Releases: containers/image

v5.29.5

05 Aug 21:04

What's Changed

Full Changelog: v5.29.4...v5.29.5

v5.32.0

25 Jul 23:57

What's Changed

  • Bump to c/storage v1.54.0 then c/image to v5.31.0 and then to v5.31.1-dev by @TomSweeneyRedHat in #2425
  • Bump to v5.32.0-dev by @TomSweeneyRedHat in #2430
  • fix(deps): update module github.com/docker/docker-credential-helpers to v0.8.2 by @renovate in #2433
  • fix(deps): update module github.com/burntsushi/toml to v1.4.0 by @renovate in #2434
  • [CI:DOCS] Update dependency golangci/golangci-lint to v1.59.0 by @renovate in #2427
  • fix(deps): update module github.com/sigstore/sigstore to v1.8.4 by @renovate in #2436
  • blobinfocache: add function to delete the cache directory by @giuseppe in #2435
  • chore(deps): update dependency containers/automation_images to v20240529 by @renovate in #2414
  • fix(deps): update module github.com/hashicorp/go-retryablehttp to v0.7.7 by @renovate in #2437
  • Update github.com/letsencrypt/boulder by @mtrmac in #2438
  • fix(deps): update golang.org/x/exp digest to fd00a4e by @renovate in #2439
  • Don't abort listing tags when we encounter a digest by @mtrmac in #2440
  • fix(deps): update module golang.org/x/oauth2 to v0.21.0 by @renovate in #2441
  • [Additional Layer Store] Enable Additional Layer Store to perform registry authentication by @ktock in #2417
  • fix(deps): update module golang.org/x/crypto to v0.24.0 by @renovate in #2442
  • fix(deps): update module github.com/docker/cli to v26.1.4+incompatible by @renovate in #2444
  • [CI:DOCS] Update dependency golangci/golangci-lint to v1.59.1 by @renovate in #2446
  • fix(deps): update module github.com/klauspost/compress to v1.17.9 by @renovate in #2448
  • fix(deps): update module github.com/sylabs/sif/v2 to v2.17.0 by @renovate in #2455
  • Add more context to errors when obtaining a registry access token by @mtrmac in #2454
  • fix(deps): update module github.com/docker/docker to v27 by @renovate in #2459
  • fix(deps): update module github.com/docker/cli to v27 by @renovate in #2457
  • fix(deps): update module github.com/docker/docker to v27.0.2+incompatible by @renovate in #2463
  • fix(deps): update module github.com/docker/cli to v27.0.2+incompatible by @renovate in #2462
  • Warn that docker-archive and oci-archive overwrite the whole file by @mtrmac in #2468
  • fix(deps): update golang.org/x/exp digest to 7f521ea by @renovate in #2470
  • fix(deps): update module github.com/sylabs/sif/v2 to v2.17.1 by @renovate in #2469
  • Improve the error message when MessageDetails.SignedBy == nil by @mtrmac in #2466
  • Drop the toolchain directive from go.mod by @mtrmac in #2473
  • fix(deps): update module github.com/docker/docker to v27.0.3+incompatible by @renovate in #2472
  • fix(deps): update module github.com/docker/cli to v27.0.3+incompatible by @renovate in #2471
  • fix(deps): update module github.com/containers/ocicrypt to v1.2.0 by @renovate in #2474
  • Preserve more-recently-added fields when copying/updating OCI indices by @mtrmac in #2475
  • fix(deps): update module golang.org/x/term to v0.22.0 by @renovate in #2476
  • fix(deps): update module golang.org/x/crypto to v0.25.0 by @renovate in #2477
  • fix(deps): update module github.com/sylabs/sif/v2 to v2.18.0 by @renovate in #2479
  • Allow matching of compressed blobs converted on the fly to zstd:chunked by @mtrmac in #2478
  • Beautify by @mtrmac in #2467
  • Clean up obtaining bearer tokens for registries by @mtrmac in #2480
  • chore(deps): update module google.golang.org/grpc to v1.64.1 [security] by @renovate in #2481
  • fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.4 by @renovate in #2486
  • fix(deps): update module github.com/docker/docker to v27.1.0+incompatible by @renovate in #2489
  • fix(deps): update module github.com/docker/cli to v27.1.0+incompatible by @renovate in #2488
  • Trivial zstd:chunked-related cleanups by @mtrmac in #2490
  • fix(deps): update module github.com/docker/cli to v27.1.1+incompatible by @renovate in #2491
  • fix(deps): update module github.com/docker/docker to v27.1.1+incompatible by @renovate in #2492

Full Changelog: v5.31.0...v5.32.0

v5.30.2

27 Jun 14:18

Fixes an interoperability issue while listing tags from JFrog Artifactory.

v5.31.1

20 Jun 19:00

Fixes an interoperability issue while listing tags from JFrog Artifactory.

v5.29.4

26 Jun 18:17

Fixes an interoperability issue while listing tags from JFrog Artifactory.

v5.31.0

21 May 18:43

What's Changed

  • Bump c/storage to v1.53.0, c/image to v5.30.0, and then to v5.30.1-dev by @TomSweeneyRedHat in #2327
  • fix(deps): update module github.com/sylabs/sif/v2 to v2.15.2 by @renovate in #2333
  • fix(deps): update module github.com/docker/cli to v25.0.4+incompatible by @renovate in #2334
  • Move to a tagged version of docker/docker by @mtrmac in #2336
  • fix(deps): update go-openapi packages to v0.23.0 by @renovate in #2337
  • Update to Go 1.20 by @mtrmac in #2340
  • chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security] by @renovate in #2338
  • chore(deps): update module gopkg.in/go-jose/go-jose.v2 to v2.6.3 [security] by @renovate in #2339
  • fix(deps): update module github.com/containers/ocicrypt to v1.1.10 by @renovate in #2341
  • chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] by @renovate in #2344
  • Add support for Docker HealthConfig.StartInterval (v25.0.0+) by @migesok in #2345
  • Fix an unintentionally-added dependency on Go 1.21 by @mtrmac in #2343
  • fix(deps): update module github.com/docker/docker to v25.0.5+incompatible by @renovate in #2348
  • fix(deps): update module github.com/docker/cli to v25.0.5+incompatible by @renovate in #2347
  • [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.0 by @renovate in #2349
  • [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.1 by @renovate in #2351
  • chore: fix function names by @availhang in #2357
  • chore(deps): update dependency containers/automation_images to v20240320 by @renovate in #2354
  • fix(deps): update module github.com/distribution/reference to v0.6.0 by @renovate in #2358
  • [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.2 by @renovate in #2359
  • fix(deps): update module github.com/sigstore/sigstore to v1.8.3 by @renovate in #2360
  • Filter BlobInfoCache candidates before prioritization, not in transports by @mtrmac in #2346
  • fix(deps): update module golang.org/x/oauth2 to v0.19.0 by @renovate in #2367
  • fix(deps): update golang.org/x/exp digest to c0f41cb by @renovate in #2361
  • Add a helper for formatting multiple errors by @mtrmac in #2365
  • fix(deps): update module github.com/ulikunitz/xz to v0.5.12 by @renovate in #2366
  • Drop some minimally-used dependencies by @mtrmac in #2364
  • Fix a http.response.Body leak on a permission error by @mtrmac in #2363
  • fix(deps): update module github.com/klauspost/compress to v1.17.8 by @renovate in #2372
  • fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.3 by @renovate in #2373
  • use containers/storage/pkg/fileutils/(Exists,Lexists) by @giuseppe in #2375
  • Refactor blobCacheDestination.saveStream by @mtrmac in #2380
  • Update to Go1.21 by @mtrmac in #2377
  • Avoid a redundant function call by @mtrmac in #2379
  • CI VMs: bump to new versions with tmpfs /tmp by @edsantiago in #2384
  • Update module github.com/docker/docker to v26.0.2+incompatible [SECURITY] by @renovate in #2381
  • Update module github.com/docker/cli to v26.1.0+incompatible by @renovate in #2383
  • Update module github.com/docker/docker to v26.1.0+incompatible by @renovate in #2386
  • Fix GoDoc link at the top of the README file by @ananthb in #2387
  • Update module github.com/docker/cli to v26.1.1+incompatible by @renovate in #2388
  • Update module github.com/docker/docker to v26.1.1+incompatible by @renovate in #2389
  • Update module golang.org/x/exp to v0.0.0-20240416160154-fe59bbe5cc7f by @renovate in #2392
  • [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.0 by @renovate in #2393
  • Update module golang.org/x/oauth2 to v0.20.0 by @renovate in #2395
  • Update module golang.org/x/term to v0.20.0 by @renovate in #2396
  • Update module go.etcd.io/bbolt to v1.3.10 by @renovate in #2397
  • Update module golang.org/x/crypto to v0.23.0 by @renovate in #2398
  • Update module golang.org/x/exp to v0.0.0-20240506185415-9bf2ced13842 by @renovate in #2399
  • [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.1 by @renovate in #2400
  • Fix CVE-2024-3727 by @mtrmac in #2403
  • Update module github.com/docker/docker to v26.1.2+incompatible by @renovate in #2402
  • Update module github.com/docker/cli to v26.1.2+incompatible by @renovate in #2401
  • [release-5.30] Release 5.30.1 by @mtrmac in #2405
  • Merge the release-5.30 branch into main by @mtrmac in #2407
  • Update module github.com/hashicorp/go-retryablehttp to v0.7.6 by @renovate in #2409
  • Fix font choices in containers-transports.5 by @mtrmac in #2412
  • Quote various strings coming from untrusted sources by @mtrmac in #2408
  • Non-security digest.Digest use cleanups by @mtrmac in #2410
  • docker: support for requesting chunks without end offset by @giuseppe in #2391
  • Silently assume arm=v7, arm64=v8 on macOS by @mtrmac in #2411
  • Allow using recent opencontainers/go-digest by @mtrmac in #2406
  • Fixes to storage’s GetBlob by @mtrmac in #2394
  • storage: cleanup staged layer if unused by @giuseppe in #2390
  • Recognize "manifest unknown" errors reported by Harbor by @mtrmac in #2413
  • fix(deps): update module github.com/docker/docker to v26.1.3+incompatible by @renovate in #2420
  • fix(deps): update module github.com/docker/cli to v26.1.3+incompatible by @renovate in #2419
  • [Additional Layer Store] Use TOCDigest as ID of each layer (patch for c/image) by @ktock in #2416
  • fix(deps): update module github.com/containers/storage to v1.54.0 by @renovate in #2426
  • Short-term kludges for recent AdditionalLayerStore changes by @mtrmac in #2428

Full Changelog: v5.30.1...v5.31.0

v5.29.3

16 May 23:59

What's Changed

Full Changelog: v5.29.2...v5.29.3

v5.30.1

09 May 15:56

This fixes CVE-2024-3727.

Digest values used throughout this library were not always validated. That allowed attackers to trigger, when pulling untrusted images, unexpected authenticated registry accesses on behalf of a victim user.

In less common uses of this library (using other transports or not using the containers/image/v5/copy.Image API), an attacker could also trigger local path traversals or crashes.
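
The bug class described above (a digest string taken from untrusted image data and used without validation), shown as an added example that is not code from containers/image. The store root, the `blobs/<algorithm>/<hex>` layout, the sha256-only policy and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Accept only sha256 digests with exactly 64 lowercase hex characters.
// (Assumption for this example: a real consumer may allow more algorithms.)
var sha256Digest = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// unsafeBlobPath shows the unvalidated pattern: the digest string is split
// and joined into a filesystem path exactly as received.
func unsafeBlobPath(root, digest string) string {
	algo, hex, _ := strings.Cut(digest, ":")
	return filepath.Join(root, "blobs", algo, hex)
}

// blobPath validates the digest before use, so the returned path always
// stays under root/blobs/sha256/.
func blobPath(root, digest string) (string, error) {
	if !sha256Digest.MatchString(digest) {
		return "", fmt.Errorf("invalid digest %q", digest)
	}
	algo, hex, _ := strings.Cut(digest, ":")
	return filepath.Join(root, "blobs", algo, hex), nil
}

func main() {
	root := "/var/lib/example" // hypothetical store root
	good := "sha256:" + strings.Repeat("ab", 32)
	malformed := "sha256:../../outside" // constructed malformed value

	fmt.Println("unvalidated:", unsafeBlobPath(root, malformed))
	if _, err := blobPath(root, malformed); err != nil {
		fmt.Println("validated:  ", err)
	}
	p, _ := blobPath(root, good)
	fmt.Println("validated:  ", p)
}
```

The same check belongs in front of every other use of the digest, such as building a registry request URL, not only path construction.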

v5.30.0

05 Mar 13:01

What's Changed

A fair number of improvements when working with zstd and zstd:chunked-compressed images.

Note that make install now installs policy.json and registries.d/default.yaml.

  • Refuse compression to zstd when using schema1 by @mtrmac in #2196
  • Don't expose local account details in oci-archive tar files by @mtrmac in #2202
  • Trigger a conversion to OCI when compressing to Zstd by @mtrmac in #2204
  • Add buildtags to avoid fulcio and rekor dependencies by @siretart in #2180
  • copy: do not fail if digest mismatches by @giuseppe in #1980
  • Moving policy.json and default.yaml from containers/skopeo by @rahilarious in #2215
  • Embrace codespell: config, workflow (to alert when new typos added) and get typos fixed by @yarikoptic in #2214
  • Fix raspberry pi zero cpu variant recognition by @lstolcman in #2086
  • storage: validate images converted to zstd:chunked by @giuseppe in #2243
  • Make blob reuse choices manifest-format-sensitive, and allow conversions when writing to format-agnostic transports by @mtrmac in #2213
  • Edit the manifest when pushing uncompressed data from c/storage by @mtrmac in #2273
  • Random storage-related cleanups by @mtrmac in #2287
  • Improve storage transport documentation, primarily about locking by @mtrmac in #2291
  • Fix c/storage destination with partial pulls by @mtrmac in #2288
  • Fix manifest updates when we match a layer by TOC digest by @mtrmac in #2294
  • Cleanly fail when trying to obtain a DiffID of a non-OCI image by @mtrmac in #2295
  • Beautify TOC-related parts of storageImageSource by @mtrmac in #2296
  • storage: use the new ApplyStagedLayer interface by @giuseppe in #2301
  • Also annotate image instances using zstd:chunked as using zstd by @mtrmac in #2302
  • Support editing ArtifactType, preserve it in lists by @nalind in #2304
  • Provide data to correctly report throughput on partial pulls by @mtrmac in #2308
  • Add validation error to digesting reader by @saschagrunert in #2312
  • Fix handling of errors when fetching layers by URLs by @mtrmac in #2310
  • Improve handling of zstd vs. zstd:chunked matching by @mtrmac in #2317

Full Changelog: v5.29.2...v5.30.0

v5.29.2

31 Jan 01:10

What's Changed

Full Changelog: v5.29.1...v5.29.2