Merge pull request #4202 from thaJeztah/23.0_backport_docs_daemon_proxy_config

[23.0 backport] docs/reference: update dockerd docs for changes in 23.0
Merge pull request #4196 from thaJeztah/23.0_backport_registry_fix_ResolveAuthConfig_docs
2023-04-13 21:58:12 +02:00 · 2023-04-13 14:20:31 +02:00 · 2023-04-13 13:59:39 +02:00 · 2023-04-13 13:59:39 +02:00 · 2023-04-13 13:59:38 +02:00 · 2023-04-13 13:59:38 +02:00
98 changed files with 1600 additions and 744 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -15,14 +15,35 @@ on:
  pull_request:

 jobs:
+  prepare:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.platforms.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Create matrix
+        id: platforms
+        run: |
+          echo "matrix=$(docker buildx bake cross --print | jq -cr '.target."cross".platforms')" >>${GITHUB_OUTPUT}
+      -
+        name: Show matrix
+        run: |
+          echo ${{ steps.platforms.outputs.matrix }}
+
  build:
    runs-on: ubuntu-20.04
+    needs:
+      - prepare
    strategy:
      fail-fast: false
      matrix:
        target:
-          - cross
-          - dynbinary-cross
+          - binary
+          - dynbinary
+        platform: ${{ fromJson(needs.prepare.outputs.matrix) }}
        use_glibc:
          - ""
          - glibc
@ -36,22 +57,22 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
-        name: Run ${{ matrix.target }}
+        name: Build
        uses: docker/bake-action@v2
        with:
          targets: ${{ matrix.target }}
+          set: |
+            *.platform=${{ matrix.platform }}
        env:
          USE_GLIBC: ${{ matrix.use_glibc }}
      -
-        name: Flatten artifacts
+        name: Create tarball
        working-directory: ./build
        run: |
-          for dir in */; do
-            base=$(basename "$dir")
-            echo "Creating ${base}.tar.gz ..."
-            tar -cvzf "${base}.tar.gz" "$dir"
-            rm -rf "$dir"
-          done
+          mkdir /tmp/out
+          platform=${{ matrix.platform }}
+          platformPair=${platform//\//-}
+          tar -cvzf "/tmp/out/docker-${platformPair}.tar.gz" .
          if [ -z "${{ matrix.use_glibc }}" ]; then
            echo "ARTIFACT_NAME=${{ matrix.target }}" >> $GITHUB_ENV
          else
@ -62,11 +83,35 @@ jobs:
        uses: actions/upload-artifact@v3
        with:
          name: ${{ env.ARTIFACT_NAME }}
-          path: ./build/*
+          path: /tmp/out/*
          if-no-files-found: error

+  prepare-plugins:
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.platforms.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Create matrix
+        id: platforms
+        run: |
+          echo "matrix=$(docker buildx bake plugins-cross --print | jq -cr '.target."plugins-cross".platforms')" >>${GITHUB_OUTPUT}
+      -
+        name: Show matrix
+        run: |
+          echo ${{ steps.platforms.outputs.matrix }}
+
  plugins:
    runs-on: ubuntu-20.04
+    needs:
+      - prepare-plugins
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: ${{ fromJson(needs.prepare-plugins.outputs.matrix) }}
    steps:
      -
        name: Checkout
@ -75,7 +120,9 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
-        name: Build plugins
+        name: Build
        uses: docker/bake-action@v2
        with:
          targets: plugins-cross
+          set: |
+            *.platform=${{ matrix.platform }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -63,7 +63,7 @@ jobs:
        name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version: 1.19.4
+          go-version: 1.19.8
      -
        name: Test
        run: |
--- a/4
+++ b/4
@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:1

 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.19.5
+ARG GO_VERSION=1.19.8
 ARG ALPINE_VERSION=3.16
 ARG XX_VERSION=1.1.1
 ARG GOVERSIONINFO_VERSION=v1.3.0
 ARG GOTESTSUM_VERSION=v1.8.2
-ARG BUILDX_VERSION=0.9.1
+ARG BUILDX_VERSION=0.10.4

 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx

--- a/cli-plugins/manager/candidate_test.go
+++ b/cli-plugins/manager/candidate_test.go
@ -74,7 +74,7 @@ func TestValidateCandidate(t *testing.T) {
 		{name: "experimental + allowing experimental", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: metaExperimental}},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			p, err := newPlugin(tc.c, fakeroot)
+			p, err := newPlugin(tc.c, fakeroot.Commands())
 			if tc.err != "" {
 				assert.ErrorContains(t, err, tc.err)
 			} else if tc.invalid != "" {
--- a/cli-plugins/manager/cobra.go
+++ b/cli-plugins/manager/cobra.go
@ -3,6 +3,7 @@ package manager
 import (
 	"fmt"
 	"os"
+	"sync"

 	"github.com/docker/cli/cli/command"
 	"github.com/spf13/cobra"
@ -31,64 +32,69 @@ const (
 	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
 )

+var pluginCommandStubsOnce sync.Once
+
 // AddPluginCommandStubs adds a stub cobra.Commands for each valid and invalid
 // plugin. The command stubs will have several annotations added, see
 // `CommandAnnotationPlugin*`.
-func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) error {
-	plugins, err := ListPlugins(dockerCli, rootCmd)
-	if err != nil {
-		return err
-	}
-	for _, p := range plugins {
-		p := p
-		vendor := p.Vendor
-		if vendor == "" {
-			vendor = "unknown"
+func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err error) {
+	pluginCommandStubsOnce.Do(func() {
+		var plugins []Plugin
+		plugins, err = ListPlugins(dockerCli, rootCmd)
+		if err != nil {
+			return
 		}
-		annotations := map[string]string{
-			CommandAnnotationPlugin:        "true",
-			CommandAnnotationPluginVendor:  vendor,
-			CommandAnnotationPluginVersion: p.Version,
-		}
-		if p.Err != nil {
-			annotations[CommandAnnotationPluginInvalid] = p.Err.Error()
-		}
-		rootCmd.AddCommand(&cobra.Command{
-			Use:                p.Name,
-			Short:              p.ShortDescription,
-			Run:                func(_ *cobra.Command, _ []string) {},
-			Annotations:        annotations,
-			DisableFlagParsing: true,
-			RunE: func(cmd *cobra.Command, args []string) error {
-				flags := rootCmd.PersistentFlags()
-				flags.SetOutput(nil)
-				err := flags.Parse(args)
-				if err != nil {
-					return err
-				}
-				if flags.Changed("help") {
-					cmd.HelpFunc()(rootCmd, args)
-					return nil
-				}
-				return fmt.Errorf("docker: '%s' is not a docker command.\nSee 'docker --help'", cmd.Name())
-			},
-			ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-				// Delegate completion to plugin
-				cargs := []string{p.Path, cobra.ShellCompRequestCmd, p.Name}
-				cargs = append(cargs, args...)
-				cargs = append(cargs, toComplete)
-				os.Args = cargs
-				runCommand, err := PluginRunCommand(dockerCli, p.Name, cmd)
-				if err != nil {
+		for _, p := range plugins {
+			p := p
+			vendor := p.Vendor
+			if vendor == "" {
+				vendor = "unknown"
+			}
+			annotations := map[string]string{
+				CommandAnnotationPlugin:        "true",
+				CommandAnnotationPluginVendor:  vendor,
+				CommandAnnotationPluginVersion: p.Version,
+			}
+			if p.Err != nil {
+				annotations[CommandAnnotationPluginInvalid] = p.Err.Error()
+			}
+			rootCmd.AddCommand(&cobra.Command{
+				Use:                p.Name,
+				Short:              p.ShortDescription,
+				Run:                func(_ *cobra.Command, _ []string) {},
+				Annotations:        annotations,
+				DisableFlagParsing: true,
+				RunE: func(cmd *cobra.Command, args []string) error {
+					flags := rootCmd.PersistentFlags()
+					flags.SetOutput(nil)
+					perr := flags.Parse(args)
+					if perr != nil {
+						return err
+					}
+					if flags.Changed("help") {
+						cmd.HelpFunc()(rootCmd, args)
+						return nil
+					}
+					return fmt.Errorf("docker: '%s' is not a docker command.\nSee 'docker --help'", cmd.Name())
+				},
+				ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+					// Delegate completion to plugin
+					cargs := []string{p.Path, cobra.ShellCompRequestCmd, p.Name}
+					cargs = append(cargs, args...)
+					cargs = append(cargs, toComplete)
+					os.Args = cargs
+					runCommand, runErr := PluginRunCommand(dockerCli, p.Name, cmd)
+					if runErr != nil {
+						return nil, cobra.ShellCompDirectiveError
+					}
+					runErr = runCommand.Run()
+					if runErr == nil {
+						os.Exit(0) // plugin already rendered complete data
+					}
 					return nil, cobra.ShellCompDirectiveError
-				}
-				err = runCommand.Run()
-				if err == nil {
-					os.Exit(0) // plugin already rendered complete data
-				}
-				return nil, cobra.ShellCompDirectiveError
-			},
-		})
-	}
-	return nil
+				},
+			})
+		}
+	})
+	return err
 }
--- a/cli-plugins/manager/manager.go
+++ b/cli-plugins/manager/manager.go
@ -1,15 +1,18 @@
 package manager

 import (
+	"context"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
+	"sync"

 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
 	"github.com/fvbommel/sortorder"
 	"github.com/spf13/cobra"
+	"golang.org/x/sync/errgroup"
 	exec "golang.org/x/sys/execabs"
 )

@ -120,7 +123,7 @@ func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plu
 			return nil, errPluginNotFound(name)
 		}
 		c := &candidate{paths[0]}
-		p, err := newPlugin(c, rootcmd)
+		p, err := newPlugin(c, rootcmd.Commands())
 		if err != nil {
 			return nil, err
 		}
@ -146,19 +149,32 @@ func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error
 	}

 	var plugins []Plugin
+	var mu sync.Mutex
+	eg, _ := errgroup.WithContext(context.TODO())
+	cmds := rootcmd.Commands()
 	for _, paths := range candidates {
-		if len(paths) == 0 {
-			continue
-		}
-		c := &candidate{paths[0]}
-		p, err := newPlugin(c, rootcmd)
-		if err != nil {
-			return nil, err
-		}
-		if !IsNotFound(p.Err) {
-			p.ShadowedPaths = paths[1:]
-			plugins = append(plugins, p)
-		}
+		func(paths []string) {
+			eg.Go(func() error {
+				if len(paths) == 0 {
+					return nil
+				}
+				c := &candidate{paths[0]}
+				p, err := newPlugin(c, cmds)
+				if err != nil {
+					return err
+				}
+				if !IsNotFound(p.Err) {
+					p.ShadowedPaths = paths[1:]
+					mu.Lock()
+					defer mu.Unlock()
+					plugins = append(plugins, p)
+				}
+				return nil
+			})
+		}(paths)
+	}
+	if err := eg.Wait(); err != nil {
+		return nil, err
 	}

 	sort.Slice(plugins, func(i, j int) bool {
@ -199,7 +215,7 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 		}

 		c := &candidate{path: path}
-		plugin, err := newPlugin(c, rootcmd)
+		plugin, err := newPlugin(c, rootcmd.Commands())
 		if err != nil {
 			return nil, err
 		}
--- a/cli-plugins/manager/plugin.go
+++ b/cli-plugins/manager/plugin.go
@ -31,7 +31,7 @@ type Plugin struct {
 // is set, and is always a `pluginError`, but the `Plugin` is still
 // returned with no error. An error is only returned due to a
 // non-recoverable error.
-func newPlugin(c Candidate, rootcmd *cobra.Command) (Plugin, error) {
+func newPlugin(c Candidate, cmds []*cobra.Command) (Plugin, error) {
 	path := c.Path()
 	if path == "" {
 		return Plugin{}, errors.New("plugin candidate path cannot be empty")
@ -62,22 +62,20 @@ func newPlugin(c Candidate, rootcmd *cobra.Command) (Plugin, error) {
 		return p, nil
 	}

-	if rootcmd != nil {
-		for _, cmd := range rootcmd.Commands() {
-			// Ignore conflicts with commands which are
-			// just plugin stubs (i.e. from a previous
-			// call to AddPluginCommandStubs).
-			if IsPluginCommand(cmd) {
-				continue
-			}
-			if cmd.Name() == p.Name {
-				p.Err = NewPluginError("plugin %q duplicates builtin command", p.Name)
-				return p, nil
-			}
-			if cmd.HasAlias(p.Name) {
-				p.Err = NewPluginError("plugin %q duplicates an alias of builtin command %q", p.Name, cmd.Name())
-				return p, nil
-			}
+	for _, cmd := range cmds {
+		// Ignore conflicts with commands which are
+		// just plugin stubs (i.e. from a previous
+		// call to AddPluginCommandStubs).
+		if IsPluginCommand(cmd) {
+			continue
+		}
+		if cmd.Name() == p.Name {
+			p.Err = NewPluginError("plugin %q duplicates builtin command", p.Name)
+			return p, nil
+		}
+		if cmd.HasAlias(p.Name) {
+			p.Err = NewPluginError("plugin %q duplicates an alias of builtin command %q", p.Name, cmd.Name())
+			return p, nil
 		}
 	}

--- a/cli/cobra.go
+++ b/cli/cobra.go
@ -204,6 +204,16 @@ func DisableFlagsInUseLine(cmd *cobra.Command) {
 	})
 }

+// HasCompletionArg returns true if a cobra completion arg request is found.
+func HasCompletionArg(args []string) bool {
+	for _, arg := range args {
+		if arg == cobra.ShellCompRequestCmd || arg == cobra.ShellCompNoDescRequestCmd {
+			return true
+		}
+	}
+	return false
+}
+
 var helpCommand = &cobra.Command{
 	Use:               "help [command]",
 	Short:             "Help about the command",
--- a/cli/command/container/cp.go
+++ b/cli/command/container/cp.go
@ -1,15 +1,20 @@
 package container

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"io"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"strings"
+	"sync/atomic"
+	"time"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/streams"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/system"
@ -48,26 +53,73 @@ type cpConfig struct {
 // copying files to/from a container.
 type copyProgressPrinter struct {
 	io.ReadCloser
-	toContainer bool
-	total       *float64
-	writer      io.Writer
+	total *int64
 }

+const (
+	copyToContainerHeader       = "Copying to container - "
+	copyFromContainerHeader     = "Copying from container - "
+	copyProgressUpdateThreshold = 75 * time.Millisecond
+)
+
 func (pt *copyProgressPrinter) Read(p []byte) (int, error) {
 	n, err := pt.ReadCloser.Read(p)
-	*pt.total += float64(n)
+	atomic.AddInt64(pt.total, int64(n))
+	return n, err
+}

-	if err == nil {
-		fmt.Fprint(pt.writer, aec.Restore)
-		fmt.Fprint(pt.writer, aec.EraseLine(aec.EraseModes.All))
-		if pt.toContainer {
-			fmt.Fprintln(pt.writer, "Copying to container - "+units.HumanSize(*pt.total))
-		} else {
-			fmt.Fprintln(pt.writer, "Copying from container - "+units.HumanSize(*pt.total))
-		}
+func copyProgress(ctx context.Context, dst io.Writer, header string, total *int64) (func(), <-chan struct{}) {
+	done := make(chan struct{})
+	if !streams.NewOut(dst).IsTerminal() {
+		close(done)
+		return func() {}, done
 	}

-	return n, err
+	fmt.Fprint(dst, aec.Save)
+	fmt.Fprint(dst, "Preparing to copy...")
+
+	restore := func() {
+		fmt.Fprint(dst, aec.Restore)
+		fmt.Fprint(dst, aec.EraseLine(aec.EraseModes.All))
+	}
+
+	go func() {
+		defer close(done)
+		fmt.Fprint(dst, aec.Hide)
+		defer fmt.Fprint(dst, aec.Show)
+
+		fmt.Fprint(dst, aec.Restore)
+		fmt.Fprint(dst, aec.EraseLine(aec.EraseModes.All))
+		fmt.Fprint(dst, header)
+
+		var last int64
+		fmt.Fprint(dst, progressHumanSize(last))
+
+		buf := bytes.NewBuffer(nil)
+		ticker := time.NewTicker(copyProgressUpdateThreshold)
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				n := atomic.LoadInt64(total)
+				if n == last {
+					// Don't write to the terminal, if we don't need to.
+					continue
+				}
+
+				// Write to the buffer first to avoid flickering and context switching
+				fmt.Fprint(buf, aec.Column(uint(len(header)+1)))
+				fmt.Fprint(buf, aec.EraseLine(aec.EraseModes.Tail))
+				fmt.Fprint(buf, progressHumanSize(n))
+
+				buf.WriteTo(dst)
+				buf.Reset()
+				last += n
+			}
+		}
+	}()
+	return restore, done
 }

 // NewCopyCommand creates a new `docker cp` command
@ -113,6 +165,10 @@ func NewCopyCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }

+func progressHumanSize(n int64) string {
+	return units.HumanSizeWithPrecision(float64(n), 3)
+}
+
 func runCopy(dockerCli command.Cli, opts copyOptions) error {
 	srcContainer, srcPath := splitCpArg(opts.source)
 	destContainer, destPath := splitCpArg(opts.destination)
@ -193,6 +249,9 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp

 	}

+	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
+	defer cancel()
+
 	content, stat, err := client.CopyFromContainer(ctx, copyConfig.container, srcPath)
 	if err != nil {
 		return err
@ -211,13 +270,11 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 		RebaseName: rebaseName,
 	}

-	var copiedSize float64
+	var copiedSize int64
 	if !copyConfig.quiet {
 		content = &copyProgressPrinter{
-			ReadCloser:  content,
-			toContainer: false,
-			writer:      dockerCli.Err(),
-			total:       &copiedSize,
+			ReadCloser: content,
+			total:      &copiedSize,
 		}
 	}

@ -231,12 +288,12 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 		return archive.CopyTo(preArchive, srcInfo, dstPath)
 	}

-	fmt.Fprint(dockerCli.Err(), aec.Save)
-	fmt.Fprintln(dockerCli.Err(), "Preparing to copy...")
+	restore, done := copyProgress(ctx, dockerCli.Err(), copyFromContainerHeader, &copiedSize)
 	res := archive.CopyTo(preArchive, srcInfo, dstPath)
-	fmt.Fprint(dockerCli.Err(), aec.Restore)
-	fmt.Fprint(dockerCli.Err(), aec.EraseLine(aec.EraseModes.All))
-	fmt.Fprintln(dockerCli.Err(), "Successfully copied", units.HumanSize(copiedSize), "to", dstPath)
+	cancel()
+	<-done
+	restore()
+	fmt.Fprintln(dockerCli.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", dstPath)

 	return res
 }
@ -293,7 +350,7 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 	var (
 		content         io.ReadCloser
 		resolvedDstPath string
-		copiedSize      float64
+		copiedSize      int64
 	)

 	if srcPath == "-" {
@ -337,10 +394,8 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 		content = preparedArchive
 		if !copyConfig.quiet {
 			content = &copyProgressPrinter{
-				ReadCloser:  content,
-				toContainer: true,
-				writer:      dockerCli.Err(),
-				total:       &copiedSize,
+				ReadCloser: content,
+				total:      &copiedSize,
 			}
 		}
 	}
@ -354,12 +409,13 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 		return client.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
 	}

-	fmt.Fprint(dockerCli.Err(), aec.Save)
-	fmt.Fprintln(dockerCli.Err(), "Preparing to copy...")
+	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
+	restore, done := copyProgress(ctx, dockerCli.Err(), copyToContainerHeader, &copiedSize)
 	res := client.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
-	fmt.Fprint(dockerCli.Err(), aec.Restore)
-	fmt.Fprint(dockerCli.Err(), aec.EraseLine(aec.EraseModes.All))
-	fmt.Fprintln(dockerCli.Err(), "Successfully copied", units.HumanSize(copiedSize), "to", copyConfig.container+":"+dstInfo.Path)
+	cancel()
+	<-done
+	restore()
+	fmt.Fprintln(dockerCli.Err(), "Successfully copied", progressHumanSize(copiedSize), "to", copyConfig.container+":"+dstInfo.Path)

 	return res
 }
--- a/cli/command/container/list.go
+++ b/cli/command/container/list.go
@ -17,14 +17,15 @@ import (
 )

 type psOptions struct {
-	quiet   bool
-	size    bool
-	all     bool
-	noTrunc bool
-	nLatest bool
-	last    int
-	format  string
-	filter  opts.FilterOpt
+	quiet       bool
+	size        bool
+	sizeChanged bool
+	all         bool
+	noTrunc     bool
+	nLatest     bool
+	last        int
+	format      string
+	filter      opts.FilterOpt
 }

 // NewPsCommand creates a new cobra.Command for `docker ps`
@ -36,6 +37,7 @@ func NewPsCommand(dockerCli command.Cli) *cobra.Command {
 		Short: "List containers",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			options.sizeChanged = cmd.Flags().Changed("size")
 			return runPs(dockerCli, &options)
 		},
 		Annotations: map[string]string{
@ -78,13 +80,8 @@ func buildContainerListOptions(opts *psOptions) (*types.ContainerListOptions, er
 		options.Limit = 1
 	}

-	if !opts.quiet && !options.Size && len(opts.format) > 0 {
-		// The --size option isn't set, but .Size may be used in the template.
-		// Parse and execute the given template to detect if the .Size field is
-		// used. If it is, then automatically enable the --size option. See #24696
-		//
-		// Only requesting container size information when needed is an optimization,
-		// because calculating the size is a costly operation.
+	// always validate template when `--format` is used, for consistency
+	if len(opts.format) > 0 {
 		tmpl, err := templates.NewParse("", opts.format)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to parse template")
@ -98,8 +95,19 @@ func buildContainerListOptions(opts *psOptions) (*types.ContainerListOptions, er
 			return nil, errors.Wrap(err, "failed to execute template")
 		}

-		if _, ok := optionsProcessor.FieldsUsed["Size"]; ok {
-			options.Size = true
+		// if `size` was not explicitly set to false (with `--size=false`)
+		// and `--quiet` is not set, request size if the template requires it
+		if !opts.quiet && !options.Size && !opts.sizeChanged {
+			// The --size option isn't set, but .Size may be used in the template.
+			// Parse and execute the given template to detect if the .Size field is
+			// used. If it is, then automatically enable the --size option. See #24696
+			//
+			// Only requesting container size information when needed is an optimization,
+			// because calculating the size is a costly operation.
+
+			if _, ok := optionsProcessor.FieldsUsed["Size"]; ok {
+				options.Size = true
+			}
 		}
 	}

--- a/cli/command/container/list_test.go
+++ b/cli/command/container/list_test.go
@ -231,15 +231,56 @@ func TestContainerListFormatTemplateWithArg(t *testing.T) {
 }

 func TestContainerListFormatSizeSetsOption(t *testing.T) {
-	cli := test.NewFakeCli(&fakeClient{
-		containerListFunc: func(options types.ContainerListOptions) ([]types.Container, error) {
-			assert.Check(t, options.Size)
-			return []types.Container{}, nil
+	tests := []struct {
+		doc, format, sizeFlag string
+		sizeExpected          bool
+	}{
+		{
+			doc:          "detect with all fields",
+			format:       `{{json .}}`,
+			sizeExpected: true,
 		},
-	})
-	cmd := newListCommand(cli)
-	cmd.Flags().Set("format", `{{.Size}}`)
-	assert.NilError(t, cmd.Execute())
+		{
+			doc:          "detect with explicit field",
+			format:       `{{.Size}}`,
+			sizeExpected: true,
+		},
+		{
+			doc:          "detect no size",
+			format:       `{{.Names}}`,
+			sizeExpected: false,
+		},
+		{
+			doc:          "override enable",
+			format:       `{{.Names}}`,
+			sizeFlag:     "true",
+			sizeExpected: true,
+		},
+		{
+			doc:          "override disable",
+			format:       `{{.Size}}`,
+			sizeFlag:     "false",
+			sizeExpected: false,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.doc, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{
+				containerListFunc: func(options types.ContainerListOptions) ([]types.Container, error) {
+					assert.Check(t, is.Equal(options.Size, tc.sizeExpected))
+					return []types.Container{}, nil
+				},
+			})
+			cmd := newListCommand(cli)
+			cmd.Flags().Set("format", tc.format)
+			if tc.sizeFlag != "" {
+				cmd.Flags().Set("size", tc.sizeFlag)
+			}
+			assert.NilError(t, cmd.Execute())
+		})
+	}
 }

 func TestContainerListWithConfigFormat(t *testing.T) {
--- a/cli/command/formatter/image.go
+++ b/cli/command/formatter/image.go
@ -27,6 +27,9 @@ type ImageContext struct {
 }

 func isDangling(image types.ImageSummary) bool {
+	if len(image.RepoTags) == 0 && len(image.RepoDigests) == 0 {
+		return true
+	}
 	return len(image.RepoTags) == 1 && image.RepoTags[0] == "<none>:<none>" && len(image.RepoDigests) == 1 && image.RepoDigests[0] == "<none>@<none>"
 }

--- a/cli/command/image/client_test.go
+++ b/cli/command/image/client_test.go
@ -91,7 +91,7 @@ func (cli *fakeClient) ImageList(ctx context.Context, options types.ImageListOpt
 	if cli.imageListFunc != nil {
 		return cli.imageListFunc(options)
 	}
-	return []types.ImageSummary{{}}, nil
+	return []types.ImageSummary{}, nil
 }

 func (cli *fakeClient) ImageInspectWithRaw(_ context.Context, image string) (types.ImageInspect, []byte, error) {
--- a/cli/command/image/list_test.go
+++ b/cli/command/image/list_test.go
@ -30,7 +30,7 @@ func TestNewImagesCommandErrors(t *testing.T) {
 			name:          "failed-list",
 			expectedError: "something went wrong",
 			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
-				return []types.ImageSummary{{}}, errors.Errorf("something went wrong")
+				return []types.ImageSummary{}, errors.Errorf("something went wrong")
 			},
 		},
 	}
@ -66,7 +66,7 @@ func TestNewImagesCommandSuccess(t *testing.T) {
 			args: []string{"image"},
 			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
 				assert.Check(t, is.Equal("image", options.Filters.Get("reference")[0]))
-				return []types.ImageSummary{{}}, nil
+				return []types.ImageSummary{}, nil
 			},
 		},
 		{
@ -74,7 +74,7 @@ func TestNewImagesCommandSuccess(t *testing.T) {
 			args: []string{"--filter", "name=value"},
 			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
 				assert.Check(t, is.Equal("value", options.Filters.Get("name")[0]))
-				return []types.ImageSummary{{}}, nil
+				return []types.ImageSummary{}, nil
 			},
 		},
 	}
--- a/cli/command/registry.go
+++ b/cli/command/registry.go
@ -21,8 +21,9 @@ import (
 	"github.com/pkg/errors"
 )

-// ElectAuthServer returns the default registry to use
-// Deprecated: use registry.IndexServer instead
+// ElectAuthServer returns the default registry to use.
+//
+// Deprecated: use [registry.IndexServer] instead.
 func ElectAuthServer(_ context.Context, _ Cli) string {
 	return registry.IndexServer
 }
@ -55,9 +56,12 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
 	}
 }

-// ResolveAuthConfig is like registry.ResolveAuthConfig, but if using the
-// default index, it uses the default index name for the daemon's platform,
-// not the client's platform.
+// ResolveAuthConfig returns auth-config for the given registry from the
+// credential-store. It returns an empty AuthConfig if no credentials were
+// found.
+//
+// It is similar to [registry.ResolveAuthConfig], but uses the credentials-
+// store, instead of looking up credentials from a map.
 func ResolveAuthConfig(_ context.Context, cli Cli, index *registrytypes.IndexInfo) types.AuthConfig {
 	configKey := index.Name
 	if index.Official {
--- a/cli/command/registry_test.go
+++ b/cli/command/registry_test.go
@ -6,16 +6,13 @@ import (
 	"fmt"
 	"testing"

-	"gotest.tools/v3/assert"
-	is "gotest.tools/v3/assert/cmp"
-
-	// Prevents a circular import with "github.com/docker/cli/internal/test"
-
-	. "github.com/docker/cli/cli/command"
+	. "github.com/docker/cli/cli/command" // Prevents a circular import with "github.com/docker/cli/internal/test"
 	configtypes "github.com/docker/cli/cli/config/types"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )

 type fakeClient struct {
--- a/cli/command/stack/loader/loader.go
+++ b/cli/command/stack/loader/loader.go
@ -5,6 +5,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"runtime"
 	"sort"
 	"strings"

@ -104,9 +105,22 @@ func GetConfigDetails(composefiles []string, stdin io.Reader) (composetypes.Conf
 func buildEnvironment(env []string) (map[string]string, error) {
 	result := make(map[string]string, len(env))
 	for _, s := range env {
+		if runtime.GOOS == "windows" && len(s) > 0 {
+			// cmd.exe can have special environment variables which names start with "=".
+			// They are only there for MS-DOS compatibility and we should ignore them.
+			// See TestBuildEnvironment for examples.
+			//
+			// https://ss64.com/nt/syntax-variables.html
+			// https://devblogs.microsoft.com/oldnewthing/20100506-00/?p=14133
+			// https://github.com/docker/cli/issues/4078
+			if s[0] == '=' {
+				continue
+			}
+		}
+
 		k, v, ok := strings.Cut(s, "=")
 		if !ok || k == "" {
-			return result, errors.Errorf("unexpected environment %q", s)
+			return result, errors.Errorf("unexpected environment variable '%s'", s)
 		}
 		// value may be set, but empty if "s" is like "K=", not "K".
 		result[k] = v
--- a/cli/command/stack/loader/loader_test.go
+++ b/cli/command/stack/loader/loader_test.go
@ -3,6 +3,7 @@ package loader
 import (
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"

@ -45,3 +46,34 @@ services:
 	assert.Check(t, is.Equal("3.0", details.ConfigFiles[0].Config["version"]))
 	assert.Check(t, is.Len(details.Environment, len(os.Environ())))
 }
+
+func TestBuildEnvironment(t *testing.T) {
+	inputEnv := []string{
+		"LEGIT_VAR=LEGIT_VALUE",
+		"EMPTY_VARIABLE=",
+	}
+
+	if runtime.GOOS == "windows" {
+		inputEnv = []string{
+			"LEGIT_VAR=LEGIT_VALUE",
+
+			// cmd.exe has some special environment variables which start with "=".
+			// These should be ignored as they're only there for MS-DOS compatibility.
+			"=ExitCode=00000041",
+			"=ExitCodeAscii=A",
+			`=C:=C:\some\dir`,
+			`=D:=D:\some\different\dir`,
+			`=X:=X:\`,
+			`=::=::\`,
+
+			"EMPTY_VARIABLE=",
+		}
+	}
+
+	env, err := buildEnvironment(inputEnv)
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Len(env, 2))
+	assert.Check(t, is.Equal("LEGIT_VALUE", env["LEGIT_VAR"]))
+	assert.Check(t, is.Equal("", env["EMPTY_VARIABLE"]))
+}
--- a/cli/command/streams.go
+++ b/cli/command/streams.go
@ -1,23 +1,32 @@
 package command

 import (
+	"io"
+
 	"github.com/docker/cli/cli/streams"
 )

 // InStream is an input stream used by the DockerCli to read user input
-// Deprecated: Use github.com/docker/cli/cli/streams.In instead
+//
+// Deprecated: Use [streams.In] instead.
 type InStream = streams.In

 // OutStream is an output stream used by the DockerCli to write normal program
 // output.
-// Deprecated: Use github.com/docker/cli/cli/streams.Out instead
+//
+// Deprecated: Use [streams.Out] instead.
 type OutStream = streams.Out

-var (
-	// NewInStream returns a new InStream object from a ReadCloser
-	// Deprecated: Use github.com/docker/cli/cli/streams.NewIn instead
-	NewInStream = streams.NewIn
-	// NewOutStream returns a new OutStream object from a Writer
-	// Deprecated: Use github.com/docker/cli/cli/streams.NewOut instead
-	NewOutStream = streams.NewOut
-)
+// NewInStream returns a new [streams.In] from an [io.ReadCloser].
+//
+// Deprecated: Use [streams.NewIn] instead.
+func NewInStream(in io.ReadCloser) *streams.In {
+	return streams.NewIn(in)
+}
+
+// NewOutStream returns a new [streams.Out] from an [io.Writer].
+//
+// Deprecated: Use [streams.NewOut] instead.
+func NewOutStream(out io.Writer) *streams.Out {
+	return streams.NewOut(out)
+}
--- a/cli/context/store/metadatastore.go
+++ b/cli/context/store/metadatastore.go
@ -2,12 +2,14 @@ package store

 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"path/filepath"
 	"reflect"
 	"sort"

 	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
 	"github.com/fvbommel/sortorder"
 	"github.com/pkg/errors"
 )
@ -35,7 +37,7 @@ func (s *metadataStore) createOrUpdate(meta Metadata) error {
 	if err != nil {
 		return err
 	}
-	return os.WriteFile(filepath.Join(contextDir, metaFile), bytes, 0o644)
+	return ioutils.AtomicWriteFile(filepath.Join(contextDir, metaFile), bytes, 0o644)
 }

 func parseTypedOrMap(payload []byte, getter TypeGetter) (interface{}, error) {
@ -65,7 +67,8 @@ func (s *metadataStore) get(name string) (Metadata, error) {
 }

 func (s *metadataStore) getByID(id contextdir) (Metadata, error) {
-	bytes, err := os.ReadFile(filepath.Join(s.contextDir(id), metaFile))
+	fileName := filepath.Join(s.contextDir(id), metaFile)
+	bytes, err := os.ReadFile(fileName)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return Metadata{}, errdefs.NotFound(errors.Wrap(err, "context not found"))
@ -77,15 +80,15 @@ func (s *metadataStore) getByID(id contextdir) (Metadata, error) {
 		Endpoints: make(map[string]interface{}),
 	}
 	if err := json.Unmarshal(bytes, &untyped); err != nil {
-		return Metadata{}, err
+		return Metadata{}, fmt.Errorf("parsing %s: %v", fileName, err)
 	}
 	r.Name = untyped.Name
 	if r.Metadata, err = parseTypedOrMap(untyped.Metadata, s.config.contextType); err != nil {
-		return Metadata{}, err
+		return Metadata{}, fmt.Errorf("parsing %s: %v", fileName, err)
 	}
 	for k, v := range untyped.Endpoints {
 		if r.Endpoints[k], err = parseTypedOrMap(v, s.config.endpointTypes[k]); err != nil {
-			return Metadata{}, err
+			return Metadata{}, fmt.Errorf("parsing %s: %v", fileName, err)
 		}
 	}
 	return r, err
--- a/cli/context/store/store_test.go
+++ b/cli/context/store/store_test.go
@ -7,9 +7,11 @@ import (
 	"bytes"
 	"crypto/rand"
 	"encoding/json"
+	"fmt"
 	"io"
 	"os"
 	"path"
+	"path/filepath"
 	"testing"

 	"github.com/docker/docker/errdefs"
@ -230,3 +232,28 @@ func TestImportZipInvalid(t *testing.T) {
 	err = Import("zipInvalid", s, r)
 	assert.ErrorContains(t, err, "unexpected context file")
 }
+
+func TestCorruptMetadata(t *testing.T) {
+	tempDir := t.TempDir()
+	s := New(tempDir, testCfg)
+	err := s.CreateOrUpdate(
+		Metadata{
+			Endpoints: map[string]interface{}{
+				"ep1": endpoint{Foo: "bar"},
+			},
+			Metadata: context{Bar: "baz"},
+			Name:     "source",
+		})
+	assert.NilError(t, err)
+
+	// Simulate the meta.json file getting corrupted
+	// by some external process.
+	contextDir := s.meta.contextDir(contextdirOf("source"))
+	contextFile := filepath.Join(contextDir, metaFile)
+	err = os.WriteFile(contextFile, nil, 0o600)
+	assert.NilError(t, err)
+
+	// Assert that the error message gives the user some clue where to look.
+	_, err = s.GetMetadata("source")
+	assert.ErrorContains(t, err, fmt.Sprintf("parsing %s: unexpected end of JSON input", contextFile))
+}
--- a/cli/context/store/tlsstore.go
+++ b/cli/context/store/tlsstore.go
@ -5,6 +5,7 @@ import (
 	"path/filepath"

 	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
 	"github.com/pkg/errors"
 )

@ -31,7 +32,7 @@ func (s *tlsStore) createOrUpdate(name, endpointName, filename string, data []by
 	if err := os.MkdirAll(endpointDir, 0o700); err != nil {
 		return err
 	}
-	return os.WriteFile(filepath.Join(endpointDir, filename), data, 0o600)
+	return ioutils.AtomicWriteFile(filepath.Join(endpointDir, filename), data, 0o600)
 }

 func (s *tlsStore) getData(name, endpointName, filename string) ([]byte, error) {
--- a/cmd/docker/docker.go
+++ b/cmd/docker/docker.go
@ -133,13 +133,20 @@ func tryRunPluginHelp(dockerCli command.Cli, ccmd *cobra.Command, cargs []string
 func setHelpFunc(dockerCli command.Cli, cmd *cobra.Command) {
 	defaultHelpFunc := cmd.HelpFunc()
 	cmd.SetHelpFunc(func(ccmd *cobra.Command, args []string) {
-		if pluginmanager.IsPluginCommand(ccmd) {
+		if err := pluginmanager.AddPluginCommandStubs(dockerCli, ccmd.Root()); err != nil {
+			ccmd.Println(err)
+			return
+		}
+
+		if len(args) >= 1 {
 			err := tryRunPluginHelp(dockerCli, ccmd, args)
+			if err == nil {
+				return
+			}
 			if !pluginmanager.IsNotFound(err) {
 				ccmd.Println(err)
+				return
 			}
-			cmd.PrintErrf("unknown help topic: %v\n", ccmd.Name())
-			return
 		}

 		if err := isSupported(ccmd, dockerCli); err != nil {
@ -227,9 +234,14 @@ func runDocker(dockerCli *command.DockerCli) error {
 		return err
 	}

-	err = pluginmanager.AddPluginCommandStubs(dockerCli, cmd)
-	if err != nil {
-		return err
+	if cli.HasCompletionArg(args) {
+		// We add plugin command stubs early only for completion. We don't
+		// want to add them for normal command execution as it would cause
+		// a significant performance hit.
+		err = pluginmanager.AddPluginCommandStubs(dockerCli, cmd)
+		if err != nil {
+			return err
+		}
 	}

 	if len(args) > 0 {
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@ -1142,6 +1142,42 @@ __docker_complete_user_group() {
 	fi
 }

+DOCKER_PLUGINS_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{.Path}}:{{end}}')
+
+__docker_complete_plugin() {
+	local path=$1
+	local completionCommand="__completeNoDesc"
+	local resultArray=($path $completionCommand)
+	for value in "${words[@]:2}"; do
+		if [ -z "$value" ]; then
+			resultArray+=( "''" )
+		else
+			resultArray+=( "$value" )
+		fi
+	done
+	local rawResult=$(eval "${resultArray[*]}" 2> /dev/null)
+	local result=$(grep -v '^:[0-9]*$' <<< "$rawResult")
+
+	# Compose V2 completions sometimes returns returns `:8` (ShellCompDirectiveFilterFileExt)
+	# with the expected file extensions (such as `yml`, `yaml`) to indicate that the shell should
+	# provide autocompletions for files with matching extensions
+	local completionFlag=$(tail -1 <<< "$rawResult")
+	if [ "$completionFlag" == ":8" ]; then
+		# format a valid glob pattern for the provided file extensions
+		local filePattern=$(tr '\n' '|' <<< "$result")
+
+		_filedir "$filePattern"
+		return
+	fi
+
+	# if result empty, just use filename completion as fallback
+	if [ -z "$result" ]; then
+		_filedir
+	else
+		COMPREPLY=( $(compgen -W "${result}" -- "${current-}") )
+	fi
+}
+
 _docker_docker() {
 	# global options that may appear after the docker command
 	local boolean_options="
@ -5395,23 +5431,6 @@ _docker_wait() {
 	_docker_container_wait
 }

-COMPOSE_PLUGIN_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{if eq .Name "compose"}}{{.Path}}{{end}}{{end}}')
-
-_docker_compose() {
-	local completionCommand="__completeNoDesc"
-	local resultArray=($COMPOSE_PLUGIN_PATH $completionCommand compose)
-	for value in "${words[@]:2}"; do
-		if [ -z "$value" ]; then
-			resultArray+=( "''" )
-		else
-			resultArray+=( "$value" )
-		fi
-	done
-	local result=$(eval "${resultArray[*]}" 2> /dev/null | grep -v '^:[0-9]*$')
-
-	COMPREPLY=( $(compgen -W "${result}" -- "$current") )
-}
-
 _docker() {
 	local previous_extglob_setting=$(shopt -p extglob)
 	shopt -s extglob
@ -5481,11 +5500,16 @@ _docker() {
 		wait
 	)

+	# Create completion functions for all registered plugins
 	local known_plugin_commands=()
-
-	if [ -f "$COMPOSE_PLUGIN_PATH" ] ; then
-		known_plugin_commands+=("compose")
-	fi
+	local plugin_name=""
+	for plugin_path in ${DOCKER_PLUGINS_PATH//:/ }; do
+		plugin_name=$(basename "$plugin_path" | sed 's/ *$//')
+		plugin_name=${plugin_name#docker-}
+		plugin_name=${plugin_name%%.*}
+		eval "_docker_${plugin_name}() { __docker_complete_plugin \"${plugin_path}\"; }"
+		known_plugin_commands+=(${plugin_name})
+	done

 	local experimental_server_commands=(
 		checkpoint
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-    default = "1.19.5"
+    default = "1.19.8"
 }
 variable "VERSION" {
    default = ""
@ -52,7 +52,7 @@ target "binary" {
    platforms = ["local"]
    output = ["build"]
    args = {
-        BASE_VARIANT = USE_GLIBC != "" ? "bullseye" : "alpine"
+        BASE_VARIANT = USE_GLIBC == "1" ? "bullseye" : "alpine"
        VERSION = VERSION
        PACKAGER_NAME = PACKAGER_NAME
        GO_STRIP = STRIP_TARGET
@ -72,7 +72,7 @@ target "plugins" {
    platforms = ["local"]
    output = ["build"]
    args = {
-        BASE_VARIANT = USE_GLIBC != "" ? "bullseye" : "alpine"
+        BASE_VARIANT = USE_GLIBC == "1" ? "bullseye" : "alpine"
        VERSION = VERSION
        GO_STRIP = STRIP_TARGET
    }
@ -155,7 +155,13 @@ target "e2e-image" {
    output = ["type=docker"]
    tags = ["${IMAGE_NAME}"]
    args = {
-        BASE_VARIANT = USE_GLIBC != "" ? "bullseye" : "alpine"
+        BASE_VARIANT = USE_GLIBC == "1" ? "bullseye" : "alpine"
        VERSION = VERSION
    }
 }
+
+target "e2e-gencerts" {
+    inherits = ["_common"]
+    dockerfile = "./e2e/testdata/Dockerfile.gencerts"
+    output = ["./e2e/testdata"]
+}
--- a/dockerfiles/Dockerfile.dev
+++ b/dockerfiles/Dockerfile.dev
@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.19.5
+ARG GO_VERSION=1.19.8
 ARG ALPINE_VERSION=3.16

-ARG BUILDX_VERSION=0.9.1
+ARG BUILDX_VERSION=0.10.4
 FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx

 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang
--- a/dockerfiles/Dockerfile.lint
+++ b/dockerfiles/Dockerfile.lint
@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.19.5
+ARG GO_VERSION=1.19.8
 ARG ALPINE_VERSION=3.16
 ARG GOLANGCI_LINT_VERSION=v1.49.0

--- a/dockerfiles/Dockerfile.vendor
+++ b/dockerfiles/Dockerfile.vendor
@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.19.4
+ARG GO_VERSION=1.19.8
 ARG ALPINE_VERSION=3.16
 ARG MODOUTDATED_VERSION=v0.8.0

--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@ -50,6 +50,7 @@ The table below provides an overview of the current status of deprecated feature

 | Status     | Feature                                                                                                                            | Deprecated | Remove  |
 |------------|------------------------------------------------------------------------------------------------------------------------------------|------------|---------|
+| Deprecated | [Buildkit build information](#buildkit-build-information)                                                                          | v23.0.0    | v24.0.0 |
 | Deprecated | [Legacy builder for Linux images](#legacy-builder-for-linux-images)                                                                | v23.0.0    | -       |
 | Deprecated | [Legacy builder fallback](#legacy-builder-fallback)                                                                                | v23.0.0    | -       |
 | Removed    | [Btrfs storage driver on CentOS 7 and RHEL 7](#btrfs-storage-driver-on-centos-7-and-rhel-7)                                        | v20.10     | v23.0.0 |
@ -104,6 +105,17 @@ The table below provides an overview of the current status of deprecated feature
 | Removed    | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit)                                                                    | v0.10      | v1.13   |
 | Removed    | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import)                                                  | v0.6.7     | v1.12   |

+### Buildkit build information
+
+**Deprecated in Release: v23.0.0**
+
+[Build information](https://github.com/moby/buildkit/blob/v0.11/docs/buildinfo.md)
+structures have been introduced in [BuildKit v0.10.0](https://github.com/moby/buildkit/releases/tag/v0.10.0)
+and are generated with build metadata that allows you to see all the sources
+(images, git repositories) that were used by the build with their exact
+versions and also the configuration that was passed to the build. This
+information is also embedded into the image configuration if one is generated.
+
 ### Legacy builder for Linux images

 **Deprecated in Release: v23.0.0**
--- a/docs/reference/commandline/build.md
+++ b/docs/reference/commandline/build.md
@ -661,7 +661,7 @@ The `--squash` option has a number of known limitations:

 #### Prerequisites

-The example on this page is using experimental mode in Docker 19.03.
+The example on this page is using experimental mode in Docker 23.03.

 Experimental mode can be enabled by using the `--experimental` flag when starting
 the Docker daemon or setting `experimental: true` in the `daemon.json` configuration
@ -673,21 +673,21 @@ line in the `Engine` section:

 ```console
 Client: Docker Engine - Community
- Version:           19.03.8
- API version:       1.40
- Go version:        go1.12.17
- Git commit:        afacb8b
- Built:             Wed Mar 11 01:21:11 2020
+ Version:           23.0.3
+ API version:       1.42
+ Go version:        go1.19.7
+ Git commit:        3e7cbfd
+ Built:             Tue Apr  4 22:05:41 2023
 OS/Arch:           darwin/amd64
- Experimental:      false
+ Context:           default

 Server: Docker Engine - Community
 Engine:
-  Version:          19.03.8
-  API version:      1.40 (minimum version 1.12)
-  Go version:       go1.12.17
-  Git commit:       afacb8b
-  Built:            Wed Mar 11 01:29:16 2020
+  Version:          23.0.3
+  API version:      1.42 (minimum version 1.12)
+  Go version:       go1.19.7
+  Git commit:       59118bf
+  Built:            Tue Apr  4 22:05:41 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 [...]
--- a/docs/reference/commandline/cli.md
+++ b/docs/reference/commandline/cli.md
@ -123,30 +123,31 @@ the [installation](https://docs.docker.com/install/) instructions for your opera
 The following list of environment variables are supported by the `docker` command
 line:

-| Variable                      | Description                                                                                                                             |
-|:------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------|
-| `DOCKER_API_VERSION`          | Override the negotiated API version to use for debugging (e.g. `1.19`)                                                                  |
-| `DOCKER_CERT_PATH`            | Location of your authentication keys. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md)             |
-| `DOCKER_CONFIG`               | The location of your client configuration files.                                                                                        |
-| `DOCKER_CONTENT_TRUST_SERVER` | The URL of the Notary server to use. Defaults to the same URL as the registry.                                                          |
-| `DOCKER_CONTENT_TRUST`        | When set Docker uses notary to sign and verify images. Equates to `--disable-content-trust=false` for build, create, pull, push, run.   |
-| `DOCKER_CONTEXT`              | Name of the `docker context` to use (overrides `DOCKER_HOST` env var and default context set with `docker context use`)                 |
-| `DOCKER_DEFAULT_PLATFORM`     | Default platform for commands that take the `--platform` flag.                                                                          |
-| `DOCKER_HIDE_LEGACY_COMMANDS` | When set, Docker hides "legacy" top-level commands (such as `docker rm`, and `docker pull`) in `docker help` output, and only `Management commands` per object-type (e.g., `docker container`) are printed. This may become the default in a future release, at which point this environment-variable is removed. |
-| `DOCKER_HOST`                 | Daemon socket to connect to.                                                                                                            |
-| `DOCKER_TLS_VERIFY`           | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) |
-| `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](https://docs.docker.com/build/buildkit/). Use plain to show container output (default `auto`). |
+| Variable                      | Description                                                                                                                                                                                                                                                  |
+|:------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `DOCKER_API_VERSION`          | Override the negotiated API version to use for debugging (e.g. `1.19`)                                                                                                                                                                                       |
+| `DOCKER_CERT_PATH`            | Location of your authentication keys. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md)                                                                                                                                  |
+| `DOCKER_CONFIG`               | The location of your client configuration files.                                                                                                                                                                                                             |
+| `DOCKER_CONTENT_TRUST_SERVER` | The URL of the Notary server to use. Defaults to the same URL as the registry.                                                                                                                                                                               |
+| `DOCKER_CONTENT_TRUST`        | When set Docker uses notary to sign and verify images. Equates to `--disable-content-trust=false` for build, create, pull, push, run.                                                                                                                        |
+| `DOCKER_CONTEXT`              | Name of the `docker context` to use (overrides `DOCKER_HOST` env var and default context set with `docker context use`)                                                                                                                                      |
+| `DOCKER_DEFAULT_PLATFORM`     | Default platform for commands that take the `--platform` flag.                                                                                                                                                                                               |
+| `DOCKER_HIDE_LEGACY_COMMANDS` | When set, Docker hides "legacy" top-level commands (such as `docker rm`, and `docker pull`) in `docker help` output, and only `Management commands` per object-type (e.g., `docker container`) are printed. This may become the default in a future release. |
+| `DOCKER_HOST`                 | Daemon socket to connect to.                                                                                                                                                                                                                                 |
+| `DOCKER_TLS_VERIFY`           | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md)                                                                                                                      |
+| `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](https://docs.docker.com/build/buildkit/). Use plain to show container output (default `auto`).                                                        |

 Because Docker is developed using Go, you can also use any environment
 variables used by the Go runtime. In particular, you may find these useful:

-* `HTTP_PROXY`
-* `HTTPS_PROXY`
-* `NO_PROXY`
+| Variable      | Description                                                                    |
+|:--------------|:-------------------------------------------------------------------------------|
+| `HTTP_PROXY`  | Proxy URL for HTTP requests unless overridden by NoProxy.                      |
+| `HTTPS_PROXY` | Proxy URL for HTTPS requests unless overridden by NoProxy.                     |
+| `NO_PROXY`    | Comma-separated values specifying hosts that should be excluded from proxying. |

-These Go environment variables are case-insensitive. See the
-[Go specification](https://golang.org/pkg/net/http/) for details on these
-variables.
+See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config)
+for details on these variables.

 ## Configuration files

--- a/docs/reference/commandline/container_rm.md
+++ b/docs/reference/commandline/container_rm.md
@ -5,7 +5,7 @@ Remove one or more containers

 ### Aliases

-`docker container rm`, `docker rm`
+`docker container rm`, `docker container remove`, `docker rm`

 ### Options

--- a/docs/reference/commandline/dockerd.md
+++ b/docs/reference/commandline/dockerd.md
@ -18,7 +18,7 @@ redirect_from:
 # daemon

 ```markdown
-Usage: dockerd COMMAND
+Usage: dockerd [OPTIONS]

 A self-sufficient runtime for containers.

@ -35,14 +35,14 @@ Options:
      --containerd-namespace string           Containerd namespace to use (default "moby")
      --containerd-plugins-namespace string   Containerd namespace to use for plugins (default "plugins.moby")
      --cpu-rt-period int                     Limit the CPU real-time period in microseconds for the
-                                              parent cgroup for all containers
+                                              parent cgroup for all containers (not supported with cgroups v2)
      --cpu-rt-runtime int                    Limit the CPU real-time runtime in microseconds for the
-                                              parent cgroup for all containers
+                                              parent cgroup for all containers (not supported with cgroups v2)
      --cri-containerd                        start containerd with cri
      --data-root string                      Root directory of persistent Docker state (default "/var/lib/docker")
  -D, --debug                                 Enable debug mode
      --default-address-pool pool-options     Default address pools for node specific local networks
-      --default-cgroupns-mode string          Default mode for containers cgroup namespace ("host" | "private") (default "host")
+      --default-cgroupns-mode string          Default mode for containers cgroup namespace ("host" | "private") (default "private")
      --default-gateway ip                    Container default gateway IPv4 address
      --default-gateway-v6 ip                 Container default gateway IPv6 address
      --default-ipc-mode string               Default mode for containers ipc ("shareable" | "private") (default "private")
@ -62,6 +62,8 @@ Options:
  -H, --host list                             Daemon socket(s) to connect to
      --host-gateway-ip ip                    IP address that the special 'host-gateway' string in --add-host resolves to.
                                              Defaults to the IP address of the default bridge
+      --http-proxy string                     HTTP proxy URL to use for outgoing traffic
+      --https-proxy string                    HTTPS proxy URL to use for outgoing traffic
      --icc                                   Enable inter-container communication (default true)
      --init                                  Run an init in the container to forward signals and reap processes
      --init-path string                      Path to the docker-init binary
@ -69,8 +71,8 @@ Options:
      --ip ip                                 Default IP when binding container ports (default 0.0.0.0)
      --ip-forward                            Enable net.ipv4.ip_forward (default true)
      --ip-masq                               Enable IP masquerading (default true)
+      --ip6tables                             Enable addition of ip6tables rules (experimental)
      --iptables                              Enable addition of iptables rules (default true)
-      --ip6tables                             Enable addition of ip6tables rules (default false)
      --ipv6                                  Enable IPv6 networking
      --label list                            Set key=value labels to the daemon
      --live-restore                          Enable live restore of docker when containers are still running
@ -81,16 +83,17 @@ Options:
      --max-concurrent-uploads int            Set the max concurrent uploads (default 5)
      --max-download-attempts int             Set the max download attempts for each pull (default 5)
      --metrics-addr string                   Set default address and port to serve the metrics api on
-      --mtu int                               Set the containers network MTU
+      --mtu int                               Set the containers network MTU (default 1500)
      --network-control-plane-mtu int         Network Control plane MTU (default 1500)
      --no-new-privileges                     Set no-new-privileges by default for new containers
+      --no-proxy string                       Comma-separated list of hosts or IP addresses for which the proxy is skipped
      --node-generic-resource list            Advertise user-defined resource
-      --oom-score-adjust int                  Set the oom_score_adj for the daemon (default -500)
+      --oom-score-adjust int                  Set the oom_score_adj for the daemon
  -p, --pidfile string                        Path to use for daemon PID file (default "/var/run/docker.pid")
      --raw-logs                              Full timestamps without ANSI coloring
      --registry-mirror list                  Preferred registry mirror
      --rootless                              Enable rootless mode; typically used with RootlessKit
-      --seccomp-profile string                Path to seccomp profile
+      --seccomp-profile string                Path to seccomp profile. Use "unconfined" to disable the default seccomp profile (default "builtin")
      --selinux-enabled                       Enable selinux support
      --shutdown-timeout int                  Set the default shutdown timeout (default 15)
  -s, --storage-driver string                 Storage driver to use
@ -129,16 +132,42 @@ to [the `daemon.json` file](#daemon-configuration-file).
 For easy reference, the following list of environment variables are supported
 by the `dockerd` command line:

-* `DOCKER_DRIVER` The graph driver to use.
-* `DOCKER_NOWARN_KERNEL_VERSION` Prevent warnings that your Linux kernel is
-  unsuitable for Docker.
-* `DOCKER_RAMDISK` If set this will disable 'pivot_root'.
-* `DOCKER_TMPDIR` Location for temporary Docker files.
-* `MOBY_DISABLE_PIGZ` Do not use [`unpigz`](https://linux.die.net/man/1/pigz) to
-  decompress layers in parallel when pulling images, even if it is installed.
+| Variable            | Description                                                                                                                                                                       |
+|:--------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `DOCKER_CERT_PATH`  | Location of your authentication keys. This variable is used both by the [`docker` CLI](cli.md) and the `dockerd` daemon.                                                          |
+| `DOCKER_DRIVER`     | The storage driver to use.                                                                                                                                                        |
+| `DOCKER_RAMDISK`    | If set this disables 'pivot_root'.                                                                                                                                                |
+| `DOCKER_TLS_VERIFY` | When set Docker uses TLS and verifies the remote. This variable is used both by the  [`docker` CLI](cli.md) and the `dockerd` daemon.                                             |
+| `DOCKER_TMPDIR`     | Location for temporary files created by the daemon.                                                                                                                               |
+| `HTTP_PROXY`        | Proxy URL for HTTP requests unless overridden by NoProxy. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details.                      |
+| `HTTPS_PROXY`       | Proxy URL for HTTPS requests unless overridden by NoProxy. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details.                     |
+| `MOBY_DISABLE_PIGZ` | Disables the use of [`unpigz`](https://linux.die.net/man/1/pigz) to  decompress layers in parallel when pulling images, even if it is installed.                                  |                                                                                                                                                               |
+| `NO_PROXY`          | Comma-separated values specifying hosts that should be excluded from proxying. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details. |

 ## Examples

+### Proxy configuration
+
+> **Note**
+> 
+> Refer to the [Docker Desktop manual](https://docs.docker.com/desktop/networking/#httphttps-proxy-support)
+> if you are running [Docker Desktop](https://docs.docker.com/desktop/).
+
+If you are behind an HTTP proxy server, for example in corporate settings,
+you may have to configure the Docker daemon to use the proxy server for
+operations such as pulling and pushing images. The daemon can be configured
+in three ways:
+
+1. Using environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`).
+2. Using the "http-proxy", "https-proxy", and "no-proxy" fields in the
+  [daemon configuration file](#daemon-configuration-file) (Docker Engine 23.0 or newer).
+3. Using the `--http-proxy`, `--https-proxy`, and `--no-proxy` command-line
+  options. (Docker Engine 23.0 or newer).
+
+The command-line and configuration file options take precedence over environment
+variables. Refer to [control and configure Docker with systemd](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy)
+to set these environment variables on a host using `systemd`.
+
 ### Daemon socket option

 The Docker daemon can listen for [Docker Engine API](https://docs.docker.com/engine/api/)
@ -295,57 +324,11 @@ $ docker -H tcp://127.0.0.1:2375 pull ubuntu
 On Linux, the Docker daemon has support for several different image layer storage
 drivers: `aufs`, `devicemapper`, `btrfs`, `zfs`, `overlay`, `overlay2`, and `fuse-overlayfs`.

-The `aufs` driver is the oldest, but is based on a Linux kernel patch-set that
-is unlikely to be merged into the main kernel. These are also known to cause
-some serious kernel crashes. However `aufs` allows containers to share
-executable and shared library memory, so is a useful choice when running
-thousands of containers with the same program or libraries.
+`overlay2` is the preferred storage driver for all currently supported Linux distributions,
+and is selected by default. Unless users have a strong reason to prefer another storage driver,
+`overlay2` should be used.

-The `devicemapper` driver uses thin provisioning and Copy on Write (CoW)
-snapshots. For each devicemapper graph location – typically
-`/var/lib/docker/devicemapper` – a thin pool is created based on two block
-devices, one for data and one for metadata. By default, these block devices
-are created automatically by using loopback mounts of automatically created
-sparse files. Refer to [Devicemapper options](#devicemapper-options) below
-for a way how to customize this setup.
-[~jpetazzo/Resizing Docker containers with the Device Mapper plugin](https://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/)
-article explains how to tune your existing setup without the use of options.
-
-The `btrfs` driver is very fast for `docker build` - but like `devicemapper`
-does not share executable memory between devices. Use
-`dockerd --storage-driver btrfs --data-root /mnt/btrfs_partition`.
-
-The `zfs` driver is probably not as fast as `btrfs` but has a longer track record
-on stability. Thanks to `Single Copy ARC` shared blocks between clones will be
-cached only once. Use `dockerd -s zfs`. To select a different zfs filesystem
-set `zfs.fsname` option as described in [ZFS options](#zfs-options).
-
-The `overlay` is a very fast union filesystem. It is now merged in the main
-Linux kernel as of [3.18.0](https://lkml.org/lkml/2014/10/26/137). `overlay`
-also supports page cache sharing, this means multiple containers accessing
-the same file can share a single page cache entry (or entries), it makes
-`overlay` as efficient with memory as `aufs` driver. Call `dockerd -s overlay`
-to use it.
-
-The `overlay2` uses the same fast union filesystem but takes advantage of
-[additional features](https://lkml.org/lkml/2015/2/11/106) added in Linux
-kernel 4.0 to avoid excessive inode consumption. Call `dockerd -s overlay2`
-to use it.
-
-> **Note**
->
-> The `overlay` storage driver can cause excessive inode consumption (especially
-> as the number of images grows). We recommend using the `overlay2` storage
-> driver instead.
-
-
-> **Note**
->
-> Both `overlay` and `overlay2` are currently unsupported on `btrfs`
-> or any Copy on Write filesystem and should only be used over `ext4` partitions.
-
-The `fuse-overlayfs` driver is similar to `overlay2` but works in userspace.
-The `fuse-overlayfs` driver is expected to be used for [Rootless mode](https://docs.docker.com/engine/security/rootless/).
+You can find out more about storage drivers and how to select one in [Select a storage driver](https://docs.docker.com/storage/storagedriver/select-storage-driver/).

 On Windows, the Docker daemon only supports the `windowsfilter` storage driver.

@ -1189,7 +1172,7 @@ of the flag name, e.g., `labels` for the `label` flag.

 The options set in the configuration file must not conflict with options set
 via flags. The docker daemon fails to start if an option is duplicated between
-the file and the flags, regardless their value. We do this to avoid
+the file and the flags, regardless of their value. We do this to avoid
 silently ignore changes introduced in configuration reloads.
 For example, the daemon fails to start if you set daemon labels
 in the configuration file and also set daemon labels via the `--label` flag.
@ -1268,6 +1251,9 @@ This is a full example of the allowed configuration options on Linux:
  "fixed-cidr-v6": "",
  "group": "",
  "hosts": [],
+  "http-proxy": "http://proxy.example.com:80",
+  "https-proxy": "https://proxy.example.com:443",
+  "no-proxy": "*.test.example.com,.example.org",
  "icc": false,
  "init": false,
  "init-path": "/usr/libexec/docker-init",
@ -1301,7 +1287,7 @@ This is a full example of the allowed configuration options on Linux:
    "NVIDIA-GPU=UUID1",
    "NVIDIA-GPU=UUID2"
  ],
-  "oom-score-adjust": -500,
+  "oom-score-adjust": 0,
  "pidfile": "",
  "raw-logs": false,
  "registry-mirrors": [],
--- a/docs/reference/commandline/info.md
+++ b/docs/reference/commandline/info.md
@ -52,14 +52,11 @@ Client:
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
-    Version:  v0.8.2
+    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
-    Version:  v2.6.0
+    Version:  v2.17.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
-  scan: Docker Scan (Docker Inc.)
-    Version:  v0.17.0
-    Path:     /usr/libexec/docker/cli-plugins/docker-scan

 Server:
 Containers: 14
@ -67,7 +64,7 @@ Server:
  Paused: 1
  Stopped: 10
 Images: 52
- Server Version: 22.06.0
+ Server Version: 23.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
@ -82,11 +79,11 @@ Server:
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
- Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
+ Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
- containerd version: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
- runc version: v1.1.1-0-g52de29d
+ containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
+ runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  apparmor
@ -106,7 +103,7 @@ Server:
 Username: gordontheturtle
 Registry: https://index.docker.io/v1/
 Experimental: false
- Insecure registries:
+ Insecure Registries:
  myinsecurehost:5000
  127.0.0.0/8
 Live Restore Enabled: false
@ -119,7 +116,7 @@ You can also specify the output format:
 ```console
 $ docker info --format '{{json .}}'

-{"ID":"I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S","Containers":14, ...}
+{"ID":"4cee4408-10d2-4e17-891c-a41736ac4536","Containers":14, ...}
 ```

 ### Run `docker info` on Windows
@ -133,9 +130,12 @@ Client:
 Context:    default
 Debug Mode: false
 Plugins:
-  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
-  compose: Docker Compose (Docker Inc., v2.6.0)
-  scan: Docker Scan (Docker Inc., v0.17.0)
+  buildx: Docker Buildx (Docker Inc.)
+    Version:  v0.10.4
+    Path:     C:\Program Files\Docker\cli-plugins\docker-buildx.exe
+  compose: Docker Compose (Docker Inc.)
+    Version:  v2.17.2
+    Path:     C:\Program Files\Docker\cli-plugins\docker-compose.exe

 Server:
 Containers: 1
@ -143,7 +143,7 @@ Server:
  Paused: 0
  Stopped: 1
 Images: 17
- Server Version: 20.10.16
+ Server Version: 23.0.3
 Storage Driver: windowsfilter
 Logging Driver: json-file
 Plugins:
--- a/docs/reference/commandline/node_ls.md
+++ b/docs/reference/commandline/node_ls.md
@ -110,10 +110,10 @@ Show all nodes that have a `region` node label set:
 $ docker node ls --filter node.label=region

 ID                            HOSTNAME        STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
-yg550ettvsjn6g6t840iaiwgb *   swarm-test-01   Ready     Active         Leader           20.10.2
-2lm9w9kbepgvkzkkeyku40e65     swarm-test-02   Ready     Active         Reachable        20.10.2
-hc0pu7ntc7s4uvj4pv7z7pz15     swarm-test-03   Ready     Active         Reachable        20.10.2
-n41b2cijmhifxxvz56vwrs12q     swarm-test-04   Ready     Active                          20.10.2
+yg550ettvsjn6g6t840iaiwgb *   swarm-test-01   Ready     Active         Leader           23.0.3
+2lm9w9kbepgvkzkkeyku40e65     swarm-test-02   Ready     Active         Reachable        23.0.3
+hc0pu7ntc7s4uvj4pv7z7pz15     swarm-test-03   Ready     Active         Reachable        23.0.3
+n41b2cijmhifxxvz56vwrs12q     swarm-test-04   Ready     Active                          23.0.3
 ```

 Show all nodes that have a `region` node label, with value `region-a`:
@ -122,8 +122,8 @@ Show all nodes that have a `region` node label, with value `region-a`:
 $ docker node ls --filter node.label=region=region-a

 ID                            HOSTNAME        STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
-yg550ettvsjn6g6t840iaiwgb *   swarm-test-01   Ready     Active         Leader           20.10.2
-2lm9w9kbepgvkzkkeyku40e65     swarm-test-02   Ready     Active         Reachable        20.10.2
+yg550ettvsjn6g6t840iaiwgb *   swarm-test-01   Ready     Active         Leader           23.0.3
+2lm9w9kbepgvkzkkeyku40e65     swarm-test-02   Ready     Active         Reachable        23.0.3
 ```

 #### membership
@ -203,7 +203,7 @@ e216jshn25ckzbvmwlnh5jr3g: swarm-manager1 Ready
 To list all nodes in JSON format, use the `json` directive:
 ```console
 $ docker node ls --format json
-{"Availability":"Active","EngineVersion":"20.10.5","Hostname":"docker-desktop","ID":"k8f4w7qtzpj5sqzclcqafw35g","ManagerStatus":"Leader","Self":true,"Status":"Ready","TLSStatus":"Ready"}
+{"Availability":"Active","EngineVersion":"23.0.3","Hostname":"docker-desktop","ID":"k8f4w7qtzpj5sqzclcqafw35g","ManagerStatus":"Leader","Self":true,"Status":"Ready","TLSStatus":"Ready"}
 ```

 ## Related commands
--- a/docs/reference/commandline/pull.md
+++ b/docs/reference/commandline/pull.md
@ -34,10 +34,8 @@ use `docker pull`.

 If you are behind an HTTP proxy server, for example in corporate settings,
 before open a connect to registry, you may need to configure the Docker
-daemon's proxy settings, using the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`
-environment variables. To set these environment variables on a host using
-`systemd`, refer to the [control and configure Docker with systemd](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy)
-for variables configuration.
+daemon's proxy settings, refer to the [dockerd command-line reference](dockerd.md#proxy-configuration)
+for details.

 ### Concurrent downloads

--- a/docs/reference/commandline/rm.md
+++ b/docs/reference/commandline/rm.md
@ -5,7 +5,7 @@ Remove one or more containers

 ### Aliases

-`docker container rm`, `docker rm`
+`docker container rm`, `docker container remove`, `docker rm`

 ### Options

--- a/docs/reference/commandline/stats.md
+++ b/docs/reference/commandline/stats.md
@ -95,16 +95,16 @@ $ docker stats nginx --no-stream --format "{{ json . }}"
 Running `docker stats` with customized format on all (Running and Stopped) containers.

 ```console
-$ docker stats --all --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" fervent_panini 5acfcb1b4fd1 drunk_visvesvaraya big_heisenberg
+$ docker stats --all --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" fervent_panini 5acfcb1b4fd1 humble_visvesvaraya big_heisenberg

 CONTAINER                CPU %               MEM USAGE / LIMIT
 fervent_panini           0.00%               56KiB / 15.57GiB
 5acfcb1b4fd1             0.07%               32.86MiB / 15.57GiB
-drunk_visvesvaraya       0.00%               0B / 0B
+humble_visvesvaraya      0.00%               0B / 0B
 big_heisenberg           0.00%               0B / 0B
 ```

-`drunk_visvesvaraya` and `big_heisenberg` are stopped containers in the above example.
+`humble_visvesvaraya` and `big_heisenberg` are stopped containers in the above example.

 Running `docker stats` on all running containers against a Windows daemon.

--- a/docs/reference/commandline/version.md
+++ b/docs/reference/commandline/version.md
@ -37,30 +37,30 @@ machine running Docker Desktop:
 ```console
 $ docker version

-Client:
- Version:           20.10.16
- API version:       1.41
- Go version:        go1.17.10
- Git commit:        aa7e414
- Built:             Thu May 12 09:17:28 2022
+Client: Docker Engine - Community
+ Version:           23.0.3
+ API version:       1.42
+ Go version:        go1.19.7
+ Git commit:        3e7cbfd
+ Built:             Tue Apr  4 22:05:41 2023
 OS/Arch:           darwin/amd64
 Context:           default

-Server: Docker Desktop 4.8.2 (77141)
+Server: Docker Desktop 4.19.0 (12345)
 Engine:
-  Version:          20.10.16
-  API version:      1.41 (minimum version 1.12)
-  Go version:       go1.17.10
-  Git commit:       f756502
-  Built:            Thu May 12 09:15:33 2022
+  Version:          23.0.3
+  API version:      1.42 (minimum version 1.12)
+  Go version:       go1.19.7
+  Git commit:       59118bf
+  Built:            Tue Apr  4 22:05:41 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
-  Version:          1.6.4
-  GitCommit:        212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
+  Version:          1.6.20
+  GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc:
-  Version:          1.1.1
-  GitCommit:        v1.1.1-0-g52de29d
+  Version:          1.1.5
+  GitCommit:        v1.1.5-0-gf19387a
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
@ -82,12 +82,12 @@ remote-test-server

 $ docker version

-Client:
- Version:           20.10.16
- API version:       1.40 (downgraded from 1.41)
- Go version:        go1.17.10
- Git commit:        aa7e414
- Built:             Thu May 12 09:17:28 2022
+Client: Docker Engine - Community
+ Version:           23.0.3
+ API version:       1.40 (downgraded from 1.42)
+ Go version:        go1.19.7
+ Git commit:        3e7cbfd
+ Built:             Tue Apr  4 22:05:41 2023
 OS/Arch:           darwin/amd64
 Context:           remote-test-server

@ -142,7 +142,7 @@ $ docker version --format '{{.Client.APIVersion}}'

 $ unset DOCKER_API_VERSION
 $ docker version --format '{{.Client.APIVersion}}'
-1.41
+1.42
 ```

 ## Examples
@ -159,7 +159,7 @@ page for details of the format.
 ```console
 $ docker version --format '{{.Server.Version}}'

-20.10.16
+23.0.3
 ```

 ### Get the client API version
@ -169,7 +169,7 @@ The following example prints the API version that is used by the client:
 ```console
 $ docker version --format '{{.Client.APIVersion}}'

-1.41
+1.42
 ```

 The version shown is the API version that is negotiated between the client
@ -181,5 +181,5 @@ above for more information.
 ```console
 $ docker version --format '{{json .}}'

-{"Client":{"Platform":{"Name":"Docker Engine - Community"},"Version":"19.03.8","ApiVersion":"1.40","DefaultAPIVersion":"1.40","GitCommit":"afacb8b","GoVersion":"go1.12.17","Os":"darwin","Arch":"amd64","BuildTime":"Wed Mar 11 01:21:11 2020","Experimental":true},"Server":{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"19.03.8","Details":{"ApiVersion":"1.40","Arch":"amd64","BuildTime":"Wed Mar 11 01:29:16 2020","Experimental":"true","GitCommit":"afacb8b","GoVersion":"go1.12.17","KernelVersion":"4.19.76-linuxkit","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"v1.2.13","Details":{"GitCommit":"7ad184331fa3e55e52b890ea95e65ba581ae3429"}},{"Name":"runc","Version":"1.0.0-rc10","Details":{"GitCommit":"dc9208a3303feef5b3839f4323d9beb36df0a9dd"}},{"Name":"docker-init","Version":"0.18.0","Details":{"GitCommit":"fec3683"}}],"Version":"19.03.8","ApiVersion":"1.40","MinAPIVersion":"1.12","GitCommit":"afacb8b","GoVersion":"go1.12.17","Os":"linux","Arch":"amd64","KernelVersion":"4.19.76-linuxkit","Experimental":true,"BuildTime":"2020-03-11T01:29:16.000000000+00:00"}}
+{"Client":"Version":"23.0.3","ApiVersion":"1.42", ...}
 ```
--- a/e2e/cli-plugins/run_test.go
+++ b/e2e/cli-plugins/run_test.go
@ -83,7 +83,7 @@ func TestHelpBad(t *testing.T) {

 	res := icmd.RunCmd(run("help", "badmeta"))
 	res.Assert(t, icmd.Expected{
-		ExitCode: 0,
+		ExitCode: 1,
 		Out:      icmd.None,
 	})
 	golden.Assert(t, res.Stderr(), "docker-help-badmeta-err.golden")
@ -110,8 +110,8 @@ func TestBadHelp(t *testing.T) {
 	res.Assert(t, icmd.Expected{
 		ExitCode: 0,
 		// This should be identical to the --help case above
-		Out: usage,
-		Err: shortHFlagDeprecated,
+		Out: shortHFlagDeprecated + usage,
+		Err: icmd.None,
 	})
 }

--- a/e2e/testdata/Dockerfile.gencerts
+++ b/e2e/testdata/Dockerfile.gencerts
@ -0,0 +1,19 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION=1.19.8
+
+FROM golang:${GO_VERSION}-alpine AS generated
+RUN go install github.com/dmcgowan/quicktls@master
+WORKDIR /tmp/gencerts/notary
+RUN --mount=type=bind,source=e2e/testdata/notary,target=/tmp/gencerts/notary,rw <<EOT
+  set -eu
+  mkdir -p ../notary-evil /out
+  quicktls -exp 87600h -org=Docker -with-san notary-server notaryserver evil-notary-server evilnotaryserver localhost 127.0.0.1
+  cat ca.pem >> notary-server.cert
+  mv ca.pem root-ca.cert
+  cp notary-server.cert notary-server.key root-ca.cert ../notary-evil
+  cp -r /tmp/gencerts/notary* /out/
+EOT
+
+FROM scratch
+COPY --from=generated /out /
--- a/e2e/testdata/gen-certs.sh
+++ b/e2e/testdata/gen-certs.sh
@ -1,12 +0,0 @@
-#!/usr/bin/env sh
-set -eu
-
-# This script is used to generate the test-certificates in the notary-server and
-# evil-notary-server directories. Run this script to update the certificates if
-# they expire.
-GO111MODULE=off go get -u github.com/dmcgowan/quicktls
-cd notary
-quicktls -org=Docker -with-san notary-server notaryserver evil-notary-server evilnotaryserver localhost 127.0.0.1
-cat ca.pem >> notary-server.cert
-mv ca.pem root-ca.cert
-cp notary-server.cert notary-server.key root-ca.cert ../notary-evil/
--- a/e2e/testdata/notary-evil/notary-server.cert
+++ b/e2e/testdata/notary-evil/notary-server.cert
@ -1,38 +1,40 @@
 -----BEGIN CERTIFICATE-----
-MIIDVDCCAjygAwIBAgIQQReeTsMMrsG9juzWS8eAjjANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
-bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKA
-wO8S9Ux/e4TMOsTkPtCPfpFU+6l6z72uzrFhCNWb0lrTG7hcxwhP6sIesevTOM24
-GCyvzh+9SMTtdBmSQty4JNElqg9sB6r1tLTeTHo7lMiSiINftctoI1kYg9ni+IO9
-DVBSb9gQf9dDoizat9VhpbLNm3QXkQSeE9cumen6Pz+fcEtB7lFtIYxEEv/L7+VY
-QOvhtg0RXiRzfmtSGwFL+FZ9PBz4LOvPnPOLCMQewhR+6cAkO7Jch0ZMjCe8zXXw
-h8meeIedoevHt0opsr4HHikvr6llwlhWHL+E7zwTPO10xLGd/RIQGGhs8dXhzp1V
-lw/oe2VJoIFSOaGjRFcCAwEAAaN/MH0wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
-/wQCMAAwXQYDVR0RBFYwVIINbm90YXJ5LXNlcnZlcoIMbm90YXJ5c2VydmVyghJl
-dmlsLW5vdGFyeS1zZXJ2ZXKCEGV2aWxub3RhcnlzZXJ2ZXKCCWxvY2FsaG9zdIcE
-fwAAATANBgkqhkiG9w0BAQsFAAOCAQEAgwkZpp4s6reZWs9QatF/x9qWWXIXJzYh
-6BgzHL3s7UgeZSs0XhgfHYy6SO94ENpbzPADZwue/NjwNXmp7TLjbyUPjSo1DDt7
-OLG8bQ/hbcPKgMzirTZT36CEsetIBYmfyn39h+ZEIJ30J996/Tgq+X9sG7An2wq3
-/btn+C/BiMUgGnNxZ8p4n+uJCUKA95uVugdLjeioA+19HgQzrLSkeZUR/wsesq5F
-iP9k8va2oU3l3MsF079NpfIDl2gtIgXFYWPhyaJCaa+b8irjdoPnhDBuC5p77AWl
-UTPw/6ENKMMd1Pze6HLpBJAkPP8hTlULKgvuF0pWuGOejipkAKlOBQ==
+MIIDdzCCAl+gAwIBAgIQTujwx+1xxXeI5AbzAQ379TANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
+bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPhZ
+pU7DRK/2nwbTu+kVYhU/XARDleVSiLrQ5RMR1Cz2xC4LWkOEVSj4aCBo85O66JAx
+p+WRVwoVEU2rdkK3k4983Xr34+7q5Hv4hmwlg6I7QLRRJapEgK5G5RB/9aQntolx
+h5E0KaoF4PJP25y4FHCUr4td4QyitaICsCpuOAN6XgmE9sM9TBf+AEjTSxwwvgEz
+DqHvyovl7pA+pQP2oTKBrf6KN8hHDOXmm9gd8ST9yKLrsYWhqExLLPnAD4lQEcKZ
+29g+iTd4eNoJUXctpuY+3IpqBcQSLq35mNKBP/FQco6g3q26/cB4zWGxTr3jGJqs
+ms8qdFLGZ2KiBCt+oDMCAwEAAaOBoTCBnjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
+AQH/BAIwADAfBgNVHSMEGDAWgBTxYMNqgy2wkgmPZL/+bTCTQo6ulTBdBgNVHREE
+VjBUgg1ub3Rhcnktc2VydmVyggxub3RhcnlzZXJ2ZXKCEmV2aWwtbm90YXJ5LXNl
+cnZlcoIQZXZpbG5vdGFyeXNlcnZlcoIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
+DQEBCwUAA4IBAQCDMjuZnNINFfqstFwhEEvAgWbjYW26ZQxhQffaqDlbMIQkWoXj
+8inld9bma9Mf5i/GAkUwFqCnEHD4LQ6vDgfAgL+pSOv9VI5SBEuk/gLqvIBUeIRu
+uHo1jWtll2Fr7eDLVdD4mPRPFC7V6mv6sFa9EN4tBN8eheQxHJvzwnnU7X28prfI
+/hWnwPWScVvttqBSsq1h2CUpVu2zGVToeCJ9xl4r/NyDtM5TyMgz7RLrer0p8NSu
+4Qp4ZXtxHDLduWcyMUHLGTprW05yjj9UVq89xfaCOqFSpx5i4oxotYm1PoOacHmN
+RMp9vaYMAmopoxIEYX6fDg5T3sQ5cidZJEvU
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----
--- a/e2e/testdata/notary-evil/notary-server.key
+++ b/e2e/testdata/notary-evil/notary-server.key
@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAooDA7xL1TH97hMw6xOQ+0I9+kVT7qXrPva7OsWEI1ZvSWtMb
-uFzHCE/qwh6x69M4zbgYLK/OH71IxO10GZJC3Lgk0SWqD2wHqvW0tN5MejuUyJKI
-g1+1y2gjWRiD2eL4g70NUFJv2BB/10OiLNq31WGlss2bdBeRBJ4T1y6Z6fo/P59w
-S0HuUW0hjEQS/8vv5VhA6+G2DRFeJHN+a1IbAUv4Vn08HPgs68+c84sIxB7CFH7p
-wCQ7slyHRkyMJ7zNdfCHyZ54h52h68e3SimyvgceKS+vqWXCWFYcv4TvPBM87XTE
-sZ39EhAYaGzx1eHOnVWXD+h7ZUmggVI5oaNEVwIDAQABAoIBAB+xmO+H9Qu8eWzH
-IFcyZQXsVrUlrAe8CjRmma2CzWRMBdTtA6ULg04duB2wOudRxOxqkVx11W/fTQgL
-f+9U1XGTAKtB+08StNQlI99609OrNzN/UNy+mAhaATrpSx395JZdEvGtgl7TqPtl
-F4ZECkK1zsl2zHDx/7i01A3N6vr1IiK1UU0sdQqqrYdWXm+ozJpRuYj8AMU3JN79
-aVDFy7cM68UZRVHp0os2SXrmTLE6Li0L0Gp55371iAbv7NQAzyhH/U2HRwSMYTSY
-aRqr3VQqI7Frf0QHtHtcUP0idGa/KXMRKzSIbGFCUNV2XxXs+c7+xFylRZuJ1DBp
-oawlYNECgYEAwc8+2034McwM0zMTTdIA+WhrDVSEFDpv4S9LjFzOl09J+LVHe6Mj
-am1bKu99PWzmNnvBrnDPOfEI3VxkIJW59omjPecXsie6/XNfG2U0Yvd4B4Aq5mSW
-+YSqH1FlQ3qqcjj/zTj+A3nfBNyn80I16AsbZVO4jijMrDsleLk+NjMCgYEA1qXI
-hyj+i96/WxYEofgDMlmM3nUWN3Ll3M9MEfpX1+B13XYWqOYpG/WGk7gxDVKtUkqh
-KbgnLtdglQjz10iD1nXpmMPzrVfEFZwlhUfrBGOXJIdOt2nCoxzMd/k13xVqjOS2
-X4sja+vvgJVwYm5q+YS3gNutx1Om5gyeEjoCLU0CgYEAoGhJW/WCcKS0ELF7TrN7
-fvG/eL70ulFLfBNK8hd2HaHQVXqkeV4i19k+1aB2Bbr2Jy3ytdBEk249qgjoDlge
-HED6zSdRY3CiwVcV5nSzER5FR9/6ocmrc0UsENOrflgubm9iuJZtFq9tuHZww1OP
-jkhzGkBaxb5a+EnTz8FyDiUCgYBgVXVDG+XqFmVhVudrXejpXwF3EauP5TQ+vpaQ
-dv+XtniPlSEkWm/WyYHFqGPza8i35yCfnbOQNT92g9cUJspspOzbEA68HGi3niXE
-xHs4tA2waj2s2X1uQU2PBrzjyzPP2hHznXmfRPtvhSI0OwQtyh+laHJ8xBFirAUB
-fyFc/QKBgFWXXq2W/m3m1zsshn0QtxsC/sIxDdLseGq5sUi5Xy7R0fXqhKAW6xfj
-pnHcAe4yKT6ymnfBQ8xdKURuZJWMql8R0b1lSJb7A9P9ZxTD7FjW7ilyzbdFMr7F
-CTRZcz33sHTWD2TOqpDsia9gbQythGmySv4WVJ5W8H7gFY/2/h2W
+MIIEpAIBAAKCAQEA+FmlTsNEr/afBtO76RViFT9cBEOV5VKIutDlExHULPbELgta
+Q4RVKPhoIGjzk7rokDGn5ZFXChURTat2QreTj3zdevfj7urke/iGbCWDojtAtFEl
+qkSArkblEH/1pCe2iXGHkTQpqgXg8k/bnLgUcJSvi13hDKK1ogKwKm44A3peCYT2
+wz1MF/4ASNNLHDC+ATMOoe/Ki+XukD6lA/ahMoGt/oo3yEcM5eab2B3xJP3Iouux
+haGoTEss+cAPiVARwpnb2D6JN3h42glRdy2m5j7cimoFxBIurfmY0oE/8VByjqDe
+rbr9wHjNYbFOveMYmqyazyp0UsZnYqIEK36gMwIDAQABAoIBAQDy7W2f763+mbTQ
+zshepQX+Vq3BlgLIAMWyR6fr0WLEYNVhXMV8ibNrkiD4ovCwLwJSGeBr1JFZUWZN
+nUze0gdLMg7LvDN/ftDk2yNSIhfy1xbhywaW2M8uqjZiv2genKIXK7A6PtYKdBmn
+rKnbUMzdmvNj1f7Ph1E4Gn0L5ChybJDJrq6wQjuTdZ6RmkGkbid0L+47Uv+6xBm9
+hgBPVXd8auQAYGmyXZwvfga5ZjfRMI4wvWkvjOAQcJtxxgOnLT1KDjYV+L70PWul
+bYoKX0sNkFEP9tOq2pD9XVBuTVQxcYeztv0Vz+kG66Ju1KKCAnUYFhRt055zZLfm
+WDYlWm0BAoGBAPvGW9LvzwCDE9QUcR46nG1ZihheJyGKwWVK+ZjYkUU9nLbrIpOD
+/jmihoHHhKBC6YOfHHY73LtZ22fgXEu6ivDzZtTxBErXbdRpEKktJebRK7gPkfsB
+PNQ8CRd/DxRC/JuVFR76OPsbZWhXCaeC7PRdyAtvU9toT1jIQf+a4OhBAoGBAPyE
+kxEoNO1KhWtgByUlsPzvq9PaTjwW/LpmEoo0FBUhYRPxYzVuYrE0BBflDR6JcMRR
+oE9CXYGjtVPB44gT7pHVP09f3Ugrxk7X+t8wy3PWUTaTprmmEGqF0TzfdH4oQz0Y
+v1khwuIu6rRlddGEiCKldXxn+gJy9E70yO4bm4tzAoGAL/XFIBVWVT6i1E9gjOWV
+Tq8zwxiMU7Ney7DQgvEeGxZ1d9Kqr3cBQnFXNfmPpgeY+92fSlZ04atoRA1VB4ft
+V6DGAeI3cxo+bavl5JQZGDLYJSOyJyJBOByHjtZBRRbNj8WCVHhNymeZlZqe2C30
+fUgwBx2Z172y/7KF/+680QECgYEA1GhUKQ9wDdYsiliZSgb9bJXSLH8qZeNULRrl
+J3mNFwUf2p2mvPAgdjxx4QOb2H716z1aIrGJZB4nzc9/LBzQBb2h5ouV4DpqMjH8
+5bbuvH6fi9ABY5Irpt7vVUwFeoU1ofPqKPh8LLQYWywpQddAiBwzyjTQGTVHCg9f
+4OI6Ib8CgYAptl24MGOc6BminKgsux+vNS9X1WwIADiHDyWBPHeQgLX8bYegswq9
+/6uGXJQgdFBhfLuoTBBN0ia/0QQhDezzrqnERddciuL2zxFxEETdpIuxm4lhieX7
+9LqnFcjxM4sLCg4SDSRX+nburiCnLDQiaBzhARooMJO48luTZUiWYQ==
 -----END RSA PRIVATE KEY-----
--- a/e2e/testdata/notary-evil/root-ca.cert
+++ b/e2e/testdata/notary-evil/root-ca.cert
@ -1,18 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----
--- a/e2e/testdata/notary/notary-server.cert
+++ b/e2e/testdata/notary/notary-server.cert
@ -1,38 +1,40 @@
 -----BEGIN CERTIFICATE-----
-MIIDVDCCAjygAwIBAgIQQReeTsMMrsG9juzWS8eAjjANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
-bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKA
-wO8S9Ux/e4TMOsTkPtCPfpFU+6l6z72uzrFhCNWb0lrTG7hcxwhP6sIesevTOM24
-GCyvzh+9SMTtdBmSQty4JNElqg9sB6r1tLTeTHo7lMiSiINftctoI1kYg9ni+IO9
-DVBSb9gQf9dDoizat9VhpbLNm3QXkQSeE9cumen6Pz+fcEtB7lFtIYxEEv/L7+VY
-QOvhtg0RXiRzfmtSGwFL+FZ9PBz4LOvPnPOLCMQewhR+6cAkO7Jch0ZMjCe8zXXw
-h8meeIedoevHt0opsr4HHikvr6llwlhWHL+E7zwTPO10xLGd/RIQGGhs8dXhzp1V
-lw/oe2VJoIFSOaGjRFcCAwEAAaN/MH0wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
-/wQCMAAwXQYDVR0RBFYwVIINbm90YXJ5LXNlcnZlcoIMbm90YXJ5c2VydmVyghJl
-dmlsLW5vdGFyeS1zZXJ2ZXKCEGV2aWxub3RhcnlzZXJ2ZXKCCWxvY2FsaG9zdIcE
-fwAAATANBgkqhkiG9w0BAQsFAAOCAQEAgwkZpp4s6reZWs9QatF/x9qWWXIXJzYh
-6BgzHL3s7UgeZSs0XhgfHYy6SO94ENpbzPADZwue/NjwNXmp7TLjbyUPjSo1DDt7
-OLG8bQ/hbcPKgMzirTZT36CEsetIBYmfyn39h+ZEIJ30J996/Tgq+X9sG7An2wq3
-/btn+C/BiMUgGnNxZ8p4n+uJCUKA95uVugdLjeioA+19HgQzrLSkeZUR/wsesq5F
-iP9k8va2oU3l3MsF079NpfIDl2gtIgXFYWPhyaJCaa+b8irjdoPnhDBuC5p77AWl
-UTPw/6ENKMMd1Pze6HLpBJAkPP8hTlULKgvuF0pWuGOejipkAKlOBQ==
+MIIDdzCCAl+gAwIBAgIQTujwx+1xxXeI5AbzAQ379TANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCkxDzANBgNVBAoTBkRvY2tlcjEWMBQGA1UEAxMN
+bm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPhZ
+pU7DRK/2nwbTu+kVYhU/XARDleVSiLrQ5RMR1Cz2xC4LWkOEVSj4aCBo85O66JAx
+p+WRVwoVEU2rdkK3k4983Xr34+7q5Hv4hmwlg6I7QLRRJapEgK5G5RB/9aQntolx
+h5E0KaoF4PJP25y4FHCUr4td4QyitaICsCpuOAN6XgmE9sM9TBf+AEjTSxwwvgEz
+DqHvyovl7pA+pQP2oTKBrf6KN8hHDOXmm9gd8ST9yKLrsYWhqExLLPnAD4lQEcKZ
+29g+iTd4eNoJUXctpuY+3IpqBcQSLq35mNKBP/FQco6g3q26/cB4zWGxTr3jGJqs
+ms8qdFLGZ2KiBCt+oDMCAwEAAaOBoTCBnjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
+AQH/BAIwADAfBgNVHSMEGDAWgBTxYMNqgy2wkgmPZL/+bTCTQo6ulTBdBgNVHREE
+VjBUgg1ub3Rhcnktc2VydmVyggxub3RhcnlzZXJ2ZXKCEmV2aWwtbm90YXJ5LXNl
+cnZlcoIQZXZpbG5vdGFyeXNlcnZlcoIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
+DQEBCwUAA4IBAQCDMjuZnNINFfqstFwhEEvAgWbjYW26ZQxhQffaqDlbMIQkWoXj
+8inld9bma9Mf5i/GAkUwFqCnEHD4LQ6vDgfAgL+pSOv9VI5SBEuk/gLqvIBUeIRu
+uHo1jWtll2Fr7eDLVdD4mPRPFC7V6mv6sFa9EN4tBN8eheQxHJvzwnnU7X28prfI
+/hWnwPWScVvttqBSsq1h2CUpVu2zGVToeCJ9xl4r/NyDtM5TyMgz7RLrer0p8NSu
+4Qp4ZXtxHDLduWcyMUHLGTprW05yjj9UVq89xfaCOqFSpx5i4oxotYm1PoOacHmN
+RMp9vaYMAmopoxIEYX6fDg5T3sQ5cidZJEvU
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----
--- a/e2e/testdata/notary/notary-server.key
+++ b/e2e/testdata/notary/notary-server.key
@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAooDA7xL1TH97hMw6xOQ+0I9+kVT7qXrPva7OsWEI1ZvSWtMb
-uFzHCE/qwh6x69M4zbgYLK/OH71IxO10GZJC3Lgk0SWqD2wHqvW0tN5MejuUyJKI
-g1+1y2gjWRiD2eL4g70NUFJv2BB/10OiLNq31WGlss2bdBeRBJ4T1y6Z6fo/P59w
-S0HuUW0hjEQS/8vv5VhA6+G2DRFeJHN+a1IbAUv4Vn08HPgs68+c84sIxB7CFH7p
-wCQ7slyHRkyMJ7zNdfCHyZ54h52h68e3SimyvgceKS+vqWXCWFYcv4TvPBM87XTE
-sZ39EhAYaGzx1eHOnVWXD+h7ZUmggVI5oaNEVwIDAQABAoIBAB+xmO+H9Qu8eWzH
-IFcyZQXsVrUlrAe8CjRmma2CzWRMBdTtA6ULg04duB2wOudRxOxqkVx11W/fTQgL
-f+9U1XGTAKtB+08StNQlI99609OrNzN/UNy+mAhaATrpSx395JZdEvGtgl7TqPtl
-F4ZECkK1zsl2zHDx/7i01A3N6vr1IiK1UU0sdQqqrYdWXm+ozJpRuYj8AMU3JN79
-aVDFy7cM68UZRVHp0os2SXrmTLE6Li0L0Gp55371iAbv7NQAzyhH/U2HRwSMYTSY
-aRqr3VQqI7Frf0QHtHtcUP0idGa/KXMRKzSIbGFCUNV2XxXs+c7+xFylRZuJ1DBp
-oawlYNECgYEAwc8+2034McwM0zMTTdIA+WhrDVSEFDpv4S9LjFzOl09J+LVHe6Mj
-am1bKu99PWzmNnvBrnDPOfEI3VxkIJW59omjPecXsie6/XNfG2U0Yvd4B4Aq5mSW
-+YSqH1FlQ3qqcjj/zTj+A3nfBNyn80I16AsbZVO4jijMrDsleLk+NjMCgYEA1qXI
-hyj+i96/WxYEofgDMlmM3nUWN3Ll3M9MEfpX1+B13XYWqOYpG/WGk7gxDVKtUkqh
-KbgnLtdglQjz10iD1nXpmMPzrVfEFZwlhUfrBGOXJIdOt2nCoxzMd/k13xVqjOS2
-X4sja+vvgJVwYm5q+YS3gNutx1Om5gyeEjoCLU0CgYEAoGhJW/WCcKS0ELF7TrN7
-fvG/eL70ulFLfBNK8hd2HaHQVXqkeV4i19k+1aB2Bbr2Jy3ytdBEk249qgjoDlge
-HED6zSdRY3CiwVcV5nSzER5FR9/6ocmrc0UsENOrflgubm9iuJZtFq9tuHZww1OP
-jkhzGkBaxb5a+EnTz8FyDiUCgYBgVXVDG+XqFmVhVudrXejpXwF3EauP5TQ+vpaQ
-dv+XtniPlSEkWm/WyYHFqGPza8i35yCfnbOQNT92g9cUJspspOzbEA68HGi3niXE
-xHs4tA2waj2s2X1uQU2PBrzjyzPP2hHznXmfRPtvhSI0OwQtyh+laHJ8xBFirAUB
-fyFc/QKBgFWXXq2W/m3m1zsshn0QtxsC/sIxDdLseGq5sUi5Xy7R0fXqhKAW6xfj
-pnHcAe4yKT6ymnfBQ8xdKURuZJWMql8R0b1lSJb7A9P9ZxTD7FjW7ilyzbdFMr7F
-CTRZcz33sHTWD2TOqpDsia9gbQythGmySv4WVJ5W8H7gFY/2/h2W
+MIIEpAIBAAKCAQEA+FmlTsNEr/afBtO76RViFT9cBEOV5VKIutDlExHULPbELgta
+Q4RVKPhoIGjzk7rokDGn5ZFXChURTat2QreTj3zdevfj7urke/iGbCWDojtAtFEl
+qkSArkblEH/1pCe2iXGHkTQpqgXg8k/bnLgUcJSvi13hDKK1ogKwKm44A3peCYT2
+wz1MF/4ASNNLHDC+ATMOoe/Ki+XukD6lA/ahMoGt/oo3yEcM5eab2B3xJP3Iouux
+haGoTEss+cAPiVARwpnb2D6JN3h42glRdy2m5j7cimoFxBIurfmY0oE/8VByjqDe
+rbr9wHjNYbFOveMYmqyazyp0UsZnYqIEK36gMwIDAQABAoIBAQDy7W2f763+mbTQ
+zshepQX+Vq3BlgLIAMWyR6fr0WLEYNVhXMV8ibNrkiD4ovCwLwJSGeBr1JFZUWZN
+nUze0gdLMg7LvDN/ftDk2yNSIhfy1xbhywaW2M8uqjZiv2genKIXK7A6PtYKdBmn
+rKnbUMzdmvNj1f7Ph1E4Gn0L5ChybJDJrq6wQjuTdZ6RmkGkbid0L+47Uv+6xBm9
+hgBPVXd8auQAYGmyXZwvfga5ZjfRMI4wvWkvjOAQcJtxxgOnLT1KDjYV+L70PWul
+bYoKX0sNkFEP9tOq2pD9XVBuTVQxcYeztv0Vz+kG66Ju1KKCAnUYFhRt055zZLfm
+WDYlWm0BAoGBAPvGW9LvzwCDE9QUcR46nG1ZihheJyGKwWVK+ZjYkUU9nLbrIpOD
+/jmihoHHhKBC6YOfHHY73LtZ22fgXEu6ivDzZtTxBErXbdRpEKktJebRK7gPkfsB
+PNQ8CRd/DxRC/JuVFR76OPsbZWhXCaeC7PRdyAtvU9toT1jIQf+a4OhBAoGBAPyE
+kxEoNO1KhWtgByUlsPzvq9PaTjwW/LpmEoo0FBUhYRPxYzVuYrE0BBflDR6JcMRR
+oE9CXYGjtVPB44gT7pHVP09f3Ugrxk7X+t8wy3PWUTaTprmmEGqF0TzfdH4oQz0Y
+v1khwuIu6rRlddGEiCKldXxn+gJy9E70yO4bm4tzAoGAL/XFIBVWVT6i1E9gjOWV
+Tq8zwxiMU7Ney7DQgvEeGxZ1d9Kqr3cBQnFXNfmPpgeY+92fSlZ04atoRA1VB4ft
+V6DGAeI3cxo+bavl5JQZGDLYJSOyJyJBOByHjtZBRRbNj8WCVHhNymeZlZqe2C30
+fUgwBx2Z172y/7KF/+680QECgYEA1GhUKQ9wDdYsiliZSgb9bJXSLH8qZeNULRrl
+J3mNFwUf2p2mvPAgdjxx4QOb2H716z1aIrGJZB4nzc9/LBzQBb2h5ouV4DpqMjH8
+5bbuvH6fi9ABY5Irpt7vVUwFeoU1ofPqKPh8LLQYWywpQddAiBwzyjTQGTVHCg9f
+4OI6Ib8CgYAptl24MGOc6BminKgsux+vNS9X1WwIADiHDyWBPHeQgLX8bYegswq9
+/6uGXJQgdFBhfLuoTBBN0ia/0QQhDezzrqnERddciuL2zxFxEETdpIuxm4lhieX7
+9LqnFcjxM4sLCg4SDSRX+nburiCnLDQiaBzhARooMJO48luTZUiWYQ==
 -----END RSA PRIVATE KEY-----
--- a/e2e/testdata/notary/root-ca.cert
+++ b/e2e/testdata/notary/root-ca.cert
@ -1,18 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdmgAwIBAgIQBHJBPhWngTmnMShFTm17rTANBgkqhkiG9w0BAQsFADAi
-MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMDA0MDkxNDQ3
-NTdaFw0yMzAzMjUxNDQ3NTdaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
-RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5E3t9TSkfFXu
-VJooMBa2sNfX98MPMJoEzG+LEEe42XEegrfrq2VQ5Nb7VdM9hEi65GJgELsXRgc5
-s88C6hmgnnfD7CLb8UsbCTHgVE7SFrUuuwHaDq0gcx3PiVThm2eGbGh70tpFYEfP
-onWqyoUS90gvc5ZeKwRKXLoEQ1fhWSNSurrr6tY4AtVOdbYuAHepJcQW/rYk+i4a
-7E46UBaM0IucYTiX34a6aZtNulRdgNTDmyIBDrFnmBW+BIKQmY/7lIDSBE0QDKZJ
-+yx5TWzJeCiqqPn7rK8jaUlTNeBUCVAyD6PylOf9S8njAlAynFEz5mm+fpRB077Y
-8vTHsvhqMQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAgibOJ8rfqzjb97ToIJq9VPDQyEqCYV3RHR04
-UqdcAK5DMjcVRPtf6e2vGNP4bbY41GM/HW9aMqTL+9Iiuj/pLwe4Az0Ro/IzoXMt
-yyNqzUpNLfDFAwfMOPLrcBG7gvc/iK6lF1crelPYoaoOptwux+4/PT4nKRKlq3A6
-C1k5CjKnHUOEccBEjBL/2pvaqhuQTupA/iy8InerD2TN1ew9qk0URStMF/cif/2R
-lN68Zl+zAkuypzXbxK4LlheFP3CaNuXf1DDaDsmxAgVyWrrSI7a2Nl+AiLTogxCt
-YnxxdSL6x4tS8aOkrFHAoyb7Oog+285fHoTKiF3e4zjUE/+uXQ==
+MIIDEDCCAfigAwIBAgIQdxGVILXsVcogexr+Ia2MZDANBgkqhkiG9w0BAQsFADAi
+MQ8wDQYDVQQKEwZEb2NrZXIxDzANBgNVBAMTBkRvY2tlcjAeFw0yMzAzMjcxMTA5
+NTBaFw0zMzAzMjQxMTA5NTBaMCIxDzANBgNVBAoTBkRvY2tlcjEPMA0GA1UEAxMG
+RG9ja2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3sA/g7Srrkz
+uEf1Qa2jAw93EfEJvxU1ZmZ30aB7KLgHN2TznxAGYtNekAu88CV4H3PKS44BZOar
+wOo3KL4wQffLt7lmsRJG1KOfyiAmjmvidP5JSeRdTiBtj4CCVoi3EE6BZXPpZjst
+9OSOlld2bWWXHb2ZdoY3ZAhZ9rn3tVwyfoLKpuESp1WZSFHPIdcuoMmZPtqD0bSi
+5hc4gVFNLlZOAILvUkXxcHKUgLHZg0YEDQWsYjqh8EYp5LUK2tt4Mpz0HwAt9siE
+VxHGIsiEqG1ajmxZiS28nlRWc4JRlOdmy5x1TPzJTDy+49gxB4njp1nRUtUgzmaG
+QHhml35xHQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU8WDDaoMtsJIJj2S//m0wk0KOrpUwDQYJKoZIhvcNAQELBQAD
+ggEBAKZJfQjjfqn0K/UlzmrGcRkhrLbJNUfCD6TvxD75MoGtEe+VUEjljm1JHSbj
+DrevDyTnak1W4o5/dcy0h6kI6lhHgObbcoAV5CxQ4+HHmeowA/fzedbnIdnHwtNg
+SUJEslqoJSiYiiFQLV/yWWfBCWpbIgpDrADU7x9Ccxt6INuxrxOQwf1LZnmVbYs0
+1Mb/O1UFnvW7MeVSR4Nb/4lw6lol+mrR1iF8tTQ+rk4sBdCxw2aU48x3Pjqm+XpV
+PIm9uRUr4tRDyQfmBZuxWTNJ9NSx5zVpLEPhDmyOW5wlSw+aKGscu9+RjBx/gXPk
+sK8jZi441ojEJ7OaggGPheO3mCU=
 -----END CERTIFICATE-----
--- a/man/dockerd.8.md
+++ b/man/dockerd.8.md
@ -35,6 +35,8 @@ dockerd - Enable daemon mode
 [**-G**|**--group**[=*docker*]]
 [**-H**|**--host**[=*[]*]]
 [**--help**]
+[**--http-proxy**[*""*]]
+[**--https-proxy**[*""*]]
 [**--icc**[=*true*]]
 [**--init**[=*false*]]
 [**--init-path**[=*""*]]
@ -54,6 +56,7 @@ dockerd - Enable daemon mode
 [**--max-concurrent-downloads**[=*3*]]
 [**--max-concurrent-uploads**[=*5*]]
 [**--max-download-attempts**[=*5*]]
+[**--no-proxy**[*""*]]
 [**--node-generic-resources**[=*[]*]]
 [**-p**|**--pidfile**[=*/var/run/docker.pid*]]
 [**--raw-logs**]
@ -233,6 +236,12 @@ unix://[/path/to/socket] to use.
 **--help**
  Print usage statement

