Bump the go-dependencies group with 3 updates

[dependabot]

Bumps the go-dependencies group with 3 updates: github.com/osscontainertools/kaniko, golang.org/x/sync and golang.org/x/sys.

Updates github.com/osscontainertools/kaniko from 1.27.5 to 1.27.6

Release notes

Sourced from github.com/osscontainertools/kaniko's releases.

v1.27.6

Community Update

@​vidbregar made their first contribution in osscontainertools/kaniko#763

Also many thanks to @​cmellazchy, @​pstoeckle, @​nphantasm, and @​YevheniiSemendiak for reporting issues fixed in this release.

An extraordinary thank you to @​0hlov3 for reviewing 11 PRs this cycle.

What's Changed

Security

• github.com/go-git/go-git/v5 v5.19.0: CVE-2026-45571 CVE-2026-45570 GHSA-w5pp-99ch-qj29
• go stdlib v1.26.3: CVE-2026-42504 CVE-2026-27145 CVE-2026-42507
• golang.org/x/crypto v0.51.0: CVE-2026-39827 CVE-2026-39828 CVE-2026-39829 CVE-2026-39830 CVE-2026-39831 CVE-2026-39832 CVE-2026-39833 CVE-2026-39834 CVE-2026-39835 CVE-2026-42508 CVE-2026-46595 CVE-2026-46597 CVE-2026-46598
• golang.org/x/net v0.54.0: CVE-2026-25680 CVE-2026-25681 CVE-2026-27136 CVE-2026-39821 CVE-2026-42502 CVE-2026-42506

Bugfixes

• malformed Dockerfile input now errors instead of crashing: osscontainertools/kaniko#733
• malformed base-image config now errors instead of crashing: osscontainertools/kaniko#742
• --custom-platform mangles a variant into linux/arm/v7/v7: osscontainertools/kaniko#746

Standardization

• FF_KANIKO_REPRODUCIBLE_PRESERVE_BASE_LAYERS=false --reproducible leaves base-image layers untouched so they still match the registry: osscontainertools/kaniko#732
• FF_KANIKO_SCOPED_DOCKERIGNORE=false scope .dockerignore patterns to the build context: by @​vidbregar in osscontainertools/kaniko#763

Caching

• FF_KANIKO_WARMER_CACHE_LOCK=false coordinate concurrent warmers on a shared cache volume: by @​iahsanGill in osscontainertools/kaniko#705 osscontainertools/kaniko#706

Usability

• FF_KANIKO_PRESERVE_MOUNTED_PATHS=false keep read-only bind mounts (e.g. NVIDIA GPU driver artifacts) in place during extraction: osscontainertools/kaniko#754
• executor push subcommand pushes a pre-built tarball or OCI layout without a separate crane binary: osscontainertools/kaniko#737
• FF_KANIKO_DEPRECATE_INTER_STAGE_RESTORE=false deprecate the --preserve-context inter-stage restore: osscontainertools/kaniko#710

Maintenance

• build(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1: osscontainertools/kaniko#711
• build(deps): bump debian in /deploy: osscontainertools/kaniko#714 osscontainertools/kaniko#716
• build(deps): bump golang in /deploy: osscontainertools/kaniko#715 osscontainertools/kaniko#738 osscontainertools/kaniko#755
• build(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1: osscontainertools/kaniko#713
• build(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4: osscontainertools/kaniko#718
• build(deps): bump docker/build-push-action from 7.1.0 to 7.2.0: osscontainertools/kaniko#718
• build(deps): bump cloud.google.com/go/storage from 1.62.1 to 1.62.3: osscontainertools/kaniko#717 osscontainertools/kaniko#759
• build(deps): bump github.com/docker/cli from 29.5.0 to 29.5.3: osscontainertools/kaniko#717 osscontainertools/kaniko#757
• build(deps): bump google.golang.org/api from 0.279.0 to 0.283.0: osscontainertools/kaniko#722 osscontainertools/kaniko#751
• build(deps): bump golang.org/x/sys from 0.44.0 to 0.45.0: osscontainertools/kaniko#723
• build(deps): bump docker/login-action from 4.1.0 to 4.2.0: osscontainertools/kaniko#730
• build(deps): bump docker/setup-buildx-action from 4.0.0 to 4.1.0: osscontainertools/kaniko#735
• build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.23: osscontainertools/kaniko#736 osscontainertools/kaniko#744 osscontainertools/kaniko#759 osscontainertools/kaniko#761
• build(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager from 0.1.21 to 0.2.7: osscontainertools/kaniko#736 osscontainertools/kaniko#750 osscontainertools/kaniko#759 osscontainertools/kaniko#761 osscontainertools/kaniko#764
• build(deps): bump busybox in /deploy: osscontainertools/kaniko#734 osscontainertools/kaniko#739
• build(deps): bump docker/setup-qemu-action from 4.0.0 to 4.1.0: osscontainertools/kaniko#743
• build(deps): bump docker/setup-docker-action from 5.1.0 to 5.2.0: osscontainertools/kaniko#743

... (truncated)

Changelog

Sourced from github.com/osscontainertools/kaniko's changelog.

v1.27.6 Release 2026-06-05

Community Update

@​vidbregar made their first contribution in osscontainertools/kaniko#763

Also many thanks to @​cmellazchy, @​pstoeckle, @​nphantasm, and @​YevheniiSemendiak for reporting issues fixed in this release.

An extraordinary thank you to @​0hlov3 for reviewing 11 PRs this cycle.

What's Changed

Security

• github.com/go-git/go-git/v5 v5.19.0: CVE-2026-45571 CVE-2026-45570 GHSA-w5pp-99ch-qj29
• go stdlib v1.26.3: CVE-2026-42504 CVE-2026-27145 CVE-2026-42507
• golang.org/x/crypto v0.51.0: CVE-2026-39827 CVE-2026-39828 CVE-2026-39829 CVE-2026-39830 CVE-2026-39831 CVE-2026-39832 CVE-2026-39833 CVE-2026-39834 CVE-2026-39835 CVE-2026-42508 CVE-2026-46595 CVE-2026-46597 CVE-2026-46598
• golang.org/x/net v0.54.0: CVE-2026-25680 CVE-2026-25681 CVE-2026-27136 CVE-2026-39821 CVE-2026-42502 CVE-2026-42506

Bugfixes

• malformed Dockerfile input now errors instead of crashing: osscontainertools/kaniko#733
• malformed base-image config now errors instead of crashing: osscontainertools/kaniko#742
• --custom-platform mangles a variant into linux/arm/v7/v7: osscontainertools/kaniko#746

Standardization

• FF_KANIKO_REPRODUCIBLE_PRESERVE_BASE_LAYERS=false --reproducible leaves base-image layers untouched so they still match the registry: osscontainertools/kaniko#732
• FF_KANIKO_SCOPED_DOCKERIGNORE=false scope .dockerignore patterns to the build context: by @​vidbregar in osscontainertools/kaniko#763

Caching

• FF_KANIKO_WARMER_CACHE_LOCK=false coordinate concurrent warmers on a shared cache volume: by @​iahsanGill in osscontainertools/kaniko#705 osscontainertools/kaniko#706

Usability

• FF_KANIKO_PRESERVE_MOUNTED_PATHS=false keep read-only bind mounts (e.g. NVIDIA GPU driver artifacts) in place during extraction: osscontainertools/kaniko#754
• executor push subcommand pushes a pre-built tarball or OCI layout without a separate crane binary: osscontainertools/kaniko#737
• FF_KANIKO_DEPRECATE_INTER_STAGE_RESTORE=false deprecate the --preserve-context inter-stage restore: osscontainertools/kaniko#710

Maintenance

• build(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1: osscontainertools/kaniko#711
• build(deps): bump debian in /deploy: osscontainertools/kaniko#714 osscontainertools/kaniko#716
• build(deps): bump golang in /deploy: osscontainertools/kaniko#715 osscontainertools/kaniko#738 osscontainertools/kaniko#755
• build(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1: osscontainertools/kaniko#713
• build(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4: osscontainertools/kaniko#718
• build(deps): bump docker/build-push-action from 7.1.0 to 7.2.0: osscontainertools/kaniko#718
• build(deps): bump cloud.google.com/go/storage from 1.62.1 to 1.62.3: osscontainertools/kaniko#717 osscontainertools/kaniko#759
• build(deps): bump github.com/docker/cli from 29.5.0 to 29.5.3: osscontainertools/kaniko#717 osscontainertools/kaniko#757
• build(deps): bump google.golang.org/api from 0.279.0 to 0.283.0: osscontainertools/kaniko#722 osscontainertools/kaniko#751
• build(deps): bump golang.org/x/sys from 0.44.0 to 0.45.0: osscontainertools/kaniko#723
• build(deps): bump docker/login-action from 4.1.0 to 4.2.0: osscontainertools/kaniko#730
• build(deps): bump docker/setup-buildx-action from 4.0.0 to 4.1.0: osscontainertools/kaniko#735
• build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.23: osscontainertools/kaniko#736 osscontainertools/kaniko#744 osscontainertools/kaniko#759 osscontainertools/kaniko#761
• build(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager from 0.1.21 to 0.2.7: osscontainertools/kaniko#736 osscontainertools/kaniko#750 osscontainertools/kaniko#759 osscontainertools/kaniko#761 osscontainertools/kaniko#764
• build(deps): bump busybox in /deploy: osscontainertools/kaniko#734 osscontainertools/kaniko#739
• build(deps): bump docker/setup-qemu-action from 4.0.0 to 4.1.0: osscontainertools/kaniko#743

... (truncated)

Commits

• 08e7e84 Merge pull request #765 from osscontainertools/release-v1.27.6
• 50a43e0 release
• 9ac990d Merge pull request #766 from osscontainertools/bump-x-crypto-0.52.0
• 240a690 build(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0
• c7d82c6 Merge pull request #764 from osscontainertools/dependabot/go_modules/gomod-7c...
• dd21c19 build(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager
• da03cd3 mz762: don't match absolute paths outside build context in ExcludesFile (#763)
• 63b3309 Merge pull request #732 from osscontainertools/mz731-reproducible-preserves-b...
• cee0bf0 build(deps): bump the gomod group across 1 directory with 4 updates (#761)
• e4df449 cache lookahead - part 2 (#674)
• Additional commits viewable in compare view

Updates golang.org/x/sync from 0.20.0 to 0.21.0

Commits

• 5071ed6 all: fix some comments to improve readability
• See full diff in compare view

Updates golang.org/x/sys from 0.45.0 to 0.46.0

Commits

• d58dcfa unix: add GPIO constants and structs
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions