google/go-containerregistry v0.21.6

on GitHub

What's Changed

• fix: update dependencies to use new azure sdk components by @gaganhr94 in #2262
• transport: restore resp.Body in retryError so CheckError can parse it by @alliasgher in #2264
• pkg/registry: return 202 Accepted for PATCH chunk uploads by @alliasgher in #2265
• Follow OCI distribution spec for artifactType and annotations by @malt3 in #2269
• actions: attach Codecov token to coverage tests on main by @Subserial in #2270
• remote: use DeleteScope (with "delete" action) for manifest deletion by @alliasgher in #2266
• remote: limit concurrent layer pulls by @gnix0 in #2271
• pkg/registry: reject corrupt disk blobs by @gnix0 in #2272
• mutate: close layer readers during export by @gnix0 in #2277
• crane/flatten: preserve image media type when flattening by @alliasgher in #2267
• build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 in the actions group across 1 directory by @dependabot[bot] in #2273
• build(deps): bump go.opentelemetry.io/otel from 1.36.0 to 1.41.0 by @dependabot[bot] in #2278
• build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in #2280
• Replace go-homedir with os.UserHomeDir by @jammie-jelly in #2282
• pkg/name: only treat .localhost as non-HTTPS, not .local by @blackwell-systems in #2281
• transport: block unspecified IPs (0.0.0.0, ::) in validateRealmURL by @marwan9696 in #2285
• test(mutate): add Extract round-trip test for filesystem object preservation by @blackwell-systems in #2283
• experiments: remove deprecated support for estargz by @thaJeztah in #2288
• build(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1 in the actions group by @dependabot[bot] in #2289
• fix: limit HTTP response body reads to prevent OOM by @evilgensec in #2296
• build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in #2297
• transport: block redirects from token server to private/link-local addresses (SSRF fix) by @evilgensec in #2292
• pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract by @anishesg in #2279
• validate: skip non-layer layers by @imjasonh in #2298
• remote: validate foreign layer URLs to prevent SSRF (fixes #2259) by @evilgensec in #2293
• remote: block SSRF via private-IP Location headers in blob uploads by @adilburaksen in #2295
• fix(mutate): preserve config blob and layers for non-Docker OCI artifacts by @blackwell-systems in #2286
• fix: preserve per-occurrence layer identity in mutate.Image.Layers() by @iahsanGill in #2299
• transport: retry HTTP 429 (Too Many Requests) by @iahsanGill in #2301
• transport: allow bearer realm at same host:port as registry by @iahsanGill in #2302
• Update go version to 1.26.3 by @Subserial in #2300

New Contributors

• @gaganhr94 made their first contribution in #2262
• @alliasgher made their first contribution in #2264
• @malt3 made their first contribution in #2269
• @gnix0 made their first contribution in #2271
• @blackwell-systems made their first contribution in #2281
• @marwan9696 made their first contribution in #2285
• @anishesg made their first contribution in #2279
• @adilburaksen made their first contribution in #2295
• @iahsanGill made their first contribution in #2299

Full Changelog: v0.21.5...v0.21.6