build(deps): bump the go_modules group across 1 directory with 4 updates

[dependabot]

Bumps the go_modules group with 3 updates in the / directory: github.com/go-git/go-git/v5, github.com/distribution/distribution/v3 and go.opentelemetry.io/otel/sdk.

Updates github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.17.1

What's Changed

• build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1930
• [v5] plumbing: format/index, Improve v4 entry name validation by @​pjbgf in go-git/go-git#1935
• [v5] plumbing: format/idxfile, Fix version and fanout checks by @​pjbgf in go-git/go-git#1937

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1839
• git: worktree, optimize infiles function for very large repos by @​k-anshul in go-git/go-git#1853
• git: Add strict checks for supported extensions by @​pjbgf in go-git/go-git#1861
• backport, git: Improve Status() speed with new index.ModTime check by @​cedric-appdirect in go-git/go-git#1862
• storage: filesystem, Avoid overwriting loose obj files by @​pjbgf in go-git/go-git#1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

Commits

• 5e23dfd Merge pull request #1937 from pjbgf/idx-v5
• 6b38a32 Merge pull request #1935 from pjbgf/index-v5
• cd757fc plumbing: format/idxfile, Fix version and fanout checks
• 3ec0d70 plumbing: format/index, Fix tree extension invalidated entry parsing
• dbe10b6 plumbing: format/index, Align V2/V3 long name and V4 prefix encoding with Git
• e9b65df plumbing: format/index, Improve v4 entry name validation
• adad18d Merge pull request #1930 from go-git/renovate/releases/v5.x-go-github.com-clo...
• 29470bd build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY]
• bdf0688 Merge pull request #1864 from pjbgf/v5-issue-55
• 5290e52 storage: filesystem, Avoid overwriting loose obj files. Fixes #55
• Additional commits viewable in compare view

Updates github.com/distribution/distribution/v3 from 3.0.0 to 3.1.0

Release notes

Sourced from github.com/distribution/distribution/v3's releases.

v3.1.0

Welcome to the v3.1.0 release of registry!

This is a stable release

Please try out the release binaries and report any issues at https://github.com/distribution/distribution/issues.

Notable Changes

• Fixes CVE-2026-35172
• Fixes CVE-2026-33540
• Adds support for tag pagination (#4360, #4353)
• Fixes default credentials in Azure storage provider (#4619)
• Drops support for go1.23 and go1.24 and updates to go1.25

See the full changelog below for the full list of changes.

What's Changed

• docs: Update to refer to new image tag v3 by @​schanzel in distribution/distribution#4373
• Fix default_credentials in azure storage provider by @​switchboardOp in distribution/distribution#4619
• chore: make function comment match function name by @​closeobserve in distribution/distribution#4622
• build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group across 1 directory by @​dependabot[bot] in distribution/distribution#4625
• fix: implement JWK thumbprint for Ed25519 public keys by @​zhangyoufu in distribution/distribution#4626
• fix: Annotate code block from validation.indexes configuration docs by @​anzoman in distribution/distribution#4629
• feat: extract redis config to separate struct by @​shanduur in distribution/distribution#4620
• Fix: resolve issue #4478 by using a temporary file for non-append writes by @​onporat in distribution/distribution#4624
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in distribution/distribution#4645
• docs: Add note about OTEL_TRACES_EXPORTER by @​jcpunk in distribution/distribution#4669
• fix: set OTEL traces to disabled by default by @​jcpunk in distribution/distribution#4671
• Fix markdown syntax for OTEL traces link in docs by @​shantanoo-desai in distribution/distribution#4676
• Switch UUIDs to UUIDv7 by @​binaryfire in distribution/distribution#4666
• refactor: replace map iteration with maps.Copy/Clone by @​whosehang in distribution/distribution#4632
• s3-aws: fix build for 386 by @​ChenQi1989 in distribution/distribution#4642
• docs: Add OpenTelemetry links to quickstart docs (#4270) by @​dpw13 in distribution/distribution#4640
• Fix S3 driver loglevel param by @​milosgajdos in distribution/distribution#4617
• Fixed data race in TestSchedule test by @​horoshev in distribution/distribution#4647
• Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of ecdsa keys by @​gpgenaiz in distribution/distribution#4684
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in distribution/distribution#4687
• Fix broken link to Docker Hub fair use policy by @​Klikini in distribution/distribution#4688
• fix(registry/handlers/app): redis CAs by @​ChandonPierre in distribution/distribution#4668
• build(deps): bump actions/labeler from 5 to 6 by @​dependabot[bot] in distribution/distribution#4694
• build(deps): bump actions/setup-go from 5 to 6 by @​dependabot[bot] in distribution/distribution#4693
• build(deps): bump actions/upload-pages-artifact from 3 to 4 by @​dependabot[bot] in distribution/distribution#4691
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @​dependabot[bot] in distribution/distribution#4706
• build(deps): bump github/codeql-action from 3.26.5 to 4.30.7 by @​dependabot[bot] in distribution/distribution#4710
• build(deps): bump github/codeql-action from 4.30.7 to 4.30.8 by @​dependabot[bot] in distribution/distribution#4714
• chore: labeler: add area/client mapping for internal/client/** by @​artem-tkachuk in distribution/distribution#4716
• client: add Accept headers to Exists() HEAD by @​artem-tkachuk in distribution/distribution#4715
• feat(registry): Make graceful shutdown test robust by @​Sumedhvats in distribution/distribution#4720

