chore(deps): update dependency chainguard-dev/apko to v0.25.2

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
chainguard-dev/apko	patch	0.25.1 -> 0.25.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

chainguard-dev/apko (chainguard-dev/apko)

v0.25.2

Compare Source

What's Changed

• build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1531
• build(deps): bump step-security/harden-runner from 2.10.4 to 2.11.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1533
• build(deps): bump google.golang.org/api from 0.220.0 to 0.222.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1534
• build(deps): bump github.com/sigstore/cosign/v2 from 2.4.2 to 2.4.3 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1535
• build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1536
• build(deps): bump k8s.io/apimachinery from 0.32.1 to 0.32.2 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1527
• build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1532
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in the go_modules group by @​dependabot in https://github.com/chainguard-dev/apko/pull/1539
• build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1542
• build(deps): bump sigstore/cosign-installer from 3.8.0 to 3.8.1 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1537
• Make LockImageConfiguration incorporate options by @​jonjohnsonjr in https://github.com/chainguard-dev/apko/pull/1540
• build(deps): bump docker/setup-qemu-action from 3.4.0 to 3.5.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1549
• build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 in the go_modules group by @​dependabot in https://github.com/chainguard-dev/apko/pull/1547
• build(deps): bump github.com/go-git/go-git/v5 from 5.13.2 to 5.14.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1548
• build(deps): bump google.golang.org/api from 0.222.0 to 0.223.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1545
• apk/signature: remove support for creating new SHA1 signatures by @​xnox in https://github.com/chainguard-dev/apko/pull/1496
• dot: Do a slightly better job by @​jonjohnsonjr in https://github.com/chainguard-dev/apko/pull/1553
• spdx: add attributionText field by @​xnox in https://github.com/chainguard-dev/apko/pull/1554
• build(deps): bump github.com/chainguard-dev/clog from 1.6.1 to 1.7.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1555
• build(deps): bump docker/setup-qemu-action from 3.5.0 to 3.6.0 by @​dependabot in https://github.com/chainguard-dev/apko/pull/1552
• apko: make apk cache safer for multi-writers by @​tcnghia in https://github.com/chainguard-dev/apko/pull/1564

Full Changelog: chainguard-dev/apko@v0.25.1...v0.25.2

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/apko:0.25.2

📦 Image Reference ghcr.io/uniget-org/tools/apko:0.25.2

digest	sha256:afa7e01de57f1c49229f278e928012d77b037cb8f9dad8b27a6acda6756fdcf1
vulnerabilities
platform	linux/amd64
size	22 MB
packages	146

github.com/u-root/u-root 0.14.0 (golang) pkg:golang/github.com/u-root/[email protected] OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=v7.0.0 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description This affects all versions of package github.com/u-root/u-root/pkg/tarutil. It is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=7.0.0 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction.

github.com/theupdateframework/go-tuf 0.7.0 (golang) pkg:golang/github.com/theupdateframework/[email protected] Affected range >=0 Fixed version Not Fixed Description Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf

golang.org/x/oauth2 0.26.0 (golang) pkg:golang/golang.org/x/[email protected] Affected range <0.27.0 Fixed version 0.27.0 Description An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/13770234990.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/13770234990.