduling, complementing renewBefore and renewBeforePercentage. (#8258)
  • Configurable CertificateRequest retry backoff: the new --certificate-request-maximum-backoff-duration flag (default: 32 hours) caps the exponential backoff for failed CertificateRequests, useful for environments with scheduled CA maintenance windows. (#8893)
  • Modern2026 PKCS#12 profile: a new FIPS 140-3 compatible encoding profile using AES-256 + SHA-256 KDFs instead of legacy 3DES/RC2. (#8841)
  • Webhook certificate renewal after system suspend: the webhook now detects missed certificate renewals after system suspend (S3/S4) or VM live migration by polling wall-clock time, recovering within one minute of resume. (#8464)

Gateway API and cainjector

  • HTTP01 ListenerSet parentRef fallback: the acme.cert-manager.io/http01-parentreffallback: "true" annotation causes cert-manager to use the parent Gateway for solver HTTPRoutes instead of the ListenerSet, enabling TLS-only ListenerSets to use a shared HTTP listener for ACME challenges. (#8749)
  • cert-manager.io/ignore-tls-listeners annotation: exclude specific Gateway TLS listeners from certificate management. (#8727)
  • Additional listener protocols: configurable listener protocols beyond the default set. (#8683)
  • enableGatewayAPI configuration restructure: enableGatewayAPI and enableGatewayAPIListenerSet are deprecated in favor of gatewayAPI.enabled / gatewayAPI.enableListenerSet. The old fields continue to work. (#8732)
  • CAInjectorMerging promoted to GA: unconditionally enabled; will be removed in a future release. (#8583)

... (truncated)

Commits
  • b8f325e Merge pull request #8984 from cert-manager-bot/cherry-pick-8983-to-release-1.21
  • 6d43c8c Ignore GO-2026-5932 in trivy scans
  • 8eb9d29 Merge pull request #8980 from cert-manager-bot/cherry-pick-8976-to-release-1.21
  • a95f519 Merge pull request #8981 from erikgb/r-1-21-bump-go
  • 5d62fa3 [release-1.21] Update dependency go to v1.26.5
  • 66241e2 Add acmesolver.runtimeClassName
  • 0357ac2 Merge pull request #8967 from cert-manager/release-1.21-disable-klone
  • 2f2bfc3 Disable generate-klone on release-1.21 branch
  • ae67234 Merge pull request #8893 from lunarwhite/max-backoff-duration
  • 35e46aa Respect configured max backoff in trigger controller
  • Additional commits viewable in compare view

Updates github.com/sethvargo/go-envconfig from 1.3.0 to 1.3.1

Release notes

Sourced from github.com/sethvargo/go-envconfig's releases.

v1.3.1

What's Changed

New Contributors

Full Changelog: sethvargo/go-envconfig@v1.3.0...v1.3.1

Commits

Updates golang.org/x/sync from 0.21.0 to 0.22.0

Commits

Updates github.com/google/cel-go from 0.29.1 to 0.29.2

Release notes

Sourced from github.com/google/cel-go's releases.

Release v0.29.2

What's Changed

Full Changelog: cel-expr/cel-go@v0.29.1...v0.29.2

Commits

Updates github.com/prometheus/common from 0.69.0 to 0.70.0

Release notes

Sourced from github.com/prometheus/common's releases.

v0.70.0

What's Changed

New Contributors

Full Changelog: prometheus/common@v0.69.0...v0.70.0

Changelog

Sourced from github.com/prometheus/common's changelog.

v0.70.0 / 2026-07-10

Enhancements

  • route: add support for the QUERY HTTP method. #932

Bugfixes

  • config: fix TLSVersion.String() printing a pointer address instead of the numeric version for unknown TLS versions. #929

Internal

  • expfmt: add BenchmarkConvertMetricFamily comparing the Prometheus text and OpenMetrics 1.0 encoders. #943
  • Update Go dependencies. #933 #934
  • Synchronize common files from prometheus/prometheus. #923 #927 #930 #937
  • Update GitHub Actions. #938 #939 #940 #941 #942

Full Changelog: prometheus/common@v0.69.0...v0.70.0

Commits
  • 5eff7a8 Merge pull request #941 from prometheus/dependabot/github_actions/actions/che...
  • a23c5b3 Merge pull request #939 from prometheus/dependabot/github_actions/ossf/scorec...
  • 9e1eb87 Merge pull request #942 from prometheus/dependabot/github_actions/actions/upl...
  • ab2736d Merge pull request #940 from prometheus/dependabot/github_actions/actions/set...
  • e596873 Merge pull request #938 from prometheus/dependabot/github_actions/codeql-ac07...
  • 97c066a Add BenchmarkConvertMetricFamily comparing Prometheus text and OpenMetrics 1....
  • 62e9d0f Merge pull request #932 from roidelapluie/roidelapluie/route-query
  • 6c31239 build(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1
  • 755e9d6 build(deps): bump actions/checkout from 3.1.0 to 7.0.0
  • 556d740 build(deps): bump actions/setup-go from 6.2.0 to 6.5.0
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.53.0 to 0.54.0

Commits
  • cdce021 go.mod: update golang.org/x dependencies
  • d9474cc openpgp: make the deprecation message more explicit
  • 7626c50 ssh: verify declared key type matches decoded key in authorized_keys
  • 0471e79 ssh/agent: enforce strict limits on DSA key parameters
  • 6435c37 ssh: sanitize client disconnect messages
  • 7d695da ssh/agent: drain channel stderr in agent forwarders
  • 5b7f841 acme/autocert: fix data race in Manager.createCert
  • 0b316e7 argon2: update RFC 9106 parameter recommendations
  • 55aec0a x509roots/fallback: update bundle
  • 5f2de1a internal: remove wycheproof tests
  • See full diff in compare view

Updates golang.org/x/mod from 0.37.0 to 0.38.0

Commits
  • 792ac16 go.mod: update golang.org/x dependencies
  • fe2ec04 all: fix some comments to improve readability
  • See full diff in compare view

Updates golang.org/x/net from 0.56.0 to 0.57.0

Commits
  • b8f09f6 go.mod: update golang.org/x dependencies
  • f05f21b idna: reject all-ASCII xn-- labels on all Go versions
  • 0f748cf internal/http3: clean up stream I/O methods usages in tests
  • 0bb961e internal/http3: add net/http.ResponseController support
  • 0ca694d webdav: document Dir's lack of defense against filesystem modification
  • bd5f1dc http2: initialize Transport on NewClientConn
  • 488ff63 bpf: add security considerations to package docs
  • 93d1f25 xsrftoken: avoid token collisions
  • 5a3baee internal/http3: prevent panic in QPACK decoder due to overflow
  • See full diff in compare view

Updates golang.org/x/sys from 0.46.0 to 0.47.0

Commits
  • 9e7e939 cpu: handle vendor suffixes in parseRelease
  • f6fb8a1 unix: use epoll_pwait rather than epoll_wait
  • f3eeabf windows: avoid length overflow in NewNTString
  • 3cb6647 unix: update glibc to 2.43
  • c507910 windows: document safe usage of TrusteeValue
  • See full diff in compare view

Updates golang.org/x/term from 0.44.0 to 0.45.0

Commits

Updates golang.org/x/text from 0.39.0 to 0.40.0

Commits
  • 724af9c go.mod: update golang.org/x dependencies
  • bf5b9d6 internal/export/idna: always treat Punycode encoding pure ASCII as an error
  • See full diff in compare view

Updates golang.org/x/tools from 0.47.0 to 0.48.0

Commits
  • 05f9cb5 go.mod: update golang.org/x dependencies
  • 745d7ae gopls: add CompiledAsmFiles in cache.Package
  • 797ee67 go/ssa: make Const(unsafe.Pointer, nil).IsNil() true
  • 9751125 gopls/internal/test: Completion benchmarks use empty range
  • 8786a96 internal/stdlib: update stdlib index for Go 1.27 Release Candidate 2
  • 425085f gopls/internal/server: modify return of parseAction
  • 30c4f87 go/analysis/passes/nilness: skip magic cgo functions
  • 9e6441d gopls/internal/protocol/generate: remove manual rename overwritten
  • df96841 gopls/internal/protocol: use Debug log level
  • 278f062 gopls/internal/protocol: update to LSP 3.18
  • Additional commits viewable in compare view

Updates google.golang.org/genproto/googleapis/rpc from 0.0.0-20260526163538-3dc84a4a5aaa to 0.0.0-20260610212136-7ab31c22f7ad

Commits

Updates k8s.io/utils from 0.0.0-20260507154919-ff6756f316d2 to 0.0.0-20260626114624-be93311217bd

Commits

Updates sigs.k8s.io/structured-merge-diff/v6 from 6.4.1 to 6.4.2

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-modules group with 15 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) | `1.20.3` | `1.21.0` |
| [github.com/sethvargo/go-envconfig](https://github.com/sethvargo/go-envconfig) | `1.3.0` | `1.3.1` |
| [golang.org/x/sync](https://github.com/golang/sync) | `0.21.0` | `0.22.0` |
| [github.com/google/cel-go](https://github.com/google/cel-go) | `0.29.1` | `0.29.2` |
| [github.com/prometheus/common](https://github.com/prometheus/common) | `0.69.0` | `0.70.0` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.53.0` | `0.54.0` |
| [golang.org/x/mod](https://github.com/golang/mod) | `0.37.0` | `0.38.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.56.0` | `0.57.0` |
| [golang.org/x/sys](https://github.com/golang/sys) | `0.46.0` | `0.47.0` |
| [golang.org/x/term](https://github.com/golang/term) | `0.44.0` | `0.45.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.39.0` | `0.40.0` |
| [golang.org/x/tools](https://github.com/golang/tools) | `0.47.0` | `0.48.0` |
| [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto) | `0.0.0-20260526163538-3dc84a4a5aaa` | `0.0.0-20260610212136-7ab31c22f7ad` |
| [k8s.io/utils](https://github.com/kubernetes/utils) | `0.0.0-20260507154919-ff6756f316d2` | `0.0.0-20260626114624-be93311217bd` |
| [sigs.k8s.io/structured-merge-diff/v6](https://github.com/kubernetes-sigs/structured-merge-diff) | `6.4.1` | `6.4.2` |


Updates `github.com/cert-manager/cert-manager` from 1.20.3 to 1.21.0
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.20.3...v1.21.0)

Updates `github.com/sethvargo/go-envconfig` from 1.3.0 to 1.3.1
- [Release notes](https://github.com/sethvargo/go-envconfig/releases)
- [Commits](sethvargo/go-envconfig@v1.3.0...v1.3.1)

Updates `golang.org/x/sync` from 0.21.0 to 0.22.0
- [Commits](golang/sync@v0.21.0...v0.22.0)

Updates `github.com/google/cel-go` from 0.29.1 to 0.29.2
- [Release notes](https://github.com/google/cel-go/releases)
- [Commits](cel-expr/cel-go@v0.29.1...v0.29.2)

Updates `github.com/prometheus/common` from 0.69.0 to 0.70.0
- [Release notes](https://github.com/prometheus/common/releases)
- [Changelog](https://github.com/prometheus/common/blob/main/CHANGELOG.md)
- [Commits](prometheus/common@v0.69.0...v0.70.0)

Updates `golang.org/x/crypto` from 0.53.0 to 0.54.0
- [Commits](golang/crypto@v0.53.0...v0.54.0)

Updates `golang.org/x/mod` from 0.37.0 to 0.38.0
- [Commits](golang/mod@v0.37.0...v0.38.0)

Updates `golang.org/x/net` from 0.56.0 to 0.57.0
- [Commits](golang/net@v0.56.0...v0.57.0)

Updates `golang.org/x/sys` from 0.46.0 to 0.47.0
- [Commits](golang/sys@v0.46.0...v0.47.0)

Updates `golang.org/x/term` from 0.44.0 to 0.45.0
- [Commits](golang/term@v0.44.0...v0.45.0)

Updates `golang.org/x/text` from 0.39.0 to 0.40.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.39.0...v0.40.0)

Updates `golang.org/x/tools` from 0.47.0 to 0.48.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.47.0...v0.48.0)

Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20260526163538-3dc84a4a5aaa to 0.0.0-20260610212136-7ab31c22f7ad
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `k8s.io/utils` from 0.0.0-20260507154919-ff6756f316d2 to 0.0.0-20260626114624-be93311217bd
- [Commits](https://github.com/kubernetes/utils/commits)

Updates `sigs.k8s.io/structured-merge-diff/v6` from 6.4.1 to 6.4.2
- [Release notes](https://github.com/kubernetes-sigs/structured-merge-diff/releases)
- [Changelog](https://github.com/kubernetes-sigs/structured-merge-diff/blob/master/RELEASE.md)
- [Commits](kubernetes-sigs/structured-merge-diff@v6.4.1...v6.4.2)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: github.com/sethvargo/go-envconfig
  dependency-version: 1.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-modules
- dependency-name: golang.org/x/sync
  dependency-version: 0.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: github.com/google/cel-go
  dependency-version: 0.29.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: go-modules
- dependency-name: github.com/prometheus/common
  dependency-version: 0.70.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.54.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: golang.org/x/mod
  dependency-version: 0.38.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: golang.org/x/net
  dependency-version: 0.57.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: golang.org/x/sys
  dependency-version: 0.47.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: golang.org/x/term
  dependency-version: 0.45.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: golang.org/x/text
  dependency-version: 0.40.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: golang.org/x/tools
  dependency-version: 0.48.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: google.golang.org/genproto/googleapis/rpc
  dependency-version: 0.0.0-20260610212136-7ab31c22f7ad
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: go-modules
- dependency-name: k8s.io/utils
  dependency-version: 0.0.0-20260626114624-be93311217bd
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: go-modules
- dependency-name: sigs.k8s.io/structured-merge-diff/v6
  dependency-version: 6.4.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: go-modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 14, 2026
@GrigoryPervakov
GrigoryPervakov enabled auto-merge (squash) July 14, 2026 15:02
@GrigoryPervakov
GrigoryPervakov merged commit d3674a1 into main Jul 14, 2026
39 of 42 checks passed
@GrigoryPervakov
GrigoryPervakov deleted the dependabot/go_modules/go-modules-836174b285 branch July 14, 2026 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant