v5.31.0

What's Changed

• Bump c/storage to v1.53.0, c/image to v5.30.0, and then to v5.30.1-dev by @TomSweeneyRedHat in #2327
• fix(deps): update module github.com/sylabs/sif/v2 to v2.15.2 by @renovate in #2333
• fix(deps): update module github.com/docker/cli to v25.0.4+incompatible by @renovate in #2334
• Move to a tagged version of docker/docker by @mtrmac in #2336
• fix(deps): update go-openapi packages to v0.23.0 by @renovate in #2337
• Update to Go 1.20 by @mtrmac in #2340
• chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security] by @renovate in #2338
• chore(deps): update module gopkg.in/go-jose/go-jose.v2 to v2.6.3 [security] by @renovate in #2339
• fix(deps): update module github.com/containers/ocicrypt to v1.1.10 by @renovate in #2341
• chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] by @renovate in #2344
• Add support for Docker HealthConfig.StartInterval (v25.0.0+) by @migesok in #2345
• Fix an unintentionally-added dependency on Go 1.21 by @mtrmac in #2343
• fix(deps): update module github.com/docker/docker to v25.0.5+incompatible by @renovate in #2348
• fix(deps): update module github.com/docker/cli to v25.0.5+incompatible by @renovate in #2347
• [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.0 by @renovate in #2349
• [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.1 by @renovate in #2351
• chore: fix function names by @availhang in #2357
• chore(deps): update dependency containers/automation_images to v20240320 by @renovate in #2354
• fix(deps): update module github.com/distribution/reference to v0.6.0 by @renovate in #2358
• [CI:DOCS] Update dependency golangci/golangci-lint to v1.57.2 by @renovate in #2359
• fix(deps): update module github.com/sigstore/sigstore to v1.8.3 by @renovate in #2360
• Filter BlobInfoCache candidates before prioritization, not in transports by @mtrmac in #2346
• fix(deps): update module golang.org/x/oauth2 to v0.19.0 by @renovate in #2367
• fix(deps): update golang.org/x/exp digest to c0f41cb by @renovate in #2361
• Add a helper for formatting multiple errors by @mtrmac in #2365
• fix(deps): update module github.com/ulikunitz/xz to v0.5.12 by @renovate in #2366
• Drop some minimally-used dependencies by @mtrmac in #2364
• Fix a http.response.Body leak on a permission error by @mtrmac in #2363
• fix(deps): update module github.com/klauspost/compress to v1.17.8 by @renovate in #2372
• fix(deps): update module github.com/vbauerster/mpb/v8 to v8.7.3 by @renovate in #2373
• use containers/storage/pkg/fileutils/(Exists,Lexists) by @giuseppe in #2375
• Refactor blobCacheDestination.saveStream by @mtrmac in #2380
• Update to Go1.21 by @mtrmac in #2377
• Avoid a redundant function call by @mtrmac in #2379
• CI VMs: bump to new versions with tmpfs /tmp by @edsantiago in #2384
• Update module github.com/docker/docker to v26.0.2+incompatible [SECURITY] by @renovate in #2381
• Update module github.com/docker/cli to v26.1.0+incompatible by @renovate in #2383
• Update module github.com/docker/docker to v26.1.0+incompatible by @renovate in #2386
• Fix GoDoc link at the top of the README file by @ananthb in #2387
• Update module github.com/docker/cli to v26.1.1+incompatible by @renovate in #2388
• Update module github.com/docker/docker to v26.1.1+incompatible by @renovate in #2389
• Update module golang.org/x/exp to v0.0.0-20240416160154-fe59bbe5cc7f by @renovate in #2392
• [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.0 by @renovate in #2393
• Update module golang.org/x/oauth2 to v0.20.0 by @renovate in #2395
• Update module golang.org/x/term to v0.20.0 by @renovate in #2396
• Update module go.etcd.io/bbolt to v1.3.10 by @renovate in #2397
• Update module golang.org/x/crypto to v0.23.0 by @renovate in #2398
• Update module golang.org/x/exp to v0.0.0-20240506185415-9bf2ced13842 by @renovate in #2399
• [CI:DOCS] Update dependency golangci/golangci-lint to v1.58.1 by @renovate in #2400
• Fix CVE-2024-3727 by @mtrmac in #2403
• Update module github.com/docker/docker to v26.1.2+incompatible by @renovate in #2402
• Update module github.com/docker/cli to v26.1.2+incompatible by @renovate in #2401
• [release-5.30] Release 5.30.1 by @mtrmac in #2405
• Merge the release-5.30 branch into main by @mtrmac in #2407
• Update module github.com/hashicorp/go-retryablehttp to v0.7.6 by @renovate in #2409
• Fix font choices in containers-transports.5 by @mtrmac in #2412
• Quote various strings coming from untrusted sources by @mtrmac in #2408
• Non-security digest.Digest use cleanups by @mtrmac in #2410
• docker: support for requesting chunks without end offset by @giuseppe in #2391
• Silently assume arm=v7, arm64=v8 on macOS by @mtrmac in #2411
• Allow using recent opencontainers/go-digest by @mtrmac in #2406
• Fixes to storage’s GetBlob by @mtrmac in #2394
• storage: cleanup staged layer if unused by @giuseppe in #2390
• Recognize "manifest unknown" errors reported by Harbor by @mtrmac in #2413
• fix(deps): update module github.com/docker/docker to v26.1.3+incompatible by @renovate in #2420
• fix(deps): update module github.com/docker/cli to v26.1.3+incompatible by @renovate in #2419
• [Additional Layer Store] Use TOCDigest as ID of each layer (patch for c/image) by @ktock in #2416
• fix(deps): update module github.com/containers/storage to v1.54.0 by @renovate in #2426
• Short-term kludges for recent AdditionalLayerStore changes by @mtrmac in #2428

New Contributors

• @migesok made their first contribution in #2345
• @availhang made their first contribution in #2357
• @edsantiago made their first contribution in #2384
• @ananthb made their first contribution in #2387

Full Changelog: v5.30.1...v5.31.0

v5.29.3

What's Changed

• Backport Docker Daemon fix #2260, bump to 5.29.2, then 5.29.3-dev by @TomSweeneyRedHat in #2270
• [release-5.29] Fix CVE-2024-3727 by @mtrmac in #2418

Full Changelog: v5.29.2...v5.29.3

v5.30.1

This fixes CVE-2024-3727 .

Digest values used throughout this library were not always validated. That allowed attackers to trigger, when pulling untrusted images, unexpected authenticated registry accesses on behalf of a victim user.

In less common uses of this library (using other transports or not using the containers/image/v5/copy.Image API), an attacker could also trigger local path traversals or crashes.

v5.30.0

What's Changed

A fair number of improvements when working with zstd and zstd:chunked-compressed images.

Note that make install now installs policy.json and registries.d/default.yaml.

• Refuse compression to zstd when using schema1 by @mtrmac in #2196
• Don't expose local account details in oci-archive tar files by @mtrmac in #2202
• Trigger a conversion to OCI when compressing to Zstd by @mtrmac in #2204
• Add buildtags to avoid fulcio and rekor dependencies by @siretart in #2180
• copy: do not fail if digest mismatches by @giuseppe in #1980
• Moving policy.json and default.yaml from containers/skopeo by @rahilarious in #2215
• Embrace codespell: config, workflow (to alert when new typos added) and get typos fixed by @yarikoptic in #2214
• Fix raspberry pi zero cpu variant recognition by @lstolcman in #2086
• storage: validate images converted to zstd:chunked by @giuseppe in #2243
• Make blob reuse choices manifest-format-sensitive, and allow conversions when writing to format-agnostic transports by @mtrmac in #2213
• Edit the manifest when pushing uncompressed data from c/storage by @mtrmac in #2273
• Random storage-related cleanups by @mtrmac in #2287
• Improve storage transport documentation, primarily about locking by @mtrmac in #2291
• Fix c/storage destination with partial pulls by @mtrmac in #2288
• Fix manifest updates when we match a layer by TOC digest by @mtrmac in #2294
• Cleanly fail when trying to obtain a DiffID of a non-OCI image by @mtrmac in #2295
• Beautify TOC-related parts of storageImageSource by @mtrmac in #2296
• storage: use the new ApplyStagedLayer interface by @giuseppe in #2301
• Also annotate image instances using zstd:chunked as using zstd by @mtrmac in #2302
• Support editing ArtifactType, preserve it in lists by @nalind in #2304
• Provide data to correctly report throughput on partial pulls by @mtrmac in #2308
• Add validation error to digesting reader by @saschagrunert in #2312
• Fix handling of errors when fetching layers by URLs by @mtrmac in #2310
• Improve handling of zstd vs. zstd:chunked matching by @mtrmac in #2317

New Contributors

• @rahilarious made their first contribution in #2215
• @yarikoptic made their first contribution in #2214
• @lstolcman made their first contribution in #2086
• @bainsy88 made their first contribution in #2260

Full Changelog: v5.29.2...v5.30.0

v5.29.2

What's Changed

• [release-5.29] backport Docker Daemon fix by @TomSweeneyRedHat in #2270
• [release-5.29] Tag 5.29.1 by @mtrmac in #2253
• Use a stable Skopeo branch for testing the stable c/image branch by @mtrmac in #2262

Full Changelog: v5.29.1...v5.29.2

v5.29.1

• Add support for pushing an image with unknown digest

v5.29.0

What's Changed

• Bump to v5.28.0 by @rhatdan in #2114
• fix(deps): update module github.com/containers/storage to v1.50.2 by @renovate in #2115
• Run codespell on code by @rhatdan in #2116
• fix(deps): update module github.com/opencontainers/image-spec to v1.1.0-rc5 by @renovate in #2117
• Use constants and types from opencontainers/image-spec/specs-go/v1 by @mtrmac in #2119
• progress: set Current before Refill by @giuseppe in #2121
• copy: fix nil pointer dereference when checking compression algorithm by @crazy-max in #2120
• fix(deps): update module github.com/klauspost/compress to v1.17.0 by @renovate in #2122
• fix(deps): update module github.com/sylabs/sif/v2 to v2.14.0 by @renovate in #2124
• ociarchive: Add new ArchiveFileNotFoundError by @cgwalters in #2123
• fix: typo by @testwill in #2125
• fix(deps): update module github.com/sylabs/sif/v2 to v2.14.1 by @renovate in #2126
• fix(deps): update golang.org/x/exp digest to 7918f67 by @renovate in #2130
• fix(deps): update module github.com/sylabs/sif/v2 to v2.15.0 by @renovate in #2137
• fix(deps): update module golang.org/x/oauth2 to v0.13.0 by @renovate in #2136
• Fix podman search for docker.io/library images by @boaz0 in #2133
• fix(deps): update module github.com/docker/distribution to v2.8.3+incompatible by @renovate in #2131
• fix(deps): update module github.com/sigstore/fulcio to v1.4.1 by @renovate in #2138
• fix(deps): update module github.com/sigstore/fulcio to v1.4.2 by @renovate in #2140
• Oci image deletion by @Pvlerick in #2003
• fix(deps): update module github.com/sigstore/fulcio to v1.4.3 by @renovate in #2142
• fix(deps): update module github.com/otiai10/copy to v1.14.0 by @renovate in #2144
• fix(deps): update module github.com/vbauerster/mpb/v8 to v8.6.2 by @renovate in #2146
• fix(deps): update module github.com/klauspost/compress to v1.17.1 by @renovate in #2148
• fix(deps): update module github.com/sigstore/sigstore to v1.7.4 by @renovate in #2145
• chore(deps): update dependency containers/automation_images to v20231004 by @renovate in #2150
• Fix conversion of Zstd images to non-OCI formats by @mtrmac in #2151
• Parse the body of (docker load) response to correctly handle errors by @mtrmac in #2153
• Fix a comment by @mtrmac in #2152
• fix(deps): update module github.com/klauspost/compress to v1.17.2 by @renovate in #2154
• Don't use append() on slices with unclear origin by @mtrmac in #2155
• Remove unused environment variables in Cirrus by @mtrmac in #2156
• Fix and simplify storage tests by @mtrmac in #2147
• Add image.UnparsedInstanceWithReference and storage.ResolveReference by @mtrmac in #2056
• fix(deps): update module github.com/docker/docker to v24.0.7+incompatible [security] by @renovate in #2163
• fix(deps): update module github.com/sigstore/sigstore to v1.7.5 by @renovate in #2159
• fix(deps): update module go.etcd.io/bbolt to v1.3.8 by @renovate in #2161
• Missed null check in docker_image_dest.go by @bojidar-bg in #2164
• Simplify storage test setup by @mtrmac in #2158
• fix(deps): update module github.com/containers/ocicrypt to v1.1.9 by @renovate in #2165
• docker, BlobInfoCache: try to reuse blobs from set of all known compressed blobs when pushing across registries by @flouthoc in #1645
• blobinfocache,sqlite: remove unnecessary compression check by @flouthoc in #2168
• fix(deps): update github.com/containers/storage digest to 6e72f11 by @renovate in #2166
• fix(deps): update github.com/cyberphone/json-canonicalization digest to 785e297 by @renovate in #2167
• Improve documentation of ResolveReference by @mtrmac in #2170
• Improve lint tool handling by @mtrmac in #2171
• [CI:DOCS] Update dependency golangci/golangci-lint to v1.55.2 by @renovate in #2172
• fix(deps): update module golang.org/x/sync to v0.5.0 by @renovate in #2175
• fix(deps): update module github.com/mattn/go-sqlite3 to v1.14.18 by @renovate in #2174
• fix(deps): update module golang.org/x/term to v0.14.0 by @renovate in #2176
• fix(deps): update module github.com/hashicorp/go-retryablehttp to v0.7.5 by @renovate in #2177
• fix(deps): update module golang.org/x/crypto to v0.15.0 by @renovate in #2178
• fix(deps): update module golang.org/x/oauth2 to v0.14.0 by @renovate in #2179
• Add DockerCompatAuthFilePath to allow login/logout to interoperate by @mtrmac in #2173
• fix(deps): update module github.com/docker/cli to v24.0.7+incompatible by @renovate in #2187
• Update github.com/go-jose/go-jose/v3 by @mtrmac in #2188
• Quote the response body in an error message by @mtrmac in #2186
• fix(deps): update module github.com/klauspost/compress to v1.17.3 by @renovate in #2190
• WIP HACK: Do not reuse zstd:chunked blobs by @mtrmac in #2185

New Contributors

• @testwill made their first contribution in #2125
• @bojidar-bg made their first contribution in #2164

Full Changelog: v5.28.0...v5.29.0

v5.28.0

What's Changed

• Bump to v5.26.0 by @TomSweeneyRedHat in #2013
• fix(deps): update module github.com/sigstore/rekor to v1.2.2 by @renovate in #2014
• fix(deps): update module github.com/sigstore/fulcio to v1.3.2 by @renovate in #2016
• Adding IO decorator to copy progress bar by @Pvlerick in #2015
• Ensure we close HTTP connections on all paths by @mtrmac in #2017
• fix(deps): update module github.com/containers/storage to v1.48.0 by @renovate in #2018
• fix(deps): update module github.com/opencontainers/image-spec to v1.1.0-rc4 by @renovate in #2020
• fix(deps): update github.com/cyberphone/json-canonicalization digest to 91eb5f1 by @renovate in #2021
• fix(deps): update golang.org/x/exp digest to 97b1e66 by @renovate in #2022
• fix(deps): update module github.com/klauspost/compress to v1.16.7 by @renovate in #2024
• fix(deps): update module github.com/docker/docker to v24.0.3+incompatible by @renovate in #2031
• fix(deps): update module golang.org/x/oauth2 to v0.10.0 by @renovate in #2028
• manifest: ListUpdate add imgspecv1.Platform field by @flouthoc in #2029
• fix(deps): update module github.com/docker/docker to v24.0.4+incompatible by @renovate in #2032
• pkg/docker: use the same default auth path as macOS on FreeBSD by @dfr in #2034
• fix(deps): update module github.com/sigstore/fulcio to v1.3.4 by @renovate in #2033
• blob: TryReusingBlobWithOptions consider RequiredCompression if set by @flouthoc in #2023
• Fix tests of the ostree transport by @mtrmac in #2037
• helpers_test,cleanup: correct argument order by @flouthoc in #2039
• fix(deps): update module github.com/vbauerster/mpb/v8 to v8.5.1 by @renovate in #2041
• Make temporary names container/image specific by @rhatdan in #2045
• listupdate,oci: instance show read-only annotations and CompressionAlgorithmNames by @flouthoc in #2040
• fix(deps): update module github.com/docker/docker-credential-helpers to v0.8.0 by @renovate in #2046
• fix(deps): update module github.com/vbauerster/mpb/v8 to v8.5.2 by @renovate in #2044
• Fix TestOCI1IndexChooseInstanceByCompression on non-amd64 by @mtrmac in #2043
• Refactor data passing in c/image/copy by @mtrmac in #2048
• Update module github.com/sigstore/fulcio to v1.4.0 by @renovate in #2049
• copy/multiple: instanceCopyCopy honor UpdateCompressionAlgorithms by @flouthoc in #2047
• Update vendor of containers/storage by @rhatdan in #2052
• copy/single: accept custom *Options and wrap arguments in copySingleImageOptions by @flouthoc in #2050
• Improve transport documentation by @mtrmac in #2042
• fix(deps): update module github.com/vbatts/tar-split to v0.11.5 by @renovate in #2053
• fix(deps): update module github.com/docker/docker to v24.0.5+incompatible by @renovate in #2055
• copy: implement instanceCopyClone for zstd compression by @flouthoc in #1987
• copy/multiple: priority of instanceCopyCopy must be higher than instanceCopyClone by @flouthoc in #2059
• Clarify where mirrors are used by @mtrmac in #2061
• fix(deps): update github.com/cyberphone/json-canonicalization digest to aa7fe85 by @renovate in #2064
• fix(deps): update github.com/containers/storage digest to c3da76f by @renovate in #2063
• Update x/exp/slices, and some small slice-related cleanups by @mtrmac in #2066
• Use consistent example domains in #2069
• copy: add support for ForceCompressionFormat by @flouthoc in #2068
• fix(deps): update module golang.org/x/term to v0.11.0 by @renovate in #2073
• fix(deps): update module golang.org/x/crypto to v0.12.0 by @renovate in #2078
• fix(deps): update module golang.org/x/oauth2 to v0.11.0 by @renovate in #2080
• [release-5.27] Preparing 5.27 backport by @mtrmac in #2075
• Update to Go 1.19 by @mtrmac in #2079
• storage.storageImageDestination.Commit(): leverage image options by @nalind in #2067
• Rename SKOPEO_CI_TAG to SKOPEO_CI_BRANCH by @mtrmac in #2083
• [CI:DOCS] Add cirrus-cron retry/monitor jobs by @cevich in #2082
• chore(deps): update dependency containers/automation_images to v20230807 by @renovate in #2081
• [release-5.27] Fix the branch we use for determining a git-validation starting point by @mtrmac in #2084
• fix(deps): update golang.org/x/exp digest to 352e893 by @renovate in #2065
• fix(deps): update module github.com/sigstore/sigstore to v1.7.2 by @renovate in #2085
• OCI image-spec / distribution-spec v1.1 updates, first round by @mtrmac in #2062
• fix(deps): update module github.com/sylabs/sif/v2 to v2.12.0 by @renovate in #2087
• chore(deps): update dependency containers/automation_images to v20230809 by @renovate in #2089
• Merge release branch into main by @mtrmac in #2070
• BREAKING: Update for move of github.com/theupdateframework/go-tuf/encrypted by @mtrmac in #2054
• Update module github.com/containers/ocicrypt to v1.1.8 by @renovate in #2091
• chore(deps): update dependency containers/automation_images to v20230816 by @renovate in #2093
• fix(deps): update module github.com/containers/storage to v1.49.0 by @renovate in #2095
• fix(deps): update module github.com/sylabs/sif/v2 to v2.13.0 by @renovate in #2097
• fix(deps): update module github.com/vbauerster/mpb/v8 to v8.6.0 by @renovate in #2098
• fix(deps): update module github.com/vbauerster/mpb/v8 to v8.6.1 by @renovate in #2099
• fix(deps): update golang.org/x/exp digest to d852ddb by @renovate in #2101
• fix(deps): update module golang.org/x/term to v0.12.0 by @renovate in #2103
• fix(deps): update module github.com/sigstore/sigstore to v1.7.3 by @renovate in #2102
• fix removal of temp file in GetBlob on Windows by @mikenorgate in #2104
• fix(deps): update module golang.org/x/crypto to v0.13.0 by @renovate in #2106
• Fix build with golangci-lint 1.54.2 by @mtrmac in #2107
• fix(deps): update module golang.org/x/oauth2 to v0.12.0 by @renovate in #2108
• Implement, and default to, a SQLite BlobInfoCache instead of BoltDB by @mtrmac in #2092
• fix(deps): update module github.com/docker/docker to v24.0.6+incompatible by @renovate in #2109
• Update dependencies of docker/docker by @mtrmac in #2110
• Correctly handle encryption/decryption changes in non-OCI formats by @mtrmac in #1932
• chore(deps): update module github.com/cyphar/filepath-securejoin to v0.2.4 [security] by @renovate in #2111
• fix(deps): update module github.com/containers/storage to v1.50.1 by @renovate in #2112

New Contributors

• @Pvlerick made their first contribution in #2015
• @mikenorgate made their first contribution in #2104

Full Changelog: v5.27.0...v5.28.0

v5.26.2

What's Changed

• [release-5.26] c/storage to 1.48, bump c/image to v5.26.1, and then to v5.26.2-dev by @TomSweeneyRedHat in #2019
• [release-5.26] Test the release-5.26 branch against the 1.13 branch of Skopeo by @mtrmac in #2090

Full Changelog: v5.26.1...v5.26.2

v5.27.0

• New copy.Options.EnsureCompressionVariantsExist allows creating images that are consumable by existing gzip-only consumers, but include a Zstd-compressed version is preferred by c/image.
• OCI images using Zstd compression now carry a io.github.containers.compression.zstd annotation in the OCI image index.