From 97e33a7a3de5bbb9d3a1ec7c9da5e53ef5f23afe Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 28 Aug 2023 19:53:54 +0000
Subject: [PATCH] build(deps): Bump github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.2 to 0.16.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.2...v0.16.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod                                        |  10 +-
 go.sum                                        |  19 +--
 .../docker/cli/cli/config/configfile/file.go  |   1 -
 vendor/github.com/docker/docker/AUTHORS       |  18 +++
 .../docker/pkg/homedir/homedir_linux.go       |   9 +-
 .../pkg/v1/mutate/mutate.go                   |   4 +-
 .../pkg/v1/remote/descriptor.go               |  14 +-
 .../pkg/v1/remote/fetcher.go                  |   8 +-
 .../pkg/v1/remote/options.go                  |   3 +-
 .../pkg/v1/remote/transport/bearer.go         | 137 +++++++++++++-----
 .../pkg/v1/remote/transport/ping.go           |  60 ++++----
 .../pkg/v1/remote/transport/schemer.go        |   2 +-
 .../pkg/v1/remote/transport/transport.go      |  47 +++---
 .../pkg/v1/remote/write.go                    |  12 +-
 vendor/github.com/sirupsen/logrus/README.md   |   8 +-
 vendor/github.com/sirupsen/logrus/writer.go   |  34 ++++-
 vendor/golang.org/x/oauth2/google/default.go  |   9 +-
 vendor/golang.org/x/oauth2/internal/oauth2.go |   2 +-
 vendor/golang.org/x/oauth2/internal/token.go  |  60 ++++++--
 vendor/golang.org/x/oauth2/token.go           |  19 ++-
 vendor/modules.txt                            |  10 +-
 21 files changed, 329 insertions(+), 157 deletions(-)

diff --git a/go.mod b/go.mod
index d127af949..059fee66e 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/cppforlife/cobrautil v0.0.0-20221021151949-d60711905d65
 	github.com/cppforlife/go-cli-ui v0.0.0-20220425131040-94f26b16bc14
 	github.com/fatih/color v1.14.1 // indirect
-	github.com/google/go-containerregistry v0.15.2
+	github.com/google/go-containerregistry v0.16.1
 	github.com/mattn/go-isatty v0.0.19
 	github.com/maxbrunsfeld/counterfeiter/v6 v6.7.0
 	github.com/spf13/cobra v1.7.0
@@ -47,9 +47,9 @@ require (
 	github.com/creack/pty v1.1.11 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dimchansky/utfbom v1.1.0 // indirect
-	github.com/docker/cli v23.0.5+incompatible // indirect
+	github.com/docker/cli v24.0.0+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v23.0.5+incompatible // indirect
+	github.com/docker/docker v24.0.0+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
@@ -64,14 +64,14 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/sirupsen/logrus v1.9.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/vbatts/tar-split v0.11.3 // indirect
 	github.com/vito/go-interact v1.0.1 // indirect
 	golang.org/x/crypto v0.12.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/net v0.14.0 // indirect
-	golang.org/x/oauth2 v0.7.0 // indirect
+	golang.org/x/oauth2 v0.8.0 // indirect
 	golang.org/x/term v0.11.0 // indirect
 	golang.org/x/tools v0.12.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
diff --git a/go.sum b/go.sum
index 5e2c6d9af..7b07b4302 100644
--- a/go.sum
+++ b/go.sum
@@ -131,12 +131,12 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4=
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
-github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE=
-github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM=
+github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k=
-github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v24.0.0+incompatible h1:z4bf8HvONXX9Tde5lGBMQ7yCJgNahmJumdrStZAbeY4=
+github.com/docker/docker v24.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
@@ -208,8 +208,8 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-containerregistry v0.15.2 h1:MMkSh+tjSdnmJZO7ljvEqV1DjfekB6VUEAZgy3a+TQE=
-github.com/google/go-containerregistry v0.15.2/go.mod h1:wWK+LnOv4jXMM23IT/F1wdYftGWGr47Is8CG+pmHK1Q=
+github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ=
+github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -301,8 +301,9 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw=
 github.com/sclevine/spec v1.4.0 h1:z/Q9idDcay5m5irkZ28M7PtQM4aOISzOpj4bUPkDee8=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.1 h1:Ou41VVR3nMWWmTiEUnj0OlsgOSCUFgsPAOl6jRIcVtQ=
+github.com/sirupsen/logrus v1.9.1/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
@@ -441,8 +442,8 @@ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
-golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
+golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
+golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/vendor/github.com/docker/cli/cli/config/configfile/file.go b/vendor/github.com/docker/cli/cli/config/configfile/file.go
index 609a88c27..5db7f8b82 100644
--- a/vendor/github.com/docker/cli/cli/config/configfile/file.go
+++ b/vendor/github.com/docker/cli/cli/config/configfile/file.go
@@ -37,7 +37,6 @@ type ConfigFile struct {
 	PruneFilters         []string                     `json:"pruneFilters,omitempty"`
 	Proxies              map[string]ProxyConfig       `json:"proxies,omitempty"`
 	Experimental         string                       `json:"experimental,omitempty"`
-	StackOrchestrator    string                       `json:"stackOrchestrator,omitempty"` // Deprecated: swarm is now the default orchestrator, and this option is ignored.
 	CurrentContext       string                       `json:"currentContext,omitempty"`
 	CLIPluginsExtraDirs  []string                     `json:"cliPluginsExtraDirs,omitempty"`
 	Plugins              map[string]map[string]string `json:"plugins,omitempty"`
diff --git a/vendor/github.com/docker/docker/AUTHORS b/vendor/github.com/docker/docker/AUTHORS
index 0728bfe18..b31418192 100644
--- a/vendor/github.com/docker/docker/AUTHORS
+++ b/vendor/github.com/docker/docker/AUTHORS
@@ -29,6 +29,7 @@ Adam Pointer <adam.pointer@skybettingandgaming.com>
 Adam Singer <financeCoding@gmail.com>
 Adam Walz <adam@adamwalz.net>
 Adam Williams <awilliams@mirantis.com>
+AdamKorcz <adam@adalogics.com>
 Addam Hardy <addam.hardy@gmail.com>
 Aditi Rajagopal <arajagopal@us.ibm.com>
 Aditya <aditya@netroy.in>
@@ -81,6 +82,7 @@ Alex Goodman <wagoodman@gmail.com>
 Alex Nordlund <alexander.nordlund@nasdaq.com>
 Alex Olshansky <i@creagenics.com>
 Alex Samorukov <samm@os2.kiev.ua>
+Alex Stockinger <alex@atomicjar.com>
 Alex Warhawk <ax.warhawk@gmail.com>
 Alexander Artemenko <svetlyak.40wt@gmail.com>
 Alexander Boyd <alex@opengroove.org>
@@ -198,6 +200,7 @@ Anusha Ragunathan <anusha.ragunathan@docker.com>
 Anyu Wang <wanganyu@outlook.com>
 apocas <petermdias@gmail.com>
 Arash Deshmeh <adeshmeh@ca.ibm.com>
+arcosx <arcosx@outlook.com>
 ArikaChen <eaglesora@gmail.com>
 Arko Dasgupta <arko@tetrate.io>
 Arnaud Lefebvre <a.lefebvre@outlook.fr>
@@ -241,6 +244,7 @@ Benjamin Atkin <ben@benatkin.com>
 Benjamin Baker <Benjamin.baker@utexas.edu>
 Benjamin Boudreau <boudreau.benjamin@gmail.com>
 Benjamin Böhmke <benjamin@boehmke.net>
+Benjamin Wang <wachao@vmware.com>
 Benjamin Yolken <yolken@stripe.com>
 Benny Ng <benny.tpng@gmail.com>
 Benoit Chesneau <bchesneau@gmail.com>
@@ -634,6 +638,7 @@ Eng Zer Jun <engzerjun@gmail.com>
 Enguerran <engcolson@gmail.com>
 Eohyung Lee <liquidnuker@gmail.com>
 epeterso <epeterson@breakpoint-labs.com>
+er0k <er0k@er0k.net>
 Eric Barch <barch@tomesoftware.com>
 Eric Curtin <ericcurtin17@gmail.com>
 Eric G. Noriega <enoriega@vizuri.com>
@@ -754,6 +759,7 @@ Félix Baylac-Jacqué <baylac.felix@gmail.com>
 Félix Cantournet <felix.cantournet@cloudwatt.com>
 Gabe Rosenhouse <gabe@missionst.com>
 Gabor Nagy <mail@aigeruth.hu>
+Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
 Gabriel Goller <gabrielgoller123@gmail.com>
 Gabriel L. Somlo <gsomlo@gmail.com>
 Gabriel Linder <linder.gabriel@gmail.com>
@@ -855,6 +861,7 @@ Hongbin Lu <hongbin034@gmail.com>
 Hongxu Jia <hongxu.jia@windriver.com>
 Honza Pokorny <me@honza.ca>
 Hsing-Hui Hsu <hsinghui@amazon.com>
+Hsing-Yu (David) Chen <davidhsingyuchen@gmail.com>
 hsinko <21551195@zju.edu.cn>
 Hu Keping <hukeping@huawei.com>
 Hu Tao <hutao@cn.fujitsu.com>
@@ -887,6 +894,7 @@ Igor Dolzhikov <bluesriverz@gmail.com>
 Igor Karpovich <i.karpovich@currencysolutions.com>
 Iliana Weller <iweller@amazon.com>
 Ilkka Laukkanen <ilkka@ilkka.io>
+Illia Antypenko <ilya@antipenko.pp.ua>
 Illo Abdulrahim <abdulrahim.illo@nokia.com>
 Ilya Dmitrichenko <errordeveloper@gmail.com>
 Ilya Gusev <mail@igusev.ru>
@@ -938,6 +946,7 @@ Jamie Hannaford <jamie@limetree.org>
 Jamshid Afshar <jafshar@yahoo.com>
 Jan Breig <git@pygos.space>
 Jan Chren <dev.rindeal@gmail.com>
+Jan Garcia <github-public@n-garcia.com>
 Jan Götte <jaseg@jaseg.net>
 Jan Keromnes <janx@linux.com>
 Jan Koprowski <jan.koprowski@gmail.com>
@@ -1206,6 +1215,7 @@ Kimbro Staken <kstaken@kstaken.com>
 Kir Kolyshkin <kolyshkin@gmail.com>
 Kiran Gangadharan <kiran.daredevil@gmail.com>
 Kirill SIbirev <l0kix2@gmail.com>
+Kirk Easterson <kirk.easterson@gmail.com>
 knappe <tyler.knappe@gmail.com>
 Kohei Tsuruta <coheyxyz@gmail.com>
 Koichi Shiraishi <k@zchee.io>
@@ -1240,10 +1250,12 @@ Lars Kellogg-Stedman <lars@redhat.com>
 Lars R. Damerow <lars@pixar.com>
 Lars-Magnus Skog <ralphtheninja@riseup.net>
 Laszlo Meszaros <lacienator@gmail.com>
+Laura Brehm <laurabrehm@hey.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Bernaille <laurent.bernaille@datadoghq.com>
 Laurent Erignoux <lerignoux@gmail.com>
 Laurie Voss <github@seldo.com>
+Leandro Motta Barros <lmb@stackedboxes.org>
 Leandro Siqueira <leandro.siqueira@gmail.com>
 Lee Calcote <leecalcote@gmail.com>
 Lee Chao <932819864@qq.com>
@@ -1563,6 +1575,7 @@ Nick Neisen <nwneisen@gmail.com>
 Nick Parker <nikaios@gmail.com>
 Nick Payne <nick@kurai.co.uk>
 Nick Russo <nicholasjamesrusso@gmail.com>
+Nick Santos <nick.santos@docker.com>
 Nick Stenning <nick.stenning@digital.cabinet-office.gov.uk>
 Nick Stinemates <nick@stinemates.org>
 Nick Wood <nwood@microsoft.com>
@@ -1584,6 +1597,7 @@ NikolaMandic <mn080202@gmail.com>
 Nikolas Garofil <nikolas.garofil@uantwerpen.be>
 Nikolay Edigaryev <edigaryev@gmail.com>
 Nikolay Milovanov <nmil@itransformers.net>
+ningmingxiao <ning.mingxiao@zte.com.cn>
 Nirmal Mehta <nirmalkmehta@gmail.com>
 Nishant Totla <nishanttotla@gmail.com>
 NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
@@ -1615,6 +1629,7 @@ Omri Shiv <Omri.Shiv@teradata.com>
 Onur Filiz <onur.filiz@microsoft.com>
 Oriol Francès <oriolfa@gmail.com>
 Oscar Bonilla <6f6231@gmail.com>
+oscar.chen <2972789494@qq.com>
 Oskar Niburski <oskarniburski@gmail.com>
 Otto Kekäläinen <otto@seravo.fi>
 Ouyang Liduo <oyld0210@163.com>
@@ -1822,6 +1837,7 @@ Rory Hunter <roryhunter2@gmail.com>
 Rory McCune <raesene@gmail.com>
 Ross Boucher <rboucher@gmail.com>
 Rovanion Luckey <rovanion.luckey@gmail.com>
+Roy Reznik <roy@wiz.io>
 Royce Remer <royceremer@gmail.com>
 Rozhnov Alexandr <nox73@ya.ru>
 Rudolph Gottesheim <r.gottesheim@loot.at>
@@ -2271,6 +2287,7 @@ Xiaoyu Zhang <zhang.xiaoyu33@zte.com.cn>
 xichengliudui <1693291525@qq.com>
 xiekeyang <xiekeyang@huawei.com>
 Ximo Guanter Gonzálbez <joaquin.guantergonzalbez@telefonica.com>
+xin.li <xin.li@daocloud.io>
 Xinbo Weng <xihuanbo_0521@zju.edu.cn>
 Xinfeng Liu <xinfeng.liu@gmail.com>
 Xinzi Zhou <imdreamrunner@gmail.com>
@@ -2282,6 +2299,7 @@ Yahya <ya7yaz@gmail.com>
 yalpul <yalpul@gmail.com>
 YAMADA Tsuyoshi <tyamada@minimum2scp.org>
 Yamasaki Masahide <masahide.y@gmail.com>
+Yamazaki Masashi <masi19bw@gmail.com>
 Yan Feng <yanfeng2@huawei.com>
 Yan Zhu <yanzhu@alauda.io>
 Yang Bai <hamo.by@gmail.com>
diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go b/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go
index 7df039b4c..ded1c7c8c 100644
--- a/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go
+++ b/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go
@@ -64,13 +64,14 @@ func stick(f string) error {
 
 // GetDataHome returns XDG_DATA_HOME.
 // GetDataHome returns $HOME/.local/share and nil error if XDG_DATA_HOME is not set.
+// If HOME and XDG_DATA_HOME are not set, getpwent(3) is consulted to determine the users home directory.
 //
 // See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
 func GetDataHome() (string, error) {
 	if xdgDataHome := os.Getenv("XDG_DATA_HOME"); xdgDataHome != "" {
 		return xdgDataHome, nil
 	}
-	home := os.Getenv("HOME")
+	home := Get()
 	if home == "" {
 		return "", errors.New("could not get either XDG_DATA_HOME or HOME")
 	}
@@ -79,13 +80,14 @@ func GetDataHome() (string, error) {
 
 // GetConfigHome returns XDG_CONFIG_HOME.
 // GetConfigHome returns $HOME/.config and nil error if XDG_CONFIG_HOME is not set.
+// If HOME and XDG_CONFIG_HOME are not set, getpwent(3) is consulted to determine the users home directory.
 //
 // See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
 func GetConfigHome() (string, error) {
 	if xdgConfigHome := os.Getenv("XDG_CONFIG_HOME"); xdgConfigHome != "" {
 		return xdgConfigHome, nil
 	}
-	home := os.Getenv("HOME")
+	home := Get()
 	if home == "" {
 		return "", errors.New("could not get either XDG_CONFIG_HOME or HOME")
 	}
@@ -93,8 +95,9 @@ func GetConfigHome() (string, error) {
 }
 
 // GetLibHome returns $HOME/.local/lib
+// If HOME is not set, getpwent(3) is consulted to determine the users home directory.
 func GetLibHome() (string, error) {
-	home := os.Getenv("HOME")
+	home := Get()
 	if home == "" {
 		return "", errors.New("could not get HOME")
 	}
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/mutate/mutate.go b/vendor/github.com/google/go-containerregistry/pkg/v1/mutate/mutate.go
index e4a0e5273..1a24b10d7 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/mutate/mutate.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/mutate/mutate.go
@@ -402,7 +402,9 @@ func Time(img v1.Image, t time.Time) (v1.Image, error) {
 			historyIdx++
 			break
 		}
-		addendums[addendumIdx].Layer = newLayer
+		if addendumIdx < len(addendums) {
+			addendums[addendumIdx].Layer = newLayer
+		}
 	}
 
 	// add all leftover History entries
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/descriptor.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/descriptor.go
index 61f28f4c0..fafe910e9 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/descriptor.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/descriptor.go
@@ -16,6 +16,7 @@ package remote
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/google/go-containerregistry/pkg/logs"
@@ -33,20 +34,11 @@ var allManifestMediaTypes = append(append([]types.MediaType{
 // ErrSchema1 indicates that we received a schema1 manifest from the registry.
 // This library doesn't have plans to support this legacy image format:
 // https://github.com/google/go-containerregistry/issues/377
-type ErrSchema1 struct {
-	schema string
-}
+var ErrSchema1 = errors.New("see https://github.com/google/go-containerregistry/issues/377")
 
 // newErrSchema1 returns an ErrSchema1 with the unexpected MediaType.
 func newErrSchema1(schema types.MediaType) error {
-	return &ErrSchema1{
-		schema: string(schema),
-	}
-}
-
-// Error implements error.
-func (e *ErrSchema1) Error() string {
-	return fmt.Sprintf("unsupported MediaType: %q, see https://github.com/google/go-containerregistry/issues/377", e.schema)
+	return fmt.Errorf("unsupported MediaType: %q, %w", schema, ErrSchema1)
 }
 
 // Descriptor provides access to metadata about remote artifact and accessors
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/fetcher.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/fetcher.go
index b671f836c..4e61002be 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/fetcher.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/fetcher.go
@@ -32,6 +32,12 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/types"
 )
 
+const (
+	kib           = 1024
+	mib           = 1024 * kib
+	manifestLimit = 100 * mib
+)
+
 // fetcher implements methods for reading from a registry.
 type fetcher struct {
 	target resource
@@ -130,7 +136,7 @@ func (f *fetcher) fetchManifest(ctx context.Context, ref name.Reference, accepta
 		return nil, nil, err
 	}
 
-	manifest, err := io.ReadAll(resp.Body)
+	manifest, err := io.ReadAll(io.LimitReader(resp.Body, manifestLimit))
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/options.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/options.go
index a722c2ca6..99a2bb2eb 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/options.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/options.go
@@ -96,7 +96,8 @@ var defaultRetryStatusCodes = []int{
 	http.StatusBadGateway,
 	http.StatusServiceUnavailable,
 	http.StatusGatewayTimeout,
-	499,
+	499, // nginx-specific, client closed request
+	522, // Cloudflare-specific, connection timeout
 }
 
 const (
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/bearer.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/bearer.go
index ea07ff6ab..cb1567496 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/bearer.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/bearer.go
@@ -32,6 +32,71 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 )
 
+type Token struct {
+	Token        string `json:"token"`
+	AccessToken  string `json:"access_token,omitempty"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
+// Exchange requests a registry Token with the given scopes.
+func Exchange(ctx context.Context, reg name.Registry, auth authn.Authenticator, t http.RoundTripper, scopes []string, pr *Challenge) (*Token, error) {
+	if strings.ToLower(pr.Scheme) != "bearer" {
+		// TODO: Pretend token for basic?
+		return nil, fmt.Errorf("challenge scheme %q is not bearer", pr.Scheme)
+	}
+	bt, err := fromChallenge(reg, auth, t, pr, scopes...)
+	if err != nil {
+		return nil, err
+	}
+	authcfg, err := auth.Authorization()
+	if err != nil {
+		return nil, err
+	}
+	tok, err := bt.Refresh(ctx, authcfg)
+	if err != nil {
+		return nil, err
+	}
+	return tok, nil
+}
+
+// FromToken returns a transport given a Challenge + Token.
+func FromToken(reg name.Registry, auth authn.Authenticator, t http.RoundTripper, pr *Challenge, tok *Token) (http.RoundTripper, error) {
+	if strings.ToLower(pr.Scheme) != "bearer" {
+		return &Wrapper{&basicTransport{inner: t, auth: auth, target: reg.RegistryStr()}}, nil
+	}
+	bt, err := fromChallenge(reg, auth, t, pr)
+	if err != nil {
+		return nil, err
+	}
+	if tok.Token != "" {
+		bt.bearer.RegistryToken = tok.Token
+	}
+	return &Wrapper{bt}, nil
+}
+
+func fromChallenge(reg name.Registry, auth authn.Authenticator, t http.RoundTripper, pr *Challenge, scopes ...string) (*bearerTransport, error) {
+	// We require the realm, which tells us where to send our Basic auth to turn it into Bearer auth.
+	realm, ok := pr.Parameters["realm"]
+	if !ok {
+		return nil, fmt.Errorf("malformed www-authenticate, missing realm: %v", pr.Parameters)
+	}
+	service := pr.Parameters["service"]
+	scheme := "https"
+	if pr.Insecure {
+		scheme = "http"
+	}
+	return &bearerTransport{
+		inner:    t,
+		basic:    auth,
+		realm:    realm,
+		registry: reg,
+		service:  service,
+		scopes:   scopes,
+		scheme:   scheme,
+	}, nil
+}
+
 type bearerTransport struct {
 	// Wrapped by bearerTransport.
 	inner http.RoundTripper
@@ -73,7 +138,7 @@ func (bt *bearerTransport) RoundTrip(in *http.Request) (*http.Response, error) {
 		// we are redirected, only set it when the authorization header matches
 		// the registry with which we are interacting.
 		// In case of redirect http.Client can use an empty Host, check URL too.
-		if matchesHost(bt.registry, in, bt.scheme) {
+		if matchesHost(bt.registry.RegistryStr(), in, bt.scheme) {
 			hdr := fmt.Sprintf("Bearer %s", bt.bearer.RegistryToken)
 			in.Header.Set("Authorization", hdr)
 		}
@@ -135,7 +200,36 @@ func (bt *bearerTransport) refresh(ctx context.Context) error {
 		return nil
 	}
 
-	var content []byte
+	response, err := bt.Refresh(ctx, auth)
+	if err != nil {
+		return err
+	}
+
+	// Some registries set access_token instead of token. See #54.
+	if response.AccessToken != "" {
+		response.Token = response.AccessToken
+	}
+
+	// Find a token to turn into a Bearer authenticator
+	if response.Token != "" {
+		bt.bearer.RegistryToken = response.Token
+	}
+
+	// If we obtained a refresh token from the oauth flow, use that for refresh() now.
+	if response.RefreshToken != "" {
+		bt.basic = authn.FromConfig(authn.AuthConfig{
+			IdentityToken: response.RefreshToken,
+		})
+	}
+
+	return nil
+}
+
+func (bt *bearerTransport) Refresh(ctx context.Context, auth *authn.AuthConfig) (*Token, error) {
+	var (
+		content []byte
+		err     error
+	)
 	if auth.IdentityToken != "" {
 		// If the secret being stored is an identity token,
 		// the Username should be set to <token>, which indicates
@@ -152,48 +246,25 @@ func (bt *bearerTransport) refresh(ctx context.Context) error {
 		content, err = bt.refreshBasic(ctx)
 	}
 	if err != nil {
-		return err
-	}
-
-	// Some registries don't have "token" in the response. See #54.
-	type tokenResponse struct {
-		Token        string `json:"token"`
-		AccessToken  string `json:"access_token"`
-		RefreshToken string `json:"refresh_token"`
-		// TODO: handle expiry?
+		return nil, err
 	}
 
-	var response tokenResponse
+	var response Token
 	if err := json.Unmarshal(content, &response); err != nil {
-		return err
-	}
-
-	// Some registries set access_token instead of token.
-	if response.AccessToken != "" {
-		response.Token = response.AccessToken
-	}
-
-	// Find a token to turn into a Bearer authenticator
-	if response.Token != "" {
-		bt.bearer.RegistryToken = response.Token
-	} else {
-		return fmt.Errorf("no token in bearer response:\n%s", content)
+		return nil, err
 	}
 
-	// If we obtained a refresh token from the oauth flow, use that for refresh() now.
-	if response.RefreshToken != "" {
-		bt.basic = authn.FromConfig(authn.AuthConfig{
-			IdentityToken: response.RefreshToken,
-		})
+	if response.Token == "" && response.AccessToken == "" {
+		return &response, fmt.Errorf("no token in bearer response:\n%s", content)
 	}
 
-	return nil
+	return &response, nil
 }
 
-func matchesHost(reg name.Registry, in *http.Request, scheme string) bool {
+func matchesHost(host string, in *http.Request, scheme string) bool {
 	canonicalHeaderHost := canonicalAddress(in.Host, scheme)
 	canonicalURLHost := canonicalAddress(in.URL.Host, scheme)
-	canonicalRegistryHost := canonicalAddress(reg.RegistryStr(), scheme)
+	canonicalRegistryHost := canonicalAddress(host, scheme)
 	return canonicalHeaderHost == canonicalRegistryHost || canonicalURLHost == canonicalRegistryHost
 }
 
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/ping.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/ping.go
index d852ef845..799c7ea08 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/ping.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/ping.go
@@ -28,33 +28,22 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 )
 
-type challenge string
-
-const (
-	anonymous challenge = "anonymous"
-	basic     challenge = "basic"
-	bearer    challenge = "bearer"
-)
-
 // 300ms is the default fallback period for go's DNS dialer but we could make this configurable.
 var fallbackDelay = 300 * time.Millisecond
 
-type pingResp struct {
-	challenge challenge
+type Challenge struct {
+	Scheme string
 
 	// Following the challenge there are often key/value pairs
 	// e.g. Bearer service="gcr.io",realm="https://auth.gcr.io/v36/tokenz"
-	parameters map[string]string
+	Parameters map[string]string
 
-	// The registry's scheme to use. Communicates whether we fell back to http.
-	scheme string
+	// Whether we had to use http to complete the Ping.
+	Insecure bool
 }
 
-func (c challenge) Canonical() challenge {
-	return challenge(strings.ToLower(string(c)))
-}
-
-func ping(ctx context.Context, reg name.Registry, t http.RoundTripper) (*pingResp, error) {
+// Ping does a GET /v2/ against the registry and returns the response.
+func Ping(ctx context.Context, reg name.Registry, t http.RoundTripper) (*Challenge, error) {
 	// This first attempts to use "https" for every request, falling back to http
 	// if the registry matches our localhost heuristic or if it is intentionally
 	// set to insecure via name.NewInsecureRegistry.
@@ -68,9 +57,9 @@ func ping(ctx context.Context, reg name.Registry, t http.RoundTripper) (*pingRes
 	return pingParallel(ctx, reg, t, schemes)
 }
 
-func pingSingle(ctx context.Context, reg name.Registry, t http.RoundTripper, scheme string) (*pingResp, error) {
+func pingSingle(ctx context.Context, reg name.Registry, t http.RoundTripper, scheme string) (*Challenge, error) {
 	client := http.Client{Transport: t}
-	url := fmt.Sprintf("%s://%s/v2/", scheme, reg.Name())
+	url := fmt.Sprintf("%s://%s/v2/", scheme, reg.RegistryStr())
 	req, err := http.NewRequest(http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
@@ -86,27 +75,28 @@ func pingSingle(ctx context.Context, reg name.Registry, t http.RoundTripper, sch
 		resp.Body.Close()
 	}()
 
+	insecure := scheme == "http"
+
 	switch resp.StatusCode {
 	case http.StatusOK:
 		// If we get a 200, then no authentication is needed.
-		return &pingResp{
-			challenge: anonymous,
-			scheme:    scheme,
+		return &Challenge{
+			Insecure: insecure,
 		}, nil
 	case http.StatusUnauthorized:
 		if challenges := authchallenge.ResponseChallenges(resp); len(challenges) != 0 {
 			// If we hit more than one, let's try to find one that we know how to handle.
 			wac := pickFromMultipleChallenges(challenges)
-			return &pingResp{
-				challenge:  challenge(wac.Scheme).Canonical(),
-				parameters: wac.Parameters,
-				scheme:     scheme,
+			return &Challenge{
+				Scheme:     wac.Scheme,
+				Parameters: wac.Parameters,
+				Insecure:   insecure,
 			}, nil
 		}
 		// Otherwise, just return the challenge without parameters.
-		return &pingResp{
-			challenge: challenge(resp.Header.Get("WWW-Authenticate")).Canonical(),
-			scheme:    scheme,
+		return &Challenge{
+			Scheme:   resp.Header.Get("WWW-Authenticate"),
+			Insecure: insecure,
 		}, nil
 	default:
 		return nil, CheckError(resp, http.StatusOK, http.StatusUnauthorized)
@@ -114,12 +104,12 @@ func pingSingle(ctx context.Context, reg name.Registry, t http.RoundTripper, sch
 }
 
 // Based on the golang happy eyeballs dialParallel impl in net/dial.go.
-func pingParallel(ctx context.Context, reg name.Registry, t http.RoundTripper, schemes []string) (*pingResp, error) {
+func pingParallel(ctx context.Context, reg name.Registry, t http.RoundTripper, schemes []string) (*Challenge, error) {
 	returned := make(chan struct{})
 	defer close(returned)
 
 	type pingResult struct {
-		*pingResp
+		*Challenge
 		error
 		primary bool
 		done    bool
@@ -130,7 +120,7 @@ func pingParallel(ctx context.Context, reg name.Registry, t http.RoundTripper, s
 	startRacer := func(ctx context.Context, scheme string) {
 		pr, err := pingSingle(ctx, reg, t, scheme)
 		select {
-		case results <- pingResult{pingResp: pr, error: err, primary: scheme == "https", done: true}:
+		case results <- pingResult{Challenge: pr, error: err, primary: scheme == "https", done: true}:
 		case <-returned:
 			if pr != nil {
 				logs.Debug.Printf("%s lost race", scheme)
@@ -156,7 +146,7 @@ func pingParallel(ctx context.Context, reg name.Registry, t http.RoundTripper, s
 
 		case res := <-results:
 			if res.error == nil {
-				return res.pingResp, nil
+				return res.Challenge, nil
 			}
 			if res.primary {
 				primary = res
@@ -164,7 +154,7 @@ func pingParallel(ctx context.Context, reg name.Registry, t http.RoundTripper, s
 				fallback = res
 			}
 			if primary.done && fallback.done {
-				return nil, multierrs([]error{primary.error, fallback.error})
+				return nil, multierrs{primary.error, fallback.error}
 			}
 			if res.primary && fallbackTimer.Stop() {
 				// Primary failed and we haven't started the fallback,
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/schemer.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/schemer.go
index d70b6a850..05844db13 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/schemer.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/schemer.go
@@ -37,7 +37,7 @@ func (st *schemeTransport) RoundTrip(in *http.Request) (*http.Response, error) {
 	// based on which scheme was successful. That is only valid for the
 	// registry server and not e.g. a separate token server or blob storage,
 	// so we should only override the scheme if the host is the registry.
-	if matchesHost(st.registry, in, st.scheme) {
+	if matchesHost(st.registry.String(), in, st.scheme) {
 		in.URL.Scheme = st.scheme
 	}
 	return st.inner.RoundTrip(in)
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/transport.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/transport.go
index 01fe1fa82..bd539b44f 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/transport.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/transport/transport.go
@@ -16,8 +16,8 @@ package transport
 
 import (
 	"context"
-	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
@@ -59,7 +59,7 @@ func NewWithContext(ctx context.Context, reg name.Registry, auth authn.Authentic
 
 	// First we ping the registry to determine the parameters of the authentication handshake
 	// (if one is even necessary).
-	pr, err := ping(ctx, reg, t)
+	pr, err := Ping(ctx, reg, t)
 	if err != nil {
 		return nil, err
 	}
@@ -69,39 +69,32 @@ func NewWithContext(ctx context.Context, reg name.Registry, auth authn.Authentic
 		t = NewUserAgent(t, "")
 	}
 
+	scheme := "https"
+	if pr.Insecure {
+		scheme = "http"
+	}
+
 	// Wrap t in a transport that selects the appropriate scheme based on the ping response.
 	t = &schemeTransport{
-		scheme:   pr.scheme,
+		scheme:   scheme,
 		registry: reg,
 		inner:    t,
 	}
 
-	switch pr.challenge.Canonical() {
-	case anonymous, basic:
+	if strings.ToLower(pr.Scheme) != "bearer" {
 		return &Wrapper{&basicTransport{inner: t, auth: auth, target: reg.RegistryStr()}}, nil
-	case bearer:
-		// We require the realm, which tells us where to send our Basic auth to turn it into Bearer auth.
-		realm, ok := pr.parameters["realm"]
-		if !ok {
-			return nil, fmt.Errorf("malformed www-authenticate, missing realm: %v", pr.parameters)
-		}
-		service := pr.parameters["service"]
-		bt := &bearerTransport{
-			inner:    t,
-			basic:    auth,
-			realm:    realm,
-			registry: reg,
-			service:  service,
-			scopes:   scopes,
-			scheme:   pr.scheme,
-		}
-		if err := bt.refresh(ctx); err != nil {
-			return nil, err
-		}
-		return &Wrapper{bt}, nil
-	default:
-		return nil, fmt.Errorf("unrecognized challenge: %s", pr.challenge)
 	}
+
+	bt, err := fromChallenge(reg, auth, t, pr)
+	if err != nil {
+		return nil, err
+	}
+	bt.scopes = scopes
+
+	if err := bt.refresh(ctx); err != nil {
+		return nil, err
+	}
+	return &Wrapper{bt}, nil
 }
 
 // Wrapper results in *not* wrapping supplied transport with additional logic such as retries, useragent and debug logging
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/write.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/write.go
index f4369e2a0..6bfce75e7 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/write.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/write.go
@@ -210,7 +210,7 @@ func (w *writer) initiateUpload(ctx context.Context, from, mount, origin string)
 	req.Header.Set("Content-Type", "application/json")
 	resp, err := w.client.Do(req.WithContext(ctx))
 	if err != nil {
-		if origin != "" && origin != w.repo.RegistryStr() {
+		if from != "" {
 			// https://github.com/google/go-containerregistry/issues/1679
 			logs.Warn.Printf("retrying without mount: %v", err)
 			return w.initiateUpload(ctx, "", "", "")
@@ -220,7 +220,7 @@ func (w *writer) initiateUpload(ctx context.Context, from, mount, origin string)
 	defer resp.Body.Close()
 
 	if err := transport.CheckError(resp, http.StatusCreated, http.StatusAccepted); err != nil {
-		if origin != "" && origin != w.repo.RegistryStr() {
+		if from != "" {
 			// https://github.com/google/go-containerregistry/issues/1404
 			logs.Warn.Printf("retrying without mount: %v", err)
 			return w.initiateUpload(ctx, "", "", "")
@@ -360,8 +360,16 @@ func (w *writer) uploadOne(ctx context.Context, l v1.Layer) error {
 			if err := w.maybeUpdateScopes(ctx, ml); err != nil {
 				return err
 			}
+
 			from = ml.Reference.Context().RepositoryStr()
 			origin = ml.Reference.Context().RegistryStr()
+
+			// This keeps breaking with DockerHub.
+			// https://github.com/google/go-containerregistry/issues/1741
+			if w.repo.RegistryStr() == name.DefaultRegistry && origin != w.repo.RegistryStr() {
+				from = ""
+				origin = ""
+			}
 		}
 
 		location, mounted, err := w.initiateUpload(ctx, from, mount, origin)
diff --git a/vendor/github.com/sirupsen/logrus/README.md b/vendor/github.com/sirupsen/logrus/README.md
index b042c896f..d1d4a85fd 100644
--- a/vendor/github.com/sirupsen/logrus/README.md
+++ b/vendor/github.com/sirupsen/logrus/README.md
@@ -9,7 +9,7 @@ the last thing you want from your Logging library (again...).
 
 This does not mean Logrus is dead. Logrus will continue to be maintained for
 security, (backwards compatible) bug fixes, and performance (where we are
-limited by the interface). 
+limited by the interface).
 
 I believe Logrus' biggest contribution is to have played a part in today's
 widespread use of structured logging in Golang. There doesn't seem to be a
@@ -43,7 +43,7 @@ plain text):
 With `log.SetFormatter(&log.JSONFormatter{})`, for easy parsing by logstash
 or Splunk:
 
-```json
+```text
 {"animal":"walrus","level":"info","msg":"A group of walrus emerges from the
 ocean","size":10,"time":"2014-03-10 19:57:38.562264131 -0400 EDT"}
 
@@ -99,7 +99,7 @@ time="2015-03-26T01:27:38-04:00" level=fatal method=github.com/sirupsen/arcticcr
 ```
 Note that this does add measurable overhead - the cost will depend on the version of Go, but is
 between 20 and 40% in recent tests with 1.6 and 1.7.  You can validate this in your
-environment via benchmarks: 
+environment via benchmarks:
 ```
 go test -bench=.*CallerTracing
 ```
@@ -317,6 +317,8 @@ log.SetLevel(log.InfoLevel)
 It may be useful to set `log.Level = logrus.DebugLevel` in a debug or verbose
 environment if your application has that.
 
+Note: If you want different log levels for global (`log.SetLevel(...)`) and syslog logging, please check the [syslog hook README](hooks/syslog/README.md#different-log-levels-for-local-and-remote-logging).
+
 #### Entries
 
 Besides the fields added with `WithField` or `WithFields` some fields are
diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
index 72e8e3a1b..7e7703c72 100644
--- a/vendor/github.com/sirupsen/logrus/writer.go
+++ b/vendor/github.com/sirupsen/logrus/writer.go
@@ -4,6 +4,7 @@ import (
 	"bufio"
 	"io"
 	"runtime"
+	"strings"
 )
 
 // Writer at INFO level. See WriterLevel for details.
@@ -20,15 +21,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
 	return NewEntry(logger).WriterLevel(level)
 }
 
+// Writer returns an io.Writer that writes to the logger at the info log level
 func (entry *Entry) Writer() *io.PipeWriter {
 	return entry.WriterLevel(InfoLevel)
 }
 
+// WriterLevel returns an io.Writer that writes to the logger at the given log level
 func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
 	reader, writer := io.Pipe()
 
 	var printFunc func(args ...interface{})
 
+	// Determine which log function to use based on the specified log level
 	switch level {
 	case TraceLevel:
 		printFunc = entry.Trace
@@ -48,23 +52,51 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
 		printFunc = entry.Print
 	}
 
+	// Start a new goroutine to scan the input and write it to the logger using the specified print function.
+	// It splits the input into chunks of up to 64KB to avoid buffer overflows.
 	go entry.writerScanner(reader, printFunc)
+
+	// Set a finalizer function to close the writer when it is garbage collected
 	runtime.SetFinalizer(writer, writerFinalizer)
 
 	return writer
 }
 
+// writerScanner scans the input from the reader and writes it to the logger
 func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
 	scanner := bufio.NewScanner(reader)
+
+	// Set the buffer size to the maximum token size to avoid buffer overflows
+	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
+
+	// Define a split function to split the input into chunks of up to 64KB
+	chunkSize := 64 * 1024 // 64KB
+	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
+		if len(data) > chunkSize {
+			return chunkSize, data[:chunkSize], nil
+		}
+
+		return len(data), data, nil
+	}
+
+	//Use the custom split function to split the input
+	scanner.Split(splitFunc)
+
+	// Scan the input and write it to the logger using the specified print function
 	for scanner.Scan() {
-		printFunc(scanner.Text())
+		printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
 	}
+
+	// If there was an error while scanning the input, log an error
 	if err := scanner.Err(); err != nil {
 		entry.Errorf("Error while reading from Writer: %s", err)
 	}
+
+	// Close the reader when we are done
 	reader.Close()
 }
 
+// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
 func writerFinalizer(writer *io.PipeWriter) {
 	writer.Close()
 }
diff --git a/vendor/golang.org/x/oauth2/google/default.go b/vendor/golang.org/x/oauth2/google/default.go
index b3e8783cc..2cf71f0f9 100644
--- a/vendor/golang.org/x/oauth2/google/default.go
+++ b/vendor/golang.org/x/oauth2/google/default.go
@@ -8,7 +8,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -142,10 +141,8 @@ func FindDefaultCredentialsWithParams(ctx context.Context, params CredentialsPar
 
 	// Second, try a well-known file.
 	filename := wellKnownFile()
-	if creds, err := readCredentialsFile(ctx, filename, params); err == nil {
-		return creds, nil
-	} else if !os.IsNotExist(err) {
-		return nil, fmt.Errorf("google: error getting credentials using well-known file (%v): %v", filename, err)
+	if b, err := os.ReadFile(filename); err == nil {
+		return CredentialsFromJSONWithParams(ctx, b, params)
 	}
 
 	// Third, if we're on a Google App Engine standard first generation runtime (<= Go 1.9)
@@ -231,7 +228,7 @@ func wellKnownFile() string {
 }
 
 func readCredentialsFile(ctx context.Context, filename string, params CredentialsParams) (*Credentials, error) {
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
diff --git a/vendor/golang.org/x/oauth2/internal/oauth2.go b/vendor/golang.org/x/oauth2/internal/oauth2.go
index c0ab196cf..14989beaf 100644
--- a/vendor/golang.org/x/oauth2/internal/oauth2.go
+++ b/vendor/golang.org/x/oauth2/internal/oauth2.go
@@ -14,7 +14,7 @@ import (
 
 // ParseKey converts the binary contents of a private key file
 // to an *rsa.PrivateKey. It detects whether the private key is in a
-// PEM container or not. If so, it extracts the the private key
+// PEM container or not. If so, it extracts the private key
 // from PEM container before conversion. It only supports PEM
 // containers with no passphrase.
 func ParseKey(key []byte) (*rsa.PrivateKey, error) {
diff --git a/vendor/golang.org/x/oauth2/internal/token.go b/vendor/golang.org/x/oauth2/internal/token.go
index b4723fcac..58901bda5 100644
--- a/vendor/golang.org/x/oauth2/internal/token.go
+++ b/vendor/golang.org/x/oauth2/internal/token.go
@@ -55,12 +55,18 @@ type Token struct {
 }
 
 // tokenJSON is the struct representing the HTTP response from OAuth2
-// providers returning a token in JSON form.
+// providers returning a token or error in JSON form.
+// https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
 type tokenJSON struct {
 	AccessToken  string         `json:"access_token"`
 	TokenType    string         `json:"token_type"`
 	RefreshToken string         `json:"refresh_token"`
 	ExpiresIn    expirationTime `json:"expires_in"` // at least PayPal returns string, while most return number
+	// error fields
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+	ErrorCode        string `json:"error"`
+	ErrorDescription string `json:"error_description"`
+	ErrorURI         string `json:"error_uri"`
 }
 
 func (e *tokenJSON) expiry() (t time.Time) {
@@ -236,21 +242,29 @@ func doTokenRoundTrip(ctx context.Context, req *http.Request) (*Token, error) {
 	if err != nil {
 		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
 	}
-	if code := r.StatusCode; code < 200 || code > 299 {
-		return nil, &RetrieveError{
-			Response: r,
-			Body:     body,
-		}
+
+	failureStatus := r.StatusCode < 200 || r.StatusCode > 299
+	retrieveError := &RetrieveError{
+		Response: r,
+		Body:     body,
+		// attempt to populate error detail below
 	}
 
 	var token *Token
 	content, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))
 	switch content {
 	case "application/x-www-form-urlencoded", "text/plain":
+		// some endpoints return a query string
 		vals, err := url.ParseQuery(string(body))
 		if err != nil {
-			return nil, err
+			if failureStatus {
+				return nil, retrieveError
+			}
+			return nil, fmt.Errorf("oauth2: cannot parse response: %v", err)
 		}
+		retrieveError.ErrorCode = vals.Get("error")
+		retrieveError.ErrorDescription = vals.Get("error_description")
+		retrieveError.ErrorURI = vals.Get("error_uri")
 		token = &Token{
 			AccessToken:  vals.Get("access_token"),
 			TokenType:    vals.Get("token_type"),
@@ -265,8 +279,14 @@ func doTokenRoundTrip(ctx context.Context, req *http.Request) (*Token, error) {
 	default:
 		var tj tokenJSON
 		if err = json.Unmarshal(body, &tj); err != nil {
-			return nil, err
+			if failureStatus {
+				return nil, retrieveError
+			}
+			return nil, fmt.Errorf("oauth2: cannot parse json: %v", err)
 		}
+		retrieveError.ErrorCode = tj.ErrorCode
+		retrieveError.ErrorDescription = tj.ErrorDescription
+		retrieveError.ErrorURI = tj.ErrorURI
 		token = &Token{
 			AccessToken:  tj.AccessToken,
 			TokenType:    tj.TokenType,
@@ -276,17 +296,37 @@ func doTokenRoundTrip(ctx context.Context, req *http.Request) (*Token, error) {
 		}
 		json.Unmarshal(body, &token.Raw) // no error checks for optional fields
 	}
+	// according to spec, servers should respond status 400 in error case
+	// https://www.rfc-editor.org/rfc/rfc6749#section-5.2
+	// but some unorthodox servers respond 200 in error case
+	if failureStatus || retrieveError.ErrorCode != "" {
+		return nil, retrieveError
+	}
 	if token.AccessToken == "" {
 		return nil, errors.New("oauth2: server response missing access_token")
 	}
 	return token, nil
 }
 
+// mirrors oauth2.RetrieveError
 type RetrieveError struct {
-	Response *http.Response
-	Body     []byte
+	Response         *http.Response
+	Body             []byte
+	ErrorCode        string
+	ErrorDescription string
+	ErrorURI         string
 }
 
 func (r *RetrieveError) Error() string {
+	if r.ErrorCode != "" {
+		s := fmt.Sprintf("oauth2: %q", r.ErrorCode)
+		if r.ErrorDescription != "" {
+			s += fmt.Sprintf(" %q", r.ErrorDescription)
+		}
+		if r.ErrorURI != "" {
+			s += fmt.Sprintf(" %q", r.ErrorURI)
+		}
+		return s
+	}
 	return fmt.Sprintf("oauth2: cannot fetch token: %v\nResponse: %s", r.Response.Status, r.Body)
 }
diff --git a/vendor/golang.org/x/oauth2/token.go b/vendor/golang.org/x/oauth2/token.go
index 7c64006de..5ffce9764 100644
--- a/vendor/golang.org/x/oauth2/token.go
+++ b/vendor/golang.org/x/oauth2/token.go
@@ -175,14 +175,31 @@ func retrieveToken(ctx context.Context, c *Config, v url.Values) (*Token, error)
 }
 
 // RetrieveError is the error returned when the token endpoint returns a
-// non-2XX HTTP status code.
+// non-2XX HTTP status code or populates RFC 6749's 'error' parameter.
+// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
 type RetrieveError struct {
 	Response *http.Response
 	// Body is the body that was consumed by reading Response.Body.
 	// It may be truncated.
 	Body []byte
+	// ErrorCode is RFC 6749's 'error' parameter.
+	ErrorCode string
+	// ErrorDescription is RFC 6749's 'error_description' parameter.
+	ErrorDescription string
+	// ErrorURI is RFC 6749's 'error_uri' parameter.
+	ErrorURI string
 }
 
 func (r *RetrieveError) Error() string {
+	if r.ErrorCode != "" {
+		s := fmt.Sprintf("oauth2: %q", r.ErrorCode)
+		if r.ErrorDescription != "" {
+			s += fmt.Sprintf(" %q", r.ErrorDescription)
+		}
+		if r.ErrorURI != "" {
+			s += fmt.Sprintf(" %q", r.ErrorURI)
+		}
+		return s
+	}
 	return fmt.Sprintf("oauth2: cannot fetch token: %v\nResponse: %s", r.Response.Status, r.Body)
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fbacc01c1..7c03b4b2d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -151,7 +151,7 @@ github.com/davecgh/go-spew/spew
 # github.com/dimchansky/utfbom v1.1.0
 ## explicit
 github.com/dimchansky/utfbom
-# github.com/docker/cli v23.0.5+incompatible
+# github.com/docker/cli v24.0.0+incompatible
 ## explicit
 github.com/docker/cli/cli/config
 github.com/docker/cli/cli/config/configfile
@@ -160,7 +160,7 @@ github.com/docker/cli/cli/config/types
 # github.com/docker/distribution v2.8.2+incompatible
 ## explicit
 github.com/docker/distribution/registry/client/auth/challenge
-# github.com/docker/docker v23.0.5+incompatible
+# github.com/docker/docker v24.0.0+incompatible
 ## explicit
 github.com/docker/docker/pkg/homedir
 # github.com/docker/docker-credential-helpers v0.7.0
@@ -176,7 +176,7 @@ github.com/form3tech-oss/jwt-go
 # github.com/golang/protobuf v1.5.3
 ## explicit; go 1.9
 github.com/golang/protobuf/proto
-# github.com/google/go-containerregistry v0.15.2
+# github.com/google/go-containerregistry v0.16.1
 ## explicit; go 1.18
 github.com/google/go-containerregistry/internal/and
 github.com/google/go-containerregistry/internal/compression
@@ -254,7 +254,7 @@ github.com/pmezard/go-difflib/difflib
 # github.com/rivo/uniseg v0.2.0
 ## explicit; go 1.12
 github.com/rivo/uniseg
-# github.com/sirupsen/logrus v1.9.0
+# github.com/sirupsen/logrus v1.9.1
 ## explicit; go 1.13
 github.com/sirupsen/logrus
 # github.com/spf13/cobra v1.7.0
@@ -285,7 +285,7 @@ golang.org/x/mod/semver
 # golang.org/x/net v0.14.0
 ## explicit; go 1.17
 golang.org/x/net/context
-# golang.org/x/oauth2 v0.7.0
+# golang.org/x/oauth2 v0.8.0
 ## explicit; go 1.17
 golang.org/x/oauth2
 golang.org/x/oauth2/authhandler