Merge pull request #1263 from rhatdan/VENDOR

Update vendor or containers/(image, storage)

common/go.mod

@@ -8,9 +8,9 @@ require (
 	github.com/containerd/containerd v1.6.12
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.1.1
-	github.com/containers/image/v5 v5.23.1-0.20221130170538-333c50e3eac8
+	github.com/containers/image/v5 v5.23.1-0.20221209092225-431fd251c4c5
 	github.com/containers/ocicrypt v1.1.6
-	github.com/containers/storage v1.44.1-0.20221201083122-c5a80ad65f42
+	github.com/containers/storage v1.44.1-0.20221209084436-73d739442168
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/cyphar/filepath-securejoin v0.2.3
 	github.com/davecgh/go-spew v1.1.1
@@ -104,7 +104,7 @@ require (
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/mod v0.6.0 // indirect
-	golang.org/x/net v0.3.0 // indirect
+	golang.org/x/net v0.4.0 // indirect
 	golang.org/x/text v0.5.0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
 	google.golang.org/genproto v0.0.0-20221111202108-142d8a6fa32e // indirect

common/vendor/github.com/containers/image/v5/docker/docker_client.go

@@ -522,9 +522,8 @@ func parseRetryAfter(res *http.Response, fallbackDelay time.Duration) time.Durat
 		return time.Duration(num) * time.Second
 	}
 	// Second, check if we have an HTTP date.
-	// If the delta between the date and now is positive, use it.
-	// Otherwise, fall back to using the default exponential back off.
 	if t, err := http.ParseTime(after); err == nil {
+		// If the delta between the date and now is positive, use it.
 		delta := time.Until(t)
 		if delta > 0 {
 			return delta
@@ -532,7 +531,6 @@ func parseRetryAfter(res *http.Response, fallbackDelay time.Duration) time.Durat
 		logrus.Debugf("Retry-After date in the past, ignoring it")
 		return fallbackDelay
 	}
-	// If the header contents are bogus, fall back to using the default exponential back off.
 	logrus.Debugf("Invalid Retry-After format, ignoring it")
 	return fallbackDelay
 }
@@ -590,7 +588,7 @@ func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method stri
 		case <-time.After(delay):
 			// Nothing
 		}
-		delay = delay * 2 // exponential back off
+		delay = delay * 2 // If the registry does not specify a delay, back off exponentially.
 	}
 }
 

common/vendor/github.com/containers/image/v5/docker/docker_image_dest.go

@@ -639,7 +639,7 @@ func (d *dockerImageDestination) putSignaturesToSigstoreAttachments(ctx context.
 
 	ociManifest, err := d.c.getSigstoreAttachmentManifest(ctx, d.ref, manifestDigest)
 	if err != nil {
-		return nil
+		return err
 	}
 	var ociConfig imgspecv1.Image // Most fields empty by default
 	if ociManifest == nil {
@@ -711,13 +711,13 @@ func (d *dockerImageDestination) putSignaturesToSigstoreAttachments(ctx context.
 		LayerIndex: nil,
 	})
 	if err != nil {
-		return nil
+		return err
 	}
 	ociManifest.Config = configDesc
 
 	manifestBlob, err := ociManifest.Serialize()
 	if err != nil {
-		return nil
+		return err
 	}
 	logrus.Debugf("Uploading sigstore attachment manifest")
 	return d.uploadManifest(ctx, manifestBlob, sigstoreAttachmentTag(manifestDigest))

common/vendor/github.com/containers/image/v5/docker/internal/tarfile/reader.go

@@ -34,15 +34,19 @@ func NewReaderFromFile(sys *types.SystemContext, path string) (*Reader, error) {
 	}
 	defer file.Close()
 
-	// If the file is already not compressed we can just return the file itself
+	// If the file is seekable and already not compressed we can just return the file itself
 	// as a source. Otherwise we pass the stream to NewReaderFromStream.
-	stream, isCompressed, err := compression.AutoDecompress(file)
-	if err != nil {
-		return nil, fmt.Errorf("detecting compression for file %q: %w", path, err)
-	}
-	defer stream.Close()
-	if !isCompressed {
-		return newReader(path, false)
+	var stream io.Reader = file
+	if _, err := file.Seek(0, io.SeekCurrent); err == nil { // seeking is possible
+		decompressed, isCompressed, err := compression.AutoDecompress(file)
+		if err != nil {
+			return nil, fmt.Errorf("detecting compression for file %q: %w", path, err)
+		}
+		defer decompressed.Close()
+		stream = decompressed
+		if !isCompressed {
+			return newReader(path, false)
+		}
 	}
 	return NewReaderFromStream(sys, stream)
 }

common/vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go

@@ -346,7 +346,7 @@ func (t *tarFI) Sys() interface{} {
 func (w *Writer) sendSymlinkLocked(path string, target string) error {
 	hdr, err := tar.FileInfoHeader(&tarFI{path: path, size: 0, isSymlink: true}, target)
 	if err != nil {
-		return nil
+		return err
 	}
 	logrus.Debugf("Sending as tar link %s -> %s", path, target)
 	return w.tar.WriteHeader(hdr)
@@ -363,7 +363,7 @@ func (w *Writer) sendBytesLocked(path string, b []byte) error {
 func (w *Writer) sendFileLocked(path string, expectedSize int64, stream io.Reader) error {
 	hdr, err := tar.FileInfoHeader(&tarFI{path: path, size: expectedSize}, "")
 	if err != nil {
-		return nil
+		return err
 	}
 	logrus.Debugf("Sending as tar file %s", path)
 	if err := w.tar.WriteHeader(hdr); err != nil {

common/vendor/github.com/containers/image/v5/pkg/docker/config/config.go

@@ -56,7 +56,7 @@ var (
 // appropriate for sys and the users’ configuration.
 // A valid key is a repository, a namespace within a registry, or a registry hostname;
 // using forms other than just a registry may fail depending on configuration.
-// Returns a human-redable description of the location that was updated.
+// Returns a human-readable description of the location that was updated.
 // NOTE: The return value is only intended to be read by humans; its form is not an API,
 // it may change (or new forms can be added) any time.
 func SetCredentials(sys *types.SystemContext, key, username, password string) (string, error) {
@@ -78,25 +78,28 @@ func SetCredentials(sys *types.SystemContext, key, username, password string) (s
 		switch helper {
 		// Special-case the built-in helpers for auth files.
 		case sysregistriesv2.AuthenticationFileHelper:
-			desc, err = modifyJSON(sys, func(auths *dockerConfigFile) (bool, error) {
+			desc, err = modifyJSON(sys, func(auths *dockerConfigFile) (bool, string, error) {
 				if ch, exists := auths.CredHelpers[key]; exists {
 					if isNamespaced {
-						return false, unsupportedNamespaceErr(ch)
+						return false, "", unsupportedNamespaceErr(ch)
 					}
-					return false, setAuthToCredHelper(ch, key, username, password)
+					desc, err := setAuthToCredHelper(ch, key, username, password)
+					if err != nil {
+						return false, "", err
+					}
+					return false, desc, nil
 				}
 				creds := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
 				newCreds := dockerAuthConfig{Auth: creds}
 				auths.AuthConfigs[key] = newCreds
-				return true, nil
+				return true, "", nil
 			})
 		// External helpers.
 		default:
 			if isNamespaced {
 				err = unsupportedNamespaceErr(helper)
 			} else {
-				desc = fmt.Sprintf("credential helper: %s", helper)
-				err = setAuthToCredHelper(helper, key, username, password)
+				desc, err = setAuthToCredHelper(helper, key, username, password)
 			}
 		}
 		if err != nil {
@@ -403,7 +406,7 @@ func RemoveAuthentication(sys *types.SystemContext, key string) error {
 		switch helper {
 		// Special-case the built-in helper for auth files.
 		case sysregistriesv2.AuthenticationFileHelper:
-			_, err = modifyJSON(sys, func(auths *dockerConfigFile) (bool, error) {
+			_, err = modifyJSON(sys, func(auths *dockerConfigFile) (bool, string, error) {
 				if innerHelper, exists := auths.CredHelpers[key]; exists {
 					removeFromCredHelper(innerHelper)
 				}
@@ -411,7 +414,7 @@ func RemoveAuthentication(sys *types.SystemContext, key string) error {
 					isLoggedIn = true
 					delete(auths.AuthConfigs, key)
 				}
-				return true, multiErr
+				return true, "", multiErr
 			})
 			if err != nil {
 				multiErr = multierror.Append(multiErr, err)
@@ -446,18 +449,18 @@ func RemoveAllAuthentication(sys *types.SystemContext) error {
 		switch helper {
 		// Special-case the built-in helper for auth files.
 		case sysregistriesv2.AuthenticationFileHelper:
-			_, err = modifyJSON(sys, func(auths *dockerConfigFile) (bool, error) {
+			_, err = modifyJSON(sys, func(auths *dockerConfigFile) (bool, string, error) {
 				for registry, helper := range auths.CredHelpers {
 					// Helpers in auth files are expected
 					// to exist, so no special treatment
 					// for them.
 					if err := deleteAuthFromCredHelper(helper, registry); err != nil {
-						return false, err
+						return false, "", err
 					}
 				}
 				auths.CredHelpers = make(map[string]string)
 				auths.AuthConfigs = make(map[string]dockerAuthConfig)
-				return true, nil
+				return true, "", nil
 			})
 		// External helpers.
 		default:
@@ -573,8 +576,11 @@ func readJSONFile(path string, legacyFormat bool) (dockerConfigFile, error) {
 
 // modifyJSON finds an auth.json file, calls editor on the contents, and
 // writes it back if editor returns true.
-// Returns a human-redable description of the file, to be returned by SetCredentials.
-func modifyJSON(sys *types.SystemContext, editor func(auths *dockerConfigFile) (bool, error)) (string, error) {
+// Returns a human-readable description of the file, to be returned by SetCredentials.
+//
+// The editor may also return a human-readable description of the updated location; if it is "",
+// the file itself is used.
+func modifyJSON(sys *types.SystemContext, editor func(auths *dockerConfigFile) (bool, string, error)) (string, error) {
 	path, legacyFormat, err := getPathToAuth(sys)
 	if err != nil {
 		return "", err
@@ -593,7 +599,7 @@ func modifyJSON(sys *types.SystemContext, editor func(auths *dockerConfigFile) (
 		return "", fmt.Errorf("reading JSON file %q: %w", path, err)
 	}
 
-	updated, err := editor(&auths)
+	updated, description, err := editor(&auths)
 	if err != nil {
 		return "", fmt.Errorf("updating %q: %w", path, err)
 	}
@@ -608,7 +614,10 @@ func modifyJSON(sys *types.SystemContext, editor func(auths *dockerConfigFile) (
 		}
 	}
 
-	return path, nil
+	if description == "" {
+		description = path
+	}
+	return description, nil
 }
 
 func getAuthFromCredHelper(credHelper, registry string) (types.DockerAuthConfig, error) {
@@ -636,7 +645,9 @@ func getAuthFromCredHelper(credHelper, registry string) (types.DockerAuthConfig,
 	}
 }
 
-func setAuthToCredHelper(credHelper, registry, username, password string) error {
+// setAuthToCredHelper stores (username, password) for registry in credHelper.
+// Returns a human-readable description of the destination, to be returned by SetCredentials.
+func setAuthToCredHelper(credHelper, registry, username, password string) (string, error) {
 	helperName := fmt.Sprintf("docker-credential-%s", credHelper)
 	p := helperclient.NewShellProgramFunc(helperName)
 	creds := &credentials.Credentials{
@@ -644,7 +655,10 @@ func setAuthToCredHelper(credHelper, registry, username, password string) error
 		Username:  username,
 		Secret:    password,
 	}
-	return helperclient.Store(p, creds)
+	if err := helperclient.Store(p, creds); err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("credential helper: %s", credHelper), nil
 }
 
 func deleteAuthFromCredHelper(credHelper, registry string) error {

common/vendor/github.com/containers/image/v5/pkg/sysregistriesv2/system_registries_v2.go

@@ -198,6 +198,7 @@ type V1RegistriesConf struct {
 }
 
 // Nonempty returns true if config contains at least one configuration entry.
+// Empty arrays are treated as missing entries.
 func (config *V1RegistriesConf) Nonempty() bool {
 	copy := *config // A shallow copy
 	if copy.V1TOMLConfig.Search.Registries != nil && len(copy.V1TOMLConfig.Search.Registries) == 0 {
@@ -209,7 +210,15 @@ func (config *V1RegistriesConf) Nonempty() bool {
 	if copy.V1TOMLConfig.Block.Registries != nil && len(copy.V1TOMLConfig.Block.Registries) == 0 {
 		copy.V1TOMLConfig.Block.Registries = nil
 	}
-	return !reflect.DeepEqual(copy, V1RegistriesConf{})
+	return copy.hasSetField()
+}
+
+// hasSetField returns true if config contains at least one configuration entry.
+// This is useful because of a subtlety of the behavior of the TOML decoder, where a missing array field
+// is not modified while unmarshaling (in our case remains to nil), while an [] is unmarshaled
+// as a non-nil []string{}.
+func (config *V1RegistriesConf) hasSetField() bool {
+	return !reflect.DeepEqual(*config, V1RegistriesConf{})
 }
 
 // V2RegistriesConf is the sysregistries v2 configuration format.
@@ -257,7 +266,15 @@ func (config *V2RegistriesConf) Nonempty() bool {
 	if !copy.shortNameAliasConf.nonempty() {
 		copy.shortNameAliasConf = shortNameAliasConf{}
 	}
-	return !reflect.DeepEqual(copy, V2RegistriesConf{})
+	return copy.hasSetField()
+}
+
+// hasSetField returns true if config contains at least one configuration entry.
+// This is useful because of a subtlety of the behavior of the TOML decoder, where a missing array field
+// is not modified while unmarshaling (in our case remains to nil), while an [] is unmarshaled
+// as a non-nil []string{}.
+func (config *V2RegistriesConf) hasSetField() bool {
+	return !reflect.DeepEqual(*config, V2RegistriesConf{})
 }
 
 // parsedConfig is the result of parsing, and possibly merging, configuration files;
@@ -923,15 +940,15 @@ func loadConfigFile(path string, forceV2 bool) (*parsedConfig, error) {
 		logrus.Debugf("Failed to decode keys %q from %q", keys, path)
 	}
 
-	if combinedTOML.V1RegistriesConf.Nonempty() {
+	if combinedTOML.V1RegistriesConf.hasSetField() {
 		// Enforce the v2 format if requested.
 		if forceV2 {
 			return nil, &InvalidRegistries{s: "registry must be in v2 format but is in v1"}
 		}
 
 		// Convert a v1 config into a v2 config.
-		if combinedTOML.V2RegistriesConf.Nonempty() {
-			return nil, &InvalidRegistries{s: "mixing sysregistry v1/v2 is not supported"}
+		if combinedTOML.V2RegistriesConf.hasSetField() {
+			return nil, &InvalidRegistries{s: fmt.Sprintf("mixing sysregistry v1/v2 is not supported: %#v", combinedTOML)}
 		}
 		converted, err := combinedTOML.V1RegistriesConf.ConvertToV2()
 		if err != nil {

common/vendor/github.com/containers/image/v5/pkg/tlsclientconfig/tlsclientconfig.go

@@ -2,6 +2,7 @@ package tlsclientconfig
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -10,8 +11,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/go-connections/sockets"
-	"github.com/docker/go-connections/tlsconfig"
 	"github.com/sirupsen/logrus"
 )
 
@@ -47,7 +46,7 @@ func SetupCertificates(dir string, tlsc *tls.Config) error {
 				return err
 			}
 			if tlsc.RootCAs == nil {
-				systemPool, err := tlsconfig.SystemCertPool()
+				systemPool, err := x509.SystemCertPool()
 				if err != nil {
 					return fmt.Errorf("unable to get system cert pool: %w", err)
 				}
@@ -103,8 +102,5 @@ func NewTransport() *http.Transport {
 		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
 		DisableKeepAlives: true,
 	}
-	if _, err := sockets.DialerFromEnvironment(direct); err != nil {
-		logrus.Debugf("Can't execute DialerFromEnvironment: %v", err)
-	}
 	return tr
 }

common/vendor/github.com/containers/image/v5/storage/storage_src.go

@@ -111,7 +111,7 @@ func (s *storageImageSource) GetBlob(ctx context.Context, info types.BlobInfo, c
 		return nil, 0, err
 	}
 
-	if _, err := tmpFile.Seek(0, 0); err != nil {
+	if _, err := tmpFile.Seek(0, io.SeekStart); err != nil {
 		return nil, 0, err
 	}
 

common/vendor/github.com/containers/image/v5/types/types.go

@@ -125,6 +125,13 @@ type BlobInfo struct {
 	URLs        []string
 	Annotations map[string]string
 	MediaType   string
+
+	// NOTE: The following fields contain desired _edits_ to blob infos.
+	// Conceptually then don't belong in the BlobInfo object at all;
+	// the edits should be provided specifically as parameters to the edit implementation.
+	// We can’t remove the fields without breaking compatibility, but don’t
+	// add any more.
+
 	// CompressionOperation is used in Image.UpdateLayerInfos to instruct
 	// whether the original layer's "compressed or not" should be preserved,
 	// possibly while changing the compression algorithm from one to another,
@@ -144,6 +151,7 @@ type BlobInfo struct {
 	// TODO: To remove together with CompressionOperation in re-design to
 	// remove field out out of BlobInfo.
 	CryptoOperation LayerCrypto
+	// Before adding any fields to this struct, read the NOTE above.
 }
 
 // BICTransportScope encapsulates transport-dependent representation of a “scope” where blobs are or are not present.

common/vendor/github.com/containers/storage/layers.go

@@ -299,6 +299,9 @@ type rwLayerStore interface {
 
 	// Clean up unreferenced layers
 	GarbageCollect() error
+
+	// supportsShifting() returns true if the driver.Driver.SupportsShifting().
+	supportsShifting() bool
 }
 
 type layerStore struct {
@@ -806,15 +809,14 @@ func (r *layerStore) saveLayers(saveLocations layerLocations) error {
 		if err != nil {
 			return err
 		}
-		var opts *ioutils.AtomicFileWriterOptions
+		opts := ioutils.AtomicFileWriterOptions{}
 		if location == volatileLayerLocation {
-			opts = &ioutils.AtomicFileWriterOptions{
-				NoSync: true,
-			}
+			opts.NoSync = true
 		}
-		if err := ioutils.AtomicWriteFileWithOpts(rpath, jldata, 0600, opts); err != nil {
+		if err := ioutils.AtomicWriteFileWithOpts(rpath, jldata, 0600, &opts); err != nil {
 			return err
 		}
+		r.layerspathsModified[locationIndex] = opts.ModTime
 	}
 	lw, err := r.lockfile.RecordWrite()
 	if err != nil {
@@ -2234,6 +2236,10 @@ func (r *layerStore) LayersByUncompressedDigest(d digest.Digest) ([]Layer, error
 	return r.layersByDigestMap(r.byuncompressedsum, d)
 }
 
+func (r *layerStore) supportsShifting() bool {
+	return r.driver.SupportsShifting()
+}
+
 func closeAll(closes ...func() error) (rErr error) {
 	for _, f := range closes {
 		if err := f(); err != nil {

common/vendor/github.com/containers/storage/pkg/ioutils/fswriters.go

@@ -4,6 +4,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"time"
 )
 
 // AtomicFileWriterOptions specifies options for creating the atomic file writer.
@@ -13,6 +14,9 @@ type AtomicFileWriterOptions struct {
 	// storage after it has been written and before it is moved to
 	// the specified path.
 	NoSync bool
+	// On successful return from Close() this is set to the mtime of the
+	// newly written file.
+	ModTime time.Time
 }
 
 var defaultWriterOptions = AtomicFileWriterOptions{}
@@ -74,6 +78,11 @@ func AtomicWriteFileWithOpts(filename string, data []byte, perm os.FileMode, opt
 	if err1 := f.Close(); err == nil {
 		err = err1
 	}
+
+	if opts != nil {
+		opts.ModTime = f.modTime
+	}
+
 	return err
 }
 
@@ -87,6 +96,7 @@ type atomicFileWriter struct {
 	writeErr error
 	perm     os.FileMode
 	noSync   bool
+	modTime  time.Time
 }
 
 func (w *atomicFileWriter) Write(dt []byte) (int, error) {
@@ -109,9 +119,25 @@ func (w *atomicFileWriter) Close() (retErr error) {
 			return err
 		}
 	}
+
+	// fstat before closing the fd
+	info, statErr := w.f.Stat()
+	if statErr == nil {
+		w.modTime = info.ModTime()
+	}
+	// We delay error reporting until after the real call to close()
+	// to match the traditional linux close() behaviour that an fd
+	// is invalid (closed) even if close returns failure. While
+	// weird, this allows a well defined way to not leak open fds.
+
 	if err := w.f.Close(); err != nil {
 		return err
 	}
+
+	if statErr != nil {
+		return statErr
+	}
+
 	if err := os.Chmod(w.f.Name(), w.perm); err != nil {
 		return err
 	}

common/vendor/golang.org/x/net/http2/server.go

@@ -588,6 +588,7 @@ type serverConn struct {
 	maxFrameSize                int32
 	peerMaxHeaderListSize       uint32            // zero means unknown (default)
 	canonHeader                 map[string]string // http2-lower-case -> Go-Canonical-Case
+	canonHeaderKeysSize         int               // canonHeader keys size in bytes
 	writingFrame                bool              // started writing a frame (on serve goroutine or separate)
 	writingFrameAsync           bool              // started a frame on its own goroutine but haven't heard back on wroteFrameCh
 	needsFrameFlush             bool              // last frame write wasn't a flush
@@ -766,6 +767,13 @@ func (sc *serverConn) condlogf(err error, format string, args ...interface{}) {
 	}
 }
 
+// maxCachedCanonicalHeadersKeysSize is an arbitrarily-chosen limit on the size
+// of the entries in the canonHeader cache.
+// This should be larger than the size of unique, uncommon header keys likely to
+// be sent by the peer, while not so high as to permit unreasonable memory usage
+// if the peer sends an unbounded number of unique header keys.
+const maxCachedCanonicalHeadersKeysSize = 2048
+
 func (sc *serverConn) canonicalHeader(v string) string {
 	sc.serveG.check()
 	buildCommonHeaderMapsOnce()
@@ -781,14 +789,10 @@ func (sc *serverConn) canonicalHeader(v string) string {
 		sc.canonHeader = make(map[string]string)
 	}
 	cv = http.CanonicalHeaderKey(v)
-	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
-	// entries in the canonHeader cache. This should be larger than the number
-	// of unique, uncommon header keys likely to be sent by the peer, while not
-	// so high as to permit unreasonable memory usage if the peer sends an unbounded
-	// number of unique header keys.
-	const maxCachedCanonicalHeaders = 32
-	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+	size := 100 + len(v)*2 // 100 bytes of map overhead + key + value
+	if sc.canonHeaderKeysSize+size <= maxCachedCanonicalHeadersKeysSize {
 		sc.canonHeader[v] = cv
+		sc.canonHeaderKeysSize += size
 	}
 	return cv
 }

common/vendor/modules.txt

@@ -78,7 +78,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.1.1
 ## explicit; go 1.17
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/image/v5 v5.23.1-0.20221130170538-333c50e3eac8
+# github.com/containers/image/v5 v5.23.1-0.20221209092225-431fd251c4c5
 ## explicit; go 1.17
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
@@ -157,7 +157,7 @@ github.com/containers/ocicrypt/keywrap/pkcs7
 github.com/containers/ocicrypt/spec
 github.com/containers/ocicrypt/utils
 github.com/containers/ocicrypt/utils/keyprovider
-# github.com/containers/storage v1.44.1-0.20221201083122-c5a80ad65f42
+# github.com/containers/storage v1.44.1-0.20221209084436-73d739442168
 ## explicit; go 1.17
 github.com/containers/storage
 github.com/containers/storage/drivers
@@ -569,7 +569,7 @@ golang.org/x/crypto/ssh/knownhosts
 # golang.org/x/mod v0.6.0
 ## explicit; go 1.17
 golang.org/x/mod/semver
-# golang.org/x/net v0.3.0
+# golang.org/x/net v0.4.0
 ## explicit; go 1.17
 golang.org/x/net/context
 golang.org/x/net/html