chore: update dependencies

[renovate]

Update Request | Renovate Bot

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/checkout	action	major	v5 -> v6
alpine	final	minor	3.21 -> 3.22
docker/dockerfile-upstream	syntax	minor	1.14.1-labs -> 1.20.0-labs
github.com/google/cel-go	replace	minor	v0.22.0 -> v0.26.1
github.com/onsi/gomega	require	minor	v1.36.3 -> v1.38.2
github.com/siderolabs/capi-utils	require	digest	8d7036d -> 049abbb
github.com/siderolabs/crypto	require	patch	v0.6.3 -> v0.6.4
github.com/siderolabs/gen	require	patch	v0.8.5 -> v0.8.6
github.com/siderolabs/talos/pkg/machinery	require	patch	v1.11.0 -> v1.11.5
github.com/spf13/pflag	require	patch	v1.0.7 -> v1.0.10
github.com/stretchr/testify	require	minor	v1.10.0 -> v1.11.1
golang.org/x/sync	require	minor	v0.15.0 -> v0.18.0
google.golang.org/grpc	require	minor	v1.74.2 -> v1.77.0
google.golang.org/protobuf	require	patch	v1.36.6 -> v1.36.10
k8s.io/api	require	minor	v0.32.3 -> v0.34.2
k8s.io/apiextensions-apiserver	require	minor	v0.32.3 -> v0.34.2
k8s.io/apimachinery	require	minor	v0.32.3 -> v0.34.2
k8s.io/apiserver	require	minor	v0.32.3 -> v0.34.2
k8s.io/client-go	require	minor	v0.32.3 -> v0.34.2
k8s.io/component-base	require	minor	v0.32.3 -> v0.34.2
k8s.io/utils	require	digest	3ea5e8c -> bc988d5
sigs.k8s.io/cluster-api	require	minor	v1.10.4 -> v1.11.3
sigs.k8s.io/controller-runtime	require	minor	v0.20.4 -> v0.22.4

---

Release Notes

actions/checkout (actions/checkout)

v6

Compare Source

google/cel-go (github.com/google/cel-go)

v0.26.1

Compare Source

What's Changed

• Comprehension nesting limit typo, allow nesting limit validator to accept doubles as limits by @​l46kok in #​1196
• Minor compatibility fixes for google3-import. by @​jnthntatum in #​1198
• Bump the npm_and_yarn group across 1 directory with 2 updates by @​dependabot[bot] in #​1197
• Init function bindings on environment init by @​beldmian in #​1199
• Support variable descriptions in the AI prompt template by @​TristonianJones in #​1205
• Add support for nested element type by @​MisLink in #​1190
• Support unwrapping unknown implementations of proto.Message by @​srikrsna in #​1207

New Contributors

• @​beldmian made their first contribution in #​1199
• @​MisLink made their first contribution in #​1190
• @​srikrsna made their first contribution in #​1207

Full Changelog: google/cel-go@v0.25.1...v0.26.1

v0.26.0

Compare Source

New Features ✨

• Add support for global constants to constant folder by @​zeitgeist87 in #​1180
• Adding CEL Regex Extensions by @​maskri17 in #​1187
• Sqrt func by @​haribalan in #​1166
• Add bazel rule to trigger cel tests and return policy metadata while creating CEL programs by @​aakash070 in #​1176
• Create an util method to convert rpc status to eval status by @​ChinmayMadeshi in #​1178
• Add test runner option to configure a custom test suite parser by @​aakash070 in #​1189
• Cost tracking for list operations by @​TristonianJones in #​1192

Bug Fixes 🐛

• Fix lastIndexOf behavior against an empty string in strings extension by @​l46kok in #​1173
• Fix container setting for cel test all types example in online REPL by @​l46kok in #​1182
• fix(checker): Correct Sprintf argument count by @​cuishuang in #​1185

Test Updates 🧪

• fix test runner test cases by @​aakash070 in #​1170
• Update test runner to avoid using flags when not necessary by @​TristonianJones in #​1174
• add support for handling unknown expression ids in test result by @​aakash070 in #​1183
• Test case for aliasing container imports by @​TristonianJones in #​1193

Documentation 📚

• Add documentation for YAML quirks in celpolicy by @​jnthntatum in #​1186

Dependency Updates ⬆️

• Bump the npm_and_yarn group across 1 directory with 2 updates by @​dependabot[bot] in #​1188

v0.25.1

Compare Source

v0.25.0

Compare Source

Features & Enhancements

This release introduces features for richer configuration-based CEL, AI prompt generation from config files, additional documentation, and 3x performance when evaluating traced / state-tracking expressions. This release also introduces a unit test runner framwork.

#​1141: Expose extension option factory as a public method

#​1143: Add a new compiler tool which can be used to compile CEL expressions and policies using serialized environment

#​1151: Lightweight observable evaluation

#​1155: Utilities for formatting and parsing documentation strings

#​1156: Support for documentation and example strings in CEL environments

#​1158: Re-export interpreter.AttributePattern in package cel.

#​1159: Document the standard library macros and functions

#​1160: Prompt generation for AI-assisted authoring based on a CEL environment

#​1117: Add LateFunctionBinding declaration and fix constant folding

#​1163: Initialize stateful observers prior to evaluation

#​1164: Unparse Expr values to strings

#​1149: Add test runner library

#​1167: REPL: Add an extension option for two var comprehensions

Fixes

Several fixes were implemented, including updating strings.format to better adhere to the specification, correcting constant folding logic alongside the late binding feature, removing a non-functional check in test code, and adding argument count validation for optFieldSelect.

#​1133: Update strings.format to adhere to the specification

#​1117: Add LateFunctionBinding declaration and fix constant folding

#​1161: Remove non-functional optional check in test-only selection

#​1168: Check arg count when validating optFieldSelect

Refactoring & Internal Improvements

General refactoring was performed across the codebase. Coverage and comments for Activation methods were improved. The test runner library was refactored to create options from flags and improve code structure.

#​1145: Refactoring changes

#​1150: Additional comments and coverage for Activation methods

#​1165: Refactoring changes to create a test runner option from passed flags, correct indentation and add package level comment for test

Documentation

Documentation was enhanced, including updates to the NativeTypes documentation regarding the cel tag, adding documentation for the optional library, and documenting the standard library functions/macros as part of the documentation string feature.

#​1148: Update NativeTypes doc to reflect how to enable cel tag

#​1155: Utilities for formatting and parsing documentation strings

#​1156: Support for documentation and example strings in CEL environments

#​1159: Document the standard library macros and functions

#​1162: Document optional library and increase docs coverage

Build System

Configuration fixes were made for Bzlmod compatibility.

#​1146: Bzlmod configuration fixes

Type System

Type formatting was updated to correctly handle type parameters.

#​1154: Update type formatting for type params

v0.24.1

Compare Source

Fixes

• Separate unnest optimization from composer to capture type info [#​1138]

Full Changelog: google/cel-go@v0.24.0...v0.24.1

v0.24.0

Compare Source

Support for subsetting CEL standard library and serialization of CEL environments to YAML.

CEL is an official Google product [#​1122]

Features

• Helper methods for subsetting function overloads [#​1120]
• Introduce cel package aliases for Activation [#​1123]
• Canonical environment description and stdlib subsetting [#​1125]
• Support for cel.Env conversion to YAML-serializable config [#​1128]
• Option to configure CEL via env.Config object [#​1129]
• Support for feature flags and validators in env.Config [#​1132]
• Add k8s custom policy tag handler for test [#​1121]

Fixes

• ContextEval support for Unknowns [#​1126]
• Fix godoc formatting for Lists and OptionalTypes functions [#​1127]
• Default enable DefaultUTCTimeZone [#​1130]
• Support for splitting nested branching operators within policies [#​1136]

New Contributors

• @​chaewonkong made their first contribution in #​1127

Full Changelog: google/cel-go@v0.23.2...v0.24.0

v0.23.2

Compare Source

Corrects one remaining issue for cost computations from the v0.23.0 releases

Fixes

• Bump github.com/golang/glog from 1.0.0 to 1.2.4 in /codelab in the go_modules group across 1 directory by @​dependabot in #​1115
• Minor update on cost order by @​TristonianJones in #​1119

Full Changelog: google/cel-go@v0.23.1...v0.23.2

v0.23.1

Compare Source

Minor release to address cost tracking and size estimation [#​1113]

Full Changelog: google/cel-go@v0.23.0...v0.23.1

v0.23.0

Compare Source

Features

• First and last element in list support [#​1067]
• Add support for typed conformance tests. [#​1089]
• Add syntax for escaped field selectors. [#​1002]
• Add optional.unwrap() / .unwrapOpt() function [#​1103]
• Cost tracking for two-variable comprehensions and bindings [#​1104]

Fixes

PR #​1099 enables a change in the internal variable name used for comprehension result accumulation. This change may break some tests which inspect the AST contents in text form; however, will not break any existing uses of CEL during parse, check, or evaluation.

• Improve policy compiler error message for incompatible outputs. [#​1082]
• Fix partial evaluation with the comprehension folder objects [#​1084]
• Introduce versioning options to all extensions [#​1075]
• Fix a crash in mismatched output check for nested rules [#​1086]
• improve debug output to properly quote byte strings [#​1088]
• Fix two-variable comprehension pruning [#​1083]
• Replace checks for valid UTF-8 in strings with go-maintained calls [#​1094]
• Policy nested rule fix [#​1092]
• Address non-const format string lint findings [#​1096]
• Fix typos in ext/README.md [#​1098]
• Add option to use inaccessible accumulator var [#​1097]
• Add test cases for string.format covering various edge cases [#​1101]
• Add base_config and partial_config files under restricted_destination testdata [#​1106]
• Default enable using hidden accumulator name [#​1099]
• Update PruneAst to support constants of optional type [#​1109]

New Contributors

• @​bigkevmcd made their first contribution in #​1067
• @​hudlow made their first contribution in #​1088
• @​dbuduev made their first contribution in #​1098
• @​zeitgeist87 made their first contribution in #​1101

Full Changelog: google/cel-go@v0.22.1...v0.23.0

v0.22.1

Compare Source

Fixes

• Additional hardening on legacy macros [#​1064]
• Additional nil-safety checks with corresponding test updates [#​1073]
• Add two-variable comprehension support to cel-policy [#​1074]
• Fix optional test to short-circuit [#​1076]
• Fix nil-type when two-var comprehension has a dyn range [#​1077]

New Contributors

• @​aakash070 made their first contribution in #​1069

Full Changelog: google/cel-go@v0.22.0...v0.22.1

onsi/gomega (github.com/onsi/gomega)

v1.38.2

Compare Source

1.38.2

• roll back to go 1.23.0 [c404969]

v1.38.1

Compare Source

1.38.1

Fixes

Numerous minor fixes and dependency bumps

v1.38.0

Compare Source

1.38.0

Features

• gstruct handles extra unexported fields [4ee7ed0]

Fixes

• support [] in IgnoringTopFunction function signatures (#​851) [36bbf72]

Maintenance

• Bump golang.org/x/net from 0.40.0 to 0.41.0 (#​846) [529d408]
• Fix typo [acd1f55]
• Bump google.golang.org/protobuf from 1.36.5 to 1.36.6 (#​835) [bae65a0]
• Bump nokogiri from 1.18.4 to 1.18.8 in /docs (#​842) [8dda91f]
• Bump golang.org/x/net from 0.39.0 to 0.40.0 (#​843) [212d812]
• Bump github.com/onsi/ginkgo/v2 from 2.23.3 to 2.23.4 (#​839) [59bd7f9]
• Bump nokogiri from 1.18.1 to 1.18.4 in /docs (#​834) [328c729]
• Bump uri from 1.0.2 to 1.0.3 in /docs (#​826) [9a798a1]
• Bump golang.org/x/net from 0.37.0 to 0.39.0 (#​841) [04a72c6]

v1.37.0

Compare Source

1.37.0

Features

• add To/ToNot/NotTo aliases for AsyncAssertion [5666f98]

siderolabs/crypto (github.com/siderolabs/crypto)

v0.6.4

Compare Source

crypto 0.6.4 (2025-09-29)

Welcome to the v0.6.4 release of crypto!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/crypto/issues.

Contributors

• Andrey Smirnov
• Andrey Smirnov
• Andrey Smirnov
• Alexey Palazhchenko
• Dmitriy Matrenichev
• Andrew Rynhard
• Artem Chernyshev
• Noel Georgi
• Serge Logvinov
• Utku Ozdemir

Changes

41 commits

• 4154a77 feat: implement dynamic certificate reloader
• dae07fa chore: update to Go 1.25
• 62a079b fix: update TLS config, add tests for TLS interactions
• c2b4e26 fix: remove code duplication and fix Ed25511 CA generation
• 2a07632 fix: enforce FIPS-140-3 compliance
• 17107ae fix: add generic CSR generator and OpenSSL interop
• 53659fc refactor: split into files
• 0d45dee chore: bump deps
• 58b2f92 chore: use HTTP/2 ALPN by default
• c240482 feat: provide dynamic client CA matching
• 2f4f911 feat: add PEMEncodedCertificate wrapper
• 1c94bb3 chore: bump dependencies
• 8f77da3 feat: add a method to load PEM key from file
• c03ff58 feat: add a way to represent redacted x509 private keys
• c3225ee feat: allow CSR template subject field to be overridden
• 8570669 chore: rename to siderolabs/crypto
• e9df1b8 feat: add support for generating keys from RSA-SHA256 CAs
• 510b0d2 chore: add json tags
• 6fa2d93 fix: deepcopy nil fields as nil
• 9a63cba fix: add back support for generating ECDSA keys with P-256 and SHA512
• 893bc66 fix: use SHA256 for ECDSA-P256
• deec8d4 chore: implement DeepCopy methods for PEMEncoded* types
• d3cb772 feat: make possible to change KeyUsage
• 6bc5bb5 chore: remove unused argument
• cd18ef6 feat: add support for several organizations
• 97c888b chore: add options to CSR
• 7776057 chore: fix typos
• 80df078 chore: remove named result parameters
• 15bdd28 chore: minor updates
• 4f80b97 fix: verify CSR signature before issuing a certificate
• 39584f1 feat: support for key/certificate types RSA, Ed25519, ECDSA
• cf75519 fix: function NewKeyPair should create certificate with proper subject
• 751c95a feat: add 'PEMEncodedKey' which allows to transport keys in YAML
• 562c3b6 feat: add support for public RSA key in RSAKey
• bda0e9c feat: enable more conversions between encoded and raw versions
• e0dd56a feat: add NotBefore option for x509 cert creation
• 12a4897 feat: add support for SPKI fingerprint generation and matching
• d0c3eef fix: implement NewKeyPair
• 196679e feat: move pkg/grpc/tls from github.com/talos-systems/talos as ./tls
• 1ff6242 chore: initial version as imported from talos-systems/talos
• 835063e chore: initial commit

Changes since v0.6.3

2 commits

• 4154a77 feat: implement dynamic certificate reloader
• dae07fa chore: update to Go 1.25

Dependency Changes

This release has no dependency changes

siderolabs/gen (github.com/siderolabs/gen)

v0.8.6

Compare Source

gen 0.8.6 (2025-11-03)

Welcome to the v0.8.6 release of gen!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/gen/issues.

Contributors

• Dmitriy Matrenichev
• Artem Chernyshev
• Utku Ozdemir
• Andrey Smirnov
• Andrey Smirnov
• Dmitriy Matrenichev
• Mateusz Urbanek

Changes

27 commits

• 4c7388b chore: update Go modules, replace YAML library
• 044d921 feat: add xslices.Deduplicate
• dcb2b74 feat: add panicsafe package
• b36ee43 feat: make xyaml.CheckUnknownKeys public
• 3e319e7 feat: implement xyaml.UnmarshalStrict
• 7c0324f chore: future-proof HashTrieMap
• 5ae3afe chore: update hashtriemap implementation from the latest upstream
• e847d2a chore: add more utilities to xiter
• f3c5a2b chore: add Empty and Empty2 iterators
• c53b90b chore: add packages xiter/xstrings/xbytes
• 7654108 chore: add hashtriemap implementation
• 8485864 chore: optimize maps.Values and maps.Keys
• 238baf9 chore: add typesafe SyncMap and bump stuff
• efca710 chore: add FilterInPlace method to maps and update module
• 36a3ae3 feat: update module
• f9f5805 chore: bump rekres and add functions from exp
• b968d21 feat: add TryRecv and RecvWithContext functions
• 476dfea feat: add foreach and clear to lazymap
• 214c1ef chore: set slice.Filter result slice cap to len
• 8e89b1e feat: add GetOrCreate and GetOrCall methods
• 7c7ccc3 feat: introduce channel SendWithContext
• b3b6db8 fix: fix Copy documentation and implementation
• 521f737 feat: add xerrors package which contains additions to the std errors
• 726e066 fix: rename tuples.go to pair.go and set proper package name
• d8d7d25 chore: minor additions
• 338a650 chore: add initial implementation and documentation
• 4fd8667 Initial commit

Changes since v0.8.5

1 commit

• 4c7388b chore: update Go modules, replace YAML library

Dependency Changes

This release has no dependency changes

siderolabs/talos (github.com/siderolabs/talos/pkg/machinery)

v1.11.5

Compare Source

Talos 1.11.5 (2025-11-06)

Welcome to the v1.11.5 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

containerd: 2.1.5

Talos is built with Go 1.24.9.

Contributors

• Andrey Smirnov

Changes

2 commits

• @​bc34de6 release(v1.11.5): prepare release
• @​3945c6c feat: update containerd to 2.1.5

Changes from siderolabs/pkgs

1 commit

• siderolabs/pkgs@aee690b feat: update containerd to 2.1.5

Dependency Changes

• github.com/siderolabs/pkgs v1.11.0-28-g81fd82c -> v1.11.0-29-gaee690b
• github.com/siderolabs/talos/pkg/machinery v1.11.4 -> v1.11.5

Previous release can be found at v1.11.4

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.12.4
gcr.io/etcd-development/etcd:v3.6.5
registry.k8s.io/kube-apiserver:v1.34.1
registry.k8s.io/kube-controller-manager:v1.34.1
registry.k8s.io/kube-scheduler:v1.34.1
registry.k8s.io/kube-proxy:v1.34.1
ghcr.io/siderolabs/kubelet:v1.34.1
ghcr.io/siderolabs/installer:v1.11.5
registry.k8s.io/pause:3.10

v1.11.4

Compare Source

Talos 1.11.4 (2025-11-06)

Welcome to the v1.11.4 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

runc: 1.3.3
Linux: 6.12.57
linux-firmware: 2025102

Talos is built with Go 1.24.9.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Justin Garrison
• Laura Brehm

Changes

13 commits

• @​8aec376 release(v1.11.4): prepare release
• @​9c27f9e fix: race between VolumeConfigController and UserVolumeConfigController
• @​ac27129 fix: provide minimal platform metadata always
• @​1946332 fix: image-signer commands
• @​62aa096 chore: update dependencies
• @​075f9ef fix: userspace wireguard handling
• @​35b9701 fix: log duplication on log senders
• @​d00754e fix: add video kernel module to arm
• @​89bca75 fix: set a timeout for SideroLink provision API call
• [@​`23b

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 13 additional dependencies were updated

Details:

Package	Change
github.com/google/gnostic-models	v0.6.8 -> v0.6.9
github.com/prometheus/client_golang	v1.19.1 -> v1.22.0
github.com/prometheus/common	v0.55.0 -> v0.62.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.54.0 -> v0.58.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.28.0 -> v1.33.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.27.0 -> v1.33.0
go.opentelemetry.io/proto/otlp	v1.3.1 -> v1.4.0
golang.org/x/crypto	v0.38.0 -> v0.39.0
golang.org/x/net	v0.40.0 -> v0.41.0
golang.org/x/text	v0.25.0 -> v0.26.0
k8s.io/kube-openapi	v0.0.0-20241105132330-32ad38e42d3f -> v0.0.0-20250318190949-c8a335a9a2ff
sigs.k8s.io/apiserver-network-proxy/konnectivity-client	v0.31.0 -> v0.31.2
sigs.k8s.io/structured-merge-diff/v4	v4.4.2 -> v4.6.0

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: module github.com/siderolabs/[email protected] requires go >= 1.25.3; switching to go1.25.4
go: downloading go1.25.4 (linux/amd64)
go: download go1.25.4: golang.org/[email protected]: verifying module: checksum database disabled by GOSUMDB=off