... to a version past 1.0.2, just to keep various
dependency checkers happy.
> go get github.com/opencontainers/image-spec@v1.0.2-0.20211123152302-43a7dee1ec31
The commit is intended to match https://github.com/containers/image/pull/1419
to minimize churn.
NOTE: This is NOT a fix for CVE-2021-41190 / GHSA-77vh-xpmg-72qh,
that was fixed in Skopeo 1.5.2.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Dependabot was apparently not picking these up (and
several haven't had a release for a long time anyway).
Also move from github.com/go-check/check to its newly
declared (and go.mod-enforced) name gopkg.in/check.v1.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>

This mainly pulls in the latest support for zstd-compressed layers and
eases testing of containers/image.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

Anyone running (vndr) currently ends up with failing tests in OCI schema
validation because gojsonschema has fixed its "$ref" interpretation, exposing
inconsistent URI usage inside image-spec/schema.
So, this runs (vndr), and uses mtrmac/image-spec:id-based-loader
(https://github.com/opencontainers/image-spec/pull/739) to make the tests pass
again. As soon as that PR is merged we should revert to using the upstream
image-spec repo again.
In order to make sure that we don't create invalid OCI images that are
consistently invalid, add additional checks to ensure that both of the
generated OCI images in the round-trip test are valid according to the
upstream validator.
This commit vendors the following packages (deep breath):
* oci/image-tools@7575a09363, which requires
* oci/image-spec@v1.0.0-rc4 [revendor, but is technically an update
because I couldn't figure out what version was vendored last time]
* oci/runtime-spec@v1.0.0-rc4
* xeipuuv/gojsonschema@6b67b3fab7
* xeipuuv/gojsonreference@e02fc20de9
* xeipuuv/gojsonpointer@e0fe6f6830
* camlistore/go4@7ce08ca145
Signed-off-by: Aleksa Sarai <asarai@suse.de>