build(deps): bump the go_modules group across 5 directories with 8 updates

[dependabot]

Bumps the go_modules group with 7 updates in the / directory:

Package	From	To
golang.org/x/crypto	0.38.0	0.45.0
github.com/go-viper/mapstructure/v2	2.0.0-alpha.1	2.4.0
filippo.io/edwards25519	1.1.0	1.1.1
github.com/cloudflare/circl	1.3.7	1.6.1
github.com/docker/docker	27.4.1+incompatible	28.0.0+incompatible
github.com/go-git/go-git/v5	5.13.1	5.16.5
github.com/ulikunitz/xz	0.5.11	0.5.14

Bumps the go_modules group with 1 update in the /gokrazy/natlabapp.arm64/builddir/github.com/gokrazy/gokrazy/cmd/dhcp directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /gokrazy/natlabapp/builddir/github.com/gokrazy/gokrazy/cmd/dhcp directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /gokrazy/tsapp/builddir/github.com/gokrazy/breakglass directory: golang.org/x/crypto.
Bumps the go_modules group with 1 update in the /gokrazy/tsapp/builddir/github.com/gokrazy/gokrazy/cmd/dhcp directory: golang.org/x/net.

Updates golang.org/x/crypto from 0.38.0 to 0.45.0

Commits

• 4e0068c go.mod: update golang.org/x dependencies
• e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
• f91f7a7 ssh/agent: prevent panic on malformed constraint
• 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
• bcf6a84 acme: pass context to request
• b4f2b62 ssh: fix error message on unsupported cipher
• 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
• 122a78f go.mod: update golang.org/x dependencies
• c0531f9 all: eliminate vet diagnostics
• 0997000 all: fix some comments
• Additional commits viewable in compare view

Updates github.com/go-viper/mapstructure/v2 from 2.0.0-alpha.1 to 2.4.0

Release notes

Sourced from github.com/go-viper/mapstructure/v2's releases.

v2.4.0

What's Changed

• refactor: replace interface{} with any by @​sagikazarmark in go-viper/mapstructure#115
• build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by @​dependabot[bot] in go-viper/mapstructure#114
• Generic tests by @​sagikazarmark in go-viper/mapstructure#118
• Fix godoc reference link in README.md by @​peczenyj in go-viper/mapstructure#107
• feat: add StringToTimeLocationHookFunc to convert strings to *time.Location by @​ErfanMomeniii in go-viper/mapstructure#117
• feat: add back previous StringToSlice as a weak function by @​sagikazarmark in go-viper/mapstructure#119

New Contributors

• @​ErfanMomeniii made their first contribution in go-viper/mapstructure#117

Full Changelog: go-viper/mapstructure@v2.3.0...v2.4.0

v2.3.0

What's Changed

• build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot in go-viper/mapstructure#46
• build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @​dependabot in go-viper/mapstructure#47
• [enhancement] Add check for reflect.Value in ComposeDecodeHookFunc by @​mahadzaryab1 in go-viper/mapstructure#52
• build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by @​dependabot in go-viper/mapstructure#51
• build(deps): bump actions/checkout from 4.2.0 to 4.2.2 by @​dependabot in go-viper/mapstructure#50
• build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @​dependabot in go-viper/mapstructure#55
• build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @​dependabot in go-viper/mapstructure#58
• ci: add Go 1.24 to the test matrix by @​sagikazarmark in go-viper/mapstructure#74
• build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.5.0 by @​dependabot in go-viper/mapstructure#72
• build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot in go-viper/mapstructure#76
• build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by @​dependabot in go-viper/mapstructure#78
• feat: add decode hook for netip.Prefix by @​tklauser in go-viper/mapstructure#85
• Updates by @​sagikazarmark in go-viper/mapstructure#86
• build(deps): bump github/codeql-action from 2.13.4 to 3.28.15 by @​dependabot in go-viper/mapstructure#87
• build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in go-viper/mapstructure#93
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.17 by @​dependabot in go-viper/mapstructure#92
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.19 by @​dependabot in go-viper/mapstructure#97
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot in go-viper/mapstructure#96
• Update README.md by @​peczenyj in go-viper/mapstructure#90
• Add omitzero tag. by @​Crystalix007 in go-viper/mapstructure#98
• Use error structs instead of duplicated strings by @​m1k1o in go-viper/mapstructure#102
• build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by @​dependabot in go-viper/mapstructure#101
• feat: add common error interface by @​sagikazarmark in go-viper/mapstructure#105
• update linter by @​sagikazarmark in go-viper/mapstructure#106
• Feature allow unset pointer by @​rostislaved in go-viper/mapstructure#80

New Contributors

• @​tklauser made their first contribution in go-viper/mapstructure#85
• @​peczenyj made their first contribution in go-viper/mapstructure#90
• @​Crystalix007 made their first contribution in go-viper/mapstructure#98
• @​rostislaved made their first contribution in go-viper/mapstructure#80

Full Changelog: go-viper/mapstructure@v2.2.1...v2.3.0

... (truncated)

Commits

• b9794a5 Merge pull request #119 from go-viper/string-to-weak-slice
• 17cdcb0 feat: add back previous StringToSlice as a weak function
• 3caca36 Merge pull request #117 from ErfanMomeniii/main
• 9a861bc Merge pull request #107 from peczenyj/patch-2
• 86ed5b5 refactor: update
• ace5b4e chore: add interface any linter
• 1a4f1ae Merge pull request #118 from go-viper/generic-tests
• a268909 fix: lint
• 17f1fd4 test: add more comments
• b48c856 test: expand tests
• Additional commits viewable in compare view

Updates filippo.io/edwards25519 from 1.1.0 to 1.1.1

Commits

• d1c650a extra: initialize receiver in MultiScalarMult
• See full diff in compare view

Updates github.com/cloudflare/circl from 1.3.7 to 1.6.1

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.1

• Fixes some point checks on the FourQ curve.
• Hybrid KEM fails on low-order points.

What's Changed

• kem/hybrid: ensure X25519 hybrids fails with low order points by @​Lekensteyn in cloudflare/circl#541
• .github: Use native ARM64 builders instead of QEMU by @​Lekensteyn in cloudflare/circl#542
• Fixes several errors on twisted Edwards curves. by @​armfazh in cloudflare/circl#545
• Release v1.6.1 by @​armfazh in cloudflare/circl#546

Full Changelog: cloudflare/circl@v1.6.0...v1.6.1

CIRCL v1.6.0

New!

• Prio3 Verifiable Distributed Aggregation Function (draft-irtf-cfrg-vdaf).
• X-Wing: general-purpose hybrid post-quantum KEM (draft-connolly-cfrg-xwing-kem)

What's Changed

• Add OIDs to ML-DSA by @​bwesterb in cloudflare/circl#519
• Adds Prio3 a set of verifiable distributed aggregation functions. by @​armfazh in cloudflare/circl#522
• Run semgrep cronjob only in upstream repository. by @​armfazh in cloudflare/circl#526
• X-Wing PQ/T hybrid by @​bwesterb in cloudflare/circl#471
• ckem: move crypto/elliptic to crypto/ecdh by @​MingLLuo in cloudflare/circl#529
• hpke: Update HPKE code to use ecdh stdlib package. by @​armfazh in cloudflare/circl#530
• prio3: Adds polynomial multiplication using NTT by @​armfazh in cloudflare/circl#532
• Add Prio3 in readme. by @​armfazh in cloudflare/circl#527

New Contributors

• @​MingLLuo made their first contribution in cloudflare/circl#529

Full Changelog: cloudflare/circl@v1.5.0...v1.6.0

CIRCL v1.5.0

New: ML-DSA, Module-Lattice-based Digital Signature Algorithm.

What's Changed

• kem: add X25519MLKEM768 TLS hybrid KEM by @​bwesterb in cloudflare/circl#510
• Create semgrep.yml by @​hrushikeshdeshpande in cloudflare/circl#514
• repo: Some fixes reported by CodeQL by @​armfazh in cloudflare/circl#515
• Add ML-DSA (FIPS204) by @​bwesterb in cloudflare/circl#480
• sign/mldsa: Add test for ML-DSA signature verification. by @​armfazh in cloudflare/circl#517
• Release v1.5.0 by @​armfazh in cloudflare/circl#518

New Contributors

• @​hrushikeshdeshpande made their first contribution in cloudflare/circl#514

Full Changelog: cloudflare/circl@v1.4.0...v1.5.0

... (truncated)

Commits

• c6d33e3 Release v1.6.1
• 0c3868e curve4q: Shared must fail with low order points.
• 9fd570d curve4q: Test showing DH does not fails on identity point.
• c988ceb fourq: Correctly unmarshalling point.
• ef2611d fourq: Test showing point unmarshal fails.
• 05eba44 fourq: Handle the case of Z=0 for IsOnCurve and IsEqual.
• eef0878 fourq: Test showing isEqual and IsOnCurve fail.
• 2298474 goldilocks; Handling points with z=0.
• 5a940a1 goldilocks: Test for IsEqual must fail with Z=0
• 48c3b6a ed25519: Fix isEqual to handle points with Z=0.
• Additional commits viewable in compare view

Updates github.com/docker/docker from 27.4.1+incompatible to 28.0.0+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.0 milestone
• moby/moby, 28.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
  • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
• docker images --tree now shows metadata badges. docker/cli#5744
• docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
• Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
• docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
• Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

• The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
  • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
  • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
• DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
  • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
• Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
  • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
  • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
• The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
• Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
• Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
  • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
  • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
  • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
  • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
• If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

• dockerd now requires ipset support in the Linux kernel. moby/moby#48596
  • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
  • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
    • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
• Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
• Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325

