gomod(deps): Bump the go-deps group across 1 directory with 7 updates

[dependabot]

Bumps the go-deps group with 7 updates in the / directory:

Package	From	To
github.com/containerd/containerd/v2	2.3.0	2.3.1
github.com/docker/cli	29.4.2+incompatible	29.5.2+incompatible
github.com/moby/buildkit	0.29.0	0.30.0
github.com/posthog/posthog-go	1.12.4	1.12.6
github.com/tidwall/gjson	1.18.0	1.19.0
golang.org/x/mod	0.35.0	0.36.0
golang.org/x/net	0.53.0	0.55.0

Updates github.com/containerd/containerd/v2 from 2.3.0 to 2.3.1

Release notes

Sourced from github.com/containerd/containerd/v2's releases.

containerd 2.3.1

Welcome to the v2.3.1 release of containerd!

The first patch release for containerd 2.3 contains various fixes and improvements.

Security Updates

• CVE-2026-46680

Highlights

• Fix bug where failed gRPC plugins were not tolerated when starting listeners (#13390)

Image Storage

• Ensure metadata and mount plugin boltdb files are closed on server shutdown (#13379)

Runtime

• Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13447)
• Fix sandbox task API endpoints for non-runc runtimes and deprecate task fields in Runc options (#13422)
• Apply hardening to default seccomp socket policy by blocking AF_ALG (#13409)

Snapshotters

• Disable overlayfs "rebase" capability when running in user namespace (#13394)
• Fix transfer plugin error when EROFS differ is configured but mkfs.erofs is unavailable (#13364)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

• Maksym Pavlenko
• Akihiro Suda
• Derek McGowan
• Paweł Gronowski
• Brian Goff
• Austin Vazquez
• LEI WANG
• Samuel Karp

Changes

• Prepare release notes for v2.3.1 (#13405)
  • 58af96519 Prepare release notes for v2.3.1
  • 8f0b3ca83 Update api to v1.11.1
• oci: return explicit error for out-of-range USER values (#13447)

... (truncated)

Commits

• 64b425c Merge pull request #13405 from AkihiroSuda/prepare-release-2.3.1
• 58af965 Prepare release notes for v2.3.1
• 8f0b3ca Update api to v1.11.1
• 9f8f453 Merge pull request #13447 from samuelkarp/oci-withuser-errrange-2.3
• f822a91 Merge pull request #13444 from dmcgowan/prepare-api-v1.11.1
• da7aef2 Prepare release notes for api/v1.11.1
• a50a704 Merge pull request #13422 from k8s-infra-cherrypick-robot/cherry-pick-13360-t...
• 5282d4e Wire task address and version fields
• e44f5f9 protos: include task API address to CreateTaskRequest
• 85f22f7 Merge pull request #13409 from k8s-infra-cherrypick-robot/cherry-pick-13327-t...
• Additional commits viewable in compare view

Updates github.com/docker/cli from 29.4.2+incompatible to 29.5.2+incompatible

Commits

• 79eb04c Merge pull request #3173 from rene-hermenau/patch-1
• 1a3048f Merge pull request #6997 from vvoland/gha-fix
• 9177c7f gha: Port validate milestones from Moby
• 77cb156 Merge pull request #6994 from thaJeztah/bump_buildx
• 382a92d Dockerfile: update buildx to v0.34.1
• 5c0919a Merge pull request #6995 from thaJeztah/bump_version
• a68dd7a bump VERSION to v29.5.2-dev
• 2518b52 Merge pull request #6991 from mickael-docker/docs-clarify-authz
• 9f18a0a docs: clarify authz content type
• 2944fd1 Merge pull request #6989 from thaJeztah/bump_version
• Additional commits viewable in compare view

Updates github.com/moby/buildkit from 0.29.0 to 0.30.0

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.30.0

Welcome to the v0.30.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn
• Jonathan A. Sternberg
• Natnael Gebremariam
• Akihiro Suda
• Dawei Wei
• Dmitrii Kostyrev
• Jiří Moravčík
• Vladimir Kuznichenkov

Notable Changes

• Builtin Dockerfile frontend has been updated to v1.24.0 changelog
• BuildKit now supports the concept of "compatibility version" for improved reproducible builds support across different BuildKit versions. This allows users to specify a version for which the build should be compatible with, and BuildKit will attempt to maintain compatibility with that version when possible. Compatibility version will be stored in the provenance attestation of the build and can be used to independently verify the artifacts of the build on other BuildKit versions. The current compatibility version and backward compatibility with old versions are defined in Build reproducibility docs #6681
• Git sources now support fetch-by-commit option where commit is fetched by the SHA and then associated with the reference. This is useful when checking out mutable references refs/NR/merge where the commit SHA may change during invocation and cause checksum mismatch error #6708
• The LLB API now supports Git bundle format. Git bundles can be loaded from registry or OCI layout blobs and Git sources can be checked out into bundle format for snapshotting #6711
• Provenance attestations for multi-pass or chained builds now include request details for root requests and individual input requests, allowing full reconstruction of such complex builds #6739
• The version of the built-in Dockerfile frontend that was used is now included in the provenance metadata and reported via worker info APIs. #6705
• Improve error reporting for registry errors on cache export #6762
• S3 cache now supports additional options retry_mode and retry_max_attempts to configure retry behavior of S3 client #6657
• S3 cache now supports disable_accept_encoding option for GCS interoperability #6642
• Reduce potential lock contention in gateway forwarder for improved performance on parallel builds #6741
• A new log level option has been added to the buildkitd TOML configuration; previous "debug" and "trace" options have been deprecated #6732
• Allow gateway frontend requests to forward to the built-in Dockerfile frontend the same way as to external frontends #6643
• Session connection health checks have been improved to better detect loss of connectivity and avoid stuck builds #6649
• Fix issue with Git subdirectory value not being included in ConfigSource section of SLSA provenance for builds from Git sources #6724
• Avoid potential deadlock if the credential helper in the client is misbehaving and never returns credentials #6709
• Fix possible data race in provenance computation on parallel builds #6758
• Fix possible provenance capture race in concurrent no-cache builds that could leave source pins empty and fail with an invalid checksum digest error #6764
• Fix possible data race in progress writer #6679
• Fix data race in S3 cache reader #6675
• Fix possible Git config lookup errors on Windows #6639
• Fix build cancellation not working properly when blocked on credential callback #6641

Dependency Changes

• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 -> v1.21.0
• github.com/Microsoft/hcsshim v0.14.0-rc.1 -> v0.14.1
• github.com/aws/aws-sdk-go-v2 v1.41.4 -> v1.41.7

... (truncated)

Commits

• dd2170e Merge pull request #6770 from crazy-max/v0.30-picks-0.30.0
• e4b9769 test: gate merge diff tests through worker capabilities
• d5956a1 skip pin race test on workers without merge diff support
• 505ab37 solver: fix race in walkProvenance
• f2e48d2 Merge pull request #6762 from jsternberg/add-error-details
• f7a40a0 Merge pull request #6758 from tonistiigi/fix-provenance-data-race
• 80e934d remotecache: propagate details field from registry when included
• a7c8749 Merge pull request #6761 from moby/dependabot/github_actions/github/codeql-ac...
• df37b67 build(deps): bump github/codeql-action from 4.35.3 to 4.35.4
• c7ba941 Merge pull request #6759 from moby/dependabot/github_actions/docker/github-bu...
• Additional commits viewable in compare view

Updates github.com/posthog/posthog-go from 1.12.4 to 1.12.6

Release notes

Sourced from github.com/posthog/posthog-go's releases.

1.12.6

Unreleased

1.12.5

Unreleased

Changelog

Sourced from github.com/posthog/posthog-go's changelog.

1.12.6

Patch Changes

• 9289d53: Reject semver values with leading zeros in local flag evaluation. Per semver 2.0.0 §2, numeric identifiers must not include leading zeros — values like 1.07.3 are not valid semver and should not match targeting conditions. Both override values and flag values are now validated; invalid inputs surface an InconclusiveMatchError so the condition does not match.

1.12.5

Patch Changes

• 6d243a6: Return ErrSDKDisabled from no-op clients when the project API key is missing, return ErrNoPersonalAPIKey before making requests for Personal API key dependent methods when no Personal API key is configured, and return ErrNoDistinctID from EvaluateFlags when distinct_id is missing.

New Features

• EvaluateFlags: New method on Client that returns a FeatureFlagEvaluations snapshot for a user using a single /flags request. The snapshot powers any number of IsEnabled / GetFlag / GetFlagPayload checks, fires deduped $feature_flag_called events with full v4 metadata (id, version, reason, request_id), and can be attached to a Capture event via the new Capture.Flags field to populate $feature/<key> and $active_feature_flags without another network call.
• Capture.Flags: New optional field on Capture that accepts a *FeatureFlagEvaluations snapshot. Takes precedence over SendFeatureFlags, avoids a hidden /flags request per event, and lets caller-supplied Properties override the auto-generated $feature/<key> values on conflict.

Internal

• Refactored the $feature_flag_called dedup logic into a shared helper so the existing single-flag path and the new snapshot path use identical semantics against the same per-distinct_id LRU cache.
• $feature_flag_called events from the snapshot path combine response-level errors (errors_while_computing_flags, quota_limited) with per-flag errors (flag_missing) comma-joined in $feature_flag_error, matching the granularity of the legacy single-flag path.

Commits

• a99dc57 chore: release v1.12.6 [version bump] [skip ci]
• 9289d53 fix: reject leading-zero semver values in local evaluation (#200)
• 4caaa1e chore: pin github actions to commit shas (#202)
• 22195ff chore: release v1.12.5 [version bump] [skip ci]
• 6d243a6 fix: revert d2c4dd2 (#199)
• d2c4dd2 chore: release v1.12.4 [version bump] [skip ci]
• e9436fa Fix no-op client for empty API key (#193)
• 06421d2 chore: sign release workflow commits (#198)
• 8e96d3d Run Go CI on main pushes (#197)
• 9f60d7a feat(flags): support mixed targeting in local evaluation (#192)
• Additional commits viewable in compare view

Updates github.com/tidwall/gjson from 1.18.0 to 1.19.0

Commits

• 0fac2c9 Add iterator functions All, Keys, and Values
• 4d23028 Add repo url
• 10d2662 Add copyright comment
• 4a91ee1 Update README.md
• See full diff in compare view

Updates golang.org/x/mod from 0.35.0 to 0.36.0

Commits

• 643da9b go.mod: update golang.org/x dependencies
• ccc3cdf zip: include 'but content has correct sum' note in TestVCS
• ab30318 zip: update zip hashes for new flate compression
• See full diff in compare view

Updates golang.org/x/net from 0.53.0 to 0.55.0

Commits

• 7770ec4 go.mod: update golang.org/x dependencies
• 4ece7b6 html: escape greater-than symbol in doctype identifiers
• 08be507 html: improve Noah's Ark clause performance
• a8fb2fe html: properly render fostered elements in foreign content
• 0dc5b7a html: properly check namespace in "in body" any other end tag
• a452f3c html: ignore duplicate attributes during tokenization
• f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
• 210ed3c quic: establish a "happened-before" relationship between stream write and read
• ad8140e quic: fix buffer slicing when handling overlapping stream data
• 23ee2ef http2: avoid API changes when built with go1.27
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions