chore(deps): bump the go group with 6 updates #254

Merged: matthiasbruns merged 1 commit into main from dependabot/go_modules/go-4a0357623c on May 26, 2026
@dependabot dependabot Bot commented on behalf of github May 24, 2026

Bumps the go group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/fluxcd/flux2/v2 | 2.8.7 | 2.8.8 |
| github.com/fluxcd/helm-controller/api | 1.5.4 | 1.5.5 |
| github.com/fluxcd/image-automation-controller/api | 1.1.3 | 1.1.4 |
| github.com/fluxcd/image-reflector-controller/api | 1.1.1 | 1.1.2 |
| github.com/fluxcd/source-controller/api | 1.8.4 | 1.8.5 |
| ocm.software/ocm | 0.41.0 | 0.42.0 |

Updates github.com/fluxcd/flux2/v2 from 2.8.7 to 2.8.8

Release notes

Sourced from github.com/fluxcd/flux2/v2's releases.

v2.8.8

Highlights

Flux v2.8.8 is a patch release that includes CVE fixes via go-git v5.19.1 (source-controller, image-automation-controller), reliability fixes in helm-controller and source-controller, the move of Helm back to upstream v4.2.0, support for GCP sovereign cloud artifact registries, and dependency updates. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

  • Add a configurable HTTP timeout for artifact fetching, preventing fetches that could block indefinitely and stall reconciliations (helm-controller)
  • Fix unbounded memory growth caused by a Kubernetes client transport retry wrapper accumulating on every reconcile (helm-controller)
  • Stop force-applying non-CRD objects placed under a chart's crds/ directory (helm-controller)
  • Fix the Helm test action failing to find releases with names longer than 53 characters (helm-controller)
  • Improve path handling in the source reconcilers (source-controller)
  • Support Helm semver build-metadata encoding in OCIRepository tags (source-controller)

Improvements:

  • Update go-git to v5.19.1 which fixes CVE-2026-45571 and CVE-2026-45570 (source-controller, image-automation-controller)
  • Move Helm back to upstream v4.2.0 (source-controller, helm-controller)
  • Add support for GCP sovereign cloud artifact registries (source-controller, image-reflector-controller)
  • Upgrade Kubernetes to 1.36.1 (source-controller, helm-controller)
  • Update fluxcd/pkg dependencies

Components changelog

CLI changelog

Full Changelog: fluxcd/flux2@v2.8.7...v2.8.8

Commits
  • 1fd61a0 Merge pull request #5904 from fluxcd/update-components-release/v2.8.x
  • 477f048 Update toolkit components
  • 0acfaa2 Merge pull request #5899 from fluxcd/update-pkg-deps/release/v2.8.x
  • 264957f Update fluxcd/pkg dependencies
  • See full diff in compare view

Updates github.com/fluxcd/helm-controller/api from 1.5.4 to 1.5.5

Release notes

Sourced from github.com/fluxcd/helm-controller/api's releases.

v1.5.5

Changelog

v1.5.5 changelog

Container images

  • docker.io/fluxcd/helm-controller:v1.5.5
  • ghcr.io/fluxcd/helm-controller:v1.5.5

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/helm-controller/api's changelog.

1.5.5

Release date: 2026-05-20

This patch release fixes several reliability issues. HTTP artifact fetches could block indefinitely and stall reconciliations, the Kubernetes client transport accumulated a new retry wrapper on every reconcile causing unbounded memory growth, non-CRD objects placed under a chart's crds/ directory were force-applied, and the Helm test action failed to find releases with names longer than 53 characters. It also moves Helm back to upstream v4.2.0 (off the Flux fork) and updates Kubernetes and fluxcd/pkg dependencies.

Fixes:

  • Add configurable HTTP timeout for artifact fetching #1497
  • Move retryingRoundTripper wrapping to constructor #1487
  • Ignore non-CRD objects under crds/ #1496
  • Use ShortenName for release name in Test action #1498

Improvements:

  • Update Helm to v4.2.0 #1482
  • Upgrade k8s to 1.36.1, c-r to 0.24.1, cli-utils to 1.2.1 #1495
  • Update fluxcd/pkg dependencies #1483

Commits
  • e99b6c7 Merge pull request #1500 from fluxcd/release-v1.5.5
  • fda206c Release v1.5.5
  • 628a880 Add changelog entry for v1.5.5
  • 7cf31a4 Merge pull request #1498 from fluxcd/backport-1492-to-release/v1.5.x
  • 946c981 Use ShortenName for release name in Test action
  • aabd7cb Merge pull request #1497 from fluxcd/backport-1464-to-release/v1.5.x
  • 6e2c112 Add configurable HTTP timeout for artifact fetching
  • 5e4ff0a Merge pull request #1496 from fluxcd/backport-1494-to-release/v1.5.x
  • 6951115 Sanitize CreateReplace for non-CRDs
  • 94853fc Merge pull request #1495 from fluxcd/upgrade-deps
  • Additional commits viewable in compare view

Updates github.com/fluxcd/image-automation-controller/api from 1.1.3 to 1.1.4

Release notes

Sourced from github.com/fluxcd/image-automation-controller/api's releases.

v1.1.4

Changelog

v1.1.4 changelog

Container images

  • docker.io/fluxcd/image-automation-controller:v1.1.4
  • ghcr.io/fluxcd/image-automation-controller:v1.1.4

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/image-automation-controller/api's changelog.

1.1.4

Release date: 2026-05-20

This patch release comes with dependency updates, including go-git v5.19.1 which fixes CVE-2026-45571 (crafted repositories may modify the main and submodule .git directories) and CVE-2026-45570 (improper single-quote escaping in the SSH transport).

Improvements:

  • Update fluxcd/pkg dependencies #1032

Updates github.com/fluxcd/image-reflector-controller/api from 1.1.1 to 1.1.2

Release notes

Sourced from github.com/fluxcd/image-reflector-controller/api's releases.

v1.1.2

Changelog

v1.1.2 changelog

Container images

  • docker.io/fluxcd/image-reflector-controller:v1.1.2
  • ghcr.io/fluxcd/image-reflector-controller:v1.1.2

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/image-reflector-controller/api's changelog.

1.1.2

Release date: 2026-05-20

This patch release comes with dependency updates, adding support for GCP sovereign cloud artifact registries.

Improvements:

  • Update fluxcd/pkg dependencies #883

Updates github.com/fluxcd/source-controller/api from 1.8.4 to 1.8.5

Release notes

Sourced from github.com/fluxcd/source-controller/api's releases.

v1.8.5

Changelog

v1.8.5 changelog

Container images

  • docker.io/fluxcd/source-controller:v1.8.5
  • ghcr.io/fluxcd/source-controller:v1.8.5

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/source-controller/api's changelog.

1.8.5

Release date: 2026-05-20

This patch release hardens path handling in the source reconcilers and updates go-git to v5.19.1, which fixes CVE-2026-45571 (crafted repositories may modify the main and submodule .git directories) and CVE-2026-45570 (improper single-quote escaping in the SSH transport). It also fixes Helm chart resolution for OCI tags that encode semver build metadata, updates Helm to v4.2.0 to align with helm-controller, and adds support for GCP sovereign cloud artifact registries via the fluxcd/pkg update.

Fixes:

  • Improve path handling in source reconcilers #2055
  • Support Helm semver encoding in OCI repositories #2051

Improvements:

  • Update Helm to v4.2.0 #2049
  • Upgrade k8s to 1.36.1, c-r to 0.24.1, cli-utils to 1.2.1 #2052
  • Update fluxcd/pkg dependencies #2056

Commits
  • e9faef4 Merge pull request #2058 from fluxcd/release-v1.8.5
  • 35aac36 Release v1.8.5
  • 06a570c Add changelog entry for v1.8.5
  • 372d3f3 Merge pull request #2056 from fluxcd/update-pkg-deps/release/v1.8.x
  • e8c664f Update fluxcd/pkg dependencies
  • 10643c9 Merge pull request #2055 from fluxcd/backport-2054-to-release/v1.8.x
  • 153b7ab Resolve sparse checkout paths with SecureJoin
  • 3dcb00c Resolve bucket object paths with SecureJoin
  • 493e0bb Merge pull request #2052 from fluxcd/upgrade-deps
  • 0fab7d8 Upgrade k8s to 1.36.1, c-r to 0.24.1, cli-utils to 1.2.1
  • Additional commits viewable in compare view

Updates ocm.software/ocm from 0.41.0 to 0.42.0

Release notes

Sourced from ocm.software/ocm's releases.

v0.42.0

What's Changed

🐛 Bug Fixes

⬆️ Dependencies

🧰 Maintenance

Full Changelog: open-component-model/ocm@v0.41...v0.42.0

v0.42.0-rc.1

What's Changed

🐛 Bug Fixes

⬆️ Dependencies

🧰 Maintenance

Full Changelog: open-component-model/ocm@v0.41...v0.42.0

Commits
  • 09ed037 chore: fix pr title for cherry pick commit (#1941)
  • 5483af8 chore(deps): bump the go group across 1 directory with 25 updates (#1933)
  • 129f7be chore(deps): bump github.com/jackc/pgx/v5 from 5.9.0 to 5.9.2 (#1938)
  • a461ecf chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 in the ci group ...
  • ac692e1 chore: fix permissions for called workflow (#1934)
  • 8fefc86 chore(deps): bump github.com/jackc/pgx/v5 to v5.9.0 (#1936)
  • 175a97a chore: sync contributing guide (#1932)
  • 812557b fix: migrate to the website location (#1931)
  • 659d415 chore(deps): bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 in the ci ...
  • 012e58d chore: bump VERSION to 0.42.0-dev (#1928)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/fluxcd/flux2/v2](https://github.com/fluxcd/flux2) | `2.8.7` | `2.8.8` |
| [github.com/fluxcd/helm-controller/api](https://github.com/fluxcd/helm-controller) | `1.5.4` | `1.5.5` |
| [github.com/fluxcd/image-automation-controller/api](https://github.com/fluxcd/image-automation-controller) | `1.1.3` | `1.1.4` |
| [github.com/fluxcd/image-reflector-controller/api](https://github.com/fluxcd/image-reflector-controller) | `1.1.1` | `1.1.2` |
| [github.com/fluxcd/source-controller/api](https://github.com/fluxcd/source-controller) | `1.8.4` | `1.8.5` |
| [ocm.software/ocm](https://github.com/open-component-model/ocm) | `0.41.0` | `0.42.0` |


Updates `github.com/fluxcd/flux2/v2` from 2.8.7 to 2.8.8
- [Release notes](https://github.com/fluxcd/flux2/releases)
- [Commits](fluxcd/flux2@v2.8.7...v2.8.8)

Updates `github.com/fluxcd/helm-controller/api` from 1.5.4 to 1.5.5
- [Release notes](https://github.com/fluxcd/helm-controller/releases)
- [Changelog](https://github.com/fluxcd/helm-controller/blob/main/CHANGELOG.md)
- [Commits](fluxcd/helm-controller@v1.5.4...v1.5.5)

Updates `github.com/fluxcd/image-automation-controller/api` from 1.1.3 to 1.1.4
- [Release notes](https://github.com/fluxcd/image-automation-controller/releases)
- [Changelog](https://github.com/fluxcd/image-automation-controller/blob/main/CHANGELOG.md)
- [Commits](fluxcd/image-automation-controller@v1.1.3...v1.1.4)

Updates `github.com/fluxcd/image-reflector-controller/api` from 1.1.1 to 1.1.2
- [Release notes](https://github.com/fluxcd/image-reflector-controller/releases)
- [Changelog](https://github.com/fluxcd/image-reflector-controller/blob/main/CHANGELOG.md)
- [Commits](fluxcd/image-reflector-controller@v1.1.1...v1.1.2)

Updates `github.com/fluxcd/source-controller/api` from 1.8.4 to 1.8.5
- [Release notes](https://github.com/fluxcd/source-controller/releases)
- [Changelog](https://github.com/fluxcd/source-controller/blob/main/CHANGELOG.md)
- [Commits](fluxcd/source-controller@v1.8.4...v1.8.5)

Updates `ocm.software/ocm` from 0.41.0 to 0.42.0
- [Release notes](https://github.com/open-component-model/ocm/releases)
- [Changelog](https://github.com/open-component-model/ocm/blob/main/RELEASE_PROCESS.md)
- [Commits](open-component-model/ocm@v0.41...v0.42)

---
updated-dependencies:
- dependency-name: github.com/fluxcd/flux2/v2
  dependency-version: 2.8.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/fluxcd/helm-controller/api
  dependency-version: 1.5.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/fluxcd/image-automation-controller/api
  dependency-version: 1.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/fluxcd/image-reflector-controller/api
  dependency-version: 1.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/fluxcd/source-controller/api
  dependency-version: 1.8.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: ocm.software/ocm
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added kind/chore chore, maintenance, etc. kind/dependency dependency update, etc. labels May 24, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 24, 2026 06:23
@matthiasbruns matthiasbruns merged commit e8ae479 into main May 26, 2026
5 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/go-4a0357623c branch May 26, 2026 05:09
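
The helm-controller 1.5.5 notes quoted above describe a retry wrapper accumulating on the Kubernetes client transport on every reconcile, fixed by moving the wrapping to the constructor. The Go sketch below is an added illustration of that defect class, not helm-controller's code: `clientConfig`, `Wrap`, `depth` and `DepthAfter` are hypothetical names, and the stand-in wrapper only delegates instead of retrying.

```go
package main

import "net/http"

// retryingRoundTripper stands in for a retry wrapper; here it only delegates.
type retryingRoundTripper struct{ next http.RoundTripper }

func (r *retryingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	return r.next.RoundTrip(req)
}

// clientConfig is a hypothetical long-lived client config shared by all reconciles.
type clientConfig struct{ wrap func(http.RoundTripper) http.RoundTripper }

// Wrap chains a retry wrapper after whatever is already registered, so calls stack.
func (c *clientConfig) Wrap() {
	prev := c.wrap
	c.wrap = func(rt http.RoundTripper) http.RoundTripper {
		return &retryingRoundTripper{next: prev(rt)}
	}
}

// depth builds the transport and counts the retry wrappers stacked on it.
func (c *clientConfig) depth() (n int) {
	rt := c.wrap(http.DefaultTransport)
	for r, ok := rt.(*retryingRoundTripper); ok; r, ok = r.next.(*retryingRoundTripper) {
		n++
	}
	return n
}

// DepthAfter runs n reconciles. perReconcile=true models the defect (wrap on
// every reconcile); false models the fix (wrap once at construction).
func DepthAfter(n int, perReconcile bool) int {
	cfg := &clientConfig{wrap: func(rt http.RoundTripper) http.RoundTripper { return rt }}
	if !perReconcile {
		cfg.Wrap() // constructor-time wrapping: exactly one wrapper for the client's lifetime
	}
	for i := 0; i < n; i++ {
		if perReconcile {
			cfg.Wrap() // retains one more closure and wrapper on every pass
		}
		_ = cfg.depth() // the reconcile builds and uses the transport
	}
	return cfg.depth()
}

func main() { println(DepthAfter(1000, true), DepthAfter(1000, false)) }
```

With per-reconcile wrapping the wrapper chain grows by one on each pass and is never released while the config lives; with constructor-time wrapping it stays at one regardless of how many reconciles run.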