Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package go-containerregistry for
openSUSE:Factory checked in at 2026-06-29 17:33:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/go-containerregistry (Old)
and /work/SRC/openSUSE:Factory/.go-containerregistry.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "go-containerregistry"
Mon Jun 29 17:33:07 2026 rev:14 rq:1362462 version:0.21.7
Changes:
--------
---
/work/SRC/openSUSE:Factory/go-containerregistry/go-containerregistry.changes
2026-03-24 18:48:47.474263791 +0100
+++
/work/SRC/openSUSE:Factory/.go-containerregistry.new.11887/go-containerregistry.changes
2026-06-29 17:35:06.955809681 +0200
@@ -1,0 +2,110 @@
+Mon Jun 29 13:54:56 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 0.21.7:
+ * tarball: return error instead of panicking on missing
+ rootfs.diff_ids
+ * gcrane: honor --platform flag in copy
+ * mutate: verify layer digests in Extract and Time
+ * tarball: close layer readers during Write
+ * build(deps): bump the actions group across 1 directory with 2
+ updates
+ * build(deps): bump github.com/docker/cli from
+ 29.4.3+incompatible to 29.5.2+incompatible in the go-deps
+ group across 1 directory
+ * BUGFIX: Fail with error when read exceeds maximum
+ * build(deps): bump the actions group across 1 directory with 2
+ updates
+ * fix(name): anchor loopback registry detection
+ * Reject symlinks in OCI layout blobs
+ * fix(crane): avoid creating export tar on pull failure
+ * feat(kubernetes): allow ignoring pull secrets
+ * fix(name): preserve localhost registry references
+ * pkg/registry: export ErrNotFound
+ * pkg/registry: export RedirectError
+ * build(deps): bump the go-deps group across 1 directory with 2
+ updates
+ * build(deps): bump the actions group across 1 directory with 2
+ updates
+ * fix: prevent SSRF in google.List() pagination
+ * internal/gzip: fix goroutine leak in ReadCloserLevel
+ * fix(transport): apply refreshed bearer token after cross-host
+ redirect
+ * build(deps): bump the go-deps group across 3 directories with
+ 4 updates
+ * fix(tarball): normalize paths when matching files
+ * transport: do not re-attach bearer token after cross-host
+ redirect
+ * Bump CI go version to 1.26.4
+- update to 0.21.6:
+ * fix: update dependencies to use new azure sdk components
+ * transport: restore resp.Body in retryError so CheckError can
+ parse it
+ * pkg/registry: return 202 Accepted for PATCH chunk uploads
+ * Follow OCI distribution spec for artifactType and annotations
+ * actions: attach Codecov token to coverage tests on main
+ * remote: use DeleteScope (with "delete" action) for manifest
+ deletion
+ * remote: limit concurrent layer pulls
+ * pkg/registry: reject corrupt disk blobs
+ * mutate: close layer readers during export
+ * crane/flatten: preserve image media type when flattening
+ * build(deps): bump goreleaser/goreleaser-action from 7.0.0 to
+ 7.2.1 in the actions group across 1 directory
+ * build(deps): bump go.opentelemetry.io/otel from 1.36.0 to
+ 1.41.0
+ * build(deps): bump the go-deps group across 3 directories with
+ 6 updates
+ * Replace go-homedir with os.UserHomeDir
+ * pkg/name: only treat .localhost as non-HTTPS, not .local
+ * transport: block unspecified IPs (0.0.0.0, ::) in
+ validateRealmURL
+ * test(mutate): add Extract round-trip test for filesystem
+ object preservation
+ * experiments: remove deprecated support for estargz
+ * build(deps): bump aws-actions/configure-aws-credentials from
+ 6.1.0 to 6.1.1 in the actions group
+ * fix: limit HTTP response body reads to prevent OOM
+ * build(deps): bump the go-deps group across 3 directories with
+ 6 updates
+ * transport: block redirects from token server to private/link-
+ local addresses (SSRF fix)
+ * pkg/v1/mutate: preserve relative symlinks that stay within
+ rootfs in Extract
+ * validate: skip non-layer layers
+ * remote: validate foreign layer URLs to prevent SSRF (fixes
+ #2259)
+ * remote: block SSRF via private-IP Location headers in blob
+ uploads
+ * fix(mutate): preserve config blob and layers for non-Docker
+ OCI artifacts
+ * fix: preserve per-occurrence layer identity in
+ mutate.Image.Layers()
+ * transport: retry HTTP 429 (Too Many Requests)
+ * transport: allow bearer realm at same host:port as registry
+ * Update go version to 1.26.3
+- update to 0.21.5:
+ * Bump docker/cli v29.4.0, moby/api v1.54.1, moby/client v0.4.0
+ * update to Go 1.26.2
+ * Bump aws-actions/configure-aws-credentials from 6.0.0 to
+ 6.1.0 in the actions group across 1 directory
+ * build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 in
+ the go-deps group across 1 directory
+ * **Full Changelog**: https://github.com/google/go-
+ containerregistry/compare/v0.21.4...v0.21.5
+- update to 0.21.4:
+ * go.mod: do not make a viral minimum go version
+ * Avoid pruning absolute links from extracted and flattened
+ images
+ * Bump the go-deps group across 3 directories with 5 updates
+ * fix: update to go1.25.8, and use separate .go-version file
+ * Bump CI go version to 1.26.1
+ * Bump codecov/codecov-action from 5.5.2 to 5.5.3 in the
+ actions group
+ * fork distribution client v3 auth-challenge as an internal
+ package (squashed)
+ * transport: validate Bearer realm URL to prevent SSRF
+ * revert path traversal and symlink escape from #2227
+ * Fix pkg/v1/google/auth tests for arm64
+ * goreleaser: Update goreleaser config and GH action
+
+-------------------------------------------------------------------
Old:
----
go-containerregistry-0.21.3.tar.gz
New:
----
go-containerregistry-0.21.7.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ go-containerregistry.spec ++++++
--- /var/tmp/diff_new_pack.wDXXZ6/_old 2026-06-29 17:35:07.935843187 +0200
+++ /var/tmp/diff_new_pack.wDXXZ6/_new 2026-06-29 17:35:07.939843324 +0200
@@ -18,7 +18,7 @@
Name: go-containerregistry
-Version: 0.21.3
+Version: 0.21.7
Release: 0
Summary: Container Library and tools for working with container
registries
License: Apache-2.0
++++++ go-containerregistry-0.21.3.tar.gz -> go-containerregistry-0.21.7.tar.gz
++++++
++++ 66124 lines of diff (skipped)
++++++ vendor.tar.gz ++++++
++++ 58589 lines of diff (skipped)