Ignore reading-only judgment

Add OCI/Image Volume Source support
Signed-off-by: Shiming Zhang <wzshiming@hotmail.com>
2025-05-08 21:17:13 +02:00 · 2025-05-08 21:17:13 +02:00 · 2025-03-20 21:34:00 +00:00 · 2025-03-20 21:34:00 +00:00 · 2025-03-20 21:34:00 +00:00 · 2025-03-20 21:33:59 +00:00
109 changed files with 1164 additions and 1639 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -12,7 +12,7 @@
 	"features": {
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
 		"ghcr.io/devcontainers/features/go:1": {
-			"version": "1.23.8"
+			"version": "1.23.7"
 		}
 	},

--- a/.github/actions/install-go/action.yml
+++ b/.github/actions/install-go/action.yml
@@ -3,7 +3,7 @@ description: "Reusable action to install Go, so there is one place to bump Go ve
 inputs:
  go-version:
    required: true
-    default: "1.23.8"
+    default: "1.23.7"
    description: "Go version to install"

 runs:
--- a/.github/workflows/api-release.yml
+++ b/.github/workflows/api-release.yml
@@ -6,7 +6,7 @@ on:
 name: API Release

 env:
-  GO_VERSION: "1.23.8"
+  GO_VERSION: "1.23.7"

 permissions: # added using https://github.com/step-security/secure-workflows
  contents: read
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -189,7 +189,7 @@ jobs:
    strategy:
      matrix:
        os: [ubuntu-22.04, ubuntu-24.04, ubuntu-24.04-arm, macos-13, windows-2019, windows-2022]
-        go-version: ["1.24.2", "1.23.8"]
+        go-version: ["1.24.1", "1.23.7"]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: ./.github/actions/install-go
@@ -405,9 +405,7 @@ jobs:
          script/setup/install-critools
          script/setup/install-failpoint-binaries

-      # Disable criu testing on arm64 until we can solve the consistent failures of restore testing
-      - if: matrix.os != 'ubuntu-24.04-arm'
-        name: Install criu
+      - name: Install criu
        run: |
          sudo add-apt-repository -y ppa:criu/ppa
          sudo apt-get update
@@ -488,12 +486,8 @@ jobs:
          TEST_RUNTIME: ${{ matrix.runtime }}
          CGROUP_DRIVER: ${{ matrix.cgroup_driver }}
        run: |
-          # skipping the ipv6 test till https://github.com/actions/runner-images/issues/11985 is fixed
-          if [[ ${{matrix.os}} == "ubuntu-22.04" ]]; then
-            skip_test="runtime should support port mapping with host port and container port"
-          fi
          env
-          sudo -E PATH=$PATH SKIP_TEST="$skip_test" ./script/critest.sh "${{github.workspace}}/report"
+          sudo -E PATH=$PATH ./script/critest.sh "${{github.workspace}}/report"

      # Log the status of this VM to investigate issues like
      # https://github.com/containerd/containerd/issues/4969
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ on:
 name: Release

 env:
-  GO_VERSION: "1.23.8"
+  GO_VERSION: "1.23.7"

 permissions: # added using https://github.com/step-security/secure-workflows
  contents: read
@@ -64,7 +64,7 @@ jobs:

  build:
    name: Build Release Binaries
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-20.04
    timeout-minutes: 30
    strategy:
      matrix:
--- a/2
+++ b/2
@@ -107,7 +107,7 @@ EOF
  config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-golang"
    sh.env = {
-        'GO_VERSION': ENV['GO_VERSION'] || "1.23.8",
+        'GO_VERSION': ENV['GO_VERSION'] || "1.23.7",
    }
    sh.inline = <<~SHELL
        #!/usr/bin/env bash
--- a/api/go.mod
+++ b/api/go.mod
@@ -1,6 +1,6 @@
 module github.com/containerd/containerd/api

-go 1.23.0
+go 1.21

 require (
 	github.com/containerd/ttrpc v1.2.5
@@ -17,7 +17,7 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	golang.org/x/net v0.37.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 )
--- a/api/go.sum
+++ b/api/go.sum
@@ -42,8 +42,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -51,12 +51,12 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
--- a/client/container.go
+++ b/client/container.go
@@ -280,7 +280,6 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N
 	}
 	info := TaskInfo{
 		runtime: r.Runtime.Name,
-		runtimeOptions: r.Runtime.Options,
 	}
 	for _, o := range opts {
 		if err := o(ctx, c.client, &info); err != nil {
--- a/client/task.go
+++ b/client/task.go
@@ -146,11 +146,6 @@ type TaskInfo struct {

 	// runtime is the runtime name for the container, and cannot be changed.
 	runtime string
-
-	// runtimeOptions is the runtime options for the container, and when task options are set,
-	// they will be based on the runtimeOptions.
-	// https://github.com/containerd/containerd/issues/11568
-	runtimeOptions typeurl.Any
 }

 // Runtime name for the container
@@ -158,29 +153,6 @@ func (i *TaskInfo) Runtime() string {
 	return i.runtime
 }

-// getRuncOptions returns a reference to the runtime options for use by the task.
-// If the set of options is not set by the opts passed into the NewTask creation
-// this function first attempts to initialize the runtime options with a copy of the runtimeOptions,
-// otherwise an empty set of options is assigned and returned
-func (i *TaskInfo) getRuncOptions() (*options.Options, error) {
-	if i.Options != nil {
-		opts, ok := i.Options.(*options.Options)
-		if !ok {
-			return nil, errors.New("invalid runtime v2 options format")
-		}
-		return opts, nil
-	}
-
-	opts := &options.Options{}
-	if i.runtimeOptions != nil && i.runtimeOptions.GetValue() != nil {
-		if err := typeurl.UnmarshalTo(i.runtimeOptions, opts); err != nil {
-			return nil, fmt.Errorf("failed to get runtime v2 options: %w", err)
-		}
-	}
-	i.Options = opts
-	return opts, nil
-}
-
 // Task is the executable object within containerd
 type Task interface {
 	Process
--- a/client/task_opts.go
+++ b/client/task_opts.go
@@ -54,9 +54,12 @@ func WithRuntimePath(absRuntimePath string) NewTaskOpts {
 // usually it is served inside a sandbox, and we can get it from sandbox status.
 func WithTaskAPIEndpoint(address string, version uint32) NewTaskOpts {
 	return func(ctx context.Context, client *Client, info *TaskInfo) error {
-		opts, err := info.getRuncOptions()
-		if err != nil {
-			return err
+		if info.Options == nil {
+			info.Options = &options.Options{}
+		}
+		opts, ok := info.Options.(*options.Options)
+		if !ok {
+			return errors.New("invalid runtime v2 options format")
 		}
 		opts.TaskApiAddress = address
 		opts.TaskApiVersion = version
@@ -116,9 +119,12 @@ func WithCheckpointImagePath(path string) CheckpointTaskOpts {
 // WithRestoreImagePath sets image path for create option
 func WithRestoreImagePath(path string) NewTaskOpts {
 	return func(ctx context.Context, c *Client, ti *TaskInfo) error {
-		opts, err := ti.getRuncOptions()
-		if err != nil {
-			return err
+		if ti.Options == nil {
+			ti.Options = &options.Options{}
+		}
+		opts, ok := ti.Options.(*options.Options)
+		if !ok {
+			return errors.New("invalid runtime v2 options format")
 		}
 		opts.CriuImagePath = path
 		return nil
@@ -128,9 +134,12 @@ func WithRestoreImagePath(path string) NewTaskOpts {
 // WithRestoreWorkPath sets criu work path for create option
 func WithRestoreWorkPath(path string) NewTaskOpts {
 	return func(ctx context.Context, c *Client, ti *TaskInfo) error {
-		opts, err := ti.getRuncOptions()
-		if err != nil {
-			return err
+		if ti.Options == nil {
+			ti.Options = &options.Options{}
+		}
+		opts, ok := ti.Options.(*options.Options)
+		if !ok {
+			return errors.New("invalid runtime v2 options format")
 		}
 		opts.CriuWorkPath = path
 		return nil
--- a/client/task_opts_unix.go
+++ b/client/task_opts_unix.go
@@ -20,14 +20,20 @@ package client

 import (
 	"context"
+	"errors"
+
+	"github.com/containerd/containerd/api/types/runc/options"
 )

 // WithNoNewKeyring causes tasks not to be created with a new keyring for secret storage.
 // There is an upper limit on the number of keyrings in a linux system
 func WithNoNewKeyring(ctx context.Context, c *Client, ti *TaskInfo) error {
-	opts, err := ti.getRuncOptions()
-	if err != nil {
-		return err
+	if ti.Options == nil {
+		ti.Options = &options.Options{}
+	}
+	opts, ok := ti.Options.(*options.Options)
+	if !ok {
+		return errors.New("invalid v2 shim create options format")
 	}
 	opts.NoNewKeyring = true
 	return nil
@@ -35,9 +41,12 @@ func WithNoNewKeyring(ctx context.Context, c *Client, ti *TaskInfo) error {

 // WithNoPivotRoot instructs the runtime not to you pivot_root
 func WithNoPivotRoot(_ context.Context, _ *Client, ti *TaskInfo) error {
-	opts, err := ti.getRuncOptions()
-	if err != nil {
-		return err
+	if ti.Options == nil {
+		ti.Options = &options.Options{}
+	}
+	opts, ok := ti.Options.(*options.Options)
+	if !ok {
+		return errors.New("invalid v2 shim create options format")
 	}
 	opts.NoPivotRoot = true
 	return nil
@@ -46,9 +55,12 @@ func WithNoPivotRoot(_ context.Context, _ *Client, ti *TaskInfo) error {
 // WithShimCgroup sets the existing cgroup for the shim
 func WithShimCgroup(path string) NewTaskOpts {
 	return func(ctx context.Context, c *Client, ti *TaskInfo) error {
-		opts, err := ti.getRuncOptions()
-		if err != nil {
-			return err
+		if ti.Options == nil {
+			ti.Options = &options.Options{}
+		}
+		opts, ok := ti.Options.(*options.Options)
+		if !ok {
+			return errors.New("invalid v2 shim create options format")
 		}
 		opts.ShimCgroup = path
 		return nil
@@ -58,9 +70,12 @@ func WithShimCgroup(path string) NewTaskOpts {
 // WithUIDOwner allows console I/O to work with the remapped UID in user namespace
 func WithUIDOwner(uid uint32) NewTaskOpts {
 	return func(ctx context.Context, c *Client, ti *TaskInfo) error {
-		opts, err := ti.getRuncOptions()
-		if err != nil {
-			return err
+		if ti.Options == nil {
+			ti.Options = &options.Options{}
+		}
+		opts, ok := ti.Options.(*options.Options)
+		if !ok {
+			return errors.New("invalid v2 shim create options format")
 		}
 		opts.IoUid = uid
 		return nil
@@ -70,9 +85,12 @@ func WithUIDOwner(uid uint32) NewTaskOpts {
 // WithGIDOwner allows console I/O to work with the remapped GID in user namespace
 func WithGIDOwner(gid uint32) NewTaskOpts {
 	return func(ctx context.Context, c *Client, ti *TaskInfo) error {
-		opts, err := ti.getRuncOptions()
-		if err != nil {
-			return err
+		if ti.Options == nil {
+			ti.Options = &options.Options{}
+		}
+		opts, ok := ti.Options.(*options.Options)
+		if !ok {
+			return errors.New("invalid v2 shim create options format")
 		}
 		opts.IoGid = gid
 		return nil
--- a/contrib/Dockerfile.test
+++ b/contrib/Dockerfile.test
@@ -34,7 +34,7 @@
 #   docker run --privileged --group-add keep-groups -v ./critest_exit_code.txt:/tmp/critest_exit_code.txt containerd-test
 # ------------------------------------------------------------------------------

-ARG GOLANG_VERSION=1.23.8
+ARG GOLANG_VERSION=1.23.7
 ARG GOLANG_IMAGE=golang

 FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang
--- a/contrib/fuzz/oss_fuzz_build.sh
+++ b/contrib/fuzz/oss_fuzz_build.sh
@@ -43,11 +43,11 @@ go run main.go --target_dir $SRC/containerd/images

 apt-get update && apt-get install -y wget
 cd $SRC
-wget --quiet https://go.dev/dl/go1.23.8.linux-amd64.tar.gz
+wget --quiet https://go.dev/dl/go1.23.7.linux-amd64.tar.gz

 mkdir temp-go
 rm -rf /root/.go/*
-tar -C temp-go/ -xzf go1.23.8.linux-amd64.tar.gz
+tar -C temp-go/ -xzf go1.23.7.linux-amd64.tar.gz
 mv temp-go/go/* /root/.go/
 cd $SRC/containerd

--- a/core/remotes/docker/pusher.go
+++ b/core/remotes/docker/pusher.go
@@ -479,15 +479,13 @@ func (pw *pushWriter) Digest() digest.Digest {

 func (pw *pushWriter) Commit(ctx context.Context, size int64, expected digest.Digest, opts ...content.Opt) error {
 	// Check whether read has already thrown an error
-	if pw.pipe != nil {
 	if _, err := pw.pipe.Write([]byte{}); err != nil && !errors.Is(err, io.ErrClosedPipe) {
 		return fmt.Errorf("pipe error before commit: %w", err)
 	}
+
 	if err := pw.pipe.Close(); err != nil {
 		return err
 	}
-	}
-
 	// TODO: timeout waiting for response
 	var resp *http.Response
 	select {
--- a/core/runtime/v2/shim.go
+++ b/core/runtime/v2/shim.go
@@ -91,9 +91,9 @@ func loadShim(ctx context.Context, bundle *Bundle, onClose func()) (_ ShimInstan
 		// To prevent flood of error messages, the expected error
 		// should be reset, like os.ErrClosed or os.ErrNotExist, which
 		// depends on platform.
-		err = checkCopyShimLogError(shimCtx, err)
+		err = checkCopyShimLogError(ctx, err)
 		if err != nil {
-			log.G(shimCtx).WithError(err).Error("copy shim log after reload")
+			log.G(ctx).WithError(err).Error("copy shim log after reload")
 		}
 	}()
 	onCloseWithShimLog := func() {
--- a/core/runtime/v2/task_manager.go
+++ b/core/runtime/v2/task_manager.go
@@ -266,12 +266,12 @@ func (m *TaskManager) validateRuntimeFeatures(ctx context.Context, opts runtime.
 		return nil
 	}

-	topts := opts.TaskOptions
-	if topts == nil || topts.GetValue() == nil {
-		topts = opts.RuntimeOptions
+	ropts := opts.RuntimeOptions
+	if ropts == nil || ropts.GetValue() == nil {
+		ropts = opts.TaskOptions
 	}

-	pInfo, err := m.PluginInfo(ctx, &apitypes.RuntimeRequest{RuntimePath: opts.Runtime, Options: typeurl.MarshalProto(topts)})
+	pInfo, err := m.PluginInfo(ctx, &apitypes.RuntimeRequest{RuntimePath: opts.Runtime, Options: typeurl.MarshalProto(ropts)})
 	if err != nil {
 		return fmt.Errorf("runtime info: %w", err)
 	}
--- a/defaults/defaults_snapshotter_linux.go
+++ b/defaults/defaults_snapshotter_linux.go
@@ -21,6 +21,4 @@ const (
 	// This will be based on the client compilation target, so take that into
 	// account when choosing this value.
 	DefaultSnapshotter = "overlayfs"
-	// DefaultDiffer will set the default differ for the platform.
-	DefaultDiffer = "walking"
 )
--- a/defaults/defaults_snapshotter_unix.go
+++ b/defaults/defaults_snapshotter_unix.go
@@ -23,6 +23,4 @@ const (
 	// This will be based on the client compilation target, so take that into
 	// account when choosing this value.
 	DefaultSnapshotter = "native"
-	// DefaultDiffer will set the default differ for the platform.
-	DefaultDiffer = "walking"
 )
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/containerd/containerd/v2

-go 1.23.0
+go 1.22.0

 require (
 	dario.cat/mergo v1.0.1
@@ -74,8 +74,8 @@ require (
 	go.opentelemetry.io/otel/sdk v1.31.0
 	go.opentelemetry.io/otel/trace v1.31.0
 	golang.org/x/mod v0.21.0
-	golang.org/x/sync v0.12.0
-	golang.org/x/sys v0.31.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/sys v0.28.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38
 	google.golang.org/grpc v1.68.1
 	google.golang.org/protobuf v1.35.2
@@ -86,7 +86,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubelet v0.31.2
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
-	tags.cncf.io/container-device-interface v1.0.0
+	tags.cncf.io/container-device-interface v0.8.1
 )

 require (
@@ -102,7 +102,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
@@ -152,12 +152,12 @@ require (
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.31.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
-	golang.org/x/net v0.37.0 // indirect
-	golang.org/x/oauth2 v0.28.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -169,7 +169,7 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
-	tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect
+	tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
 )

 exclude (
--- a/go.sum
+++ b/go.sum
@@ -119,8 +119,8 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
@@ -407,8 +407,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
@@ -442,11 +442,11 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -458,9 +458,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -483,9 +482,8 @@ golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -494,9 +492,8 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -505,9 +502,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -598,7 +594,7 @@ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+s
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
-tags.cncf.io/container-device-interface v1.0.0 h1:fbwPQiWZNpXUb9Os6t6JW52rsOppTFUbeJOpNtN1TmI=
-tags.cncf.io/container-device-interface v1.0.0/go.mod h1:mmi2aRGmOjK/6NR3TXjLpEIarOJ9qwgZjQ3nTIRwAaA=
-tags.cncf.io/container-device-interface/specs-go v1.0.0 h1:8gLw29hH1ZQP9K1YtAzpvkHCjjyIxHZYzBAvlQ+0vD8=
-tags.cncf.io/container-device-interface/specs-go v1.0.0/go.mod h1:u86hoFWqnh3hWz3esofRFKbI261bUlvUfLKGrDhJkgQ=
+tags.cncf.io/container-device-interface v0.8.1 h1:c0jN4Mt6781jD67NdPajmZlD1qrqQyov/Xfoab37lj0=
+tags.cncf.io/container-device-interface v0.8.1/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
+tags.cncf.io/container-device-interface/specs-go v0.8.0 h1:QYGFzGxvYK/ZLMrjhvY0RjpUavIn4KcmRmVP/JjdBTA=
+tags.cncf.io/container-device-interface/specs-go v0.8.0/go.mod h1:BhJIkjjPh4qpys+qm4DAYtUyryaTDg9zris+AczXyws=
--- a/integration/client/client_unix_test.go
+++ b/integration/client/client_unix_test.go
@@ -19,26 +19,12 @@
 package client

 import (
-	"context"
-	"strings"
-	"sync"
 	"testing"

-	"github.com/containerd/containerd/api/services/tasks/v1"
-	"github.com/containerd/containerd/api/types/runc/options"
 	. "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/containerd/v2/integration/images"
 	"github.com/containerd/containerd/v2/pkg/deprecation"
-	"github.com/containerd/containerd/v2/pkg/oci"
-	"github.com/containerd/containerd/v2/pkg/protobuf"
-	"github.com/containerd/containerd/v2/plugins"
-	"github.com/containerd/errdefs"
-	"github.com/containerd/errdefs/pkg/errgrpc"
 	"github.com/containerd/platforms"
-	"github.com/containerd/typeurl/v2"
-	"github.com/google/go-cmp/cmp"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
 )

 var (
@@ -77,118 +63,3 @@ func TestImagePullSchema1WithEmptyLayers(t *testing.T) {
 		t.Fatal(err)
 	}
 }
-
-func TestNewTaskWithRuntimeOption(t *testing.T) {
-	t.Parallel()
-
-	fakeTasks := &fakeTaskService{
-		TasksClient:    tasks.NewTasksClient(nil),
-		createRequests: map[string]*tasks.CreateTaskRequest{},
-	}
-
-	cli, err := newClient(t, address,
-		WithServices(WithTaskClient(fakeTasks)),
-	)
-	require.NoError(t, err)
-	defer cli.Close()
-
-	var (
-		image       Image
-		ctx, cancel = testContext(t)
-	)
-	defer cancel()
-
-	image, err = cli.GetImage(ctx, testImage)
-	require.NoError(t, err)
-
-	for _, tc := range []struct {
-		name            string
-		runtimeOption   *options.Options
-		taskOpts        []NewTaskOpts
-		expectedOptions *options.Options
-	}{
-		{
-			name: "should be empty options",
-			runtimeOption: &options.Options{
-				BinaryName: "no-runc",
-			},
-			expectedOptions: nil,
-		},
-		{
-			name: "should overwrite IOUid/ShimCgroup",
-			runtimeOption: &options.Options{
-				BinaryName:    "no-runc",
-				ShimCgroup:    "/abc",
-				IoUid:         1000,
-				SystemdCgroup: true,
-			},
-			taskOpts: []NewTaskOpts{
-				WithUIDOwner(2000),
-				WithGIDOwner(3000),
-				WithShimCgroup("/def"),
-			},
-			expectedOptions: &options.Options{
-				BinaryName:    "no-runc",
-				ShimCgroup:    "/def",
-				IoUid:         2000,
-				IoGid:         3000,
-				SystemdCgroup: true,
-			},
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			id := strings.Replace(t.Name(), "/", "_", -1)
-
-			container, err := cli.NewContainer(
-				ctx,
-				id,
-				WithNewSnapshotView(id, image),
-				WithNewSpec(oci.WithImageConfig(image), withExitStatus(7)),
-				WithRuntime(plugins.RuntimeRuncV2, tc.runtimeOption),
-			)
-			require.NoError(t, err)
-			defer container.Delete(ctx, WithSnapshotCleanup)
-
-			_, err = container.NewTask(ctx, empty(), tc.taskOpts...)
-			require.NoError(t, err)
-
-			fakeTasks.Lock()
-			req := fakeTasks.createRequests[id]
-			fakeTasks.Unlock()
-
-			if tc.expectedOptions == nil {
-				require.Nil(t, req.Options)
-				return
-			}
-
-			gotOptions := &options.Options{}
-			require.NoError(t, typeurl.UnmarshalTo(req.Options, gotOptions))
-			require.True(t, cmp.Equal(tc.expectedOptions, gotOptions, protobuf.Compare))
-		})
-	}
-}
-
-type fakeTaskService struct {
-	sync.Mutex
-	createRequests map[string]*tasks.CreateTaskRequest
-	tasks.TasksClient
-}
-
-func (ts *fakeTaskService) Create(ctx context.Context, in *tasks.CreateTaskRequest, opts ...grpc.CallOption) (*tasks.CreateTaskResponse, error) {
-	ts.Lock()
-	defer ts.Unlock()
-
-	ts.createRequests[in.ContainerID] = in
-	return &tasks.CreateTaskResponse{
-		ContainerID: in.ContainerID,
-		Pid:         1,
-	}, nil
-}
-
-func (ts *fakeTaskService) Get(ctx context.Context, in *tasks.GetRequest, opts ...grpc.CallOption) (*tasks.GetResponse, error) {
-	return nil, errgrpc.ToGRPC(errdefs.ErrNotFound)
-}
-
-func (ts *fakeTaskService) Delete(ctx context.Context, in *tasks.DeleteTaskRequest, opts ...grpc.CallOption) (*tasks.DeleteResponse, error) {
-	return nil, errgrpc.ToGRPC(errdefs.ErrNotFound)
-}
--- a/integration/client/container_linux_test.go
+++ b/integration/client/container_linux_test.go
@@ -1090,19 +1090,6 @@ func TestContainerRuntimeOptionsv2(t *testing.T) {
 	if !strings.Contains(err.Error(), `"no-runc"`) {
 		t.Errorf("task creation should have failed because of lack of executable. Instead failed with: %v", err.Error())
 	}
-
-	// It doesn't matter what the NewTaskOpts function is. We are using an existing function in the client package,
-	// which will cause the TaskOptions in the new task request to be non-empty.
-	// https://github.com/containerd/containerd/issues/11568
-	task, err = container.NewTask(ctx, empty(), WithNoNewKeyring)
-	if err == nil {
-		t.Errorf("task creation should have failed")
-		task.Delete(ctx)
-		return
-	}
-	if !strings.Contains(err.Error(), `"no-runc"`) {
-		t.Errorf("task creation should have failed because of lack of executable. Instead failed with: %v", err.Error())
-	}
 }

 func TestContainerKillInitPidHost(t *testing.T) {
--- a/internal/cri/server/podsandbox/events.go
+++ b/internal/cri/server/podsandbox/events.go
@@ -43,7 +43,7 @@ type podSandboxEventHandler struct {
 func (p *podSandboxEventHandler) HandleEvent(any interface{}) error {
 	switch e := any.(type) {
 	case *eventtypes.TaskExit:
-		log.L.Debugf("TaskExit event in podsandbox handler %+v", e)
+		log.L.Infof("TaskExit event in podsandbox handler %+v", e)
 		// Use ID instead of ContainerID to rule out TaskExit event for exec.
 		sb := p.controller.store.Get(e.ID)
 		if sb == nil {
--- a/pkg/oci/spec_opts_linux_test.go
+++ b/pkg/oci/spec_opts_linux_test.go
@@ -105,6 +105,7 @@ guest:x:100:guest
 		},
 	}
 	for _, testCase := range testCases {
+		testCase := testCase
 		t.Run(testCase.user, func(t *testing.T) {
 			t.Parallel()
 			s := Spec{
--- a/plugins/cri/images/plugin.go
+++ b/plugins/cri/images/plugin.go
@@ -73,12 +73,13 @@ func init() {

 			options := &images.CRIImageServiceOptions{
 				Content:          mdb.ContentStore(),
+				Images:           metadata.NewImageStore(mdb),
 				RuntimePlatforms: map[string]images.ImagePlatform{},
 				Snapshotters:     map[string]snapshots.Snapshotter{},
 				ImageFSPaths:     map[string]string{},
 			}

-			ctrdCli, err := containerd.New(
+			options.Client, err = containerd.New(
 				"",
 				containerd.WithDefaultNamespace(constants.K8sContainerdNamespace),
 				containerd.WithDefaultPlatform(platforms.Default()),
@@ -87,8 +88,6 @@ func init() {
 			if err != nil {
 				return nil, fmt.Errorf("unable to init client for cri image service: %w", err)
 			}
-			options.Images = ctrdCli.ImageService()
-			options.Client = ctrdCli

 			allSnapshotters := mdb.Snapshotters()
 			defaultSnapshotter := config.Snapshotter
--- a/plugins/transfer/plugin_defaults_other.go
+++ b/plugins/transfer/plugin_defaults_other.go
@@ -28,7 +28,6 @@ func defaultUnpackConfig() []unpackConfiguration {
 		{
 			Platform:    platforms.Format(platforms.DefaultSpec()),
 			Snapshotter: defaults.DefaultSnapshotter,
-			Differ:      defaults.DefaultDiffer,
 		},
 	}
 }
--- a/releases/v2.0.5.toml
+++ b/releases/v2.0.5.toml
@@ -1,27 +0,0 @@
-# commit to be tagged for new release
-commit = "HEAD"
-
-project_name = "containerd"
-github_repo = "containerd/containerd"
-match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$"
-ignore_deps = [ "github.com/containerd/containerd" ]
-
-# previous release
-previous = "v2.0.4"
-
-pre_release = false
-
-preface = """\
-The fifth patch release for containerd 2.0 includes various bug fixes and updates.
-"""
-
-postface = """\
-### Which file should I download?
-* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
-* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.
-
-In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
-and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
-
-See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
-"""
--- a/script/critest.sh
+++ b/script/critest.sh
@@ -70,11 +70,6 @@ if [ ! -z "$CGROUP_DRIVER" ] && [ "$CGROUP_DRIVER" = "systemd" ];then
 EOF
 fi

-GINKGO_SKIP_TEST=()
-if [ ! -z "$SKIP_TEST" ]; then
-  GINKGO_SKIP_TEST+=("--ginkgo.skip" "$SKIP_TEST")
-fi
-
 ls /etc/cni/net.d

 /usr/local/bin/containerd \
@@ -90,4 +85,4 @@ do
    crictl --runtime-endpoint ${BDIR}/c.sock info && break || sleep 1
 done

-critest --report-dir "$report_dir" --runtime-endpoint=unix:///${BDIR}/c.sock --parallel=8 "${GINKGO_SKIP_TEST[@]}" "${EXTRA_CRITEST_OPTIONS:-""}"
+critest --report-dir "$report_dir" --runtime-endpoint=unix:///${BDIR}/c.sock --parallel=8 "${EXTRA_CRITEST_OPTIONS:-""}"
--- a/script/setup/prepare_env_windows.ps1
+++ b/script/setup/prepare_env_windows.ps1
@@ -5,7 +5,7 @@
 # lived test environment.
 Set-MpPreference -DisableRealtimeMonitoring:$true

-$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.23.8"; make = ""; nssm = "" }
+$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.23.7"; make = ""; nssm = "" }

 Write-Host "Downloading chocolatey package"
 curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'
--- a/script/setup/runc-version
+++ b/script/setup/runc-version
@@ -1 +1 @@
-v1.2.6
+v1.2.5
--- a/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
+++ b/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
@@ -7,3 +7,9 @@ When submitting code, please make every effort to follow existing conventions
 and style in order to keep the code as readable as possible. Please also make
 sure all tests pass by running `go test`, and format your code with `go fmt`.
 We also recommend using `golint` and `errcheck`.
+
+Before your code can be accepted into the project you must also sign the
+Individual Contributor License Agreement.  We use [cla-assistant.io][1] and you
+will be prompted to sign once a pull request is opened.
+
+[1]: https://cla-assistant.io/
--- a/vendor/github.com/go-jose/go-jose/v4/README.md
+++ b/vendor/github.com/go-jose/go-jose/v4/README.md
@@ -9,6 +9,14 @@ Package jose aims to provide an implementation of the Javascript Object Signing
 and Encryption set of standards. This includes support for JSON Web Encryption,
 JSON Web Signature, and JSON Web Token standards.

+**Disclaimer**: This library contains encryption software that is subject to
+the U.S. Export Administration Regulations. You may not export, re-export,
+transfer or download this code or any part of it in violation of any United
+States law, directive or regulation. In particular this software may not be
+exported or re-exported in any form or on any media to Iran, North Sudan,
+Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any
+US maintained blocked list.
+
 ## Overview

 The implementation follows the
@@ -101,6 +109,6 @@ allows attaching a key id.

 Examples can be found in the Godoc
 reference for this package. The
-[`jose-util`](https://github.com/go-jose/go-jose/tree/main/jose-util)
+[`jose-util`](https://github.com/go-jose/go-jose/tree/v4/jose-util)
 subdirectory also contains a small command-line utility which might be useful
 as an example as well.
--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
@@ -288,11 +288,10 @@ func ParseEncryptedCompact(
 	keyAlgorithms []KeyAlgorithm,
 	contentEncryption []ContentEncryption,
 ) (*JSONWebEncryption, error) {
-	// Five parts is four separators
-	if strings.Count(input, ".") != 4 {
+	parts := strings.Split(input, ".")
+	if len(parts) != 5 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
 	}
-	parts := strings.SplitN(input, ".", 5)

 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
 	if err != nil {
--- a/vendor/github.com/go-jose/go-jose/v4/jwk.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwk.go
@@ -239,10 +239,10 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
 				keyPub = key
 			}
 		} else {
-			return fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
+			err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
 		}
 	default:
-		return fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
+		err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
 	}

 	if err != nil {
--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
@@ -327,11 +327,10 @@ func parseSignedCompact(
 	payload []byte,
 	signatureAlgorithms []SignatureAlgorithm,
 ) (*JSONWebSignature, error) {
-	// Three parts is two separators
-	if strings.Count(input, ".") != 2 {
+	parts := strings.Split(input, ".")
+	if len(parts) != 3 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
 	}
-	parts := strings.SplitN(input, ".", 3)

 	if parts[1] != "" && payload != nil {
 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
--- a/vendor/golang.org/x/net/http2/config.go
+++ b/vendor/golang.org/x/net/http2/config.go
@@ -60,7 +60,7 @@ func configFromServer(h1 *http.Server, h2 *Server) http2Config {
 	return conf
 }

-// configFromTransport merges configuration settings from h2 and h2.t1.HTTP2
+// configFromServer merges configuration settings from h2 and h2.t1.HTTP2
 // (the net/http Transport).
 func configFromTransport(h2 *Transport) http2Config {
 	conf := http2Config{
--- a/vendor/golang.org/x/net/http2/config_go124.go
+++ b/vendor/golang.org/x/net/http2/config_go124.go
@@ -13,7 +13,7 @@ func fillNetHTTPServerConfig(conf *http2Config, srv *http.Server) {
 	fillNetHTTPConfig(conf, srv.HTTP2)
 }

-// fillNetHTTPTransportConfig sets fields in conf from tr.HTTP2.
+// fillNetHTTPServerConfig sets fields in conf from tr.HTTP2.
 func fillNetHTTPTransportConfig(conf *http2Config, tr *http.Transport) {
 	fillNetHTTPConfig(conf, tr.HTTP2)
 }
--- a/vendor/golang.org/x/net/internal/httpcommon/headermap.go
+++ b/vendor/golang.org/x/net/internal/httpcommon/headermap.go
@@ -1,11 +1,11 @@
-// Copyright 2025 The Go Authors. All rights reserved.
+// Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package httpcommon
+package http2

 import (
-	"net/textproto"
+	"net/http"
 	"sync"
 )

@@ -82,15 +82,13 @@ func buildCommonHeaderMaps() {
 	commonLowerHeader = make(map[string]string, len(common))
 	commonCanonHeader = make(map[string]string, len(common))
 	for _, v := range common {
-		chk := textproto.CanonicalMIMEHeaderKey(v)
+		chk := http.CanonicalHeaderKey(v)
 		commonLowerHeader[chk] = v
 		commonCanonHeader[v] = chk
 	}
 }

-// LowerHeader returns the lowercase form of a header name,
-// used on the wire for HTTP/2 and HTTP/3 requests.
-func LowerHeader(v string) (lower string, ascii bool) {
+func lowerHeader(v string) (lower string, ascii bool) {
 	buildCommonHeaderMapsOnce()
 	if s, ok := commonLowerHeader[v]; ok {
 		return s, true
@@ -98,18 +96,10 @@ func LowerHeader(v string) (lower string, ascii bool) {
 	return asciiToLower(v)
 }

-// CanonicalHeader canonicalizes a header name. (For example, "host" becomes "Host".)
-func CanonicalHeader(v string) string {
+func canonicalHeader(v string) string {
 	buildCommonHeaderMapsOnce()
 	if s, ok := commonCanonHeader[v]; ok {
 		return s
 	}
-	return textproto.CanonicalMIMEHeaderKey(v)
-}
-
-// CachedCanonicalHeader returns the canonical form of a well-known header name.
-func CachedCanonicalHeader(v string) (string, bool) {
-	buildCommonHeaderMapsOnce()
-	s, ok := commonCanonHeader[v]
-	return s, ok
+	return http.CanonicalHeaderKey(v)
 }
--- a/vendor/golang.org/x/net/http2/http2.go
+++ b/vendor/golang.org/x/net/http2/http2.go
@@ -38,15 +38,7 @@ var (
 	logFrameWrites                 bool
 	logFrameReads                  bool
 	inTests                        bool
-
-	// Enabling extended CONNECT by causes browsers to attempt to use
-	// WebSockets-over-HTTP/2. This results in problems when the server's websocket
-	// package doesn't support extended CONNECT.
-	//
-	// Disable extended CONNECT by default for now.
-	//
-	// Issue #71128.
-	disableExtendedConnectProtocol = true
+	disableExtendedConnectProtocol bool
 )

 func init() {
@@ -59,8 +51,8 @@ func init() {
 		logFrameWrites = true
 		logFrameReads = true
 	}
-	if strings.Contains(e, "http2xconnect=1") {
-		disableExtendedConnectProtocol = false
+	if strings.Contains(e, "http2xconnect=0") {
+		disableExtendedConnectProtocol = true
 	}
 }

@@ -415,6 +407,23 @@ func (s *sorter) SortStrings(ss []string) {
 	s.v = save
 }

+// validPseudoPath reports whether v is a valid :path pseudo-header
+// value. It must be either:
+//
+//   - a non-empty string starting with '/'
+//   - the string '*', for OPTIONS requests.
+//
+// For now this is only used a quick check for deciding when to clean
+// up Opaque URLs before sending requests from the Transport.
+// See golang.org/issue/16847
+//
+// We used to enforce that the path also didn't start with "//", but
+// Google's GFE accepts such paths and Chrome sends them, so ignore
+// that part of the spec. See golang.org/issue/19103.
+func validPseudoPath(v string) bool {
+	return (len(v) > 0 && v[0] == '/') || v == "*"
+}
+
 // incomparable is a zero-width, non-comparable type. Adding it to a struct
 // makes that struct also non-comparable, and generally doesn't add
 // any size (as long as it's first).
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -50,7 +50,6 @@ import (

 	"golang.org/x/net/http/httpguts"
 	"golang.org/x/net/http2/hpack"
-	"golang.org/x/net/internal/httpcommon"
 )

 const (
@@ -813,7 +812,8 @@ const maxCachedCanonicalHeadersKeysSize = 2048

 func (sc *serverConn) canonicalHeader(v string) string {
 	sc.serveG.check()
-	cv, ok := httpcommon.CachedCanonicalHeader(v)
+	buildCommonHeaderMapsOnce()
+	cv, ok := commonCanonHeader[v]
 	if ok {
 		return cv
 	}
@@ -2233,25 +2233,25 @@ func (sc *serverConn) newStream(id, pusherID uint32, state streamState) *stream
 func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*responseWriter, *http.Request, error) {
 	sc.serveG.check()

-	rp := httpcommon.ServerRequestParam{
-		Method:    f.PseudoValue("method"),
-		Scheme:    f.PseudoValue("scheme"),
-		Authority: f.PseudoValue("authority"),
-		Path:      f.PseudoValue("path"),
-		Protocol:  f.PseudoValue("protocol"),
+	rp := requestParam{
+		method:    f.PseudoValue("method"),
+		scheme:    f.PseudoValue("scheme"),
+		authority: f.PseudoValue("authority"),
+		path:      f.PseudoValue("path"),
+		protocol:  f.PseudoValue("protocol"),
 	}

 	// extended connect is disabled, so we should not see :protocol
-	if disableExtendedConnectProtocol && rp.Protocol != "" {
+	if disableExtendedConnectProtocol && rp.protocol != "" {
 		return nil, nil, sc.countError("bad_connect", streamError(f.StreamID, ErrCodeProtocol))
 	}

-	isConnect := rp.Method == "CONNECT"
+	isConnect := rp.method == "CONNECT"
 	if isConnect {
-		if rp.Protocol == "" && (rp.Path != "" || rp.Scheme != "" || rp.Authority == "") {
+		if rp.protocol == "" && (rp.path != "" || rp.scheme != "" || rp.authority == "") {
 			return nil, nil, sc.countError("bad_connect", streamError(f.StreamID, ErrCodeProtocol))
 		}
-	} else if rp.Method == "" || rp.Path == "" || (rp.Scheme != "https" && rp.Scheme != "http") {
+	} else if rp.method == "" || rp.path == "" || (rp.scheme != "https" && rp.scheme != "http") {
 		// See 8.1.2.6 Malformed Requests and Responses:
 		//
 		// Malformed requests or responses that are detected
@@ -2265,16 +2265,15 @@ func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*res
 		return nil, nil, sc.countError("bad_path_method", streamError(f.StreamID, ErrCodeProtocol))
 	}

-	header := make(http.Header)
-	rp.Header = header
+	rp.header = make(http.Header)
 	for _, hf := range f.RegularFields() {
-		header.Add(sc.canonicalHeader(hf.Name), hf.Value)
+		rp.header.Add(sc.canonicalHeader(hf.Name), hf.Value)
 	}
-	if rp.Authority == "" {
-		rp.Authority = header.Get("Host")
+	if rp.authority == "" {
+		rp.authority = rp.header.Get("Host")
 	}
-	if rp.Protocol != "" {
-		header.Set(":protocol", rp.Protocol)
+	if rp.protocol != "" {
+		rp.header.Set(":protocol", rp.protocol)
 	}

 	rw, req, err := sc.newWriterAndRequestNoBody(st, rp)
@@ -2283,7 +2282,7 @@ func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*res
 	}
 	bodyOpen := !f.StreamEnded()
 	if bodyOpen {
-		if vv, ok := rp.Header["Content-Length"]; ok {
+		if vv, ok := rp.header["Content-Length"]; ok {
 			if cl, err := strconv.ParseUint(vv[0], 10, 63); err == nil {
 				req.ContentLength = int64(cl)
 			} else {
@@ -2299,38 +2298,84 @@ func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*res
 	return rw, req, nil
 }

-func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp httpcommon.ServerRequestParam) (*responseWriter, *http.Request, error) {
+type requestParam struct {
+	method                  string
+	scheme, authority, path string
+	protocol                string
+	header                  http.Header
+}
+
+func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*responseWriter, *http.Request, error) {
 	sc.serveG.check()

 	var tlsState *tls.ConnectionState // nil if not scheme https
-	if rp.Scheme == "https" {
+	if rp.scheme == "https" {
 		tlsState = sc.tlsState
 	}

-	res := httpcommon.NewServerRequest(rp)
-	if res.InvalidReason != "" {
-		return nil, nil, sc.countError(res.InvalidReason, streamError(st.id, ErrCodeProtocol))
+	needsContinue := httpguts.HeaderValuesContainsToken(rp.header["Expect"], "100-continue")
+	if needsContinue {
+		rp.header.Del("Expect")
+	}
+	// Merge Cookie headers into one "; "-delimited value.
+	if cookies := rp.header["Cookie"]; len(cookies) > 1 {
+		rp.header.Set("Cookie", strings.Join(cookies, "; "))
+	}
+
+	// Setup Trailers
+	var trailer http.Header
+	for _, v := range rp.header["Trailer"] {
+		for _, key := range strings.Split(v, ",") {
+			key = http.CanonicalHeaderKey(textproto.TrimString(key))
+			switch key {
+			case "Transfer-Encoding", "Trailer", "Content-Length":
+				// Bogus. (copy of http1 rules)
+				// Ignore.
+			default:
+				if trailer == nil {
+					trailer = make(http.Header)
+				}
+				trailer[key] = nil
+			}
+		}
+	}
+	delete(rp.header, "Trailer")
+
+	var url_ *url.URL
+	var requestURI string
+	if rp.method == "CONNECT" && rp.protocol == "" {
+		url_ = &url.URL{Host: rp.authority}
+		requestURI = rp.authority // mimic HTTP/1 server behavior
+	} else {
+		var err error
+		url_, err = url.ParseRequestURI(rp.path)
+		if err != nil {
+			return nil, nil, sc.countError("bad_path", streamError(st.id, ErrCodeProtocol))
+		}
+		requestURI = rp.path
 	}

 	body := &requestBody{
 		conn:          sc,
 		stream:        st,
-		needsContinue: res.NeedsContinue,
+		needsContinue: needsContinue,
 	}
-	req := (&http.Request{
-		Method:     rp.Method,
-		URL:        res.URL,
+	req := &http.Request{
+		Method:     rp.method,
+		URL:        url_,
 		RemoteAddr: sc.remoteAddrStr,
-		Header:     rp.Header,
-		RequestURI: res.RequestURI,
+		Header:     rp.header,
+		RequestURI: requestURI,
 		Proto:      "HTTP/2.0",
 		ProtoMajor: 2,
 		ProtoMinor: 0,
 		TLS:        tlsState,
-		Host:       rp.Authority,
+		Host:       rp.authority,
 		Body:       body,
-		Trailer:    res.Trailer,
-	}).WithContext(st.ctx)
+		Trailer:    trailer,
+	}
+	req = req.WithContext(st.ctx)
+
 	rw := sc.newResponseWriter(st, req)
 	return rw, req, nil
 }
@@ -3225,12 +3270,12 @@ func (sc *serverConn) startPush(msg *startPushRequest) {
 		// we start in "half closed (remote)" for simplicity.
 		// See further comments at the definition of stateHalfClosedRemote.
 		promised := sc.newStream(promisedID, msg.parent.id, stateHalfClosedRemote)
-		rw, req, err := sc.newWriterAndRequestNoBody(promised, httpcommon.ServerRequestParam{
-			Method:    msg.method,
-			Scheme:    msg.url.Scheme,
-			Authority: msg.url.Host,
-			Path:      msg.url.RequestURI(),
-			Header:    cloneHeader(msg.header), // clone since handler runs concurrently with writing the PUSH_PROMISE
+		rw, req, err := sc.newWriterAndRequestNoBody(promised, requestParam{
+			method:    msg.method,
+			scheme:    msg.url.Scheme,
+			authority: msg.url.Host,
+			path:      msg.url.RequestURI(),
+			header:    cloneHeader(msg.header), // clone since handler runs concurrently with writing the PUSH_PROMISE
 		})
 		if err != nil {
 			// Should not happen, since we've already validated msg.url.
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -25,6 +25,7 @@ import (
 	"net/http"
 	"net/http/httptrace"
 	"net/textproto"
+	"sort"
 	"strconv"
 	"strings"
 	"sync"
@@ -34,7 +35,6 @@ import (
 	"golang.org/x/net/http/httpguts"
 	"golang.org/x/net/http2/hpack"
 	"golang.org/x/net/idna"
-	"golang.org/x/net/internal/httpcommon"
 )

 const (
@@ -375,7 +375,6 @@ type ClientConn struct {
 	doNotReuse       bool       // whether conn is marked to not be reused for any future requests
 	closing          bool
 	closed           bool
-	closedOnIdle     bool                     // true if conn was closed for idleness
 	seenSettings     bool                     // true if we've seen a settings frame, false otherwise
 	seenSettingsChan chan struct{}            // closed when seenSettings is true or frame reading fails
 	wantSettingsAck  bool                     // we sent a SETTINGS frame and haven't heard back
@@ -1090,12 +1089,10 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {

 	// If this connection has never been used for a request and is closed,
 	// then let it take a request (which will fail).
-	// If the conn was closed for idleness, we're racing the idle timer;
-	// don't try to use the conn. (Issue #70515.)
 	//
 	// This avoids a situation where an error early in a connection's lifetime
 	// goes unreported.
-	if cc.nextStreamID == 1 && cc.streamsReserved == 0 && cc.closed && !cc.closedOnIdle {
+	if cc.nextStreamID == 1 && cc.streamsReserved == 0 && cc.closed {
 		st.canTakeNewRequest = true
 	}

@@ -1158,7 +1155,6 @@ func (cc *ClientConn) closeIfIdle() {
 		return
 	}
 	cc.closed = true
-	cc.closedOnIdle = true
 	nextID := cc.nextStreamID
 	// TODO: do clients send GOAWAY too? maybe? Just Close:
 	cc.mu.Unlock()
@@ -1275,6 +1271,23 @@ func (cc *ClientConn) closeForLostPing() {
 // exported. At least they'll be DeepEqual for h1-vs-h2 comparisons tests.
 var errRequestCanceled = errors.New("net/http: request canceled")

+func commaSeparatedTrailers(req *http.Request) (string, error) {
+	keys := make([]string, 0, len(req.Trailer))
+	for k := range req.Trailer {
+		k = canonicalHeader(k)
+		switch k {
+		case "Transfer-Encoding", "Trailer", "Content-Length":
+			return "", fmt.Errorf("invalid Trailer key %q", k)
+		}
+		keys = append(keys, k)
+	}
+	if len(keys) > 0 {
+		sort.Strings(keys)
+		return strings.Join(keys, ","), nil
+	}
+	return "", nil
+}
+
 func (cc *ClientConn) responseHeaderTimeout() time.Duration {
 	if cc.t.t1 != nil {
 		return cc.t.t1.ResponseHeaderTimeout
@@ -1286,6 +1299,22 @@ func (cc *ClientConn) responseHeaderTimeout() time.Duration {
 	return 0
 }

+// checkConnHeaders checks whether req has any invalid connection-level headers.
+// per RFC 7540 section 8.1.2.2: Connection-Specific Header Fields.
+// Certain headers are special-cased as okay but not transmitted later.
+func checkConnHeaders(req *http.Request) error {
+	if v := req.Header.Get("Upgrade"); v != "" {
+		return fmt.Errorf("http2: invalid Upgrade request header: %q", req.Header["Upgrade"])
+	}
+	if vv := req.Header["Transfer-Encoding"]; len(vv) > 0 && (len(vv) > 1 || vv[0] != "" && vv[0] != "chunked") {
+		return fmt.Errorf("http2: invalid Transfer-Encoding request header: %q", vv)
+	}
+	if vv := req.Header["Connection"]; len(vv) > 0 && (len(vv) > 1 || vv[0] != "" && !asciiEqualFold(vv[0], "close") && !asciiEqualFold(vv[0], "keep-alive")) {
+		return fmt.Errorf("http2: invalid Connection request header: %q", vv)
+	}
+	return nil
+}
+
 // actualContentLength returns a sanitized version of
 // req.ContentLength, where 0 actually means zero (not unknown) and -1
 // means unknown.
@@ -1331,7 +1360,25 @@ func (cc *ClientConn) roundTrip(req *http.Request, streamf func(*clientStream))
 		donec:                make(chan struct{}),
 	}

-	cs.requestedGzip = httpcommon.IsRequestGzip(req.Method, req.Header, cc.t.disableCompression())
+	// TODO(bradfitz): this is a copy of the logic in net/http. Unify somewhere?
+	if !cc.t.disableCompression() &&
+		req.Header.Get("Accept-Encoding") == "" &&
+		req.Header.Get("Range") == "" &&
+		!cs.isHead {
+		// Request gzip only, not deflate. Deflate is ambiguous and
+		// not as universally supported anyway.
+		// See: https://zlib.net/zlib_faq.html#faq39
+		//
+		// Note that we don't request this for HEAD requests,
+		// due to a bug in nginx:
+		//   http://trac.nginx.org/nginx/ticket/358
+		//   https://golang.org/issue/5522
+		//
+		// We don't request gzip if the request is for a range, since
+		// auto-decoding a portion of a gzipped document will just fail
+		// anyway. See https://golang.org/issue/8923
+		cs.requestedGzip = true
+	}

 	go cs.doRequest(req, streamf)

@@ -1445,6 +1492,10 @@ func (cs *clientStream) writeRequest(req *http.Request, streamf func(*clientStre
 	cc := cs.cc
 	ctx := cs.ctx

+	if err := checkConnHeaders(req); err != nil {
+		return err
+	}
+
 	// wait for setting frames to be received, a server can change this value later,
 	// but we just wait for the first settings frame
 	var isExtendedConnect bool
@@ -1608,39 +1659,26 @@ func (cs *clientStream) encodeAndWriteHeaders(req *http.Request) error {
 	// we send: HEADERS{1}, CONTINUATION{0,} + DATA{0,} (DATA is
 	// sent by writeRequestBody below, along with any Trailers,
 	// again in form HEADERS{1}, CONTINUATION{0,})
-	cc.hbuf.Reset()
-	res, err := encodeRequestHeaders(req, cs.requestedGzip, cc.peerMaxHeaderListSize, func(name, value string) {
-		cc.writeHeader(name, value)
-	})
+	trailers, err := commaSeparatedTrailers(req)
 	if err != nil {
-		return fmt.Errorf("http2: %w", err)
+		return err
+	}
+	hasTrailers := trailers != ""
+	contentLen := actualContentLength(req)
+	hasBody := contentLen != 0
+	hdrs, err := cc.encodeHeaders(req, cs.requestedGzip, trailers, contentLen)
+	if err != nil {
+		return err
 	}
-	hdrs := cc.hbuf.Bytes()

 	// Write the request.
-	endStream := !res.HasBody && !res.HasTrailers
+	endStream := !hasBody && !hasTrailers
 	cs.sentHeaders = true
 	err = cc.writeHeaders(cs.ID, endStream, int(cc.maxFrameSize), hdrs)
 	traceWroteHeaders(cs.trace)
 	return err
 }

-func encodeRequestHeaders(req *http.Request, addGzipHeader bool, peerMaxHeaderListSize uint64, headerf func(name, value string)) (httpcommon.EncodeHeadersResult, error) {
-	return httpcommon.EncodeHeaders(req.Context(), httpcommon.EncodeHeadersParam{
-		Request: httpcommon.Request{
-			Header:              req.Header,
-			Trailer:             req.Trailer,
-			URL:                 req.URL,
-			Host:                req.Host,
-			Method:              req.Method,
-			ActualContentLength: actualContentLength(req),
-		},
-		AddGzipHeader:         addGzipHeader,
-		PeerMaxHeaderListSize: peerMaxHeaderListSize,
-		DefaultUserAgent:      defaultUserAgent,
-	}, headerf)
-}
-
 // cleanupWriteRequest performs post-request tasks.
 //
 // If err (the result of writeRequest) is non-nil and the stream is not closed,
@@ -2028,6 +2066,218 @@ func (cs *clientStream) awaitFlowControl(maxBytes int) (taken int32, err error)
 	}
 }

+func validateHeaders(hdrs http.Header) string {
+	for k, vv := range hdrs {
+		if !httpguts.ValidHeaderFieldName(k) && k != ":protocol" {
+			return fmt.Sprintf("name %q", k)
+		}
+		for _, v := range vv {
+			if !httpguts.ValidHeaderFieldValue(v) {
+				// Don't include the value in the error,
+				// because it may be sensitive.
+				return fmt.Sprintf("value for header %q", k)
+			}
+		}
+	}
+	return ""
+}
+
+var errNilRequestURL = errors.New("http2: Request.URI is nil")
+
+func isNormalConnect(req *http.Request) bool {
+	return req.Method == "CONNECT" && req.Header.Get(":protocol") == ""
+}
+
+// requires cc.wmu be held.
+func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trailers string, contentLength int64) ([]byte, error) {
+	cc.hbuf.Reset()
+	if req.URL == nil {
+		return nil, errNilRequestURL
+	}
+
+	host := req.Host
+	if host == "" {
+		host = req.URL.Host
+	}
+	host, err := httpguts.PunycodeHostPort(host)
+	if err != nil {
+		return nil, err
+	}
+	if !httpguts.ValidHostHeader(host) {
+		return nil, errors.New("http2: invalid Host header")
+	}
+
+	var path string
+	if !isNormalConnect(req) {
+		path = req.URL.RequestURI()
+		if !validPseudoPath(path) {
+			orig := path
+			path = strings.TrimPrefix(path, req.URL.Scheme+"://"+host)
+			if !validPseudoPath(path) {
+				if req.URL.Opaque != "" {
+					return nil, fmt.Errorf("invalid request :path %q from URL.Opaque = %q", orig, req.URL.Opaque)
+				} else {
+					return nil, fmt.Errorf("invalid request :path %q", orig)
+				}
+			}
+		}
+	}
+
+	// Check for any invalid headers+trailers and return an error before we
+	// potentially pollute our hpack state. (We want to be able to
+	// continue to reuse the hpack encoder for future requests)
+	if err := validateHeaders(req.Header); err != "" {
+		return nil, fmt.Errorf("invalid HTTP header %s", err)
+	}
+	if err := validateHeaders(req.Trailer); err != "" {
+		return nil, fmt.Errorf("invalid HTTP trailer %s", err)
+	}
+
+	enumerateHeaders := func(f func(name, value string)) {
+		// 8.1.2.3 Request Pseudo-Header Fields
+		// The :path pseudo-header field includes the path and query parts of the
+		// target URI (the path-absolute production and optionally a '?' character
+		// followed by the query production, see Sections 3.3 and 3.4 of
+		// [RFC3986]).
+		f(":authority", host)
+		m := req.Method
+		if m == "" {
+			m = http.MethodGet
+		}
+		f(":method", m)
+		if !isNormalConnect(req) {
+			f(":path", path)
+			f(":scheme", req.URL.Scheme)
+		}
+		if trailers != "" {
+			f("trailer", trailers)
+		}
+
+		var didUA bool
+		for k, vv := range req.Header {
+			if asciiEqualFold(k, "host") || asciiEqualFold(k, "content-length") {
+				// Host is :authority, already sent.
+				// Content-Length is automatic, set below.
+				continue
+			} else if asciiEqualFold(k, "connection") ||
+				asciiEqualFold(k, "proxy-connection") ||
+				asciiEqualFold(k, "transfer-encoding") ||
+				asciiEqualFold(k, "upgrade") ||
+				asciiEqualFold(k, "keep-alive") {
+				// Per 8.1.2.2 Connection-Specific Header
+				// Fields, don't send connection-specific
+				// fields. We have already checked if any
+				// are error-worthy so just ignore the rest.
+				continue
+			} else if asciiEqualFold(k, "user-agent") {
+				// Match Go's http1 behavior: at most one
+				// User-Agent. If set to nil or empty string,
+				// then omit it. Otherwise if not mentioned,
+				// include the default (below).
+				didUA = true
+				if len(vv) < 1 {
+					continue
+				}
+				vv = vv[:1]
+				if vv[0] == "" {
+					continue
+				}
+			} else if asciiEqualFold(k, "cookie") {
+				// Per 8.1.2.5 To allow for better compression efficiency, the
+				// Cookie header field MAY be split into separate header fields,
+				// each with one or more cookie-pairs.
+				for _, v := range vv {
+					for {
+						p := strings.IndexByte(v, ';')
+						if p < 0 {
+							break
+						}
+						f("cookie", v[:p])
+						p++
+						// strip space after semicolon if any.
+						for p+1 <= len(v) && v[p] == ' ' {
+							p++
+						}
+						v = v[p:]
+					}
+					if len(v) > 0 {
+						f("cookie", v)
+					}
+				}
+				continue
+			}
+
+			for _, v := range vv {
+				f(k, v)
+			}
+		}
+		if shouldSendReqContentLength(req.Method, contentLength) {
+			f("content-length", strconv.FormatInt(contentLength, 10))
+		}
+		if addGzipHeader {
+			f("accept-encoding", "gzip")
+		}
+		if !didUA {
+			f("user-agent", defaultUserAgent)
+		}
+	}
+
+	// Do a first pass over the headers counting bytes to ensure
+	// we don't exceed cc.peerMaxHeaderListSize. This is done as a
+	// separate pass before encoding the headers to prevent
+	// modifying the hpack state.
+	hlSize := uint64(0)
+	enumerateHeaders(func(name, value string) {
+		hf := hpack.HeaderField{Name: name, Value: value}
+		hlSize += uint64(hf.Size())
+	})
+
+	if hlSize > cc.peerMaxHeaderListSize {
+		return nil, errRequestHeaderListSize
+	}
+
+	trace := httptrace.ContextClientTrace(req.Context())
+	traceHeaders := traceHasWroteHeaderField(trace)
+
+	// Header list size is ok. Write the headers.
+	enumerateHeaders(func(name, value string) {
+		name, ascii := lowerHeader(name)
+		if !ascii {
+			// Skip writing invalid headers. Per RFC 7540, Section 8.1.2, header
+			// field names have to be ASCII characters (just as in HTTP/1.x).
+			return
+		}
+		cc.writeHeader(name, value)
+		if traceHeaders {
+			traceWroteHeaderField(trace, name, value)
+		}
+	})
+
+	return cc.hbuf.Bytes(), nil
+}
+
+// shouldSendReqContentLength reports whether the http2.Transport should send
+// a "content-length" request header. This logic is basically a copy of the net/http
+// transferWriter.shouldSendContentLength.
+// The contentLength is the corrected contentLength (so 0 means actually 0, not unknown).
+// -1 means unknown.
+func shouldSendReqContentLength(method string, contentLength int64) bool {
+	if contentLength > 0 {
+		return true
+	}
+	if contentLength < 0 {
+		return false
+	}
+	// For zero bodies, whether we send a content-length depends on the method.
+	// It also kinda doesn't matter for http2 either way, with END_STREAM.
+	switch method {
+	case "POST", "PUT", "PATCH":
+		return true
+	default:
+		return false
+	}
+}
+
 // requires cc.wmu be held.
 func (cc *ClientConn) encodeTrailers(trailer http.Header) ([]byte, error) {
 	cc.hbuf.Reset()
@@ -2044,7 +2294,7 @@ func (cc *ClientConn) encodeTrailers(trailer http.Header) ([]byte, error) {
 	}

 	for k, vv := range trailer {
-		lowKey, ascii := httpcommon.LowerHeader(k)
+		lowKey, ascii := lowerHeader(k)
 		if !ascii {
 			// Skip writing invalid headers. Per RFC 7540, Section 8.1.2, header
 			// field names have to be ASCII characters (just as in HTTP/1.x).
@@ -2184,12 +2434,9 @@ func (rl *clientConnReadLoop) cleanup() {
 	// This avoids a situation where new connections are constantly created,
 	// added to the pool, fail, and are removed from the pool, without any error
 	// being surfaced to the user.
-	unusedWaitTime := 5 * time.Second
-	if cc.idleTimeout > 0 && unusedWaitTime > cc.idleTimeout {
-		unusedWaitTime = cc.idleTimeout
-	}
+	const unusedWaitTime = 5 * time.Second
 	idleTime := cc.t.now().Sub(cc.lastActive)
-	if atomic.LoadUint32(&cc.atomicReused) == 0 && idleTime < unusedWaitTime && !cc.closedOnIdle {
+	if atomic.LoadUint32(&cc.atomicReused) == 0 && idleTime < unusedWaitTime {
 		cc.idleTimer = cc.t.afterFunc(unusedWaitTime-idleTime, func() {
 			cc.t.connPool().MarkDead(cc)
 		})
@@ -2210,13 +2457,6 @@ func (rl *clientConnReadLoop) cleanup() {
 	}
 	cc.cond.Broadcast()
 	cc.mu.Unlock()
-
-	if !cc.seenSettings {
-		// If we have a pending request that wants extended CONNECT,
-		// let it continue and fail with the connection error.
-		cc.extendedConnectAllowed = true
-		close(cc.seenSettingsChan)
-	}
 }

 // countReadFrameError calls Transport.CountError with a string
@@ -2309,6 +2549,9 @@ func (rl *clientConnReadLoop) run() error {
 			if VerboseLogs {
 				cc.vlogf("http2: Transport conn %p received error from processing frame %v: %v", cc, summarizeFrame(f), err)
 			}
+			if !cc.seenSettings {
+				close(cc.seenSettingsChan)
+			}
 			return err
 		}
 	}
@@ -2403,7 +2646,7 @@ func (rl *clientConnReadLoop) handleResponse(cs *clientStream, f *MetaHeadersFra
 		Status:     status + " " + http.StatusText(statusCode),
 	}
 	for _, hf := range regularFields {
-		key := httpcommon.CanonicalHeader(hf.Name)
+		key := canonicalHeader(hf.Name)
 		if key == "Trailer" {
 			t := res.Trailer
 			if t == nil {
@@ -2411,7 +2654,7 @@ func (rl *clientConnReadLoop) handleResponse(cs *clientStream, f *MetaHeadersFra
 				res.Trailer = t
 			}
 			foreachHeaderElement(hf.Value, func(v string) {
-				t[httpcommon.CanonicalHeader(v)] = nil
+				t[canonicalHeader(v)] = nil
 			})
 		} else {
 			vv := header[key]
@@ -2535,7 +2778,7 @@ func (rl *clientConnReadLoop) processTrailers(cs *clientStream, f *MetaHeadersFr

 	trailer := make(http.Header)
 	for _, hf := range f.RegularFields() {
-		key := httpcommon.CanonicalHeader(hf.Name)
+		key := canonicalHeader(hf.Name)
 		trailer[key] = append(trailer[key], hf.Value)
 	}
 	cs.trailer = trailer
@@ -3081,7 +3324,7 @@ func (cc *ClientConn) writeStreamReset(streamID uint32, code ErrCode, ping bool,

 var (
 	errResponseHeaderListSize = errors.New("http2: response header list larger than advertised limit")
-	errRequestHeaderListSize  = httpcommon.ErrRequestHeaderListSize
+	errRequestHeaderListSize  = errors.New("http2: request header list larger than peer's advertised limit")
 )

 func (cc *ClientConn) logf(format string, args ...interface{}) {
@@ -3265,6 +3508,16 @@ func traceFirstResponseByte(trace *httptrace.ClientTrace) {
 	}
 }

+func traceHasWroteHeaderField(trace *httptrace.ClientTrace) bool {
+	return trace != nil && trace.WroteHeaderField != nil
+}
+
+func traceWroteHeaderField(trace *httptrace.ClientTrace, k, v string) {
+	if trace != nil && trace.WroteHeaderField != nil {
+		trace.WroteHeaderField(k, []string{v})
+	}
+}
+
 func traceGot1xxResponseFunc(trace *httptrace.ClientTrace) func(int, textproto.MIMEHeader) error {
 	if trace != nil {
 		return trace.Got1xxResponse
--- a/vendor/golang.org/x/net/http2/write.go
+++ b/vendor/golang.org/x/net/http2/write.go
@@ -13,7 +13,6 @@ import (

 	"golang.org/x/net/http/httpguts"
 	"golang.org/x/net/http2/hpack"
-	"golang.org/x/net/internal/httpcommon"
 )

 // writeFramer is implemented by any type that is used to write frames.
@@ -352,7 +351,7 @@ func encodeHeaders(enc *hpack.Encoder, h http.Header, keys []string) {
 	}
 	for _, k := range keys {
 		vv := h[k]
-		k, ascii := httpcommon.LowerHeader(k)
+		k, ascii := lowerHeader(k)
 		if !ascii {
 			// Skip writing invalid headers. Per RFC 7540, Section 8.1.2, header
 			// field names have to be ASCII characters (just as in HTTP/1.x).
--- a/vendor/golang.org/x/net/internal/httpcommon/ascii.go
+++ b/vendor/golang.org/x/net/internal/httpcommon/ascii.go
@@ -1,53 +0,0 @@
-// Copyright 2025 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package httpcommon
-
-import "strings"
-
-// The HTTP protocols are defined in terms of ASCII, not Unicode. This file
-// contains helper functions which may use Unicode-aware functions which would
-// otherwise be unsafe and could introduce vulnerabilities if used improperly.
-
-// asciiEqualFold is strings.EqualFold, ASCII only. It reports whether s and t
-// are equal, ASCII-case-insensitively.
-func asciiEqualFold(s, t string) bool {
-	if len(s) != len(t) {
-		return false
-	}
-	for i := 0; i < len(s); i++ {
-		if lower(s[i]) != lower(t[i]) {
-			return false
-		}
-	}
-	return true
-}
-
-// lower returns the ASCII lowercase version of b.
-func lower(b byte) byte {
-	if 'A' <= b && b <= 'Z' {
-		return b + ('a' - 'A')
-	}
-	return b
-}
-
-// isASCIIPrint returns whether s is ASCII and printable according to
-// https://tools.ietf.org/html/rfc20#section-4.2.
-func isASCIIPrint(s string) bool {
-	for i := 0; i < len(s); i++ {
-		if s[i] < ' ' || s[i] > '~' {
-			return false
-		}
-	}
-	return true
-}
-
-// asciiToLower returns the lowercase version of s if s is ASCII and printable,
-// and whether or not it was.
-func asciiToLower(s string) (lower string, ok bool) {
-	if !isASCIIPrint(s) {
-		return "", false
-	}
-	return strings.ToLower(s), true
-}
--- a/vendor/golang.org/x/net/internal/httpcommon/request.go
+++ b/vendor/golang.org/x/net/internal/httpcommon/request.go
@@ -1,467 +0,0 @@
-// Copyright 2025 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package httpcommon
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http/httptrace"
-	"net/textproto"
-	"net/url"
-	"sort"
-	"strconv"
-	"strings"
-
-	"golang.org/x/net/http/httpguts"
-	"golang.org/x/net/http2/hpack"
-)
-
-var (
-	ErrRequestHeaderListSize = errors.New("request header list larger than peer's advertised limit")
-)
-
-// Request is a subset of http.Request.
-// It'd be simpler to pass an *http.Request, of course, but we can't depend on net/http
-// without creating a dependency cycle.
-type Request struct {
-	URL                 *url.URL
-	Method              string
-	Host                string
-	Header              map[string][]string
-	Trailer             map[string][]string
-	ActualContentLength int64 // 0 means 0, -1 means unknown
-}
-
-// EncodeHeadersParam is parameters to EncodeHeaders.
-type EncodeHeadersParam struct {
-	Request Request
-
-	// AddGzipHeader indicates that an "accept-encoding: gzip" header should be
-	// added to the request.
-	AddGzipHeader bool
-
-	// PeerMaxHeaderListSize, when non-zero, is the peer's MAX_HEADER_LIST_SIZE setting.
-	PeerMaxHeaderListSize uint64
-
-	// DefaultUserAgent is the User-Agent header to send when the request
-	// neither contains a User-Agent nor disables it.
-	DefaultUserAgent string
-}
-
-// EncodeHeadersParam is the result of EncodeHeaders.
-type EncodeHeadersResult struct {
-	HasBody     bool
-	HasTrailers bool
-}
-
-// EncodeHeaders constructs request headers common to HTTP/2 and HTTP/3.
-// It validates a request and calls headerf with each pseudo-header and header
-// for the request.
-// The headerf function is called with the validated, canonicalized header name.
-func EncodeHeaders(ctx context.Context, param EncodeHeadersParam, headerf func(name, value string)) (res EncodeHeadersResult, _ error) {
-	req := param.Request
-
-	// Check for invalid connection-level headers.
-	if err := checkConnHeaders(req.Header); err != nil {
-		return res, err
-	}
-
-	if req.URL == nil {
-		return res, errors.New("Request.URL is nil")
-	}
-
-	host := req.Host
-	if host == "" {
-		host = req.URL.Host
-	}
-	host, err := httpguts.PunycodeHostPort(host)
-	if err != nil {
-		return res, err
-	}
-	if !httpguts.ValidHostHeader(host) {
-		return res, errors.New("invalid Host header")
-	}
-
-	// isNormalConnect is true if this is a non-extended CONNECT request.
-	isNormalConnect := false
-	var protocol string
-	if vv := req.Header[":protocol"]; len(vv) > 0 {
-		protocol = vv[0]
-	}
-	if req.Method == "CONNECT" && protocol == "" {
-		isNormalConnect = true
-	} else if protocol != "" && req.Method != "CONNECT" {
-		return res, errors.New("invalid :protocol header in non-CONNECT request")
-	}
-
-	// Validate the path, except for non-extended CONNECT requests which have no path.
-	var path string
-	if !isNormalConnect {
-		path = req.URL.RequestURI()
-		if !validPseudoPath(path) {
-			orig := path
-			path = strings.TrimPrefix(path, req.URL.Scheme+"://"+host)
-			if !validPseudoPath(path) {
-				if req.URL.Opaque != "" {
-					return res, fmt.Errorf("invalid request :path %q from URL.Opaque = %q", orig, req.URL.Opaque)
-				} else {
-					return res, fmt.Errorf("invalid request :path %q", orig)
-				}
-			}
-		}
-	}
-
-	// Check for any invalid headers+trailers and return an error before we
-	// potentially pollute our hpack state. (We want to be able to
-	// continue to reuse the hpack encoder for future requests)
-	if err := validateHeaders(req.Header); err != "" {
-		return res, fmt.Errorf("invalid HTTP header %s", err)
-	}
-	if err := validateHeaders(req.Trailer); err != "" {
-		return res, fmt.Errorf("invalid HTTP trailer %s", err)
-	}
-
-	trailers, err := commaSeparatedTrailers(req.Trailer)
-	if err != nil {
-		return res, err
-	}
-
-	enumerateHeaders := func(f func(name, value string)) {
-		// 8.1.2.3 Request Pseudo-Header Fields
-		// The :path pseudo-header field includes the path and query parts of the
-		// target URI (the path-absolute production and optionally a '?' character
-		// followed by the query production, see Sections 3.3 and 3.4 of
-		// [RFC3986]).
-		f(":authority", host)
-		m := req.Method
-		if m == "" {
-			m = "GET"
-		}
-		f(":method", m)
-		if !isNormalConnect {
-			f(":path", path)
-			f(":scheme", req.URL.Scheme)
-		}
-		if protocol != "" {
-			f(":protocol", protocol)
-		}
-		if trailers != "" {
-			f("trailer", trailers)
-		}
-
-		var didUA bool
-		for k, vv := range req.Header {
-			if asciiEqualFold(k, "host") || asciiEqualFold(k, "content-length") {
-				// Host is :authority, already sent.
-				// Content-Length is automatic, set below.
-				continue
-			} else if asciiEqualFold(k, "connection") ||
-				asciiEqualFold(k, "proxy-connection") ||
-				asciiEqualFold(k, "transfer-encoding") ||
-				asciiEqualFold(k, "upgrade") ||
-				asciiEqualFold(k, "keep-alive") {
-				// Per 8.1.2.2 Connection-Specific Header
-				// Fields, don't send connection-specific
-				// fields. We have already checked if any
-				// are error-worthy so just ignore the rest.
-				continue
-			} else if asciiEqualFold(k, "user-agent") {
-				// Match Go's http1 behavior: at most one
-				// User-Agent. If set to nil or empty string,
-				// then omit it. Otherwise if not mentioned,
-				// include the default (below).
-				didUA = true
-				if len(vv) < 1 {
-					continue
-				}
-				vv = vv[:1]
-				if vv[0] == "" {
-					continue
-				}
-			} else if asciiEqualFold(k, "cookie") {
-				// Per 8.1.2.5 To allow for better compression efficiency, the
-				// Cookie header field MAY be split into separate header fields,
-				// each with one or more cookie-pairs.
-				for _, v := range vv {
-					for {
-						p := strings.IndexByte(v, ';')
-						if p < 0 {
-							break
-						}
-						f("cookie", v[:p])
-						p++
-						// strip space after semicolon if any.
-						for p+1 <= len(v) && v[p] == ' ' {
-							p++
-						}
-						v = v[p:]
-					}
-					if len(v) > 0 {
-						f("cookie", v)
-					}
-				}
-				continue
-			} else if k == ":protocol" {
-				// :protocol pseudo-header was already sent above.
-				continue
-			}
-
-			for _, v := range vv {
-				f(k, v)
-			}
-		}
-		if shouldSendReqContentLength(req.Method, req.ActualContentLength) {
-			f("content-length", strconv.FormatInt(req.ActualContentLength, 10))
-		}
-		if param.AddGzipHeader {
-			f("accept-encoding", "gzip")
-		}
-		if !didUA {
-			f("user-agent", param.DefaultUserAgent)
-		}
-	}
-
-	// Do a first pass over the headers counting bytes to ensure
-	// we don't exceed cc.peerMaxHeaderListSize. This is done as a
-	// separate pass before encoding the headers to prevent
-	// modifying the hpack state.
-	if param.PeerMaxHeaderListSize > 0 {
-		hlSize := uint64(0)
-		enumerateHeaders(func(name, value string) {
-			hf := hpack.HeaderField{Name: name, Value: value}
-			hlSize += uint64(hf.Size())
-		})
-
-		if hlSize > param.PeerMaxHeaderListSize {
-			return res, ErrRequestHeaderListSize
-		}
-	}
-
-	trace := httptrace.ContextClientTrace(ctx)
-
-	// Header list size is ok. Write the headers.
-	enumerateHeaders(func(name, value string) {
-		name, ascii := LowerHeader(name)
-		if !ascii {
-			// Skip writing invalid headers. Per RFC 7540, Section 8.1.2, header
-			// field names have to be ASCII characters (just as in HTTP/1.x).
-			return
-		}
-
-		headerf(name, value)
-
-		if trace != nil && trace.WroteHeaderField != nil {
-			trace.WroteHeaderField(name, []string{value})
-		}
-	})
-
-	res.HasBody = req.ActualContentLength != 0
-	res.HasTrailers = trailers != ""
-	return res, nil
-}
-
-// IsRequestGzip reports whether we should add an Accept-Encoding: gzip header
-// for a request.
-func IsRequestGzip(method string, header map[string][]string, disableCompression bool) bool {
-	// TODO(bradfitz): this is a copy of the logic in net/http. Unify somewhere?
-	if !disableCompression &&
-		len(header["Accept-Encoding"]) == 0 &&
-		len(header["Range"]) == 0 &&
-		method != "HEAD" {
-		// Request gzip only, not deflate. Deflate is ambiguous and
-		// not as universally supported anyway.
-		// See: https://zlib.net/zlib_faq.html#faq39
-		//
-		// Note that we don't request this for HEAD requests,
-		// due to a bug in nginx:
-		//   http://trac.nginx.org/nginx/ticket/358
-		//   https://golang.org/issue/5522
-		//
-		// We don't request gzip if the request is for a range, since
-		// auto-decoding a portion of a gzipped document will just fail
-		// anyway. See https://golang.org/issue/8923
-		return true
-	}
-	return false
-}
-
-// checkConnHeaders checks whether req has any invalid connection-level headers.
-//
-// https://www.rfc-editor.org/rfc/rfc9114.html#section-4.2-3
-// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.2.2-1
-//
-// Certain headers are special-cased as okay but not transmitted later.
-// For example, we allow "Transfer-Encoding: chunked", but drop the header when encoding.
-func checkConnHeaders(h map[string][]string) error {
-	if vv := h["Upgrade"]; len(vv) > 0 && (vv[0] != "" && vv[0] != "chunked") {
-		return fmt.Errorf("invalid Upgrade request header: %q", vv)
-	}
-	if vv := h["Transfer-Encoding"]; len(vv) > 0 && (len(vv) > 1 || vv[0] != "" && vv[0] != "chunked") {
-		return fmt.Errorf("invalid Transfer-Encoding request header: %q", vv)
-	}
-	if vv := h["Connection"]; len(vv) > 0 && (len(vv) > 1 || vv[0] != "" && !asciiEqualFold(vv[0], "close") && !asciiEqualFold(vv[0], "keep-alive")) {
-		return fmt.Errorf("invalid Connection request header: %q", vv)
-	}
-	return nil
-}
-
-func commaSeparatedTrailers(trailer map[string][]string) (string, error) {
-	keys := make([]string, 0, len(trailer))
-	for k := range trailer {
-		k = CanonicalHeader(k)
-		switch k {
-		case "Transfer-Encoding", "Trailer", "Content-Length":
-			return "", fmt.Errorf("invalid Trailer key %q", k)
-		}
-		keys = append(keys, k)
-	}
-	if len(keys) > 0 {
-		sort.Strings(keys)
-		return strings.Join(keys, ","), nil
-	}
-	return "", nil
-}
-
-// validPseudoPath reports whether v is a valid :path pseudo-header
-// value. It must be either:
-//
-//   - a non-empty string starting with '/'
-//   - the string '*', for OPTIONS requests.
-//
-// For now this is only used a quick check for deciding when to clean
-// up Opaque URLs before sending requests from the Transport.
-// See golang.org/issue/16847
-//
-// We used to enforce that the path also didn't start with "//", but
-// Google's GFE accepts such paths and Chrome sends them, so ignore
-// that part of the spec. See golang.org/issue/19103.
-func validPseudoPath(v string) bool {
-	return (len(v) > 0 && v[0] == '/') || v == "*"
-}
-
-func validateHeaders(hdrs map[string][]string) string {
-	for k, vv := range hdrs {
-		if !httpguts.ValidHeaderFieldName(k) && k != ":protocol" {
-			return fmt.Sprintf("name %q", k)
-		}
-		for _, v := range vv {
-			if !httpguts.ValidHeaderFieldValue(v) {
-				// Don't include the value in the error,
-				// because it may be sensitive.
-				return fmt.Sprintf("value for header %q", k)
-			}
-		}
-	}
-	return ""
-}
-
-// shouldSendReqContentLength reports whether we should send
-// a "content-length" request header. This logic is basically a copy of the net/http
-// transferWriter.shouldSendContentLength.
-// The contentLength is the corrected contentLength (so 0 means actually 0, not unknown).
-// -1 means unknown.
-func shouldSendReqContentLength(method string, contentLength int64) bool {
-	if contentLength > 0 {
-		return true
-	}
-	if contentLength < 0 {
-		return false
-	}
-	// For zero bodies, whether we send a content-length depends on the method.
-	// It also kinda doesn't matter for http2 either way, with END_STREAM.
-	switch method {
-	case "POST", "PUT", "PATCH":
-		return true
-	default:
-		return false
-	}
-}
-
-// ServerRequestParam is parameters to NewServerRequest.
-type ServerRequestParam struct {
-	Method                  string
-	Scheme, Authority, Path string
-	Protocol                string
-	Header                  map[string][]string
-}
-
-// ServerRequestResult is the result of NewServerRequest.
-type ServerRequestResult struct {
-	// Various http.Request fields.
-	URL        *url.URL
-	RequestURI string
-	Trailer    map[string][]string
-
-	NeedsContinue bool // client provided an "Expect: 100-continue" header
-
-	// If the request should be rejected, this is a short string suitable for passing
-	// to the http2 package's CountError function.
-	// It might be a bit odd to return errors this way rather than returing an error,
-	// but this ensures we don't forget to include a CountError reason.
-	InvalidReason string
-}
-
-func NewServerRequest(rp ServerRequestParam) ServerRequestResult {
-	needsContinue := httpguts.HeaderValuesContainsToken(rp.Header["Expect"], "100-continue")
-	if needsContinue {
-		delete(rp.Header, "Expect")
-	}
-	// Merge Cookie headers into one "; "-delimited value.
-	if cookies := rp.Header["Cookie"]; len(cookies) > 1 {
-		rp.Header["Cookie"] = []string{strings.Join(cookies, "; ")}
-	}
-
-	// Setup Trailers
-	var trailer map[string][]string
-	for _, v := range rp.Header["Trailer"] {
-		for _, key := range strings.Split(v, ",") {
-			key = textproto.CanonicalMIMEHeaderKey(textproto.TrimString(key))
-			switch key {
-			case "Transfer-Encoding", "Trailer", "Content-Length":
-				// Bogus. (copy of http1 rules)
-				// Ignore.
-			default:
-				if trailer == nil {
-					trailer = make(map[string][]string)
-				}
-				trailer[key] = nil
-			}
-		}
-	}
-	delete(rp.Header, "Trailer")
-
-	// "':authority' MUST NOT include the deprecated userinfo subcomponent
-	// for "http" or "https" schemed URIs."
-	// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.3.1-2.3.8
-	if strings.IndexByte(rp.Authority, '@') != -1 && (rp.Scheme == "http" || rp.Scheme == "https") {
-		return ServerRequestResult{
-			InvalidReason: "userinfo_in_authority",
-		}
-	}
-
-	var url_ *url.URL
-	var requestURI string
-	if rp.Method == "CONNECT" && rp.Protocol == "" {
-		url_ = &url.URL{Host: rp.Authority}
-		requestURI = rp.Authority // mimic HTTP/1 server behavior
-	} else {
-		var err error
-		url_, err = url.ParseRequestURI(rp.Path)
-		if err != nil {
-			return ServerRequestResult{
-				InvalidReason: "bad_path",
-			}
-		}
-		requestURI = rp.Path
-	}
-
-	return ServerRequestResult{
-		URL:           url_,
-		NeedsContinue: needsContinue,
-		RequestURI:    requestURI,
-		Trailer:       trailer,
-	}
-}
--- a/vendor/golang.org/x/net/proxy/per_host.go
+++ b/vendor/golang.org/x/net/proxy/per_host.go
@@ -7,7 +7,6 @@ package proxy
 import (
 	"context"
 	"net"
-	"net/netip"
 	"strings"
 )

@@ -58,8 +57,7 @@ func (p *PerHost) DialContext(ctx context.Context, network, addr string) (c net.
 }

 func (p *PerHost) dialerForRequest(host string) Dialer {
-	if nip, err := netip.ParseAddr(host); err == nil {
-		ip := net.IP(nip.AsSlice())
+	if ip := net.ParseIP(host); ip != nil {
 		for _, net := range p.bypassNetworks {
 			if net.Contains(ip) {
 				return p.bypass
@@ -110,8 +108,8 @@ func (p *PerHost) AddFromString(s string) {
 			}
 			continue
 		}
-		if nip, err := netip.ParseAddr(host); err == nil {
-			p.AddIP(net.IP(nip.AsSlice()))
+		if ip := net.ParseIP(host); ip != nil {
+			p.AddIP(ip)
 			continue
 		}
 		if strings.HasPrefix(host, "*.") {
--- a/vendor/golang.org/x/oauth2/README.md
+++ b/vendor/golang.org/x/oauth2/README.md
@@ -5,6 +5,15 @@

 oauth2 package contains a client implementation for OAuth 2.0 spec.

+## Installation
+
+~~~~
+go get golang.org/x/oauth2
+~~~~
+
+Or you can manually git clone the repository to
+`$(go env GOPATH)/src/golang.org/x/oauth2`.
+
 See pkg.go.dev for further documentation and examples.

 * [pkg.go.dev/golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2)
@@ -24,11 +33,7 @@ The main issue tracker for the oauth2 repository is located at
 https://github.com/golang/oauth2/issues.

 This repository uses Gerrit for code changes. To learn how to submit changes to
-this repository, see https://go.dev/doc/contribute.
-
-The git repository is https://go.googlesource.com/oauth2.
-
-Note:
+this repository, see https://golang.org/doc/contribute.html. In particular:

 * Excluding trivial changes, all contributions should be connected to an existing issue.
 * API changes must go through the [change proposal process](https://go.dev/s/proposal-process) before they can be accepted.
--- a/vendor/golang.org/x/oauth2/oauth2.go
+++ b/vendor/golang.org/x/oauth2/oauth2.go
@@ -56,7 +56,7 @@ type Config struct {
 	// the OAuth flow, after the resource owner's URLs.
 	RedirectURL string

-	// Scopes specifies optional requested permissions.
+	// Scope specifies optional requested permissions.
 	Scopes []string

 	// authStyleCache caches which auth style to use when Endpoint.AuthStyle is
@@ -288,7 +288,7 @@ func (tf *tokenRefresher) Token() (*Token, error) {
 	if tf.refreshToken != tk.RefreshToken {
 		tf.refreshToken = tk.RefreshToken
 	}
-	return tk, nil
+	return tk, err
 }

 // reuseTokenSource is a TokenSource that holds a single token in memory
@@ -356,15 +356,11 @@ func NewClient(ctx context.Context, src TokenSource) *http.Client {
 	if src == nil {
 		return internal.ContextClient(ctx)
 	}
-	cc := internal.ContextClient(ctx)
 	return &http.Client{
 		Transport: &Transport{
-			Base:   cc.Transport,
+			Base:   internal.ContextClient(ctx).Transport,
 			Source: ReuseTokenSource(nil, src),
 		},
-		CheckRedirect: cc.CheckRedirect,
-		Jar:           cc.Jar,
-		Timeout:       cc.Timeout,
 	}
 }

--- a/vendor/golang.org/x/oauth2/pkce.go
+++ b/vendor/golang.org/x/oauth2/pkce.go
@@ -21,7 +21,7 @@ const (
 //
 // A fresh verifier should be generated for each authorization.
 // S256ChallengeOption(verifier) should then be passed to Config.AuthCodeURL
-// (or Config.DeviceAuth) and VerifierOption(verifier) to Config.Exchange
+// (or Config.DeviceAccess) and VerifierOption(verifier) to Config.Exchange
 // (or Config.DeviceAccessToken).
 func GenerateVerifier() string {
 	// "RECOMMENDED that the output of a suitable random number generator be
@@ -51,7 +51,7 @@ func S256ChallengeFromVerifier(verifier string) string {
 }

 // S256ChallengeOption derives a PKCE code challenge derived from verifier with
-// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAuth
+// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAccess
 // only.
 func S256ChallengeOption(verifier string) AuthCodeOption {
 	return challengeOption{
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@@ -46,7 +46,7 @@ func (g *Group) done() {
 // returns a non-nil error or the first time Wait returns, whichever occurs
 // first.
 func WithContext(ctx context.Context) (*Group, context.Context) {
-	ctx, cancel := context.WithCancelCause(ctx)
+	ctx, cancel := withCancelCause(ctx)
 	return &Group{cancel: cancel}, ctx
 }

@@ -118,7 +118,6 @@ func (g *Group) TryGo(f func() error) bool {

 // SetLimit limits the number of active goroutines in this group to at most n.
 // A negative value indicates no limit.
-// A limit of zero will prevent any new goroutines from being added.
 //
 // Any subsequent call to the Go method will block until it can add an active
 // goroutine without exceeding the configured limit.
--- a/vendor/golang.org/x/sync/errgroup/go120.go
+++ b/vendor/golang.org/x/sync/errgroup/go120.go
@@ -0,0 +1,13 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.20
+
+package errgroup
+
+import "context"
+
+func withCancelCause(parent context.Context) (context.Context, func(error)) {
+	return context.WithCancelCause(parent)
+}
--- a/vendor/golang.org/x/sync/errgroup/pre_go120.go
+++ b/vendor/golang.org/x/sync/errgroup/pre_go120.go
@@ -0,0 +1,14 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.20
+
+package errgroup
+
+import "context"
+
+func withCancelCause(parent context.Context) (context.Context, func(error)) {
+	ctx, cancel := context.WithCancel(parent)
+	return ctx, func(error) { cancel() }
+}
--- a/vendor/golang.org/x/sys/cpu/cpu.go
+++ b/vendor/golang.org/x/sys/cpu/cpu.go
@@ -72,9 +72,6 @@ var X86 struct {
 	HasSSSE3            bool // Supplemental streaming SIMD extension 3
 	HasSSE41            bool // Streaming SIMD extension 4 and 4.1
 	HasSSE42            bool // Streaming SIMD extension 4 and 4.2
-	HasAVXIFMA          bool // Advanced vector extension Integer Fused Multiply Add
-	HasAVXVNNI          bool // Advanced vector extension Vector Neural Network Instructions
-	HasAVXVNNIInt8      bool // Advanced vector extension Vector Neural Network Int8 instructions
 	_                   CacheLinePad
 }

--- a/vendor/golang.org/x/sys/cpu/cpu_x86.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_x86.go
@@ -53,9 +53,6 @@ func initOptions() {
 		{Name: "sse41", Feature: &X86.HasSSE41},
 		{Name: "sse42", Feature: &X86.HasSSE42},
 		{Name: "ssse3", Feature: &X86.HasSSSE3},
-		{Name: "avxifma", Feature: &X86.HasAVXIFMA},
-		{Name: "avxvnni", Feature: &X86.HasAVXVNNI},
-		{Name: "avxvnniint8", Feature: &X86.HasAVXVNNIInt8},

 		// These capabilities should always be enabled on amd64:
 		{Name: "sse2", Feature: &X86.HasSSE2, Required: runtime.GOARCH == "amd64"},
@@ -109,7 +106,7 @@ func archInit() {
 		return
 	}

-	eax7, ebx7, ecx7, edx7 := cpuid(7, 0)
+	_, ebx7, ecx7, edx7 := cpuid(7, 0)
 	X86.HasBMI1 = isSet(3, ebx7)
 	X86.HasAVX2 = isSet(5, ebx7) && osSupportsAVX
 	X86.HasBMI2 = isSet(8, ebx7)
@@ -137,24 +134,14 @@ func archInit() {
 		X86.HasAVX512VAES = isSet(9, ecx7)
 		X86.HasAVX512VBMI2 = isSet(6, ecx7)
 		X86.HasAVX512BITALG = isSet(12, ecx7)
+
+		eax71, _, _, _ := cpuid(7, 1)
+		X86.HasAVX512BF16 = isSet(5, eax71)
 	}

 	X86.HasAMXTile = isSet(24, edx7)
 	X86.HasAMXInt8 = isSet(25, edx7)
 	X86.HasAMXBF16 = isSet(22, edx7)
-
-	// These features depend on the second level of extended features.
-	if eax7 >= 1 {
-		eax71, _, _, edx71 := cpuid(7, 1)
-		if X86.HasAVX512 {
-			X86.HasAVX512BF16 = isSet(5, eax71)
-		}
-		if X86.HasAVX {
-			X86.HasAVXIFMA = isSet(23, eax71)
-			X86.HasAVXVNNI = isSet(4, eax71)
-			X86.HasAVXVNNIInt8 = isSet(4, edx71)
-		}
-	}
 }

 func isSet(bitpos uint, value uint32) bool {
--- a/vendor/golang.org/x/sys/unix/auxv.go
+++ b/vendor/golang.org/x/sys/unix/auxv.go
@@ -1,36 +0,0 @@
-// Copyright 2025 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.21 && (aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos)
-
-package unix
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-//go:linkname runtime_getAuxv runtime.getAuxv
-func runtime_getAuxv() []uintptr
-
-// Auxv returns the ELF auxiliary vector as a sequence of key/value pairs.
-// The returned slice is always a fresh copy, owned by the caller.
-// It returns an error on non-ELF platforms, or if the auxiliary vector cannot be accessed,
-// which happens in some locked-down environments and build modes.
-func Auxv() ([][2]uintptr, error) {
-	vec := runtime_getAuxv()
-	vecLen := len(vec)
-
-	if vecLen == 0 {
-		return nil, syscall.ENOENT
-	}
-
-	if vecLen%2 != 0 {
-		return nil, syscall.EINVAL
-	}
-
-	result := make([]uintptr, vecLen)
-	copy(result, vec)
-	return unsafe.Slice((*[2]uintptr)(unsafe.Pointer(&result[0])), vecLen/2), nil
-}
--- a/vendor/golang.org/x/sys/unix/auxv_unsupported.go
+++ b/vendor/golang.org/x/sys/unix/auxv_unsupported.go
@@ -1,13 +0,0 @@
-// Copyright 2025 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.21 && (aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos)
-
-package unix
-
-import "syscall"
-
-func Auxv() ([][2]uintptr, error) {
-	return nil, syscall.ENOTSUP
-}
--- a/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
+++ b/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
@@ -246,18 +246,6 @@ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
 	return sendfile(outfd, infd, offset, count)
 }

-func Dup3(oldfd, newfd, flags int) error {
-	if oldfd == newfd || flags&^O_CLOEXEC != 0 {
-		return EINVAL
-	}
-	how := F_DUP2FD
-	if flags&O_CLOEXEC != 0 {
-		how = F_DUP2FD_CLOEXEC
-	}
-	_, err := fcntl(oldfd, how, newfd)
-	return err
-}
-
 /*
 * Exposed directly
 */
--- a/vendor/golang.org/x/sys/unix/syscall_solaris.go
+++ b/vendor/golang.org/x/sys/unix/syscall_solaris.go
@@ -1102,90 +1102,3 @@ func (s *Strioctl) SetInt(i int) {
 func IoctlSetStrioctlRetInt(fd int, req int, s *Strioctl) (int, error) {
 	return ioctlPtrRet(fd, req, unsafe.Pointer(s))
 }
-
-// Ucred Helpers
-// See ucred(3c) and getpeerucred(3c)
-
-//sys	getpeerucred(fd uintptr, ucred *uintptr) (err error)
-//sys	ucredFree(ucred uintptr) = ucred_free
-//sys	ucredGet(pid int) (ucred uintptr, err error) = ucred_get
-//sys	ucredGeteuid(ucred uintptr) (uid int) = ucred_geteuid
-//sys	ucredGetegid(ucred uintptr) (gid int) = ucred_getegid
-//sys	ucredGetruid(ucred uintptr) (uid int) = ucred_getruid
-//sys	ucredGetrgid(ucred uintptr) (gid int) = ucred_getrgid
-//sys	ucredGetsuid(ucred uintptr) (uid int) = ucred_getsuid
-//sys	ucredGetsgid(ucred uintptr) (gid int) = ucred_getsgid
-//sys	ucredGetpid(ucred uintptr) (pid int) = ucred_getpid
-
-// Ucred is an opaque struct that holds user credentials.
-type Ucred struct {
-	ucred uintptr
-}
-
-// We need to ensure that ucredFree is called on the underlying ucred
-// when the Ucred is garbage collected.
-func ucredFinalizer(u *Ucred) {
-	ucredFree(u.ucred)
-}
-
-func GetPeerUcred(fd uintptr) (*Ucred, error) {
-	var ucred uintptr
-	err := getpeerucred(fd, &ucred)
-	if err != nil {
-		return nil, err
-	}
-	result := &Ucred{
-		ucred: ucred,
-	}
-	// set the finalizer on the result so that the ucred will be freed
-	runtime.SetFinalizer(result, ucredFinalizer)
-	return result, nil
-}
-
-func UcredGet(pid int) (*Ucred, error) {
-	ucred, err := ucredGet(pid)
-	if err != nil {
-		return nil, err
-	}
-	result := &Ucred{
-		ucred: ucred,
-	}
-	// set the finalizer on the result so that the ucred will be freed
-	runtime.SetFinalizer(result, ucredFinalizer)
-	return result, nil
-}
-
-func (u *Ucred) Geteuid() int {
-	defer runtime.KeepAlive(u)
-	return ucredGeteuid(u.ucred)
-}
-
-func (u *Ucred) Getruid() int {
-	defer runtime.KeepAlive(u)
-	return ucredGetruid(u.ucred)
-}
-
-func (u *Ucred) Getsuid() int {
-	defer runtime.KeepAlive(u)
-	return ucredGetsuid(u.ucred)
-}
-
-func (u *Ucred) Getegid() int {
-	defer runtime.KeepAlive(u)
-	return ucredGetegid(u.ucred)
-}
-
-func (u *Ucred) Getrgid() int {
-	defer runtime.KeepAlive(u)
-	return ucredGetrgid(u.ucred)
-}
-
-func (u *Ucred) Getsgid() int {
-	defer runtime.KeepAlive(u)
-	return ucredGetsgid(u.ucred)
-}
-
-func (u *Ucred) Getpid() int {
-	defer runtime.KeepAlive(u)
-	return ucredGetpid(u.ucred)
-}
--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go
@@ -1245,7 +1245,6 @@ const (
 	FAN_REPORT_DFID_NAME                        = 0xc00
 	FAN_REPORT_DFID_NAME_TARGET                 = 0x1e00
 	FAN_REPORT_DIR_FID                          = 0x400
-	FAN_REPORT_FD_ERROR                         = 0x2000
 	FAN_REPORT_FID                              = 0x200
 	FAN_REPORT_NAME                             = 0x800
 	FAN_REPORT_PIDFD                            = 0x80
@@ -1331,10 +1330,8 @@ const (
 	FUSE_SUPER_MAGIC                            = 0x65735546
 	FUTEXFS_SUPER_MAGIC                         = 0xbad1dea
 	F_ADD_SEALS                                 = 0x409
-	F_CREATED_QUERY                             = 0x404
 	F_DUPFD                                     = 0x0
 	F_DUPFD_CLOEXEC                             = 0x406
-	F_DUPFD_QUERY                               = 0x403
 	F_EXLCK                                     = 0x4
 	F_GETFD                                     = 0x1
 	F_GETFL                                     = 0x3
@@ -1554,7 +1551,6 @@ const (
 	IPPROTO_ROUTING                             = 0x2b
 	IPPROTO_RSVP                                = 0x2e
 	IPPROTO_SCTP                                = 0x84
-	IPPROTO_SMC                                 = 0x100
 	IPPROTO_TCP                                 = 0x6
 	IPPROTO_TP                                  = 0x1d
 	IPPROTO_UDP                                 = 0x11
@@ -1627,8 +1623,6 @@ const (
 	IPV6_UNICAST_IF                             = 0x4c
 	IPV6_USER_FLOW                              = 0xe
 	IPV6_V6ONLY                                 = 0x1a
-	IPV6_VERSION                                = 0x60
-	IPV6_VERSION_MASK                           = 0xf0
 	IPV6_XFRM_POLICY                            = 0x23
 	IP_ADD_MEMBERSHIP                           = 0x23
 	IP_ADD_SOURCE_MEMBERSHIP                    = 0x27
@@ -1873,7 +1867,6 @@ const (
 	MADV_UNMERGEABLE                            = 0xd
 	MADV_WILLNEED                               = 0x3
 	MADV_WIPEONFORK                             = 0x12
-	MAP_DROPPABLE                               = 0x8
 	MAP_FILE                                    = 0x0
 	MAP_FIXED                                   = 0x10
 	MAP_FIXED_NOREPLACE                         = 0x100000
@@ -1974,7 +1967,6 @@ const (
 	MSG_PEEK                                    = 0x2
 	MSG_PROXY                                   = 0x10
 	MSG_RST                                     = 0x1000
-	MSG_SOCK_DEVMEM                             = 0x2000000
 	MSG_SYN                                     = 0x400
 	MSG_TRUNC                                   = 0x20
 	MSG_TRYHARD                                 = 0x4
@@ -2091,7 +2083,6 @@ const (
 	NFC_ATR_REQ_MAXSIZE                         = 0x40
 	NFC_ATR_RES_GB_MAXSIZE                      = 0x2f
 	NFC_ATR_RES_MAXSIZE                         = 0x40
-	NFC_ATS_MAXSIZE                             = 0x14
 	NFC_COMM_ACTIVE                             = 0x0
 	NFC_COMM_PASSIVE                            = 0x1
 	NFC_DEVICE_NAME_MAXSIZE                     = 0x8
@@ -2172,7 +2163,6 @@ const (
 	NFNL_SUBSYS_QUEUE                           = 0x3
 	NFNL_SUBSYS_ULOG                            = 0x4
 	NFS_SUPER_MAGIC                             = 0x6969
-	NFT_BITWISE_BOOL                            = 0x0
 	NFT_CHAIN_FLAGS                             = 0x7
 	NFT_CHAIN_MAXNAMELEN                        = 0x100
 	NFT_CT_MAX                                  = 0x17
@@ -2501,7 +2491,6 @@ const (
 	PR_GET_PDEATHSIG                            = 0x2
 	PR_GET_SECCOMP                              = 0x15
 	PR_GET_SECUREBITS                           = 0x1b
-	PR_GET_SHADOW_STACK_STATUS                  = 0x4a
 	PR_GET_SPECULATION_CTRL                     = 0x34
 	PR_GET_TAGGED_ADDR_CTRL                     = 0x38
 	PR_GET_THP_DISABLE                          = 0x2a
@@ -2510,7 +2499,6 @@ const (
 	PR_GET_TIMING                               = 0xd
 	PR_GET_TSC                                  = 0x19
 	PR_GET_UNALIGN                              = 0x5
-	PR_LOCK_SHADOW_STACK_STATUS                 = 0x4c
 	PR_MCE_KILL                                 = 0x21
 	PR_MCE_KILL_CLEAR                           = 0x0
 	PR_MCE_KILL_DEFAULT                         = 0x2
@@ -2537,8 +2525,6 @@ const (
 	PR_PAC_GET_ENABLED_KEYS                     = 0x3d
 	PR_PAC_RESET_KEYS                           = 0x36
 	PR_PAC_SET_ENABLED_KEYS                     = 0x3c
-	PR_PMLEN_MASK                               = 0x7f000000
-	PR_PMLEN_SHIFT                              = 0x18
 	PR_PPC_DEXCR_CTRL_CLEAR                     = 0x4
 	PR_PPC_DEXCR_CTRL_CLEAR_ONEXEC              = 0x10
 	PR_PPC_DEXCR_CTRL_EDITABLE                  = 0x1
@@ -2606,7 +2592,6 @@ const (
 	PR_SET_PTRACER                              = 0x59616d61
 	PR_SET_SECCOMP                              = 0x16
 	PR_SET_SECUREBITS                           = 0x1c
-	PR_SET_SHADOW_STACK_STATUS                  = 0x4b
 	PR_SET_SPECULATION_CTRL                     = 0x35
 	PR_SET_SYSCALL_USER_DISPATCH                = 0x3b
 	PR_SET_TAGGED_ADDR_CTRL                     = 0x37
@@ -2617,9 +2602,6 @@ const (
 	PR_SET_UNALIGN                              = 0x6
 	PR_SET_VMA                                  = 0x53564d41
 	PR_SET_VMA_ANON_NAME                        = 0x0
-	PR_SHADOW_STACK_ENABLE                      = 0x1
-	PR_SHADOW_STACK_PUSH                        = 0x4
-	PR_SHADOW_STACK_WRITE                       = 0x2
 	PR_SME_GET_VL                               = 0x40
 	PR_SME_SET_VL                               = 0x3f
 	PR_SME_SET_VL_ONEXEC                        = 0x40000
@@ -2929,6 +2911,7 @@ const (
 	RTM_NEWNEXTHOP                              = 0x68
 	RTM_NEWNEXTHOPBUCKET                        = 0x74
 	RTM_NEWNSID                                 = 0x58
+	RTM_NEWNVLAN                                = 0x70
 	RTM_NEWPREFIX                               = 0x34
 	RTM_NEWQDISC                                = 0x24
 	RTM_NEWROUTE                                = 0x18
@@ -2937,7 +2920,6 @@ const (
 	RTM_NEWTCLASS                               = 0x28
 	RTM_NEWTFILTER                              = 0x2c
 	RTM_NEWTUNNEL                               = 0x78
-	RTM_NEWVLAN                                 = 0x70
 	RTM_NR_FAMILIES                             = 0x1b
 	RTM_NR_MSGTYPES                             = 0x6c
 	RTM_SETDCB                                  = 0x4f
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
@@ -116,8 +116,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
-	IPV6_FLOWINFO_MASK               = 0xffffff0f
-	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -306,7 +304,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
@@ -116,8 +116,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
-	IPV6_FLOWINFO_MASK               = 0xffffff0f
-	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -307,7 +305,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
-	IPV6_FLOWINFO_MASK               = 0xffffff0f
-	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -312,7 +310,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
@@ -109,7 +109,6 @@ const (
 	F_SETOWN                         = 0x8
 	F_UNLCK                          = 0x2
 	F_WRLCK                          = 0x1
-	GCS_MAGIC                        = 0x47435300
 	HIDIOCGRAWINFO                   = 0x80084803
 	HIDIOCGRDESC                     = 0x90044802
 	HIDIOCGRDESCSIZE                 = 0x80044801
@@ -120,8 +119,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
-	IPV6_FLOWINFO_MASK               = 0xffffff0f
-	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -305,7 +302,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
@@ -116,8 +116,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
-	IPV6_FLOWINFO_MASK               = 0xffffff0f
-	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -299,7 +297,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
-	IPV6_FLOWINFO_MASK               = 0xfffffff
-	IPV6_FLOWLABEL_MASK              = 0xfffff
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -305,7 +303,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
-	IPV6_FLOWINFO_MASK               = 0xfffffff
-	IPV6_FLOWLABEL_MASK              = 0xfffff
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -305,7 +303,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
-	IPV6_FLOWINFO_MASK               = 0xffffff0f
-	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -305,7 +303,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
-	IPV6_FLOWINFO_MASK               = 0xffffff0f
-	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -305,7 +303,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
-	IPV6_FLOWINFO_MASK               = 0xfffffff
-	IPV6_FLOWLABEL_MASK              = 0xfffff
 	ISIG                             = 0x80
 	IUCLC                            = 0x1000
 	IXOFF                            = 0x400
@@ -360,7 +358,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
-	IPV6_FLOWINFO_MASK               = 0xfffffff
-	IPV6_FLOWLABEL_MASK              = 0xfffff
 	ISIG                             = 0x80
 	IUCLC                            = 0x1000
 	IXOFF                            = 0x400
@@ -364,7 +362,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
-	IPV6_FLOWINFO_MASK               = 0xffffff0f
-	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x80
 	IUCLC                            = 0x1000
 	IXOFF                            = 0x400
@@ -364,7 +362,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
-	IPV6_FLOWINFO_MASK               = 0xffffff0f
-	IPV6_FLOWLABEL_MASK              = 0xffff0f00
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -296,7 +294,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
@@ -115,8 +115,6 @@ const (
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
-	IPV6_FLOWINFO_MASK               = 0xfffffff
-	IPV6_FLOWLABEL_MASK              = 0xfffff
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -368,7 +366,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
 	SCM_TIMESTAMPNS                  = 0x23
-	SCM_TS_OPT_ID                    = 0x51
 	SCM_TXTIME                       = 0x3d
 	SCM_WIFI_STATUS                  = 0x29
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x40182103
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
@@ -119,8 +119,6 @@ const (
 	IN_CLOEXEC                       = 0x400000
 	IN_NONBLOCK                      = 0x4000
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
-	IPV6_FLOWINFO_MASK               = 0xfffffff
-	IPV6_FLOWLABEL_MASK              = 0xfffff
 	ISIG                             = 0x1
 	IUCLC                            = 0x200
 	IXOFF                            = 0x1000
@@ -359,7 +357,6 @@ const (
 	SCM_TIMESTAMPING_OPT_STATS       = 0x38
 	SCM_TIMESTAMPING_PKTINFO         = 0x3c
 	SCM_TIMESTAMPNS                  = 0x21
-	SCM_TS_OPT_ID                    = 0x5a
 	SCM_TXTIME                       = 0x3f
 	SCM_WIFI_STATUS                  = 0x25
 	SECCOMP_IOCTL_NOTIF_ADDFD        = 0x80182103
--- a/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
@@ -141,16 +141,6 @@ import (
 //go:cgo_import_dynamic libc_getpeername getpeername "libsocket.so"
 //go:cgo_import_dynamic libc_setsockopt setsockopt "libsocket.so"
 //go:cgo_import_dynamic libc_recvfrom recvfrom "libsocket.so"
-//go:cgo_import_dynamic libc_getpeerucred getpeerucred "libc.so"
-//go:cgo_import_dynamic libc_ucred_get ucred_get "libc.so"
-//go:cgo_import_dynamic libc_ucred_geteuid ucred_geteuid "libc.so"
-//go:cgo_import_dynamic libc_ucred_getegid ucred_getegid "libc.so"
-//go:cgo_import_dynamic libc_ucred_getruid ucred_getruid "libc.so"
-//go:cgo_import_dynamic libc_ucred_getrgid ucred_getrgid "libc.so"
-//go:cgo_import_dynamic libc_ucred_getsuid ucred_getsuid "libc.so"
-//go:cgo_import_dynamic libc_ucred_getsgid ucred_getsgid "libc.so"
-//go:cgo_import_dynamic libc_ucred_getpid ucred_getpid "libc.so"
-//go:cgo_import_dynamic libc_ucred_free ucred_free "libc.so"
 //go:cgo_import_dynamic libc_port_create port_create "libc.so"
 //go:cgo_import_dynamic libc_port_associate port_associate "libc.so"
 //go:cgo_import_dynamic libc_port_dissociate port_dissociate "libc.so"
@@ -290,16 +280,6 @@ import (
 //go:linkname procgetpeername libc_getpeername
 //go:linkname procsetsockopt libc_setsockopt
 //go:linkname procrecvfrom libc_recvfrom
-//go:linkname procgetpeerucred libc_getpeerucred
-//go:linkname procucred_get libc_ucred_get
-//go:linkname procucred_geteuid libc_ucred_geteuid
-//go:linkname procucred_getegid libc_ucred_getegid
-//go:linkname procucred_getruid libc_ucred_getruid
-//go:linkname procucred_getrgid libc_ucred_getrgid
-//go:linkname procucred_getsuid libc_ucred_getsuid
-//go:linkname procucred_getsgid libc_ucred_getsgid
-//go:linkname procucred_getpid libc_ucred_getpid
-//go:linkname procucred_free libc_ucred_free
 //go:linkname procport_create libc_port_create
 //go:linkname procport_associate libc_port_associate
 //go:linkname procport_dissociate libc_port_dissociate
@@ -440,16 +420,6 @@ var (
 	procgetpeername,
 	procsetsockopt,
 	procrecvfrom,
-	procgetpeerucred,
-	procucred_get,
-	procucred_geteuid,
-	procucred_getegid,
-	procucred_getruid,
-	procucred_getrgid,
-	procucred_getsuid,
-	procucred_getsgid,
-	procucred_getpid,
-	procucred_free,
 	procport_create,
 	procport_associate,
 	procport_dissociate,
@@ -2059,90 +2029,6 @@ func recvfrom(fd int, p []byte, flags int, from *RawSockaddrAny, fromlen *_Sockl

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

-func getpeerucred(fd uintptr, ucred *uintptr) (err error) {
-	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procgetpeerucred)), 2, uintptr(fd), uintptr(unsafe.Pointer(ucred)), 0, 0, 0, 0)
-	if e1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func ucredGet(pid int) (ucred uintptr, err error) {
-	r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procucred_get)), 1, uintptr(pid), 0, 0, 0, 0, 0)
-	ucred = uintptr(r0)
-	if e1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func ucredGeteuid(ucred uintptr) (uid int) {
-	r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_geteuid)), 1, uintptr(ucred), 0, 0, 0, 0, 0)
-	uid = int(r0)
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func ucredGetegid(ucred uintptr) (gid int) {
-	r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getegid)), 1, uintptr(ucred), 0, 0, 0, 0, 0)
-	gid = int(r0)
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func ucredGetruid(ucred uintptr) (uid int) {
-	r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getruid)), 1, uintptr(ucred), 0, 0, 0, 0, 0)
-	uid = int(r0)
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func ucredGetrgid(ucred uintptr) (gid int) {
-	r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getrgid)), 1, uintptr(ucred), 0, 0, 0, 0, 0)
-	gid = int(r0)
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func ucredGetsuid(ucred uintptr) (uid int) {
-	r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getsuid)), 1, uintptr(ucred), 0, 0, 0, 0, 0)
-	uid = int(r0)
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func ucredGetsgid(ucred uintptr) (gid int) {
-	r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getsgid)), 1, uintptr(ucred), 0, 0, 0, 0, 0)
-	gid = int(r0)
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func ucredGetpid(ucred uintptr) (pid int) {
-	r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getpid)), 1, uintptr(ucred), 0, 0, 0, 0, 0)
-	pid = int(r0)
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func ucredFree(ucred uintptr) {
-	sysvicall6(uintptr(unsafe.Pointer(&procucred_free)), 1, uintptr(ucred), 0, 0, 0, 0, 0)
-	return
-}
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
 func port_create() (n int, err error) {
 	r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procport_create)), 0, 0, 0, 0, 0, 0, 0)
 	n = int(r0)
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
@@ -458,8 +458,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR            = 460
 	SYS_LSM_LIST_MODULES             = 461
 	SYS_MSEAL                        = 462
-	SYS_SETXATTRAT                   = 463
-	SYS_GETXATTRAT                   = 464
-	SYS_LISTXATTRAT                  = 465
-	SYS_REMOVEXATTRAT                = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
@@ -381,8 +381,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
 	SYS_MSEAL                   = 462
-	SYS_SETXATTRAT              = 463
-	SYS_GETXATTRAT              = 464
-	SYS_LISTXATTRAT             = 465
-	SYS_REMOVEXATTRAT           = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
@@ -422,8 +422,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR            = 460
 	SYS_LSM_LIST_MODULES             = 461
 	SYS_MSEAL                        = 462
-	SYS_SETXATTRAT                   = 463
-	SYS_GETXATTRAT                   = 464
-	SYS_LISTXATTRAT                  = 465
-	SYS_REMOVEXATTRAT                = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
@@ -325,8 +325,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
 	SYS_MSEAL                   = 462
-	SYS_SETXATTRAT              = 463
-	SYS_GETXATTRAT              = 464
-	SYS_LISTXATTRAT             = 465
-	SYS_REMOVEXATTRAT           = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
@@ -321,8 +321,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
 	SYS_MSEAL                   = 462
-	SYS_SETXATTRAT              = 463
-	SYS_GETXATTRAT              = 464
-	SYS_LISTXATTRAT             = 465
-	SYS_REMOVEXATTRAT           = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
@@ -442,8 +442,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR            = 4460
 	SYS_LSM_LIST_MODULES             = 4461
 	SYS_MSEAL                        = 4462
-	SYS_SETXATTRAT                   = 4463
-	SYS_GETXATTRAT                   = 4464
-	SYS_LISTXATTRAT                  = 4465
-	SYS_REMOVEXATTRAT                = 4466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
@@ -372,8 +372,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 5460
 	SYS_LSM_LIST_MODULES        = 5461
 	SYS_MSEAL                   = 5462
-	SYS_SETXATTRAT              = 5463
-	SYS_GETXATTRAT              = 5464
-	SYS_LISTXATTRAT             = 5465
-	SYS_REMOVEXATTRAT           = 5466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
@@ -372,8 +372,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 5460
 	SYS_LSM_LIST_MODULES        = 5461
 	SYS_MSEAL                   = 5462
-	SYS_SETXATTRAT              = 5463
-	SYS_GETXATTRAT              = 5464
-	SYS_LISTXATTRAT             = 5465
-	SYS_REMOVEXATTRAT           = 5466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
@@ -442,8 +442,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR            = 4460
 	SYS_LSM_LIST_MODULES             = 4461
 	SYS_MSEAL                        = 4462
-	SYS_SETXATTRAT                   = 4463
-	SYS_GETXATTRAT                   = 4464
-	SYS_LISTXATTRAT                  = 4465
-	SYS_REMOVEXATTRAT                = 4466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
@@ -449,8 +449,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR            = 460
 	SYS_LSM_LIST_MODULES             = 461
 	SYS_MSEAL                        = 462
-	SYS_SETXATTRAT                   = 463
-	SYS_GETXATTRAT                   = 464
-	SYS_LISTXATTRAT                  = 465
-	SYS_REMOVEXATTRAT                = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
@@ -421,8 +421,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
 	SYS_MSEAL                   = 462
-	SYS_SETXATTRAT              = 463
-	SYS_GETXATTRAT              = 464
-	SYS_LISTXATTRAT             = 465
-	SYS_REMOVEXATTRAT           = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
@@ -421,8 +421,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
 	SYS_MSEAL                   = 462
-	SYS_SETXATTRAT              = 463
-	SYS_GETXATTRAT              = 464
-	SYS_LISTXATTRAT             = 465
-	SYS_REMOVEXATTRAT           = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
@@ -326,8 +326,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
 	SYS_MSEAL                   = 462
-	SYS_SETXATTRAT              = 463
-	SYS_GETXATTRAT              = 464
-	SYS_LISTXATTRAT             = 465
-	SYS_REMOVEXATTRAT           = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
@@ -387,8 +387,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
 	SYS_MSEAL                   = 462
-	SYS_SETXATTRAT              = 463
-	SYS_GETXATTRAT              = 464
-	SYS_LISTXATTRAT             = 465
-	SYS_REMOVEXATTRAT           = 466
 )
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
@@ -400,8 +400,4 @@ const (
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
 	SYS_MSEAL                   = 462
-	SYS_SETXATTRAT              = 463
-	SYS_GETXATTRAT              = 464
-	SYS_LISTXATTRAT             = 465
-	SYS_REMOVEXATTRAT           = 466
 )
--- a/vendor/golang.org/x/sys/unix/ztypes_linux.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go
@@ -4747,7 +4747,7 @@ const (
 	NL80211_ATTR_MAC_HINT                                   = 0xc8
 	NL80211_ATTR_MAC_MASK                                   = 0xd7
 	NL80211_ATTR_MAX_AP_ASSOC_STA                           = 0xca
-	NL80211_ATTR_MAX                                        = 0x14d
+	NL80211_ATTR_MAX                                        = 0x14c
 	NL80211_ATTR_MAX_CRIT_PROT_DURATION                     = 0xb4
 	NL80211_ATTR_MAX_CSA_COUNTERS                           = 0xce
 	NL80211_ATTR_MAX_MATCH_SETS                             = 0x85
@@ -5519,7 +5519,7 @@ const (
 	NL80211_MNTR_FLAG_CONTROL                               = 0x3
 	NL80211_MNTR_FLAG_COOK_FRAMES                           = 0x5
 	NL80211_MNTR_FLAG_FCSFAIL                               = 0x1
-	NL80211_MNTR_FLAG_MAX                                   = 0x7
+	NL80211_MNTR_FLAG_MAX                                   = 0x6
 	NL80211_MNTR_FLAG_OTHER_BSS                             = 0x4
 	NL80211_MNTR_FLAG_PLCPFAIL                              = 0x2
 	NL80211_MPATH_FLAG_ACTIVE                               = 0x1
@@ -6174,5 +6174,3 @@ type SockDiagReq struct {
 	Family   uint8
 	Protocol uint8
 }
-
-const RTM_NEWNVLAN = 0x70
--- a/vendor/golang.org/x/sys/windows/dll_windows.go
+++ b/vendor/golang.org/x/sys/windows/dll_windows.go
@@ -43,8 +43,8 @@ type DLL struct {
 // LoadDLL loads DLL file into memory.
 //
 // Warning: using LoadDLL without an absolute path name is subject to
-// DLL preloading attacks. To safely load a system DLL, use [NewLazySystemDLL],
-// or use [LoadLibraryEx] directly.
+// DLL preloading attacks. To safely load a system DLL, use LazyDLL
+// with System set to true, or use LoadLibraryEx directly.
 func LoadDLL(name string) (dll *DLL, err error) {
 	namep, err := UTF16PtrFromString(name)
 	if err != nil {
@@ -271,9 +271,6 @@ func (d *LazyDLL) NewProc(name string) *LazyProc {
 }

 // NewLazyDLL creates new LazyDLL associated with DLL file.
-//
-// Warning: using NewLazyDLL without an absolute path name is subject to
-// DLL preloading attacks. To safely load a system DLL, use [NewLazySystemDLL].
 func NewLazyDLL(name string) *LazyDLL {
 	return &LazyDLL{Name: name}
 }
@@ -413,3 +410,7 @@ func loadLibraryEx(name string, system bool) (*DLL, error) {
 	}
 	return &DLL{Name: name, Handle: h}, nil
 }
+
+type errString string
+
+func (s errString) Error() string { return string(s) }
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -318,7 +318,7 @@ github.com/fsnotify/fsnotify
 # github.com/fxamacker/cbor/v2 v2.7.0
 ## explicit; go 1.17
 github.com/fxamacker/cbor/v2
-# github.com/go-jose/go-jose/v4 v4.0.5
+# github.com/go-jose/go-jose/v4 v4.0.4
 ## explicit; go 1.21
 github.com/go-jose/go-jose/v4
 github.com/go-jose/go-jose/v4/cipher
@@ -675,8 +675,8 @@ go.opentelemetry.io/proto/otlp/collector/trace/v1
 go.opentelemetry.io/proto/otlp/common/v1
 go.opentelemetry.io/proto/otlp/resource/v1
 go.opentelemetry.io/proto/otlp/trace/v1
-# golang.org/x/crypto v0.36.0
-## explicit; go 1.23.0
+# golang.org/x/crypto v0.31.0
+## explicit; go 1.20
 golang.org/x/crypto/cast5
 golang.org/x/crypto/cryptobyte
 golang.org/x/crypto/cryptobyte/asn1
@@ -695,8 +695,8 @@ golang.org/x/exp/slices
 # golang.org/x/mod v0.21.0
 ## explicit; go 1.22.0
 golang.org/x/mod/semver
-# golang.org/x/net v0.37.0
-## explicit; go 1.23.0
+# golang.org/x/net v0.33.0
+## explicit; go 1.18
 golang.org/x/net/bpf
 golang.org/x/net/html
 golang.org/x/net/html/atom
@@ -704,23 +704,22 @@ golang.org/x/net/http/httpguts
 golang.org/x/net/http2
 golang.org/x/net/http2/hpack
 golang.org/x/net/idna
-golang.org/x/net/internal/httpcommon
 golang.org/x/net/internal/socks
 golang.org/x/net/internal/timeseries
 golang.org/x/net/proxy
 golang.org/x/net/trace
 golang.org/x/net/websocket
-# golang.org/x/oauth2 v0.28.0
-## explicit; go 1.23.0
+# golang.org/x/oauth2 v0.23.0
+## explicit; go 1.18
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
-# golang.org/x/sync v0.12.0
-## explicit; go 1.23.0
+# golang.org/x/sync v0.10.0
+## explicit; go 1.18
 golang.org/x/sync/errgroup
 golang.org/x/sync/semaphore
 golang.org/x/sync/singleflight
-# golang.org/x/sys v0.31.0
-## explicit; go 1.23.0
+# golang.org/x/sys v0.28.0
+## explicit; go 1.18
 golang.org/x/sys/cpu
 golang.org/x/sys/execabs
 golang.org/x/sys/plan9
@@ -730,11 +729,11 @@ golang.org/x/sys/windows/registry
 golang.org/x/sys/windows/svc
 golang.org/x/sys/windows/svc/debug
 golang.org/x/sys/windows/svc/mgr
-# golang.org/x/term v0.30.0
-## explicit; go 1.23.0
+# golang.org/x/term v0.27.0
+## explicit; go 1.18
 golang.org/x/term
-# golang.org/x/text v0.23.0
-## explicit; go 1.23.0
+# golang.org/x/text v0.21.0
+## explicit; go 1.18
 golang.org/x/text/secure/bidirule
 golang.org/x/text/transform
 golang.org/x/text/unicode/bidi
@@ -1184,12 +1183,12 @@ sigs.k8s.io/structured-merge-diff/v4/value
 ## explicit; go 1.12
 sigs.k8s.io/yaml
 sigs.k8s.io/yaml/goyaml.v2
-# tags.cncf.io/container-device-interface v1.0.0
+# tags.cncf.io/container-device-interface v0.8.1
 ## explicit; go 1.20
 tags.cncf.io/container-device-interface/internal/validation
 tags.cncf.io/container-device-interface/internal/validation/k8s
 tags.cncf.io/container-device-interface/pkg/cdi
 tags.cncf.io/container-device-interface/pkg/parser
-# tags.cncf.io/container-device-interface/specs-go v1.0.0
+# tags.cncf.io/container-device-interface/specs-go v0.8.0
 ## explicit; go 1.19
 tags.cncf.io/container-device-interface/specs-go
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/annotations.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/annotations.go
@@ -71,7 +71,7 @@ func ParseAnnotations(annotations map[string]string) ([]string, []string, error)
 			continue
 		}
 		for _, d := range strings.Split(value, ",") {
-			if !parser.IsQualifiedName(d) {
+			if !IsQualifiedName(d) {
 				return nil, nil, fmt.Errorf("invalid CDI device name %q", d)
 			}
 			devices = append(devices, d)
@@ -130,7 +130,7 @@ func AnnotationKey(pluginName, deviceID string) (string, error) {
 func AnnotationValue(devices []string) (string, error) {
 	value, sep := "", ""
 	for _, d := range devices {
-		if _, _, _, err := parser.ParseQualifiedName(d); err != nil {
+		if _, _, _, err := ParseQualifiedName(d); err != nil {
 			return "", err
 		}
 		value += sep + d
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go
@@ -22,7 +22,6 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
-	"runtime"
 	"sort"
 	"strings"
 	"sync"
@@ -117,7 +116,7 @@ func (c *Cache) configure(options ...Option) {
 		c.watch.setup(c.specDirs, c.dirErrors)
 		c.watch.start(&c.Mutex, c.refresh, c.dirErrors)
 	}
-	_ = c.refresh() // we record but ignore errors
+	c.refresh()
 }

 // Refresh rescans the CDI Spec directories and refreshes the Cache.
@@ -223,8 +222,7 @@ func (c *Cache) refreshIfRequired(force bool) (bool, error) {

 // InjectDevices injects the given qualified devices to an OCI Spec. It
 // returns any unresolvable devices and an error if injection fails for
-// any of the devices. Might trigger a cache refresh, in which case any
-// errors encountered can be obtained using GetErrors().
+// any of the devices.
 func (c *Cache) InjectDevices(ociSpec *oci.Spec, devices ...string) ([]string, error) {
 	var unresolved []string

@@ -235,7 +233,7 @@ func (c *Cache) InjectDevices(ociSpec *oci.Spec, devices ...string) ([]string, e
 	c.Lock()
 	defer c.Unlock()

-	_, _ = c.refreshIfRequired(false) // we record but ignore errors
+	c.refreshIfRequired(false)

 	edits := &ContainerEdits{}
 	specs := map[*Spec]struct{}{}
@@ -337,27 +335,24 @@ func (c *Cache) RemoveSpec(name string) error {
 	return err
 }

-// GetDevice returns the cached device for the given qualified name. Might trigger
-// a cache refresh, in which case any errors encountered can be obtained using
-// GetErrors().
+// GetDevice returns the cached device for the given qualified name.
 func (c *Cache) GetDevice(device string) *Device {
 	c.Lock()
 	defer c.Unlock()

-	_, _ = c.refreshIfRequired(false) // we record but ignore errors
+	c.refreshIfRequired(false)

 	return c.devices[device]
 }

-// ListDevices lists all cached devices by qualified name. Might trigger a cache
-// refresh, in which case any errors encountered can be obtained using GetErrors().
+// ListDevices lists all cached devices by qualified name.
 func (c *Cache) ListDevices() []string {
 	var devices []string

 	c.Lock()
 	defer c.Unlock()

-	_, _ = c.refreshIfRequired(false) // we record but ignore errors
+	c.refreshIfRequired(false)

 	for name := range c.devices {
 		devices = append(devices, name)
@@ -367,15 +362,14 @@ func (c *Cache) ListDevices() []string {
 	return devices
 }

-// ListVendors lists all vendors known to the cache. Might trigger a cache refresh,
-// in which case any errors encountered can be obtained using GetErrors().
+// ListVendors lists all vendors known to the cache.
 func (c *Cache) ListVendors() []string {
 	var vendors []string

 	c.Lock()
 	defer c.Unlock()

-	_, _ = c.refreshIfRequired(false) // we record but ignore errors
+	c.refreshIfRequired(false)

 	for vendor := range c.specs {
 		vendors = append(vendors, vendor)
@@ -385,8 +379,7 @@ func (c *Cache) ListVendors() []string {
 	return vendors
 }

-// ListClasses lists all device classes known to the cache. Might trigger a cache
-// refresh, in which case any errors encountered can be obtained using GetErrors().
+// ListClasses lists all device classes known to the cache.
 func (c *Cache) ListClasses() []string {
 	var (
 		cmap    = map[string]struct{}{}
@@ -396,7 +389,7 @@ func (c *Cache) ListClasses() []string {
 	c.Lock()
 	defer c.Unlock()

-	_, _ = c.refreshIfRequired(false) // we record but ignore errors
+	c.refreshIfRequired(false)

 	for _, specs := range c.specs {
 		for _, spec := range specs {
@@ -411,13 +404,12 @@ func (c *Cache) ListClasses() []string {
 	return classes
 }

-// GetVendorSpecs returns all specs for the given vendor. Might trigger a cache
-// refresh, in which case any errors encountered can be obtained using GetErrors().
+// GetVendorSpecs returns all specs for the given vendor.
 func (c *Cache) GetVendorSpecs(vendor string) []*Spec {
 	c.Lock()
 	defer c.Unlock()

-	_, _ = c.refreshIfRequired(false) // we record but ignore errors
+	c.refreshIfRequired(false)

 	return c.specs[vendor]
 }
@@ -530,13 +522,6 @@ func (w *watch) watch(fsw *fsnotify.Watcher, m *sync.Mutex, refresh func() error
 	if watch == nil {
 		return
 	}
-
-	eventMask := fsnotify.Rename | fsnotify.Remove | fsnotify.Write
-	// On macOS, we also need to watch for Create events.
-	if runtime.GOOS == "darwin" {
-		eventMask |= fsnotify.Create
-	}
-
 	for {
 		select {
 		case event, ok := <-watch.Events:
@@ -544,10 +529,10 @@ func (w *watch) watch(fsw *fsnotify.Watcher, m *sync.Mutex, refresh func() error
 				return
 			}

-			if (event.Op & eventMask) == 0 {
+			if (event.Op & (fsnotify.Rename | fsnotify.Remove | fsnotify.Write)) == 0 {
 				continue
 			}
-			if event.Op == fsnotify.Write || event.Op == fsnotify.Create {
+			if event.Op == fsnotify.Write {
 				if ext := filepath.Ext(event.Name); ext != ".json" && ext != ".yaml" {
 					continue
 				}
@@ -559,7 +544,7 @@ func (w *watch) watch(fsw *fsnotify.Watcher, m *sync.Mutex, refresh func() error
 			} else {
 				w.update(dirErrors)
 			}
-			_ = refresh()
+			refresh()
 			m.Unlock()

 		case _, ok := <-watch.Errors:
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_darwin.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_darwin.go
@@ -1,26 +0,0 @@
-//go:build darwin
-// +build darwin
-
-/*
-   Copyright © 2021 The CDI Authors
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package cdi
-
-import "syscall"
-
-func osSync() {
-	_ = syscall.Sync()
-}
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_unix.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_unix.go
@@ -1,5 +1,5 @@
-//go:build !windows && !darwin
-// +build !windows,!darwin
+//go:build !windows
+// +build !windows

 /*
   Copyright © 2021 The CDI Authors
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go
@@ -26,7 +26,7 @@ import (

 	oci "github.com/opencontainers/runtime-spec/specs-go"
 	ocigen "github.com/opencontainers/runtime-tools/generate"
-	cdi "tags.cncf.io/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/specs-go"
 )

 const (
@@ -64,7 +64,7 @@ var (
 // to all OCI Specs where at least one devices from the CDI Spec
 // is injected.
 type ContainerEdits struct {
-	*cdi.ContainerEdits
+	*specs.ContainerEdits
 }

 // Apply edits to the given OCI Spec. Updates the OCI Spec in place.
@@ -205,7 +205,7 @@ func (e *ContainerEdits) Append(o *ContainerEdits) *ContainerEdits {
 		e = &ContainerEdits{}
 	}
 	if e.ContainerEdits == nil {
-		e.ContainerEdits = &cdi.ContainerEdits{}
+		e.ContainerEdits = &specs.ContainerEdits{}
 	}

 	e.Env = append(e.Env, o.Env...)
@@ -259,7 +259,7 @@ func ValidateEnv(env []string) error {

 // DeviceNode is a CDI Spec DeviceNode wrapper, used for validating DeviceNodes.
 type DeviceNode struct {
-	*cdi.DeviceNode
+	*specs.DeviceNode
 }

 // Validate a CDI Spec DeviceNode.
@@ -289,7 +289,7 @@ func (d *DeviceNode) Validate() error {

 // Hook is a CDI Spec Hook wrapper, used for validating hooks.
 type Hook struct {
-	*cdi.Hook
+	*specs.Hook
 }

 // Validate a hook.
@@ -308,7 +308,7 @@ func (h *Hook) Validate() error {

 // Mount is a CDI Mount wrapper, used for validating mounts.
 type Mount struct {
-	*cdi.Mount
+	*specs.Mount
 }

 // Validate a mount.
@@ -325,13 +325,13 @@ func (m *Mount) Validate() error {
 // IntelRdt is a CDI IntelRdt wrapper.
 // This is used for validation and conversion to OCI specifications.
 type IntelRdt struct {
-	*cdi.IntelRdt
+	*specs.IntelRdt
 }

 // ValidateIntelRdt validates the IntelRdt configuration.
 //
 // Deprecated: ValidateIntelRdt is deprecated use IntelRdt.Validate() instead.
-func ValidateIntelRdt(i *cdi.IntelRdt) error {
+func ValidateIntelRdt(i *specs.IntelRdt) error {
 	return (&IntelRdt{i}).Validate()
 }

@@ -355,7 +355,7 @@ func ensureOCIHooks(spec *oci.Spec) {
 func sortMounts(specgen *ocigen.Generator) {
 	mounts := specgen.Mounts()
 	specgen.ClearMounts()
-	sort.Stable(orderedMounts(mounts))
+	sort.Sort(orderedMounts(mounts))
 	specgen.Config.Mounts = mounts
 }

@@ -375,7 +375,14 @@ func (m orderedMounts) Len() int {
 // mount indexed by parameter 1 is less than that of the mount indexed by
 // parameter 2. Used in sorting.
 func (m orderedMounts) Less(i, j int) bool {
-	return m.parts(i) < m.parts(j)
+	ip, jp := m.parts(i), m.parts(j)
+	if ip < jp {
+		return true
+	}
+	if jp < ip {
+		return false
+	}
+	return m[i].Destination < m[j].Destination
 }

 // Swap swaps two items in an array of mounts. Used in sorting
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/device.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/device.go
@@ -67,7 +67,7 @@ func (d *Device) edits() *ContainerEdits {

 // Validate the device.
 func (d *Device) validate() error {
-	if err := parser.ValidateDeviceName(d.Name); err != nil {
+	if err := ValidateDeviceName(d.Name); err != nil {
 		return err
 	}
 	name := d.Name
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/doc.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/doc.go
@@ -35,11 +35,25 @@
 // available and instantiated the first time it is referenced directly
 // or indirectly. The most frequently used cache functions are available
 // as identically named package level functions which operate on the
-// default cache instance.
+// default cache instance. Moreover, the registry also operates on the
+// same default cache. We plan to deprecate the registry and eventually
+// remove it in a future release.
+//
+// # CDI Registry
+//
+// Note: the Registry and its related interfaces are deprecated and will
+// be removed in a future version. Please use the default cache and its
+// related package-level function instead.
+//
+// The primary interface to interact with CDI devices is the Registry. It
+// is essentially a cache of all Specs and devices discovered in standard
+// CDI directories on the host. The registry has two main functionality,
+// injecting devices into an OCI Spec and refreshing the cache of CDI
+// Specs and devices.
 //
 // # Device Injection
 //
-// Using the Cache one can inject CDI devices into a container with code
+// Using the Registry one can inject CDI devices into a container with code
 // similar to the following snippet:
 //
 //	import (
@@ -49,14 +63,13 @@
 //	    log "github.com/sirupsen/logrus"
 //
 //	    "tags.cncf.io/container-device-interface/pkg/cdi"
-//	    "github.com/opencontainers/runtime-spec/specs-go"
+//	    oci "github.com/opencontainers/runtime-spec/specs-go"
 //	)
 //
-//	func injectCDIDevices(spec *specs.Spec, devices []string) error {
+//	func injectCDIDevices(spec *oci.Spec, devices []string) error {
 //	    log.Debug("pristine OCI Spec: %s", dumpSpec(spec))
 //
-//	    cache := cdi.GetDefaultCache()
-//	    unresolved, err := cache.InjectDevices(spec, devices)
+//	    unresolved, err := cdi.GetRegistry().InjectDevices(spec, devices)
 //	    if err != nil {
 //	        return fmt.Errorf("CDI device injection failed: %w", err)
 //	    }
@@ -93,17 +106,17 @@
 //	    log "github.com/sirupsen/logrus"
 //
 //	    "tags.cncf.io/container-device-interface/pkg/cdi"
-//	    "github.com/opencontainers/runtime-spec/specs-go"
+//	    oci "github.com/opencontainers/runtime-spec/specs-go"
 //	)
 //
-//	func injectCDIDevices(spec *specs.Spec, devices []string) error {
-//	    cache := cdi.GetDefaultCache()
+//	func injectCDIDevices(spec *oci.Spec, devices []string) error {
+//	    registry := cdi.GetRegistry()
 //
-//	    if err := cache.Refresh(); err != nil {
+//	    if err := registry.Refresh(); err != nil {
 //	        // Note:
 //	        //   It is up to the implementation to decide whether
 //	        //   to abort injection on errors. A failed Refresh()
-//	        //   does not necessarily render the cache unusable.
+//	        //   does not necessarily render the registry unusable.
 //	        //   For instance, a parse error in a Spec file for
 //	        //   vendor A does not have any effect on devices of
 //	        //   vendor B...
@@ -112,7 +125,7 @@
 //
 //	    log.Debug("pristine OCI Spec: %s", dumpSpec(spec))
 //
-//	    unresolved, err := cache.InjectDevices(spec, devices)
+//	    unresolved, err := registry.InjectDevices(spec, devices)
 //	    if err != nil {
 //	        return fmt.Errorf("CDI device injection failed: %w", err)
 //	    }
@@ -179,7 +192,7 @@
 // )
 //
 //	func generateDeviceSpecs() error {
-//	    cache := specs.GetDefaultCache()
+//	    registry := cdi.GetRegistry()
 //	    spec := &specs.Spec{
 //	        Version: specs.CurrentVersion,
 //	        Kind:    vendor+"/"+class,
@@ -197,7 +210,7 @@
 //	        return fmt.Errorf("failed to generate Spec name: %w", err)
 //	    }
 //
-//	    return cache.WriteSpec(spec, specName)
+//	    return registry.SpecDB().WriteSpec(spec, specName)
 //	}
 //
 // Similarly, generating and later cleaning up transient Spec files can be
@@ -216,7 +229,7 @@
 // )
 //
 //	func generateTransientSpec(ctr Container) error {
-//	    cache := specs.GetDefaultCache()
+//	    registry := cdi.GetRegistry()
 //	    devices := getContainerDevs(ctr, vendor, class)
 //	    spec := &specs.Spec{
 //	        Version: specs.CurrentVersion,
@@ -244,21 +257,21 @@
 //	        return fmt.Errorf("failed to generate Spec name: %w", err)
 //	    }
 //
-//	    return cache.WriteSpec(spec, specName)
+//	    return registry.SpecDB().WriteSpec(spec, specName)
 //	}
 //
 //	func removeTransientSpec(ctr Container) error {
-//	    cache := specs.GetDefaultCache()
+//	    registry := cdi.GetRegistry()
 //	    transientID := getSomeSufficientlyUniqueIDForContainer(ctr)
 //	    specName := cdi.GenerateNameForTransientSpec(vendor, class, transientID)
 //
-//	    return cache.RemoveSpec(specName)
+//	    return registry.SpecDB().RemoveSpec(specName)
 //	}
 //
 // # CDI Spec Validation
 //
 // This package performs both syntactic and semantic validation of CDI
-// Spec file data when a Spec file is loaded via the cache or using
+// Spec file data when a Spec file is loaded via the registry or using
 // the ReadSpec API function. As part of the semantic verification, the
 // Spec file is verified against the CDI Spec JSON validation schema.
 //
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
wang	a9add11578	Ignore reading-only judgment	2025-05-08 21:17:13 +02:00
Shiming Zhang	a0bd8c6f2d	Add OCI/Image Volume Source support Signed-off-by: Shiming Zhang <wzshiming@hotmail.com>	2025-05-08 21:17:13 +02:00
Brad Davidson	63272c3b7a	Enable btrfs/fuse-overlayfs/stargz snapshotter plugins Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2025-03-20 21:34:00 +00:00
Brad Davidson	07701fd755	Add rewrite support to hosts.toml loader Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2025-03-20 21:34:00 +00:00
Jacob Blain Christen	48894d6f5e	Mirror repository rewrites (v1.1) Support CRI configuration to allow for request-time rewrite rules applicable only to the repository portion of resource paths when pulling images. Because the rewrites are applied at request time, images themselves will not be "rewritten" -- images as stored by CRI (and the underlying containerd facility) will continue to present as normal. As an example, if you use the following config for your containerd: ```toml [plugins] [plugins."io.containerd.grpc.v1.cri"] [plugins."io.containerd.grpc.v1.cri".registry] [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] endpoint = ["https://registry-1.docker.io/v2"] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io".rewrite] "^library/(.*)" = "my-org/$1" ``` And then subsequently invoke `crictl pull alpine:3.13` it will pull content from `docker.io/my-org/alpine:3.13` but still show up as `docker.io/library/alpine:3.13` in the `crictl images` listing. This commit has been reworked from the original implementation. Rewites are now done when resolving instead of when building the request, so that auth token scopes stored in the context properly reflect the rewritten repository path. For the original implementation, see 06c4ea9baec2b278b8172a789bf601168292f645. Ref: https://github.com/k3s-io/k3s/issues/11191#issuecomment-2455525773 Signed-off-by: Jacob Blain Christen <jacob@rancher.com> Co-authored-by: Brad Davidson <brad.davidson@rancher.com> Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2025-03-20 21:34:00 +00:00
Brad Davidson	b5eb7da8e5	Remove GRPC metrics These conflict with other GRPC servers when running embedded Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2025-03-20 21:33:59 +00:00
ningmingxiao	2879c0790c	cri:fix containerd panic when can't find sandbox extension Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn> Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2025-03-20 21:33:53 +00:00