fix(deps): update all non-major go dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cert-manager/cert-manager	v1.19.1 -> v1.19.2
github.com/cloudnative-pg/api	v1.27.0 -> v1.28.0
github.com/cloudnative-pg/cloudnative-pg	v1.27.1 -> v1.28.0
github.com/onsi/ginkgo/v2	v2.27.2 -> v2.27.3
github.com/onsi/gomega	v1.38.2 -> v1.38.3
github.com/spf13/cobra	v1.10.1 -> v1.10.2
google.golang.org/grpc	v1.76.0 -> v1.77.0

---

Release Notes

cert-manager/cert-manager (github.com/cert-manager/cert-manager)

v1.19.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We updated Go to fix some vulnerabilities in the standard library.

📖 Read the full 1.19 release notes on the cert-manager.io website before upgrading.

Changes since v1.19.1

Bug or Regression

• Address false positive vulnerabilities CVE-2025-47914 and CVE-2025-58181 which were reported by Trivy. (#​8283, @​SgtCoDFish)
• Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#​8294, @​wallrj-cyberark)
• Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#​8233, @​cert-manager-bot)

Other (Cleanup or Flake)

• Update cert-manager's ACME client, forked from golang/x/crypto (#​8270, @​SgtCoDFish)
• Updated Debian 12 distroless base images (#​8326, @​wallrj-cyberark)

cloudnative-pg/api (github.com/cloudnative-pg/api)

v1.28.0

Compare Source

cloudnative-pg/cloudnative-pg (github.com/cloudnative-pg/cloudnative-pg)

v1.28.0

Compare Source

Release date: Dec 9, 2025

Features

• Quorum-Based Failover Promoted to Stable: Promoted the quorum-based failover feature, introduced experimentally in 1.27.0, to a stable API. This data-driven failover mechanism is now configured via the spec.postgresql.synchronous.failoverQuorum field, graduating from the previous alpha.cnpg.io/failoverQuorum annotation. (#​8589)

• Declarative Foreign Data Management: Introduced comprehensive declarative management for Foreign Data Wrappers (FDW) by extending the Database CRD. This feature adds the .spec.fdws and .spec.servers fields, allowing you to manage FDW extensions and their corresponding foreign servers directly from the Database resource. This work was implemented by Ying Zhu (@​EdwinaZhu) as part of the LFX Mentorship Program 2025 Term 2. (#​7942, #​8401)

Changes

• Updated the default PostgreSQL version to 18.1-system-trixie. (#​9178)

• Updated the default PgBouncer version to 1.25.1 for new Pooler deployments. (#​9367)

Enhancements

• Enabled simultaneous image and configuration changes when using primaryUpdateMethod: restart, allowing you to update the container image (including PostgreSQL version or extensions) and PostgreSQL configuration settings in the same operation. Note that when using primaryUpdateMethod: switchover, image and configuration changes must still be performed separately to avoid configuration mismatches during the switchover process. (#​8241)

• Improved network failure detection for replica instances by setting the default tcp_user_timeout to 5 seconds. This change helps replicas detect and recover from silent network drops more quickly. Previously, replicas could wait up to 127 seconds before detecting such failures; with the new timeout, they reconnect to the primary within 5 seconds. To preserve the previous behavior, set STANDBY_TCP_USER_TIMEOUT to 0 in the operator configuration. (#​9317)

• Adopted standard Kubernetes recommended labels (e.g., app.kubernetes.io/name) for all resources generated by CloudNativePG (Clusters, Backups, Poolers, etc.). Contributed by @​JefeDavis. (#​8087)

• Introduced securityContext at the pod level and containerSecurityContext for individual containers (including postgres, init, and sidecars). This provides granular control over security settings, replacing the previous cluster-wide postgres and operator user settings. Contributed by @​x0ddf. (#​6614)

• Introduced the alpha.cnpg.io/unrecoverable=true annotation for replica pods. When applied, this annotation instructs the operator to permanently delete the instance by removing its Pod and PVCs, after which it will recreate the replica from the primary. (#​8178)

• Introduced a new caching layer for user-defined monitoring queries to reduce load on the PostgreSQL database. (#​8003)

• Enhanced PgBouncer integration by automatically setting auth_dbname to the pgbouncer database, simplifying auth setup. (#​8671)

• Allowed providing stage-specific pg_restore options (preRestore, postRestore, dataRestore) during database import. Contributed by @​hanshal101. (#​7690)

• Added the PostgreSQL majorVersion to the Backup object's status for easier identification and management. (#​8464)

• Enhanced cluster restore to wait for all init containers to complete before starting the restore process. This ensures that backup tools running in init containers finish preparing the data before the restore begins. The implementation correctly handles Kubernetes init container sidecars by ignoring those with RestartPolicy=Always. (#​9026)

• Added the PGBOUNCER_IMAGE_NAME operator configuration parameter to allow overriding the default PgBouncer image. This is useful for air-gapped environments or when using internal registries. (#​9232)

• cnpg plugin:

  • Added a --timeout flag to the kubectl cnpg status command for configuring the timeout for filesystem operations such as calculating cluster size. The default remains 10 seconds but can be adjusted for large clusters where operations may take longer. (#​9201)

  • Improved cnpg report to generate more shell-friendly file names. (#​8984)

Security

• Allowed providing fine-grained custom TLS configurations for PgBouncer. The Pooler CRD was extended with clientTLSSecret, clientCASecret, serverTLSSecret, and serverCASecret fields under .spec.pgbouncer. These fields enable users to supply their own certificates for both client-to-pooler and pooler-to-server connections, taking precedence over the operator-generated certificates. (#​8692)

• Added optional TLS support for the operator's metrics server (port 8080). This feature is opt-in and enabled by setting the METRICS_CERT_DIR environment variable, which instructs the operator to look for tls.crt and tls.key files in the specified directory. When unset, the server continues to use HTTP for backward compatibility. (#​8997)

• Enabled cnpg report operator to work with minimal permissions by making only the operator deployment required. All other resources (pods, secrets, config maps, events, webhooks, and OLM data) are now optional and collected on a best-efforts basis. The command gracefully handles permission errors for those resources by logging clear warnings and continuing report generation with available data, rather than failing completely. This enables least-privileged access, where users may have limited, namespace-scoped permissions. (#​8982)

Fixes

• Improved resilience of all probe types (liveness, readiness, and startup) to transient Kubernetes API server connectivity issues. Probes now use a caching mechanism that falls back to cached cluster definitions during brief network interruptions, preventing unnecessary pod restarts and probe failures. (#​9148)

• Fixed the CheckEmptyWalArchive safeguard to run correctly when restoring from a volume snapshot using CNPG-I backup/WAL plugins (e.g., plugin-barman-cloud). Previously, this check was skipped for plugin-based implementations. (#​9306)

• Improved error reporting when ImageCatalog retrieval fails. The operator now emits a Warning event and logs errors for all failure types, not just NotFound errors, improving visibility into configuration issues. (#​9266)

• Fixed TLS certificate verification issues when connecting to CNPG-I plugins by adding the cnpg.io/pluginServerName annotation. This allows customizing the DNS name used for certificate verification in environments where the plugin's certificate uses a different DNS name than the Service name. (#​9222)

• Fixed an issue where the instance manager controller could fail to restart after an error, reporting a "controller already exists" message. The controller now uses SkipNameValidation for subsequent initialization attempts. Contributed by @​mateusoliveira43. (#​9123)

• Fixed incorrect WAL restore path handling in plugins when the destination path is absolute, preventing path duplication issues. Contributed by @​Endevir. (#​9093)

• Fixed the CREATE PUBLICATION SQL generation for multi-table publications to be backward-compatible with PostgreSQL 13+. The previously generated syntax was only valid for PostgreSQL 15+ and caused syntax errors on older versions. (#​8888)

• Fixed backup failures in complex pod definitions by reliably selecting the postgres container by name instead of by index. Contributed by @​Joda89. (#​8964)

• cnpg plugin:

  • Fixed bugs in cnpg report log collection, especially when fetching previous logs. The collector now correctly fetches previous and current logs in separate requests and gracefully handles missing previous logs (e.g., on containers with no restart history), ensuring current logs are always collected. (#​8992)

Supported versions

• Kubernetes 1.34, 1.33, and 1.32
• PostgreSQL 18, 17, 16, 15, and 14
  • PostgreSQL 18.1 is the default image

v1.27.2

Compare Source

Release date: Dec 9, 2025

!!! Warning Version 1.27 will be supported until 9 March 2026.

Changes

• Updated the default PostgreSQL version to 18.1-system-trixie. (#​9178)

• Updated the default PgBouncer version to 1.25.1 for new Pooler deployments. (#​9367)

Enhancements

• Added the PostgreSQL majorVersion to the Backup object's status for easier identification and management. (#​8464)

• Added the PGBOUNCER_IMAGE_NAME operator configuration parameter to allow overriding the default PgBouncer image. This is useful for air-gapped environments or when using internal registries. (#​9232)

• cnpg plugin:

  • Added a --timeout flag to the kubectl cnpg status command for configuring the timeout for filesystem operations such as calculating cluster size. The default remains 10 seconds but can be adjusted for large clusters where operations may take longer. (#​9201)

  • Improved cnpg report to generate more shell-friendly file names. (#​8984)

Fixes

• Improved resilience of all probe types (liveness, readiness, and startup) to transient Kubernetes API server connectivity issues. Probes now use a caching mechanism that falls back to cached cluster definitions during brief network interruptions, preventing unnecessary pod restarts and probe failures. (#​9148)

• Fixed the CheckEmptyWalArchive safeguard to run correctly when restoring from a volume snapshot using CNPG-I backup/WAL plugins (e.g., plugin-barman-cloud). Previously, this check was skipped for plugin-based implementations. (#​9306)

• Improved error reporting when ImageCatalog retrieval fails. The operator now emits a Warning event and logs errors for all failure types, not just NotFound errors, improving visibility into configuration issues. (#​9266)

• Fixed TLS certificate verification issues when connecting to CNPG-I plugins by adding the cnpg.io/pluginServerName annotation. This allows customizing the DNS name used for certificate verification in environments where the plugin's certificate uses a different DNS name than the Service name. (#​9222)

• Fixed an issue where the instance manager controller could fail to restart after an error, reporting a "controller already exists" message. The controller now uses SkipNameValidation for subsequent initialization attempts. Contributed by @​mateusoliveira43. (#​9123)

• Fixed incorrect WAL restore path handling in plugins when the destination path is absolute, preventing path duplication issues. Contributed by @​Endevir. (#​9093)

• Fixed the CREATE PUBLICATION SQL generation for multi-table publications to be backward-compatible with PostgreSQL 13+. The previously generated syntax was only valid for PostgreSQL 15+ and caused syntax errors on older versions. (#​8888)

• Fixed backup failures in complex pod definitions by reliably selecting the postgres container by name instead of by index. Contributed by @​Joda89. (#​8964)

• cnpg plugin:

  • Fixed bugs in cnpg report log collection, especially when fetching previous logs. The collector now correctly fetches previous and current logs in separate requests and gracefully handles missing previous logs (e.g., on containers with no restart history), ensuring current logs are always collected. (#​8992)

onsi/ginkgo (github.com/onsi/ginkgo/v2)

v2.27.3

Compare Source

2.27.3

Fixes

report exit result in case of failure [1c9f356]
fix data race [ece19c8]

onsi/gomega (github.com/onsi/gomega)

v1.38.3

Compare Source

1.38.3

Fixes

make string formatitng more consistent for users who use format.Object directly

spf13/cobra (github.com/spf13/cobra)

v1.10.2

Compare Source

🔧 Dependencies

• chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @​dims in #​2336 - the gopkg.in/yaml.v3 package has been deprecated for some time: this should significantly cleanup dependency/supply-chains for consumers of spf13/cobra

📈 CI/CD

• Fix linter and allow CI to pass by @​marckhouzam in #​2327
• fix: actions/setup-go v6 by @​jpmcb in #​2337

🔥✍🏼 Docs

• Add documentation for repeated flags functionality by @​rvergis in #​2316

🍂 Refactors

• refactor: replace several vars with consts by @​htoyoda18 in #​2328
• refactor: change minUsagePadding from var to const by @​ssam18 in #​2325

🤗 New Contributors

• @​rvergis made their first contribution in #​2316
• @​htoyoda18 made their first contribution in #​2328
• @​ssam18 made their first contribution in #​2325
• @​dims made their first contribution in #​2336

Full Changelog: spf13/cobra@v1.10.1...v1.10.2

Thank you to our amazing contributors!!!!! 🐍 🚀

grpc/grpc-go (google.golang.org/grpc)

v1.77.0: Release 1.77.0

Compare Source

API Changes

• mem: Replace the Reader interface with a struct for better performance and maintainability. (#​8669)

Behavior Changes

• balancer/pickfirst: Remove support for the old pick_first LB policy via the environment variable GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST=false. The new pick_first has been the default since v1.71.0. (#​8672)

Bug Fixes

• xdsclient: Fix a race condition in the ADS stream implementation that could result in resource-not-found errors, causing the gRPC client channel to move to TransientFailure. (#​8605)
• client: Ignore HTTP status header for gRPC streams. (#​8548)
• client: Set a read deadline when closing a transport to prevent it from blocking indefinitely on a broken connection. (#​8534)
  • Special Thanks: @​jgold2-stripe
• client: Fix a bug where default port 443 was not automatically added to addresses without a specified port when sent to a proxy.
  • Setting environment variable GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET=false disables this change; please file a bug if any problems are encountered as we will remove this option soon. (#​8613)
• balancer/pickfirst: Fix a bug where duplicate addresses were not being ignored as intended. (#​8611)
• server: Fix a bug that caused overcounting of channelz metrics for successful and failed streams. (#​8573)
  • Special Thanks: @​hugehoo
• balancer/pickfirst: When configured, shuffle addresses in resolver updates that lack endpoints. Since gRPC automatically adds endpoints to resolver updates, this bug only affects custom LB policies that delegate to pick_first but don't set endpoints. (#​8610)
• mem: Clear large buffers before re-using. (#​8670)

Performance Improvements

• transport: Reduce heap allocations to reduce time spent in garbage collection. (#​8624, #​8630, #​8639, #​8668)
• transport: Avoid copies when reading and writing Data frames. (#​8657, #​8667)
• mem: Avoid clearing newly allocated buffers. (#​8670)

New Features

• outlierdetection: Add metrics specified in gRFC A91. (#​8644)
  • Special Thanks: @​davinci26, @​PardhuKonakanchi
• stats/opentelemetry: Add support for optional label grpc.lb.backend_service in per-call metrics (#​8637)
• xds: Add support for JWT Call Credentials as specified in gRFC A97. Set environment variable GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS=true to enable this feature. (#​8536)
  • Special Thanks: @​dimpavloff
• experimental/stats: Add support for up/down counters. (#​8581)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 26 additional dependencies were updated

Details:

Package	Change
k8s.io/api	v0.34.1 -> v0.34.2
k8s.io/apiextensions-apiserver	v0.34.1 -> v0.34.2
k8s.io/apimachinery	v0.34.1 -> v0.34.2
k8s.io/client-go	v0.34.1 -> v0.34.2
github.com/grpc-ecosystem/go-grpc-middleware/v2	v2.3.2 -> v2.3.3
github.com/kubernetes-csi/external-snapshotter/client/v8	v8.2.0 -> v8.4.0
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring	v0.86.1 -> v0.86.2
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/otel	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/metric	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/sdk	v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/trace	v1.37.0 -> v1.38.0
go.uber.org/zap	v1.27.0 -> v1.27.1
golang.org/x/mod	v0.27.0 -> v0.29.0
golang.org/x/net	v0.44.0 -> v0.47.0
golang.org/x/oauth2	v0.31.0 -> v0.32.0
golang.org/x/sync	v0.17.0 -> v0.18.0
golang.org/x/sys	v0.37.0 -> v0.38.0
golang.org/x/term	v0.36.0 -> v0.37.0
golang.org/x/text	v0.29.0 -> v0.31.0
golang.org/x/tools	v0.36.0 -> v0.38.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250804133106-a7a43d27e69b -> v0.0.0-20251022142026-3a174f9686a8
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250929231259-57b25ae835d4 -> v0.0.0-20251022142026-3a174f9686a8
google.golang.org/protobuf	v1.36.9 -> v1.36.10
k8s.io/apiserver	v0.34.1 -> v0.34.2
k8s.io/component-base	v0.34.1 -> v0.34.2