... (truncated)

Commits

• af898ab Merge pull request #49495 from vvoland/update-buildkit
• d67f035 vendor: github.com/moby/buildkit v0.20.0
• 00ab386 Merge pull request #49491 from vvoland/update-buildkit
• 1fde8c4 builder-next: fix cdi manager
• cde9f07 vendor: github.com/moby/buildkit v0.20.0-rc3
• 89e1429 Merge pull request #49490 from thaJeztah/dockerfile_linting
• b2b5590 Dockerfile: fix linting warnings
• 62bc597 Merge pull request #49480 from thaJeztah/docs_api_1.48
• 670cd81 Merge pull request #49485 from vvoland/c8d-list-panic
• a3628f3 docs/api: add documentation for API v1.48
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.13.1 to 5.16.5

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.5

What's Changed

• build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1744
• build: Bump Go test versions to 1.23-1.25 (v5) by @​pjbgf in go-git/go-git#1746
• [v5] git: worktree, Don't delete local untracked files when resetting worktree by @​Ch00k in go-git/go-git#1800
• Expand packfile checks by @​pjbgf in go-git/go-git#1836

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

v5.16.4

What's Changed

• backport plumbing: format/idxfile, prevent panic by @​swills in go-git/go-git#1732
• [backport] build: test, Fix build on Windows. by @​pjbgf in go-git/go-git#1734
• build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1742
• build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1741
• build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1743

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

v5.16.3

What's Changed

• internal: Expand regex to fix build [5.x] by @​baloo in go-git/go-git#1644
• build: raise timeouts for windows CI tests and disable CIFuzz [5.x] by @​baloo in go-git/go-git#1646
• plumbing: support commits extra headers, support jujutsu signed commit [5.x] by @​baloo in go-git/go-git#1633

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

v5.16.2

What's Changed

• utils: fix diff so subpaths work for sparse checkouts, fixes 1455 to releases/v5.x by @​kane8n in go-git/go-git#1567

Full Changelog: go-git/go-git@v5.16.1...v5.16.2

v5.16.1

What's Changed

• utils: merkletrie, Fix diff on sparse-checkout index. Fixes #1406 to releases/v5.x by @​kane8n in go-git/go-git#1561

New Contributors

• @​kane8n made their first contribution in go-git/go-git#1561

Full Changelog: go-git/go-git@v5.16.0...v5.16.1

v5.16.0

What's Changed

• [v5] plumbing: support mTLS for HTTPS protocol by @​hiddeco in go-git/go-git#1510
• v5: plumbing: transport, Reintroduce SetHostKeyCallback. Fix #1514 by @​pjbgf in go-git/go-git#1515

... (truncated)

Commits

• 48a1ae0 Merge pull request #1836 from go-git/check-v5
• 42bdf1f storage: filesystem, Verify idx matches pack file
• 4146a56 plumbing: format/idxfile, Verify idxfile's checksum
• 63d78ec plumbing: format/packfile, Add new ErrMalformedPackFile
• 25f1624 Merge pull request #1800 from Ch00k/no-delete-untracked-v5
• 600fb13 git: worktree, Don't delete local untracked files when resetting worktree
• 390a569 Merge pull request #1746 from pjbgf/bump-go
• 61c8b85 build: Bump Go test versions to 1.23-1.25 (v5)
• e5a05ec Merge pull request #1744 from go-git/renovate/releases/v5.x-go-golang.org-x-c...
• 1495930 plumbing: Remove use of non-constant format strings
• Additional commits viewable in compare view

Updates github.com/ulikunitz/xz from 0.5.11 to 0.5.14

Commits

• 7184815 Preparation of release v0.5.14
• 88ddf1d Address Security Issue GHSA-jc7w-c686-c4v9
• c8314b8 Add new package xio with WriteCloserStack
• 4f11dce Update README.md and SECURITY.md to address security questions
• f56ebbf TODO.md: fix a typo
• See full diff in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.17.0 to 0.45.0

Commits

• 4e0068c go.mod: update golang.org/x dependencies
• e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
• f91f7a7 ssh/agent: prevent panic on malformed constraint
• 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
• bcf6a84 acme: pass context to request
• b4f2b62 ssh: fix error message on unsupported cipher
• 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
• 122a78f go.mod: update golang.org/x dependencies
• c0531f9 all: eliminate vet diagnostics
• 0997000 all: fix some comments
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits

• e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
• ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
• 1f1fa29 publicsuffix: regenerate table
• 1215081 http2: improve error when server sends HTTP/1
• 312450e html: ensure <search> tag closes <p> and update tests
• 09731f9 http2: improve handling of lost PING in Server
• 55989e2 http2/h2c: use ResponseController for hijacking connections
• 2914f46 websocket: re-recommend gorilla/websocket
• 99b3ae0 go.mod: update golang.org/x dependencies
• 85d1d54 go.mod: update golang.org/x dependencies
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.