chore(deps): update docker.io/cuelang/cue docker tag to v0.15.3

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
docker.io/cuelang/cue	stage	minor	0.13.2 → 0.15.3

---

Release Notes

cue-lang/cue (docker.io/cuelang/cue)

v0.15.3

Compare Source

Evaluator

Fix a panic which could occur when using Expr after LookupPath on a cue.Value.

cmd/cue

Fix a panic which could occur when using cue cmd tasks referencing definitions.

Fix a panic which could occur when cue get go encountered a Go enum type with zero named values.

Encodings

Fix a bug in the TOML decoder where nested arrays were not being correctly mapped to CUE values.

Full list of changes since v0.15.1

• internal/ci: bump Go and goreleaser versions by @​mvdan in 8a91fed
• cmd/cue: avoid panic in get go when an enum has zero named values by @​mvdan in f544b9c
• encoding/toml: forget nested arrays when starting a new array element by @​mvdan in 641c64a
• tools/flow: support task results when defined via definitions by @​mvdan in 6d86ce6
• cmd/cue: add test case for issue #​2633 by @​mvdan in 3544f15
• internal/core/adt: check opID before inheriting parent reqSets by @​mvdan in 3cb0e2d

v0.15.2

Compare Source

v0.15.1

Compare Source

Evaluator

Fix an evalv3 regression first introduced in v0.11.0 where the and built-in function started evaluating its arguments too eagerly, causing failures in cue def.

Fix an evalv3 regression where closedness info could be lost when using a comprehension.

Fix a bug where the evaluator would panic on alias cycles with dynamic fields rather than giving a good error.

LSP

Formatting standalone CUE files - either without a package name, or outside of a CUE module - now works correctly.

Fix a bug where trying to use "find references" on a CUE module with nested modules would cause a hang.

Fix a bug where resolving path roots did not work correctly in the presence of struct embeddings.

cmd/cue

Fix a regression in v0.15.0 where cue get go no longer skipped generating CUE files without any declarations.

Go API

Fix a bug in the subsume package where a struct with a pattern constraint did not subsume a closed struct with a matching field.

Rename the bootstrap build tag used in the internal/filetypes package to cuebootstrap to avoid conflicts with build tags in other Go modules.

Full list of changes since v0.15.0

• bump pinnedReleaseGo and LanguageVersion for v0.15.1 by @​mvdan in 350755e
• lsp/fscache: improve removal of phantom package decls by @​cuematthew in bcc9a45
• internal/lsp: format standalone files without phantom pkg names by @​cuematthew in bf16055
• lsp/definitions: correct resolution of path roots by @​cuematthew in e64569f
• lsp/definitions: add test to show faulty resolution by @​cuematthew in f2076ae
• lsp/cache: stop nested modules from breaking find-references by @​cuematthew in 6d75085
• internal/core/compile: don't panic on an alias cycle with a dynamic field by @​mvdan in cf6c597
• internal/core/compile: revert and to use Func instead of RawFunc by @​mvdan in 37e8637
• cue/testdata: add test case for #​3719 by @​mvdan in de5328e
• internal/core/subsume: fix duplicate logic for pattern constraints by @​mvdan in a229275
• internal/core/subsume: add test cases for pattern constraints by @​mvdan in bca0a55
• internal/filetypes: use a less generic bootstrap build tag by @​mvdan in 94f2f0e
• cmd/cue: do not emit empty CUE files in get go again by @​mvdan in 819474c
• cmd/cue: test that we don't emit empty CUE files without --outfile by @​mvdan in e61516d
• internal/core/adt: check removed scope per conjunct by @​mvdan in 2e8e111
• cue/testdata: add a test case for #​4180 by @​mvdan in f81118c

v0.15.0

Compare Source

Changes which may break some users are marked below with: ⚠️

Note that this release no longer includes a checksums.txt asset; GitHub now provide digests natively.

LSP

This release includes the initial version of cue lsp - with support for "go to definition", "find references", rename, code completion, hover documentation, and code formatting.

See our Getting Started wiki page for instructions on how to set it up with your editor.

Please report any bugs or missing features you encounter via the Issue tracker or via the #lsp channels on Discord or Slack.

Language

explicitopen experiment for #A...

The explicitopen per-file experiment enables the posfix ... operator to explicitly open closed structs, allowing additional fields to be added. This change simplifies CUE's semantics, reduces user confusion, and enables clearer expression of type extensibility patterns.

You can try this experiment by following our how-to guide. For more information, see the proposal on GitHub and the spec change patch.

aliasv2 experiment

The aliasv2 per-file experiment implements the new "postfix aliases" syntax, and introduces a "self" predeclared identifier referring to the innermost surrounding struct or list.

You can try this experiment by following our how-to guide. For more information, see the proposal on GitHub and the spec change patch.

Other experiments

⚠️ With its proposal accepted, the keepvalidators global experiment is now stable, meaning that CUE_EXPERIMENT=keepvalidators is always enabled.

With its proposal accepted, the structcmp per-file experiment is now stable with language.version at v0.15.0 or later, meaning that the @experiment(structcmp) attribute is unnecessary as it's always enabled.

Evaluator

⚠️ Removing evalv2

The old evalv2 evaluator, which previously could be re-enabled via CUE_EXPERIMENT=evalv3=0, is now deleted. The new evalv3 evaluator has been on by default since v0.13.0, and at this point our entire test suite including Unity is working.

Removing the old evaluator reduces significant load on development, as we were able to clear out 4000 lines of code, and simplify the internal types and code structure. This is a necessary step to unblock ongoing feature and performance work in the evaluator.

As a bonus, because the old and new evaluators shared many core evaluator types, removing the fields only used by the old evaluator yields modest memory usage improvements of around 4-6%.

Performance

Evaluating concrete CUE values no longer involves dependency analysis; this should result in modest speed improvements when marshaling to YAML, via either cue export -e expr -o yaml or yaml.Marshal.

Dependency analysis now avoids computing references more than once, which resolves an expontential performance issue for some configurations using chains of CUE references.

Add caching to a part of the typochecker algorithm; this has been measured to provide performance improvements of up to 30% on a few large projects.

cue/parser now reuses more memory, which results in parsing performance improvements of up to 30% and memory savings of up to 50%, especially when loading large CUE data files.

Other changes

File embedding via the @embed attribute has gained an allowEmptyGlob option, to allow glob patterns to match zero files without causing an error.

The evaluator now shows all user errors created with the error builtin when they can be related to a disjunction failure. Previously, the evaluator would try to only show user errors directly part of a disjunction error, but that caused too many omissions.

Some error positions which were lost in the transition from evalv2 to evalv3 have been reintroduced.

Fix a bug where required fields in a definition might not be enforced when unifying with an inline struct in an expression, such as (#RequiresFoo & {bar: "baz"}).bar.

Fix a regression introduced in v0.12.0 where incomplete errors were not being handled consistently if they directly involved the top-level value.

A number of panics and error regressions in the evaluator which were reported since v0.14 have been fixed; thank you to all who reported these.

cmd/cue

A new cue help experiments command is introduced to document all available per-file and global experiments.

The cue fix --exp flag is introduced to rewrite files or packages to use new and experimental semantics with @experiment attributes.

cue mod mirror now copies OCI referrers between registries, which ensures that artifacts like signatures and attestations which reference modules being mirrored are copied as well.

cue mod resolve gains a --deps flag that lists all dependencies of the current module and which registries they resolve to.

cue get go gains an --outfile flag to generate exactly one CUE file for a single Go package, which can be useful when integrating cue get go into build systems like Bazel.

Fix a regression introduced in v0.9.0 where loading a qualified pattern like ./...:pkgname no longer filtered files based on the package name given.

cue get go now stops on any Go package loading error. Trying to continue in the presence of syntax or type-checking errors could lead to generating incorrect CUE.

Encodings

Initial support for encoding CUE schemas as JSON Schema is added. This includes a new encoding/jsonschema.Generate Go API, as well as CLI support via cue def --out jsonschema. This is currently very experimental, and many features are missing. For now, it can only generate a single version of JSON Schema, draft/2020-12.

The YAML library in the archived Go module gopkg.in/yaml.v3 has been replaced by go.yaml.in/yaml/v3, an active fork now maintained by the YAML organization.

cue exp gengotypes is improved to handle more edge cases with CUE package imports which could result in broken Go code.

The Protobuf decoder has been tweaked to not require files such as google/protobuf/timestamp.proto to exist on disk, given that they are mapped to CUE standard library APIs directly.

The Protobuf decoder has also been tweaked to support fully qualified references such as my.pkg.name.MessageName.

A bug is fixed in the TOML decoder where sub-table keys could incorrectly lead to duplicate key errors.

Standard library

The net package has gained new AddIP and AddIPCIDR functions to add numerical offsets to IP addresses or CIDR networks.

The Atoi, ParseInt, and ParseUint functions in the strconv package now work on integers with unlimited precision, like the rest of the CUE evaluator, rather than just a maximum of 64 bits.

Go API

The new cue.Value.IsClosed and cue.Value.IsClosedRecursively methods report whether a value has been closed at the top level or recursively, which is useful information when writing schema encodings.

The new cue.Patterns and cue.Selector.Pattern APIs allow introspecting pattern constraints in CUE struct values.

The new encoding/yaml.Decoder API allows decoding a stream of YAML documents, given that existing APIs did not support streams of multiple YAML documents.

encoding/json gains JSON Pointer APIs, which are already useful in packages like encoding/jsonschema.

cue/ast introduces PostfixExpr to support upcoming additions to the language syntax.

cue/ast introduces StringLabelNeedsQuoting to determine whether a string label needs to be quoted when used in CUE syntax.

cue/ast introduces NewStringLabel to create an ast.Label as either an unquoted identifier or a quoted string, depending on whether the string label needs quoting.

tools/fix has gained new APIs to fix configs to use an active experiment, as well as fixing configs to a newer language version.

cue introduces a Path.Append convenience method.

⚠️ cue/build.Instance.Match is removed, given that it was never set to any value at any point since it was added.

cue/token is adjusted so that node positions within a file never result in an offset which is outside the bounds of the file. This could easily lead to subtle bugs or panics when using node position offsets.

⚠️ The cue/token.Pos.Before method is now rewritten to match cue/token.Pos.Compare, given that it always returned "false" for positions from different files. The method is now deprecated as well.

cue/errors is adjusted so that Positions only collects printable positions, to prevent printing empty positions in the CLI.

cue/ast deprecates the File.Imports field in favor of the File.ImportSpecs iterator method. The iterator method File.ImportDecls is also introduced for completeness.

⚠️ The long-deprecated cue.ResolveReferences option API is now removed.

cue/parser.DeprecationError.Version is deprecated, as tracking CUE language versions via integers has not been used since v0.4.3, and the mechanism was never properly documented.

Full list of changes since v0.14.0

• tools/fix: fix several issues with explicitopen rewrite by @​mpvl in 4aad065
• tools/fix: add some test cases by @​mpvl in 3b2b9b4
• internal/core/adt: add __reclose by @​mpvl in f8bf47a
• doc/ref: clarify exact meaning of value for match* builtins by @​mpvl in a650c53
• internal/ci/base: cue fmt files by @​mpvl in ab19f98
• lsp/definitions: fix find-references (UsagesForOffset) by @​cuematthew in 27f5797
• internal/core/dep: fix dependencies on spread operator by @​mpvl in 5634c58
• internal/core/dep: add test for spread operator by @​mpvl in f1cd0d2
• internal/core/export: handle spread operator by @​mpvl in 52f26f9
• doc/ref/spec.md: document matchN and machIf by @​mpvl in 020764b
• cue/parser: fix too restrictive parser test by @​mpvl in 7d69171
• cue/ast/astutil: handle patching of some references in Apply by @​mpvl in b979ace
• cue/ast/astutil: include Sanitize in TestApply by @​mpvl in 57c6f9f
• tools/fix: do not add spread operator to lists by @​mpvl in 7e9a83e
• all: remove two error results which are always nil by @​mvdan in 6ed9b98
• all: remove three func results which are never used by @​mvdan in eca4996
• cmd/cue: remove unused addInjectionFlags parameter by @​mvdan in 083dd03
• internal/core/adt: make CloseInfo.AncestorPositions an iterator by @​mvdan in 82c321f
• CONTRIBUTING: discourage SSH for Gerrit more actively by @​mvdan in 2e7e5af
• pkg/path: fix test failures when executed with -count N by @​roman-mazur in 1bfde52
• internal/source: simplify ReadAll by @​mvdan in cc3d92d
• internal/source: avoid a NopCloser if src is already a Closer by @​mvdan in 6d58d63
• cue/ast/astutil: avoid walking to the root to reuse scopes by @​mvdan in 4ba9572
• lsp/fscache: set version on token.File by @​cuematthew in e79d2ea
• internal/lsp: simplify processing of package imports by @​cuematthew in bbf6f4f
• cue/ast/astutil: assume LetClause.Expr and Alias.Expr are non-nil by @​mvdan in a77e741
• cue/ast/astutil: reuse scope allocations by @​mvdan in e5706db
• cue/ast: do not allocate in SetComments when it's a no-op by @​mvdan in d88bc99
• cue/parser: reuse commentState allocations by @​mvdan in 1e30ed2
• all: replace two uses of astutil.ParseImportPath by @​mvdan in 2dcf1d8
• cue: use Vertex.SingleConjunct in Value.Source by @​mvdan in dea3faa
• cue/load: ensure that Config.ModuleRoot is clean, like Config.Dir by @​mvdan in 14472be
• cue/load: correctly handle the filesystem root as Config.ModuleRoot by @​mvdan in d7a839b
• encoding/jsonschema: avoid redundant patternProperties in Generate by @​rogpeppe in a8385f8
• cmd/cue: update help text to reflect renamed experiment by @​jpluscplusm in 7d0090a
• cmd/cue/cmd: add --deps flag to 'cue mod resolve' by @​rogpeppe in 15afd50
• cue/load: add test case showing an error when Config.ModuleRoot=="/" by @​mvdan in 44dba4e
• internal/ci/goreleaser: actually disable checksum generation by @​mvdan in 93c434c
• all: remove two obsolete and commented-out APIs by @​mvdan in 25322ae
• lsp/definitions: call pos.Offset() directly by @​cuematthew in 64182de
• internal/lsp: support standalone files with imports in modules by @​cuematthew in 7dcbdf6
• internal/lsp: add support for rename by @​cuematthew in 24300be
• internal/lsp: support references with definitions by @​cuematthew in 6feb520
• cmd/cue: adjust cue get go --outfile logic by @​mvdan in 6491013
• cue/token: rewrite Pos.Before in terms of Pos.Compare by @​mvdan in 6c2aa6a
• cue/token: don't unpack line info in Pos.Compare by @​mvdan in 9623737
• cue/token: remove unnecessary Pos.file nil checks by @​mvdan in 852de61
• cue/token: don't unpack line info in Pos.Offset by @​mvdan in 8972e06
• cue/token: don't unpack line info in Pos.Filename by @​mvdan in 6543708
• cue/token: reuse File.Offset in File.position by @​mvdan in f4ba49b
• cue/ast/astutil: use go fix -inline on ImportPathName by @​mvdan in 1850e9b
• internal/core/layer: rudimentary implementation of layers by @​mpvl in 654b5c0
• internal/core/adt: set t.id only once by @​mpvl in aae1e07
• internal/lsp: wire UsagesForOffset into the LSP by @​cuematthew in bdc3901
• lsp/definitions: implement UsagesForOffset by @​cuematthew in 5303c60
• lsp/definitions: add ability to reset definitions analysis by @​cuematthew in aba5ee2
• lsp/rangeset: add String methods by @​cuematthew in bfe4aba
• encoding/yaml: add Decoder for streaming YAML documents by @​mpvl in 738e6e4
• all: start leveraging go fix -inline by @​mvdan in 70d6a9c
• all: go fix -inline ./... by @​mvdan in 279e355
• all: rename aliasandself experiment to aliasv2 by @​mpvl in b85644f
• encoding/jsonschema: explicit close handling by @​rogpeppe in a94cfbc
• encoding/jsonschema: add tests by @​rogpeppe in 2606457
• internal/ci: don't let "---" lines break git commit trailers by @​mvdan in e735c99
• mod/modregistry: mirror referrers in Client.Mirror by @​rogpeppe in f0d24a9
• all: go fix -slicescontains ./... by @​mvdan in 7b65843
• all: go fix -stringsseq ./... by @​mvdan in 2895806
• internal/core/adt: treat equality bound as open validator by @​mpvl in 15f2a53
• internal/core/adt: add tests for Issue 4142 by @​mpvl in de886bc
• cue/testdata/eval/bounds.txtar: accept v3 as golden by @​mpvl in ff6f38b
• cue: support ... operator in Expr by @​mpvl in 3d8e9ea
• internal/ci: bump Go and goreleaser by @​mvdan in 64a5e68
• update all dependencies by @​mvdan in d4d62e6
• tools/fix: add fixAliasAndSelf by @​mpvl in 2b281ea
• internal/core: make label references work for all field types by @​mpvl in 23a328a
• cue/ast/astutil: add resolver support for postfix aliases by @​mpvl in 4d8b1da
• internal/core/adt: report error for missing required fields by @​mpvl in a25fb94
• internal/core/adt: add tests for issue 3918 by @​mpvl in 166a851
• cue/parser|format: implement postfix alias syntax by @​mpvl in 0eb7de7
• all: apply more gopls suggestions by @​mvdan in 8d2909c
• lsp/definitions: fix broken build due to self renaming by @​cuematthew in 8df341b
• internal/cueexperiment: rename self experiment to aliasandself by @​mpvl in a8dce0b
• internal/ci: use unauthenticated GerritHub URL by @​jpluscplusm in 3dabab4
• cue: add postfix alias syntax infrastructure by @​mpvl in d92ce18
• internal/core/adt: fix disjunction related mem mgmt bug by @​mpvl in 335e4fb
• encoding/jsonschema: optimize items in definitions too by @​rogpeppe in 098b6d1
• encoding/jsonschema: add a test to check optimization in definitions by @​rogpeppe in 29ad8ee
• all: fix a number of bad godocs spotted by gopls by @​mvdan in 5b42b38
• encoding: fix two gopls warnings by @​mvdan in 33621a6
• switch this repository to cue.gerrithub.io by @​mvdan in 2a81d1e
• encoding/jsonschema: use unique item values in Generate by @​rogpeppe in 947c85c
• internal/anyunique: new package by @​rogpeppe in 84c673a
• encoding/jsonschema: recognize pattern constraints in Generate by @​rogpeppe in c356c10
• encoding/jsonschema: fix patternProperties in Extract by @​rogpeppe in fc58592
• encoding/jsonschema: recognize different forms of "const" by @​rogpeppe in 5433cb9
• cue: support iteration over pattern constraints by @​rogpeppe in a6f97a1
• internal/core/adt: cache containsDefID results by @​mvdan in 992c1cd
• internal/core/adt: always print errors in leaf nodes by @​mpvl in 8dce6dc
• internal/ci: stop generating checksums.txt as a release archive by @​mvdan in 15e67c0
• internal/core/adt: turn Vertex.VisitAllConjuncts into an iterator by @​mvdan in 2536d4f
• internal/core/...: fully transition away from Vertex.VisitLeafConjuncts by @​mvdan in 40aa589
• encoding/jsonschema: recognize closed structs in Generate by @​rogpeppe in 113d7b9
• cue: implement IsClosed and IsClosedRecursively by @​mpvl in b28a5f3
• encoding/jsonschema: improve teststats by @​rogpeppe in 28054b0
• encoding/jsonschema: treat close as no-op for now by @​rogpeppe in b670102
• encoding/jsonschema: recognize list.MatchN in Generate by @​rogpeppe in 09a0f42
• encoding/jsonschema: recognize explicit errors in CUE by @​rogpeppe in d293a17
• encoding/jsonschema: use error builtin rather than _|_ by @​rogpeppe in 49126bb
• cue: add test case for the fixed bug 4037 by @​mvdan in 5c6dd1c
• cue: fix panic in LookupPath on unfinalized arcs by @​rogpeppe in 4160e88
• encoding/jsonschema: recognize matchIf in Generate by @​rogpeppe in fedcd87
• internal/core/adt: avoid hang on self-references through "let" by @​mvdan in 85e008d
• encoding/yaml: consistently use cue.Concrete when calling Value.Syntax by @​mvdan in 39d559b
• encoding/jsonschema: use more generic siblings function by @​rogpeppe in 366de4b
• encoding/jsonschema: minor improvements to Generate by @​rogpeppe in 06d8b91
• encoding/jsonschema: add a few tests by @​rogpeppe in 2efaae1
• encoding/jsonschema: recognize matchN in Generate by @​rogpeppe in 40a9710
• encoding/jsonschema: round trip external tests by @​rogpeppe in 899a983
• encoding/jsonschema: list support by @​rogpeppe in b4b3d1b
• encoding/jsonschema: improve mergeAllOf behavior by @​rogpeppe in b8e3859
• internal/core/adt: test TopKind in TestKindString by @​mvdan in 42731c2
• all: continue transition away from adt.Vertex.VisitLeafConjuncts by @​mvdan in 658608c
• encoding/jsonschema: adjust for net/url fix in go@​master by @​mvdan in f79aafe
• internal/core/adt: add the Vertex.LeafConjuncts iterator by @​mvdan in 2af8a20
• internal/core/adt: turn VisitConjuncts into ConjunctsSeq by @​mvdan in b33320b
• internal/mod/semver: clean up with cmp.Compare by @​mvdan in a85df20
• cmd/cue: clarify what version affects experiments by @​mvdan in ef2044e
• cmd/cue: add --outfile flag to get go by @​fionera in a6eaaf6
• encoding/jsonschema: use ast.Expr rather than map by @​rogpeppe in 77c93c6
• encoding/jsonschema: add test case for regular fields by @​rogpeppe in e58947e
• internal/encoding: add jsonschema as an output format by @​rogpeppe in 577c245
• internal/encoding: do not require input to be concrete for concrete output formats by @​rogpeppe in 9305978
• internal/encoding: refactor Encoder.Encode, Encoder.EncodeFile by @​rogpeppe in 93c27cc
• cmd/cue: explain package instances in cue-help-inputs by @​jpluscplusm in 103b1ce
• cmd/cue: rewrite export help text by @​jpluscplusm in ff5711d
• internal/cuetxtar: do not skip tests on Instance failure by @​rogpeppe in d62b617
• Revert "mod/modregistry: mirror referrers in Client.Mirror" by @​mvdan in 6f47bbf
• mod/modregistry: mirror referrers in Client.Mirror by @​rogpeppe in 9b06b4c
• encoding/jsonschema: implement Generate by @​rogpeppe in c60b98a
• cue/ast: simplify IsValidIdent logic via strings.CutPrefix by @​mvdan in 53ace20
• cue: reuse internal.IsDef to tell if a name is a definition by @​mvdan in c486bc3
• encoding/jsonschema: remove unused state.value method by @​mvdan in 14a7236
• cue/literal: properly include hashes in escape sequences in bytes by @​mvdan in d21fac3
• cue/literal: add test case for lossy bytes quoting by @​mvdan in d8c663c
• cmd/cue/cmd: alias cue help experiment by @​rogpeppe in 5432a20
• internal/encoding/gotypes: handle CUE import aliases and duplicates by @​phoban01 in ba534b5
• all: run cuetxtar garbage collection by @​rogpeppe in 3e1e769
• internal/cuetxtar: implement garbage collection by @​rogpeppe in a3eb068
• cue/ast: rename NewLabel to NewStringLabel by @​mvdan in 869b034
• cue/build: remove the Instance.Match field, which was never set by @​mvdan in dc3731d
• cue/literal: use Form.tripleQuote when quoting a string by @​mvdan in af175ed
• cue/ast: remove commented out bits of code by @​mvdan in ed355b0
• internal/core/compile: properly quote labels in error message paths by @​mvdan in 01181e9
• cue/testdata: add a test case for quoting paths in evaluator errors by @​mvdan in 08d34f9
• cue/format: remove unnecessary IsDefOrHidden check by @​mvdan in 0010744
• encoding: use ast.StringLabelNeedsQuoting by @​mvdan in a73e4cd
• cue/ast: add StringLabelNeedsQuoting by @​mvdan in 1f88e1a
• internal/cuetdtest: consider the first item in a Matrix to be default by @​rogpeppe in 1bc296c
• cue/stats: use ResolveDep in arithmetic by @​rogpeppe in 37ebf7e
• cue/testdata/basicrewrite: use consistent spelling for "diff/explanation" by @​rogpeppe in 8332fd5
• internal/core/adt: "write" stats file even when it isn't changing by @​rogpeppe in 1873f84
• lsp/cache: be robust for nil file content by @​cuematthew in ec216cf
• cue/parser: use more robust logic for detecting the end of an interpolation by @​rogpeppe in afdde34
• cue/parser: add test case for string interpolation edge case by @​rogpeppe in 276bcce
• cue/scanner: document how interpolations work by @​rogpeppe in 7e9543b
• update all dependencies by @​mvdan in 5944fee
• lsp/definitions: add support for the self experiment by @​cuematthew in d4f9bfb
• lsp/definitions: completions from dot should be zero width by @​cuematthew in 5c15642
• lsp/cache: prevent files from being both standalone and module/package by @​cuematthew in 9357acf
• cue/ast: tweak ParseImportPath to treat :pkgname as .:pkgname by @​mvdan in 0a41be8
• cmd/cue: add a test case for the recent :pkgname CLI argument regression by @​mvdan in a880c06
• lsp/cache: add support for standalone files by @​cuematthew in 632f9b7
• internal/lsp: refactoring by @​cuematthew in ab67c05
• cue/load: respect package qualifiers when matching wildcard packages by @​rogpeppe in a862f84
• cue/loader: add test for issue 4110 by @​rogpeppe in 36bcb3e
• internal/core/adt: add Kind.AllKinds and Kind.Count methods by @​rogpeppe in 313e0c1
• internal/export: cater for NodeLink by @​rogpeppe in [b2a7b29](https://redirect.github.com/cue-lang/cue/commit/b2a7b29cdb775ffaa4c11cf32

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Overview

Image reference	djaytan/papermc-server:1.21.4	djaytan/papermc-server:test
- digest	dd01deeeb832	671d38942c21
- tag	1.21.4	test
- stream	latest
- provenance	221f80c
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	133 MB	144 MB (+11 MB)
- packages	170	179 (+9)
Base Image	alpine:3.22.0 also known as: • 3 • 3.22 • latest	alpine:3 also known as: • 3.22 • latest
- vulnerabilities

Policies (1 improved, 1 worsened, 3 missing data)

Policy Name	djaytan/papermc-server:1.21.4	djaytan/papermc-server:test	Change	Standing
No unapproved base images	⚠️ 1	❓ No data
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	⚠️ 17	⚠️ 15	-2	Improved
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	✅	❓ No data
SonarQube quality gates passed	❓ No data	❓ No data
Supply chain attestations	✅	⚠️ 2	+2	Worsened

Packages and Vulnerabilities (25 package changes and 5 vulnerability changes)

• ➕ 9 packages added
• ➖ 2 packages removed
• ♾️ 14 packages changed
• 150 packages unchanged

• ❗ 5 vulnerabilities added

Changes for packages of type apk (8 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
➕	alpine-base		3.22.0-r0
➕	ca-certificates		20241121-r2
➕	gcc		14.2.0-r6
♾️	libxml2	2.13.9-r0	2.13.8-r0
			Added vulnerabilities (5):
➕	ncurses		6.5_p20250503-r0
➕	openssl		3.5.0-r0
			Added vulnerabilities (4):
➕	pax-utils		1.3.8-r1
➕	xz		5.8.1-r0

Changes for packages of type generic (2 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
➖	openjdk	21.0.7
➕	openjdk		21.0.7

Changes for packages of type golang (15 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
♾️	cuelabs.dev/go/oci/ociregistry	0.0.0-20250304105642-27e071d2c9b1	0.0.0-20250722084951-074d06050084
♾️	cuelang.org/go	0.13.2	0.15.3
♾️	github.com/emicklei/proto	1.14.0	1.14.2
♾️	github.com/protocolbuffers/txtpbfmt	0.0.0-20250129171521-feedd8250727	0.0.0-20251016062345-16587c79cd91
♾️	github.com/spf13/cobra	1.9.1	1.10.1
♾️	github.com/spf13/pflag	1.0.6	1.0.10
➕	go.yaml.in/yaml/v3		3.0.4
♾️	golang.org/x/mod	0.24.0	0.29.0
♾️	golang.org/x/net	0.39.0	0.46.0
♾️	golang.org/x/oauth2	0.29.0	0.32.0
♾️	golang.org/x/sync	0.13.0	0.17.0
♾️	golang.org/x/text	0.24.0	0.30.0
♾️	golang.org/x/tools	0.32.0	0.38.0
➖	gopkg.in/yaml.v3	3.0.1
♾️	stdlib	1.24.4	1.25.5
		Removed vulnerabilities (13):

[github-actions]

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test

digest	sha256:671d38942c2170995aab338158064a3ca2b54134bfda1c24ed69f118292435e3
vulnerabilities
platform	linux/amd64
size	144 MB
packages	179

📦 Base Image alpine:3

also known as	3.22 3.22.0 latest
digest	sha256:08001109a7d679fe33b04fa51d681bd40b975d8f5cea8c3ef6c0eccb6a7338ce
vulnerabilities

libxml2 2.13.8-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22 Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.459% EPSS Percentile 63rd percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.263% EPSS Percentile 49th percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.584% EPSS Percentile 68th percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.141% EPSS Percentile 35th percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.017% EPSS Percentile 3rd percentile Description

stdlib 1.24.4 (golang) pkg:golang/[email protected] Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.014% EPSS Percentile 2nd percentile Description Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.026% EPSS Percentile 7th percentile Description The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.026% EPSS Percentile 7th percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.015% EPSS Percentile 3rd percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.015% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.009% EPSS Percentile 1st percentile Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.015% EPSS Percentile 2nd percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.025% EPSS Percentile 6th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.019% EPSS Percentile 4th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.029% EPSS Percentile 8th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.025% EPSS Percentile 6th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.014% EPSS Percentile 2nd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

org.apache.commons/commons-compress 1.5 (maven) pkg:maven/org.apache.commons/[email protected] Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.802% EPSS Percentile 74th percentile Description When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.437% EPSS Percentile 80th percentile Description When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.893% EPSS Percentile 83rd percentile Description When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Excessive Iteration Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.811% EPSS Percentile 74th percentile Description When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.3 <1.26.0 Fixed version 1.26.0 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H EPSS Score 0.018% EPSS Percentile 4th percentile Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

openssl 3.5.0-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22 Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.026% EPSS Percentile 7th percentile Description Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.016% EPSS Percentile 3rd percentile Description Affected range <3.5.1-r0 Fixed version 3.5.1-r0 EPSS Score 0.019% EPSS Percentile 4th percentile Description Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.028% EPSS Percentile 7th percentile Description

com.google.protobuf/protobuf-java 4.26.1 (maven) pkg:maven/com.google.protobuf/[email protected] Improper Input Validation Affected range >=4.0.0-RC1 <4.27.5 Fixed version 4.27.5 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.077% EPSS Percentile 23rd percentile Description Summary When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [email protected] Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. Severity CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication) This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. Proof of Concept For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness. Remediation and Mitigation We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages: protobuf-java (3.25.5, 4.27.5, 4.28.2) protobuf-javalite (3.25.5, 4.27.5, 4.28.2) protobuf-kotlin (3.25.5, 4.27.5, 4.28.2) protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2) com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

golang.org/x/net 0.34.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <0.38.0 Fixed version 0.38.0 CVSS Score 5.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N EPSS Score 0.021% EPSS Percentile 5th percentile Description The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). Misinterpretation of Input Affected range <0.36.0 Fixed version 0.36.0 CVSS Score 4.4 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L EPSS Score 0.023% EPSS Percentile 5th percentile Description Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

commons-lang/commons-lang 2.6 (maven) pkg:maven/commons-lang/[email protected] Uncontrolled Recursion Affected range >=2.0 <=2.6 Fixed version Not Fixed CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N EPSS Score 0.016% EPSS Percentile 3rd percentile Description Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

busybox 1.37.0-r18 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22 Affected range <1.37.0-r20 Fixed version 1.37.0-r20 EPSS Score 0.018% EPSS Percentile 4th percentile Description Affected range <1.37.0-r20 Fixed version 1.37.0-r20 EPSS Score 0.021% EPSS Percentile 5th percentile Description

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud