fix(deps): update module github.com/containers/image/v5 to v5.32.0

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-27 11:01:18 +00:00 · 2024-07-27 15:02:36 +00:00 · 2024-07-27 15:02:36 +00:00 · 299848119c
commit 299848119c
parent f616003b98
127 changed files with 2294 additions and 10184 deletions
--- a/go.mod
+++ b/go.mod
@ -1,15 +1,15 @@
 module github.com/containers/skopeo

 // Minimum required golang version
-go 1.21
+go 1.21.0

 // Warning: Ensure the "go" and "toolchain" versions match exactly to prevent unwanted auto-updates
-toolchain go1.21.0
+toolchain go1.21.12

 require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/containers/common v0.59.2
-	github.com/containers/image/v5 v5.31.1
+	github.com/containers/image/v5 v5.32.0
 	github.com/containers/ocicrypt v1.2.0
 	github.com/containers/storage v1.55.0
 	github.com/docker/distribution v2.8.3+incompatible
@ -43,8 +43,8 @@ require (
 	github.com/cyphar/filepath-securejoin v0.3.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/docker v26.1.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.1 // indirect
+	github.com/docker/docker v27.1.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
@ -66,7 +66,7 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/go-containerregistry v0.19.1 // indirect
+	github.com/google/go-containerregistry v0.20.0 // indirect
 	github.com/google/go-intervals v0.0.2 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
@ -79,7 +79,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240418210053-89b07f4543e0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mattn/go-sqlite3 v1.14.22 // indirect
@ -106,15 +106,15 @@ require (
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/sigstore/fulcio v1.4.5 // indirect
 	github.com/sigstore/rekor v1.3.6 // indirect
-	github.com/sigstore/sigstore v1.8.3 // indirect
+	github.com/sigstore/sigstore v1.8.4 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
-	github.com/sylabs/sif/v2 v2.16.0 // indirect
+	github.com/sylabs/sif/v2 v2.18.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/ulikunitz/xz v0.5.12 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
-	github.com/vbauerster/mpb/v8 v8.7.3 // indirect
+	github.com/vbauerster/mpb/v8 v8.7.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
@ -125,15 +125,14 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
 	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
 	google.golang.org/grpc v1.64.1 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -39,8 +39,8 @@ github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G
 github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
 github.com/containers/common v0.59.2 h1:FcURZzlMYMVZXqjMEop6C0A3yWilrfmWUPUw09APHvI=
 github.com/containers/common v0.59.2/go.mod h1:/PHpbapKSHQU29Jmjn3Ld3jekoHvX0zx7qQxxyPqSTM=
-github.com/containers/image/v5 v5.31.1 h1:3x9soI6Biml/GiDLpkSmKrkRSwVGctxu/vONpoUdklA=
-github.com/containers/image/v5 v5.31.1/go.mod h1:5QfOqSackPkSbF7Qxc1DnVNnPJKQ+KWLkfEfDpK590Q=
+github.com/containers/image/v5 v5.32.0 h1:yjbweazPfr8xOzQ2hkkYm1A2V0jN96/kES6Gwyxj7hQ=
+github.com/containers/image/v5 v5.32.0/go.mod h1:x5e0RDfGaY6bnQ13gJ2LqbfHvzssfB/y5a8HduGFxJc=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sirVuPM=
@ -60,14 +60,14 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v26.1.3+incompatible h1:bUpXT/N0kDE3VUHI2r5VMsYQgi38kYuoC0oL9yt3lqc=
-github.com/docker/cli v26.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE=
+github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.1.3+incompatible h1:lLCzRbrVZrljpVNobJu1J2FHk8V0s4BawoZippkc+xo=
-github.com/docker/docker v26.1.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
-github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
+github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY=
+github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
+github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
@ -114,8 +114,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
-github.com/go-rod/rod v0.114.7 h1:h4pimzSOUnw7Eo41zdJA788XsawzHjJMyzCE3BrBww0=
-github.com/go-rod/rod v0.114.7/go.mod h1:aiedSEFg5DwG/fnNbUOTPMTTWX3MRj6vIs/a684Mthw=
+github.com/go-rod/rod v0.116.0 h1:ypRryjTys3EnqHskJ/TdgodFMvXV0EHvmy4bSkKZgHM=
+github.com/go-rod/rod v0.116.0/go.mod h1:aiedSEFg5DwG/fnNbUOTPMTTWX3MRj6vIs/a684Mthw=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
@ -148,8 +148,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.19.1 h1:yMQ62Al6/V0Z7CqIrrS1iYoA5/oQCm88DeNujc7C1KY=
-github.com/google/go-containerregistry v0.19.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/google/go-containerregistry v0.20.0 h1:wRqHpOeVh3DnenOrPy9xDOLdnLatiGuuNRVelR2gSbg=
+github.com/google/go-containerregistry v0.20.0/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
 github.com/google/go-intervals v0.0.2 h1:FGrVEiUnTRKR8yE04qzXYaJMtnIYqobR5QbblK3ixcM=
 github.com/google/go-intervals v0.0.2/go.mod h1:MkaR3LNRfeKLPmqgJYs4E66z5InYjmCjbbr4TQlcT6Y=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@ -194,8 +194,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e h1:RLTpX495BXToqxpM90Ws4hXEo4Wfh81jr9DX1n/4WOo=
-github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e/go.mod h1:EAuqr9VFWxBi9nD5jc/EA2MT1RFty9288TF6zdtYoCU=
+github.com/letsencrypt/boulder v0.0.0-20240418210053-89b07f4543e0 h1:aiPrFdHDCCvigNBCkOWj2lv9Bx5xDp210OANZEoiP0I=
+github.com/letsencrypt/boulder v0.0.0-20240418210053-89b07f4543e0/go.mod h1:srVwm2N3DC/tWqQ+igZXDrmKlNRN8X/dmJ1wEZrv760=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
@ -261,8 +261,8 @@ github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZ
 github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
 github.com/prometheus/common v0.51.1 h1:eIjN50Bwglz6a/c3hAgSMcofL3nD+nFQkV6Dd4DsQCw=
 github.com/prometheus/common v0.51.1/go.mod h1:lrWtQx+iDfn2mbH5GUzlH9TSHyfZpHkSiG1W7y3sF2Q=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@ -285,8 +285,8 @@ github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc
 github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8=
 github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
-github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4=
-github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs=
+github.com/sigstore/sigstore v1.8.4 h1:g4ICNpiENFnWxjmBzBDWUn62rNFeny/P77HUC8da32w=
+github.com/sigstore/sigstore v1.8.4/go.mod h1:1jIKtkTFEeISen7en+ZPWdDHazqhxco/+v9CNjc7oNg=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
@ -307,8 +307,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/sylabs/sif/v2 v2.16.0 h1:2eqaBaQQsn5DZTzm3QZm0HupZQEjNXfxRnCmtyCihEU=
-github.com/sylabs/sif/v2 v2.16.0/go.mod h1:d5TxgD/mhMUU3kWLmZmWJQ99Wg0asaTP0bq3ezR1xpg=
+github.com/sylabs/sif/v2 v2.18.0 h1:eXugsS1qx7St2Wu/AJ21KnsQiVCpouPlTigABh+6KYI=
+github.com/sylabs/sif/v2 v2.18.0/go.mod h1:GOQj7LIBqp15fjqH5i8ZEbLp8SXJi9S+xbRO+QQAdRo=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
@ -320,8 +320,8 @@ github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
 github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
 github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
-github.com/vbauerster/mpb/v8 v8.7.3 h1:n/mKPBav4FFWp5fH4U0lPpXfiOmCEgl5Yx/NM3tKJA0=
-github.com/vbauerster/mpb/v8 v8.7.3/go.mod h1:9nFlNpDGVoTmQ4QvNjSLtwLmAFjwmq0XaAF26toHGNM=
+github.com/vbauerster/mpb/v8 v8.7.4 h1:p4f16iMfUt3PkAC73SCzAtgtSf8TYDqEbJUT3odPrPo=
+github.com/vbauerster/mpb/v8 v8.7.4/go.mod h1:r1B5k2Ljj5KJFCekfihbiqyV4VaaRTANYmvWA2btufI=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@ -371,8 +371,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY=
 golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
@ -401,8 +401,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
-golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -490,8 +490,6 @@ google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHh
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
-gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/vendor/github.com/containers/image/v5/copy/compression.go
+++ b/vendor/github.com/containers/image/v5/copy/compression.go
@ -73,7 +73,7 @@ type bpCompressionStepData struct {
 	operation              bpcOperation                // What we are actually doing
 	uploadedOperation      types.LayerCompression      // Operation to use for updating the blob metadata (matching the end state, not necessarily what we do)
 	uploadedAlgorithm      *compressiontypes.Algorithm // An algorithm parameter for the compressionOperation edits.
-	uploadedAnnotations    map[string]string           // Annotations that should be set on the uploaded blob. WARNING: This is only set after the srcStream.reader is fully consumed.
+	uploadedAnnotations    map[string]string           // Compression-related annotations that should be set on the uploaded blob. WARNING: This is only set after the srcStream.reader is fully consumed.
 	srcCompressorName      string                      // Compressor name to record in the blob info cache for the source blob.
 	uploadedCompressorName string                      // Compressor name to record in the blob info cache for the uploaded blob.
 	closers                []io.Closer                 // Objects to close after the upload is done, if any.
@ -323,7 +323,11 @@ func (d *bpCompressionStepData) recordValidatedDigestData(c *copier, uploadedInf
 			return fmt.Errorf("Internal error: Unexpected d.operation value %#v", d.operation)
 		}
 	}
-	if d.uploadedCompressorName != "" && d.uploadedCompressorName != internalblobinfocache.UnknownCompression {
+	if d.srcCompressorName == "" || d.uploadedCompressorName == "" {
+		return fmt.Errorf("internal error: missing compressor names (src: %q, uploaded: %q)",
+			d.srcCompressorName, d.uploadedCompressorName)
+	}
+	if d.uploadedCompressorName != internalblobinfocache.UnknownCompression {
 		if d.uploadedCompressorName != compressiontypes.ZstdChunkedAlgorithmName {
 			// HACK: Don’t record zstd:chunked algorithms.
 			// There is already a similar hack in internal/imagedestination/impl/helpers.CandidateMatchesTryReusingBlobOptions,
@ -337,7 +341,7 @@ func (d *bpCompressionStepData) recordValidatedDigestData(c *copier, uploadedInf
 		}
 	}
 	if srcInfo.Digest != "" && srcInfo.Digest != uploadedInfo.Digest &&
-		d.srcCompressorName != "" && d.srcCompressorName != internalblobinfocache.UnknownCompression {
+		d.srcCompressorName != internalblobinfocache.UnknownCompression {
 		if d.srcCompressorName != compressiontypes.ZstdChunkedAlgorithmName {
 			// HACK: Don’t record zstd:chunked algorithms, see above.
 			c.blobInfoCache.RecordDigestCompressorName(srcInfo.Digest, d.srcCompressorName)
--- a/vendor/github.com/containers/image/v5/copy/single.go
+++ b/vendor/github.com/containers/image/v5/copy/single.go
@ -409,7 +409,6 @@ func (ic *imageCopier) compareImageDestinationManifestEqual(ctx context.Context,
 // copyLayers copies layers from ic.src/ic.c.rawSource to dest, using and updating ic.manifestUpdates if necessary and ic.cannotModifyManifestReason == "".
 func (ic *imageCopier) copyLayers(ctx context.Context) ([]compressiontypes.Algorithm, error) {
 	srcInfos := ic.src.LayerInfos()
-	numLayers := len(srcInfos)
 	updatedSrcInfos, err := ic.src.LayerInfosForCopy(ctx)
 	if err != nil {
 		return nil, err
@ -440,7 +439,7 @@ func (ic *imageCopier) copyLayers(ctx context.Context) ([]compressiontypes.Algor
 	// copyGroup is used to determine if all layers are copied
 	copyGroup := sync.WaitGroup{}

-	data := make([]copyLayerData, numLayers)
+	data := make([]copyLayerData, len(srcInfos))
 	copyLayerHelper := func(index int, srcLayer types.BlobInfo, toEncrypt bool, pool *mpb.Progress, srcRef reference.Named) {
 		defer ic.c.concurrentBlobCopiesSemaphore.Release(1)
 		defer copyGroup.Done()
@ -463,9 +462,7 @@ func (ic *imageCopier) copyLayers(ctx context.Context) ([]compressiontypes.Algor

 	// Decide which layers to encrypt
 	layersToEncrypt := set.New[int]()
-	var encryptAll bool
 	if ic.c.options.OciEncryptLayers != nil {
-		encryptAll = len(*ic.c.options.OciEncryptLayers) == 0
 		totalLayers := len(srcInfos)
 		for _, l := range *ic.c.options.OciEncryptLayers {
 			switch {
@ -478,7 +475,7 @@ func (ic *imageCopier) copyLayers(ctx context.Context) ([]compressiontypes.Algor
 			}
 		}

-		if encryptAll {
+		if len(*ic.c.options.OciEncryptLayers) == 0 { // “encrypt all layers”
 			for i := 0; i < len(srcInfos); i++ {
 				layersToEncrypt.Add(i)
 			}
@ -493,8 +490,7 @@ func (ic *imageCopier) copyLayers(ctx context.Context) ([]compressiontypes.Algor
 		defer copyGroup.Wait()

 		for i, srcLayer := range srcInfos {
-			err = ic.c.concurrentBlobCopiesSemaphore.Acquire(ctx, 1)
-			if err != nil {
+			if err := ic.c.concurrentBlobCopiesSemaphore.Acquire(ctx, 1); err != nil {
 				// This can only fail with ctx.Err(), so no need to blame acquiring the semaphore.
 				return fmt.Errorf("copying layer: %w", err)
 			}
@ -509,8 +505,8 @@ func (ic *imageCopier) copyLayers(ctx context.Context) ([]compressiontypes.Algor
 	}

 	compressionAlgos := set.New[string]()
-	destInfos := make([]types.BlobInfo, numLayers)
-	diffIDs := make([]digest.Digest, numLayers)
+	destInfos := make([]types.BlobInfo, len(srcInfos))
+	diffIDs := make([]digest.Digest, len(srcInfos))
 	for i, cld := range data {
 		if cld.err != nil {
 			return nil, cld.err
--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
@ -86,11 +86,9 @@ type extensionSignatureList struct {
 	Signatures []extensionSignature `json:"signatures"`
 }

+// bearerToken records a cached token we can use to authenticate.
 type bearerToken struct {
-	Token          string    `json:"token"`
-	AccessToken    string    `json:"access_token"`
-	ExpiresIn      int       `json:"expires_in"`
-	IssuedAt       time.Time `json:"issued_at"`
+	token          string
 	expirationTime time.Time
 }

@ -147,25 +145,6 @@ const (
 	noAuth
 )

-func newBearerTokenFromJSONBlob(blob []byte) (*bearerToken, error) {
-	token := new(bearerToken)
-	if err := json.Unmarshal(blob, &token); err != nil {
-		return nil, err
-	}
-	if token.Token == "" {
-		token.Token = token.AccessToken
-	}
-	if token.ExpiresIn < minimumTokenLifetimeSeconds {
-		token.ExpiresIn = minimumTokenLifetimeSeconds
-		logrus.Debugf("Increasing token expiration to: %d seconds", token.ExpiresIn)
-	}
-	if token.IssuedAt.IsZero() {
-		token.IssuedAt = time.Now().UTC()
-	}
-	token.expirationTime = token.IssuedAt.Add(time.Duration(token.ExpiresIn) * time.Second)
-	return token, nil
-}
-
 // dockerCertDir returns a path to a directory to be consumed by tlsclientconfig.SetupCertificates() depending on ctx and hostPort.
 func dockerCertDir(sys *types.SystemContext, hostPort string) (string, error) {
 	if sys != nil && sys.DockerCertPath != "" {
@ -774,7 +753,7 @@ func (c *dockerClient) setupRequestAuth(req *http.Request, extraScope *authScope
 					token = *t
 					c.tokenCache.Store(cacheKey, token)
 				}
-				registryToken = token.Token
+				registryToken = token.token
 			}
 			req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", registryToken))
 			return nil
@ -827,12 +806,7 @@ func (c *dockerClient) getBearerTokenOAuth2(ctx context.Context, challenge chall
 		return nil, err
 	}

-	tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
-	if err != nil {
-		return nil, err
-	}
-
-	return newBearerTokenFromJSONBlob(tokenBlob)
+	return newBearerTokenFromHTTPResponseBody(res)
 }

 func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
@ -878,12 +852,50 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
 	if err := httpResponseToError(res, "Requesting bearer token"); err != nil {
 		return nil, err
 	}
-	tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
+
+	return newBearerTokenFromHTTPResponseBody(res)
+}
+
+// newBearerTokenFromHTTPResponseBody parses a http.Response to obtain a bearerToken.
+// The caller is still responsible for ensuring res.Body is closed.
+func newBearerTokenFromHTTPResponseBody(res *http.Response) (*bearerToken, error) {
+	blob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
 	if err != nil {
 		return nil, err
 	}

-	return newBearerTokenFromJSONBlob(tokenBlob)
+	var token struct {
+		Token          string    `json:"token"`
+		AccessToken    string    `json:"access_token"`
+		ExpiresIn      int       `json:"expires_in"`
+		IssuedAt       time.Time `json:"issued_at"`
+		expirationTime time.Time
+	}
+	if err := json.Unmarshal(blob, &token); err != nil {
+		const bodySampleLength = 50
+		bodySample := blob
+		if len(bodySample) > bodySampleLength {
+			bodySample = bodySample[:bodySampleLength]
+		}
+		return nil, fmt.Errorf("decoding bearer token (last URL %q, body start %q): %w", res.Request.URL.Redacted(), string(bodySample), err)
+	}
+
+	bt := &bearerToken{
+		token: token.Token,
+	}
+	if bt.token == "" {
+		bt.token = token.AccessToken
+	}
+
+	if token.ExpiresIn < minimumTokenLifetimeSeconds {
+		token.ExpiresIn = minimumTokenLifetimeSeconds
+		logrus.Debugf("Increasing token expiration to: %d seconds", token.ExpiresIn)
+	}
+	if token.IssuedAt.IsZero() {
+		token.IssuedAt = time.Now().UTC()
+	}
+	bt.expirationTime = token.IssuedAt.Add(time.Duration(token.ExpiresIn) * time.Second)
+	return bt, nil
 }

 // detectPropertiesHelper performs the work of detectProperties which executes
--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
@ -361,8 +361,6 @@ func (d *dockerImageDestination) TryReusingBlobWithOptions(ctx context.Context,
 				logrus.Debugf("Error parsing BlobInfoCache location reference: %s", err)
 				continue
 			}
-		}
-		if !candidate.UnknownLocation {
 			if candidate.CompressionAlgorithm != nil {
 				logrus.Debugf("Trying to reuse blob with cached digest %s compressed with %s in destination repo %s", candidate.Digest.String(), candidate.CompressionAlgorithm.Name(), candidateRepo.Name())
 			} else {
--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
@ -1,7 +1,9 @@
 package docker

 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@ -11,6 +13,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"os/exec"
 	"strings"
 	"sync"

@ -162,6 +165,34 @@ func newImageSourceAttempt(ctx context.Context, sys *types.SystemContext, logica
 		client.Close()
 		return nil, err
 	}
+
+	if h, err := sysregistriesv2.AdditionalLayerStoreAuthHelper(endpointSys); err == nil && h != "" {
+		acf := map[string]struct {
+			Username      string `json:"username,omitempty"`
+			Password      string `json:"password,omitempty"`
+			IdentityToken string `json:"identityToken,omitempty"`
+		}{
+			physicalRef.ref.String(): {
+				Username:      client.auth.Username,
+				Password:      client.auth.Password,
+				IdentityToken: client.auth.IdentityToken,
+			},
+		}
+		acfD, err := json.Marshal(acf)
+		if err != nil {
+			logrus.Warnf("failed to marshal auth config: %v", err)
+		} else {
+			cmd := exec.Command(h)
+			cmd.Stdin = bytes.NewReader(acfD)
+			if err := cmd.Run(); err != nil {
+				var stderr string
+				if ee, ok := err.(*exec.ExitError); ok {
+					stderr = string(ee.Stderr)
+				}
+				logrus.Warnf("Failed to call additional-layer-store-auth-helper (stderr:%s): %v", stderr, err)
+			}
+		}
+	}
 	return s, nil
 }

--- a/vendor/github.com/containers/image/v5/internal/manifest/oci_index.go
+++ b/vendor/github.com/containers/image/v5/internal/manifest/oci_index.go
@ -1,6 +1,7 @@
 package manifest

 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"maps"
@ -296,29 +297,51 @@ func OCI1IndexPublicFromComponents(components []imgspecv1.Descriptor, annotation
 		},
 	}
 	for i, component := range components {
-		var platform *imgspecv1.Platform
-		if component.Platform != nil {
-			platformCopy := ociPlatformClone(*component.Platform)
-			platform = &platformCopy
-		}
-		m := imgspecv1.Descriptor{
-			MediaType:    component.MediaType,
-			ArtifactType: component.ArtifactType,
-			Size:         component.Size,
-			Digest:       component.Digest,
-			URLs:         slices.Clone(component.URLs),
-			Annotations:  maps.Clone(component.Annotations),
-			Platform:     platform,
-		}
-		index.Manifests[i] = m
+		index.Manifests[i] = oci1DescriptorClone(component)
 	}
 	return &index
 }

+func oci1DescriptorClone(d imgspecv1.Descriptor) imgspecv1.Descriptor {
+	var platform *imgspecv1.Platform
+	if d.Platform != nil {
+		platformCopy := ociPlatformClone(*d.Platform)
+		platform = &platformCopy
+	}
+	return imgspecv1.Descriptor{
+		MediaType:    d.MediaType,
+		Digest:       d.Digest,
+		Size:         d.Size,
+		URLs:         slices.Clone(d.URLs),
+		Annotations:  maps.Clone(d.Annotations),
+		Data:         bytes.Clone(d.Data),
+		Platform:     platform,
+		ArtifactType: d.ArtifactType,
+	}
+}
+
 // OCI1IndexPublicClone creates a deep copy of the passed-in index.
 // This is publicly visible as c/image/manifest.OCI1IndexClone.
 func OCI1IndexPublicClone(index *OCI1IndexPublic) *OCI1IndexPublic {
-	return OCI1IndexPublicFromComponents(index.Manifests, index.Annotations)
+	var subject *imgspecv1.Descriptor
+	if index.Subject != nil {
+		s := oci1DescriptorClone(*index.Subject)
+		subject = &s
+	}
+	manifests := make([]imgspecv1.Descriptor, len(index.Manifests))
+	for i, m := range index.Manifests {
+		manifests[i] = oci1DescriptorClone(m)
+	}
+	return &OCI1IndexPublic{
+		Index: imgspecv1.Index{
+			Versioned:    index.Versioned,
+			MediaType:    index.MediaType,
+			ArtifactType: index.ArtifactType,
+			Manifests:    manifests,
+			Subject:      subject,
+			Annotations:  maps.Clone(index.Annotations),
+		},
+	}
 }

 // ToOCI1Index returns the index encoded as an OCI1 index.
--- a/vendor/github.com/containers/image/v5/pkg/blobinfocache/default.go
+++ b/vendor/github.com/containers/image/v5/pkg/blobinfocache/default.go
@ -74,3 +74,15 @@ func DefaultCache(sys *types.SystemContext) types.BlobInfoCache {
 	logrus.Debugf("Using SQLite blob info cache at %s", path)
 	return cache
 }
+
+// CleanupDefaultCache removes the blob info cache directory.
+// It deletes the cache directory but it does not affect any file or memory buffer currently
+// in use.
+func CleanupDefaultCache(sys *types.SystemContext) error {
+	dir, err := blobInfoCacheDir(sys, rootless.GetRootlessEUID())
+	if err != nil {
+		// Mirror the DefaultCache behavior that does not fail in this case
+		return nil
+	}
+	return os.RemoveAll(dir)
+}
--- a/vendor/github.com/containers/image/v5/pkg/blobinfocache/memory/memory.go
+++ b/vendor/github.com/containers/image/v5/pkg/blobinfocache/memory/memory.go
@ -27,7 +27,7 @@ type cache struct {
 	uncompressedDigests   map[digest.Digest]digest.Digest
 	digestsByUncompressed map[digest.Digest]*set.Set[digest.Digest]                // stores a set of digests for each uncompressed digest
 	knownLocations        map[locationKey]map[types.BICLocationReference]time.Time // stores last known existence time for each location reference
-	compressors           map[digest.Digest]string                                 // stores a compressor name, or blobinfocache.Unknown (not blobinfocache.UnknownCompression), for each digest
+	compressors           map[digest.Digest]string                                 // stores a compressor name, or blobinfocache.Uncompressed (not blobinfocache.UnknownCompression), for each digest
 }

 // New returns a BlobInfoCache implementation which is in-memory only.
--- a/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/system_registries_v2.go
+++ b/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/system_registries_v2.go
@ -248,6 +248,11 @@ type V2RegistriesConf struct {
 	// potentially use all unqualified-search registries
 	ShortNameMode string `toml:"short-name-mode"`

+	// AdditionalLayerStoreAuthHelper is a helper binary that receives
+	// registry credentials pass them to Additional Layer Store for
+	// registry authentication. These credentials are only collected when pulling (not pushing).
+	AdditionalLayerStoreAuthHelper string `toml:"additional-layer-store-auth-helper"`
+
 	shortNameAliasConf

 	// If you add any field, make sure to update Nonempty() below.
@ -825,6 +830,16 @@ func CredentialHelpers(sys *types.SystemContext) ([]string, error) {
 	return config.partialV2.CredentialHelpers, nil
 }

+// AdditionalLayerStoreAuthHelper returns the helper for passing registry
+// credentials to Additional Layer Store.
+func AdditionalLayerStoreAuthHelper(sys *types.SystemContext) (string, error) {
+	config, err := getConfig(sys)
+	if err != nil {
+		return "", err
+	}
+	return config.partialV2.AdditionalLayerStoreAuthHelper, nil
+}
+
 // refMatchingSubdomainPrefix returns the length of ref
 // iff ref, which is a registry, repository namespace, repository or image reference (as formatted by
 // reference.Domain(), reference.Named.Name() or reference.Reference.String()
@ -1051,6 +1066,11 @@ func (c *parsedConfig) updateWithConfigurationFrom(updates *parsedConfig) {
 		c.shortNameMode = updates.shortNameMode
 	}

+	// == Merge AdditionalLayerStoreAuthHelper:
+	if updates.partialV2.AdditionalLayerStoreAuthHelper != "" {
+		c.partialV2.AdditionalLayerStoreAuthHelper = updates.partialV2.AdditionalLayerStoreAuthHelper
+	}
+
 	// == Merge aliasCache:
 	// We don’t maintain (in fact we actively clear) c.partialV2.shortNameAliasConf.
 	c.aliasCache.updateWithConfigurationFrom(updates.aliasCache)
--- a/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go
+++ b/vendor/github.com/containers/image/v5/signature/mechanism_openpgp.go
@ -15,6 +15,7 @@ import (

 	"github.com/containers/image/v5/signature/internal"
 	"github.com/containers/storage/pkg/homedir"
+
 	// This is a fallback code; the primary recommendation is to use the gpgme mechanism
 	// implementation, which is out-of-process and more appropriate for handling long-term private key material
 	// than any Go implementation.
@ -150,7 +151,7 @@ func (m *openpgpSigningMechanism) Verify(unverifiedSignature []byte) (contents [
 		return nil, "", fmt.Errorf("signature error: %v", md.SignatureError)
 	}
 	if md.SignedBy == nil {
-		return nil, "", internal.NewInvalidSignatureError(fmt.Sprintf("Invalid GPG signature: %#v", md.Signature))
+		return nil, "", internal.NewInvalidSignatureError(fmt.Sprintf("Key not found for key ID %x in signature", md.SignedByKeyId))
 	}
 	if md.Signature != nil {
 		if md.Signature.SigLifetimeSecs != nil {
--- a/vendor/github.com/containers/image/v5/storage/storage_dest.go
+++ b/vendor/github.com/containers/image/v5/storage/storage_dest.go
@ -325,7 +325,13 @@ func (s *storageImageDestination) PutBlobPartial(ctx context.Context, chunkAcces
 	if out.UncompressedDigest != "" {
 		// The computation of UncompressedDigest means the whole layer has been consumed; while doing that, chunked.GetDiffer is
 		// responsible for ensuring blobDigest has been validated.
+		if out.CompressedDigest != blobDigest {
+			return private.UploadedBlob{}, fmt.Errorf("internal error: ApplyDiffWithDiffer returned CompressedDigest %q not matching expected %q",
+				out.CompressedDigest, blobDigest)
+		}
 		s.lockProtected.blobDiffIDs[blobDigest] = out.UncompressedDigest
+		// We trust ApplyDiffWithDiffer to validate or create both values correctly.
+		options.Cache.RecordDigestUncompressedPair(out.CompressedDigest, out.UncompressedDigest)
 	} else {
 		// Don’t identify layers by TOC if UncompressedDigest is available.
 		// - Using UncompressedDigest allows image reuse with non-partially-pulled layers
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@ -6,9 +6,9 @@ const (
 	// VersionMajor is for an API incompatible changes
 	VersionMajor = 5
 	// VersionMinor is for functionality in a backwards-compatible manner
-	VersionMinor = 31
+	VersionMinor = 32
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 1
+	VersionPatch = 0

 	// VersionDev indicates development branch. Releases will be empty string.
 	VersionDev = ""
--- a/vendor/github.com/docker/docker/AUTHORS
+++ b/vendor/github.com/docker/docker/AUTHORS
@ -10,6 +10,7 @@ Aaron Huslage <huslage@gmail.com>
 Aaron L. Xu <liker.xu@foxmail.com>
 Aaron Lehmann <alehmann@netflix.com>
 Aaron Welch <welch@packet.net>
+Aaron Yoshitake <airandfingers@gmail.com>
 Abel Muiño <amuino@gmail.com>
 Abhijeet Kasurde <akasurde@redhat.com>
 Abhinandan Prativadi <aprativadi@gmail.com>
@ -62,6 +63,7 @@ alambike <alambike@gmail.com>
 Alan Hoyle <alan@alanhoyle.com>
 Alan Scherger <flyinprogrammer@gmail.com>
 Alan Thompson <cloojure@gmail.com>
+Alano Terblanche <alano.terblanche@docker.com>
 Albert Callarisa <shark234@gmail.com>
 Albert Zhang <zhgwenming@gmail.com>
 Albin Kerouanton <albinker@gmail.com>
@ -141,6 +143,7 @@ Andreas Tiefenthaler <at@an-ti.eu>
 Andrei Gherzan <andrei@resin.io>
 Andrei Ushakov <aushakov@netflix.com>
 Andrei Vagin <avagin@gmail.com>
+Andrew Baxter <423qpsxzhh8k3h@s.rendaw.me>
 Andrew C. Bodine <acbodine@us.ibm.com>
 Andrew Clay Shafer <andrewcshafer@gmail.com>
 Andrew Duckworth <grillopress@gmail.com>
@ -193,6 +196,7 @@ Anton Löfgren <anton.lofgren@gmail.com>
 Anton Nikitin <anton.k.nikitin@gmail.com>
 Anton Polonskiy <anton.polonskiy@gmail.com>
 Anton Tiurin <noxiouz@yandex.ru>
+Antonio Aguilar <antonio@zoftko.com>
 Antonio Murdaca <antonio.murdaca@gmail.com>
 Antonis Kalipetis <akalipetis@gmail.com>
 Antony Messerli <amesserl@rackspace.com>
@ -221,7 +225,6 @@ Avi Das <andas222@gmail.com>
 Avi Kivity <avi@scylladb.com>
 Avi Miller <avi.miller@oracle.com>
 Avi Vaid <avaid1996@gmail.com>
-ayoshitake <airandfingers@gmail.com>
 Azat Khuyiyakhmetov <shadow_uz@mail.ru>
 Bao Yonglei <baoyonglei@huawei.com>
 Bardia Keyoumarsi <bkeyouma@ucsc.edu>
@ -316,6 +319,7 @@ Burke Libbey <burke@libbey.me>
 Byung Kang <byung.kang.ctr@amrdec.army.mil>
 Caleb Spare <cespare@gmail.com>
 Calen Pennington <cale@edx.org>
+Calvin Liu <flycalvin@qq.com>
 Cameron Boehmer <cameron.boehmer@gmail.com>
 Cameron Sparr <gh@sparr.email>
 Cameron Spear <cameronspear@gmail.com>
@ -362,6 +366,7 @@ Chen Qiu <cheney-90@hotmail.com>
 Cheng-mean Liu <soccerl@microsoft.com>
 Chengfei Shang <cfshang@alauda.io>
 Chengguang Xu <cgxu519@gmx.com>
+Chentianze <cmoman@126.com>
 Chenyang Yan <memory.yancy@gmail.com>
 chenyuzhu <chenyuzhi@oschina.cn>
 Chetan Birajdar <birajdar.chetan@gmail.com>
@ -409,6 +414,7 @@ Christopher Crone <christopher.crone@docker.com>
 Christopher Currie <codemonkey+github@gmail.com>
 Christopher Jones <tophj@linux.vnet.ibm.com>
 Christopher Latham <sudosurootdev@gmail.com>
+Christopher Petito <chrisjpetito@gmail.com>
 Christopher Rigor <crigor@gmail.com>
 Christy Norman <christy@linux.vnet.ibm.com>
 Chun Chen <ramichen@tencent.com>
@ -777,6 +783,7 @@ Gabriel L. Somlo <gsomlo@gmail.com>
 Gabriel Linder <linder.gabriel@gmail.com>
 Gabriel Monroy <gabriel@opdemand.com>
 Gabriel Nicolas Avellaneda <avellaneda.gabriel@gmail.com>
+Gabriel Tomitsuka <gabriel@tomitsuka.com>
 Gaetan de Villele <gdevillele@gmail.com>
 Galen Sampson <galen.sampson@gmail.com>
 Gang Qiao <qiaohai8866@gmail.com>
@ -792,6 +799,7 @@ Geoff Levand <geoff@infradead.org>
 Geoffrey Bachelet <grosfrais@gmail.com>
 Geon Kim <geon0250@gmail.com>
 George Kontridze <george@bugsnag.com>
+George Ma <mayangang@outlook.com>
 George MacRorie <gmacr31@gmail.com>
 George Xie <georgexsh@gmail.com>
 Georgi Hristozov <georgi@forkbomb.nl>
@ -913,6 +921,7 @@ Illo Abdulrahim <abdulrahim.illo@nokia.com>
 Ilya Dmitrichenko <errordeveloper@gmail.com>
 Ilya Gusev <mail@igusev.ru>
 Ilya Khlopotov <ilya.khlopotov@gmail.com>
+imalasong <2879499479@qq.com>
 imre Fitos <imre.fitos+github@gmail.com>
 inglesp <peter.inglesby@gmail.com>
 Ingo Gottwald <in.gottwald@gmail.com>
@ -930,6 +939,7 @@ J Bruni <joaohbruni@yahoo.com.br>
 J. Nunn <jbnunn@gmail.com>
 Jack Danger Canty <jackdanger@squareup.com>
 Jack Laxson <jackjrabbit@gmail.com>
+Jack Walker <90711509+j2walker@users.noreply.github.com>
 Jacob Atzen <jacob@jacobatzen.dk>
 Jacob Edelman <edelman.jd@gmail.com>
 Jacob Tomlinson <jacob@tom.linson.uk>
@ -989,6 +999,7 @@ Jason Shepherd <jason@jasonshepherd.net>
 Jason Smith <jasonrichardsmith@gmail.com>
 Jason Sommer <jsdirv@gmail.com>
 Jason Stangroome <jason@codeassassin.com>
+Jasper Siepkes <siepkes@serviceplanet.nl>
 Javier Bassi <javierbassi@gmail.com>
 jaxgeller <jacksongeller@gmail.com>
 Jay <teguhwpurwanto@gmail.com>
@ -1100,6 +1111,7 @@ Jon Johnson <jonjohnson@google.com>
 Jon Surrell <jon.surrell@gmail.com>
 Jon Wedaman <jweede@gmail.com>
 Jonas Dohse <jonas@dohse.ch>
+Jonas Geiler <git@jonasgeiler.com>
 Jonas Heinrich <Jonas@JonasHeinrich.com>
 Jonas Pfenniger <jonas@pfenniger.name>
 Jonathan A. Schweder <jonathanschweder@gmail.com>
@ -1267,6 +1279,7 @@ Lakshan Perera <lakshan@laktek.com>
 Lalatendu Mohanty <lmohanty@redhat.com>
 Lance Chen <cyen0312@gmail.com>
 Lance Kinley <lkinley@loyaltymethods.com>
+Lars Andringa <l.s.andringa@rug.nl>
 Lars Butler <Lars.Butler@gmail.com>
 Lars Kellogg-Stedman <lars@redhat.com>
 Lars R. Damerow <lars@pixar.com>
@ -1673,6 +1686,7 @@ Patrick Böänziger <patrick.baenziger@bsi-software.com>
 Patrick Devine <patrick.devine@docker.com>
 Patrick Haas <patrickhaas@google.com>
 Patrick Hemmer <patrick.hemmer@gmail.com>
+Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Patrik Cyvoct <patrik@ptrk.io>
 pattichen <craftsbear@gmail.com>
@ -1878,6 +1892,7 @@ Royce Remer <royceremer@gmail.com>
 Rozhnov Alexandr <nox73@ya.ru>
 Rudolph Gottesheim <r.gottesheim@loot.at>
 Rui Cao <ruicao@alauda.io>
+Rui JingAn <quiterace@gmail.com>
 Rui Lopes <rgl@ruilopes.com>
 Ruilin Li <liruilin4@huawei.com>
 Runshen Zhu <runshen.zhu@gmail.com>
@ -2184,6 +2199,7 @@ Tomek Mańko <tomek.manko@railgun-solutions.com>
 Tommaso Visconti <tommaso.visconti@gmail.com>
 Tomoya Tabuchi <t@tomoyat1.com>
 Tomáš Hrčka <thrcka@redhat.com>
+Tomáš Virtus <nechtom@gmail.com>
 tonic <tonicbupt@gmail.com>
 Tonny Xu <tonny.xu@gmail.com>
 Tony Abboud <tdabboud@hotmail.com>
@ -2228,6 +2244,7 @@ Victor I. Wood <viw@t2am.com>
 Victor Lyuboslavsky <victor@victoreda.com>
 Victor Marmol <vmarmol@google.com>
 Victor Palma <palma.victor@gmail.com>
+Victor Toni <victor.toni@gmail.com>
 Victor Vieux <victor.vieux@docker.com>
 Victoria Bialas <victoria.bialas@docker.com>
 Vijaya Kumar K <vijayak@caviumnetworks.com>
@ -2279,6 +2296,7 @@ Wassim Dhif <wassimdhif@gmail.com>
 Wataru Ishida <ishida.wataru@lab.ntt.co.jp>
 Wayne Chang <wayne@neverfear.org>
 Wayne Song <wsong@docker.com>
+weebney <weebney@gmail.com>
 Weerasak Chongnguluam <singpor@gmail.com>
 Wei Fu <fuweid89@gmail.com>
 Wei Wu <wuwei4455@gmail.com>
--- a/vendor/github.com/docker/docker/api/common.go
+++ b/vendor/github.com/docker/docker/api/common.go
@ -3,7 +3,7 @@ package api // import "github.com/docker/docker/api"
 // Common constants for daemon and client.
 const (
 	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.45"
+	DefaultVersion = "1.46"

 	// MinSupportedAPIVersion is the minimum API version that can be supported
 	// by the API server, specified as "major.minor". Note that the daemon
--- a/vendor/github.com/docker/docker/api/swagger.yaml
+++ b/vendor/github.com/docker/docker/api/swagger.yaml
--- a/vendor/github.com/docker/docker/api/types/client.go
+++ b/vendor/github.com/docker/docker/api/types/client.go
@ -2,43 +2,15 @@ package types // import "github.com/docker/docker/api/types"

 import (
 	"bufio"
+	"context"
 	"io"
 	"net"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
-	units "github.com/docker/go-units"
 )

-// ContainerExecInspect holds information returned by exec inspect.
-type ContainerExecInspect struct {
-	ExecID      string `json:"ID"`
-	ContainerID string
-	Running     bool
-	ExitCode    int
-	Pid         int
-}
-
-// CopyToContainerOptions holds information
-// about files to copy into a container
-type CopyToContainerOptions struct {
-	AllowOverwriteDirWithFile bool
-	CopyUIDGID                bool
-}
-
-// EventsOptions holds parameters to filter events with.
-type EventsOptions struct {
-	Since   string
-	Until   string
-	Filters filters.Args
-}
-
-// NetworkListOptions holds parameters to filter the list of networks with.
-type NetworkListOptions struct {
-	Filters filters.Args
-}
-
 // NewHijackedResponse intializes a HijackedResponse type
 func NewHijackedResponse(conn net.Conn, mediaType string) HijackedResponse {
 	return HijackedResponse{Conn: conn, Reader: bufio.NewReader(conn), mediaType: mediaType}
@ -101,7 +73,7 @@ type ImageBuildOptions struct {
 	NetworkMode    string
 	ShmSize        int64
 	Dockerfile     string
-	Ulimits        []*units.Ulimit
+	Ulimits        []*container.Ulimit
 	// BuildArgs needs to be a *string instead of just a string so that
 	// we can tell the difference between "" (empty string) and no value
 	// at all (nil). See the parsing of buildArgs in
@ -122,7 +94,7 @@ type ImageBuildOptions struct {
 	Target      string
 	SessionID   string
 	Platform    string
-	// Version specifies the version of the unerlying builder to use
+	// Version specifies the version of the underlying builder to use
 	Version BuilderVersion
 	// BuildID is an optional identifier that can be passed together with the
 	// build request. The same identifier can be used to gracefully cancel the
@ -157,34 +129,13 @@ type ImageBuildResponse struct {
 	OSType string
 }

-// ImageImportSource holds source information for ImageImport
-type ImageImportSource struct {
-	Source     io.Reader // Source is the data to send to the server to create this image from. You must set SourceName to "-" to leverage this.
-	SourceName string    // SourceName is the name of the image to pull. Set to "-" to leverage the Source attribute.
-}
-
-// ImageLoadResponse returns information to the client about a load process.
-type ImageLoadResponse struct {
-	// Body must be closed to avoid a resource leak
-	Body io.ReadCloser
-	JSON bool
-}
-
 // RequestPrivilegeFunc is a function interface that
 // clients can supply to retry operations after
 // getting an authorization error.
 // This function returns the registry authentication
 // header value in base 64 format, or an error
 // if the privilege request fails.
-type RequestPrivilegeFunc func() (string, error)
-
-// ImageSearchOptions holds parameters to search images with.
-type ImageSearchOptions struct {
-	RegistryAuth  string
-	PrivilegeFunc RequestPrivilegeFunc
-	Filters       filters.Args
-	Limit         int
-}
+type RequestPrivilegeFunc func(context.Context) (string, error)

 // NodeListOptions holds parameters to list nodes with.
 type NodeListOptions struct {
@ -289,7 +240,7 @@ type PluginInstallOptions struct {
 	RegistryAuth          string // RegistryAuth is the base64 encoded credentials for the registry
 	RemoteRef             string // RemoteRef is the plugin name on the registry
 	PrivilegeFunc         RequestPrivilegeFunc
-	AcceptPermissionsFunc func(PluginPrivileges) (bool, error)
+	AcceptPermissionsFunc func(context.Context, PluginPrivileges) (bool, error)
 	Args                  []string
 }

--- a/vendor/github.com/docker/docker/api/types/configs.go
+++ b/vendor/github.com/docker/docker/api/types/configs.go
@ -1,18 +0,0 @@
-package types // import "github.com/docker/docker/api/types"
-
-// ExecConfig is a small subset of the Config struct that holds the configuration
-// for the exec feature of docker.
-type ExecConfig struct {
-	User         string   // User that will run the command
-	Privileged   bool     // Is the container in privileged mode
-	Tty          bool     // Attach standard streams to a tty.
-	ConsoleSize  *[2]uint `json:",omitempty"` // Initial console size [height, width]
-	AttachStdin  bool     // Attach the standard input, makes possible user interaction
-	AttachStderr bool     // Attach the standard error
-	AttachStdout bool     // Attach the standard output
-	Detach       bool     // Execute in detach mode
-	DetachKeys   string   // Escape keys for detach
-	Env          []string // Environment variables
-	WorkingDir   string   // Working directory
-	Cmd          []string // Execution commands and args
-}
--- a/vendor/github.com/docker/docker/api/types/container/config.go
+++ b/vendor/github.com/docker/docker/api/types/container/config.go
@ -1,7 +1,6 @@
 package container // import "github.com/docker/docker/api/types/container"

 import (
-	"io"
 	"time"

 	"github.com/docker/docker/api/types/strslice"
@ -36,14 +35,6 @@ type StopOptions struct {
 // HealthConfig holds configuration settings for the HEALTHCHECK feature.
 type HealthConfig = dockerspec.HealthcheckConfig

-// ExecStartOptions holds the options to start container's exec.
-type ExecStartOptions struct {
-	Stdin       io.Reader
-	Stdout      io.Writer
-	Stderr      io.Writer
-	ConsoleSize *[2]uint `json:",omitempty"`
-}
-
 // Config contains the configuration data about a container.
 // It should hold only portable information about the container.
 // Here, "portable" means "independent from the host we are running on".
--- a/vendor/github.com/docker/docker/api/types/container/container.go
+++ b/vendor/github.com/docker/docker/api/types/container/container.go
@ -0,0 +1,44 @@
+package container
+
+import (
+	"io"
+	"os"
+	"time"
+)
+
+// PruneReport contains the response for Engine API:
+// POST "/containers/prune"
+type PruneReport struct {
+	ContainersDeleted []string
+	SpaceReclaimed    uint64
+}
+
+// PathStat is used to encode the header from
+// GET "/containers/{name:.*}/archive"
+// "Name" is the file or directory name.
+type PathStat struct {
+	Name       string      `json:"name"`
+	Size       int64       `json:"size"`
+	Mode       os.FileMode `json:"mode"`
+	Mtime      time.Time   `json:"mtime"`
+	LinkTarget string      `json:"linkTarget"`
+}
+
+// CopyToContainerOptions holds information
+// about files to copy into a container
+type CopyToContainerOptions struct {
+	AllowOverwriteDirWithFile bool
+	CopyUIDGID                bool
+}
+
+// StatsResponseReader wraps an io.ReadCloser to read (a stream of) stats
+// for a container, as produced by the GET "/stats" endpoint.
+//
+// The OSType field is set to the server's platform to allow
+// platform-specific handling of the response.
+//
+// TODO(thaJeztah): remove this wrapper, and make OSType part of [StatsResponse].
+type StatsResponseReader struct {
+	Body   io.ReadCloser `json:"body"`
+	OSType string        `json:"ostype"`
+}
--- a/vendor/github.com/docker/docker/api/types/container/create_request.go
+++ b/vendor/github.com/docker/docker/api/types/container/create_request.go
@ -0,0 +1,13 @@
+package container
+
+import "github.com/docker/docker/api/types/network"
+
+// CreateRequest is the request message sent to the server for container
+// create calls. It is a config wrapper that holds the container [Config]
+// (portable) and the corresponding [HostConfig] (non-portable) and
+// [network.NetworkingConfig].
+type CreateRequest struct {
+	*Config
+	HostConfig       *HostConfig               `json:"HostConfig,omitempty"`
+	NetworkingConfig *network.NetworkingConfig `json:"NetworkingConfig,omitempty"`
+}
--- a/vendor/github.com/docker/docker/api/types/container/exec.go
+++ b/vendor/github.com/docker/docker/api/types/container/exec.go
@ -0,0 +1,43 @@
+package container
+
+// ExecOptions is a small subset of the Config struct that holds the configuration
+// for the exec feature of docker.
+type ExecOptions struct {
+	User         string   // User that will run the command
+	Privileged   bool     // Is the container in privileged mode
+	Tty          bool     // Attach standard streams to a tty.
+	ConsoleSize  *[2]uint `json:",omitempty"` // Initial console size [height, width]
+	AttachStdin  bool     // Attach the standard input, makes possible user interaction
+	AttachStderr bool     // Attach the standard error
+	AttachStdout bool     // Attach the standard output
+	Detach       bool     // Execute in detach mode
+	DetachKeys   string   // Escape keys for detach
+	Env          []string // Environment variables
+	WorkingDir   string   // Working directory
+	Cmd          []string // Execution commands and args
+}
+
+// ExecStartOptions is a temp struct used by execStart
+// Config fields is part of ExecConfig in runconfig package
+type ExecStartOptions struct {
+	// ExecStart will first check if it's detached
+	Detach bool
+	// Check if there's a tty
+	Tty bool
+	// Terminal size [height, width], unused if Tty == false
+	ConsoleSize *[2]uint `json:",omitempty"`
+}
+
+// ExecAttachOptions is a temp struct used by execAttach.
+//
+// TODO(thaJeztah): make this a separate type; ContainerExecAttach does not use the Detach option, and cannot run detached.
+type ExecAttachOptions = ExecStartOptions
+
+// ExecInspect holds information returned by exec inspect.
+type ExecInspect struct {
+	ExecID      string `json:"ID"`
+	ContainerID string
+	Running     bool
+	ExitCode    int
+	Pid         int
+}
--- a/vendor/github.com/docker/docker/api/types/container/hostconfig.go
+++ b/vendor/github.com/docker/docker/api/types/container/hostconfig.go
@ -360,6 +360,12 @@ type LogConfig struct {
 	Config map[string]string
 }

+// Ulimit is an alias for [units.Ulimit], which may be moving to a different
+// location or become a local type. This alias is to help transitioning.
+//
+// Users are recommended to use this alias instead of using [units.Ulimit] directly.
+type Ulimit = units.Ulimit
+
 // Resources contains container's resources (cgroups config, ulimits...)
 type Resources struct {
 	// Applicable to all platforms
@ -387,14 +393,14 @@ type Resources struct {

 	// KernelMemory specifies the kernel memory limit (in bytes) for the container.
 	// Deprecated: kernel 5.4 deprecated kmem.limit_in_bytes.
-	KernelMemory      int64           `json:",omitempty"`
-	KernelMemoryTCP   int64           `json:",omitempty"` // Hard limit for kernel TCP buffer memory (in bytes)
-	MemoryReservation int64           // Memory soft limit (in bytes)
-	MemorySwap        int64           // Total memory usage (memory + swap); set `-1` to enable unlimited swap
-	MemorySwappiness  *int64          // Tuning container memory swappiness behaviour
-	OomKillDisable    *bool           // Whether to disable OOM Killer or not
-	PidsLimit         *int64          // Setting PIDs limit for a container; Set `0` or `-1` for unlimited, or `null` to not change.
-	Ulimits           []*units.Ulimit // List of ulimits to be set in the container
+	KernelMemory      int64     `json:",omitempty"`
+	KernelMemoryTCP   int64     `json:",omitempty"` // Hard limit for kernel TCP buffer memory (in bytes)
+	MemoryReservation int64     // Memory soft limit (in bytes)
+	MemorySwap        int64     // Total memory usage (memory + swap); set `-1` to enable unlimited swap
+	MemorySwappiness  *int64    // Tuning container memory swappiness behaviour
+	OomKillDisable    *bool     // Whether to disable OOM Killer or not
+	PidsLimit         *int64    // Setting PIDs limit for a container; Set `0` or `-1` for unlimited, or `null` to not change.
+	Ulimits           []*Ulimit // List of ulimits to be set in the container

 	// Applicable to Windows
 	CPUCount           int64  `json:"CpuCount"`   // CPU count
--- a/vendor/github.com/docker/docker/api/types/container/hostconfig_unix.go
+++ b/vendor/github.com/docker/docker/api/types/container/hostconfig_unix.go
@ -9,24 +9,6 @@ func (i Isolation) IsValid() bool {
 	return i.IsDefault()
 }

-// NetworkName returns the name of the network stack.
-func (n NetworkMode) NetworkName() string {
-	if n.IsBridge() {
-		return network.NetworkBridge
-	} else if n.IsHost() {
-		return network.NetworkHost
-	} else if n.IsContainer() {
-		return "container"
-	} else if n.IsNone() {
-		return network.NetworkNone
-	} else if n.IsDefault() {
-		return network.NetworkDefault
-	} else if n.IsUserDefined() {
-		return n.UserDefined()
-	}
-	return ""
-}
-
 // IsBridge indicates whether container uses the bridge network stack
 func (n NetworkMode) IsBridge() bool {
 	return n == network.NetworkBridge
@ -41,3 +23,23 @@ func (n NetworkMode) IsHost() bool {
 func (n NetworkMode) IsUserDefined() bool {
 	return !n.IsDefault() && !n.IsBridge() && !n.IsHost() && !n.IsNone() && !n.IsContainer()
 }
+
+// NetworkName returns the name of the network stack.
+func (n NetworkMode) NetworkName() string {
+	switch {
+	case n.IsDefault():
+		return network.NetworkDefault
+	case n.IsBridge():
+		return network.NetworkBridge
+	case n.IsHost():
+		return network.NetworkHost
+	case n.IsNone():
+		return network.NetworkNone
+	case n.IsContainer():
+		return "container"
+	case n.IsUserDefined():
+		return n.UserDefined()
+	default:
+		return ""
+	}
+}
--- a/vendor/github.com/docker/docker/api/types/container/hostconfig_windows.go
+++ b/vendor/github.com/docker/docker/api/types/container/hostconfig_windows.go
@ -2,6 +2,11 @@ package container // import "github.com/docker/docker/api/types/container"

 import "github.com/docker/docker/api/types/network"

+// IsValid indicates if an isolation technology is valid
+func (i Isolation) IsValid() bool {
+	return i.IsDefault() || i.IsHyperV() || i.IsProcess()
+}
+
 // IsBridge indicates whether container uses the bridge network stack
 // in windows it is given the name NAT
 func (n NetworkMode) IsBridge() bool {
@ -19,24 +24,24 @@ func (n NetworkMode) IsUserDefined() bool {
 	return !n.IsDefault() && !n.IsNone() && !n.IsBridge() && !n.IsContainer()
 }

-// IsValid indicates if an isolation technology is valid
-func (i Isolation) IsValid() bool {
-	return i.IsDefault() || i.IsHyperV() || i.IsProcess()
-}
-
 // NetworkName returns the name of the network stack.
 func (n NetworkMode) NetworkName() string {
-	if n.IsDefault() {
+	switch {
+	case n.IsDefault():
 		return network.NetworkDefault
-	} else if n.IsBridge() {
+	case n.IsBridge():
 		return network.NetworkNat
-	} else if n.IsNone() {
+	case n.IsHost():
+		// Windows currently doesn't support host network-mode, so
+		// this would currently never happen..
+		return network.NetworkHost
+	case n.IsNone():
 		return network.NetworkNone
-	} else if n.IsContainer() {
+	case n.IsContainer():
 		return "container"
-	} else if n.IsUserDefined() {
+	case n.IsUserDefined():
 		return n.UserDefined()
+	default:
+		return ""
 	}
-
-	return ""
 }
--- a/vendor/github.com/docker/docker/api/types/container/stats.go
+++ b/vendor/github.com/docker/docker/api/types/container/stats.go
@ -1,6 +1,4 @@
-// Package types is used for API stability in the types and response to the
-// consumers of the API stats endpoint.
-package types // import "github.com/docker/docker/api/types"
+package container

 import "time"

@ -169,8 +167,10 @@ type Stats struct {
 	MemoryStats MemoryStats `json:"memory_stats,omitempty"`
 }

-// StatsJSON is newly used Networks
-type StatsJSON struct {
+// StatsResponse is newly used Networks.
+//
+// TODO(thaJeztah): unify with [Stats]. This wrapper was to account for pre-api v1.21 changes, see https://github.com/moby/moby/commit/d3379946ec96fb6163cb8c4517d7d5a067045801
+type StatsResponse struct {
 	Stats

 	Name string `json:"name,omitempty"`
--- a/vendor/github.com/docker/docker/api/types/events/events.go
+++ b/vendor/github.com/docker/docker/api/types/events/events.go
@ -1,4 +1,5 @@
 package events // import "github.com/docker/docker/api/types/events"
+import "github.com/docker/docker/api/types/filters"

 // Type is used for event-types.
 type Type string
@ -125,3 +126,10 @@ type Message struct {
 	Time     int64 `json:"time,omitempty"`
 	TimeNano int64 `json:"timeNano,omitempty"`
 }
+
+// ListOptions holds parameters to filter events with.
+type ListOptions struct {
+	Since   string
+	Until   string
+	Filters filters.Args
+}
--- a/vendor/github.com/docker/docker/api/types/image/image.go
+++ b/vendor/github.com/docker/docker/api/types/image/image.go
@ -1,9 +1,47 @@
 package image

-import "time"
+import (
+	"io"
+	"time"
+)

 // Metadata contains engine-local data about the image.
 type Metadata struct {
 	// LastTagTime is the date and time at which the image was last tagged.
 	LastTagTime time.Time `json:",omitempty"`
 }
+
+// PruneReport contains the response for Engine API:
+// POST "/images/prune"
+type PruneReport struct {
+	ImagesDeleted  []DeleteResponse
+	SpaceReclaimed uint64
+}
+
+// LoadResponse returns information to the client about a load process.
+//
+// TODO(thaJeztah): remove this type, and just use an io.ReadCloser
+//
+// This type was added in https://github.com/moby/moby/pull/18878, related
+// to https://github.com/moby/moby/issues/19177;
+//
+// Make docker load to output json when the response content type is json
+// Swarm hijacks the response from docker load and returns JSON rather
+// than plain text like the Engine does. This makes the API library to return
+// information to figure that out.
+//
+// However the "load" endpoint unconditionally returns JSON;
+// https://github.com/moby/moby/blob/7b9d2ef6e5518a3d3f3cc418459f8df786cfbbd1/api/server/router/image/image_routes.go#L248-L255
+//
+// PR https://github.com/moby/moby/pull/21959 made the response-type depend
+// on whether "quiet" was set, but this logic got changed in a follow-up
+// https://github.com/moby/moby/pull/25557, which made the JSON response-type
+// unconditionally, but the output produced depend on whether"quiet" was set.
+//
+// We should deprecated the "quiet" option, as it's really a client
+// responsibility.
+type LoadResponse struct {
+	// Body must be closed to avoid a resource leak
+	Body io.ReadCloser
+	JSON bool
+}
--- a/vendor/github.com/docker/docker/api/types/image/opts.go
+++ b/vendor/github.com/docker/docker/api/types/image/opts.go
@ -1,6 +1,18 @@
 package image

-import "github.com/docker/docker/api/types/filters"
+import (
+	"context"
+	"io"
+
+	"github.com/docker/docker/api/types/filters"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// ImportSource holds source information for ImageImport
+type ImportSource struct {
+	Source     io.Reader // Source is the data to send to the server to create this image from. You must set SourceName to "-" to leverage this.
+	SourceName string    // SourceName is the name of the image to pull. Set to "-" to leverage the Source attribute.
+}

 // ImportOptions holds information to import images from the client host.
 type ImportOptions struct {
@ -27,12 +39,28 @@ type PullOptions struct {
 	// privilege request fails.
 	//
 	// Also see [github.com/docker/docker/api/types.RequestPrivilegeFunc].
-	PrivilegeFunc func() (string, error)
+	PrivilegeFunc func(context.Context) (string, error)
 	Platform      string
 }

 // PushOptions holds information to push images.
-type PushOptions PullOptions
+type PushOptions struct {
+	All          bool
+	RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry
+
+	// PrivilegeFunc is a function that clients can supply to retry operations
+	// after getting an authorization error. This function returns the registry
+	// authentication header value in base64 encoded format, or an error if the
+	// privilege request fails.
+	//
+	// Also see [github.com/docker/docker/api/types.RequestPrivilegeFunc].
+	PrivilegeFunc func(context.Context) (string, error)
+
+	// Platform is an optional field that selects a specific platform to push
+	// when the image is a multi-platform image.
+	// Using this will only push a single platform-specific manifest.
+	Platform *ocispec.Platform `json:",omitempty"`
+}

 // ListOptions holds parameters to list images with.
 type ListOptions struct {
--- a/vendor/github.com/docker/docker/api/types/mount/mount.go
+++ b/vendor/github.com/docker/docker/api/types/mount/mount.go
@ -119,7 +119,11 @@ type TmpfsOptions struct {
 	SizeBytes int64 `json:",omitempty"`
 	// Mode of the tmpfs upon creation
 	Mode os.FileMode `json:",omitempty"`
-
+	// Options to be passed to the tmpfs mount. An array of arrays. Flag
+	// options should be provided as 1-length arrays. Other types should be
+	// provided as 2-length arrays, where the first item is the key and the
+	// second the value.
+	Options [][]string `json:",omitempty"`
 	// TODO(stevvooe): There are several more tmpfs flags, specified in the
 	// daemon, that are accepted. Only the most basic are added for now.
 	//
--- a/vendor/github.com/docker/docker/api/types/network/create_response.go
+++ b/vendor/github.com/docker/docker/api/types/network/create_response.go
@ -0,0 +1,19 @@
+package network
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// CreateResponse NetworkCreateResponse
+//
+// OK response to NetworkCreate operation
+// swagger:model CreateResponse
+type CreateResponse struct {
+
+	// The ID of the created network.
+	// Required: true
+	ID string `json:"Id"`
+
+	// Warnings encountered when creating the container
+	// Required: true
+	Warning string `json:"Warning"`
+}
--- a/vendor/github.com/docker/docker/api/types/network/endpoint.go
+++ b/vendor/github.com/docker/docker/api/types/network/endpoint.go
@ -18,6 +18,7 @@ type EndpointSettings struct {
 	// Once the container is running, it becomes operational data (it may contain a
 	// generated address).
 	MacAddress string
+	DriverOpts map[string]string
 	// Operational data
 	NetworkID           string
 	EndpointID          string
@ -27,7 +28,6 @@ type EndpointSettings struct {
 	IPv6Gateway         string
 	GlobalIPv6Address   string
 	GlobalIPv6PrefixLen int
-	DriverOpts          map[string]string
 	// DNSNames holds all the (non fully qualified) DNS names associated to this endpoint. First entry is used to
 	// generate PTR records.
 	DNSNames []string
--- a/vendor/github.com/docker/docker/api/types/network/network.go
+++ b/vendor/github.com/docker/docker/api/types/network/network.go
@ -1,6 +1,8 @@
 package network // import "github.com/docker/docker/api/types/network"

 import (
+	"time"
+
 	"github.com/docker/docker/api/types/filters"
 )

@ -17,6 +19,82 @@ const (
 	NetworkNat = "nat"
 )

+// CreateRequest is the request message sent to the server for network create call.
+type CreateRequest struct {
+	CreateOptions
+	Name string // Name is the requested name of the network.
+
+	// Deprecated: CheckDuplicate is deprecated since API v1.44, but it defaults to true when sent by the client
+	// package to older daemons.
+	CheckDuplicate *bool `json:",omitempty"`
+}
+
+// CreateOptions holds options to create a network.
+type CreateOptions struct {
+	Driver     string            // Driver is the driver-name used to create the network (e.g. `bridge`, `overlay`)
+	Scope      string            // Scope describes the level at which the network exists (e.g. `swarm` for cluster-wide or `local` for machine level).
+	EnableIPv6 *bool             `json:",omitempty"` // EnableIPv6 represents whether to enable IPv6.
+	IPAM       *IPAM             // IPAM is the network's IP Address Management.
+	Internal   bool              // Internal represents if the network is used internal only.
+	Attachable bool              // Attachable represents if the global scope is manually attachable by regular containers from workers in swarm mode.
+	Ingress    bool              // Ingress indicates the network is providing the routing-mesh for the swarm cluster.
+	ConfigOnly bool              // ConfigOnly creates a config-only network. Config-only networks are place-holder networks for network configurations to be used by other networks. ConfigOnly networks cannot be used directly to run containers or services.
+	ConfigFrom *ConfigReference  // ConfigFrom specifies the source which will provide the configuration for this network. The specified network must be a config-only network; see [CreateOptions.ConfigOnly].
+	Options    map[string]string // Options specifies the network-specific options to use for when creating the network.
+	Labels     map[string]string // Labels holds metadata specific to the network being created.
+}
+
+// ListOptions holds parameters to filter the list of networks with.
+type ListOptions struct {
+	Filters filters.Args
+}
+
+// InspectOptions holds parameters to inspect network.
+type InspectOptions struct {
+	Scope   string
+	Verbose bool
+}
+
+// ConnectOptions represents the data to be used to connect a container to the
+// network.
+type ConnectOptions struct {
+	Container      string
+	EndpointConfig *EndpointSettings `json:",omitempty"`
+}
+
+// DisconnectOptions represents the data to be used to disconnect a container
+// from the network.
+type DisconnectOptions struct {
+	Container string
+	Force     bool
+}
+
+// Inspect is the body of the "get network" http response message.
+type Inspect struct {
+	Name       string                      // Name is the name of the network
+	ID         string                      `json:"Id"` // ID uniquely identifies a network on a single machine
+	Created    time.Time                   // Created is the time the network created
+	Scope      string                      // Scope describes the level at which the network exists (e.g. `swarm` for cluster-wide or `local` for machine level)
+	Driver     string                      // Driver is the Driver name used to create the network (e.g. `bridge`, `overlay`)
+	EnableIPv6 bool                        // EnableIPv6 represents whether to enable IPv6
+	IPAM       IPAM                        // IPAM is the network's IP Address Management
+	Internal   bool                        // Internal represents if the network is used internal only
+	Attachable bool                        // Attachable represents if the global scope is manually attachable by regular containers from workers in swarm mode.
+	Ingress    bool                        // Ingress indicates the network is providing the routing-mesh for the swarm cluster.
+	ConfigFrom ConfigReference             // ConfigFrom specifies the source which will provide the configuration for this network.
+	ConfigOnly bool                        // ConfigOnly networks are place-holder networks for network configurations to be used by other networks. ConfigOnly networks cannot be used directly to run containers or services.
+	Containers map[string]EndpointResource // Containers contains endpoints belonging to the network
+	Options    map[string]string           // Options holds the network specific options to use for when creating the network
+	Labels     map[string]string           // Labels holds metadata specific to the network being created
+	Peers      []PeerInfo                  `json:",omitempty"` // List of peer nodes for an overlay network
+	Services   map[string]ServiceInfo      `json:",omitempty"`
+}
+
+// Summary is used as response when listing networks. It currently is an alias
+// for [Inspect], but may diverge in the future, as not all information may
+// be included when listing networks.
+type Summary = Inspect
+
 // Address represents an IP address
 type Address struct {
 	Addr      string
@ -45,6 +123,16 @@ type ServiceInfo struct {
 	Tasks        []Task
 }

+// EndpointResource contains network resources allocated and used for a
+// container in a network.
+type EndpointResource struct {
+	Name        string
+	EndpointID  string
+	MacAddress  string
+	IPv4Address string
+	IPv6Address string
+}
+
 // NetworkingConfig represents the container's networking configuration for each of its interfaces
 // Carries the networking configs specified in the `docker run` and `docker network connect` commands
 type NetworkingConfig struct {
@ -70,3 +158,9 @@ var acceptedFilters = map[string]bool{
 func ValidateFilters(filter filters.Args) error {
 	return filter.Validate(acceptedFilters)
 }
+
+// PruneReport contains the response for Engine API:
+// POST "/networks/prune"
+type PruneReport struct {
+	NetworksDeleted []string
+}
--- a/vendor/github.com/docker/docker/api/types/registry/registry.go
+++ b/vendor/github.com/docker/docker/api/types/registry/registry.go
@ -84,32 +84,6 @@ type IndexInfo struct {
 	Official bool
 }

-// SearchResult describes a search result returned from a registry
-type SearchResult struct {
-	// StarCount indicates the number of stars this repository has
-	StarCount int `json:"star_count"`
-	// IsOfficial is true if the result is from an official repository.
-	IsOfficial bool `json:"is_official"`
-	// Name is the name of the repository
-	Name string `json:"name"`
-	// IsAutomated indicates whether the result is automated.
-	//
-	// Deprecated: the "is_automated" field is deprecated and will always be "false".
-	IsAutomated bool `json:"is_automated"`
-	// Description is a textual description of the repository
-	Description string `json:"description"`
-}
-
-// SearchResults lists a collection search results returned from a registry
-type SearchResults struct {
-	// Query contains the query string that generated the search results
-	Query string `json:"query"`
-	// NumResults indicates the number of results the query returned
-	NumResults int `json:"num_results"`
-	// Results is a slice containing the actual results for the search
-	Results []SearchResult `json:"results"`
-}
-
 // DistributionInspect describes the result obtained from contacting the
 // registry to retrieve image metadata
 type DistributionInspect struct {
--- a/vendor/github.com/docker/docker/api/types/registry/search.go
+++ b/vendor/github.com/docker/docker/api/types/registry/search.go
@ -0,0 +1,47 @@
+package registry
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types/filters"
+)
+
+// SearchOptions holds parameters to search images with.
+type SearchOptions struct {
+	RegistryAuth string
+
+	// PrivilegeFunc is a [types.RequestPrivilegeFunc] the client can
+	// supply to retry operations after getting an authorization error.
+	//
+	// It must return the registry authentication header value in base64
+	// format, or an error if the privilege request fails.
+	PrivilegeFunc func(context.Context) (string, error)
+	Filters       filters.Args
+	Limit         int
+}
+
+// SearchResult describes a search result returned from a registry
+type SearchResult struct {
+	// StarCount indicates the number of stars this repository has
+	StarCount int `json:"star_count"`
+	// IsOfficial is true if the result is from an official repository.
+	IsOfficial bool `json:"is_official"`
+	// Name is the name of the repository
+	Name string `json:"name"`
+	// IsAutomated indicates whether the result is automated.
+	//
+	// Deprecated: the "is_automated" field is deprecated and will always be "false".
+	IsAutomated bool `json:"is_automated"`
+	// Description is a textual description of the repository
+	Description string `json:"description"`
+}
+
+// SearchResults lists a collection search results returned from a registry
+type SearchResults struct {
+	// Query contains the query string that generated the search results
+	Query string `json:"query"`
+	// NumResults indicates the number of results the query returned
+	NumResults int `json:"num_results"`
+	// Results is a slice containing the actual results for the search
+	Results []SearchResult `json:"results"`
+}
--- a/vendor/github.com/docker/docker/api/types/swarm/container.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/container.go
@ -5,7 +5,6 @@ import (

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/mount"
-	"github.com/docker/go-units"
 )

 // DNSConfig specifies DNS related configurations in resolver configuration file (resolv.conf)
@ -115,5 +114,6 @@ type ContainerSpec struct {
 	Sysctls        map[string]string   `json:",omitempty"`
 	CapabilityAdd  []string            `json:",omitempty"`
 	CapabilityDrop []string            `json:",omitempty"`
-	Ulimits        []*units.Ulimit     `json:",omitempty"`
+	Ulimits        []*container.Ulimit `json:",omitempty"`
+	OomScoreAdj    int64               `json:",omitempty"`
 }
--- a/vendor/github.com/docker/docker/api/types/system/info.go
+++ b/vendor/github.com/docker/docker/api/types/system/info.go
@ -75,8 +75,7 @@ type Info struct {
 	DefaultAddressPools []NetworkAddressPool `json:",omitempty"`
 	CDISpecDirs         []string

-	// Legacy API fields for older API versions.
-	legacyFields
+	Containerd *ContainerdInfo `json:",omitempty"`

 	// Warnings contains a slice of warnings that occurred  while collecting
 	// system information. These warnings are intended to be informational
@ -85,8 +84,41 @@ type Info struct {
 	Warnings []string
 }

-type legacyFields struct {
-	ExecutionDriver string `json:",omitempty"` // Deprecated: deprecated since API v1.25, but returned for older versions.
+// ContainerdInfo holds information about the containerd instance used by the daemon.
+type ContainerdInfo struct {
+	// Address is the path to the containerd socket.
+	Address string `json:",omitempty"`
+	// Namespaces is the containerd namespaces used by the daemon.
+	Namespaces ContainerdNamespaces
+}
+
+// ContainerdNamespaces reflects the containerd namespaces used by the daemon.
+//
+// These namespaces can be configured in the daemon configuration, and are
+// considered to be used exclusively by the daemon,
+//
+// As these namespaces are considered to be exclusively accessed
+// by the daemon, it is not recommended to change these values,
+// or to change them to a value that is used by other systems,
+// such as cri-containerd.
+type ContainerdNamespaces struct {
+	// Containers holds the default containerd namespace used for
+	// containers managed by the daemon.
+	//
+	// The default namespace for containers is "moby", but will be
+	// suffixed with the `<uid>.<gid>` of the remapped `root` if
+	// user-namespaces are enabled and the containerd image-store
+	// is used.
+	Containers string
+
+	// Plugins holds the default containerd namespace used for
+	// plugins managed by the daemon.
+	//
+	// The default namespace for plugins is "moby", but will be
+	// suffixed with the `<uid>.<gid>` of the remapped `root` if
+	// user-namespaces are enabled and the containerd image-store
+	// is used.
+	Plugins string
 }

 // PluginsInfo is a temp struct holding Plugins name
--- a/vendor/github.com/docker/docker/api/types/types.go
+++ b/vendor/github.com/docker/docker/api/types/types.go
@ -1,8 +1,6 @@
 package types // import "github.com/docker/docker/api/types"

 import (
-	"io"
-	"os"
 	"time"

 	"github.com/docker/docker/api/types/container"
@ -155,36 +153,13 @@ type Container struct {
 	State      string
 	Status     string
 	HostConfig struct {
-		NetworkMode string `json:",omitempty"`
+		NetworkMode string            `json:",omitempty"`
+		Annotations map[string]string `json:",omitempty"`
 	}
 	NetworkSettings *SummaryNetworkSettings
 	Mounts          []MountPoint
 }

-// CopyConfig contains request body of Engine API:
-// POST "/containers/"+containerID+"/copy"
-type CopyConfig struct {
-	Resource string
-}
-
-// ContainerPathStat is used to encode the header from
-// GET "/containers/{name:.*}/archive"
-// "Name" is the file or directory name.
-type ContainerPathStat struct {
-	Name       string      `json:"name"`
-	Size       int64       `json:"size"`
-	Mode       os.FileMode `json:"mode"`
-	Mtime      time.Time   `json:"mtime"`
-	LinkTarget string      `json:"linkTarget"`
-}
-
-// ContainerStats contains response of Engine API:
-// GET "/stats"
-type ContainerStats struct {
-	Body   io.ReadCloser `json:"body"`
-	OSType string        `json:"ostype"`
-}
-
 // Ping contains response of Engine API:
 // GET "/_ping"
 type Ping struct {
@ -230,17 +205,6 @@ type Version struct {
 	BuildTime     string `json:",omitempty"`
 }

-// ExecStartCheck is a temp struct used by execStart
-// Config fields is part of ExecConfig in runconfig package
-type ExecStartCheck struct {
-	// ExecStart will first check if it's detached
-	Detach bool
-	// Check if there's a tty
-	Tty bool
-	// Terminal size [height, width], unused if Tty == false
-	ConsoleSize *[2]uint `json:",omitempty"`
-}
-
 // HealthcheckResult stores information about a single run of a healthcheck probe
 type HealthcheckResult struct {
 	Start    time.Time // Start is the time this check started
@ -281,18 +245,6 @@ type ContainerState struct {
 	Health     *Health `json:",omitempty"`
 }

-// ContainerNode stores information about the node that a container
-// is running on.  It's only used by the Docker Swarm standalone API
-type ContainerNode struct {
-	ID        string
-	IPAddress string `json:"IP"`
-	Addr      string
-	Name      string
-	Cpus      int
-	Memory    int64
-	Labels    map[string]string
-}
-
 // ContainerJSONBase contains response of Engine API:
 // GET "/containers/{name:.*}/json"
 type ContainerJSONBase struct {
@ -306,7 +258,7 @@ type ContainerJSONBase struct {
 	HostnamePath    string
 	HostsPath       string
 	LogPath         string
-	Node            *ContainerNode `json:",omitempty"` // Node is only propagated by Docker Swarm standalone API
+	Node            *ContainerNode `json:",omitempty"` // Deprecated: Node was only propagated by Docker Swarm standalone API. It sill be removed in the next release.
 	Name            string
 	RestartCount    int
 	Driver          string
@ -423,84 +375,6 @@ type MountPoint struct {
 	Propagation mount.Propagation
 }

-// NetworkResource is the body of the "get network" http response message
-type NetworkResource struct {
-	Name       string                         // Name is the requested name of the network
-	ID         string                         `json:"Id"` // ID uniquely identifies a network on a single machine
-	Created    time.Time                      // Created is the time the network created
-	Scope      string                         // Scope describes the level at which the network exists (e.g. `swarm` for cluster-wide or `local` for machine level)
-	Driver     string                         // Driver is the Driver name used to create the network (e.g. `bridge`, `overlay`)
-	EnableIPv6 bool                           // EnableIPv6 represents whether to enable IPv6
-	IPAM       network.IPAM                   // IPAM is the network's IP Address Management
-	Internal   bool                           // Internal represents if the network is used internal only
-	Attachable bool                           // Attachable represents if the global scope is manually attachable by regular containers from workers in swarm mode.
-	Ingress    bool                           // Ingress indicates the network is providing the routing-mesh for the swarm cluster.
-	ConfigFrom network.ConfigReference        // ConfigFrom specifies the source which will provide the configuration for this network.
-	ConfigOnly bool                           // ConfigOnly networks are place-holder networks for network configurations to be used by other networks. ConfigOnly networks cannot be used directly to run containers or services.
-	Containers map[string]EndpointResource    // Containers contains endpoints belonging to the network
-	Options    map[string]string              // Options holds the network specific options to use for when creating the network
-	Labels     map[string]string              // Labels holds metadata specific to the network being created
-	Peers      []network.PeerInfo             `json:",omitempty"` // List of peer nodes for an overlay network
-	Services   map[string]network.ServiceInfo `json:",omitempty"`
-}
-
-// EndpointResource contains network resources allocated and used for a container in a network
-type EndpointResource struct {
-	Name        string
-	EndpointID  string
-	MacAddress  string
-	IPv4Address string
-	IPv6Address string
-}
-
-// NetworkCreate is the expected body of the "create network" http request message
-type NetworkCreate struct {
-	// Deprecated: CheckDuplicate is deprecated since API v1.44, but it defaults to true when sent by the client
-	// package to older daemons.
-	CheckDuplicate bool `json:",omitempty"`
-	Driver         string
-	Scope          string
-	EnableIPv6     bool
-	IPAM           *network.IPAM
-	Internal       bool
-	Attachable     bool
-	Ingress        bool
-	ConfigOnly     bool
-	ConfigFrom     *network.ConfigReference
-	Options        map[string]string
-	Labels         map[string]string
-}
-
-// NetworkCreateRequest is the request message sent to the server for network create call.
-type NetworkCreateRequest struct {
-	NetworkCreate
-	Name string
-}
-
-// NetworkCreateResponse is the response message sent by the server for network create call
-type NetworkCreateResponse struct {
-	ID      string `json:"Id"`
-	Warning string
-}
-
-// NetworkConnect represents the data to be used to connect a container to the network
-type NetworkConnect struct {
-	Container      string
-	EndpointConfig *network.EndpointSettings `json:",omitempty"`
-}
-
-// NetworkDisconnect represents the data to be used to disconnect a container from the network
-type NetworkDisconnect struct {
-	Container string
-	Force     bool
-}
-
-// NetworkInspectOptions holds parameters to inspect network
-type NetworkInspectOptions struct {
-	Scope   string
-	Verbose bool
-}
-
 // DiskUsageObject represents an object type used for disk usage query filtering.
 type DiskUsageObject string

@ -533,27 +407,6 @@ type DiskUsage struct {
 	BuilderSize int64 `json:",omitempty"` // Deprecated: deprecated in API 1.38, and no longer used since API 1.40.
 }

-// ContainersPruneReport contains the response for Engine API:
-// POST "/containers/prune"
-type ContainersPruneReport struct {
-	ContainersDeleted []string
-	SpaceReclaimed    uint64
-}
-
-// VolumesPruneReport contains the response for Engine API:
-// POST "/volumes/prune"
-type VolumesPruneReport struct {
-	VolumesDeleted []string
-	SpaceReclaimed uint64
-}
-
-// ImagesPruneReport contains the response for Engine API:
-// POST "/images/prune"
-type ImagesPruneReport struct {
-	ImagesDeleted  []image.DeleteResponse
-	SpaceReclaimed uint64
-}
-
 // BuildCachePruneReport contains the response for Engine API:
 // POST "/build/prune"
 type BuildCachePruneReport struct {
@ -561,12 +414,6 @@ type BuildCachePruneReport struct {
 	SpaceReclaimed uint64
 }

-// NetworksPruneReport contains the response for Engine API:
-// POST "/networks/prune"
-type NetworksPruneReport struct {
-	NetworksDeleted []string
-}
-
 // SecretCreateResponse contains the information returned to a client
 // on the creation of a new secret.
 type SecretCreateResponse struct {
--- a/vendor/github.com/docker/docker/api/types/types_deprecated.go
+++ b/vendor/github.com/docker/docker/api/types/types_deprecated.go
@ -1,35 +1,210 @@
 package types

 import (
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/api/types/volume"
 )

-// ImageImportOptions holds information to import images from the client host.
+// ImagesPruneReport contains the response for Engine API:
+// POST "/images/prune"
 //
-// Deprecated: use [image.ImportOptions].
-type ImageImportOptions = image.ImportOptions
+// Deprecated: use [image.PruneReport].
+type ImagesPruneReport = image.PruneReport

-// ImageCreateOptions holds information to create images.
+// VolumesPruneReport contains the response for Engine API:
+// POST "/volumes/prune".
 //
-// Deprecated: use [image.CreateOptions].
-type ImageCreateOptions = image.CreateOptions
+// Deprecated: use [volume.PruneReport].
+type VolumesPruneReport = volume.PruneReport

-// ImagePullOptions holds information to pull images.
+// NetworkCreateRequest is the request message sent to the server for network create call.
 //
-// Deprecated: use [image.PullOptions].
-type ImagePullOptions = image.PullOptions
+// Deprecated: use [network.CreateRequest].
+type NetworkCreateRequest = network.CreateRequest

-// ImagePushOptions holds information to push images.
+// NetworkCreate is the expected body of the "create network" http request message
 //
-// Deprecated: use [image.PushOptions].
-type ImagePushOptions = image.PushOptions
+// Deprecated: use [network.CreateOptions].
+type NetworkCreate = network.CreateOptions

-// ImageListOptions holds parameters to list images with.
+// NetworkListOptions holds parameters to filter the list of networks with.
 //
-// Deprecated: use [image.ListOptions].
-type ImageListOptions = image.ListOptions
+// Deprecated: use [network.ListOptions].
+type NetworkListOptions = network.ListOptions

-// ImageRemoveOptions holds parameters to remove images.
+// NetworkCreateResponse is the response message sent by the server for network create call.
 //
-// Deprecated: use [image.RemoveOptions].
-type ImageRemoveOptions = image.RemoveOptions
+// Deprecated: use [network.CreateResponse].
+type NetworkCreateResponse = network.CreateResponse
+
+// NetworkInspectOptions holds parameters to inspect network.
+//
+// Deprecated: use [network.InspectOptions].
+type NetworkInspectOptions = network.InspectOptions
+
+// NetworkConnect represents the data to be used to connect a container to the network
+//
+// Deprecated: use [network.ConnectOptions].
+type NetworkConnect = network.ConnectOptions
+
+// NetworkDisconnect represents the data to be used to disconnect a container from the network
+//
+// Deprecated: use [network.DisconnectOptions].
+type NetworkDisconnect = network.DisconnectOptions
+
+// EndpointResource contains network resources allocated and used for a container in a network.
+//
+// Deprecated: use [network.EndpointResource].
+type EndpointResource = network.EndpointResource
+
+// NetworkResource is the body of the "get network" http response message/
+//
+// Deprecated: use [network.Inspect] or [network.Summary] (for list operations).
+type NetworkResource = network.Inspect
+
+// NetworksPruneReport contains the response for Engine API:
+// POST "/networks/prune"
+//
+// Deprecated: use [network.PruneReport].
+type NetworksPruneReport = network.PruneReport
+
+// ExecConfig is a small subset of the Config struct that holds the configuration
+// for the exec feature of docker.
+//
+// Deprecated: use [container.ExecOptions].
+type ExecConfig = container.ExecOptions
+
+// ExecStartCheck is a temp struct used by execStart
+// Config fields is part of ExecConfig in runconfig package
+//
+// Deprecated: use [container.ExecStartOptions] or [container.ExecAttachOptions].
+type ExecStartCheck = container.ExecStartOptions
+
+// ContainerExecInspect holds information returned by exec inspect.
+//
+// Deprecated: use [container.ExecInspect].
+type ContainerExecInspect = container.ExecInspect
+
+// ContainersPruneReport contains the response for Engine API:
+// POST "/containers/prune"
+//
+// Deprecated: use [container.PruneReport].
+type ContainersPruneReport = container.PruneReport
+
+// ContainerPathStat is used to encode the header from
+// GET "/containers/{name:.*}/archive"
+// "Name" is the file or directory name.
+//
+// Deprecated: use [container.PathStat].
+type ContainerPathStat = container.PathStat
+
+// CopyToContainerOptions holds information
+// about files to copy into a container.
+//
+// Deprecated: use [container.CopyToContainerOptions],
+type CopyToContainerOptions = container.CopyToContainerOptions
+
+// ContainerStats contains response of Engine API:
+// GET "/stats"
+//
+// Deprecated: use [container.StatsResponseReader].
+type ContainerStats = container.StatsResponseReader
+
+// ThrottlingData stores CPU throttling stats of one running container.
+// Not used on Windows.
+//
+// Deprecated: use [container.ThrottlingData].
+type ThrottlingData = container.ThrottlingData
+
+// CPUUsage stores All CPU stats aggregated since container inception.
+//
+// Deprecated: use [container.CPUUsage].
+type CPUUsage = container.CPUUsage
+
+// CPUStats aggregates and wraps all CPU related info of container
+//
+// Deprecated: use [container.CPUStats].
+type CPUStats = container.CPUStats
+
+// MemoryStats aggregates all memory stats since container inception on Linux.
+// Windows returns stats for commit and private working set only.
+//
+// Deprecated: use [container.MemoryStats].
+type MemoryStats = container.MemoryStats
+
+// BlkioStatEntry is one small entity to store a piece of Blkio stats
+// Not used on Windows.
+//
+// Deprecated: use [container.BlkioStatEntry].
+type BlkioStatEntry = container.BlkioStatEntry
+
+// BlkioStats stores All IO service stats for data read and write.
+// This is a Linux specific structure as the differences between expressing
+// block I/O on Windows and Linux are sufficiently significant to make
+// little sense attempting to morph into a combined structure.
+//
+// Deprecated: use [container.BlkioStats].
+type BlkioStats = container.BlkioStats
+
+// StorageStats is the disk I/O stats for read/write on Windows.
+//
+// Deprecated: use [container.StorageStats].
+type StorageStats = container.StorageStats
+
+// NetworkStats aggregates the network stats of one container
+//
+// Deprecated: use [container.NetworkStats].
+type NetworkStats = container.NetworkStats
+
+// PidsStats contains the stats of a container's pids
+//
+// Deprecated: use [container.PidsStats].
+type PidsStats = container.PidsStats
+
+// Stats is Ultimate struct aggregating all types of stats of one container
+//
+// Deprecated: use [container.Stats].
+type Stats = container.Stats
+
+// StatsJSON is newly used Networks
+//
+// Deprecated: use [container.StatsResponse].
+type StatsJSON = container.StatsResponse
+
+// EventsOptions holds parameters to filter events with.
+//
+// Deprecated: use [events.ListOptions].
+type EventsOptions = events.ListOptions
+
+// ImageSearchOptions holds parameters to search images with.
+//
+// Deprecated: use [registry.SearchOptions].
+type ImageSearchOptions = registry.SearchOptions
+
+// ImageImportSource holds source information for ImageImport
+//
+// Deprecated: use [image.ImportSource].
+type ImageImportSource image.ImportSource
+
+// ImageLoadResponse returns information to the client about a load process.
+//
+// Deprecated: use [image.LoadResponse].
+type ImageLoadResponse = image.LoadResponse
+
+// ContainerNode stores information about the node that a container
+// is running on.  It's only used by the Docker Swarm standalone API.
+//
+// Deprecated: ContainerNode was used for the classic Docker Swarm standalone API. It will be removed in the next release.
+type ContainerNode struct {
+	ID        string
+	IPAddress string `json:"IP"`
+	Addr      string
+	Name      string
+	Cpus      int
+	Memory    int64
+	Labels    map[string]string
+}
--- a/vendor/github.com/docker/docker/api/types/volume/options.go
+++ b/vendor/github.com/docker/docker/api/types/volume/options.go
@ -6,3 +6,10 @@ import "github.com/docker/docker/api/types/filters"
 type ListOptions struct {
 	Filters filters.Args
 }
+
+// PruneReport contains the response for Engine API:
+// POST "/volumes/prune"
+type PruneReport struct {
+	VolumesDeleted []string
+	SpaceReclaimed uint64
+}
--- a/vendor/github.com/docker/docker/client/client.go
+++ b/vendor/github.com/docker/docker/client/client.go
@ -49,6 +49,8 @@ import (
 	"net/url"
 	"path"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"time"

 	"github.com/docker/docker/api"
@ -131,7 +133,10 @@ type Client struct {
 	negotiateVersion bool

 	// negotiated indicates that API version negotiation took place
-	negotiated bool
+	negotiated atomic.Bool
+
+	// negotiateLock is used to single-flight the version negotiation process
+	negotiateLock sync.Mutex

 	tp trace.TracerProvider

@ -266,7 +271,16 @@ func (cli *Client) Close() error {
 // be negotiated when making the actual requests, and for which cases
 // we cannot do the negotiation lazily.
 func (cli *Client) checkVersion(ctx context.Context) error {
-	if !cli.manualOverride && cli.negotiateVersion && !cli.negotiated {
+	if !cli.manualOverride && cli.negotiateVersion && !cli.negotiated.Load() {
+		// Ensure exclusive write access to version and negotiated fields
+		cli.negotiateLock.Lock()
+		defer cli.negotiateLock.Unlock()
+
+		// May have been set during last execution of critical zone
+		if cli.negotiated.Load() {
+			return nil
+		}
+
 		ping, err := cli.Ping(ctx)
 		if err != nil {
 			return err
@ -312,6 +326,10 @@ func (cli *Client) ClientVersion() string {
 // added (1.24).
 func (cli *Client) NegotiateAPIVersion(ctx context.Context) {
 	if !cli.manualOverride {
+		// Avoid concurrent modification of version-related fields
+		cli.negotiateLock.Lock()
+		defer cli.negotiateLock.Unlock()
+
 		ping, err := cli.Ping(ctx)
 		if err != nil {
 			// FIXME(thaJeztah): Ping returns an error when failing to connect to the API; we should not swallow the error here, and instead returning it.
@ -336,6 +354,10 @@ func (cli *Client) NegotiateAPIVersion(ctx context.Context) {
 // added (1.24).
 func (cli *Client) NegotiateAPIVersionPing(pingResponse types.Ping) {
 	if !cli.manualOverride {
+		// Avoid concurrent modification of version-related fields
+		cli.negotiateLock.Lock()
+		defer cli.negotiateLock.Unlock()
+
 		cli.negotiateAPIVersionPing(pingResponse)
 	}
 }
@ -361,7 +383,7 @@ func (cli *Client) negotiateAPIVersionPing(pingResponse types.Ping) {
 	// Store the results, so that automatic API version negotiation (if enabled)
 	// won't be performed on the next request.
 	if cli.negotiateVersion {
-		cli.negotiated = true
+		cli.negotiated.Store(true)
 	}
 }

--- a/vendor/github.com/docker/docker/client/container_copy.go
+++ b/vendor/github.com/docker/docker/client/container_copy.go
@ -11,11 +11,11 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
 )

 // ContainerStatPath returns stat information about a path inside the container filesystem.
-func (cli *Client) ContainerStatPath(ctx context.Context, containerID, path string) (types.ContainerPathStat, error) {
+func (cli *Client) ContainerStatPath(ctx context.Context, containerID, path string) (container.PathStat, error) {
 	query := url.Values{}
 	query.Set("path", filepath.ToSlash(path)) // Normalize the paths used in the API.

@ -23,14 +23,14 @@ func (cli *Client) ContainerStatPath(ctx context.Context, containerID, path stri
 	response, err := cli.head(ctx, urlStr, query, nil)
 	defer ensureReaderClosed(response)
 	if err != nil {
-		return types.ContainerPathStat{}, err
+		return container.PathStat{}, err
 	}
 	return getContainerPathStatFromHeader(response.header)
 }

 // CopyToContainer copies content into the container filesystem.
 // Note that `content` must be a Reader for a TAR archive
-func (cli *Client) CopyToContainer(ctx context.Context, containerID, dstPath string, content io.Reader, options types.CopyToContainerOptions) error {
+func (cli *Client) CopyToContainer(ctx context.Context, containerID, dstPath string, content io.Reader, options container.CopyToContainerOptions) error {
 	query := url.Values{}
 	query.Set("path", filepath.ToSlash(dstPath)) // Normalize the paths used in the API.
 	// Do not allow for an existing directory to be overwritten by a non-directory and vice versa.
@ -55,14 +55,14 @@ func (cli *Client) CopyToContainer(ctx context.Context, containerID, dstPath str

 // CopyFromContainer gets the content from the container and returns it as a Reader
 // for a TAR archive to manipulate it in the host. It's up to the caller to close the reader.
-func (cli *Client) CopyFromContainer(ctx context.Context, containerID, srcPath string) (io.ReadCloser, types.ContainerPathStat, error) {
+func (cli *Client) CopyFromContainer(ctx context.Context, containerID, srcPath string) (io.ReadCloser, container.PathStat, error) {
 	query := make(url.Values, 1)
 	query.Set("path", filepath.ToSlash(srcPath)) // Normalize the paths used in the API.

 	apiPath := "/containers/" + containerID + "/archive"
 	response, err := cli.get(ctx, apiPath, query, nil)
 	if err != nil {
-		return nil, types.ContainerPathStat{}, err
+		return nil, container.PathStat{}, err
 	}

 	// In order to get the copy behavior right, we need to know information
@ -78,8 +78,8 @@ func (cli *Client) CopyFromContainer(ctx context.Context, containerID, srcPath s
 	return response.body, stat, err
 }

-func getContainerPathStatFromHeader(header http.Header) (types.ContainerPathStat, error) {
-	var stat types.ContainerPathStat
+func getContainerPathStatFromHeader(header http.Header) (container.PathStat, error) {
+	var stat container.PathStat

 	encodedStat := header.Get("X-Docker-Container-Path-Stat")
 	statDecoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(encodedStat))
--- a/vendor/github.com/docker/docker/client/container_exec.go
+++ b/vendor/github.com/docker/docker/client/container_exec.go
@ -6,11 +6,12 @@ import (
 	"net/http"

 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/versions"
 )

 // ContainerExecCreate creates a new exec configuration to run an exec process.
-func (cli *Client) ContainerExecCreate(ctx context.Context, container string, config types.ExecConfig) (types.IDResponse, error) {
+func (cli *Client) ContainerExecCreate(ctx context.Context, container string, options container.ExecOptions) (types.IDResponse, error) {
 	var response types.IDResponse

 	// Make sure we negotiated (if the client is configured to do so),
@ -22,14 +23,14 @@ func (cli *Client) ContainerExecCreate(ctx context.Context, container string, co
 		return response, err
 	}

-	if err := cli.NewVersionError(ctx, "1.25", "env"); len(config.Env) != 0 && err != nil {
+	if err := cli.NewVersionError(ctx, "1.25", "env"); len(options.Env) != 0 && err != nil {
 		return response, err
 	}
 	if versions.LessThan(cli.ClientVersion(), "1.42") {
-		config.ConsoleSize = nil
+		options.ConsoleSize = nil
 	}

-	resp, err := cli.post(ctx, "/containers/"+container+"/exec", nil, config, nil)
+	resp, err := cli.post(ctx, "/containers/"+container+"/exec", nil, options, nil)
 	defer ensureReaderClosed(resp)
 	if err != nil {
 		return response, err
@ -39,7 +40,7 @@ func (cli *Client) ContainerExecCreate(ctx context.Context, container string, co
 }

 // ContainerExecStart starts an exec process already created in the docker host.
-func (cli *Client) ContainerExecStart(ctx context.Context, execID string, config types.ExecStartCheck) error {
+func (cli *Client) ContainerExecStart(ctx context.Context, execID string, config container.ExecStartOptions) error {
 	if versions.LessThan(cli.ClientVersion(), "1.42") {
 		config.ConsoleSize = nil
 	}
@ -52,7 +53,7 @@ func (cli *Client) ContainerExecStart(ctx context.Context, execID string, config
 // It returns a types.HijackedConnection with the hijacked connection
 // and the a reader to get output. It's up to the called to close
 // the hijacked connection by calling types.HijackedResponse.Close.
-func (cli *Client) ContainerExecAttach(ctx context.Context, execID string, config types.ExecStartCheck) (types.HijackedResponse, error) {
+func (cli *Client) ContainerExecAttach(ctx context.Context, execID string, config container.ExecAttachOptions) (types.HijackedResponse, error) {
 	if versions.LessThan(cli.ClientVersion(), "1.42") {
 		config.ConsoleSize = nil
 	}
@ -62,8 +63,8 @@ func (cli *Client) ContainerExecAttach(ctx context.Context, execID string, confi
 }

 // ContainerExecInspect returns information about a specific exec process on the docker host.
-func (cli *Client) ContainerExecInspect(ctx context.Context, execID string) (types.ContainerExecInspect, error) {
-	var response types.ContainerExecInspect
+func (cli *Client) ContainerExecInspect(ctx context.Context, execID string) (container.ExecInspect, error) {
+	var response container.ExecInspect
 	resp, err := cli.get(ctx, "/exec/"+execID+"/json", nil, nil)
 	if err != nil {
 		return response, err
--- a/vendor/github.com/docker/docker/client/container_prune.go
+++ b/vendor/github.com/docker/docker/client/container_prune.go
@ -5,13 +5,13 @@ import (
 	"encoding/json"
 	"fmt"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 )

 // ContainersPrune requests the daemon to delete unused data
-func (cli *Client) ContainersPrune(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error) {
-	var report types.ContainersPruneReport
+func (cli *Client) ContainersPrune(ctx context.Context, pruneFilters filters.Args) (container.PruneReport, error) {
+	var report container.PruneReport

 	if err := cli.NewVersionError(ctx, "1.25", "container prune"); err != nil {
 		return report, err
--- a/vendor/github.com/docker/docker/client/container_stats.go
+++ b/vendor/github.com/docker/docker/client/container_stats.go
@ -4,12 +4,12 @@ import (
 	"context"
 	"net/url"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
 )

 // ContainerStats returns near realtime stats for a given container.
 // It's up to the caller to close the io.ReadCloser returned.
-func (cli *Client) ContainerStats(ctx context.Context, containerID string, stream bool) (types.ContainerStats, error) {
+func (cli *Client) ContainerStats(ctx context.Context, containerID string, stream bool) (container.StatsResponseReader, error) {
 	query := url.Values{}
 	query.Set("stream", "0")
 	if stream {
@ -18,10 +18,10 @@ func (cli *Client) ContainerStats(ctx context.Context, containerID string, strea

 	resp, err := cli.get(ctx, "/containers/"+containerID+"/stats", query, nil)
 	if err != nil {
-		return types.ContainerStats{}, err
+		return container.StatsResponseReader{}, err
 	}

-	return types.ContainerStats{
+	return container.StatsResponseReader{
 		Body:   resp.body,
 		OSType: getDockerOS(resp.header.Get("Server")),
 	}, nil
@ -29,17 +29,17 @@ func (cli *Client) ContainerStats(ctx context.Context, containerID string, strea

 // ContainerStatsOneShot gets a single stat entry from a container.
 // It differs from `ContainerStats` in that the API should not wait to prime the stats
-func (cli *Client) ContainerStatsOneShot(ctx context.Context, containerID string) (types.ContainerStats, error) {
+func (cli *Client) ContainerStatsOneShot(ctx context.Context, containerID string) (container.StatsResponseReader, error) {
 	query := url.Values{}
 	query.Set("stream", "0")
 	query.Set("one-shot", "1")

 	resp, err := cli.get(ctx, "/containers/"+containerID+"/stats", query, nil)
 	if err != nil {
-		return types.ContainerStats{}, err
+		return container.StatsResponseReader{}, err
 	}

-	return types.ContainerStats{
+	return container.StatsResponseReader{
 		Body:   resp.body,
 		OSType: getDockerOS(resp.header.Get("Server")),
 	}, nil
--- a/vendor/github.com/docker/docker/client/events.go
+++ b/vendor/github.com/docker/docker/client/events.go
@ -6,7 +6,6 @@ import (
 	"net/url"
 	"time"

-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
 	timetypes "github.com/docker/docker/api/types/time"
@ -16,7 +15,7 @@ import (
 // by cancelling the context. Once the stream has been completely read an io.EOF error will
 // be sent over the error channel. If an error is sent all processing will be stopped. It's up
 // to the caller to reopen the stream in the event of an error by reinvoking this method.
-func (cli *Client) Events(ctx context.Context, options types.EventsOptions) (<-chan events.Message, <-chan error) {
+func (cli *Client) Events(ctx context.Context, options events.ListOptions) (<-chan events.Message, <-chan error) {
 	messages := make(chan events.Message)
 	errs := make(chan error, 1)

@ -68,7 +67,7 @@ func (cli *Client) Events(ctx context.Context, options types.EventsOptions) (<-c
 	return messages, errs
 }

-func buildEventsQueryParams(cliVersion string, options types.EventsOptions) (url.Values, error) {
+func buildEventsQueryParams(cliVersion string, options events.ListOptions) (url.Values, error) {
 	query := url.Values{}
 	ref := time.Now()

--- a/vendor/github.com/docker/docker/client/image_import.go
+++ b/vendor/github.com/docker/docker/client/image_import.go
@ -7,13 +7,12 @@ import (
 	"strings"

 	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/image"
 )

 // ImageImport creates a new image based on the source options.
 // It returns the JSON content in the response body.
-func (cli *Client) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) {
+func (cli *Client) ImageImport(ctx context.Context, source image.ImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) {
 	if ref != "" {
 		// Check if the given image name can be resolved
 		if _, err := reference.ParseNormalizedNamed(ref); err != nil {
--- a/vendor/github.com/docker/docker/client/image_load.go
+++ b/vendor/github.com/docker/docker/client/image_load.go
@ -6,13 +6,13 @@ import (
 	"net/http"
 	"net/url"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 )

 // ImageLoad loads an image in the docker host from the client host.
 // It's up to the caller to close the io.ReadCloser in the
 // ImageLoadResponse returned by this function.
-func (cli *Client) ImageLoad(ctx context.Context, input io.Reader, quiet bool) (types.ImageLoadResponse, error) {
+func (cli *Client) ImageLoad(ctx context.Context, input io.Reader, quiet bool) (image.LoadResponse, error) {
 	v := url.Values{}
 	v.Set("quiet", "0")
 	if quiet {
@ -22,9 +22,9 @@ func (cli *Client) ImageLoad(ctx context.Context, input io.Reader, quiet bool) (
 		"Content-Type": {"application/x-tar"},
 	})
 	if err != nil {
-		return types.ImageLoadResponse{}, err
+		return image.LoadResponse{}, err
 	}
-	return types.ImageLoadResponse{
+	return image.LoadResponse{
 		Body: resp.body,
 		JSON: resp.header.Get("Content-Type") == "application/json",
 	}, nil
--- a/vendor/github.com/docker/docker/client/image_prune.go
+++ b/vendor/github.com/docker/docker/client/image_prune.go
@ -5,13 +5,13 @@ import (
 	"encoding/json"
 	"fmt"

-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/image"
 )

 // ImagesPrune requests the daemon to delete unused data
-func (cli *Client) ImagesPrune(ctx context.Context, pruneFilters filters.Args) (types.ImagesPruneReport, error) {
-	var report types.ImagesPruneReport
+func (cli *Client) ImagesPrune(ctx context.Context, pruneFilters filters.Args) (image.PruneReport, error) {
+	var report image.PruneReport

 	if err := cli.NewVersionError(ctx, "1.25", "image prune"); err != nil {
 		return report, err
--- a/vendor/github.com/docker/docker/client/image_pull.go
+++ b/vendor/github.com/docker/docker/client/image_pull.go
@ -36,7 +36,7 @@ func (cli *Client) ImagePull(ctx context.Context, refStr string, options image.P

 	resp, err := cli.tryImageCreate(ctx, query, options.RegistryAuth)
 	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
-		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			return nil, privilegeErr
 		}
--- a/vendor/github.com/docker/docker/client/image_push.go
+++ b/vendor/github.com/docker/docker/client/image_push.go
@ -2,7 +2,9 @@ package client // import "github.com/docker/docker/client"

 import (
 	"context"
+	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@ -36,9 +38,23 @@ func (cli *Client) ImagePush(ctx context.Context, image string, options image.Pu
 		}
 	}

+	if options.Platform != nil {
+		if err := cli.NewVersionError(ctx, "1.46", "platform"); err != nil {
+			return nil, err
+		}
+
+		p := *options.Platform
+		pJson, err := json.Marshal(p)
+		if err != nil {
+			return nil, fmt.Errorf("invalid platform: %v", err)
+		}
+
+		query.Set("platform", string(pJson))
+	}
+
 	resp, err := cli.tryImagePush(ctx, name, query, options.RegistryAuth)
 	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
-		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			return nil, privilegeErr
 		}
--- a/vendor/github.com/docker/docker/client/image_search.go
+++ b/vendor/github.com/docker/docker/client/image_search.go
@ -7,7 +7,6 @@ import (
 	"net/url"
 	"strconv"

-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/errdefs"
@ -15,7 +14,7 @@ import (

 // ImageSearch makes the docker host search by a term in a remote registry.
 // The list of results is not sorted in any fashion.
-func (cli *Client) ImageSearch(ctx context.Context, term string, options types.ImageSearchOptions) ([]registry.SearchResult, error) {
+func (cli *Client) ImageSearch(ctx context.Context, term string, options registry.SearchOptions) ([]registry.SearchResult, error) {
 	var results []registry.SearchResult
 	query := url.Values{}
 	query.Set("term", term)
@ -34,7 +33,7 @@ func (cli *Client) ImageSearch(ctx context.Context, term string, options types.I
 	resp, err := cli.tryImageSearch(ctx, query, options.RegistryAuth)
 	defer ensureReaderClosed(resp)
 	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
-		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			return results, privilegeErr
 		}
--- a/vendor/github.com/docker/docker/client/interface.go
+++ b/vendor/github.com/docker/docker/client/interface.go
@ -50,11 +50,11 @@ type ContainerAPIClient interface {
 	ContainerCommit(ctx context.Context, container string, options container.CommitOptions) (types.IDResponse, error)
 	ContainerCreate(ctx context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, platform *ocispec.Platform, containerName string) (container.CreateResponse, error)
 	ContainerDiff(ctx context.Context, container string) ([]container.FilesystemChange, error)
-	ContainerExecAttach(ctx context.Context, execID string, config types.ExecStartCheck) (types.HijackedResponse, error)
-	ContainerExecCreate(ctx context.Context, container string, config types.ExecConfig) (types.IDResponse, error)
-	ContainerExecInspect(ctx context.Context, execID string) (types.ContainerExecInspect, error)
+	ContainerExecAttach(ctx context.Context, execID string, options container.ExecAttachOptions) (types.HijackedResponse, error)
+	ContainerExecCreate(ctx context.Context, container string, options container.ExecOptions) (types.IDResponse, error)
+	ContainerExecInspect(ctx context.Context, execID string) (container.ExecInspect, error)
 	ContainerExecResize(ctx context.Context, execID string, options container.ResizeOptions) error
-	ContainerExecStart(ctx context.Context, execID string, config types.ExecStartCheck) error
+	ContainerExecStart(ctx context.Context, execID string, options container.ExecStartOptions) error
 	ContainerExport(ctx context.Context, container string) (io.ReadCloser, error)
 	ContainerInspect(ctx context.Context, container string) (types.ContainerJSON, error)
 	ContainerInspectWithRaw(ctx context.Context, container string, getSize bool) (types.ContainerJSON, []byte, error)
@ -66,18 +66,18 @@ type ContainerAPIClient interface {
 	ContainerRename(ctx context.Context, container, newContainerName string) error
 	ContainerResize(ctx context.Context, container string, options container.ResizeOptions) error
 	ContainerRestart(ctx context.Context, container string, options container.StopOptions) error
-	ContainerStatPath(ctx context.Context, container, path string) (types.ContainerPathStat, error)
-	ContainerStats(ctx context.Context, container string, stream bool) (types.ContainerStats, error)
-	ContainerStatsOneShot(ctx context.Context, container string) (types.ContainerStats, error)
+	ContainerStatPath(ctx context.Context, container, path string) (container.PathStat, error)
+	ContainerStats(ctx context.Context, container string, stream bool) (container.StatsResponseReader, error)
+	ContainerStatsOneShot(ctx context.Context, container string) (container.StatsResponseReader, error)
 	ContainerStart(ctx context.Context, container string, options container.StartOptions) error
 	ContainerStop(ctx context.Context, container string, options container.StopOptions) error
 	ContainerTop(ctx context.Context, container string, arguments []string) (container.ContainerTopOKBody, error)
 	ContainerUnpause(ctx context.Context, container string) error
 	ContainerUpdate(ctx context.Context, container string, updateConfig container.UpdateConfig) (container.ContainerUpdateOKBody, error)
 	ContainerWait(ctx context.Context, container string, condition container.WaitCondition) (<-chan container.WaitResponse, <-chan error)
-	CopyFromContainer(ctx context.Context, container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
-	CopyToContainer(ctx context.Context, container, path string, content io.Reader, options types.CopyToContainerOptions) error
-	ContainersPrune(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error)
+	CopyFromContainer(ctx context.Context, container, srcPath string) (io.ReadCloser, container.PathStat, error)
+	CopyToContainer(ctx context.Context, container, path string, content io.Reader, options container.CopyToContainerOptions) error
+	ContainersPrune(ctx context.Context, pruneFilters filters.Args) (container.PruneReport, error)
 }

 // DistributionAPIClient defines API client methods for the registry
@ -92,29 +92,29 @@ type ImageAPIClient interface {
 	BuildCancel(ctx context.Context, id string) error
 	ImageCreate(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error)
 	ImageHistory(ctx context.Context, image string) ([]image.HistoryResponseItem, error)
-	ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error)
+	ImageImport(ctx context.Context, source image.ImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error)
 	ImageInspectWithRaw(ctx context.Context, image string) (types.ImageInspect, []byte, error)
 	ImageList(ctx context.Context, options image.ListOptions) ([]image.Summary, error)
-	ImageLoad(ctx context.Context, input io.Reader, quiet bool) (types.ImageLoadResponse, error)
+	ImageLoad(ctx context.Context, input io.Reader, quiet bool) (image.LoadResponse, error)
 	ImagePull(ctx context.Context, ref string, options image.PullOptions) (io.ReadCloser, error)
 	ImagePush(ctx context.Context, ref string, options image.PushOptions) (io.ReadCloser, error)
 	ImageRemove(ctx context.Context, image string, options image.RemoveOptions) ([]image.DeleteResponse, error)
-	ImageSearch(ctx context.Context, term string, options types.ImageSearchOptions) ([]registry.SearchResult, error)
+	ImageSearch(ctx context.Context, term string, options registry.SearchOptions) ([]registry.SearchResult, error)
 	ImageSave(ctx context.Context, images []string) (io.ReadCloser, error)
 	ImageTag(ctx context.Context, image, ref string) error
-	ImagesPrune(ctx context.Context, pruneFilter filters.Args) (types.ImagesPruneReport, error)
+	ImagesPrune(ctx context.Context, pruneFilter filters.Args) (image.PruneReport, error)
 }

 // NetworkAPIClient defines API client methods for the networks
 type NetworkAPIClient interface {
 	NetworkConnect(ctx context.Context, network, container string, config *network.EndpointSettings) error
-	NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error)
+	NetworkCreate(ctx context.Context, name string, options network.CreateOptions) (network.CreateResponse, error)
 	NetworkDisconnect(ctx context.Context, network, container string, force bool) error
-	NetworkInspect(ctx context.Context, network string, options types.NetworkInspectOptions) (types.NetworkResource, error)
-	NetworkInspectWithRaw(ctx context.Context, network string, options types.NetworkInspectOptions) (types.NetworkResource, []byte, error)
-	NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error)
+	NetworkInspect(ctx context.Context, network string, options network.InspectOptions) (network.Inspect, error)
+	NetworkInspectWithRaw(ctx context.Context, network string, options network.InspectOptions) (network.Inspect, []byte, error)
+	NetworkList(ctx context.Context, options network.ListOptions) ([]network.Summary, error)
 	NetworkRemove(ctx context.Context, network string) error
-	NetworksPrune(ctx context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error)
+	NetworksPrune(ctx context.Context, pruneFilter filters.Args) (network.PruneReport, error)
 }

 // NodeAPIClient defines API client methods for the nodes
@ -165,7 +165,7 @@ type SwarmAPIClient interface {

 // SystemAPIClient defines API client methods for the system
 type SystemAPIClient interface {
-	Events(ctx context.Context, options types.EventsOptions) (<-chan events.Message, <-chan error)
+	Events(ctx context.Context, options events.ListOptions) (<-chan events.Message, <-chan error)
 	Info(ctx context.Context) (system.Info, error)
 	RegistryLogin(ctx context.Context, auth registry.AuthConfig) (registry.AuthenticateOKBody, error)
 	DiskUsage(ctx context.Context, options types.DiskUsageOptions) (types.DiskUsage, error)
@ -179,7 +179,7 @@ type VolumeAPIClient interface {
 	VolumeInspectWithRaw(ctx context.Context, volumeID string) (volume.Volume, []byte, error)
 	VolumeList(ctx context.Context, options volume.ListOptions) (volume.ListResponse, error)
 	VolumeRemove(ctx context.Context, volumeID string, force bool) error
-	VolumesPrune(ctx context.Context, pruneFilter filters.Args) (types.VolumesPruneReport, error)
+	VolumesPrune(ctx context.Context, pruneFilter filters.Args) (volume.PruneReport, error)
 	VolumeUpdate(ctx context.Context, volumeID string, version swarm.Version, options volume.UpdateOptions) error
 }

--- a/vendor/github.com/docker/docker/client/network_connect.go
+++ b/vendor/github.com/docker/docker/client/network_connect.go
@ -3,13 +3,12 @@ package client // import "github.com/docker/docker/client"
 import (
 	"context"

-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/network"
 )

 // NetworkConnect connects a container to an existent network in the docker host.
 func (cli *Client) NetworkConnect(ctx context.Context, networkID, containerID string, config *network.EndpointSettings) error {
-	nc := types.NetworkConnect{
+	nc := network.ConnectOptions{
 		Container:      containerID,
 		EndpointConfig: config,
 	}
--- a/vendor/github.com/docker/docker/client/network_create.go
+++ b/vendor/github.com/docker/docker/client/network_create.go
@ -4,13 +4,13 @@ import (
 	"context"
 	"encoding/json"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/versions"
 )

 // NetworkCreate creates a new network in the docker host.
-func (cli *Client) NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
-	var response types.NetworkCreateResponse
+func (cli *Client) NetworkCreate(ctx context.Context, name string, options network.CreateOptions) (network.CreateResponse, error) {
+	var response network.CreateResponse

 	// Make sure we negotiated (if the client is configured to do so),
 	// as code below contains API-version specific handling of options.
@ -21,12 +21,13 @@ func (cli *Client) NetworkCreate(ctx context.Context, name string, options types
 		return response, err
 	}

-	networkCreateRequest := types.NetworkCreateRequest{
-		NetworkCreate: options,
+	networkCreateRequest := network.CreateRequest{
+		CreateOptions: options,
 		Name:          name,
 	}
 	if versions.LessThan(cli.version, "1.44") {
-		networkCreateRequest.CheckDuplicate = true //nolint:staticcheck // ignore SA1019: CheckDuplicate is deprecated since API v1.44.
+		enabled := true
+		networkCreateRequest.CheckDuplicate = &enabled //nolint:staticcheck // ignore SA1019: CheckDuplicate is deprecated since API v1.44.
 	}

 	serverResp, err := cli.post(ctx, "/networks/create", nil, networkCreateRequest, nil)
--- a/vendor/github.com/docker/docker/client/network_disconnect.go
+++ b/vendor/github.com/docker/docker/client/network_disconnect.go
@ -3,12 +3,15 @@ package client // import "github.com/docker/docker/client"
 import (
 	"context"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
 )

 // NetworkDisconnect disconnects a container from an existent network in the docker host.
 func (cli *Client) NetworkDisconnect(ctx context.Context, networkID, containerID string, force bool) error {
-	nd := types.NetworkDisconnect{Container: containerID, Force: force}
+	nd := network.DisconnectOptions{
+		Container: containerID,
+		Force:     force,
+	}
 	resp, err := cli.post(ctx, "/networks/"+networkID+"/disconnect", nil, nd, nil)
 	ensureReaderClosed(resp)
 	return err
--- a/vendor/github.com/docker/docker/client/network_inspect.go
+++ b/vendor/github.com/docker/docker/client/network_inspect.go
@ -7,25 +7,20 @@ import (
 	"io"
 	"net/url"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
 )

 // NetworkInspect returns the information for a specific network configured in the docker host.
-func (cli *Client) NetworkInspect(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error) {
+func (cli *Client) NetworkInspect(ctx context.Context, networkID string, options network.InspectOptions) (network.Inspect, error) {
 	networkResource, _, err := cli.NetworkInspectWithRaw(ctx, networkID, options)
 	return networkResource, err
 }

 // NetworkInspectWithRaw returns the information for a specific network configured in the docker host and its raw representation.
-func (cli *Client) NetworkInspectWithRaw(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
+func (cli *Client) NetworkInspectWithRaw(ctx context.Context, networkID string, options network.InspectOptions) (network.Inspect, []byte, error) {
 	if networkID == "" {
-		return types.NetworkResource{}, nil, objectNotFoundError{object: "network", id: networkID}
+		return network.Inspect{}, nil, objectNotFoundError{object: "network", id: networkID}
 	}
-	var (
-		networkResource types.NetworkResource
-		resp            serverResponse
-		err             error
-	)
 	query := url.Values{}
 	if options.Verbose {
 		query.Set("verbose", "true")
@ -33,17 +28,19 @@ func (cli *Client) NetworkInspectWithRaw(ctx context.Context, networkID string,
 	if options.Scope != "" {
 		query.Set("scope", options.Scope)
 	}
-	resp, err = cli.get(ctx, "/networks/"+networkID, query, nil)
+
+	resp, err := cli.get(ctx, "/networks/"+networkID, query, nil)
 	defer ensureReaderClosed(resp)
 	if err != nil {
-		return networkResource, nil, err
+		return network.Inspect{}, nil, err
 	}

-	body, err := io.ReadAll(resp.body)
+	raw, err := io.ReadAll(resp.body)
 	if err != nil {
-		return networkResource, nil, err
+		return network.Inspect{}, nil, err
 	}
-	rdr := bytes.NewReader(body)
-	err = json.NewDecoder(rdr).Decode(&networkResource)
-	return networkResource, body, err
+
+	var nw network.Inspect
+	err = json.NewDecoder(bytes.NewReader(raw)).Decode(&nw)
+	return nw, raw, err
 }
--- a/vendor/github.com/docker/docker/client/network_list.go
+++ b/vendor/github.com/docker/docker/client/network_list.go
@ -5,12 +5,12 @@ import (
 	"encoding/json"
 	"net/url"

-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/network"
 )

 // NetworkList returns the list of networks configured in the docker host.
-func (cli *Client) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+func (cli *Client) NetworkList(ctx context.Context, options network.ListOptions) ([]network.Summary, error) {
 	query := url.Values{}
 	if options.Filters.Len() > 0 {
 		//nolint:staticcheck // ignore SA1019 for old code
@ -21,7 +21,7 @@ func (cli *Client) NetworkList(ctx context.Context, options types.NetworkListOpt

 		query.Set("filters", filterJSON)
 	}
-	var networkResources []types.NetworkResource
+	var networkResources []network.Summary
 	resp, err := cli.get(ctx, "/networks", query, nil)
 	defer ensureReaderClosed(resp)
 	if err != nil {
--- a/vendor/github.com/docker/docker/client/network_prune.go
+++ b/vendor/github.com/docker/docker/client/network_prune.go
@ -5,13 +5,13 @@ import (
 	"encoding/json"
 	"fmt"

-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/network"
 )

 // NetworksPrune requests the daemon to delete unused networks
-func (cli *Client) NetworksPrune(ctx context.Context, pruneFilters filters.Args) (types.NetworksPruneReport, error) {
-	var report types.NetworksPruneReport
+func (cli *Client) NetworksPrune(ctx context.Context, pruneFilters filters.Args) (network.PruneReport, error) {
+	var report network.PruneReport

 	if err := cli.NewVersionError(ctx, "1.25", "network prune"); err != nil {
 		return report, err
--- a/vendor/github.com/docker/docker/client/plugin_install.go
+++ b/vendor/github.com/docker/docker/client/plugin_install.go
@ -84,7 +84,7 @@ func (cli *Client) checkPluginPermissions(ctx context.Context, query url.Values,
 	resp, err := cli.tryPluginPrivileges(ctx, query, options.RegistryAuth)
 	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		// todo: do inspect before to check existing name before checking privileges
-		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			ensureReaderClosed(resp)
 			return nil, privilegeErr
@ -105,7 +105,7 @@ func (cli *Client) checkPluginPermissions(ctx context.Context, query url.Values,
 	ensureReaderClosed(resp)

 	if !options.AcceptAllPermissions && options.AcceptPermissionsFunc != nil && len(privileges) > 0 {
-		accept, err := options.AcceptPermissionsFunc(privileges)
+		accept, err := options.AcceptPermissionsFunc(ctx, privileges)
 		if err != nil {
 			return nil, err
 		}
--- a/vendor/github.com/docker/docker/client/request.go
+++ b/vendor/github.com/docker/docker/client/request.go
@ -184,10 +184,10 @@ func (cli *Client) doRequest(req *http.Request) (serverResponse, error) {
 		// `open //./pipe/docker_engine: Le fichier spécifié est introuvable.`
 		if strings.Contains(err.Error(), `open //./pipe/docker_engine`) {
 			// Checks if client is running with elevated privileges
-			if f, elevatedErr := os.Open("\\\\.\\PHYSICALDRIVE0"); elevatedErr == nil {
+			if f, elevatedErr := os.Open(`\\.\PHYSICALDRIVE0`); elevatedErr != nil {
 				err = errors.Wrap(err, "in the default daemon configuration on Windows, the docker client must be run with elevated privileges to connect")
 			} else {
-				f.Close()
+				_ = f.Close()
 				err = errors.Wrap(err, "this error may indicate that the docker daemon is not running")
 			}
 		}
@ -278,7 +278,7 @@ func encodeData(data interface{}) (*bytes.Buffer, error) {
 func ensureReaderClosed(response serverResponse) {
 	if response.body != nil {
 		// Drain up to 512 bytes and close the body to let the Transport reuse the connection
-		io.CopyN(io.Discard, response.body, 512)
-		response.body.Close()
+		_, _ = io.CopyN(io.Discard, response.body, 512)
+		_ = response.body.Close()
 	}
 }
--- a/vendor/github.com/docker/docker/client/volume_prune.go
+++ b/vendor/github.com/docker/docker/client/volume_prune.go
@ -5,13 +5,13 @@ import (
 	"encoding/json"
 	"fmt"

-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/volume"
 )

 // VolumesPrune requests the daemon to delete unused data
-func (cli *Client) VolumesPrune(ctx context.Context, pruneFilters filters.Args) (types.VolumesPruneReport, error) {
-	var report types.VolumesPruneReport
+func (cli *Client) VolumesPrune(ctx context.Context, pruneFilters filters.Args) (volume.PruneReport, error) {
+	var report volume.PruneReport

 	if err := cli.NewVersionError(ctx, "1.25", "volume prune"); err != nil {
 		return report, err
--- a/vendor/github.com/google/go-containerregistry/pkg/name/digest.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/name/digest.go
@ -17,6 +17,7 @@ package name
 import (
 	// nolint: depguard
 	_ "crypto/sha256" // Recommended by go-digest.
+	"encoding/json"
 	"strings"

 	"github.com/opencontainers/go-digest"
@ -59,6 +60,25 @@ func (d Digest) String() string {
 	return d.original
 }

+// MarshalJSON formats the digest into a string for JSON serialization.
+func (d Digest) MarshalJSON() ([]byte, error) {
+	return json.Marshal(d.String())
+}
+
+// UnmarshalJSON parses a JSON string into a Digest.
+func (d *Digest) UnmarshalJSON(data []byte) error {
+	var s string
+	if err := json.Unmarshal(data, &s); err != nil {
+		return err
+	}
+	n, err := NewDigest(s)
+	if err != nil {
+		return err
+	}
+	*d = n
+	return nil
+}
+
 // NewDigest returns a new Digest representing the given name.
 func NewDigest(name string, opts ...Option) (Digest, error) {
 	// Split on "@"
--- a/vendor/github.com/letsencrypt/boulder/core/challenges.go
+++ b/vendor/github.com/letsencrypt/boulder/core/challenges.go
@ -10,27 +10,23 @@ func newChallenge(challengeType AcmeChallenge, token string) Challenge {
 	}
 }

-// HTTPChallenge01 constructs a random http-01 challenge. If token is empty a random token
-// will be generated, otherwise the provided token is used.
+// HTTPChallenge01 constructs a http-01 challenge.
 func HTTPChallenge01(token string) Challenge {
 	return newChallenge(ChallengeTypeHTTP01, token)
 }

-// DNSChallenge01 constructs a random dns-01 challenge. If token is empty a random token
-// will be generated, otherwise the provided token is used.
+// DNSChallenge01 constructs a dns-01 challenge.
 func DNSChallenge01(token string) Challenge {
 	return newChallenge(ChallengeTypeDNS01, token)
 }

-// TLSALPNChallenge01 constructs a random tls-alpn-01 challenge. If token is empty a random token
-// will be generated, otherwise the provided token is used.
+// TLSALPNChallenge01 constructs a tls-alpn-01 challenge.
 func TLSALPNChallenge01(token string) Challenge {
 	return newChallenge(ChallengeTypeTLSALPN01, token)
 }

-// NewChallenge constructs a random challenge of the given kind. It returns an
-// error if the challenge type is unrecognized. If token is empty a random token
-// will be generated, otherwise the provided token is used.
+// NewChallenge constructs a challenge of the given kind. It returns an
+// error if the challenge type is unrecognized.
 func NewChallenge(kind AcmeChallenge, token string) (Challenge, error) {
 	switch kind {
 	case ChallengeTypeHTTP01:
--- a/vendor/github.com/letsencrypt/boulder/core/interfaces.go
+++ b/vendor/github.com/letsencrypt/boulder/core/interfaces.go
@ -7,7 +7,7 @@ import (
 // PolicyAuthority defines the public interface for the Boulder PA
 // TODO(#5891): Move this interface to a more appropriate location.
 type PolicyAuthority interface {
-	WillingToIssueWildcards([]identifier.ACMEIdentifier) error
+	WillingToIssue([]string) error
 	ChallengesFor(identifier.ACMEIdentifier) ([]Challenge, error)
 	ChallengeTypeEnabled(AcmeChallenge) bool
 	CheckAuthz(*Authorization) error
--- a/vendor/github.com/letsencrypt/boulder/core/objects.go
+++ b/vendor/github.com/letsencrypt/boulder/core/objects.go
@ -10,8 +10,8 @@ import (
 	"strings"
 	"time"

+	"github.com/go-jose/go-jose/v4"
 	"golang.org/x/crypto/ocsp"
-	"gopkg.in/go-jose/go-jose.v2"

 	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/probs"
@ -119,7 +119,7 @@ type Registration struct {
 }

 // ValidationRecord represents a validation attempt against a specific URL/hostname
-// and the IP addresses that were resolved and used
+// and the IP addresses that were resolved and used.
 type ValidationRecord struct {
 	// SimpleHTTP only
 	URL string `json:"url,omitempty"`
@ -144,6 +144,17 @@ type ValidationRecord struct {
 	//   ...
 	// }
 	AddressesTried []net.IP `json:"addressesTried,omitempty"`
+	// ResolverAddrs is the host:port of the DNS resolver(s) that fulfilled the
+	// lookup for AddressUsed. During recursive A and AAAA lookups, a record may
+	// instead look like A:host:port or AAAA:host:port
+	ResolverAddrs []string `json:"resolverAddrs,omitempty"`
+	// UsedRSAKEX is a *temporary* addition to the validation record, so we can
+	// see how many servers that we reach out to during HTTP-01 and TLS-ALPN-01
+	// validation are only willing to negotiate RSA key exchange mechanisms. The
+	// field is not included in the serialized json to avoid cluttering the
+	// database and log lines.
+	// TODO(#7321): Remove this when we have collected sufficient data.
+	UsedRSAKEX bool `json:"-"`
 }

 func looksLikeKeyAuthorization(str string) error {
@ -225,6 +236,8 @@ func (ch Challenge) RecordsSane() bool {
 	switch ch.Type {
 	case ChallengeTypeHTTP01:
 		for _, rec := range ch.ValidationRecord {
+			// TODO(#7140): Add a check for ResolverAddress == "" only after the
+			// core.proto change has been deployed.
 			if rec.URL == "" || rec.Hostname == "" || rec.Port == "" || rec.AddressUsed == nil ||
 				len(rec.AddressesResolved) == 0 {
 				return false
@ -237,6 +250,8 @@ func (ch Challenge) RecordsSane() bool {
 		if ch.ValidationRecord[0].URL != "" {
 			return false
 		}
+		// TODO(#7140): Add a check for ResolverAddress == "" only after the
+		// core.proto change has been deployed.
 		if ch.ValidationRecord[0].Hostname == "" || ch.ValidationRecord[0].Port == "" ||
 			ch.ValidationRecord[0].AddressUsed == nil || len(ch.ValidationRecord[0].AddressesResolved) == 0 {
 			return false
@ -245,6 +260,8 @@ func (ch Challenge) RecordsSane() bool {
 		if len(ch.ValidationRecord) > 1 {
 			return false
 		}
+		// TODO(#7140): Add a check for ResolverAddress == "" only after the
+		// core.proto change has been deployed.
 		if ch.ValidationRecord[0].Hostname == "" {
 			return false
 		}
@ -483,6 +500,12 @@ type SuggestedWindow struct {
 	End   time.Time `json:"end"`
 }

+// IsWithin returns true if the given time is within the suggested window,
+// inclusive of the start time and exclusive of the end time.
+func (window SuggestedWindow) IsWithin(now time.Time) bool {
+	return !now.Before(window.Start) && now.Before(window.End)
+}
+
 // RenewalInfo is a type which is exposed to clients which query the renewalInfo
 // endpoint specified in draft-aaron-ari.
 type RenewalInfo struct {
--- a/vendor/github.com/letsencrypt/boulder/core/util.go
+++ b/vendor/github.com/letsencrypt/boulder/core/util.go
@ -25,7 +25,9 @@ import (
 	"time"
 	"unicode"

-	"gopkg.in/go-jose/go-jose.v2"
+	"github.com/go-jose/go-jose/v4"
+	"google.golang.org/protobuf/types/known/durationpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )

 const Unspecified = "Unspecified"
@ -92,8 +94,7 @@ func Fingerprint256(data []byte) string {

 type Sha256Digest [sha256.Size]byte

-// KeyDigest produces a Base64-encoded SHA256 digest of a
-// provided public key.
+// KeyDigest produces the SHA256 digest of a provided public key.
 func KeyDigest(key crypto.PublicKey) (Sha256Digest, error) {
 	switch t := key.(type) {
 	case *jose.JSONWebKey:
@ -212,10 +213,83 @@ func IsAnyNilOrZero(vals ...interface{}) bool {
 		switch v := val.(type) {
 		case nil:
 			return true
+		case bool:
+			if !v {
+				return true
+			}
+		case string:
+			if v == "" {
+				return true
+			}
+		case []string:
+			if len(v) == 0 {
+				return true
+			}
+		case byte:
+			// Byte is an alias for uint8 and will cover that case.
+			if v == 0 {
+				return true
+			}
 		case []byte:
 			if len(v) == 0 {
 				return true
 			}
+		case int:
+			if v == 0 {
+				return true
+			}
+		case int8:
+			if v == 0 {
+				return true
+			}
+		case int16:
+			if v == 0 {
+				return true
+			}
+		case int32:
+			if v == 0 {
+				return true
+			}
+		case int64:
+			if v == 0 {
+				return true
+			}
+		case uint:
+			if v == 0 {
+				return true
+			}
+		case uint16:
+			if v == 0 {
+				return true
+			}
+		case uint32:
+			if v == 0 {
+				return true
+			}
+		case uint64:
+			if v == 0 {
+				return true
+			}
+		case float32:
+			if v == 0 {
+				return true
+			}
+		case float64:
+			if v == 0 {
+				return true
+			}
+		case time.Time:
+			if v.IsZero() {
+				return true
+			}
+		case *timestamppb.Timestamp:
+			if v == nil || v.AsTime().IsZero() {
+				return true
+			}
+		case *durationpb.Duration:
+			if v == nil || v.AsDuration() == time.Duration(0) {
+				return true
+			}
 		default:
 			if reflect.ValueOf(v).IsZero() {
 				return true
--- a/vendor/github.com/letsencrypt/boulder/probs/probs.go
+++ b/vendor/github.com/letsencrypt/boulder/probs/probs.go
@ -20,6 +20,8 @@ const (
 	BadRevocationReasonProblem   = ProblemType("badRevocationReason")
 	BadSignatureAlgorithmProblem = ProblemType("badSignatureAlgorithm")
 	CAAProblem                   = ProblemType("caa")
+	// ConflictProblem is a problem type that is not defined in RFC8555.
+	ConflictProblem              = ProblemType("conflict")
 	ConnectionProblem            = ProblemType("connection")
 	DNSProblem                   = ProblemType("dns")
 	InvalidContactProblem        = ProblemType("invalidContact")
@ -290,11 +292,11 @@ func Canceled(detail string, a ...any) *ProblemDetails {
 	}
 }

-// Conflict returns a ProblemDetails with a MalformedProblem and a 409 Conflict
+// Conflict returns a ProblemDetails with a ConflictProblem and a 409 Conflict
 // status code.
 func Conflict(detail string) *ProblemDetails {
 	return &ProblemDetails{
-		Type:       MalformedProblem,
+		Type:       ConflictProblem,
 		Detail:     detail,
 		HTTPStatus: http.StatusConflict,
 	}
--- a/vendor/github.com/sylabs/sif/v2/pkg/sif/add.go
+++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/add.go
@ -0,0 +1,81 @@
+// Copyright (c) 2018-2023, Sylabs Inc. All rights reserved.
+// Copyright (c) 2017, SingularityWare, LLC. All rights reserved.
+// Copyright (c) 2017, Yannick Cote <yhcote@gmail.com> All rights reserved.
+// This software is licensed under a 3-clause BSD license. Please consult the
+// LICENSE file distributed with the sources of this project regarding your
+// rights to use or distribute this software.
+
+package sif
+
+import (
+	"fmt"
+	"time"
+)
+
+// addOpts accumulates object add options.
+type addOpts struct {
+	t time.Time
+}
+
+// AddOpt are used to specify object add options.
+type AddOpt func(*addOpts) error
+
+// OptAddDeterministic sets header/descriptor fields to values that support deterministic
+// modification of images.
+func OptAddDeterministic() AddOpt {
+	return func(ao *addOpts) error {
+		ao.t = time.Time{}
+		return nil
+	}
+}
+
+// OptAddWithTime specifies t as the image modification time.
+func OptAddWithTime(t time.Time) AddOpt {
+	return func(ao *addOpts) error {
+		ao.t = t
+		return nil
+	}
+}
+
+// AddObject adds a new data object and its descriptor into the specified SIF file.
+//
+// By default, the image modification time is set to the current time for non-deterministic images,
+// and unset otherwise. To override this, consider using OptAddDeterministic or OptAddWithTime.
+func (f *FileImage) AddObject(di DescriptorInput, opts ...AddOpt) error {
+	ao := addOpts{}
+
+	if !f.isDeterministic() {
+		ao.t = time.Now()
+	}
+
+	for _, opt := range opts {
+		if err := opt(&ao); err != nil {
+			return fmt.Errorf("%w", err)
+		}
+	}
+
+	// Find an unused descriptor.
+	i := 0
+	for _, rd := range f.rds {
+		if !rd.Used {
+			break
+		}
+		i++
+	}
+
+	if err := f.writeDataObject(i, di, ao.t); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	if err := f.writeDescriptors(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	f.h.ModifiedAt = ao.t.Unix()
+
+	if err := f.writeHeader(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	return nil
+}
--- a/vendor/github.com/sylabs/sif/v2/pkg/sif/create.go
+++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/create.go
@ -1,4 +1,4 @@
-// Copyright (c) 2018-2023, Sylabs Inc. All rights reserved.
+// Copyright (c) 2018-2024, Sylabs Inc. All rights reserved.
 // Copyright (c) 2017, SingularityWare, LLC. All rights reserved.
 // Copyright (c) 2017, Yannick Cote <yhcote@gmail.com> All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
@ -8,7 +8,6 @@
 package sif

 import (
-	"encoding"
 	"encoding/binary"
 	"errors"
 	"fmt"
@ -56,6 +55,20 @@ func writeDataObjectAt(ws io.WriteSeeker, offsetUnaligned int64, di DescriptorIn
 	return nil
 }

+// calculatedDataSize calculates the size of the data section based on the in-use descriptors.
+func (f *FileImage) calculatedDataSize() int64 {
+	dataEnd := f.DataOffset()
+
+	f.WithDescriptors(func(d Descriptor) bool {
+		if objectEnd := d.Offset() + d.Size(); dataEnd < objectEnd {
+			dataEnd = objectEnd
+		}
+		return false
+	})
+
+	return dataEnd - f.DataOffset()
+}
+
 var (
 	errInsufficientCapacity = errors.New("insufficient descriptor capacity to add data object(s) to image")
 	errPrimaryPartition     = errors.New("image already contains a primary partition")
@ -81,6 +94,8 @@ func (f *FileImage) writeDataObject(i int, di DescriptorInput, t time.Time) erro
 	d := &f.rds[i]
 	d.ID = uint32(i) + 1

+	f.h.DataSize = f.calculatedDataSize()
+
 	if err := writeDataObjectAt(f.rw, f.h.DataOffset+f.h.DataSize, di, t, d); err != nil {
 		return err
 	}
@ -321,378 +336,3 @@ func CreateContainerAtPath(path string, opts ...CreateOpt) (*FileImage, error) {
 	f.closeOnUnload = true
 	return f, nil
 }
-
-// addOpts accumulates object add options.
-type addOpts struct {
-	t time.Time
-}
-
-// AddOpt are used to specify object add options.
-type AddOpt func(*addOpts) error
-
-// OptAddDeterministic sets header/descriptor fields to values that support deterministic
-// modification of images.
-func OptAddDeterministic() AddOpt {
-	return func(ao *addOpts) error {
-		ao.t = time.Time{}
-		return nil
-	}
-}
-
-// OptAddWithTime specifies t as the image modification time.
-func OptAddWithTime(t time.Time) AddOpt {
-	return func(ao *addOpts) error {
-		ao.t = t
-		return nil
-	}
-}
-
-// AddObject adds a new data object and its descriptor into the specified SIF file.
-//
-// By default, the image modification time is set to the current time for non-deterministic images,
-// and unset otherwise. To override this, consider using OptAddDeterministic or OptAddWithTime.
-func (f *FileImage) AddObject(di DescriptorInput, opts ...AddOpt) error {
-	ao := addOpts{}
-
-	if !f.isDeterministic() {
-		ao.t = time.Now()
-	}
-
-	for _, opt := range opts {
-		if err := opt(&ao); err != nil {
-			return fmt.Errorf("%w", err)
-		}
-	}
-
-	// Find an unused descriptor.
-	i := 0
-	for _, rd := range f.rds {
-		if !rd.Used {
-			break
-		}
-		i++
-	}
-
-	if err := f.writeDataObject(i, di, ao.t); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	if err := f.writeDescriptors(); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	f.h.ModifiedAt = ao.t.Unix()
-
-	if err := f.writeHeader(); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	return nil
-}
-
-// isLast return true if the data object associated with d is the last in f.
-func (f *FileImage) isLast(d *rawDescriptor) bool {
-	isLast := true
-
-	end := d.Offset + d.Size
-	f.WithDescriptors(func(d Descriptor) bool {
-		isLast = d.Offset()+d.Size() <= end
-		return !isLast
-	})
-
-	return isLast
-}
-
-// zeroReader is an io.Reader that returns a stream of zero-bytes.
-type zeroReader struct{}
-
-func (zeroReader) Read(b []byte) (int, error) {
-	for i := range b {
-		b[i] = 0
-	}
-	return len(b), nil
-}
-
-// zero overwrites the data object described by d with a stream of zero bytes.
-func (f *FileImage) zero(d *rawDescriptor) error {
-	if _, err := f.rw.Seek(d.Offset, io.SeekStart); err != nil {
-		return err
-	}
-
-	_, err := io.CopyN(f.rw, zeroReader{}, d.Size)
-	return err
-}
-
-// truncateAt truncates f at the start of the padded data object described by d.
-func (f *FileImage) truncateAt(d *rawDescriptor) error {
-	start := d.Offset + d.Size - d.SizeWithPadding
-
-	return f.rw.Truncate(start)
-}
-
-// deleteOpts accumulates object deletion options.
-type deleteOpts struct {
-	zero    bool
-	compact bool
-	t       time.Time
-}
-
-// DeleteOpt are used to specify object deletion options.
-type DeleteOpt func(*deleteOpts) error
-
-// OptDeleteZero specifies whether the deleted object should be zeroed.
-func OptDeleteZero(b bool) DeleteOpt {
-	return func(do *deleteOpts) error {
-		do.zero = b
-		return nil
-	}
-}
-
-// OptDeleteCompact specifies whether the image should be compacted following object deletion.
-func OptDeleteCompact(b bool) DeleteOpt {
-	return func(do *deleteOpts) error {
-		do.compact = b
-		return nil
-	}
-}
-
-// OptDeleteDeterministic sets header/descriptor fields to values that support deterministic
-// modification of images.
-func OptDeleteDeterministic() DeleteOpt {
-	return func(do *deleteOpts) error {
-		do.t = time.Time{}
-		return nil
-	}
-}
-
-// OptDeleteWithTime specifies t as the image modification time.
-func OptDeleteWithTime(t time.Time) DeleteOpt {
-	return func(do *deleteOpts) error {
-		do.t = t
-		return nil
-	}
-}
-
-var errCompactNotImplemented = errors.New("compact not implemented for non-last object")
-
-// DeleteObject deletes the data object with id, according to opts.
-//
-// To zero the data region of the deleted object, use OptDeleteZero. To compact the file following
-// object deletion, use OptDeleteCompact.
-//
-// By default, the image modification time is set to the current time for non-deterministic images,
-// and unset otherwise. To override this, consider using OptDeleteDeterministic or
-// OptDeleteWithTime.
-func (f *FileImage) DeleteObject(id uint32, opts ...DeleteOpt) error {
-	do := deleteOpts{}
-
-	if !f.isDeterministic() {
-		do.t = time.Now()
-	}
-
-	for _, opt := range opts {
-		if err := opt(&do); err != nil {
-			return fmt.Errorf("%w", err)
-		}
-	}
-
-	d, err := f.getDescriptor(WithID(id))
-	if err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	if do.compact && !f.isLast(d) {
-		return fmt.Errorf("%w", errCompactNotImplemented)
-	}
-
-	if do.zero {
-		if err := f.zero(d); err != nil {
-			return fmt.Errorf("%w", err)
-		}
-	}
-
-	if do.compact {
-		if err := f.truncateAt(d); err != nil {
-			return fmt.Errorf("%w", err)
-		}
-
-		f.h.DataSize -= d.SizeWithPadding
-	}
-
-	f.h.DescriptorsFree++
-	f.h.ModifiedAt = do.t.Unix()
-
-	// If we remove the primary partition, set the global header Arch field to HdrArchUnknown
-	// to indicate that the SIF file doesn't include a primary partition and no dependency
-	// on any architecture exists.
-	if d.isPartitionOfType(PartPrimSys) {
-		f.h.Arch = hdrArchUnknown
-	}
-
-	// Reset rawDescripter with empty struct
-	*d = rawDescriptor{}
-
-	if err := f.writeDescriptors(); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	if err := f.writeHeader(); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	return nil
-}
-
-// setOpts accumulates object set options.
-type setOpts struct {
-	t time.Time
-}
-
-// SetOpt are used to specify object set options.
-type SetOpt func(*setOpts) error
-
-// OptSetDeterministic sets header/descriptor fields to values that support deterministic
-// modification of images.
-func OptSetDeterministic() SetOpt {
-	return func(so *setOpts) error {
-		so.t = time.Time{}
-		return nil
-	}
-}
-
-// OptSetWithTime specifies t as the image/object modification time.
-func OptSetWithTime(t time.Time) SetOpt {
-	return func(so *setOpts) error {
-		so.t = t
-		return nil
-	}
-}
-
-var (
-	errNotPartition = errors.New("data object not a partition")
-	errNotSystem    = errors.New("data object not a system partition")
-)
-
-// SetPrimPart sets the specified system partition to be the primary one.
-//
-// By default, the image/object modification times are set to the current time for
-// non-deterministic images, and unset otherwise. To override this, consider using
-// OptSetDeterministic or OptSetWithTime.
-func (f *FileImage) SetPrimPart(id uint32, opts ...SetOpt) error {
-	so := setOpts{}
-
-	if !f.isDeterministic() {
-		so.t = time.Now()
-	}
-
-	for _, opt := range opts {
-		if err := opt(&so); err != nil {
-			return fmt.Errorf("%w", err)
-		}
-	}
-
-	descr, err := f.getDescriptor(WithID(id))
-	if err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	if descr.DataType != DataPartition {
-		return fmt.Errorf("%w", errNotPartition)
-	}
-
-	var p partition
-	if err := descr.getExtra(binaryUnmarshaler{&p}); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	// if already primary system partition, nothing to do
-	if p.Parttype == PartPrimSys {
-		return nil
-	}
-
-	if p.Parttype != PartSystem {
-		return fmt.Errorf("%w", errNotSystem)
-	}
-
-	// If there is currently a primary system partition, update it.
-	if d, err := f.getDescriptor(WithPartitionType(PartPrimSys)); err == nil {
-		var p partition
-		if err := d.getExtra(binaryUnmarshaler{&p}); err != nil {
-			return fmt.Errorf("%w", err)
-		}
-
-		p.Parttype = PartSystem
-
-		if err := d.setExtra(p); err != nil {
-			return fmt.Errorf("%w", err)
-		}
-
-		d.ModifiedAt = so.t.Unix()
-	} else if !errors.Is(err, ErrObjectNotFound) {
-		return fmt.Errorf("%w", err)
-	}
-
-	// Update the descriptor of the new primary system partition.
-	p.Parttype = PartPrimSys
-
-	if err := descr.setExtra(p); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	descr.ModifiedAt = so.t.Unix()
-
-	if err := f.writeDescriptors(); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	f.h.Arch = p.Arch
-	f.h.ModifiedAt = so.t.Unix()
-
-	if err := f.writeHeader(); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	return nil
-}
-
-// SetMetadata sets the metadata of the data object with id to md, according to opts.
-//
-// By default, the image/object modification times are set to the current time for
-// non-deterministic images, and unset otherwise. To override this, consider using
-// OptSetDeterministic or OptSetWithTime.
-func (f *FileImage) SetMetadata(id uint32, md encoding.BinaryMarshaler, opts ...SetOpt) error {
-	so := setOpts{}
-
-	if !f.isDeterministic() {
-		so.t = time.Now()
-	}
-
-	for _, opt := range opts {
-		if err := opt(&so); err != nil {
-			return fmt.Errorf("%w", err)
-		}
-	}
-
-	rd, err := f.getDescriptor(WithID(id))
-	if err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	if err := rd.setExtra(md); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	rd.ModifiedAt = so.t.Unix()
-
-	if err := f.writeDescriptors(); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	f.h.ModifiedAt = so.t.Unix()
-
-	if err := f.writeHeader(); err != nil {
-		return fmt.Errorf("%w", err)
-	}
-
-	return nil
-}
--- a/vendor/github.com/sylabs/sif/v2/pkg/sif/delete.go
+++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/delete.go
@ -0,0 +1,163 @@
+// Copyright (c) 2018-2024, Sylabs Inc. All rights reserved.
+// Copyright (c) 2017, SingularityWare, LLC. All rights reserved.
+// Copyright (c) 2017, Yannick Cote <yhcote@gmail.com> All rights reserved.
+// This software is licensed under a 3-clause BSD license. Please consult the
+// LICENSE file distributed with the sources of this project regarding your
+// rights to use or distribute this software.
+
+package sif
+
+import (
+	"fmt"
+	"io"
+	"time"
+)
+
+// zeroReader is an io.Reader that returns a stream of zero-bytes.
+type zeroReader struct{}
+
+func (zeroReader) Read(b []byte) (int, error) {
+	clear(b)
+	return len(b), nil
+}
+
+// zero overwrites the data object described by d with a stream of zero bytes.
+func (f *FileImage) zero(d *rawDescriptor) error {
+	if _, err := f.rw.Seek(d.Offset, io.SeekStart); err != nil {
+		return err
+	}
+
+	_, err := io.CopyN(f.rw, zeroReader{}, d.Size)
+	return err
+}
+
+// deleteOpts accumulates object deletion options.
+type deleteOpts struct {
+	zero    bool
+	compact bool
+	t       time.Time
+}
+
+// DeleteOpt are used to specify object deletion options.
+type DeleteOpt func(*deleteOpts) error
+
+// OptDeleteZero specifies whether the deleted object should be zeroed.
+func OptDeleteZero(b bool) DeleteOpt {
+	return func(do *deleteOpts) error {
+		do.zero = b
+		return nil
+	}
+}
+
+// OptDeleteCompact specifies whether the image should be compacted following object deletion.
+func OptDeleteCompact(b bool) DeleteOpt {
+	return func(do *deleteOpts) error {
+		do.compact = b
+		return nil
+	}
+}
+
+// OptDeleteDeterministic sets header/descriptor fields to values that support deterministic
+// modification of images.
+func OptDeleteDeterministic() DeleteOpt {
+	return func(do *deleteOpts) error {
+		do.t = time.Time{}
+		return nil
+	}
+}
+
+// OptDeleteWithTime specifies t as the image modification time.
+func OptDeleteWithTime(t time.Time) DeleteOpt {
+	return func(do *deleteOpts) error {
+		do.t = t
+		return nil
+	}
+}
+
+// DeleteObject deletes the data object with id, according to opts. If no matching descriptor is
+// found, an error wrapping ErrObjectNotFound is returned.
+//
+// To zero the data region of the deleted object, use OptDeleteZero. To remove unused space at the
+// end of the FileImage following object deletion, use OptDeleteCompact.
+//
+// By default, the image modification time is set to the current time for non-deterministic images,
+// and unset otherwise. To override this, consider using OptDeleteDeterministic or
+// OptDeleteWithTime.
+func (f *FileImage) DeleteObject(id uint32, opts ...DeleteOpt) error {
+	return f.DeleteObjects(WithID(id), opts...)
+}
+
+// DeleteObjects deletes the data objects selected by fn, according to opts. If no descriptors are
+// selected by fns, an error wrapping ErrObjectNotFound is returned.
+//
+// To zero the data region of the deleted object, use OptDeleteZero. To remove unused space at the
+// end of the FileImage following object deletion, use OptDeleteCompact.
+//
+// By default, the image modification time is set to the current time for non-deterministic images,
+// and unset otherwise. To override this, consider using OptDeleteDeterministic or
+// OptDeleteWithTime.
+func (f *FileImage) DeleteObjects(fn DescriptorSelectorFunc, opts ...DeleteOpt) error {
+	do := deleteOpts{}
+
+	if !f.isDeterministic() {
+		do.t = time.Now()
+	}
+
+	for _, opt := range opts {
+		if err := opt(&do); err != nil {
+			return fmt.Errorf("%w", err)
+		}
+	}
+
+	var selected bool
+
+	if err := f.withDescriptors(fn, func(d *rawDescriptor) error {
+		selected = true
+
+		if do.zero {
+			if err := f.zero(d); err != nil {
+				return fmt.Errorf("%w", err)
+			}
+		}
+
+		f.h.DescriptorsFree++
+
+		// If we remove the primary partition, set the global header Arch field to HdrArchUnknown
+		// to indicate that the SIF file doesn't include a primary partition and no dependency
+		// on any architecture exists.
+		if d.isPartitionOfType(PartPrimSys) {
+			f.h.Arch = hdrArchUnknown
+		}
+
+		// Reset rawDescripter with empty struct
+		*d = rawDescriptor{}
+
+		return nil
+	}); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	if !selected {
+		return fmt.Errorf("%w", ErrObjectNotFound)
+	}
+
+	f.h.ModifiedAt = do.t.Unix()
+
+	if do.compact {
+		f.h.DataSize = f.calculatedDataSize()
+
+		if err := f.rw.Truncate(f.h.DataOffset + f.h.DataSize); err != nil {
+			return fmt.Errorf("%w", err)
+		}
+	}
+
+	if err := f.writeDescriptors(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	if err := f.writeHeader(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	return nil
+}
--- a/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor.go
+++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor.go
@ -1,4 +1,4 @@
-// Copyright (c) 2018-2023, Sylabs Inc. All rights reserved.
+// Copyright (c) 2018-2024, Sylabs Inc. All rights reserved.
 // Copyright (c) 2017, SingularityWare, LLC. All rights reserved.
 // Copyright (c) 2017, Yannick Cote <yhcote@gmail.com> All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
@ -92,7 +92,9 @@ func newOCIBlobDigest() *ociBlob {

 // MarshalBinary encodes ob into binary format.
 func (ob *ociBlob) MarshalBinary() ([]byte, error) {
-	ob.digest.Hex = hex.EncodeToString(ob.hasher.Sum(nil))
+	if ob.digest.Hex == "" {
+		ob.digest.Hex = hex.EncodeToString(ob.hasher.Sum(nil))
+	}

 	return ob.digest.MarshalText()
 }
--- a/vendor/github.com/sylabs/sif/v2/pkg/sif/select.go
+++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/select.go
@ -1,4 +1,4 @@
-// Copyright (c) 2021-2023, Sylabs Inc. All rights reserved.
+// Copyright (c) 2021-2024, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
@ -184,10 +184,16 @@ func multiSelectorFunc(fns ...DescriptorSelectorFunc) DescriptorSelectorFunc {
 	}
 }

+var errNilSelectFunc = errors.New("descriptor selector func must not be nil")
+
 // withDescriptors calls onMatchFn with each in-use descriptor in f for which selectFn returns
 // true. If selectFn or onMatchFn return a non-nil error, the iteration halts, and the error is
 // returned to the caller.
 func (f *FileImage) withDescriptors(selectFn DescriptorSelectorFunc, onMatchFn func(*rawDescriptor) error) error {
+	if selectFn == nil {
+		return errNilSelectFunc
+	}
+
 	for i, d := range f.rds {
 		if !d.Used {
 			continue
--- a/vendor/github.com/sylabs/sif/v2/pkg/sif/set.go
+++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/set.go
@ -0,0 +1,220 @@
+// Copyright (c) 2018-2024, Sylabs Inc. All rights reserved.
+// Copyright (c) 2017, SingularityWare, LLC. All rights reserved.
+// Copyright (c) 2017, Yannick Cote <yhcote@gmail.com> All rights reserved.
+// This software is licensed under a 3-clause BSD license. Please consult the
+// LICENSE file distributed with the sources of this project regarding your
+// rights to use or distribute this software.
+
+package sif
+
+import (
+	"encoding"
+	"errors"
+	"fmt"
+	"time"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+// setOpts accumulates object set options.
+type setOpts struct {
+	t time.Time
+}
+
+// SetOpt are used to specify object set options.
+type SetOpt func(*setOpts) error
+
+// OptSetDeterministic sets header/descriptor fields to values that support deterministic
+// modification of images.
+func OptSetDeterministic() SetOpt {
+	return func(so *setOpts) error {
+		so.t = time.Time{}
+		return nil
+	}
+}
+
+// OptSetWithTime specifies t as the image/object modification time.
+func OptSetWithTime(t time.Time) SetOpt {
+	return func(so *setOpts) error {
+		so.t = t
+		return nil
+	}
+}
+
+var (
+	errNotPartition = errors.New("data object not a partition")
+	errNotSystem    = errors.New("data object not a system partition")
+)
+
+// SetPrimPart sets the specified system partition to be the primary one.
+//
+// By default, the image/object modification times are set to the current time for
+// non-deterministic images, and unset otherwise. To override this, consider using
+// OptSetDeterministic or OptSetWithTime.
+func (f *FileImage) SetPrimPart(id uint32, opts ...SetOpt) error {
+	so := setOpts{}
+
+	if !f.isDeterministic() {
+		so.t = time.Now()
+	}
+
+	for _, opt := range opts {
+		if err := opt(&so); err != nil {
+			return fmt.Errorf("%w", err)
+		}
+	}
+
+	descr, err := f.getDescriptor(WithID(id))
+	if err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	if descr.DataType != DataPartition {
+		return fmt.Errorf("%w", errNotPartition)
+	}
+
+	var p partition
+	if err := descr.getExtra(binaryUnmarshaler{&p}); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	// if already primary system partition, nothing to do
+	if p.Parttype == PartPrimSys {
+		return nil
+	}
+
+	if p.Parttype != PartSystem {
+		return fmt.Errorf("%w", errNotSystem)
+	}
+
+	// If there is currently a primary system partition, update it.
+	if d, err := f.getDescriptor(WithPartitionType(PartPrimSys)); err == nil {
+		var p partition
+		if err := d.getExtra(binaryUnmarshaler{&p}); err != nil {
+			return fmt.Errorf("%w", err)
+		}
+
+		p.Parttype = PartSystem
+
+		if err := d.setExtra(p); err != nil {
+			return fmt.Errorf("%w", err)
+		}
+
+		d.ModifiedAt = so.t.Unix()
+	} else if !errors.Is(err, ErrObjectNotFound) {
+		return fmt.Errorf("%w", err)
+	}
+
+	// Update the descriptor of the new primary system partition.
+	p.Parttype = PartPrimSys
+
+	if err := descr.setExtra(p); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	descr.ModifiedAt = so.t.Unix()
+
+	if err := f.writeDescriptors(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	f.h.Arch = p.Arch
+	f.h.ModifiedAt = so.t.Unix()
+
+	if err := f.writeHeader(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	return nil
+}
+
+// SetMetadata sets the metadata of the data object with id to md, according to opts.
+//
+// By default, the image/object modification times are set to the current time for
+// non-deterministic images, and unset otherwise. To override this, consider using
+// OptSetDeterministic or OptSetWithTime.
+func (f *FileImage) SetMetadata(id uint32, md encoding.BinaryMarshaler, opts ...SetOpt) error {
+	so := setOpts{}
+
+	if !f.isDeterministic() {
+		so.t = time.Now()
+	}
+
+	for _, opt := range opts {
+		if err := opt(&so); err != nil {
+			return fmt.Errorf("%w", err)
+		}
+	}
+
+	rd, err := f.getDescriptor(WithID(id))
+	if err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	if err := rd.setExtra(md); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	rd.ModifiedAt = so.t.Unix()
+
+	if err := f.writeDescriptors(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	f.h.ModifiedAt = so.t.Unix()
+
+	if err := f.writeHeader(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	return nil
+}
+
+// SetOCIBlobDigest updates the digest of the OCI blob object with id to h, according to opts.
+//
+// By default, the image/object modification times are set to the current time for
+// non-deterministic images, and unset otherwise. To override this, consider using
+// OptSetDeterministic or OptSetWithTime.
+func (f *FileImage) SetOCIBlobDigest(id uint32, h v1.Hash, opts ...SetOpt) error {
+	rd, err := f.getDescriptor(WithID(id))
+	if err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	if got := rd.DataType; got != DataOCIRootIndex && got != DataOCIBlob {
+		return &unexpectedDataTypeError{got, []DataType{DataOCIRootIndex, DataOCIBlob}}
+	}
+
+	so := setOpts{}
+
+	if !f.isDeterministic() {
+		so.t = time.Now()
+	}
+
+	for _, opt := range opts {
+		if err := opt(&so); err != nil {
+			return fmt.Errorf("%w", err)
+		}
+	}
+
+	md := &ociBlob{
+		digest: h,
+	}
+	if err := rd.setExtra(md); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	rd.ModifiedAt = so.t.Unix()
+
+	if err := f.writeDescriptors(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	f.h.ModifiedAt = so.t.Unix()
+
+	if err := f.writeHeader(); err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	return nil
+}
--- a/vendor/github.com/vbauerster/mpb/v8/bar_filler_bar.go
+++ b/vendor/github.com/vbauerster/mpb/v8/bar_filler_bar.go
@ -233,7 +233,7 @@ func (s *bFiller) Fill(w io.Writer, stat decor.Statistics) error {
 	var tip component
 	var refilling, filling, padding []byte
 	var fillCount int
-	curWidth := int(internal.PercentageRound(stat.Total, stat.Current, uint(width)))
+	curWidth := int(internal.PercentageRound(stat.Total, stat.Current, int64(width)))

 	if curWidth != 0 {
 		if !stat.Completed || s.tipOnComplete {
@ -241,20 +241,19 @@ func (s *bFiller) Fill(w io.Writer, stat decor.Statistics) error {
 			s.tip.count++
 			fillCount += tip.width
 		}
-		if stat.Refill != 0 {
-			refWidth := int(internal.PercentageRound(stat.Total, stat.Refill, uint(width)))
+		switch refWidth := 0; {
+		case stat.Refill != 0:
+			refWidth = int(internal.PercentageRound(stat.Total, stat.Refill, int64(width)))
 			curWidth -= refWidth
 			refWidth += curWidth
+			fallthrough
+		default:
 			for w := s.components[iFiller].width; curWidth-fillCount >= w; fillCount += w {
 				filling = append(filling, s.components[iFiller].bytes...)
 			}
 			for w := s.components[iRefiller].width; refWidth-fillCount >= w; fillCount += w {
 				refilling = append(refilling, s.components[iRefiller].bytes...)
 			}
-		} else {
-			for w := s.components[iFiller].width; curWidth-fillCount >= w; fillCount += w {
-				filling = append(filling, s.components[iFiller].bytes...)
-			}
 		}
 	}

--- a/vendor/github.com/vbauerster/mpb/v8/decor/eta.go
+++ b/vendor/github.com/vbauerster/mpb/v8/decor/eta.go
@ -81,15 +81,15 @@ func (d *movingAverageETA) Decor(s Statistics) (string, int) {
 func (d *movingAverageETA) EwmaUpdate(n int64, dur time.Duration) {
 	if n <= 0 {
 		d.zDur += dur
-	} else {
-		durPerItem := float64(d.zDur+dur) / float64(n)
-		if math.IsInf(durPerItem, 0) || math.IsNaN(durPerItem) {
-			d.zDur += dur
-			return
-		}
-		d.zDur = 0
-		d.average.Add(durPerItem)
+		return
 	}
+	durPerItem := float64(d.zDur+dur) / float64(n)
+	if math.IsInf(durPerItem, 0) || math.IsNaN(durPerItem) {
+		d.zDur += dur
+		return
+	}
+	d.zDur = 0
+	d.average.Add(durPerItem)
 }

 // AverageETA decorator. It's wrapper of NewAverageETA.
--- a/vendor/github.com/vbauerster/mpb/v8/decor/percentage.go
+++ b/vendor/github.com/vbauerster/mpb/v8/decor/percentage.go
@ -61,7 +61,7 @@ func NewPercentage(format string, wcc ...WC) Decorator {
 		format = "% d"
 	}
 	f := func(s Statistics) string {
-		p := internal.Percentage(s.Total, s.Current, 100)
+		p := internal.PercentageRound(s.Total, s.Current, 100)
 		return fmt.Sprintf(format, percentageType(p))
 	}
 	return Any(f, wcc...)
--- a/vendor/github.com/vbauerster/mpb/v8/decor/speed.go
+++ b/vendor/github.com/vbauerster/mpb/v8/decor/speed.go
@ -96,15 +96,15 @@ func (d *movingAverageSpeed) Decor(_ Statistics) (string, int) {
 func (d *movingAverageSpeed) EwmaUpdate(n int64, dur time.Duration) {
 	if n <= 0 {
 		d.zDur += dur
-	} else {
-		durPerByte := float64(d.zDur+dur) / float64(n)
-		if math.IsInf(durPerByte, 0) || math.IsNaN(durPerByte) {
-			d.zDur += dur
-			return
-		}
-		d.zDur = 0
-		d.average.Add(durPerByte)
+		return
 	}
+	durPerByte := float64(d.zDur+dur) / float64(n)
+	if math.IsInf(durPerByte, 0) || math.IsNaN(durPerByte) {
+		d.zDur += dur
+		return
+	}
+	d.zDur = 0
+	d.average.Add(durPerByte)
 }

 // AverageSpeed decorator with dynamic unit measure adjustment. It's
--- a/vendor/github.com/vbauerster/mpb/v8/internal/percentage.go
+++ b/vendor/github.com/vbauerster/mpb/v8/internal/percentage.go
@ -3,17 +3,20 @@ package internal
 import "math"

 // Percentage is a helper function, to calculate percentage.
-func Percentage(total, current int64, width uint) float64 {
-	if total <= 0 {
+func Percentage(total, current, width uint) float64 {
+	if total == 0 {
 		return 0
 	}
 	if current >= total {
 		return float64(width)
 	}
-	return float64(int64(width)*current) / float64(total)
+	return float64(width*current) / float64(total)
 }

 // PercentageRound same as Percentage but with math.Round.
-func PercentageRound(total, current int64, width uint) float64 {
-	return math.Round(Percentage(total, current, width))
+func PercentageRound(total, current, width int64) float64 {
+	if total < 0 || current < 0 || width < 0 {
+		return 0
+	}
+	return math.Round(Percentage(uint(total), uint(current), uint(width)))
 }
--- a/vendor/golang.org/x/crypto/cast5/cast5.go
+++ b/vendor/golang.org/x/crypto/cast5/cast5.go
@ -11,7 +11,7 @@
 // Deprecated: any new system should use AES (from crypto/aes, if necessary in
 // an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
 // golang.org/x/crypto/chacha20poly1305).
-package cast5 // import "golang.org/x/crypto/cast5"
+package cast5

 import (
 	"errors"
--- a/vendor/golang.org/x/crypto/ed25519/ed25519.go
+++ b/vendor/golang.org/x/crypto/ed25519/ed25519.go
@ -1,71 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package ed25519 implements the Ed25519 signature algorithm. See
-// https://ed25519.cr.yp.to/.
-//
-// These functions are also compatible with the “Ed25519” function defined in
-// RFC 8032. However, unlike RFC 8032's formulation, this package's private key
-// representation includes a public key suffix to make multiple signing
-// operations with the same key more efficient. This package refers to the RFC
-// 8032 private key as the “seed”.
-//
-// Beginning with Go 1.13, the functionality of this package was moved to the
-// standard library as crypto/ed25519. This package only acts as a compatibility
-// wrapper.
-package ed25519
-
-import (
-	"crypto/ed25519"
-	"io"
-)
-
-const (
-	// PublicKeySize is the size, in bytes, of public keys as used in this package.
-	PublicKeySize = 32
-	// PrivateKeySize is the size, in bytes, of private keys as used in this package.
-	PrivateKeySize = 64
-	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
-	SignatureSize = 64
-	// SeedSize is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032.
-	SeedSize = 32
-)
-
-// PublicKey is the type of Ed25519 public keys.
-//
-// This type is an alias for crypto/ed25519's PublicKey type.
-// See the crypto/ed25519 package for the methods on this type.
-type PublicKey = ed25519.PublicKey
-
-// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
-//
-// This type is an alias for crypto/ed25519's PrivateKey type.
-// See the crypto/ed25519 package for the methods on this type.
-type PrivateKey = ed25519.PrivateKey
-
-// GenerateKey generates a public/private key pair using entropy from rand.
-// If rand is nil, crypto/rand.Reader will be used.
-func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error) {
-	return ed25519.GenerateKey(rand)
-}
-
-// NewKeyFromSeed calculates a private key from a seed. It will panic if
-// len(seed) is not SeedSize. This function is provided for interoperability
-// with RFC 8032. RFC 8032's private keys correspond to seeds in this
-// package.
-func NewKeyFromSeed(seed []byte) PrivateKey {
-	return ed25519.NewKeyFromSeed(seed)
-}
-
-// Sign signs the message with privateKey and returns a signature. It will
-// panic if len(privateKey) is not PrivateKeySize.
-func Sign(privateKey PrivateKey, message []byte) []byte {
-	return ed25519.Sign(privateKey, message)
-}
-
-// Verify reports whether sig is a valid signature of message by publicKey. It
-// will panic if len(publicKey) is not PublicKeySize.
-func Verify(publicKey PublicKey, message, sig []byte) bool {
-	return ed25519.Verify(publicKey, message, sig)
-}
--- a/vendor/golang.org/x/crypto/nacl/secretbox/secretbox.go
+++ b/vendor/golang.org/x/crypto/nacl/secretbox/secretbox.go
@ -32,7 +32,7 @@ chunk size.

 This package is interoperable with NaCl: https://nacl.cr.yp.to/secretbox.html.
 */
-package secretbox // import "golang.org/x/crypto/nacl/secretbox"
+package secretbox

 import (
 	"golang.org/x/crypto/internal/alias"
--- a/vendor/golang.org/x/crypto/ocsp/ocsp.go
+++ b/vendor/golang.org/x/crypto/ocsp/ocsp.go
@ -5,7 +5,7 @@
 // Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses
 // are signed messages attesting to the validity of a certificate for a small
 // period of time. This is used to manage revocation for X.509 certificates.
-package ocsp // import "golang.org/x/crypto/ocsp"
+package ocsp

 import (
 	"crypto"
--- a/vendor/golang.org/x/crypto/openpgp/armor/armor.go
+++ b/vendor/golang.org/x/crypto/openpgp/armor/armor.go
@ -10,14 +10,15 @@
 // for their specific task. If you are required to interoperate with OpenPGP
 // systems and need a maintained package, consider a community fork.
 // See https://golang.org/issue/44226.
-package armor // import "golang.org/x/crypto/openpgp/armor"
+package armor

 import (
 	"bufio"
 	"bytes"
 	"encoding/base64"
-	"golang.org/x/crypto/openpgp/errors"
 	"io"
+
+	"golang.org/x/crypto/openpgp/errors"
 )

 // A Block represents an OpenPGP armored structure.
--- a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
+++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
@ -16,7 +16,7 @@
 // https://golang.org/issue/44226), and ElGamal in the OpenPGP ecosystem has
 // compatibility and security issues (see https://eprint.iacr.org/2021/923).
 // Moreover, this package doesn't protect against side-channel attacks.
-package elgamal // import "golang.org/x/crypto/openpgp/elgamal"
+package elgamal

 import (
 	"crypto/rand"
--- a/vendor/golang.org/x/crypto/openpgp/errors/errors.go
+++ b/vendor/golang.org/x/crypto/openpgp/errors/errors.go
@ -9,7 +9,7 @@
 // for their specific task. If you are required to interoperate with OpenPGP
 // systems and need a maintained package, consider a community fork.
 // See https://golang.org/issue/44226.
-package errors // import "golang.org/x/crypto/openpgp/errors"
+package errors

 import (
 	"strconv"
--- a/vendor/golang.org/x/crypto/openpgp/packet/packet.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
@ -10,7 +10,7 @@
 // for their specific task. If you are required to interoperate with OpenPGP
 // systems and need a maintained package, consider a community fork.
 // See https://golang.org/issue/44226.
-package packet // import "golang.org/x/crypto/openpgp/packet"
+package packet

 import (
 	"bufio"
--- a/vendor/golang.org/x/crypto/openpgp/read.go
+++ b/vendor/golang.org/x/crypto/openpgp/read.go
@ -9,7 +9,7 @@
 // for their specific task. If you are required to interoperate with OpenPGP
 // systems and need a maintained package, consider a community fork.
 // See https://golang.org/issue/44226.
-package openpgp // import "golang.org/x/crypto/openpgp"
+package openpgp

 import (
 	"crypto"
--- a/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go
+++ b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go
@ -10,7 +10,7 @@
 // for their specific task. If you are required to interoperate with OpenPGP
 // systems and need a maintained package, consider a community fork.
 // See https://golang.org/issue/44226.
-package s2k // import "golang.org/x/crypto/openpgp/s2k"
+package s2k

 import (
 	"crypto"
--- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
+++ b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
@ -16,7 +16,7 @@ Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
 choose, you can pass the `New` functions from the different SHA packages to
 pbkdf2.Key.
 */
-package pbkdf2 // import "golang.org/x/crypto/pbkdf2"
+package pbkdf2

 import (
 	"crypto/hmac"
--- a/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go
+++ b/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go
@ -3,7 +3,7 @@
 // license that can be found in the LICENSE file.

 // Package salsa provides low-level access to functions in the Salsa family.
-package salsa // import "golang.org/x/crypto/salsa20/salsa"
+package salsa

 import "math/bits"

--- a/vendor/golang.org/x/crypto/scrypt/scrypt.go
+++ b/vendor/golang.org/x/crypto/scrypt/scrypt.go
@ -5,7 +5,7 @@
 // Package scrypt implements the scrypt key derivation function as defined in
 // Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard
 // Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf).
-package scrypt // import "golang.org/x/crypto/scrypt"
+package scrypt

 import (
 	"crypto/sha256"
--- a/vendor/golang.org/x/crypto/sha3/doc.go
+++ b/vendor/golang.org/x/crypto/sha3/doc.go
@ -59,4 +59,4 @@
 // They produce output of the same length, with the same security strengths
 // against all attacks. This means, in particular, that SHA3-256 only has
 // 128-bit collision resistance, because its output length is 32 bytes.
-package sha3 // import "golang.org/x/crypto/sha3"
+package sha3
--- a/vendor/golang.org/x/crypto/sha3/hashes.go
+++ b/vendor/golang.org/x/crypto/sha3/hashes.go
@ -9,6 +9,7 @@ package sha3
 // bytes.

 import (
+	"crypto"
 	"hash"
 )

@ -40,6 +41,13 @@ func New512() hash.Hash {
 	return new512()
 }

+func init() {
+	crypto.RegisterHash(crypto.SHA3_224, New224)
+	crypto.RegisterHash(crypto.SHA3_256, New256)
+	crypto.RegisterHash(crypto.SHA3_384, New384)
+	crypto.RegisterHash(crypto.SHA3_512, New512)
+}
+
 func new224Generic() *state {
 	return &state{rate: 144, outputLen: 28, dsbyte: 0x06}
 }
--- a/vendor/golang.org/x/crypto/sha3/register.go
+++ b/vendor/golang.org/x/crypto/sha3/register.go
@ -1,18 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.4
-
-package sha3
-
-import (
-	"crypto"
-)
-
-func init() {
-	crypto.RegisterHash(crypto.SHA3_224, New224)
-	crypto.RegisterHash(crypto.SHA3_256, New256)
-	crypto.RegisterHash(crypto.SHA3_384, New384)
-	crypto.RegisterHash(crypto.SHA3_512, New512)
-}
--- a/vendor/gopkg.in/go-jose/go-jose.v2/.gitcookies.sh.enc
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/.gitcookies.sh.enc
@ -1 +0,0 @@
-'|Ę&{tÄU|gGę(ěŹCy=+¨śňcű:u:/pś#~žü["±4¤!nŮAŞDK<Šuf˙hĹażÂ:şü¸ˇ´B/ŁŘ¤ą¤ň_<C588>hÎŰSăT*wĚxĽŻťą-ç|ťŕŔÓ<C594>ŃÄäóĚăŁ—A$$â6ŁÁâG)8nĎpűĆËˇ3ĚšśoďĎvŽB–3ż]xÝ“Ó2l§G•|qRŢŻ
ö2
5R–Ó×Ç$´ń˝YčˇŢÝ™l‘Ë«yAI"ŰŚ<C5B0>®íĂ»ąĽkÄ|Kĺţ[9ĆâŇĺ=°ú˙źń|@S•3ó#ćťx?ľV„,ľ‚SĆÝőśwPíogŇ6&V6	©D.dBŠ7
--- a/vendor/gopkg.in/go-jose/go-jose.v2/.gitignore
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/.gitignore
@ -1,8 +0,0 @@
-*~
-.*.swp
-*.out
-*.test
-*.pem
-*.cov
-jose-util/jose-util
-jose-util.t.err
--- a/vendor/gopkg.in/go-jose/go-jose.v2/.travis.yml
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/.travis.yml
@ -1,45 +0,0 @@
-language: go
-
-sudo: false
-
-matrix:
-  fast_finish: true
-  allow_failures:
-    - go: tip
-
-go:
- '1.14.x'
- '1.15.x'
- tip
-
-go_import_path: gopkg.in/square/go-jose.v2
-
-before_script:
- export PATH=$HOME/.local/bin:$PATH
-
-before_install:
-# Install encrypted gitcookies to get around bandwidth-limits
-# that is causing Travis-CI builds to fail. For more info, see
-# https://github.com/golang/go/issues/12933
- openssl aes-256-cbc -K $encrypted_1528c3c2cafd_key -iv $encrypted_1528c3c2cafd_iv -in .gitcookies.sh.enc -out .gitcookies.sh -d || true
- bash .gitcookies.sh || true
- go get github.com/wadey/gocovmerge
- go get github.com/mattn/goveralls
- go get github.com/stretchr/testify/assert
- go get github.com/stretchr/testify/require
- go get github.com/google/go-cmp/cmp
- go get golang.org/x/tools/cmd/cover || true
- go get code.google.com/p/go.tools/cmd/cover || true
- pip install cram --user
-
-script:
- go test . -v -covermode=count -coverprofile=profile.cov
- go test ./cipher -v -covermode=count -coverprofile=cipher/profile.cov
- go test ./jwt -v -covermode=count -coverprofile=jwt/profile.cov
- go test ./json -v # no coverage for forked encoding/json package
- cd jose-util && go build && PATH=$PWD:$PATH cram -v jose-util.t # cram tests jose-util
- cd ..
-
-after_success:
- gocovmerge *.cov */*.cov > merged.coverprofile
- $HOME/gopath/bin/goveralls -coverprofile merged.coverprofile -service=travis-ci
--- a/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
@ -1,84 +0,0 @@
-# v4.0.1
-
-## Fixed
-
- - An attacker could send a JWE containing compressed data that used large
-   amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
-   Those functions now return an error if the decompressed data would exceed
-   250kB or 10x the compressed size (whichever is larger). Thanks to
-   Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
-   for reporting.
-
-# v4.0.0
-
-This release makes some breaking changes in order to more thoroughly
-address the vulnerabilities discussed in [Three New Attacks Against JSON Web
-Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
-token".
-
-## Changed
-
- - Limit JWT encryption types (exclude password or public key types) (#78)
- - Enforce minimum length for HMAC keys (#85)
- - jwt: match any audience in a list, rather than requiring all audiences (#81)
- - jwt: accept only Compact Serialization (#75)
- - jws: Add expected algorithms for signatures (#74)
- - Require specifying expected algorithms for ParseEncrypted,
-   ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
-   jwt.ParseSignedAndEncrypted (#69, #74)
-   - Usually there is a small, known set of appropriate algorithms for a program
-     to use and it's a mistake to allow unexpected algorithms. For instance the
-     "billion hash attack" relies in part on programs accepting the PBES2
-     encryption algorithm and doing the necessary work even if they weren't
-     specifically configured to allow PBES2.
- - Revert "Strip padding off base64 strings" (#82)
-  - The specs require base64url encoding without padding.
- - Minimum supported Go version is now 1.21
-
-## Added
-
- - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
-   - These allow parsing a specific serialization, as opposed to ParseSigned and
-     ParseEncrypted, which try to automatically detect which serialization was
-     provided. It's common to require a specific serialization for a specific
-     protocol - for instance JWT requires Compact serialization.
-
-[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
-
-# v3.0.3
-
-## Fixed
-
- - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
-
-# v3.0.2
-
-## Fixed
-
- - DecryptMulti: handle decompression error (#19)
-
-## Changed
-
- - jwe/CompactSerialize: improve performance (#67)
- - Increase the default number of PBKDF2 iterations to 600k (#48)
- - Return the proper algorithm for ECDSA keys (#45)
-
-## Added
-
- - Add Thumbprint support for opaque signers (#38)
-
-# v3.0.1
-
-## Fixed
-
- - Security issue: an attacker specifying a large "p2c" value can cause
-   JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
-   amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
-   disclosure and to Tom Tervoort for originally publishing the category of attack.
-   https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
-
-# v2.6.3
-
-## Fixed
-
- - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
--- a/Show More
+++ b/Show More
				`@ -1 +0,0 @@`
				`'\|Ę&{tÄU\|gGę(ěŹCy=+¨śňcű:u:/pś#~žü["±4¤!nŮAŞDK<Šuf˙hĹażÂ:şü¸ˇ´B/ŁŘ¤ą¤ň_<C588>hÎŰSăT*wĚxĽŻťą-ç\|ťŕŔÓ<C594>ŃÄäóĚăŁ—A$$â6ŁÁâG)8nĎpűĆËˇ3ĚšśoďĎvŽB–3ż]xÝ“Ó2l§G•\|qRŢŻ ö2 5R–Ó×Ç$´ń˝YčˇŢÝ™l‘Ë«yAI"ŰŚ<C5B0>®íĂ»ąĽkÄ\|Kĺţ[9ĆâŇĺ=°ú˙źń\|@S•3ó#ćťx?ľV„,ľ‚SĆÝőśwPíogŇ6&V6 ©D.dBŠ7`