+**--http-proxy***""*
+  Proxy URL for HTTP requests unless overridden by NoProxy.
+
+**--https-proxy***""*
+  Proxy URL for HTTPS requests unless overridden by NoProxy.
+
 **--icc**=*true*|*false*
  Allow unrestricted inter\-container and Docker daemon host communication. If
  disabled, containers can still be linked together using the **--link** option
@ -325,6 +334,9 @@ unix://[/path/to/socket] to use.
 **--max-download-attempts**=*5*
  Set the max download attempts for each pull. Default is `5`.

+**--no-proxy**=*""*"
+  Comma-separated values specifying hosts that should be excluded from proxying.
+
 **--node-generic-resources**=*[]*
  Advertise user-defined resource. Default is `[]`.
  Use this if your swarm cluster has some nodes with custom
--- a/man/src/system/info.md
+++ b/man/src/system/info.md
@ -32,14 +32,11 @@ Client:
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
-    Version:  v0.8.2
+    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
-    Version:  v2.6.0
+    Version:  v2.17.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
-  scan: Docker Scan (Docker Inc.)
-    Version:  v0.17.0
-    Path:     /usr/libexec/docker/cli-plugins/docker-scan

 Server:
 Containers: 14
@ -47,7 +44,7 @@ Server:
  Paused: 1
  Stopped: 10
 Images: 52
- Server Version: 22.06.0
+ Server Version: 23.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
@ -62,11 +59,11 @@ Server:
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
- Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
+ Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
- containerd version: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16
- runc version: v1.1.1-0-g52de29d
+ containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
+ runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  apparmor
@ -86,7 +83,7 @@ Server:
 Username: gordontheturtle
 Registry: https://index.docker.io/v1/
 Experimental: false
- Insecure registries:
+ Insecure Registries:
  myinsecurehost:5000
  127.0.0.0/8
 Live Restore Enabled: false
@ -95,4 +92,4 @@ Server:
 You can also specify the output format:

    $ docker info --format '{{json .}}'
-    {"ID":"I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S","Containers":14, ...}
+    {"ID":"4cee4408-10d2-4e17-891c-a41736ac4536","Containers":14, ...}
--- a/man/src/version.md
+++ b/man/src/version.md
@ -1,37 +1,57 @@
-This command displays version information for both the Docker client and 
-daemon. 
+The version command prints the current version number for all independently
+versioned Docker components.

 # EXAMPLES

 ## Display Docker version information

-The default output:
+The default output renders all version information divided into two sections;
+the "Client" section contains information about the Docker CLI and client
+components, and the "Server" section contains information about the Docker
+Engine and components used by the Engine, such as the "Containerd" and "Runc"
+OCI Runtimes.
+
+The information shown may differ depending on how you installed Docker and
+what components are in use. The following example shows the output on a macOS
+machine running Docker Desktop:

    $ docker version
-	Client:
-	 Version:      1.8.0
-	 API version:  1.20
-	 Go version:   go1.4.2
-	 Git commit:   f5bae0a
-	 Built:        Tue Jun 23 17:56:00 UTC 2015
-	 OS/Arch:      linux/amd64
-
-	Server:
-	 Version:      1.8.0
-	 API version:  1.20
-	 Go version:   go1.4.2
-	 Git commit:   f5bae0a
-	 Built:        Tue Jun 23 17:56:00 UTC 2015
-	 OS/Arch:      linux/amd64
+    Client: Docker Engine - Community
+     Version:           23.0.3
+     API version:       1.42
+     Go version:        go1.19.7
+     Git commit:        3e7cbfd
+     Built:             Tue Apr  4 22:05:41 2023
+     OS/Arch:           darwin/amd64
+     Context:           default
+    
+    Server: Docker Desktop 4.19.0 (12345)
+     Engine:
+      Version:          23.0.3
+      API version:      1.42 (minimum version 1.12)
+      Go version:       go1.19.7
+      Git commit:       59118bf
+      Built:            Tue Apr  4 22:05:41 2023
+      OS/Arch:          linux/amd64
+      Experimental:     false
+     containerd:
+      Version:          1.6.20
+      GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
+     runc:
+      Version:          1.1.5
+      GitCommit:        v1.1.5-0-gf19387a
+     docker-init:
+      Version:          0.19.0
+      GitCommit:        de40ad0

 Get server version:

    $ docker version --format '{{.Server.Version}}'
-	1.8.0
+    23.0.3

 Dump raw data:

 To view all available fields, you can use the format `{{json .}}`.

    $ docker version --format '{{json .}}'
-    {"Client":{"Version":"1.8.0","ApiVersion":"1.20","GitCommit":"f5bae0a","GoVersion":"go1.4.2","Os":"linux","Arch":"amd64","BuildTime":"Tue Jun 23 17:56:00 UTC 2015"},"ServerOK":true,"Server":{"Version":"1.8.0","ApiVersion":"1.20","GitCommit":"f5bae0a","GoVersion":"go1.4.2","Os":"linux","Arch":"amd64","KernelVersion":"3.13.2-gentoo","BuildTime":"Tue Jun 23 17:56:00 UTC 2015"}}
+    {"Client":"Version":"23.0.3","ApiVersion":"1.42", ...}
--- a/scripts/docs/generate-md.sh
+++ b/scripts/docs/generate-md.sh
@ -25,11 +25,11 @@ trap clean EXIT
  # install cli-docs-tool and copy docs/tools.go in root folder
  # to be able to fetch the required depedencies
  go mod edit -modfile=vendor.mod -require=github.com/docker/cli-docs-tool@${CLI_DOCS_TOOL_VERSION}
-  cp docs/tools.go .
+  cp docs/generate/tools.go .
  # update vendor
  ./scripts/vendor update
  # build docsgen
-  go build -mod=vendor -modfile=vendor.mod -tags docsgen -o /tmp/docsgen ./docs/generate.go
+  go build -mod=vendor -modfile=vendor.mod -tags docsgen -o /tmp/docsgen ./docs/generate/generate.go
 )

 # yaml generation on docs repo needs the cli.md file: https://github.com/docker/cli/pull/3924#discussion_r1059986605
--- a/vendor.mod
+++ b/vendor.mod
@ -7,10 +7,10 @@ module github.com/docker/cli
 go 1.18

 require (
-	github.com/containerd/containerd v1.6.16
+	github.com/containerd/containerd v1.6.19
 	github.com/creack/pty v1.1.11
 	github.com/docker/distribution v2.8.1+incompatible
-	github.com/docker/docker v23.0.0+incompatible
+	github.com/docker/docker v23.0.3+incompatible
 	github.com/docker/docker-credential-helpers v0.7.0
 	github.com/docker/go-connections v0.4.0
 	github.com/docker/go-units v0.5.0
@ -23,7 +23,7 @@ require (
 	github.com/mitchellh/mapstructure v1.3.2
 	github.com/moby/buildkit v0.10.6
 	github.com/moby/patternmatcher v0.5.0
-	github.com/moby/swarmkit/v2 v2.0.0-20230119195359-904c221ac281
+	github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3
 	github.com/moby/sys/sequential v0.5.0
 	github.com/moby/sys/signal v0.7.0
 	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f
@ -37,9 +37,10 @@ require (
 	github.com/theupdateframework/notary v0.7.1-0.20210315103452-bf96a202a09a
 	github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d
 	github.com/xeipuuv/gojsonschema v1.2.0
-	golang.org/x/sys v0.4.0
-	golang.org/x/term v0.4.0
-	golang.org/x/text v0.6.0
+	golang.org/x/sync v0.1.0
+	golang.org/x/sys v0.5.0
+	golang.org/x/term v0.5.0
+	golang.org/x/text v0.7.0
 	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools/v3 v3.4.0
 )
@ -70,8 +71,8 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
 	golang.org/x/crypto v0.2.0 // indirect
-	golang.org/x/net v0.5.0 // indirect
-	golang.org/x/time v0.1.0 // indirect
+	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 // indirect
 	google.golang.org/grpc v1.48.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
--- a/vendor.sum
+++ b/vendor.sum
@ -38,7 +38,7 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY=
+github.com/Microsoft/hcsshim v0.9.7 h1:mKNHW/Xvv1aFH87Jb6ERDzXTJTLPlmzfZ28VBFD/bfg=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d h1:hi6J4K6DKrR4/ljxn6SF6nURyu785wKMuQcjt7H3VCQ=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@ -84,8 +84,8 @@ github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
-github.com/containerd/containerd v1.6.16 h1:0H5xH6ABsN7XTrxIAKxFpBkFCBtrZ/OSORhCpUnHjrc=
-github.com/containerd/containerd v1.6.16/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw=
+github.com/containerd/containerd v1.6.19 h1:F0qgQPrG0P2JPgwpxWxYavrVeXAG0ezUIB9Z/4FTUAU=
+github.com/containerd/containerd v1.6.19/go.mod h1:HZCDMn4v/Xl2579/MvtOC2M206i+JJ6VxFWU/NetrGY=
 github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
@ -101,8 +101,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xb
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
 github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.0+incompatible h1:L6c28tNyqZ4/ub9AZC9d5QUuunoHHfEH4/Ue+h/E5nE=
-github.com/docker/docker v23.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v23.0.3+incompatible h1:9GhVsShNWz1hO//9BNg/dpMnZW25KydO4wtVxWAIbho=
+github.com/docker/docker v23.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
@ -283,8 +283,8 @@ github.com/moby/buildkit v0.10.6 h1:DJlEuLIgnu34HQKF4n9Eg6q2YqQVC0eOpMb4p2eRS2w=
 github.com/moby/buildkit v0.10.6/go.mod h1:tQuuyTWtOb9D+RE425cwOCUkX0/oZ+5iBZ+uWpWQ9bU=
 github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
 github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/swarmkit/v2 v2.0.0-20230119195359-904c221ac281 h1:E0LdO1cZEXmXrLoojCqEvVCk4cNLWSVotoDbWUmNa8g=
-github.com/moby/swarmkit/v2 v2.0.0-20230119195359-904c221ac281/go.mod h1:jIgi55SqNJvlQ74bK35NXKWz6JCTexx5h69d0btP2AM=
+github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3 h1:05e6sB9az9OINsgqSy1PiSC9i0ffkpfQd0oJGAigo6k=
+github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3/go.mod h1:GvjR7mC8YuUd9Mq44lrrIZPaXyKPAGEUMBpAQzaj3dI=
 github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
@ -505,8 +505,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -524,6 +524,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -578,13 +580,13 @@ golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
-golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
-golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -593,13 +595,13 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
-golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
-golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/vendor/github.com/containerd/containerd/platforms/defaults_windows.go
+++ b/vendor/github.com/containerd/containerd/platforms/defaults_windows.go
@ -46,10 +46,14 @@ type matchComparer struct {

 // Match matches platform with the same windows major, minor
 // and build version.
-func (m matchComparer) Match(p imagespec.Platform) bool {
-	if m.defaults.Match(p) {
-		// TODO(windows): Figure out whether OSVersion is deprecated.
-		return strings.HasPrefix(p.OSVersion, m.osVersionPrefix)
+func (m matchComparer) Match(p specs.Platform) bool {
+	match := m.defaults.Match(p)
+
+	if match && p.OS == "windows" {
+		if strings.HasPrefix(p.OSVersion, m.osVersionPrefix) {
+			return true
+		}
+		return p.OSVersion == ""
 	}
 	return false
 }
--- a/vendor/github.com/docker/docker/pkg/archive/archive.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive.go
@ -711,7 +711,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L
 			}
 		}

-	case tar.TypeReg, tar.TypeRegA:
+	case tar.TypeReg:
 		// Source is regular file. We use sequential file access to avoid depleting
 		// the standby list on Windows. On Linux, this equates to a regular os.OpenFile.
 		file, err := sequential.OpenFile(path, os.O_CREATE|os.O_WRONLY, hdrInfo.Mode())
--- a/vendor/golang.org/x/net/http2/flow.go
+++ b/vendor/golang.org/x/net/http2/flow.go
@ -18,7 +18,7 @@ type inflow struct {
 	unsent int32
 }

-// set sets the initial window.
+// init sets the initial window.
 func (f *inflow) init(n int32) {
 	f.avail = n
 }
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@ -662,6 +662,15 @@ func (f *Framer) WriteData(streamID uint32, endStream bool, data []byte) error {
 // It is the caller's responsibility not to violate the maximum frame size
 // and to not call other Write methods concurrently.
 func (f *Framer) WriteDataPadded(streamID uint32, endStream bool, data, pad []byte) error {
+	if err := f.startWriteDataPadded(streamID, endStream, data, pad); err != nil {
+		return err
+	}
+	return f.endWrite()
+}
+
+// startWriteDataPadded is WriteDataPadded, but only writes the frame to the Framer's internal buffer.
+// The caller should call endWrite to flush the frame to the underlying writer.
+func (f *Framer) startWriteDataPadded(streamID uint32, endStream bool, data, pad []byte) error {
 	if !validStreamID(streamID) && !f.AllowIllegalWrites {
 		return errStreamID
 	}
@ -691,7 +700,7 @@ func (f *Framer) WriteDataPadded(streamID uint32, endStream bool, data, pad []by
 	}
 	f.wbuf = append(f.wbuf, data...)
 	f.wbuf = append(f.wbuf, pad...)
-	return f.endWrite()
+	return nil
 }

 // A SettingsFrame conveys configuration parameters that affect how
--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
+++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
@ -211,7 +211,7 @@ func (d *Decoder) at(i uint64) (hf HeaderField, ok bool) {
 	return dt.ents[dt.len()-(int(i)-staticTable.len())], true
 }

-// Decode decodes an entire block.
+// DecodeFull decodes an entire block.
 //
 // TODO: remove this method and make it incremental later? This is
 // easier for debugging now.
@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {

 	var hf HeaderField
 	wantStr := d.emitEnabled || it.indexed()
+	var undecodedName undecodedString
 	if nameIdx > 0 {
 		ihf, ok := d.at(nameIdx)
 		if !ok {
@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
 		}
 		hf.Name = ihf.Name
 	} else {
-		hf.Name, buf, err = d.readString(buf, wantStr)
+		undecodedName, buf, err = d.readString(buf)
 		if err != nil {
 			return err
 		}
 	}
-	hf.Value, buf, err = d.readString(buf, wantStr)
+	undecodedValue, buf, err := d.readString(buf)
 	if err != nil {
 		return err
 	}
+	if wantStr {
+		if nameIdx <= 0 {
+			hf.Name, err = d.decodeString(undecodedName)
+			if err != nil {
+				return err
+			}
+		}
+		hf.Value, err = d.decodeString(undecodedValue)
+		if err != nil {
+			return err
+		}
+	}
 	d.buf = buf
 	if it.indexed() {
 		d.dynTab.add(hf)
@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
 	return 0, origP, errNeedMore
 }

-// readString decodes an hpack string from p.
+// readString reads an hpack string from p.
 //
-// wantStr is whether s will be used. If false, decompression and
-// []byte->string garbage are skipped if s will be ignored
-// anyway. This does mean that huffman decoding errors for non-indexed
-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
-// is returning an error anyway, and because they're not indexed, the error
-// won't affect the decoding state.
-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
+// It returns a reference to the encoded string data to permit deferring decode costs
+// until after the caller verifies all data is present.
+func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
 	if len(p) == 0 {
-		return "", p, errNeedMore
+		return u, p, errNeedMore
 	}
 	isHuff := p[0]&128 != 0
 	strLen, p, err := readVarInt(7, p)
 	if err != nil {
-		return "", p, err
+		return u, p, err
 	}
 	if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
-		return "", nil, ErrStringLength
+		// Returning an error here means Huffman decoding errors
+		// for non-indexed strings past the maximum string length
+		// are ignored, but the server is returning an error anyway
+		// and because the string is not indexed the error will not
+		// affect the decoding state.
+		return u, nil, ErrStringLength
 	}
 	if uint64(len(p)) < strLen {
-		return "", p, errNeedMore
+		return u, p, errNeedMore
 	}
-	if !isHuff {
-		if wantStr {
-			s = string(p[:strLen])
-		}
-		return s, p[strLen:], nil
-	}
-
-	if wantStr {
-		buf := bufPool.Get().(*bytes.Buffer)
-		buf.Reset() // don't trust others
-		defer bufPool.Put(buf)
-		if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
-			buf.Reset()
-			return "", nil, err
-		}
-		s = buf.String()
-		buf.Reset() // be nice to GC
-	}
-	return s, p[strLen:], nil
+	u.isHuff = isHuff
+	u.b = p[:strLen]
+	return u, p[strLen:], nil
+}
+
+type undecodedString struct {
+	isHuff bool
+	b      []byte
+}
+
+func (d *Decoder) decodeString(u undecodedString) (string, error) {
+	if !u.isHuff {
+		return string(u.b), nil
+	}
+	buf := bufPool.Get().(*bytes.Buffer)
+	buf.Reset() // don't trust others
+	var s string
+	err := huffmanDecode(buf, d.maxStrLen, u.b)
+	if err == nil {
+		s = buf.String()
+	}
+	buf.Reset() // be nice to GC
+	bufPool.Put(buf)
+	return s, err
 }
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@ -843,8 +843,13 @@ type frameWriteResult struct {
 // and then reports when it's done.
 // At most one goroutine can be running writeFrameAsync at a time per
 // serverConn.
-func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest) {
-	err := wr.write.writeFrame(sc)
+func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest, wd *writeData) {
+	var err error
+	if wd == nil {
+		err = wr.write.writeFrame(sc)
+	} else {
+		err = sc.framer.endWrite()
+	}
 	sc.wroteFrameCh <- frameWriteResult{wr: wr, err: err}
 }

@ -1251,9 +1256,16 @@ func (sc *serverConn) startFrameWrite(wr FrameWriteRequest) {
 		sc.writingFrameAsync = false
 		err := wr.write.writeFrame(sc)
 		sc.wroteFrame(frameWriteResult{wr: wr, err: err})
+	} else if wd, ok := wr.write.(*writeData); ok {
+		// Encode the frame in the serve goroutine, to ensure we don't have
+		// any lingering asynchronous references to data passed to Write.
+		// See https://go.dev/issue/58446.
+		sc.framer.startWriteDataPadded(wd.streamID, wd.endStream, wd.p, nil)
+		sc.writingFrameAsync = true
+		go sc.writeFrameAsync(wr, wd)
 	} else {
 		sc.writingFrameAsync = true
-		go sc.writeFrameAsync(wr)
+		go sc.writeFrameAsync(wr, nil)
 	}
 }

@ -2192,7 +2204,7 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r
 		tlsState = sc.tlsState
 	}

-	needsContinue := rp.header.Get("Expect") == "100-continue"
+	needsContinue := httpguts.HeaderValuesContainsToken(rp.header["Expect"], "100-continue")
 	if needsContinue {
 		rp.header.Del("Expect")
 	}
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@ -1569,7 +1569,7 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 	close(cs.donec)
 }

-// awaitOpenSlotForStream waits until len(streams) < maxConcurrentStreams.
+// awaitOpenSlotForStreamLocked waits until len(streams) < maxConcurrentStreams.
 // Must hold cc.mu.
 func (cc *ClientConn) awaitOpenSlotForStreamLocked(cs *clientStream) error {
 	for {
--- a/vendor/golang.org/x/net/trace/histogram.go
+++ b/vendor/golang.org/x/net/trace/histogram.go
@ -32,7 +32,7 @@ type histogram struct {
 	valueCount   int64   // number of values recorded for single value
 }

-// AddMeasurement records a value measurement observation to the histogram.
+// addMeasurement records a value measurement observation to the histogram.
 func (h *histogram) addMeasurement(value int64) {
 	// TODO: assert invariant
 	h.sum += value
--- a/vendor/golang.org/x/sync/LICENSE
+++ b/vendor/golang.org/x/sync/LICENSE
@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/vendor/golang.org/x/sync/PATENTS
+++ b/vendor/golang.org/x/sync/PATENTS
@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@ -0,0 +1,132 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package errgroup provides synchronization, error propagation, and Context
+// cancelation for groups of goroutines working on subtasks of a common task.
+package errgroup
+
+import (
+	"context"
+	"fmt"
+	"sync"
+)
+
+type token struct{}
+
+// A Group is a collection of goroutines working on subtasks that are part of
+// the same overall task.
+//
+// A zero Group is valid, has no limit on the number of active goroutines,
+// and does not cancel on error.
+type Group struct {
+	cancel func()
+
+	wg sync.WaitGroup
+
+	sem chan token
+
+	errOnce sync.Once
+	err     error
+}
+
+func (g *Group) done() {
+	if g.sem != nil {
+		<-g.sem
+	}
+	g.wg.Done()
+}
+
+// WithContext returns a new Group and an associated Context derived from ctx.
+//
+// The derived Context is canceled the first time a function passed to Go
+// returns a non-nil error or the first time Wait returns, whichever occurs
+// first.
+func WithContext(ctx context.Context) (*Group, context.Context) {
+	ctx, cancel := context.WithCancel(ctx)
+	return &Group{cancel: cancel}, ctx
+}
+
+// Wait blocks until all function calls from the Go method have returned, then
+// returns the first non-nil error (if any) from them.
+func (g *Group) Wait() error {
+	g.wg.Wait()
+	if g.cancel != nil {
+		g.cancel()
+	}
+	return g.err
+}
+
+// Go calls the given function in a new goroutine.
+// It blocks until the new goroutine can be added without the number of
+// active goroutines in the group exceeding the configured limit.
+//
+// The first call to return a non-nil error cancels the group's context, if the
+// group was created by calling WithContext. The error will be returned by Wait.
+func (g *Group) Go(f func() error) {
+	if g.sem != nil {
+		g.sem <- token{}
+	}
+
+	g.wg.Add(1)
+	go func() {
+		defer g.done()
+
+		if err := f(); err != nil {
+			g.errOnce.Do(func() {
+				g.err = err
+				if g.cancel != nil {
+					g.cancel()
+				}
+			})
+		}
+	}()
+}
+
+// TryGo calls the given function in a new goroutine only if the number of
+// active goroutines in the group is currently below the configured limit.
+//
+// The return value reports whether the goroutine was started.
+func (g *Group) TryGo(f func() error) bool {
+	if g.sem != nil {
+		select {
+		case g.sem <- token{}:
+			// Note: this allows barging iff channels in general allow barging.
+		default:
+			return false
+		}
+	}
+
+	g.wg.Add(1)
+	go func() {
+		defer g.done()
+
+		if err := f(); err != nil {
+			g.errOnce.Do(func() {
+				g.err = err
+				if g.cancel != nil {
+					g.cancel()
+				}
+			})
+		}
+	}()
+	return true
+}
+
+// SetLimit limits the number of active goroutines in this group to at most n.
+// A negative value indicates no limit.
+//
+// Any subsequent call to the Go method will block until it can add an active
+// goroutine without exceeding the configured limit.
+//
+// The limit must not be modified while any goroutines in the group are active.
+func (g *Group) SetLimit(n int) {
+	if n < 0 {
+		g.sem = nil
+		return
+	}
+	if len(g.sem) != 0 {
+		panic(fmt.Errorf("errgroup: modify limit while %v goroutines in the group are still active", len(g.sem)))
+	}
+	g.sem = make(chan token, n)
+}
--- a/vendor/golang.org/x/sys/unix/gccgo_c.c
+++ b/vendor/golang.org/x/sys/unix/gccgo_c.c
@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build gccgo,!hurd
-// +build !aix,!hurd
+//go:build gccgo && !aix && !hurd
+// +build gccgo,!aix,!hurd

 #include <errno.h>
 #include <stdint.h>
--- a/vendor/golang.org/x/sys/unix/syscall_darwin.go
+++ b/vendor/golang.org/x/sys/unix/syscall_darwin.go
@ -230,6 +230,7 @@ func direntNamlen(buf []byte) (uint64, bool) {

 func PtraceAttach(pid int) (err error) { return ptrace(PT_ATTACH, pid, 0, 0) }
 func PtraceDetach(pid int) (err error) { return ptrace(PT_DETACH, pid, 0, 0) }
+func PtraceDenyAttach() (err error)    { return ptrace(PT_DENY_ATTACH, 0, 0, 0) }

 //sysnb	pipe(p *[2]int32) (err error)

--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_386.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_386.go
@ -60,8 +60,13 @@ func PtraceGetFsBase(pid int, fsbase *int64) (err error) {
 	return ptrace(PT_GETFSBASE, pid, uintptr(unsafe.Pointer(fsbase)), 0)
 }

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint32(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint32(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_amd64.go
@ -60,8 +60,13 @@ func PtraceGetFsBase(pid int, fsbase *int64) (err error) {
 	return ptrace(PT_GETFSBASE, pid, uintptr(unsafe.Pointer(fsbase)), 0)
 }

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint64(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint64(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_arm.go
@ -56,8 +56,13 @@ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err e

 func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno)

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint32(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint32(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_arm64.go
@ -56,8 +56,13 @@ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err e

 func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno)

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint64(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint64(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/vendor/golang.org/x/sys/unix/syscall_freebsd_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/syscall_freebsd_riscv64.go
@ -56,8 +56,13 @@ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err e

 func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno)

-func PtraceIO(req int, pid int, addr uintptr, out []byte, countin int) (count int, err error) {
-	ioDesc := PtraceIoDesc{Op: int32(req), Offs: uintptr(unsafe.Pointer(addr)), Addr: uintptr(unsafe.Pointer(&out[0])), Len: uint64(countin)}
+func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
+	ioDesc := PtraceIoDesc{
+		Op:   int32(req),
+		Offs: offs,
+		Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
+		Len:  uint64(countin),
+	}
 	err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
 	return int(ioDesc.Len), err
 }
--- a/vendor/golang.org/x/sys/unix/syscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
@ -1800,6 +1800,7 @@ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
 //sysnb	Capset(hdr *CapUserHeader, data *CapUserData) (err error)
 //sys	Chdir(path string) (err error)
 //sys	Chroot(path string) (err error)
+//sys	ClockAdjtime(clockid int32, buf *Timex) (state int, err error)
 //sys	ClockGetres(clockid int32, res *Timespec) (err error)
 //sys	ClockGettime(clockid int32, time *Timespec) (err error)
 //sys	ClockNanosleep(clockid int32, flags int, request *Timespec, remain *Timespec) (err error)
@ -1999,7 +2000,7 @@ func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
 // offs2lohi splits offs into its low and high order bits.
 func offs2lohi(offs int64) (lo, hi uintptr) {
 	const longBits = SizeofLong * 8
-	return uintptr(offs), uintptr(uint64(offs) >> longBits)
+	return uintptr(offs), uintptr(uint64(offs) >> (longBits - 1) >> 1) // two shifts to avoid false positive in vet
 }

 func Readv(fd int, iovs [][]byte) (n int, err error) {
--- a/vendor/golang.org/x/sys/unix/syscall_unix.go
+++ b/vendor/golang.org/x/sys/unix/syscall_unix.go
@ -578,7 +578,7 @@ func Lutimes(path string, tv []Timeval) error {
 	return UtimesNanoAt(AT_FDCWD, path, ts, AT_SYMLINK_NOFOLLOW)
 }

-// emptyIovec reports whether there are no bytes in the slice of Iovec.
+// emptyIovecs reports whether there are no bytes in the slice of Iovec.
 func emptyIovecs(iov []Iovec) bool {
 	for i := range iov {
 		if iov[i].Len > 0 {
--- a/vendor/golang.org/x/sys/unix/timestruct.go
+++ b/vendor/golang.org/x/sys/unix/timestruct.go
@ -9,7 +9,7 @@ package unix

 import "time"

-// TimespecToNSec returns the time stored in ts as nanoseconds.
+// TimespecToNsec returns the time stored in ts as nanoseconds.
 func TimespecToNsec(ts Timespec) int64 { return ts.Nano() }

 // NsecToTimespec converts a number of nanoseconds into a Timespec.
--- a/vendor/golang.org/x/sys/unix/xattr_bsd.go
+++ b/vendor/golang.org/x/sys/unix/xattr_bsd.go
@ -36,9 +36,14 @@ func xattrnamespace(fullattr string) (ns int, attr string, err error) {
 func initxattrdest(dest []byte, idx int) (d unsafe.Pointer) {
 	if len(dest) > idx {
 		return unsafe.Pointer(&dest[idx])
-	} else {
-		return unsafe.Pointer(_zero)
 	}
+	if dest != nil {
+		// extattr_get_file and extattr_list_file treat NULL differently from
+		// a non-NULL pointer of length zero. Preserve the property of nilness,
+		// even if we can't use dest directly.
+		return unsafe.Pointer(&_zero)
+	}
+	return nil
 }

 // FreeBSD and NetBSD implement their own syscalls to handle extended attributes
--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go
@ -457,7 +457,6 @@ const (
 	B600                                        = 0x8
 	B75                                         = 0x2
 	B9600                                       = 0xd
-	BALLOON_KVM_MAGIC                           = 0x13661366
 	BDEVFS_MAGIC                                = 0x62646576
 	BINDERFS_SUPER_MAGIC                        = 0x6c6f6f70
 	BINFMTFS_MAGIC                              = 0x42494e4d
@ -563,6 +562,7 @@ const (
 	BUS_USB                                     = 0x3
 	BUS_VIRTUAL                                 = 0x6
 	CAN_BCM                                     = 0x2
+	CAN_BUS_OFF_THRESHOLD                       = 0x100
 	CAN_CTRLMODE_3_SAMPLES                      = 0x4
 	CAN_CTRLMODE_BERR_REPORTING                 = 0x10
 	CAN_CTRLMODE_CC_LEN8_DLC                    = 0x100
@ -577,9 +577,12 @@ const (
 	CAN_EFF_FLAG                                = 0x80000000
 	CAN_EFF_ID_BITS                             = 0x1d
 	CAN_EFF_MASK                                = 0x1fffffff
+	CAN_ERROR_PASSIVE_THRESHOLD                 = 0x80
+	CAN_ERROR_WARNING_THRESHOLD                 = 0x60
 	CAN_ERR_ACK                                 = 0x20
 	CAN_ERR_BUSERROR                            = 0x80
 	CAN_ERR_BUSOFF                              = 0x40
+	CAN_ERR_CNT                                 = 0x200
 	CAN_ERR_CRTL                                = 0x4
 	CAN_ERR_CRTL_ACTIVE                         = 0x40
 	CAN_ERR_CRTL_RX_OVERFLOW                    = 0x1
@ -820,9 +823,9 @@ const (
 	DM_UUID_FLAG                                = 0x4000
 	DM_UUID_LEN                                 = 0x81
 	DM_VERSION                                  = 0xc138fd00
-	DM_VERSION_EXTRA                            = "-ioctl (2022-02-22)"
+	DM_VERSION_EXTRA                            = "-ioctl (2022-07-28)"
 	DM_VERSION_MAJOR                            = 0x4
-	DM_VERSION_MINOR                            = 0x2e
+	DM_VERSION_MINOR                            = 0x2f
 	DM_VERSION_PATCHLEVEL                       = 0x0
 	DT_BLK                                      = 0x6
 	DT_CHR                                      = 0x2
@ -1049,6 +1052,7 @@ const (
 	ETH_P_CAIF                                  = 0xf7
 	ETH_P_CAN                                   = 0xc
 	ETH_P_CANFD                                 = 0xd
+	ETH_P_CANXL                                 = 0xe
 	ETH_P_CFM                                   = 0x8902
 	ETH_P_CONTROL                               = 0x16
 	ETH_P_CUST                                  = 0x6006
@ -1060,6 +1064,7 @@ const (
 	ETH_P_DNA_RT                                = 0x6003
 	ETH_P_DSA                                   = 0x1b
 	ETH_P_DSA_8021Q                             = 0xdadb
+	ETH_P_DSA_A5PSW                             = 0xe001
 	ETH_P_ECONET                                = 0x18
 	ETH_P_EDSA                                  = 0xdada
 	ETH_P_ERSPAN                                = 0x88be
@ -1194,8 +1199,10 @@ const (
 	FAN_MARK_EVICTABLE                          = 0x200
 	FAN_MARK_FILESYSTEM                         = 0x100
 	FAN_MARK_FLUSH                              = 0x80
+	FAN_MARK_IGNORE                             = 0x400
 	FAN_MARK_IGNORED_MASK                       = 0x20
 	FAN_MARK_IGNORED_SURV_MODIFY                = 0x40
+	FAN_MARK_IGNORE_SURV                        = 0x440
 	FAN_MARK_INODE                              = 0x0
 	FAN_MARK_MOUNT                              = 0x10
 	FAN_MARK_ONLYDIR                            = 0x8
@ -1253,6 +1260,7 @@ const (
 	FSCRYPT_MODE_AES_128_CBC                    = 0x5
 	FSCRYPT_MODE_AES_128_CTS                    = 0x6
 	FSCRYPT_MODE_AES_256_CTS                    = 0x4
+	FSCRYPT_MODE_AES_256_HCTR2                  = 0xa
 	FSCRYPT_MODE_AES_256_XTS                    = 0x1
 	FSCRYPT_POLICY_FLAGS_PAD_16                 = 0x2
 	FSCRYPT_POLICY_FLAGS_PAD_32                 = 0x3
@ -1430,6 +1438,7 @@ const (
 	IFF_NOARP                                   = 0x80
 	IFF_NOFILTER                                = 0x1000
 	IFF_NOTRAILERS                              = 0x20
+	IFF_NO_CARRIER                              = 0x40
 	IFF_NO_PI                                   = 0x1000
 	IFF_ONE_QUEUE                               = 0x2000
 	IFF_PERSIST                                 = 0x800
@ -1805,6 +1814,7 @@ const (
 	MADV_DONTDUMP                               = 0x10
 	MADV_DONTFORK                               = 0xa
 	MADV_DONTNEED                               = 0x4
+	MADV_DONTNEED_LOCKED                        = 0x18
 	MADV_FREE                                   = 0x8
 	MADV_HUGEPAGE                               = 0xe
 	MADV_HWPOISON                               = 0x64
@ -1846,7 +1856,7 @@ const (
 	MFD_ALLOW_SEALING                           = 0x2
 	MFD_CLOEXEC                                 = 0x1
 	MFD_HUGETLB                                 = 0x4
-	MFD_HUGE_16GB                               = -0x78000000
+	MFD_HUGE_16GB                               = 0x88000000
 	MFD_HUGE_16MB                               = 0x60000000
 	MFD_HUGE_1GB                                = 0x78000000
 	MFD_HUGE_1MB                                = 0x50000000
@ -2212,6 +2222,11 @@ const (
 	PERF_AUX_FLAG_PARTIAL                       = 0x4
 	PERF_AUX_FLAG_PMU_FORMAT_TYPE_MASK          = 0xff00
 	PERF_AUX_FLAG_TRUNCATED                     = 0x1
+	PERF_BR_ARM64_DEBUG_DATA                    = 0x7
+	PERF_BR_ARM64_DEBUG_EXIT                    = 0x5
+	PERF_BR_ARM64_DEBUG_HALT                    = 0x4
+	PERF_BR_ARM64_DEBUG_INST                    = 0x6
+	PERF_BR_ARM64_FIQ                           = 0x3
 	PERF_FLAG_FD_CLOEXEC                        = 0x8
 	PERF_FLAG_FD_NO_GROUP                       = 0x1
 	PERF_FLAG_FD_OUTPUT                         = 0x2
@ -2232,6 +2247,8 @@ const (
 	PERF_MEM_LOCK_NA                            = 0x1
 	PERF_MEM_LOCK_SHIFT                         = 0x18
 	PERF_MEM_LVLNUM_ANY_CACHE                   = 0xb
+	PERF_MEM_LVLNUM_CXL                         = 0x9
+	PERF_MEM_LVLNUM_IO                          = 0xa
 	PERF_MEM_LVLNUM_L1                          = 0x1
 	PERF_MEM_LVLNUM_L2                          = 0x2
 	PERF_MEM_LVLNUM_L3                          = 0x3
@ -2265,6 +2282,7 @@ const (
 	PERF_MEM_REMOTE_REMOTE                      = 0x1
 	PERF_MEM_REMOTE_SHIFT                       = 0x25
 	PERF_MEM_SNOOPX_FWD                         = 0x1
+	PERF_MEM_SNOOPX_PEER                        = 0x2
 	PERF_MEM_SNOOPX_SHIFT                       = 0x26
 	PERF_MEM_SNOOP_HIT                          = 0x4
 	PERF_MEM_SNOOP_HITM                         = 0x10
@ -2301,7 +2319,6 @@ const (
 	PERF_SAMPLE_BRANCH_PLM_ALL                  = 0x7
 	PERF_SAMPLE_WEIGHT_TYPE                     = 0x1004000
 	PIPEFS_MAGIC                                = 0x50495045
-	PPC_CMM_MAGIC                               = 0xc7571590
 	PPPIOCGNPMODE                               = 0xc008744c
 	PPPIOCNEWUNIT                               = 0xc004743e
 	PRIO_PGRP                                   = 0x1
@ -2999,6 +3016,7 @@ const (
 	STATX_BLOCKS                                = 0x400
 	STATX_BTIME                                 = 0x800
 	STATX_CTIME                                 = 0x80
+	STATX_DIOALIGN                              = 0x2000
 	STATX_GID                                   = 0x10
 	STATX_INO                                   = 0x100
 	STATX_MNT_ID                                = 0x1000
@ -3392,9 +3410,7 @@ const (
 	XDP_ZEROCOPY                                = 0x4
 	XENFS_SUPER_MAGIC                           = 0xabba1974
 	XFS_SUPER_MAGIC                             = 0x58465342
-	Z3FOLD_MAGIC                                = 0x33
 	ZONEFS_MAGIC                                = 0x5a4f4653
-	ZSMALLOC_MAGIC                              = 0x58295829
 	_HIDIOCGRAWNAME_LEN                         = 0x80
 	_HIDIOCGRAWPHYS_LEN                         = 0x40
 	_HIDIOCGRAWUNIQ_LEN                         = 0x40
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
@ -133,6 +133,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x80044d07
 	MEMISLOCKED                      = 0x80084d17
 	MEMLOCK                          = 0x40084d05
+	MEMREAD                          = 0xc03c4d1a
 	MEMREADOOB                       = 0xc00c4d04
 	MEMSETBADBLOCK                   = 0x40084d0c
 	MEMUNLOCK                        = 0x40084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
@ -133,6 +133,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x80044d07
 	MEMISLOCKED                      = 0x80084d17
 	MEMLOCK                          = 0x40084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x40084d0c
 	MEMUNLOCK                        = 0x40084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x80044d07
 	MEMISLOCKED                      = 0x80084d17
 	MEMLOCK                          = 0x40084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc00c4d04
 	MEMSETBADBLOCK                   = 0x40084d0c
 	MEMUNLOCK                        = 0x40084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
@ -134,6 +134,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x80044d07
 	MEMISLOCKED                      = 0x80084d17
 	MEMLOCK                          = 0x40084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x40084d0c
 	MEMUNLOCK                        = 0x40084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
@ -132,6 +132,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x80044d07
 	MEMISLOCKED                      = 0x80084d17
 	MEMLOCK                          = 0x40084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x40084d0c
 	MEMUNLOCK                        = 0x40084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x40044d07
 	MEMISLOCKED                      = 0x40084d17
 	MEMLOCK                          = 0x80084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc00c4d04
 	MEMSETBADBLOCK                   = 0x80084d0c
 	MEMUNLOCK                        = 0x80084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x40044d07
 	MEMISLOCKED                      = 0x40084d17
 	MEMLOCK                          = 0x80084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x80084d0c
 	MEMUNLOCK                        = 0x80084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x40044d07
 	MEMISLOCKED                      = 0x40084d17
 	MEMLOCK                          = 0x80084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x80084d0c
 	MEMUNLOCK                        = 0x80084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x40044d07
 	MEMISLOCKED                      = 0x40084d17
 	MEMLOCK                          = 0x80084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc00c4d04
 	MEMSETBADBLOCK                   = 0x80084d0c
 	MEMUNLOCK                        = 0x80084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x40044d07
 	MEMISLOCKED                      = 0x40084d17
 	MEMLOCK                          = 0x80084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc00c4d04
 	MEMSETBADBLOCK                   = 0x80084d0c
 	MEMUNLOCK                        = 0x80084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x40044d07
 	MEMISLOCKED                      = 0x40084d17
 	MEMLOCK                          = 0x80084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x80084d0c
 	MEMUNLOCK                        = 0x80084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x40044d07
 	MEMISLOCKED                      = 0x40084d17
 	MEMLOCK                          = 0x80084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x80084d0c
 	MEMUNLOCK                        = 0x80084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x80044d07
 	MEMISLOCKED                      = 0x80084d17
 	MEMLOCK                          = 0x40084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x40084d0c
 	MEMUNLOCK                        = 0x40084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
@ -131,6 +131,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x80044d07
 	MEMISLOCKED                      = 0x80084d17
 	MEMLOCK                          = 0x40084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x40084d0c
 	MEMUNLOCK                        = 0x40084d06
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
@ -136,6 +136,7 @@ const (
 	MEMGETREGIONCOUNT                = 0x40044d07
 	MEMISLOCKED                      = 0x40084d17
 	MEMLOCK                          = 0x80084d05
+	MEMREAD                          = 0xc0404d1a
 	MEMREADOOB                       = 0xc0104d04
 	MEMSETBADBLOCK                   = 0x80084d0c
 	MEMUNLOCK                        = 0x80084d06
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux.go
@ -537,6 +537,17 @@ func Chroot(path string) (err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func ClockAdjtime(clockid int32, buf *Timex) (state int, err error) {
+	r0, _, e1 := Syscall(SYS_CLOCK_ADJTIME, uintptr(clockid), uintptr(unsafe.Pointer(buf)), 0)
+	state = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ClockGetres(clockid int32, res *Timespec) (err error) {
 	_, _, e1 := Syscall(SYS_CLOCK_GETRES, uintptr(clockid), uintptr(unsafe.Pointer(res)), 0)
 	if e1 != 0 {
--- a/vendor/golang.org/x/sys/unix/ztypes_linux.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go
@ -29,6 +29,41 @@ type Itimerval struct {
 	Value    Timeval
 }

+const (
+	ADJ_OFFSET            = 0x1
+	ADJ_FREQUENCY         = 0x2
+	ADJ_MAXERROR          = 0x4
+	ADJ_ESTERROR          = 0x8
+	ADJ_STATUS            = 0x10
+	ADJ_TIMECONST         = 0x20
+	ADJ_TAI               = 0x80
+	ADJ_SETOFFSET         = 0x100
+	ADJ_MICRO             = 0x1000
+	ADJ_NANO              = 0x2000
+	ADJ_TICK              = 0x4000
+	ADJ_OFFSET_SINGLESHOT = 0x8001
+	ADJ_OFFSET_SS_READ    = 0xa001
+)
+
+const (
+	STA_PLL       = 0x1
+	STA_PPSFREQ   = 0x2
+	STA_PPSTIME   = 0x4
+	STA_FLL       = 0x8
+	STA_INS       = 0x10
+	STA_DEL       = 0x20
+	STA_UNSYNC    = 0x40
+	STA_FREQHOLD  = 0x80
+	STA_PPSSIGNAL = 0x100
+	STA_PPSJITTER = 0x200
+	STA_PPSWANDER = 0x400
+	STA_PPSERROR  = 0x800
+	STA_CLOCKERR  = 0x1000
+	STA_NANO      = 0x2000
+	STA_MODE      = 0x4000
+	STA_CLK       = 0x8000
+)
+
 const (
 	TIME_OK    = 0x0
 	TIME_INS   = 0x1
@ -53,29 +88,30 @@ type StatxTimestamp struct {
 }

 type Statx_t struct {
-	Mask            uint32
-	Blksize         uint32
-	Attributes      uint64
-	Nlink           uint32
-	Uid             uint32
-	Gid             uint32
-	Mode            uint16
-	_               [1]uint16
-	Ino             uint64
-	Size            uint64
-	Blocks          uint64
-	Attributes_mask uint64
-	Atime           StatxTimestamp
-	Btime           StatxTimestamp
-	Ctime           StatxTimestamp
-	Mtime           StatxTimestamp
-	Rdev_major      uint32
-	Rdev_minor      uint32
-	Dev_major       uint32
-	Dev_minor       uint32
-	Mnt_id          uint64
-	_               uint64
-	_               [12]uint64
+	Mask             uint32
+	Blksize          uint32
+	Attributes       uint64
+	Nlink            uint32
+	Uid              uint32
+	Gid              uint32
+	Mode             uint16
+	_                [1]uint16
+	Ino              uint64
+	Size             uint64
+	Blocks           uint64
+	Attributes_mask  uint64
+	Atime            StatxTimestamp
+	Btime            StatxTimestamp
+	Ctime            StatxTimestamp
+	Mtime            StatxTimestamp
+	Rdev_major       uint32
+	Rdev_minor       uint32
+	Dev_major        uint32
+	Dev_minor        uint32
+	Mnt_id           uint64
+	Dio_mem_align    uint32
+	Dio_offset_align uint32
+	_                [12]uint64
 }

 type Fsid struct {
@ -1099,7 +1135,8 @@ const (
 	PERF_SAMPLE_BRANCH_NO_CYCLES_SHIFT    = 0xf
 	PERF_SAMPLE_BRANCH_TYPE_SAVE_SHIFT    = 0x10
 	PERF_SAMPLE_BRANCH_HW_INDEX_SHIFT     = 0x11
-	PERF_SAMPLE_BRANCH_MAX_SHIFT          = 0x12
+	PERF_SAMPLE_BRANCH_PRIV_SAVE_SHIFT    = 0x12
+	PERF_SAMPLE_BRANCH_MAX_SHIFT          = 0x13
 	PERF_SAMPLE_BRANCH_USER               = 0x1
 	PERF_SAMPLE_BRANCH_KERNEL             = 0x2
 	PERF_SAMPLE_BRANCH_HV                 = 0x4
@ -1118,7 +1155,8 @@ const (
 	PERF_SAMPLE_BRANCH_NO_CYCLES          = 0x8000
 	PERF_SAMPLE_BRANCH_TYPE_SAVE          = 0x10000
 	PERF_SAMPLE_BRANCH_HW_INDEX           = 0x20000
-	PERF_SAMPLE_BRANCH_MAX                = 0x40000
+	PERF_SAMPLE_BRANCH_PRIV_SAVE          = 0x40000
+	PERF_SAMPLE_BRANCH_MAX                = 0x80000
 	PERF_BR_UNKNOWN                       = 0x0
 	PERF_BR_COND                          = 0x1
 	PERF_BR_UNCOND                        = 0x2
@ -1132,7 +1170,10 @@ const (
 	PERF_BR_COND_RET                      = 0xa
 	PERF_BR_ERET                          = 0xb
 	PERF_BR_IRQ                           = 0xc
-	PERF_BR_MAX                           = 0xd
+	PERF_BR_SERROR                        = 0xd
+	PERF_BR_NO_TX                         = 0xe
+	PERF_BR_EXTEND_ABI                    = 0xf
+	PERF_BR_MAX                           = 0x10
 	PERF_SAMPLE_REGS_ABI_NONE             = 0x0
 	PERF_SAMPLE_REGS_ABI_32               = 0x1
 	PERF_SAMPLE_REGS_ABI_64               = 0x2
@ -1151,7 +1192,8 @@ const (
 	PERF_FORMAT_TOTAL_TIME_RUNNING        = 0x2
 	PERF_FORMAT_ID                        = 0x4
 	PERF_FORMAT_GROUP                     = 0x8
-	PERF_FORMAT_MAX                       = 0x10
+	PERF_FORMAT_LOST                      = 0x10
+	PERF_FORMAT_MAX                       = 0x20
 	PERF_IOC_FLAG_GROUP                   = 0x1
 	PERF_RECORD_MMAP                      = 0x1
 	PERF_RECORD_LOST                      = 0x2
@ -2979,7 +3021,16 @@ const (
 	DEVLINK_CMD_TRAP_POLICER_NEW                       = 0x47
 	DEVLINK_CMD_TRAP_POLICER_DEL                       = 0x48
 	DEVLINK_CMD_HEALTH_REPORTER_TEST                   = 0x49
-	DEVLINK_CMD_MAX                                    = 0x51
+	DEVLINK_CMD_RATE_GET                               = 0x4a
+	DEVLINK_CMD_RATE_SET                               = 0x4b
+	DEVLINK_CMD_RATE_NEW                               = 0x4c
+	DEVLINK_CMD_RATE_DEL                               = 0x4d
+	DEVLINK_CMD_LINECARD_GET                           = 0x4e
+	DEVLINK_CMD_LINECARD_SET                           = 0x4f
+	DEVLINK_CMD_LINECARD_NEW                           = 0x50
+	DEVLINK_CMD_LINECARD_DEL                           = 0x51
+	DEVLINK_CMD_SELFTESTS_GET                          = 0x52
+	DEVLINK_CMD_MAX                                    = 0x53
 	DEVLINK_PORT_TYPE_NOTSET                           = 0x0
 	DEVLINK_PORT_TYPE_AUTO                             = 0x1
 	DEVLINK_PORT_TYPE_ETH                              = 0x2
@ -3208,7 +3259,13 @@ const (
 	DEVLINK_ATTR_RATE_NODE_NAME                        = 0xa8
 	DEVLINK_ATTR_RATE_PARENT_NODE_NAME                 = 0xa9
 	DEVLINK_ATTR_REGION_MAX_SNAPSHOTS                  = 0xaa
-	DEVLINK_ATTR_MAX                                   = 0xae
+	DEVLINK_ATTR_LINECARD_INDEX                        = 0xab
+	DEVLINK_ATTR_LINECARD_STATE                        = 0xac
+	DEVLINK_ATTR_LINECARD_TYPE                         = 0xad
+	DEVLINK_ATTR_LINECARD_SUPPORTED_TYPES              = 0xae
+	DEVLINK_ATTR_NESTED_DEVLINK                        = 0xaf
+	DEVLINK_ATTR_SELFTESTS                             = 0xb0
+	DEVLINK_ATTR_MAX                                   = 0xb0
 	DEVLINK_DPIPE_FIELD_MAPPING_TYPE_NONE              = 0x0
 	DEVLINK_DPIPE_FIELD_MAPPING_TYPE_IFINDEX           = 0x1
 	DEVLINK_DPIPE_MATCH_TYPE_FIELD_EXACT               = 0x0
@ -3317,7 +3374,8 @@ const (
 	LWTUNNEL_ENCAP_SEG6_LOCAL = 0x7
 	LWTUNNEL_ENCAP_RPL        = 0x8
 	LWTUNNEL_ENCAP_IOAM6      = 0x9
-	LWTUNNEL_ENCAP_MAX        = 0x9
+	LWTUNNEL_ENCAP_XFRM       = 0xa
+	LWTUNNEL_ENCAP_MAX        = 0xa

 	MPLS_IPTUNNEL_UNSPEC = 0x0
 	MPLS_IPTUNNEL_DST    = 0x1
@ -3512,7 +3570,9 @@ const (
 	ETHTOOL_MSG_PHC_VCLOCKS_GET               = 0x21
 	ETHTOOL_MSG_MODULE_GET                    = 0x22
 	ETHTOOL_MSG_MODULE_SET                    = 0x23
-	ETHTOOL_MSG_USER_MAX                      = 0x23
+	ETHTOOL_MSG_PSE_GET                       = 0x24
+	ETHTOOL_MSG_PSE_SET                       = 0x25
+	ETHTOOL_MSG_USER_MAX                      = 0x25
 	ETHTOOL_MSG_KERNEL_NONE                   = 0x0
 	ETHTOOL_MSG_STRSET_GET_REPLY              = 0x1
 	ETHTOOL_MSG_LINKINFO_GET_REPLY            = 0x2
@ -3550,7 +3610,8 @@ const (
 	ETHTOOL_MSG_PHC_VCLOCKS_GET_REPLY         = 0x22
 	ETHTOOL_MSG_MODULE_GET_REPLY              = 0x23
 	ETHTOOL_MSG_MODULE_NTF                    = 0x24
-	ETHTOOL_MSG_KERNEL_MAX                    = 0x24
+	ETHTOOL_MSG_PSE_GET_REPLY                 = 0x25
+	ETHTOOL_MSG_KERNEL_MAX                    = 0x25
 	ETHTOOL_A_HEADER_UNSPEC                   = 0x0
 	ETHTOOL_A_HEADER_DEV_INDEX                = 0x1
 	ETHTOOL_A_HEADER_DEV_NAME                 = 0x2
@ -3609,7 +3670,8 @@ const (
 	ETHTOOL_A_LINKMODES_MASTER_SLAVE_CFG      = 0x7
 	ETHTOOL_A_LINKMODES_MASTER_SLAVE_STATE    = 0x8
 	ETHTOOL_A_LINKMODES_LANES                 = 0x9
-	ETHTOOL_A_LINKMODES_MAX                   = 0x9
+	ETHTOOL_A_LINKMODES_RATE_MATCHING         = 0xa
+	ETHTOOL_A_LINKMODES_MAX                   = 0xa
 	ETHTOOL_A_LINKSTATE_UNSPEC                = 0x0
 	ETHTOOL_A_LINKSTATE_HEADER                = 0x1
 	ETHTOOL_A_LINKSTATE_LINK                  = 0x2
@ -4201,6 +4263,9 @@ const (
 	NL80211_ACL_POLICY_DENY_UNLESS_LISTED                   = 0x1
 	NL80211_AC_VI                                           = 0x1
 	NL80211_AC_VO                                           = 0x0
+	NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT               = 0x1
+	NL80211_AP_SETTINGS_SA_QUERY_OFFLOAD_SUPPORT            = 0x2
+	NL80211_AP_SME_SA_QUERY_OFFLOAD                         = 0x1
 	NL80211_ATTR_4ADDR                                      = 0x53
 	NL80211_ATTR_ACK                                        = 0x5c
 	NL80211_ATTR_ACK_SIGNAL                                 = 0x107
@ -4209,6 +4274,7 @@ const (
 	NL80211_ATTR_AIRTIME_WEIGHT                             = 0x112
 	NL80211_ATTR_AKM_SUITES                                 = 0x4c
 	NL80211_ATTR_AP_ISOLATE                                 = 0x60
+	NL80211_ATTR_AP_SETTINGS_FLAGS                          = 0x135
 	NL80211_ATTR_AUTH_DATA                                  = 0x9c
 	NL80211_ATTR_AUTH_TYPE                                  = 0x35
 	NL80211_ATTR_BANDS                                      = 0xef
@ -4240,6 +4306,9 @@ const (
 	NL80211_ATTR_COALESCE_RULE_DELAY                        = 0x1
 	NL80211_ATTR_COALESCE_RULE_MAX                          = 0x3
 	NL80211_ATTR_COALESCE_RULE_PKT_PATTERN                  = 0x3
+	NL80211_ATTR_COLOR_CHANGE_COLOR                         = 0x130
+	NL80211_ATTR_COLOR_CHANGE_COUNT                         = 0x12f
+	NL80211_ATTR_COLOR_CHANGE_ELEMS                         = 0x131
 	NL80211_ATTR_CONN_FAILED_REASON                         = 0x9b
 	NL80211_ATTR_CONTROL_PORT                               = 0x44
 	NL80211_ATTR_CONTROL_PORT_ETHERTYPE                     = 0x66
@ -4266,6 +4335,7 @@ const (
 	NL80211_ATTR_DEVICE_AP_SME                              = 0x8d
 	NL80211_ATTR_DFS_CAC_TIME                               = 0x7
 	NL80211_ATTR_DFS_REGION                                 = 0x92
+	NL80211_ATTR_DISABLE_EHT                                = 0x137
 	NL80211_ATTR_DISABLE_HE                                 = 0x12d
 	NL80211_ATTR_DISABLE_HT                                 = 0x93
 	NL80211_ATTR_DISABLE_VHT                                = 0xaf
@ -4273,6 +4343,8 @@ const (
 	NL80211_ATTR_DONT_WAIT_FOR_ACK                          = 0x8e
 	NL80211_ATTR_DTIM_PERIOD                                = 0xd
 	NL80211_ATTR_DURATION                                   = 0x57
+	NL80211_ATTR_EHT_CAPABILITY                             = 0x136
+	NL80211_ATTR_EML_CAPABILITY                             = 0x13d
 	NL80211_ATTR_EXT_CAPA                                   = 0xa9
 	NL80211_ATTR_EXT_CAPA_MASK                              = 0xaa
 	NL80211_ATTR_EXTERNAL_AUTH_ACTION                       = 0x104
@ -4337,10 +4409,11 @@ const (
 	NL80211_ATTR_MAC_HINT                                   = 0xc8
 	NL80211_ATTR_MAC_MASK                                   = 0xd7
 	NL80211_ATTR_MAX_AP_ASSOC_STA                           = 0xca
-	NL80211_ATTR_MAX                                        = 0x137
+	NL80211_ATTR_MAX                                        = 0x140
 	NL80211_ATTR_MAX_CRIT_PROT_DURATION                     = 0xb4
 	NL80211_ATTR_MAX_CSA_COUNTERS                           = 0xce
 	NL80211_ATTR_MAX_MATCH_SETS                             = 0x85
+	NL80211_ATTR_MAX_NUM_AKM_SUITES                         = 0x13c
 	NL80211_ATTR_MAX_NUM_PMKIDS                             = 0x56
 	NL80211_ATTR_MAX_NUM_SCAN_SSIDS                         = 0x2b
 	NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS                   = 0xde
@ -4350,6 +4423,8 @@ const (
 	NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL                     = 0xdf
 	NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS                   = 0xe0
 	NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN                      = 0x7c
+	NL80211_ATTR_MBSSID_CONFIG                              = 0x132
+	NL80211_ATTR_MBSSID_ELEMS                               = 0x133
 	NL80211_ATTR_MCAST_RATE                                 = 0x6b
 	NL80211_ATTR_MDID                                       = 0xb1
 	NL80211_ATTR_MEASUREMENT_DURATION                       = 0xeb
@ -4359,6 +4434,11 @@ const (
 	NL80211_ATTR_MESH_PEER_AID                              = 0xed
 	NL80211_ATTR_MESH_SETUP                                 = 0x70
 	NL80211_ATTR_MGMT_SUBTYPE                               = 0x29
+	NL80211_ATTR_MLD_ADDR                                   = 0x13a
+	NL80211_ATTR_MLD_CAPA_AND_OPS                           = 0x13e
+	NL80211_ATTR_MLO_LINK_ID                                = 0x139
+	NL80211_ATTR_MLO_LINKS                                  = 0x138
+	NL80211_ATTR_MLO_SUPPORT                                = 0x13b
 	NL80211_ATTR_MNTR_FLAGS                                 = 0x17
 	NL80211_ATTR_MPATH_INFO                                 = 0x1b
 	NL80211_ATTR_MPATH_NEXT_HOP                             = 0x1a
@ -4371,6 +4451,7 @@ const (
 	NL80211_ATTR_NETNS_FD                                   = 0xdb
 	NL80211_ATTR_NOACK_MAP                                  = 0x95
 	NL80211_ATTR_NSS                                        = 0x106
+	NL80211_ATTR_OBSS_COLOR_BITMAP                          = 0x12e
 	NL80211_ATTR_OFFCHANNEL_TX_OK                           = 0x6c
 	NL80211_ATTR_OPER_CLASS                                 = 0xd6
 	NL80211_ATTR_OPMODE_NOTIF                               = 0xc2
@ -4397,6 +4478,7 @@ const (
 	NL80211_ATTR_PROTOCOL_FEATURES                          = 0xad
 	NL80211_ATTR_PS_STATE                                   = 0x5d
 	NL80211_ATTR_QOS_MAP                                    = 0xc7
+	NL80211_ATTR_RADAR_BACKGROUND                           = 0x134
 	NL80211_ATTR_RADAR_EVENT                                = 0xa8
 	NL80211_ATTR_REASON_CODE                                = 0x36
 	NL80211_ATTR_RECEIVE_MULTICAST                          = 0x121
@ -4412,6 +4494,7 @@ const (
 	NL80211_ATTR_RESP_IE                                    = 0x4e
 	NL80211_ATTR_ROAM_SUPPORT                               = 0x83
 	NL80211_ATTR_RX_FRAME_TYPES                             = 0x64
+	NL80211_ATTR_RX_HW_TIMESTAMP                            = 0x140
 	NL80211_ATTR_RXMGMT_FLAGS                               = 0xbc
 	NL80211_ATTR_RX_SIGNAL_DBM                              = 0x97
 	NL80211_ATTR_S1G_CAPABILITY                             = 0x128
@ -4484,6 +4567,7 @@ const (
 	NL80211_ATTR_TSID                                       = 0xd2
 	NL80211_ATTR_TWT_RESPONDER                              = 0x116
 	NL80211_ATTR_TX_FRAME_TYPES                             = 0x63
+	NL80211_ATTR_TX_HW_TIMESTAMP                            = 0x13f
 	NL80211_ATTR_TX_NO_CCK_RATE                             = 0x87
 	NL80211_ATTR_TXQ_LIMIT                                  = 0x10a
 	NL80211_ATTR_TXQ_MEMORY_LIMIT                           = 0x10b
@ -4557,6 +4641,10 @@ const (
 	NL80211_BAND_ATTR_RATES                                 = 0x2
 	NL80211_BAND_ATTR_VHT_CAPA                              = 0x8
 	NL80211_BAND_ATTR_VHT_MCS_SET                           = 0x7
+	NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC                    = 0x8
+	NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET                = 0xa
+	NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY                    = 0x9
+	NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE                    = 0xb
 	NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA                   = 0x6
 	NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC                     = 0x2
 	NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET                 = 0x4
@ -4564,6 +4652,8 @@ const (
 	NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE                     = 0x5
 	NL80211_BAND_IFTYPE_ATTR_IFTYPES                        = 0x1
 	NL80211_BAND_IFTYPE_ATTR_MAX                            = 0xb
+	NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS                   = 0x7
+	NL80211_BAND_LC                                         = 0x5
 	NL80211_BAND_S1GHZ                                      = 0x4
 	NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE                 = 0x2
 	NL80211_BITRATE_ATTR_MAX                                = 0x2
@ -4584,7 +4674,9 @@ const (
 	NL80211_BSS_FREQUENCY_OFFSET                            = 0x14
 	NL80211_BSS_INFORMATION_ELEMENTS                        = 0x6
 	NL80211_BSS_LAST_SEEN_BOOTTIME                          = 0xf
-	NL80211_BSS_MAX                                         = 0x14
+	NL80211_BSS_MAX                                         = 0x16
+	NL80211_BSS_MLD_ADDR                                    = 0x16
+	NL80211_BSS_MLO_LINK_ID                                 = 0x15
 	NL80211_BSS_PAD                                         = 0x10
 	NL80211_BSS_PARENT_BSSID                                = 0x12
 	NL80211_BSS_PARENT_TSF                                  = 0x11
@ -4612,6 +4704,7 @@ const (
 	NL80211_CHAN_WIDTH_20                                   = 0x1
 	NL80211_CHAN_WIDTH_20_NOHT                              = 0x0
 	NL80211_CHAN_WIDTH_2                                    = 0x9
+	NL80211_CHAN_WIDTH_320                                  = 0xd
 	NL80211_CHAN_WIDTH_40                                   = 0x2
 	NL80211_CHAN_WIDTH_4                                    = 0xa
 	NL80211_CHAN_WIDTH_5                                    = 0x6
@ -4621,8 +4714,11 @@ const (
 	NL80211_CMD_ABORT_SCAN                                  = 0x72
 	NL80211_CMD_ACTION                                      = 0x3b
 	NL80211_CMD_ACTION_TX_STATUS                            = 0x3c
+	NL80211_CMD_ADD_LINK                                    = 0x94
+	NL80211_CMD_ADD_LINK_STA                                = 0x96
 	NL80211_CMD_ADD_NAN_FUNCTION                            = 0x75
 	NL80211_CMD_ADD_TX_TS                                   = 0x69
+	NL80211_CMD_ASSOC_COMEBACK                              = 0x93
 	NL80211_CMD_ASSOCIATE                                   = 0x26
 	NL80211_CMD_AUTHENTICATE                                = 0x25
 	NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL                    = 0x38
@ -4630,6 +4726,10 @@ const (
 	NL80211_CMD_CHANNEL_SWITCH                              = 0x66
 	NL80211_CMD_CH_SWITCH_NOTIFY                            = 0x58
 	NL80211_CMD_CH_SWITCH_STARTED_NOTIFY                    = 0x6e
+	NL80211_CMD_COLOR_CHANGE_ABORTED                        = 0x90
+	NL80211_CMD_COLOR_CHANGE_COMPLETED                      = 0x91
+	NL80211_CMD_COLOR_CHANGE_REQUEST                        = 0x8e
+	NL80211_CMD_COLOR_CHANGE_STARTED                        = 0x8f
 	NL80211_CMD_CONNECT                                     = 0x2e
 	NL80211_CMD_CONN_FAILED                                 = 0x5b
 	NL80211_CMD_CONTROL_PORT_FRAME                          = 0x81
@ -4678,8 +4778,9 @@ const (
 	NL80211_CMD_LEAVE_IBSS                                  = 0x2c
 	NL80211_CMD_LEAVE_MESH                                  = 0x45
 	NL80211_CMD_LEAVE_OCB                                   = 0x6d
-	NL80211_CMD_MAX                                         = 0x93
+	NL80211_CMD_MAX                                         = 0x98
 	NL80211_CMD_MICHAEL_MIC_FAILURE                         = 0x29
+	NL80211_CMD_MODIFY_LINK_STA                             = 0x97
 	NL80211_CMD_NAN_MATCH                                   = 0x78
 	NL80211_CMD_NEW_BEACON                                  = 0xf
 	NL80211_CMD_NEW_INTERFACE                               = 0x7
@ -4692,6 +4793,7 @@ const (
 	NL80211_CMD_NEW_WIPHY                                   = 0x3
 	NL80211_CMD_NOTIFY_CQM                                  = 0x40
 	NL80211_CMD_NOTIFY_RADAR                                = 0x86
+	NL80211_CMD_OBSS_COLOR_COLLISION                        = 0x8d
 	NL80211_CMD_PEER_MEASUREMENT_COMPLETE                   = 0x85
 	NL80211_CMD_PEER_MEASUREMENT_RESULT                     = 0x84
 	NL80211_CMD_PEER_MEASUREMENT_START                      = 0x83
@ -4707,6 +4809,8 @@ const (
 	NL80211_CMD_REGISTER_FRAME                              = 0x3a
 	NL80211_CMD_RELOAD_REGDB                                = 0x7e
 	NL80211_CMD_REMAIN_ON_CHANNEL                           = 0x37
+	NL80211_CMD_REMOVE_LINK                                 = 0x95
+	NL80211_CMD_REMOVE_LINK_STA                             = 0x98
 	NL80211_CMD_REQ_SET_REG                                 = 0x1b
 	NL80211_CMD_ROAM                                        = 0x2f
 	NL80211_CMD_SCAN_ABORTED                                = 0x23
@ -4717,6 +4821,7 @@ const (
 	NL80211_CMD_SET_CHANNEL                                 = 0x41
 	NL80211_CMD_SET_COALESCE                                = 0x65
 	NL80211_CMD_SET_CQM                                     = 0x3f
+	NL80211_CMD_SET_FILS_AAD                                = 0x92
 	NL80211_CMD_SET_INTERFACE                               = 0x6
 	NL80211_CMD_SET_KEY                                     = 0xa
 	NL80211_CMD_SET_MAC_ACL                                 = 0x5d
@ -4791,6 +4896,8 @@ const (
 	NL80211_EDMG_BW_CONFIG_MIN                              = 0x4
 	NL80211_EDMG_CHANNELS_MAX                               = 0x3c
 	NL80211_EDMG_CHANNELS_MIN                               = 0x1
+	NL80211_EHT_MAX_CAPABILITY_LEN                          = 0x33
+	NL80211_EHT_MIN_CAPABILITY_LEN                          = 0xd
 	NL80211_EXTERNAL_AUTH_ABORT                             = 0x1
 	NL80211_EXTERNAL_AUTH_START                             = 0x0
 	NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK               = 0x32
@ -4807,6 +4914,7 @@ const (
 	NL80211_EXT_FEATURE_BEACON_RATE_HT                      = 0x7
 	NL80211_EXT_FEATURE_BEACON_RATE_LEGACY                  = 0x6
 	NL80211_EXT_FEATURE_BEACON_RATE_VHT                     = 0x8
+	NL80211_EXT_FEATURE_BSS_COLOR                           = 0x3a
 	NL80211_EXT_FEATURE_BSS_PARENT_TSF                      = 0x4
 	NL80211_EXT_FEATURE_CAN_REPLACE_PTK0                    = 0x1f
 	NL80211_EXT_FEATURE_CONTROL_PORT_NO_PREAUTH             = 0x2a
@ -4818,6 +4926,7 @@ const (
 	NL80211_EXT_FEATURE_DFS_OFFLOAD                         = 0x19
 	NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER                = 0x20
 	NL80211_EXT_FEATURE_EXT_KEY_ID                          = 0x24
+	NL80211_EXT_FEATURE_FILS_CRYPTO_OFFLOAD                 = 0x3b
 	NL80211_EXT_FEATURE_FILS_DISCOVERY                      = 0x34
 	NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME               = 0x11
 	NL80211_EXT_FEATURE_FILS_SK_OFFLOAD                     = 0xe
@ -4833,8 +4942,10 @@ const (
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION  = 0x14
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE          = 0x13
 	NL80211_EXT_FEATURE_OPERATING_CHANNEL_VALIDATION        = 0x31
+	NL80211_EXT_FEATURE_POWERED_ADDR_CHANGE                 = 0x3d
 	NL80211_EXT_FEATURE_PROTECTED_TWT                       = 0x2b
 	NL80211_EXT_FEATURE_PROT_RANGE_NEGO_AND_MEASURE         = 0x39
+	NL80211_EXT_FEATURE_RADAR_BACKGROUND                    = 0x3c
 	NL80211_EXT_FEATURE_RRM                                 = 0x1
 	NL80211_EXT_FEATURE_SAE_OFFLOAD_AP                      = 0x33
 	NL80211_EXT_FEATURE_SAE_OFFLOAD                         = 0x26
@ -4906,7 +5017,9 @@ const (
 	NL80211_FREQUENCY_ATTR_NO_10MHZ                         = 0x11
 	NL80211_FREQUENCY_ATTR_NO_160MHZ                        = 0xc
 	NL80211_FREQUENCY_ATTR_NO_20MHZ                         = 0x10
+	NL80211_FREQUENCY_ATTR_NO_320MHZ                        = 0x1a
 	NL80211_FREQUENCY_ATTR_NO_80MHZ                         = 0xb
+	NL80211_FREQUENCY_ATTR_NO_EHT                           = 0x1b
 	NL80211_FREQUENCY_ATTR_NO_HE                            = 0x13
 	NL80211_FREQUENCY_ATTR_NO_HT40_MINUS                    = 0x9
 	NL80211_FREQUENCY_ATTR_NO_HT40_PLUS                     = 0xa
@ -5006,6 +5119,12 @@ const (
 	NL80211_MAX_SUPP_HT_RATES                               = 0x4d
 	NL80211_MAX_SUPP_RATES                                  = 0x20
 	NL80211_MAX_SUPP_REG_RULES                              = 0x80
+	NL80211_MBSSID_CONFIG_ATTR_EMA                          = 0x5
+	NL80211_MBSSID_CONFIG_ATTR_INDEX                        = 0x3
+	NL80211_MBSSID_CONFIG_ATTR_MAX                          = 0x5
+	NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY  = 0x2
+	NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES               = 0x1
+	NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX                   = 0x4
 	NL80211_MESHCONF_ATTR_MAX                               = 0x1f
 	NL80211_MESHCONF_AUTO_OPEN_PLINKS                       = 0x7
 	NL80211_MESHCONF_AWAKE_WINDOW                           = 0x1b
@ -5168,6 +5287,7 @@ const (
 	NL80211_PMSR_FTM_FAILURE_UNSPECIFIED                    = 0x0
 	NL80211_PMSR_FTM_FAILURE_WRONG_CHANNEL                  = 0x3
 	NL80211_PMSR_FTM_REQ_ATTR_ASAP                          = 0x1
+	NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR                     = 0xd
 	NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION                = 0x5
 	NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD                  = 0x4
 	NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST                = 0x6
@ -5244,12 +5364,36 @@ const (
 	NL80211_RADAR_PRE_CAC_EXPIRED                           = 0x4
 	NL80211_RATE_INFO_10_MHZ_WIDTH                          = 0xb
 	NL80211_RATE_INFO_160_MHZ_WIDTH                         = 0xa
+	NL80211_RATE_INFO_320_MHZ_WIDTH                         = 0x12
 	NL80211_RATE_INFO_40_MHZ_WIDTH                          = 0x3
 	NL80211_RATE_INFO_5_MHZ_WIDTH                           = 0xc
 	NL80211_RATE_INFO_80_MHZ_WIDTH                          = 0x8
 	NL80211_RATE_INFO_80P80_MHZ_WIDTH                       = 0x9
 	NL80211_RATE_INFO_BITRATE32                             = 0x5
 	NL80211_RATE_INFO_BITRATE                               = 0x1
+	NL80211_RATE_INFO_EHT_GI_0_8                            = 0x0
+	NL80211_RATE_INFO_EHT_GI_1_6                            = 0x1
+	NL80211_RATE_INFO_EHT_GI_3_2                            = 0x2
+	NL80211_RATE_INFO_EHT_GI                                = 0x15
+	NL80211_RATE_INFO_EHT_MCS                               = 0x13
+	NL80211_RATE_INFO_EHT_NSS                               = 0x14
+	NL80211_RATE_INFO_EHT_RU_ALLOC_106                      = 0x3
+	NL80211_RATE_INFO_EHT_RU_ALLOC_106P26                   = 0x4
+	NL80211_RATE_INFO_EHT_RU_ALLOC_242                      = 0x5
+	NL80211_RATE_INFO_EHT_RU_ALLOC_26                       = 0x0
+	NL80211_RATE_INFO_EHT_RU_ALLOC_2x996                    = 0xb
+	NL80211_RATE_INFO_EHT_RU_ALLOC_2x996P484                = 0xc
+	NL80211_RATE_INFO_EHT_RU_ALLOC_3x996                    = 0xd
+	NL80211_RATE_INFO_EHT_RU_ALLOC_3x996P484                = 0xe
+	NL80211_RATE_INFO_EHT_RU_ALLOC_484                      = 0x6
+	NL80211_RATE_INFO_EHT_RU_ALLOC_484P242                  = 0x7
+	NL80211_RATE_INFO_EHT_RU_ALLOC_4x996                    = 0xf
+	NL80211_RATE_INFO_EHT_RU_ALLOC_52                       = 0x1
+	NL80211_RATE_INFO_EHT_RU_ALLOC_52P26                    = 0x2
+	NL80211_RATE_INFO_EHT_RU_ALLOC_996                      = 0x8
+	NL80211_RATE_INFO_EHT_RU_ALLOC_996P484                  = 0x9
+	NL80211_RATE_INFO_EHT_RU_ALLOC_996P484P242              = 0xa
+	NL80211_RATE_INFO_EHT_RU_ALLOC                          = 0x16
 	NL80211_RATE_INFO_HE_1XLTF                              = 0x0
 	NL80211_RATE_INFO_HE_2XLTF                              = 0x1
 	NL80211_RATE_INFO_HE_4XLTF                              = 0x2
@ -5292,6 +5436,7 @@ const (
 	NL80211_RRF_GO_CONCURRENT                               = 0x1000
 	NL80211_RRF_IR_CONCURRENT                               = 0x1000
 	NL80211_RRF_NO_160MHZ                                   = 0x10000
+	NL80211_RRF_NO_320MHZ                                   = 0x40000
 	NL80211_RRF_NO_80MHZ                                    = 0x8000
 	NL80211_RRF_NO_CCK                                      = 0x2
 	NL80211_RRF_NO_HE                                       = 0x20000
--- a/vendor/golang.org/x/sys/windows/syscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/syscall_windows.go
@ -10,7 +10,6 @@ import (
 	errorspkg "errors"
 	"fmt"
 	"runtime"
-	"strings"
 	"sync"
 	"syscall"
 	"time"
@ -87,22 +86,13 @@ func StringToUTF16(s string) []uint16 {
 // s, with a terminating NUL added. If s contains a NUL byte at any
 // location, it returns (nil, syscall.EINVAL).
 func UTF16FromString(s string) ([]uint16, error) {
-	if strings.IndexByte(s, 0) != -1 {
-		return nil, syscall.EINVAL
-	}
-	return utf16.Encode([]rune(s + "\x00")), nil
+	return syscall.UTF16FromString(s)
 }

 // UTF16ToString returns the UTF-8 encoding of the UTF-16 sequence s,
 // with a terminating NUL and any bytes after the NUL removed.
 func UTF16ToString(s []uint16) string {
-	for i, v := range s {
-		if v == 0 {
-			s = s[:i]
-			break
-		}
-	}
-	return string(utf16.Decode(s))
+	return syscall.UTF16ToString(s)
 }

 // StringToUTF16Ptr is deprecated. Use UTF16PtrFromString instead.
--- a/vendor/golang.org/x/time/rate/rate.go
+++ b/vendor/golang.org/x/time/rate/rate.go
@ -83,7 +83,7 @@ func (lim *Limiter) Burst() int {
 // TokensAt returns the number of tokens available at time t.
 func (lim *Limiter) TokensAt(t time.Time) float64 {
 	lim.mu.Lock()
-	_, _, tokens := lim.advance(t) // does not mutute lim
+	_, tokens := lim.advance(t) // does not mutate lim
 	lim.mu.Unlock()
 	return tokens
 }
@ -183,7 +183,7 @@ func (r *Reservation) CancelAt(t time.Time) {
 		return
 	}
 	// advance time to now
-	t, _, tokens := r.lim.advance(t)
+	t, tokens := r.lim.advance(t)
 	// calculate new number of tokens
 	tokens += restoreTokens
 	if burst := float64(r.lim.burst); tokens > burst {
@ -304,7 +304,7 @@ func (lim *Limiter) SetLimitAt(t time.Time, newLimit Limit) {
 	lim.mu.Lock()
 	defer lim.mu.Unlock()

-	t, _, tokens := lim.advance(t)
+	t, tokens := lim.advance(t)

 	lim.last = t
 	lim.tokens = tokens
@ -321,7 +321,7 @@ func (lim *Limiter) SetBurstAt(t time.Time, newBurst int) {
 	lim.mu.Lock()
 	defer lim.mu.Unlock()

-	t, _, tokens := lim.advance(t)
+	t, tokens := lim.advance(t)

 	lim.last = t
 	lim.tokens = tokens
@ -356,7 +356,7 @@ func (lim *Limiter) reserveN(t time.Time, n int, maxFutureReserve time.Duration)
 		}
 	}

-	t, last, tokens := lim.advance(t)
+	t, tokens := lim.advance(t)

 	// Calculate the remaining number of tokens resulting from the request.
 	tokens -= float64(n)
@ -379,15 +379,11 @@ func (lim *Limiter) reserveN(t time.Time, n int, maxFutureReserve time.Duration)
 	if ok {
 		r.tokens = n
 		r.timeToAct = t.Add(waitDuration)
-	}

-	// Update state
-	if ok {
+		// Update state
 		lim.last = t
 		lim.tokens = tokens
 		lim.lastEvent = r.timeToAct
-	} else {
-		lim.last = last
 	}

 	return r
@ -396,7 +392,7 @@ func (lim *Limiter) reserveN(t time.Time, n int, maxFutureReserve time.Duration)
 // advance calculates and returns an updated state for lim resulting from the passage of time.
 // lim is not changed.
 // advance requires that lim.mu is held.
-func (lim *Limiter) advance(t time.Time) (newT time.Time, newLast time.Time, newTokens float64) {
+func (lim *Limiter) advance(t time.Time) (newT time.Time, newTokens float64) {
 	last := lim.last
 	if t.Before(last) {
 		last = t
@ -409,7 +405,7 @@ func (lim *Limiter) advance(t time.Time) (newT time.Time, newLast time.Time, new
 	if burst := float64(lim.burst); tokens > burst {
 		tokens = burst
 	}
-	return t, last, tokens
+	return t, tokens
 }

 // durationFromTokens is a unit conversion function from the number of tokens to the duration
--- a/vendor/golang.org/x/time/rate/sometimes.go
+++ b/vendor/golang.org/x/time/rate/sometimes.go
@ -0,0 +1,67 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package rate
+
+import (
+	"sync"
+	"time"
+)
+
+// Sometimes will perform an action occasionally.  The First, Every, and
+// Interval fields govern the behavior of Do, which performs the action.
+// A zero Sometimes value will perform an action exactly once.
+//
+// # Example: logging with rate limiting
+//
+//	var sometimes = rate.Sometimes{First: 3, Interval: 10*time.Second}
+//	func Spammy() {
+//	        sometimes.Do(func() { log.Info("here I am!") })
+//	}
+type Sometimes struct {
+	First    int           // if non-zero, the first N calls to Do will run f.
+	Every    int           // if non-zero, every Nth call to Do will run f.
+	Interval time.Duration // if non-zero and Interval has elapsed since f's last run, Do will run f.
+
+	mu    sync.Mutex
+	count int       // number of Do calls
+	last  time.Time // last time f was run
+}
+
+// Do runs the function f as allowed by First, Every, and Interval.
+//
+// The model is a union (not intersection) of filters.  The first call to Do
+// always runs f.  Subsequent calls to Do run f if allowed by First or Every or
+// Interval.
+//
+// A non-zero First:N causes the first N Do(f) calls to run f.
+//
+// A non-zero Every:M causes every Mth Do(f) call, starting with the first, to
+// run f.
+//
+// A non-zero Interval causes Do(f) to run f if Interval has elapsed since
+// Do last ran f.
+//
+// Specifying multiple filters produces the union of these execution streams.
+// For example, specifying both First:N and Every:M causes the first N Do(f)
+// calls and every Mth Do(f) call, starting with the first, to run f.  See
+// Examples for more.
+//
+// If Do is called multiple times simultaneously, the calls will block and run
+// serially.  Therefore, Do is intended for lightweight operations.
+//
+// Because a call to Do may block until f returns, if f causes Do to be called,
+// it will deadlock.
+func (s *Sometimes) Do(f func()) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.count == 0 ||
+		(s.First > 0 && s.count < s.First) ||
+		(s.Every > 0 && s.count%s.Every == 0) ||
+		(s.Interval > 0 && time.Since(s.last) >= s.Interval) {
+		f()
+		s.last = time.Now()
+	}
+	s.count++
+}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -12,7 +12,7 @@ github.com/beorn7/perks/quantile
 # github.com/cespare/xxhash/v2 v2.1.2
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
-# github.com/containerd/containerd v1.6.16
+# github.com/containerd/containerd v1.6.19
 ## explicit; go 1.17
 github.com/containerd/containerd/errdefs
 github.com/containerd/containerd/log
@ -40,7 +40,7 @@ github.com/docker/distribution/registry/client/transport
 github.com/docker/distribution/registry/storage/cache
 github.com/docker/distribution/registry/storage/cache/memory
 github.com/docker/distribution/uuid
-# github.com/docker/docker v23.0.0+incompatible
+# github.com/docker/docker v23.0.3+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types
@ -164,7 +164,7 @@ github.com/moby/buildkit/util/appcontext
 # github.com/moby/patternmatcher v0.5.0
 ## explicit; go 1.19
 github.com/moby/patternmatcher
-# github.com/moby/swarmkit/v2 v2.0.0-20230119195359-904c221ac281
+# github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3
 ## explicit; go 1.18
 github.com/moby/swarmkit/v2/api
 github.com/moby/swarmkit/v2/api/deepcopy
@ -266,7 +266,7 @@ go.etcd.io/etcd/raft/v3/raftpb
 ## explicit; go 1.17
 golang.org/x/crypto/ed25519
 golang.org/x/crypto/pbkdf2
-# golang.org/x/net v0.5.0
+# golang.org/x/net v0.7.0
 ## explicit; go 1.17
 golang.org/x/net/http/httpguts
 golang.org/x/net/http2
@ -276,24 +276,27 @@ golang.org/x/net/internal/socks
 golang.org/x/net/internal/timeseries
 golang.org/x/net/proxy
 golang.org/x/net/trace
-# golang.org/x/sys v0.4.0
+# golang.org/x/sync v0.1.0
+## explicit
+golang.org/x/sync/errgroup
+# golang.org/x/sys v0.5.0
 ## explicit; go 1.17
 golang.org/x/sys/execabs
 golang.org/x/sys/internal/unsafeheader
 golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
-# golang.org/x/term v0.4.0
+# golang.org/x/term v0.5.0
 ## explicit; go 1.17
 golang.org/x/term
-# golang.org/x/text v0.6.0
+# golang.org/x/text v0.7.0
 ## explicit; go 1.17
 golang.org/x/text/secure/bidirule
 golang.org/x/text/transform
 golang.org/x/text/unicode/bidi
 golang.org/x/text/unicode/norm
 golang.org/x/text/width
-# golang.org/x/time v0.1.0
+# golang.org/x/time v0.3.0
 ## explicit
 golang.org/x/time/rate
 # google.golang.org/genproto v0.0.0-20220706185917-7780775163c4