chore(deps): update module github.com/theupdateframework/go-tuf to v2

[renovate-rancher]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/theupdateframework/go-tuf	v0.7.0 -> v2.3.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

theupdateframework/go-tuf (github.com/theupdateframework/go-tuf)

v2.3.0

Compare Source

What's Changed

• Update the config for govulncheck by @​rdimitrov in #​697
• Bump Go to 1.24.9 by @​rdimitrov in #​698

Full Changelog: theupdateframework/go-tuf@v2.2.0...v2.3.0

v2.2.0

Compare Source

What's Changed

• fix: treat http 403 as an updater error by @​MDr164 in #​687
• chore(deps): bump github.com/sigstore/sigstore from 1.8.4 to 1.8.7 by @​dependabot[bot] in #​646
• chore(deps): bump github.com/cenkalti/backoff/v5 from 5.0.2 to 5.0.3 by @​dependabot[bot] in #​690
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.9.0 to 0.9.1 by @​dependabot[bot] in #​691
• chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 by @​dependabot[bot] in #​692
• chore(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1 by @​dependabot[bot] in #​693
• chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @​dependabot[bot] in #​694

Full Changelog: theupdateframework/go-tuf@v2.1.1...v2.2.0

v2.1.1

Compare Source

What's Changed

Fixed a regression that can fail clients using the DefaultFetcher{} directly without using the constructor.

• Set a default HTTP client for DefaultFetcher in DownloadFile method if none is set by @​malancas in #​686

Full Changelog: theupdateframework/go-tuf@v2.1.0...v2.1.1

v2.1.0

Compare Source

What's Changed

• Move the repository package under examples/repository by @​rdimitrov in #​656
• docs: Joshua retiring as a maintainer by @​joshuagl in #​657
• fix: multirepo potential nil pointer dereference by @​MrDan4es in #​658
• chore(deps): bump golang.org/x/crypto from 0.23.0 to 0.31.0 by @​dependabot in #​661
• chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot in #​662
• chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @​dependabot in #​663
• Use the correct verifier for RSA PSS scheme keys by @​rdimitrov in #​625
• updater.go: replace os.WriteFile with file.Write() by @​udf2457 in #​669
• Remove readFile() and reverseSlice() in favour of stdlib by @​udf2457 in #​671
• updater.go: replace url.QueryEscape() with url.PathEscape() by @​udf2457 in #​675
• Bump Go to 1.22 by @​rdimitrov in #​677
• chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @​dependabot in #​679
• chore: make function comment match function name by @​suchsoon in #​680
• Update README.md by @​trishankatdatadog in #​681
• chore(deps): bump golang.org/x/crypto from 0.31.0 to 0.35.0 by @​dependabot in #​683
• Allow users to configure custom http.Client or http.RoundTripper in DefaultFetcher by @​malancas in #​682
• Allow users to configure retry behavior in DefaultFetcher by @​malancas in #​684
• Added back timeout to the fetcher DownloadFile method to avoid a breaking change. by @​kommendorkapten in #​685

New Contributors

• @​MrDan4es made their first contribution in #​658
• @​suchsoon made their first contribution in #​680

Full Changelog: theupdateframework/go-tuf@v2.0.2...v2.1.0

v2.0.2

Compare Source

What's Changed

• Error in case the delegated role is missing from the snapshot by @​rdimitrov in #​652

Full Changelog: theupdateframework/go-tuf@v2.0.1...v2.0.2

v2.0.1

Compare Source

What's Changed

Security

• Fix incorrect delegation lookups that can make go-tuf download the wrong artifact by @​rdimitrov (Thanks to @​AdamKorcz for reporting it). This fixes CVE-2024-47534 GHSA-4f8r-qqr9-fq8j

Other

• Update MAINTAINERS.md by @​trishankatdatadog in #​647
• Update the staging TUF repo in the multi-repo example by @​rdimitrov in #​650
• Fix branch name in multi-repo client example by @​rdimitrov in #​651

Full Changelog: theupdateframework/go-tuf@v2.0.0...v2.0.1

v2.0.0

Compare Source

Breaking changes

• This is the first release of go-tuf v2 and it's a complete re-write indicated by the new major version.
• We also decided to leave go-tuf as a library only.

What's Changed

• chore: fixes the CI status badge and updates the README.md file by @​rdimitrov in #​569
• chore(deps): bump securesystemslib from 0.30.0 to 0.31.0 by @​dependabot in #​570
• docs: add Marvin Drees to the list of go-tuf maintainers by @​rdimitrov in #​571
• chore(deps): bump actions/setup-python from 4.7.1 to 5.0.0 by @​dependabot in #​572
• chore: enable grouping of minor and patch updates. by @​kommendorkapten in #​580
• fix: update tests.yml bumping golangci-lint by @​rdimitrov in #​582
• chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 by @​dependabot in #​573
• chore(deps): bump github/codeql-action from 2 to 3 by @​dependabot in #​574
• chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @​dependabot in #​575
• chore(deps): bump golang.org/x/term from 0.15.0 to 0.16.0 by @​dependabot in #​577
• chore(deps): bump the minor-patch group with 2 updates by @​dependabot in #​581
• feat!: move rdimitrov/go-tuf-metadata to github.com/theupdateframework/go-tuf/v2 by @​rdimitrov in #​583
• Update license from BSD-2-Clause to Apache-2.0 by @​rdimitrov in #​585
• chore(deps): bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1 by @​dependabot in #​584
• Replace main with master in workflows by @​kipz in #​587
• Do not pin to minor Go versions in go.mod by @​rdimitrov in #​588
• Fixes for windows & enable in CI by @​kipz in #​586
• Bring back SECURITY.md by @​trishankatdatadog in #​591
• remove dependency on golang.org/x/exp by @​mikedanese in #​600
• Refactor errors to use pointer receivers by @​codysoyland in #​602
• move testutils under an ./internal/ directory by @​mikedanese in #​601
• Enable macos and windows runners for examples.yml and tests.yml by @​rdimitrov in #​604
• Do not run CI for all Go versions and use caching by @​rdimitrov in #​606
• chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 by @​dependabot in #​610
• Don't rename unless file is in same dir by @​jonnystoten in #​603
• Use filepath.Join when combining filesystem components by @​kommendorkapten in #​611
• Always use forward slash when splitting target names by @​kommendorkapten in #​612
• chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 by @​dependabot in #​614
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @​dependabot in #​615
• chore(deps): use stdlib ed25519 instead of x by @​MDr164 in #​620
• chore(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @​dependabot in #​621
• chore(ci): bump action hashes by @​MDr164 in #​618
• chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 by @​dependabot in #​622
• Silence govulncheck by @​MDr164 in #​619
• feat: replace logrus in sim with slog by @​MDr164 in #​617
• repository_simulator_setup.go: Use filepath.Join() instead of concatenation by @​udf2457 in #​624
• Fixes README references from rdimitrov/go-tuf-metadata to theupdateframework/go-tuf by @​rdimitrov in #​626
• fix: use SHA384 for ECDSA P384 by @​mrjoelkamp in #​629
• chore(deps): bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 by @​dependabot in #​627
• Remove nil error from being printed in "persist metadata" error message by @​malancas in #​633
• fix: deep targets file path by @​mrjoelkamp in #​632
• feat: add missing CODEOWNERS and MAINTAINERS file by @​MDr164 in #​635
• Update MAINTAINERS by @​trishankatdatadog in #​636
• chore(deps): bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 by @​dependabot in #​637
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @​dependabot in #​640
• fix: configurable temp file directory by @​mrjoelkamp in #​638
• export API to set RefTime of Updater by @​AdamKorcz in #​641
• Add the ability to customize the HTTP user agent by @​steiza in #​642
• Increase the default value for MaxRootRotations by @​kommendorkapten in #​645

New Contributors

• @​kipz made their first contribution in #​587
• @​mikedanese made their first contribution in #​600
• @​codysoyland made their first contribution in #​602
• @​jonnystoten made their first contribution in #​603
• @​MDr164 made their first contribution in #​620
• @​mrjoelkamp made their first contribution in #​629
• @​malancas made their first contribution in #​633
• @​AdamKorcz made their first contribution in #​641
• @​steiza made their first contribution in #​642

Full Changelog: theupdateframework/go-tuf@v0.7.0...v2.0.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[renovate-rancher]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/sigstore/sigstore	v1.8.3 -> v1.8.4
github.com/spf13/cobra	v1.8.0 -> v1.8.1
golang.org/x/oauth2	v0.19.0 -> v0.20.0

[renovate-rancher]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: mod upgrade --mod-name=github.com/theupdateframework/go-tuf -t=2
could not load package: err: exit status 1: stderr: go: inconsistent vendoring in /tmp/renovate/repos/github/neuvector/sigstore-interface:
	github.com/theupdateframework/go-tuf/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/cenkalti/backoff/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/secure-systems-lab/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/spf13/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/spf13/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	golang.org/x/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	golang.org/x/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	golang.org/x/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	golang.org/x/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	golang.org/x/[email protected]: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/cenkalti/backoff/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/secure-systems-lab/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/spf13/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/spf13/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/theupdateframework/go-tuf/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	golang.org/x/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	golang.org/x/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	golang.org/x/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	golang.org/x/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	golang.org/x/[email protected]: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod

	To ignore the vendor directory, use -mod=readonly or -mod=mod.
	To sync the vendor directory, run:
		go mod vendor