Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency carvel-dev/imgpkg to v0.44.2 #10724

Merged
merged 1 commit into from
Mar 6, 2025
Merged

chore(deps): update dependency carvel-dev/imgpkg to v0.44.2 #10724

merged 1 commit into from
Mar 6, 2025

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
carvel-dev/imgpkg patch 0.44.0 -> 0.44.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

carvel-dev/imgpkg (carvel-dev/imgpkg)

v0.44.2

Compare Source

Installation and signature verification
Installation
By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

### Download the binary
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.44.2/imgpkg-linux-amd64

### Move the binary in to your PATH
mv imgpkg-linux-amd64 /usr/local/bin/imgpkg

### Make the binary executable
chmod +x /usr/local/bin/imgpkg
Via Homebrew (macOS or Linux)
$ brew tap carvel-dev/carvel
$ brew install imgpkg
$ imgpkg version
Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

### Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.44.2/checksums.txt
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.44.2/checksums.txt.pem
curl -LO https://github.com/carvel-dev/imgpkg/releases/download/v0.44.2/checksums.txt.sig

### Verify the checksums file
cosign verify-blob checksums.txt \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp=https://github.com/carvel-dev \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.

### Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

What's Changed

  • Maintenance update of libraries and go version

Full Changelog: carvel-dev/imgpkg@v0.44.0...v0.44.2

📂 Files Checksum

133cc95fe9baa7a3fa41cdaab6e5ef60a1f54c76731be5f1b0cac577c360cc8d  ./imgpkg-darwin-amd64
4aff1dea4d9f2e84ba321e2ff9a0194660508fe9267c44d9cd57e89d5eb3d8ee  ./imgpkg-linux-arm64
51e2b75f809b10191afd7566bdcb7390fa6aec2d34287685ef53ec29f6569657  ./imgpkg-darwin-arm64
904bcc6ab88257be95970ca33cf03a49a07e717872deda4292ff963d0cc338ce  ./imgpkg-linux-amd64
c0709f09be57989c2ddbccfa77b7183eb4e9f4b97b2ed5a596b6a533baca5e17  ./imgpkg-windows-amd64.exe

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

nicholasdille-bot
nicholasdille-bot approved these changes Mar 6, 2025
View reviewed changes
Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 6, 2025

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/imgpkg:0.44.2

📦 Image Reference ghcr.io/uniget-org/tools/imgpkg:0.44.2
digestsha256:eeecfbedef09342ec772218b964620fc5b30c089425445d969f2c99c47da7bce
vulnerabilitiescritical: 0 high: 2 medium: 0 low: 0
platformlinux/amd64
size12 MB
packages62
critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.25.0 (golang)

pkg:golang/golang.org/x/oauth2@0.25.0

high : CVE--2025--22868

Affected range<0.27.0
Fixed version0.27.0
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.32.0 (golang)

pkg:golang/golang.org/x/crypto@0.32.0

high : CVE--2025--22869

Affected range<0.35.0
Fixed version0.35.0
Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 6, 2025

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/13710004162.

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 6, 2025

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/13710004162.

@github-actions github-actions bot merged commit ab57746 into main Mar 6, 2025
10 of 11 checks passed
@github-actions github-actions bot deleted the renovate/carvel-dev-imgpkg-0.44.x branch March 6, 2025 23:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicholasdille-bot nicholasdille-bot nicholasdille-bot approved these changes

Assignees
No one assigned
Labels
bump/patch type/renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@uniget-bot @nicholasdille-bot @renovate-bot