build(deps): bump the minor-and-patch group across 1 directory with 7 updates

[dependabot]

Bumps the minor-and-patch group with 6 updates in the / directory:

Package	From	To
github.com/landlock-lsm/go-landlock	0.8.1	0.9.0
github.com/sigstore/cosign/v3	3.1.0	3.1.1
github.com/sigstore/sigstore-go	1.2.0	1.2.1
golang.org/x/mod	0.36.0	0.37.0
golang.org/x/net	0.55.0	0.56.0
oras.land/oras-go/v2	2.6.0	2.6.1

Updates github.com/landlock-lsm/go-landlock from 0.8.1 to 0.9.0

Release notes

Sourced from github.com/landlock-lsm/go-landlock's releases.

ABI V9 support

Adds support for LANDLOCK_ACCESS_FS_RESOLVE_UNIX (see https://docs.kernel.org/userspace-api/landlock.html#filesystem-flags), as introduced by Linux 7.1 today.

Users are advised to use landlock.V9 to restrict outgoing connections to named UNIX sockets. Individual sockets or directories can be allow-listed using the FSRule.WithResolveUnix() modifier for file system rules. As usual, the things to look out for are documented in config.go next to the landlock.V9 identifier.

For a step-by-step instruction for upgrading (or when using an AI agent!), see https://github.com/landlock-lsm/go-landlock/blob/main/docs/upgrade.md

Full Changelog: landlock-lsm/go-landlock@v0.8.1...v0.9.0

Commits

• e573f52 sample tools: use landlock.V9
• b5df300 Update documentation references to V9 where needed
• cb288e5 landlock: add support for Landlock ABI v9
• See full diff in compare view

Updates github.com/sigstore/cosign/v3 from 3.1.0 to 3.1.1

Release notes

Sourced from github.com/sigstore/cosign/v3's releases.

v3.1.1

What's Changed

Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0

This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release.

This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

• Initialize PKCS11 slots Before Getting Token Info in sigstore/cosign#4803
• Sign exclusively via sigstore-go in sigstore/cosign#4618
• bundle create: Prevent IgnoreTlog when bundle contains SET in sigstore/cosign#4829
• Require bundle output or registry upload in sigstore/cosign#4785
• fix(load): pass NameOptions to name.ParseReference in sigstore/cosign#4786
• fix: honor --digestAlg when hashing a blob in verify-blob-attestation in sigstore/cosign#4813
• Deprecate Flags for v4: Certificates in sigstore/cosign#4822
• Deprecate flags signing config in sigstore/cosign#4844
• Deprecate flags bundle in sigstore/cosign#4838
• Fix typo in map of verify command fields unsupported for new bundle format in sigstore/cosign#4853
• Add bundle upgrade command in sigstore/cosign#4820
• Deprecate Flags for v4 in sigstore/cosign#4854
• fix: close file descriptor leaked in WriteSignedImageIndexImages loop in sigstore/cosign#4869
• fix: use Header.Set to prevent duplicate Authorization on retry in sigstore/cosign#4870
• feat(cli): add Rekor v2 flag to cosign signing-config create in sigstore/cosign#4868
• Fix crash verifying timestamps when no timestamp was verified in sigstore/cosign#4881
• Deprecate Flags for v4: OCI Referrers in sigstore/cosign#4804
• Use the configured Target Repository more consistently in sigstore/cosign#4836
• fix: check HTTP status code in LoadFileOrURL in sigstore/cosign#4877
• Fix unsafe type assertion in Rego policy evaluation by in sigstore/cosign#4882
• Fix Ed25519ph check to respect custom signing configs in sign-blob in sigstore/cosign#4880
• Enable initialize command output in conformance in sigstore/cosign#4892
• verify: return TUF errors for new bundle trusted roots in sigstore/cosign#4878
• Deprecate subcommands in sigstore/cosign#4894
• Remove docstring references to deprecated flags in sigstore/cosign#4910
• fix(verify): Attach detached certificates to static signatures via wrapped verifier in sigstore/cosign#4737
• fix(verify): copy CheckOpts inside VerifyNewBundle to fix data race in sigstore/cosign#4917
• Update sigstore-go to v1.2.0 in sigstore/cosign#4914

Full Changelog: sigstore/cosign@v3.0.6...v3.1.1

Commits

• 7914231 Fix build for Go version 1.26.3 (#4933)
• d8e992a chore(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 (#4929)
• 305817b chore(deps): bump google.golang.org/api from 0.280.0 to 0.283.0 (#4925)
• 09564f9 chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4926)
• 702cbe0 chore(deps): bump golang in the all group across 1 directory
• f3885a6 chore(deps): bump github.com/go-openapi/swag/conv in the gomod group
• 76a5eec chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.6.0 to 2.7.0
• df2a334 chore(deps): bump golang.org/x/term from 0.43.0 to 0.44.0
• 2620da6 chore(deps): bump github.com/open-policy-agent/opa from 1.16.2 to 1.17.1
• 282ff33 chore(deps): bump the actions group across 1 directory with 4 updates
• See full diff in compare view

Updates github.com/sigstore/sigstore-go from 1.2.0 to 1.2.1

Release notes

Sourced from github.com/sigstore/sigstore-go's releases.

v1.2.1

What's Changed

v1.2.1 resolves GHSA-wqqc-jjcq-vfxm.

• Check signature time against public key validity window in sigstore/sigstore-go#642

Full Changelog: sigstore/sigstore-go@v1.2.0...v1.2.1

Commits

• 4594ab4 Check signature time against public key validity window (#642)
• 3ad400c Bump actions/checkout from 6.0.2 to 6.0.3 (#639)
• See full diff in compare view

Updates golang.org/x/mod from 0.36.0 to 0.37.0

Commits

• deb1dfc go.mod: update golang.org/x dependencies
• 087f651 modfile: use slices.Backward
• 343ee60 x/mod: allow for aggressively conslidating requires
• See full diff in compare view

Updates golang.org/x/net from 0.55.0 to 0.56.0

Commits

• 9e7fdbf internal/http3: fix wrong argument being given when validating header value
• b686e5f internal/http3: add gzip support to transport
• 8a34885 go.mod: update golang.org/x dependencies
• 72eaf98 dns/dnsmessage: correctly validate SVCB record parameter order
• 82e7868 dns/dnsmessage: avoid panic when parsing SVCB record with truncated data
• b64f1fa internal/http3: add server support for "Trailer:" magic prefix
• 2707ee2 internal/http3: implement HTTP/3 clientConn methods
• 31358cc internal/http3: snapshot response headers at WriteHeader time
• 8ecbaa9 html: don't adjust xml:base
• 8ae811a html: properly handle end script tag in fragment mode
• Additional commits viewable in compare view

Updates golang.org/x/sys from 0.45.0 to 0.46.0

Commits

• d58dcfa unix: add GPIO constants and structs
• See full diff in compare view

Updates oras.land/oras-go/v2 from 2.6.0 to 2.6.1

Release notes

Sourced from oras.land/oras-go/v2's releases.

v2.6.1

This is a security patch release addressing five advisories in the authentication, remote, and content layers, plus accumulated bug fixes and maintenance since v2.6.0.

Security Fixes

• Drop the Authorization header on cross-origin redirects to prevent origin credentials leaking to a redirect target on a different scheme/port of the same host (GHSA-vh4v-2xq2-g5cg)
• Validate the bearer realm host before sending credentials to prevent credential exfiltration to an attacker-controlled token service, including TLS downgrades and IP-literal metadata endpoints; adds TrustedRealmHosts (GHSA-28r5-37g7-p6mp, GHSA-xf85-363p-868w)
• Validate the Location host before blob upload to prevent credentials being forwarded to a cross-host upload endpoint (SSRF / CWE-918) (#1152, GHSA-jxpm-75mh-9fp7)
• Reject descriptor sizes exceeding 32 MiB in content.ReadAll to prevent a crafted OCI layout from triggering a makeslice panic and crashing the process (#1153, GHSA-f36w-mj3v-6jqv)
• Resolve symlinks when enforcing the workingDir write boundary in content/file, blocking writes that escape the boundary via a symlinked path component when AllowPathTraversalOnWrite=false

Bug Fixes

• graph.Memory should use digest as map key (#1095)
• Fix credentials key for the Docker registry-1 host (#966)
• Support an empty credentials file (#959)

Other Changes

• Add GitOps release workflow with goreleaser (#1161)
• Shift the Go support window to [1.24, 1.25] (#991)
• Run go modernize (#1005)
• Sync CODEOWNERS and OWNERS.md from main to v2 (#1122)
• Remove scripts reference from the Makefile (#960)
• Bump golang.org/x/sync 0.14.0 → 0.20.0 (#971, #978, #1001, #1037, #1078, #1121)
• Bump GitHub Actions: actions/checkout 4→5 (#989), actions/setup-go 5→6 (#998), actions/stale 9→10 (#997), github/codeql-action 3→4 (#1016)

Commits

• 47b7c80 release: v2.6.1 (#1195)
• 3c2e884 Merge commit from fork
• cc323e5 Merge commit from fork
• 7a9f4b0 Merge commit from fork
• d593d50 feat: add gitops release workflow with goreleaser (#1161)
• 5fd67f9 fix(content): reject descriptor sizes exceeding 32 MiB in ReadAll (#1153)
• 4683c46 fix: validate Location host before blob upload to prevent credential leak (#1...
• 4a3e611 build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 (#1121)
• 00de1f0 chore: sync CODEOWNERS and OWNERS.md from main to v2 (#1122)
• d7b6f8e fix: graph.Memory should use digest as map key (#1095)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions