build(deps): bump github.com/sigstore/rekor from 1.3.6 to 1.5.0 in /tools #1747

Merged
rcaril merged 1 commit into main from dependabot/go_modules/tools/github.com/sigstore/rekor-1.5.0
Apr 27, 2026

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Bumps github.com/sigstore/rekor from 1.3.6 to 1.5.0.

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.5.0

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

  • Handle malformed COSE and DSSE entries (#2729)
  • Drop support for fetching public keys by URL in the search index (#2731)

Features

  • Add support for a custom TLS config for clients (#2709)

v1.4.3

This release reduces dependencies for a number of exported packages.

This release also changes the format of the binary and container signature, which is now a Sigstore bundle. To verify a release, use the latest Cosign 3.x, verifying with cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Improvements

  • use interruptable context to elegantly handle signals in rekor-cli (#2681)
  • restapi: Don't log client errors as errors (#2680)
  • pkg: separate pki types from implementations (#2668)
  • e2e: don't mix e2e and regular utilities (#2672)
  • pkg: remove viper config from spec definitions (#2669)
  • log: remove zap & go-chi dependency from pkg/types (#2667)
  • chore: update go-openapi/runtime to v0.29.0 (#2670)
  • chore: remove double imported mapstructure pkg (#2671)
  • remove archived dependency and use stdlib slices (#2650)

Documentation

  • (docs): guard unsafe int/uint conversions flagged by gosec (#2679)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Jussi Kukkonen
  • Sachin Sampras M
  • Tõnis Tiigi

v1.4.2

What's Changed

... (truncated)

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.5.0

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

  • Handle malformed COSE and DSSE entries (#2729)
  • Drop support for fetching public keys by URL in the search index (#2731)

Features

  • Add support for a custom TLS config for clients (#2709)

v1.4.3

This release reduces dependencies for a number of exported packages.

This release also changes the format of the binary and container signature, which is now a Sigstore bundle. To verify a release, use the latest Cosign 3.x, verifying with cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Improvements

  • use interruptable context to elegantly handle signals in rekor-cli (#2681)
  • restapi: Don't log client errors as errors (#2680)
  • pkg: separate pki types from implementations (#2668)
  • e2e: don't mix e2e and regular utilities (#2672)
  • pkg: remove viper config from spec definitions (#2669)
  • log: remove zap & go-chi dependency from pkg/types (#2667)
  • chore: update go-openapi/runtime to v0.29.0 (#2670)
  • chore: remove double imported mapstructure pkg (#2671)
  • remove archived dependency and use stdlib slices (#2650)

Documentation

  • (docs): guard unsafe int/uint conversions flagged by gosec (#2679)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Jussi Kukkonen
  • Sachin Sampras M
  • Tõnis Tiigi

v1.4.2

This release includes some performance optimizations and a bug fix for publishing events to a pub/sub topic.

... (truncated)

Commits
  • fe9717f Changelog for v1.5.0 (#2730)
  • 60ef2bc Drop support for fetching public keys by URL in the search index (#2731)
  • ca625dc build(deps): Bump github.com/redis/go-redis/v9 from 9.14.1 to 9.17.2 (#2706)
  • 39bae3d Merge commit from fork (#2729)
  • 812e699 build(deps): Bump google.golang.org/api from 0.256.0 to 0.259.0 (#2723)
  • 4596e4e build(deps): Bump golang.org/x/net from 0.47.0 to 0.48.0 (#2722)
  • a3e73cd build(deps): Bump github.com/sigstore/sigstore from 1.9.5 to 1.10.3 (#2724)
  • 94d259c build(deps): Bump the all group across 1 directory with 3 updates (#2727)
  • a5329c9 build(deps): Bump the all group with 2 updates (#2728)
  • 5e6bdcd build(deps): Bump google.com/cloudsdktool/google-cloud-cli (#2726)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the tools Indicates that a given PR updates the repo tooling. label Apr 27, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 27, 2026 13:01
@dependabot dependabot Bot requested a review from jedisct1 April 27, 2026 13:01
@github-actions github-actions Bot added the Skip-Changelog do not add a changelog entry for this change label Apr 27, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/tools/github.com/sigstore/rekor-1.5.0 branch 8 times, most recently from 26511ac to 527eaaf Compare April 27, 2026 15:45
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.3.6 to 1.5.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v1.3.6...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.5.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/tools/github.com/sigstore/rekor-1.5.0 branch from 527eaaf to 4d4e862 Compare April 27, 2026 16:02
@rcaril rcaril enabled auto-merge (squash) April 27, 2026 16:08
@rcaril rcaril merged commit 86dd915 into main Apr 27, 2026
10 checks passed
@rcaril rcaril deleted the dependabot/go_modules/tools/github.com/sigstore/rekor-1.5.0 branch April 27, 2026 16:15