chore(deps): lock file maintenance

[renovate]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Overview

Image reference	djaytan/papermc-server:1.21.11	djaytan/papermc-server:test
- digest	6b05448a8b12	0f5f372484a2
- tag	1.21.11	test
- stream	latest
- provenance	3c80e3b
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	137 MB	147 MB (+10 MB)
- packages	169	176 (+7)
Base Image	alpine:3.23.3 also known as: • 3 • 3.23 • latest	alpine:3 also known as: • 3.23 • 3.23.3 • latest
- vulnerabilities

Policies (0 improved, 1 worsened, 3 missing data)

Policy Name	djaytan/papermc-server:1.21.11	djaytan/papermc-server:test	Change	Standing
No unapproved base images	✅	❓ No data
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	⚠️ 11	⚠️ 11		No Change
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	✅	❓ No data
SonarQube quality gates passed	❓ No data	❓ No data
Supply chain attestations	✅	⚠️ 2	+2	Worsened

Packages and Vulnerabilities (29 package changes and 0 vulnerability changes)

• ➕ 17 packages added
• ➖ 12 packages removed
• 154 packages unchanged

Changes for packages of type apk (7 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➕	alpine-base		3.23.3-r0
➕	ca-certificates		20251003-r0
➕	gcc		15.2.0-r2
➕	ncurses		6.5_p20251123-r0
➕	openssl		3.5.5-r0
➕	pax-utils		1.3.8-r2
➕	xz		5.8.2-r0

Changes for packages of type generic (2 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➕	openjdk		21.0.10
➖	openjdk	21.0.10

Changes for packages of type golang (20 changes)

	Package	Version djaytan/papermc-server:1.21.11	Version djaytan/papermc-server:test
➖	cuelabs.dev/go/oci/ociregistry	0.0.0-20250304105642-27e071d2c9b1
➕	cuelabs.dev/go/oci/ociregistry		0.0.0-20250304105642-27e071d2c9b1
➕	github.com/cenkalti/backoff/v5		5.0.3
➖	github.com/cenkalti/backoff/v5	5.0.3
➕	github.com/cespare/xxhash/v2		2.3.0
➖	github.com/cespare/xxhash/v2	2.3.0
➕	github.com/cockroachdb/apd/v3		3.2.1
➖	github.com/cockroachdb/apd/v3	3.2.1
➕	github.com/grpc-ecosystem/grpc-gateway/v2		2.27.7
➖	github.com/grpc-ecosystem/grpc-gateway/v2	2.27.7
➖	github.com/pelletier/go-toml/v2	2.2.4
➕	github.com/pelletier/go-toml/v2		2.2.4
➖	go.opentelemetry.io/contrib/instrumentation/runtime	0.65.0
➕	go.opentelemetry.io/contrib/instrumentation/runtime		0.65.0
➕	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc		1.40.0
➖	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc	1.40.0
➖	go.opentelemetry.io/otel/sdk/metric	1.40.0
➖	google.golang.org/genproto/googleapis/api	0.0.0-20260203192932-546029d2fa20
➖	google.golang.org/genproto/googleapis/rpc	0.0.0-20260203192932-546029d2fa20
➕	google.golang.org/genproto/googleapis/rpc		0.0.0-20260203192932-546029d2fa20

[github-actions]

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test

digest	sha256:0f5f372484a22afed7ef08e101d9f9db9264054f6c83797a46360ad761a3c8a1
vulnerabilities
platform	linux/amd64
size	147 MB
packages	176

📦 Base Image alpine:3

also known as	3.23 3.23.3 latest
digest	sha256:59855d3dceb3ae53991193bd03301e082b2a7faa56a514b03527ae0ec2ce3a95
vulnerabilities

stdlib 1.24.4 (golang) pkg:golang/stdlib@1.24.4 Affected range <1.24.13 Fixed version 1.24.13 EPSS Score 0.016% EPSS Percentile 3rd percentile Description During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.017% EPSS Percentile 4th percentile Description Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.026% EPSS Percentile 7th percentile Description The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.031% EPSS Percentile 9th percentile Description The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.038% EPSS Percentile 12th percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.018% EPSS Percentile 4th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.018% EPSS Percentile 4th percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.016% EPSS Percentile 3rd percentile Description archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.010% EPSS Percentile 1st percentile Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.020% EPSS Percentile 5th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.009% EPSS Percentile 1st percentile Description During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.022% EPSS Percentile 6th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.014% EPSS Percentile 3rd percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.030% EPSS Percentile 9th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.032% EPSS Percentile 9th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.032% EPSS Percentile 9th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

org.apache.commons/commons-compress 1.5 (maven) pkg:maven/org.apache.commons/commons-compress@1.5 Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.592% EPSS Percentile 69th percentile Description When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.062% EPSS Percentile 77th percentile Description When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.402% EPSS Percentile 80th percentile Description When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Excessive Iteration Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.598% EPSS Percentile 69th percentile Description When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.3 <1.26.0 Fixed version 1.26.0 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H EPSS Score 0.018% EPSS Percentile 4th percentile Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

golang.org/x/net 0.39.0 (golang) pkg:golang/golang.org/x/net@0.39.0 Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.018% EPSS Percentile 4th percentile Description The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.019% EPSS Percentile 5th percentile Description The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

busybox 1.37.0-r30 (apk) pkg:apk/alpine/busybox@1.37.0-r30?os_name=alpine&os_version=3.23 Affected range <=1.37.0-r30 Fixed version Not Fixed EPSS Score 0.052% EPSS Percentile 16th percentile Description

commons-lang/commons-lang 2.6 (maven) pkg:maven/commons-lang/commons-lang@2.6 Uncontrolled Recursion Affected range >=2.0 <=2.6 Fixed version Not Fixed CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N EPSS Score 0.022% EPSS Percentile 5th percentile Description Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

zlib 1.3.1-r2 (apk) pkg:apk/alpine/zlib@1.3.1-r2?os_name=alpine&os_version=3.23 Affected range <=1.3.1-r2 Fixed version Not Fixed EPSS Score 0.006% EPSS Percentile 0th percentile Description