chore(deps): update go dependencies

[red-hat-konflux]

This PR contains the following updates:

Package	Type	Update	Change
github.com/go-openapi/jsonpointer	indirect	patch	v0.22.3 -> v0.22.4
github.com/go-openapi/jsonreference	indirect	patch	v0.21.3 -> v0.21.4
github.com/google/pprof	indirect	digest	4902fdd -> b05bdac
github.com/letsencrypt/boulder	indirect	minor	v0.20250721.0 -> v0.20251216.0
github.com/sigstore/sigstore	indirect	minor	v1.9.6-0.20251017153808-5089bd7668f3 -> v1.10.3
github.com/sigstore/sigstore-go	require	patch	v1.1.3 -> v1.1.4
golang.org/x/crypto	indirect	minor	v0.45.0 -> v0.46.0
golang.org/x/net	indirect	minor	v0.47.0 -> v0.48.0
golang.org/x/oauth2	indirect	minor	v0.33.0 -> v0.34.0
golang.org/x/sync	indirect	minor	v0.18.0 -> v0.19.0
golang.org/x/sys	indirect	minor	v0.38.0 -> v0.39.0
golang.org/x/term	indirect	minor	v0.37.0 -> v0.38.0
golang.org/x/text	indirect	minor	v0.31.0 -> v0.32.0
golang.org/x/tools	indirect	minor	v0.39.0 -> v0.40.0
google.golang.org/genproto/googleapis/api	indirect	digest	ff82c1b -> 0a764e5
google.golang.org/genproto/googleapis/rpc	indirect	digest	79d6a2a -> 0a764e5
k8s.io/api	require	minor	v0.34.2 -> v0.35.0
k8s.io/apiextensions-apiserver	indirect	minor	v0.34.2 -> v0.35.0
k8s.io/apimachinery	require	minor	v0.34.2 -> v0.35.0
k8s.io/client-go	require	minor	v0.34.2 -> v0.35.0
k8s.io/utils	require	digest	bc988d5 -> 718f0e5

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

go-openapi/jsonpointer (github.com/go-openapi/jsonpointer)

v0.22.4

Compare Source

0.22.4 - 2025-12-06

Full Changelog: go-openapi/jsonpointer@v0.22.3...v0.22.4

1 commits in this release.

---

Miscellaneous tasks

• ci: aligned CI to use shared workflows by @​fredbi in #​91 ...

---

People who contributed to this release

• @​fredbi

---

jsonpointer license terms

go-openapi/jsonreference (github.com/go-openapi/jsonreference)

v0.21.4

Compare Source

0.21.4 - 2025-12-08

Full Changelog: go-openapi/jsonreference@v0.21.3...v0.21.4

1 commits in this release.

---

Documentation

• doc: updated contributors file by @​bot-go-openapi[bot] in #​64 ...

---

People who contributed to this release

• @​bot-go-openapi[bot]

---

New Contributors

• @​bot-go-openapi[bot] made their first contribution
  in #​64

---

jsonreference license terms

letsencrypt/boulder (github.com/letsencrypt/boulder)

v0.20251216.0

Compare Source

What's Changed

• build(deps): bump the aws group across 1 directory with 4 updates by @​dependabot[bot] in #​8496
• Remove usage of subtle.ConstantTimeCompare in validation by @​aarongable in #​8519
• docker: Add build context for vtcomboserver service by @​sheurich in #​8520
• Fix wildcard authorization reuse with DNS-Account-01 by @​sheurich in #​8504
• Refactor DNS to pass full messages up to the VA by @​aarongable in #​8513
• ca/cert-checker: Support test log submissions by @​beautifulentropy in #​8522

Full Changelog: letsencrypt/boulder@v0.20251208.0...v0.20251216.0

v0.20251208.0

Compare Source

What's Changed

• ratelimits: Refactor Reset() to accept a batch of Transactions by @​beautifulentropy in #​8503
• Update CI to go1.25.5 by @​aarongable in #​8511
• Store authzIDs directly in order table by @​jsha in #​8460
• Add current datetime column to orderFqdnSets and authz2 tables by @​aarongable in #​8512
• sa: Fix modelToOrder to populate V2Authorizations from Authzs column by @​aaomidi in #​8514
• Remove ECDSA P-224 curve support from the ceremony tool by @​pgporada in #​8515
• Allow monitoring_only logs as well as test logs for submitToTestLogs by @​mcpherrinm in #​8510
• database: Add vitess + mysql 8.4 to our development environment by @​beautifulentropy in #​8468

Full Changelog: letsencrypt/boulder@v0.20251202.0...v0.20251208.0

v0.20251202.0

Compare Source

What's Changed

• sa: use dummy date instead of zero date by @​jsha in #​8481
• borp/sa: Update borp to pass Transaction args through BoulderTypeConverter by @​beautifulentropy in #​8494
• sfe: Keep loading intervals in sync with promise, fix wording by @​beautifulentropy in #​8500
• sfe/redis: Add limiter config to SFE and cleanup creds by @​beautifulentropy in #​8501
• Make CAA checking more like DCV checking by @​aarongable in #​8491
• Update Public Suffix List to v0.50.1 by @​aarongable in #​8495
• sa: Stop injecting max_statement_time and long_query_time into DSNs by @​beautifulentropy in #​8490
• Remove dead code by @​mcpherrinm in #​8506
• build(deps): bump github/codeql-action from 3 to 4 by @​dependabot[bot] in #​8507

Full Changelog: letsencrypt/boulder@v0.20251118.0...v0.20251202.0

v0.20251118.0

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7 to 8 by @​dependabot[bot] in #​8472
• wfe: Add healthz endpoint by @​jprenken in #​8484
• Use promauto.With(stats) instead of stats.MustRegister() by @​aarongable in #​8483
• database: Remove Partitions from our tables by @​beautifulentropy in #​8489
• sfe/overrides: Update agreements with revised wording from legal by @​beautifulentropy in #​8488

Full Changelog: letsencrypt/boulder@v0.20251110.0...v0.20251118.0

v0.20251110.0

Compare Source

What's Changed

• Remove 10-second timeout from RA's override loading code by @​jprenken in #​8477
• test: Remove queries containing DDL from unit tests by @​beautifulentropy in #​8479
• Refactor GetSCTs to use a single loop with a ticker by @​mcpherrinm in #​8470
• Use promauto to register stats in bdns by @​mcpherrinm in #​8480
• Export prometheus client_golang's Go build_info metric by @​mcpherrinm in #​8482

Full Changelog: letsencrypt/boulder@v0.20251103.0...v0.20251110.0

v0.20251103.0

Compare Source

What's Changed

• sa: NewOrderAndAuthzs checks that nonzero authzs were provided by @​jsha in #​8464
• Add visibility into nonce redemption failure causes by @​aarongable in #​8448
• Use json tags to suppress Account fields in API responses by @​aarongable in #​8455
• Deprecate NoPendingAuthzReuse flag by @​jsha in #​8458
• build(deps): bump the aws group with 3 updates by @​dependabot[bot] in #​8467
• iana: Remove hardcoded multicast prefixes by @​jprenken in #​8456
• Remove Python tests for TLS-ALPN-01 by @​jsha in #​8457
• wfe/ra: Periodically load rate limit overrides from the database by @​jprenken in #​8407
• sfe: Create Salesforce Case at override request form submission time by @​beautifulentropy in #​8438
• Clean up dangling OCSP configs by @​jenhagg in #​8461

New Contributors

• @​jenhagg made their first contribution in #​8461

Full Changelog: letsencrypt/boulder@v0.20251027.0...v0.20251103.0

v0.20251027.0

Compare Source

What's Changed

• Add an extra timeout waiting for RVAs by @​mcpherrinm in #​8434
• Use a newer version of proxysql, consul, and redis by @​pgporada in #​8450
• Bind issuers to only issue for specified profiles by @​aarongable in #​8409
• build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 by @​dependabot[bot] in #​8449
• Remove requirement for IncludeCRLDistributionPoints config by @​aarongable in #​8462
• Update README to reference t.sh and tn.sh by @​aarongable in #​8463
• bdns: remove logDNSError by @​jsha in #​8445
• Remove deprecated Temporary() usage in DNS retry logic by @​sheurich in #​8441
• Make release workflow compatible with immutable releases by @​aarongable in #​8454

Full Changelog: letsencrypt/boulder@v0.20251021.0...v0.20251027.0

v0.20251021.0

Compare Source

What's Changed

• Reduce nonce redemption flake by giving WFE time to mark SubConns READY by @​aarongable in #​8442
• Simplify IssueCertificate into straight-line code by @​aarongable in #​8424
• Delete sa.GetMaxExpiration and sa.GetRevokedCerts by @​aarongable in #​8401
• Ceremony: add checks for too-large validity period by @​aarongable in #​8446
• build(deps): bump the aws group with 3 updates by @​dependabot[bot] in #​8444
• Remove support for the old log line checksum format by @​mcpherrinm in #​8416

Full Changelog: letsencrypt/boulder@v0.20251014.0...v0.20251021.0

v0.20251014.0

Compare Source

What's Changed

• build(deps): bump the otel group with 6 updates by @​dependabot[bot] in #​8437
• sfe: Add configurable automatic approvals for first-tier limits by @​beautifulentropy in #​8381
• Switch to new log checksum format by @​mcpherrinm in #​8415
• Reland "SA: Stop supporting OCSP status NotReady" by @​aarongable in #​8430

Full Changelog: letsencrypt/boulder@v0.20251007.0...v0.20251014.0

v0.20251007.0

Compare Source

What's Changed

• Revert "SA: Stop supporting OCSP status NotReady" by @​aarongable in #​8429
• Introduce nonfunctional IssuerConfig.Profiles config field by @​aarongable in #​8423
• Refactor CA unittests to focus on top-level IssueCertificate by @​aarongable in #​8422
• Add logging of nonce prefix at nonce-service startup by @​jsha in #​8433
• publisher: Do not log failures to submit to audit logs by @​beautifulentropy in #​8435
• Update CI to go1.25.2 by @​aarongable in #​8436

Full Changelog: letsencrypt/boulder@v0.20251003.0...v0.20251007.0

v0.20251003.0

Compare Source

v0.20250929.0

Compare Source

What's Changed

• CA: Stop using OCSP status NotReady by @​aarongable in #​8394
• Remove support for temporally-sharded CRLs by @​aarongable in #​8400
• wfe: Permit Transfer-Encoding: chunked HTTP request bodies by @​benburkert in #​8403
• build(deps): bump the aws group with 4 updates by @​dependabot[bot] in #​8392
• Use GetRevocationStatus instead of GetCertificateStatus by @​aarongable in #​8402
• Start accepting a new log checksum format by @​mcpherrinm in #​8413

New Contributors

• @​benburkert made their first contribution in #​8403

Full Changelog: letsencrypt/boulder@v0.20250922.0...v0.20250929.0

v0.20250922.0

Compare Source

What's Changed

• Remove '-tags "integration"' from build by @​jsha in #​8383
• feat: Support for dns-account-01 Challenge by @​sheurich in #​8149
• test: Work around integration failures & flake by @​jprenken in #​8393
• Delete akamai-purger by @​aarongable in #​8352
• Upload releases to GHCR by @​jprenken in #​8386
• Move //revocation/reasons.go into the post-OCSP world by @​aarongable in #​8355
• Remove "ocsp-response" Ceremony type by @​aarongable in #​8396
• Ceremony: remove support for AIA OCSP URIs by @​aarongable in #​8397
• issuance: Remove last vestiges of OCSP support by @​aarongable in #​8398
• Recognize, but do not process, issuevmc CAA tags by @​BartG95 in #​8374
• Fix location of release.md by @​pgporada in #​8404

New Contributors

• @​BartG95 made their first contribution in #​8374

Full Changelog: letsencrypt/boulder@v0.20250908.0...v0.20250922.0

v0.20250908.0

Compare Source

What's Changed

• Upgrade to latest publicsuffix-go by @​mcpherrinm in #​8376
• sfe: Export emails to mailing list at submission time by @​beautifulentropy in #​8378
• sfe: Periodically import approved rate limit override tickets by @​beautifulentropy in #​8372
• build(deps): bump docker/login-action from 3.4.0 to 3.5.0 by @​dependabot[bot] in #​8375

Full Changelog: letsencrypt/boulder@v0.20250902.0...v0.20250908.0

v0.20250902.0

Compare Source

What's Changed

• test: Enable optional coverage reporting by @​akshithg in #​8306
• sfe: Add rate limit override request portal Web UI and endpoints by @​beautifulentropy in #​8365
• Run go's modernize tool by @​mcpherrinm in #​8371
• sfe: Add per IP rate limits to the overrides request form submissions by @​beautifulentropy in #​8366

New Contributors

• @​akshithg made their first contribution in #​8306

Full Changelog: letsencrypt/boulder@v0.20250825.0...v0.20250902.0

v0.20250825.0

Compare Source

What's Changed

• test: rewrite CAA integration test in Go by @​jsha in #​8340
• test: Remove go1.24.x by @​beautifulentropy in #​8364
• RA: remove dependency on akamai-purger by @​aarongable in #​8353
• CA: delete GenerateOCSP method by @​aarongable in #​8351
• Ceremony: allow CRL ceremonies to skip certain lints by @​aarongable in #​8368
• sfe/zendesk: Add support for status to Zendesk client by @​beautifulentropy in #​8367

Full Changelog: letsencrypt/boulder@v0.20250819.0...v0.20250825.0

v0.20250819.0

Compare Source

What's Changed

• Add --generate-notes flag to gh release create by @​mcpherrinm in #​8337
• admin: Add tooling to support rate limit overrides in the database by @​beautifulentropy in #​8281
• Remove GO111MODULE and GOFLAGS. by @​jsha in #​8333
• Add tool to generate, verify, and output a list of CRLDPs by @​aarongable in #​8329
• Build Boulder in a container for release by @​jsha in #​8331
• Restrict permissions of merged-to-main workflow by @​aarongable in #​8347
• sfe/zendesk: Add a Zendesk API client implementation by @​beautifulentropy in #​8320
• grpc: remove serverIPAddresses config option by @​jsha in #​8339
• Remove ocsp-responder by @​aarongable in #​8344
• Remove python integration test in-the-past scaffolding by @​aarongable in #​8086
• go: Add go1.25.0 to the test suite by @​beautifulentropy in #​8357
• sfe/test: Configure SFE to use a zendesk-test-srv by @​beautifulentropy in #​8354
• RA: delete GenerateOCSP method by @​aarongable in #​8350
• Remove Boulder's understanding of FAKECLOCK by @​aarongable in #​8356

Full Changelog: letsencrypt/boulder@v0.20250812.0...v0.20250819.0

v0.20250812.0

Compare Source

v0.20250805.0

Compare Source

v0.20250728.0

Compare Source

sigstore/sigstore (github.com/sigstore/sigstore)

v1.10.3

Compare Source

What's Changed

v1.10.3 adds ValidatePubKey back to the cryptoutils package to avoid a breaking API change.

• Add back ValidatePubKey as a deprecated, minimal function in #​2235

Full Changelog: sigstore/sigstore@v1.10.2...v1.10.3

v1.10.2

v1.10.2

Functionally equivalent to v1.10.0. v1.10.1 has been retracted to remove copied code.

v1.10.0

Breaking change

#​2194 moves cryptoutils.ValidatePubKey to goodkey.ValidatePubKey to minimize the dependency tree for clients using the cryptoutils package.

Features

• feat(hashivault): token helper in #​2174
• set GoogleAPIClientOption on GCP KMS provider in #​2128

Refactoring

• cryptoutils: move goodkey validation to separate package in #​2194
• Stop depending on golang.org/x/crypto for sha3 in #​2209
• remove duplicative dependency for portable browser opener in #​2178
• consolidate deep Equal usage to one library in #​2177
• Drop redundant aws-sdk-go dependency in the e2e kms tests in #​2172

sigstore/sigstore-go (github.com/sigstore/sigstore-go)

v1.1.4

Compare Source

What's Changed

• Update rekor-tiles version path in #​531
• Bump production Sigstore TUF root to latest in #​537
• Bump staging Sigstore TUF root to latest in #​538
• Bump deps for sigstore libraries in #​543

Full Changelog: sigstore/sigstore-go@v1.1.3...v1.1.4

kubernetes/api (k8s.io/api)

v0.35.0

Compare Source

v0.34.3

Compare Source

kubernetes/apiextensions-apiserver (k8s.io/apiextensions-apiserver)

v0.35.0

Compare Source

v0.34.3

Compare Source

kubernetes/apimachinery (k8s.io/apimachinery)

v0.35.0

Compare Source

v0.34.3

Compare Source

kubernetes/client-go (k8s.io/client-go)

v0.35.0

Compare Source

v0.34.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.25.0
github.com/onsi/ginkgo/v2	v2.23.4 -> v2.27.2
github.com/onsi/gomega	v1.37.0 -> v1.38.2
github.com/theupdateframework/go-tuf/v2	v2.2.0 -> v2.3.0
google.golang.org/protobuf	v1.36.10 -> v1.36.11
gopkg.in/evanphx/json-patch.v4	v4.12.0 -> v4.13.0

[red-hat-konflux]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.