What's Changed

• tarball: return error instead of panicking on missing rootfs.diff_ids by @iahsanGill in #2304
• gcrane: honor --platform flag in copy by @iahsanGill in #2307
• mutate: verify layer digests in Extract and Time by @momenashrafff in #2303
• tarball: close layer readers during Write by @nandbhat in #2308
• build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #2311
• build(deps): bump github.com/docker/cli from 29.4.3+incompatible to 29.5.2+incompatible in the go-deps group across 1 directory by @dependabot[bot] in #2312
• BUGFIX: Fail with error when read exceeds maximum by @inteon in #2328
• build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #2327
• fix(name): anchor loopback registry detection by @rohan-patnaik in #2314
• Reject symlinks in OCI layout blobs by @mosskappa in #2306
• fix(crane): avoid creating export tar on pull failure by @Haihan-Jiang in #2318
• feat(kubernetes): allow ignoring pull secrets by @rohan-patnaik in #2315
• fix(name): preserve localhost registry references by @rohan-patnaik in #2316
• pkg/registry: export ErrNotFound by @malt3 in #2176
• pkg/registry: export RedirectError by @malt3 in #2177
• build(deps): bump the go-deps group across 1 directory with 2 updates by @dependabot[bot] in #2343
• build(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #2344
• fix: prevent SSRF in google.List() pagination by @tufstraka in #2332
• internal/gzip: fix goroutine leak in ReadCloserLevel by @amarkdotdev in #2347
• fix(transport): apply refreshed bearer token after cross-host redirect by @64johnlee in #2337
• build(deps): bump the go-deps group across 3 directories with 4 updates by @dependabot[bot] in #2348
• fix(tarball): normalize paths when matching files by @bstoll in #2334
• transport: do not re-attach bearer token after cross-host redirect by @evilgensec in #2349
• Bump CI go version to 1.26.4 by @Subserial in #2350

New Contributors

• @momenashrafff made their first contribution in #2303
• @nandbhat made their first contribution in #2308
• @inteon made their first contribution in #2328
• @rohan-patnaik made their first contribution in #2314
• @mosskappa made their first contribution in #2306
• @Haihan-Jiang made their first contribution in #2318
• @tufstraka made their first contribution in #2332
• @amarkdotdev made their first contribution in #2347
• @64johnlee made their first contribution in #2337
• @bstoll made their first contribution in #2334

Full Changelog: v0.21.6...v0.21.7

Contributors

• @malt3
• @bstoll
• @rohan-patnaik
• @Subserial
• @dependabot
• @inteon
• @Haihan-Jiang
• @amarkdotdev
• @tufstraka
• @nandbhat
• @momenashrafff
• @iahsanGill
• @evilgensec
• @mosskappa
• @64johnlee

What's Changed

• fix: update dependencies to use new azure sdk components by @gaganhr94 in #2262
• transport: restore resp.Body in retryError so CheckError can parse it by @alliasgher in #2264
• pkg/registry: return 202 Accepted for PATCH chunk uploads by @alliasgher in #2265
• Follow OCI distribution spec for artifactType and annotations by @malt3 in #2269
• actions: attach Codecov token to coverage tests on main by @Subserial in #2270
• remote: use DeleteScope (with "delete" action) for manifest deletion by @alliasgher in #2266
• remote: limit concurrent layer pulls by @gnix0 in #2271
• pkg/registry: reject corrupt disk blobs by @gnix0 in #2272
• mutate: close layer readers during export by @gnix0 in #2277
• crane/flatten: preserve image media type when flattening by @alliasgher in #2267
• build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 in the actions group across 1 directory by @dependabot[bot] in #2273
• build(deps): bump go.opentelemetry.io/otel from 1.36.0 to 1.41.0 by @dependabot[bot] in #2278
• build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in #2280
• Replace go-homedir with os.UserHomeDir by @jammie-jelly in #2282
• pkg/name: only treat .localhost as non-HTTPS, not .local by @blackwell-systems in #2281
• transport: block unspecified IPs (0.0.0.0, ::) in validateRealmURL by @marwan9696 in #2285
• test(mutate): add Extract round-trip test for filesystem object preservation by @blackwell-systems in #2283
• experiments: remove deprecated support for estargz by @thaJeztah in #2288
• build(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1 in the actions group by @dependabot[bot] in #2289
• fix: limit HTTP response body reads to prevent OOM by @evilgensec in #2296
• build(deps): bump the go-deps group across 3 directories with 6 updates by @dependabot[bot] in #2297
• transport: block redirects from token server to private/link-local addresses (SSRF fix) by @evilgensec in #2292
• pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract by @anishesg in #2279
• validate: skip non-layer layers by @imjasonh in #2298
• remote: validate foreign layer URLs to prevent SSRF (fixes #2259) by @evilgensec in #2293
• remote: block SSRF via private-IP Location headers in blob uploads by @adilburaksen in #2295
• fix(mutate): preserve config blob and layers for non-Docker OCI artifacts by @blackwell-systems in #2286
• fix: preserve per-occurrence layer identity in mutate.Image.Layers() by @iahsanGill in #2299
• transport: retry HTTP 429 (Too Many Requests) by @iahsanGill in #2301
• transport: allow bearer realm at same host:port as registry by @iahsanGill in #2302
• Update go version to 1.26.3 by @Subserial in #2300

New Contributors

• @gaganhr94 made their first contribution in #2262
• @alliasgher made their first contribution in #2264
• @malt3 made their first contribution in #2269
• @gnix0 made their first contribution in #2271
• @blackwell-systems made their first contribution in #2281
• @marwan9696 made their first contribution in #2285
• @anishesg made their first contribution in #2279
• @adilburaksen made their first contribution in #2295
• @iahsanGill made their first contribution in #2299

Full Changelog: v0.21.5...v0.21.6

Contributors

• @imjasonh
• @malt3
• @thaJeztah
• @Subserial
• @dependabot
• @adilburaksen
• @marwan9696
• @gaganhr94
• @alliasgher
• @jammie-jelly
• @iahsanGill
• @anishesg
• @gnix0
• @evilgensec
• @blackwell-systems

What's Changed

• Bump docker/cli v29.4.0, moby/api v1.54.1, moby/client v0.4.0 by @thaJeztah in #2254
• update to Go 1.26.2 by @thaJeztah in #2255
• Bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 in the actions group across 1 directory by @dependabot[bot] in #2257
• build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 in the go-deps group across 1 directory by @dependabot[bot] in #2260

Full Changelog: v0.21.4...v0.21.5

Contributors

• @thaJeztah
• @dependabot

What's Changed

• go.mod: do not make a viral minimum go version by @howardjohn in #2237
• Avoid pruning absolute links from extracted and flattened images by @Subserial in #2241
• Bump the go-deps group across 3 directories with 5 updates by @dependabot[bot] in #2245
• fix: update to go1.25.8, and use separate .go-version file by @thaJeztah in #2246
• Bump CI go version to 1.26.1 by @Subserial in #2242
• Bump codecov/codecov-action from 5.5.2 to 5.5.3 in the actions group by @dependabot[bot] in #2240
• fork distribution client v3 auth-challenge as an internal package (squashed) by @thaJeztah in #2248
• transport: validate Bearer realm URL to prevent SSRF by @evilgensec in #2243
• revert path traversal and symlink escape from #2227 by @Subserial in #2250
• Fix pkg/v1/google/auth tests for arm64 by @Subserial in #2085
• goreleaser: Update goreleaser config and GH action by @Subserial in #2253

New Contributors

• @evilgensec made their first contribution in #2243

Full Changelog: v0.21.3...v0.21.4

Contributors

• @howardjohn
• @thaJeztah
• @Subserial
• @dependabot
• @evilgensec

What's Changed

• Adds local file support to the crane index subcommand by @edwardthiele in #2223
• migrate to github.com/moby/moby modules by @thaJeztah in #2228
• Bump the go-deps group across 4 directories with 7 updates by @dependabot[bot] in #2233
• Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 in the actions group by @dependabot[bot] in #2220
• mutate: reject path traversal and symlink escape in Extract by @KevinZhao in #2227
• tarball: detect symlink cycles in extractFileFromTar by @vnykmshr in #2232
• bump golang to 1.25.7 by @Subserial in #2236

New Contributors

• @edwardthiele made their first contribution in #2223
• @thaJeztah made their first contribution in #2228
• @KevinZhao made their first contribution in #2227
• @vnykmshr made their first contribution in #2232

Full Changelog: v0.21.2...v0.21.3

Contributors

• @vnykmshr
• @KevinZhao
• @thaJeztah
• @edwardthiele
• @Subserial
• @dependabot

What's Changed

• Better handle redirects to https in ping by @jonjohnsonjr in #2225

Full Changelog: v0.21.1...v0.21.2

Contributors

• @jonjohnsonjr

This release fixes a regression in crane introduced in the previous release.

What's Changed

• Add WithFileBufferedOpener for file-backed daemon image buffering by @twdamhore in #2214
• crane: fix case in auth response json by @aelindeman in #2218

New Contributors

• @twdamhore made their first contribution in #2214
• @aelindeman made their first contribution in #2218

Full Changelog: v0.21.0...v0.21.1

Contributors

• @twdamhore
• @aelindeman

This release updates the minimum Go version to 1.25.6.

What's Changed

• fix(mutate): don't skip dir replacements via whiteout in export by @r4f4 in #2191
• Improve performance of v1.NewHash by @bmoylan in #2194
• Bump the actions group across 1 directory with 4 updates by @dependabot[bot] in #2207
• Bump the root-deps group across 1 directory with 7 updates by @dependabot[bot] in #2195
• Fix error messages in crane_test.go by @jammie-jelly in #2189
• Bump go version across packages to 1.25.6 by @Subserial in #2211
• Join go.mod dependency updates by @Subserial in #2212
• Bump the go-deps group across 3 directories with 3 updates by @dependabot[bot] in #2213
• Disable taint gosec lints by @Subserial in #2215
• Update go version used in goreleaser by @Subserial in #2216

New Contributors

• @r4f4 made their first contribution in #2191
• @jammie-jelly made their first contribution in #2189

Full Changelog: v0.20.7...v0.21.0

Contributors

• @r4f4
• @bmoylan
• @Subserial
• @dependabot
• @jammie-jelly

What's Changed

• Fix ArgsEscaped lint directive by @Subserial in #2137
• transport: Fix broken links to distribution docs by @guzalv in #2136
• fix(remote): using customized retry predicate func if provided by @derekhjray in #2135
• Adding docker file by @HassanJasim in #2138
• crane: Add timestamp to flatten layer by @Stephanie0829 in #2117
• feat(remote): pass retryBackoff option to transport by @aslafy-z in #1628
• Expose clobber refusal error by @pjbgf in #2146
• Build artifacts for riscv64 by @ffgan in #2159
• Update dependencies and deprecate DockerVersion field by @Subserial in #2164

New Contributors

• @guzalv made their first contribution in #2136
• @derekhjray made their first contribution in #2135
• @HassanJasim made their first contribution in #2138
• @Stephanie0829 made their first contribution in #2117
• @pjbgf made their first contribution in #2146
• @ffgan made their first contribution in #2159

Full Changelog: v0.20.6...v0.20.7

Contributors

• @pjbgf
• @aslafy-z
• @guzalv
• @Subserial
• @HassanJasim
• @Stephanie0829
• @derekhjray
• @ffgan

What's Changed

• Ensure that tag name is not empty if name contains colon by @SaschaSchwarze0 in #2094
• Bump some deps by @jonjohnsonjr in #2110

New Contributors

• @SaschaSchwarze0 made their first contribution in #2094

Full Changelog: v0.20.4...v0.20.6

Contributors

• @jonjohnsonjr
• @SaschaSchwarze0