@dependabot dependabot bot commented on behalf of github May 12, 2025

Bumps the all group with 13 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| cuelang.org/go | 0.11.1 | 0.12.1 |
| github.com/CycloneDX/cyclonedx-go | 0.9.0 | 0.9.2 |
| github.com/docker/docker | 27.5.0+incompatible | 28.1.1+incompatible |
| github.com/enterprise-contract/enterprise-contract-controller/api | 0.1.79 | 0.1.100 |
| github.com/evanphx/json-patch | 5.9.0+incompatible | 5.9.11+incompatible |
| github.com/gkampitakis/go-snaps | 0.5.7 | 0.5.11 |
| github.com/go-git/go-git/v5 | 5.13.2 | 5.16.0 |
| github.com/open-policy-agent/conftest | 0.55.0 | 0.60.0 |
| github.com/sigstore/cosign/v2 | 2.4.1 | 2.5.0 |
| github.com/tektoncd/pipeline | 0.63.0 | 1.0.0 |
| github.com/testcontainers/testcontainers-go | 0.34.1-0.20241204123437-72be13940122 | 0.37.0 |
| github.com/testcontainers/testcontainers-go/modules/registry | 0.34.0 | 0.37.0 |
| oras.land/oras-go/v2 | 2.5.0 | 2.6.0 |

Updates cuelang.org/go from 0.11.1 to 0.12.1

Updates github.com/CycloneDX/cyclonedx-go from 0.9.0 to 0.9.2

Release notes

Sourced from github.com/CycloneDX/cyclonedx-go's releases.

v0.9.2

Changelog

Features

  • 39ede217f126cfbc80eabf880f6643be3d392a4f: feat: add MarshalXML and UnmarshalXML (@​DmitriyLewen)
  • e9191ed11a269fcb6b3fb54e000ed6d81b5bf9db: feat: add UnmarshalJSON (@​DmitriyLewen)

Fixes

  • 80fede1f13a956d35eb14696cd2ca9d2d943f809: fix: add json tag for Identity (@​DmitriyLewen)
  • 24e9503293f0837e6e7ea3ff670ef958e6075b87: fix: tests (@​DmitriyLewen)
  • d68a199bc1747e5d6a7d4196c2f270535bbf6e3e: fix: use identity as array in valid-evidence.json (@​DmitriyLewen)
  • ff9cc28f9c9554328bd6c1ad56098be5a692d5e9: fix: use componentEvidence array for Evidence.Identity field (@​DmitriyLewen)

Building and Packaging

  • 016ee293d464d6383be3a714f7fb0debebef8ad5: build(deps): bump actions/checkout from 4.1.7 to 4.2.0 (@​dependabot[bot])
  • 77153ab5fe005f6484ac1e1225e7152df00db3f1: build(deps): bump actions/checkout from 4.2.0 to 4.2.1 (@​dependabot[bot])
  • 4f50d02c1282ac1d0d7448502b231a0e84a1e529: build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (@​dependabot[bot])
  • b84451219e77e0fbbe7d5ba054bcf25dbc7aaea4: build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (@​dependabot[bot])
  • 238cbea3479fed9fdfcbfa5f1751828390a05211: build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 (@​dependabot[bot])
  • bbe8f3c2c7c4567514ae966c69bf93fc1b3dba2a: build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (@​dependabot[bot])
  • 05f8930fe918a31941ebf90eec627e5e6e908d1c: build(deps): bump github.com/terminalstatic/go-xsd-validate (@​dependabot[bot])
  • 082f87791a5e290c9d4c6e8126dc0cc987028a60: build(deps): bump gitpod/workspace-go from 2a9e01c to 9c95281 (@​dependabot[bot])
  • 093b1c15164dad5d46768db0e3f6ee43eb60ca20: build(deps): bump gitpod/workspace-go from 9c95281 to 6932342 (@​dependabot[bot])
  • 47b7e01ce8f8209894065e9656217b8c00a3c8ea: build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 (@​dependabot[bot])
  • ce6eb841cb1e21aa28efbccd9eb8fe5eea0555c9: build(deps): bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0 (@​dependabot[bot])

Others

  • 4d3aff9fab9ae78bd6fbbc9fd0912fab14c8fb64: UPDATE_SNAPSHOTS=true make test (@​DmitriyLewen)
  • 31d954443e6563aeee69d82bdfb82aee83e07df1: refactor (@​DmitriyLewen)
  • 0170729e313a681fc8659643601410ae10ffe803: refactor: update convert package (@​DmitriyLewen)

v0.9.1

Changelog

Fixes

  • 6f0e0cf025dd99ab903e33f8e043d92b28dab4f6: fix: nil pointer dereference during evidence conversion (@​nscuro)
  • ce43b6f4cb5707d3ef2db1af1d597f5b23bf0e15: fix: make linter happy (@​nscuro)
  • 5d799e634b9bed9c86621048544737b210e433e8: fix: remove deprecated goreleaser flag (@​nscuro)

Building and Packaging

  • 6d5bcb0e277207551dbc728eb29959f1d3cbd685: build(deps): bump actions/checkout from 4.1.6 to 4.1.7 (@​dependabot[bot])
  • f34fc0c413da74d20d1cc240863aaf2eb6b274f7: build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 (@​dependabot[bot])
  • 71cff221b8dbbc1d50f839fa76ecea4e42d83a2b: build(deps): bump gitpod/workspace-go from 8d15123 to 2a9e01c (@​dependabot[bot])
  • ea693550558d230b3fbba810b6e75ac2eb0b55c8: build(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 (@​dependabot[bot])
  • d5cbdad49dfbf54f2dab4ad95bd1a47c710a526c: build(deps): bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (@​dependabot[bot])

Commits
  • cba06ff Merge pull request #205 from CycloneDX/dependabot/go_modules/github.com/termi...
  • 5c81749 Merge pull request #211 from CycloneDX/dependabot/github_actions/actions/setu...
  • 753526c Merge pull request #204 from DmitriyLewen/fix/componentEvidence-as-array
  • 4d3aff9 UPDATE_SNAPSHOTS=true make test
  • d68a199 fix: use identity as array in valid-evidence.json
  • 24e9503 fix: tests
  • 238cbea build(deps): bump actions/setup-go from 5.1.0 to 5.2.0
  • a7f7415 Merge branch 'master' of github.com:DmitriyLewen/cyclonedx-go into fix/compon...
  • 05f8930 build(deps): bump github.com/terminalstatic/go-xsd-validate
  • 464d426 Merge pull request #202 from CycloneDX/dependabot/github_actions/actions/chec...
  • Additional commits viewable in compare view

Updates github.com/docker/docker from 27.5.0+incompatible to 28.1.1+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.1.1

28.1.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fix dockerd-rootless-setuptool.sh incorrectly reporting missing iptables. moby/moby#49833
  • containerd image store: Fix a potential daemon crash when using docker load with archives containing zero-size tar headers. moby/moby#49837

Packaging updates

Networking

  • Add a warning to a container's /etc/resolv.conf when no upstream DNS servers were found. moby/moby#49827

v28.1.0

28.1.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Add docker bake sub-command as alias for docker buildx bake. docker/cli#5947
  • Experimental: add a new --use-api-socket flag on docker run and docker create to enable access to Docker socket from inside a container and to share credentials from the host with the container. docker/cli#5858
  • docker image inspect now supports a --platform flag to inspect a specific platform of a multi-platform image. docker/cli#5934

Bug fixes and enhancements

  • Add CLI shell-completion for context names. docker/cli#6016
  • Fix docker images --tree not including non-container images content size in the total image content size. docker/cli#6000
  • Fix docker load not preserving replaced images. moby/moby#49650
  • Fix docker login hints when logging in to a custom registry. docker/cli#6015
  • Fix docker stats not working properly on machines with high CPU core count. moby/moby#49734
  • Fix a regression causing docker pull/push to fail when interacting with a private repository. docker/cli#5964
  • Fix an issue preventing rootless Docker setup on a host with no ip_tables kernel module. moby/moby#49727
  • Fix an issue that could lead to unwanted iptables rules being restored and never deleted following a firewalld reload. moby/moby#49728
  • Improve CLI completion of docker service scale. docker/cli#5968
  • docker images --tree now hides both untagged and dangling images by default. docker/cli#5924
  • docker system info will provide an exit code if a connection cannot be established to the Docker daemon. docker/cli#5918

... (truncated)

Commits
  • 01f442b Merge pull request #49588 from thaJeztah/bump_go_build_tags
  • e03c0f0 Merge pull request #49834 from thaJeztah/cleanup_ignore
  • 8dde918 Merge pull request #49837 from thaJeztah/bump_containerd_2.0.5
  • e70ce7a Merge pull request #49833 from vvoland/rootless-iptables-check
  • fc8361c vendor: github.com/containerd/containerd v2.0.5
  • 62f51e4 vendor: golang.org/x/oauth2 v0.29.0
  • bbbb003 cleanup ignore files
  • ead379a contrib/rootless-setuptool: Fix iptables detection
  • 7c52c4d update go:build tags to go1.23 to align with vendor.mod
  • 6573a13 Merge pull request #49827 from robmry/warn_no_ext_nameservers
  • Additional commits viewable in compare view

Updates github.com/enterprise-contract/enterprise-contract-controller/api from 0.1.79 to 0.1.100

Release notes

Sourced from github.com/enterprise-contract/enterprise-contract-controller/api's releases.

API Release api/v0.1.100

What's Changed

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.99...api/v0.1.100

API Release api/v0.1.99

What's Changed

New Contributors

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.98...api/v0.1.99

API Release api/v0.1.98

What's Changed

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.97...api/v0.1.98

API Release api/v0.1.97

What's Changed

New Contributors

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.96...api/v0.1.97

API Release api/v0.1.96

What's Changed

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.95...api/v0.1.96

API Release api/v0.1.95

What's Changed

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.94...api/v0.1.95

API Release api/v0.1.94

What's Changed

... (truncated)

Commits
  • 34d635e Update GitHub Actions updates (#523)
  • cf514f6 Merge pull request #522 from Acepresso/remove-coc-EC-1035
  • a745872 Delete redundant CODE_OF_CONDUCT.md
  • 4127e83 Merge pull request #520 from joejstuart/imageUrl-regex
  • 61f55fc Format imageUrl to accept multiple sub-paths
  • 45e50ef Merge pull request #514 from enterprise-contract/renovate/docker-updates
  • 03666ce Merge pull request #513 from enterprise-contract/renovate/actions-upload-page...
  • 8b295a3 Update registry.access.redhat.com/ubi8/ubi-micro:latest Docker digest to 084c06b
  • 5b34e52 Update actions/upload-pages-artifact digest to 2d163be
  • 14645fc Merge pull request #512 from simonbaird/sync-generated-docs
  • Additional commits viewable in compare view

Updates github.com/evanphx/json-patch from 5.9.0+incompatible to 5.9.11+incompatible

Release notes

Sourced from github.com/evanphx/json-patch's releases.

v5.9.11

What's Changed

Full Changelog: evanphx/json-patch@v5.9.10...v5.9.11

v5.9.10

What's Changed

New Contributors

Full Changelog: evanphx/json-patch@v5.9.0...v5.9.10

Commits
  • 84a4bb1 Merge pull request #209 from skitt/export-errs-v5
  • 7a7a88a Export errBadJSONDoc and errBadJSONPatch errors
  • bd18525 Upgrade go-flags
  • 42f26cb Fix spacing
  • 0a3482b Merge pull request #206 from koba1t/remove_unmaintained_error_pkg
  • 106306d remove unmaintained errors pkg
  • e7cfbbb Merge pull request #203 from skitt/drop-gopkgin-v5
  • 61e1ad7 Drop the reference to gopkg.in for v5
  • See full diff in compare view

Updates github.com/gkampitakis/go-snaps from 0.5.7 to 0.5.11

Release notes

Sourced from github.com/gkampitakis/go-snaps's releases.

v0.5.11

What's Changed

New Contributors

Full Changelog: gkampitakis/go-snaps@v0.5.10...v0.5.11

v0.5.10

What's Changed

Full Changelog: gkampitakis/go-snaps@v0.5.9...v0.5.10

v0.5.9

What's Changed

Full Changelog: gkampitakis/go-snaps@v0.5.8...v0.5.9

Kudos to @​orloffv for this issue gkampitakis/go-snaps#116

v0.5.8

What's Changed

Full Changelog: gkampitakis/go-snaps@v0.5.7...v0.5.8

Commits

Updates github.com/go-git/go-git/v5 from 5.13.2 to 5.16.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.0

What's Changed

Full Changelog: go-git/go-git@v5.15.0...v5.16.0

v5.15.0

What's Changed

Full Changelog: go-git/go-git@v5.14.0...v5.15.0

v5.14.0

What's Changed

⚠️ Note that this version requires Go 1.23, due to the bump to golang.org/x/crypto@v0.35.0 which mitigates the CVE above. Users that can't bump to Go 1.23 will need to remain on the previous v5.13.x release.

Full Changelog: go-git/go-git@v5.13.2...v5.14.0

Commits
  • 6d4a5c6 Merge pull request #1515 from pjbgf/regre
  • beedd6b plumbing: transport, Reintroduce SetHostKeyCallback. Fix #1514
  • 763ce2e Merge pull request #1510 from hiddeco/mtls-support
  • 5320e1b plumbing: surface transport configuration errors
  • 9bbc93b plumbing: fix unintended pointer mutation in test
  • f3783f4 plumbing: support mTLS for HTTPS protocol
  • 6f444d3 Merge pull request #1505 from pjbgf/bump
  • 9996069 v5: Bump dependencies
  • 768fda7 Merge pull request #1482 from Javier-varez/add-cert-auth-support-v5.x
  • ba9d693 plumbing: support setting custom host key algorithms along with host key call...
  • Additional commits viewable in compare view

Updates github.com/google/go-cmp from 0.6.0 to 0.7.0

Release notes

Sourced from github.com/google/go-cmp's releases.

v0.7.0

New API:

  • (#367) Support compare functions with SortSlices and SortMaps

Panic messaging:

  • (#370) Detect proto.Message types when failing to export a field

Commits

Updates github.com/open-policy-agent/conftest from 0.55.0 to 0.60.0

Release notes

Sourced from github.com/open-policy-agent/conftest's releases.

v0.60.0

Announcements

⚠️ Breaking Changes ⚠️

We have set the default version of Rego syntax to v1. This is a breaking change if your Rego policies are not compatible with the v1 syntax.

  • Individual policies can be updated gradually, by adding import rego.v1 to the policy.
  • The rego-version flag will remain available indefinitely, and users who do not wish to update their Rego policies can continue to use v0 syntax by setting this flag to v0.

For more information about upgrading to Rego v1 syntax, see the upstream docs at https://www.openpolicyagent.org/docs/latest/v0-upgrade/.

Changelog

New Features

  • 06658d41ac259398cf2616b958a898185c0d27d7: feat(output): redirect trace output to stderr (#1084) (@​thevilledev)
  • 18a0f14fab7759cce9fd7b101c04a7331bd73e5e: feat(runner): add support for symlinks (#1098) (@​siliconsheep)

OPA Changes

  • 2797c9916a070d6e0db37da0a1ce1ee9c53f233d: build(deps): bump github.com/open-policy-agent/opa from 1.3.0 to 1.4.1 (#1113) (@​dependabot[bot])

Other Changes

  • 67a3c3e081607af24a7c8831e9454978b95064a7: build(deps): bump actions/setup-go from 4 to 5 (#1102) (@​dependabot[bot])
  • 609490f54775bb0044e55e2a4a4bae941f13bab2: build(deps): bump bats-core/bats-action from 1.5.4 to 3.0.1 (#1104) (@​dependabot[bot])
  • 9e56924ba242838c1a226e98d8e8558642975077: build(deps): bump github.com/google/go-jsonnet from 0.20.0 to 0.21.0 (#1120) (@​dependabot[bot])
  • 5ea04460dc9ae20fa8fa0e77ada3a31bd2f4870b: build(deps): bump github.com/moby/buildkit from 0.20.2 to 0.21.0 (#1101) (@​dependabot[bot])
  • 21a73eb583b3ba29c0a17902e225e5d441e51d5a: build(deps): bump github.com/moby/buildkit from 0.21.0 to 0.21.1 (#1111) (@​dependabot[bot])
  • b3d0491b52eb2e5f321a9153ca7715ac5c661d38: build(deps): bump golangci/golangci-lint-action from 6 to 7 (#1103) (@​dependabot[bot])
  • e894c43ed14bc258b83726d7826b5ff65252d002: build(deps): bump golangci/golangci-lint-action from 7 to 8 (#1119) (@​dependabot[bot])
  • 3ae2e78afa0447441868d94653ba64830c96beff: chore: Update Github Actions via Dependabot (#1100) (@​mrueg)
  • 4c5e5f536a6dd96d3e8399523f7496a72b8cf61c: ci: Move docker build to separate job in the PR workflow (#1105) (@​jalseth)
  • 39074821d8ab04a2e1c68f7145326710ba7fb6dd: cli: Make Rego v1 syntax the default (#1114) (@​jalseth)

v0.59.0

Announcements

Breaking Changes ⚠️

Breaking Changes Reminder

In the v0.60 release of conftest (in May 2025), we will change the default version of Rego syntax from v0 to v1. This will be a breaking change if your Rego policies are not compatible with the v1 syntax.

  • Individual policies can be updated gradually, by adding import rego.v1 to the policy.
  • The rego-version flag will remain available indefinitely, and users who do not wish to update their Rego policies can continue to use v0 syntax by setting this flag to v0.

For more information about upgrading to Rego v1 syntax, see the upstream docs at https://www.openpolicyagent.org/docs/latest/v0-upgrade/.

Changelog

New Features

  • 21e1163886e0e9f374dafd2e7a547b1c0df30b04: feat: add pre-commit hook support (#1077) (@​thevilledev)

... (truncated)

Commits
  • 9e56924 build(deps): bump github.com/google/go-jsonnet from 0.20.0 to 0.21.0 (#1120)
  • e894c43 build(deps): bump golangci/golangci-lint-action from 7 to 8 (#1119)
  • 3907482 cli: Make Rego v1 syntax the default (#1114)
  • c0799c4 docs: Make examples in the docs compatible with v1 syntax (#1115)
  • 2797c99 build(deps): bump github.com/open-policy-agent/opa from 1.3.0 to 1.4.1 (#1113)
  • 21a73eb build(deps): bump github.com/moby/buildkit from 0.21.0 to 0.21.1 (#1111)
  • 5ea0446 build(deps): bump github.com/moby/buildkit from 0.20.2 to 0.21.0 (#1101)
  • 06658d4 feat(output): redirect trace output to stderr (#1084)
  • 18a0f14 feat(runner): add support for symlinks (#1098)
  • 4c5e5f5 ci: Move docker build to separate job in the PR workflow (#1105)
  • Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 0.70.0 to 1.4.2

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.4.2

This is a bug fix release addressing the missing capabilities/v1.4.1.json in the v1.4.1 release.

v1.4.1

⚠️ Please skip this release and go straight to v1.4.2 ⚠️ This release is broken due to a mistake during the release process and the artifacts are missing a crucial capabilities file. Sorry for any inconvenience.


This is a security fix release for the fixes published in Go 1.24.1 and 1.24.2

  • build: bump go to 1.24.2 (#7544) (authored by @​sspaink) Addressing CVE-2025-22870 and CVE-2025-22871 vulnerabilities in the Go runtime.

v1.4.0

This release contains a security fix addressing CVE-2025-46569. It also includes a mix of new features, bugfixes, and dependency updates.

Security Fix: CVE-2025-46569 - OPA server Data API HTTP path injection of Rego (GHSA-6m8w-jc87-6cr7)

A vulnerability in the OPA server's Data API allows an attacker to craft the HTTP path in a way that injects Rego code into the query that is evaluated.
The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.

Users are only impacted if all of the following apply:

  • OPA is deployed as a standalone server (rather than being used as a Go library)
  • The OPA server is exposed outside of the local host in an untrusted environment.
  • The configured authorization policy does not do exact matching of the input.path attribute when deciding if the request should be allowed.

or, if all of the following apply:

  • OPA is deployed as a standalone server.
  • The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA’s Data API.

Note: With no Authorization Policy configured for restricting API access (the default configuration), the RESTful Data API provides access for managing Rego policies; and the RESTful Query API facilitates advanced queries. Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate. As such, OPA servers exposed to a network are not considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.

This issue affects all versions of OPA prior to 1.4.0.

See the Security Advisory for more details.

Reported by @​GamrayW, @​HyouKash, @​AdrienIT, authored by @​johanfylling

Runtime, Tooling, SDK

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.4.2

This is a bug fix release addressing the missing capabilities/v1.4.1.json in the v1.4.1 release.

1.4.1

This is a security fix release for the fixes published in Go 1.24.1 and 1.24.2

  • build: bump go to 1.24.2 (#7544) (authored by @​sspaink) Addressing CVE-2025-22870 and CVE-2025-22871 vulnerabilities in the Go runtime.

1.4.0

This release contains a security fix addressing CVE-2025-46569. It also includes a mix of new features, bugfixes, and dependency updates.

Security Fix: CVE-2025-46569 - OPA server Data API HTTP path injection of Rego (GHSA-6m8w-jc87-6cr7)

A vulnerability in the OPA server's Data API allows an attacker to craft the HTTP path in a way that injects Rego code into the query that is evaluated.
The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.

Users are only impacted if all of the following apply:

  • OPA is deployed as a standalone server (rather than being used as a Go library)
  • The OPA server is exposed outside of the local host in an untrusted environment.
  • The configured authorization policy does not do exact matching of the input.path attribute when deciding if the request should be allowed.

or, if all of the following apply:

  • OPA is deployed as a standalone server.
  • The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA’s Data API.

Note: With no Authorization Policy configured for restricting API access (the default configuration), the RESTful Data API provides access for managing Rego policies; and the RESTful Query API facilitates advanced queries. Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate. As such, OPA servers exposed to a network are not considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.

This issue affects all versions of OPA prior to 1.4.0.

See the Security Advisory for more details.

Reported by @​GamrayW, @​HyouKash, @​AdrienIT, authored by @​johanfylling

Runtime, Tooling, SDK

... (truncated)

Commits
  • 5e4582b Prepare v1.4.2 release (#7547)
  • 3b64aff Patch release v1.4.1 (#7545)
  • 8b07202 Prepare v1.4.0 release (#7541)
  • ad20632 Merge commit from fork
  • 24ff9cf fix: return the raw strings when formatting (#7525)
  • 254f3bf fix(status plugin): make sure the latest status is read before manually trigg...
  • 9b5f601 docs: fix post merge badge (#7532)
  • e490277 docs: Point path versioned requests to new sites (#7531)
  • d65888c plugins/status: FIFO buffer channel for status events to prevent slow status ...
  • eb77d10 docs: update edge links to use /docs/edge/ path (#7529)
  • Additional commits viewable in compare view

Updates github.com/sigstore/cosign/v2 from 2.4.1 to 2.5.0

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.5.0 includes an implementation of the new bundle specification, attesting and verifying OCI image attestations uploaded as OCI artifacts. This feature is currently gated behind the --new-bundle-format flag when running cosign attest.

Features

  • Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
  • Feat/non filename completions (#4115)
  • Add TSA certificate related flags and fields for cosign attest (#4079)

Fixes

  • cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
  • Fix replace with compliant image mediatype (#4077)

v2.4.3

Features

  • Bump sigstore/sigstore to support KMS plugins (#4073)
  • Enable fetching signatures without remote get. (#4047)
  • Feat/file flag completion improvements (#4028)
  • Update builder to use go1.23.6 (#4052)

Bug Fixes

  • fix parsing error in --only for cosign copy (#4049)

Cleanup

  • Refactor verifyNewBundle into library function (#4013)
  • fix comment typo and imports order (#4061)
  • sync comment with parameter name in function signature (#4063)
  • sort properly Go imports (#4071)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Dmitry Savintsev
  • Hayden B
  • Tomasz Janiszewski
  • Ville Skyttä

v2.4.2

Features

  • Updated open-policy-agent to 1.1.0 library (#4036)

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.5.0

v2.5.0 includes an implementation of the new bundle specification, attesting and verifying OCI image attestations uploaded as OCI artifacts. This feature is currently gated behind the --new-bundle-format flag when running cosign attest.

Features

  • Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
  • Feat/non filename completions (#4115)
  • Add TSA certificate related flags and fields for cosign attest (#4079)

Fixes

  • cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)

Description has been truncated

Bumps the all group with 13 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| cuelang.org/go | `0.11.1` | `0.12.1` |
| [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go) | `0.9.0` | `0.9.2` |
| [github.com/docker/docker](https://github.com/docker/docker) | `27.5.0+incompatible` | `28.1.1+incompatible` |
| [github.com/enterprise-contract/enterprise-contract-controller/api](https://github.com/enterprise-contract/enterprise-contract-controller) | `0.1.79` | `0.1.100` |
| [github.com/evanphx/json-patch](https://github.com/evanphx/json-patch) | `5.9.0+incompatible` | `5.9.11+incompatible` |
| [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) | `0.5.7` | `0.5.11` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.13.2` | `5.16.0` |
| [github.com/open-policy-agent/conftest](https://github.com/open-policy-agent/conftest) | `0.55.0` | `0.60.0` |
| [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) | `2.4.1` | `2.5.0` |
| [github.com/tektoncd/pipeline](https://github.com/tektoncd/pipeline) | `0.63.0` | `1.0.0` |
| [github.com/testcontainers/testcontainers-go](https://github.com/testcontainers/testcontainers-go) | `0.34.1-0.20241204123437-72be13940122` | `0.37.0` |
| [github.com/testcontainers/testcontainers-go/modules/registry](https://github.com/testcontainers/testcontainers-go) | `0.34.0` | `0.37.0` |
| [oras.land/oras-go/v2](https://github.com/oras-project/oras-go) | `2.5.0` | `2.6.0` |



Updates `cuelang.org/go` from 0.11.1 to 0.12.1

Updates `github.com/CycloneDX/cyclonedx-go` from 0.9.0 to 0.9.2
- [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases)
- [Changelog](https://github.com/CycloneDX/cyclonedx-go/blob/master/.goreleaser.yml)
- [Commits](CycloneDX/cyclonedx-go@v0.9.0...v0.9.2)

Updates `github.com/docker/docker` from 27.5.0+incompatible to 28.1.1+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v27.5.0...v28.1.1)

Updates `github.com/enterprise-contract/enterprise-contract-controller/api` from 0.1.79 to 0.1.100
- [Release notes](https://github.com/enterprise-contract/enterprise-contract-controller/releases)
- [Commits](enterprise-contract/enterprise-contract-controller@api/v0.1.79...api/v0.1.100)

Updates `github.com/evanphx/json-patch` from 5.9.0+incompatible to 5.9.11+incompatible
- [Release notes](https://github.com/evanphx/json-patch/releases)
- [Commits](evanphx/json-patch@v5.9.0...v5.9.11)

Updates `github.com/gkampitakis/go-snaps` from 0.5.7 to 0.5.11
- [Release notes](https://github.com/gkampitakis/go-snaps/releases)
- [Commits](gkampitakis/go-snaps@v0.5.7...v0.5.11)

Updates `github.com/go-git/go-git/v5` from 5.13.2 to 5.16.0
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.13.2...v5.16.0)

Updates `github.com/google/go-cmp` from 0.6.0 to 0.7.0
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.6.0...v0.7.0)

Updates `github.com/open-policy-agent/conftest` from 0.55.0 to 0.60.0
- [Release notes](https://github.com/open-policy-agent/conftest/releases)
- [Changelog](https://github.com/open-policy-agent/conftest/blob/master/.goreleaser.yml)
- [Commits](open-policy-agent/conftest@v0.55.0...v0.60.0)

Updates `github.com/open-policy-agent/opa` from 0.70.0 to 1.4.2
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.70.0...v1.4.2)

Updates `github.com/sigstore/cosign/v2` from 2.4.1 to 2.5.0
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v2.4.1...v2.5.0)

Updates `github.com/sigstore/sigstore` from 1.8.9 to 1.9.1
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.9...v1.9.1)

Updates `github.com/spf13/afero` from 1.11.0 to 1.12.0
- [Release notes](https://github.com/spf13/afero/releases)
- [Commits](spf13/afero@v1.11.0...v1.12.0)

Updates `github.com/spf13/cobra` from 1.8.1 to 1.9.1
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.8.1...v1.9.1)

Updates `github.com/spf13/pflag` from 1.0.5 to 1.0.6
- [Release notes](https://github.com/spf13/pflag/releases)
- [Commits](spf13/pflag@v1.0.5...v1.0.6)

Updates `github.com/spf13/viper` from 1.19.0 to 1.20.1
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](spf13/viper@v1.19.0...v1.20.1)

Updates `github.com/tektoncd/pipeline` from 0.63.0 to 1.0.0
- [Release notes](https://github.com/tektoncd/pipeline/releases)
- [Changelog](https://github.com/tektoncd/pipeline/blob/main/releases.md)
- [Commits](tektoncd/pipeline@v0.63.0...v1.0.0)

Updates `github.com/testcontainers/testcontainers-go` from 0.34.1-0.20241204123437-72be13940122 to 0.37.0
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases)
- [Commits](https://github.com/testcontainers/testcontainers-go/commits/v0.37.0)

Updates `github.com/testcontainers/testcontainers-go/modules/registry` from 0.34.0 to 0.37.0
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases)
- [Commits](testcontainers/testcontainers-go@v0.34.0...v0.37.0)

Updates `golang.org/x/exp` from 0.0.0-20240909161429-701f63a606c0 to 0.0.0-20250408133849-7e4ce0ab07d0
- [Commits](https://github.com/golang/exp/commits)

Updates `golang.org/x/net` from 0.34.0 to 0.39.0
- [Commits](golang/net@v0.34.0...v0.39.0)

Updates `golang.org/x/sync` from 0.10.0 to 0.13.0
- [Commits](golang/sync@v0.10.0...v0.13.0)

Updates `k8s.io/apiextensions-apiserver` from 0.31.0 to 0.32.1
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](kubernetes/apiextensions-apiserver@v0.31.0...v0.32.1)

Updates `k8s.io/apimachinery` from 0.31.0 to 0.32.4
- [Commits](kubernetes/apimachinery@v0.31.0...v0.32.4)

Updates `k8s.io/client-go` from 0.31.0 to 0.32.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.31.0...v0.32.2)

Updates `k8s.io/kube-openapi` from 0.0.0-20240903163716-9e1beecbcb38 to 0.0.0-20241212222426-2c72e554b1e7
- [Commits](https://github.com/kubernetes/kube-openapi/commits)

Updates `oras.land/oras-go/v2` from 2.5.0 to 2.6.0
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](oras-project/oras-go@v2.5.0...v2.6.0)

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-version: 0.12.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/CycloneDX/cyclonedx-go
  dependency-version: 0.9.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/docker/docker
  dependency-version: 28.1.1+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all
- dependency-name: github.com/enterprise-contract/enterprise-contract-controller/api
  dependency-version: 0.1.100
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/evanphx/json-patch
  dependency-version: 5.9.11+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/gkampitakis/go-snaps
  dependency-version: 0.5.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/google/go-cmp
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/open-policy-agent/conftest
  dependency-version: 0.60.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all
- dependency-name: github.com/sigstore/cosign/v2
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/spf13/afero
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/spf13/cobra
  dependency-version: 1.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/spf13/pflag
  dependency-version: 1.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/spf13/viper
  dependency-version: 1.20.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/tektoncd/pipeline
  dependency-version: 1.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all
- dependency-name: github.com/testcontainers/testcontainers-go
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/testcontainers/testcontainers-go/modules/registry
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: golang.org/x/exp
  dependency-version: 0.0.0-20250408133849-7e4ce0ab07d0
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: golang.org/x/net
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: golang.org/x/sync
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-version: 0.32.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.32.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: k8s.io/client-go
  dependency-version: 0.32.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: k8s.io/kube-openapi
  dependency-version: 0.0.0-20241212222426-2c72e554b1e7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: oras.land/oras-go/v2
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 12, 2025

dependabot bot commented on behalf of github Jun 2, 2025

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Jun 2, 2025
@dependabot dependabot bot deleted the dependabot/go_modules/all-660b60b086 branch June 2, 2025 15:58