Chore(deps): Bump the go-dependencies group with 5 updates #3598

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/go-dependencies-1c0eb9f9e8

@dependabot dependabot Bot commented on behalf of github May 24, 2026

Bumps the go-dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/containerd/containerd | 1.7.31 | 1.7.32 |
| github.com/docker/buildx | 0.34.0 | 0.34.1 |
| github.com/docker/cli | 29.4.3+incompatible | 29.5.2+incompatible |
| github.com/google/go-containerregistry | 0.21.5 | 0.21.6 |
| github.com/modelcontextprotocol/go-sdk | 1.4.1 | 1.6.1 |

Updates github.com/containerd/containerd from 1.7.31 to 1.7.32

Release notes

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.32

Welcome to the v1.7.32 release of containerd!


The thirty-second patch release for containerd 1.7 contains various fixes and updates including a security patch.

  • containerd

  • Allow hosts.toml to contain only root-level fields without an explicit [host] section (#10028)

  • Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13450)

  • Apply hardening to block AF_ALG in default socket policy (#13406)

  • Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (#13299)

  • Set AppArmor abi conditionally to support versions < 3.0 (#13273)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

  • Maksym Pavlenko
  • Chris Henzie
  • Derek McGowan
  • Paweł Gronowski
  • Samuel Karp
  • Wei Fu
  • Brad Davidson
  • Brian Goff
  • LEI WANG
  • Phil Estes

Changes

  • bc87d865c Prepare release notes for v1.7.32
  • oci: return explicit error for out-of-range USER values (#13450)
    • 503f47946 oci: return explicit error for out-of-range USER values
  • seccomp: Block AF_ALG in default socket policy (#13406)
    • e55b747d3 seccomp: Block AF_ALG in default socket policy
    • 4627a65f8 seccomp: Document socket rule scope and socketcall limitation
  • Fix issue with empty host tree in hosts.toml (#10028)
    • 24007441d Fix error parsing hosts.toml without any host tree
  • Support both styles of volatile mount option (#13299)
    • 940733149 Support both styles of volatile mount option
  • apparmor: Set abi conditionally (#13273)
  • Add GitHub Action for k8s node e2e tests (#13258)
    • 0db1e143a Add GitHub Action for k8s node e2e tests
  • Update release process after 1.7 (#13236)
    • 3223a75c2 Update for latest updates to release tool

... (truncated)

Commits
  • 180a7b7 Merge pull request #13452 from samuelkarp/prepare-1.7.32
  • bc87d86 Prepare release notes for v1.7.32
  • 6a05ddd Merge pull request #13450 from samuelkarp/oci-withuser-errrange-1.7
  • 9c3d01b Merge pull request #13406 from k8s-infra-cherrypick-robot/cherry-pick-13327-t...
  • e55b747 seccomp: Block AF_ALG in default socket policy
  • 4627a65 seccomp: Document socket rule scope and socketcall limitation
  • 33d9e24 Merge pull request #10028 from brandond/fix-hosts-toml
  • 503f479 oci: return explicit error for out-of-range USER values
  • 4393e22 Merge pull request #13299 from chrishenzie/release/1.7-volatile
  • 9407331 Support both styles of volatile mount option
  • Additional commits viewable in compare view

Updates github.com/docker/buildx from 0.34.0 to 0.34.1

Release notes

Sourced from github.com/docker/buildx's releases.

v0.34.1

buildx 0.34.1

Welcome to the v0.34.1 release of buildx!

Please try out the release binaries and report any issues at https://github.com/docker/buildx/issues.

Contributors

  • CrazyMax
  • Jonathan A. Sternberg
  • Tõnis Tiigi

Notable Changes

  • Fix regression in Bake command when building from Compose files with empty array value #3849 #3852
  • Fix possible panic in Kubernetes driver when using statefulset #3853

Dependency Changes

This release has no dependency changes

Previous release can be found at v0.34.0

Commits
  • e0b0e77 Merge pull request #3860 from crazy-max/v0.34-picks-0.34.1
  • b5a025f bake: preserve empty compose cache lists
  • 7fffa6a driver/kubernetes: fix panic when using statefulset in kubernetes driver
  • See full diff in compare view

Updates github.com/docker/cli from 29.4.3+incompatible to 29.5.2+incompatible

Commits
  • 79eb04c Merge pull request #3173 from rene-hermenau/patch-1
  • 1a3048f Merge pull request #6997 from vvoland/gha-fix
  • 9177c7f gha: Port validate milestones from Moby
  • 77cb156 Merge pull request #6994 from thaJeztah/bump_buildx
  • 382a92d Dockerfile: update buildx to v0.34.1
  • 5c0919a Merge pull request #6995 from thaJeztah/bump_version
  • a68dd7a bump VERSION to v29.5.2-dev
  • 2518b52 Merge pull request #6991 from mickael-docker/docs-clarify-authz
  • 9f18a0a docs: clarify authz content type
  • 2944fd1 Merge pull request #6989 from thaJeztah/bump_version
  • Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.21.5 to 0.21.6

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.6

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.21.5...v0.21.6

Commits
  • 53f7e39 Update go version to 1.26.3 (#2300)
  • bf87c3b transport: allow bearer realm at same host:port as registry (#2302)
  • c55facd transport: retry HTTP 429 (Too Many Requests) (#2301)
  • 68a569e fix: preserve per-occurrence layer identity in Layers() (#2299)
  • 35b354b fix(mutate): preserve config blob and layers for non-Docker OCI artifacts (#2...
  • e5983f2 remote: block SSRF via private-IP Location headers in blob uploads (#2295)
  • 6dad820 remote: validate foreign layer URLs to prevent SSRF (fixes #2259) (#2293)
  • 78bdf1b validate: skip non-layer layers (#2298)
  • c29d91c pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract ...
  • a70d75a transport: block redirects from token server to private/link-local addresses ...
  • Additional commits viewable in compare view

Updates github.com/modelcontextprotocol/go-sdk from 1.4.1 to 1.6.1

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.6.1

This release adds an MCPGODEBUG flag to opt out of the Content-Type check on POST requests.

Behavior Changes

Prior to v1.6.0 (v1.4.0...v1.5.0), the Content-Type check on POST requests was gated by the same disablecrossoriginprotection MCPGODEBUG flag as the cross-origin protection. In v1.6.0, the cross-origin protection was disabled by default (replaced by the opt-in enableoriginverification flag), but the Content-Type check was kept on unconditionally, leaving no way to disable it. This release restores an escape hatch for both the Streamable HTTP and SSE transports: setting MCPGODEBUG=disablecontenttypecheck=1 skips the Content-Type: application/json validation on POST requests. See #957.

What's Changed

Full Changelog: modelcontextprotocol/go-sdk@v1.6.0...v1.6.1

v1.6.0

This release is equivalent to v1.6.0-pre.1. Thank you to those who tested the pre-release.

In this release we introduce several smaller fixes and improvements, and we started working for release 2026-06-30. The main new feature is the introduction of ClientCredentialsHandler for OAuth client credentials grant.

Add ClientCredentialsHandler for OAuth client credentials grant

Added ClientCredentialsHandler implementing auth.OAuthHandler using the OAuth 2.0 Client Credentials grant (RFC 6749 Section 4.4) for service-to-service authentication with pre-registered credentials.

2026-06-30 Release related PRs

  • feat: add automatic application_type inference by @guglielmo-san in modelcontextprotocol/go-sdk#904

    New application_type field is added to the ClientRegistrationMetadata for DynamicClientRegistration. If not specified, the application_type will be inferred from the RedirectURIs. This implements SEP-837.

  • feat: HTTP Header Standardization for method and name by @guglielmo-san in modelcontextprotocol/go-sdk#907

    By mirroring key fields from the JSON-RPC payload into HTTP headers, network intermediaries such as load balancers, proxies, and observability tools can route and process MCP traffic without deep packet inspection, reducing latency and computational overhead. This partially implements SEP-2243.

Behavior Changes

SetError Behavior Change

Previously the SetError method on CallToolResult always overwrote the Content field with the error text. Now SetError preserves the existing value if it has already been populated. You can restore the previous behavior by setting the environment variable seterroroverwrite=1.

Cross-Origin Protection Default Change

Previously (v1.4.1-v1.5.0) default (zero-value) cross-origin protection was applied when CrossOriginProtection in StreamableHTTPOptions was nil. Now cross-origin protection is not enabled by default when CrossOriginProtection is nil. You can restore the previous behavior (enable by default) by setting enableoriginverification=1.

... (truncated)

Commits
  • d454bba mcp: add MCPGPDEBUG for opt-in Content-Type check (#972)
  • f5f2015 MCPGODEBUG update for 1.6.0 (#893)
  • e01639a feat: HTTP Header Standardization for method and name (#907)
  • 93a41b2 internal/jsonrpc2: remove unused code (#910)
  • 446beae mcp: Upgrade jsonschema-go (#912)
  • 2e21834 extauth: add ClientCredentialsHandler for OAuth client credentials grant (#895)
  • 2643b22 feat: add automatic application_type inference (#904)
  • db50910 mcp: do not re-prompt OAuth after cancelled Authorize (#885)
  • 5f2cd8f mcp: preserve transport errors in Write error chain (#888)
  • 0edc597 Update README.md (#896)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps the go-dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/containerd/containerd](https://github.com/containerd/containerd) | `1.7.31` | `1.7.32` |
| [github.com/docker/buildx](https://github.com/docker/buildx) | `0.34.0` | `0.34.1` |
| [github.com/docker/cli](https://github.com/docker/cli) | `29.4.3+incompatible` | `29.5.2+incompatible` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.5` | `0.21.6` |
| [github.com/modelcontextprotocol/go-sdk](https://github.com/modelcontextprotocol/go-sdk) | `1.4.1` | `1.6.1` |


Updates `github.com/containerd/containerd` from 1.7.31 to 1.7.32
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.7.31...v1.7.32)

Updates `github.com/docker/buildx` from 0.34.0 to 0.34.1
- [Release notes](https://github.com/docker/buildx/releases)
- [Commits](docker/buildx@v0.34.0...v0.34.1)

Updates `github.com/docker/cli` from 29.4.3+incompatible to 29.5.2+incompatible
- [Commits](docker/cli@v29.4.3...v29.5.2)

Updates `github.com/google/go-containerregistry` from 0.21.5 to 0.21.6
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.5...v0.21.6)

Updates `github.com/modelcontextprotocol/go-sdk` from 1.4.1 to 1.6.1
- [Release notes](https://github.com/modelcontextprotocol/go-sdk/releases)
- [Commits](modelcontextprotocol/go-sdk@v1.4.1...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-version: 1.7.32
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: github.com/docker/buildx
  dependency-version: 0.34.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: github.com/docker/cli
  dependency-version: 29.5.2+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: github.com/modelcontextprotocol/go-sdk
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependabot 🤖 Created by the dependabot label May 24, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 24, 2026 04:53
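
Added example (not code from Dependabot, go-sdk, or this repository): a Go audit of an MCPGODEBUG value against the two go-sdk behavior changes this bump crosses between 1.4.1 and 1.6.1, namely that origin verification becomes opt-in and that the Content-Type check on POST can be switched off. It assumes MCPGODEBUG is a comma-separated key=value list like Go's GODEBUG; `parseDebug` and `auditMCPGODEBUG` are hypothetical names.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseDebug splits an MCPGODEBUG-style string into key/value pairs.
// Assumption: entries are comma-separated key=value, as in Go's GODEBUG.
func parseDebug(s string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(s, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if ok && k != "" {
			out[k] = v
		}
	}
	return out
}

// auditMCPGODEBUG returns findings for a service built against go-sdk v1.6.1.
// It only sees the environment: a non-nil CrossOriginProtection set in
// StreamableHTTPOptions by the application is not visible from here.
func auditMCPGODEBUG(value string) []string {
	flags := parseDebug(value)
	var findings []string
	if flags["disablecontenttypecheck"] == "1" {
		findings = append(findings, "content-type check on POST requests is disabled")
	}
	if flags["enableoriginverification"] != "1" {
		findings = append(findings, "origin verification is not enabled by default (it was in v1.4.1-v1.5.0)")
	}
	if _, ok := flags["disablecrossoriginprotection"]; ok {
		findings = append(findings, "disablecrossoriginprotection is set: flag from before v1.6.0, superseded by enableoriginverification")
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed sample values, not taken from any real deployment.
	for _, v := range []string{"", "disablecontenttypecheck=1", "enableoriginverification=1"} {
		fmt.Printf("%q -> %v\n", v, auditMCPGODEBUG(v))
	}
}
```

An empty finding list only means the environment does not weaken the defaults; whether the server sets CrossOriginProtection explicitly still has to be checked in code.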