Bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 by dependabot[bot] · Pull Request #165 · cloudfoundry/cnbapplifecycle

dependabot · 2026-05-25T13:11:18Z

Bumps github.com/google/go-containerregistry from 0.21.5 to 0.21.6.

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.6

What's Changed

fix: update dependencies to use new azure sdk components by @gaganhr94 in google/go-containerregistry#2262

transport: restore resp.Body in retryError so CheckError can parse it by @alliasgher in google/go-containerregistry#2264

pkg/registry: return 202 Accepted for PATCH chunk uploads by @alliasgher in google/go-containerregistry#2265

Follow OCI distribution spec for artifactType and annotations by @malt3 in google/go-containerregistry#2269

actions: attach Codecov token to coverage tests on main by @Subserial in google/go-containerregistry#2270

remote: use DeleteScope (with "delete" action) for manifest deletion by @alliasgher in google/go-containerregistry#2266

remote: limit concurrent layer pulls by @gnix0 in google/go-containerregistry#2271

pkg/registry: reject corrupt disk blobs by @gnix0 in google/go-containerregistry#2272

mutate: close layer readers during export by @gnix0 in google/go-containerregistry#2277

crane/flatten: preserve image media type when flattening by @alliasgher in google/go-containerregistry#2267

build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 in the actions group across 1 directory by @dependabot[bot] in google/go-containerregistry#2273

build(deps): bump go.opentelemetry.io/otel from 1.36.0 to 1.41.0 by @dependabot[bot] in google/go-containerregistry#2278

build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in google/go-containerregistry#2280

Replace go-homedir with os.UserHomeDir by @jammie-jelly in google/go-containerregistry#2282

pkg/name: only treat .localhost as non-HTTPS, not .local by @blackwell-systems in google/go-containerregistry#2281

transport: block unspecified IPs (0.0.0.0, ::) in validateRealmURL by @marwan9696 in google/go-containerregistry#2285

test(mutate): add Extract round-trip test for filesystem object preservation by @blackwell-systems in google/go-containerregistry#2283

experiments: remove deprecated support for estargz by @thaJeztah in google/go-containerregistry#2288

build(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1 in the actions group by @dependabot[bot] in google/go-containerregistry#2289

fix: limit HTTP response body reads to prevent OOM by @evilgensec in google/go-containerregistry#2296

build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in google/go-containerregistry#2297

transport: block redirects from token server to private/link-local addresses (SSRF fix) by @evilgensec in google/go-containerregistry#2292

pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract by @anishesg in google/go-containerregistry#2279

validate: skip non-layer layers by @imjasonh in google/go-containerregistry#2298

remote: validate foreign layer URLs to prevent SSRF (fixes #2259) by @evilgensec in google/go-containerregistry#2293

remote: block SSRF via private-IP Location headers in blob uploads by @adilburaksen in google/go-containerregistry#2295

fix(mutate): preserve config blob and layers for non-Docker OCI artifacts by @blackwell-systems in google/go-containerregistry#2286

fix: preserve per-occurrence layer identity in mutate.Image.Layers() by @iahsanGill in google/go-containerregistry#2299

transport: retry HTTP 429 (Too Many Requests) by @iahsanGill in google/go-containerregistry#2301

transport: allow bearer realm at same host:port as registry by @iahsanGill in google/go-containerregistry#2302

Update go version to 1.26.3 by @Subserial in google/go-containerregistry#2300

New Contributors

@gaganhr94 made their first contribution in google/go-containerregistry#2262

@alliasgher made their first contribution in google/go-containerregistry#2264

@malt3 made their first contribution in google/go-containerregistry#2269

@gnix0 made their first contribution in google/go-containerregistry#2271

@blackwell-systems made their first contribution in google/go-containerregistry#2281

@marwan9696 made their first contribution in google/go-containerregistry#2285

@anishesg made their first contribution in google/go-containerregistry#2279

@adilburaksen made their first contribution in google/go-containerregistry#2295

@iahsanGill made their first contribution in google/go-containerregistry#2299

Full Changelog: google/go-containerregistry@v0.21.5...v0.21.6

Commits

53f7e39 Update go version to 1.26.3 (#2300)
bf87c3b transport: allow bearer realm at same host:port as registry (#2302)
c55facd transport: retry HTTP 429 (Too Many Requests) (#2301)
68a569e fix: preserve per-occurrence layer identity in Layers() (#2299)
35b354b fix(mutate): preserve config blob and layers for non-Docker OCI artifacts (#2...
e5983f2 remote: block SSRF via private-IP Location headers in blob uploads (#2295)
6dad820 remote: validate foreign layer URLs to prevent SSRF (fixes #2259) (#2293)
78bdf1b validate: skip non-layer layers (#2298)
c29d91c pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract ...
a70d75a transport: block redirects from token server to private/link-local addresses ...
Additional commits viewable in compare view

modulo11 · 2026-06-15T06:43:03Z

@dependabot rebase

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.21.5 to 0.21.6. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Commits](google/go-containerregistry@v0.21.5...v0.21.6) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-version: 0.21.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 25, 2026

dependabot Bot requested a review from a team as a code owner May 25, 2026 13:11

cf-foundation-community-automation Bot added this to Application Runtime Platform Working Group May 25, 2026

cf-foundation-community-automation Bot moved this to Inbox in Application Runtime Platform Working Group May 25, 2026

nicolasbender mentioned this pull request Jun 1, 2026

Remove defer to handle new containerregistry limiter #166

Merged

dependabot Bot force-pushed the dependabot/go_modules/github.com/google/go-containerregistry-0.21.6 branch from 8ee1bec to c484b21 Compare June 10, 2026 11:45

dependabot Bot force-pushed the dependabot/go_modules/github.com/google/go-containerregistry-0.21.6 branch from c484b21 to f6c727d Compare June 15, 2026 06:44

modulo11 approved these changes Jun 15, 2026

View reviewed changes

github-project-automation Bot moved this from Inbox to Pending Merge | Prioritized in Application Runtime Platform Working Group Jun 15, 2026

modulo11 merged commit 150c8c4 into main Jun 15, 2026
7 checks passed

github-project-automation Bot moved this from Pending Merge | Prioritized to Done in Application Runtime Platform Working Group Jun 15, 2026

modulo11 deleted the dependabot/go_modules/github.com/google/go-containerregistry-0.21.6 branch June 15, 2026 06:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6#165

Bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6#165
modulo11 merged 1 commit into
mainfrom
dependabot/go_modules/github.com/google/go-containerregistry-0.21.6

dependabot Bot commented on behalf of github May 25, 2026 •

edited

Loading

Uh oh!

modulo11 commented Jun 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v0.21.6

What's Changed

New Contributors

Uh oh!

modulo11 commented Jun 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github May 25, 2026 •

edited

Loading