Skip to content

chore(deps): bump oras.land/oras-go/v2 from 2.6.1 to 2.6.2#268

Merged
matthiasbruns merged 1 commit into
mainfrom
dependabot/go_modules/oras.land/oras-go/v2-2.6.2
Jul 13, 2026
Merged

chore(deps): bump oras.land/oras-go/v2 from 2.6.1 to 2.6.2#268
matthiasbruns merged 1 commit into
mainfrom
dependabot/go_modules/oras.land/oras-go/v2-2.6.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bumps oras.land/oras-go/v2 from 2.6.1 to 2.6.2.

Release notes

Sourced from oras.land/oras-go/v2's releases.

v2.6.2

This is a security patch release addressing advisories in the content and remote layers, plus additional hardening and bug fixes since v2.6.1.

Security Fixes

  • Resolve the hardlink (TypeLink) target before passing it to os.Link, preventing a crafted OCI artifact from hardlinking a file outside the extraction directory via the process CWD (#1232, GHSA-fxhp-mv3v-67qp / CVE-2026-50163)
  • Bound tag and referrer list pagination to prevent a malicious or misbehaving registry from advertising an endless page chain and forcing unbounded client requests (client-side DoS) (#1215)

Bug Fixes

  • Bound content.ReadAll allocation by actual content read rather than the descriptor size, correcting the over-broad 32 MiB cap introduced for GHSA-f36w-mj3v-6jqv so legitimate in-memory Push/FetchAll/FetchBytes are not rejected (#1223)

Other Changes

  • Bump golang.org/x/sync from 0.20.0 to 0.21.0 (#1208)
Commits

@dependabot dependabot Bot added kind/chore chore, maintenance, etc. kind/dependency dependency update, etc. labels Jul 10, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 10, 2026 21:13
@dependabot dependabot Bot added kind/chore chore, maintenance, etc. kind/dependency dependency update, etc. labels Jul 10, 2026
Bumps [oras.land/oras-go/v2](https://github.com/oras-project/oras-go) from 2.6.1 to 2.6.2.
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](oras-project/oras-go@v2.6.1...v2.6.2)

---
updated-dependencies:
- dependency-name: oras.land/oras-go/v2
  dependency-version: 2.6.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/oras.land/oras-go/v2-2.6.2 branch from f6b6a0f to fcab4c4 Compare July 13, 2026 05:18
@matthiasbruns matthiasbruns merged commit 6e041cd into main Jul 13, 2026
5 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/oras.land/oras-go/v2-2.6.2 branch July 13, 2026 05:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kind/chore chore, maintenance, etc. kind/dependency dependency update, etc.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant