chore(deps): bump the security group with 16 updates

[dependabot]

Bumps the security group with 16 updates:

Package	From	To
github.com/containers/image/v5	5.29.0	5.29.2
github.com/google/uuid	1.4.0	1.6.0
github.com/shirou/gopsutil/v3	3.23.12	3.24.1
github.com/vmware-tanzu/velero	1.10.3	1.13.0
go.opentelemetry.io/otel	1.23.0	1.23.1
go.opentelemetry.io/otel/sdk	1.23.0	1.23.1
k8s.io/api	0.29.1	0.29.2
k8s.io/apiextensions-apiserver	0.29.0	0.29.2
k8s.io/apimachinery	0.29.1	0.29.2
k8s.io/apiserver	0.29.0	0.29.2
k8s.io/cli-runtime	0.29.1	0.29.2
k8s.io/client-go	0.29.1	0.29.2
sigs.k8s.io/controller-runtime	0.17.0	0.17.2
golang.org/x/net	0.19.0	0.21.0
helm.sh/helm/v3	3.14.0	3.14.1
k8s.io/metrics	0.29.0	0.29.2

Updates github.com/containers/image/v5 from 5.29.0 to 5.29.2

Release notes

Sourced from github.com/containers/image/v5's releases.

v5.29.2

What's Changed

• [release-5.29] backport Docker Daemon fix by @​TomSweeneyRedHat in containers/image#2270
• [release-5.29] Tag 5.29.1 by @​mtrmac in containers/image#2253
• Use a stable Skopeo branch for testing the stable c/image branch by @​mtrmac in containers/image#2262

Full Changelog: containers/image@v5.29.1...v5.29.2

v5.29.1

• Add support for pushing an image with unknown digest

Commits

• b799d82 [release-5.29] Bump to v5.29.2
• 6cbd4f4 [release-5.29] backport Docker Daemon fix #2260
• 2f0d9ae Merge pull request #2262 from mtrmac/5.29-skopeo-reverse
• ef8a7a5 Use a stable Skopeo branch for testing the stable c/image branch
• d8bbff8 Merge pull request #2253 from mtrmac/releasing-5.29.1
• 540136f Bump to v5.29.2-dev
• f7fbc0a Release 5.29.1
• 1b5932f Merge pull request #2252 from mheon/backport_2209_529
• 47bac8f Add support for pushing image with unknown digest
• 041e291 Merge pull request #2251 from mtrmac/5.29-dest-branch
• Additional commits viewable in compare view

Updates github.com/google/uuid from 1.4.0 to 1.6.0

Release notes

Sourced from github.com/google/uuid's releases.

v1.6.0

1.6.0 (2024-01-16)

Features

• add Max UUID constant (#149) (c58770e)

Bug Fixes

• fix typo in version 7 uuid documentation (#153) (016b199)
• Monotonicity in UUIDv7 (#150) (a2b2b32)

v1.5.0

1.5.0 (2023-12-12)

Features

• Validate UUID without creating new UUID (#141) (9ee7366)

Changelog

Sourced from github.com/google/uuid's changelog.

1.6.0 (2024-01-16)

Features

• add Max UUID constant (#149) (c58770e)

Bug Fixes

• fix typo in version 7 uuid documentation (#153) (016b199)
• Monotonicity in UUIDv7 (#150) (a2b2b32)

1.5.0 (2023-12-12)

Features

• Validate UUID without creating new UUID (#141) (9ee7366)

Commits

• 0f11ee6 chore(master): release 1.6.0 (#151)
• 16939da chore(tests): add strict monotonicity test case for uuid v7. (#154)
• 016b199 fix: fix typo in version 7 uuid documentation (#153)
• 1d8b6ea ci: set token permissions to github workflows (#143)
• a2b2b32 fix: Monotonicity in UUIDv7 (#150)
• c58770e feat: add Max UUID constant (#149)
• 4d47f8e chore(master): release 1.5.0 (#145)
• 9ee7366 feat: Validate UUID without creating new UUID (#141)
• b35aa6a add uuid version 6 and 7 (#139)
• See full diff in compare view

Updates github.com/shirou/gopsutil/v3 from 3.23.12 to 3.24.1

Release notes

Sourced from github.com/shirou/gopsutil/v3's releases.

v3.24.1

Compatibility Notice

We don't think #1585 will affect compatibility about PlatformVersion in host.Info(), but maybe it will.

What's Changed

disk

• [linux][disk]: fix Rdev cast by @​shirou in shirou/gopsutil#1575

host

• [host]: add EnableBootTimeCache function by @​shirou in shirou/gopsutil#1579
• ensure host platform are files and have contents by @​brycekahle in shirou/gopsutil#1584

process

• Windows, read all PIDs if there are more than 1024 PIDs. by @​jnewmano in shirou/gopsutil#1580

Other Changes

• use VERSION_ID from os-release by @​brycekahle in shirou/gopsutil#1585

New Contributors

• @​jnewmano made their first contribution in shirou/gopsutil#1580
• @​brycekahle made their first contribution in shirou/gopsutil#1584

Full Changelog: shirou/gopsutil@v3.23.12...v3.24.1

Commits

• 65b5fa3 Merge pull request #1587 from shirou/dependabot/github_actions/actions/upload...
• 2241397 chore(deps): bump actions/upload-artifact from 4.2.0 to 4.3.0
• 9de1a42 Merge pull request #1585 from DataDog/bryce.kahle/os-release-version-id
• 9b6f828 Merge pull request #1584 from DataDog/bryce.kahle/host-platform
• dc01f63 Merge pull request #1583 from shirou/dependabot/github_actions/actions/cache-...
• e912ebd Merge pull request #1580 from jnewmano/patch-1
• b86b36a Merge pull request #1586 from shirou/dependabot/github_actions/actions/upload...
• 61758d5 chore(deps): bump actions/upload-artifact from 4.1.0 to 4.2.0
• d753f78 use VERSION_ID from os-release
• b0d976c ensure host platform are files and have contents
• Additional commits viewable in compare view

Updates github.com/vmware-tanzu/velero from 1.10.3 to 1.13.0

Release notes

Sourced from github.com/vmware-tanzu/velero's releases.

v1.13.0

v1.13

2024-01-29

Download

https://github.com/vmware-tanzu/velero/releases/tag/v1.13.0

Container Image

velero/velero:v1.13.0

Documentation

https://velero.io/docs/v1.13/

Upgrading

https://velero.io/docs/v1.13/upgrade-to-1.13/

Highlights

Resource Modifier Enhancement

Velero introduced the Resource Modifiers in v1.12.0. This feature allows users to specify a ConfigMap with a set of rules to modify the resources during restoration. However, only the JSON Patch is supported when creating the rules, and JSON Patch has some limitations, which cannot cover all use cases. In v1.13.0, Velero adds new support for JSON Merge Patch and Strategic Merge Patch, which provide more power and flexibility and allow users to use the same ConfigMap to apply patches on the resources. More design details can be found in Support JSON Merge Patch and Strategic Merge Patch in Resource Modifiers design. For instructions on how to use the feature, please refer to the Resource Modifiers doc.

Node-Agent Concurrency

Velero data movement activities from fs-backups and CSI snapshot data movements run in Velero node-agent, so may be hosted by every node in the cluster and consume resources (i.e. CPU, memory, network bandwidth) from there. With v1.13, users are allowed to configure how many data movement activities (a.k.a, loads) run in each node globally or by node, so that users can better leverage the performance of Velero data movement activities and the resource consumption in the cluster. For more information, check the Node-Agent Concurrency document.

Parallel Files Upload Options

Velero now supports configurable options for parallel files upload when using Kopia uploader to do fs-backups or CSI snapshot data movements which makes speed up backup possible. For more information, please check Here.

Write Sparse Files Options

If using fs-restore or CSI snapshot data movements, it’s supported to write sparse files during restore. For more information, please check Here.

Backup Describe

In v1.13, the Backup Volume section is added to the velero backup describe command output. The backup Volumes section describes information for all the volumes included in the backup of various backup types, i.e. native snapshot, fs-backup, CSI snapshot, and CSI snapshot data movement. Particularly, the velero backup description now supports showing the information of CSI snapshot data movements, which is not supported in v1.12.

Additionally, backup describe command will not check EnableCSI feature gate from client side, so if a backup has volumes with CSI snapshot or CSI snapshot data movement, backup describe command always shows the corresponding information in its output.

Backup's new VolumeInfo metadata

Create a new metadata file in the backup repository's backup name sub-directory to store the backup-including PVC and PV information. The information includes the backing-up method of the PVC and PV data, snapshot information, and status. The VolumeInfo metadata file determines how the PV resource should be restored. The Velero downstream software can also use this metadata file to get a summary of the backup's volume data information.

Enhancement for CSI Snapshot Data Movements when Velero Pod Restart

When performing backup and restore operations, enhancements have been implemented for Velero server pods or node agents to ensure that the current backup or restore process is not stuck or interrupted after restart due to certain exceptional circumstances.

New status fields added to show hook execution details

Hook execution status is now included in the backup/restore CR status and displayed in the backup/restore describe command output. Specifically, it will show the number of hooks which attempted to execute under the HooksAttempted field and the number of hooks which failed to execute under the HooksFailed field.

AWS SDK Bump Up

Bump up AWS SDK for Go to version 2, which offers significant performance improvements in CPU and memory utilization over version 1.

Azure AD/Workload Identity Support

Azure AD/Workload Identity is the recommended approach to do the authentication with Azure services/AKS, Velero has introduced support for Azure AD/Workload Identity on the Velero Azure plugin side in previous releases, and in v1.13.0 Velero adds new support for Kopia operations(file system backup/data mover/etc.) with Azure AD/Workload Identity.

... (truncated)

Commits

• 76670e9 Merge pull request #7351 from ywk253100/240124_log
• 25d977e Log the error details
• 94c7d4b Merge pull request #7346 from ywk253100/240122_changelog
• 09401c8 Check whether the API resource exists before creating the informer cache
• 981d64a Merge pull request #7338 from ywk253100/240122_changelog
• 16b8b8d Move unreleased changelogs to 1.13 changelog
• 9fd73b2 Merge pull request #7339 from ywk253100/240122_log_erro
• c377e47 Log the error got from the discovery helper
• f5714cb [cherry-pick]Do not attempt restore resource with no available GVK in cluster...
• 5ffa121 Merge pull request #7328 from ywk253100/240118_release_node
• Additional commits viewable in compare view

Updates go.opentelemetry.io/otel from 1.23.0 to 1.23.1

Changelog

Sourced from go.opentelemetry.io/otel's changelog.

[1.23.1] 2024-02-07

Fixed

• Register all callbacks passed during observable instrument creation instead of just the last one multiple times in go.opentelemetry.io/otel/sdk/metric. (#4888)

Commits

• c5b112f Release v1.23.1/v0.43.2 (#4892)
• 11ebd19 Fix callback registration bug (#4888)
• See full diff in compare view

Updates go.opentelemetry.io/otel/sdk from 1.23.0 to 1.23.1

Changelog

Sourced from go.opentelemetry.io/otel/sdk's changelog.

[1.23.1] 2024-02-07

Fixed

• Register all callbacks passed during observable instrument creation instead of just the last one multiple times in go.opentelemetry.io/otel/sdk/metric. (#4888)

Commits

• c5b112f Release v1.23.1/v0.43.2 (#4892)
• 11ebd19 Fix callback registration bug (#4888)
• See full diff in compare view

Updates k8s.io/api from 0.29.1 to 0.29.2

Commits

• d473130 Update dependencies to v0.29.2 tag
• f5eca04 Merge pull request #122959RomanBednar/automated-cherry-pick-of-#122728
• fd1786f flag PersistentVolumeLastPhaseTransitionTime field as beta
• See full diff in compare view

Updates k8s.io/apiextensions-apiserver from 0.29.0 to 0.29.2

Commits

• e1d6769 Update dependencies to v0.29.2 tag
• f14ac67 Merge pull request #122369cici37/automated-cherry-pick-of-#122193
• eccd921 Merge pull request #122429 from MadhavJivrajani/tools-bump-129
• 06c0a98 Merge pull request #122343jpbetz/automated-cherry-pick-of-#122329
• 4a82ea0 .*: bump golang.org/x/tools to v0.16.1
• 2d320bc Wire in field dropping for CRDs
• 510e9f2 Keep presence cost to 0 to ensure backward compatibility.
• See full diff in compare view

Updates k8s.io/apimachinery from 0.29.1 to 0.29.2

Commits

• See full diff in compare view

Updates k8s.io/apiserver from 0.29.0 to 0.29.2

Commits

• 4c39f36 Update dependencies to v0.29.2 tag
• bd6de43 Merge pull request #123080 from alexzielenski/automated-cherry-pick-of-#12300...
• b7459bd bugfix: dont skip reconcile for unchanged policy if last sync failed
• e9b5722 Merge pull request #122369cici37/automated-cherry-pick-of-#122193
• 037e27f Merge pull request #122478 from liangyuanpeng/automated-cherry-pick-of-#12162...
• 0065398 Merge pull request #122429 from MadhavJivrajani/tools-bump-129
• 919f1ad .*: bump golang.org/x/tools to v0.16.1
• ae9ed66 Address comment
• 02998b3 Keep presence cost to 0 to ensure backward compatibility.
• 5348142 use context for lazy evaluation.
• See full diff in compare view

Updates k8s.io/cli-runtime from 0.29.1 to 0.29.2

Commits

• d173469 Update dependencies to v0.29.2 tag
• See full diff in compare view

Updates k8s.io/client-go from 0.29.1 to 0.29.2

Commits

• 62c5e9e Update dependencies to v0.29.2 tag
• See full diff in compare view

Updates sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.2

Release notes

Sourced from sigs.k8s.io/controller-runtime's releases.

v0.17.2

What's Changed

• ⚠ 🐛 Fakeclient: Do not consider an apply patch to be a strategic merge patch by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#2681
• 🐛 Fix lazy rest mapper cache invalidation by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#2688

Full Changelog: kubernetes-sigs/controller-runtime@v0.17.1...v0.17.2

v0.17.1

What's Changed

• 🐛 Clean restmapper cache if a version is notFound by @​k8s-infra-cherrypick-robot in kubernetes-sigs/controller-runtime#2676

Full Changelog: kubernetes-sigs/controller-runtime@v0.17.0...v0.17.1

Commits

• d0396a3 Merge pull request #2688 from k8s-infra-cherrypick-robot/cherry-pick-2687-to-...
• 565aa5b Fix lazy rest mapper cache invalidation
• 59c26c0 Merge pull request #2681 from k8s-infra-cherrypick-robot/cherry-pick-2679-to-...
• 984aee6 bug: Fakeclient: Do not consider an apply patch to be a strategic merge patch
• 5923139 Merge pull request #2676 from k8s-infra-cherrypick-robot/cherry-pick-2663-to-...
• 0811bad Address review comments
• 40b41df Clean restmapper cache if a version is notFound
• See full diff in compare view

Updates golang.org/x/net from 0.19.0 to 0.21.0

Commits

• 73d21fd go.mod: update golang.org/x dependencies
• 643fd16 html: fix SOLIDUS '/' handling in attribute parsing
• 73e4b50 dns/dnsmessage: allow name compression for SRV resource parsing
• b2208d0 internal/quic/qlog: fix typo
• 0d0b98c http2: avoid goroutine starvation in TestServer_Push_RejectAfterGoAway
• 07e05fd http2: remove suspicious uint32->v conversion in frame code
• 26b646e quic: avoid deadlock in Endpoint.Close
• cb5b10f go.mod: update golang.org/x dependencies
• 689bbc7 quic: deflake TestStreamsCreateConcurrency
• f12db26 internal/quic/cmd/interop: use wget --no-verbose in Dockerfile
• Additional commits viewable in compare view

Updates helm.sh/helm/v3 from 3.14.0 to 3.14.1

Release notes

Sourced from helm.sh/helm/v3's releases.

Helm v3.14.1 is a security (patch) release. Users are strongly recommended to update to this release.

A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.

Dominykas Blyžė with Nearform Ltd. discovered the vulnerability.

Installation and Upgrading

Download Helm v3.14.1. The common platform binaries are here:

• MacOS amd64 (checksum / 67928236b37c4e780b9fb5e614fb3b9aece90d60f0b1b4cb7406ee292c2dae3b)
• MacOS arm64 (checksum / 96468f927cc6efb4a2b92fd9419f40ed21d634af2f3e84fb8efa59526c7a003b)
• Linux amd64 (checksum / 75496ea824f92305ff7d28af37f4af57536bf5138399c824dff997b9d239dd42)
• Linux arm (checksum / f50c00c262b74435530e677bcec07637aaeda1ed92ef809b49581a4e6182cbbe)
• Linux arm64 (checksum / f865b8ad4228fd0990bbc5b50615eb6cb9eb31c9a9ca7238401ed897bbbe9033)
• Linux i386 (checksum / 3c94ed0601e0e62c195a7e9b75262b18128c8284662aa0e080bb548dc6d47bcd)
• Linux ppc64le (checksum / 4d853ab8fe3462287c7272fbadd5f73531ecdd6fa0db37d31630e41ae1ae21de)
• Linux s390x (checksum / 19bf07999c7244bfeb0fd27152919b9faa1148cf43910edbb98efa9150058a98)
• Linux riscv64 (checksum / 2660bd8eb37aafc071599b788a24bfe244e5d3ffa42da1599da5a5041dafa214)
• Windows amd64 (checksum / 8a6c78a23a4e497ad8bd288138588adb3e5b49be8dbe82a3200fe7b297dac184)

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @​mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 3.14.2 will contain only bug fixes and be released on March 13, 2024.
• 3.15.0 is the next feature release and will be on May 08, 2024.

Commits

• e8858f8 validation fix
• See full diff in compare view

Updates k8s.io/metrics from 0.29.0 to 0.29.2

Commits

• bb460c1 Update dependencies to v0.29.2 tag
• f0708df Merge pull request #122429 from MadhavJivrajani/tools-bump-129
• 2c11cd8 .*: bump golang.org/x/tools to v0.16.1
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions