Commit Graph

111 Commits

Author SHA1 Message Date
dependabot[bot]
326a0d0b7b build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
Bumps the go_modules group with 1 update in the / directory: [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go).


Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.42.0 to 1.43.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.42.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  dependency-version: 1.43.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 15:30:39 +00:00
dependabot[bot]
567670f6eb build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
Bumps the go_modules group with 1 update in the / directory: [go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp](https://github.com/open-telemetry/opentelemetry-go).


Updates `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` from 0.18.0 to 0.19.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
  dependency-version: 0.19.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-08 19:27:49 +00:00
Milos Gajdos
078b0783f2 Merge commit from fork
fix redis repo-scoped blob descriptor revocation
2026-04-05 17:08:50 -07:00
dependabot[bot]
2bf6ae0065 build(deps): bump github.com/go-jose/go-jose/v4
Bumps the go_modules group with 1 update in the / directory: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).


Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-03 04:02:21 +00:00
1seal
5cda72868f fix redis repo-scoped blob descriptor revocation 2026-04-01 18:38:38 +03:00
Milos Gajdos
fa05d6fa31 chore(deps): Bump Go to latest 1.25 in CI workflows and go.mod
In prep for release + fixing sec vulns
* https://github.com/distribution/distribution/security/dependabot/22
* https://github.com/distribution/distribution/security/dependabot/23

otel is particularly silly, especially the contrib deps.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-03-19 09:10:09 -07:00
Milos Gajdos
ab67ffa0bd vendor: github.com/go-jose/go-jose/v4 v4.1.3 (#4790) 2026-02-12 15:03:13 -08:00
Sebastiaan van Stijn
eba1fb4803 vendor: github.com/docker/go-events 605354379745
full diff: e31b211e4f...6053543797

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 19:21:25 +01:00
Sebastiaan van Stijn
2a52e9015f vendor: github.com/go-jose/go-jose/v4 v4.1.3
No longer has dependencies

full diff: https://github.com/go-jose/go-jose/compare/v4.0.5...v4.1.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 19:12:01 +01:00
Milos Gajdos
1cc061570c vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0 (#4788) 2026-02-12 10:03:20 -08:00
Sebastiaan van Stijn
3e841a3d78 vendor: github.com/spf13/cobra v1.10.2
full diff:

- https://github.com/spf13/cobra/compare/v1.8.0...v1.10.2
- https://github.com/spf13/pflag/compare/v1.0.5...v1.0.10

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 18:45:18 +01:00
Sebastiaan van Stijn
10e0e8e4c0 vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0
- adds go.mod
- DefaultFormatter now uses RFC3339Nano as default

full diff: https://github.com/bshuster-repo/logrus-logstash-hook/compare/v1.0.0...v1.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 18:37:03 +01:00
Sebastiaan van Stijn
d2398c56f2 vendor: github.com/klauspost/compress v1.18.4
full diff: https://github.com/klauspost/compress/compare/v1.17.11...v1.18.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 09:35:31 -08:00
Sebastiaan van Stijn
c4a0bd3fe9 vendor: github.com/opencontainers/image-spec v1.1.1
full diff: https://github.com/opencontainers/image-spec/compare/v1.1.0...v1.1.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 09:34:56 -08:00
Sebastiaan van Stijn
abc9debf41 vendor: github.com/docker/docker-credential-helpers v0.9.5
full diff: https://github.com/docker/docker-credential-helpers/compare/v0.8.2...v0.9.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 09:21:36 -08:00
Sebastiaan van Stijn
9b79cf5105 vendor: golang.org/x/oauth2 v0.35.0
full diff: https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.28.0...refs/tags/v0.35.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
ae7c498d28 vendor: golang.org/x/time v0.14.0
full diff: https://cs.opensource.google/go/x/time/+/refs/tags/v0.6.0...refs/tags/v0.14.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
87a9711c88 vendor: golang.org/x/crypto v0.48.0, golang.org/x/net v0.50.0
full diff: https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.36.0...refs/tags/v0.48.0
full diff: https://cs.opensource.google/go/x/net/+/refs/tags/v0.38.0...refs/tags/v0.50.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
aebf0612ee vendor: golang.org/x/text v0.34.0
full diff: https://cs.opensource.google/go/x/text/+/refs/tags/v0.23.0...refs/tags/v0.34.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
3e3e153900 vendor: golang.org/x/sys v0.41.0
full diff: https://cs.opensource.google/go/x/sys/+/refs/tags/v0.31.0...refs/tags/v0.41.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
00464063d5 vendor: github.com/sirupsen/logrus v1.9.4
full diff: https://github.com/sirupsen/logrus/compare/v1.9.3...v1.9.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:57:45 -08:00
dependabot[bot]
5a71303e59 build(deps): bump golang.org/x/net
Bumps the go_modules group with 1 update in the / directory: [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-16 23:33:39 +00:00
Milos Gajdos
52f0f6c45d Bump Azure deps
This pulls in go-redis update as well.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2025-03-27 22:44:26 -07:00
dependabot[bot]
05b308bc42 build(deps): bump github.com/golang-jwt/jwt/v5
Bumps the go_modules group with 1 update in the / directory: [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt).


Updates `github.com/golang-jwt/jwt/v5` from 5.2.1 to 5.2.2
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md)
- [Commits](https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v5
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-21 22:28:21 +00:00
dependabot[bot]
896fec507e build(deps): bump golang.org/x/net
Bumps the go_modules group with 1 update in the / directory: [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/net` from 0.33.0 to 0.36.0
- [Commits](https://github.com/golang/net/compare/v0.33.0...v0.36.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-19 14:59:20 +00:00
dependabot[bot]
fc3dd55d3d build(deps): bump github.com/go-jose/go-jose/v4 in the go_modules group
Bumps the go_modules group with 1 update: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).


Updates `github.com/go-jose/go-jose/v4` from 4.0.2 to 4.0.5
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-24 22:51:52 +00:00
Milos Gajdos
38fd91a49e (security): Bump golang.org/x/net module
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2024-45338

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-12-20 06:21:59 +00:00
dependabot[bot]
6eba54be60 build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.28.0 to 0.31.0.
- [Commits](https://github.com/golang/crypto/compare/v0.28.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-12 08:34:18 +00:00
krynju
abbe03efef Upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
Signed-off-by: krynju <krystian.gulinski@juliahub.com>
2024-11-13 18:27:43 +01:00
Milos Gajdos
d67b46a05b Bump dependencies (#4498) 2024-11-06 10:52:35 +00:00
Milos Gajdos
3ac2285631 Bump otel dependencies
We want to be consistent in our deps so tracking down issue does not end
up in a murder mystery hunt. This commit picks a specific otel versions
that are unified in this codebase.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-11-05 05:45:37 +00:00
Milos Gajdos
3996413f46 Bump google storage module
Also bump the golangci version

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-10-26 18:19:46 +01:00
Milos Gajdos
1c26d98fbe Bump dependencies
In preparation to the next release we're going to bump some deps such as
various cloud SDKs we can test i.e. AWS, Google Cloud, etc.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-10-26 17:52:35 +01:00
Chun-Hung Hsiao
eed9400d26 feat: support custom exec-based credential helper in proxy mode
This change allows users to run the registry as a pull-through cache
that can use a credential helper to authenticate against the upstream
registry.

Signed-off-by: Chun-Hung Hsiao <chhsiao@google.com>
2024-08-16 19:42:51 -07:00
Sebastiaan van Stijn
9ba7340601 vendor: github.com/opencontainers/image-spec v1.1.0
full diff: https://github.com/opencontainers/image-spec/compare/v1.0.2...v1.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-10 14:58:09 -05:00
dependabot[bot]
050e1a3ee7 build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
Bumps [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) from 1.3.0 to 1.6.0.
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.3.0...sdk/azcore/v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-11 20:09:16 +00:00
Milos Gajdos
52d68216c0 feature: Bump go-jose and require signing algorithms in auth
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-30 20:44:35 +01:00
dependabot[bot]
2db0a598cc build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.20.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.20.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-19 12:59:08 +00:00
Milos Gajdos
bc6e81e1b9 Add Go 1.22 support to CI (#4314) 2024-04-08 12:15:39 +01:00
Austin Vazquez
21c718d58c Add Go 1.22 support to CI
This change adds Go 1.22 to the Go version matrix in CI and updates all
Dockerfiles to use Go 1.21.8.

Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-03-27 15:59:13 +00:00
Milos Gajdos
167d7996be chore: bump distriution/reference dependency
We've made a new release https://github.com/distribution/reference

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-03-26 20:19:28 +00:00
Milos Gajdos
7c7517493c build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#4297) 2024-03-17 10:38:34 +00:00
dependabot[bot]
cb2b51cac9 build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-13 23:16:02 +00:00
dependabot[bot]
1c5fe22dec build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.1 to 3.0.3.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3.0.3/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v3.0.1...v3.0.3)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-07 23:01:05 +00:00
erezrokah
11f50c034e feat: Add HTTP2 for unencrypted HTTP
Signed-off-by: erezrokah <erezrokah@users.noreply.github.com>
2024-01-17 20:59:02 +00:00
Milos Gajdos
6926aea0ee vendor: github.com/gorilla/handlers v1.5.2 (#4211) 2024-01-16 17:06:16 +07:00
Sebastiaan van Stijn
bdfa8324a0 vendor: github.com/mitchellh/mapstructure v1.5.0
note that this repository will be sunset, and the "endorsed" fork will be
maintened by "go-viper". Updating the dependency to the latest version in
preparation.

full diff: https://github.com/mitchellh/mapstructure/compare/v1.1.2...v1.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-27 12:28:10 +01:00
Sebastiaan van Stijn
4f9fe183c3 vendor: github.com/gorilla/handlers v1.5.2
full diff: https://github.com/gorilla/handlers/compare/v1.5.1...v1.5.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-22 10:23:09 +01:00
dependabot[bot]
dcee8e93a3 build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.15.0 to 0.17.0.
- [Commits](https://github.com/golang/crypto/compare/v0.15.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-19 00:02:47 +00:00
Eng Zer Jun
bcbf0431d1 testing: replace legacy gopkg.in/check.v1
This commit replaces the legacy `gopkg.in/check.v1` testing dependency
with `github.com/stretchr/testify`.

Closes https://github.com/distribution/distribution/issues/3884.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-12-13 09:22:43 +00:00