build(deps): bump the go_modules group across 1 directory with 7 updates #6

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/go_modules-f26bcb7cbb

dependabot bot commented on behalf of github on Dec 11, 2025

Bumps the go_modules group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/docker/compose/v2 | 2.40.0 | 2.40.2 |
| golang.org/x/crypto | 0.41.0 | 0.45.0 |
| github.com/containerd/containerd/v2 | 2.1.4 | 2.1.5 |
| github.com/go-jose/go-jose/v3 | 3.0.3 | 3.0.4 |
| github.com/opencontainers/selinux | 1.12.0 | 1.13.0 |
| github.com/quic-go/quic-go | 0.48.2 | 0.57.0 |
| github.com/smallstep/certificates | 0.26.1 | 0.29.0 |

Updates github.com/docker/compose/v2 from 2.40.0 to 2.40.2

Release notes

Sourced from github.com/docker/compose/v2's releases.

v2.40.2

What's Changed

🐛 Fixes

🔧 Internal

Full Changelog: docker/compose@v2.40.1...v2.40.2

v2.40.1

What's Changed

🐛 Fixes

🔧 Internal

⚙️ Dependencies

New Contributors

Full Changelog: docker/compose@v2.40.0...v2.40.1

Commits
  • 6007d4c publish env_file references as opaque hash to prevent paths conflicts
  • 69bcb96 Enforce compose files from OCI artifact all get into the same target (cache) ...
  • 9b4fcce introduce WithPrompt to configure compose backend to use a plugable UI compon...
  • da5c57c test digest or canonical reference, not only tag, when checking if an image i...
  • e25265d remove unused code to only rely on api.Service
  • e19e127 fail build if minimal required version of buildx isn't installed
  • 585c4db Compose can't create a tar with adequate uid:gid ownership
  • be8c7e6 make CTRL+Z a no-op operation on Windows
  • 27f59d7 Detect failure to access os.TempDir
  • 2681ed1 mutualize code from injectSecrets / injectConfigs
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.41.0 to 0.45.0

Commits
  • 4e0068c go.mod: update golang.org/x dependencies
  • e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
  • f91f7a7 ssh/agent: prevent panic on malformed constraint
  • 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
  • bcf6a84 acme: pass context to request
  • b4f2b62 ssh: fix error message on unsupported cipher
  • 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
  • 122a78f go.mod: update golang.org/x dependencies
  • c0531f9 all: eliminate vet diagnostics
  • 0997000 all: fix some comments
  • Additional commits viewable in compare view

Updates github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5

Release notes

Sourced from github.com/containerd/containerd/v2's releases.

containerd 2.1.5

Welcome to the v2.1.5 release of containerd!

The fifth patch release for containerd 2.1 contains various fixes and updates.

Security Updates

Highlights

Container Runtime Interface (CRI)

  • Disable event subscriber during task cleanup (#12410)
  • Add SystemdCgroup to default runtime options (#12253)
  • Fix userns with container image VOLUME mounts that need copy (#12242)

Image Distribution

  • Ensure errContentRangeIgnored error when range-get request is ignored (#12312)

Runtime

  • Update runc binary to v1.3.3 (#12478)

Deprecations

  • Postpone v2.2 deprecation items to v2.3 (#12431)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

  • Phil Estes
  • Akihiro Suda
  • Derek McGowan
  • Austin Vazquez
  • Rodrigo Campos
  • Maksym Pavlenko
  • Wei Fu
  • ningmingxiao
  • Akhil Mohan

... (truncated)

Commits
  • fcd4322 Merge pull request #12483 from austinvazquez/prep_2_1_5
  • fc5bdfe Prepare release notes for v2.1.5
  • c578c26 Update mailmap
  • 46a4a03 Merge commit from fork
  • 239ab87 Merge commit from fork
  • ac96e84 Merge pull request #12478 from k8s-infra-cherrypick-robot/cherry-pick-12475-t...
  • ed7edda Merge pull request #12470 from austinvazquez/2_1_bump_binaries_job_images
  • 3d713d3 runc: Update runc binary to v1.3.3
  • de4221c Update GHA runners to use latest images for basic binaries build
  • 559240f Merge pull request #12467 from austinvazquez/2_1_bump_go_1_24_9
  • Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4

Release notes

Sourced from github.com/go-jose/go-jose/v3's releases.

v3.0.4

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144 go-jose/go-jose#174

Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

Commits

Updates github.com/opencontainers/selinux from 1.12.0 to 1.13.0

Release notes

Sourced from github.com/opencontainers/selinux's releases.

v1.13.0

What's Changed

Full Changelog: opencontainers/selinux@v1.12.0...v1.13.0

Commits
  • 4be9937 Merge pull request #237 from cyphar/selinux-safe-procfs
  • c8cfa6f selinux: migrate to pathrs-lite procfs API
  • f2424d8 Merge pull request #236 from kolyshkin/modernize-ci
  • 648ce7f ci: add go 1.25
  • 916cab9 ci: bump golangci-lint to v2.5
  • b42e5c8 all: format sources with latest gofumpt
  • 74393ea Merge pull request #235 from cyphar/fix-keyring-err-check
  • 6ec194b keyring: fix typo in EACCES check
  • 879a755 Merge pull request #234 from opencontainers/dependabot/github_actions/actions...
  • 3c1bd9a build(deps): bump actions/setup-go from 5 to 6
  • Additional commits viewable in compare view

Updates github.com/quic-go/quic-go from 0.48.2 to 0.57.0

Release notes

Sourced from github.com/quic-go/quic-go's releases.

v0.57.0

This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

  • Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #5431
  • For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #5439
  • QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #5435 (and quic-go/qpack#67)
  • The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #5452

 

Breaking Changes

  • http3: Transport.MaxResponseBytes is now an int (before: int64): #5433  

Notable Fixes

  • qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #5430
  • http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #5432

What's Changed

New Contributors

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

v0.56.0

This release introduces qlog support for HTTP/3 (#5367, #5372, #5374, #5375, #5376, #5381, #5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#5356, #5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

  • replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#5353, #5371)

... (truncated)

Commits
  • 5b2d212 http3: limit size of decompressed headers (#5452)
  • e80b378 qlogwriter: use synctest to make tests deterministic (#5454)
  • d43c589 README: add nodepass to list of projects (#5448)
  • ca2835d don’t arm connection timer for connection ID retirement (#5449)
  • e84ebae ackhandler: don’t generate an immediate ACK for the first packet (#5447)
  • d4d168f add documentation for Conn.NextConnection (#5442)
  • 4cdebbe http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors (#5439)
  • b7886d5 update qpack to v0.6.0 (#5434)
  • 2fc9705 http3: add a benchmark for header parsing (#5435)
  • dafdd6f http3: make Transport.MaxResponseBytes an int (#5433)
  • Additional commits viewable in compare view

Updates github.com/smallstep/certificates from 0.26.1 to 0.29.0

Release notes

Sourced from github.com/smallstep/certificates's releases.

Step CA v0.29.0 (25-12-03)

Official Release Artifacts

Linux

OSX Darwin

Windows

For more builds across platforms and architectures, see the Assets section below. And for packaged versions (Docker, k8s, Homebrew), see our installation docs.

Don't see the artifact you need? Open an issue here.

Signatures and Checksums

step-ca uses sigstore/cosign for signing and verifying release artifacts.

Below is an example using cosign to verify a release artifact:

cosign verify-blob \
  --certificate step-ca_darwin_0.29.0_amd64.tar.gz.pem \
  --signature step-ca_darwin_0.29.0_amd64.tar.gz.sig \
  --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  step-ca_darwin_0.29.0_amd64.tar.gz

The checksums.txt file (in the Assets section below) contains a checksum for every artifact in the release.

Changelog

  • 992ff696e95b424a99140bd7edb2144013975059 Merge pull request #2491 from smallstep/mariano/update
  • 9d79c59c1d0afdc235047e4509f79564bb0bd9a0 Merge branch 'master' into mariano/update
  • 8e76e290c0e37f09d13660ed2d5c8b01e80377d6 Disable govulncheck until go 1.25.5 is available in github actions (#2490)
  • 1011f5f5408b470a636f583bf74c0d7bbaf75d72 Improve validation in authorization path
  • 48ed3a5d17d1224377d3a36d8e1a67575340c493 Changelog updates for preparing for v0.29.0 (#2488)
  • 008e6ae94aa641c1350d84d0860c428f05dd444c Merge pull request #2487 from smallstep/dependabot/github_actions/softprops/action-gh-release-2.5.0
  • 895e8c61bfbeda9baed298ba2350a9b1b59cd122 Bump softprops/action-gh-release from 2.4.2 to 2.5.0

... (truncated)

Changelog

Sourced from github.com/smallstep/certificates's changelog.

[0.29.0] - unreleased

Added

  • smallstep/certificates#2370
  • smallstep/certificates#2382
  • smallstep/certificates#2408
  • smallstep/certificates#2461
  • smallstep/certificates#2463

Changed

  • smallstep/certificates#2343

Deprecated

Removed

Fixed

  • smallstep/certificates#2338
  • smallstep/certificates#2435
  • smallstep/certificates#2444

Security

[0.28.4] - 2025-07-13

Added

  • Add support for using key usage, extended key usage, and basic constraints smallstep/crypto#767
  • smallstep/certificates#2326
  • smallstep/certificates#2290
  • Enable dynamic validation of project ownership within a GCP organization smallstep/certificates#2133

Changed

  • Introduce poolhttp package for improved memory performance of Authority smallstep/certificates#2325

[0.28.3] - 2025-03-17

  • dependabot updates

[0.28.2] - 2025-02-20

... (truncated)

Commits
  • 992ff69 Merge pull request #2491 from smallstep/mariano/update
  • 9d79c59 Merge branch 'master' into mariano/update
  • 8e76e29 Disable govulncheck until go 1.25.5 is available in github actions (#2490)
  • 1011f5f Improve validation in authorization path
  • 48ed3a5 Changelog updates for preparing for v0.29.0 (#2488)
  • 008e6ae Merge pull request #2487 from smallstep/dependabot/github_actions/softprops/a...
  • 895e8c6 Bump softprops/action-gh-release from 2.4.2 to 2.5.0
  • 930e8fc Merge pull request #2477 from smallstep/dependabot/go_modules/golang.org/x/cr...
  • d753789 Bump golang.org/x/crypto from 0.44.0 to 0.45.0
  • 07fa345 Merge pull request #2481 from smallstep/dependabot/go_modules/github.com/newr...
  • Additional commits viewable in compare view

Bumps the go_modules group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/docker/compose/v2](https://github.com/docker/compose) | `2.40.0` | `2.40.2` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.41.0` | `0.45.0` |
| [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) | `2.1.4` | `2.1.5` |
| [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) | `3.0.3` | `3.0.4` |
| [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) | `1.12.0` | `1.13.0` |
| [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) | `0.48.2` | `0.57.0` |
| [github.com/smallstep/certificates](https://github.com/smallstep/certificates) | `0.26.1` | `0.29.0` |



Updates `github.com/docker/compose/v2` from 2.40.0 to 2.40.2
- [Release notes](https://github.com/docker/compose/releases)
- [Commits](docker/compose@v2.40.0...v2.40.2)

Updates `golang.org/x/crypto` from 0.41.0 to 0.45.0
- [Commits](golang/crypto@v0.41.0...v0.45.0)

Updates `github.com/containerd/containerd/v2` from 2.1.4 to 2.1.5
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v2.1.4...v2.1.5)

Updates `github.com/go-jose/go-jose/v3` from 3.0.3 to 3.0.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v3.0.3...v3.0.4)

Updates `github.com/opencontainers/selinux` from 1.12.0 to 1.13.0
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](opencontainers/selinux@v1.12.0...v1.13.0)

Updates `github.com/quic-go/quic-go` from 0.48.2 to 0.57.0
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Commits](quic-go/quic-go@v0.48.2...v0.57.0)

Updates `github.com/smallstep/certificates` from 0.26.1 to 0.29.0
- [Release notes](https://github.com/smallstep/certificates/releases)
- [Changelog](https://github.com/smallstep/certificates/blob/master/CHANGELOG.md)
- [Commits](smallstep/certificates@v0.26.1...v0.29.0)

---
updated-dependencies:
- dependency-name: github.com/docker/compose/v2
  dependency-version: 2.40.2
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.1.5
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-version: 3.0.4
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/opencontainers/selinux
  dependency-version: 1.13.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/quic-go/quic-go
  dependency-version: 0.57.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/smallstep/certificates
  dependency-version: 0.29.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and go labels on Dec 11, 2025