Bump the go_modules group across 1 directory with 4 updates

[dependabot]

Bumps the go_modules group with 3 updates in the /tools directory: github.com/gohugoio/hugo, github.com/docker/docker and github.com/golang-jwt/jwt/v4.

Updates github.com/gohugoio/hugo from 0.126.1 to 0.139.4

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.139.4

This release contains a security fix. See this Security Advisory for details. Note that this is only relevant if you don't trust your content (e.g. Markdown) files.

What's Changed

• tpl/tplimpl: Escape Markdown attributes in render hooks and shortcodes 54398f8d5 @​jmooring
• deps: Upgrade github.com/bep/godartsass/v2 v2.3.1 => v2.3.2 b8c15f245 @​bep
• common/maps: Simplify TestScratchSetInMap/DeleteInMap d0dc51884 @​alexandear
• markup/tableofcontents: Cast Fragments.ToHTML args to int b52985900 @​jmooring #13107

v0.139.3

What's Changed

• Fix server edits of resources included in shortcode/hooks c1dc35dd7 @​bep #13093
• commands: Fix flaw in the livereload logic dea158c88 @​bep
• build(deps): bump github.com/bep/godartsass/v2 from 2.3.0 to 2.3.1 7e130e34f @​dependabot[bot]
• build(deps): bump github.com/tetratelabs/wazero from 1.8.1 to 1.8.2 88b7868fb @​dependabot[bot]
• Fix some typos fc3d1cbad @​thirdkeyword

v0.139.2

Note that this is the second patch release today. See v0.139.1. We had to do this release to get the Hugo Docs build running.

What's Changed

• modules: Skip empty lines in modules.txt 0ab81896d @​bep #13084

v0.139.1

What's Changed

• Revert "build(deps): bump github.com/tdewolff/minify/v2 from 2.20.37 to 2.21.1" aa3dd197f @​bep #13082
• minifiers: Add failing test for upstream bug 5a50eee9d @​bep #13082
• dartsass: Fix nilpointer on Close when Dart Sass isn't installed 8d017a60f @​bep #13076

v0.139.0

This release is mostly about removing code that has been deprecated for a long time. This has been shown as an ERROR in the build log and failed the build for at least the last 6 minor Hugo versions, in most cases much longer.

But this is also a full dependency refresh, and there are also some new stuff. For one, we added a -O flag to hugo server to open up the site in your browser after start. This is now my (@​bep) shortcut to start the server:

function h() {
</tr></table> 

... (truncated)

Commits

• 3afe91d releaser: Bump versions for release of 0.139.4
• 54398f8 tpl/tplimpl: Escape Markdown attributes in render hooks and shortcodes
• b8c15f2 deps: Upgrade github.com/bep/godartsass/v2 v2.3.1 => v2.3.2
• d0dc518 common/maps: Simplify TestScratchSetInMap/DeleteInMap
• b529859 markup/tableofcontents: Cast Fragments.ToHTML args to int
• 487bb96 releaser: Prepare repository for 0.140.0-DEV
• 2f68643 releaser: Bump versions for release of 0.139.3
• c1dc35d Fix server edits of resources included in shortcode/hooks
• fc3d1cb Fix some typos
• 7e130e3 build(deps): bump github.com/bep/godartsass/v2 from 2.3.0 to 2.3.1
• Additional commits viewable in compare view

Updates github.com/docker/docker from 26.1.3+incompatible to 26.1.5+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v26.1.5

26.1.5

Security

This release contains a fix for CVE-2024-41110 / GHSA-v23v-6jw2-98fq that impacted setups using authorization plugins (AuthZ) for access control. No other changes are included in this release, and this release is otherwise identical for users not using AuthZ plugins.

Full Changelog: moby/moby@v26.1.4...v26.1.5

v26.1.4

26.1.4

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 26.1.4 milestone
• moby/moby, 26.1.4 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Security

This release updates the Go runtime to 1.21.11 which contains security fixes for:

• CVE-2024-24789
• CVE-2024-24790
• A symlink time of check to time of use race condition during directory removal reported by Addison Crump (@​addisoncrump).

Bug fixes and enhancements

• Fixed an issue where promoting a node immediately after another node was demoted could cause the promotion to fail. moby/moby#47870
• Prevent the daemon log from being spammed with superfluous response.WriteHeader call ... messages.. moby/moby#47843
• Don't show empty hints when plugins return an empty hook message. docker/cli#5083
• Added ContextType: "moby" to the context list/inspect output to address a compatibility issue with Visual Studio Container Tools. docker/cli#5095
• Fix a compatibility issue with Visual Studio Container Tools. docker/cli#5095

Packaging updates

• Update containerd (static binaries only) to v1.7.17. moby/moby#47841
• CVE-2024-24789, CVE-2024-24790: Update Go runtime to 1.21.11. moby/moby#47904
• Update Compose to v2.27.1. docker/docker-ce-packages#1022
• Update Buildx to v0.14.1. docker/docker-ce-packages#1021

Commits

• 411e817 Merge commit from fork
• 9cc85ea If url includes scheme, urlPath will drop hostname, which would not match the...
• 820cab9 Authz plugin security fixes for 0-length content and path validation
• 6bc4906 Merge pull request #48123 from vvoland/v26.1-48120
• 6fbdce4 update to go1.21.12
• f533464 Merge pull request #47986 from vvoland/v26.1-47985
• c1d4587 builder/mobyexporter: Add missing nil check
• d642804 Merge pull request #47940 from thaJeztah/26.1_backport_api_remove_container_c...
• daba246 docs: api: image inspect: remove Container and ContainerConfig
• de5c9cf Merge pull request #47912 from thaJeztah/26.1_backport_vendor_containerd_1.7.18
• Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.1

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

• Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

Commits

• 7b1c1c0 Merge commit from fork
• See full diff in compare view

Updates google.golang.org/grpc from 1.64.0 to 1.67.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.67.1

Bug Fixes

• transport: Fix a bug causing stream failures due to miscalculation of the flow control window in both clients and servers. (#7667)
• xds/server: Fix xDS Server memory leak. (#7681)

Release 1.67.0

Bug Fixes

• ringhash: when used with multiple EDS priorities, fix bug that could prevent a higher priority from recovering from transient failure. (#7364)
  • Special Thanks: @​atollena

Behavior Changes

• In accordance with RFC 7540, clients and servers will now reject TLS connections that don't support ALPN. This can be disabled by setting the environment variable GRPC_ENFORCE_ALPN_ENABLED to false (case insensitive). Please file a bug if you encounter any issues with this behavior. The environment variable to revert this behavior will be removed in an upcoming release. (#7535)

Release 1.66.3

Bug Fixes

• transport: Fix a bug causing stream failures due to miscalculation of the flow control window in both clients and servers. (#7667)
• xds/server: Fix xDS Server memory leak. (#7681)

Release 1.66.2

Dependencies

• Remove unintentional dependency on the testing package (#7579)
• Remove unintentional dependency on the flate package (#7595)
  • Special Thanks: @​ash2k

Bug Fixes

• client: fix a bug that prevented memory reuse after handling unary RPCs (#7571)
  • Special Thanks: @​coxley

Release 1.66.0

New Features

• metadata: stabilize ValueFromIncomingContext (#7368)
  • Special Thanks: @​KarthikReddyPuli
• client: stabilize the WaitForStateChange and GetState methods, which were previously experimental. (#7425)
• xds: Implement ADS flow control mechanism (#7458)
  • See grpc/grpc#34099 for context.
• balancer/rls: Add metrics for data cache and picker internals (#7484, #7495)
• xds: LRS load reports now include the total_issued_requests field. (#7544)

Bug Fixes

• grpc: Clients now return status code INTERNAL instead of UNIMPLEMENTED when the server uses an unsupported compressor. This is consistent with the gRPC compression spec. (#7461)
  • Special Thanks: @​Gayathri625

... (truncated)

Commits

• 3f95b38 Update version to 1.67.1 (#7682)
• 4f6c5f2 xds/server: Fix xDS Server leak (#7664) (#7681)
• 935f8cb transport: Fix reporting of bytes read while reading headers (#7660) (#7667)
• 02bbb65 Change version to 1.67.1-dev (#7605)
• 6f50403 Change version to 1.67.0 (#7604)
• 3c3a025 mem: replace flate.Reader reference (#7595) (#7637)
• 3ffb98b .*: fix revive lints redefines-builtin-id (#7552)
• 5666049 vet: enforce revive linter (#7589)
• c6ad07f protoc: regenerate protos (#7590)
• 70f19ee credentials/tls: default GRPC_ENFORCE_ALPN_ENABLED to true (#7535)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.