... (truncated)

Commits

• 708f8d6 chore(ci): Prep for v3.1 release (#4841)
• b1d5dbc chore(ci): Prep for v3.1 release
• 078b078 Merge commit from fork
• cccd0d4 fix(vendor): fix broke vendor validation (#4839)
• 49447e8 fix(vendor): fix broke vendpor validation
• cc5d5fa Merge commit from fork
• 4cfa178 build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0 (#4834)
• c4bac3b build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0 (#4836)
• 2f2ce9f Opt: refactor tag list pagination support (#4353)
• 6a02a0e Opt: refactor tag list pagination support
• Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

• 0e59876 Merge commit from fork
• ddffdbc Bump actions/checkout from 5 to 6 (#213)
• See full diff in compare view

Updates go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0

Changelog

Sourced from go.opentelemetry.io/otel/sdk's changelog.

[1.43.0/0.65.0/0.19.0] 2026-04-02

Added

• Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
• Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
• Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)
• Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)
• Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric. Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)
• Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

• Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)
• Improve slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)
• Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)
• Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

• Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

• Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to make the implementation spec-compliant. (#8027)
• Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (#8108)
• WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)
• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

Commits

• 9276201 Release v1.43.0 / v0.65.0 / v0.19.0 (#8128)
• 61b8c94 chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (#8131)
• 97a086e chore(deps): update github.com/golangci/dupl digest to c99c5cf (#8122)
• 5e363de limit response body size for OTLP HTTP exporters (#8108)
• 35214b6 Use an absolute path when calling bsd kenv (#8113)
• 290024c fix(deps): update module google.golang.org/grpc to v1.80.0 (#8121)
• e70658e fix: support getBody in otelploghttp (#8096)
• 4afe468 fix(deps): update googleapis to 9d38bb4 (#8117)
• b9ca729 chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (#8115)
• 69472ec chore(deps): update fossas/fossa-action action to v1.9.0 (#8118)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 9a751c7. Configure here.}

[cursor]

go-git v5.17.1 rejects repos with worktreeConfig extension

Medium Severity

Bumping go-git/go-git/v5 from v5.16.5 to v5.17.1 introduces strict Git extension validation (go-git/go-git#1861) that rejects repositories with unsupported extensions like worktreeConfig. Git automatically sets extensions.worktreeConfig=true when using git worktree add, a common workflow. The gitSHABranch() function calls git.PlainOpenWithOptions() which will now fail with an error like "repositoryformatversion does not support extension: worktreeconfig" for these repos. This is a confirmed upstream issue (go-git/go-git#1943) with no fix planned for v5. The --auto flag for replicated release create will break for affected users.

 

^{Reviewed by Cursor Bugbot for commit 9a751c7. Configure here.}

[dependabot]

Superseded by #690.