chore(deps): bump the all group across 1 directory with 3 updates

[dependabot]

Bumps the all group with 3 updates in the / directory: cloud.google.com/go/storage, github.com/google/go-containerregistry and golang.org/x/crypto.

Updates cloud.google.com/go/storage from 1.62.1 to 1.62.2

Release notes

Sourced from cloud.google.com/go/storage's releases.

storage: v1.62.2

v1.62.2 (2026-05-18)

Features

• enable open telemetry attrs (#14426) (74eab64d)

Bug Fixes

• restore metadata operations timeout in gRPC (#14575) (275ff562)

• Set default chunkRetryDeadline to 32s in NewWriterFromAppendableObject (#14458) (ec7c7d66)

• refactor userProject metadata propagation in ListObjects (#14533) (fbb543e3)

Commits

• 50a5755 chore: librarian release pull request: 20260518T161338Z (#14610)
• 585840f spanner: skip flaky TestIntegration_DbRemovalRecovery (#14607)
• f8bf88f test(spanner): retry query after database recreation in integration test (#14...
• 9168ab8 chore(librariangen): tweak release preview test (#14599)
• f8b9a93 fix(spanner/spannertest): Support UUID as a base data type (#14117)
• a42fd83 fix(internal/librariange): release preview support (#14588)
• d944830 fix(datastore): add retries to emulator (#14591)
• c5aaedc chore: migrate Go configuration in librarian.yaml (#14587)
• 8a0e849 doc(agentplatform): Add notes and quick examples to the README
• 033f4fe chore: librarian release pull request: 20260514T191310Z (#14589)
• Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.21.5 to 0.21.6

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.21.6

What's Changed

• fix: update dependencies to use new azure sdk components by @​gaganhr94 in google/go-containerregistry#2262
• transport: restore resp.Body in retryError so CheckError can parse it by @​alliasgher in google/go-containerregistry#2264
• pkg/registry: return 202 Accepted for PATCH chunk uploads by @​alliasgher in google/go-containerregistry#2265
• Follow OCI distribution spec for artifactType and annotations by @​malt3 in google/go-containerregistry#2269
• actions: attach Codecov token to coverage tests on main by @​Subserial in google/go-containerregistry#2270
• remote: use DeleteScope (with "delete" action) for manifest deletion by @​alliasgher in google/go-containerregistry#2266
• remote: limit concurrent layer pulls by @​gnix0 in google/go-containerregistry#2271
• pkg/registry: reject corrupt disk blobs by @​gnix0 in google/go-containerregistry#2272
• mutate: close layer readers during export by @​gnix0 in google/go-containerregistry#2277
• crane/flatten: preserve image media type when flattening by @​alliasgher in google/go-containerregistry#2267
• build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 in the actions group across 1 directory by @​dependabot[bot] in google/go-containerregistry#2273
• build(deps): bump go.opentelemetry.io/otel from 1.36.0 to 1.41.0 by @​dependabot[bot] in google/go-containerregistry#2278
• build(deps): bump the go-deps group across 3 directories with 6 updates by @​dependabot[bot] in google/go-containerregistry#2280
• Replace go-homedir with os.UserHomeDir by @​jammie-jelly in google/go-containerregistry#2282
• pkg/name: only treat .localhost as non-HTTPS, not .local by @​blackwell-systems in google/go-containerregistry#2281
• transport: block unspecified IPs (0.0.0.0, ::) in validateRealmURL by @​marwan9696 in google/go-containerregistry#2285
• test(mutate): add Extract round-trip test for filesystem object preservation by @​blackwell-systems in google/go-containerregistry#2283
• experiments: remove deprecated support for estargz by @​thaJeztah in google/go-containerregistry#2288
• build(deps): bump aws-actions/configure-aws-credentials from 6.1.0 to 6.1.1 in the actions group by @​dependabot[bot] in google/go-containerregistry#2289
• fix: limit HTTP response body reads to prevent OOM by @​evilgensec in google/go-containerregistry#2296
• build(deps): bump the go-deps group across 3 directories with 6 updates by @​dependabot[bot] in google/go-containerregistry#2297
• transport: block redirects from token server to private/link-local addresses (SSRF fix) by @​evilgensec in google/go-containerregistry#2292
• pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract by @​anishesg in google/go-containerregistry#2279
• validate: skip non-layer layers by @​imjasonh in google/go-containerregistry#2298
• remote: validate foreign layer URLs to prevent SSRF (fixes #2259) by @​evilgensec in google/go-containerregistry#2293
• remote: block SSRF via private-IP Location headers in blob uploads by @​adilburaksen in google/go-containerregistry#2295
• fix(mutate): preserve config blob and layers for non-Docker OCI artifacts by @​blackwell-systems in google/go-containerregistry#2286
• fix: preserve per-occurrence layer identity in mutate.Image.Layers() by @​iahsanGill in google/go-containerregistry#2299
• transport: retry HTTP 429 (Too Many Requests) by @​iahsanGill in google/go-containerregistry#2301
• transport: allow bearer realm at same host:port as registry by @​iahsanGill in google/go-containerregistry#2302
• Update go version to 1.26.3 by @​Subserial in google/go-containerregistry#2300

New Contributors

• @​gaganhr94 made their first contribution in google/go-containerregistry#2262
• @​alliasgher made their first contribution in google/go-containerregistry#2264
• @​malt3 made their first contribution in google/go-containerregistry#2269
• @​gnix0 made their first contribution in google/go-containerregistry#2271
• @​blackwell-systems made their first contribution in google/go-containerregistry#2281
• @​marwan9696 made their first contribution in google/go-containerregistry#2285
• @​anishesg made their first contribution in google/go-containerregistry#2279
• @​adilburaksen made their first contribution in google/go-containerregistry#2295
• @​iahsanGill made their first contribution in google/go-containerregistry#2299

Full Changelog: google/go-containerregistry@v0.21.5...v0.21.6

Commits

• 53f7e39 Update go version to 1.26.3 (#2300)
• bf87c3b transport: allow bearer realm at same host:port as registry (#2302)
• c55facd transport: retry HTTP 429 (Too Many Requests) (#2301)
• 68a569e fix: preserve per-occurrence layer identity in Layers() (#2299)
• 35b354b fix(mutate): preserve config blob and layers for non-Docker OCI artifacts (#2...
• e5983f2 remote: block SSRF via private-IP Location headers in blob uploads (#2295)
• 6dad820 remote: validate foreign layer URLs to prevent SSRF (fixes #2259) (#2293)
• 78bdf1b validate: skip non-layer layers (#2298)
• c29d91c pkg/v1/mutate: preserve relative symlinks that stay within rootfs in Extract ...
• a70d75a transport: block redirects from token server to private/link-local addresses ...
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.51.0 to 0.52.0

Commits

• a1c0d99 go.mod: update golang.org/x dependencies
• 3c7c869 ssh: fix deadlock on unexpected channel responses
• 533fb3f ssh: fix source-address critical option bypass
• abbc44d ssh: fix incorrect operator order
• e052873 ssh: fix infinite loop on large channel writes due to integer overflow
• b61cf85 ssh: enforce user presence verification for security keys
• 9c2cd33 ssh: enforce strict limits on DSA key parameters
• 8907318 ssh: reject RSA keys with excessively large moduli
• ffd87b4 ssh: fix panic when authority callbacks are nil
• 4e7a738 ssh: fix deadlock on unexpected global responses
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign ab-ghosh after the PR has been reviewed.
You can assign the PR to them by writing /assign @ab-ghosh in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml