Bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 by dependabot[bot] · Pull Request #500 · gitops-tools/gitopssets-controller

dependabot · 2026-05-19T05:50:16Z

Bumps github.com/google/go-containerregistry from 0.21.5 to 0.21.6.

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.6

What's Changed

fix: update dependencies to use new azure sdk components by @gaganhr94 in google/go-containerregistry#2262

transport: restore resp.Body in retryError so CheckError can parse it by @alliasgher in google/go-containerregistry#2264

pkg/registry: return 202 Accepted for PATCH chunk uploads by @alliasgher in google/go-containerregistry#2265

Follow OCI distribution spec for artifactType and annotations by @malt3 in google/go-containerregistry#2269

actions: attach Codecov token to coverage tests on main by @Subserial in google/go-containerregistry#2270

remote: use DeleteScope (with "delete" action) for manifest deletion by @alliasgher in google/go-containerregistry#2266

remote: limit concurrent layer pulls by @gnix0 in google/go-containerregistry#2271

pkg/registry: reject corrupt disk blobs by @gnix0 in google/go-containerregistry#2272

mutate: close layer readers during export by @gnix0 in google/go-containerregistry#2277

crane/flatten: preserve image media type when flattening by @alliasgher in google/go-containerregistry#2267

build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 in the actions group across 1 directory by @dependabot[bot] in google/go-containerregistry#2273

build(deps): bump go.opentelemetry.io/otel from 1.36.0 to 1.41.0 by @dependabot[bot] in google/go-containerregistry#2278

build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in google/go-containerregistry#2280

Replace go-homedir with os.UserHomeDir by @jammie-jelly in google/go-containerregistry#2282

pkg/name: only treat .localhost as non-HTTPS, not .local by @blackwell-systems in google/go-containerregistry#2281

transport: block unspecified IPs (0.0.0.0, ::) in validateRealmURL by @marwan9696 in google/go-containerregistry#2285

test(mutate): add Extract round-trip test for filesystem object preservation by @blackwell-systems in google/go-containerregistry#2283

experiments: remove deprecated support for estargz by @thaJeztah in google/go-containerregistry#2288

build(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1 in the actions group by @dependabot[bot] in google/go-containerregistry#2289

fix: limit HTTP response body reads to prevent OOM by @evilgensec in google/go-containerregistry#2296

build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in google/go-containerregistry#2297

transport: block redirects from token server to private/link-local addresses (SSRF fix) by @evilgensec in google/go-containerregistry#2292

pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract by @anishesg in google/go-containerregistry#2279

validate: skip non-layer layers by @imjasonh in google/go-containerregistry#2298

remote: validate foreign layer URLs to prevent SSRF (fixes #2259) by @evilgensec in google/go-containerregistry#2293

remote: block SSRF via private-IP Location headers in blob uploads by @adilburaksen in google/go-containerregistry#2295

fix(mutate): preserve config blob and layers for non-Docker OCI artifacts by @blackwell-systems in google/go-containerregistry#2286

fix: preserve per-occurrence layer identity in mutate.Image.Layers() by @iahsanGill in google/go-containerregistry#2299

transport: retry HTTP 429 (Too Many Requests) by @iahsanGill in google/go-containerregistry#2301

transport: allow bearer realm at same host:port as registry by @iahsanGill in google/go-containerregistry#2302

Update go version to 1.26.3 by @Subserial in google/go-containerregistry#2300

New Contributors

@gaganhr94 made their first contribution in google/go-containerregistry#2262

@alliasgher made their first contribution in google/go-containerregistry#2264

@malt3 made their first contribution in google/go-containerregistry#2269

@gnix0 made their first contribution in google/go-containerregistry#2271

@blackwell-systems made their first contribution in google/go-containerregistry#2281

@marwan9696 made their first contribution in google/go-containerregistry#2285

@anishesg made their first contribution in google/go-containerregistry#2279

@adilburaksen made their first contribution in google/go-containerregistry#2295

@iahsanGill made their first contribution in google/go-containerregistry#2299

Full Changelog: google/go-containerregistry@v0.21.5...v0.21.6

Commits

53f7e39 Update go version to 1.26.3 (#2300)
bf87c3b transport: allow bearer realm at same host:port as registry (#2302)
c55facd transport: retry HTTP 429 (Too Many Requests) (#2301)
68a569e fix: preserve per-occurrence layer identity in Layers() (#2299)
35b354b fix(mutate): preserve config blob and layers for non-Docker OCI artifacts (#2...
e5983f2 remote: block SSRF via private-IP Location headers in blob uploads (#2295)
6dad820 remote: validate foreign layer URLs to prevent SSRF (fixes #2259) (#2293)
78bdf1b validate: skip non-layer layers (#2298)
c29d91c pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract ...
a70d75a transport: block redirects from token server to private/link-local addresses ...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.21.5 to 0.21.6. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Commits](google/go-containerregistry@v0.21.5...v0.21.6) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-version: 0.21.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 19, 2026

bigkevmcd merged commit 2f4bd4e into main May 20, 2026
4 checks passed

dependabot Bot deleted the dependabot/go_modules/github.com/google/go-containerregistry-0.21.6 branch May 20, 2026 05:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6#500

Bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6#500
bigkevmcd merged 1 commit into
mainfrom
dependabot/go_modules/github.com/google/go-containerregistry-0.21.6

dependabot Bot commented on behalf of github May 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github May 19, 2026

v0.21.6

What's Changed

New Contributors

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant