build(deps): bump github.com/google/go-containerregistry from 0.21.3 to 0.21.4 (#1131)

dependabot[bot] · web-flow · commit 81bc5ff65330 · 2026-04-08T05:33:17.000-04:00
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.21.3 to 0.21.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/google/go-containerregistry/releases">github.com/google/go-containerregistry's releases</a>.</em></p> <blockquote> <h2>v0.21.4</h2> <h2>What's Changed</h2> <ul> <li>go.mod: do not make a viral minimum go version by <a href="https://github.com/howardjohn"><code>@​howardjohn</code></a> in <a href="https://redirect.github.com/google/go-containerregistry/pull/2237">google/go-containerregistry#2237</a></li> <li>Avoid pruning absolute links from extracted and flattened images by <a href="https://github.com/Subserial"><code>@​Subserial</code></a> in <a href="https://redirect.github.com/google/go-containerregistry/pull/2241">google/go-containerregistry#2241</a></li> <li>Bump the go-deps group across 3 directories with 5 updates by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/google/go-containerregistry/pull/2245">google/go-containerregistry#2245</a></li> <li>fix: update to go1.25.8, and use separate .go-version file by <a href="https://github.com/thaJeztah"><code>@​thaJeztah</code></a> in <a href="https://redirect.github.com/google/go-containerregistry/pull/2246">google/go-containerregistry#2246</a></li> <li>Bump CI go version to 1.26.1 by <a href="https://github.com/Subserial"><code>@​Subserial</code></a> in <a href="https://redirect.github.com/google/go-containerregistry/pull/2242">google/go-containerregistry#2242</a></li> <li>Bump codecov/codecov-action from 5.5.2 to 5.5.3 in the actions group by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/google/go-containerregistry/pull/2240">google/go-containerregistry#2240</a></li> <li>fork distribution client v3 auth-challenge as an internal package (squashed) by <a href="https://github.com/thaJeztah"><code>@​thaJeztah</code></a> in <a href="https://redirect.github.com/google/go-containerregistry/pull/2248">google/go-containerregistry#2248</a></li> <li>transport: validate Bearer realm URL to prevent SSRF by <a href="https://github.com/evilgensec"><code>@​evilgensec</code></a> in <a href="https://redirect.github.com/google/go-containerregistry/pull/2243">google/go-containerregistry#2243</a></li> <li>revert path traversal and symlink escape from <a href="https://redirect.github.com/google/go-containerregistry/issues/2227">#2227</a> by <a href="https://github.com/Subserial"><code>@​Subserial</code></a> in <a href="https://redirect.github.com/google/go-containerregistry/pull/2250">google/go-containerregistry#2250</a></li> <li>Fix pkg/v1/google/auth tests for arm64 by <a href="https://github.com/Subserial"><code>@​Subserial</code></a> in <a href="https://redirect.github.com/google/go-containerregistry/pull/2085">google/go-containerregistry#2085</a></li> <li>goreleaser: Update goreleaser config and GH action by <a href="https://github.com/Subserial"><code>@​Subserial</code></a> in <a href="https://redirect.github.com/google/go-containerregistry/pull/2253">google/go-containerregistry#2253</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/evilgensec"><code>@​evilgensec</code></a> made their first contribution in <a href="https://redirect.github.com/google/go-containerregistry/pull/2243">google/go-containerregistry#2243</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/google/go-containerregistry/compare/v0.21.3...v0.21.4">https://github.com/google/go-containerregistry/compare/v0.21.3...v0.21.4</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/google/go-containerregistry/commit/e8813dd0a00e799459cae01d8a4659b9be2fd871"><code>e8813dd</code></a> goreleaser: Update goreleaser config and GH action for releases (<a href="https://redirect.github.com/google/go-containerregistry/issues/2253">#2253</a>)</li> <li><a href="https://github.com/google/go-containerregistry/commit/e90447d319233b94dcdc75a24246ccbee6d1e72a"><code>e90447d</code></a> replace gcloud in binary calls in pkg/v1/google tests (<a href="https://redirect.github.com/google/go-containerregistry/issues/2085">#2085</a>)</li> <li><a href="https://github.com/google/go-containerregistry/commit/0d0368c2a5fa524c4765a6c0b7df4ff6d6951471"><code>0d0368c</code></a> revert path traversal and symlink escape changes (<a href="https://redirect.github.com/google/go-containerregistry/issues/2250">#2250</a>)</li> <li><a href="https://github.com/google/go-containerregistry/commit/a2f47d4202de443f68e8bafa95ddd41407327168"><code>a2f47d4</code></a> transport: validate Bearer realm URL to prevent SSRF (<a href="https://redirect.github.com/google/go-containerregistry/issues/2243">#2243</a>)</li> <li><a href="https://github.com/google/go-containerregistry/commit/19a36cd8c44dd465a84f9d6ffea3009023f73660"><code>19a36cd</code></a> fork distribution client v3 auth-challenge as an internal package (squashed) ...</li> <li><a href="https://github.com/google/go-containerregistry/commit/c612a9b20a4c533454b7fa8b39a8c8139065f0b1"><code>c612a9b</code></a> Bump codecov/codecov-action from 5.5.2 to 5.5.3 in the actions group (<a href="https://redirect.github.com/google/go-containerregistry/issues/2240">#2240</a>)</li> <li><a href="https://github.com/google/go-containerregistry/commit/8f92f59fd620d476c074d18f84af038d5ba5279e"><code>8f92f59</code></a> Bump CI go version to 1.26.1 (<a href="https://redirect.github.com/google/go-containerregistry/issues/2242">#2242</a>)</li> <li><a href="https://github.com/google/go-containerregistry/commit/c99e7cf68b979ec8d87bdf47e4ac0e8eab650099"><code>c99e7cf</code></a> fix: update to go1.25.8, and use separate .go-version file (<a href="https://redirect.github.com/google/go-containerregistry/issues/2246">#2246</a>)</li> <li><a href="https://github.com/google/go-containerregistry/commit/0794660d72037159e7c8fcb8364726fcb8068b45"><code>0794660</code></a> Bump the go-deps group across 3 directories with 5 updates (<a href="https://redirect.github.com/google/go-containerregistry/issues/2245">#2245</a>)</li> <li><a href="https://github.com/google/go-containerregistry/commit/4cb93aef099ef41b6ade5eae9d463383acc5087b"><code>4cb93ae</code></a> Undo pruning absolute links from extracted and flattened images (<a href="https://redirect.github.com/google/go-containerregistry/issues/2241">#2241</a>)</li> <li>Additional commits viewable in <a href="https://github.com/google/go-containerregistry/compare/v0.21.3...v0.21.4">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/google/go-containerregistry&package-manager=go_modules&previous-version=0.21.3&new-version=0.21.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/danielgtaylor/huma/v2 v2.37.3
 	github.com/golang-jwt/jwt/v5 v5.3.1
-	github.com/google/go-containerregistry v0.21.3
+	github.com/google/go-containerregistry v0.21.4
 	github.com/jackc/pgx/v5 v5.9.1
 	github.com/prometheus/client_golang v1.23.2
 	github.com/rs/cors v1.11.1
@@ -41,8 +41,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v29.3.0+incompatible // indirect
-	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/cli v29.3.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.3 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
@@ -55,7 +54,7 @@ require (
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
-	github.com/klauspost/compress v1.18.4 // indirect
+	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
diff --git a/go.sum b/go.sum
@@ -45,10 +45,8 @@ github.com/danielgtaylor/huma/v2 v2.37.3/go.mod h1:OeHHtCEAaNiuVbAVdYu4IQ0UOmnb4
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/cli v29.3.0+incompatible h1:z3iWveU7h19Pqx7alZES8j+IeFQZ1lhTwb2F+V9SVvk=
-github.com/docker/cli v29.3.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
-github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/cli v29.3.1+incompatible h1:M04FDj2TRehDacrosh7Vlkgc7AuQoWloQkf1PA5hmoI=
+github.com/docker/cli v29.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
 github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
 github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
@@ -73,8 +71,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-containerregistry v0.21.3 h1:Xr+yt3VvwOOn/5nJzd7UoOhwPGiPkYW0zWDLLUXqAi4=
-github.com/google/go-containerregistry v0.21.3/go.mod h1:D5ZrJF1e6dMzvInpBPuMCX0FxURz7GLq2rV3Us9aPkc=
+github.com/google/go-containerregistry v0.21.4 h1:VrhlIQtdhE6riZW//MjPrcJ1snAjPoCCpPHqGOygrv8=
+github.com/google/go-containerregistry v0.21.4/go.mod h1:kxgc23zQ2qMY/hAKt0wCbB/7tkeovAP2mE2ienynJUw=
 github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -93,8 +91,8 @@ github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
-github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
-github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
