
chore: Bump the security group across 1 directory with 3 updates #440

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/security-2f5d6b0a64

dependabot[bot] (Contributor) commented on behalf of github on Jun 8, 2026

Bumps the security group with 3 updates in the / directory: github.com/projectcontour/contour, github.com/vmware-tanzu/velero and go.etcd.io/etcd/client/v3.

Updates github.com/projectcontour/contour from 1.33.4 to 1.33.5

Release notes

Sourced from github.com/projectcontour/contour's releases.

v1.33.5

We are delighted to present version v1.33.5 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

Security fix for GHSA-g3xr-5w5j-w4q4

Fixes a bug where configuring fallback certificate with JWT verification in HTTPProxy allowed requests without TLS SNI or with unrecognized SNI to bypass JWT verification. Contour now rejects this invalid configuration.

Other Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.33.5 is tested against Kubernetes 1.32 through 1.34.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

Commits
  • 2713ad0 Update Contour Docker image to v1.33.5.
  • 4cb1dcb HTTPProxy: reject fallback certificate combined with JWT verification
  • 9b74896 release-1.33: Bump to go 1.25.10 (#7565)
  • 9115d51 release-1.33: bump to golang.org/x/net v0.55.0 (#7561)
  • cd950d0 build(deps): bump the k8s-dependencies group with 4 updates (#7548)
  • d420a7f build(deps): bump the k8s-dependencies group with 4 updates (#7517)
  • afb42aa release-1.33: Bump to go 1.25.9 (#7524)
  • See full diff in compare view

Updates github.com/vmware-tanzu/velero from 1.18.0 to 1.18.1

Release notes

Sourced from github.com/vmware-tanzu/velero's releases.

v1.18.1

Download

https://github.com/vmware-tanzu/velero/releases/tag/v1.18.1

Container Image

velero/velero:v1.18.1

Documentation

https://velero.io/docs/v1.18/

Upgrading

https://velero.io/docs/v1.18/upgrade-to-1.18/

All Changes

v1.18.1-rc.2

v1.18.1

Download

https://github.com/vmware-tanzu/velero/releases/tag/v1.18.1-rc.2

Container Image

velero/velero:v1.18.1-rc.2

Documentation

https://velero.io/docs/v1.18/

Upgrading

... (truncated)

Commits
  • 26ef8fa Modify the E2E version comparison logic. (#9787)
  • bf7666f Merge pull request #9786 from blackpiglet/jxun/1.18/bump_k8s_version_to_0.33.11
  • 47b3192 Bump k8s library versions to v0.33.11
  • 949b020 Merge pull request #9781 from blackpiglet/jxun/1.18/bump_deps
  • 5e3cb1e Bump Velero dependencies to latest version.
  • ce360b4 Use string.Builder to concatenate string in loop.
  • 5de7f61 Enlarge the goreleaser timeout to 60m. (#9777)
  • 383c796 Merge pull request #9774 from blackpiglet/xj014661/1.18/CVE-2026-27141
  • d245d3b Bump golang.net/x/net to 0.51.0 to fix CVE-2026-27141
  • bd42e36 Merge pull request #9766 from blackpiglet/xj014661/1.18/update_windows_docker...
  • Additional commits viewable in compare view

Updates go.etcd.io/etcd/client/v3 from 3.6.11 to 3.6.12

Release notes

Sourced from go.etcd.io/etcd/client/v3's releases.

v3.6.12

Please check out CHANGELOG for a full list of changes. And make sure to read upgrade guide before upgrading etcd (there may be breaking changes).

For installation guides, please check out operating etcd. Latest support status for common architectures and operating systems can be found at supported platforms.

Linux

```bash
ETCD_VER=v3.6.12

# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test

curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1 --no-same-owner
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

/tmp/etcd-download-test/etcd --version
/tmp/etcd-download-test/etcdctl version
/tmp/etcd-download-test/etcdutl version

# start a local etcd server
/tmp/etcd-download-test/etcd

# write to and read from etcd
/tmp/etcd-download-test/etcdctl --endpoints=localhost:2379 put foo bar
/tmp/etcd-download-test/etcdctl --endpoints=localhost:2379 get foo
```

macOS (Darwin)

```bash
ETCD_VER=v3.6.12

# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}

rm -f /tmp/etcd-${ETCD_VER}-darwin-amd64.zip
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test

curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-darwin-amd64.zip -o /tmp/etcd-${ETCD_VER}-darwin-amd64.zip
unzip /tmp/etcd-${ETCD_VER}-darwin-amd64.zip -d /tmp && rm -f /tmp/etcd-${ETCD_VER}-darwin-amd64.zip
# move the binaries into place, then remove the now-empty extraction directory
mv /tmp/etcd-${ETCD_VER}-darwin-amd64/* /tmp/etcd-download-test && rm -rf /tmp/etcd-${ETCD_VER}-darwin-amd64
```

... (truncated)

Commits
  • 90b034a version: bump up to 3.6.12
  • 8b95963 Merge pull request #21811 from Deln0r/release-3.6-backport-21666
  • 576a6a0 server: allow non-admin maintenance status
  • 2286051 Merge pull request #21794 from vivekpatani/cherry-pick-21788-release-3.6
  • e1468c8 client/pkg/fileutil: use os.Getuid() to skip TestIsDirWriteable as root
  • aaf38f8 Merge pull request #21768 from silentred/release-3.6-etcdutl-invalid-datadir
  • 449e34b etcdutl: validate data file path and return consistent errors instead of pani...
  • 00e1b15 Merge pull request #21736 from silentred/release-3.6-bugfix-memberupdate-learner
  • 49cd4a4 bugfix: MemberUpdate implicitly and unexpectedly promotes a learner
  • 9bbe31b Merge pull request #21727 from silentred/release-3.6-bump-go-1.25.10
  • Additional commits viewable in compare view


Bumps the security group with 3 updates in the / directory: [github.com/projectcontour/contour](https://github.com/projectcontour/contour), [github.com/vmware-tanzu/velero](https://github.com/vmware-tanzu/velero) and [go.etcd.io/etcd/client/v3](https://github.com/etcd-io/etcd).


Updates `github.com/projectcontour/contour` from 1.33.4 to 1.33.5
- [Release notes](https://github.com/projectcontour/contour/releases)
- [Changelog](https://github.com/projectcontour/contour/blob/main/RELEASES.md)
- [Commits](projectcontour/contour@v1.33.4...v1.33.5)

Updates `github.com/vmware-tanzu/velero` from 1.18.0 to 1.18.1
- [Release notes](https://github.com/vmware-tanzu/velero/releases)
- [Changelog](https://github.com/velero-io/velero/blob/main/CHANGELOG.md)
- [Commits](velero-io/velero@v1.18.0...v1.18.1)

Updates `go.etcd.io/etcd/client/v3` from 3.6.11 to 3.6.12
- [Release notes](https://github.com/etcd-io/etcd/releases)
- [Commits](etcd-io/etcd@v3.6.11...v3.6.12)

---
updated-dependencies:
- dependency-name: github.com/projectcontour/contour
  dependency-version: 1.33.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security
- dependency-name: github.com/vmware-tanzu/velero
  dependency-version: 1.18.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security
- dependency-name: go.etcd.io/etcd/client/v3
  dependency-version: 3.6.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies, go and type::chore labels on Jun 8, 2026
dependabot[bot] requested a review from a team as a code owner on June 8, 2026 05:03