chore(deps): update go dependencies

[red-hat-konflux]

This PR contains the following updates:

Package	Type	Update	Change
github.com/ThalesGroup/crypto11	require	patch	v1.6.0 → v1.6.1
github.com/go-openapi/runtime/server-middleware	indirect	minor	v0.30.0 → v0.31.0
github.com/theupdateframework/go-tuf	indirect	major	v0.7.0 → v2.4.2
github.com/theupdateframework/go-tuf/v2	indirect	patch	v2.4.1 → v2.4.2
golang.org/x/crypto	require	minor	v0.51.0 → v0.52.0
golang.org/x/net	indirect	minor	v0.54.0 → v0.55.0
golang.org/x/sys	indirect	minor	v0.44.0 → v0.45.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

ThalesGroup/crypto11 (github.com/ThalesGroup/crypto11)

v1.6.1

Compare Source

go-openapi/runtime (github.com/go-openapi/runtime/server-middleware)

v0.31.0

Compare Source

0.31.0 - 2026-05-17

Full Changelog: go-openapi/runtime@v0.30.0...v0.31.0

33 commits in this release.

---

Implemented enhancements

• feat(client): TLS diagnostic mode for Runtime.Trace by @​fredbi ...
• feat(client): add Runtime.Trace for connection-level diagnostics by @​fredbi ...

Fixed bugs

• fix(client): strip CR/LF from multipart filename and field name by @​fredbi ...
• fix(middleware): cap filename length on untyped formData uploads by @​fredbi ...
• fix: CA cert pool should be cloned not returned as pointer by @​fredbi in #​455 ...
• fix: correct spelling of "Organ trail" to "Oregon Trail" in request tests by @​Copilot in #​449 ...
• fix(client/tls): correct PEM label and add Ed25519 key support by @​fredbi in #​452 ...

Documentation

• doc: fixup module layout by @​fredbi ...
• doc: trimmed deprecated functions from examples by @​fredbi in #​463 ...
• doc: updated contributors file by @​bot-go-openapi[bot] in #​460 ...
• doc: advertised doc site in README.md by @​fredbi in #​454 ...
• fix: correct two comment typos in client/internal/request/request.go by @​Copilot in #​450 ...
• docs(compression): deprecate ContentEncoding, add CAFxX recipe by @​fredbi in #​447 ...
• docs(keep-alive): add a thorough keep-alive primer by @​fredbi in #​445 ...

Code quality

• doc: godoc linting by @​fredbi in #​465 ...
• chore: cleanup linter config, reformat, optimized strings replacer by @​fredbi ...
• Fix/example request by @​fredbi in #​462 ...
• chore(relint): relint code base by @​fredbi in #​461 ...
• doc: doc site on github pages by @​fredbi in #​448 ...

Testing

• test: fix flaky assertion on httptrace by @​fredbi in #​456 ...

Miscellaneous tasks

• chore: prepare release v0.31.0 by @​bot-go-openapi[bot] in #​466 ...
• chore: remove binary by @​fredbi ...
• fix(ci): fix fuzzing workflow by @​fredbi ...

Security

• test(security): fuzz targets for BindForm parse + filename cap by @​fredbi ...
• test(security): fuzz targets for header-parsing surface by @​fredbi ...
• fix(negotiate/header): reject q-values greater than 1 by @​fredbi ...
• docs(security): document constant-time-comparison contract for auth callbacks by @​fredbi in #​457 ...
• feat(runtime): BindForm helper for multipart/urlencoded body binding by @​fredbi in #​446 ...

Updates

• build(deps): bump the development-dependencies group with 4 updates by @​dependabot[bot] in #​458 ...

Other (technical)

• Sec/lens3 multipart by @​fredbi in #​464 ...
• Sec/lens4 headers by @​fredbi in #​459 ...
• middleware/parameter.go: fix comment describing ParseForm fallback by @​Copilot in #​451 ...
• Feat/client httptrace by @​fredbi in #​453 ...

---

People who contributed to this release

• @​Copilot
• @​fredbi

---

New Contributors

• @​Copilot made their first contribution
  in #​451

---

runtime license terms

Per-module changes

---

client-middleware/opentracing (0.31.0)

Code quality

• chore(relint): relint code base by @​fredbi in #​461 ...
• doc: doc site on github pages by @​fredbi in #​448 ...

Miscellaneous tasks

• chore: prepare release v0.31.0 by @​bot-go-openapi[bot] in #​466 ...

---

docs/examples (0.31.0)

Documentation

• doc: fixup module layout by @​fredbi ...
• doc: trimmed deprecated functions from examples by @​fredbi in #​463 ...
• docs(compression): deprecate ContentEncoding, add CAFxX recipe by @​fredbi in #​447 ...

Code quality

• Fix/example request by @​fredbi in #​462 ...
• chore(relint): relint code base by @​fredbi in #​461 ...
• doc: doc site on github pages by @​fredbi in #​448 ...

Miscellaneous tasks

• chore: remove binary by @​fredbi ...

Security

• docs(security): document constant-time-comparison contract for auth callbacks by @​fredbi in #​457 ...

---

server-middleware (0.31.0)

Documentation

• docs(compression): deprecate ContentEncoding, add CAFxX recipe by @​fredbi in #​447 ...

Code quality

• chore(relint): relint code base by @​fredbi in #​461 ...
• doc: doc site on github pages by @​fredbi in #​448 ...

Security

• test(security): fuzz targets for header-parsing surface by @​fredbi ...
• fix(negotiate/header): reject q-values greater than 1 by @​fredbi ...

Other (technical)

• Sec/lens4 headers by @​fredbi in #​459 ...

theupdateframework/go-tuf (github.com/theupdateframework/go-tuf)

v2.4.2

Compare Source

What's Changed

• Do not allow empty hashes for the Target role by @​rdimitrov in #​721
• Decouple CI Go version from module minimum by @​rdimitrov in #​726
• chore(deps): bump github.com/sigstore/sigstore from 1.10.4 to 1.10.5 by @​dependabot[bot] in #​727
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.10.0 to 0.11.0 by @​dependabot[bot] in #​729
• Fix log line to not be fmt-styled by @​abayer in #​730
• chore(deps): bump github.com/sigstore/sigstore from 1.10.5 to 1.10.6 by @​dependabot[bot] in #​732
• Fix threshold counting for duplicate public keys by @​rdimitrov in #​733

New Contributors

• @​abayer made their first contribution in #​730

Full Changelog: theupdateframework/go-tuf@v2.4.1...v2.4.2

v2.4.1

Compare Source

What's Changed

• chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 by @​dependabot[bot] in #​718
• Enforce a stricter validation on the repo name for TAP 4 by @​rdimitrov in #​720

Full Changelog: theupdateframework/go-tuf@v2.4.0...v2.4.1

v2.4.0

Compare Source

What's Changed

• Add BitLength validation for SuccinctRoles by @​rdimitrov in #​716
• Add thread safety documentation for key types by @​rdimitrov in #​715
• Use restrictive permissions (0700) for cache directories by @​rdimitrov in #​714
• Breaking change: Replace panic with error return in Key.ID() by @​rdimitrov in #​713

Full Changelog: theupdateframework/go-tuf@v2.3.1...v2.4.0

v2.3.1

Compare Source

What's Changed

• chore(deps): bump golang.org/x/crypto from 0.40.0 to 0.45.0 by @​dependabot[bot] in #​702
• Resolve govulncheck errors by bumping go to 1.24.11 by @​rdimitrov in #​707
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @​dependabot[bot] in #​704
• modern go (1.20+) improvements by @​udf2457 in #​705
• chore(deps): bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 by @​dependabot[bot] in #​706
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.1 to 0.10.0 by @​dependabot[bot] in #​708
• Perform type assertion by @​kommendorkapten in #​710
• Add tests for failing type assertions by @​rdimitrov in #​711
• Verify threshold is valid by @​kommendorkapten in #​712

Full Changelog: theupdateframework/go-tuf@v2.3.0...v2.3.1

v2.3.0

Compare Source

What's Changed

• Update the config for govulncheck by @​rdimitrov in #​697
• Bump Go to 1.24.9 by @​rdimitrov in #​698

Full Changelog: theupdateframework/go-tuf@v2.2.0...v2.3.0

v2.2.0

Compare Source

What's Changed

• fix: treat http 403 as an updater error by @​MDr164 in #​687
• chore(deps): bump github.com/sigstore/sigstore from 1.8.4 to 1.8.7 by @​dependabot[bot] in #​646
• chore(deps): bump github.com/cenkalti/backoff/v5 from 5.0.2 to 5.0.3 by @​dependabot[bot] in #​690
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.0 to 0.9.1 by @​dependabot[bot] in #​691
• chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 by @​dependabot[bot] in #​692
• chore(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1 by @​dependabot[bot] in #​693
• chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @​dependabot[bot] in #​694

Full Changelog: theupdateframework/go-tuf@v2.1.1...v2.2.0

v2.1.1

Compare Source

What's Changed

Fixed a regression that can fail clients using the DefaultFetcher{} directly without using the constructor.

• Set a default HTTP client for DefaultFetcher in DownloadFile method if none is set by @​malancas in #​686

Full Changelog: theupdateframework/go-tuf@v2.1.0...v2.1.1

v2.1.0

Compare Source

What's Changed

• Move the repository package under examples/repository by @​rdimitrov in #​656
• docs: Joshua retiring as a maintainer by @​joshuagl in #​657
• fix: multirepo potential nil pointer dereference by @​MrDan4es in #​658
• chore(deps): bump golang.org/x/crypto from 0.23.0 to 0.31.0 by @​dependabot in #​661
• chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot in #​662
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @​dependabot in #​663
• Use the correct verifier for RSA PSS scheme keys by @​rdimitrov in #​625
• updater.go: replace os.WriteFile with file.Write() by @​udf2457 in #​669
• Remove readFile() and reverseSlice() in favour of stdlib by @​udf2457 in #​671
• updater.go: replace url.QueryEscape() with url.PathEscape() by @​udf2457 in #​675
• Bump Go to 1.22 by @​rdimitrov in #​677
• chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @​dependabot in #​679
• chore: make function comment match function name by @​suchsoon in #​680
• Update README.md by @​trishankatdatadog in #​681
• chore(deps): bump golang.org/x/crypto from 0.31.0 to 0.35.0 by @​dependabot in #​683
• Allow users to configure custom http.Client or http.RoundTripper in DefaultFetcher by @​malancas in #​682
• Allow users to configure retry behavior in DefaultFetcher by @​malancas in #​684
• Added back timeout to the fetcher DownloadFile method to avoid a breaking change. by @​kommendorkapten in #​685

New Contributors

• @​MrDan4es made their first contribution in #​658
• @​suchsoon made their first contribution in #​680

Full Changelog: theupdateframework/go-tuf@v2.0.2...v2.1.0

v2.0.2

Compare Source

What's Changed

• Error in case the delegated role is missing from the snapshot by @​rdimitrov in #​652

Full Changelog: theupdateframework/go-tuf@v2.0.1...v2.0.2

v2.0.1

Compare Source

What's Changed

Security

• Fix incorrect delegation lookups that can make go-tuf download the wrong artifact by @​rdimitrov (Thanks to @​AdamKorcz for reporting it). This fixes CVE-2024-47534 GHSA-4f8r-qqr9-fq8j

Other

• Update MAINTAINERS.md by @​trishankatdatadog in #​647
• Update the staging TUF repo in the multi-repo example by @​rdimitrov in #​650
• Fix branch name in multi-repo client example by @​rdimitrov in #​651

Full Changelog: theupdateframework/go-tuf@v2.0.0...v2.0.1

v2.0.0

Compare Source

Breaking changes

• This is the first release of go-tuf v2 and it's a complete re-write indicated by the new major version.
• We also decided to leave go-tuf as a library only.

What's Changed

• chore: fixes the CI status badge and updates the README.md file by @​rdimitrov in #​569
• chore(deps): bump securesystemslib from 0.30.0 to 0.31.0 by @​dependabot in #​570
• docs: add Marvin Drees to the list of go-tuf maintainers by @​rdimitrov in #​571
• chore(deps): bump actions/setup-python from 4.7.1 to 5.0.0 by @​dependabot in #​572
• chore: enable grouping of minor and patch updates. by @​kommendorkapten in #​580
• fix: update tests.yml bumping golangci-lint by @​rdimitrov in #​582
• chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 by @​dependabot in #​573
• chore(deps): bump github/codeql-action from 2 to 3 by @​dependabot in #​574
• chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @​dependabot in #​575
• chore(deps): bump golang.org/x/term from 0.15.0 to 0.16.0 by @​dependabot in #​577
• chore(deps): bump the minor-patch group with 2 updates by @​dependabot in #​581
• feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 by @​rdimitrov in #​583
• Update license from BSD-2-Clause to Apache-2.0 by @​rdimitrov in #​585
• chore(deps): bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1 by @​dependabot in #​584
• Replace main with master in workflows by @​kipz in #​587
• Do not pin to minor Go versions in go.mod by @​rdimitrov in #​588
• Fixes for windows & enable in CI by @​kipz in #​586
• Bring back SECURITY.md by @​trishankatdatadog in #​591
• remove dependency on golang.org/x/exp by @​mikedanese in #​600
• Refactor errors to use pointer receivers by @​codysoyland in #​602
• move testutils under an ./internal/ directory by @​mikedanese in #​601
• Enable macos and windows runners for examples.yml and tests.yml by @​rdimitrov in #​604
• Do not run CI for all Go versions and use caching by @​rdimitrov in #​606
• chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 by @​dependabot in #​610
• Don't rename unless file is in same dir by @​jonnystoten in #​603
• Use filepath.Join when combining filesystem components by @​kommendorkapten in #​611
• Always use forward slash when splitting target names by @​kommendorkapten in #​612
• chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 by @​dependabot in #​614
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @​dependabot in #​615
• chore(deps): use stdlib ed25519 instead of x by @​MDr164 in #​620
• chore(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @​dependabot in #​621
• chore(ci): bump action hashes by @​MDr164 in #​618
• chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 by @​dependabot in #​622
• Silence govulncheck by @​MDr164 in #​619
• feat: replace logrus in sim with slog by @​MDr164 in #​617
• repository_simulator_setup.go: Use filepath.Join() instead of concatenation by @​udf2457 in #​624
• Fixes README references from rdimitrov/go-tuf-metadata to theupdateframework/go-tuf by @​rdimitrov in #​626
• fix: use SHA384 for ECDSA P384 by @​mrjoelkamp in #​629
• chore(deps): bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @​dependabot in #​627
• Remove nil error from being printed in "persist metadata" error message by @​malancas in #​633
• fix: deep targets file path by @​mrjoelkamp in #​632
• feat: add missing CODEOWNERS and MAINTAINERS file by @​MDr164 in #​635
• Update MAINTAINERS by @​trishankatdatadog in #​636
• chore(deps): bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 by @​dependabot in #​637
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @​dependabot in #​640
• fix: configurable temp file directory by @​mrjoelkamp in #​638
• export API to set RefTime of Updater by @​AdamKorcz in #​641
• Add the ability to customize the HTTP user agent by @​steiza in #​642
• Increase the default value for MaxRootRotations by @​kommendorkapten in #​645

New Contributors

• @​kipz made their first contribution in #​587
• @​mikedanese made their first contribution in #​600
• @​codysoyland made their first contribution in #​602
• @​jonnystoten made their first contribution in #​603
• @​MDr164 made their first contribution in #​620
• @​mrjoelkamp made their first contribution in #​629
• @​malancas made their first contribution in #​633
• @​AdamKorcz made their first contribution in #​641
• @​steiza made their first contribution in #​642

Full Changelog: theupdateframework/go-tuf@v0.7.0...v2.0.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.