build(deps): bump the dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the dependencies group with 10 updates in the / directory:

Package	From	To
github.com/docker/cli	28.5.1+incompatible	29.1.3+incompatible
github.com/docker/docker	28.5.1+incompatible	28.5.2+incompatible
github.com/go-git/go-billy/v5	5.6.2	5.7.0
github.com/go-git/go-git/v5	5.16.3	5.16.4
github.com/opencontainers/selinux	1.13.0	1.13.1
github.com/spf13/cobra	1.10.1	1.10.2
golang.org/x/term	0.37.0	0.38.0
github.com/moby/go-archive	0.1.0	0.2.0
golang.org/x/crypto	0.45.0	0.46.0
google.golang.org/protobuf	1.36.10	1.36.11

Updates github.com/docker/cli from 28.5.1+incompatible to 29.1.3+incompatible

Commits

• f52814d Merge pull request #6705 from vvoland/list-fix
• 0f03c31 image/list: Fix dangling=false handling
• 1e25906 cli/tree: Remove unused all field
• 4d6fc33 Merge pull request #6704 from vvoland/list-fix
• 09a4664 image/tree: Add golden test
• 0d88411 image/tree: Remove --all flag check for untagged images in non-expanded view
• b315983 image/tree: Fix width calculation for untagged images
• 150a25b image/tree: Extract untagged image name to const
• 67f5e34 image: Fix dangling image detection with graphdrivers
• d96b786 Merge pull request #6702 from thaJeztah/bump_compress
• Additional commits viewable in compare view

Updates github.com/docker/docker from 28.5.1+incompatible to 28.5.2+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.5.2

28.5.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.5.2 milestone
• moby/moby, 28.5.2 milestone

[!CAUTION] This release contains fixes for three high-severity security vulnerabilities in runc:

• CVE-2025-31133
• CVE-2025-52565
• CVE-2025-52881

All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Packaging updates

• Update runc to v1.3.3. moby/moby#51394

Bug fixes and enhancements

• dockerd-rootless.sh: if slirp4netns is not installed, try using pasta (passt). moby/moby#51162
• Update Go runtime to 1.24.9. moby/moby#51387, docker/cli#6613

Deprecations

• Go-SDK: cli/command/image/build: deprecate DefaultDockerfileName, DetectArchiveReader, WriteTempDockerfile, ResolveAndValidateContextPath. These utilities were only used internally and will be removed in the next release. docker/cli#6610
• Go-SDK: cli/command/image/build: deprecate IsArchive utility. docker/cli#6560
• Go-SDK: opts: deprecate ValidateMACAddress. docker/cli#6560
• Go-SDK: opts: deprecate ListOpts.Delete(). docker/cli#6560

Commits

• 89c5e8f Merge pull request #51396 from thaJeztah/28.x_backport_api_docs
• 9b93878 Merge pull request #51395 from thaJeztah/28.x_backport_rootless_reject
• 6178456 Merge pull request #51398 from vvoland/51397-28.x
• 0cae4e5 vendor: github.com/moby/buildkit v0.25.2
• 33cc06f Merge pull request #51394 from vvoland/51393-28.x
• d525277 api/docs: remove BuildCache.Parent field for API v1.42 and up
• 2fbc51b dockerd-rootless.sh: reject DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host
• bd98008 integration-cli: Adjust nofile limits
• 1967515 Dockerfile: update runc binary to v1.3.3
• 4489660 Merge pull request #51387 from thaJeztah/28.x_bump_go
• Additional commits viewable in compare view

Updates github.com/go-git/go-billy/v5 from 5.6.2 to 5.7.0

Release notes

Sourced from github.com/go-git/go-billy/v5's releases.

v5.7.0

What's Changed

• Add support for Chmod on billy.Filesystem by @​bitfehler in go-git/go-billy#171
• build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-billy#177

Full Changelog: go-git/go-billy@v5.6.2...v5.7.0

Commits

• cc50ee7 Merge pull request #177 from go-git/renovate/releases/v5.x-go-golang.org-x-ne...
• c3a9003 build: Update module golang.org/x/net to v0.38.0 [SECURITY]
• 9263834 Merge pull request #171 from bitfehler/releases/v5.x
• 94b84fc Add support for Chmod on billy.Filesystem
• See full diff in compare view

Updates github.com/go-git/go-git/v5 from 5.16.3 to 5.16.4

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.4

What's Changed

• backport plumbing: format/idxfile, prevent panic by @​swills in go-git/go-git#1732
• [backport] build: test, Fix build on Windows. by @​pjbgf in go-git/go-git#1734
• build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1742
• build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1741
• build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1743

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

Commits

• de8ecc3 Merge pull request #1743 from go-git/renovate/releases/v5.x-go-github.com-go-...
• 3e752f0 build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY]
• 3a31754 Merge pull request #1741 from go-git/renovate/releases/v5.x-go-github.com-clo...
• acc28f1 build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY]
• 95f3880 Merge pull request #1742 from go-git/renovate/releases/v5.x-go-golang.org-x-n...
• 329f926 build: Update module golang.org/x/net to v0.38.0 [SECURITY]
• 399e04b Merge pull request #1734 from pjbgf/fix-ci
• 2025eae build: test, Fix build on Windows.
• fb6806f Merge pull request #1732 from swills/find-hash-panic-fix-backport
• 382530f plumbing: format/idxfile, prevent panic
• See full diff in compare view

Updates github.com/opencontainers/selinux from 1.13.0 to 1.13.1

Release notes

Sourced from github.com/opencontainers/selinux's releases.

v1.13.1

This release includes a minor update to reduce the minimum version requirement of the github.com/cyphar/filepath-securejoin package from v0.6.0 to v0.5.1. We did not use any of the newer features, so downgrading is a no-op but will help with downstreams that need to backport github.com/opencontainers/selinux updates.

What's Changed

• build(deps): bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in opencontainers/selinux#240
• downgrade github.com/cyphar/filepath-securejoin to v0.5.1 by @​Luap99 in opencontainers/selinux#242

New Contributors

• @​Luap99 made their first contribution in opencontainers/selinux#242

Full Changelog: opencontainers/selinux@v1.13.0...v1.13.1

Commits

• 5647f06 Merge pull request #242 from Luap99/securejoin
• 69a52b8 downgrade github.com/cyphar/filepath-securejoin to v0.5.1
• 6950c32 Merge pull request #240 from opencontainers/dependabot/github_actions/golangc...
• 9a88c88 build(deps): bump golangci/golangci-lint-action from 8 to 9
• See full diff in compare view

Updates github.com/spf13/cobra from 1.10.1 to 1.10.2

Release notes

Sourced from github.com/spf13/cobra's releases.

v1.10.2

🔧 Dependencies

• chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @​dims in spf13/cobra#2336 - the gopkg.in/yaml.v3 package has been deprecated for some time: this should significantly cleanup dependency/supply-chains for consumers of spf13/cobra

📈 CI/CD

• Fix linter and allow CI to pass by @​marckhouzam in spf13/cobra#2327
• fix: actions/setup-go v6 by @​jpmcb in spf13/cobra#2337

🔥✍🏼 Docs

• Add documentation for repeated flags functionality by @​rvergis in spf13/cobra#2316

🍂 Refactors

• refactor: replace several vars with consts by @​htoyoda18 in spf13/cobra#2328
• refactor: change minUsagePadding from var to const by @​ssam18 in spf13/cobra#2325

🤗 New Contributors

• @​rvergis made their first contribution in spf13/cobra#2316
• @​htoyoda18 made their first contribution in spf13/cobra#2328
• @​ssam18 made their first contribution in spf13/cobra#2325
• @​dims made their first contribution in spf13/cobra#2336

Full Changelog: spf13/cobra@v1.10.1...v1.10.2

Thank you to our amazing contributors!!!!! 🐍 🚀

Commits

• 88b30ab chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#2336)
• 346d408 fix: actions/setup-go v6 (#2337)
• fc81d20 refactor: change minUsagePadding from var to const (#2325)
• 117698a refactor: replace several vars with consts (#2328)
• e2dd29d Add documentation for repeated flags functionality (#2316)
• 0629892 Fix linter (#2327)
• See full diff in compare view

Updates golang.org/x/term from 0.37.0 to 0.38.0

Commits

• 3863673 go.mod: update golang.org/x dependencies
• See full diff in compare view

Updates github.com/moby/go-archive from 0.1.0 to 0.2.0

Release notes

Sourced from github.com/moby/go-archive's releases.

v0.2.0

What's Changed

• remove aliases for deprecated types and functions moby/go-archive#10
• chrootarchive: remove redundant "init" mitigation for CVE-2019-14271 moby/go-archive#11
• xattr: Fix OS matching moby/go-archive#20
• TestOverlayTarUntar: remove redundant cmpopts.EquateEmpty moby/go-archive#9
• go.mod: bump github.com/klauspost/compress v1.18.2 moby/go-archive#19
• gha: update actions moby/go-archive#18

Full Changelog: moby/go-archive@v0.1.0...v0.2.0

Commits

• 263611f Merge pull request #20 from thaJeztah/carry_17
• a1d4e73 Merge pull request #18 from thaJeztah/bump_gha
• da4e566 xattr: Fix OS matching.
• df87f45 Merge pull request #19 from thaJeztah/bump_deps
• 8996f22 gha: update CodeQL Action to v4
• 985c60f gha: codeql: use go stable
• 4752b25 gha: update actions/setup-go@v6
• 280f775 gha: update actions/checkout@v6
• 4c912d3 gha: update golangci/golangci-lint-action@v9
• 2cd730e go.mod: bump github.com/klauspost/compress v1.18.2
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.45.0 to 0.46.0

Commits

• 19acf81 go.mod: update golang.org/x dependencies
• 3a1c6b4 x509roots/fallback: update bundle
• f4602e4 ssh/agent: fix flaky test by ensuring a writeable home directory
• See full diff in compare view

Updates golang.org/x/sync from 0.18.0 to 0.19.0

Commits

• 2a180e2 errgroup: use consistent read for SetLimit panic
• See full diff in compare view

Updates google.golang.org/protobuf from 1.36.10 to 1.36.11

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions