chore(deps): bump the common group across 1 directory with 25 updates

[dependabot]

Bumps the common group with 20 updates in the / directory:

Package	From	To
github.com/Azure/azure-sdk-for-go/sdk/azcore	1.20.0	1.21.0
github.com/BurntSushi/toml	1.5.0	1.6.0
github.com/GoogleCloudPlatform/docker-credential-gcr/v2	2.1.30	2.1.31
github.com/bmatcuk/doublestar/v4	4.9.1	4.9.2
github.com/containerd/containerd/v2	2.2.0	2.2.1
github.com/go-viper/mapstructure/v2	2.4.0	2.5.0
github.com/gocsaf/csaf/v3	3.5.0	3.5.1
github.com/hashicorp/go-getter	1.8.3	1.8.4
github.com/open-policy-agent/opa	1.11.0	1.12.3
github.com/secure-systems-lab/go-securesystemslib	0.9.1	0.10.0
github.com/sirupsen/logrus	1.9.4-0.20230606125235-dd1b4c2e81af	1.9.4
github.com/spdx/tools-golang	0.5.5	0.5.7
github.com/tetratelabs/wazero	1.10.1	1.11.0
github.com/zclconf/go-cty-yaml	1.1.0	1.2.0
golang.org/x/mod	0.31.0	0.32.0
golang.org/x/tools	0.40.0	0.41.0
helm.sh/helm/v3	3.19.2	3.19.5
k8s.io/api	0.34.2	0.35.0
modernc.org/sqlite	1.40.1	1.44.1
github.com/nikolalohinski/gonja/v2	2.4.2	2.5.1

Updates github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.20.0 to 1.21.0

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/azcore's releases.

sdk/azcore/v1.21.0

1.21.0 (2026-01-12)

Features Added

• Added runtime/datetime package which provides specialized time type wrappers for serializing and deserializing time values in various formats used by Azure services.

Other Changes

• Aligned cloud.AzureGovernment and cloud.AzureChina audience values with Azure CLI

Commits

• f6309d4 Prep [email protected] for release (#25864)
• d0a9819 Update SDK generation as completed when SDK pull request is linked to release...
• aba8672 Configurations: 'specification/resourceconnector/resource-manager/Microsoft....
• 481e4ab Add some missing methods to the types in datetime (#25826)
• 35d6071 Skip unsafeptr check for storage SDKs (#25856)
• 5d68f66 add code (#25837)
• 944cd8d add code (#25836)
• 1191825 [Regeneration]sdk/resourcemanager/quota/armquota (#25835)
• e1a9bfd add code (#25838)
• 1de7ac7 [Automation] Regenerate SDK based on typespec-go branch main (#25729)
• Additional commits viewable in compare view

Updates github.com/BurntSushi/toml from 1.5.0 to 1.6.0

Release notes

Sourced from github.com/BurntSushi/toml's releases.

v1.6.0

TOML 1.1 is now enabled by default. The TOML changelog has an overview of changes: https://github.com/toml-lang/toml/blob/main/CHANGELOG.md

Also two small fixes:

• Encode large floats as exponent syntax so that round-tripping things like 5e+22 is correct.

• Using duplicate array keys would not give an error:

  arr = [1]
  arr = [2]
  

  This will now correctly give a "Key 'arr' has already been defined" error.

Commits

• 5253492 Enable TOML 1.1 by default (#457)
• e954445 Reject duplicate arrays (#455)
• 6b16cbd Update toml-test test cases from upstream (#456)
• 011fa2b Ensure constant format strings in wf calls
• 4b439bf Remove itemNil
• a473c12 Add test for out of range float64
• b535ff8 Add some boring tests for lex.go
• 6011ef0 Remove unreachable condition in lexTableNameStart
• c8ca9e6 Remove unreachable condition
• 1121f81 Make tomlv read from stdin
• Additional commits viewable in compare view

Updates github.com/GoogleCloudPlatform/docker-credential-gcr/v2 from 2.1.30 to 2.1.31

Release notes

Sourced from github.com/GoogleCloudPlatform/docker-credential-gcr/v2's releases.

v2.1.31

What's Changed

• Update version string tests to match version format by @​Subserial in GoogleCloudPlatform/docker-credential-gcr#185
• Bump github.com/sirupsen/logrus from 1.8.1 to 1.8.3 by @​dependabot[bot] in GoogleCloudPlatform/docker-credential-gcr#184

Full Changelog: GoogleCloudPlatform/docker-credential-gcr@v2.1.30...v2.1.31

Commits

• 96df16c Bump github.com/sirupsen/logrus from 1.8.1 to 1.8.3 (#184)
• e6984d0 Update version string tests to match version format (#185)
• See full diff in compare view

Updates github.com/bmatcuk/doublestar/v4 from 4.9.1 to 4.9.2

Release notes

Sourced from github.com/bmatcuk/doublestar/v4's releases.

Fixed Handling of Paths With Meta Chars Using Alts

@​toga4 submitted a PR that fixed a small bug with the way paths were handled when the pattern used {alts}: if some part of the on-disk path that came before the {alt} included meta characters (say, a directory name that included the character ?), these meta characters were not escaped when they were passed back through the globbing routines. This caused doublestar to interpret them as actual meta characters, rather than a fixed-string path as it should have. Nice find, @​toga4 !

What's Changed

• fix: escape meta characters in paths during brace expansion by @​toga4 in bmatcuk/doublestar#108

New Contributors

• @​toga4 made their first contribution in bmatcuk/doublestar#108

Full Changelog: bmatcuk/doublestar@v4.9.1...v4.9.2

Commits

• 3dc8306 Merge branch 'toga4-fix-brace-exp-with-meta'
• 4db19e2 fix tests
• 4ef2b00 fix: escape meta characters in paths during brace expansion
• b191bb9 test: add failing tests for brace expansion with meta char directories
• 9fded31 notes about globbing
• See full diff in compare view

Updates github.com/containerd/containerd/v2 from 2.2.0 to 2.2.1

Release notes

Sourced from github.com/containerd/containerd/v2's releases.

containerd 2.2.1

Welcome to the v2.2.1 release of containerd!

The first patch release for containerd 2.2 contains various fixes and improvements.

Highlights

Container Runtime Interface (CRI)

• Redact all query parameters in CRI error logs (#12546)

Image Distribution

• Fix image defaults on Darwin to usable configuration (#12544)
• Fix possible panic from WithMediaTypeKeyPrefix (#12516)

Runtime

• Update runc binary to v1.3.4 (#12593)
• Fix parsing of hugetlb..events files (containerd/cgroups#379)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

• Krisztian Litkey
• Markus Lehtonen
• Akihiro Suda
• Mike Brown
• Sebastiaan van Stijn
• Derek McGowan
• Heran Yang
• Wei Fu
• Phil Estes
• Samuel Karp
• Austin Vazquez
• Sascha Grunert
• Akhil Mohan
• Andrey Noskov
• Brian Goff
• CrazyMax
• Davanum Srinivas
• Gaurav Ghildiyal
• Neeraj Krishna Gopalakrishna
• Paweł Gronowski
• Tariq Ibrahim
• TomerLev
• Tõnis Tiigi
• bo.jiang

... (truncated)

Commits

• dea7da5 Merge pull request #12677 from dmcgowan/prepare-2.2.1
• f6bae1f Prepare release notes for v2.2.1
• b77253f Merge pull request #12701 from k8s-infra-cherrypick-robot/cherry-pick-12699-t...
• c22cf5d cri,nri: pass any linux security profile to plugins.
• d7532de cri,nri: pass any linux RDT constraints to plugins.
• ef36e61 cri,nri: pass any linux net devices to plugins.
• d56faf4 cri,nri: pass any linux scheduler attributes to plugins.
• e1824d2 cri,nri: pass any linux I/O priority to plugins.
• 01d5490 go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor.
• 815932a Merge pull request #12697 from thaJeztah/release_2.2_backport_bump_semconv
• Additional commits viewable in compare view

Updates github.com/go-viper/mapstructure/v2 from 2.4.0 to 2.5.0

Release notes

Sourced from github.com/go-viper/mapstructure/v2's releases.

v2.5.0

What's Changed

• Print qualified type name when ErrorUnused=true causes errors for unused keys in embedded fields by @​jmacd in go-viper/mapstructure#113
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in go-viper/mapstructure#126
• build(deps): bump github/codeql-action from 3.29.7 to 3.29.10 by @​dependabot[bot] in go-viper/mapstructure#131
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in go-viper/mapstructure#129
• feat: support for automatically initializing squashed pointer structs by @​tuunit in go-viper/mapstructure#71
• build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by @​dependabot[bot] in go-viper/mapstructure#134
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @​dependabot[bot] in go-viper/mapstructure#142
• Fix slice deep map (owned) by @​jphastings in go-viper/mapstructure#144
• chore: fix lint violations by @​sagikazarmark in go-viper/mapstructure#157
• chore: switch to devenv by @​sagikazarmark in go-viper/mapstructure#158
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in go-viper/mapstructure#151
• build(deps): bump github/codeql-action from 3.29.10 to 4.31.2 by @​dependabot[bot] in go-viper/mapstructure#153
• build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 by @​dependabot[bot] in go-viper/mapstructure#154
• build(deps): bump actions/checkout from 5.0.0 to 6.0.1 by @​dependabot[bot] in go-viper/mapstructure#160
• build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 by @​dependabot[bot] in go-viper/mapstructure#159
• build(deps): bump github/codeql-action from 4.31.7 to 4.31.8 by @​dependabot[bot] in go-viper/mapstructure#162
• build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in go-viper/mapstructure#161
• build(deps): bump github/codeql-action from 4.31.8 to 4.31.9 by @​dependabot[bot] in go-viper/mapstructure#163
• feature: Add map field name to convert structs dynamically instead of individually with a tag. by @​thespags in go-viper/mapstructure#149
• feat(decoder): support multiple tag names in order by @​DarkiT in go-viper/mapstructure#59
• feat: optional root object name by @​andreev-fn in go-viper/mapstructure#137
• Add unmarshaler interface by @​sagikazarmark in go-viper/mapstructure#166

New Contributors

• @​jmacd made their first contribution in go-viper/mapstructure#113
• @​tuunit made their first contribution in go-viper/mapstructure#71
• @​jphastings made their first contribution in go-viper/mapstructure#144
• @​thespags made their first contribution in go-viper/mapstructure#149
• @​DarkiT made their first contribution in go-viper/mapstructure#59
• @​andreev-fn made their first contribution in go-viper/mapstructure#137

Full Changelog: go-viper/mapstructure@v2.4.0...v2.5.0

Commits

• 9aa3f77 Merge pull request #166 from go-viper/unmarshal2
• ae32a61 doc: add more documentation
• 320c8c9 test: cover unmarshaler to map
• 5b22829 feat: add unmarshaler interface
• fd74c75 Merge pull request #137 from andreev-fn/opt-root-name
• dee4661 Merge pull request #59 from DarkiT/main
• 5605df4 chore: cover more test cases, fix edge cases, add docs
• 6166631 fix(mapstructure): add multi-tag support and regression tests
• 6471aa6 Merge pull request #149 from thespags/main
• dbffaaa chore: add more tests and clarification to the documentation
• Additional commits viewable in compare view

Updates github.com/gocsaf/csaf/v3 from 3.5.0 to 3.5.1

Release notes

Sourced from github.com/gocsaf/csaf/v3's releases.

v3.5.1

This is minor fix correcting a wrong validation test around the name and version of the engine.

What's Changed

• fix: engine is invalid when name is missing by @​benja-M-1 in gocsaf/csaf#710
• Update 3rd party libraries in gocsaf/csaf#711

New Contributors

• @​benja-M-1 made their first contribution in gocsaf/csaf#710

Full Changelog: gocsaf/csaf@v3.5.0...v3.5.1

Commits

• 586524a Update 3rd party libraries. (#711)
• 52ce6bc fix: engine is invalid when name is missing (#710)
• See full diff in compare view

Updates github.com/hashicorp/go-getter from 1.8.3 to 1.8.4

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.8.4

What's Changed

• [IND-4227][COMPLIANCE] chore: Fix lint issues-build tags by @​ssagarverma in hashicorp/go-getter#568
• [IND-4227] [COMPLIANCE] Update Copyright Headers by @​oss-core-libraries-dashboard[bot] in hashicorp/go-getter#566
• [COMPLIANCE] Update Copyright Headers by @​oss-core-libraries-dashboard[bot] in hashicorp/go-getter#571
• [chore] : Bump the actions group across 1 directory with 3 updates by @​dependabot[bot] in hashicorp/go-getter#567
• fix: allow downloading S3 files from MinIO over http by @​vsarunas in hashicorp/go-getter#570
• [chore] : Bump the actions group across 1 directory with 6 updates by @​dependabot[bot] in hashicorp/go-getter#574
• [chore] : Bump the go group across 1 directory with 12 updates by @​dependabot[bot] in hashicorp/go-getter#575

New Contributors

• @​ssagarverma made their first contribution in hashicorp/go-getter#568
• @​oss-core-libraries-dashboard[bot] made their first contribution in hashicorp/go-getter#566

Full Changelog: hashicorp/go-getter@v1.8.3...v1.8.4

Commits

• 576ab86 [chore] : Bump the go group across 1 directory with 12 updates (#575)
• efec2db Merge pull request #574 from hashicorp/dependabot/github_actions/actions-36c6...
• 7ccb947 [chore] : Bump the actions group across 1 directory with 6 updates
• 228ad65 fix: allow downloading S3 files from MinIO over http (#570)
• 5cb8b18 Merge pull request #567 from hashicorp/dependabot/github_actions/actions-92ca...
• f358fa6 Merge pull request #571 from hashicorp/compliance/update-headers
• 376d40c [COMPLIANCE] Update Copyright and License Headers
• 9d34fba [chore] : Bump the actions group across 1 directory with 3 updates
• fd63a33 Merge pull request #566 from hashicorp/compliance/update-headers
• ac8218d [COMPLIANCE] Update Copyright and License Headers
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.11.0 to 1.12.3

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.12.3

This is a bug fix release addressing two issues:

Bundle polling is being misconfigured when discovery bundle is updated (#8215)

This is an issue where the polling interval for discovery (discovery.polling.min_delay_seconds and discovery.polling.max_delay_seconds) were misinterpreted on reconfiguration, causing extremely long update intervals.

Reported by @​loganmiller-chime, authored by @​sspaink

Decision log size buffer buffer_size_limit_bytes misconfigured during reconfiguration (#8213)

This is a regression in the decision log, where the decision_logs.reporting.buffer_size_limit_bytes was mistakenly assigned the value of decision_logs.reporting.upload_size_limit_bytes during reconfiguration. This issue is only present when decision_logs.reporting.buffer_type is set to size, which is the default value.

Authored by @​sspaink

v1.12.2

This bug fix release address issues found in the new string interpolation feature

• Add (*TemplateString).Copy() method (#8159) authored by @​anderseknert
• Fix template string not serialized with escaped { (#8161) authored by @​anderseknert
• fix(ast): skip template string vars in ref safety (#8174) authored by @​thevilledev
• fix(ast): use original var names in template error (#8180) authored by @​thevilledev

v1.12.1

This bug fix release reverts a change to regex.replace that unintentionally changed its behaviour for anchored regular expressions.

• Revert "topdown: make regex.replace respect cancellation" (authored by @​srenatus)

v1.12.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Support for String Interpolation in the Rego language
• Faster compilation and runtime
• Fixes published in the v1.11.1 release

String Interpolation (#4733)

The Rego language has been extended to support String Interpolation, which provides a readable means to compose strings containing dynamic values determined at evaluation time.

An interpolated string is composed of a template-string containing zero or more template-expressions that evaluates to a value at evaluation time.

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.12.3

This is a bug fix release addressing two issues:

Bundle polling is being misconfigured when discovery bundle is updated (#8215)

This is an issue where the polling interval for discovery (discovery.polling.min_delay_seconds and discovery.polling.max_delay_seconds) were misinterpreted on reconfiguration, causing extremely long update intervals.

Reported by @​loganmiller-chime, authored by @​sspaink

Decision log size buffer

buffer_size_limit_bytes misconfigured during reconfiguration (#8213)

This is a regression in the decision log, where the decision_logs.reporting.buffer_size_limit_bytes was mistakenly assigned the value of decision_logs.reporting.upload_size_limit_bytes during reconfiguration. This issue is only present when decision_logs.reporting.buffer_type is set to size, which is the default value.

Authored by @​sspaink

1.12.2

This bug fix release address issues found in the new string interpolation feature

• Add (*TemplateString).Copy() method (#8159) authored by @​anderseknert
• Fix template string not serialized with escaped { (#8161) authored by @​anderseknert
• fix(ast): skip template string vars in ref safety (#8174) authored by @​thevilledev
• fix(ast): use original var names in template error (#8180) authored by @​thevilledev

1.12.1

This bug fix release reverts a change to regex.replace that unintentionally changed its behaviour for anchored regular expressions.

• Revert "topdown: make regex.replace respect cancellation" (authored by @​srenatus)

1.12.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Support for string interpolation in the Rego language
• Faster compilation and runtime
• Fixes published in the v1.11.1 release

String Interpolation (#4733)

The Rego language has been extended to support String Interpolation, which provides a readable means to compose strings containing dynamic values determined at evaluation time.

An interpolated string is composed of a template-string containing zero or more template-expressions that evaluates to a value at evaluation time. The $ character prefix identifies a template-string, and template-expressions are declared by being enclosed in curly-braces ({, }).

... (truncated)

Commits

• 6abb308 Prepare v1.12.3 release (#8217)
• 89c6537 Release v1.12.2
• 92dd54d Release v1.12.1
• fb09d24 Revert "topdown: make regex.replace respect cancellation"
• d61ac38 Prepare v1.12.0 release (#8144)
• 5a0dc47 Template string performance improvements and more (#8143)
• f5c3743 perf: reduce allocations handling terms (#8116)
• d80ffc4 website: Show playground errors
• 7e1c361 oracle: Use typed targets for specific matchers (#8138)
• 629cbd8 String interpolation docs (#8129)
• Additional commits viewable in compare view

Updates github.com/secure-systems-lab/go-securesystemslib from 0.9.1 to 0.10.0

Commits

• 93d7e1c Merge pull request #139 from secure-systems-lab/dependabot/github_actions/gol...
• b2fe7df Merge pull request #138 from secure-systems-lab/dependabot/github_actions/act...
• 7e9f79e chore(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.2.0
• 1552d12 chore(deps): bump actions/setup-go from 5.5.0 to 6.1.0
• d1d5111 Merge pull request #137 from secure-systems-lab/dependabot/go_modules/golang....
• 04d651e Merge pull request #136 from secure-systems-lab/dependabot/github_actions/act...
• 145f8c2 chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
• e8de185 Merge pull request #127 from secure-systems-lab/dependabot/go_modules/github....
• a50b13e chore(deps): bump actions/checkout from 6.0.0 to 6.0.1
• c24bdce chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1
• Additional commits viewable in compare view

Updates github.com/sirupsen/logrus from 1.9.4-0.20230606125235-dd1b4c2e81af to 1.9.4

Release notes

Sourced from github.com/sirupsen/logrus's releases.

v1.9.4

Notable changes

• go.mod: update minimum supported go version to v1.17 sirupsen/logrus#1460
• go.mod: bump up dependencies sirupsen/logrus#1460
• Touch-up godoc and add "doc" links.
• README: fix links, grammar, and update examples.
• Add GNU/Hurd support sirupsen/logrus#1364
• Add WASI wasip1 support sirupsen/logrus#1388
• Remove uses of deprecated ioutil package sirupsen/logrus#1472
• CI: update actions and golangci-lint sirupsen/logrus#1459
• CI: remove appveyor, add macOS sirupsen/logrus#1460

Full Changelog: sirupsen/logrus@v1.9.3...v1.9.4

Commits

• See full diff in compare view

Updates github.com/spdx/tools-golang from 0.5.5 to 0.5.7

Release notes

Sourced from github.com/spdx/tools-golang's releases.

v0.5.7

What's Changed

• Fail parsing if the required prefix isn't present for IDs by @​awyeth in spdx/tools-golang#275

New Contributors

• @​awyeth made their first contribution in spdx/tools-golang#275

Full Changelog: spdx/tools-golang@v0.5.6...v0.5.7

v0.5.6

What's Changed

• Change the colon and space separator to just a colon by @​warpkwd in spdx/tools-golang#254
• build(deps): Bump sigs.k8s.io/yaml to 1.6.0 by @​dependabot[bot] in spdx/tools-golang#259
• Resolve two issues related to ExternalDocumentRef by @​KAWAHARA-souta in spdx/tools-golang#269
• fix: Fix prefixDocumentId() to use correct prefix by @​KAWAHARA-souta in spdx/tools-golang#272

New Contributors

• @​warpkwd made their first contribution in spdx/tools-golang#254
• @​KAWAHARA-souta made their first contribution in spdx/tools-golang#269

Full Changelog: spdx/tools-golang@v0.5.5...v0.5.6

Changelog

Sourced from github.com/spdx/tools-golang's changelog.

0.5.7

0.5.7 released on: 2026-01-12

What's Changed

• Fail parsing if the required prefix isn't present for IDs by @​awyeth in #275

New Contributors

• @​awyeth made their first contribution in #275

Contributors

• @​awyeth

0.5.6

0.5.6 released on: 2025-12-23

What's Changed

• Change the colon and space separator to just a colon by @​warpkwd in #254
• build(deps): Bump sigs.k8s.io/yaml to 1.6.0 by @​dependabot[bot] in #259
• Resolve two issues related to ExternalDocumentRef by @​KAWAHARA-souta in #269
• fix: Fix prefixDocumentId() to use correct prefix by @​KAWAHARA-souta in #272

New Contributors

• @​warpkwd made their first contribution in #254
• @​KAWAHARA-souta made their first contribution in #269

Contributors

• @​warpkwd
• @​dependabot
• @​KAWAHARA-souta

Commits

• 28116d2 fix: fail parsing if the required prefix isn't present for IDs (#275)
• 3d64f16 build(deps): Bump actions/checkout from 5 to 6 (#271)
• 254d7a7 fix: Fix prefixDocumentId() to use correct prefix (#272)
• e6786a8 fix: ExternalDocumentRef in JSON serialization (#269)
• 49501ad build(deps): Bump github.com/anchore/go-struct-converter from 0.0.0-202211181...
• e95cf7f build(deps): Bump sigs.k8s.io/yaml from 1.5.0 to 1.6.0 (#259)
• eabe60c build(deps): Bump actions/checkout from 4 to 5 (#260)
• 72d8e33 build(deps): Bump github.com/stretchr/testify from 1.10.0 to 1.11.1 (#264)
• d6b5d35 build(deps): Bump actions/setup-go from 5 to 6 (#265)
• 916d962 build(deps): Bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0 (#258)
• Additional commits viewable in compare view

Updates github.com/tetratelabs/wazero from 1.10.1 to 1.11.0

Release notes

Sourced from github.com/tetratelabs/wazero's releases.

v1.11.0

Hi wazero friends! The new release of wazero v1.11.0 has arrived.

This release is a small "break with the past" it the sense that we added one go.mod dependency to wazero: golang.org/x/sys; read the rational for why.

Behavioral changes

• 77db9681 Require Go 1.24 (#2448) @​ncruces
• fe2e7519 Use golang.org/x/sys (#2443) @​ncruces

Bug fixes

• 92864489 Update Wasm 2.0 spec tests. (#2458) @​ncruces
• 5e7c35eb Fix race condition in refCount initialization (#2447) @​jackorse

New Contributors

• @​jackorse made their first contribution in #2447

Full Changelog: wazero/wazero@v1.10.1...v1.11.0

Commits

• fe2e751 Use golang.org/x/sys (#2443)
• 9286448 Update Wasm 2.0 spec tests. (#2458)
• af80797 Add go-libtiff to users.md (#2457)
• 77db968 Change version policy to two versions. (#2448)
• 275c9a0 Simplify utimens. (#2449)
• 5e7c35e Fix race condition in refCount initialization (#2447)
• cc1ca4c Streamline build tags: remove tinygo, cgo (#2446)
• See full diff in compare view

Updates github.com/zclconf/go-cty-yaml from 1.1.0 to 1.2.0

Changelog

Sourced from github.com/zclconf/go-cty-yaml's changelog.

1.2.0 (December 17, 2025)

• The YAML decoder now has more complete support for tag:yaml.org,2002:merge, including support for merging a sequence of mappings rather than just a single mapping.

  Unfortunately the specification for this tag is terse and incomplete, and other existing implementations disagree even with the few behaviors that are described in the specification, so this library implements behavior that matches existing implementations while diverging slightly from the spec:

  • The untagged scalar value << is resolved as tag:yaml.org,2002:merge only in the mapping key position. In all other positions it's resolved as a normal string, "<<". Writing out the tag explicitly instead of using the shorthand is allowed in mapping key position and rejected as an error in all other positions.
  • Multiple merge keys can appear in the same mapping, and will each be handled separately as if they had all been written as a single merge.
  • Later mentions of a key override earlier mentions of a key in all cases. This is the main deviation from the spec text: the spec requires that the earliest mention of each key takes priority when merging, but that is the opposite of the normal behavior for duplicate keys in a mapping (without merging) and other implementations seem to ignore that exception.

  There are a few other implementations that disagree with what this library implements. That's unfortunate, but unavoidable because existing implementations are in conflict with one another already. The choices in this implementation were based on a survey of various other popular implementatins and will not be changed in a breaking way after this release.

Commits

• 85d6bca v1.2.0 release
• 229f481 Allow a !!merge key to be used with a sequence of mappings
• 5da71a8 Add GitHub funding metadata
• See full diff in compare view

Updates golang.org/x/crypto from 0.46.0 to 0.47.0

Commits

• 506e022 go.mod: update golang.org/x dependencies
• 7dacc38 chacha20poly1305: error out in fips140=only mode
• See full diff in compare view

Updates golang.org/x/mod from 0.31.0 to 0.32.0

Commits

• 4c04067 go.mod: update golang.org/x dependencies
• See full diff in compare view

Updates golang.org/x/net from 0.48.0 to 0.49.0

Commits

• d977772 go.mod: update golang.org/x dependencies
• eea413e internal/http3: use go1.25 synctest.Test instead of go1.24 synctest.Run
• 9ace223 websocket: add missing call to resp.Body.Close
• 7d3dbb0 http2: buffer the most recently received PRIORITY_UPDATE frame
• See full diff in compare view

Updates golang.org/x/term from 0.38.0 to 0.39.0

Commits

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.