chore(deps): update tools

[renovate]

This PR contains the following updates:

Package	Update	Change	Age	Adoption	Passing	Confidence
aquasecurity/trivy	patch	v0.69.2 → v0.69.3
github.com/anchore/syft	patch	v1.42.1 → v1.42.2
github.com/golangci/golangci-lint/v2	minor	v2.10.1 → v2.11.2
github.com/google/go-containerregistry	patch	v0.21.1 → v0.21.2
github.com/goreleaser/goreleaser/v2	patch	v2.14.1 → v2.14.3
hashicorp/vault	patch	v1.21.2 → v1.21.4
k8s.io/kube-openapi	patch	v0.0.0-20260127142750-a19766b6e2d4 → v0.0.0-20260304202019-5b3e3fdb0acf
rclone/rclone	patch	v1.73.1 → v1.73.2

---

Release Notes

aquasecurity/trivy (aquasecurity/trivy)

v0.69.3

Compare Source

Changelog

• 6fb20c8 release: v0.69.3 [release/v0.69] (#​10293)
• dabefec fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#​10291)

anchore/syft (github.com/anchore/syft)

v1.42.2

Compare Source

Bug Fixes

• [BUG] Incorrect Maven PURL generation: Automatic-Module-Name should not be used as Maven groupId [#​4611 #​4642 @​xnox]
• Checksum is 0 for spdx files [#​2307 #​4620 @​ppalucha]
• Support grafana binary various versions [#​4559 #​4635 @​witchcraze]

Additional Changes

• migrate fixtures to testdata [#​4651 @​wagoodman]

(Full Changelog)

golangci/golangci-lint (github.com/golangci/golangci-lint/v2)

v2.11.2

Compare Source

Released on 2026-03-07

1. Fixes
   • fmt: fix error when using the fmt command with explicit paths.

v2.11.1

Compare Source

Released on 2026-03-06

Due to an error related to AUR, some artifacts of the v2.11.0 release have not been published.

This release contains the same things as v2.11.0.

v2.11.0

Compare Source

Released on 2026-03-06

1. Linters new features or changes
   • errcheck: from 1.9.0 to 1.10.0 (exclude crypto/rand.Read by default)
   • gosec: from 2.23.0 to 2.24.6 (new rules: G113, G118, G119, G120, G121, G122, G123, G408, G707)
   • noctx: from 0.4.0 to 0.5.0 (new detection: httptest.NewRequestWithContext)
   • prealloc: from 1.0.2 to 1.1.0
   • revive: from 1.14.0 to 1.15.0 (⚠️ Breaking change: package-related checks moved from var-naming to a new rule package-naming)
2. Linters bug fixes
   • gocognit: from 1.2.0 to 1.2.1
   • gosec: from 2.24.6 to 2.24.7
   • unqueryvet: from 1.5.3 to 1.5.4

google/go-containerregistry (github.com/google/go-containerregistry)

v0.21.2

Compare Source

What's Changed

• Better handle redirects to https in ping by @​jonjohnsonjr in #​2225

Full Changelog: google/go-containerregistry@v0.21.1...v0.21.2

goreleaser/goreleaser (github.com/goreleaser/goreleaser/v2)

v2.14.3

Compare Source

v2.14.2

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.14.

Changelog

Bug fixes

• a5070ed: fix(sbom): fix Windows CI test failure in catalog_source_archives (@​caarlos0 and @​Copilot)
• 89d4957: fix(telegram): chat_id should be allowed in the @channelname form (@​caarlos0)
• 7089915: fix(telegram): improve default message template (@​caarlos0)
• 6a3f983: fix(upload): prevent sendFile race condition on Windows (@​caarlos0 and @​Copilot)
• 0c0906d: fix: go1.26.1 (@​caarlos0)
• 0dfb84b: fix: improve logs (@​caarlos0)
• 53dd3b7: fix: lint (@​caarlos0)

Documentation updates

• b2b85e0: docs(deps): bump mkdocs-material in /www in the docs group (@​dependabot[bot])
• 3227c59: docs(deps): bump mkdocs-material in /www in the docs group (@​dependabot[bot])
• a6aee4a: docs: fix badges (@​caarlos0)
• 3722f3c: docs: improve telegram docs (@​caarlos0)
• 43ce1c2: docs: telegram link (@​caarlos0)
• ed620f1: docs: update install.md (@​caarlos0)

Other work

• 7e53058: chore(ci): switch artifact attestations gen to actions/attest (@​scop)
• b8b56ef: chore: add .env to .gitignore (@​caarlos0)
• 0513ddb: chore: add comment (@​caarlos0)
• ec28ed7: ci(deps): bump the actions group with 11 updates (@​dependabot[bot])
• b51c2e8: ci(deps): bump the actions group with 7 updates (@​dependabot[bot])

Full Changelog: goreleaser/goreleaser@v2.14.1...v2.14.2

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord and Twitter!

hashicorp/vault (hashicorp/vault)

v1.21.4

Compare Source

SECURITY:

• Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
• vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394

CHANGES:

• core: Bump Go version to 1.25.7
• mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
• ui: Remove ability to bulk delete secrets engines from the list view.

IMPROVEMENTS:

• core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
• secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
• secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.

BUG FIXES:

• core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
• core/identity (enterprise): Fix excessive logging when updating existing aliases
• core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
• plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
• secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
• secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
• secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
• secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
• secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
• secrets/pki: allow glob-style DNS names in alt_names.

v1.21.3

Compare Source

February 05, 2026

SECURITY:

auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.

CHANGES:

core: Bump Go version to 1.25.6

FEATURES:

UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries

IMPROVEMENTS:

core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
sdk: Add alias_metadata to tokenutil fields that auth method roles use.
secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels).
secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.

BUG FIXES:

agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
core (enterprise): Fix crash when seal HSM is disconnected
default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
ui: Fixes login form so ?with= query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing_visibility="unauth"
ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector

rclone/rclone (rclone/rclone)

v1.73.2: rclone v1.73.2

Compare Source

This is the v1.73.2 release of rclone.

Full details of the changes can be found in the changelog.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wallrj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment