build(deps): bump the dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the dependencies group with 6 updates in the / directory:

Package	From	To
github.com/docker/cli	28.0.0+incompatible	28.0.2+incompatible
github.com/docker/docker	28.0.0+incompatible	28.0.2+incompatible
github.com/go-git/go-git/v5	5.13.2	5.14.0
github.com/opencontainers/image-spec	1.1.0	1.1.1
github.com/opencontainers/selinux	1.11.1	1.12.0
golang.org/x/term	0.29.0	0.30.0

Updates github.com/docker/cli from 28.0.0+incompatible to 28.0.2+incompatible

Commits

• 0442a73 Merge pull request #5929 from vvoland/vendor-docker
• bb0e9ad remove redundant error-handling for registry.ParseRepositoryInfo
• e0979b3 cli/command: remove ValidateMountWithAPIVersion
• cab5164 vendor: github.com/docker/docker v28.0.2-dev (bea4de25004d)
• 888716a Merge pull request #5932 from vvoland/TestConnectAndWait-flaky
• 667fa7b cli: remove uses of deprecated registry.SetCertsDir
• 63f5930 Merge pull request #5784 from thaJeztah/docs_gen_no_pkg_errors
• 0f75059 Merge pull request #5938 from thaJeztah/man_cleans
• 0ce8989 test/cli-plugins: Try to make TestConnectAndWait less flaky
• 2f79598 docs/generate: remove uses of pkg/errors
• Additional commits viewable in compare view

Updates github.com/docker/docker from 28.0.0+incompatible to 28.0.2+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.2

28.0.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.2 milestone
• moby/moby, 28.0.2 milestone

Bug fixes and enhancements

• Fix CLI-specific attributes (docker.cli.*) being unintentionally passed to downstream OTel services. docker/cli#5842
• Fix an issue where user-specified OTEL_RESOURCE_ATTRIBUTES were being overridden by CLI's internal telemetry attributes. The CLI now properly merges user-specified attributes with internal ones, allowing both to coexist. docker/cli#5842
• Fix daemon failing to start on Windows when a container created before v28.0.0 was present. moby/moby#49626
• Fix possible error on docker buildx prune with the --min-free-space. moby/moby#49623
• Fix spurious io: read/write on closed pipe error in the daemon log when closing container. moby/moby#49590
• Fix the Docker daemon failing too early if the containerd socket isn't immediately available. moby/moby#49603
• Mask Linux thermal interrupt info in a container's /proc and /sys by default. moby/moby#49560
• Update contrib/check-config.sh to check for more kernel modules related to iptables. moby/moby#49622
• containerd image store: Fix integer overflow in User ID handling passed via --user. moby/moby#49652
• containerd image store: Fix spurious reference for unknown type: application/vnd.in-toto+json warning being logged to the daemon's log. moby/moby#49652
• containerd image store: Improve performance of docker ps when running large number of containers. moby/moby#49365

Packaging updates

• Update BuildKit to v0.20.1. moby/moby#49587
• Update Buildx to v0.22.0. docker/docker-ce-packaging#1175
• Update Compose to v2.34.0. docker/docker-ce-packaging#1172
• Update Go runtime to 1.23.7. docker/cli#5890, docker/docker-ce-packaging#1171, moby/moby#49580
• Update RootlessKit to v2.3.4. moby/moby#49614
• Update containerd (static binaries only) to v1.7.27. moby/moby#49656

Networking

• Add environment variable DOCKER_INSECURE_NO_IPTABLES_RAW=1 to allow Docker to run on systems where the Linux kernel can't provide CONFIG_IP_NF_RAW support. When enabled, Docker will not create rules in the iptables raw table. Warning: This is not recommended for production environments as it reduces security by allowing other hosts on the local network to route to ports published to host addresses, even when they are published to 127.0.0.1. This option bypasses some of the security hardening introduced in Docker Engine 28.0.0. moby/moby#49621
• Allow container startup when an endpoint is attached to a macvlan network where the parent interface is down. moby/moby#49630
• Do not skip DNAT for packets originating in a gateway_mode=routed network. moby/moby#49577
• Fix a bug causing docker ps to inconsistently report dual-stack port mappings. moby/moby#49657
• Fix a bug that could cause docker-proxy to stop forwarding UDP datagrams to containers. moby/moby#49649
• Fix a bug that was causing docker-proxy to close UDP connections to containers eagerly and resulting in the source address to change needlessly. moby/moby#49649

Go SDK

• Move various types and consts from cli-plugins/manager to a separate package. docker/cli#5902
• Update minimum required Go version to go1.23. moby/moby#49541
• cli/command: Move PrettyPrint utility to cli/command/formatter. docker/cli#5916
• runconfig/errors: split ErrConflictHostNetwork into ErrConflictConnectToHostNetwork and ErrConflictDisconnectFromHostNetwork. moby/moby#49605

Deprecations

• Go-SDK: Deprecate cli-plugins/manager.ResourceAttributesEnvvar constant. It was used internally, but holds the OTEL_RESOURCE_ATTRIBUTES name, which is part of the OpenTelemetry specification. Users of this constant should define their own. It will be removed in the next release. docker/cli#5881

... (truncated)

Commits

• bea4de2 Merge pull request #49656 from austinvazquez/bump-container-1.7.27-binary
• 97ee08e Merge pull request #49657 from akerouanton/fix-missing-port-mappings
• f2a183a daemon: return port-mappings from all endpoints
• 6b3b479 daemon: getEndpointPortMapInfo: err is never used
• 35766af Dockerfile: update containerd binary to v1.7.27
• b2363f0 Merge pull request #49602 from thaJeztah/remove_layerstore_experimental
• c9a763e daemon: remove redundant call to getEndpointPortMapInfo
• 2043aa9 Merge pull request #49652 from vvoland/vendor-containerd
• 7cdd1b5 Merge pull request #49649 from akerouanton/proxy-concurrent-write-close
• fb3cce1 vendor: github.com/containerd/containerd/v2 v2.0.4
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.13.2 to 5.14.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.14.0

What's Changed

• v5: Bump Go and dependencies to mitigate GO-2025-3487 by @​pjbgf in go-git/go-git#1436

⚠️ Note that this version requires Go 1.23, due to the bump to golang.org/x/crypto@v0.35.0 which mitigates the CVE above. User's that can't bump to Go 1.23 will need to remain on the previous v5.13.x release.

Full Changelog: go-git/go-git@v5.13.2...v5.14.0

Commits

• 863c621 Merge pull request #1436 from pjbgf/v5-bumps
• 2e69e81 build: Bump dependencies
• b2c1ec9 build: Bump Go versions
• See full diff in compare view

Updates github.com/opencontainers/image-spec from 1.1.0 to 1.1.1

Release notes

Sourced from github.com/opencontainers/image-spec's releases.

v1.1.1

Vote Passed [+5 -0 nv1] - https://groups.google.com/a/opencontainers.org/g/dev/c/T-olx0jdT18 Release PR : opencontainers/image-spec#1247 Full Changelog: opencontainers/image-spec@v1.1.0...v1.1.1

Commits

• 147f9c1 Release v1.1.1
• fbb4662 Merge pull request #1238 from mkenigs/wording-nit
• 81e457e Fix grammar nit
• 92353b0 Merge pull request #1225 from sudo-bmitch/pr-doc-go-version
• 1a0b9f9 Merge pull request #1230 from sudo-bmitch/pr-layout-extensibility
• f272635 Merge pull request #1228 from sudo-bmitch/pr-mixed-digest-algo
• e0462ab Merge pull request #1229 from tianon/setup-go
• cf536e3 Merge pull request #1227 from sudo-bmitch/pr-rm-project-doc
• 60acaac Document extensibility of the image layout
• 4dcf962 Document Go version policy
• Additional commits viewable in compare view

Updates github.com/opencontainers/selinux from 1.11.1 to 1.12.0

Release notes

Sourced from github.com/opencontainers/selinux's releases.

v1.12.0

This release removes deprecated functions from the label package, and improves documentation and error reporting of SetCreateKey.

What's Changed

• VERSION: remove by @​kolyshkin in opencontainers/selinux#217
• CI: add AlmaLinux 8, CentOS Stream 9, and Fedora by @​AkihiroSuda in opencontainers/selinux#221
• ci: install git-core by @​kolyshkin in opencontainers/selinux#224
• CI: add openSUSE Tumbleweed by @​AkihiroSuda in opencontainers/selinux#223
• Bump Go version, deps, fix some linter issues... by @​kolyshkin in opencontainers/selinux#218
• label: remove deprecated stuff by @​kolyshkin in opencontainers/selinux#228
• Improve SetKeyCreate error reporting, fix test flakes by @​kolyshkin in opencontainers/selinux#227

Full Changelog: opencontainers/selinux@v1.11.1...v1.12.0

Commits

• 996c4cf Merge pull request #227 from kolyshkin/fix-flake
• 2a69eaf ci: add tests to check for races
• 965323e SetKeyLabel: add thread group leader requirement
• 4c76c01 TestSocketLabel: use LockOSThread to avoid flakes
• 13b180a TestSELinux: use LockOSThread to avoid flakes
• 03cde75 Merge pull request #228 from kolyshkin/label-rm-depr
• 6f9de93 label: remove deprecated stuff
• 931542d label: stop using deprecated stuff in tests
• 21fd359 Merge pull request #218 from kolyshkin/ci-bumps
• 346dfb5 Merge pull request #223 from AkihiroSuda/vm
• Additional commits viewable in compare view

Updates golang.org/x/term from 0.29.0 to 0.30.0

Commits

• 04218fd go.mod: update golang.org/x dependencies
• 208db03 all: upgrade go directive to at least 1.23.0 [generated]
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.44%. Comparing base (5a80a04) to head (31fa4e7).
Report is 192 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #2706       +/-   ##
===========================================
+ Coverage   61.56%   74.44%   +12.88%     
===========================================
  Files          53       72       +19     
  Lines        9002    11064     +2062     
===========================================
+ Hits         5542     8237     +2695     
+ Misses       3020     2191      -829     
- Partials      440      636      +196     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.