Comparing changes

base repository: google/go-containerregistry
base: v0.21.2
head repository: google/go-containerregistry
compare: v0.21.3
  • 7 commits
  • 446 files changed
  • 6 contributors

Commits on Mar 11, 2026

  1. Adds local file support to the crane index subcommand (#2223)

    * Support local and mixed references in crane index append
    
    Refactors crane index append to unify the handling of local and remote references.
    
    - Adds support for appending local OCI layouts to other local layouts or remote indices.
    - Adds support for appending remote images/indices to local layouts.
    - Simplifies the internal logic by removing specific appender implementations in favor of a unified collectAddendums helper.
    - Updates isLocalReference to be more robust against false positives.
    - Adds comprehensive tests in cmd/crane/index_test.sh covering local-to-local, remote-to-local, and mixed scenarios.
    - Fixes loadImage to correctly handle multi-image OCI layouts when used as a source.
    
    * Refactor crane index append and improve OCI layout support
    
    - Extracted local and remote append logic into dedicated helpers.
    - Added support for preserving platform metadata in local OCI layouts.
    - Moved isLocalReference to index.go with improved documentation.
    - Expanded index_test.sh with mixed-source, flattening, and Docker media type tests.
    - Added comprehensive comments for internal flow control and helpers.
    
    * Update codegen and documentation
    
    * Revert unrelated codegen changes to fakes
    
    * Fix lint issues in crane index and clean up whitespace in tests
    edwardthiele authored Mar 11, 2026
    8b2478e

Commits on Mar 12, 2026

  1. migrate to github.com/moby/moby modules (#2228)

    * bump go-containerregistry version in nested modules
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    
    * migrate to github.com/moby/moby modules
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    
    ---------
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah authored Mar 12, 2026
    e916301

Commits on Mar 16, 2026

  1. Bump the go-deps group across 4 directories with 7 updates (#2233)

    * Bump the go-deps group across 4 directories with 7 updates
    
    Bumps the go-deps group with 3 updates in the / directory: [golang.org/x/oauth2](https://github.com/golang/oauth2), [golang.org/x/sync](https://github.com/golang/sync) and [golang.org/x/tools](https://github.com/golang/tools).
    Bumps the go-deps group with 1 update in the /cmd/krane directory: [github.com/awslabs/amazon-ecr-credential-helper/ecr-login](https://github.com/awslabs/amazon-ecr-credential-helper).
    Bumps the go-deps group with 3 updates in the /pkg/authn/k8schain directory: [github.com/awslabs/amazon-ecr-credential-helper/ecr-login](https://github.com/awslabs/amazon-ecr-credential-helper), [k8s.io/api](https://github.com/kubernetes/api) and [k8s.io/client-go](https://github.com/kubernetes/client-go).
    Bumps the go-deps group with 2 updates in the /pkg/authn/kubernetes directory: [k8s.io/api](https://github.com/kubernetes/api) and [k8s.io/client-go](https://github.com/kubernetes/client-go).
    
    
    Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
    - [Commits](golang/oauth2@v0.35.0...v0.36.0)
    
    Updates `golang.org/x/sync` from 0.19.0 to 0.20.0
    - [Commits](golang/sync@v0.19.0...v0.20.0)
    
    Updates `golang.org/x/tools` from 0.42.0 to 0.43.0
    - [Release notes](https://github.com/golang/tools/releases)
    - [Commits](golang/tools@v0.42.0...v0.43.0)
    
    Updates `github.com/awslabs/amazon-ecr-credential-helper/ecr-login` from 0.11.0 to 0.12.0
    - [Release notes](https://github.com/awslabs/amazon-ecr-credential-helper/releases)
    - [Changelog](https://github.com/awslabs/amazon-ecr-credential-helper/blob/main/CHANGELOG.md)
    - [Commits](awslabs/amazon-ecr-credential-helper@v0.11.0...v0.12.0)
    
    Updates `github.com/awslabs/amazon-ecr-credential-helper/ecr-login` from 0.11.0 to 0.12.0
    - [Release notes](https://github.com/awslabs/amazon-ecr-credential-helper/releases)
    - [Changelog](https://github.com/awslabs/amazon-ecr-credential-helper/blob/main/CHANGELOG.md)
    - [Commits](awslabs/amazon-ecr-credential-helper@v0.11.0...v0.12.0)
    
    Updates `github.com/awslabs/amazon-ecr-credential-helper/ecr-login` from 0.11.0 to 0.12.0
    - [Release notes](https://github.com/awslabs/amazon-ecr-credential-helper/releases)
    - [Changelog](https://github.com/awslabs/amazon-ecr-credential-helper/blob/main/CHANGELOG.md)
    - [Commits](awslabs/amazon-ecr-credential-helper@v0.11.0...v0.12.0)
    
    Updates `github.com/awslabs/amazon-ecr-credential-helper/ecr-login` from 0.11.0 to 0.12.0
    - [Release notes](https://github.com/awslabs/amazon-ecr-credential-helper/releases)
    - [Changelog](https://github.com/awslabs/amazon-ecr-credential-helper/blob/main/CHANGELOG.md)
    - [Commits](awslabs/amazon-ecr-credential-helper@v0.11.0...v0.12.0)
    
    Updates `k8s.io/api` from 0.35.1 to 0.35.2
    - [Commits](kubernetes/api@v0.35.1...v0.35.2)
    
    Updates `k8s.io/client-go` from 0.35.1 to 0.35.2
    - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
    - [Commits](kubernetes/client-go@v0.35.1...v0.35.2)
    
    Updates `k8s.io/api` from 0.35.1 to 0.35.2
    - [Commits](kubernetes/api@v0.35.1...v0.35.2)
    
    Updates `k8s.io/client-go` from 0.35.1 to 0.35.2
    - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
    - [Commits](kubernetes/client-go@v0.35.1...v0.35.2)
    
    Updates `k8s.io/api` from 0.35.1 to 0.35.2
    - [Commits](kubernetes/api@v0.35.1...v0.35.2)
    
    Updates `k8s.io/client-go` from 0.35.1 to 0.35.2
    - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
    - [Commits](kubernetes/client-go@v0.35.1...v0.35.2)
    
    Updates `k8s.io/api` from 0.35.1 to 0.35.2
    - [Commits](kubernetes/api@v0.35.1...v0.35.2)
    
    Updates `k8s.io/apimachinery` from 0.35.1 to 0.35.2
    - [Commits](kubernetes/apimachinery@v0.35.1...v0.35.2)
    
    Updates `k8s.io/client-go` from 0.35.1 to 0.35.2
    - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
    - [Commits](kubernetes/client-go@v0.35.1...v0.35.2)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-version: 0.36.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: go-deps
    - dependency-name: golang.org/x/sync
      dependency-version: 0.20.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: go-deps
    - dependency-name: golang.org/x/tools
      dependency-version: 0.43.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: go-deps
    - dependency-name: github.com/awslabs/amazon-ecr-credential-helper/ecr-login
      dependency-version: 0.12.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: go-deps
    - dependency-name: github.com/awslabs/amazon-ecr-credential-helper/ecr-login
      dependency-version: 0.12.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: go-deps
    - dependency-name: github.com/awslabs/amazon-ecr-credential-helper/ecr-login
      dependency-version: 0.12.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: go-deps
    - dependency-name: github.com/awslabs/amazon-ecr-credential-helper/ecr-login
      dependency-version: 0.12.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
      dependency-group: go-deps
    - dependency-name: k8s.io/api
      dependency-version: 0.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: go-deps
    - dependency-name: k8s.io/client-go
      dependency-version: 0.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: go-deps
    - dependency-name: k8s.io/api
      dependency-version: 0.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: go-deps
    - dependency-name: k8s.io/client-go
      dependency-version: 0.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: go-deps
    - dependency-name: k8s.io/api
      dependency-version: 0.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: go-deps
    - dependency-name: k8s.io/client-go
      dependency-version: 0.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: go-deps
    - dependency-name: k8s.io/api
      dependency-version: 0.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: go-deps
    - dependency-name: k8s.io/apimachinery
      dependency-version: 0.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: go-deps
    - dependency-name: k8s.io/client-go
      dependency-version: 0.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: go-deps
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    
    * run go mod tidy on all go projects
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Jared Rodriguez <jrsb@google.com>
    dependabot[bot] and Subserial authored Mar 16, 2026
    be0a845
  2. Bump goreleaser/goreleaser-action in the actions group (#2220)

    Bumps the actions group with 1 update: [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action).
    
    
    Updates `goreleaser/goreleaser-action` from 6.4.0 to 7.0.0
    - [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
    - [Commits](goreleaser/goreleaser-action@v6.4.0...v7.0.0)
    
    ---
    updated-dependencies:
    - dependency-name: goreleaser/goreleaser-action
      dependency-version: 7.0.0
      dependency-type: direct:production
      update-type: version-update:semver-major
      dependency-group: actions
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Mar 16, 2026
    47eedc9

Commits on Mar 17, 2026

  1. mutate: reject path traversal and symlink escape in Extract (#2227)

    * mutate: reject path traversal and symlink escape in Extract
    
    The extract() function passes tar entry names and symlink targets
    through to the output stream without validating that they stay within
    the extraction root. This allows a malicious container image to:
    
    1. Write files outside the extraction directory via ../ prefixes
       (filepath.Clean preserves leading ../ sequences)
    2. Create symlinks pointing to arbitrary host paths via absolute
       or ../-prefixed Linkname values
    3. Use absolute paths in entry names to target fixed host locations
    
    Add validation after filepath.Clean to skip entries with path
    traversal (../ prefix) or absolute paths in both Name and Linkname
    fields. This follows the mitigation pattern established by Docker
    (moby/moby) and containerd after CVE-2018-15664 and CVE-2019-14271.
    
    Add table-driven tests covering all five attack vectors (path
    traversal, absolute path, symlink escape via absolute and relative
    targets, hardlink escape) plus a positive case confirming safe
    relative symlinks are preserved.
    
    * fix: normalize absolute paths in Extract instead of skipping them
    
    Absolute entry names (e.g. /etc/shadow) are now stripped of their
    leading slash and emitted as relative paths rather than being silently
    dropped. This preserves existing behaviour for layers that store files
    with absolute paths (used by crane edit fs and reflected in
    TestEditFilesystem / TestCraneFilesystem) while still preventing
    injection of host-absolute paths when consumers extract the tar to disk.
    
    Symlink and hardlink entries with absolute or dot-dot targets continue
    to be rejected outright, as those can never be safe.
    
    Update TestExtractRejectsPathTraversal to document the normalization
    behaviour, and update TestCraneFilesystem to use a relative path
    consistent with what Extract now emits.
    
    * test: replace deprecated LayerFromReader with LayerFromOpener
    
    Fix golangci-lint staticcheck SA1019 warning.
    KevinZhao authored Mar 17, 2026
    400c263
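The validation rules this commit message describes, as an added Go illustration that is not the project's code: `sanitizeEntry`, `escapesRoot` and `ErrUnsafeEntry` are hypothetical names, and `path.Clean` stands in for the `filepath.Clean` the message mentions because tar names are slash separated.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafeEntry marks an entry that must not be emitted.
var ErrUnsafeEntry = errors.New("unsafe tar entry")

// escapesRoot: path.Clean keeps a leading "../", so check it after cleaning.
func escapesRoot(p string) bool {
	return p == ".." || strings.HasPrefix(p, "../")
}

// sanitizeEntry (hypothetical name) applies the commit's rules to one header:
// reject Names with a leading ../, normalize absolute Names to relative
// (/etc/shadow -> etc/shadow), and reject absolute or dot-dot link targets.
func sanitizeEntry(hdr *tar.Header) (string, error) {
	name := path.Clean(hdr.Name)
	if escapesRoot(name) {
		return "", fmt.Errorf("%w: name %q traverses above root", ErrUnsafeEntry, hdr.Name)
	}
	// Clean already collapsed ".." in a rooted path, so strip the slash instead of dropping.
	if name = strings.TrimPrefix(name, "/"); name == "" {
		name = "."
	}
	if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
		if t := path.Clean(hdr.Linkname); path.IsAbs(t) || escapesRoot(t) {
			return "", fmt.Errorf("%w: link %q -> %q escapes root", ErrUnsafeEntry, hdr.Name, hdr.Linkname)
		}
	}
	return name, nil
}

func main() {
	// Constructed sample headers for the cases the commit message lists.
	for _, h := range []*tar.Header{
		{Name: "../../etc/passwd", Typeflag: tar.TypeReg},
		{Name: "/etc/shadow", Typeflag: tar.TypeReg},
		{Name: "etc/link", Typeflag: tar.TypeSymlink, Linkname: "/etc/passwd"},
		{Name: "bin/sh", Typeflag: tar.TypeSymlink, Linkname: "busybox"},
	} {
		name, err := sanitizeEntry(h)
		fmt.Printf("%-18s -> %q %v\n", h.Name, name, err)
	}
}
```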
  2. tarball: detect symlink cycles in extractFileFromTar (#2232)

    extractFileFromTar follows symlink and hard link entries recursively without tracking visited paths. A tar containing a link cycle (e.g., manifest.json -> config.json -> manifest.json) causes unbounded recursion until goroutine stack exhaustion crashes the process.
    
    Track visited paths during link resolution and return an error when a cycle is detected.
    vnykmshr authored Mar 17, 2026
    f439624
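The visited-set cycle check this commit message describes, as an added Go illustration that is not the project's code: `resolveLink`, `findFile` and `ErrLinkCycle` are hypothetical names, and the tar is modelled as an in-memory map from entry name to header rather than a stream.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"path"
)

// ErrLinkCycle is returned when following links revisits an entry.
var ErrLinkCycle = errors.New("link cycle in tar")

// resolveLink (hypothetical name) follows symlink and hardlink entries until
// it reaches a non-link entry, recording every name seen so that a cycle like
// manifest.json -> config.json -> manifest.json fails fast instead of recursing.
func resolveLink(index map[string]*tar.Header, name string, visited map[string]bool) (*tar.Header, error) {
	name = path.Clean(name)
	if visited[name] {
		return nil, fmt.Errorf("%w: %q visited twice", ErrLinkCycle, name)
	}
	visited[name] = true
	hdr, ok := index[name]
	if !ok {
		return nil, fmt.Errorf("%q not found in tar", name)
	}
	switch hdr.Typeflag {
	case tar.TypeSymlink:
		// Symlink targets are relative to the directory holding the link.
		return resolveLink(index, path.Join(path.Dir(name), hdr.Linkname), visited)
	case tar.TypeLink:
		// Hardlink targets are relative to the archive root.
		return resolveLink(index, hdr.Linkname, visited)
	default:
		return hdr, nil
	}
}

func findFile(index map[string]*tar.Header, name string) (*tar.Header, error) {
	return resolveLink(index, name, map[string]bool{})
}

func main() {
	// Constructed index reproducing the cycle from the commit message.
	index := map[string]*tar.Header{
		"manifest.json": {Name: "manifest.json", Typeflag: tar.TypeSymlink, Linkname: "config.json"},
		"config.json":   {Name: "config.json", Typeflag: tar.TypeSymlink, Linkname: "manifest.json"},
	}
	_, err := findFile(index, "manifest.json")
	fmt.Println("manifest.json:", err)
}
```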
  3. 3888fb8