Bump the go_modules group across 1 directory with 5 updates

[dependabot]

Bumps the go_modules group with 4 updates in the / directory: github.com/Azure/azure-sdk-for-go/sdk/azidentity, github.com/docker/docker, github.com/golang-jwt/jwt/v5 and github.com/sigstore/cosign/v2.

Updates github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.1 to 1.6.0

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/azidentity's releases.

sdk/storage/azfile/v1.5.3

1.5.3 (2025-10-16)

Other Changes

• Updated service version to 2025-11-05
• Updated azidentity version to 1.13.0
• Updated azcore version to 1.19.1

Commits

• 36f766d add sdk/resourcemanager/cosmos/armcosmos live test (#20705)
• c005ed6 sdk/resourcemanager/network/armnetwork live test (#20331)
• 5fa7df4 add sdk/resourcemanager/compute/armcompute live test (#20048)
• 0d22aed add sdk/resourcemanager/eventhub/armeventhub live test (#20686)
• 2a8d96d add sdk/resourcemanager/postgresql/armpostgresql live test (#20685)
• b2cddab [Release] sdk/resourcemanager/paloaltonetworksngfw/armpanngfw/0.1.0 (#20437)
• ed7f3c7 Fix azidentity troubleshooting guide link (#20736)
• 6dfd0cb [azeventhubs] Fixing checkpoint store race condition (#20727)
• 745d967 pass along the artifact name so we can override it later (#20732)
• 20b4dd8 Update changelog with latest features (#20730)
• Additional commits viewable in compare view

Updates github.com/docker/docker from 26.1.3+incompatible to 28.0.0+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.0 milestone
• moby/moby, 28.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
  • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
• docker images --tree now shows metadata badges. docker/cli#5744
• docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
• Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
• docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
• Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

• The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
  • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
  • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
• DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
  • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
• Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
  • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
  • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
• The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
• Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
• Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
  • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
  • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
  • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
  • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
• If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

• dockerd now requires ipset support in the Linux kernel. moby/moby#48596
  • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
  • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
    • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
• Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
• Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325

... (truncated)

Commits

• af898ab Merge pull request #49495 from vvoland/update-buildkit
• d67f035 vendor: github.com/moby/buildkit v0.20.0
• 00ab386 Merge pull request #49491 from vvoland/update-buildkit
• 1fde8c4 builder-next: fix cdi manager
• cde9f07 vendor: github.com/moby/buildkit v0.20.0-rc3
• 89e1429 Merge pull request #49490 from thaJeztah/dockerfile_linting
• b2b5590 Dockerfile: fix linting warnings
• 62bc597 Merge pull request #49480 from thaJeztah/docs_api_1.48
• 670cd81 Merge pull request #49485 from vvoland/c8d-list-panic
• a3628f3 docs/api: add documentation for API v1.48
• Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2

Release notes

Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.2.2

What's Changed

• Fixed GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in golang-jwt/jwt#382
• build: add go1.22 to ci workflows by @​mfridman in golang-jwt/jwt#383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in golang-jwt/jwt#387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in golang-jwt/jwt#389
• chore: bump ci tests to include go1.23 by @​mfridman in golang-jwt/jwt#405
• Fix jwt -show by @​AlexanderYastrebov in golang-jwt/jwt#406
• docs: typo by @​kvii in golang-jwt/jwt#407
• Update SECURITY.md by @​oxisto in golang-jwt/jwt#416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in golang-jwt/jwt#425

New Contributors

• @​Ashikpaul made their first contribution in golang-jwt/jwt#382
• @​kvii made their first contribution in golang-jwt/jwt#407
• @​mattt made their first contribution in golang-jwt/jwt#425

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

Commits

• 0951d18 Merge commit from fork
• c035977 Update Parse example to use WithValidMethods (#425)
• bc8bdca Update SECURITY.md (#416)
• 5ec246c docs: typo (#407)
• 0123f1a Fix jwt -show (#406)
• f961c72 chore: bump ci tests to include go1.23 (#405)
• 62e504c Bump golangci/golangci-lint-action from 5 to 6 (#389)
• 1a56dcf Bump golangci/golangci-lint-action from 4 to 5 (#387)
• c8043ea build: add go1.22 to ci workflows (#383)
• 7c3f6dc Update README.md (#382)
• See full diff in compare view

Updates github.com/sigstore/cosign/v2 from 2.2.4 to 2.6.2

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.6.2

Changelog

v2.6.2 contains a fix for GHSA-whqx-f9j3-ch6m

• 3ade80c5f77cefc904f8c994e88618e5892e8f1c Fix bundle verify path for old bundle/trusted root (#4624)
• c4e6a783ce9b6ad08bb545b79a3277f1aaa16add v2.6 branch - bump sigstore deps (#4619)

Thanks to all contributors!

v2.6.1

Changelog

• 634fabe54f9fbbab55d821a83ba93b2d25bdba5f Bump sigstore-go, move conformance back to tagged release
• c5545eda23d770180880c245bf0d8f78c354ecc4 Partially populate the output of cosign verify when working with new bundles (#4416)
• e191024a636883b4e6b7de8db2f5cfb85a1fcd0c bump go builder to use 1.25.1 and cosign (#4417)

Thanks to all contributors!

v2.6.0 introduces a number of new features, including:

• Signing an in-toto statement rather than Cosign constructing one from a predicate, along with verifying a statement's subject using a digest and digest algorithm rather than providing a file reference (#4306)
• Uploading a signature and its verification material (a "bundle") as an OCI Image 1.1 referring artifact, completing #3927 (#4316)
• Providing service URLs for signing and attesting using a SigningConfig. Note that this is required when using a Rekor v2 instance (#4319)

Example generation and verification of a signed in-toto statement:

cosign attest-blob --new-bundle-format=true --bundle="digest-key-test.sigstore.json" --key="cosign.key" --statement="../sigstore-go/examples/sigstore-go-signing/intoto.txt"
cosign verify-blob-attestation --bundle="digest-key-test.sigstore.json" --key=cosign.pub --type=unused --digest="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" --digestAlg="sha256"

Example container signing and verification using the new bundle format and referring artifacts:

cosign sign --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733
cosign verify --new-bundle-format=true ghcr.io/user/alpine@sha256:a19367999603840546b8612572e338ec076c6d1f2fec61760a9e11410f546733

Example usage of a signing config provided by the public good instance's TUF repository:

cosign sign-blob --use-signing-config --bundle sigstore.json README.md
cosign verify-blob --new-bundle-format --bundle sigstore.json --certificate-identity $EMAIL --certificate-oidc-issuer $ISSUER --use-signed-timestamps README.md

v2.6.0 leverages sigstore-go's signing and verification APIs gated behind these new flags. In an upcoming major release, we will be updating Cosign to default to producing and consuming bundles to align with all other Sigstore SDKs.

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.6.2

v2.6.2 resolves GHSA-whqx-f9j3-ch6m.

Changes

• Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4624)
• bump sigstore deps to resolve build errors (#4619)

v3.0.3

Thank you for all of your feedback on Cosign v3! v3.0.3 fixes a number of bugs reported by the community along with adding compatibility for the new bundle format and attestation storage in OCI to additional commands. We're continuing to work on compatibility with the remaining commands and will have a new release shortly. If you run into any problems, please file an issue

Changes

• 4554: Closes 4554 - Add warning when --output* is used (#4556)
• Protobuf bundle support for subcommand clean (#4539)
• Add staging flag to initialize with staging TUF metadata
• Updating sign-blob to also support signing with a certificate (#4547)
• Protobuf bundle support for subcommands save and load (#4538)
• Fix cert attachment for new bundle with signing config
• Fix OCI verification with local cert - old bundle
• Deprecate tlog-upload flag (#4458)
• fix: Use signal context for sign cli package.
• update offline verification directions (#4526)
• Fix signing/verifying annotations for new bundle
• Add support to download and attach for protobuf bundles (#4477)
• Add --signing-algorithm flag (#3497)
• Refactor signcommon bundle helpers
• Add --bundle and fix --upload for new bundle
• Pass insecure registry flags through to referrers
• Add protobuf bundle support for tree subcommand (#4491)
• Remove stale embed import (#4492)
• Support multiple container identities
• Fix segfault when no attestations are found (#4472)
• Use overridden repository for new bundle format (#4473)
• Remove --out flag from cosign initialize (#4462)
• Deprecate offline flag (#4457)
• Deduplicate code in sign/attest* and verify* commands (#4449)
• Cache signing config when calling initialize (#4456)

v3.0.2

v3.0.2 is a functionally equivalent release to v3.0.0 and v3.0.1, with a fix for CI to publish signed releases in the new bundle format.

• Note that the --bundle flag specifying an output file to write the Sigstore bundle (which contains all relevant verification material) has moved from optional to required in v3.

... (truncated)

Commits

• 3ade80c Fix bundle verify path for old bundle/trusted root (#4624)
• c4e6a78 v2.6 branch - bump sigstore deps (#4619)
• 634fabe Bump sigstore-go, move conformance back to tagged release
• c5545ed Partially populate the output of cosign verify when working with new bundles ...
• e191024 bump go builder to use 1.25.1 and cosign (#4417)
• 37fbfc7 Require exclusively a SigningConfig or service URLs when signing (#4403)
• b1acaeb Add a terminal spinner while signing with sigstore-go (#4402)
• 2581dfd chore(deps): bump the gomod group across 1 directory with 8 updates (#4401)
• 11163ae Bump sigstore-go, support alternative hash algorithms with keys (#4386)
• 153df46 chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 (#4391)
• Additional commits viewable in compare view

Updates github.com/ulikunitz/xz from 0.5.12 to 0.5.14

Commits

• 7184815 Preparation of release v0.5.14
• 88ddf1d Address Security Issue GHSA-jc7w-c686-c4v9
• c8314b8 Add new package xio with WriteCloserStack
• See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[dependabot]

Labels

The following labels could not be found: update. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.