From 8a930a97daf2e495e1d76b5354f7609cc364ff55 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 1 Nov 2025 07:37:36 -0700
Subject: [PATCH] chore(deps): update module
 github.com/cyphar/filepath-securejoin to v0.5.1 (#7563)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
|
[github.com/cyphar/filepath-securejoin](https://redirect.github.com/cyphar/filepath-securejoin)
| `v0.5.0` -> `v0.5.1` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcyphar%2ffilepath-securejoin/v0.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcyphar%2ffilepath-securejoin/v0.5.0/v0.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>cyphar/filepath-securejoin
(github.com/cyphar/filepath-securejoin)</summary>

###
[`v0.5.1`](https://redirect.github.com/cyphar/filepath-securejoin/releases/tag/v0.5.1):
-- &quot;Spooky scary skeletons send shivers down your spine!&quot;

[Compare
Source](https://redirect.github.com/cyphar/filepath-securejoin/compare/v0.5.0...v0.5.1)

##### Changed

- `openat2` can return `-EAGAIN` if it detects a possible attack in
certain
scenarios (namely if there was a rename or mount while walking a path
with a
`..` component). While this is necessary to avoid a denial-of-service in
the
  kernel, it does require retry loops in userspace.

In previous versions, `pathrs-lite` would retry `openat2` 32 times
before
returning an error, but we've received user reports that this limit can
be
hit on systems with very heavy load. In some synthetic benchmarks
(testing
the worst-case of an attacker doing renames in a tight loop on every
core of
a 16-core machine) we managed to get a \~3% failure rate in runc. We
have
  improved this situation in two ways:

- We have now increased this limit to 128, which should be good enough
for
most use-cases without becoming a denial-of-service vector (the number
of
syscalls called by the `O_PATH` resolver in a typical case is within the
same ballpark). The same benchmarks show a failure rate of \~0.12% which
    (while not zero) is probably sufficient for most users.

- In addition, we now return a `unix.EAGAIN` error that is bubbled up
and can
be detected by callers. This means that callers with stricter
requirements
to avoid spurious errors can choose to do their own infinite `EAGAIN`
retry
loop (though we would strongly recommend users use time-based deadlines
in
    such retry loops to avoid potentially unbounded denials-of-service).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/open-telemetry/opentelemetry-go).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNTkuNCIsInVwZGF0ZWRJblZlciI6IjQxLjE1OS40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJTa2lwIENoYW5nZWxvZyIsImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 internal/tools/go.mod | 2 +-
 internal/tools/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/internal/tools/go.mod b/internal/tools/go.mod
index 1a38743aa..f7fc567d3 100644
--- a/internal/tools/go.mod
+++ b/internal/tools/go.mod
@@ -71,7 +71,7 @@ require (
 	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/curioswitch/go-reassign v0.3.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.5.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.5.1 // indirect
 	github.com/daixiang0/gci v0.13.7 // indirect
 	github.com/dave/dst v0.27.3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
diff --git a/internal/tools/go.sum b/internal/tools/go.sum
index dc778e808..2231dad2b 100644
--- a/internal/tools/go.sum
+++ b/internal/tools/go.sum
@@ -118,8 +118,8 @@ github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZ
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs=
 github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88=
-github.com/cyphar/filepath-securejoin v0.5.0 h1:hIAhkRBMQ8nIeuVwcAoymp7MY4oherZdAxD+m0u9zaw=
-github.com/cyphar/filepath-securejoin v0.5.0/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48=
+github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/daixiang0/gci v0.13.7 h1:+0bG5eK9vlI08J+J/NWGbWPTNiXPG4WhNLJOkSxWITQ=
 github.com/daixiang0/gci v0.13.7/go.mod h1:812WVN6JLFY9S6Tv76twqmNqevN0pa3SX3nih0brVzQ=
 github.com/dave/dst v0.27.3 h1:P1HPoMza3cMEquVf9kKy8yXsFirry4zEnWOdYPOoIzY=