chore(deps): update module github.com/fxamacker/cbor/v2 to v2.9.2

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/fxamacker/cbor/v2	v2.9.0 → v2.9.2

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

fxamacker/cbor (github.com/fxamacker/cbor/v2)

v2.9.2

Compare Source

This release refactors and hardens the streaming encoder by adding stricter checks for encoding CBOR indefinite-length data. Other changes include minor bugfixes, defensive checks, and more tests.

Projects that don't use CBOR indefinite-length data may also want to upgrade (summary of prior releases).

The stricter checks in the encoder prevent improper use of the library and bad inputs from producing malformed CBOR indefinite-length data that would be rejected by the decoder.

This release passed fuzz tests (billions of execs) and it is production quality.

What's Changed

• Reject encoding indefinite-length map with odd item count by @​fxamacker in #​764
• Reject encoding indefinite-length data item as a chunk inside indefinite-length byte string or text string by @​fxamacker in #​765
• Make TagSet.Remove a no-op when contentType is nil by @​fxamacker in #​766
• Refactor indefinite-length encoding and improve chunk validation during encoding by @​fxamacker in #​767
• Add more tests, fix a nit in unreachable panic message, update docs & ci by @​fxamacker in #​768

CI / GitHub Actions and Docs

🔎 Details...

• Bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in #​760
• Bump github/codeql-action from 4.34.1 to 4.35.1 by @​dependabot[bot] in #​761
• Bump github/codeql-action from 4.35.1 to 4.35.2 by @​dependabot[bot] in #​763
• Update README for v2.9.2 release by @​fxamacker in #​769

Full Changelog: fxamacker/cbor@v2.9.1...v2.9.2

v2.9.1

Compare Source

This release includes important bugfixes, defensive checks, improved code quality, and more tests. Although not public, the fuzzer was also improved by adding more fuzz tests.

🐞 Bug fixes related to the keyasint feature

These changes only affect Go struct fields tagged with keyasint:

• [Decoding] Reject integer keys that exceed math.MaxInt64 when decoding CBOR map to a struct with keyasint field (PR #​757)
• [Decoding] Prevent string representation of an integer key from matching the struct field tagged by keyasint (PR #​757)
• [Encoding & Decoding] Deduplicate struct fields with the same normalized keyasint tag values (PR #​757)

🐞 Other bug fixes and defensive checks

Some of the bugs fixed are related to decoding extreme values that cannot be encoded with this library. For example, the decoder checks if epoch time encoded as CBOR float value representing hundreds of billions of years overflows int64(seconds).

NOTE: It is generally good practice to avoid using floating point to store epoch time (even when not using CBOR).

• [Decoding] Reject decoding epoch time encoded as floats that overflow int64 (PR #​753)
• [Encoding] Return a cloned slice for an empty RawMessage from RawMessage.MarshalCBOR (PR #​753)
• [Encoding] Reject encoding nil inside indefinite-length strings (PR #​750)
• [Diagnostic] Accept valid U+FFFD replacement character (PR #​753)

What's Changed

• 🆕 Add TimeMode encoding option TimeRFC3339NanoUTC by @​fxamacker in #​688
• Use actual negative zero in tests by @​makew0rld in #​708
• Reject encoding nil inside CBOR indefinite-length string by @​fxamacker in #​750
• Refactor and add tests by @​fxamacker in #​752
• Small bugfixes, defensive checks, and improvements by @​fxamacker in #​753
• Refactor parseMapToStruct(), getDecodingStructType(), getEncodingStructType(), and field struct by @​fxamacker in #​754
• Fix several issues related to keyasint tag option by @​fxamacker in #​757

CI / GitHub Actions and Docs

🔎 Details...

• Bump github/codeql-action from 3.29.2 to 3.29.4 by @​dependabot[bot] in #​690
• Bump github/codeql-action from 3.29.4 to 3.29.5 by @​dependabot[bot] in #​691
• Bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in #​696
• Bump github/codeql-action from 3.29.7 to 3.29.9 by @​dependabot[bot] in #​697
• Bump github/codeql-action from 3.29.9 to 3.29.11 by @​dependabot[bot] in #​700
• Bump github/codeql-action from 3.29.11 to 3.30.0 by @​dependabot[bot] in #​702
• Bump actions/setup-go from 5.5.0 to 6.0.0 by @​dependabot[bot] in #​703
• Bump github/codeql-action from 3.30.0 to 3.30.3 by @​dependabot[bot] in #​706
• Bump github/codeql-action from 3.30.3 to 3.30.4 by @​dependabot[bot] in #​710
• Bump github/codeql-action from 3.30.4 to 3.30.6 by @​dependabot[bot] in #​712
• Bump github/codeql-action from 3.30.6 to 4.30.7 by @​dependabot[bot] in #​713
• Bump github/codeql-action from 4.30.7 to 4.30.8 by @​dependabot[bot] in #​716
• Bump github/codeql-action from 4.30.8 to 4.30.9 by @​dependabot[bot] in #​718
• Bump github/codeql-action from 4.30.9 to 4.31.2 by @​dependabot[bot] in #​720
• Bump github/codeql-action from 4.31.2 to 4.31.3 by @​dependabot[bot] in #​721
• Bump github/codeql-action from 4.31.3 to 4.31.4 by @​dependabot[bot] in #​724
• Bump actions/setup-go from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​725
• Bump actions/checkout from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​726
• Bump github/codeql-action from 4.31.4 to 4.31.5 by @​dependabot[bot] in #​727
• Bump github/codeql-action from 4.31.5 to 4.31.6 by @​dependabot[bot] in #​728
• Bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​729
• Bump github/codeql-action from 4.31.6 to 4.31.8 by @​dependabot[bot] in #​732
• Bump github/codeql-action from 4.31.8 to 4.31.9 by @​dependabot[bot] in #​733
• Bump github/codeql-action from 4.31.9 to 4.31.10 by @​dependabot[bot] in #​738
• Bump actions/setup-go from 6.1.0 to 6.2.0 by @​dependabot[bot] in #​739
• Bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in #​740
• Bump github/codeql-action from 4.31.10 to 4.32.0 by @​dependabot[bot] in #​742
• Bump github/codeql-action from 4.32.0 to 4.32.3 by @​dependabot[bot] in #​745
• Bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​746
• Bump github/codeql-action from 4.32.3 to 4.32.4 by @​dependabot[bot] in #​747
• Bump github/codeql-action from 4.32.4 to 4.32.6 by @​dependabot[bot] in #​748
• Bump github/codeql-action from 4.32.6 to 4.34.0 by @​dependabot[bot] in #​749
• Bump github/codeql-action from 4.34.0 to 4.34.1 by @​dependabot[bot] in #​751
• Update README status section by @​fxamacker in #​758

New Contributors

• @​makew0rld made their first contributihttps://github.com/fxamacker/cbor/pull/708ll/708

Full Changelog: fxamacker/cbor@v2.9.0...v2.9.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign rcampos2029 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: bea2e95e-0830-4d4a-b01f-1cdf431289f9

📥 Commits

Reviewing files that changed from the base of the PR and between 382e8cd and b2828ac.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod

✅ Files skipped from review due to trivial changes (1)

• go.mod

---

Summary by CodeRabbit

• Chores
  • Updated an indirect dependency to a newer patch release to improve stability and compatibility.
  • Applied a patch-level maintenance update addressing minor edge cases and reducing regression risk.
  • No functional or public API changes; this is an internal maintenance update with no user-facing impact.

Walkthrough

Updated an indirect Go module dependency in go.mod: github.com/fxamacker/cbor/v2 bumped from v2.9.0 to v2.9.2. No other files, code, or module directives were changed.

Changes

Dependency Update

Layer / File(s)	Summary
Data Shape / Manifest go.mod	Indirect require entry for github.com/fxamacker/cbor/v2 changed from v2.9.0 to v2.9.2.
Tests / Docs none changed	No test or documentation changes in this PR.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: updating the cbor/v2 module from v2.9.0 to v2.9.2.
Description check	✅ Passed	The description is directly related to the changeset, providing detailed release notes, version information, and context for the dependency update.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/main/github.com-fxamacker-cbor-v2-2.x

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}