chore(deps): update dependencies (non-major) #262

Merged: edgard merged 1 commit into master from renovate/dependencies-(non-major) on Jun 26, 2026

@edgard (Owner) commented Jun 26, 2026

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/mogenius/helm-charts/renovate-operator (source) | minor | 4.13.0 → 4.14.0 |
| ghcr.io/renovatebot/renovate (source) | minor | 43.242.0 → 43.243.2 |
| opentofu/opentofu | patch | 1.12.2 → 1.12.3 |
| quay.io/jetstack/charts/cert-manager (source) | patch | v1.20.2 → v1.20.3 |

Release Notes

mogenius/renovate-operator (ghcr.io/mogenius/helm-charts/renovate-operator)

v4.14.0

Features
  • helm: allows adding labels to service monitor (b3596f1)
Bug Fixes
  • deps: update node.js to v24.18.0 (f5ec451)
  • forgejo: address review — drain 404 body, assert DELETE in test (5684c03)
  • forgejo: treat 404 as success when deleting a webhook (730b30f)
  • webhook-sync: address review — real 403 skip, preallocation, log wording (95705e3)
  • webhook-sync: sync webhooks for autodiscovered repos without a topic (0a52abf)

renovatebot/renovate (ghcr.io/renovatebot/renovate)

v43.243.2

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.67.2 (main) (#44241) (f387cbe)

v43.243.1

Build System

v43.243.0

Features
Bug Fixes
Documentation
Miscellaneous Chores

v43.242.2

Bug Fixes

v43.242.1

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.67.1 (main) (#44223) (50e5486)
Miscellaneous Chores

opentofu/opentofu (opentofu/opentofu)

v1.12.3

BUG FIXES:
  • Properly handle TF_ENCRYPTION with only blank spaces. (#4265)
  • The value resulted from the lifecycle.enabled evaluation now has its deprecation marks processed correctly (#4162)
  • Update documentation to clarify the usage restriction of ephemeral values in lifecycle.enabled. (#4220)
  • tofu console -lock=false now works as intended. (#4291)
SECURITY ADVISORIES:
  • Previous releases in the v1.12 series could read an arbitrary file during certain git operations via a maliciously crafted URL (#4293)

Full Changelog: opentofu/opentofu@v1.12.2...v1.12.3

cert-manager/cert-manager (quay.io/jetstack/charts/cert-manager)

v1.20.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING]
Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind
Bug or Regression
Other (Cleanup or Flake)

Configuration

📅 Schedule: (in timezone Europe/Warsaw)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@edgard edgard enabled auto-merge (squash) June 26, 2026 01:20
@edgard edgard merged commit 495fd74 into master Jun 26, 2026
7 checks passed
@edgard edgard deleted the renovate/dependencies-(non-major) branch June 26, 2026 01:22
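
An added example, not part of this PR or of cert-manager's code: one way to confirm after the upgrade that no ClusterRole still grants the verbs the v1.20.3 release note removes is to scan the output of `kubectl get clusterroles -o json`. The function name is hypothetical and the role contents in the sample are constructed for illustration.

```python
import json

ACME_GROUP = "acme.cert-manager.io"
# Verbs the release note says cert-manager-edit no longer grants, per resource.
REMOVED = {"challenges": {"create"}, "orders": {"create", "patch", "update"}}
AGG = "rbac.authorization.k8s.io/aggregate-to-"  # ClusterRole aggregation label prefix

def risky_acme_grants(role_list):
    """Return (role, resource, verbs, aggregates_to) for every offending grant."""
    findings = []
    for role in role_list.get("items", []):
        meta = role.get("metadata", {})
        labels = meta.get("labels") or {}
        aggregates = sorted(k[len(AGG):] for k, v in labels.items()
                            if k.startswith(AGG) and v == "true")
        for rule in role.get("rules") or []:
            if not set(rule.get("apiGroups") or []) & {ACME_GROUP, "*"}:
                continue
            resources = set(rule.get("resources") or [])
            verbs = set(rule.get("verbs") or [])
            for resource, removed in REMOVED.items():
                if not resources & {resource, "*"}:
                    continue
                # A wildcard verb implies every removed verb.
                hit = removed if "*" in verbs else removed & verbs
                if hit:
                    findings.append((meta.get("name"), resource, sorted(hit), aggregates))
    return findings

# Constructed sample in the shape of `kubectl get clusterroles -o json`;
# the rules are illustrative, not copied from any cert-manager chart.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "cert-manager-edit", "labels": {
    "rbac.authorization.k8s.io/aggregate-to-edit": "true",
    "rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
  "rules": [{"apiGroups": ["acme.cert-manager.io"],
             "resources": ["challenges", "orders"],
             "verbs": ["create", "delete", "patch", "update"]}]},
 {"metadata": {"name": "cert-manager-view"},
  "rules": [{"apiGroups": ["acme.cert-manager.io"],
             "resources": ["challenges", "orders"],
             "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "ci-deployer"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
]}
""")

if __name__ == "__main__":
    for name, resource, verbs, aggregates in risky_acme_grants(SAMPLE):
        print(f"{name}: {resource} {verbs} aggregates-to={aggregates or 'none'}")
```

A finding with a non-empty aggregates-to list matters most, because the grant is inherited by every subject bound to the aggregated role; wildcard roles are reported as well since they also permit creating Challenge and Order objects.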