chore: update dependencies

[renovate]

Update Request | Renovate Bot

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
cgr.dev/chainguard/wolfi-base		digest	31da656 → 0cff4df
cloudflare/cloudflared		minor	2026.3.0 → 2026.5.0
fosrl/newt		patch	1.12.3 → 1.12.5
github.com/anchore/grype	indirect	minor	v0.111.0 → v0.112.0
github.com/anchore/syft	indirect	minor	v1.42.4 → v1.44.0
github.com/dsseng/syft	replace	patch	v1.42.4-0.20260415171054-31b9430f030f → v1.42.4
golang.org/x/sys	require	minor	v0.43.0 → v0.44.0
google/gvisor		minor	20260427.0 → 20260511.0
kubernetes/cloud-provider-aws		minor	v1.35.1 → v1.36.0
lldpd/lldpd		patch	1.0.21 → 1.0.22
netbirdio/netbird		minor	0.70.5 → 0.71.0

---

Release Notes

cloudflare/cloudflared (cloudflare/cloudflared)

v2026.5.0

Compare Source

SHA256 Checksums:

cloudflared-amd64.pkg: 3bba5d1ae1fc7f4e224da244b15c281588f774f649bd15ef148ab7577df9a87d
cloudflared-arm64.pkg: e0aeda65c34359dcd71f228137fe5bcb4e2b36cde41acbeaed018141f18a17a1
cloudflared-darwin-amd64.tgz: 2b9ad49aee5d390ba9b9bf949a0576cc1e5f1e7444a59f4db0f0ceff05560542
cloudflared-darwin-arm64.tgz: 2c1664a06fb7bc4d3af24e208ee34a1b5ed4610006dab98aa3e65cccf2c6b444
cloudflared-fips-linux-amd64: e340475b8ea87469ffeb2d244fa33502a690ccd414be5d31be0a622f5a19f2ef
cloudflared-fips-linux-amd64.deb: 6741ed3e67a3ead2b6f54514de532e8956234f7b4c87b546c98d45fe07626eb1
cloudflared-fips-linux-x86_64.rpm: 365ac1ee3520f8979077840842e3b45f114c482812b2390c5e8694c9e4aa4c55
cloudflared-linux-386: af63c00d89e92538b40b1e3b8a264558f17c23d706b3b07c1c5a0f21e5f27942
cloudflared-linux-386.deb: fd5dda4a50377baed4cdcfa0b112e1d82a7f6db13fbc653a80cd99748ee573e8
cloudflared-linux-386.rpm: 63685d4209bb0313b75dd852b9e0f3760101cbed20a88e242f412bb20314d49a
cloudflared-linux-aarch64.rpm: ae3f0dcfb98d492a850e446b311d1a1bde858735dbe107f69bdf61ac21ac2dcc
cloudflared-linux-amd64: 0095e46fdc88855d801c4d304cb1f5dd4bd656116c47ab94c2ad0ae7cda1c7ec
cloudflared-linux-amd64.deb: 0173a478774c635e577ef1eaa5a49af88d09d2d69b4a3e46f7033598f68f6521
cloudflared-linux-arm: 22394bc6d820b48a7a273f4d61a8b2f512243404b3f69388fae9632a3d253bb5
cloudflared-linux-arm.deb: 066763b36571d8ab5807b4d86b73c85eed98e0f072bddb83b239ea2dd49bc321
cloudflared-linux-arm.rpm: 3b103fdd463a82f360f4e9d2b1405b7b51bc225f569278f8ea5236028d7a5d80
cloudflared-linux-arm64: 2dc0945345677d27de3ae390a31c3b168866b48766da5f4cfd3fc473ce572303
cloudflared-linux-arm64.deb: 4e80137180f64ab1c7f4bd8aa324907aefe2da25ef62e2a8f3fdd3601dc70be6
cloudflared-linux-armhf: fcd05d6fef48b120c582c26625915bb9bc5713b21105a2c0c142fe72c205adee
cloudflared-linux-armhf.deb: b74468de70ef23aacb04c834f853b3dde050fc8a788ca2739a1d48837bae0687
cloudflared-linux-armhf.rpm: d72e0da0b97ab312a703ec1b86319e84046e170c1754b16733b6782d65955340
cloudflared-linux-x86_64.rpm: 31ba4df6de0bb7678856dd7a35eb3cb6db63ce96ea5bca5062c750cb88af5bec
cloudflared-windows-386.exe: f4294840f044dcfad86d5baccb63d92d3efc3ef1528a6f4962b367477af1dc5f
cloudflared-windows-386.msi: fa7209bb4269140267e81ac6bfb476b5f7c6851f309a245335bd11e82737b670
cloudflared-windows-amd64.exe: f141cded099c239171ad2cea6fb5da0fdaa2bd36104c3074d883f9546519eba7
cloudflared-windows-amd64.msi: 412f9d971a8b0dee307ea49e73cc363be775a43008df66d8dd398e621789d06e

fosrl/newt (fosrl/newt)

v1.12.5

Compare Source

Container Images

• GHCR: ghcr.io/fosrl/newt@sha256:3c009663332145cae39b940b07857469038d5e9d71aacb1497e78795ba4e3b9b
• Docker Hub: docker.io/fosrl/newt@sha256:3c009663332145cae39b940b07857469038d5e9d71aacb1497e78795ba4e3b9b
  Tag: 1.12.5

What's Changed

• fix(http): Set host header based on in by @​LaurenceJJones in #​344
• fix(http): populate Request.TLS for private HTTPS via httpConnCtx by @​LaurenceJJones in #​345
• Fix redirect by @​oschwartz10612 in #​346

Full Changelog: fosrl/newt@1.12.4...1.12.5

v1.12.4

Compare Source

Container Images

• GHCR: ghcr.io/fosrl/newt@sha256:6369c0e0872d0634461ed477dea684431f4ddb92a9c30e485c07d1904623582d
• Docker Hub: docker.io/fosrl/newt@sha256:6369c0e0872d0634461ed477dea684431f4ddb92a9c30e485c07d1904623582d
  Tag: 1.12.4

What's Changed

• Fix newt not reconnecting on data plane Wireguard connection failure from @​dephekt
• Fix connection logs not getting generated on edge case with rewrite addresses
• Update status code on redirect for http resources to 308

Full Changelog: fosrl/newt@1.12.3...1.12.4

anchore/grype (github.com/anchore/grype)

v0.112.0

Compare Source

Added Features

• Expand ignore rules to owned sub packages of distro packages [#​3368 #​3326 @​kzantow]

Additional Changes

• update anchore dependencies [#​3391 @​anchore-oss-update-bot]

(Full Changelog)

v0.111.1

Compare Source

Bug Fixes

• apply overlap by ownership removal to dynamically created relationships [#​3363 @​kzantow]
• compare mismatched package / db versions [#​3372 @​kzantow]
• Grype doesn't recognize debian component when "group" : "debian" is specified [#​2967]
• HelpURI missing information in SARIF output [#​2874 #​3351 @​will-bates11]

(Full Changelog)

anchore/syft (github.com/anchore/syft)

v1.44.0

Compare Source

Added Features

• Add support for linux-riscv64 [#​4757 @​luhenry]

Bug Fixes

• Yarn lockfile cataloguing does not handle aliases [#​4833 #​4836 @​cyphercodes]
• Some snippet files are saved in the previous test directory [#​4829 #​4830 @​witchcraze]
• empty rockspec causes index out of range [#​4824 #​4827 @​aki1770-del]
• PE cataloger shows asp.net core ref assemblies using fileversion build stamp instead of productversion [#​4813 #​4814 @​rezmoss]
• Syft safeCopy silently swallows archive decompression errors [#​4806 #​4807 @​SAY-5]

(Full Changelog)

v1.43.0

Compare Source

Added Features

• added deno bin classifiers [#​4677 @​rezmoss]
• Support haskell old versions [#​3237 #​4793 @​witchcraze]
• Add support for OpenLDAP binary detection [#​4768 #​4755 @​nadimz]
• Support erlang ols versions [#​3235 #​4766 @​witchcraze]

Bug Fixes

• improve redhat-release parsing fallback for RHEL clones [#​4808 @​westonsteimel]
• fix format string in search results struct [#​4775 @​willmurphyscode]
• prevent infinite recursion in Document.UnmarshalJSON with encoding/json/v2 [#​4748 @​benja-M-1]
• Syft can not complete scanning golang image [#​4686]
• javascript-package-cataloger drops entire package.json when authors/contributors/maintainers is a single string [#​4778 #​4779 @​yoav-orca]
• pnpm lock file cataloger produces unstable output [#​4648 #​4765 @​lawrence3699]
• Linux Kernel bzImage and zImage not cataloged by linux-kernel-cataloger [#​4769 #​4751 @​nadimz]
• Support istio binary (pilot-discovery, pilot-agent) alpha,beta,rc,dev version [#​4546 #​4645 @​witchcraze]
• Scanning mounted ISO: duplicate entries [#​4759]

Additional Changes

• update CPE dictionary index [#​4767 @​anchore-oss-update-bot]

(Full Changelog)

dsseng/syft (github.com/dsseng/syft)

v1.42.4

Compare Source

google/gvisor (google/gvisor)

v20260511.0

Compare Source

v20260504.0

Compare Source

kubernetes/cloud-provider-aws (kubernetes/cloud-provider-aws)

v1.36.0

Compare Source

What's Changed

• fix: lb leak preventing changes in Load Balancer type annotation after creation by @​mtulio in #​1325
• Only wait for delayed test queue entries if there is no work by @​nrb in #​1331
• Update the version of ecr dependency to fix the ipv6 endpoints by @​kmala in #​1333
• feat(ecr-cred-provider): support public dualstack endpoints by @​mselim00 in #​1332
• e2e/loadbalancer: fix e2e by skipping unscheduled nodes on discovery by @​mtulio in #​1340
• Deregister elb targets before registering targets by @​DanielCKennedy in #​1328
• fix: add k8s.io/streaming replace directive in switch-to-latest-k8s by @​a7i in #​1367
• fix: add nil check for instance State in InstanceExistsByProviderID by @​a7i in #​1366
• update helm chart for 1.35 by @​joshuakguo in #​1364
• fix: Add explicit HTTP request timeouts to all AWS SDK clients by @​howard-junec in #​1374
• fix(ci): pin GitHub Actions to full-length commit SHAs by @​mtulio in #​1385
• fix(e2e): increase test timeout and load balancer propagation to cover EUSC region by @​mtulio in #​1383
• Add AWS API metrics middleware for status codes and error tracking by @​howard-junec in #​1377
• 1.36.0 rc release by @​Ganiredi in #​1382
• 1.36 dependency update by @​Ganiredi in #​1395
• Fix leak managed/owned security group on Service update with BYO SG on CLB by @​mtulio in #​1209
• Release v1.36.0 by @​Ganiredi in #​1398

New Contributors

• @​nrb made their first contribution in #​1331

Full Changelog: kubernetes/cloud-provider-aws@v1.35.2...v1.36.0

v1.35.2

Compare Source

What's Changed

• Automated cherry pick of #​1328: Deregister elb targets before registering targets by @​DanielCKennedy in #​1357
• Automated cherry pick of #​1366: fix: add nil check for instance State in by @​a7i in #​1368
• Automated cherry pick of #​1399: cloudbuild: bump gcb-docker-gcloud to v20260205-38cfa9523f
  #​1419: cloudbuild: bump timeout to 3600s
  #​1421: cloudbuild: upgrade to E2_HIGHCPU_32 to fix session timeout by @​Ganiredi in #​1422
• Update go.opentelemetry.io/otel to v1.43.0 and go version to 1.25.9 by @​kmala in #​1431
• Automated cherry pick of #​1374: fix: Add explicit HTTP request timeouts to all AWS SDK by @​howard-junec in #​1436
• Bump golang.org/x/net to v0.53.0 to fix GO-2026-4918 (release-1.35) by @​howard-junec in #​1439
• Release v1.35.2 by @​howard-junec in #​1443

Full Changelog: kubernetes/cloud-provider-aws@v1.35.1...v1.35.2

lldpd/lldpd (lldpd/lldpd)

v1.0.22

Compare Source

Summary

• Fix:
  • Fix out-of-bound read access when removing VLAN tag (CVE-2026-46433, #​787)
  • Reject 0-length management address in LLDP
  • Fix race condition when creating the control socket
  • Fix FDP MAC address
  • Fix memory leak in the BSD bridge query path
  • Fix duplicate management addresses when merging EDP VLAN frames

Changelog

• [df8d729] release: 1.0.22 (Vincent Bernat)
• [4192630] doc: update NEWS for the latest commit (Vincent Bernat)
• [ca931be] Fix heap OOB read in VLAN decapsulation memmove (TristanInSec)
• [7b40322] doc: update NEWS with most notable changes (Vincent Bernat)
• [0365644] daemon/lldpd: return NULL from lldpd_get_os_release on empty result (Vincent Bernat)
• [e408f52] daemon/edp: dedup management addresses against the destination list (Vincent Bernat)
• [b3233ca] daemon/interfaces-bsd: cap NetBSD aggregate port count (Vincent Bernat)
• [877498d] daemon/interfaces-bsd: free req in ifbsd_check_bridge (Vincent Bernat)
• [7875d49] daemon/priv-bsd: fix typos in asroot_iface_description_os (Vincent Bernat)
• [8d95653] marshal: use ssize_t for size accumulators in unserialize (Vincent Bernat)
• [1c91e28] daemon/seccomp: use only async-signal-safe calls in SIGSYS handler (Vincent Bernat)
• [ab0f522] log: do not re-feed caller fmt as a format string to stderr (Vincent Bernat)
• [d527dda] daemon/event: avoid double-free of client on send failure (Vincent Bernat)
• [b718c15] ctl: tighten umask around bind() for the control socket (Vincent Bernat)
• [5d93df6] daemon/priv-linux: reject embedded NUL in authorized path (Vincent Bernat)
• [8fac206] daemon/priv: mark monitored as volatile sig_atomic_t (Vincent Bernat)
• [6fcc94a] client/lldpcli: guard argc>0 before indexing argv (Vincent Bernat)
• [ee7c2be] client/tokenizer: heap-allocate the work buffer (Vincent Bernat)
• [c096e5d] daemon/privsep_fd: bail out on failure or short read (Vincent Bernat)
• [f04e2b6] daemon/dmi-osx: handle CFStringGetCStringPtr returning NULL (Vincent Bernat)
• [b863453] daemon/agent: guard against NULL/empty net-snmp log message (Vincent Bernat)
• [779bc1e] lldpd-structs: bound custom TLV oui_info length (Vincent Bernat)
• [faf8fca] daemon/client: bound MED location data length (Vincent Bernat)
• [883afdb] client/json: escape object keys (Vincent Bernat)
• [6f55f7a] client/json: escape control character 0x1F (Vincent Bernat)
• [71e23bb] daemon/priv: fix ctlname parameter shadowing file-scope global (Vincent Bernat)
• [7ba39ef] daemon/seccomp: fix out-of-bounds index of syscall_names (Vincent Bernat)
• [1d55036] daemon/lldp: reject zero-length management address (Vincent Bernat)
• [435fb46] build: update docker actions (Vincent Bernat)
• [a8098a6] build: bump cross-platform-actions/action to v1.0.0 (Vincent Bernat)
• [50919c1] build: downgrade FreeBSD to 14.3 (Vincent Bernat)
• [fa27fef] build: test on FreeBSD 15.0 (Vincent Bernat)
• [909e379] daemon/cdp: fix another logic error when parsing FDP packets (Vincent Bernat)
• [89105ea] daemon/cdp: fix FDP MAC address (Vincent Bernat)
• [b280f34] build: bump pytest from 7.2.0 to 9.0.3 in /tests/integration (dependabot[bot])
• [69f50b9] liblldpctl: Fix const correctness of the receive callback (Bartel Sielski)
• [1f4189b] build: use a multi-stage build for Dockerfile (Vincent Bernat)
• [cd89d00] build: untabify Dockerfile (Vincent Bernat)

netbirdio/netbird (netbirdio/netbird)

v0.71.0

Compare Source

Release Notes for v0.71.0

What's New

IPv6 overlay addressing
NetBird's overlay is now dual-stack. Every account gets its own IPv6 prefix (default /64, configurable from /48 to /120), and peers can receive both an IPv4 and an IPv6 overlay address. DNS serves AAAA
and reverse PTR records alongside A records, ACLs apply to both families automatically, network routes accept IPv6 CIDRs (with masquerade), exit nodes that route 0.0.0.0/0 get a matching ::/0 route, and
domain routes resolve both A and AAAA.

Rollout is group-gated: new accounts enable IPv6 for the All group by default; existing accounts opt in under Settings > Network. Assignment is also gated on a per-peer capability, so older clients keep
working on IPv4 until they upgrade. Hosts can opt out individually with netbird up --disable-ipv6

Read more in the IPv6 Overlay Addressing announcement and the IPv6 documentation.
#​5631 by @​lixmal

MFA for local users
Local users (non-IdP) can now enable multi-factor authentication, closing a gap for deployments that don't federate auth through an external provider.
#​5804 by @​jnfrati

Bring your own proxy (backend ready)
Backend support for per-account reverse-proxy lifecycle has landed: proxy tokens, per-account cluster allow-lists, conflict detection, and one-proxy-per-account enforcement. Full rollout (dashboard, docs) comes
in a later release.
#​5627 by @​crn4

Client Improvements

• Included MTU and SSH auth config in debug bundle by @​lixmal.
  #​6071
• Added public key to debug bundle config.txt by @​lixmal.
  #​6092
• iOS: structured ResolvedIPs collection for domain routes by @​pappz.
  #​6090
• Used unique temp file and clean up on failure when writing ssh config by @​lixmal.
  #​6064
• Hardened uspfilter conntrack and shared TCP relay by @​lixmal.
  #​5936
• Skipped DNS upstream failover on definitive EDE by @​lixmal.
  #​6089
• Fixed --config flag default to point at profile path by @​lixmal.
  #​6122
• Bracketed IPv6 in embed listeners, expanded debug bundle by @​lixmal.
  #​6134
• Added short flags for status command options by @​mlsmaycon.
  #​6137

Management Improvements

• Removed permissions from geolocations API by @​pascal-fischer.
  #​6091
• Added update reason to buffered calls by @​pascal-fischer.
  #​6103
• Allocated and preserved IPv6 overlay addresses for embedded proxy peers by @​lixmal.
  #​6132
• Fixed offline statuses for public proxy clusters by @​crn4.
  #​6133
• Bracketed IPv6 reverse-proxy target hosts when building URL Host field by @​lixmal.
  #​6141

Relay Improvements

• Preserved non-standard port in WS dialer URL prep by @​lixmal.
  #​6061

Misc

• Updated CONTRIBUTING.md by @​mlsmaycon.
  #​6076

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: internal/grype-scan/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 49 additional dependencies were updated

Details:

Package	Change
cloud.google.com/go/auth	v0.18.1 -> v0.18.2
cloud.google.com/go/storage	v1.60.0 -> v1.61.3
github.com/anchore/stereoscope	v0.1.22 -> v0.1.23
github.com/aws/aws-sdk-go-v2	v1.41.2 -> v1.41.5
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.7.4 -> v1.7.8
github.com/aws/aws-sdk-go-v2/config	v1.32.10 -> v1.32.12
github.com/aws/aws-sdk-go-v2/credentials	v1.19.10 -> v1.19.12
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.18 -> v1.18.20
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.18 -> v1.4.21
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.18 -> v2.7.21
github.com/aws/aws-sdk-go-v2/internal/ini	v1.8.4 -> v1.8.6
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.4.17 -> v1.4.22
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.5 -> v1.13.7
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.9.8 -> v1.9.13
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.18 -> v1.13.21
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.19.17 -> v1.19.21
github.com/aws/aws-sdk-go-v2/service/s3	v1.96.0 -> v1.97.3
github.com/aws/aws-sdk-go-v2/service/signin	v1.0.6 -> v1.0.8
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.11 -> v1.30.13
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.15 -> v1.35.17
github.com/aws/aws-sdk-go-v2/service/sts	v1.41.7 -> v1.41.9
github.com/aws/smithy-go	v1.24.1 -> v1.24.2
github.com/containerd/containerd/v2	v2.2.1 -> v2.2.2
github.com/containerd/platforms	v1.0.0-rc.2 -> v1.0.0-rc.4
github.com/docker/cli	v29.3.0+incompatible -> v29.4.0+incompatible
github.com/go-git/go-git/v5	v5.17.0 -> v5.18.0
github.com/go-jose/go-jose/v4	v4.1.3 -> v4.1.4
github.com/google/go-containerregistry	v0.21.3 -> v0.21.5
github.com/googleapis/enterprise-certificate-proxy	v0.3.11 -> v0.3.14
github.com/hashicorp/aws-sdk-go-base/v2	v2.0.0-beta.70 -> v2.0.0-beta.72
github.com/hashicorp/go-getter	v1.8.5 -> v1.8.6
github.com/moby/moby/api	v1.54.0 -> v1.54.1
github.com/moby/moby/client	v0.3.0 -> v0.4.0
github.com/openvex/go-vex	v0.2.7 -> v0.2.8
github.com/package-url/packageurl-go	v0.1.3 -> v0.1.5
go.opentelemetry.io/otel	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/metric	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/sdk	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/metric	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.40.0 -> v1.43.0
golang.org/x/crypto	v0.49.0 -> v0.50.0
golang.org/x/mod	v0.34.0 -> v0.35.0
golang.org/x/net	v0.52.0 -> v0.53.0
golang.org/x/sys	v0.42.0 -> v0.43.0
golang.org/x/term	v0.41.0 -> v0.42.0
golang.org/x/text	v0.35.0 -> v0.36.0
golang.org/x/tools	v0.43.0 -> v0.44.0
google.golang.org/api	v0.267.0 -> v0.271.0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260226221140-a57be14db171